Is it Time for a Driver's License for the Information Superhighway?

Mark Minasi offers up an idea for an Internet user certification to help combat the spread of email viruses.

Mark Minasi

September 29, 2003


I don't know about you, but I'm tired of the SoBig.F worm and its variants. Several zillion mail servers have been sending me messages telling me that I sent them a virus--when of course I didn't. (And why haven't administrators shut off these now-pointless, Internet bandwidth-wasting messages?) Other mail servers keep telling me that they couldn't deliver some virus-carrying email message that, again, I didn't send.

The email overload isn't merely a matter of annoyance. In the past few months, SoBig variants have generated so much email traffic that they've affected the Internet's ability to move data around. And who's at fault?

This virus isn't like the MSBlaster worm; it doesn't exploit a hole in Microsoft Outlook or Outlook Express. Instead, it exploits the fact that some people--many people, sadly--are still opening email attachments without a care. That thought is absolutely stunning.

In the past few years, we've seen dozens of email-attachment viruses, from Melissa to Klez to Sircam. It's hard to believe that so many people are still completely clueless about attachments. So I'm proposing an "Internet user certification."

Email viruses would essentially go away if I could teach everyone with an email account a few simple things: I'd explain that sometimes bad people write special email attachments that can do bad things if opened, even without a single "Are you sure?" dialog box. I'd caution these users that opening the wrong attachment can start a chain reaction that can bring down a company's network or even the Internet. Therefore, everyone must examine attachments before opening them--and the best way to do that is by using antivirus software. But I'd caution them that antivirus software needs to know the characteristics of all current viruses, so everyone must periodically go to the antivirus vendor's Web site and download the latest virus information, called "pattern files." If these users received an attachment that they weren't expecting, I'd instruct them to contact the sender, if possible, and ask whether he or she meant to send that attachment. I'd add one final thought to instill that a responsible email user will have downloaded the latest pattern files and can scan the attachment for a virus before opening it.

I wrote that last paragraph to demonstrate that teaching users how not to spread email viruses is simple and would take less than 15 minutes. Then, to obtain a certificate, users would pay $10 and take a simple test that reviews their knowledge of safe attachment handling. After passing the test, each user would receive an email public/private key pair. (The $10 would help pay for running the certificate authority, or CA.)

After a sizeable population of people had their email training and were using their certificates in their email messages, we could start combating email viruses. We could set up our software to delete or reject messages that don't have a valid certificate from one of the recognized Internet certificate-issuing authorities. Less-picky folks could configure their servers to place the uncertified items in another folder, to be looked at later. I think most of the email-using world would have a certificate in fairly short order.

Then, when someone opens a virus-laden attachment and the virus sends out tons of virus-laden email containing his or her certificate, everyone would know who launched the virus. Perhaps that person would lose his or her certificate for a time or face tort lawsuits? Maybe we could even use these certificates to throttle spammers.

Let me close here by freely admitting that I haven't worked out all the details. In fact, when I first started talking to people about the concept of Internet user certification, I had my tongue just a bit in my cheek. However, I think the idea is worth considering, and I herewith offer it as a kind of open-source project. And yes, I know that in reality a worm wouldn't send out email with a certificate. But perhaps once certificates were widespread, we could think about email server software that works only with certified mail. Shoot the idea down or sketch it out; I look forward to your thoughts.
