A New Solution to Spam: "The Internet Member's License"

I keep hearing about various half-baked proposals for solving spam, so I couldn’t help but add my own half-baked proposal into the mix. Actually my proposal may be more than half-baked — It might be the solution we’ve all been waiting for. I call it the “Internet Member’s License” (IML — pronounced “I-mail”).

Basically what I am proposing is an Internet-equivalent of a driver’s license — only it works very differently. Unlike a driver’s licnese the Internet Member’s License is not about granting permission to use the Net — you don’t need to have one in order to get online or surf etc. — instead, its purpose is to simply encode the holder’s “identity and reputation” in a standardized manner that enables others to test and screen messages and content you create.

So to be very clear — I am not proposing a license-to-surf like Howard Dean just did. I am proposing a license-to-get-listened-to. It’s very different. Having an IML or not having an IML has no effect on your ability to exercise your right to free-speech nor does it affect your ability to get online — rather it enables others to decide if they want to hear your free-speech and enables them to ignore it effectively if they choose to. So the purpose is not to clamp down on Net access — that would be evil — rather it is to provide a new way to filter information according to the reputations of those who post it.

The IML system works as follows: IML certificates would be issued by a central IML registry that runs as a non-profit. Getting an IML is similar to getting a driver’s license from the Registry of Motor Vehicles: Email service providers may apply for these certificates and once they get them, they may then issue sub-certificates off of their identities to their members. Email service providers (such as ISPs, enterprises, etc.) automatically append IMLs onto the end of every outgoing message they route (as ASCII text or a MIME attachment) that authenticate the identity of the service provider as well as the sender of the message. Alternatively individuals can apply for IMLs directly from the IML Registry and/or they can just add their IMLs into their sig files if their email providers are not IML-compliant yet. IML’s can also be put into the metadata for content that individuals and services post onto the Net in order to authenticate that content as “not spam.”

Every IML starts with a certain number of “points” on it — just like a driver’s license. Individual email client applications (whether Webmail or desktop mail clients) can then simply screen each incoming message for a valid IML certificate. Messages with valid IML’s are accepted and the sender’s may also be automatically whitelisted; incoming messages without valid IML’s can be blocked or go into a “suspect e-mail folder” and can get a bounced message informing the sender that their IML was missing or invalid.

Now here’s where it gets interesting: If you get a message from someone that you feel is “spam” you can simply mail it to the IML registry to report abuse. If a certain number of “spam” citations are filed against any IML holder per unit of time, the holder gets a “traffic violation citation” — in other words a ticket. The “cost” of the ticket depends on how far over the “spam limit” they are. The ticket deducts points from their IML certificate, based on the cost, as well as from the IML certificate for their ISP. Lost points can be regained with good behavior (every IML earns back 1 point per month), or from community service (to the IML Registry perhaps), or by paying a fine to the IML Registry.

Now what’s nice about this system is that the IML Registry can dynamically re-issue new IMLs to ISPs and their users based on their current status. So for example, if a user gets a ticket they get a new IML that replaces their previous one and which encodes the new number of points remaining on their license. Because each IML holder’s current license points can be encoded in their IML (cryptographically), spam filters and recipient apps can not only check for valid IMLs on incoming mail, but if they wish they can even prioritize or screen messages by the number of points on the IMLs of the senders and their ISPs. Those who have very few points may be considered to be “on probation” or “likely to be spam.” If any party loses all their points they may still send email, but their IML certificate will reflect that they have no points on their license. Thus IML-compliant spam filters can simply screen them out or treat them as suspect senders.

Another nice feature of this system is that the reputation of email providers is linked to the reputations of their members, and vice-versa. This helps to reinforce good behavior at both levels of the community (ISPs and their users, mutually; a nice cybernetic feedback loop.) Thus if an email provider allows misuse they could lose points on their provider-IML, which in turn is then inherited down to the member-IMLs of all their members (because their members’ IMLs are sub-certificates of their certificate). So as an email sender, I will want to use an ISP that has a sterling IML, because I don’t want my own reputation tarnished. Similarly as an ISP I will want to be careful about not routing spam because if I route spam for my members then it harms my reputation, which means messages from my service may not be accepted by others, and that may cause my members to go elsewhere — therefore as an ISP my policy may be that I only allow members with IMLs that have a certain number of points: if one of my member’s IML goes below a certain number of points I may kick them out of my service.

The central IML Registry can charge a modest fee to applicants to get an IML and renew it every year, and this can support the cost of running the Registry as a non-profit. Furthermore, the IML Registry can open up an API that lets other applications query it by inputting an IML certificate to it in order to get the current status of that license (e.g. whether or not it is valid and the number of points remaining on it). Ultimately this entire infrastructure could be decentralized such that every ISP could run their own sub-Registry. Thus the central Registry would issue and maintain IMLs for ISPs, and then ISPs would issue and maintain the IMLs for their members — this is similar to the global DNS infrastructure, only better, hopefully.

I think it’s time for something like the IML proposal. The IML system would help to prevent the current “tragedy of the commons” that is taking place on the Internet by providing a community-based feedback mechanism that everyone could benefit from. While still ensuring everyone’s right to free-speech, it would provide protection for a new and perhaps unacknowledged basic freedom that we should all have as well: “Freedom from Speech.” Just as we all need to freedom to say what we want, we should all have the freedom to not have to hear what others say unless we want to. I think the IML proposal accomplishes both freedoms and may be the answer to the spam problem.

I am sure some people will not like this proposal because they will doubtless object to having their reputation encoded on messages they send — however I would point out that reputation-encoding has been a key reason why marketplaces such as eBay work. The key is to do it in a way that protects privacy (by encrypting the contents of IMLs so that they cannot be tampered with or read, but can be verified and matched against) and that protects individual liberties (by making sure that IMLs are not used to give permission to senders to publish content, but rather are used to filter what is published by recipients). Finally I believe this service should be a non-profit so that it can spread far and wide and not be co-opted by any one commercial entity.

I am putting this idea in the public domain because I don’t want anyone to patent it. I think this should be a non-profit and should be used by all ISP’s and email software providers.