If you’ve maintained the same e-mail address for more than a few months, you know the feeling. You sit down with a cup of coffee to read through the daily mail, anticipating glad tidings from friends, but message after message turns out to be worthless, or worse. Your in-box is filled with Viagra ads, strange garbled documents that appear to be written in code, enticements to view pornography.
Untold billions of dollars have been poured into the problem of combating spam, and untold millions of hours have been wasted scrolling through unwanted messages. President Bush waved a wand and promised the problem would disappear when he signed into law the CAN-SPAM Act of 2003, “imposing limitations and penalties on the transmission of unsolicited commercial electronic mail via the Internet.” Anybody notice any less spam since that law was passed? By some estimates, the percentage of Internet traffic that is spam now exceeds 60 percent.
So why have all the efforts to control spam been so ineffectual? The answer may be that we’ve wrongly assumed we should treat spam like a disease, relying on various digital antibiotics to contain the infectious spread of unwanted e-mails. Developers of spam-protection software have created blacklists of “known spammers” whose e-mail addresses are automatically rejected from our in-boxes. They’ve compiled elaborate inventories of junk mail content used to block specific messages. And they’ve developed intelligent pattern-recognition software that can detect telltale signs of spam, even if the message has been sent for the first time. The disease model is based on the premise that spam is going to be ubiquitous and that the best thing we can do is build up the antibodies in our computers’ immune systems to protect us from it.
Maybe we just need a new model: Spam as a digital version of pollution. We can fight pollution in two ways: Either invest in technologies that protect individuals from the effects of environmental hazards or try to identify and eliminate the root cause of those hazards. Right now, we’re following the first approach with spam. It’s as though we’ve decided to shield ourselves from toxic air by installing air filters in every window and handing out gas masks to those who venture outdoors. To get to the root cause of the problem, we have to confront one crucial fact: Spam pays. We can build all the filters and blacklists we want, but the spammers have an incentive to find ways around those defenses because sending spam continues to be a relatively easy way to make money.
Over the past two decades, environmentalists have refined a methodology that is sometimes called true-cost accounting. The crux of this methodology is that the costs associated with polluting the environment and wasting precious natural resources are often hidden. When you buy a gallon of gasoline, for example, you’re paying for the costs of extracting that fuel from the ground, refining it, and shipping it to your corner gas station, along with other business overhead. But you are not paying for the damage you do to the environment or to other people’s health.
The same analysis can be applied to spam. The price of sending spam doesn’t account for the cost of receiving it. E-mail is essentially free, whether you’re sending a two-sentence birthday greeting to your mother or a hundred thousand “free Viagra” spam messages. You have to pay money to get connected to the Internet, usually through a service provider like AOL or Earthlink. But once you’ve paid your monthly flat-rate bill, you can send as many messages as you want. As your total sent mail rises in number, the cost of sending an individual message approaches zero. Even the most implausible business can make money if the cost of reaching new customers is zero. You might fool only one in 10,000 recipients with your plea to wire money to a bank account in Nigeria, but if it costs almost nothing to send your plea to 100 million people, you’re left with a tidy profit at the end of the day.
Meanwhile, the true costs of those bulk e-mail messages are carried by nonspammers—directly in terms of time wasted separating the wheat from the chaff or installing new spam-blocking software but also indirectly in higher rates from Internet service providers.
Last year AOL alone blocked nearly 500 billion spam messages and fielded nearly 20.4 million complaints in a single day from customers. Industry analysts at Ferris Research estimate that the total cost to businesses of fighting spam in 2003 was $10 billion.
The magnitude of this problem has led a number of influential thinkers to conclude that sending e-mail is simply too cheap. We won’t need fancy spam-blocking tools if spam stops being profitable. Reflect the true cost in the price of sending an e-mail and the market will eliminate spam. You may get more paper catalogs than you would like via postal mail, but your real-world mailbox isn’t flooded with paper advertisements for penis enlargement services because sending postal mail costs money. That cost weeds out the lowest form of spam better than any pattern-recognition software could ever hope to.
So what’s a fair price for sending mail? And how should that price be implemented? The Internet is a famously open system, designed to encourage the free flow of information. There is no easy way to convert all the mail servers in the world to a new pricing scheme, one that would accept currency or credit card numbers from every country on the planet. And even if we could implement such a payment system, we wouldn’t want to make sending mail unaffordable to the millions of nonspammers who have grown dependent on the medium. To that end, some have proposed a penny stamp tax on sending mail. Even if you’re an e-mail addict and send a hundred messages a day, that’s still only about the price of a cup of coffee. But for a bulk spammer sending a million messages, it’s a major investment.
Perhaps the most intriguing solution comes from a company that has a major financial stake in the elimination of spam: Microsoft. Cynthia Dwork, a senior researcher, has proposed adding to the cost of sending mail by taking to heart the old adage “time is money.” Computation time, to be precise. Right now, sending a message over the Internet involves your computer talking directly to a mail server: The two computers identify themselves to each other speaking in the language of the SMTP protocol, and once that identification has been made, your computer passes along the message to the mail server, which then dispatches it across the Net to its eventual destination. Dwork’s solution is to slow that exchange down and force a computer on the sending side to solve a mathematical puzzle built out of the specific details of the message: the sender’s e-mail address, the date and time, and the message content. Messages sent at slightly different times, or to different addresses, would generate a different puzzle. “That way, if spammers want to send the same message to many different people, they will have to perform many different calculations,” she says. “Similarly, if spammers want to send to a fixed receiver lots of different messages, or the same message over and over, they will have to recompute each time, since either the message is changing or the date and time is changing.”
Dwork’s approach throws in a wildcard variable that she calls k to ensure that the puzzle solving is challenging enough to keep up with Moore’s law, the widely held assumption that the processing speed of computer chips doubles every 18 months. “The value of k is initially chosen so that computation takes about 10 seconds, and it is increased when machines get faster,” Dwork says. The end result of this approach is that instead of being able to send an e-mail message in an instant, the sending computer would have to think for 10 seconds, after which it would be allowed to pass the message along.
The time lag would be largely meaningless to ordinary e-mail users: If you had 10 messages queued up to be delivered, it might take a little longer to send them, but you’d be able to do other things with your computer while it solved the puzzle. “Most people have lots of unused computational cycles on their computers and send relatively few messages,” Dwork explains. But that kind of computational time would be disastrous for the spammers. Right now, a spammer can send millions of messages a day from a single machine. If you add a time stamp to each message that costs 10 seconds of computing time, then a single computer can send only about 8,000 messages a day. To keep up with the old rate of outbound messages, the spammer would have to buy more machines, which would raise the cost of doing business. And you don’t need to raise those costs very high to make spam unprofitable.
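The stamp scheme described above can be sketched in a few lines. This is an added illustration, not Dwork's actual puzzle function: it substitutes a hashcash-style search for a SHA-256 hash with k leading zero bits, and the function names, field layout and sample values are assumptions made for the example.

```python
import hashlib
from itertools import count

def _digest(sender, recipient, timestamp, body, nonce):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.sha256()
    for field in (sender, recipient, timestamp, body, str(nonce)):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(sender, recipient, timestamp, body, k):
    """Sender side: brute-force a nonce. Expected cost is about 2**k hashes,
    so raising k by one doubles the work (the knob that tracks faster CPUs)."""
    for nonce in count():
        if _leading_zero_bits(_digest(sender, recipient, timestamp, body, nonce)) >= k:
            return nonce

def verify(sender, recipient, timestamp, body, nonce, k):
    """Receiver side: one hash, no matter how large k is."""
    return _leading_zero_bits(_digest(sender, recipient, timestamp, body, nonce)) >= k

def max_messages_per_day(seconds_per_stamp):
    # Throughput ceiling for one machine that must pay for every stamp.
    return 86_400 // seconds_per_stamp

if __name__ == "__main__":
    # Constructed sample message; k is kept small so the demo finishes quickly
    # instead of being calibrated to roughly 10 seconds of work.
    k = 16
    msg = ("alice@example.org", "bob@example.net",
           "2004-05-01T09:00:00Z", "Lunch on Friday?")
    nonce = mint(*msg, k)
    print("nonce:", nonce, "valid:", verify(*msg, nonce, k))
    # The same stamp reused for another recipient fails verification.
    print("reused:", verify(msg[0], "carol@example.net", msg[2], msg[3], nonce, k))
    print("stamps/day at 10 s each:", max_messages_per_day(10))
```

Because the recipient and timestamp are part of the hashed input, a stamp computed for one delivery cannot be replayed for another, which is what forces a bulk sender to redo the work per message.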
There is an elegance to Dwork’s approach that is almost as appealing as its practical value: After years of humans wasting time deleting spam from their in-boxes, the ultimate spam-blocking solution may turn out to be wasting the computer’s time—on purpose.