background: phishing leads to direct losses in the
$500,000,000/y range. I argue that given $500,000 in
funding we can make a significant dent in that figure.
Investments in antispam standards development pays society
back at something like a 10,000% rate of return --- it's the
same kind of public good as, say, electricity, an effective
legal system, or running water and sewage. without it,
things fall apart.
This is why I've been working on finding funding to take
SPF+SRS+SES+DK to the next level. I have already seem some
verbal commitments in the five-figure range from big
enlightened companies. Yahoo, for example, is to be
applauded. I am also seeking funding from government
bodies, eg. HSARPA and ida.gov.sg.
But if funding never shows up, at a macroeconomic level,
what that really means is that the world wants to retire
email and move on to the next new messaging infrastructure
which can generate new fortunes --- for example, p2p email
is probably 12 to 24 months away.
These are some thoughts that crystallized over the last few
months of this fundraising activity. The question foremost
in my mind was "why isn't industry more willing to fund
actual code development?" The flip answer is that there's
nothing in it for them. Stretched out over a few more
paragraphs, it's less flip and begins to make more sense.
Traditionally, the goal of a business is to compete in a
given environment. Changing the environment is not
something that most businesses contemplate --- notable
exceptions include Shell, with their scenario planning, and
BP ... petroleum companies have gotten it into their heads
(at least at the top) that they're really in the energy
business, not the oil business.
You would think that a rational bank manager would spend $X
to save $Y, as long as $X < $Y. In practice, two things get
in the way of that decision. First, there is an uncertainty
discount because we're only about 20% confident that the
plan will work and $Y will be saved. Second, budgeting
creates domains of irrationality. The bank manager is not
actually motivated to act in the interest of the overall
firm; he is motivated to act in the interest of his
division, and his division (technology development) is in
direct competition with the other division (risk management
and fraud) for resources. So the internal competition model
of the firm is a failure, at least in this case. As an
industry we haven't crossed the Prigoginian boundary of
complexity yet where competition gives way to cooperation.
Banks are a business. They compete with each other. So, in
the face of the phishing problem, what does a bank seek to
do? It does not seek to end phishing --- that constitutes
changing the environment, which is not the job of an
incumbent, established business. Instead, it seeks to
compete in that environment.
Rational banks would desire to not lose any money at all on
phishing fraud.
Instead, banks only desire to lose less money on phishing
than their competitors.
This is the sort of thing that drives the engine of
disruptive technologies and brings innovations to market.
Stupid, selfish incumbents caught on the horns of the
innovator's dilemma are a necessary antithesis to the
technology startup. They are both essential ingredients of
innovation.
Bibliography
http://www.amazon.com/exec/obidos/tg/detail/-/0671872346/ Waldrop, Complexity
http://www.amazon.com/exec/obidos/tg/detail/-/0679758941/ Wright, Nonzero
http://www.amazon.com/exec/obidos/tg/detail/-/1576752933/ Kahane, Solving Tough
Problems
http://www.amazon.com/exec/obidos/tg/detail/-/1576752933/ Schwartz, The Art of
the Long View
http://www.amazon.com/exec/obidos/tg/detail/-/0875845851/ Christensen,
Innovator's Dilemma