Below is an example of how technology and the law could work together, with both camps bringing essential pieces of the puzzle to the table. What should be most obvious from this exercise is that there needs to be somebody willing to intermediate between the legislature and the engineers. Otherwise, they will produce ineffective laws and we will produce ineffective technologies, both in isolation.

Objectives:
  - minimize the need for post-transfer spam detection
  - provide technical measures for refusing mail prior to transfer
  - provide legal backup for when the technical measures are ignored

Fundamental premise is preservation of property rights:
  - my bandwidth/storage/cpu is my property
  - this extends into the privacy realm; some users may choose to put up
    virtual "no trespassing" signs and those prohibitions should be
    protected under the same principles (gradeschool children,
    emergency-responder mailboxes, hermits, etc)

Technical measures:

Short-Term
  - RCPT TO response codes signifying acceptance levels, EG:
      - 250 (default)  what the law allows by default
      - 255 (stiff)    no solicitations at all
      - 259 (extreme)  no trespassing -- authorized senders only
  - 25x allows interoperability but other codes may be more useful,
    especially considering different jurisdictions will likely need
    their own codes
  - organizations can set the default as policy requires, or can allow
    users to set it according to preference

Medium-Term
  - improve accountability measures in email
  - possible work areas include encouraging authentication, PTRs, TLS
    and certificates, etc.

Long-Term
  - reinvention of the mail transfer service
  - eg, recursive signatures of modernized "Received" headers allow
    path validation at any hop
  - global directory technologies for key retrieval and other uses

Legal Measures:

Must be defined per-jurisdiction, but some US examples might be:

Definitions
  - define problem messages as any solicitation, such as for money or
    action (eg "click here")
  - some exceptions such as charities, government, others, MAYBE
  - violations after grace period (1 year?) subject to law

Protection
  - default case: recent prior relationship is okay
  - recipients may always refuse (eg, stronger response codes)
  - recipients may opt out even if a current relationship exists
  - no opt-in explicitly required, but encouraged by penalties

Penalties
  - recipient has private civil recourse
  - $500 per unlawful recipient, treble for willful violations
  - can file against beneficiary if invalid recipient
  - can file against bulk-mailer if response codes ignored
  - "loser pays" written into law to prevent abuses
  - state reserves felony penalties for egregious violators
  - bulk-mailers implicitly encouraged to use documented opt-ins

So who would the IETF community trust to take something like (better than) this to their jurisdictional legislature(s) and ask for feedback?

<cynic>and have they made the right campaign contributions</cynic>

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
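An added sketch in Python of the short-term RCPT TO acceptance levels proposed above, showing both the receiving MTA's reply and the sending MTA's pre-DATA decision; this is illustration code, not from the post or any IETF work. The codes 255 and 259 are the post's proposal rather than standard SMTP (RFC 5321 defines only 250 as the RCPT success reply), and the policy tables, addresses and the "code ignored" flag are constructed assumptions.

```python
# Sketch of the proposed RCPT TO acceptance levels (post's proposal, not RFC 5321).
# A client that does not know 255/259 treats any 2yz reply as success, which
# is the interoperability argument the post makes for staying in the 25x range.
ACCEPT_DEFAULT, NO_SOLICITATIONS, NO_TRESPASSING = 250, 255, 259

# Constructed policy tables; a real MTA would load these from site policy
# or per-user preferences (organizations set defaults, users may override).
RECIPIENT_POLICY = {
    "alice@example.org": ACCEPT_DEFAULT,       # whatever the law allows
    "bob@example.org": NO_SOLICITATIONS,       # "stiff": no solicitations
    "dispatch@example.org": NO_TRESPASSING,    # emergency-responder mailbox
}
AUTHORIZED_SENDERS = {"dispatch@example.org": {"ops@example.org"}}


def rcpt_to_reply(mail_from, rcpt_to):
    """Receiving MTA: reply to RCPT TO; MAIL FROM is already known at this point."""
    level = RECIPIENT_POLICY.get(rcpt_to)
    if level is None:
        return 550, "5.1.1 no such user"
    if level == NO_TRESPASSING and mail_from in AUTHORIZED_SENDERS.get(rcpt_to, ()):
        level = ACCEPT_DEFAULT  # authorized sender gets ordinary acceptance
    return level, f"2.1.5 recipient ok, acceptance level {level}"


def client_may_send_data(code, is_solicitation):
    """Sending MTA: decide before DATA whether the transfer is permitted."""
    if code // 100 != 2:
        return False            # 4yz/5yz: recipient refused outright
    if code == NO_TRESPASSING:
        return False            # we were not on the authorized list
    if code == NO_SOLICITATIONS:
        return not is_solicitation
    return True                 # 250: default legal rules apply


def transfer_outcome(mail_from, rcpt_to, is_solicitation, client_honours_codes=True):
    """Return (reply code, message transferred, code ignored by client)."""
    code, _ = rcpt_to_reply(mail_from, rcpt_to)
    allowed = client_may_send_data(code, is_solicitation)
    if client_honours_codes:
        return code, allowed, False
    # Bulk mailer that pushes DATA after any 2yz reply: the receiver records
    # the ignored code, which is the evidence the "legal backup" relies on.
    sent = code // 100 == 2
    return code, sent, sent and not allowed
```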