Modernizing Authentication — What It Takes to Transform Secure Access
Berman's bill is not much better. To its credit, the bill would require copyright owners to notify the U.S. Attorney General of the specific technologies it intends to use. But there is no obligation to notify the target of the attack before the attack begins. Once the attack occurs, the target would, under the bill, have the right to demand an explanation. (I never knew denial-of-service attacks came with return e-mail addresses.) The bill would also let targets complain to the Attorney General about wrongful attacks, though the Attorney General is not allowed to release the names of those behind the wrongful attacks (yet another secret list being kept by the U.S. Department of Justice).
No doubt, the motives of the spam vigilantes are pure. These are talented coders doing a public service. But there's also no doubt that the effect of their work is to make e-mail worse. They looked at the open and flexible system of e-mail that gave birth to much of the Net and decided that this system created too much freedomat least for spammers. Their response was to find a mix of code and norms to restrict the freedom of e-mail. The result of their good intentions is a much less flexible e-mail system but not much less spam. Indeed, it's hard to believe that this conspiracy to cripple e-mail has done anything except make e-mailing more difficult.
But at least with the spam problem, there is a much simpler solution that, so far, Congress has failed to see. Imagine a law that had two partsa labeling part and a bounty part. Part A says that any unsolicited commercial e-mail must include in its subject line the tag [ADV:]. Part B says that the first person to track down a spammer violating the labeling requirement will, upon providing proof to the Federal Trade Commission, be entitled to $10,000 to be paid by the spammer.
The aim of Part A is to enable simple filtering. If all spam were tagged, then it would be extremely easy to choose whether to receive it or not. Spammers say there are lots of people out there who love to receive spam. Good for them. They can tell their Internet service provider or e-mail client to deliver all e-mail, regardless of the subject line. But those of us who actually work for a living can choose to ignore this class of junk on the Internet by filtering all e-mail with the subject line [ADV:].
The aim of Part B is to make Part A effective. The vast majority of proposals before lawmakers to regulate spam has made enforcement depend either upon an action by the state or by lawsuits filed by ISPs. This is not an accident; it is a product of effective lobbying by direct marketers and other commercial spammers. These people know that attorneys general and ISPs have better things to do than track them down. By making them the only enforcers, spammers know that any law aimed at stopping them will likely not be enforced.
But if the vigilantes who are working so hard to keep lists of offending e-mail servers were to turn their energy to identifying and tracking down spammers, then this passion to rid the world of spam might actually begin to pay offboth for the public and for the bounty hunters. If we deputized the tens of thousands of qualified people out there who are able to hunt offenders, then a large number of offenders would be identified and caught. Pretty soon the message to spammers will be delivered quite effectively: Label or pay.