Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Parasitic & Symbiotic Business Models

Does your business model thrive as your customer thrives, or does it drain the life from your customers? After a recent[1] conversation on the impact of improved privacy tools (i.e., the eventual elimination of third-party tracking cookies), I realized that the most significant effect of these improvements would be on companies with a parasitic business model, a business model that I see no problem in disrupting.

For many years, the web has existed as an advertiser’s dream[2] — minimal privacy limitations, technical controls that had little impact, and a strong lobbying arm that has been able to derail many efforts to improve the situation. Now, this is not to say that all advertising is evil, but that it’s ripe for abuse by those that get too greedy. In many cases, this has opened the door to parasitic business models that offer no real value, and in fact, only extract value from the end-user.

What is a Parasitic Business Model?

A great example of this is data aggregators and location tracking; services that exist to collect, connect, extend, and sell data about users. Too often, this is done without the user having any idea that it’s happening — much less having willfully agreed to it. This business model relies on the ability to collect vast amounts of data on users, and build profiles that can be sold to others, primarily for ad targeting & tracking.

There is no inherent benefit to the user for this activity; it doesn’t enable better services, or allow them to access the applications that collect this data at a lower cost. The value to an application developer is relatively small compared to other revenue sources, as the data they collect has fairly little value of its own. It becomes valuable when it is merged with other datasets that the aggregator has acquired; it is this merging that creates value from noise. So we have a user giving up personal information (often unwittingly) for no benefit, some financial benefit for the application developer (though less than other viable revenue streams), and the bulk of the benefit going to the company collecting and selling the data.

You have to ask, what does this business model add to the end user’s experience? Do they benefit from the relationship, or are they being used in the relationship? If you study the business model these companies employ, it’s clear that only one party benefits, and it’s not the user.

This is just one example of this type of business model that focuses on growth at the cost of the user. As improvements are made to technical controls around privacy that are now being pushed by browser makers (such as implementing SameSite=Lax by default), life will steadily become more difficult for businesses in parasitic relationships.

Healthy Business Relationships

A healthy business relationship should be symbiotic for all parties involved; each party becoming happier & healthier as the relationship develops, and thriving due to the relationship — not in spite of it. These relationships often have a few key traits:

  1. Each party is fully aware of the relationship; no parties are being intentionally hidden.
  2. Transactions are mutually beneficial; for example, paying for a service that provides value to the user. The service receives revenue to compensate them for the service, and the user gains the use of something that they see as valuable to them.
  3. Each party has the opportunity to gain greater value from the relationship as the other parties thrive. To continue the paid service example, as the service receives revenue, it is able to invest more in improving the service, providing even greater value.

These symbiotic relationships are a win for everyone involved, unlike parasitic relationships that are full of quick profit for one party and nothing but loss for the other. While parasitic business models do indeed lead to greater short-term profits, there is no loyalty developed, there is no long-term health in relationships, and the business model can break at any time with changes to technology.

In a symbiotic business model, the relationship develops over time, becoming stronger — customers become more loyal, more interested and invested, more passionate, and turn into promoters and ambassadors. Revenue climbs more slowly, but that growth is more likely to continue and expand long-term. This is a relationship built on mutual respect and benefit.

The Costs of a Parasitic Business Relationship

When you are engaged with a parasitic entity, knowingly or otherwise, there are costs involved. For users, this can be anything from a loss of privacy, revealing secrets, bypassing legal safeguards, or even risking personal safety. For businesses, there are reputational risks — failing to respect the privacy of users can lead to a substantial backlash. There are also monetary risks for failing to follow legal requirements. And a variety of others — the list keeps going.

There’s only one winner here, just as with any parasitic relationship. Placing these risks and burdens on users is not just risky for a business; it is, in my opinion, highly unethical. Regardless of legal status, it’s morally wrong to exploit users who are acting in good faith and put them at risk for a quick profit — and there are some companies that have turned this practice into a business.

Because of how these relationships are structured, end-users are too often unaware of the relationship and how it impacts them; they aren’t in a position to make an informed decision. Likewise, businesses enter these relationships without an accurate understanding of how data is used, and sometimes without even understanding what data is being collected[3] — and may not gain that understanding until it’s been abused and they are in the news.

In Conclusion

Some business models should be disrupted, as they are fundamentally against the interests of those they interact with. This is not to say that all advertising, analytics, monitoring, or other similar systems are evil or immoral — but some very much are. It is those, those that have become too greedy, those that have abandoned morals for easy profit, those that harm others for their own benefit, those are the ones that need to have their business models disrupted.

Businesses have an ethical obligation to protect those they have a relationship with (directly or indirectly), not exploit them.


  1. By recent, I mean last November when I started writing this blog post. At the time of the original draft, there was a lot of discussion around Google’s push for privacy improvements in the browser; it’s in this context that this was written.

  2. It should be noted that the golden age of digital advertising and the golden age of mass surveillance occurred at the same time. The implications of this fact should be clear.

  3. It’s especially true for SDKs provided by third parties; their actual behavior isn’t understood, nor is the privacy impact. Blindly incorporating an SDK into an application can easily result in substantial security and privacy risks.
