"Fallout From the Fall of CAPTCHAs"

posted Jul 15, 2008
in Bloviation

Slashdot has an unusually interesting discussion on the rise and fall of CAPTCHAs, which is why I give that link precedence over the original story.

I mention this because I keep waiting for someone to discuss the root problem, and it's so rarely done that I guess I'm just going to have to do it myself. The root problem of spam comes from the following simple tension:

  1. We want to be able to contact or be contacted by anybody.
  2. We don't want to be contacted by just anybody.

Without understanding this fundamental dynamic, the whole "spam" situation won't make any sense.

I use "spam" in a broader sense than just email spam, to include the whole range of undesirable communication that occurs in a medium where you allow someone to push information at you with a default "accept" policy. This includes email, but also includes blog comments, online reviews on sites such as Amazon, eBay listings, and anything else where your default policy is "accept".

Note that while spammers will definitely take advantage of something like eBay or blog comments that goes out to many people at once, the fact that they so aggressively pursue individual emails shows this is the frosting on the cake and not their primary goal.

So, given that I've identified the root problem of generalized spam, what's my inevitably proposed solution? Well... there isn't one. I think the tension is as fundamental as the baldly-stated sentences above. If you want to be able to receive communication from anybody at any time, I simply do not see a way around the fact that of the six billion other people who might be that "anybody" today, a significant proportion of them will bend their efforts towards jamming your channel full of ads (or worse), thanks to the other significant proportion who reward them for doing that, in both cases a proportion likely far larger than the one of people who actually have something interesting to say to you.

Filtering is one of the better solutions for now, but while it ended up better than I thought it would, it also never reached the Total Victory over spam its most-dedicated advocates claimed it would. Filtering requires a lot of maintenance to keep the accuracy up, and also extracts an inevitable attention-fee of false positives. And there isn't much else even in the running.

The only other solution that works is to get rid of the "want to be contacted by anybody" criterion. Then you get social networking software where you have to "subscribe" somehow, or blogs, or Twitter, or a number of other models based either on "pull" or explicitly-requested push. But you intrinsically lose the ability to get an email out-of-the-blue, and any attempt to put anything like that capability back, like Technorati does for blogs, inevitably succumbs to spam in a virtual heartbeat.

This problem has an almost mathematical certainty to it, and there's simply no way to beat it.

If I did have a modest proposal, it would be to get used to it, and resign yourself to using pull instead of push.

(Disclaimer: I work for a company that sells an anti-spam product, but I do not work on the anti-spam product and this commentary is entirely my own, a continuation of my interest in the subject extending many years before I'd ever heard of the company. Both the company and I prefer not to mention the exact name.)


