My inbox has a fundamental flaw: every email is treated with the same level of “respect” or priority. It contains both forwarded urban legends, and highly critical information related to my banking and financial condition
The problem of phishing happens expressly because there’s no easy way for me to separate legitimate emails in my inbox from illegitimate ones.
My solution comes from a game I regularly play with magazines or catalogs. When I sign up, instead of giving them my first name, I use their company name. For example, when I signed up for a subscription to Wired magazine, I gave my first name as “Wired”. Now, when any mail comes to “Wired Skyberg”, I know exactly who sold their subscriber database.
Here’s my proposal for a solution:
- all email providers become OpenID or OAuth providers
- whenever a 3rd party is asking me for my email address, they must authenticate via my provider
- each sender receives a token which grants some type of access to my email account
- I, as a user, can manage these tokens in any way I choose, via my email provider
This allows me to control who is able to place emails in my inbox, or various other folders of my choosing. It may seem like a lot of overhead, but it would be devilishly easy to manage if done right. The nice part is that the “overhead” can be handled either in-the-moment or entirely in the background.
Here’s a use-case showing one possible scenario:
- I’d like to sign up for a new service, and they ask me for my email
- I give them my email address, and a short temporary PIN I’ve already assigned with my provider
- they do their reg flow, and send me an email, including my temp PIN in the email header or subject
- while scanning my incoming email, my provider recognizes this PIN, and places it in a “Requesting Authorization” folder
- next time I login to my email, I can review their auth request in a special folder
- by clicking a button, I automatically send an email back with a PIN for their use only
- they will need to include this PIN in their email header whenever they wish to contact me in the future
Both the temp PIN and personalized PIN can be stored and accessed via OpenID or OAuth, for complete hands-off use. The personalized PIN could also be a public key if I wanted incoming email encrypted. The temp PIN could also be shared semi-publically on social networking sites or other trusted sites. Multiple active temp PINs could show you exactly where the referral came from, and if that temp PIN had been compromised or abused somehow.
An advantage of this system is that I can stop all incoming spam without resorting to changing my email address for all legitimate users. Too much spam “requesting authorization”? Change your temp PIN and they all silently disappear.
What if a user I’d previously granted access to now is sending me spam? Just revoke their personal PIN and they won’t be able to bother you any more. The personal PIN also has the benefit of making priority filtering easy. Want all financial stuff kept in its own folder? Just tag all PINs given to financial institutions as “money”, and they’re automatically sorted and categorized.
While this system does have a slightly higher bar to entry than existing email, isn’t that what we all really want?
Questions, comments, offers to develop this solution, all highly encouraged!