Author Archive for NKW

VoIP and NSA Wiretapping in the Context of Terrorism

More often than not, I am skeptical of American policy decisions that are justified with appeals to fear of terrorism. This is the case because such debates tend to be driven by appeals to sentimentality rather than sound reason (as several class members deftly pointed out in seminar), and because I believe politicians have exploited this. Nevertheless, I would like to play devil’s advocate this week and examine VoIP technology and NSA wiretapping in the context of being sensitive to concerns of terrorism.

I am torn about VoIP. From a purely technological point of view, I almost certainly think it should be allowed to flourish unregulated. The costs are lower than those of using a dedicated telephone line, and as broadband becomes increasingly ubiquitous, quality concerns should diminish. Furthermore, as I noted earlier in the semester, I think there is inherent flexibility and value from building diverse technologies over a single neutral platform. The ideal platform thus far seems to be the Internet, so I see no obvious reason to artificially keep the phone system separate and highly regulated.

Two aspects of VoIP, however, concern me with regard to issues of public safety. The first is 911 service as discussed in class. I would venture to guess that most people do not know the phone number for their local police or fire station, and it is certainly the case that many children would not know how to respond in cases of emergency. So long as VoIP technology does not allow for geolocation, it will be flawed as a means of primary communication. At the same time, cell phones are already widely used as substitutes for land lines by many young people and while they will connect to a local emergency response center, they also do not have geolocation, so perhaps not much is practically lost with VoIP.

The more troubling aspect is related to one that I brought up in class. Since the Internet is an open network, and operates as infrastructure for VoIP in the same way that the closed private networks of telephone carriers serve as infrastructure for the existing network, the risk of a malicious attack on voice service is much higher. Professor Felten cited some unbelievable statistic in class indicating the high rate of reliability with the existing telephone network. The Internet is certainly less reliable; but more concerning is its frequent vulnerability to being slowed to a crawl by malicious worms and viruses. As a vital means of communication, this is dangerous to voice networks. Infrastructure attacks are often discussed as a starting point for terrorist attacks, and this only makes these easier. One could envision, for example, terrorists jamming VoIP lines with a cleverly written worm in advance of an attack.

With respect to the NSA wiretapping discussion in class, I was struck by two thoughts. My first was skepticism with some members of the class that the kind of dragnet searches suspected to be in use cannot really be very effective. On the other hand, the NSA does have vast resources (physical, financial and intellectual), so if they are really investing substantial amounts of money into these efforts, they probably have some understanding of the efficacy. I think that arguments in class premised around the fallibility of keyword searches are entirely misplaced since they grossly underestimate the likely sophistication of filtering algorithms in use.

Personally, I think that oversight is important for an agency like the NSA that operates in such secrecy. Given how many warrants have been approved, it seems unlikely that the oversight hinders functionality of the agency. I would support efforts to accelerate the pace with which the NSA can add new terms and names to their algorithms, since clearly most all requests are approved anyway. I am also of the opinion that the NSA should only need to obtain permission in order to set the filtering parameters on software— I personally have no problem with a computer scanning my communications so long as I have confidence that appropriate oversight is limiting the frequency with which these data get viewed by human agents. In the interests of public safety, I hardly find it unreasonable that some computer will scan some of my correspondence. While opponents often speak of the ‘slippery slope’ and steady erosion of privacy rights, I’m afraid I simply do not see this risk present in this particular case. It seems like a small price to pay for increased national security.

Challenges to Narrowcasting Technology

My reaction to discussion in class and to what I have read about the current state of technology is that the radical transformation of video content delivery is both beneficial and inevitable. While I feel unqualified to make highly precise policy recommendations, I would tend to advocate for those that allow greater freedom to innovate in this case, with less deference to the broadcasters. This is not out of any hostility towards the broadcasters as “big corporations”, but is founded rather in my view that their current business model is pretty clearly antiquated.

As broadband infrastructure continues to develop, video will increasingly be available through alternatives to broadcast television (whether digital or analog). The Video on Demand services offered by many cable companies, in addition to web services such as YouTube, iTunes video and direct streaming video broadcasts (NFL, MLB, ABC), make clear that a paradigm shift is ahead of us. These technologies allow a greater selection of video (no spectrum limitations), ease of distribution and increased user flexibility about when and where to watch.

Avi astutely pointed out that the emergence of these technologies does not need to happen at the expense of all derivatives of traditional TV distribution. Rather, they can nicely complement existing technology. Traditional modes of video distribution (broadcast television) still have the very significant advantage of quality control, and the access to expensive production studios, which reduces time a consumer might waste looking for ‘good’ video on the Internet.

At the same time, products like Slingbox blur the lines between Internet delivery and broadcast delivery of television signals. My general expectation is that in time, traditional broadcasters will move to Internet on demand distribution. The quality control present in broadcast television today can be replaced by careful branding. For example, video from the ABC website is more likely to be of good quality than video from YouTube. In this way, traditional broadcast companies can be involved in the business of providing on demand video over the Internet.

Narrowcasting technologies seem clearly advantageous to consumers. They have flexibility in how the content is delivered, presumably a wider selection of programming, and the video on demand eliminates the traditional schedules that bind people to sitting in front of their televisions at certain hours. While there are tremendous policy hurdles to accomplishing this state, it pretty clearly outdoes the existing system by orders of magnitude. The only exception is that the emergency broadcast system may falter.

Perhaps the most convincing argument for the widespread adoption of narrowcasting in the future is the brutally honest arguments from those who are opposed to new technologies. Discussion in class established pretty unequivocally that new content delivery systems (particularly on the Internet) give the consumer enhanced control and options. The opposition to these technologies seems to have so little to do with normative rights or technology! For example, the way that the NFL maximizes profit by separating regions and using the network/syndicate system is threatened by technology like the Slingbox. The potential lost profit is literally presented as an argument against such technology. Similarly, a reluctance to change the antiquated model of television ad revenues due to comfort is actually put forth as an argument for why emerging technologies are dangerous. The spurious nature of these claims should be apparent. Consumers clearly benefit from enhanced technology in this realm, and the total lack of normative justification for slowing the enhancement shows with glaring clarity that the only reason to slow the development of new content delivery mechanisms is to maintain the current system of profits for a few lucky companies. How can we possibly design policy around this?

Well I reject this spurious logic wholeheartedly, and with the pace of infrastructure development, I think the ubiquitous availability of video on demand is both desirable and inevitable. The companies benefiting from the current model are not enabling any optimal social welfare and their iron grip on old business models and dated technology is indicative of their natural tendency towards survival at any cost.

Security and Market Failure

Much of the conversation in class this week centered around the difficulty in quantifying the costs of viruses and worms due to inherent shortcomings in measures like productivity and due to butterfly effects, whereby we can continue assigning cost to a series of consequences. I would argue, however, that the market should be able to compute this cost through individual agents. Given this basic assumption, it becomes apparent that the market is probably not efficiently accounting for the costs of poorly designed software. An argument for market failure is highly likely on two grounds: information asymmetry and externalities. 

First, consider information asymmetry. We talked about grandma’s inability to secure herself on the Internet, but the problem is far more deep-rooted than that. Ari did much to describe the complexity of computer security and the inevitable vulnerability in any widely used flexible computing system. Most people who have infected computers (or botnet machines) have no idea their machines are infected, let alone how to go about preventing it from happening in the future! As an RCC who helps highly educated, intelligent people with their computers, I can certainly attest to this anecdotally. At the heart of all market efficiency theory is symmetric and complete access to information. The market here is fundamentally flawed to this end, so in the absence of positive information otherwise, market failure should be our default assumption. 

The second feature of the market for computer technology in the era of the Internet is the rampant existence of externalities. For example, having your machine infected by a Trojan could cause serious harm to a third party if your computer is used in a denial of service attack. Worms, almost by definition, exact most of their cost externally. Other people are infected with the worm and network traffic slows down. The infected user typically bears only a fraction of these costs. Given these characteristics, it again seems unlikely that the market is naturally maximizing welfare. 

So without any computation, in the absence of information otherwise, I conjecture that based on its market structure, the market for security in computer technology should be expected to be inefficient. It would be presumptuous and inappropriate to think otherwise. 

That being said, I’m not sure about how to address this problem through policy. I took the position in class that there might be a theoretical argument for holding people financially liable for damages caused by their insecure machines. Certainly, this would seem to address the externalities and provide impetus for people to better equip themselves with information. In practice, however, I don’t think this is a good idea. I think Avi made an excellent point about the digital divide, and I am wary of any policy that is likely to disproportionately hurt the poor and uneducated.

In closing, I note that I think a rating system would be beneficial in terms of the information asymmetry. Academics and other experts could develop meaningful security criteria with which to classify software so that products could have a large sticker on the box indicating their security level. Like the restaurant system, I think this would provide motivation to technology developers to make more secure products. It also takes some of the responsibility of processing complex information away from the individuals who simply do not know enough to do their own informed analysis. 

FCC NPRM: Notification

Public reaction to the widespread availability of CPNI has shown that the public should be dissatisfied with the wireless carriers’ protection of consumer information. The failure of the carriers to adequately protect that information suggests that, at a minimum, if the information cannot be protected, consumers should at least have a right to know when their CPNI has been fraudulently transferred. Our study of notification policies has focused on the idea that notification of security breaches involving CPNI is useful to prevent pretexting and potentially rogue insiders, but such policies are unlikely to address cyber attack or physical theft security. Nevertheless, given the predominance of pretexting as a suspected means of CPNI access, we support EPIC’s proposal that notification be used as a tool to protect CPNI. We consider three cases of CPNI data: large scale breaches, routine transfers, and pre-verification for highly sensitive data.

The first category involves situations where large-scale security breaches have led to exposed personal information for many people. These breaches of CPNI are likely to result from cyber attacks or physical theft. We believe there is a strong case to be made for notifying all affected users in these cases. In addition to fulfilling the public’s right to know about such incidents, such notification would also encourage companies to institute better security measures to avoid public embarrassment. Numerous states already have independently proposed legislation for such cases. We respectfully support such legislative efforts, but question whether additional rules from the Commission might be redundant, given these legislative efforts.

Far more pervasive than cases of massive theft are routine transfers of CPNI. CPNI may be frequently transferred for legitimate business purposes. We do not know the extent of such transfers, but it is easy to imagine that within a carrier, CPNI may be transferred between marketing and billing departments. We believe that requiring carriers to notify customers of routine CPNI transfers is too burdensome and adds little value to the consumer who wants to protect his CPNI. The costs may be very high for the carriers, and the benefit is dubious. At the very least, if carriers are required to notify users of routine transfers, it might be advisable to give consumers the choice about whether or not to receive notification.

Finally, we consider the case of transfers of highly sensitive data that should not be routinely transferred. As an example, consider a personal call log tagged with identifying information. While users may occasionally request such information, occasions of this should be irregular. Since these types of accesses are most susceptible to pretexting, we believe that notification policy could be most effective here. There is a strong case to be made for regular notice, on the grounds that it creates incentives for carriers to act more securely and with greater vigilance. Carriers could freely choose from any number of reporting options; for example, including a byline on a regular account statement. Another possibility is using known secure channels to pre-verify these sorts of data releases. For instance, this could take the form of fulfilling requests only from the phone number associated with the account. Alternatively, carriers could contact the affected customer in a known way (email, phone call or text message, for example) and confirm that the user is requesting the release of the sensitive data. While pre-verification of this sort may be the most effective preventative method against pretexting, there is the concern that it could be significantly burdensome to the consumer and to the carriers.

Thus, we find strong evidence that the use of notification can reduce the occurrence of fraudulent release of CPNI. CTIA and the wireless carriers generally failed to provide comment on the costs or possible benefits of providing consumers notification of any level, other than to note that they believe additional Commission rules to be unnecessary. CTIA urged stricter enforcement of existing laws and, naturally, we concur. But stricter law enforcement is not enough. We have outlined three different types of transfer which we believe are best addressed by varying levels of notification requirement.

Network Neutrality

Having missed seminar this week due to illness, I will hold comment on virtual worlds to avoid repeating class discussion. Rather, I comment briefly on network neutrality, in light of yesterday’s news that the House Energy and Commerce subcommittee rejected an amendment to legislation that would have supported network neutrality (from CNET). In my post this week, I (briefly) consider arguments for and against the idea.

Ed Markey, a Democrat and one of the sponsors, contends that by rejecting the amendment, the committee is “about to break with the entire history of the Internet.” In the absence of network neutrality regulation, companies that control network infrastructure could provide preferential bandwidth to their affiliates or design their infrastructure to favor their own content. For example, your broadband Internet connection through Verizon might be designed such that Verizon content arrives much faster than other third-party content. Much of the excitement around the Internet centers around its decentralized design, which allows anybody to efficiently publish and disseminate information. We have spoken in this class about the ability of anybody to easily publish and disseminate large files using peer to peer technology. Markey’s ominous statement hearkens to this basic idea: that on the Internet, everybody has access, and this openness has facilitated a great deal of creative content development and technological innovation. By allowing non-neutral networks, this characteristic is lost, and content (at least easily accessed content) may become increasingly homogenized and determined by a few large companies.

On the other hand, Verizon CEO Mark Wegleitner argues that network neutrality regulation will interfere with the carriers’ ability to provide an efficient network (from CNET). Wegleitner’s argument is that providing efficient access to high bandwidth applications such as streaming video requires the ability to differentiate priorities among data flowing through a network. I read this argument as effectively choosing to give superior service to those customers willing to pay for it rather than giving everybody mediocre service. Whether or not one believes the arguments by the carriers, there is a level on which they are entitled to prioritize service on their own networks. The companies have, after all, invested significant capital and exposed their shareholders to business risk to develop the infrastructure; private property rights suggest that we should allow them to use and design the network as they please. This is precisely the kind of laissez faire market logic that (mostly Republican) legislators used to justify denying the amendment.

The irony, however, is that in allowing ‘the market mechanism’ to dictate regulation of the carriers and treatment of their networks, the free market of ideas that defines the Internet today is threatened. Thus, while a doctrinal “we must respect their property rights and let the market operate” approach suggests not regulating network providers, a more subtle appreciation of the way that a market mechanism works suggests that network neutrality might preserve the market characteristics of the Internet. These are, namely, limited barriers to entry and equal market access to all providers and consumers of ideas. That being said, if bandwidth ultimately *is* limited and this becomes a bottleneck for the Internet, the carriers might actually be improving the efficiency of the network by prioritizing service and eliminating the dogma of network neutrality.

Still, my guess is that legislators were less motivated by these arguments and more motivated by the fact that “AT&T, Comcast, Time Warner, and Verizon spent $230.9 million on politicians from 1998 until the present, while Amazon, eBay, Google, Microsoft and Yahoo spent only a combined $71.2 million” (CNET).

Notice for CPNI

My post this week responds to concerns raised in class about the effectiveness of providing notice to clients when their CPNI data has been accessed, as described in 21-23 of the NPRM. Many students rejected the usefulness of this proposed solution on the premise that once data has been accessed, it is ‘out’ and since it can’t be taken back, notice serves no useful purpose. I happen to think that notice is one of the strongest proposals in this document, and attempt to provide an emphatic defense. I assume that internal accesses do not warrant notification, since this might prove too burdensome to the end user. Furthermore, I believe (but will not argue in this post) that the carrier has a right to analyze these data.

First, consider the proposal where end users might receive regular notification (say on their bill) about when their CPNI data was accessed or transferred. The strongest argument for such a system is that it provides incentives to many parties to act more responsibly. Notifying end users would lead to more investigations, since users could complain if they know that somebody else unlawfully asked for their data. Coupled with effective audit trails, this could lead to increased enforcement action against people who pretext. The increased likelihood of their being caught will inherently reduce the number of people taking part in this illegal behavior. Even more compelling, however, is the incentive that mandatory notice will give carriers to improve their security systems. If end users are being made aware of accesses to their data, they are likely to switch away from carriers with whom it happens often. Thus, carriers who have shoddy security systems will likely suffer because users will switch to the carriers with a reputation for better security. This market mechanism will motivate carriers, so that the occurrence of breaches should fall. Furthermore, coupled with the use of audit trails, customer complaints could lead to the companies identifying rogue ‘insiders’, so that incidences would be further reduced. The claim that providing notice does no good since the information could already have been leaked is wrong on two counts; first, the inability to take back the information does not render the end user’s right to know invalid or less important. Secondly, this argument is terribly myopic and completely fails to understand the positive long term effects of notice because of the behavioral incentives created.

Another proposal is that notice of requests for data be given to end users through a secure channel for preauthorization to release. For example, if somebody requests my call records, the carrier would contact me at a known phone number (or email address) and confirm that I wanted these records released. This type of authorization actually does have the effect of directly refuting the claim made by detractors; indeed, notice for preauthorization will prevent sensitive data from being improperly released. The worry with such a policy is that it might be too cumbersome, both to the carrier and to the end user. I would argue that if this type of notice is limited to specific delineated instances of highly sensitive data, it might not be too burdensome, and the benefits are quite strong. For example, I can’t think of a legitimate reason a third party would need to obtain my detailed call log with identifiers, so possibly this information is only transferred out of the carrier when the end user requests it. If this is the case, then the end user requests are probably infrequent enough (I haven’t ever asked for this information) that it would not be overly burdensome to the end user or to the carrier. I would welcome other members of the class to suggest legitimate transfers of these data to third parties that I have overlooked, but barring these, the request is rare enough to make preauthorization reasonable and highly effective.

Thus, there is a strong case to be made for regular notice, on the grounds that it creates incentives for carriers to act more securely and with greater vigilance. Further, there is a normative claim that end users have a right to know when their data has been wrongly transferred, irrespective of whether or not they can get it back. Finally, for certain types of sensitive data that should not be regularly transferred (for example detailed call logs), notice for preauthorization can reduce leaks and should not be overly burdensome.