You are viewing mengwong

Strategic Advice for Spammers

Nov. 8th, 2005 | 05:43 pm

I learned something in MBA school: as an industry matures, competition moves along five frontiers:

functionality (can we get the damn thing to work at all?)
reliability (will the damn thing please stop crashing?)
convenience (let's shrink it so I can take it with me.)
price (if it's a commodity, give me the cheapest)
fashion (indigo or graphite? hey, maybe key lime.)

Only after one frontier is crossed does a market focus on dimensions relevant to the next.

These frontiers are to innovation what supply and demand curves are to economics. They're fundamental. They're immutable. If you want to cross the chasm, you have to work with them. You can't work around them.

If you try to work around them, historians will look back on your work and sigh, "brilliant! but, sadly, ahead of his time."

As a spammer, you can exploit this. How?

I tried to fit "security" into those five phases. I tried to shoehorn it into "convenience", but that didn't work. I tried to say it was part of "reliability", but that wasn't really true.

The fact is that "security" is independent of the five-phase lifecycle. It's a function of when the criminals get involved. If criminals decide to exploit a technology as soon as it's born, then industry responds by deciding that security is an essential part of functionality. If criminals decide to exploit a technology when it's moved to the "price" frontier, sellers will differentiate accordingly. Better security will cost more, and worse security will cost less.

So my strategic advice to spammers and organized crime is as follows.

New media appear all the time: in the last decade we've seen a Cambrian explosion of email, websites, instant messaging, voice over IP, blogs. Goodness knows what's next.

When a new medium emerges, you're naturally going to want to exploit it. I hear online greeting cards are now being used to send phishes; that's clever. Well done.

But don't be greedy! You must have patience. You must wait, wait, wait. Wait until the medium has moved through the frontiers, until the industry is competing on price. They must be made to ignore security until it's too late.

Why?

Because protection from criminals costs money. If the entire industry has reached the point of commoditization, they simply aren't going to have the resources to defend themselves. Suppose it costs ten dollars per year per user to implement effective antispam. Suppose, in the absence of spam, an email service provider is now offering mailboxes at commodity prices -- at a dollar a month. Then spam happens. To defend itself, a provider has to double prices!

They'll be stuck between a rock and a hard place. If they price according to the new costs imposed by crime, they price themselves out of the market. If they don't, their customers remain vulnerable.

I'm writing from the joint MAAWG / APWG conference in Montréal. The biggest banks, brands, and ISPs in the world have taken over the hotel, along with the vendors who follow them the way remoras follow a shark. They're all struggling with spam, with phishing, with zombies.

ISPs are surprisingly under-resourced. ISPs aren't as innovative as they used to be. Ten years ago they could roll out a technology because some sysadmin stayed up all night and by 10am he had something that worked. Today, the consolidation phase is over, and now you have to get things championed by product managers, approved by vice presidents, run past legal, and promoted by your public relations and advertising divisions.

Criminal gangs don't have to worry about all that. They've got what the ISPs don't: agility.

Eventually the industry absorbs the protection segment, and the ecosystem equilibrates. It looks like a three-sided triangle: on one side there are users represented by ISPs. On the second, there are the criminal spammers, phishers, and virus gangs. On the third, the antispam and antivirus industry offers a wide variety of antispam and antiphishing products and services.

The spammers and antispammers pretty much split the take. After all, the money's in the medicine. If you elect to pay for protection, the antispam industry collects. If you don't, the criminals collect.

In an ideal world, the right price to pay for antispam is zero. But to get there is nearly impossible. The only way to nip the inevitable rise of crime in the bud is with strong leadership, forward-thinking government regulation, and an organization of competitors to work together in the common interests of the industry. (When I say government regulation, I don't mean the US government, or the United Nations, or ICANN or the IETF. I'm talking about Internet Governance, which doesn't exist yet; I don't know how it'll be funded, and I don't know how it'll exert authority. When I'm done solving spam, maybe I'll tackle that next.)

Strong leadership, forward-thinking government regulation, and a consortium of cooperating competitors. Hah! In their absence, criminals prosper.

The biggest banks, brands, and ISPs in the world are struggling today because you picked the right time to strike: you started spamming in earnest when email was entrenched, when it was too late to fix. When, with the best will in the world, we could no longer do anything about it.
