This is a preliminary document open for comment and revision at this time.

E-Stamps

One proposal to deal with the problem of unsolicited mass E-mail, also known as SPAM or SPUME (System Polluting UME) is to set up a payment structure for E-mail.

SPUME has arisen because E-mail is very cheap, and thus bulk mail is very cheap. Some assume it's because the cost is shared, with the sender and recipient both picking up their half of the cost of the connection, but the truth is that even if the sender had to pay both ends, E-mail is still very cheap -- it was designed that way.

Some people want laws to punish some types of E-mail, but even the best of those laws would not do much about SPUME coming from outside the country. There will always be countries that don't have or enforce such laws, and short of the totally unacceptable course of cutting nations off the net, there is no legal solution to the problem.

There is a system which can solve the SPAM problem and does not take the questionable step of allowing governments to regulate E-mail. However, it is complex and would take time to implement. Whether it's worth it is hard to decide, but it's best to begin by understanding how it might work.

In a pure E-stamp system, each piece of E-mail would come with a "stamp" -- a string of bytes representing a small amount of money. In this case, however, the stamp would not represent money paid to the electronic "post office" (internet providers) but the potential payment of money from the sender of a message to the recipient: money intended to compensate for the burden (both in cost and in time) of receiving an unwanted E-mail.

We get SPUME because E-mail is so cheap that there are no checks and balances on sending out immense quantities. Many abusers send out millions of messages without any concern for the net pollution this causes because it costs them only a small sum.

(You'll read below that the stamps would actually be a rarely used system, though still necessary.)

Other media, like postal mail, have a cost associated with each message. There is still junk mail, but the volume of it is far below the volume of junk E-mail. Indeed, if SPUME ever got used by respectable companies the way paper junk-mail is used, the volume would be overwhelming.

Put in a cost structure and the problem goes away, or at least drops to a tolerable level. How do you do this?

Optional Redemption

The key to a workable system is making redemption of a stamp by the recipient optional, and in fact rare. Let's say Alice is sending E-mail to Bob. In its basic form, an E-stamp is in effect an electronic cheque like the following.

"Pay to the order of Bob, up to 32 cents authorized by the Bank of <mybank> -- signed, Alice."

That statement -- a legal cheque, by the way -- is signed by Alice. Digitally signed, using highly secure digital signature algorithms based on public key cryptography. They assure, even better than the written signature on a bank cheque, that the message, and the cheque, came from her.

If the E-mail structure moves the way we expect it to, chances are that Alice's entire message is digitally signed to assure it came from her, unless she is using anonymous mail. If her message is already digitally signed, adding the E-stamp is actually pretty simple.

In such a system, Alice puts a stamp on every piece of E-mail she sends. And Bob refuses to take mail without E-stamps, at least not mail from strangers. If a stranger tries to mail Bob without a stamp, they get back a "bounce" telling them that they need to put a stamp on their mail (or follow certain other guidelines) to get mail through to Bob.

When Bob gets Alice's E-mail, he can, with a click of his mouse, forward the stamp along to his bank for redemption. Click, and the 32 cents (or whatever) is moved to his account. However, since this is a system to stop abuse, Bob actually won't do this unless Alice's mail was the sort of mail he is trying to stop.

So in fact, if Alice is an ordinary person, and not a junk mailer, most or all of her stamps expire unredeemed. She doesn't actually pay any money to send mail, except perhaps some monthly fees to her electronic bank to participate in the digital money system. It may come as part of the service of any digital bank.

If Bob does redeem her stamp, Alice's computer will hear of it. She's out a small sum, and next time she mails Bob, her computer might remind her that Bob redeems stamps on ordinary mail. Rude of him -- and she may decide not to bother mailing him.

Assuming this sort of social system is set up, people will rarely redeem stamps. Except when they get mail that abuses their mailbox -- like junk E-mail. Those sending out a junk E-mail to 100,000 people may find most of them redeeming the stamps, and the mailing now costs $10,000 instead of $200.

For the odd people who redeem just to be rude, the cost will be low enough to not be a major concern.

What is a stamp?

An E-stamp starts with a special digital token issued by some sort of digital money bank. Each token is unique, and digital signatures from the bank assure that. Each one also expires within a short period. A minimum of two days perhaps, but set by the user to typically a week. During that week the money is "on hold." In the basic form, each one also identifies the buyer, so any attempt to use the same stamp twice runs a high risk of getting caught. There's no reason these stamps would not be viewed as cheques under the law -- and there are serious penalties for deliberately writing bad cheques.

(There are a few ways one could design this to make it actually impossible to use the same stamp twice by passing a version of the message [known as a 'hash'] through the bank with every mailing. However, this has some costs that make it unreasonable for most E-mail. More on this later.)

The bank issues the stamp if it feels you are good for the money. That's between the bank and you. If you feel you might mail 50 messages over the expiry time on the stamps, you would only need to have $16 on deposit at the bank. That's on deposit, not spent. You only actually pay the money if somebody redeems your stamps. And since stamps will actually be sent quite rarely, having as little as a few bucks on deposit might be enough. If you run out, you can always get more -- you only get in advance what you need to use before your next connection to the bank.

A company wanting to do a bulk mailing of 10,000 pieces would need to have $3,200 on deposit, or a line of credit to that amount. If people liked their mailing, the money would not be debited.

Every so often, your bank would send you, in a mail message of their own, enough stamps to handle your likely maximum needs. As long as you had the credit with them, there is no problem. The stamps expire in some short time, such as a week, so you need a new supply at least that often. Your mailer program knows to take them and put them in each outgoing E-mail. (The expiry date is up to you, with the only restriction being that you could not use a stamp that was due to expire in under a day, to give the other person a chance to redeem it.)

If you run out, you can ask the bank for more, live over the internet, if you have the money. And we're literally talking tens of dollars here, so this is not a burden. All but the very poorest people might just pick up 100 stamps each week so that they never run out. This is very easy and cheap for the bank to do.
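To make the stamp lifecycle above concrete, here is an added Python sketch (not from Templeton's proposal or any real stamp bank): the bank issues unique, expiring tokens against a deposit, the sender turns one into a cheque payable to a named recipient and binds it to the message hash (the same binding the anonymous-mail sections below rely on), the recipient's mailer checks it, and the bank pays each token out only once. HMAC with constructed secret keys stands in for the public-key signatures the proposal assumes, and every name, field layout and time limit here is an assumption.

```python
import hashlib
import hmac
import json
import secrets

# Constructed secrets standing in for each party's private signing key.  Real
# E-stamps would use public-key signatures; HMAC keeps the example stand-alone.
BANK_KEY = b"bank-of-mybank-secret"
ALICE_KEY = b"alice-secret"
MIN_REMAINING = 24 * 3600    # a stamp must still have a day to run when mailed
DEFAULT_TTL = 7 * 24 * 3600  # typical one-week expiry; `now` values are epoch seconds


def sign(key, payload):
    """Stand-in for a digital signature over a canonical encoding of payload."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


class StampBank:
    """Issues unique, expiring tokens against a deposit and pays each out once."""
    def __init__(self, key):
        self.key = key
        self.deposits = {}     # buyer -> cents on deposit
        self.on_hold = {}      # buyer -> cents covered by stamps issued
        self.redeemed = set()  # token ids already paid out

    def deposit(self, buyer, cents):
        self.deposits[buyer] = self.deposits.get(buyer, 0) + cents

    def issue(self, buyer, count, now, value=32, ttl=DEFAULT_TTL):
        """Hand out `count` tokens, each naming the buyer and carrying an expiry."""
        held = self.on_hold.get(buyer, 0) + count * value
        if held > self.deposits.get(buyer, 0):
            raise ValueError("deposit does not cover the stamps requested")
        self.on_hold[buyer] = held
        stamps = []
        for _ in range(count):
            token = {"id": secrets.token_hex(8), "buyer": buyer,
                     "value": value, "expires": int(now + ttl)}
            stamps.append({"token": token, "bank_sig": sign(self.key, token)})
        return stamps

    def redeem(self, cheque, now):
        """Pay out once; refuse forged, expired or already-paid stamps."""
        token = cheque["token"]
        if not verify(self.key, token, cheque["bank_sig"]):
            return "forged"
        if now > token["expires"]:
            return "expired"
        if token["id"] in self.redeemed:
            return "already-redeemed"  # the double use that gets the buyer caught
        self.redeemed.add(token["id"])
        self.deposits[token["buyer"]] -= token["value"]
        return "paid"


def attach_stamp(sender_key, stamp, payee, message):
    """Turn a bank token into 'pay to the order of <payee>', bound to this message."""
    cheque = {"token": stamp["token"], "bank_sig": stamp["bank_sig"], "payee": payee,
              "msg_hash": hashlib.sha256(message.encode()).hexdigest()}
    return {"cheque": cheque, "sender_sig": sign(sender_key, cheque)}


def recipient_check(bank_key, sender_key, stamped, me, message, now):
    """Recipient's mailer: report the first failed check, or 'ok'."""
    c = stamped["cheque"]
    checks = [
        (not verify(sender_key, c, stamped["sender_sig"]), "bad-sender-signature"),
        (not verify(bank_key, c["token"], c["bank_sig"]), "bad-bank-signature"),
        (c["payee"] != me, "wrong-payee"),
        (hashlib.sha256(message.encode()).hexdigest() != c["msg_hash"], "message-mismatch"),
        (c["token"]["expires"] - now < MIN_REMAINING, "expires-too-soon"),
    ]
    return next((reason for failed, reason in checks if failed), "ok")
```

With a shared-secret stand-in the recipient needs the sender's key to verify; with real public-key signatures only the public halves would be needed.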

Every piece of mail

Now that I've described the basics of E-stamps, I'm going to say that you actually wouldn't need to use them very often. That's because most people would configure their mail program to take mail from people they trust without any stamp, or with a "personally issued" moneyless stamp. You don't have to be a bank to issue a stamp that you yourself will redeem. A "bank" is really just somebody that a stranger can use to mail another stranger -- somebody both parties will know.

So if Bob mailed Alice, and Alice is replying to that message, Bob's computer can know that and won't demand a stamp on the reply. The vast majority of E-mail is actually replies. Likewise, if Alice and Bob work for the same company or are on the same site with secure E-mail, they don't need stamps. And if Alice and Bob have ever corresponded in the past and have reason to trust one another not to abuse E-mail, they don't need stamps.

The only mail that turns out to need a stamp is first-time mail from somebody you don't know. Only then is the stamp needed as a statement of good faith. And that's actually pretty rare. How often do you mail a total stranger? Generally not very often. Usually it happens when you reply to a posting in a public forum, or mail an address given on a web page, or initiate mail after meeting some other way, or get a referral from a friend. For most people, just a few times a day. And that means the number of stamps needed -- and the cost of the stamp system -- remains pretty low.

Of course a junk mailer mails thousands of people to whom he is a stranger. But that's who we are trying to curtail.

Site Based Stamps

The system can be made even easier to implement if sites, rather than users, take on the responsibility of putting stamps on mail. IBM, for example, is probably willing to take responsibility, on behalf of its employees, to stamp their mail or certify them as non-abusers.

A site like AOL might not do that for freshly signed-up "free trial" accounts but might be happy to handle the procedure for established accounts with good credit and history, billing their credit cards for anything redeemed. That means nobody at a big site even needs to install any new client software.

Moneyless Stamps

In fact many people need not have a stamp at all. All they really need is a certificate from somebody who is widely trusted that says that they have sworn to act under ethical standards in using E-mail; in particular not to use it as a bulk advertising medium against the will of the recipients.

Most people can swear that easily. And Bob is probably willing to accept mail from somebody who has made that affirmation, and can be held accountable if they break that promise.

So why would we even need the stamps at all? First of all, there might be people who can't make that promise -- not just junk E-mailers but corporate bulk mailers doing more respectable mailings, such as newsletters for their customers.

And secondly, we must protect the right to send mail without giving our identity.

Anonymous mail

Sometimes we need to communicate without revealing who we are. Not just if we're whistleblowing on a lawbreaking employer or publishing a criticism of government policy. Sometimes just to protect our privacy, because the other party has no right to know. "If you have nothing to hide, what are you afraid of?" is one of the greatest fallacies advocated by the regimented society.

Of course, anonymity can be abused -- to harass, commit offenses and disturb the net -- even to send SPUME. E-stamps can strike the balance when it comes to E-mail.

You see, one can design E-stamps that don't contain the identity of the sender. There are a few ways this can happen. They provide different levels of identity protection, with different risks.

E-mail address is not your true name

Large numbers of people use E-mail that is not under their true name. The E-mail address is just one form of identity. But it's all that is needed for E-mail. A stamp is issued to an E-mail address, not a person, though the bank usually wants to know who the person is in order to deal with them if they try to re-use stamps or pass bad ones.

The most common forms of identity hiding simply rely on a "Swiss bank" of sorts, that knows who you are but doesn't reveal that in its stamps, just the E-mail address you have. The party that provides your E-mail has to protect you as well -- and they might also be your bank for that matter.

That's actually been the most common method of typical anonymous communication to the public, when people write under a pen name or act as an "unnamed source" to a reporter. Many people trust it, but it's always possible that a court order, or break-in, can get your identity extracted.

Numbered Account Swiss Bank

It's also possible to set up a party that acts as a stamp bank but doesn't know who you are. It only knows the secret pass-number you gave it. You contact it, when you choose, to do transactions.

The disadvantage to this is that the bank will actually insist that the money to cover the cost of E-stamps be on deposit. They may never see you again. In addition, you must route your anonymous mail through the bank or some similar party, because they must have a system to stop you from using the same E-stamp twice. In this latter case, the E-stamp is generated and bound to the "hash" of your E-mail. (A hash is a number unique to your message, but it doesn't let the bank actually read your message.)

You don't actually have to have the money on deposit, but when you route a message through the "bank" you need to offer the money as digital cash.

Truly Anonymous

David Chaum of Digicash developed a means to provide truly anonymous digital cash that could be used for E-stamps. Currently this system is patented.

I won't explain the details here. However, the one downside is that with true anonymity, you can't easily get information back on who redeemed your stamps. So you will be risking the money every time you make an anonymous mailing to a stranger. If the cost is low this is not much of a burden.

Mailing lists

One large question concerns legitimate mailing lists. They are often run as hobbies. The sender can't afford to put a stamp on every mail sent out to a list subscriber.

There are a couple of answers. The simplest of course is that you don't require stamps from mailing lists that you join. You either tell your own mail tools about the list when you join, or, alternately when you subscribe you pass along a private stamp of your own for the list owner to use in mailing you. With digital signature technology, this can be a string usable only by that list, so it can't be stolen and used by others. (Digital signature technology in general stops stamps from being stolen by others.)

Another way, similar in some ways to the first, is that when you subscribe to a list, you send a special stamp that doesn't expire. The list owner keeps it. Then, if you are ever so rude as to redeem a stamp on a list message, the list owner redeems your never-expire stamp and takes you off the list, and it comes out even, or actually negative for you because the never-expire stamp equals a whole day's volume of single message stamps.

But frankly the simplest scheme is to improve the mailing list subscription mechanisms so that when you subscribe to a list, your mailer knows about it and just lets that mail in.

Mail to the list of course still needs its own protection. That can either be simply by only allowing submissions from list members (which many lists do today, though not with the protection of digital signature) or requiring stamps to the list owner (not to the list members.) Lists have to protect themselves from junk e-mail in other ways, including pre-screening of messages that don't come from list members and so on. Many lists do this already.

Lists may also just use a very high stamp value. A list owner who redeemed such a stamp from an ordinary submitter might well not get many more submissions.

No Government

You will notice that none of this involves the government, other than by invoking the already existing laws about writing bad cheques. In fact it's one of the few anti-abuse techniques that doesn't need any government, and that's good because other laws can't stop abuse from outside their jurisdiction, and this system can.

All of this depends on a right you already have -- the power to control your mailbox and who is allowed to send mail to it. Today many people exercise this power using the unverified "From" address that comes on all mail. Digital signature technologies make that address 100% reliable, and thus more useful in controlling who can send you mail.

You can limit your mailbox today. The concept of E-stamps and other uses of digital signature are actually proposed so that people don't have to limit their mailboxes very much at all to stop the junk E-mail problem. It's easy to say "I will only accept mail digitally signed by people I know" and the technology for that is actually available now.

You want a way to get mail from strangers too, without opening up your mailbox to abuse by those strangers. Stamps, and certificates of having sworn to ethical E-mail behavior are two ways to do that. The stamp system doesn't require people to use digital signatures. It simply enables mailbox owners to say, "If you want to mail me, and I don't know you, you need to have a digital signature."

In effect, the stamp becomes an overture of good faith. "You don't know me, and in order to convince you to accept my E-mail, here is a token of my good faith that you can redeem if you feel in the end that I have abused your mailbox."

The stamp is in a way an old-fashioned letter of introduction, or a desired and legitimate bribe.

And it avoids the government regulating who we can E-mail, and about what. Instead, it puts the choice into individual hands.

More Logistics

Fully formed, the stamp system is complex. It requires a new generation of mailing tools. But new generations of mailing tools come about every year or two these days. It's a fast moving world.

Properly implemented, the sender doesn't even see the system once it is configured. It's all automatic -- the arrival of new stamps from the bank, the sending of them on mail to unknowns, etc.

For the receiver, there is just an extra button to click after reading a mail, marked redeem. The system does the rest.

There can be many banks and many stamp technologies, as long as there is one simple way to confirm a stamp is valid. You don't have to redeem a stamp with the bank who issued it. Like any cheque, you go to your own bank to redeem it, and it gathers them up and redeems for you from the issuing bank. That means that just like ordinary cheques, each person keeps a relationship with just one bank.

The system works most easily with non-anonymous mail, but in fact the vast majority of mail is non-anonymous. However, the nice thing about this system is it allows anonymous mail while providing an inherent limit on the abuse.

It should be noted that when I write "non-anonymous" I don't mean "identified." I simply mean "replyable" with some path of accountability. It is not mandated that I send mail under my real name in such a system. I can send it as any made-up E-mail address. When I talk about allowing mail in from people you "know," that doesn't mean knowing their true name. It means knowing a name, and allowing mail in from that name.

How would this all be implemented? It would start first with the creation, already underway, of digital signature infrastructures and certificate systems. People then start signing their mail with a digital signature. The protocols for this are already in place and some mailers already implement them.

As noted, that system, once widespread, lets you identify who is mailing you and quickly and reliably spot people you have corresponded with before.

Divert, not reject

Any technology of this sort, or any other filtering technology doesn't have to reject mail that doesn't fit its criteria. It can instead just divert it into "lower priority" channels or folders. That means you don't have to throw away mail that doesn't come with a stamp or signature, you just put it in a different queue, that you look at less often.

That queue of course is going to be mostly filled with junk E-mail today. Eventually it may get to the point that the system is so widely adopted that you just throw away that queue. But the system does not have to be implemented "all or nothing." It can be adopted one user at a time.

Civil Rights Issues

Does this chill speech? In some small ways. Any technology that allows people to block speech will, of course, end up blocking some speech.

Fully open mailboxes with no restrictions means junk E-mail. This we know. The question is how we chill the junk E-mail and avoid chilling desired mail, including legitimate mail that solicits business between strangers. It's up to each individual person to decide what mail is desired and what isn't.

Some people would use this system to tune out all E-mail from strangers. This is their right. Some might require stamps of $10 each, effectively tuning out mail from all but the most eager (or wealthy) of strangers. That again is their right.

Examples of Transactions

You send mail to anybody. Your mail includes a small digital token in it -- perhaps encoded in the message-id, which is usually returned on replies -- which your software can recognize, because it's signed by you. To prevent it leaking out, it only works for mail from the specified user or for a limited time. When they reply, they use this token. Your mailer spots it and lets the mail through. All replies to your mail get back to you.

You send mail to somebody you know. It's digitally signed, either with your real identity if not anonymous, or a "digital pen name" that you use regularly but can't be traced back to you. If the person knows your identity, they remember the key you use to sign things. They will let it through.

You talk to a well known certifying firm, identify yourself and sign a pledge to follow a code of E-mail ethics, including no junk E-mail. They give you a special certificate, usable only for your identity. You include it when you mail. Others recognize it and let your mail through.

You think you know somebody but they don't recognize you. They bounce the mail in a special way, newly defined in the protocols, that says they insist on a stamp of a certain amount. Your system catches that and either adds the stamp, if you programmed it that way, or bounces the mail back to you.

You are sending mail to somebody you don't know and you know you need a stamp. You take one from your pool, adjust its parameters (amount of money, payee etc.) and sign it along with your message.

You want to send an anonymous message. Use a bank that handles these. You may elect to route through the bank, so they know who you are, or you may use totally anonymous communication. In the latter case, you may only get to know if your stamps that day were redeemed, not by who.

You get a message that annoys you. You save the stamp away. At the end of the day your system gathers all the ones you saved, and forwards them to your bank. Your bank verifies them and distributes them all to the banks that issued them. The money is credited to your account.
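An added Python example (not the page's own code) of the receiver-side rules in the transactions above and in "Divert, not reject": a reply token carried in the Message-ID and checked against In-Reply-To, acceptance of signed mail from known correspondents and of ethics certificates, and diversion of everything else to a low-priority queue rather than rejection. HMAC with constructed secrets stands in for digital signatures, and the token format, certificate layout, lifetimes and names are assumptions.

```python
import hashlib
import hmac
import time

# Constructed secrets standing in for private keys; a real mailer would use
# public-key signatures.  Token and certificate formats are assumptions.
MY_KEY = b"bob-mailer-secret"               # Bob's mailer mints reply tokens with this
CERTIFIER_KEY = b"ethics-certifier-secret"  # a well-known firm whose pledges Bob trusts
REPLY_TOKEN_TTL = 30 * 24 * 3600            # assumed lifetime of a reply token


def mac_tag(key, *parts):
    """Stand-in for a signature over the given fields."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:24]


def make_message_id(key, recipient, now=None, ttl=REPLY_TOKEN_TTL):
    """Message-ID carrying a token only `recipient` can use, and only until it
    expires; replies echo it in In-Reply-To, so Bob's mailer recognises them."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    return f"<rt.{expires}.{mac_tag(key, recipient, str(expires))}@bob.example>"


def valid_reply_token(key, in_reply_to, sender, now=None):
    """True only if the token was minted for `sender` and has not expired."""
    now = int(time.time() if now is None else now)
    try:
        tag, expires, tag_mac = in_reply_to.strip("<>").split("@", 1)[0].split(".")
    except ValueError:
        return False
    if tag != "rt" or not expires.isdigit() or int(expires) < now:
        return False
    return hmac.compare_digest(tag_mac, mac_tag(key, sender, expires))


def ethics_certificate(certifier_key, address):
    """What the certifier issues once `address` has signed the code-of-ethics pledge."""
    return mac_tag(certifier_key, "ethics-pledge", address)


def route(msg, known_senders, certifier_key, my_key, now=None):
    """Return ("inbox", reason) or ("low-priority", reason); nothing is rejected.
    `known_senders` maps addresses of past correspondents to their signing keys."""
    sender = msg["from"]
    if valid_reply_token(my_key, msg.get("in_reply_to", ""), sender, now):
        return "inbox", "reply to my own mail"
    sig = msg.get("signature", "")
    if sender in known_senders and hmac.compare_digest(sig, mac_tag(known_senders[sender], msg["body"])):
        return "inbox", "signed by a known correspondent"  # a bare From: line is not enough
    cert = msg.get("ethics_cert", "")
    if cert and hmac.compare_digest(cert, ethics_certificate(certifier_key, sender)):
        return "inbox", "certified ethics pledge"
    if msg.get("stamp_ok"):  # verified by the stamp-handling code, not repeated here
        return "inbox", "carries a valid stamp"
    return "low-priority", "unknown sender with no token, certificate or stamp"


def sort_mailbox(messages, known_senders, certifier_key, my_key, now=None):
    """Divert, don't reject: every message lands in one of two queues."""
    queues = {"inbox": [], "low-priority": []}
    for msg in messages:
        queue, _ = route(msg, known_senders, certifier_key, my_key, now)
        queues[queue].append(msg["from"])
    return queues
```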

Almost no money involved

There's no reason, other than income for the banks, that the "first $10" of stamps for each person could not be free. And of course, the first $10 of redemptions not paid either. (Or the first $15 to make $5 of income for the bank if they are redeemed.)

In such a scheme you only have to pay in money if you start getting a lot of people who redeem your stamps -- i.e. if you are a junk mailer. But ordinary people, sending ordinary mail, never getting redeemed, might find themselves never being involved with money at all. That free $10 might come every year, if such a plan worked out.

Lots of money involved

It's also entirely possible that junk E-mailers might accept the cost and pay it anyway. And many people, if they could make 32 cents (or whatever price they want to set that people will pay) for every piece of junk E-mail they receive, might be glad to do it. Some people have been proposing paying people to receive advertising. If people want it, this system could enable that.

Things to Remember

This is largely predicated on the arrival of two things -- a digital signature infrastructure with associated software tools in mail, and a digital money infrastructure including digital cash. Most people think these are almost certain to arrive soon, and without any involvement from the E-stamp concept.

A digital signature on E-mail does not mean signing all E-mail in blood. A digital signature just assures that a message came from the holder of a special magic number called the private key. At a minimum it lets you know two messages come from the same party, and it can also be used to allow you to know attributes about a party that were certified by some other trusted 3rd party.

Those attributes might include the person's "real identity" but they need not. They can be anything, from an E-mail address, to just a sex, to just an assurance that the trusted party thinks they are an honest person or that they signed a declaration of ethics over mail.

There is no requirement that the trusted third party be the government. Some people are pushing for that, but short of draconian law, it's up to you to decide who you trust. In this case the primary trusted third parties are digital money banks -- which don't have to be very big entities -- and perhaps a network that allows banks to decide to trust one another. You would work with your choice of bank, and it would work out a system for deciding what other banks or networks of banks it trusts. You don't have to worry about that. You have one (or more) banks you trust and they do the rest.