Carl Hutzler’s Blog

Photography, Technology Musings, and other Completely Random Thoughts. Hey, it’s free.

AOL Statement: Protecting Email Integrity for Members…

AOL: Protecting Email Integrity for Members is About Safety, Security and Trust

Statement of Purpose

Nicholas J. Graham, AOL Spokesperson:

“AOL and Yahoo! use of Certified Email is a necessary and natural extension of our ongoing efforts to protect our members’ email safety and security – as we stated clearly in October 2005 when this was first announced.

“This program, structure and purpose is not new to the internet. In fact, it is one that Microsoft in many ways spearheaded in May 2004, when it announced the use of the like-minded ‘Bonded Sender’ for its MSN/Hotmail email accounts – and again when it signed up for ‘Habeas’ in June 2005: special handling and delivery, a cost/fee structure, and so forth. Other companies are at this too, via Bonded Sender, or Habeas: Adelphia, Apple, Charter, Covad, Cox, Earthlink, Excite, Frontiernet, Google’s gmail, Juno, Lycos, Mindspring, SBC Global, SW Bell.net, Verizon, Yahoo!.

“So, much of what has been heard today falls into three clear categories: political fundraising, competitive chatter, and the omnipresent fear of change – even when it’s for the better.

“The realities and facts of the situation deserve a fair airing. AOL is moving from a dual layer of spam and phishing protection for our members to a beneficial tri-layer system of email delivery – with the additional layer being optional, voluntary, and at absolutely no cost to the email recipient.

“We believe more choices, and more alternatives, for safety and email authentication is a good thing for the internet, not bad. Everything that AOL has in place today free for email senders remains – and will only improve. We take great pride that AOL’s exceptional, industry-leading email policies have played a key role in helping deliver emails that have provided a voice and platform for political discourse and charitable fundraising on the internet – which has included coming to the aid of the sometimes troubled email delivery efforts by organizations like MoveOn.org, and many others.

“There’s been a lot of misinformation generated about this effort. Here is a compendium of phony charges and the facts to rebut them:

FICTION: Certified Email is an ‘email tax’…
FACT: No. This term is perhaps an eye-catching, political fundraising tool, but just plain bad information. The consumer pays nothing. Certified Email is an additional, optional, voluntary way for large email senders to deliver authenticated, legitimate, previously opted-in email. A ‘tax’ is an involuntary charge mandated by federal, state and local governments. AOL opposes the concept of any kind of an email tax, if one ever comes forward. Happily, we’ve never seen one. And this is not it.

FICTION: This Certified Email program will not only disadvantage consumers, it will cost them…
FACT: Good news: email recipients under this program get all of its advantages and benefits for FREE. Consumers pay nothing. Zero. Nada. Rather, they get to: 1) recognize clearly in their email inbox legitimate, authenticated email they want, via a non-spoofable email icon that stands out; 2) as a result, their predilection towards falling for hard-to-differentiate phishing and spam emails is vastly curtailed; 3) renews consumer faith and confidence in email as a definitive, trusted means of communicating online – whether it’s donating to the American Red Cross, or confirming financial and other vital transactions, and so forth.

FICTION: Certified Email is exactly what proponents of ‘Net Neutrality’ have warned about…
FACT: An alarming ‘reach’. Offering up a new service that is, at its core, about safety and security, and is purely a voluntary option that replaces nothing that AOL currently offers, has absolutely nothing to do with so-called ‘Net Neutrality’. It’s not an ‘apples-and-oranges’ comparison. It’s more like ‘apples and kumquats’.

FICTION: Certified Email creates a ‘two-tier’ system of communicating on the internet…
FACT: The ‘Chicken Littles’ of many advocacy groups have made this claim since, well, the internet was created. It’s never come to pass. Everything that commercial and non-commercial senders use – for free – today on AOL to send their emails (the WhiteList and Enhanced WhiteList) remains. Nothing changes. We continue to provide exceptional service to all email senders who conform to our antispam guidelines. In fact, CertifiedEmail serves as a valuable, new standard and threshold for the delivery of legitimate email that will serve as a guidepost for other email senders to follow and adhere to – even if they choose not to participate in the program.

FICTION: We have AOL to thank for breaching, for the first time, the idea of ‘paid email’…
FACT: Not so. Certified Email, first of all, is a product developed by Goodmail. Yahoo! – and AOL – are its first major ISP clients. Many, many other ISPs (Yahoo!, Microsoft, Earthlink, Google) and cable/telecom companies (Adelphia, Charter, Covad, Cox, SBC, Verizon) with email customers have long engaged in the practice of using a third-party company to help authenticate and help deliver email to recipients, using a variety of paid programs. That’s right – companies like Bonded Sender and Habeas have marketed and deployed programs similar to Certified Email for years. And, there has been absolutely no ‘rattle and hum’ from the naysayer crowd about these services at all – and these programs have not caused the ‘demise of email on the internet’. At all.

FICTION: Non-profits and charities and political organizations will get left behind as commercial emails can afford to use Certified Email.
FACT: Sorry – but these organizations already get premium, industry-leading, above-board, exceptional treatment and service on a daily basis through AOL’s free, existing Postmaster, Whitelist and Enhanced WhiteList services. Solid arguments can be made that AOL has helped establish and elevate the online voice of organizations like – say, MoveOn.org. And so many others.

FICTION: Certified Email is just a way for spammers to send unwanted email to consumers…
FACT: Incorrect. Certified Email prevents and blocks spammers from sending emails to online users! Goodmail’s program is 100% opt-in; Goodmail strictly disallows those who have not previously secured the expressed consent of consumers from signing up for Goodmail tokens. Given AOL’s phenomenal public track record on spam – no one can credibly assert that AOL would sign up for a pay-to-spam program. Get real.

FICTION: Certified Email circumvents and replaces AOL’s existing antispam tools and filters…
FACT: Wrong. AOL always has, and always will, retain the absolute right to make final determinations about who does and does not email to our members, in accordance with their wishes and our solid antispam and UBE policies. Besides, the Goodmail sender verification process is comprehensive, thorough, and strict – weeding out any sender that hasn’t met the most above-board antispam/antiphishing criteria. If they didn’t have this vetting process, AOL would never have signed up with Goodmail in the first place.

FICTION: With Certified Email, end users won’t have say in what emails they will or will not get…
FACT: Entirely false. With AOL’s enhanced and improved ‘Spam Controls’, recipients will always have the choice and option of blocking emails from certain senders. Or, they should just ‘unsubscribe’ from that email list. Remember, Goodmail will only sign up email senders who prove they have a pre-existing, commercial, opt-in relationship with AOL members.

FICTION: Certified Email will render traditional email obsolete…
FACT: Certified Email complements, enhances and adds to the variety of choices on the internet for communicating and doing business; most important, it provides additional tools to combat phishing, spamming, scammers and hoaxers. By the way, when the U.S. Postal Service introduced ‘Next Day’ delivery, did everyone abandon ‘parcel post’? Or ‘First Class’ stamps? Or did commercial bulk emailers balk at the USPS discounted postage rate? Did consumers throw away all the mail in their mailbox that wasn’t delivered ‘Next Day’ mail or ‘Return Receipt Requested’. Don’t think so.

FICTION: CertifiedEmail is just a money-making scheme for AOL…
FACT: About as much of a revenue stream as setting up a lemonade stand on the corner. The impetus for this enterprise is nothing other than the safety & security of our AOL members; AOL has spent tens of millions of dollars on their behalf to protect them from viruses, spam, identity theft, hoaxes, scams, trojans and worms, and the evildoers behind them. Any revenue derived from this effort will be incremental and materially intangible. Further, any derived revenue will simply be ploughed right back into AOL’s ongoing antispam and antiphishing efforts, and to further develop and improve the email experience on AOL for members and users.

FICTION: Phishing problem? What phishing problem? And, hasn’t AOL already tackled spam?
FACT: When a marathon runner reached mile marker 24 or 25 in a 26-mile race, with a pack of runners 5 paces behind, does he or she take a break? Absolutely not. Spam on AOL is way down, thanks to our ongoing efforts, by over 75% since its peak in late 2003. But AOL’s guard is way up. Vigilance isn’t a luxury in today’s internet environment – it’s a necessity. We intend to stick to it despite the propaganda peddlers and competitive chatter. Members come first. If you doubt how bad phishing has gotten lately, check out the latest stats at the Anti-Phishing Working Group (www.apwg.org), or our own survey with the National Cyber Security Alliance.

FICTION: Certified Email will just slow down the delivery of emails compared to the ‘regular’ way of sending, making ‘traditional’ delivery more difficult, less reliable, and less ‘trusted’…
FACT: AOL goes to great lengths to help so-called ‘troubled’ emailers mend their ways and get their mail delivered – such as the work we’ve done over the past 2-3 years with – well, MoveOn.org, among others. With our 24x7x365, always-helpful Postmaster team, and our constant enhancement of the email delivery process for senders, we can’t think of one unhappy or dissatisfied email sender – except for the spammers and the phishers. They are decidedly not happy with us. By the way, check out this statistic from Pivotal Veracity: “In the past two months, 91.7 percent of Pivotal Veracity customers’ e-mails reached AOL inboxes, compared with 86.5 percent at Yahoo, 81 percent at MSN, 80.9 percent for Hotmail and 74.5 percent to Gmail.”

FICTION: The result of today’s disparate coalition will be an end to AOL’s Goodmail project…
FACT: Never. Not going to happen. Implementation of this timely and necessary safety & security measure for our members takes place in the next 30 days. Mark it on your calendars.

4 Comments so far

  1. root March 2nd, 2006 8:35 am

    FACT: All of these hacks work around the brokenness and weaknesses inherent in e-mail. Fix that first.

  2. cdhutzler March 2nd, 2006 9:38 am

    OK, maybe SMTP is not perfect in some way. But from a transport protocol standpoint, it works just fine. What areas do you propose we “fix” and maybe even suggestions on how?

    I know a lot of people think SMTP is “broken” but I wonder if it is or not? Most spam today is sent through a user’s PC connected to a cable modem. That PC has been infected by one of many viruses/trojans/worms that opens a back door on that machine. The machine is now an open proxy/relay for a spammer to use. Is this security issue the fault of SMTP? Not sure it is because the same infected PC can certainly do harm on Port 80 (DOS/DDOS attacks against websites) and many other application ports as well.

    But maybe you are thinking about SMTP being “broken” in another way. Please comment!

  3. root March 2nd, 2006 10:30 am

    SMTP is broken because a third party is allowed to send an e-mail on my behalf, with no checking. Mailing lists abuse this.
    Domain keys and SPF go some way to fixing this, but they’re not SMTP.

    The prime complainers against phishing are banks and big companies.
    Pick ten banks, and look for an SPF or domain keys record. I bet you won’t find many.

    But I suppose this is getting off topic.

    It doesn’t matter whether AOL are charging for e-mail now, or (more importantly) _why_ they are charging for mail, what matters is what they will do in the future. Why involve money at all? Will poor countries get a discount? If something better comes along, and paid e-mail becomes popular, can you see them adopting it if it doesn’t bring in a revenue stream?

    I suppose my problem is that I can’t see the benefits that paid e-mail brings over other systems like SPF/Domainkeys coupled with a reputation system.

  4. cdhutzler March 2nd, 2006 11:24 am

    SPF and Domainkeys and SenderID are authentication technologies and supposed to prevent people from using your address when they send mail (spoofing). These technologies simply tell the receiving system/user that the identity of the sender has been checked and validated (at least from ISP to ISP as long as the first ISP implemented good security on their side with SMTP Auth, etc). This might be similar to security checking your driver’s license/ID at the airport in the security line. This simple check does NOT get you onto the airplane.

    To know whether or not the sender is someone you can “trust”, SPF, DK and SenderID technologies need some form of system that can show they are good senders. This can be either a “reputation” based system or an “accreditation” based system. These ARE different although they provide similar end results.

    Reputation systems measure past performance of a mailer (or sender) and measure things about that sender that indicate whether or not they are a “good mailer”. Most big ISPs (AOL, YHOO, GOOG, and MSN just to name a few) use these approaches today by measuring member complaints (report spam), bounce rates, volumes and changes in volume, and similar attributes. Spam Cop is a peer to peer network which does a similar thing as well. SenderBase (Ironport) publishes stats on senders for anyone to see. Each system has its own rating algorithms but basically the better your stats, the better your mail is treated (in general). AOL’s EWL is based on this today as is our regular whitelist.

    Accreditation is another approach. This type of system allows you to pre-qualify and essentially receive a reputation at the beginning by leveraging the reputation of the accreditation service (Goodmail, Bonded Sender, Habeas, ISIPP, etc). There is a lot of work required to “fully vet” an organization wanting to be accredited much like a Bank must do to grant a loan to a small business which is why these services are not free.

    Maybe the big beef is AOL getting some change from the goodmail approach? I know this sounds like the wrong incentive plan for AOL, but in truth I doubt we would be able to go overboard on this and demand people pay to play. I just can’t see us being able to get away with blocking legit mailers and telling them to do goodmail or be blocked. It just would not make sense as AOL currently hears from members when we make a blocking mistake immediately. Can you imagine if we blocked moveon or the EFF? :-)

    Thanks for your constructive comments.

    -Carl
