Clint Combs at “Thoughts at ccombs.net” has put up a nice, empathetic piece that actually made me feel better about my ongoing spam torture. He then raises great questions about use of InfoCards in exchanging user identities for email.
Kim Cameron's “Oh, And Then There's My Junk Folder” tells an all too common story of a user losing e-mail to SPAM. Whether you know it or not, your SPAM filter has probably destroyed some e-mail that you should have received, would have received – needed to receive. Kim's experience of finding this message is probably not very typical. He went wading through his SPAM folder and found a message that should not have been tagged as SPAM, but it was.
Most users happily delete their SPAM and move on without further investigation. I do it all the time. The other day a recruiter called me. I told him I wasn't interested in the full-time position he had called about, but I would be interested in part-time projects of 10 to 15 hours a week. He said he'd send me an e-mail as follow-up, but he never sent it – or did he? I have no idea. That night, as usual, I blasted my SPAM and moved on, but having read Kim's piece I wonder if it was identified as junk and redirected to the bit bucket.
Kim's story also clicked with me for another reason. The SPAM problem is, at one level, an identity problem. As SMTP servers pass along e-mail messages they can't authenticate a sender's identity. Without this piece of information, these systems have no concrete way of guaranteeing the receipt of messages we really want to receive – InfoCard could be a big help for solving this little segment of the overall SPAM problem.
What if InfoCard-enabled identity systems were already woven into the fabric of the internet? Would this have helped Kim and me get our e-mails? His message was from an “anonymous” person that he didn't know whereas my message was from a person whom I had only spoken to on the phone one time. Kim also mentions the loss of e-mail from a friend at the end of his article.
In today's e-mail environment with virtually no use of a real identity system we're forced to filter by sender e-mail address and hope that our friend doesn't change their address. In the future we should be able to trust that a person's identity will follow them via an InfoCard-style system and thus to a new e-mail address or even an entirely different mode of communication such as instant messaging or VoIP.
InfoCard and other identity systems solve identity problems in well-known relationships, but what about the e-mail from the recruiter I spoke to on the phone? Can InfoCard be extended to a phone call? In a future world I could have said to the caller, “Here's an InfoCard for my home e-mail address. Contact me at this address and we'll discuss this some more”. At that point I press a button on my phone and my InfoCard is transmitted to his phone. He then uses this card to send me an e-mail in Outlook and upon receipt my e-mail client recognizes the new relationship I have with this person and bypasses my SPAM filter.
A much harder problem is the anonymous e-mail to Kim. How can you get the SPAM filter to let this interaction through based on identity? Everyone has an identity, even SPAMMers. Maybe we need some sort of web of trust for this type of situation. If the sender is a friend of a friend of a colleague, then maybe my filters let it through.
InfoCard has great potential, but it will only be useful with broad adoption across the industry. Verisign recently signed on and I expect others to join the party too. With Microsoft's new-found openness, the flood of SPAM, and our mountains of usernames and passwords, the potential of real Internet identity is too huge to ignore.
After a recent IM chat with Simon Brown I've started looking to move my blog to a new identity and authentication structure. He's weaving the Acegi Security System into Pebble 2.0 – Simon's blogging software I'm using today. While currently unrelated to InfoCard, I can easily see Acegi being extended to support it. Simon's use of Acegi is an admission on his part that it's time to move beyond the username/password muck that we're currently enduring on most web sites. Everyone sees the identity problem and it's time to fix it.
The potential for a widespread identity system is enormous. In addition to the obvious beneficial side-effect of eliminating my long list of passwords, InfoCard and other identity systems could help crush some of the more annoying effects of SPAM. I'd love to hear from other developers, especially those in the Java “realm”, that are addressing this issue on many levels. Write and tell me how you're identifying your users and crushing your SPAM problems.
This reminds me that one of the things I need to do is post my PHP code showing how I've got InfoCards going on my WordPress blog. I imagine it would translate fairly easily into something that would work on Simon's system as well. Also, I need to move this stuff from my test system to my production system.