Between spam and viruses, email is taking a battering as users’ favourite online application. Add to that privacy concerns and a few emerging alternatives such as messaging and voice telephony, and the killer app may be losing favour, according to some experts at the recent Email Technology Conference in San Francisco.
No single product or technology would keep our inboxes clean or our computers safe, speakers and attendees agreed. But some said it wouldn’t be possible to sufficiently stem the tide.
The first step to secure email is to force accountability by identifying who is sending the message.
Two promising email authentication systems are under development. One is Sender ID, which combines Pobox.com’s Sender Policy Framework (also known as Sender Permitted From) and Microsoft’s Caller ID for email. The other is Yahoo’s DomainKeys.
Sender ID maintains lists of IP addresses from which sent email can be traced. DomainKeys uses a set of private and public encryption keys to validate the IP address (or domain) of the sender, and to verify that the message’s contents haven’t been altered.
Even the developers admit spammers and phishers will find ways to fool these security techniques by making their messages appear to originate from trusted domains. Authentication alone was insufficient, said John Levine, who chairs the Anti-Spam Research Group, at the conference’s ‘Email and Free Speech’ wrap-up session. “All SPF can say is ... this message is domain-verified,” he said.
Similarly, the speakers agreed nearly unanimously that the US Federal Trade Commission’s recent rejection of a Do Not Email registry was correct. Sponsor Senator Charles Schumer and other members of Congress had hoped to model a list after the successful Do Not Call list for telemarketers. But unlike phone calls, which can nearly always be traced to the originator, spam is rarely sent from the address in the “From” field, and spammers’ use of open relays makes messages untraceable. Also, securing such a list is essential, the speakers said. If a list of valid email addresses fell into the hands of spammers, they’d use it for nefarious purposes.
Another point of contention is the role of users in email security, particularly as viruses are primarily spread through email. Internet pioneer, Dr Vinton Cerf, described his concept of “cyberhygiene” in a keynote address.
“We really need to educate ourselves and our colleagues to update [our] virus protection,” he said.
Even the most conscientious email user finds it difficult to keep up with the virus writers, however. Current antivirus defences are outdated, said Mark Sunner, chief technical officer with email security service provider MessageLabs, in a session on Email’s Future: Trends, Trials, and Tribulations.
“The model of virus protection has not changed in a decade, but the model of viruses has changed dramatically,” Sunner said.
Viruses do the most damage in the first few hours of their attack, before antivirus vendors can isolate them and develop defences for customers to download during regular updates. Speakers cited new early-alert services by several email vendors. The services monitor a large swath of worldwide email traffic, watching for patterns similar to those preceding a virus attack. When that occurs, the service warns customers to raise their email defences until patches for the new virus become available.
Email appliance vendor, IronPort Systems, offers such a service with its Virus Outbreak Filters. The company uses its SenderBase email reputation service to give customers an early warning of a virus release. SenderBase analyses about 3 billion email messages a day from about 28,000 ISPs, large organisations, and universities. IronPort estimates that this represents one-quarter of global email traffic.
New options emerge
Email could also slip in popularity, several conference speakers suggested.
Already threatened by spam and viruses, email technology is becoming less user-friendly, they said. As new messaging alternatives emerge, some users may prefer instant messaging or other methods.
Our reliance on email could quickly become slavery, Cerf said. He gave the example of an exchange that might entail a three-day email chain, but which could be handled in a five-minute phone call.
Adopting a new messaging medium may bring only short-term relief, however. Several attendees predicted that as people migrate to IM, voice over IP, and other new means of communication, spammers and virus writers will be close behind.
Privacy was also cited as a threat to email’s effectiveness, possibly greater than viruses. But people are also more accepting of an erosion of privacy in the current political environment, creator of the Pretty Good Privacy (PGP) encryption system, Philip Zimmermann, said in a keynote address.
“The erosion of privacy [is] a by-product of Moore’s Law,” Zimmermann said, citing the Intel founder’s declaration that computing power doubles every 18 months.
Applied to privacy, he said, the capability of computers to track us was doubling every 18 months.
Zimmermann expressed disappointment that so few people encrypt their email. “The power users, the cognoscenti, will use PGP, but your mom won’t,” he said. Encryption technology was not likely to be widely adopted until there was a way to keep users from having to deal with “distractions”, Zimmermann said.
“Users need to deal with an invisible encryption proxy that links to the mail server without them being aware of it,” he said. The Hushmail Web-based encryption service was an example.
ISPs regularly filter the contents of email to identify viruses and suspected spam, but Google’s Gmail service has raised concern from some privacy advocates by going a step further, presenting ads based on the message’s content. Filtering presents a slippery slope, senior staff attorney with the Electronic Frontier Foundation, Lee Tien, said in a session on email and free speech.
“Spam has made people comfortable with the idea that someone is filtering their email,” he said.
From a legal perspective, this eroded any argument that you had an expectation of privacy in your email, Tien said. He pointed out that the profile Gmail creates, and the subsequent ads it serves based on that profile, could be subpoenaed. While people trusted Google with their personal information, the service could someday be sold to another company that might not be as trustworthy.