Late last year in an article titled “In Zombies We Trust,” Dan Geer suggested that there are two types of users — those who blindly say yes to everything and are probably infected with a dozen viruses and those who say no to most everything and likely escape most virus problems — and that it could be a legitimate practice for websites to further scrutinize the actions of those who always say yes to prevent them from getting into trouble while using their site. The premise is that these virus-infected users end up costing the businesses they frequent a significant amount of money by being such persistent problems.
A member of our lab (I’ll leave it to him to take credit for this idea) suggested last week that maybe this should be taken a step further. If I know that one customer of mine is more likely to be infected with a virus (or has a higher susceptibility to phishing, pick your threat) now or in the future, is it reasonable for me to completely deny him my business?
This can be easily tested using either Dan Geer’s test or by sending my customers random phishing messages for my own business (there’s even a phishing appliance to do it for you!). I.e., PayPal sends you a phishing email for themselves (sent from another domain, self-signed certificate, graphics copied incorrectly, differently formatted e-mail, whatever) and if you fall for it, they calculate your future profitability and weigh it against the costs they’ll incur if you actually do get phished in the future. If you’ve got a negative balance after this calculation, your account will be canceled and PayPal will have saved money.
The observation was also made that this is standard practice in other industries. Insurance and, regrettably, healthcare come to mind. Would this be a bad thing for web services?

Why is this practice regrettable when done in healthcare and not regrettable if done in e-business? Should an HMO refuse to insure you if you have bad computing habits? Your electronic health records might no longer be secure if your computer is infected, leaving the HMO open to lawsuits.
I was referring to healthcare companies refusing business to individuals with pre-existing medical conditions. It’s regrettable because no one can change whether they have such a condition and everyone with such a condition requires adequate healthcare.
However, you’re right on target with your comment. As an insecure customer, my computer could become infected, my health records stolen, and then I could try to sue my healthcare company for failing to protect them [my records].
So if this is such an obvious, practical (going by the poll) idea… does anyone know of a website that already does this?