QuickTopic (SM) free message boards
Topic: Why haiku can't solve the spam problem
Danny O'Brien  1
08-20-2002 02:52 PM ET (US)
Hey, I'm not allowed to say this is a fantastically dumb idea in proper journalism, am I? This was a lesson I learnt on my first day working at a magazine. My initial assignment was to attend an ANSI C++ standards committee meeting. I went along, carefully collected up all the drunken gossip, came back, and wrote up how incredibly doomed I thought it looked. My editor pointed out that yes, it was doomed, but some of my audience didn't think that, and they'd be the ones who'd really like to know what went on there without all this editorialising, thank you very much. This is not to say that I agree with that, which is why we ended up doing NTK. Some things are just too stupid not to pass comment.

Aaaanyway. Habeas is basically MAPS on a stronger legal footing. But do blackhole lists work? Dunno. You're suspicious about them, because they seem very manually-entered, very arbitrary, very prone-to-corruption, and very anti-connectivity. But there's a whole bunch of people - sysadmins mainly - who love 'em. All of your criticisms work, I think, for any blackhole system, not just Habeas, so it's a bit harsh to say that these are all flaws exclusively of their system.

I think Habeas' problem is less that their plan completely sucks, and more that the one group who really applaud the idea of blackholes will be suspicious of clever legal hacks. I spoke to a few sysadmins yesterday, and they were very "Hmmm. Neat. Yeah, that sounds okay." It was interesting to wake up and watch the slashdot hive-mind turn against it.
Cory Doctorow  2
08-20-2002 03:27 PM ET (US)
I dunno -- the point isn't so much to damn this (as you would in editorial), but to point out that it raises as many questions as it answers.

For example:

* If blackholes solved spam, then why isn't spam solved?

* Since the majority of spammers are already engaged in illegal activity, how will making some minority of spammers' activities slightly more illegal help us solve the spam problem?

* How will Habeas prosecute anonymous 419 scammers in corrupt kleptocracies where the rule of law has been all but eliminated?

* How can Habeas possibly police the use of its haiku in a way that's cost-effective?

Of course, it's hard to do this without getting an actual interview with the Habeas people -- that's the key difference between editorial and reportage; instead of asking the impossible questions rhetorically, you ask them of real people.

I really like the piece, Danny, just in case that wasn't clear, but I think that your experiment needs the investigative side of things in order to attain actual journalism.
Cory Doctorow  3
08-20-2002 03:33 PM ET (US)
Jesus, I can't believe I missed this bit:

"Legitimate bulk mailers (with double opt-in agreements), or other companies whose mail caught in spam filters, can pay Habeas to put the haiku in their headers too, dodging the filtering bullet."

So every time anyone on the Internet wants to send a non-personal email to anyone else, s/he'll have to PAY HABEAS in order to be kept out of spam filters? Habeas wants to collect a royalty on every single non-personal email sent?

HOLY MOTHERFUCKING FUCK! That is the single most ridiculous thing I've ever heard.
Eli the Bearded  4
08-20-2002 04:18 PM ET (US)
I think requiring any sort of special code in a message
to get it past some very dumb filter is akin to not
accepting postal mail unless the address is written in
green ink. Most legit people will not want to comply
and you shoot yourself in the foot as only spammers
bother to send you anything (all without the tag).
boingboing addict  5
08-20-2002 04:49 PM ET (US)
one thing blackhole lists do a good job of fixing, in my experience, is unintended open mail relays.

user puts up a public mail server, gets spammed through, ISP gets blackholed & suddenly has a big incentive to get that user to fix the open relay.

i saw that countless times in isp tech support days.
alkali  6
08-20-2002 04:55 PM ET (US)
If I understand it correctly, the whole scheme depends on Habeas's having bona fide claims for copyright and trademark infringement against unauthorized users of the haiku. I don't believe that there are such claims. There are no copyright damages because there's no intrinsic market value to the haiku. (The haiku's use as a passphrase has nothing to do with the copyrightable content of the haiku; you could presumably use anything as the haiku.) There is no trademark because the haiku isn't being used to market a product or service.

Given the novelty of the scheme, I can't say for certain that a court wouldn't find a potentially valid legal claim here. But I would say the chances of that are no greater than 25%. And absent a high degree of certainty that the legal underpinnings of the scheme are sound, I don't think people are going to turn their e-mail infrastructure upside down to implement it.
Cory Doctorow  7
08-20-2002 05:06 PM ET (US)
Lucky for these folks, the DMCA doesn't require them to show damages or market value for the haiku; the infringement is sufficient.
Chaz Larson  8
08-20-2002 05:21 PM ET (US)
Edited by author 08-20-2002 06:00 PM
>So every time anyone on the Internet wants to send a non-personal email to anyone else, s/he'll have to PAY HABEAS in order to be kept out of spam filters? Habeas wants to collect a royalty on every single non-personal email sent?

I don't read it that way. The Habeas system provides a means for an individual or business to positively state that their message meets some criteria [that it's a "Habeas Compliant Message" - http://www.habeas.com/faq/index.htm#2.2]. It's like a Good Housekeeping Seal for email.

If I, as a business, want to assert that my mailings meet that standard, I pony up for the license and add the headers. If I don't pony up and use it anyways, I get sued. If I pony up and break the terms, I get sued.

Just like the Good Housekeeping Seal. If I want to put the GHS on my product, I have to advertise in GH and submit my product for testing in their labs.

If I don't do that and I put the GHS on my product, I get sued. If I do that, then put the GHS on some other unapproved widget, I get sued.

As a widget manufacturer, I have no obligation to put the GHS on any product I want to sell. Similarly, if I want to send non-personal email, I have no obligation to pay Habeas anything. I only pay them if their stamp of approval is something I think will provide value to me.

A grocery store could decide to stock only products that carry the GHS, but their stock would be very limited. Similarly, an ISP could decide to pass only email bearing the Habeas mark, but they'd be dumping almost everything currently. I don't think that's really likely.
Charlie Stross  9
08-20-2002 05:50 PM ET (US)
Ahem. Let's keep the basics in mind, folks:

"Kill 'em all, God will know his own."
Cory Doctorow  10
08-20-2002 09:50 PM ET (US)
"If I, as a business, want to assert that my mailings meet that standard, I pony up for the license and add the headers. If I don't pony up and use it anyways, I get sued. If I pony up and break the terms, I get sued.

"Just like the Good Housekeeping Seal. If I want to put the GHS on my product, I have to advertise in GH and submit my product for testing in their labs."

You've gotta be kidding me! In order for this ridiculous system to work, it will have to be widely deployed. IOW, people are going to expect to be able to disregard all messages not bearing the authentication token.

So these people will have a 95-year copyright and an open-ended trademark (plus a 17 year patent!) on this authentication scheme. Any communications between users of this system depend ultimately on the goodwill of the system operators, who have no visible qualifications to be arbiters of all communication (remember, it's at their discretion as to whether you qualify for their auth token on a free or for-pay basis) by email.

Moreover, if we assume that:

* These will not ever interfere with one-to-one communication (which means that they'll be useless in regard to 419 scams)

* These people, their heirs, successors and assigns, will, in perpetuity, honor this covenant

* These people will never go out of business and have their IP assets acquired by someone who violates the covenant

We are still faced with the fact that we are asking these people to sit in judgement as to which bulk communications are acceptable and which ones are unacceptable (is the EFF's weekly newsletter spam? What about mass-email devoted to informing people of the dangers of spam vigilantism?). We are granting them a license to levy a fee against all bulk communicators (if I have a blog with fifty readers on its mailing-list and a PayPal tipjar, do I have to pay these people royalties for the use of their haiku? What if EFF goes from 30,000 email subscribers to 100,000 subscribers? Do our royalties escalate? Do we go broke paying these Internet postmasters for their imprimaturs?)

I'm hardly a First Amendment purist, but this is raw, steaming Stalinism.
Danny O'Brien  11
08-20-2002 11:05 PM ET (US)
Woah, woah.

Okay, first up, I *did* interview Mitchell, and mentioned specifically: how are you supposed to stop Nigerian spammers. And it boiled down to this. If they can't get the legal sanction, it becomes a RBL blackhole database of haiku infringers. Which means that all the objections against MA apply, but no more.

Second - and I think the real Wired article made this clearer - the absence of the haiku isn't an indicator of spam. The *existence* of the haiku is a mark that someone is vouching that it's not spam.

There is no spam-filtering system that could possibly use this as a way of throwing away all other mails. You will never be in a position where you throw away all mails without the haiku. It will just be another score (+1.0 or whatever if it doesn't work, -1.0 if it does), another clue.

About the only truly novel dodgy thing in this scheme is the patent on the idea of using headers. The rest of it is just a debate over whether blackholes are bad (on which I think the court's still out), and whether copyright law is strong enough to catch spammers where every other law has failed.
Gordon Mohr  12
08-21-2002 03:58 AM ET (US)
Edited by author 08-21-2002 04:03 AM
Some misconceptions about the Habeas approach are driving objections.

The idea is not that any mail without the SWE headers will be bounced; rather mail with the SWE headers will be let in. So an important point is: this makes other spam-filtering mechanisms work better. The biggest problem with spam-filters is false-positives: losing one truly important mail per 100 spams could offset all the savings of killing the spam.

The SWE headers make it easier for legitimate mail to make it through. Wide use could thus boost the use of other spam-killing options, because people are more confident they won't lose legitimate mail.

Faking the SWE headers risks international penalties above-and-beyond the repercussions (if any) for normal spamming. It ups the ante for spammers: and with SWE-forgery, a court doesn't even have to consider broader issues of whether unsolicited communication is allowable, it just has to consider whether spammers are allowed to lie and fraudulently appropriate Habeas' valuable signalling labels. That's a cut and dried case.

Looking at some of Cory's concerns:

Cory: "In order for this ridiculous system to work, it will have to be widely deployed."

It works better with wider adoption, but as soon as legit mailing lists and individuals start using it, less of their mail will be killed by mistuned filters. (The real key thing for the system to work is a few successful prosecutions of SWE-forgers.) This will allow more people, at the margin, to confidently adopt (or turn up the sensitivity of) spam filters.

Cory: "useless in regard to 419 scams"

419 mail is unsolicited and sent to multiple people unrelated to the sender. Thus, it can't use the SWE headers. So whereas before, no one person had enough economic incentive to go after 419ers, if they start unauthorized use of Habeas headers, Habeas has an incentive to hunt them and seek judgements.

Cory: what if they break their covenant/get acquired/etc?

If their mark comes to mean nothing useful, because they drift from their initial promises, fail to effectively enforce its use, whatever -- then you just stop using it as a passthrough expeditor. You're never at the mercy of their changing org; use their mark as a passthrough aid if it's helpful, ignore it if not. There's only an upside, no downside, for mail recipients.

Cory: "we are asking these people to sit in judgement as to which bulk communications are acceptable and which ones are unacceptable"

Not really; it's not a case-by-case judgement call. They have a very compact, simple description of "Habeas Compliant Mail" which qualifies for use of the SWE headers. Any mailing list which requires an explicit, address-verifying subscription confirmation step qualifies.

You'll never *need* to use them on any list, large or small. You could always figure that your opt-in subscribers have cleared some other path for your messages through their mailwalls. I also suspect that there will be a proliferation of similar ways to warrant that mail is not spam -- see Ironport Systems' Bonded Sender Program, for example -- and whichever ones provide the best guarantee at an economically reasonable price will thrive.

Cory: "I'm hardly a First Amendment purist, but this is raw, steaming Stalinism."

Oh come on. Stalin lied to, oppressed, starved, and killed millions with a reign of political violence. These people provide a voluntary system of email sorting hints. Is this your "Hyperbole Valenti" impression?

At worst, Habeas might sue you if you use their labels without permission.

I *am* a First Amendment absolutist, and I hope this idea -- spam control through accurate labelling, with creative penalties for forgery -- takes off.
Cory Doctorow  13
08-21-2002 10:39 AM ET (US)
Gordon: 419 mail is unsolicited and sent to multiple people unrelated to
the sender. Thus, it can't use the SWE headers. So whereas
before, no one person had enough economic incentive to go after
419ers, if they start unauthorized use of Habeas headers, Habeas
has an incentive to hunt them and seek judgements.

Me: Huh? How is Habeas going to track down and collect judgements on scam artists in Nigeria? Did I miss the part of the Habeas proposal where they will restore the rule of law to broken-down kleptocracies so that they can persecute malefactors there?

Gordon: If their mark comes to mean nothing useful, because they drift
from their initial promises, fail to effectively enforce its
use, whatever -- then you just stop using it as a passthrough
expeditor. You're never at the mercy of their changing org; use
their mark as a passthrough aid if it's helpful, ignore it if
not. There's only an upside, no downside, for mail recipients.

Me: If this was a reasonable assumption, Craig Shergold would have never gotten another postcard after his cancer was cured.

Gordon: Not really; it's not a case-by-case judgement call. They have a
very compact, simple description of "Habeas Compliant Mail"
which qualifies for use of the SWE headers. Any mailing list which
requires an explicit, address-verifying subscription
confirmation step qualifies.

Me: Just like MAPS had a strong definition of what constituted spam, which definition was torqued and deformed to cover MAPS political opponents.

Gordon: You'll never *need* to use them on any list, large or small.

Me: Only lists where you think it's important that the recipients actually receive it.
HOLY MOTHERFUCKING FUCK  14
08-21-2002 12:48 PM ET (US)
Anybody else think Cory got out of bed the wrong side today?

;)
Gordon Mohr  15
08-21-2002 02:26 PM ET (US)
Edited by author 08-21-2002 02:29 PM
Cory: Huh? How is Habeas going to track down and collect judgements on scam artists in Nigeria? Did I miss the part of the Habeas proposal where they will restore the rule of law to broken-down kleptocracies so that they can persecute malefactors there?

I look forward to seeing them try -- it can't hurt! (Note that past people who have 'played around with' 419ers have had real individuals behind the scam show up for meetings in legally-advanced countries, and been given real addresses to complete the operation.)

Before Habeas, if you get 419 mail, it's below the interest of both overworked criminal prosecutors and the cost-benefit threshold of a civil suit. If 419ers use SWE marks, the cost-benefit threshold swings way in the favor of prosecution. That might not guarantee they can be found and made to pay up, but it improves the chances.

Cory: Just like MAPS had a strong definition of what constituted spam, which definition was torqued and deformed to cover MAPS political opponents.

MAPS were/are vigilantes, as much about making a point as practically solving a problem. Blackholing people is the only weapon in their arsenal, and it can be used against people who've never even heard of MAPS, so naturally they overuse it to exert their influence.

Habeas is a profit-seeking corporation, which enters into long-term, enforceable agreements with its paid customers. At a certain level, they don't care if people spam -- as long as people don't put the SWE marks on their spam. The enforcement path is clear -- a lawsuit and their own blocking list -- but you can *only* attract their ire if you misappropriate their protected labels. You have to be really dumb and malicious aforethought to have Habeas after you, whereas innocent third parties get pulled into the MAPS scheme.

Me: You'll never *need* to use them on any list, large or small.

Cory: Only lists where you think it's important that the recipients actually receive it.

You seem to be assuming that your subscribers are so sick of spam, and so glad to see the SWE approach, that they'll adopt draconian filters that only SWE mail can get through. And, they won't set up passthrough for your lists. And, they won't adopt any other technologies at all for receiving wanted mail -- presumably because SWE alone works perfectly.

That doesn't seem likely, but if it does come to pass, and that's the common user choice about the mail they want to receive, so be it! Why is individual discretion over what mail people receive a problem?
Cory Doctorow  16
08-21-2002 02:42 PM ET (US)
Gordon: Before Habeas, if you get 419 mail, it's below the interest of both overworked criminal prosecutors and the cost-benefit threshold of a civil suit. If 419ers use SWE marks, the cost-benefit threshold swings way in the favor of prosecution. That might not guarantee they can be found and made to pay up, but it improves the chances.

Me: You think that "overworked criminal prosecutors" are more interested in minor DMCA violations in spam than in international wire fraud?

Gordon: MAPS were/are vigilantes, as much about making a point as practically solving a problem....Habeas is a profit-seeking corporation...

Me: Run by MAPS people

Gordon: That doesn't seem likely, but if it does come to pass, and that's the common user choice about the mail they want to receive, so be it! Why is individual discretion over what mail people receive a problem?

Me: Because the downside of such a system would only become apparent after certain irreversible adoption decisions (like a non-technical person getting a mailer sent to him by his ISP with a Habeas filter in place) -- i.e., if every bulk messenger needs to buy a "stamp" from Habeas, but Habeas is RAND in its distribution, we may get widespread Habeas adoption. But if Habeas is then acquired, or decides to change its behaviour, we will see that these people have the power to bottleneck some substantial fraction of mass communication. A claim in copyright to the haiku will last for 95 years. Moreover, their patent application means that we can't even mint our own stamps.
Gordon Mohr  17
08-21-2002 05:07 PM ET (US)
Habeas doesn't require overworked criminal prosecutors to participate at all. Copyright and trademark violation can be pursued completely in civil courts. That's the innovation: removing a dependence on new anti-spam laws, uninterested public prosecutors, or dispersed private interest. Habeas creates a concentrated private interest with the motivation and means to go after fraudulent spammers privately.

Also check their FAQ: the DMCA has nothing to do with their enforcement strategy.

They're ex-MAPS people who have addressed some of the major flaws and abuses inherent in the MAPS approach.

Your "downside" scenario seems vanishingly unlikely to me: they become *the* single dominant mail-guarantor, users become locked into ISPs that kill almost everything that doesn't have SWE-marks, Habeas reneges on its initial promises, ISPs still stick with Habeas despite this change, there are no competitive email providers or mail-guarantors... then, and only then, could some future "evil Habeas" significantly impinge on others' legit communication. (And at that point, lots of competitive/legal countermeasures would be available against an abusive owner of the SWE-marks. I also believe there are similar ways to achieve the same benefits not covered by their pending patent.)

Let's not squint and speculate to imagine oppression, coming from a currently tiny startup, at some imagined point in the distant future -- when there's plenty of actual oppression, by truly large and powerful entities, in the here-and-now.