P3P, the new Internet privacy protocol unveiled last month by the World Wide Web Consortium (W3C), has been both lauded as the answer to everyone’s privacy worries and castigated as a Trojan horse that will divert public attention from real problems. The truth is, it’s neither. It’s merely a potentially nifty tool that might help ensure privacy in cyberspace — if the government gets its act together.
Among the boosters of the Platform for Privacy Preferences Project, or P3P, we find the White House, major technology companies like Microsoft and America Online and organizations like the Center for Democracy and Technology. They position P3P as powerful technology that will help consumers to control the spread of their personal information over the Internet.
Microsoft, for instance, announced that support for P3P will be built into the next version of Internet Explorer, now the most popular Web browser on the planet. “Our commitment to protecting consumer privacy through technologies based on P3P and other efforts stems from Microsoft’s long-standing focus on building technology that empowers the individual,” said Microsoft’s president and CEO Steve Ballmer.
Not to be outdone, Vice President Al Gore issued a statement hailing P3P as a powerful tool “for giving consumers greater control over their personal information.” And to prove its point, the White House set up a P3P policy for the White House home page.
But P3P isn’t technology, it’s politics. The Clinton administration and companies such as Microsoft are all set to use P3P as the latest excuse to promote their campaign of “industry self-regulation” and delay meaningful legislation on Internet privacy. At least that’s the claim being made by two of the most trusted names in Internet privacy, the Electronic Privacy Information Center and Junkbusters, both of which have called P3P a Trojan horse.
The privacy organizations are right: P3P lacks the power to create a new privacy-rich Internet. That’s because P3P is nothing more than an optional labeling standard. And as long as the protocol remains optional, organizations will have few incentives to create P3P labels that can help consumers.
Still, the privacy organizations needn’t turn their backs on P3P. P3P could actually be a wonderful tool to help promote meaningful privacy protections on the Internet — both technical protections and legislative ones.
P3P has its roots in the World Wide Web Consortium’s (W3C) much-maligned Platform for Internet Content Selection (PICS), a protocol that was created to enable censorship. Conceived in 1996, during Congress’ first attempt to regulate pornography on the Internet, PICS was designed to prevent the children of protective parents from being able to view pornography on the Web. The grand idea behind PICS was that every Web site on the Internet would have a pornography rating, and that Web browsers would consult those ratings before displaying the Web pages. If a Web site had pornography and the computer was configured not to show pornography, no inappropriate images would appear on young Jimmy’s screen.
Privacy activists looked at the PICS technology and said to themselves, “You know, if technology can do this for pornography, perhaps we could build a similar system to protect privacy.” The technology would be similar. If you clicked into a Web site whose policy for dealing with personal information didn’t match your preferences, your browser would throw up a warning and prevent you from going further.
In order to make this technology work, the P3P group had to come up with a way to encode a site’s privacy policy, which is typically a long document written in legalese, into something that a computer could read. To do this, members of the group decided to use XML, or Extensible Markup Language.
XML looks a lot like HTML, the language of the Web, but it allows developers to create special tags that have particular meanings. For example, the tags mean that a Web site holds on to its personally identifiable information forever. The tags mean that a Web site collects data but doesn’t share it with others. Your browser would check these tags and give you a warning if the Web site’s policies disagreed with your preferences.
Basically, P3P is a rather straightforward system for translating human-readable privacy policies, which are filled with legalese, into a compact block of data that can be understood by your computer.
The P3P standard also allows you to specify different policies for different parts of your Web site. For example, you might have some Web pages that collect a lot of personal information, while others might not collect any. This feature, it turns out, is critical to both P3P’s success and possible failure.
The flexibility is critical, because large Web sites need to be able to say that different rules apply to different areas. But the flexibility also makes it possible to restrict P3P policies to very small segments of a site, and leave the rest unlabeled.
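The check a P3P-aware browser would make, and the way partial labeling defeats it, as an added example that is not part of the original article. The element names follow the W3C P3P 1.0 vocabulary rather than anything quoted on this page; the sample documents, paths and the `REJECTED` preference format are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified samples (no XML namespace). Element names follow the
# W3C P3P 1.0 vocabulary; they are assumptions, not text from the article.
# The reference file labels only the home page and leaves the rest unlabeled.
REFERENCE_XML = """
<META><POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#home">
    <INCLUDE>/</INCLUDE>
    <INCLUDE>/index.html</INCLUDE>
  </POLICY-REF>
</POLICY-REFERENCES></META>
"""

POLICY_XML = """
<POLICIES>
  <POLICY name="home">
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http.useragent"/>
        <DATA ref="#dynamic.http.referer"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

# Hypothetical user preferences: values the user refuses, per policy element.
REJECTED = {"RETENTION": {"indefinitely"}, "RECIPIENT": {"unrelated", "public"}}


def path_matches(pattern, path):
    """Match a site path against an INCLUDE/EXCLUDE pattern ('*' is the only wildcard)."""
    regex = ".*".join(re.escape(part) for part in pattern.strip().split("*"))
    return re.fullmatch(regex, path) is not None


def policy_for(path, reference_xml=REFERENCE_XML):
    """Name of the policy that covers `path`, or None if the page is unlabeled."""
    for ref in ET.fromstring(reference_xml.strip()).iter("POLICY-REF"):
        included = any(path_matches(e.text or "", path) for e in ref.findall("INCLUDE"))
        excluded = any(path_matches(e.text or "", path) for e in ref.findall("EXCLUDE"))
        if included and not excluded:
            return ref.get("about", "").rpartition("#")[2]
    return None


def conflicts(name, policy_xml=POLICY_XML, rejected=REJECTED):
    """(element, value) pairs in policy `name` that the user refuses.

    Returns None when the referenced policy does not exist in the policy file.
    """
    for policy in ET.fromstring(policy_xml.strip()).iter("POLICY"):
        if policy.get("name") == name:
            return sorted({(node.tag, value.tag)
                           for stmt in policy.iter("STATEMENT")
                           for node in stmt
                           if node.tag in rejected
                           for value in node
                           if value.tag in rejected[node.tag]})
    return None


def check(path):
    """Decision for one page: 'unlabeled', 'conflict' (with reasons) or 'ok'."""
    name = policy_for(path)
    found = conflicts(name) if name else None
    if found is None:
        return ("unlabeled", [])
    return ("conflict", found) if found else ("ok", [])


def coverage(paths):
    """How many of `paths` are covered by any policy, out of how many."""
    return sum(policy_for(p) is not None for p in paths), len(paths)


if __name__ == "__main__":
    site = ["/", "/index.html", "/briefings/today.html", "/tours/"]  # constructed
    for page in site:
        print(page, check(page))
    print("labeled pages: %d of %d" % coverage(site))
```

A browser can only warn about pages that carry a label, so an agent that treats "unlabeled" as acceptable never sees the rest of the site; reporting coverage alongside conflicts makes that gap visible.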
The Clinton administration, being a strong proponent of self-regulation, hopes that the P3P technology will make it easier for consumers to rate the privacy policies of Web sites. If consumers demand more privacy, the thinking goes, they will flock to the Web sites that protect consumer privacy and thereby force the market to do the right thing. And if the market does the right thing all by itself, there will be no need to pass and enforce privacy-protecting laws.
In reality, P3P technology won’t do much of anything to guarantee your privacy, and you need go no further than the White House’s own Web site to understand why. Any company or organization can create P3P policies and then issue self-congratulatory press releases gushing about their P3P-compliance. They look like good guys. But they might not be good guys at all.
Consider the White House Web site’s much touted P3P policy. I took a close look at the original White House policy when it was first unveiled in June. Translated from XML back into English, it said that the organization named “the White House” had the contact e-mail address of feedback@whitehouse.com, a phone number of 202-456-1414, a place of business at 1600 Pennsylvania Ave., N.W., Washington, D.C., 20500, that it recorded clickstream information, the name of the Web browser that every visitor uses, the previous Web site that they visited and that such information would be retained indefinitely. The information would be used for administrative purposes, development and operations. But the policy only covered the Web site’s home page and simply ignored the other 4,000 pages on the Web server.
I called the White House and asked for the reason for the apparent disparity. Spokespeople told me that the P3P policy for the home page was merely a demonstration, and that they were doing a redesign in a few weeks and would do a better job then.
The redesigned Web site, ironically, doesn’t have a P3P policy at all.
By creating so much fanfare about its P3P policy and then lazily delivering so little, the White House is simply playing into the hands of P3P critics. Its behavior alone makes it clear that P3P doesn’t give consumers “control over their personal information,” as Gore says it does. Only federal data protection legislation, laws that would force the White House to get all of its pages properly coded to tell visitors what data they’re handing out and what it will be used for, could have that result. In the meantime, the ability for P3P policies to carve out huge exceptions makes it a pretty ineffective tool for “self-regulation” as well.
On the other hand, combined with regulation, P3P could be a pretty impressive tool. One of the problems that academics and regulators alike face with today’s Web site privacy policies is that they are written by lawyers and their language can be fairly impenetrable. I mean, precisely what does this sentence, taken from the privacy policy of cable company MediaOne, actually mean? “You hereby consent to, and expressly waive such rights as You may have under the Cable Act or otherwise to limit or prohibit, the collection by, and sharing between, MediaOne and ServiceCo and other MediaOne entities of such information.”
The beauty of P3P is that it reduces such legalese into unambiguous XML statements. Some future Web browser could translate these statements into any human-readable language, allowing a person who only speaks Japanese to make sense of privacy statements posted in English, for example. Search engines could automatically display a site’s policy along with its links. Economists researching the field of privacy could rapidly survey the policies of 10,000 Web sites and show how they change over time. That’s the promise of P3P.
Ultimately, though, Americans shouldn’t be put in the position of having to decide whether or not they want to give up their privacy in order to partake in the pleasure of viewing pages on the Internet: We should have base-level privacy protections in law. We do this in other areas, such as food, drugs and the environment. Likewise, there should be certain privacy guarantees that are fundamental to our society; privacy guarantees such as the right to see information that a company has collected on you and the right to have erroneous information expunged.
P3P can’t create these rights and it can’t enforce them. But P3P will make it easier to cut through the legalese and tell the difference between Web sites that are truly committed to protecting privacy and those that are information sharks — provided, of course, that both kinds of Web sites post P3P policies that are comprehensive and accurate. And, of course, there’s a fat chance of that happening without meaningful legislation.
I was reading my e-mail somewhere over the Atlantic when my laptop tried to go online. I was in the middle of composing a rather lengthy e-mail, so I didn’t think about it much. I just put Windows back into “work offline” mode and kept typing. But a moment later, I discovered that the laptop was back in online mode. Indeed, I soon discovered that no matter what I did, I couldn’t keep the laptop in offline mode; it was determined to stay online.
Since I was running Windows, I did the normal thing you do when you encounter problems: I rebooted. But exactly the same thing happened when Windows came back up a few minutes later. So I started hunting around the laptop’s operating system to see what was going on, and I discovered that a program called “DSSAgent” was silently running in the background. I killed the program with the Windows task manager and my computer started working normally.
Problem solved, I guess, but now I was curious. A little more investigation revealed that my computer’s Windows registry had been modified to launch this DSSAgent program whenever the computer started up. The program itself had been hidden deep within my Windows directory, apparently designed to look like a system file. Further investigation revealed that the DSSAgent had been written by Brøderbund and had been installed when my daughter loaded an Arthur’s Reading Race CD-ROM onto my laptop the previous weekend.
There were thunderstorms over my destination, so while my jet ran racetracks in the sky, I fired up some tools and started pulling apart the DSSAgent program. I discovered that the DSSAgent contained a copy of the developer’s kit for the Pretty Good Privacy encryption system, that it contained the ability to send e-mail and post forms to Web pages and that its creators had gone to great lengths to hide the software’s function. And there was no copyright message indicating who had written the program.
When I got home I did some more research and found that the DSSAgent program was running on every computer in my house. A quick search on the Web the next day revealed that Brøderbund is owned by Mattel Interactive, so I called up the company’s public relations group and asked why its software had installed this program on my computer: Why was it there, and what did it do?
According to Debbie Galdin, a spokeswoman for Mattel Interactive, DSSAgent is part of a service that Mattel calls “Brodcast.” Says Galdin: “Brodcast is designed to provide additional content for our more up-to-date products. The program does not send personal information to Mattel and does nothing to identify a particular user.”
Maybe Mattel knows something about rapidly advancing phonics theories that I don’t, but I can’t imagine what kind of “up-to-date” content the company wants to rush out to all the 5-year-olds using “learn to read” software. Actually, the only sort of up-to-date information I’d bet Mattel is really interested in offering would come in the form of advertisements for its own just-released products.
The Brodcast technology was developed by Brøderbund (hence its name), but I never knew that it was there: Brøderbund never told me about its presence. (When I ran the installer again later, the technology was never identified.)
“If the program is enabled, it communicates with our servers to let them know that a particular product has been installed and retrieves JPEG images for that product if any exist,” explains Galdin. “This allows us to provide our customers with additional content for the products they have purchased, communicate product fixes, etc. To this end, it connects to the server and sends the product SKU number, last time a connection was made and if any downloads are in progress. Based on that information the server decides whether to send a JPEG image or not.”
While this indeed may accurately describe the company’s intention in including the DSSAgent, it’s pretty easy to see how such technology could cause problems. If it wanted, the company could scan your hard drive for competing products, then flood you with offers to purchase its own similar products, or even just use that info for competitive research. Once this kind of capability is introduced, it could also be misused by a rogue employee to retrieve your financial records or credit-card numbers or to download child pornography onto your computer.
And what about the fact that this technology is included in software for kids?
Earlier this year, the Children’s Online Privacy Protection Act went into effect. One of the most significant aspects of this law is that it prohibits companies from collecting information on children under 13 without explicit parental consent. Consent is not just clicking a box — parents need to send in a letter, a fax or an identifying e-mail message. There’s no way to get legal consent through the installation process, and I certainly hadn’t signed any permission forms.
Galdin insists that nothing in the Brodcast technology violates COPPA, but after the law went into effect, Mattel stopped shipping old versions of the Brøderbund CD-ROMs and gave the products new installers. “COPPA applies to Web sites directed towards children only and does not extend to this situation,” Galdin argues.
“Nevertheless, once COPPA was enacted, we changed our installation software activating both Brodcast and registration so that it first asks the age of a user,” she says. “The latest version asks if the user is under 13 years of age and, if so, does not offer to install the Brodcast program and does not ask any of the registration questions requiring personal information.” If you are over 13, the program gives you a choice as to whether you want the Brodcast technology installed.
Galdin sent me some new CD-ROMs with the improved installer. I tried them out. But it turns out that even if you tell the installer that you don’t want to use Brodcast, the installer puts the program on your computer anyway. “If the user doesn’t want it, it is not enabled,” Galdin says. But the program is still installed, she says, because it is part of the complete CD-ROM application.
Galdin says that DSSAgent used PGP encryption to protect the information sent from Brøderbund (and then Mattel) to the user. “We don’t want anyone else to intercept our communications and send other kinds of information.” Nevertheless, she says, Mattel’s new products — those shipped since April — do not include the Brodcast technology at all.
All’s well that ends well, I suppose, but to me, the inclusion of hidden programs with children’s CD-ROMs, the installation of these programs even when you specifically choose not to use them, the use of encryption to scramble network communications and the failure to document any of this to the public or to users in any meaningful way represent a bad omen for the future of the consumer software industry.
A growing number of companies clearly think that it’s acceptable to build covert monitoring systems into their programs. Proposed legislation specifically allows software vendors to exercise “self-help” in enforcing their copyrights — actions that could include disabling your computer if they think you have violated the terms of your license agreement. Meanwhile, the ubiquitous Internet connectivity afforded by cable modems and DSL will make it harder and harder for us to know when these sorts of programs are active.
To be sure, the DSSAgent never should have tried to take my computer online when I was flying over the Atlantic. “That sounds like a product malfunction,” Galdin said. “The agent normally detects when a user is online only to do its transactions; it is not designed to try to connect independently. We would be happy to look into it.”
But were it not for the bug, I would have never discovered that Mattel’s DSSAgent was running on my laptop. Were the company so inclined, it could have used this technology to do far more than retrieve a JPEG image from a server.
What concerns me most is that there are simply no rules or regulations inside the United States that set limits on how invasive consumer software can be. Under Canada’s newly enacted C-6 privacy legislation, for example, there is a requirement for Canadian firms to inform their customers about what kind of personal information is collected and how it is protected, and to make sure that it is discarded when it is no longer needed. But in the United States, we’ve already seen several examples of programs — such as last year’s Real Audio Jukebox troubles — that covertly spy on a person’s actions and report them back to a central location.
Surveillance software represents one of the greatest threats to privacy in the coming years. A program that uses undocumented protocols for transmitting information to or from the user, even if it is just to tell a person that a new version of a program is ready for download, is a huge, terrible step in that direction. I’m glad that Mattel says it has decided to remove the DSSAgent technology from its CD-ROM offerings. The fact that the company was only motivated to take this action after a law was passed in Washington demonstrates the importance of legislation as a tool for dealing with privacy issues in the future.
If we want computers to be easier to use — and who doesn’t? — a good place to start would be with that all-important command, “Undo.” Although many of today’s computer systems have some sort of undo capability, few of them work consistently throughout the system, or even in one application. As a result, users can’t depend upon it, and lots of people lose a lot of work.
The need for a better undo is one of the important ideas in designer Jef Raskin’s first book, “The Humane Interface,” published earlier this year by Addison-Wesley. Although Raskin is perhaps best known as the creator of the Apple Macintosh project, his book is not a rant arguing why the Mac has a better user interface than Windows. Of course the Mac is better, says Raskin, but both computer systems have fundamental problems that make using them an unpleasant experience for both novices and experts alike.
Raskin bases his arguments not on opinion but on nearly 30 years of research by people around the world who have studied how the human brain interoperates with engineered systems from aircraft to computers. Raskin suggests that we should apply this research to the design, or redesign, of today’s operating systems.
One of Raskin’s early observations is that people quickly become habituated to routine processes and procedures. This works to both the advantage and the detriment of the interface designer. Habituation lets an experienced person use a well-designed interface more quickly. But that same habituation can also lead to errors — sometimes catastrophic ones. And that’s when it would be great if we had a truly workable undo.
Consider the Yes/No or OK/Cancel questions that many computer systems ask. “Do you really want to empty your trash? (Y/N)” “Are you sure you want to permanently delete the selected items?” People become so accustomed to these questions and pop-up boxes, Raskin writes, that after seeing them a few times they habitually click “OK,” even when they should click “Cancel.” Hence, they click right through something like: “WARNING: All data on non-removable Disk Drive C: will be lost. Proceed with format? (Y/N)”
Far better than giving the user a Yes/No or OK/Cancel choice would be to create a general undo facility that worked consistently throughout the entire computer system. When, weary from slaving for hours on that paper you’re writing, you mistakenly tell your word processor to shut down without saving the final version, you don’t want it to ask, “Are you sure?” You want it, when you realize your mistake, to promptly undelete any work you’ve foolishly trashed.
Raskin’s words became especially poignant to me last month, when a minor user-interface tick and an OK/Cancel alert caused me to lose the minutes of a board meeting that I had been taking on my Palm Pilot. It was an hour into the meeting, and one of the organization’s board members asked me to beam my minutes into her Palm VII. Trying to be helpful, I clicked the button to display my computer’s pull-down menu, selected “Beam Memo” and was prompted with a pop-up box asking: “Beam current memo? OK/Cancel.” I clicked “OK” and suddenly the memo vanished.
Of course, I hadn’t clicked “Beam Memo” on the Pilot’s menu, but “Delete Memo.” As Raskin notes, I had been so focused on the idea of beaming my memo to the board member that I had misread the confirmation box — a box that was designed to prevent me from doing precisely what I had then proceeded to do.
Instead of a confirmation box, a far better design would be to have the computer always delete the memo, but then to allow the ability to undo the last action. The ubiquitous OK/Cancel box is a terrible user-interface design, writes Raskin, because it slows you down the majority of the times you are actually trying to do something, and the few times that you really, really need the confirmation box — when you are habituated to a user interface and about to make a mistake that will cause you to irrevocably lose data — you don’t stop to read it. You don’t stop because you have become habituated.
Of course, the Palm operating system does have an undo feature. Unfortunately, it doesn’t work all the time. Undo works for undoing modification to text in the memo pad application, for example, but it can’t undo the deletion of a memo. There’s an undo option on the Palm’s appointment book program, but it can’t undo changes you might make to an appointment’s date or time. These limitations aren’t the result of the Palm’s low-powered microprocessor or small memory; they’re the result of poor design — poor design of both the memo pad application and the underlying operating system. And they are design problems shared by many systems.
Speaking as a programmer and as a designer, creating a generalized undo feature is hard work. To do it, you must remember every change that affects the user’s data so that you can undo those changes if the user asks. Few application frameworks provide an undo facility, so each programming team has to create its own. Although this shouldn’t be hard to do in principle, in practice it enforces a discipline that few of today’s programmers are up to. One of the reasons, I think, is that they lack good examples: Since no program currently on the market today does undo properly, there is little incentive for other programmers to do better.
Consider the undo feature in Microsoft Word. Overall it’s pretty good, but it frequently behaves in an unpredictable manner. For example: Type a paragraph of text. Select the paragraph with your mouse and choose the “Copy” command. Now select the last sentence of the paragraph and choose the “Cut” command. Now click undo, click the mouse at the end of the paragraph and choose the command “Paste.” What happens? You should get the entire paragraph, but, instead, you get just the last sentence. That’s because Microsoft’s undo doesn’t really undo your last command; instead, it reverts to the last change to your document. In this example, the last command also affected the clipboard, which Word’s undo command doesn’t restore.
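The copy, cut, undo, paste sequence above, as an added example that is not code from Word or from Raskin’s book. The `Editor` class is a hypothetical toy: with `restore_clipboard=False` it models an undo that only reverts the document, and with `True` it records every piece of state a command touches.

```python
class Editor:
    """Toy editor: state is the document text plus the clipboard."""

    def __init__(self, restore_clipboard):
        self.text = ""
        self.clipboard = ""
        self.restore_clipboard = restore_clipboard
        self._history = []  # snapshots of (text, clipboard) taken before each change

    def _remember(self):
        self._history.append((self.text, self.clipboard))

    def type_text(self, s):
        self._remember()
        self.text += s

    def copy(self, start, end):
        # Copy leaves the document alone, so a document-only undo records nothing.
        if self.restore_clipboard:
            self._remember()
        self.clipboard = self.text[start:end]

    def cut(self, start, end):
        self._remember()
        self.clipboard = self.text[start:end]
        self.text = self.text[:start] + self.text[end:]

    def paste(self, pos):
        self._remember()
        self.text = self.text[:pos] + self.clipboard + self.text[pos:]

    def undo(self):
        """Revert the last recorded command; return False if there is nothing to undo."""
        if not self._history:
            return False
        text, clipboard = self._history.pop()
        self.text = text
        if self.restore_clipboard:
            self.clipboard = clipboard  # the step a document-only undo skips
        return True


def replay(restore_clipboard):
    """Type a paragraph, copy it, cut the last sentence, undo, paste; return what was pasted."""
    paragraph = "First sentence. Last sentence."  # constructed sample text
    ed = Editor(restore_clipboard)
    ed.type_text(paragraph)
    ed.copy(0, len(paragraph))
    ed.cut(len("First sentence. "), len(paragraph))
    ed.undo()
    before = len(ed.text)
    ed.paste(before)
    return ed.text[before:]


if __name__ == "__main__":
    print("document-only undo pastes:", repr(replay(False)))
    print("full-state undo pastes:  ", repr(replay(True)))
```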
Many applications don’t even have an undo facility. Last year, for instance, I received an e-mail from a reader who was furious at Intuit. The reader had lost a significant amount of time because Intuit’s Quicken lacks an undo feature and he had inadvertently made a change to a transaction in his checking register. Of course, he didn’t know what the change was — it was, after all, inadvertent — and he spent several hours trying to figure out why a reconciled transaction had disappeared but his register still balanced. The man eventually discovered that he had changed the year of a credit card charge from 1999 to 1909. An undo feature that would undo a change to the last transaction would have saved him much work and frustration.
The computer industry has technical standards that describe everything from the voltage transmitted on an Ethernet cable to procedures that companies must follow for ensuring the “quality” of their products. But few standards ensure that these products will be usable or, to use Raskin’s word of choice, humane. Building an undo feature that always works would be a good place to start.
Last week I received an e-mail message from Caldera Systems. “Finally, there’s a Linux operating system that’s as obsessed about the Internet as you are,” it read. “Caldera Systems’ OpenLinux eDesktop 2.4 is chock full of goodies to make your connection to the World Wide Web a craving like none other.”
If I were obsessed with anything, it wasn’t whatever new version of its operating system that Caldera happened to be pushing. I was far more interested in finding out how the company had gotten my e-mail address and why it was messaging me when I had never agreed to receive product promotions.
I called up Caldera spokeswoman Nancy Pomeroy. After much head-scratching, we decided that Caldera must have taken my e-mail address from an OpenLinux 2.3 registration card that I had filled out back in February, and added it to the company’s mailing list. When I told her that I was offended, Pomeroy was confused: Surely, she said, I must have realized that Caldera would use my e-mail address to send me notices about new products. Why else would they ask for it?
Why else indeed! I had foolishly thought that Caldera might want my e-mail address so that I would be approved for tech support, or so that if there were a security problem with OpenLinux 2.3 it could have sent me an urgent e-mail. To be honest, I never really considered that it might use my e-mail to send me an advertisement without first asking my permission. I guess I was a little too trusting. I thought legitimate companies would know better than to spam.
Of course, Caldera is not alone. A growing number of companies are using e-mail for direct marketing. These aren’t fly-by-night spammers with get-rich-quick schemes or steaming come-ons to hot sex sites. No, these are legitimate businesses — companies that think they have the right to send me unsolicited mail simply because they have my e-mail address. Consider:
In March, I received spam from Sony, which was advertising its new Music Clip MP3 player. I imagine Sony got my e-mail address when I registered my VAIO notebook computer.
In early February, I received the Bloom Report No. 3 from KaBloom, a Massachusetts chain of flower shops, inviting me to send a dozen roses for Valentine’s Day. I’m not really sure where the company got my e-mail address, and when I tried to find out, KaBloom didn’t return my telephone calls.
Late last year, I received multiple e-mail messages on the same day from JuniorNet, an online service provider that targets young children. The e-mail was sent to several accounts I haven’t actively used in years, and looking at the messages’ headers, I discovered that they had been sent out from MessageMedia, a marketing firm in Colorado that specializes in sending bulk e-mail. The mail-abuse coordinator from MessageMedia told me that JuniorNet had purchased the e-mail addresses from an electronic mailing list merchant who had assured them that the addresses were voluntarily given names from an opt-in mailing list. When MessageMedia discovered that the addresses on the list were from spam sources, it blacklisted both the list and the supplier.
I’ve also received unsolicited e-mail from a Jewish dating service in Washington, a European computer security firm and a variety of other businesses. In some cases the companies got my e-mail address when I registered at a Web site or downloaded software. In other cases the e-mail addresses seem to materialize out of thin air. But in none of the cases did I give these companies permission to send me advertisements.
We all complain about the inane messages we get from fly-by-night spammers, but as I sift through the contents of my in box, I think the real threats to our electronic mailboxes won’t be from shady businesses and unskilled entrepreneurs trying to make a fast buck, but from established businesses that see e-mail marketing as a legitimate tool for finding new customers.
“We are currently setting up opt-out checkboxes on our online partner/customer/download registration forms,” says Caldera’s webmaster in an e-mail forwarded to me by Nancy Pomeroy. “I’ve put it at the top of my team’s queue to create an opt-out checkbox on every form on the Web site. We’ll make sure that all future e-mail addresses we pull from the master contact database exclude those that opt out from receiving e-mail.”
Unfortunately, this only solves half the problem. It’s good for companies like Caldera to create opt-out checkboxes on their Web forms and registration cards, but in the absence of these forms, these companies should completely refrain from sending out advertisements.
E-mail marketing is a serious threat to the future of the medium. E-mail is cheap to send, and e-mail addresses are plentiful. Imagine how unworkable e-mail will become if, every time you open your mailbox, a few hundred companies that you’ve bought products from in the past send you a note telling you about their new offerings. What if every time you booked a trip to New York or Dallas or San Francisco, half the restaurants in town e-mailed you a menu and a 20 percent-off coupon?
One of e-mail’s most miraculous characteristics is its ability to bring us casual e-mail messages from long-lost friends, potential business associates or strangers across the globe who saw something we posted and want to make our acquaintance. And spammers exploit this ability to send casual, unbidden e-mail messages.
Of course, there are technical solutions to help limit the spam you receive. The most effective is to simply block all messages from addresses that aren’t on a “white list” of pre-defined correspondents you want to receive e-mail from.
I’ll never put Caldera on my white list, so I’ll never get its advertisements. Unfortunately, this also means that I’ll never get answers to my tech-support questions. Obviously there’s a big downside to such mail management: You’d never hear from any of those long-lost friends or acquaintances in waiting — or anyone else you’d forgotten to include in your list. Ultimately, white lists and blacklists are no solution to the spam problem.
Instead, I think that our only salvation from spam will be in the form of strong federal legislation that prohibits sending certain kinds of unsolicited e-mail without prior permission, and that creates statutory damages for those who violate the law. This is the approach that Congress took in the 1960s when a growing number of companies started sending pornographic catalogs through the mail, and it worked. It also worked to stem the tide of junk faxes in the early 1990s.
Congress should order the Federal Communications Commission to create a nationwide list of people who do not wish to receive junk e-mail. Then it should target pornographers by making it a crime, with a $1,000-per-violation penalty, to send e-mail that advertises a sexually explicit Web site to any of those registered e-mail addresses. If this system works, it could then be expanded to other domains, such as “get rich quick” schemes and eventually to unsolicited advertisements of any kind.
Without strong legislation, our in boxes will soon resemble a typical Sunday newspaper, with more advertisements than content.
I doubt anyone would sign up for dozens of daily e-mail messages promoting strange herbal remedies and CD-ROMs that contain 55 million e-mail addresses. But when it comes to avoiding spam, your options are, unfortunately, limited. Many of the most effective techniques for protecting your mailbox from spam have the side effect of limiting the ways that you can use the Internet.
There are two fundamental ways to keep spam out of your in box. The first is to prevent spammers from getting your e-mail address in the first place. The second is to filter out the incoming spam from the e-mail that you actually want to see.
Go stealth
If you are going to try to keep your e-mail address from the spammers, you’ll need to apply constant vigilance. Spammers have written programs that harvest e-mail addresses from practically every location you can imagine: Web pages, Internet provider directories, chat rooms and mailing list archives. These robots are silent and extremely effective: A friend of mine who is a school teacher in Los Angeles visited the “Parent Soup” chat room on America Online; two days later, her mailbox was filled with messages pushing pornographic Web sites.
The easiest way to hide your e-mail address is to withdraw from Internet communications: Don’t visit chat rooms, don’t post, don’t participate on mailing lists and don’t put your e-mail address on your Web page. Follow these techniques and you’ll get little spam; unfortunately, you probably won’t get much other mail, either.
A simple variant of the stealth technique is to cycle your e-mail addresses — get a new one every two or three months. Naturally, this is easier to do if you own your own domain. Alas, a constantly changing e-mail address will be difficult on your correspondents.
A less anti-social technique is called “address munging.” With this technique, instead of participating in online discussions using your real e-mail address, you use an e-mail address that’s not valid, but from which your correct e-mail address is easily discerned. For example, if you were President Clinton, instead of using president@whitehouse.gov, you might use president@remove-me.whitehouse.gov, or president@whitehouse.nospam.gov. Address munging throws off the current generation of address-scraping robots, although it’s only a matter of time before spammers have their robots automatically prune out the most common munging names.
If you do choose to go stealth, make sure that your e-mail address doesn’t appear in online directories, like Bigfoot (http://www.bigfoot.com) or the America Online membership pages. Many of the early spammers built their vast collection of e-mail addresses by milking UNIX servers at universities and businesses.
Unfortunately, stealth techniques won’t help you if you have a common e-mail address. That’s because spammers are increasingly resorting to what’s called “dictionary attacks.” Instead of trying to find a valid e-mail address, the spammers simply guess which e-mail addresses might work. For example, the spammer might send e-mail to tom@hotmail.com, dick@hotmail.com and harry@hotmail.com, without knowing that those addresses actually exist. A more creative spammer might try toma@hotmail.com through tomz@hotmail.com, and so on throughout the dictionary of first and last names.
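From the receiving side, a dictionary attack shows up as one client trying many recipients of which few exist. The following added example (not from the original article) flags such clients; the recipient log, the mailbox names, the IP addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (client IP, RCPT TO address) pairs as a mail server
# might record them. IPs come from documentation ranges; nothing here is real.
VALID_LOCAL_PARTS = {"tom", "harry", "alice"}      # hypothetical mailboxes
RCPT_ATTEMPTS = (
    [("192.0.2.10", f"tom{c}@example.com") for c in "abcdefghijklmnopqrst"]
    + [("192.0.2.10", "tom@example.com"),
       ("192.0.2.10", "dick@example.com"),
       ("192.0.2.10", "harry@example.com")]
    + [("198.51.100.7", "alice@example.com"),
       ("198.51.100.7", "alcie@example.com")]       # one honest typo
)

def find_dictionary_senders(attempts, valid, min_attempts=10, max_hit_ratio=0.2):
    """Return {ip: (attempts, hits)} for clients that appear to be guessing.

    A guessing sender tries many recipients and few of them exist, so a
    client is flagged when it made at least `min_attempts` tries and the
    share of valid recipients is at or below `max_hit_ratio`.
    """
    stats = defaultdict(lambda: [0, 0])             # ip -> [attempts, hits]
    for ip, rcpt in attempts:
        local = rcpt.split("@", 1)[0].lower()
        stats[ip][0] += 1
        stats[ip][1] += local in valid
    return {ip: (n, hits) for ip, (n, hits) in stats.items()
            if n >= min_attempts and hits / n <= max_hit_ratio}

def exposed_mailboxes(attempts, valid, flagged):
    """Valid addresses that a flagged client tried, i.e. the mailboxes that
    should now expect spam even though they were never published."""
    return sorted({rcpt for ip, rcpt in attempts
                   if ip in flagged and rcpt.split("@", 1)[0].lower() in valid})

if __name__ == "__main__":
    flagged = find_dictionary_senders(RCPT_ATTEMPTS, VALID_LOCAL_PARTS)
    for ip, (n, hits) in flagged.items():
        print(f"{ip}: {n} recipients tried, {hits} exist")
    print("exposed:", exposed_mailboxes(RCPT_ATTEMPTS, VALID_LOCAL_PARTS, flagged))
```

The client with a single mistyped recipient stays below `min_attempts`, so an ordinary typo is not treated as an attack.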
Try filtering
Since ultimately there is no way to prevent the spammers from sending messages to your mailboxes, many people have turned to filtering — automated techniques for identifying spam and sending it to the trash can without human intervention.
Filtering is somewhat error prone. Filter the words “business opportunity” in the subject line and you’ll can a lot of spam messages, but you’re likely to also throw away the e-mail about that new job offer. Throw away e-mail that’s in ALL CAPS and you’re likely to miss the HAPPY BIRTHDAY e-mail from your grandmother, who still doesn’t really understand the Caps Lock key.
Some filters work on domain names in the “From:” address. You can’t go wrong blocking e-mail from annoy.com, a Web site which was created to send out annoying e-mail. On the other hand, a lot of spam that gets sent shows a return address from popular services like AOL.com, Yahoo.com and Hotmail.com; block those and you’ll be blocking a lot of legitimate e-mail as well.
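To make the trade-off concrete, here is an added example (not part of the original article) that applies the subject-line and From-domain rules described above to a small mailbox and counts, per rule, the spam caught and the legitimate mail lost. The messages, sender addresses and rule names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed mailbox: (is_spam, raw message). Senders and subjects are
# invented to mirror the cases described in the text.
MAILBOX = [
    (True,  "From: promo@annoy.com\nSubject: You have been annoyed\n\nhi"),
    (True,  "From: deals4u@hotmail.com\nSubject: Amazing business opportunity\n\nbuy"),
    (True,  "From: x9@yahoo.com\nSubject: MAKE MONEY FAST\n\nbuy"),
    (False, "From: recruiter@example.org\nSubject: A business opportunity for you\n\njob"),
    (False, "From: grandma@aol.com\nSubject: HAPPY BIRTHDAY\n\nLOVE YOU"),
    (False, "From: friend@hotmail.com\nSubject: dinner on friday?\n\nsee you"),
]

def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

# Each rule returns True when the message should be thrown away.
RULES = {
    "subject-phrase": lambda m: "business opportunity" in m.get("Subject", "").lower(),
    "subject-all-caps": lambda m: m.get("Subject", "").isupper(),
    "from-annoy.com": lambda m: sender_domain(m) == "annoy.com",
    "from-free-mail": lambda m: sender_domain(m) in {"aol.com", "yahoo.com", "hotmail.com"},
}

def score_rules(mailbox, rules=RULES):
    """Return {rule name: (spam caught, legitimate messages lost)}."""
    results = {}
    for name, rule in rules.items():
        caught = lost = 0
        for is_spam, raw in mailbox:
            if rule(message_from_string(raw)):
                caught += is_spam
                lost += not is_spam
        results[name] = (caught, lost)
    return results

def delivered(mailbox, rule_names, rules=RULES):
    """(is_spam, subject) of messages that survive every rule in `rule_names`."""
    kept = []
    for is_spam, raw in mailbox:
        msg = message_from_string(raw)
        if not any(rules[n](msg) for n in rule_names):
            kept.append((is_spam, msg["Subject"]))
    return kept

if __name__ == "__main__":
    for name, (caught, lost) in score_rules(MAILBOX).items():
        print(f"{name:18} spam caught={caught} legitimate lost={lost}")
```

With every rule enabled nothing in this mailbox is delivered, legitimate mail included; with only the annoy.com rule, two of the three spam messages still get through.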
You could filter messages based on the IP address of the computer from which they originate. The Mail Abuse Prevention System (http://www.mail-abuse.org) maintains three Internet blacklists. The most widely used is the Realtime Blackhole List (RBL), which lists known “spamhausen” — computers with high-speed Internet connections that have been known to originate millions of messages at a time. Many ISPs subscribe to the RBL and automatically block any e-mail originating from one of the blacklisted computers. Other ISPs simply add a mail header to e-mail that is received from blacklisted sites, so that customers can filter on these as well.
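The two ISP policies described above, blocking outright versus tagging for the customer to filter, can be sketched as follows. This is an added example, not code from the article or from MAPS: it uses the reversed-octet DNS lookup convention that DNS-based blacklists commonly follow (documented in RFC 5782), and the zone name `rbl.example`, the `X-Blacklist-Warning` header and the listed address are placeholders, with a dictionary standing in for the DNS zone so the example runs offline.

```python
import ipaddress
from email import message_from_string

ZONE = "rbl.example"          # placeholder zone name, not a real blacklist
# Constructed stand-in for the blacklist's DNS zone: names that resolve.
FAKE_ZONE = {"10.2.0.192.rbl.example": "127.0.0.2"}
SAMPLE = "From: sender@example.com\nSubject: hello\n\nbody text\n"  # constructed

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, e.g. 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve=FAKE_ZONE.get):
    """`resolve` maps a DNS name to an A record string, or None if the name
    does not exist. A listed address answers with a 127.0.0.x record."""
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.")

def handle(raw, client_ip, policy, resolve=FAKE_ZONE.get):
    """Apply an ISP policy to one incoming message.

    policy "block": refuse mail from listed clients.
    policy "tag":   deliver it with a warning header added.
    Returns (accepted, message_text or None).
    """
    if not is_listed(client_ip, resolve):
        return True, raw
    if policy == "block":
        return False, None
    msg = message_from_string(raw)
    # Hypothetical header name; the article does not say which header ISPs add.
    msg["X-Blacklist-Warning"] = f"{client_ip} is listed in {ZONE}"
    return True, msg.as_string()

def customer_filter(message_text):
    """Subscriber-side rule: file tagged mail away from the in box."""
    msg = message_from_string(message_text)
    return "junk" if "X-Blacklist-Warning" in msg else "inbox"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        accepted, text = handle(SAMPLE, ip, "tag")
        print(ip, dnsbl_query_name(ip), customer_filter(text))
```

Tagging leaves the final decision with the recipient, which matters when a blacklisted machine also carries legitimate mail.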
One of the most technically sophisticated filtering systems is maintained by a company called Brightmail. Brightmail has set up e-mail boxes all over the world that exist solely to receive spam. When these mailboxes get a message, the message is sent back to Brightmail’s 24-hour operations center. A person looks at the message, identifies it as spam and constructs a special-purpose filter for that message. This filter is then distributed to all of the businesses and ISPs that subscribe to the Brightmail service. The theory behind Brightmail is that spammers tend to send the same message to millions of different mailboxes; once a message is identified as spam, that message won’t bother any Brightmail customers.
“The number you have reached is not in service at this time. Please check the number you are dialing or contact your operator for assistance. This is a recording.”
Remember that message? The time was the 1970s, and Bell Telephone was in the process of upgrading phone switching systems all over the country. Ma Bell, it seems, was fearful that a technologically unsophisticated customer might mistake Bell’s recorded messages for an unresponsive, unfriendly, human being. Rather than risk an upset customer, the Bell system prefaced every message with a few tones, and concluded each with those oft-parodied words, “this is a recording.”
Perhaps Ma Bell was being too cautious. Today those four magic words have largely been banished from the telecom lexicon, yet there’s little fear among telco executives that somebody’s grandma will start e-mailing complaints about rude and insensitive operators.
Ironically, if Grandma did write an e-mail about poor service, it’s increasingly likely that her message might be read and replied to by a machine — a machine engaged in the elaborate deception of pretending to be a human being.
Already, most of the e-mail sent to President Clinton at the White House is intercepted, categorized and replied to by a sophisticated mail handling system. Originally designed by researchers at the Massachusetts Institute of Technology Artificial Intelligence Laboratory, the system determines the purpose of the e-mail that has been sent to the president and chooses a response from one of many that have been previously written by a human staffer.
According to MIT professor Tom Knight, the White House system then displays the e-mail message and the selected response to a human operator who nominally checks the machine’s work before clicking the send button. The system keeps track of how many times each constituent writes; if this is the second time you have written on a particular subject, you automatically receive a different form-letter response — one designed for people who are especially concerned about a topic. Of course, the White House system also keeps track of how many letters have been sent on each subject and their stated opinions, so that the executive branch gets some kind of feedback from the people it allegedly represents.
Automated technology for handling e-mail is rapidly moving into the world of e-commerce as well. The January issue of MIT’s Technology Review magazine includes a profile of General Interactive, whose EchoMail product is currently used by Nike, J.C. Penney and other companies to automatically screen and route incoming e-mail.
Interestingly, the article credits EchoMail with J.C. Penney’s rapid decision to cancel its sponsorship of the television show “Ellen” in May 1997 after actress Ellen DeGeneres’ TV character came out as a lesbian. According to the article by Deborah Shapley, EchoMail analyzes each incoming e-mail to determine which product is referenced, the kind of request, the issue and the “attitude” of the person who composed the e-mail message. Back in 1997, EchoMail determined that lots of hostile e-mail messages were coming into J.C. Penney and alerted its human supervisor that they demanded immediate attention.
Unlike callers receiving those recorded telephone messages of the 1970s, most people receiving a canned response from the White House or J.C. Penney today probably don’t realize that their e-mail was read and replied to by a machine.
Unlike a recorded message, there’s no easy way to tell if an e-mail message is a canned response or has been personally composed and sent to the recipient. Indeed, it’s reasonable to assume that, as e-mail becomes more and more pervasive, Internet-enabled organizations will go to great lengths to make sure that their automatically generated replies appear as human as possible. Perhaps they’ll delay responding to a message for a few hours or pepper their missives with occasional grammar or punctuation errors.
In the world of e-commerce, little matters as much as the appearance of “customer care” and its resulting customer loyalty. Personalized e-mail encourages warm feelings on the part of a customer, whereas nothing poisons a customer as surely as bulk-reply e-mail containing canned responses.
Automated systems work because people tend to send e-mail on similar topics. Form-letter replies work great if you can pick the appropriate form response to a particular letter. But the precedent that these systems are creating — a precedent that makes it OK for computers to imitate people — is dangerous. It’s a precedent that could eventually tear at the social fabric of the online world.
Today, exchanging e-mail is probably most people’s favorite Internet activity. We use it to catch up with friends, make dinner plans, exchange ideas. E-mail is also a great way to make new friends — I know of more than one couple who met and fell in love as the result of speaking their minds on a mailing list.
Despite all these positive associations with e-mail, though, there are times when e-mail brings the most hateful of Net experiences — a deluge of spam. Junk e-mail turns the pleasures of e-mail inside out. Instead of a pleasing exchange with friends, a blast of junk e-mail is an attack by someone who is trying to take advantage of you. The only silver lining to spam is that you can frequently identify it — and therefore delete it — without even opening it.
But, what if the people who spam you were to borrow a trick from EchoMail? What if instead of receiving an e-mail message shrieking, “BUY THIS BOOK NOW!” you received an e-mail message from a woman at that company — an employee who stumbled across your Web page and shared some of your interests. Say you engaged in an e-mail conversation for a few weeks, and then one day this woman wrote that she was reading a book and really enjoying it. Over the next week, she sends a number of e-mails, telling you how wonderful the book is. Then she insists that you get a copy of the book, so that the two of you can talk about it on a deeper level.
Technologically speaking, there’s no reason why marketers can’t adopt this sort of aggressive, agent-based reach-out marketing. And economically speaking, there is no reason why markets wouldn’t embrace it. Computers and bandwidth are getting cheaper every day. By comparison, the number of consumers in the world is increasing only nominally. In the future, e-commerce companies will come under increasing pressure to use advanced technology to sell products; simulated human beings and electronic replicant friends will surely prove a cost-effective method.
I don’t mean to suggest that companies like Nike and J.C. Penney will resort to reach-out marketing in the coming years. But some companies will, and it won’t take many companies adopting these technologies before the online community is irreparably poisoned. Today, when you receive an e-mail message from a person you’ve never heard of, there’s a reasonably good chance that, if it’s not recognizable as spam, another human being is trying to make contact with you. But if reach-out marketing becomes widely used by even a few bad actors, there won’t be any way to know for sure.
Technologists might argue that public key cryptography could provide an easy answer to this problem: Simply require that each person who sends e-mail have a signed public key, and then make sure that the organizations issuing the signatures do not sign keys belonging to computer programs. But even ignoring the privacy implications of such a regime, the technological solution won’t work: There is no way to prevent a marketer from sharing his public key with an intelligent reach-out agent.
I think that the only real solution to the eventual problem of reach-out marketing will be legislative. One approach would be to adopt Ma Bell’s strategy from the 1970s: Require computer programs that send e-mail to identify themselves as such, and require that each computer-generated e-mail include instructions for contacting a real human being. Another approach would be to simply ban the practice before it becomes widespread.
Whatever the solution, I hope we can get proactive — and quick. The last thing I want to see is a crowd of intelligent agents causing the destruction of our online communities.