E-MAIL AT A CROSSROAD
SPAM, PHISHING AND OTHER ABUSES ARE THREATENING TO UNDERMINE CONFIDENCE IN THE INTERNET. WHAT WILL IT TAKE TO SOLVE THE CRISIS BEFORE IT'S TOO LATE?
E-mail is arguably the most pervasive application on the Internet, but it's under attack by an onslaught of abuses that are eroding its usefulness. If not reined in soon, these threats could change the nature of the Internet as we know it.
Problems plaguing e-mail and the Internet in general have hit epidemic proportions. Few users have escaped the insidious nature of spam, and more are falling victim to phishing, a growing form of online identity theft. Viruses often carry malicious code able to turn an unsuspecting user's PC into a "zombie" that, when summoned, becomes a spam-blasting mail server.
These aren't problems that a new version of Microsoft Exchange or some additional disk space can fix. The Internet community is hard at work developing technology responses to these threats, while U.S. regulators seek to use the few legislative tools they've been given to crack down on e-mail crime. Unwanted e-mail has become such a global headache that international organizations are spearheading efforts toward multinational anti-spam laws and regulatory bodies.
"We see what is at stake is no less than the protection and preservation of the Internet as we know it," says Robert Shaw, Internet strategy and policy adviser with the International Telecommunications Union.
Yet all these interested parties agree that there is no practical cure for e-mail abuse; there's only containment.
Statistics tell the story of a problem that isn't about to go away. The ITU estimates that spam makes up about 80% of all e-mail sent across the Internet and costs the global economy $25 billion annually. In July alone, 1,974 unique phishing attacks were reported, according to the Anti-Phishing Working Group (see graphic for more statistics, page 50).
Worse yet, no one knows what's lurking around the corner. Spammers have notoriously been able to stay one step ahead of technology and in their wake have created an entire industry of spam filtering vendors that scramble to keep up with the latest tricks. Phishers create e-mails and Web sites that are practically identical to those they're spoofing, luring even savvy computer users into identity theft traps. The viruses that are turning computers into spam-sending zombies damage an innocent user's reputation and make it impossible to determine the real source of the e-mail.
In the world of e-mail, the abusers are calling the shots, and the technology industry is being led around by the nose.
"If you talk to people who use e-mail, certainly within the consumer ranks, they're saying it's too much trouble now, there's too much junk, and it's just too dangerous," says Greg Olson, founder and chairman of e-mail software maker Sendmail. "The whole thing is in jeopardy."
Yet few would go so far as to say e-mail will cease to be a popular communication mechanism. Not only have businesses invested too much time and money in building their messaging infrastructures and online customer relation strategies, but e-mail has become ingrained in Americans' work and lifestyles.
"We've built such a tremendous dependency on e-mail, I don't think we're in a position where we'll go back and say 'I'm going to start calling people or writing letters again,'" says Howard Schmidt, chief information security officer at eBay and former White House special adviser for cybersecurity. "As we look at the evolution of technology, we've overcome things and moved forward; this is just another thing to overcome."
Still, the days of sending and receiving messages without risk or nuisance appear to be gone.
The only way to rid the world of spam is to make sending it not economically viable. The overhead associated with blasting spam across the Internet is so low that spammers require only the narrowest response rate to make money. If e-mail users ceased responding to myriad offers to refinance their mortgages or buy prescription drugs, spammers would stop sending them.
Short of making sending unsolicited commercial e-mail illegal - which the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) does, but only under specific circumstances - there appears to be no way to stop spam.
Clamping down on phishing, a more serious abuse that is considered a form of fraud and therefore a federal offense, means having to find the offenders and quantify the damages to their victims - something federal agencies have found challenging. Meanwhile, the Federal Trade Commission reports that identity theft continues to grow; the agency received 214,905 complaints in 2003, up from 86,212 in 2001.
With eradication of e-mail abuse an unobtainable goal, technology companies, industry associations, lawmakers and even international bodies such as the U.N. have set their sights on making e-mail's problems less severe.
While opinions differ on the best way to cut down on abuse, everyone seems to agree it will take a combination of new technology, strong legislation with serious consequences, vigorous law enforcement, end-user education and international coordination to fight the problem.
On the technology front, the industry seems to be coalescing around the idea of adding sender authentication to e-mail, letting recipients verify the source of a message (see "Sender authentication hits roadblocks," page 50). By verifying a message's sender (or in the case of the most popular proposals, the domain from which a message was sent), such technology would close the loophole left open by SMTP that allows Internet mail to be anonymous.
The Internet wasn't originally designed with sender authentication in mind because no one predicted the need for such a safeguard. "When I took the [Internet] project over at DARPA in '76, the system didn't have a specific authenticator for every message.... We were assuming the [user] community was trustable. Now we know that's not true," says Vint Cerf, senior vice president of technology strategy at MCI, who is widely acknowledged as one of the inventors of the Internet.
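The domain-level check described above, as an added example that is not part of the original article: a receiving server compares the connecting IP address with a policy published by the domain named in the envelope sender. It uses the ip4, ip6 and all mechanisms of SPF (RFC 7208), chosen here as one domain-based scheme; the `PUBLISHED_POLICIES` table, the `check_sender` name and all domains and addresses are constructed assumptions.

```python
import ipaddress

# Constructed policy records standing in for DNS TXT lookups (assumption:
# a real receiver queries DNS; these domains and addresses are samples).
PUBLISHED_POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(client_ip, mail_from):
    """Return an SPF-style result for a connecting IP and envelope sender."""
    # SMTP accepts any MAIL FROM value, so only the domain part is trusted
    # as a lookup key, never as proof of origin.
    domain = mail_from.rpartition("@")[2].lower()
    terms = PUBLISHED_POLICIES.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no policy: sender stays unverified
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for unlisted hosts
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside the subset handled here
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # The same claimed sender from an authorized and an unauthorized host.
    for ip in ("192.0.2.17", "203.0.113.200"):
        print(ip, check_sender(ip, "billing@example.com"))
```

A "none" result is the situation the article describes for plain SMTP: the claimed sender can be neither confirmed nor refuted.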
Some purists say that adding authentication changes the essence of the Internet, which has been lauded for allowing a free flow of communication that transcends economic, geographical and cultural barriers.
But most observers take a more pragmatic view - with so many people using the Internet and so much money to be made exploiting it, some form of accountability was bound to be necessary.
"It's inevitable that when you have this kind of wide deployment [of the Internet] you have to encounter issues like this," says Sanjay Pol, vice president of the anti-spam initiative at Cisco. "It's a shame, but it's also inevitable."
Until spammers can be identified, the only federal law passed to help fight spam remains largely useless. CAN-SPAM, which went into effect Jan. 1, has done little to stop unwanted messages, in part because it requires enforcers to be able to find violators. That is a tricky task on the Internet where senders easily can masquerade as someone they're not and where a large percentage of spam originates from overseas, outside the scope of the law.
"That's probably been the primary problem [in fighting spam], being able to find the people" sending it, says FTC staff attorney Michael Goodman. "For e-mail without authentication, it's too easy for spammers to violate the law without being detected."
Before creating a "Do Not E-mail" registry, much like the "Do Not Call" list that prevents telemarketers from dialing members' numbers, the FTC will wait for sender authentication to take hold, Goodman says. The agency is hosting a conference next week to examine the different sender authentication proposals and ensure "the whole spectrum of interests are represented, not just the big players," he says.
The goal of CAN-SPAM was not to cut down on the amount of unwanted messages hitting in-boxes, Goodman adds. Instead, its endorsement of the opt-out approach - preventing marketers from sending e-mail to recipients who have asked to cease receiving it - only makes sending spam illegal when marketers violate that agreement. "With opt out, you can say 'I don't want to hear from you,' but the law doesn't have a lot of tools to reduce the volume of spam," Goodman says. "That's where technology has the biggest role to play."
With phishing incidents on the rise, there has been some movement in Congress to address this form of online identity theft. In July Sen. Patrick Leahy (D-Vt.) introduced the Anti-phishing Act of 2004, designed to make phishing a federal crime that could put offenders away for up to five years. Current law states phishing is a crime only after someone has been defrauded, while Leahy's bill would outlaw attempting to deceive e-mail users.