What if answering a CAPTCHA were required to send an email? (A CAPTCHA is one of those pesky things on web forms that require you to type the text displayed in an intentionally distorted image in order to make sure that you are a human, rather than a bot abusing the website.)
If CAPTCHAs were 100% accurate in distinguishing humans from computers, then spam would pretty much cease to exist. (It’s possible to harvest CAPTCHA responses from real people by operating a website that “tricks” users into answering a CAPTCHA, but, as mentioned in the above link, they aren’t very effective.) The researchers behind reCAPTCHA, probably the most popular CAPTCHA program on the Internet with over 400,000 sites using it, appear confident that no computer program can break it, unless the program resorts to randomly guessing words. Since there are 100,000 words in the reCAPTCHA database, the probability of fooling reCAPTCHA is around 1/100,000. (Other CAPTCHA systems based on randomly generated characters are not so reliable, with attacks sometimes 90% successful, according to the reCAPTCHA paper.) Since spam accounts for around 94% of all email, requiring CAPTCHAs to send email would reduce spam to around .000094% of total email (or from 100 billion spams per day to a mere 100,000 spams per day).
There are two problems with this approach. One is solvable, the other is probably not. The first is a technical problem: the way computers send email would have to be changed. But this is not really that hard: in 2007 two researchers published a paper on how to do this (using the SMTP auth mechanism, so it’s not really even a different protocol). The bandwidth savings would not be equivalent to the volume of spam, because every legitimate email would also require sending a CAPTCHA image (or audio file), plus some for failed attempts (only ~5% for reCAPTCHA), but given that bandwidth-lean plain-text email has gone the way of the dodo, this isn’t a real problem either.
The real problem is that commercial (non-spam) email could not be sent. Mass mailings from political candidates and retailers, or your order confirmation from Amazon.com, could not be sent through email. I think this actually would be a good thing, which I will explain in more detail in another post, but it’s not going to happen unless the Internet is redesigned. CAPTCHAs could still play a role in sorting inboxes into “human” and “computer” email (there might be some benefit to productivity there), but their value as an anti-spam tool would be demoted from panacea to, say, a marginally more accurate SPF or DomainKeys. This could be circumvented with extensive whitelisting (required to some extent already, especially for AOL users), but it would require users to approve senders before receiving email from them without a CAPTCHA, rather than leaving that responsibility primarily to ISPs.
Such an approval system would be complicated and in all likelihood require more time than managing spam does today, at least in the early stages of adoption (which would, of course, kill it)… unless it takes advantage of the approval networks which already exist in social networking sites. The possibilities here are endless, and too much to survey in the remainder of this post (a bad pun which should illustrate that postal metaphors for email are misguided). The crucial point, however, is that email is broken; it isn’t supposed to be a drop-box for arbitrary bytes but an effective communication system, a role which social networking is rapidly usurping.