IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Given at a Full Committee Hearing:
CAN-SPAM Act
Thursday, May 20 2004 - 10:15 AM - SR - 253

The Testimony of Mr. Hans Peter Brondmo
Senior Vice President, Digital Impact, Inc.

Testimony for Senate Committee on Commerce, Science, and Transportation hearing on review of the CAN-Spam Act and new anti-spam initiatives. May 20, 2004

Hans Peter Brondmo Digital Impact, Inc.

My name is Hans Peter Brondmo and I am a Senior Vice President with Digital Impact the largest email service provider in the country. Our company powers the customer communications and marketing email infrastructure for over one hundred large organizations such as the Gap, Hewlett Packard, Yahoo, Washington Mutual Bank and Verizon. In other words, we send emails that notify you about sales at your local Gap store, updates to your Hewlett Packard printer software and keeps you in touch with your bank. I am also the co-chair of the technology working group for the Email Service Provider Coalition, an industry coalition representing over 45 email services providers.

It goes without saying that the spam problem is of great significance to Digital Impact, our customers and the ESPC. When we began to understand the scope of this problem a few years ago we decided that spam can be solved and that the solution can be summarized in one word: accountability. In order to stop spam, organizations sending legitimate email must be able to step into the light to be identified and held accountable for their behavior. Any organization sending email but not willing to be identified can then be treated with suspicion or may simply be blocked altogether. By leveraging the openness of the Internet we can ensure that those abusing the email medium can no longer do so while hiding in the dark corners of cyberspace.

In order to hold senders accountable for the email they send we need to update the email infrastructure to support a new set of authentication, accreditation and reputation services. I will share some of the most recent developments in this space and describe why I agree with the claim made recently by Bill Gates that we will rid the world of the spam plague within two to three years. My perspective on how this is done differs slightly from Mr. Gates, but we agree on the objective and timeframe.

Email is a powerful, timely, efficient, cost effective, convenient and environmentally friendly way to communicate. Those abusing the email infrastructure to spew out unwanted, unsolicited commercial emails by the billions and using email to attack computer users with viruses and identity theft schemes are abusing a public commons for personal gain. I have been an email user since 1982 and have come to rely on it more than any other tool of communication. Email has in fact become the number one preferred medium for business communications and one of the top three for personal communication. The abuse by those using email to broadcast nefarious payloads is threatening the medium. We all agree it must be stopped. Yet the question still remains: how?

The CAN-SPAM Act is an important contribution to the war on spam and I commend Senators Burns and Wyden for their leadership in this effort. While modifying the code of law to impact the behavior of spammers is necessary, it is not sufficient. It is probably too early to determine the effectiveness of the CAN Spam Act, but there does seem to be evidence that the new law has turned up the heat on spammers who prior to January 1st 2004 were able to operate with impunity. Recently there have been media reports of spammers who have taken down their “shingles” because they do not want to risk jail time. Yet according to anti-spam firm Brightmail 64% of all email in April was spam, a record high number. Regrettably the CAN Spam Act is unlikely to eliminate the hard core spammers, especially those sending viruses and perpetrating “phishing” attacks – the most dangerous form of spam.

I received an email recently regarding my Citibank credit card. It claimed that there was a problem with my account and requested that I click on a link verifying my username and password. This cleverly designed message – a phishing email – was designed to capture my username and password to steal personal account information. It was an attempt at identity theft. As I clicked on the link in the email it took me to a fake web page that looked identical to the Citibank web-site. I dug around a bit and discovered that the page was hosted by an ISP in Russia. I have received similar emails over the past year purportedly from eBay, Visa, Earthlink and several other companies with whom I have business relationships. As you may be aware the IRS was recently attacked in similar fashion. Unsolicited and deceptive spam, while annoying and offensive, is no longer my biggest concern. My greatest worry is spam’s evil cousins, phishing and computer viruses.

Email is a carrier of payloads. These payloads take many different forms. They may take the form of a written message from a colleague or a long lost friend, a digital photo from a family member, or a web page with clickable links and images from a company we do business with. As we all know, emails can also contain payloads that we don’t expect, welcome or desire including offers for body altering herbs or undesired lewd images. The worst payloads contain computer worms and viruses that rapidly infect millions of computers and cause enormous economic harm and they contain schemes designed to play on our fears or abuse our trust while attempting to steal our identity in order to defraud us.

I mention these examples because they illustrate the breadth and severity of the threats to the email infrastructure and to remind us that cyberspace knows no boundaries. A recent study conducted by the Anti-Phishing Working Group described 282 unique email phishing attacks in the month of February 2004 alone. Brightmail reports a ten-fold increase in the volume of fraudulent emails from August 2003 to April 2004. Even if the law were to be effective in reducing unsolicited, deceptive commercial email solicitations, the really bad guys will continue to operate without regard for US law. Laws alone will not enable us to solve the core problems we are facing – we must look to changes to the technology infrastructure to address the structural vulnerabilities of email.

Email is currently a very simple and open system. The simplicity of the email protocols is probably responsible for its explosive growth and broad adoption. Yet with the simplicity of email come vulnerabilities. The engineers that designed the protocols used by every email system could not have foreseen the types of uses and the scale of deployment we have today. The vulnerabilities of email are being exploited by spammers and only a change to the email infrastructure can solve this problem and ultimately rid the world of spam, making it safe from identity thieves and making it much more difficult to distribute computer viruses. Such structural changes to email will have wide ranging consequences. I believe that the current discussion needs to shift, and that the legal debate should now be focused on the new changes happening to the way email will work in the future.

Consider the nation’s air transportation infrastructure. It was not very long ago when getting on an airplane was as simple as having a valid ticket and showing up at the airport on time. The ticket did not even have to have your name on it. It was simply required as a proof of purchase. No ID was necessary to fly, nor were there security checks and luggage scans. Today things are very different. Why? Because the security of the infrastructure was compromised by passengers with anti-social motives. They carried dangerous payloads, hijacking planes for financial and political gain. A few bad passengers and their payloads threatened our safety by compromising air transportation. Airplanes were eventually even used as weapons threatening our very national security.

Making hijacking a crime does not make our air transportation infrastructure safer. While it is illegal to carry a weapon onboard a commercial airplane, it does not protect us from true harm. A multitude of security measures have been put in place to ensure that it is difficult to compromise the safety of the air transportation infrastructure. In order to board an airplane today we must present a valid government issued ID and we may be subject to screening to ensure that we don’t have a history of anti-social or threatening behavior.

Returning to email, we are still living in a world where no ID check is required in order to “board” a computer with an email message. We do have the equivalent of airport screeners for email in the form of computer programs, typically called filters, that scan the content of our emails attempting to determine whether the mail is spam or not. In essence, a computer is “guessing” whether emails are spam based on statistical analysis and rules applied to the contents of the message. Unfortunately, screening is far less effective for emails than for passengers boarding an airplane. Even if a great filter catches 99% of all spam, hundreds of millions of junk emails will still get through. Unlike a scanner at the airport, it is not economically feasible for a filter scanning electronic mail to request that a person look at every suspicious email. When a computer is left to guess whether a message is spam based on scanning the content of an email message it will not only miss unwanted messages, but also misclassify wanted mail as spam resulting in a false positives problem. Like spam itself, false positives reduce the value of email and make the medium less reliable. According to research recently commissioned by Goodmail, sixty eight percent of email users reported not having received important emails due to spam filters. A staggering forty eight percent reported not having received personal emails, twenty five percent said they had lost order and shipment confirmations and seventeen percent missed important work email.

Spam continues to persist because it is impossible to trust the origin of email and therefore impossible to determine with certainty whether an email is from a good or bad source. The computer protocols that power our the foundation of our email infrastructure are flawed because they make it very easy for any sender of email to pretend to be whomever they want to be and to continuously change their identity. I can from my laptop computer, with no special software and minimal technical expertise send an email that looks like it comes from any email address of my choosing. In other words, it is trivial to spoof, or fake, the identity of the sender of an email message. If we cannot trust that the sender of a message that may contain important, sensitive, personal or harmful information is in fact who they say they are, we cannot trust the medium. This is the essence of the problem we are faced with, a problem that legislation cannot address. Until we can trust and rely on a message in our inbox to be from the sender that shows up on our computer screen, we will not solve the spam problem. Worse we will continue to be vulnerable to the really bad stuff: phishing and virus attacks.

As mentioned above we can solve the email security and spam problem by making a few changes to the Internet, upgrades that in fact are under way. Here is how it will work: Just like we must present a valid ID in order to board an airplane, the email infrastructure will require the equivalent of an ID be presented by the sending computer in order to deliver mail. If I try to send email using an email from-address that I do not have control of under this scenario it will no longer work because my computer has to present its secure credentials and those credentials will not match the sending address. When I am sending from my own email address, my secure credentials would validate that I am indeed who I claim to be. This is a good first step but the recipient may still not know who I am and therefore not know whether to trust me not to be a spammer or virus hacker. It is therefore also necessary to keep track of the history and reputation of senders, so all recipients can look up the past behavior of unknown senders once they’ve been authenticated. By checking the reputation of a sender, his email credit score if you like, a determination would be made as to whether to let messages from that sender through, quarantine them for further investigation or simply reject them outright. Over time good senders would earn a good score (a good reputation) and spammers with their bad scores would fail to get their mail delivered. We would have accountability because we would have an accessible history of behavior.

Let me emphasize that this is not some academic pipe dream. A number of solutions are already under development by large and small industry players such as Microsoft with its Caller-ID proposal, Yahoo! with Domain Keys, Verisign, Brightmail and Bonded Sender with accreditation and reputation services, Goodmail with email stamps and others such as Sender Policy Framework (SPF) being spearheaded through an open source initiative. The Internet Engineering Task Force (IETF) is playing an active role to standardize the various authentication proposals currently being discussed. As a matter of fact, the IETF is meeting in San Jose, California as we speak to discuss these very issues and coordinate and review existing initiatives.

Let me in closing point out that the authentication proposals outlined above are not intended to track the behavior of individuals. They are intended to authenticate computers and domains, not individual email users and addresses.

The real challenge we face is to facilitate the continued evolution of an email eco-system that supports authentication, accreditation and reputation services, while also protecting the power of open access to information that makes the Internet what it is. Technology and market forces will solve, in fact are now solving, the authentication and reputation problem. Authentication will enable law enforcement to do a better job and in combination with emerging accreditation and reputation services it will also allow the Internet to be more informed and individuals or organizations to make decisions about what sources of email they should trust. The emerging accreditation and reputation systems have many similarities to credit ratings, and there will be a need for transparency, fairness, and equal access that is better guaranteed through regulation than technology. While too early to act, I believe this is where regulatory action and oversight in the email space should be setting its sights.

Updating the Internet as I have described in my comments means that we must create an infrastructure that supports accreditation of senders, implements authentication of the computers sending email and provides generally accessible reputation services. This is no small task, but it can and will be done. And once computers have identities and reputations, we will be able determine whether to trust the source of incoming email allowing desired messages into our inbox or throwing junk it the proverbial bit-bucket based on the recipients’ personal preferences and taste, not laws and regulation.