Schneier on Security
A blog covering security and security technology.
« Top Ten Privacy Stories |
| RFID Zapper »
January 3, 2006
How Profitable is Cybercrime?
The Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said.
Posted on January 3, 2006 at 7:31 AM
• 44 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I wonder where they get the numbers from. Whereas in drugs for example every kilo sold yields a profit, in cybercrime every credit card number or identity stolen doesn't as they are not all used.
What I'm trying to say is, is this hype or fact?
That's a bit staggering to me. After all, from the reporting, the number of reports is 55 million. Simple figures tell us that on average that's roughly $1909.00 per individual reporting the item to the authorities. That's not an amount I'd be caught dead carrying in cash.
With that, one cannot deny that at that kind of an average it seems somewhat feasable. Still, with 55 million affected individuals in the US, one can't help but wonder why we haven't heard of it happening to at least one person we know. Still, if they can back these figures it makes one wonder how many losses go unreported given the awareness level of the normal internet user. Guess that means I'm as curious as everyone else as to whether this is "hype or fact?"
The numbers seem suspect to me as well. Assuming for the moment that they are correct, then where is the "War on Cybercrime"?
I've heard this before. Someone said they include software and music piracy. So I mean every time some kid downloads a song off a p2p network its counted as theft.
"The numbers seem suspect to me as well. Assuming for the moment that they are correct, then where is the 'War on Cybercrime'?"
I think the RIAA is fighting that one.
You posted similar claims in your November 30, 2005 Article 'Cybercrime Pays'
"Fraud is fundamentally fuelling the growth of organised crime in the UK, earning more from fraud than they do from drugs,"
See the discussion in the comments section about how these numbers were estimated...
Yeah, it really kills me how they count each pirated copy of the software or song as a lost sale. How very stupid. But no reporter ever seems to point out the silliness of those figures, even though it must be obvious to a lot of them.
Government numbers are political and only rarely based on fact.
"Government numbers are political and only rarely based on fact."
One very Good summation.
I've done a little poking around with regard to this article...this $105 billion number is pretty shakey as far as I can tell. My comments are on my blog at www.gocsi.com/blog
The piracy numbers aren't government numbers, though. They're mainly RIAA and BSA numbers.
The devil is in the details as they say :) It would be interesting to see how they back up those numbers. However, maybe we should ask the criminals ;)
It would be more interesting if they gave a basis for the figure...
I've yet to see a significant effect of any specific "cybercrime" incident on the international markets, which makes me doubt the "The XXX virus cost us YYY billion" scaremongering.
There is always propaganda about how many $ are lost because of road accidents, bad weather, lost revenue because people don't pay their bills on time, because people are ill so many days a year, cars or houses are not locked and got broken into, because people don't spend enough on Christmas presents, because of delays at airports, because people smoke etc. etc.
That's just life.
Yet all this propaganda is designed to hook you into feeling bad because you might be spending your money prudently and sensibly or because you might have scooped some free stuff over the net.
Does every pirated copy of Photoshop count as a few hundred dollars in cybercrime? If so, my old high school is contributing about $1M to that figure.
"Government numbers are political and only rarely based on fact."
I think that the "War on Drugs" scares more people into voting for this information than any "War on Cybercrime" could. It seems odd, but with Congress trying to cut the deficit this seems that it's a press release for a future budget fight
Aren't those number based on "projections" like the Media Industry is doing? For example, if they will expect to earn amount X in the next 3 months based on last year averages but they only get Y < X, then X-Y is the amount "stolen". It doesn't matter if they got less money because of the poor quality of their "product". And the list goes on...
I don't know why, but when I read such enormous numbers everything sounds less credible..
I am absolutely shocked! I've been lied to my whole life, told that crime doesn't pay!
I can't believe I've been duped into wasting my time at a college so I can get a "real" job!
This is utter nonsense, of course. Why publish such obviously outlandish claims?
I said it before and I say it again. This claim is pure BS.
I was afraid this would happen. Some wag at a conference in Ryhad was cornered by a stringer from Reuters. Ms Valerie McNiven has done consulting for the US Treasury and World Bank and she made up the figure of $105 billion. I was hoping it would not become a oft quoted stat. Most journalists did a little digging and found out that the ex-Chief Privacy officer of the State of Colorado was not an "expert" after all.
First of all, World wide drug trade exceeds $400 billion. Second of all cybercrime is about two orders of magnitude less than $105 billion. Maybe close to $1 billion according to Gartner and others.
"Does every pirated copy of Photoshop count as a few hundred dollars in cybercrime?"
Why wouldn't it?
"Why wouldn't it?"
Why would it. As a software development manager I get this all the time. Don't confuse unauthorized use with potential sales. Just because someone is using a product doesn't imply that same person can afford to purchase the product.
So, in this case, it is likely that the user of a pirated copy of Photoshop would never have paid for the product anyway, so there is no lost sale.
In fact, Adobe will actually benefit from unauthorized use of their product by those who can't afford to buy it. They will achieve product "lock in", with potential customers taking time to learn a complex product like Photoshop, there is more likelyhood that users would eventually buy the product when they can afford it.
Once users take the time to learn a company's products, they are more likely stay with those products for life.
I can vouch for that. I was introduced to Photoshop via shady copies, but eventually (probably at least a year later) bought a full copy (and I bought GoLive too, for some reason.) If I hadn't had access to earlier versions I would never have shelled out the money for the full version.
It would be interesting to contrast the drop in cd sales against the performance of other music merchandising (such as concert ticket sales and video sales.) Anyone know where I can find some stats?
It may help to consider the question with respect to "regular" crime.
Suppose you steal a truckload of 100 plasma-screen TVs. Each TV has a retail price of $3k (but is usually discounted to $2.5k) and a wholesale price of $2k. You keep one for yourself, give three to family members, and sell the other 96 sets to a fence for $250 each.
If we measure "proceeds" the same way that the treasury department did in this study, what are the "proceeds" of this crime?
@DoesntAddUp: Your argument doesn't add up, either, at least, not in exclusion. The truth is that some pirated use is converted into real use, some pirated use contributes to lack of use of a competitor, but that most pirated use is of no benefit to the vendor. A portion of that is of significant loss to the vendor, because it's not someone willingly pirating it for their own use, it's someone paying close to regular price to a 'consultant' who sells them a pirated version while convincing them that it's real.
Content theft is damaging to the owners of the content rights. Content theft is beneficial to those who steal the content. Content theft is not always beneficial to those who use the stolen content.
How profitable is cybercrime? Don't you have a partial answer to that question in your own paycheque? People like you (and like me) are able to make a living partly on the basis that there are perceived risks to computing.
If we're on the side of the angels, we focus on those perceived risks that are real, but it's worth our customers making sure that we are not selling them invisible elephant powder (here's a tesimonial from one of my customers - he has never been trampled by invisible elephants, proving that the powder works).
"Content theft is damaging to the owners of the content rights. Content theft is beneficial to those who steal the content. Content theft is not always beneficial to those who use the stolen content."
None of that is false. I would certainly say that most of the time, illicit copying costs vendors money. However, the question is whether a product for sale for $100, copied illegally 10k times, costs the company $1m. Since only some percentage would have translated into real sales, and some percentage still will, the true cost is actually somewhere below $1m. How much, I'm sure, differs from product to product. Things that are cheap with little learning involved probably lose a bigger percentage than things which are expensive and take a lot of investment to learn to use.
Hmmm... Everyone is questioning the numbers for cybercrime, but no one has said anything about the bogus figures for drugs. The drug numbers are notoriously overstated for a range of political reasons. Typically the "value" of product seized is computed by dividing it into the smallest theoretically possible saleable units (e.g. single joints of marijuana or rocks of crack cocaine), and then multiplying by the notional street price (itself unsubstantiated and often inflated) to give a huge dollar amount that never was and never will be. For busts of clandestine labs, the amount of target product (or even a *possible* target product) will be calculated based on the precursors present, and on a generally implausible efficiency of synthesis, even when *no* product is actually found on the premises. Federal (US) sentencing guidelines actually codify some of this bogosity.
Well I'm not arguing that the cybercrime numbers are believable; more that both sets are way too high, and in any case pretty meaningless. What are the "proceeds" of a downloaded music file or a dose of ecstacy never manufactured?
@ Tony H
The War on Drugs makes money for law enforcement through 'asset forfeiture' (read 'confiscating liquid assets attributed to anyone they accuse'), and so it makes good business sense for them to scare the public by hyping up the 'street value' (even if the 'drug seizure' is a pile of drywall scrap, and they never subtract the street value of the drugs stolen from evidence lockers).
I don't think any faction of the US federal government is making money out of this, so if Treasury is hyping this, it probably isn't on their own behalf. My guess would be they are pimping for a DHS-friendly industrty, such as information security.
Yay. This means that we'll start seeing hackers at the core of organized crime related movies. I was getting tired of the briefcase exchange and piercing the bag with a knife cliches. Traceroute will replace car chase scenes. Joy!
"it really kills me how they count each pirated copy of the software or song as a lost sale."
I have downloaded music that I decided to delete quickly and never buy. If I had not listended to the albumn first I would have paid $20 for it. That counts as a lost sale. :)
In the past 6 months I have bought 3 CDs and gone to two concerts for bands whose music I found via p2p and downloaded because they had neat names.
I stopped listening to commercial radio. I can't stand the annoying DJs and all of the ads. I believe it would help sales if record distributors streamed low quality MP3s for free with different streams for different genres and had the band/song name scrolling. Bandwidth is probably cheaper than buying air time on mainstream radio stations.
Some guys who worked on the maya graphics program gave a talk at a school. One guy said "we know none of you who have a copy at home paid for it. we don't care about that. just buy it when you use it for work."
I may have to change my name to Captain Obvious.
I thought if you weren't telling the truth, you were lying. These numbers do seem really big. Pirating is bad, like any kind of stealing but isn't the "big" one. I think the big numbers are coming from damages from virus/spyware estimates. It's pretty easy to pump up charges by using secondary damages, like lost time, money spent on buying anti virus, money spent on psychiatrist prescribed Prozac, money spent on gub'mnt lobbying efforts to push P2P into the Patriot Act, etc.
"I think the RIAA is fighting that one."
But they haven't lost any money because of it. They're losing money because their business model is all wrong and they can't adapt to changes. Then there's bad PR, constrantly degrading sound quality (they have to cut all their shit so hot it hurts freaking ears) just to mention a few.
Oh, and did I mention their idiotic copy protections?
If we measure "proceeds" the same way that the treasury department did in this study, what are the "proceeds" of this crime?
That's pretty obvious:
$3000 x 100 for the TVs
+ new value of the truck
+ ransom value of the driver
+ value of unused gas still in tank
We could borrow a little from Economics to find out the value of content that has been stolen.
If we can get the sales figures for a specific CD and find out how well it sold at each price point, then estimate how many copies were pirated at a price of zero dollars, then we can construct a demand curve.
Constructing a supply curve is more difficult, but it's safe to assume that music companies would be willing to sell zero CDs at a price of zero dollars and that the quantity sold at the mode price is on the supply curve, which gives us two points that we can use to calculate a linear approximation.
If you plot both curves, then take the minima at every point, the integral under this curve will grant the maximum amount that the content companies could have made off of a given piece of content.
If you integrate underneath the demand curve, you'll see the amount of value actually generated to consumers.
From the sales figures we'll know how much revenue was actually generated.
Just from having worked with curves like these and knowing their shape, I'd say that the following are likely true:
1. Content companies have monopolistic pricing power. My gut reaction on seeing their curves, knowing nothing about what they make or who they are, would probably be to suggest government regulation.
2. The quantities extracted by consumers through content theft are minimal because the bulk of the theft takes place at the tail of the curve; i.e. many of the people who steal Leonard Nimoy's version of "Bilbo Baggins" off of P2P networks would, in fact, have not purchased it had it had any price at all, for example.
As a wholly separate line of reasoning, it is likely that a market could exist for consumers and for musicians that would allow musicians to make more and consumers to pay less and exclude the rent-extracting middlemen. The rent-extracting middlemen would have a powerful incentive to try and stop this market from emerging by any means necessary.
Does this mean that if I download a copy of Woo Hoo by 5678 a Japanese Punk group, from a Russian P2P site because my friend in China said to look for it there and I sent it to my friend in another state to help him feel better from a cold, would I be a International, Interstate, Multinational Cybercriminal guilty of prescribing without having seen the patient. Could this account for maybe a half million in this scheme of evaluating crime? But, further consider that I used SKYPE to talk to my friend in China. With the FBI placing groups on there terrorism lists such as the ACLU, Fresno Peace, rape counciling groups, and associations of Catholic priests why shouldn't music traders be monitored by the NSA? And you know what it costs to run the NSA. And, and if the President is guilty of violating the Fourth Amendment and the deficit is the Presidents fault this whole cybercrime this is huge. So now you know how they figured it.
"it is likely that a market could exist for consumers and for musicians that would allow musicians to make more and consumers to pay less and exclude the rent-extracting middlemen. The rent-extracting middlemen would have a powerful incentive to try and stop this market from emerging by any means necessary"
I think that's a fair bit of reasoning, but it's also useful to remember that recording companies historic value proposition was to provide "access" to otherwise obscure or distant artists.
Some might argue that they "discovered" talent, but I think they really were just a collection and distribution system. To claim any value in discovery they would have to prove a higher batting average than the usual record label, and it might bring up the thorny issue of the Milli Vanilli phenom.
Thus, they aren't so much trying to stop the market as much as they are trying to monopolize the movement of goods between artist and consumer, like a utility, in order to ensure consumers pay for access regardless of the fact that it is known to be obsolete, unfair and inefficient. So you might say the ISPs are in competition with the Labels for control of the market of distribution, which is why the Labels what liability on the ISP's head for file-sharing.
The Federal Trade Commission did a reasonable looking survey of identity theft in the Spring of 2003.
This survey seems to be the basis for the claim that there's $50b in identity theft annually: the survey estimated 10m Americans were affected in the prior year, and that an incident typically cost $4800, with about $500 of that falling on the victim and the rest on businesses.
Not all this identity theft is due to cybercrime. In 25% of cases, the victims were aware of theft of a credit card. However, in 50% of cases, the victim didn't know how their personal information was lost.
It seems to me likely, given the volume of identity compromises we know now of from the mandatory reports in the last year, that some decent fraction of this $50b is probably due to cybercrime. It's likely the fraction is increasing rapidly. The $50b may also have increased since early 2003. Given that, I find the Gartner number of $1b for cybercrime losses implausibly small.
It's staggering to me that identify theft is a $50b industry. For comparison, the contribution of the US software industry to GDP last year was about $150b, so identity theft is an industry one third as big as the legitimate software industry in terms of total payments by its "customers".
@drix: "Still, with 55 million affected individuals in the US, one can't help but wonder why we haven't heard of it happening to at least one person we know."
Hm. I know one person who spend 90 Euro for an unwanted dialer connection, and another one, who lost about 400 Euro by paying for hardware from an ebay auction, which never reached him.
I guess both is counted as cybercrime.
A lot of victims feel ashamed of being a victim, and will not make it public, and I'm not sure whether I would.
And I guess a lot of people wouldn't pay for virus-protection, without being a victim first.
Cybercrime profit exceeds drug profits? So much for the "War on Drugs" eh? At least it is sorta reassuring to know when the politicians end this failed war they will have something new to piss away tax dollars on.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.