What's really wrong with attention bonds?

[Ad box removed; this image serves to flag pages that need to be updated in my log file.]

Slashdot has an article about "attention bonds", which are one incarnation of the old "spammers have to put up money to get you to read their email" anti-spam idea.  Various people in the Slashdot discussion have posted clueless objections that are already addressed by the system's FAQ or should have obvious solutions for anyone who thinks about them.  For instance, "This is the death of mailing lists!" has the answer:  never pay an attention bond on a mailing list message.  If someone doesn't whitelist the list when they subscribe, then they're stupid, your filter deletes the demand, and it's their problem.  But here are my own thoughts on some problems that are not already solved and cannot be so easily solved.  There's some overlap among them, and they aren't really in an order despite being numbered.  Just some problems that come to mind on thinking about this system.

#1:  It creates a great opportunity for traffic analysis by the government, marketers, etc., because the escrow agents can collect data on who's emailing whom.  The recipient gets to choose their escrow agent, so an individual participant doesn't have the option of only dealing with reputable or privacy-respecting escrow agents.

#2:  It creates a money trail alongside the email trail, making anonymity almost impossible (especially because the recipient can choose the escrow agent, see above).  This issue actually could be turned to an advantage because remailers could use the bond system to collect "postage", clear postage between themselves while obfuscating the money trail, and reduce their own spam problem into the bargain, but it'll be a big headache for them, and the anonymity of the remailers to the escrow agencies is hard to maintain.

#3:  Trolling can become financially profitable.  The business plan goes something like this:  1.  Post something to Slashdot or Usenet that lots of people will want to respond to by email.  2.  Collect a small enough bond from each responder that they'll be willing to pay it.  3.  Profit!  One could argue that that's an acceptable business (because you're only collecting money from the people who decide they're willing to give it to you) but I'd argue that it's a bad thing to encourage this business, because it also imposes on many people who do not want to respond to you, and damages the infrastructure for everyone.  It's like saying "Selling SUVs is morally okay because I'm only selling them to people who are willing to accept the environmental impact" - hello, it's not just your customers who bear the brunt of the environmental impact!

#4:  Participants who are poor, or penniless, just can't have email anymore.  That includes children, the homeless, and many people in developing countries.  Moreover, even among people with nonzero disposable income, it stratifies email along economic lines:  I will demand attention bonds roughly proportional to my income (because otherwise they won't have the intended effect of compensating me for time lost) and then someone with less income than me has to make a disproportionate sacrifice to talk to me, and someone with more income than me can spam me with no hardship.  I have received legitimate, important email from a scholarship student in Uganda, and in an official capacity from the legal department of a multi-billion-dollar US corporation; the value of a dollar to those two parties is totally different.  Note that it's not good enough to say "Oh, we just won't collect the bond from people who are poor" because they still have to have the money in order to promise it in the first place.  Children have no money, not just a small amount - especially if, as would necessarily be the case, enforcement of the bonds is tied to legally binding contracts in jurisdictions where children's right to make commitments is not recognized, so the children wouldn't even be allowed to spend money this way if they got some.

#5:  If only applied to email, it'll encourage spammers to move to other media - Usenet, Web BBSes, and referrer logs, for instance.  Attention bonds can't be easily applied to some of these.

#6:  If you offer to sell your time to all comers for $0.50, then you have to actually do that, and at least glance at all the messages sent to you by people who are willing to put up the $0.50.  If it were actually the case that there were lots of evil perverts out there sending pornography more or less at random to innocent children out of sheer perversity (I don't believe that, but many people do), then this kind of arrangement would make it harder to block them.  Even under a more realistic threat model for pornography in particular (people only sell that stuff to make money, and so will only send it to you if they think there's enough chance you'll pay, to let them turn a profit), you're still legitimizing the religious, the stalkers, and anyone else who thinks they should be able to demand your time and has money they can devote to that effort.  Now they can say "You must pay attention to me because I paid money to you!"

#7:  It could be used for many unintended and arguably antisocial purposes.  For instance:  money-laundering (sender and recipient collude to move money from one hand to another while making it difficult to trace), gambling (send mail to slots@casino.com, pay the small bond it demands, and you might get back a large bond you can cash!), tax evasion (don't pay me that money, send me an expensive email instead!), "camgirl"-style child psuedo-prostitution (wanna send me dirty email, big boy?), the trolling thing mentioned above, use as a billing system for other businesses (free email accounts!  of course, we'll demand and pocket a $0.10 bond from everyone who sends you mail), and so on.  Putting a stop to those, if we decided we wanted to, would be difficult without also damaging things like anonymity which are essential to the intended purpose.

#8:  If you allow the "Yes, I'm willing to post the bond" message to include a description of the content of the message, in order to help address point #6, then spammers will simply include their commercial message in the description so that you'll see it regardless of whether you collect the bond.  If, on the other hand, you use filters and standards to ensure that you ONLY see the amount of the bond, then that's the only information you have for deciding whether it's worth reading.  Both are bad.

#9:  Even without cracking the system, the system can be abused whenever someone knows that you need to send them a message; for instance, companies that don't want to provide technical support on their products can hit their customers with large attention-bond demands.  The customers have to pay, because what else can they do?  The underlying problem is that if I need to contact you, then "the service of reading my email" is not a service I can buy from someone else, so I have to pay your price for it, whatever that is.

#10:  Human beings have trouble with small amounts of money (which is why micropayments are doomed).  Paying any amount of money, no matter how small, is qualitatively different from paying no money at all; if the system requires us to deal with an amount of value in between those two values, or if it requires small amounts of money to be treated on a linear scale, then it'll fail.  I don't think that's a big problem here because the amounts of the bonds are supposed to be real money ($0.50 or whatever) instead of micropayments, but it's worth mentioning.

#11:  It involves creating a complicated, international, multi-party money-handling system similar in scope to credit cards but with even more participants.  Such systems invariably have lots of opportunities for hard-to-detect fraud through technical manipulation (cracking) and human manipulation and confidence tricks.  The existing credit card system is worse than you think, and this one would be much worse than that because of the large number of people receiving money.

#12:  Large companies (say, Microsoft) would be eager, and probably able, to use this system to expand their monopolies - because someone you need to send email to will demand a bond posted through an escrow agent that can only accept bonds posted with a client program that only runs on Windows.  This issue could be addressed by rigid, set-in-stone open standards and an insistence that there can be no intellectual property claims on the system, of any kind, ever, but international standards bodies have a lousy track record on enforcing such rules.

#13:  There are probably already several US Patents and other IP claims that could be argued to cover the system.  We'd hear from the holders of those patents or other claims, but only after it was deployed widely enough that nobody could afford to stop using it.  Who wants to repeat the GIF fiasco, or SCO v.  Linux?

#14:  Like the domain name registration racket, it creates a need for middleman businesses that provide no real value and exist only because the system mandates that they exist.  Many of these businesses would operate in a sleazy manner - and we'd see things like what happened to me recently, where a domain name "registrar" I had dealings with (not by choice, it was someone else's pick and they'd already registered the domain) turned out not to actually be a real "registrar" but actually just a private business that resold the services of another registrar, and the agency in charge of enforcing rules on registrars was powerless to do anything about the fake registrar's sleazy practices because it wasn't a real registrar.

#15:  Even though the FAQ says that escrow demands and responses have to be machine-readable as well as human-readable, it seems highly likely that we'd see in practice schemes like those used by the DNS racketeers, eBay, etc., to prevent non-human participants from being able to send email.  We already see such things in spam, where you'll be sent a picture of text instead of real text, to prevent your filter from recognizing the keywords.  Proving you're a human to an anti-robot scheme usually involves reading text out of a picture of text that has been distorted to prevent machine recognition...  so blind people can't send email anymore.

[What's really wrong with attention bonds?]

[Ad box removed; this image serves to flag pages that need to be updated in my log file.]

Comments

No comments yet.

Add Comment

Your name (required):
Your email address or URL (optional):
Type "bonobo" for anti-spam purposes:

This form is for posting public comments to be read by other people who visit this Web site. If you have a software support question, or other material directed to the page author instead of to the general public, please send email instead.

All the data you enter, and your IP address, will be saved and displayed. Don't enter secret information. HTML is not accepted; it will be displayed as plain text. Your comment will only be added if you enter valid data in all required fields; if it isn't, use the back button and try again.

I, and I alone, reserve the right to remove postings for any reason.

Copyright © 2004, 2007 Matthew Skala
Updates to this entire site: [RSS syndication file]
Updates to this category (spam) only: [RSS syndication file]