Spam externality cost ratio higher than stealing cars: what to do about that?

Spammers only make about $200 million a year, yet they cost everybody else around $20 billion a year, for an externality cost 100 times spam income. That turns out to be higher externality than stealing cars. What can we do about that?

Alexis C. Madrigal wrote for The Atlantic 7 August 2012, All the Spammers in the World May Only Make $200 Million a Year

Now, in a new paper in the Journal of Economic Perspectives, Justin Rao of Microsoft and David Reiley of Google (who met working at Yahoo) have teamed up to estimate the cost of spam to society relative to its worldwide revenues. The societal price tag comes to $20 billion. The revenue? A mere $200 million. As they note, that means that the “‘externality ratio’ of external costs to internal benefits for spam is around 100:1. Spammers are dumping a lot on society and reaping fairly little in return.” In case it’s not clear, this is a suboptimal situation.

Many activities impose costs on society that are not “internalized” by the firms or individuals. Air and water pollution are the paradigmatic examples. You get to drive your car around emitting particulates and various other smog-causing molecules that increase the cost of treating asthma and other illnesses for other people by a tiny bit.

Spam has a remarkably high externality ratio, not just relative to driving an automobile, but stealing one, too. Here’s a chart that Rao and Reiley include in their paper, which just looks at the direct costs of spam to end users (which they estimate at $14-$18 billion):

The article examines those costs more, and then gets to the point:

So what’s the way forward? The researchers gloss a variety of techniques like “attention bonds,” in which you’d be paid some tiny amount (say, $0.05) for reading unsolicited emails, and government interventions. But their preferred solution is to find ways to raise the cost of business for spammers, so that their campaigns become unprofitable.

“We advocate supplementing current technological anti-spam efforts with lower-level economic interventions at key choke points in the spam supply chain, such as legal intervention in payment processing, or even spam-the-spammers tactics,” they conclude. “By raising spam merchants’ operating costs, such countermeasures could cause many campaigns no longer to be profitable at the current marginal price of $20-50 per million emails.”

Interesting ideas, but legal intervention requires dealing with multiple legal regimes throughout the world, while spammers can shift from a botnet in one regime to another elsewhere, as just demonstrated by the Grum botnet takedown being followed by a huge surge in spam from Festi botnet including from Turkey where even when one infested organization (TTNET) ejected Festi, spammers just moved to another (KOCNET). Oh, and Grum botnet is staging a comeback.

I would argue the first thing to do is to make it more obvious which organizations are infested by what, when, and where, as in for example Reputation alone may then cause the infested organizations themselves to take action. At the least, long experience indicates that if nobody knows about such infestations, the infested organizations will not try to stop outbound spam, which they also consider an externality.