Last week, Russian hacker Pyotr Levashov was arrested in Barcelona in an operation jointly undertaken by Spain and the US FBI. Levashov is allegedly the hacker behind the Kelihos botnet, a network of up to 100,000 compromised computers that have been used to run a giant, distributed spam operation (all unbeknownst to the owners of the computers in the network). While security experts quickly discounted the rumors that Levashov was the hacker behind Russia’s meddling in the US election, there was nonetheless a palpable aura of celebration surrounding the arrest: maybe we didn’t get the Russian hacker, but we got a Russian hacker, and a prolific hacker at that.
The interest in this arrest is driven by more than recent headlines about Russian hacking, however. It’s the kind of arrest that provokes twin strands of incredulity: You mean you can actually be the target of a transnational crime sting for sending email? And also: How come we haven’t solved this spam problem already?
For answers to both questions, ask your friendly neighborhood economist. It turns out that spam is kind of a fascinating problem, in economic terms: Justin Rao and David Reiley describe it as their favorite teaching example of “a negative externality that cannot be described as a form of pollution.” What they mean is that spam is a problem that someone else creates for you: the people who send spam email profit from it, while the cost of spam (in bandwidth, email infrastructure, and inconvenience) is paid by everyone else.
In one sense, it’s not a new problem. As Rao and Reiley note in their article “The Economics of Spam”:
a similar externality has been present for decades in other forms of unsolicited advertising, including junk mail, telemarketing, and billboards. These intrusive activities also impose claims on consumer attention without offering compensation or choice. However, email spam is breathtakingly larger in magnitude, with quantities in the absence of automated spam filters equal to hundreds of emails per user per day; if our email inboxes stood unguarded, they would quickly become totally useless. (In contrast, junk mail has not yet reduced our unguarded postal mailboxes to this fate.) One can purchase unsolicited email delivery on the black market for a price at least a thousand times less than that to send bulk postal mail.
The low, low price of spam doesn’t make it unprofitable. It just means you have to run a truly massive operation in order to make any kind of money. But you can’t send tens of thousands of emails from a single computer without getting blocked by the big email providers, so you need a way of distributing your spam delivery so it doesn’t all come from the same place. That’s where botnets come in: big networks of zombie computers enslaved by malicious software, so that the personal computers of many individual users can be turned into invisible, unsuspecting spam factories.
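To make the mechanism in that paragraph concrete from the mail operator’s side, here is a small added illustration (it is not code from the original post and models no real provider’s filtering). It replays constructed gateway log lines through two checks: a per-source rate limit, which stops a burst from one host but is blind to the same volume spread thinly across many hosts, and a campaign-level check that notices when one advertised URL arrives from many unrelated sources. The IP addresses, recipients, URLs and thresholds are all invented for the example.

```python
"""Added example: why per-source limits alone miss botnet spam.

Constructed gateway log lines have the form "<source_ip> <recipient> <advertised_url>".
Three scenarios are modelled: one host sending a burst, the same burst spread over
200 hosts (the botnet case), and a legitimate newsletter from a single host.
"""
from collections import Counter, defaultdict

# Constructed sample logs (documentation-range IPs, invented recipients and URLs).
SINGLE_SOURCE_LOG = [
    f"203.0.113.5 user{i}@example.com http://pharma.example/buy" for i in range(300)
]
DISTRIBUTED_LOG = [
    f"198.51.100.{i % 200 + 1} user{i}@example.com http://pharma.example/buy"
    for i in range(300)
]
LEGIT_LOG = [
    f"192.0.2.10 user{i}@example.com http://news.example/daily" for i in range(60)
]


def parse(lines):
    """Split each log line into a (source_ip, recipient, url) tuple."""
    records = []
    for line in lines:
        src, rcpt, url = line.split()
        records.append((src, rcpt, url))
    return records


def per_source_throttle(records, limit=100):
    """Per-source rate limit (hypothetical threshold).

    Counts messages per source in arrival order and rejects every message a
    source sends beyond `limit`. Returns (accepted, rejected).
    """
    seen = Counter()
    accepted = rejected = 0
    for src, _, _ in records:
        seen[src] += 1
        if seen[src] > limit:
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected


def campaign_alert(records, min_sources=20):
    """Campaign-level check (hypothetical threshold).

    Groups messages by advertised URL and flags any URL seen from at least
    `min_sources` distinct sources: one link pushed from many unrelated hosts
    is the signature of a distributed sending operation, not of a newsletter.
    Returns {url: distinct_source_count} for the flagged URLs.
    """
    sources_by_url = defaultdict(set)
    for src, _, url in records:
        sources_by_url[url].add(src)
    return {url: len(s) for url, s in sources_by_url.items() if len(s) >= min_sources}


def triage(lines):
    """Run both checks over a log and summarise the outcome."""
    records = parse(lines)
    accepted, rejected = per_source_throttle(records)
    return {
        "accepted": accepted,
        "rejected_by_rate_limit": rejected,
        "campaign_alerts": campaign_alert(records),
    }


if __name__ == "__main__":
    for name, log in [("single source", SINGLE_SOURCE_LOG),
                      ("distributed", DISTRIBUTED_LOG),
                      ("newsletter", LEGIT_LOG)]:
        print(name, triage(log))
```

Run as a script it prints one summary per scenario: the single-host burst loses 200 of its 300 messages to the rate limit, the distributed run sails through the rate limit untouched but trips the campaign alert (one URL from 200 sources), and the newsletter triggers neither. The design point is that the two checks answer different questions, "how much is this host sending?" versus "how many hosts are pushing this same thing?", and a gateway needs the second one precisely because a botnet is built to stay under the first.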
Security expert Brian Krebs estimated that Levashov’s botnet was capable of sending 1.5 billion emails a day, and attributed more than $438,000 in revenue from online pharmacy spam sent through that botnet over a 3-year period. Economics research suggests that the scale and the profitability of spam are inseparable: in their article on “The Economics of Online Crime,” Moore et al. cite the results of a research project that
infiltrated a large botnet and altered the spam e-mails sent out so that they linked to a benign duplicate website under the researchers’ control. They were able to provide the first independent answer to a long-standing question: how many people respond to spam? It turns out that 28 sales resulted from 350 million spam e-mails advertising pharmaceuticals—a conversion rate of 0.00001 percent.
If we follow Rao and Reiley, and assume an average transaction value of $50, then $438,000 represents 8,760 transactions — which, with a conversion rate of 0.00001%, reflects the results of something like 8.7 billion emails. It sounds like a lot of email, but if Krebs’ information is correct, it only takes a week for Levashov to generate that kind of volume.
The warrant to dismantle Levashov’s botnet was issued under the recently revised Rule 41 of the Federal Rules of Criminal Procedure, thanks to a set of changes which were highly controversial. The revisions were far-reaching in the most literal sense, amending procedures for search and seizure so that US law enforcement can get a warrant to access devices anywhere in the world. That’s how sending too much email can make you the target of a transnational bust.
It also speaks to what economists know about why this spam problem just ain’t going away. We can—sort of—come up with a rough estimate of how many millions of dollars a Levashov rakes in. It’s a lot harder to estimate the total cost his spamming imposes on the rest of us: as Rao and Reiley note, spam costs us all real money, from increasing server demands (the article says we need five times as much server hardware to handle the volume) to the many layers of spam protection service. But “the chief challenge in totalling up the social cost is credibly estimating the number of hours lost by people dealing with spam,” Rao and Reiley argue. “Estimating the amount of spam that beats spam filters is difficult—after all, if we knew it was spam, we would have filtered it.”
In 2012, Rao and Reiley floated $20 billion as the annual cost of spam for American consumers and firms—a number they note is “more conservative than the $50 billion figure often cited by other authors, and we also note that the figure would be much higher if it were not for private investment in anti-spam technology by firms.” On the flip side, they note, “spammers and spam-advertised merchants collect gross worldwide revenues on the order of $200 million per year. Thus, the ‘externality ratio’ of external costs to internal benefits for spam is around 100:1.”
Any political scientist will tell you that when you’ve got a situation where the costs of a problem are widely distributed, but the benefits are narrowly concentrated, you’re probably going to have trouble building support for any kind of remedy. In the case of spam, the most frequent proposal is to somehow change email so that spammers (and the rest of us) have to pay micro-charges, but that is problematic for reasons identified by Benjamin Edelman in “Priced and Unpriced Online Markets”:
Processing e-mail payments would require robust authentication and tracking—a far cry from current openness of e-mail. Furthermore, most implementations of detailed message tracking entail centralized records of who sent mail to whom, but such records would invite both litigation and regulation. Additional complexity would come from inevitable pressure to exclude certain mailings from fees: for example, e-mails for announcements, notifications, mailing lists, and the like. Finally, the necessary institutions simply do not exist; no single e-mail provider is large enough to start the process. Thus, the price of e-mail remains zero, and spam remains widespread.
In the absence of a pricing mechanism, there is one thing that could slow down spammers like Levashov, and that’s if the rest of us made his work harder. Spamming depends on botnets, and botnets depend on people leaving their computers un- or under-defended. But it takes time and a little money and the willingness to learn about your computer if you’re really going to keep your computer secure—or at least secure enough to notice if someone else has enslaved it. Spam and botnets thrive because not everyone is willing or able to do that basic security work, creating a problem that is the mirror image of the externality of spam itself: as Moore et al. note, “someone who connects an insecure computer to the Net is creating a negative externality, as the computer can be used by others to attack third parties.”
Yes, we now have the legal tools that, for better or for worse, enable transnational action against spammers like Levashov. But that’s not enough to stop spammers in their tracks. To truly stop spam, we have to secure our own computers.
We have seen the enemy in the war on spam, and the enemy is us.