Sunday, February 26, 2006



There is a new company called Goodmail Systems that has a new angle on fighting spam and other email-related problems. They are partnering with AOL and Yahoo to launch a new "Certified" email system in which legitimate companies will pay Goodmail to certify that messages they send are actually from the claimed source. Goodmail will attach a cryptographic certificate to the message that AOL, Yahoo and other ISPs will recognize. Messages certified by Goodmail will be delivered directly to the users' inboxes and will never go to the spam or junk mailboxes. You will be hearing a lot about Goodmail in the coming months -- it will be quite controversial -- and I will be discussing it in this posting... in a minute. But first, a trip down memory lane.

Do you remember those birthday cards you used to get when you were a kid -- the ones that were just a sleeve with an oval opening on one side where a dead president could look out? As an adult you might now suspect that Uncle Irving or Aunt Sue were too lazy to shop for cards and found it convenient just to slip a few bucks in a sleeve and mail it out. But that is because, as an adult, you have forgotten the crucial thing that all kids know: a birthday card with money in it is high-quality mail -- much better, for instance, than the birthday postcard you get from your dentist with the slightly-creepy happy, smiling toothbrush.

Your mom may have thought the money-card was tacky but Aunt Sue wasn't sending it to your mom; she was sending it to you and Aunt Sue knew that her six dollar investment -- one dollar for the sleeve, the envelope and postage, and five dollars as payload -- would result in at least six dollars worth of seven-year-old birthday glee. The card from Dr. Molar, your dentist, on the other hand, was mostly intended for your mother; it said to her that Dr. Molar was still in business and his practice was sufficiently well-managed to send out birthday postcards to the children on his patient list. The postcard cost less to send and was of less value when it arrived but, on balance, it too was worthwhile.

Ahhh, nostalgia... But, back to Goodmail. Goodmail is targeted at business-related email. It is intended to allow companies who need to get email to their customers -- for things like monthly account statements or airline e-tickets -- to be sure their messages will be delivered. The company can enter into an arrangement with Goodmail, pay a small per-message charge and have their mail marked as legitimate in a way that AOL, Yahoo, etc. can recognize using a cryptographically secure mark that spammers (phishers, etc.) cannot replicate. When the message arrives, not only will it bypass the spam filters, but it will also be marked with an indication that AOL/Yahoo/Goodmail certify that it was sent by the claimed sender and has not been modified in transit.

Let me be clear about one thing. This is a very good idea. If properly implemented it will take a big bite out of the problem of "phishing" (fraudulent emails claiming to come from a trusted business or organization that ask for personal information which will be used for identity theft). It will also help somewhat with spam -- but not as much as it could. It is, as I said, a good idea, but I wish it would go farther.

What will be controversial about the use of Goodmail is that it will divide email into two classes: trustworthy certified mail and unvetted ordinary email. The certified email will be generally safe to open and, since the source is known, will be less prone to fraud. Also, since sending each message will cost the sender money there will be an incentive to limit the messages to high-value communications. The non-certified mail, on the other hand, will be the same mess it is now. One will never know for sure from whom a message has come and whether or not a message is safe to open. Since the incremental cost of sending an email message is negligible, low-value bulk email will continue to flood users' inboxes. The technological battle between spammers and spam filterers will continue with both sides claiming advances but neither side winning. One will never be able to send an email and know that it will be received and read -- a false-positive match in a spam filter may cause it to be blocked, or, if delivered, it may still get lost among the hundreds of bulk messages the user doesn't have time to read. Private email will continue to be mired in this morass while commercial messages flow freely and reliably.

The main opposition to the use of this new channel will come from non-profit organizations who don't want their bulk messages to arrive uncertified but are unwilling to pony up for the per-message price to have them certified. (See this from InfoWorld.) They know that once users realize that messages marked as certified email are safer to open and less prone to fraud they will become more reluctant to open uncertified bulk mail. Goodmail states that they plan to offer certification services at cost to non-profit organizations -- setting the price at a cost-recovery level so they neither profit from, nor subsidize, the NPOs -- but it will still represent a cost to the NPOs. Many of them are currently spreading fear, uncertainty and doubt about the certified email program in an effort to prevent the service from being launched.

Goodmail is targeting business email (with a slight concession to the larger NPOs) but is doing nothing about private email. Their FAQ states, in part:

CertifiedEmail is NOT "email postage" for personal, individual, consumer emails. Individuals will not pay. Neither Goodmail nor its ISP partners have ever, or would ever, suggest that any consumer should pay to send emails.

CertifiedEmail is NOT "a tax." Neither AOL nor Yahoo! nor any other ISP with whom Goodmail partners will require senders to use the service in order to get their volume email delivered. Those who do decide not to use the service will see no change in their current delivery metric as a result of the Goodmail/AOL partnership.

CertifiedEmail is NOT for prospecting. CertifiedEmail is only for organizations' permissioned-based or transaction-based email. Those who receive their messages are people who have agreed to be contacted--typically they have transacted business with the sending organization and expect the communication, for example, a travel confirmation.

CertifiedEmail is NOT for spammers. Only reputable organizations can use the service. Goodmail carefully vets its senders, accrediting each one to verify its good sending practices, and rigorously monitor its complaint levels to be sure the sender is complying with Goodmail's acceptable use policy. The service is NOT a way for an organization to buy its way past AOL and Yahoo! spam filters.

CertifiedEmail is NOT a barrier for those who don't use it. CertifiedEmail does not limit consumer access to the Internet or harm notions of free speech--rather, it protects consumers from online fraud, identity theft, and overzealous marketing practices.

CertifiedEmail is NOT a spam filter or spam blocker. Goodmail's goal is to raise the bar so high on sender behavior that messages are not second-guessed by filters and get a direct path to the inbox and a visual identification that the message is good. Goodmail has never suggested CertifiedEmail is the silver bullet for all of email's ills.

While this is an altogether sensible position for Goodmail to take, it does not attempt to solve all the problems with email. Goodmail's FAQ admits this in the last section I quoted. It is quite likely that Goodmail has chosen the right target for their business. Business email is where the (honest) money is to be made in the email biz and their approach should be a big help with phishing. But it would be nice to see something a bit more effective against spam. In particular, I would like to see a way for private individuals to be able to send "certified" emails without opening the door for spammers.

The key to understanding how this might work is to remember Aunt Sue's birthday card. It was demonstrably a valuable piece of mail because it contained money. And Dr. Molar's postcard, while it did not contain currency, still cost something to send and Dr. Molar was not likely to send one to everyone in the phone book. He, at least, needed to think it had some value to send it out at all.

That, I think, is the most significant indicator of spam -- each message is of very low value to either the sender or the receiver. The sender tries to compensate for the low value by sending his message to millions of addresses. The receiver compensates for the low value by actually reading less and less of the email he is sent, trying by various error-prone processes to pick out the increasingly small percentage of email that has any value and ignoring the rest.

A Modest Proposal.

Form a company to allow individuals to send "certified" emails using Goodmail as the channel (obviously Goodmail would have to approve the deal). Users would create accounts and would choose user ids and passwords to control access to the account. Users would need to log in to send certified email. Users would be charged an initial amount to fund the account and would be able to provide additional funds as needed to maintain their balance. When a user wished to send a certified email the user would specify an amount to be drawn from their account balance and attached to the message. A minimum amount (perhaps initially ten cents) would apply. The user sending the message would designate a charity to receive the funds (less a small processing fee) when the message was opened unless the recipient preferred to have the funds sent to a different charity or applied to the receiver's account balance. The user would also have a receiver's profile which would allow them to specify a minimum amount that would need to be attached for messages addressed to them to be delivered. They could also specify whether this amount should go into their account or be donated to a charity of their choice. If a message was delivered but remained unopened for thirty days the funds attached to it (less the handling fee) would revert to the sender's balance and the recipient would be able to read the message without triggering any transfer of funds.

The idea here is to associate a nominal fee with sending a message. The fee would reflect the value of the receiver's time and attention in reading it. If we assume that the recipient actually reads his email then deliberately sending a low-value message is a theft of the recipient's time. The recipient can set whatever value he wants on his time but not less than the minimum amount needed to make sending spam uneconomic. The disposition of the funds (to the recipient's account or to a charity of his choice) is up to the recipient if he has an account. If the recipient has no account, and declines to set one up, the funds will go to the charity suggested by the sender. The funds in a user's account can only be used to send messages and can never be converted to cash paid to the user but can be converted to cash paid to a non-profit charity either at the user's direction or as part of the process of sending messages as described above. All funds paid to the company to maintain the users' balances will eventually either be consumed by transaction fees in sending messages or will be paid to non-profit organizations as directed by the users' profiles.
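
The rules of the proposal above, modelled as a small escrow ledger in integer cents. This is an added example, not code from the original post; the one-cent handling fee and all class, method and field names are assumptions, and a message first opened on or after day thirty is treated as expired.

```python
from dataclasses import dataclass

MIN_ATTACH = 10   # cents; the post suggests "perhaps initially ten cents"
FEE = 1           # cents; assumed handling fee, the post names no figure
EXPIRY_DAYS = 30  # unopened messages revert to the sender after this

@dataclass
class Account:
    balance: int = 0                # usable only for messages or charity
    min_required: int = MIN_ATTACH  # receiver profile: minimum accepted
    keep_funds: bool = False        # True: credit balance, False: donate
    charity: str = ""               # receiver's preferred charity, if any

@dataclass
class Message:
    sender: str
    recipient: str
    amount: int
    charity: str           # charity designated by the sender
    sent_day: int
    state: str = "escrow"  # escrow -> paid | reverted

class Ledger:
    def __init__(self):
        self.accounts, self.charities, self.fees = {}, {}, 0

    def send(self, sender, recipient, amount, charity, day):
        rcpt = self.accounts.get(recipient)  # recipient may have no account
        floor = max(MIN_ATTACH, rcpt.min_required if rcpt else 0)
        if amount < floor or self.accounts[sender].balance < amount:
            raise ValueError("attached amount below minimum or unfunded")
        self.accounts[sender].balance -= amount  # held in escrow
        return Message(sender, recipient, amount, charity, day)

    def open(self, msg, day):
        if msg.state != "escrow":
            return msg.state  # already settled: reading moves no funds
        net = msg.amount - FEE
        self.fees += FEE
        rcpt = self.accounts.get(msg.recipient)
        if day - msg.sent_day >= EXPIRY_DAYS:
            self.accounts[msg.sender].balance += net  # revert, less fee
            msg.state = "reverted"
        elif rcpt and rcpt.keep_funds:
            rcpt.balance += net
            msg.state = "paid"
        else:  # receiver's charity if set, else the sender's suggestion
            name = rcpt.charity if rcpt and rcpt.charity else msg.charity
            self.charities[name] = self.charities.get(name, 0) + net
            msg.state = "paid"
        return msg.state
```

There is deliberately no method that pays a balance out as cash: every cent deposited ends up in an account balance, a charity total or the fee pool.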

Obviously the concept still needs work. But I think the ideas are sound and the central idea is that "free" email is a bad idea. Email-related fraud and other crime doubles year over year and the root cause is the silly idea that email ought to be "free". As it turns out email is neither free as in speech nor free as in beer. Instead, it is free as in free-for-all and free as in free-fall. I think it should be fixed and I think Goodmail is a step in the right direction.


Calvin said...

I agree that there is a place for services like Goodmail in the e-mail universe. Basically a company is willing to pay money to make sure their e-mail gets through the spam filters. But one thing I didn't hear you mention is whether Goodmail will let companies send unsolicited commercial e-mail through their service. If so, then it will just change the nature of the spam. So I'll get spam mail for credit card offers instead of penis enlargers. If the companies agree to only send e-mail through Goodmail that I specifically requested for, such as my monthly account statements, etc., then it is indeed a valuable service.

BigLeeH said...

If you read the third item in the excerpt from Goodmail's FAQ -- "Goodmail is NOT for prospecting" it suggests that there will be such a restriction.

I, on the other hand, have always thought that the definition of spam that you cited -- "unsolicited commercial email" -- misses the point at best and introduces a red herring that makes the problem of spam harder to understand. I very much prefer to think of it as "low value email" -- things that would never be sent if it cost a dime to send it. The very fact that non-profit organizations (which are not commercial by definition) are letting out such a howl at the idea of paying a fraction of a cent a message suggests that they send out large amounts of low-value email.