Author Archive for Jon Epstein

ABC and Internet TV

            Many networks have begun offering their television shows online for a small fee.  For $1.99 most of today’s most popular shows can be downloaded through a service like iTunes.  This approach has been the most common for all of the major networks.  Recently, however, ABC has launched a new service which allows users to watch four of their current shows for free with limited commercial interruption.  These shows include two of the most popular shows on television: Lost and Desperate Housewives.  It also includes Commander in Chief, a show which has struggled to take off.  From this selection of shows, it would seem clear that ABC is attempting to test the waters for a service like this and see how popular the service is and what it does for ratings of different shows.

            I have had the opportunity to play around with this new service a bit.  Its construction is very clever for a few reasons.  First, they do not post a new episode of a show until the next morning after the show has aired.  This means the fastest way to gain access to the show is still to watch it live when it is aired.  However, for many viewers this is not possible or not convenient for one reason or another.  This service allows them to view the episode later on without having to remember to set their VCR or Tivo to record.  In effect, this service allows ABC to take some control over time shifting. 

            For ABC it would seem there would be a number of advantages to offering this service.  First, many of their popular shows build on an ongoing plotline from week to week.  New viewers will often feel lost if they begin watching the series in the middle of the season.  This service allows those who discover the show midway through the season to catch up.  Other viewers who might have to just miss a single episode would also be able to stay caught up in the series without having to remember to record the missed episode.  All of these different considerations can only lead to increased overall ratings.  Even if some users switch from watching the show live to watching the show online the overall number of viewers should still increase.  If one is a fan of a particular show, one will not watch it less because it is available more.

            The one potential way for the number of viewers to decline is if fewer people are exposed to new shows through commercials.  However, this new system can expose people to even more shows.  For example, when going to ABC’s homepage to find an episode of one show, advertisements for all of the other shows can be placed throughout the website or even as commercials during the show.

            ABC’s method for including commercials during internet viewing is very clever.  There are three or four sections in each show that are briefly interrupted by commercials.  Each commercial spot lasts for only 30 seconds.  By making the commercial interruptions so brief, ABC accomplishes two things.  First, there is a better chance people will actually pay attention to the commercials because their brevity provides less incentive for a person to find some other activity to occupy themselves during a commercial. The commercials are also short enough that people will not view it as too much of a nuisance compared to recording a show themselves and then fast forwarding or downloading a commercial-free copy illegally.

            Time shifting has been around for a long time and now, with products such as Slingbox, place shifting is likely here to stay as well.  With this in mind, ABC has found a way to embrace these two technologies and take control of them.  The one major hindrance to the service thus far when I have used it is connection problems.  There are times when the network slows down to the point where an episode can no longer play.  It is unknown where the bottlenecks that hinder playback are occurring.  However, these bottlenecks could potentially add to the debate surrounding network neutrality as networks might prefer to pay extra to give their shows priority over the network to ensure quality.

 

Making Policy One Small Step at a Time

            There is more than one way to set policy.  One way is to have Congress or a governmental agency create a set of rules or laws.  The other way is to carefully craft a case that will provide a precedent.  The makers of Slingbox seem to have worked hard to carefully construct their product to push the limits of the law only far enough to force the law to bend, not break.  In many ways it seems that they learned a lesson from many of the failed file-sharing networks.  Companies like Napster created software that blatantly advertised infringing uses.  These companies seemed to operate on the assumption that p2p file sharing networks were legal despite their infringing uses.  Rather than trying to slowly build towards such a precedent they confronted it head on without any good faith efforts.  Slingbox seems to be making a good faith effort to find itself a niche within Sony v. Betamax.  In many ways a court case brought against them might do more good than harm for them.

            The makers of Slingbox made design decisions that make Slingbox as neutral as possible.  They limited all sorts of potential features that could make Slingbox more attractive for no real compelling technical reasons.  For example, whatever someone is watching through a Slingbox will also be displayed on the local television set the Slingbox is attached to.  Additionally only one user can receive streaming media from the Slingbox at a time.  These limitations really emphasize the technology’s main purpose of place shifting.  One can make a strong argument that place shifting in this manner should be legal.  A person pays for their television service and through it their right to watch certain shows.  If they are away on a holiday or business trip why should they not be allowed to still view their favorite programming that they are paying for?  Time shifting is considered fair use despite the fact that networks target certain audiences based upon the time they put that show on.  If time shifting is legal it would seem natural to allow place shifting.  Slingbox has implemented place shifting in the least offensive way possible. 

           If and when place shifting is made legal Slingbox can begin to push the precedent further.  For example, if five people share a residence and the subscription costs to cable why should they all not be allowed to watch the same programming from different locations when they are on a short trip?  It would not seem reasonable to allow a small number of people (larger than one) to receive the stream if it is already allowed for one person to; especially if they are all still watching the same thing.  The technology could still require a login and password to receive the stream.  Now take things a step further.  People might have a TV in each person’s bedroom in a residence.  Each TV can watch different programming.  So if each of these people can watch separate programming within their house why shouldn’t they each be allowed to watch separate programming from outside their house? 

           Of course some or even many people might abuse this technology.  However, according to Sony v. Betamax there need merely be a significant amount of fair use involved in order for a product to be considered ok.  Even if illegal use runs rampant chances are there would also be a large amount of fair use.  To call place shifting unfair use would seem to create a precedent to reopen the case about time shifting.  If time shifting were disallowed VCRs, Tivos and all other recording devices would be made illegal.  The utility of a cable subscription would go down.  It would seem very difficult for a court to rule against Slingbox.  Their business strategy has opened the door for Slingbox to slowly shift the norm into accepting space shifting.  If and when it reaches widespread use it will become very difficult to shut it back down.  With this in mind it would seem the only thing that can stop space shifting is a lack of user demand.

Security in perspective

            It is relatively easy to make the argument that the market undervalues security in the technology industry.  For example, a denial of service attack could essentially shut down a website like Google.  This attack likely is facilitated by individuals’ computers with minimal if any security.  The users whose computers are hijacked for this attack do not incur a very high cost.  If anything, their computer might run a little slower but for all intents and purposes it works fine as far as they are concerned.  These people would have little incentive to try to figure out how to better protect their computer as from their perspective there is not a problem.  On the other hand, Google has a major problem despite the fact that they have taken every practical security precaution.  One can easily point to many situations similar to this hypothetical scenario and claim that security is undervalued.  However it is very difficult to accurately quantify exactly how big a problem this is.  This difficulty can lead one to point to anecdotal evidence instead of statistics which can lead to inaccurate assumptions.

            People often put too much emphasis on individual stories.  Consider this hypothetical scenario:  Bob was riding the train while on vacation in New York when he was mugged in broad daylight.  Bob returns home and recounts the story to Larry.  Both Bob and Larry agree that clearly more security is needed on the train.  However, Bob and Larry fail to recognize that for the one mugging Bob and Larry suffered, law enforcement prevented 99 other such attacks that day.  If instead of hearing Bob’s story Larry had heard the statistic that 99% of muggings on the train are prevented then Larry would probably have agreed that law enforcement is doing an adequate job.

            When people discuss security against computer attacks the anecdotal stories are more readily available than the statistics.  One can point to a number of worms or viruses and the damage they caused and argue that clearly the market is failing to adequately address security.   However these viruses do not necessarily mean that the market is failing.  Searching for bugs or weaknesses in code is much like trying to prevent the next terrorist attack.  One can be successful 100 times in a row.  Then one attack succeeds and the current security measures are viewed as a failure.  One could consider computer viruses and worms in a similar way.  It would be very difficult to quantify the number of viruses and worms that were prevented by current security.  Quantifying the number of prevented attacks would likely be even more difficult than quantifying the damage caused by successful attacks.  However to fully consider the effectiveness of the market one must consider the number of attacks which are prevented.  Millions of people use computers and the internet every single day without incident.  Their stories are less sensational but no less important. 

            As stated during class there will always be a tradeoff between security, functionality and cost.  The goal of this post is not to claim that the market is correctly valuing security.  Rather it is to caution against an argument that begins with “it is difficult to accurately quantify…”  More often than not this can lead to people putting too much emphasis on specific scenarios and not fully understanding the overall issue.  It is easy to see flaws in the current system and question its effectiveness.  However as these flaws are identified we must always remember to consider the strengths of the current system as well.  None of the solutions that have been proposed to this point are without drawbacks.  The system is not perfect and can always be improved upon but in discussing the negatives to the current system one must also acknowledge the positives.

Passwords

     In response to the FCC’s inquiries regarding passwords, we believe passwords can be an effective deterrent against unauthorized access to a user’s phone records.  While passwords would only be effective against pretexting, the CTIA has stated that “overwhelmingly, the vast majority of cell phone records are being fraudulently obtained through the use of ‘pretexting.’”   Because the CTIA itself acknowledges that pretexting is a rampant problem steps should be taken to attempt to curb pretexting.  One such method is the requirement of a special password from users in order to access their records. Because there have been many comments from expert sources including EPIC, lawmakers, and the CTIA we will not attempt to provide a detailed proposal for a solution.  Rather we would like to comment from the perspective of the consumer.

     We acknowledge that companies such as Verizon Wireless, Cingular, Sprint Nextel, and T-Mobile are all more qualified to present information on their internal cost of implementing more rigorous password policies.  We also recognize that as technology evolves the requirements on passwords as well as the threat of pretext will change, and as such any solution must be made flexible enough to allow easy adaptability.  It is possible that a new security technology will make the use of passwords obsolete.  Despite this fact, we believe the importance of passwords can be easily overlooked.

     Many consumers do not fully understand the necessary balance between convenience and security.  It is likely that there are a significant number of people who, when asked, will be wary of a complicated password system which places an added burden on them.  Extra time is required to enter the password as well as to memorize the password.  However, consumers will also usually state they want companies to protect their personal information.  Unfortunately, present technology limits practical implementation that allows high security as well as high convenience.  A significant number of consumers will undoubtedly find any relatively secure password system burdensome.  Their frustration will often be voiced to phone carriers.  In addition to an extra cost inflicted on these carriers to implement a more complicated password system, phone companies also face the added customer service issues related to disgruntled customers.  If one company lessens their security to increase convenience they might receive a competitive advantage over companies more concerned about security as the number of breaches will remain relatively small while added convenience will satisfy a larger pool of customers.  However, it is not clear that the cost to the small group of customers whose personal information is breached does not outweigh the added inconvenience to the many. 

     Following the logic above, it is clear that both companies and many consumers have an incentive to speak out against additional rules regarding passwords even if it is in the best interest of everyone to make them required.  However, we urge the FCC to consider that the added cost to individual parties might be necessary for security despite resistance.  We acknowledge the argument of the CTIA that the most effective method to prevent pretexting might be to target the pretexters themselves.  However, this solution does not preclude also creating additional rules regarding passwords. 

     While we are not calling for the mandatory use of consumer-set passwords we do believe service providers should require safer password practices as the default option even if they also provide the customer an option to opt-out.  For example, individual companies should be allowed to allow their customers to opt out of the company’s password protection policies only after they have been informed of the importance of a password and the risks involved with opting out.  Lost and forgotten passwords should only be revealed or reset if a customer writes a non-electronic letter or physically enters a store with customer service facilities for the phone service.  This process would be inconvenient but not unreasonable.

     Whatever solution is adopted it is clear that pretexting is a significant problem that must be addressed by the FCC.  There are many instances where the government requires minor inconveniences in order to ensure people’s safety.  For example everyone is required to wear a seatbelt in a car regardless of the fact that the vast majority of the time a person is safe in the car without a seat belt.  Airline security also illustrates the need for minor inconveniences to ensure security.  Password requirements could be viewed in the same way.

 

 

Password section

            For this week’s posts (Scott’s and ER’s) I wanted to add to and begin to consolidate two previous posts on passwords:

In response to the FCC’s inquiries regarding passwords, we believe passwords can be an effective deterrent against unauthorized access to a user’s phone records.  Of the different ways to acquire another person’s phone records, passwords would only be effective against pretexting.  However the CTIA itself has stated that “overwhelmingly, the vast majority of cell phone records are being fraudulently obtained through the use of ‘pretexting.’”  Pretexting is when one attempts to obtain information by lying about one’s identity or authority to access this information.  Because the CTIA itself acknowledges that pretexting is a rampant problem, steps should be taken to attempt to curb pretexting.  One such method is requiring a special password from users in order to access their records.

            While passwords can never be 100% effective they do provide an important first line of defense against those who wish to illegally obtain other people’s phone records.  In discussing the effectiveness of passwords there is a necessary tradeoff that must be acknowledged.  The stronger a password is the more of a burden it will place on a legitimate user.  For example one could set up a system that required three separate passwords unique to this system made up of numbers, letters, and symbols.  While this would provide a high level of security it would also require the user to remember each of these passwords.  On the other hand, one could choose a password that would be easy to remember which they use often such as their mother’s maiden name. 

            We also feel it is important to acknowledge that different people would prefer a different balance between security and convenience.  Some might be unconcerned with who has access to their record of calls as long as they have easy access.  Others might prefer the hassle of a complicated set of passwords in order to help ensure their information is not compromised.  We believe that any solution involving passwords must attempt to address both of these potential customers.

            Finally, any potential solution must not only address the passwords themselves but also the system for dealing with lost passwords.  This system can often act as a back door for those wishing to gain access to otherwise secure information.  As with passwords themselves, we believe there should be some flexibility for the user.  If they prefer tighter security then the procedure for dealing with lost passwords should be more complex and secure than if they prefer convenience.

            With these considerations in mind we propose the following solution.  Existing and new users would initially be given a medium level of security.  This would mean they would have a user-defined password that would be unrelated to any personal information.  Also, if they forgot their password they would have to physically send a written request to the phone company requesting their password be reset.  If the customer preferred there would also be a heightened level of security for which there would be two passwords.  One password assigned by the phone company and one chosen by the consumer.  Again a physical letter would have to be sent to the company in order to reset the passwords.  When the passwords are reset a letter would be sent to the billing address informing the customer of the new passwords.  The customer could even request that their phone records only be made available by a written request.  Their record would then be sent to their billing address.  This would provide the highest level of security against pretexting.  Finally, we would have a low level of security option for which the user could choose a simple password and the system for resetting a lost password would be tied to some piece of personal data.  In order to get this level of security the customer should be required to sign a waiver indicating they understand the risks involved with such a system.  In this way, we aim to allow the customer to choose what level of security is appropriate.

            The major weakness with this system is in the users themselves.  Many will not be concerned with the heightened risk until their information is actually targeted.  At this point they likely will prefer a heightened level of security.  Some will not fully understand the risks with the lower level of security until it is too late.  However passwords would likely prove ineffective for these users anyways because they will likely store them in such a way that will be easy for would-be data miners to find.

            The CTIA is adamantly opposed to any new rules being imposed on them to protect data.  Rather they assert that the most effective measures against pretexting would be to strengthen the laws against pretexting.  In essence, they prefer an offensive approach which targets the pretexters rather than a defensive approach which would target themselves.  While they are obviously motivated by their own self-interest their arguments should be addressed.  It is important to stress that requiring more effective passwords and targeting pretexters are not mutually exclusive.  Rather the two measures would act as complements.  While it is illegal to steal a car it would be foolish for the owner of the car to leave the car unlocked and the keys in the ignition.  As discussed above passwords will not and cannot be 100% effective.  However, they are more effective than no passwords at all.  While one could argue they provide a false sense of security the solution is not to eliminate the security altogether but to attempt to inform people that they are not 100% effective.

Good intentions, bad idea

            The .xxx domain has been the source of all sorts of different controversy.  Many civil rights groups worry that its creation could legitimize the pornography industry or increase the amount of porn on the internet.  Free speech advocates fear that it could lead to internet censorship.  Of course there are many potential positives to the creation of a .xxx domain.  Those who wish to view pornographic material would have an easier time finding it while those wishing to avoid it or block it would also have an easier time.  This reasoning recently motivated two US Senators to propose a bill which would create the .xxx domain and require all pornographic websites located in the main top level domains such as .com, .net, etc. to relocate to this new domain.  Beyond adding to the controversies above, this proposed bill could intensify an already heated debate over control of ICANN and the DNS servers. 

            The fact that two senators even proposed such a law implies that they believe the US has the right to actually directly influence ICANN policy without the input of the rest of the world.  Consider the implications of implementing this bill.  The US could not enforce this law without ICANN’s involvement.  Its jurisdiction is only over companies in the US.  If a pornographic website has all of its operations overseas the US can do little to force it to move to the .xxx domain.  Furthermore any such efforts could potentially drive US porn companies to move overseas, costing the US a significant amount of money.  Because the internet is global, as long as some pornographic sites remain in the mainstream domains this law would have virtually no effect in terms of removing pornography from those domains.

            Therefore for the law to be effective it must require all pornographic websites to move to the .xxx domain whether or not they are based in the US.  The only way for the US to do this would be to have ICANN force these sites off of the other domains like .com, .net etc.  This approach is in fact the one the senators suggest in their bill.  The fact that US senators would even propose such a bill serves to confirm other countries’ worst fears about US oversight of ICANN.  Until recently the US could always claim that it never exercised its power over ICANN and that all of these countries’ concerns were only theoretical.  However this bill demonstrates US lawmakers’ willingness to consider directly influencing major ICANN policy.

            The most ironic thing about this proposal is that when the .xxx domain was initially proposed it was US intervention that postponed its creation indefinitely.  This initial intervention helped fuel calls for international oversight of ICANN from countries like the EU.  The bill is facing heavy resistance and will likely be defeated; however, the damage could still be done.   Merely proposing the bill is a reminder of the potential power the US could wield over the internet.  Passage of this bill could very well be the final straw to lead to the US losing its oversight power over ICANN.  Rather than supporting these countries’ fears, the US should be doing everything it can to demonstrate that these fears are unfounded.

Google: Proof that innovation is winning

            When issues involving competition, monopolies and technology are mentioned Microsoft is involved more often than not.  The company has grown so large and covers so many different sectors of software development that they are a major player in almost every industry related to software.  Many companies have tried to go up against Microsoft before and failed.  The list of defeated includes companies such as Netscape and Apple.  The battle with Netscape culminated with Microsoft being taken to court by the US government.  Microsoft is constantly criticized for pushing the limits (and sometimes breaking them) of antitrust law.  In many other industries Microsoft’s business practices would have completely obliterated all competition.  However, a new company has emerged that seems poised to give Microsoft a run for its money in a way they never would have expected.

            Companies have tried time and time again to beat Microsoft by specializing in a specific sector of software.  Google too has focused its development on a specialized sector of software (search) but it has structured its entire business model in a completely innovative and unprecedented way. All of Google’s products are completely free (although some of them sell items such as videos).  All of its revenue came from ads that were strategically chosen and placed in such a way that actually increased the utility of Google’s search engine.  Rather than acting as a distraction, ads oftentimes provide better results to a user using Google’s search engine than the primary results.  The vast majority of Google’s products also all carry a remarkably high level of quality.  The result is a fast growing company that has once again captured the attention of Microsoft.

            Microsoft has tried many of its normal business strategies to squash Google and all have failed thus far.  In 2003, Microsoft even tried to buy Google but Google refused to sell.  Because of the effectiveness of Google’s search engine people use it far more often than Microsoft’s despite the fact that Microsoft’s search engine is the built-in default for Internet Explorer.  Microsoft cannot use its size to adjust prices or offer its product in conjunction with another product as it did in previous battles with companies like Netscape because Google’s main product is already free.

            One could make a strong argument that Google’s innovative business structure is in part due to Microsoft’s aggressive history towards anyone it considers competition.  Google’s creators knew that in order to create a business that would be able to withstand the inevitable Microsoft attack it would have to completely reinvent the way business is done.  Thus, while Microsoft’s attempts to stifle competition created barriers of entry which likely destroyed some chances for innovation it also arguably led to an even greater innovation that could change the very way in which business is done.  Instead of stifling innovation one could argue that Microsoft raised the bar, weeding out lesser innovation and forcing people to come up with even better ideas in order to survive.  Of course the battle between Microsoft and Google is just beginning and Google’s ultimate triumph or downfall is yet to be determined.  However, even if Google fails it will undoubtedly have left a mark and forced Microsoft to adjust its own business model in order to defeat the threat it once posed.  Either way innovation wins.  And if history has shown us anything, it is that if Google is defeated someone new will come along to take their place in the battle just like Google took the place of their predecessor.