The Black Hat Tax on consumer Internet businesses

I am a big fan of James Currier. James was the CEO and founder of Tickle (formerly eMode) — one of the top social networking companies (and now a part of so when James says something, I listen.

A couple of months back we were grabbing a smoothie and I was going on and on about consumer internet, how it is so great and easy, yadda yadda … when james chimed in with something very interesting and profound … and something I have not been able to shake since:

Most consumer Internet sites today have an inherent tax of about 25% on them due to scamming, phishing, hacking, and government requests. That 25% is based on time and mind-share. And the 25% is only going to get worse. This is troubling.

I’m calling it the Black Hat Tax. And we’re certainly facing it at Rapleaf.

Since james and I spoke I spent some time talking to a bunch of consumer internet sites — from start-ups to establish companies. these companies, especially those in the dating or social networks space, are increasingly spending their time thwarting bad guys.

A great example is PayPal. The book PayPal Wars details an intense battle the engineering team and even the CEO fought against fraud. This was one of the consuming issues of the company.

Now PayPal is a financial institution, so you would expect lots of fraud. But dating?

After surveying most of the dating sites, I have found that one of their top three issues is fraud. A frequent scam is to contact an unsuspecting middle-age man from a profile of a good looking woman saying “my husband is beating me here in Moscow, please send $2000 so I can buy a plane ticket and escape.” The unsuspecting chap sends the money only to never hear from the person again. Apparently there are scam factories in the Philippines and other places that have thousands of people, paid on 50% commission, working to scam unsuspecting dupes in this way. And one success a month is $1000/mo which compares well to many countries where the avg salary might only be $200/mo.

And this is in addition to people actually hacking into your site. That is a whole other cat-and-mouse game.

James thinks the Black Hat Tax is 25% for most consumer Internet companies right now (with some approaching 40%). I think that is a fair assessment. That means that 25% of your engineering time and 25% of your management team is about preventing fraud. That is a really onerous tax. And James believes this is even getting worse.

Another strain on time is government requests. I talked to an IT person at a social network that was consumed for three days with a government request for information on someone promoting pedophilia. Not only did this person have to get a bunch of information to the federal authorities, but then he had to ensure that the information was backed-up and cannot be erased for at least three years. not to mention that the work was disgusting as the person had to sift through some horrible pictures.

The nefarious characters are getting more sophisticated too. And while thousands of sites are working feverishly to implement best security practices, the bad guys only need to find one hole.

So while my originally point (that launching a consumer internet company is really easy) is still correct, maintaining that site over time is becoming increasingly difficult. More and more mind-share from the engineering team and the executives are going to thwart the bad guys than to actually improve the offering.

This is a really big problem. Really big. The Black Hat Tax is costing consumer Internet companies Billions and billions of dollars. And it is a much higher percentage tax than off-line brick-and-mortar shops invest in security and anti-fraud matters.

3 thoughts on “The Black Hat Tax on consumer Internet businesses

  1. Chris Yeh

    James is 100% correct. The problem with the glorious Darwinian nature of the Internet is it helps black hats as well as white hats.
    Let’s take the example of my first startup, TargetFirst, which used incentives to drive online actions.
    What we found was that as soon as you brought money into the equation, the scammers were drawn in like ants to a picnic.
    Within days of a site launching, someone would come up with some kind of cheat program to try to game the system and rack up rewards. New programs would appear on a daily basis.
    We ended up having to devote a founder, more or less full-time, to beating back the problem with a combination of data mining, legal threats, and creative policing (e.g. getting IRC chat rooms shut down to prevent the spread of new cheats).
    The best thing to do is to assume the worst in advance, and then try to design a system from the ground up that will be able to separate the wheat from the chaff. Keep it flexible so that you can adjust as the evolutionary pressures work their magic in the black hat community.
    It is possible to fix these issues–the next company that I started that offered incentives did several things to eliminate the fraud issue…and if you want to know what they were, you can always email me privately!

  2. Ben Casnocha

    Thanks for sending big man. How Auren of you to coin your phrase around it. It’s a real interesting point and Chris Yeh said everything I could say only better!
    On a related note, a couple weeks ago a pretty jaw dropping piece in the New Yorker
    So long as there are people as dumb as this guy on planet earth, these fraudsters will still have a living.

  3. David Evans

    Most ecommerce co’s are easy to start, difficult to grow and maintain and impossible to secure past a reasonable doubt.
    Costs and resource requirements change over time according to the type of business and popularity. T-shirt shops are low risk, PayPal is huge.
    I think 25% is a very high, but workable number. At Visa, a 5% fraud rate = billions in lost revenue each year. There are lots of companies which promise 1% fraud reduction, an enormous improvement.
    If you think dating fraud is high, look at online pr0n and gambling.
    Reading in between the lines, it’s clear you are testing the waters to see where reputation management can fit into high-risk verticals. There is not ASP-modeled social network or dating site with a checkbox in the a la carte functionality menu called “one-click to answer government request for information.” Yet.


Leave a Reply