Economists fighting spam
Published by Yazad Jal February 18th, 2004 in Web World, EconomicsFrom the Economist
The short history of society’s fight against spam—usually defined as unwanted commercial e-mail—may be about to pass into a significant third phase. In the first phase, it was geeks who led the resistance, using techie weapons such as e-mail filters with fancy Bayesian mathematics. In the second phase, politicians joined in, eager to get their names on to new legislation—in America, for instance, 36 states and Congress have passed laws of some sort against spam. Now, in the third phase, the economists are taking over.
Solutions proposed include pricing emails, creating email “stamps” and a clearing house that would have ISPs penalise subscribers who send spam.
Another good and amusing solution is put forward by Marginal Revolution’s Alex Tabarrok
The problem of spam is really a negative externality generated by the people who actually buy the products spammers offer. Thus, I suggest sending out fake spam and prominently posting the names of all those who respond….. What product to advertise in the fake spam? I suggest, “length enhancers.”
There is a suggestion floaing around /. that computer users should require a license to use their computer on the internet. This more relates to worms that to spam and as you know worms spread only because there are thousands of ’stupid’ internet users out there who will open attachments thus making life miserable for the rest of us.
The analogy being that if you drive your car recklessly and cause thousands of dollars of damage you are responsible for it (lets assume nobody dies for the sake of arguemnt) but if you use the internet recklessly and cause millions of dollars of damamges (downtime, lost busineess etc) you are not held responsible and are considered a ‘victim’.
I would like to hear comments from others. Just to clarify this is not a “who issues the licenses question of govt. vs. pvt sector” but of the principle of whether internet users should be held responsible for their actions (even if not intentionally destructive) but if you ‘accidently’ run somebody over with your car - you are still held responsible for negligence - it is the difference between manslaughter and murder in the 1st degree.
We should also require licenses for using gas cylinders at home for cooking. It is dangerous to allow untrained and unstable people, especially women, to operate them. If there is an accident because of this, the entire building might get burned to ground.
Intersting point Ravi - which is exactly why Gas regulators come with a little pink tag (at least they used to when I was in India) which shows they have been tested and certified. Also the reason why in a building you will be held responsible if investigations revealed that your house was the cause of the fire. It can be passed off as an accident but if you wilfully left your gas on or used a highly flammable gas you are either guilty of criminal negligence or arson.
The same with computer users. If you are stupid enough not to install a firewall, do not posess anti-virus software and blatantly click on attachments you should be held equally responsible for the millions of $$ of damage you have caused others. The concept of criminal negligence is not new - if a doctor give you the wrong injection even by mistake he is guilty so why not computer users.
No I am not asking for people to be punished for negligience later. Why should we wait for the horse to bolt before shutting the barn door? I am calling for compulsory training, tests and a government mandated licensing of people who wish to light a gas stove.
And it has just occurred to me that we also need a provision for surprise checks by inspectors who will inspect kitchens to see if anyone other than those licensed to do so is switching on the gas stove.
> there are thousands of ’stupid’ internet users
> out there who will open attachments thus making
> life miserable for the rest of us.
There are a few software packages out there (or mostly just one, depending on your perspective) that are responsible for enabling users to do such damage.
So how about this: we make software developers responsible for their products? I maintain that if by merely clicking on an email attachment, it is possible to spread worms, then it is not the inept user that is at fault, but inept software.
>There are a few software packages out there (or mostly just one, depending on your perspective) that are responsible for enabling users to do such damage.
Maybe the people, who are suggesting the ‘license’ are not aware of the immense benefits that have been bestowed upon society and on them because ’stupid’ people everywhere are using computers. How successful would ebay or Amazon (which ’stupid’ people also use) be if only techies were buying their wares, and where exactly would all those techie support jobs come from?
Licensing just paves the way for a closed user group, because then the net would be only be for the techie, by the techie and of the techie, as it was pre Mosaic and WWW. Maybe.. just maybe, the reason that M$Win has been so susccesful is because it has specifically tried to ‘dumbdown’ its product so that ’stupid’ people can use it.
There is a tremendous positive externality that these mortal users of the Internet exert on all the techie users, the fact that they are willing to buy and use computers has led to a real revolution in the way that our society functions and the full import of this has still to be fully felt or even realised. A small example is the way the cost of internet access has spiralled down in the last five years. Licenses would mean higher costs for the license holders both to procure the license adn then the access to the service, which may make even more bussinesses unviable. The fact that so many people continue to use the Internet *despite* spam and worms, implies that at some level the positive externality of the stupid guys outewighs the negative externality that they exert.
BTW, who exactly writes the worms? Techies right? so then why should the licensing regimes not be restricted to techies? who are both eager and willing to pay for the ability to use the internet. If there were perfect discriminatory pricing(Class 1 Monopoly), I’m sure, the techies would be charged more than the non-techie for access. So in a licensing regime why should the techies not be licensed because they would be willing to pay, while the non-techies, who would not pay license fees to access the internet, would get them at near zero-cost?
The problem with the proposal is obvious, all techies would pretend to be non-techies and that would be the end of that. Maybe then you could only require Engineers, Comp. Science Majors and IQ 130+ people to get a license? After all they are the guys most likely to make harmful viruses and spam-filter workarounds…
All we need is this Internet Licensing Authority, and the possibilities would be endless, today the internet tommorow the world ;-).
Licensing would not eliminate internet users - it would just be a way to keep track of them. The reason that cars have license plates and drivers require a driver’s license is because if hey cause damage there is a way to track them down. If cars were not required to have license plate - I gurantee the incidents of hit and run would rise dramtically. If you got into a fender bender and your car did not have a license plate to identify it - you could just hit the accelerator and be out of there.
When driving a car or using the internet, it is no longer just about the rights of the individual but of the entire community which interacts with the individual and could be place in harms way because of his actions.
So you are mistaken if you think licensing paves teh way for a closed user group - driving tests and licensing requirements are stricter than ever- Police and DMV database are fully linked up but the no. of car driver’s hasn’t gone down over the years - it has increased exponentially.
Currently the effect of worms are limited to dDOS attacks and a geneal slowing down but it is only a matter of time before it starts affecting the economy and our lives in much more serious ways. There is already specudlation that part of the reason why the entire eastern US expereinced a black out was dur to the DOS caused by worms. More and more citical services are using the internet and its not unrealistic to assumet that Granny caused a nuclear reactor o melt down because she couldn’t be bothered to install a virus checker. License her and she’ll be far more likely to get the latest patches becuase she know that if she cause a problem - they will catch her and hold her responsible.
Is granny really the one causing the problem? or is it the tech companies and service providers which are unable to find methods in which to track down the origin of the virus and shut that down. Since you draw analogies from the car-drivers, let me build on that.
If someone tampers with your car while it is parked on a street corner, and you don’t know about it. You come back and continue to drive, without knowing that your brake is not working, and when you come upto a signal, your car refuses to stop, you regretably run over a few people, but was it your fault? The chap who tampered with your car, is near by and derives a distinct pleasure from seeing those people mowed down. If you are jailed, will that stop that guy from doing something like this again? What would be his motivation? Compassion?
Incidentally your suggestion is exactly what the RIAA is trying through its scare tactics of arresting 70 year old grandparents for their grandchildren’s Kazaa downloads. The problem with internet music is not with the customers, as Steve Jobs has smashigly demonstrated with iTunes. It is with the companies that don’t want to cut prices to adjust to a new market.
With regard to the viruses again, the problem is not the people with unprotected computers, it is with the standards and practices upon which the network has been built. SMTP and POP3 are pretty old standards developed when the Internet was still a techie domain, I think I read about some suggestions for them to be updated and made more secure. The vigilance has to be on the part of the System Security Professionals that these companies hire, not the users. After all those guys are paid to fix such problems, users are just there to buy the product.
> MS Outlook is a RPC type email server and the
> reason why worms spread is because users leave
> the features turned on. Of course clicking on
> an attachment will launch a worm - just like
> clicking on a Word file will open it - the user
> is running a proceedure. How in the world can
> the program know what you want to do with an
> attachment?
It’s not just the email client (I’m guessing you meant client, not server in your comment). It’s also the operating system.
As far as leaving features turned on — those features that are dangerous should be turned off by default. For instance, the user should not be a privileged user by default as is the case in many single user Windows environments. That is a poor OS configuration and leads to malicious programs being able to execute with superuser privileges.
So, while I agree that the program has no way of knowing what the intention of the user is when an attachment is launched, the environment (OS + Mail reader) should be designed in such a way as to minimize the damage that can be caused by a malicious program. This is not a new concept in OS design — judicious use of a separate superuser account and separate user and system spaces have been implemented successfully in many systems. (Of course, those OS’s were traditionally multi-user systems and thus needed to have such mechanisms in place.)
> It is claimed that sometimes you can get a virus
> just by opening an email - you can but only
> because users view their email as HTML
Again, most HTML-based exploits took advantage of security bugs in Outlook Express — it wasn’t the act of displaying HTML which was inherently flawed.
My point is not to bash on a particular OS/Mail reader. Rather, I would like to see more secure software. This *is* possible. For instance, consider Mac OS X with Mac Mail. It has all the features I want in a mail reader, renders HTML perfectly, is extremely friendly for an inexperienced user, and yet is a much more secure environment than Outlook Express+Windows.
Response to Gautam:
Yup its still your fault. The guy who tampered with your brakes is guilty of 2nd degree murder but you are also guilty of manslaughter. You cannot claim that events beyond your control caused it and even though you were driving the car - it is not your fault. Thats like saying if it snows heavily and my car skids and crashes into another, it is not my fault but God’s fault for making it snow. Sorry the law doesn’t work that way - you will get a lighter punishment but the law (in all countries) is very clear that if your actions (whether intentional or unintentional) caused damage to thers - you are responsible.
Beside in the brake analogy you are required by law to test your brakes before you drive (its the first thing they test in your driver’s test by putting your car in gear and then pressing the brake - though nobody - including myself - actually does it). You are also required to test your headlights, turn signals and wipers as well as make sure your tires are properly inflated). The law is very clear that when you are behind the wheel of your car you are fully responsible both for your driving and the proper funtioning of your car.
It is upto the user t decide what features to turn off. The latest MS security bulletin (till a patch was made avaialble) advises users not to click on a URL in an email but to copy and paste it into IE. Users would howl in protest if MS designed email which could not carry URLs. Most users are willing to risk clicking on a URL for the pure convenience factor and so MS wants it.
Its like trying to sue Ford for providing a radio in all their cars by default. Radios are a known driver distraction and responsible for thousands of accidents every year - but it’s the drive’s responsibility to use the radio carefully - not Fords - they provie an on/off button adn its your responsibility to turn it off if it is distracting you - not Ford’s.
It is a case of convenience winning out over security. We all love to right click on a file and click Send to Mail Recepient - thats actually a high risk way but users still do it everyday and demand that feature - using it responsibly is the user’s problem not MS’s.
“Although the experts MacCentral interviewed for this story admit that to date, they’re unaware of any Mac OS X-specific virus or worm, one thing they all agree on is Mac OS X not immune to a potential hacker attack. Over the years, Unix-based operating systems have been compromised many times, and all of them suspect it’s only a matter of time before someone steps up to the plate with their own Mac OS X virus or worm.”
The reason that there aren’t many Mac viruses so far is because virii are OS specific and need many machines running the same OS to propogate. There just aren’t enough Macs around to make it worth a virus writers while to write one for them. Viruses also propogate on coporate networks and the Mac definitely is not popular in the work place.
Your car analogy is a bit overdone. The way I see it, it’s like someone steals my car and then causes an accident. In this case, I am not responsible for the accident. Hackers who use worms to cause damage are doing just that. Let’s add some spice by saying that I forget to lock my car. And it gets stolen (and involved in an accident). I am still not responsible for the accident. Yes, I may not get the insurance money cause I did not lock the car, but it aint manslaughter!
On another tack, one reason why the govt licences drivers is that they use roads owned by the govt The information superhighway is not owned by the govt.
How will this licence / regulation of internet users be done? What are the modalities and practical aspects? (and is it possible?)
I just wonder, might we not end up in the situation Ravi mentioned some time back?
haha ravi!…I thought that’s one brilliant piece of satire!..just hoping I’m not the target in some indirect way!;)
And hey, I was hoping for some comments on Tabarrok’s anti-spam proposal.
exactly my view on both counts, yazad!
I thought that’s what really happens: The more spam mails you open, more the spam you get!..so, yes in a certain way people who pay attention to spam are penalized more!
Ck,
> The reason that there aren’t many Mac viruses so
> far is because virii are OS specific and need
> many machines running the same OS to propogate.
My point wasn’t that viruses and worms cannot spread through Macs. They can. However, I claim that OS X + Mac Mail is a more secure environment than Windows + Outlook Express — malware, in general, can wreak less havoc.
> advises users not to click on a URL in an email
> but to copy and paste it into IE. Users would
> howl in protest if MS designed email which could
> not carry URLs.
True. And this is an example of badly written software, not a convenience vs. security issue.
Yazad,
Tabarrok’s proposal is funny! I read the article at the provided link and he is trying to be facetious I presume. His “solution” would be as unethical as spamming imo :)
Yazad’s example is more appropriate than mine. But what I was trying to get at was that jailing an Innocent tool (or victim himself) will not stop the actual perptrator from using someone else to commit the crime. Even if more secure methods are adopted by the user, maybe more undetectable methods would emerge from the perpetrators.
Also there already exists a simple way of tracking people - IP address. Everyone on the Internet needs an IP address and people can be easily tracked using them. But that does not mean that determined criminals cannot mask their IPs, its even easier with the Anonymiser service. How can you ensure that a license system would not be broken into and compromised. Also how would you ensure that the licenses are not used to track the regular activities of people, like checking mail, browsing the net etc..
Another thing.. should those users who are concerned about their own security not use more elaborate security? for instance PGP/GPG for secure email, better and more upto date Virus checking and spam blocking software?
I find it a little frightening when CK says: “Licensing would not eliminate internet users - it would just be a way to keep track of them.”
Keep track of them! I noticed in your first post you brushed aside the issue of who would issue the permits. However, that’s the main issue in this case - not if users are ’stupid’ or if software or people are responsible for the spread of viruses. Even if I accepted your contention that users are idiots and are largely responsible for the spread of internet worms, that still would not be a reason to enforce a licencing scheme. In the other examples that you have given (the car and brakes), the harm done is clearly identifiable. If a worm slows down the internet, who does that harm and how much does that harm him? This is an implementation, not a strategic, question. It is still important though, because the liberty that will be lost by answering that question is higher (in my opinion) than the benefit that will accrue from eliminating the negative externality.
Ultimately, it’s a question of freedom.
>How will this licence / regulation of internet users be done? What are the modalities and practical aspects? (and is it possible?)
Girish why are so worried about people keeping ‘tack’ of you? You have been tracked for the last decade. I’ve seen programs that link your visa card to a GIS system and you can already trace a person’s movements during a day.
The NSA already has the capability to read every email sent anywhere in the world and listen in on any telephone conversation anywhere in the world.
The FBI’s Carnivore program can already read email sent anywhere to and from the US.
Stores in the US are already equipping merchandise with RFID tags (which stay on your clothes hidden behind a button) and everytime you enter or leave a store, they will know how many times you have visited, what you have bought and even which competing stores you shop at. This is soon to be extended to food products so now they’ll know what you eat.
On the internet for $49.99 you can already purchase somebody’s entire life history - from credit history, driving tickets, divorces, children, convictions, personal assets, houses you own, your personal telephone number and your home address.
…and you are worried that somebody is ‘tracking’ you? Little late for that I’m afraid.
Ck, No need to be snarky when your “practicality mantra” is tossed back at you. You are right, I ofetn don’t care about it. It’s your principle, so would you please live by it and ANSWER the question?
Well Ck, if people are already tracking you and me, then they already know or have methods of finding out which computers are using which software and are making things bad for the rest of us. So why do you need to implement licensing? All the NSA/FBI/CIA has to do is arrest granny and a few of her malicious cohort of ignorant computer users and they will have solved the heinous problems of internet worms, or better still the worm writers themselves.
Also I think if you consider RealPolitik for a moment, if people don’t know that they are being tracked they won’t raise a hue and cry about it and the real and potential hazards can be tracked by the ‘authorities’ while keeping the rest of the internet ’safe’ for you, me and any innocent 10 year old who wants to start a blog. If you do make people get licenses, you will first have ACLU and all us bloody painful libertarians (on the left and right), and not to mention the whole Liberal-Democratic instiution crying about the end of the free world. So its more “practical” to do the covert tracking no?