Why is there spam? The simple answer is that "there is a sucker born every minute" and email is cheap enough to reach millions of potential suckers who might want to buy Viagra, sure-fire investments and fake Rolexes. A new study has discovered that it is enough with one response to every 12.5 million emails sent is enough to be profitable. The most interesting about the study was how it was done: by hacking the spammers own network. But is it OK to hack in order to understand spam?
As the fight against spam has escalated spammers have developed
frighteningly powerful tools to deliver their adverts, including vast
distributed software systems attacking millions of computers. This
obviously requires sophisticated programming and organisation, and suggests that spam has ties to "organized computer crime". In this case the researchers explored the so called Storm botnet. Computers infected by a trojan horse program spread by email spam become part of the network, and be ordered to perform services for whoever runs it. A large part of this consists of sending spam, but the network can also attack computers that are deemed a threat. There is no central node that can be disrupted.
What the researchers did (pdf) was to infiltrate the network to examine just how many positive responses a spam campaign gets. They had a number of infected computers (actually just virtual machines) running inside a controlled environment, where commands to and from the network were automatically rewritten to suit the research goals and hide the infiltration from the bot masters. This way they could hijack spam campaigns by having the links in the email point at sites the researchers controlled rather than the infectious or commercial sites the bot masters would have sent users to. The result was many kinds of useful information, such as the surprising scarcity of "customers", estimated revenues of $3.5 million per year for the network, data on the effect of blacklisting infected computers etc.
However, what is the morality of this kind of research? The researchers were involved in the sending of 500 million email messages, using computers and bandwidth owned by third parties. Were they spammers themselves? And is it immoral to hack somebody’s botnet?
The researchers defined an ethical criterion: their activities should never make a user worse off, and they would reduce harm where there was a risk to user properties. Hence their software did not infect any new computers with the Storm software and the site their spam pointed to would not pick up any personal or payment information (or sell anything). At most a naive user may have lost the opportunity to buy a desired drug, but given the prevalence of spam it is unlikely that such a user would have gone long without a new offer.
Some might think that the researchers had a duty to inform the owners of infiltrated machines about their situation, in analogy with how a researcher doing a scientific study ought to inform a participant about a discovered medical condition. But beside the enormous practical difficulties there is some past experience that this is very ineffective: many such users are inexperienced, do not care or have resources to fix the problem. Unlike the medical condition case the damage done to the user from the infection is relatively minor. Unless one follows an extremely strict duty-ethics that forces one to work very hard for very minor benefits there is no duty to inform in this case.
Similarly ideas for "anti-viruses" are often suggested: if you can infiltrate botnets, why not use them to spread immunizing software? Given the frequency of glitches caused by code it is a potentially risky manoeuvre that could easily backfire (cf. the Welchia worm). From a legal standpoint it is also potentially problematic, since the originators would then be interfering further with a large number of computers – they would be held responsible for hacking them. The medical "first, do no harm" might apply to computer viruses too.
What about hacking spammers? The researchers were not acting in any capacity as law enforcement. On the other hand the Storm botnet is a hoard of stolen computing goods that the bot masters do not have any right to. Since they do not have any right to it, they have no moral grounds for complaining that others infringe on their "ownership". Also, the harm reduction was relatively minor: the research hurt the spammers by intercepting 28
sales and 316 new infections, losing them about $2800. Compared to the estimated income this is minuscule.
A more proactive approach to dealing with botnets it to infiltrate and "pollute" them so that they no longer act in a coordinated fashion (paper here). Again, this does not seem to hurt users in any way, and it reduces the value of the stolen computing goods to the bot masters (without affecting the state of the users). Legally it might still be problematic: in some places Good Samaritan laws might protect people who do this, but in other jurisdictions it would be illegal – and the network is very likely to be transnational.
The power of botnets comes from their ability to aggregate enormous computing resources for someone’s ends. Normally aggregating resources is costly, which causes problems when trying to produce public goods. But botnets exploit security weaknesses to do aggregation cheaply, and then use the resources for further antisocial ends. In many ways they are the antithesis to public goods. The best way of fighting them is probably aggregative: individual users cannot be relied on to patch their machines or not to occasionally fall for false offers, yet networks and societies of users can fight back. Antispam software aggregates information from many users to filter out spam emails. ISPs can cooperate to block spamming machines or even spam-friendly services. Webcrawlers such as Google can identify sites that attack visitors and warn them. It is not inconceivable that states could agree on support for proactive poisoning of botnets or more effective law-enforcement against the spammers. Knowing how the spam economy works is useful to figure out how to fight it – as well as inspiration for considering whether some of the solutions used by spammers might not be used for positive ends.