washingtonpost.com
Alliance Raised Hope in Fight Against Spam
Mistrust of Microsoft Ended Effort to Use Single Standard

By Ariana Eunjung Cha
Washington Post Staff Writer
Sunday, July 3, 2005

In 2003, Meng Wong and a friend wrote a program with the bold goal of helping to save e-mail. Wong, a 29-year-old tech entrepreneur, worried that the worldwide message system was in danger of being overwhelmed by spam, phishing and other online scourges. He released the software on the Internet for everyone to use free.

It drew the notice of software company Microsoft Corp., which had been working on a similar product of its own. Nearly a dozen other companies, including Yahoo Inc. and Cisco Systems Inc., also were trying to come up with a way to make the e-mail system more reliable, but none could agree on a common approach.

So when Wong got a message from Microsoft in May 2004 about a possible partnership, he jumped at the opportunity. But so far efforts to get everyone else on board have failed, and now problems with the e-mail system are worse than ever. Spam grew from 50 percent of all worldwide e-mail in July 2003 to about 69 percent today.

"Stopping spam is something everybody wants to do and it has been this hard," Wong said.

The fact that the industry has failed to adopt a solution that all agree is necessary is a lesson in the complicated nature of who controls the online world. Big companies have clashed over who should take responsibility for a resource, e-mail, that no one owns. Individuals have accused the companies of being too concerned about their bottom lines to be trusted.

Like the Internet itself, e-mail is an innovation born out of idealism that has found itself stymied by abuse.

When the e-mail system we use today was written in 1977, around the time when Wong was born, a lone researcher at the University of California at Berkeley had control over how it evolved.

Eric Allman designed the program, Sendmail, to make it easier for messages to be sent to and from any computer.

The goal was convenience, not security. While Allman's invention made it easy for the University of California academics to reach each other, it also made it easy for those with less admirable motives to do the same.

No one had a chance to change the system before it tumbled out into the rest of the world. Now, with billions of e-mails flashing around the globe every hour, the problems threaten to overwhelm the system.

This is why mighty Microsoft was eager to meet last year with Wong, a little-known computer engineer from the University of Pennsylvania who had started an e-mail company, Pobox.com.

Wong and Microsoft had separately concluded that the best way to fight spam in the short term was to make it harder for people to "spoof," or fake, their identities on e-mail. E-mail authentication works by checking with the host company, government or Internet service provider whether the sender is legitimate and registered -- providing a virtual return address.

"The Internet has changed from a small town where you can leave your doors unlocked to a big city where you don't even want to talk to some strangers on the street anymore. So when you don't want to know your neighbors you need a way for people to be accountable to each other," said Wong, who co-wrote his e-mail authentication program with Mark Lentczner.

As an advocate of free, open-source software for more than a decade, Wong loathed Microsoft's philosophy of keeping computer code proprietary. He was uneasy about working with the company.

But he thought the e-mail issue was too important to ignore. In May 2004, he met in a locked conference room in a D.C. hotel with three Microsoft engineers. Two more were outside, guarding the door.

In the PC-centric world of the 1980s and early 1990s, Microsoft was a king, a dictator. If something was wrong with its technology or needed to be upgraded, the company simply fixed it in a subsequent version and everyone had no choice but to accept it. The emergence of the Internet, with more than a billion distinct parts owned by governments, companies and individuals, has changed everything. Microsoft can no longer order someone like Wong to use its technology; it has to persuade.

The discussion in the conference room between Wong and Microsoft dragged on, then continued over the next few days at a meeting of e-mail providers in San Jose, on a plane en route to the company's Redmond, Wash., headquarters and at an office on the software giant's corporate campus. Finally, they emerged with a compromise.

They agreed to merge their e-mail authentication programs into something called Sender ID and to promote it jointly.

Harry Katz, one of the three Microsoft engineers present at the meeting, said that at first he felt "nervousness" and "uncertainty" because previous discussions with authentication providers had gone nowhere. But he left feeling victorious, like that week would go down as a "very important moment" in the evolution of e-mail, he said.

Allman and several other industry heavyweights voiced their support for the project.

The group took its solution to the Internet Engineering Task Force, a standards group made up of volunteers from hundreds of companies, academic institutions and governments. While it has no legal authority to force anyone to accept its decisions, it has great influence.

The computer scientists who were reviewing and tweaking the Wong-Microsoft proposal moved quickly, and by the fall of 2004 they felt they were almost ready to finalize the standard.

Then, as one engineer put it, came the "train wreck."

News broke that Microsoft was trying to patent some of the technology in question. Accusations started to fly on an e-mail discussion group, saying the company had taken advantage of the standards process to promote its corporate interests.

"We have been fooled once by the likes of MS," one participant wrote. "Let's not let it happen again."

"For all I preach about not blaming Microsoft here's an instance where I'll gladly say it," another person said. "The words 'BLAME MICROSOFT' creep across my crystal ball."

Microsoft said it had the best intentions when it patented the technology: It wanted to make sure no one else would do so and then abuse it.

"We were open and honest from the very beginning. Anyone can grab and use Sender ID and Microsoft will never come back and charge for it," said Ryan Hamlin, general manager for the technology care and safety group at Microsoft.

But their efforts were too late. Trust had been lost. The IETF's e-mail group, unable to agree on whether to proceed with the Microsoft proposal, was disbanded.

Wong was pummeled with criticism from colleagues. He said he knew nothing about the patent applications until a friend told him, and that after analyzing them he thinks the company's public promises of a royalty-free license should be enough to assuage any concerns.

"I don't think that at any point I went over to the dark side," he said.

"We've done a lot of soul-searching and looking back at the process and we believe we did exactly the right thing," Hamlin said. "Unfortunately, there were differing options there and it definitely stalled some of the momentum."

Allman said he thinks Microsoft was not given a fair chance and that people overreacted because of the company's past practices.

He and representatives of other companies such as Bigfoot Interactive that use Sender ID said they believe Microsoft has lived up to its pledges so far.

"I don't think the world realizes that Microsoft realizes that this is different from what they usually do," Allman said.

With efforts to create a single standard stalled, several companies this year began rolling out their own e-mail authentication systems.

This month, Microsoft and Yahoo, which recently announced it would merge its program with Cisco's, separately began offering consumers a note on e-mails informing them whether the sender has been authenticated.

Some e-mail monitoring companies already report a leveling off of spam. But having multiple e-mail authentication programs is causing confusion.

While Microsoft tries to flag e-mails that are potentially "bad," Yahoo does the opposite, labeling e-mails that are "good." And while Microsoft and Yahoo say their systems are "complementary," neither has plans to implement each other's system, although they say they have not ruled out the possibility.

There are also other, unresolved questions -- for example, about whether it is fair to just delete an e-mail from an unauthenticated address before the intended recipient sees it, and about how to keep people such as political dissidents anonymous in the new system.

Meanwhile, Wong has said his role as an evangelist for e-mail authentication has given him "a new appreciation for politicians and politics."

"At some point I had to stop being a programmer and turn into a politician," Wong said. "I can only imagine what it's like for politicians to try to do something that not everybody wants to do."

© 2005 The Washington Post Company