Spam and Telemarketing

Scott E. Fahlman


This web page contains some additional information and discussion related to my paper “Selling interrupt rights: A way to control unwanted e-mail and telephone calls”, published in the Technical Forum section of IBM Systems Journal, Volume 41, Number 4, 2002, pages 759-766.  The online version of the paper is here.

This page contains details and special cases that were not included in the paper, either for reasons of space or to avoid overwhelming casual readers.  If you are interested in this topic, I suggest you go read the paper before trying to make sense of the material collected here.

I have organized this material in the form of a FAQ (“Frequently Asked Questions”) list.


Precedents and Related Work

What is original in this paper?

Most of the ideas described in this paper – “E-stamps”, optional collection of a fee, a third-party token-agent, an “accept list” – have been floating around the Internet community in various combinations for some time.  Brad Templeton’s web-site, cited in my paper, mentions several of these elements.  I developed my scheme independently, and only discovered Templeton’s site later, but it appears that his site pre-dates my first write-up of these ideas. There is also the Sundsted patent, discussed below.

However, until now, these ideas have not been widely adopted, nor do they figure prominently in public discussions of how to control spam and telemarketing.

My contribution in this paper is to describe a specific combination of these elements that (I claim) has several desirable properties:

An additional contribution of the paper is to suggest that the same token-based approach can be used to limit both E-mail spam and unwanted telephone calls.  While others have suggested similar ideas in the E-mail world, I haven’t seen anything like this in discussions about how to combat aggressive telemarketing.

If I can popularize this kind of approach and help to move the anti-spam debate away from its current focus on legislation and message filters, that will be an accomplishment.  If this scheme is widely adopted, that would be a great accomplishment.

What about the Sundsted patent?

After my IBM Systems Journal paper was in press, I learned about the existence of U. S. patent 5,999,967, issued December 7, 1999 to Todd Sundsted.  (For some reason, this patent had not turned up in my earlier keyword-based searches of the USPTO patent database.)  You can view the Sundsted patent by going to the USPTO site and putting the patent number into the search window.

Sundsted’s patent covers the general idea of using an electronic stamp on E-mail.  The electronic stamp – a pattern of bits attached to the message – costs the sender some amount of money.  The recipient (or the recipient’s mail software) can examine the value of the stamp and, based on that, decide whether to read the message.

The patent also describes the possibility that the recipient of the message may actually collect the face value of the stamp from the sender. The receiver would have to bill the sender for the agreed amount if he accepts the electronic mail – not a very practical system.  Alternatively, some third party (a “bank”) could sell a stamp to the sender.  The recipient of the message could then return the stamp to the bank and receive compensation.

Clearly, some elements of the anti-spam system described in my paper are similar, in a general way, to ideas described in this patent.  My scheme adds some additional elements, such as the ability of the recipient to issue free tokens in cases where that is appropriate.   Note that the claims of the Sundsted patent refer only to E-mail, not to the use of E-stamps or tokens in controlling unwanted telephone calls.

An important question is whether a company implementing the token-based scheme I described for E-mail would infringe the Sundsted patent, and would therefore have to obtain a license.   I am not a patent expert, and I cannot predict how the courts would view this.  There are two key questions:


Business and Social Issues

Would phone companies actually implement this scheme?  Don’t telemarketing calls generate significant revenues for them?

I don’t know how much income the phone companies actually make from telemarketing calls, once we subtract the costs associated with handling such calls.  Right now, it appears that they make money from both sides: they lease high-capacity lines and auto-dialing equipment to telemarketers, and then they charge their customers for access to various weak call-blocking schemes.

But however much the phone companies may profit from the current situation, it is generally bad business to continue a practice that infuriates the vast majority of your customers.  Phone companies with a local monopoly may not immediately embrace any new scheme for controlling telemarketers, especially if that scheme actually works. But as soon as there is competition in a given market, one of the companies (probably the hungriest one) is likely to offer token-based call filtering.  And then the other companies will be at a disadvantage unless they do likewise.

Such competition now exists in the cell-phone market in most parts of the U.S., and (we are told) it is coming soon to land-line phone service in most areas.  Also, cell phones are increasingly being used by customers as their primary phones, so the cell-phone companies are beginning to compete directly with the traditional local-phone monopolies.

Even in a monopoly situation, a phone company may choose to offer this service in order to keep its customers happy – and to avoid having some solution imposed on them by state or federal regulators.

Since individual customers can adopt the token-based filtering scheme on their own, without the phone company’s cooperation, the companies may decide to offer this service (and collect some revenue from it) before their customers take matters into their own hands. So the possibility that individual customers could implement this scheme on their own probably ensures that they won’t have to do this.

Don’t phone companies already offer a service to block telemarketing calls?

In addition to unlisted numbers, there are currently three anti-telemarketing services that are commonly offered by phone companies.  Usually a local phone company will only offer one of these services.

·        A service that blocks all calls except those from users on an accept-list.  Usually the list is limited to 10-12 entries, and the service typically costs $2.50 per month.  This is not useful for people with complicated lives who get legitimate calls from many different sources.

·        A service that intercepts non-caller-ID calls and asks the caller to state his name.  Then the recipient’s phone rings, and he can decide whether to answer.  This normally costs about $4 per month.  The problem is that as long as the caller is willing to give some name, your phone is going to ring.  But it apparently does trip up the current generation of auto-dialers.

·        A service like the one above, but that forwards your call to voice mail if you don’t accept the call.  This typically costs about $10 per month, bundled with voice-mail and a package of other services.

If I implement this scheme, asking callers and correspondents for money, won’t people think I’m greedy or perhaps trying to rip them off?

If you’re worried about this, you could arrange for your token agent to donate all collected fees to some worthy charity, and to inform callers of this.  If you want to reduce spam, the important thing is to make the spammers pay when they bother you.  Actually receiving the fees they pay may be less important to some users.

How would senders/callers actually pay for an interrupt token?

As mentioned in the paper, the fee could just be added you the caller’s phone bill if the telephone companies decide to help implement this scheme.

An independent token agent could accept standard credit cards (Visa, MasterCard…)That would probably be the most popular payment option in the near term, since almost everyone has access to some credit or debit card.  Another option would be to pay via some online payment system such as PayPal. 

If this token-based system becomes widely used, and if there are only one or two large token agents, callers may keep a pre-paid balance with each token agent, paid for with a check or with cash.  A $10 balance might last a long time, since non-spammers would seldom have their tokens redeemed.

Token agents could band together and issue pre-paid cards, similar to the cards many people now use for long-distance calling.  Perhaps the same cards could be used for both long-distance and for buying tokens.  These could be sold online or in stores.

At present, credit-card transactions over the phone or on the internet (that is, transactions where no physical signature exists) can easily be repudiated by customers.  The customer merely has to claim that he never made the charge.  The burden of proof then falls on the merchant to prove otherwise, and that can be more trouble than it is worth for small transactions.  This is a large and growing problem for online merchants, and could be a problem for token agents as well: a spammer could use a credit card to purchase a few thousand tokens, send out the spam messages, and then repudiate the charges.  Fortunately, both Visa and MasterCard have developed new verification schemes for online purchases that will make it much harder for a validated customer to repudiate a charge.  These new systems are supposed to be in widespread use by mid-2003.

Suppose some stranger wants to contact you to do you a favor of some kind.   Perhaps your car is about to be towed.  Perhaps the stranger has read something you have published and has a suggestion.  If you ask this good Samaritan to pay for the privilege of contacting you, he will probably just give up.

This is a legitimate concern.  By creating a barrier high enough to discourage the spammers and telemarketers, you also run the risk of driving away some strangers whose messages would be welcome.  If these people really want to contact you, they will offer the token fee – the barrier is not very high, after all, and you’re unlikely to actually collect the fee. But if the sender is just doing you a favor, he might not bother.

So it’s a trade-off: you can eliminate most spam, and be paid for receiving the rest, but at the cost of scaring away some strangers whose messages might actually be welcome.  You can affect this tradeoff by setting you interrupt fee higher or lower, but you can’t make the barrier disappear completely.

The cost to uninvited strangers has three components:

·        Monetary cost.  Even if you set your fee at $1 or more, this is probably not a big deterrent to well-meaning strangers if they understand that you probably will not collect the fee.  But if the sender doesn’t know you, he can never be sure, so your fee shouldn’t be higher than necessary.

·        Time and inconvenience.  Buying a token may eventually be as simple as pressing a key or two on your phone or clicking a button in your token-aware E-mail software.  But in the short term, the sender would have to visit the token-agent’s web site, enter a credit-card number, get a ten-digit token, and paste that token into his E-mail message or key it into his phone.  That’s a non-trivial inconvenience, especially the first time the sender has to do this.

·        Outrage. “How dare this guy ask me for money just to contact him?  What arrogance!”  If the caller’s first contact with this token scheme is a message on someone’s phone asking for money, the caller may indeed react with outrage.  But if we explain this scheme to the public in advertising, news reports, or whatever, callers will understand that this is part of a system used by many people to eliminate spam and telemarketing.  A caller may not choose to adopt this system for himself, but at least he will understand that it’s not just an arrogant or greedy act on the part of the person they are trying to contact.

All of these costs should come down as the system gains in popularity.  Better online payment schemes, with lower overhead, would make it possible to charge lower interrupt fees.  Buying a token would be much less hassle after the first time, especially if the purchaser has set up an account with a given token agent.  The outrage factor should vanish almost entirely once people become accustomed to the system.

Wouldn’t credit-card transaction costs force token agents to charge several dollars for a token?

Token agents would make most of their money from subscriber fees, but they must at least break even on the cost of selling a token.

Current Visa and Mastercard fees for online merchants are about 30 cents per transaction plus about 3% of the amount charged.  So if each interrupt fee is paid via an individual credit-card transactions, the minimum fee might be 50 cents, and almost all of that would go to overhead costs, not to the recipient of the message.  If the fee were $1, the recipient would get about half of it.  (If the token is not redeemed by the message recipient, the credit card would never actually be charged, so this overhead cost would not be incurred.)

If overhead costs were not an issue, some users might prefer to set their interrupt fees at only a few cents.  But until some electronic payment scheme with much lower overhead becomes popular, this will not be possible.

It would be possible for a token agent to sell ten-cent token credits, but to require customers to buy at least $1 worth of these at a time.  The customer could then send a message using some number of these credits, and the rest would be kept in the customer’s account for later use.  This still creates a higher-than-optimal barrier for first-time customers, but subsequent transactions would be easy until the account is empty.


Can I really ask everyone who calls me to give their credit-card information to some token agent they don’t know?  That seems a lot to ask.

Several points should be kept in mind:

Will the token agents’ subscriber fees be reasonable?  Phone companies now charge high monthly fees for unlisted numbers and other anti-telemarketing services.

In situations where some competition exists, market forces will drive the cost of this token-based service to some reasonable level – a function of the inherent cost of providing the service and to the number of people using the service.  If this token-based filtering becomes very popular, the monthly fee for token-agent service should be just a few dollars a month.

If the phone company serves as your token agent, the token-based call filtering would probably be bundled with a number of other services, sold as a “deluxe package” for an attractive monthly rate.  We already see such packages being offered in the cell-phone world, where competition is fierce.  Cell-phone plans emphasize both price and features – walkie-talkie, charging by the second, calling circles, and so on. Traditional phone companies are beginning to offer similar packages.  An effective way to block telemarketers would be a very attractive feature in any such plan.

How important is standardization?

There must be some agreed-upon signaling conventions between a user’s token-aware phone set or E-mail software and the token agent he uses.

If there are multiple incompatible systems, all implementing the same general scheme but differing in details, that would not be fatal, but it would create confusion and perhaps slow the growth of this market.  The situation is similar to what we see at present in the instant-messaging world, with several systems that are incompatible and proprietary.  This unfortunate situation has probably slowed the growth of instant messaging, but certainly has not stopped it.

So it would be very useful for all the parties involved to work together to create some open standards for such signaling.  Some standardization of the user interface would also be beneficial for customers.

Who will pay for the deployment of this system?

That’s the beauty of it: there’s no need for a huge up-front investment.

Some company has to take the risk of producing token-aware phone sets, but this is a relatively minor redesign of existing phones – mostly a change in the phone’s software.  This is an opportunity to make some money.  Each customer pays when he buys one of the new phone sets.

For E-mail, some company has to take the risk of creating token-aware mail software.  Again, this is an opportunity to make some money from people who buy the software.

Some company has to set up a token-agent service, but this is paid for by monthly subscriber fees and by taking a cut of any token fees that actually change hands.

If the whole system is implemented by phone companies, there is an up-front investment for them, but it’s not a huge change for a system that already supports services such as voice-mail, caller ID, and call-waiting.  The phone company would make back its investment by charging a monthly fee for this service, or by using it to gain an advantage over competitors – or to catch up with them.

Some people object in principle to paying anything to eliminate intrusions due to spam and telemarketing.  Why should people have to pay for peace and quiet?  But if the cost is relatively low and the system actually works, I think that these objections will eventually fade away.  I don’t like having to buy locks for my doors either, but I do it.  It’s an imperfect world.

If this system is implemented at the phone company, aren’t there privacy issues?  I don’t want them telling others who is on my accept list.

Well, if the phone company decides to invade your privacy, they can do worse things than telling others who is on your accept list.  They could keep track of every call you make and even tap the calls.  That’s illegal without a court order, and giving away your caller-permission information should be as well.  The token vendors should also be required to keep your information private.  We may need some legislation to extend existing privacy protections to these new domains.


Technical Issues (Telephone)

What if I pick up my phone to make a call while it is busy negotiating with an incoming caller?

No big deal.  Instead of hearing a dial tone, you hear a bit of the negotiation between the phone and the caller.  Just hang up and try again in 30 seconds.  A token-aware phone could have a little light on it to tell you when it is busy.

Will this scheme work with caller ID?

You need caller ID service in order to use the “accept list” part of the scheme.  There’s no reason why this smart phone could not remember the caller’s number (if it is supplied) and display it later, when the phone actually rings.  If you like, the ID could be used to choose a distinctive ring for certain callers on your accept list.

Will this scheme work with call-waiting?

In call-waiting, if you are talking to someone and a second call (perhaps from a telemarketer) arrives, you hear an audio tone.  You may then choose to put the current caller on hold while you talk to the second one.  This signaling and switching is implemented at the phone company, not in your own equipment, so there is no need for a second phone line.

If token-based filtering is implemented at the phone company, it would be possible for the negotiation about tokens to take place while you are talking to someone else.  If the system decides that the second caller is allowed to “make your phone ring”, you would then hear the call-waiting tone and could handle that as you do now – switch to the new call or ignore it.  If you never switch to the new call, you would not be able to collect the interrupt fee.

If the blocking is implemented in your own phone set,  the situation is not so attractive.  Assuming you have only one phone line, you cannot continue the old call while your phone set negotiates with the new caller.  So, unless you disable call-waiting, the new caller would hear a “ring” tone until you either switch to the new call or the caller gives up.  You can either ignore the call-waiting signal, or switch to the new caller. This might be a telemarketer who just got through without the usual screening.  At least, in this case, you can dump the new caller quickly and get back to your original call.  Since you were already talking on the phone, it probably was less of an interruption than if you were doing something else – sleeping, perhaps.

Will this scheme work with an answering machine or voice mail?

This should work with an answering machine.  The answering-machine functionality could easily be built into the token-aware phone set.  If the call is put through, one way or another, but you don’t answer the phone, the caller ends up talking to your voice-mail instead.  If the caller supplied a token, the call recipient can still collect his when he finally hears the message, as long as not too much time has elapsed since the call was received.  (After some amount of time – 24 hours? – an unredeemed purchased token would expire.)

It is perhaps a bit unfair to charge the caller if he only reached your machine and not you, but the caller still has placed a demand on your attention.  Perhaps the caller should only be charged some fraction of the token’s value if he only was able to leave a message.  But if the caller is a telemarketer, I would collect the fee in any case.

It wouldn’t work for voice mail to be implemented at the phone company and for the token-based filtering to be in your home phone set.  The voice-mail system would see that someone (or something) has answered the phone and would never store a message.  But it seems unlikely that anyone would want to split things up in this odd way.

What if I have several extension phones in my home?

There are several cases:

My dentist uses an old database (or electronic organizer) for all his phone contacts.  I can give him a multiple-use token but where will he store it?

Most current software that stores phone numbers will allow the user to store multiple numbers for each person: home, work, mobile, fax…  One reason I chose 10 digits as the length for a token is that it will fit into one of these “extra phone number” slots (for U.S. phone numbers, anyway).  So this number should fit into one of the fields in your dentist’s DB.

If your dentist’s DB can’t handle multiple phone numbers per person, storing tokens is the least of his problems – time for him to upgrade!  Ironically, really old-fashioned people who store their contact information on paper or index cards should have no problem finding a bit of space to add the token.

Remember that you can always put the dentist on your accept list, and then he won’t need a token.  Tokens are only really necessary for people who block caller ID or who don’t always call you from the same phone.  Or you could just promise your dentist that if he authorizes an interrupt fee, you won’t collect it – if you double-cross him, he’s the one holding the drill…


Technical Issues (E-Mail)

I use Microsoft Outlook and don’t want to change my mail software.  What if Microsoft doesn’t offer a version of Outlook that includes this token-based spam-blocking scheme?

An independent software vendor could package this spam-blocking technology as a proxy mail-server.  You tell your favorite E-mail client (Outlook or whatever) that this proxy is the server where it should obtain your E-mail.  The proxy, in turn, accesses the real POP3 or IMAP server where your mail actually lives.  All the filtering takes place in the proxy, and only “approved” messages get through to your mail client.  The advantage to the vendor is that this proxy software would work with just about any E-mail client.  (Thanks to Shumeet Baluja for suggesting this.)  Of course, it’s simpler for users if the makers of popular E-mail clients do include the token-based technology.

What if the spammers can guess some name on my “accept list” and create a message that appears to come from that address?

Well, it certainly is extra work for the spammer, but it could happen.  In this case, assuming your friend doesn’t want to change his E-mail address, you would have to take him off your accept list and give him a multiple-use token instead.  We can hope that by the time this problem becomes widespread (if it ever does), all our correspondents will have token aware mail software that fills in the token field without extra work on the sender’s part.

We may soon find that most E-mail is sent using a digital signature scheme so that it is impossible (or at least extremely difficult) to forge the sender’s signature.

This might also be an area where legislation could do some good.  It is probably easier to pass a clean, enforceable law prohibiting the forgery of electronic signatures than it is to pass a law defining what is an is not illegal spam.

A ten-digit token is not very secure.  With enough effort, the spammers could crack this.

It’s true that a ten-digit code is not very secure, especially since hundreds or thousands of the ten billion codes might be “live” tokens for a given recipient.  But even if the spammers do somehow guess a valid token code, it’s no big deal.  They can’t delete all your files or steal your credit-card number.  The only consequence is that you get one or two unwanted messages and then have to rescind that token.

If I give your E-mail address to a friend, must I also give him the token I use?  Will that token work for him?

In general, a valid multiple-use token will work for anyone who gets hold of it.  We could also implement a class of tokens that is tied to a given E-mail sender or phone number, but this type of token wouldn’t be useful for senders who move from one account (or phone number) to another.

You probably should not give your friend a copy of the token you use for sending messages to me.  If that token becomes compromised, you will face the (minor) hassle of contacting me and getting a new token.

It is probably better for you to contact me and ask me to send your friend a token of his own.  Or just tell your friend that I’m a reasonable person and if he contacts me, saying you sent him, I’m not going to collect the fee.  Unless he becomes a persistent pest…


More Acknowledgments

In addition to the people mentioned in the published version of the paper, I would like to thank Brad Templeton for providing much useful feedback on these ideas, even though he is now generally opposed to “E-stamp” schemes.


Additional References

Aspects of the Problem

Anti-Spam and Anti-Telemarketing Sites


Other Proposed Solutions