Spam and Telemarketing

Scott E. Fahlman

 

This web page contains some additional information and discussion related to my paper “Selling interrupt rights: A way to control unwanted e-mail and telephone calls”, published in the Technical Forum section of IBM Systems Journal, Volume 41, Number 4, 2002, pages 759-766.  The online version of the paper is here.

This page contains details and special cases that were not included in the paper, either for reasons of space or to avoid overwhelming casual readers.  If you are interested in this topic, I suggest you go read the paper before trying to make sense of the material collected here.

I have organized this material in the form of a FAQ (“Frequently Asked Questions”) list.

 

Precedents and Related Work

What is original in this paper?

Most of the ideas described in this paper – “E-stamps”, optional collection of a fee, a third-party token-agent, an “accept list” – have been floating around the Internet community in various combinations for some time.  Brad Templeton’s web-site, cited in my paper, mentions several of these elements.  I developed my scheme independently, and only discovered Templeton’s site later, but it appears that his site pre-dates my first write-up of these ideas. There is also the Sundsted patent, discussed below.

However, until now, these ideas have not been widely adopted, nor do they figure prominently in public discussions of how to control spam and telemarketing.

My contribution in this paper is to describe a specific combination of these elements that (I claim) has several desirable properties:

• The system as a whole is convenient its users and for their non-spamming friends and associates.  So it is possible that this version may be widely adopted.
• The system requires no new legislation and no new E-payment mechanisms beyond those already in use.  Nor does it require substantial changes to the world’s communications infrastructure.
• The system can be adopted one customer at a time.  There is no need to wait for universal agreement on new standards.  This scheme is more convenient for everyone if it is implemented by existing phone companies and internet service providers (ISPs), but there is no need to wait for these companies if they drag their feet.

An additional contribution of the paper is to suggest that the same token-based approach can be used to limit both E-mail spam and unwanted telephone calls.  While others have suggested similar ideas in the E-mail world, I haven’t seen anything like this in discussions about how to combat aggressive telemarketing.

If I can popularize this kind of approach and help to move the anti-spam debate away from its current focus on legislation and message filters, that will be an accomplishment.  If this scheme is widely adopted, that would be a great accomplishment.

What about the Sundsted patent?

After my IBM Systems Journal paper was in press, I learned about the existence of U. S. patent 5,999,967, issued December 7, 1999 to Todd Sundsted.  (For some reason, this patent had not turned up in my earlier keyword-based searches of the USPTO patent database.)  You can view the Sundsted patent by going to the USPTO site and putting the patent number into the search window.

Sundsted’s patent covers the general idea of using an electronic stamp on E-mail.  The electronic stamp – a pattern of bits attached to the message – costs the sender some amount of money.  The recipient (or the recipient’s mail software) can examine the value of the stamp and, based on that, decide whether to read the message.

The patent also describes the possibility that the recipient of the message may actually collect the face value of the stamp from the sender. The receiver would have to bill the sender for the agreed amount if he accepts the electronic mail – not a very practical system.  Alternatively, some third party (a “bank”) could sell a stamp to the sender.  The recipient of the message could then return the stamp to the bank and receive compensation.

Clearly, some elements of the anti-spam system described in my paper are similar, in a general way, to ideas described in this patent.  My scheme adds some additional elements, such as the ability of the recipient to issue free tokens in cases where that is appropriate.   Note that the claims of the Sundsted patent refer only to E-mail, not to the use of E-stamps or tokens in controlling unwanted telephone calls.

An important question is whether a company implementing the token-based scheme I described for E-mail would infringe the Sundsted patent, and would therefore have to obtain a license.   I am not a patent expert, and I cannot predict how the courts would view this.  There are two key questions:

• Is the kind of interrupt token I describe an “electronic stamping means having intrinsic value” – the language used in the key independent claim of the Sundsted patent?  In my scheme, the tokens are created and controlled by the ultimate recipient of the message.  In effect, such a token is a personally issued license to deliver a message to me.  That’s not quite the same as the E-stamps Sundsted describes.  Does any random pattern of bits or digits have “instrinsic value”?
• Is there prior art that would invalidate this patent?  The idea of “E-stamps for E-mail” has been around for some time, but establishing the exact date when the idea first appeared could be difficult.

 

Business and Social Issues

Would phone companies actually implement this scheme?  Don’t telemarketing calls generate significant revenues for them?

I don’t know how much income the phone companies actually make from telemarketing calls, once we subtract the costs associated with handling such calls.  Right now, it appears that they make money from both sides: they lease high-capacity lines and auto-dialing equipment to telemarketers, and then they charge their customers for access to various weak call-blocking schemes.

But however much the phone companies may profit from the current situation, it is generally bad business to continue a practice that infuriates the vast majority of your customers.  Phone companies with a local monopoly may not immediately embrace any new scheme for controlling telemarketers, especially if that scheme actually works. But as soon as there is competition in a given market, one of the companies (probably the hungriest one) is likely to offer token-based call filtering.  And then the other companies will be at a disadvantage unless they do likewise.

Such competition now exists in the cell-phone market in most parts of the U.S., and (we are told) it is coming soon to land-line phone service in most areas.  Also, cell phones are increasingly being used by customers as their primary phones, so the cell-phone companies are beginning to compete directly with the traditional local-phone monopolies.

Even in a monopoly situation, a phone company may choose to offer this service in order to keep its customers happy – and to avoid having some solution imposed on them by state or federal regulators.

Since individual customers can adopt the token-based filtering scheme on their own, without the phone company’s cooperation, the companies may decide to offer this service (and collect some revenue from it) before their customers take matters into their own hands. So the possibility that individual customers could implement this scheme on their own probably ensures that they won’t have to do this.

Don’t phone companies already offer a service to block telemarketing calls?

In addition to unlisted numbers, there are currently three anti-telemarketing services that are commonly offered by phone companies.  Usually a local phone company will only offer one of these services.

·        A service that blocks all calls except those from users on an accept-list.  Usually the list is limited to 10-12 entries, and the service typically costs $2.50 per month.  This is not useful for people with complicated lives who get legitimate calls from many different sources.

·        A service that intercepts non-caller-ID calls and asks the caller to state his name.  Then the recipient’s phone rings, and he can decide whether to answer.  This normally costs about $4 per month.  The problem is that as long as the caller is willing to give some name, your phone is going to ring.  But it apparently does trip up the current generation of auto-dialers.

·        A service like the one above, but that forwards your call to voice mail if you don’t accept the call.  This typically costs about $10 per month, bundled with voice-mail and a package of other services.

If I implement this scheme, asking callers and correspondents for money, won’t people think I’m greedy or perhaps trying to rip them off?

If you’re worried about this, you could arrange for your token agent to donate all collected fees to some worthy charity, and to inform callers of this.  If you want to reduce spam, the important thing is to make the spammers pay when they bother you.  Actually receiving the fees they pay may be less important to some users.

How would senders/callers actually pay for an interrupt token?

As mentioned in the paper, the fee could just be added you the caller’s phone bill if the telephone companies decide to help implement this scheme.

An independent token agent could accept standard credit cards (Visa, MasterCard…)That would probably be the most popular payment option in the near term, since almost everyone has access to some credit or debit card.  Another option would be to pay via some online payment system such as PayPal. 

If this token-based system becomes widely used, and if there are only one or two large token agents, callers may keep a pre-paid balance with each token agent, paid for with a check or with cash.  A $10 balance might last a long time, since non-spammers would seldom have their tokens redeemed.

Token agents could band together and issue pre-paid cards, similar to the cards many people now use for long-distance calling.  Perhaps the same cards could be used for both long-distance and for buying tokens.  These could be sold online or in stores.

At present, credit-card transactions over the phone or on the internet (that is, transactions where no physical signature exists) can easily be repudiated by customers.  The customer merely has to claim that he never made the charge.  The burden of proof then falls on the merchant to prove otherwise, and that can be more trouble than it is worth for small transactions.  This is a large and growing problem for online merchants, and could be a problem for token agents as well: a spammer could use a credit card to purchase a few thousand tokens, send out the spam messages, and then repudiate the charges.  Fortunately, both Visa and MasterCard have developed new verification schemes for online purchases that will make it much harder for a validated customer to repudiate a charge.  These new systems are supposed to be in widespread use by mid-2003.

Suppose some stranger wants to contact you to do you a favor of some kind.   Perhaps your car is about to be towed.  Perhaps the stranger has read something you have published and has a suggestion.  If you ask this good Samaritan to pay for the privilege of contacting you, he will probably just give up.

This is a legitimate concern.  By creating a barrier high enough to discourage the spammers and telemarketers, you also run the risk of driving away some strangers whose messages would be welcome.  If these people really want to contact you, they will offer the token fee – the barrier is not very high, after all, and you’re unlikely to actually collect the fee. But if the sender is just doing you a favor, he might not bother.

So it’s a trade-off: you can eliminate most spam, and be paid for receiving the rest, but at the cost of scaring away some strangers whose messages might actually be welcome.  You can affect this tradeoff by setting you interrupt fee higher or lower, but you can’t make the barrier disappear completely.

The cost to uninvited strangers has three components:

·        Monetary cost.  Even if you set your fee at $1 or more, this is probably not a big deterrent to well-meaning strangers if they understand that you probably will not collect the fee.  But if the sender doesn’t know you, he can never be sure, so your fee shouldn’t be higher than necessary.

·        Time and inconvenience.  Buying a token may eventually be as simple as pressing a key or two on your phone or clicking a button in your token-aware E-mail software.  But in the short term, the sender would have to visit the token-agent’s web site, enter a credit-card number, get a ten-digit token, and paste that token into his E-mail message or key it into his phone.  That’s a non-trivial inconvenience, especially the first time the sender has to do this.

·        Outrage. “How dare this guy ask me for money just to contact him?  What arrogance!”  If the caller’s first contact with this token scheme is a message on someone’s phone asking for money, the caller may indeed react with outrage.  But if we explain this scheme to the public in advertising, news reports, or whatever, callers will understand that this is part of a system used by many people to eliminate spam and telemarketing.  A caller may not choose to adopt this system for himself, but at least he will understand that it’s not just an arrogant or greedy act on the part of the person they are trying to contact.

All of these costs should come down as the system gains in popularity.  Better online payment schemes, with lower overhead, would make it possible to charge lower interrupt fees.  Buying a token would be much less hassle after the first time, especially if the purchaser has set up an account with a given token agent.  The outrage factor should vanish almost entirely once people become accustomed to the system.

Wouldn’t credit-card transaction costs force token agents to charge several dollars for a token?

Token agents would make most of their money from subscriber fees, but they must at least break even on the cost of selling a token.

Current Visa and Mastercard fees for online merchants are about 30 cents per transaction plus about 3% of the amount charged.  So if each interrupt fee is paid via an individual credit-card transactions, the minimum fee might be 50 cents, and almost all of that would go to overhead costs, not to the recipient of the message.  If the fee were $1, the recipient would get about half of it.  (If the token is not redeemed by the message recipient, the credit card would never actually be charged, so this overhead cost would not be incurred.)

If overhead costs were not an issue, some users might prefer to set their interrupt fees at only a few cents.  But until some electronic payment scheme with much lower overhead becomes popular, this will not be possible.

It would be possible for a token agent to sell ten-cent token credits, but to require customers to buy at least $1 worth of these at a time.  The customer could then send a message using some number of these credits, and the rest would be kept in the customer’s account for later use.  This still creates a higher-than-optimal barrier for first-time customers, but subsequent transactions would be easy until the account is empty.

 

Can I really ask everyone who calls me to give their credit-card information to some token agent they don’t know?  That seems a lot to ask.

Several points should be kept in mind:

• Only uninvited callers will have to offer payment.  People who call you frequently will be on your “accept list”.  When you invite someone to call you, you give them a token.  So we’re not talking about imposing this burden on all your friends and associates – just on uninvited callers.
• Once people get used to this system, it will be considered very rude for a recipient to collect the fee for a reasonable (non-spam) call.  If you call a friend and he actually collects the fee, you’ve just learned a lot about your friend’s character and values for not very much money.  So I believe that once this system is in widespread use, most people won’t think twice about offering the fee when they call someone – even a stranger – for some reasonable purpose.
• If the phone companies implement this scheme, most people would feel comfortable authorizing a specific charge on their phone bill.  It feels safer to do this than to give some token agent your credit-card number.
• If a caller must deal with a third-party token agent, it would help if these agents are associated with existing companies (banks, large retailers), already known to the caller. Then callers won’t worry that it’s all some kind of scam to steal their credit-card numbers.  Most people are now comfortable giving their credit-card numbers to online merchants they know, though some people still resist doing this.
• Really suspicious callers would probably me more comfortable with a pre-paid payment card.  That limits the amount of money they could possibly lose.

Will the token agents’ subscriber fees be reasonable?  Phone companies now charge high monthly fees for unlisted numbers and other anti-telemarketing services.

In situations where some competition exists, market forces will drive the cost of this token-based service to some reasonable level – a function of the inherent cost of providing the service and to the number of people using the service.  If this token-based filtering becomes very popular, the monthly fee for token-agent service should be just a few dollars a month.

If the phone company serves as your token agent, the token-based call filtering would probably be bundled with a number of other services, sold as a “deluxe package” for an attractive monthly rate.  We already see such packages being offered in the cell-phone world, where competition is fierce.  Cell-phone plans emphasize both price and features – walkie-talkie, charging by the second, calling circles, and so on. Traditional phone companies are beginning to offer similar packages.  An effective way to block telemarketers would be a very attractive feature in any such plan.

How important is standardization?

There must be some agreed-upon signaling conventions between a user’s token-aware phone set or E-mail software and the token agent he uses.

If there are multiple incompatible systems, all implementing the same general scheme but differing in details, that would not be fatal, but it would create confusion and perhaps slow the growth of this market.  The situation is similar to what we see at present in the instant-messaging world, with several systems that are incompatible and proprietary.  This unfortunate situation has probably slowed the growth of instant messaging, but certainly has not stopped it.

So it would be very useful for all the parties involved to work together to create some open standards for such signaling.  Some standardization of the user interface would also be beneficial for customers.

Who will pay for the deployment of this system?

That’s the beauty of it: there’s no need for a huge up-front investment.

Some company has to take the risk of producing token-aware phone sets, but this is a relatively minor redesign of existing phones – mostly a change in the phone’s software.  This is an opportunity to make some money.  Each customer pays when he buys one of the new phone sets.

For E-mail, some company has to take the risk of creating token-aware mail software.  Again, this is an opportunity to make some money from people who buy the software.

Some company has to set up a token-agent service, but this is paid for by monthly subscriber fees and by taking a cut of any token fees that actually change hands.

If the whole system is implemented by phone companies, there is an up-front investment for them, but it’s not a huge change for a system that already supports services such as voice-mail, caller ID, and call-waiting.  The phone company would make back its investment by charging a monthly fee for this service, or by using it to gain an advantage over competitors – or to catch up with them.

Some people object in principle to paying anything to eliminate intrusions due to spam and telemarketing.  Why should people have to pay for peace and quiet?  But if the cost is relatively low and the system actually works, I think that these objections will eventually fade away.  I don’t like having to buy locks for my doors either, but I do it.  It’s an imperfect world.

If this system is implemented at the phone company, aren’t there privacy issues?  I don’t want them telling others who is on my accept list.

Well, if the phone company decides to invade your privacy, they can do worse things than telling others who is on your accept list.  They could keep track of every call you make and even tap the calls.  That’s illegal without a court order, and giving away your caller-permission information should be as well.  The token vendors should also be required to keep your information private.  We may need some legislation to extend existing privacy protections to these new domains.

 

Technical Issues (Telephone)

What if I pick up my phone to make a call while it is busy negotiating with an incoming caller?

No big deal.  Instead of hearing a dial tone, you hear a bit of the negotiation between the phone and the caller.  Just hang up and try again in 30 seconds.  A token-aware phone could have a little light on it to tell you when it is busy.

Will this scheme work with caller ID?

You need caller ID service in order to use the “accept list” part of the scheme.  There’s no reason why this smart phone could not remember the caller’s number (if it is supplied) and display it later, when the phone actually rings.  If you like, the ID could be used to choose a distinctive ring for certain callers on your accept list.

Will this scheme work with call-waiting?

In call-waiting, if you are talking to someone and a second call (perhaps from a telemarketer) arrives, you hear an audio tone.  You may then choose to put the current caller on hold while you talk to the second one.  This signaling and switching is implemented at the phone company, not in your own equipment, so there is no need for a second phone line.

If token-based filtering is implemented at the phone company, it would be possible for the negotiation about tokens to take place while you are talking to someone else.  If the system decides that the second caller is allowed to “make your phone ring”, you would then hear the call-waiting tone and could handle that as you do now – switch to the new call or ignore it.  If you never switch to the new call, you would not be able to collect the interrupt fee.

If the blocking is implemented in your own phone set,  the situation is not so attractive.  Assuming you have only one phone line, you cannot continue the old call while your phone set negotiates with the new caller.  So, unless you disable call-waiting, the new caller would hear a “ring” tone until you either switch to the new call or the caller gives up.  You can either ignore the call-waiting signal, or switch to the new caller. This might be a telemarketer who just got through without the usual screening.  At least, in this case, you can dump the new caller quickly and get back to your original call.  Since you were already talking on the phone, it probably was less of an interruption than if you were doing something else – sleeping, perhaps.

Will this scheme work with an answering machine or voice mail?

This should work with an answering machine.  The answering-machine functionality could easily be built into the token-aware phone set.  If the call is put through, one way or another, but you don’t answer the phone, the caller ends up talking to your voice-mail instead.  If the caller supplied a token, the call recipient can still collect his when he finally hears the message, as long as not too much time has elapsed since the call was received.  (After some amount of time – 24 hours? – an unredeemed purchased token would expire.)

It is perhaps a bit unfair to charge the caller if he only reached your machine and not you, but the caller still has placed a demand on your attention.  Perhaps the caller should only be charged some fraction of the token’s value if he only was able to leave a message.  But if the caller is a telemarketer, I would collect the fee in any case.

It wouldn’t work for voice mail to be implemented at the phone company and for the token-based filtering to be in your home phone set.  The voice-mail system would see that someone (or something) has answered the phone and would never store a message.  But it seems unlikely that anyone would want to split things up in this odd way.

What if I have several extension phones in my home?

There are several cases:

• If the token-based filtering is implemented at the phone company, there will be no problem with customers having multiple phone sets.  If the filtering allows the call to go through, all your phones will ring.
• If the filtering is done at the customer’s end, and if all his phones are new token-aware phones, there should be no problem.  One is designated the master phone.  It does all the filtering and negotiating.  The slave phones do not ring until the master sends them a special “everybody ring” signal over the shared phone wiring in the house.  Aside from this unusual ringing behavior, these extensions act just like normal phones.  It would be easy to convert a legacy phone to one of these slaves, simply by disconnecting its bell and (optionally) putting a token-aware ringer box on the same line.
• Finally, the phone lines in the house could be split into two parts.  The master token-aware phone would have two connection points.  One would be connected to the outside phone line; the other would be connected to the extension-phone wiring running through the rest of the house.  Any number of conventional phones can be connected to the interior network.  They only ring if the master phone sends them a ring signal.  This may or may not be practical, depending on the existing wiring pattern in the house.

My dentist uses an old database (or electronic organizer) for all his phone contacts.  I can give him a multiple-use token but where will he store it?

Most current software that stores phone numbers will allow the user to store multiple numbers for each person: home, work, mobile, fax…  One reason I chose 10 digits as the length for a token is that it will fit into one of these “extra phone number” slots (for U.S. phone numbers, anyway).  So this number should fit into one of the fields in your dentist’s DB.

If your dentist’s DB can’t handle multiple phone numbers per person, storing tokens is the least of his problems – time for him to upgrade!  Ironically, really old-fashioned people who store their contact information on paper or index cards should have no problem finding a bit of space to add the token.

Remember that you can always put the dentist on your accept list, and then he won’t need a token.  Tokens are only really necessary for people who block caller ID or who don’t always call you from the same phone.  Or you could just promise your dentist that if he authorizes an interrupt fee, you won’t collect it – if you double-cross him, he’s the one holding the drill…

 

Technical Issues (E-Mail)

I use Microsoft Outlook and don’t want to change my mail software.  What if Microsoft doesn’t offer a version of Outlook that includes this token-based spam-blocking scheme?

An independent software vendor could package this spam-blocking technology as a proxy mail-server.  You tell your favorite E-mail client (Outlook or whatever) that this proxy is the server where it should obtain your E-mail.  The proxy, in turn, accesses the real POP3 or IMAP server where your mail actually lives.  All the filtering takes place in the proxy, and only “approved” messages get through to your mail client.  The advantage to the vendor is that this proxy software would work with just about any E-mail client.  (Thanks to Shumeet Baluja for suggesting this.)  Of course, it’s simpler for users if the makers of popular E-mail clients do include the token-based technology.

What if the spammers can guess some name on my “accept list” and create a message that appears to come from that address?

Well, it certainly is extra work for the spammer, but it could happen.  In this case, assuming your friend doesn’t want to change his E-mail address, you would have to take him off your accept list and give him a multiple-use token instead.  We can hope that by the time this problem becomes widespread (if it ever does), all our correspondents will have token aware mail software that fills in the token field without extra work on the sender’s part.

We may soon find that most E-mail is sent using a digital signature scheme so that it is impossible (or at least extremely difficult) to forge the sender’s signature.

This might also be an area where legislation could do some good.  It is probably easier to pass a clean, enforceable law prohibiting the forgery of electronic signatures than it is to pass a law defining what is an is not illegal spam.

A ten-digit token is not very secure.  With enough effort, the spammers could crack this.

It’s true that a ten-digit code is not very secure, especially since hundreds or thousands of the ten billion codes might be “live” tokens for a given recipient.  But even if the spammers do somehow guess a valid token code, it’s no big deal.  They can’t delete all your files or steal your credit-card number.  The only consequence is that you get one or two unwanted messages and then have to rescind that token.

If I give your E-mail address to a friend, must I also give him the token I use?  Will that token work for him?

In general, a valid multiple-use token will work for anyone who gets hold of it.  We could also implement a class of tokens that is tied to a given E-mail sender or phone number, but this type of token wouldn’t be useful for senders who move from one account (or phone number) to another.

You probably should not give your friend a copy of the token you use for sending messages to me.  If that token becomes compromised, you will face the (minor) hassle of contacting me and getting a new token.

It is probably better for you to contact me and ask me to send your friend a token of his own.  Or just tell your friend that I’m a reasonable person and if he contacts me, saying you sent him, I’m not going to collect the fee.  Unless he becomes a persistent pest…

 

More Acknowledgments

In addition to the people mentioned in the published version of the paper, I would like to thank Brad Templeton for providing much useful feedback on these ideas, even though he is now generally opposed to “E-stamp” schemes.

 

Additional References

Aspects of the Problem

• An amusing article by Steve Outing in Editor and Publisher, describing the problems that can arise if ISP’s try to identify and block spam before it reaches their subscribers.
• A cnn.com story on the arms race between telemarketers and the public, and how phone companies are profiting from both sides of this.
• An MSNBC/Slate article by Kevin Werbach: spam is killing E-mail as we know it, driving people to use white-lists and to refuse all mail from strangers.

Anti-Spam and Anti-Telemarketing Sites

• This seems to be the most-cited anti-spam site.  And it points to most of the others.
• Junkbusters is a popular site aimed at controlling all forms of “junk” communication, including E-mail spam and telemarketing.

 

Other Proposed Solutions

• An MSNBC/Reuters article describing various devices and services aimed at blocking telemarketers.
• A web-page from Avinta Communications Inc. that describes many of the anti-telemarketing services and devices currently on the market.  Avinta sells PBX products that, they point out, can frustrate telemarketers – their auto dial machines are not usually programmed to dial an extension.  Whatever their self-interest, there is lots of good info on this page.
• An article by David Mertz analyzing various technical approaches to spam-filtering.
• An article by Randy Cassingham on things E-mail users can do to reduce the amount of spam they receive.
• More analysis and ideas from Brad Templeton on how to fight spam.
• A proposal by Adam Back for a “CPU currency” scheme that would force uninvited senders of E-mail to perform a time-consuming computation for each message they send.  The idea is that this would be a minimal burden on small-scale mailers, and a prohibitive burden on mass mailers.
• A project at Microsoft Research aimed at combating spam.  They currently are focusing on imposing a cost in CPU cycles on the sender rather than any sort of cash-based scheme.