Two-Factor Authentication and Gmail Sign-Ups

Two apparently-related news stories from the week:

Gmail is now, for the first time, open to anyone in the U.S. for account signups, even if the person who wants an account doesn’t know anyone, and can’t find anyone, to give them an invitation. The one restriction is that the account applicant has to have a U.S. cell phone number, and give that number to Google during the sign-up process. Google uses the number to authenticate the applicant by asking them to enter a special code sent to the phone as a text message. Since spammers create thousands of accounts to avoid detection, and each phone number can only be used to create a few accounts, a mobile phone requirement will make mass account creation, and thus spamming from Gmail, much more difficult.

I had the same initial reaction as many other people when I read about this — namely, that Google, by asking for something as private as my cell phone number, was now just a few tented fingers away from the evil of C. Montgomery Burns. I’m sure there will be a good number of people who walk away on that reaction and don’t come back.

(Based on my own experiments with text messaging, I suspect there are also plenty of people who will assume that their phones can’t get such messages, even though they can. The WSJ reports, however, that the U.S. is figuring out text messaging to the tune of US$2.5 billion in 2004, so apparently this is a declining problem.)

Looking at it more closely, though, I think the Gmail team has done as good a job as they can to implement this in a reasonable way. If you look at the sign-up page that asks for your phone number, you’ll see that you can select whether or not you want them to use your number for future Gmail features, like text message alerts. Google will still save your number for the purposes of ensuring it isn’t used to create too many accounts, but they make a reasonable promise to use it only for that if you indicate that preference.
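To make the mechanism concrete, here is an added sketch (not Google's code) of a sign-up check that texts a one-time code and caps accounts per phone number. The cap of 3, the expiry, the attempt limit, the `send_sms` callback, and the choice to store only a keyed hash of the number are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_ACCOUNTS_PER_NUMBER = 3  # assumed; the article only says "a few"
CODE_TTL_SECONDS = 600       # assumed code lifetime
MAX_ATTEMPTS = 5             # assumed guess limit per issued code


class PhoneVerifiedSignup:
    """In-memory sketch; a real service would use a database and an SMS gateway."""

    def __init__(self, pepper, send_sms, now=time.time):
        self._pepper = pepper      # server-side secret used to hash numbers
        self._send_sms = send_sms  # hypothetical callback(phone, code)
        self._now = now
        self._pending = {}   # phone key -> [code, expires_at, attempts_left]
        self._accounts = {}  # phone key -> accounts created so far

    def _key(self, phone):
        # Keep a keyed hash of the digits: enough to count, not enough to text.
        digits = "".join(ch for ch in phone if ch.isdigit())
        return hmac.new(self._pepper, digits.encode(), hashlib.sha256).hexdigest()

    def request_code(self, phone):
        key = self._key(phone)
        if self._accounts.get(key, 0) >= MAX_ACCOUNTS_PER_NUMBER:
            return False  # this number has already used up its quota
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[key] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, code)
        return True

    def confirm(self, phone, submitted):
        key = self._key(phone)
        entry = self._pending.get(key)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[key]  # expired or guessed too often
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] -= 1
            return False
        del self._pending[key]  # codes are single use
        self._accounts[key] = self._accounts.get(key, 0) + 1
        return True
```

The attempt limit matters as much as the cap: without it, a six-digit code can be guessed by a script in at most a million tries.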

But why ask for your phone number at all? Well, read the second article, which talks about how to defeat the most common test, known as CAPTCHA, used to prevent spam account creation. Given that CAPTCHAs are failing, what we’re seeing is the next step in the arms race. While the Gmail signup also uses a CAPTCHA test, it verifies that test with a secondary test (originally an invite process, which requires you to have an existing email address, and now the phone number alternative). This idea, of using your cell phone as a second factor to confirm your identity, isn’t a new one — Bruce Schneier pointed to a New Zealand bank using the same idea last year, and a long and interesting discussion of the technique followed in the comments on his post. I think it’s a good idea, and one that will see a lot more adoption very soon.

Of course, the more sites use this technique, the more sites will have your cell phone number, and the ability to send text message spam to it. The dollar cost of spam for the recipient is much higher for text messages than email, if your cell provider charges you by message (and that US$2.5 billion figure suggests that they do, and will). Maybe using two-factor authentication through text messages will allow Google to stem spam coming from Gmail, but the overall spam problem may just get worse if the same technique allows other sites to build text-message-capable cell phone number databases. The arms race will, of course, continue.

It probably comes down to this: do you trust that Google (the corporation, not any particular founder or employee) will live up to its “Don’t be evil” promise? If presented with the same type of sign-up form at another site, would you trust that site? What’s the second factor you can use to verify your trust?

UPDATE: In the comments, Ben Bennett points out some good reasons for suspicion of the PWNtcha link. There are, though, other reports of attacks on CAPTCHA systems — for instance, see Greg Mori and Jitendra Malik’s work, “Breaking a Visual CAPTCHA.”