Adam Caudill

Security Engineer, Researcher, & Developer

Parasitic & Symbiotic Business Models

Does your business model thrive as your customer thrives, or does it drain the life from your customers? After a recent¹ conversation on the impact of improved privacy tools (i.e., the eventual elimination of third-party tracking cookies), I realized that the most significant effect of these improvements would be on companies with a parasitic business model. A business model which I see no problem in disrupting.

For many years, the web has existed as an advertiser’s dream² — minimal privacy limitations, technical controls that had little impact, and a strong lobbying arm that has been able to derail many efforts to improve the situation. Now, this is not to say that all advertising is evil, but that it’s ripe for abuse by those that get too greedy. In many cases, this has opened the door to parasitic business models that offer no real value, and in fact, only extract value from the end-user.

What is a Parasitic Business Model?

A great example of this is data aggregators and location tracking; services that exist to collect, connect, extend, and sell data about users. Too often, this is done without the user having any idea that it’s happening — much less having willfully agreed to it. This business model relies on the ability to collect vast amounts of data on users, and build profiles that can be sold to others, primarily for ad targeting & tracking.

There is no inherent benefit to the user for this activity; it doesn’t enable better services, or allow them to access the applications that collect this data at a lower cost. The value to an application developer is relatively small compared to other revenue sources, as the data they collect has fairly little value of its own. It becomes valuable when it is merged with other datasets that the aggregator has acquired; it is this merging that creates value from noise. So we have a user giving up personal information (often unwittingly) for no benefit, some financial benefit for the application developer (though less than other viable revenue streams), and the bulk of the benefit going to the company collecting and selling the data.

You have to ask, what does this business model add to the end user’s experience? Do they benefit from the relationship, or are they being used in the relationship? If you study the business model these companies employ, it’s clear that only one party benefits, and it’s not the user.

This is just one example of this type of business model that focuses on growth at the cost of the user. As improvements are made to technical controls around privacy that are now being pushed by browser makers (such as implementing SameSite=Lax by default), life will steadily become more difficult for businesses in parasitic relationships.
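To make the SameSite=Lax-by-default change concrete, here is an added illustration (not code from the original post) that models the browser's decision of whether to attach a cookie to a request. The cookies, the tracking-pixel request, and the browser labels are constructed for the example; Chrome's temporary "Lax + POST" exception for freshly set cookies is deliberately left out to keep the rules readable. The point it shows is that a third-party tracker that never set a SameSite attribute keeps working in a legacy browser and stops working once the default becomes Lax, unless the tracker explicitly opts in with SameSite=None; Secure.

```python
# Added illustration (not from the original post): a small model of the
# SameSite cookie rules the paragraph refers to, showing why the switch
# to a Lax default cuts off third-party tracking cookies that never set
# the attribute.  All cookie and request values below are constructed.
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


@dataclass(frozen=True)
class Request:
    cross_site: bool              # True when the request's site differs from the top-level page's site
    top_level_navigation: bool    # True when the request loads a new top-level document
    method: str = "GET"
    https: bool = True


def effective_same_site(cookie: Cookie, lax_by_default: bool) -> str:
    """Resolve a missing SameSite attribute: legacy browsers treated it as None,
    Lax-by-default browsers treat it as Lax."""
    if cookie.same_site is not None:
        return cookie.same_site
    return "Lax" if lax_by_default else "None"


def cookie_is_sent(cookie: Cookie, request: Request, lax_by_default: bool = True) -> bool:
    """Decide whether the browser attaches `cookie` to `request`."""
    if cookie.secure and not request.https:
        return False  # Secure cookies never travel over plain HTTP
    mode = effective_same_site(cookie, lax_by_default)
    if mode == "None":
        # Lax-by-default browsers also reject SameSite=None cookies that are not Secure.
        return cookie.secure or not lax_by_default
    if not request.cross_site:
        return True   # Strict and Lax both allow same-site requests
    if mode == "Strict":
        return False  # Strict: never attached to a cross-site request
    # Lax: cross-site only for top-level navigations that use a safe method
    return request.top_level_navigation and request.method.upper() in SAFE_METHODS


def tracking_pixel_outcomes() -> dict:
    """Compare legacy and Lax-by-default behaviour for a third-party tracking
    pixel embedded in a publisher page (constructed scenario)."""
    pixel = Request(cross_site=True, top_level_navigation=False, method="GET")
    legacy_tracker = Cookie("uid")                                  # no SameSite attribute at all
    updated_tracker = Cookie("uid", same_site="None", secure=True)  # explicit opt-in to cross-site use
    return {
        "legacy_cookie_old_browser": cookie_is_sent(legacy_tracker, pixel, lax_by_default=False),
        "legacy_cookie_new_browser": cookie_is_sent(legacy_tracker, pixel, lax_by_default=True),
        "updated_cookie_new_browser": cookie_is_sent(updated_tracker, pixel, lax_by_default=True),
    }


if __name__ == "__main__":
    for case, sent in tracking_pixel_outcomes().items():
        print(f"{case}: {'sent' if sent else 'withheld'}")
```

The interesting row is the middle one: nothing about the tracker changed, only the browser's default, and the cookie that made the cross-site profile possible is simply withheld. A first-party session cookie on the publisher's own requests is unaffected under either default, which is why the change lands hardest on the aggregator model the post describes.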

Healthy Business Relationships

A healthy business relationship should be symbiotic for all parties involved; each party becoming happier & healthier as the relationship develops, and thriving due to the relationship — not in spite of it. These relationships often have a few key traits:

  1. Each party is fully aware of the relationship; no parties are being intentionally hidden.
  2. Transactions are mutually beneficial; for example, paying for a service that provides value to the user. The service receives revenue to compensate them for the service, and the user gains the use of something that they see as valuable to them.
  3. Each party has the opportunity to gain greater value from the relationship as the other parties thrive. To continue the paid service example, as the service receives revenue, it is able to invest more in improving the service, providing even greater value.

These symbiotic relationships are a win for everyone involved, unlike parasitic relationships that are full of quick profit for one party and nothing but loss for the other. While parasitic business models do indeed lead to greater short-term profits, there is no loyalty developed, there is no long-term health in relationships, and the business model can break at any time with changes to technology.

In a symbiotic business model, the relationship develops over time, becoming stronger — customers become more loyal, more interested and invested, more passionate, and turn into promoters and ambassadors. Revenue climbs more slowly, but that growth is more likely to continue and expand long-term. This is a relationship built on mutual respect and benefit.

The Costs of a Parasitic Business Relationship

When you are engaged with a parasitic entity, knowingly or otherwise, there are costs involved. For users, this can be anything from a loss of privacy, revealing secrets, bypassing legal safeguards, or even risking personal safety. For businesses, there are reputational risks — failing to respect the privacy of users can lead to a substantial backlash. There are also monetary risks for failing to follow legal requirements. And a variety of others — the list keeps going.

There’s only one winner here, just as with any parasitic relationship. Placing these risks and burdens on users is not just risky for a business; it is, in my opinion, highly unethical. Regardless of legal status, it’s morally wrong to exploit users who are acting in good faith and put them at risk for a quick profit — and there are some companies that have turned this practice into a business.

Because of how these relationships are structured, end-users are too often unaware of the relationship and how it impacts them; they aren’t in a position to make an informed decision. Likewise, businesses enter these relationships without an accurate understanding of how data is used, and sometimes without even understanding what data is being collected³ — and may not gain that understanding until it’s been abused and they are in the news.

In Conclusion

Some business models should be disrupted, as they are fundamentally against the interests of those they interact with. This is not to say that all advertising, analytics, monitoring, or other similar systems are evil or immoral — but some very much are. It is those, those that have become too greedy, those that have abandoned morals for easy profit, those that harm others for their own benefit, those are the ones that need to have their business models disrupted.

Businesses have an ethical obligation to protect those they have a relationship with (directly or indirectly), not exploit them.


  1. By recent, I mean last November when I started writing this blog post. At the time of the original draft, there was a lot of discussion around Google’s push for privacy improvements in the browser; it’s in this context that this was written.

  2. It should be noted that the golden age of digital advertising and the golden age of mass surveillance occurred at the same time. The implications of this fact should be clear.

  3. It’s especially true for SDKs provided by third parties; their actual behavior isn’t understood, nor is the privacy impact. Blindly incorporating an SDK into an application can easily result in substantial security and privacy risks.
