A mission to stop the spam army

With America braced for a weekend of computer mayhem, Clayton Hirst meets Bill Gates's commander-in-chief in the battle against junk emails

But the flurry of unwanted spam emails that will be delivered to unsuspecting computer users will contain more than just advertisements for drugs to enlarge male body parts and pornographic websites. Spam is increasingly being used by criminals to trick computer users into handing over their personal details.

Many of the spam attacks are carried out over software developed by Microsoft, whether its pervasive Windows operating system or its free Hotmail email service. The man in charge of fighting this ever-growing tide is Peter Cullen. The former Royal Bank of Canada executive is the head of privacy at Microsoft. His job description is simple, but the scale of the task is huge.

Speaking at last year's World Economic Forum in Davos, Microsoft's founder, Bill Gates, famously declared that spam would be history by 2006. Two years on and this statement is almost laughable.

Some 65 per cent of all emails sent over the internet are spam, and Cullen refuses to put a date on when this 21st-century nuisance will be eliminated. "Oh boy, that's a difficult one," he says. "We hope to get to a point where life will become so difficult for spammers they just won't bother."

Microsoft is doing its bit in two ways. First, it is hunting down spammers and then passing their details to the law enforcement agencies. Recently it handled a case where hundreds of spam emails were mailed from a computer in Idaho owned by a 71-year-old man. The spam was sent via an internet service provider in Austria, which was routed back to a company in the US. The offender was eventually tracked down and identified as a 21-year-old who was borrowing his father's computer. He is now being questioned by the FBI.

That case highlights just how easy it is to spam. "If you are a criminal then you have a choice. You can put on a balaclava and go and rob a bank, or you can sit at home in front of a computer," says Cullen.

The tools of the spammers' trade are not difficult to come by. Cullen says that a "bot farm" - a collection of around 1,000 home computers that have been hijacked by a hacker - can be hired for as little as $29.95 (£17) a day to send out the nuisance emails.

But as well as hunting down the criminals, Microsoft is attempting to make spammers' lives more difficult. For example, it has developed software that automatically blocks spam emails; made it difficult for people to create multiple Hotmail accounts; and developed a system that can prove the identity of a person sending an email.

"We see the internet as a battlefield. We look for all the possible vulnerable points and figure out ways of closing them off," says Cullen.

Microsoft has, however, had to face criticism that it has failed to do enough to address security threats on the internet. In 2003, the software giant was forced to agree to changes to its online authentication system, Passport. This allowed users to access affiliated websites without having to continuously re-enter passwords and personal details. But the system fell foul of the European Commission, which claimed that it broke data protection laws. The US Federal Trade Commission also accused Microsoft of exaggerating Passport's security and privacy features and threatened to fine the company $2,200bn (£1,300bn) over the matter. Even Bill Gates might find that amount taxes his wallet.

Cullen, who joined Microsoft in July 2003, admits that Microsoft's Passport strategy was a mistake. "Passport was a big learning experience for us. We learnt that no single company should be in a position to provide a single solution to identity management," he says.

In response to the growing consumer concern over privacy issues, new releases of Microsoft software are packed with features to safeguard the user's identity. For example, the next, much-hyped version of the Windows operating system - dubbed Longhorn - will have Cullen's stamp all over it.

"Longhorn will have a strict set of standards. The amount of information it collects and sends back to Microsoft will be minimal," says Cullen. "We have worked hard to make sure that it is 'discoverable' - that the information is sent back to Microsoft only with the user's consent."

Details of Longhorn, which is due to be released next year and will take on Apple's acclaimed Tiger operating system, are still under wraps. But Cullen reveals that it will contain a number of new security features. "One will be Windows Secure Startup," he says. "Studies have shown that the life expectancy of a new PC that is not protected by security patches and antivirus updates is 20 minutes before getting taken over [by a hacker].

"With Secure Startup, when the PC is turned on the first time, it will let the user go only to certain secure designated sites. This is a way of hardening the computer's perimeter fence."

In the meantime, US computer users have to brace themselves for the weekend's "spam fest". Cullen's advice is not to open any suspicious-looking email. This might seem obvious, but if all computer users heeded the warning, then spam would quite literally be history tomorrow.