Bona Fide

I received an email from Santa.

It was probably my sophomore year in college, though it might have been a year earlier or later. There was the address in the sender field: SANTA@NPOLE.COM. I don’t remember anything else about the message, but the sender was curious. I had never seen a spoofed email before. This was still years before we started using the word “spam” to refer to unwanted email. I did a little digging, and realized that it was possible — trivial even — to send email from anybody. All you had to do was change the headers in the message.

At the time, email still relied heavily on the postal service metaphor. It’s like regular mail, except that it’s electronic. You can send a letter to someone else, but instead of taking days to get there, it takes seconds. It was amazing. It’s still amazing.

When you receive a letter in your mailbox, how do you know who it’s from? You look in the upper-left corner, and see the return address. But that relies on the sender telling you who they are. Technically, I could send a letter with any return address, and it would still be delivered. Sure, there are some laws that prohibit impersonation of government agencies, and mail fraud is a serious crime (at least in the U.S.). But there’s little to prevent faking a return address. Following the same principles, electronic mail used the same system. The sender tells the recipient who they are, and the recipient has no reason to not believe them.

The difference is that postal mail is expensive, and email is not. It costs 60 cents to send a letter, and 0 cents to send an email. Multiplying that cost by a thousand or a million makes email a very affordable communication tool. The tech industry recognized this as a problem, and eventually implemented measures to alleviate it. Technologies like SPF, DKIM, and DMARC allow recipients of email to verify where the message is coming from. The solutions are technical and complicated, but they work (or they would work, if everybody would use them). These days, if you receive a message from me, either it’s actually from me or your email program should warn you not to trust it. It took a long time, but we mostly solved the problem.

A decade after that email from Santa, I was working with a telecommunications provider on a new phone system for my school. “Here’s where you enter the caller ID,” the trainer said.

“What do you mean by that?”

“When someone gets a call from you, what do you want the caller ID to say? Put that number here.”

I couldn’t believe it was that easy. I could put in whatever number I wanted, and all outgoing calls would appear to originate from that number. I was appalled. That was twenty years ago.

Two weeks ago, we received a bomb threat at one of our elementary schools. That’s not unusual. There have been more than 200 false bomb threats called in to American schools so far this year. In our case, it meant evacuating the building, implementing our reunification plan, significant disruption for our schools, families, and law enforcement, and yet another thing that our students shouldn’t need to worry about. No one was in real danger. There was no bomb. But we have to take these reports seriously.

I don’t know anything about the investigation, and if I did, I wouldn’t be able to share it here. But I do know this: we don’t have a comprehensive system for verifying caller ID. There are efforts to solve this, but the telecommunications companies have been dragging their feet on it for years. As it turns out, there’s a lot of money to be made in spoofing caller ID. If you really knew who was calling you all the time, you’d be much less likely to pick up the phone when it rings. The telemarketers don’t like that. And you know what they buy a LOT of? Phone service.

We’ve reached the point where we can’t take people’s word for it anymore. When you visit a web site, you look for the little lock or key that tells you that you’re actually visiting the site you think you’re visiting. And really, most of the time you don’t even NEED to look for that anymore, because your browser will tell you if you’re on an insecure site. It’s time for the phone industry to get serious about this too.