In this week's Security Levity, I want to talk about spam again -- not email spam, but spam sent via SMS. Also known as text message spam. I want to get to the bottom of whether SMS spam is as big a problem as email spam -- and if not, why not?
The situation varies around the world -- some of this is due to the different views on spam in various cultures, similar to email spam. For example SMS spam in China is much more prevalent than it is in the West, but the locals are far more tolerant of it than Westerners are.
A widely-quoted statistic on SMS spam is from Ferris Research, who estimated that 1.5 billion spammy text messages were received in the U.S. during 2008. That sounds like a big number, but a year is a long time and there are tens of millions of subscribers in the country.
I work that out as about one spam message per person per quarter, on average -- some people will get more, some less. It's occasionally annoying, but incomparable to the email spam problem, where a typical user might receive hundreds of spam messages per day (unless they have a good spam filter, of course!)
So why is this? How come email spam is a 5,000,000% bigger problem than SMS spam? It mainly boils down to three related factors...
Cost of Service
Email is free. Mobile phone service isn't. To be more precise, the marginal cost of sending email is zero, but sending a text message costs of the order of $0.10 (much less in quantity).
Shady marketers and criminals love email. They can send email for free, either by stealing service from innocent users via botnets, or by using so-called "pink contracts" (where ISPs turn a blind eye to a customer's spamming ways).
If the marginal cost per message is zero, who cares if 99% of your email is filtered before reaching your victims' inboxes? Let's say you send a million messages advertising fake ED drugs and 1% gets delivered. Of that, 1% result in a sale. That's 100 sales, each of which might generate, say, a $10 affiliate revenue; $1,000 in total. So, in order to make a profit, your average cost to send each message needs to be less than one tenth of a cent.
However, in the SMS world, the privilege of sending bulk SMS is reserved for those with money and a valid contract. Bulk SMS might cost a few cents per message to send: a couple of orders of magnitude more than email.
Of course, spammers can and do use stolen credit cards to buy service, but the providers are quick to shut down such abuse (see my third point to discover why).
The economics of SMS simply don't make sense for the typical spammer.
Anonymity versus User Authentication
Email is unauthenticated. Of course, your email service wants you to log in to read email and it usually needs your password for you to send email. But because of the history of email, it's entirely possible to send email anonymously.
Anonymity is necessary for spammers to perform irritating, malicious, or criminal acts -- assuming they want to get away with it and not be confronted with an angry mob. It's practically impossible to send large quantities of text messages while remaining anonymous.
The contracts and payment -- which are required before a new sender can send SMS messages -- are enforced by authentication. (I'm not talking here about a handset sending a few messages per day, but about bulk, 3rd-party submission of messages to the networks, typically using a protocol known as SMPP to one or more SMSCs run by the carriers.)
User Acquisition Cost versus Retention Cost
Economics 101 teaches that customer churn is costly. In other words, it's usually less expensive to retain an existing customer than to acquire a new one.
Especially in a saturated market, a wireless carrier should aim to eliminate customer satisfaction issues. When the barrier to switching carriers is low -- e.g. due to number portability -- carriers try to minimize user frustration. (The irritant factor of SMS spam is of course magnified in the few countries that charge subscribers to receive messages, such as the U.S.)
So it's important for carriers to stop SMS spam becoming a problem. That's about as pure an economic motivation as you can find.
Because SMS connectivity is authenticated and contractual, carriers can quickly and easily block spam in a way that's much more difficult with free, anonymous, email spam.
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!