Monthly archives for April, 2006

Tivo and Meepio

Apr 18, 2006
Written by Craig

So I’m reading my daily stories, and I see these items:

  • Barron’s: TiVo ripe for buyout?
  • Yahoo! Buys Out Meedio

And I’m thinking:

I called another one!

Posted in General

Goodmail/AOL and the CA state senate

Apr 04, 2006
Written by Craig

I testified today in front of a subcommittee of the California State Senate (actually, basically just Senator Florez); I basically discussed the technology underpinnings of email, how messages are delivered etc. My brief was “explain it at an elementary school level”, which I think I accomplished fairly well. I then hung around for the rest of the testimony from other folks, including AOL/Goodmail.

One thing I had encouraged the Senator to ask them about was what sort of liability the two companies believed they might have in cases where illegitimate mail was “certified” by the companies, resulting in damage to an AOL user who relied on that stamp of trust. Amazingly, on the record, both companies emphatically stated that they would be fully liable in such a case. I was utterly amazed. The potential liability is enormous, and goes some good way towards possibly explaining why Goodmail charges such seemingly high rates for its stamps — Goodmail’s CEO said in testimony that the price sheet ranges from 1 cent per email at low volumes for commercial senders to 0.25 cents per email at high volume (over 1,000,000 stamps per month) to 1/25 cent per email for 501(c)(3) and 501(c)(4) not-for-profits. eBay apparently sends somewhere on order of 1 billion emails per month, so a Goodmail stamp deal there at list price would generate somewhere on the order of 250 million in revenue per month for Goodmail. Now, I would expect eBay is capable of bargaining themselves a discount. There aren’t any particularly good data on the financial scale of damages due to individual phishing attacks or virus outbreaks (if there are, I haven’t seen them anyway), but picture that a Goodmail stampee is somehow compromised, and a certified message is sent out which is either a phish, or is perhaps infected with a virus. That email arrives in AOL users’ inboxes with a “Certified utterly reliably good” stamp on it, and the user opens the mail, and hands over their entire life savings. Times a few hundred thousand AOL users. Now all of a sudden, $250MM per month isn’t looking like all that much revenue any more.

And of course that assumes that the spammers/phishers/virus-infectors will even bother compromising a valid Goodmail sender. If AOL continues to provide its “enhanced” whitelist which allows senders with historic patterns of good behavior to be able to include embedded images and links, then I can easily foresee spammers/phishers gaming that system to earn “enhanced whitelist” status, and then embedding the Goodmail “CertifiedEmail” logo in the message body of a bogus email. I can tell you right now with no specific user testing on this, that a huge percentage of users wouldn’t notice that the “CertifiedEmail” stamp is in the message body, and not in a special area of the message display UI that the AOL client uses for valid use of that logo. Now in this situation, where Goodmail hasn’t actually certified the email, but it appears to AOL users that the email is indeed certified by AOL/Goodmail, and they lose their life savings, is AOL liable? Remember that AOL granted “enhanced whitelist” status to this sender. And remember that they were adamant in hearings in the CA Senate that they were liable.

Aside: Does anyone know if Goodmail’s message-hash-in-an-x-header system actually works in the face of the usual 2822 munging that goes on in the real world, or does it suffer from the same issues that DKIM seems to not have yet been able to solve, in that munging breaks the message hash? And if it does suffer from hash-breaking in some cases, then do you get a refund for those stamps which end up being useless?
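The hash-breaking problem raised in the aside, as an added example that is not part of the original post: Goodmail's header format is not described here, so the sketch uses DKIM's two body canonicalizations (RFC 6376 "simple" and "relaxed") to show which kinds of in-transit munging a body hash survives. The sample messages are constructed.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple': only trailing empty lines are ignored."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed': collapse whitespace runs, strip line-end
    whitespace, ignore trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in a signature header."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def survives(sent: bytes, received: bytes) -> dict:
    """Does the hash computed by the sender still match at the receiver?"""
    return {
        name: body_hash(sent, fn) == body_hash(received, fn)
        for name, fn in (("simple", canon_simple), ("relaxed", canon_relaxed))
    }


# Constructed sample data: one original body and two munged copies.
ORIGINAL = b"Dear customer,\r\nYour invoice  is attached.\r\n"
# A relay pads a line, collapses a double space and appends blank lines.
WHITESPACE_MUNGED = b"Dear customer,   \r\nYour invoice is attached.\r\n\r\n\r\n"
# A mailing list appends a footer: the content itself has changed.
FOOTER_ADDED = ORIGINAL + b"-- \r\nlist footer\r\n"

if __name__ == "__main__":
    print("whitespace munging:", survives(ORIGINAL, WHITESPACE_MUNGED))
    print("footer appended:   ", survives(ORIGINAL, FOOTER_ADDED))
```

Whitespace-only changes can be absorbed by canonicalization; any rewrite that changes content (footers, re-encoding, MIME restructuring) invalidates the hash under either mode.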

Posted in Spam
