"Two years from now, spam will be solved."
Microsoft Chairman Bill Gates, Jan. 24, 2004
"Spam doubles, finding new ways to deliver itself"
The New York Times headline, Dec. 6, 2006
As was recently described in Communications,2 anti-spam researchers are in an arms race. Deploying ever-more-sophisticated identification and filtering technologies, they have kept one step ahead of the spammers, and the amount of junk email in our inboxes has remained tolerable. By that standard at least, Bill Gates was correct in his prediction. But, the achievement has come at a price. There are direct costs, borne and passed on by ISPs, plus less-tangible costs such as when filters falsely classify important email as spam. And, as the newspaper headline above attests, the spammers are not giving up. Rather, they are commandeering an ever-growing amount of the Internet bandwidth we all pay for.
An arms race, such as the Cold War, can end in capitulation if each new round of spending by side A leaves side B worse off. Side B then faces a choice between quitting the race or diverting more resources to countermeasures. If, unconventionally, more spending by side A were somehow to make side B better off, there would be no way for side A to win just by spending more. It seems to us that the anti-spam community is, so far, proceeding as if it is in a conventional arms race. The hope is that better filtering eventually will drive the spammers out of business (or, at least, make them shift their attention away from email).
Research into the economics of the spam industry suggests, to the contrary, that the deployment of filters leads to an arms race that is not like the Cold War.6 As filters improve, the information assets of spammers become more valuable and lead to more, not less, overall spamming activity. This is troubling to contemplate, because it means no amount of spending on better filters will be enough. The next levels of escalation might then involve sender-receiver prearrangement, a new accounting infrastructure or, perhaps, payment or bonding prior to email delivery. We would characterize these steps as capitulation to the spammers, should they occur, because they would mean the end of the free, anonymous, and neutral email that we know today. To avoid capitulation, we argue that researchers should look beyond new spam-identification technologies and consider the information-economic implications of their deployment.
The idea that improved filters might eventually eliminate spam is seductive, because analogous outcomes have occurred in other sales-related industries. In the U.S., the door-to-door sales model once practiced by such companies as Fuller Brush disappeared as the post-war generation of stay-at-home housewives entered the workforce and no longer answered their doors.3 Deploying a spam filter is a bit like disconnecting your doorbell: A determined salesperson might still find a way to get your attention and sell you something, but most will be frustrated. However, spammers will not give up the way the Fuller Brush Company did. To see why, one must understand the economics that governs the equilibrium level of spamming activity.
Conventional industries with low barriers to entry are often highly competitive, and economic theory predicts that price competition will lead to equilibrium at a point where industry profits are eroded away.a In the spam industry low entry barriers will have a similar effect, but the mechanism is quite different. Spammers compete for a share of email users' attention, which is a fixed, limited resource.7 If a bit of attention is allocated to noticing, opening, and reading a spam message, the spammer who sent it might eventually get a payoff. But, if the number of spam messages hitting an inbox gets large enough, just noticing them will take up all of the recipient's available time. As more spam is sent, the total, fixed attention resource of the owners of the target email inboxes will become depletedeventually to the point where total spam-industry profit will go down when a new spammer joins in. Thus, low entry barriers will lead to active spammers quitting when they find their profits have disappeared and new spammers starting up whenever a marginal profit opportunity exists. The average spammer will have no economic profit at equilibrium.
If other things were equal, a spammer would be better off if his own messages were never blocked by filters. But, improved filters simultaneously block messages from all spammers. Thus, when filters are in place everywhere and a spam message does happen to be delivered, it reaches a comparatively uncluttered inbox. This improves the chances of a payoff for the spammer. Models predict that the total volume of spam sent over the Internet will increase, not decrease, as the result of better filtering,5 because each individual spammer will enjoy a greater return from the marginal delivered message. This prediction aligns with trends currently being observed and reported.
The well-described common-pool-resource framework is better than the arms-race analogy for analyzing anti-spam strategies. The commons framework captures the market failure that occurs when users of a resource do not bear the full costs of their decisions to consume more of it. This arises, for example, in the fishing industry: An individual fishing boat has an incentive to increase its own catch, and an unfettered market will lead to the depletion of the fishery. Spammers are more like fishermen than door-to-door salesmen (see Figure 1). Because the profit from the marginal spam message is pocketed by the individual who sends it, while the economic costs associated with depletion of the common attention resource are borne by all spammers as a group, there will always be "overspamming," just as (without regulation) there will be overfishing. (Such market failure is often called the "tragedy of the commons," after a fable about sheep grazing on a village green.)
To identify useful anti-spam policies and practices, it will be helpful to focus on economics rather than on social constructs. That means we should think of spam as an economic good, not a social bad, and we should look for new policies or practices that will change the spammers' relationship to the digital common-pool resource on which they depend. Such policy innovations can change the equilibrium level of spamming activity in a direction that theory can predict.
Spammers need high-quality information to access their common-pool resource, and various practices followed by the Internet-service industry can affect the quality of spammers' information assets. For example, spammers use tools that improve the quality of their mailing-list information by automatically exploiting dropped connections from ISPs to purge invalid addresses. Thus, the spammers are inadvertently helped by a handshaking convention that was adopted simply to make email more convenient. There can also be unrecognized information effects attached to well-considered anti-spam policy decisions. For example, because it is not costless to send spam,4 a spammer who knows of inboxes that few others have discovered will have an advantage as would a fisherman with secret knowledge of where fish are plentiful. Although our instinct is to keep our email addresses private, models show that fewer spam messages would be aimed at the average inbox if all addresses were public knowledge.6 The discussion surrounding a proposed do-not-spam registry in the U.S. is an example of this particular information effect interacting with anti-spam policy.1
It seems to us that the anti-spam community has so far viewed its opponent in the arms race as a gaggle of individual bad actors to be identified and stymied rather than an industry that has arisen to satisfy economic demand for its product. Putting any number of individual spammers out of business would not be hard, since they already make little profit on the average. But this would not eliminate junk email there will always be new spammers willing to step in and serve any unmet demand. An information-compatible strategy, on the other hand, would relentlessly seek to shift the equilibrium level of spamming activity in a favorable direction through an assault on the quality of spammers' information assets. A range of information-compatible actions could be devised, some more proactive than others. Two basic principles should guide such actions: make it hard for spammers to get good information, and make it easy for them to get bad information.
The practice of spending money on spam-identification technologies that are then used to construct publicly deployed email filters and sender blacklists can be viewed as incompatible with the first principle. Spammers can costlessly find out which of their messages are being diverted by filters and which of their servers have been blacklisted, making it easy for them to react with countermeasures. The anti-spam side spends heavily to develop strategic information and, perversely, the spammers spend nothing for the information they need to react. (It is as if NATO had let the Warsaw Pact log into computers at Ft. Meade to find out which codes had been broken and which were still secure.)
To be more proactive, the anti-spam community should seek to turn the tables, spending less themselves while making the spammers spend more. For example, they might use disinformation to advance the second principle. The purpose of disinformation in warfare is to make one's adversaries waste resources. (That is why the U.S. built empty ICBM silos during the Cold War and Gen. Patton commanded a phantom army in eastern England during World War II.) The anti-spam community has the ability to thoroughly corrupt the spammers' information assets with disinformation. For instance, ISPs could deploy electronic equivalents of Patton's plywood army: legions of robotic email accounts realistic enough to pass any spammer's Turing test.
If this were done, spammer's costs would be driven upward, because they would waste resources sending email to phony targets. And, because the anti-spam side would no longer be telling the spammers what is known about them, data gathered by spam-identification algorithms could be used to fine-tune the disinformation for maximum effectiveness on each individual spammer. With practice and refinement, the anti-spam forces could get very good at monitoring and manipulating the spammers' information assetsto the point where spammers eventually would have no idea what the quality of their information really is. With a bit more work, the robotic email accounts could be programmed to respond to spam, generating fake back-traffic for spammers to deal with. The equilibrium level of spamming activity occurs when the marginal revenue from one additional spam campaign equals the marginal cost of conducting it. If the spammers were made to spend individually on costly technology to sort out which responders are real and which are robots, the equilibrium would shift dramatically downward.
Using these or other information-compatible policy initiatives, an innovative anti-spam strategy could focus on reducing the value of the information assets on which spammers depend. Then, although email spam would not go away entirely, a sustainable level of anti-spam spending might be effective enough that email can be kept free and neutralthe characteristics that have so quickly changed it from a fringe, techie phenomenon into the default medium for both business and personal communications.
6. Plice, R. Pavlov, O. and Melville, N. Spam and beyond: An information-economic analysis of unwanted commercial messages. Journal of Organizational Computing and Electronic Commerce 18, 4, (2008) 278306.
a. To simplify the discussion, we are ignoring the distinction between economic profits and accounting profits. Perfect competition drives economic profits toward zero, but industry participants may still realize net accounting income.
©2009 ACM 0001-0782/09/0500 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
No entries found