E-mail is broken

Four Internet pioneers discuss the sorry state of online communication today. The consensus: It's a real mess.

Published October 2, 2003 7:30PM (EDT)

Somewhere between that spam promoting spyware disguised as a chipper e-greeting and the latest e-mail-borne virus masquerading as an urgent software upgrade, something got lost.

Not just a single overlooked urgent message from your boss, lodged in a sea of ghastly teenage bestiality spam, but something more fundamental, something more essential.

It's impossible to say exactly when the ritual of opening the e-mail in box went from being the lure that brought you online in the first place to a slough of deleting drudgery, full not only of irritating commercial messages that you never signed up to receive, but also of potential threats that could bring down your computer. But there's no use being nostalgic for that earlier, simpler time, whenever you got online, whether that was in 1984 or 1998. You can't go home again, or at least, you can't go back to a home without spam.

The questions now are: Can e-mail be saved? How bad is the problem, really? And what can be done to fix it?

Salon interviewed four Internet pioneers, computer scientists who have been online longer than most of the rest of world and who, in some cases, helped set up the systems we use today. (The four men were interviewed separately, but for clarity their answers have been grouped by subject.)

Dave Farber, who sometimes calls himself "the grandfather of the Internet" because many of his students went on to be its fathers, is now a professor at Carnegie Mellon University's school of computer science. He first went online in 1962 and started on the Internet in the late '60s "near the day it was born," when his student Dave Crocker, now a principal in Brandenburg Consulting but then part of the original Arpanet research community, "got the damn thing working."

Brad Templeton, chairman of the board of the Electronic Frontier Foundation, first used e-mail in 1976 and started the first ".com" company, in 1989. And Jakob Nielsen, a usability expert and principal of Nielsen Norman group, started using e-mail in 1981 and the Internet back in 1985, when he worked at IBM's T.J. Watson Research Center: "Every single time I sent e-mail to a non-IBM address, a screen came up to warn me that we were sending information outside the company and asked the user to confirm that no confidential information was included."

How bad is spam, really?

Farber: I'm seeing a fairly wide variety of people, from old, grizzled network people to major investors in technology companies who say: "Who needs this pain? I get spammed to death. I get viruses. I get the spam caused by viruses. I get forged messages."

One guy sent me a note today saying, "I spend about an hour and a half a day cleaning out my e-mail." And he uses a spam filter, but there's still a major amount of noise.

The reliability of e-mail has suffered incredibly from the need to put in spam filters that don't work that well. I think that there's a danger that people are going to say more and more: Who needs it?

At some point in the game you're going to see people saying: "I can make a phone call; with voice mail, maybe I'm better off.

Over the last six months the amount of spam has gone up phenomenally. This last virus or worm that started generating huge volumes of e-mail sort of broke the back. It's not too late, but I think it's getting to be close to too late. If you believe in the old atomic scientists' clock, it's five minutes to midnight.

During the height of the worm that was generating automatic spam, I was getting close to about 3,000 messages every five hours that were junk. Luckily, I have a broadband connection. If I had had a dial-up connection, I probably would have thrown the computer against the wall.

Crocker: Rather than a slow, regular increase, there have been moments in which spam has jumped up higher. There have been massive increases in bursts. The consensus is that it's happened a number of times in recent years.

A lot of the problem with spam is the distraction; in its current volume it makes it difficult to find the important messages.

There is a huge portion of the e-mail user population that is fed up. Whether they are as fed up as the media are portraying them, I'm not sure. Whether being fed up means that e-mail has become unproductive, I'm not sure about. We need to look at these kinds of statements and assessments in a larger context. People are fed up with gas prices and traffic congestion. We don't have any consumer revolts about any of them. You don't have people demanding alternate forms of mass transit.

Jakob Nielsen: "You've got mail" is not a happy sound anymore. People aren't really looking forward to their e-mail anymore. It's a stressful endeavor.

People are very pressed for time when they process their in box. They are really very, very frustrated with their in box and have no idea why they're getting things.

Spammers poison the well for everybody, because users have no way of really differentiating between legitimate and illegitimate e-mail.

I really do think that we have to do something to change e-mail.

Templeton: Spam has scared people so much that they want to do anything that they can to stop it.

It's the problem of the automation of good and evil. Moving into the online world allowed us to automate all sorts of good things. An ordinary guy with a Web site can reach millions of people and use that automation to change the world.

The downside is that one person can also write a program to automate doing something bad. There have always been bad folks. But there are not very many of them in a decent society. So if you look at Sears, the department store, they don't have a lot of security there. We have mostly built our society on the idea that there will be some bad folks, but they'll be a very small portion of the population.

But if I could build a thousand robots that could come in off the street and take all the merchandise, then they would have to put a gate around the store. That's what happens in the online world. Computers amplify both the good and the bad we can do, and spam is yet another example.

What do you do to protect your own in box?

Farber: I am a big user of e-mail, and I haven't given up yet. All the protection that I put in place has filtered out mail that's important to me. For instance, my tax person sent me stuff as an e-mail attachment. Twice, I never got it. I don't know where it went.

E-mail was always a very sure way of getting things to people. Now it's not so sure. What I eventually said, after two times, is "Fax it to me." And that's not what you want!

I will probably not get to the place where I would give up, because I can put up a lot of defenses, but the average person can't.

Crocker: I'm forced to use the available mechanism -- filtering. And that's pretty much it. I don't think that any of the authentication techniques have gained a critical mass of utility yet.

Nielsen: I have stopped using e-mail and hired staff to do it for me. That's not a scalable option. That's an option that only works if you're the boss of a company.

Templeton: I wrote my own spam-blocking tool in 1997, which was the first of the "challenge-response" tools. It takes a secretary-type approach for my public address, which I put on Web sites and postings.

Will anti-spam legislation have an impact?

Nielsen: I'm in favor of a law against spam, but spammers can set up business overseas. Unless we're going to send in the Marines anytime there is a spammer in another country, we just can't pass a law that's going to work.

Templeton: Legal solutions can have a place. There are some spammers in the U.S. who could be deterred by the laws, no question.

But the most common spam I get is telling me about $42 million in a locked box in Nigeria. That's a confidence trick. It's fraud. You don't need a stronger law against that; you already have a fraud law: the strongest law you're ever going to get.

Most of the laws are bad, and certainly none of them effective. It's worse than useless, actually. It creates debates about how you're going to regulate speech on the Internet.

Farber: The Massachusetts law says you can sue the spammer.

Happy day! How is Jane Housewife or Joe Househusband going to go sue somebody? Unlikely. The problem is tracking down people who are out of the country -- even within the country. It allows me to sue a spammer. That doesn't work. First of all, you have to find them. Then, there are all these questions about jurisdiction. E-mail is a national facility. It's not a state facility. So, I think it's going to take a federal law.

Crocker: Overall the state laws aren't very effective. They're a research activity for a future federal law. Anybody who understands the range of venues realizes that the enforcement scope that a state can work from is too small. The real problem is that so is a country.

Farber: You need somebody out there with the bank account, like the Federal Trade Commission or the Federal Communications Commission. The FCC did a good job with fax spam.

A federal law would not stop the little guy around the corner. What it would stop is the big companies. It would make them behave. It's the same as phone spam. What did we finally do? We passed federal-level law, do-not-call, because the state laws were not working.

Again, it's not a magic cure. It has to be done right. It's too easy to pass laws that don't do anything, laws that don't work.

What about technical solutions?

Farber: Authentication of addresses would help an awful lot. A lot of the spam is forged, and we've know for 30 years that e-mail has this problem, and nobody seems to want to invest in fixing it.

You need to encourage and maybe fund technology that lets a user authenticate that mail comes from who they chose it to come from -- personal "whitelisting." Some of the spam filters do that -- anybody in your address book bypasses your spam filters.

Templeton: Some people wish that e-mail had authentication in it. The U.S. post office -- snail mail -- doesn't have authentication, and you can send something in that that will kill you, which is a lot worse than any spam that I have ever gotten. We survived the Unabomber and anthrax.

Blacklists don't have any accountability, any checks and balances. I've been on them. It's like punish the innocent in order to get at the guilty. Spam has led people to endorse [blacklists]. [People] are very afraid of it, and they do rightfully say that it's damaging e-mail, and you have to find ways to deal with it.

Filtering on the content is generally a bad idea. If you're actually going to really mail someone about Viagra, I don't know how you'd get that through. I'm sure the Nigerians are facing the same problems. The telephone do-not-call list was struck down last week, because it tried to filter by content.

Crocker: Spam is fundamentally a human and social problem. It's not a case of breaking the technology; it's a case of using it in a way that we do not approve of.

We need small, incremental changes. I'm not saying that they have to be done slowly. They should be done carefully but quickly. I think that we need useful but not onerous ways of finding spammers. I think that we need useful but not onerous ways of vetting legit senders.

There's been authentication technology for 10 years, and penetration into the user market is minuscule. So we shouldn't expect that any next technique for authentication is going to take over instantly. When you have half a billion users, when you have many, many thousands of service providers, any change takes a long time.

I think that some spam-control proposals are being overly reactive, rather than trying to go to actual causes of spam, and ignoring the question of balancing the controls against the negative effects. The approach that says you have to show your passport for every interaction obviously is excessive.

My personal favorite for proactive approaches to spam is to increase the accountability. That's not the same as authentication. It says, if I need to find the author of the message, there is a path to them. It does not automatically require that they sign the message but provides a reliable way to link a message back to the originator.

Nielsen: I think basically e-mail does not work anymore, which means that we have to tear it apart.

The combination of spam and viruses makes e-mail a polluted, dirty, unsafe environment. And we can all make jokes about the porn, but at the same time it is also kind of grubby and dirty and unpleasant.

All the spam actually does degrade the environment, and then the viruses are of course the ones that are actually hurtful.

So, for any individual spam, you can just say, "Get a grip and just delete it." But with 100 or 200 or 500 per day, after a while, enough offensive little jabs, and enough five-second productivity losses by scanning the micro-content of subject lines and deleting it, add it up and you can talk an hour a day that's just being stolen from you. In the aggregate, spam is actually incredibly hurtful.

It's not a matter of a little quick fix, like getting a better spam filter. All these spam filters that have been suggested have huge downsides, interfering with legit communication, and the average person doesn't understand how to use it.

Basically start over again from a clean slate. And that's not a popular message.

It would really mean to stop accepting e-mail according to all the existing protocols. I think that the only way to do that is if you know enough important people that you want to talk to who stop using it.

My thought for how to implement this: a number of sufficiently big organizations -- AOL, Microsoft, the federal government -- would have to announce that two years from now no more e-mail will be accepted.

All the companies around the world would have to upgrade.

The reason it's impossible to really upgrade e-mail is that everybody has to upgrade at the same time. The beauty of e-mail -- and it has worked fairly well for a long time -- is that it's fairly ubiquitous.

I think that it would have to be a system that has built-in security and authentication that you can always track down. You know where it's coming from, and it's always encrypted and always secure.

Why do we have to suffer from spam?

Farber: The more people who get on the Net, the more it resembles society -- and society, especially U.S. society, is a commercial world. And you have people who see the opportunities to make a few pennies, and if they're good enough at it they even get to be in the New York Times, with their picture, and they go and do it.

Whether it's ethically right or wrong, until it becomes legally right or wrong, they will do it.

Crocker: Pretty much any institution that grows powerful then attracts people who want to abuse it.

Spam is a syndrome, not a disease. It's multiple diseases, not a single disease. I think that spam is a permanent condition. And so we need to look for multiple ways to control it, just as we need multiple ways to control cockroaches. We need good infrastructure, proper hygiene and good chemicals to deal with infestations.

I have a concern that people continue to look for the magic bullet, and there won't be one.

By Katharine Mieszkowski

Katharine Mieszkowski is a senior writer for Salon.

MORE FROM Katharine Mieszkowski

Related Topics ------------------------------------------