InfoTech and Public Policy

Imagine a government, where people would be allowed to propose legislative bills, comment and vote in every law that may affect them. This would be a real democratic system the way my ancestors envisioned it, a democracy that holds true to its meaning: the rule (‘kratos’) of the people (‘demos’). Professor Noveck’s article on Wiki-Government claims that such a system, if well implemented, would be far better than the current expert-based decision process which admittedly has limited success so far. She also claims that this is not infeasible to realize any more since technological advances, such as the internet, have allowed us to communicate, learn and interact with ease.

The idea of people having the power to comment and vote on important social decisions is something that I support. It has been successfully implemented in courts, where important decisions of life and death are taken by ordinary people without the intervention of any higher authority. Our society has many remarkable paradigms of self-sustaining, self-assembling collaborative projects to demonstrate and most of them are feasible because of the underlying technologies that have been developed: open-source software communities, wiki knowledge databases, peer2peer and financial support networks are just some of them. However when it comes to important civic decisions, at what level would our society feel comfortable to allow direct intervention from any person? A public forum where people can comment on the existence, need or proper enforcement of a law would be by all means beneficial for our legislative system and in some cases this already happens. But such “suggestive” or advisory forum would have no or limited power. On the other hand, one can imagine a society where people would actually vote on a diverse set of subjects, a risky tactic that can also have its own benefits.

The idea of inviting public assessment of current or upcoming work can be easily implemented in other fields, one of which is the academic peer review system. There is a plethora of examples where the peer review system has failed to ensure the integrity of scientific research, most notably in the case of peer review drug practices according to a New York Times article.

Currently, if someone wants to publish his work, has to send it as a paper to the editor of a journal, who will in turn send it to a few experts (two to five) that will review it. This process can take a considerable amount of time and there are several caveats such as not truthful or sloppy assessment of the research, conflicts of interest etc. An alternative solution might be to have a database where all papers can be added and publicly viewed and commended. Journals will be given the option to select what they would like to consider for publication and then send it to review with the permission of the author(s). Finally, journal editorial boards may opt to enter a bid or offer an acceptance for publication to the author(s) who may have a deadline to decide which – if any – of the offers would interest him. Such system would make the selection for publication based more on merit and less to the (maybe biased) opinion of the few (also would give controversial research, like the one generated by the Princeton’s notorious PEAR lab more visibility). Fortunately, there are several moves lately towards this direction including the ArXiv of the physics community, the PLOS ONE and Harvard’s recent move on an open access free publication service (which has already been approved).

 Imagine driving down the freeway with your eye intensely gazing at the speedometer needle.  Its right under 55 and you nervously brake to keep from speeding.  The road slopes a bit and you head slightly downhill and you cringe as the speedometer crosses 55 and hits 57.  Sirens begin to sound but there are no cop cars within miles of you.  No, the sirens sound from within your car, and a $10 fine has been added to your tab of speeding violations that you will pay off at the end of the month.

Seems a bit absurd right?  Well, it wouldn’t be terribly difficult.  All it would take is some type of general surveillance between your car and the road that you were on that kept track of you speed and checked to make sure you were not violating any traffic laws.  It should be easy enough of with the technology we have today, but the sheer idea of a surveillance system of this nature would drive shivers up my spine.  The mere hassle of being constantly fined for driving would seriously motivate me to find new means of transportation.  While that might not seem like a horrible result, you have to understand it would greatly hinder our efficiency as a society by placing unnecessary restrictions and penalties on ourselves.   

We currently use a model that is dependent on the fact that it is impossible to have cops patrolling everywhere in order to detect traffic violations.  But with the addition of traffic video cameras and overhead speed traps, you can see our America slowly gravitating towards an Orwellian future.  Perhaps that’s a bit extreme, but you should get the idea.  You are probably wondering why should we have speed limits if we do not want people to follow them?  Well the idea is that we do want people to follow them and they set up guidelines, but we also do not want people to feel like “the government is out to get them.”   

If you frequently speed, you are more likely to get caught by a random speed check.  While you won’t get caught every time, you should get caught often enough to dissuade you from speeding.  Furthermore, the penalties are strong enough to make such a breach of the law a serious issue.  Obviously, they could make the penalties for speeding less significant while increasing their surveillance efforts, but I would contend that significantly increases inefficiencies in society.  For starters, it creates more physical costs/paper work.  But beyond that, it causes distrust between people and the government by making it a “permissions culture.”  In other words, if the government is going to monitor ALL our activities to ensure we are not breaking any laws then we are yielding our rights to the government and giving them control over our actions.  There should be a certain level of trust between people and the ruling body, similar to the relationship between parents and children.  This of course goes beyond things like speeding tickets.  Technology will continue to make increased surveillance a very real option, but if we are to avoid an authoritarian type government, the government must continue to trust the judgment of its people, even if that means laws get broken more often (when calculated in absolute terms).  We have some very scary decisions to make over the next couple of decades, but when it comes down to the government monitoring daily activities of our lives, I will always come down in favor of a hands off approach.    

My first encounter with web cookies back in the mid 90’s was accompanied with joy, admiration and fear. Joy, because I was no longer obligated to put my login information every single time to authenticate myself, while I was more than happy to learn that - finally - ads will depict sports cars instead of pregnancy pills. Admiration was only natural, given how this small piece of data achieved so much without significant complexity or effort from my part. And fear, because I could see a future where I would no longer be the poor lonesome cowboy surfing the world wild web carefree and certain that no one knows what I am doing without my consent. Almost ten years later, this future is finally here: Government agencies can clone and analyze private communications, malicious users attack me daily with worms and viruses, while advertising companies try to predict what I like in order to deliver more relevant ads. At least in the case of ads, they can’t possibly track every single click I make. Or can they?

Custom tailored ads exist for quite some time now, almost immediately after web cookies started to appear in the web. In the next few months though, their power and predictive potential will be increased significantly thanks to the appearance of two new companies called NebuAd and Phorm. Both these companies want to enhance the effect of ads and marketing by installing devices on the networks of the participating ISPs. These devices will then monitor all unsecured WWW traffic that each user produces, including searches and Web page hits, and will look for ways to match want may interest you with a database of product and services. This way, participating vendors and websites will be able to display ads of higher relevance than before, potentially highly increasing their revenue. According to New York Times, already 3 major ISPs in UK have made deals with Phorm to implement its technology, and although NebuAd declines to reveal its partners (why is that I wonder ? Also read this New York Times blog entry on the same topic), Washington Post has revealed two of its ISP partners.

The implications of this technological partnership are tremendous. ISPs, who traditionally were out of the advertisement game, will now get a part of the multi-billion revenues related to internet advertisements. Internet advertising agencies and vendors are happy to be able to target the right market (according to Microsoft there is as much as 76% more chance that a visitor would click on an ad enhanced by behavioral targeting technology) with higher accuracy, while web site owners that will be able to charge more in order to host ads. As for the user, he will be able to get more relevant information about products that are closer to his interests than before. Nevertheless, all the above will come at a potentially high cost to user privacy, as each user action will be recorded by third party software, something that forced the Foundation of Information Policy Research (FIPS) to write an open letter to UK’s Information Commissioner urging to pass legislation that would render any technology of this kind illegal. Similar legislation, although with a much broader scope, is also sponsored by Democrat NY assemblyman Richard Brodsky who wants to make it a crime for certain Web companies to use personal information about consumers for advertising without their consent (New York Times Article).

Personally, I am up for any technology that enhances the user experience. I believe that systems like those discussed here can contribute to this, by enhancing the level of prediction that a content provider can have on your interests and character. Additionally this technology may have some beneficial side-effects, as for example Phorm software is able to identify fake websites and thus protect user privacy. It may also foster collaboration, innovation, internet entrepreneurship and emergence of free services, fueled by higher revenues in industry and internet markets. However, in order for me to wholeheartedly support such efforts, I need to be certain that certain conditions are satisfied. First, all parties involved must make sure that at no stage can the personal information of a person be associated with his identity. Given the way the current technology is implemented, I think it is very difficult for these companies to ensure that this will be the case, even with the randomization and no-storage policy assurances that they provide. This kind of association is what is dreadful to most people, from ordinary users to internet pioneers (for example see Sir Tim Berners-Lee BBC interview on net tracking). As a computer scientist I see a number of ways that similar results can be achieved with no such danger to privacy, but at the cost of higher bandwidth requirements.

Additionally, I believe that opting-in the service must be the default and not vice versa. Currently, this is not happening and even opting-out is painful according to this blog entry about Embarq ISP NebuAd opting out option. Legislation can make clear that users should have the option to opt-in and out, with the earlier to be the default mandatory practice and frankly a lot of other sectors would benefit from converting opt-out actions to their opt-in counterparts. This way, ISPs and companies like Phorm can even give monetary incentives to users in order to opt-in, returning some of the profits to the end-user base.

Finally, I have some ethical concerns over what kind of information such companies should be allowed to collect. Should they try to predict your need of cancer or funeral related services? You would be surprised on some of the choices that the coalition of marketing, advertising, ISPs and related software companies have agreed to (dis)allow. There is also the question of whether all the above will lead to increased utterly useless for the average user purchases, something that does not benefit the society as a whole. And since at the end of the day this is the only single objective function that we have to optimize, i.e. allow actions that increase short and long term social benefit, we have to ensure that the implementation and evolution of such techniques and technologies are leading to a more stable, humane and robust society rather than increasing the revenues of a selected few organizations and people.

For further reading there are several articles in the Bits blog of New York Times including what Saul Hansell calls “The Mother of All Privacy Battles“, interviews with Phorm and NebuAd chief executives, and more information on how Phorm cookies work.

The benefits  of technology have made people live longer, enjoy a higher quality-of-life, and increased our daily enjoyment and health in countless ways. So, as technology has progressed, there is no reason NOT to let it enter into the world of police enforcement and lawmaking. To that end, it is very important to consider the unintended consequences of any new surveillance policy.

Like Sam, I respect the institution of law, and think that if we pass laws, it is silly to argue against enforcement because it is TOO efficient. The proliferation of laws that are not easily enforceable nor universally accepted degrades public respect for the institution of government. Therefore, the ability to create laws that are ACTUALLY enforced would be very beneficial for society. Imagine if thugs could not get away with murder, or thieves would be caught red-handed. These are the benefits of increased surveillance in the best case. As such, society would actually be more efficient if technology were to be used increasingly in law enforcement.

However, the gulf between policy intention and policy as executed is wide. There are certain important, likely unintended consequences from any unanticipated shock to the level of sophistication in law enforcement. First we must acknowledge that laws on the books are not some objective force of morality keeping people from committing harmful acts. Rather, they are a set of rules passed by those in power through sophisticated mechanisms of favor-trading and political game-playing. One need look no further than the dramatic difference in punishment for crack versus cocaine use to see the arbitrary nature of many of the laws in America.

While increased enforcement would certainly provide greater reason to refrain from committing illegal acts, it would likely come at the cost of greater arbitrariness in the application of the law. It is fair to say that few white collar crimes would be caught on a CCTV television. Also, the drug delivery services in metropolitan areas provide their services to rich clientèle within the safe, protected walls of the upper west and east sides of Manhattan. On the other hand, those more prone to making use of public services, like the poor and most minority groups, would be increasingly monitored with an increase in public surveillance. Given this increased surveillance would unfairly spread the burdens of government spying, certain groups would likely be targeted and the arbitrariness of our legal system would only increase.

Another unintended side-effect of a hastily-created surveillance system is crime displacement. The argument put forth by many criminologists is that crime would simply move down the street, away from the densest camera coverage. Also, stepping up prosecution for laws that were passed with the intention that they would be hard to efficiently enforce (for, example, to create a deterrent effect) would be a retroactive increase in the punishment for a certain crime. The principle of retroactive prosecution is not one favored by American jurisprudence.

These concerns are only the most easily apparent upon contemplation of new policy. Thus, it is safe to say that a strategic plan is needed to fairly increase the efficiency of law enforcement. Without realization of the potentially harmful and non-negligible unintended consequences of new policy, good intentions can (and often do) create more problems than those they set out to solve.

The stability and future trajectory of a society is heavily dependent on the level of protection and robustness that it has. In other words, it is in a society’s best interest to be able to defend itself and create mechanisms that would quickly and efficiently absorb any destabilizing fluctuations. And of course, defense shouldn’t only be confined to a reflexive response to environmental events, but should encompass preemptive actions guided by accurate predictions of future events and phenomena. And here is where communication monitoring comes into play, since in order to be able to predict the future you need to have a good perception of the current dynamic environment around you. Along these lines, it is not only a right but also an obligation for governments – and any other entity of a similar protective role for that matter – to fully exploit technology and resources for the social good.

Naturally, regulatory mechanisms should be in place in order for governments and their agencies not to overstep their authority, misinterpret and misuse this social mandate: it should be absolutely clear who can do what, and in what circumstances. There is a plethora of cases where these lines are blurring. For example, should a school camera installed to catch trespassers, fights and harassment be used to report intimate moments of students (article)? What about personal text messages in a cell phone that has been confiscated (article)? Should a program that analyses employee video streams and uses this information to infer the stress levels be also used to calculate the productivity and overall performance of a worker, something that can lead to his lay-off or promotion (article and patent)?

The threat of misusing sensitive data becomes more imminent with technological progress. Pervasive computing and sensor networks open endless possibilities that the Big Brother always wanted but couldn’t afford. Universality and data integration increase the processing efficiency but also make the effect of a potential leak even more devastating to human privacy. Often technology precedes regulatory and safety mechanisms and some may claim that this is what is happening in the recent attempt of the federal government to launch a system that would bring together thousands of city-owned video cameras that would feed video into a central office at the D.C. Homeland Security and Emergency Management Agency (article).

Questions like who will have access and analyze the data, and for how long these data will be stored will also determine the risk to privacy in such monitoring systems. As algorithms become more sophisticated we can transition from a supervised or semi-supervised monitor scheme to a fully unsupervised one, where image processing and machine learning techniques will render any human-data interaction in the majority of cases unnecessary. This in turn reduces the risk of leaks and malicious human actions, one of the major concerns today. Regarding the storage of the personal data, there is again a trade-off between privacy and enhanced protection. Although the amount of information that passes through an ISP is vast and prohibiting to be stored for large periods of time, this may change in the near future. Storing everything can provide a fossil record of communication that may prove valuable to future investigations, but also seriously increasing the harmful effect of a severe security breech.

For all these reasons we have to push for a close regulation - not prohibition - of governmental monitoring of human communication. The question of who is going to watch over the watchers is always there, but I am optimistic that in a mature democracy sufficient regulatory mechanisms will be implemented and updated whenever necessary (as was the case with the creation of FISA in the 70’s).

Threat Level on Wired.com (cite) reports that a nonpartisan group in Durham, NC by the name of “Women’s Voices, Women Vote” has used a voice recording to telephone numerous black voters throughout North Carolina and remind them to register to vote.  While normally this would be considered of net benefit to society, they fail to mention that the deadline for registration was almost a month ago, and many of the phone calls were to citizens who have already registered to vote.  With such a contentious presidential primary season coming up, it seems as though this may be an attempt to confuse and intimidate black voters into not showing up to the North Carolina primary.  While a bill submitted by Illinois representative Rahm Emanuel in 2007 would make such misdirection obviously a crime, of utmost concern here is the extent of damage that may be caused by such fraud.  To see the exact extent to which fraud can quickly change the face of an election, look no further than the allegations of fraud against Swift Boat Veterans For Truth in 2004 (cite).

While voter intimidation has always been a serious crime in the United States, only with the advent of recent communications technology has the need for prevention begun to outstrip the need for enforcement.  Whereas in previous decades, the criminality of voter suppression was enough to keep most politicians and their surrogates from intimidating voters, in recent years it has now become possible for one person to suppress a large number of votes before being caught, allowing them to get their candidate elected and then “take a fall.”  Thus, rather than only being concerned with voter suppression detection and prosecution, it may be wise to look into voter suppression prevention as well.

Much of this would depend upon the medium through which the suppression is being communicated, however, there may be some bundle solutions.  One might be to require that any political organization registered with the government provide a degree of transparency about their actions, such as agreeing to be wiretapped.  This would help to focus the fraud prevention efforts of the FEC, giving them time to catch such things as the voter registration phone calls soon after they begin.

Another possibility would be to create a committee for the sole purpose of electoral fraud detection (separate from the FEC).  While this is a very cost-ineffective option, allowing a committee the ability to aggressively detect and block certain specific behaviors without a court order could dramatically decrease the amount of damage those behaviors could do.

One final way would be to dramatically increase the penalty for election fraud, so that it would be more of a deterrent to individuals who may be prepared to take a fall for their candidate.  In particular, there should be no situation in which intentional voter fraud could be found a misdemeanor.

By increasing the penalty for election fraud, creating a committee not within the FEC but with the power to detect and block certain fraudulent behaviors upon seeing them, and requiring that political organizations commit to having their communications with the outside world revealed and scrutinized before things go public, it may be possible to create a fraud prevention scheme that will work in the information age.

People may agree or disagree with the need and appropriateness of content-based searches of communications by the government, but they seem to be happening whether we like it or not and whether they are authorized are not. Given this reality, the two options are a serious clampdown on the intelligence agencies or to formalize some kind of mechanism for oversight of these searches. I’d say the first is impractical with so much secrecy surrounding budgets and practices. It also may not be good if there might be legitimate uses of theses searches. This leaves the other option of creating a mechanism to approve and oversee these searches, perhaps as part of the FISA court system or as a separate but similarly structured entity. Sort of the logic: “If you can’t beat ‘um, join ‘um” — and then maybe you can exercise some control through that.

Of course, criteria would have to be set for this type of court/formal approval system. Requests for these searches would have to present the exact algorithms that would be used to search, the generically-defined but intended target of the search, the exact types of communications to be searched and reasons for each of those, perhaps some geographic limitations as far as message origins and destinations, the private sector providers to be cooperated with and utilized for the search, and the expected level of false positives from these searches. There of course could be more criteria as well as more limited qualifications for each category. Further, there could be review after a specified period(s) of these sorts of searches as far as the level and type of false positives actually occurring and, if possible, the national security gains derived thus far from a content search. These reviews could inform the court/system on the need for continuance of the search and any changes in the criteria that initially justified it. It could further offer refined information to apply to other approvals as far as predictability of false positives and the reasonable scope that should be allowed. The point is, rules can be set up that offer some way to control such searches vs. the alternative of complete intelligence agency/presidential discretion.

Such formalization would also be helpful legally. With so much secrecy surrounding even the existence of such programs, companies are stuck in limbo on how to cooperate and how to defend themselves. Leaving it like this could lead to further pushes for dangerous laws that extend sovereign immunity to anyone government works with, sometimes called “government contractor defense.” Such blanket proposals could lead to severe losses in accountability and open the door to further abuses. Even without such laws, under-the-table dealing for such arrangements and the judicial stalemate are serious problems. Having a formal court approve such searches would make these arrangements between government and the private sector at least somewhat more legitimate, reducing private sector and judicial uncertainty as well as some potential for abuse. It’s not a perfect solution, but it would clarify some present issues and keep the worst abuses in check.

Bringing these activities out through some sort of mechanism of approval is possible and far more ideal than the alternative of leaving them completely unregulated. Though such a system might legitimize these activities and perhaps lead to a slightly higher usage of such searches, it is important to keep in mind that these searches will occur either way at some level, and they might be a reasonable response to changes in technology and communications. FISA was a response to the abuses of the Nixon administration, and has generally been thought to work. A new court or expanded FISA might be a reasonable response to current abuses, needs, and loopholes.

I am a criminal, and with high probability, so are you. Whether it be driving over the speed limit, drinking underage, littering, jaywalking, pirating music, or any number of other misdemeanors, most of us have been guilty at one point or another if not regularly. This raises the question of surveillance; since many of these crimes are public, if “big brother” was watching over you at all times, we would all be regularly fined large amounts.

One possible conclusion that could be drawn from this observation is that increased surveillance in the form of CCTV cameras and EZ-pass speeding tickets are a bad idea because they would lead to the enforcement of laws that people regularly break. This view seemed to be held by a number of people during yesterday’s seminar. This belief was defended with a cynicism against government; its proponents argued that “stupid” laws exist, will continue to exist, and slowly encroach on our freedom as improved technology leads to increased enforcement.

Perhaps I have a naive faith in democracy, but for some reason I’m not willing to believe the idea that a politician supporting regularly enforced $1,000 fines for littering would ever win a reelection campaign. While one possible political solution is to avoid surveillance or not to enforce stupid laws, I would prefer to see the government modernize the stupid laws so they can coexist with modern enforcement methods. I believe that the government has an obligation to minimize crime in as effective and economically efficient way as possible, and these forms of modern technology can help accomplish those goals while minimizing invasion of privacy. The main point of this post is to address effective and fair law enforcement, not privacy; I am working under the assumption that surveillance in public areas is not an unfair invasion of privacy because the public is definitionally not private.

With 20th century enforcement techniques like police cars using radar detectors to catch speeders, penalties have to be relatively high to deter the crime due to the low probability of being caught. Being fined this amount every time the EZ-pass catches you going 1 mph over the speed limit seems unfair. This law could be modernized to lower the penalty for speeding through an EZ-pass since you will be caught every time you speed on the tollways. As an institution, speeding laws are good because they protect the safety of all drivers on the road. Improving their enforcement would improve public safety at low economic cost. If the speed limit is unreasonably low, democratic forces will hopefully lead to an adjustment in these laws.

While I disagree with many laws on the books, I support law in general. I may occasionally engage in civil disobedience along with my fellow highway drivers, but I don’t fear the day when the government can effectively make me obey the speed limit. Law enforcement is intended to make our lives safer, even if individual laws sometimes stray from this ideal. We should spend our energy engaging the democratic process to oppose the laws we disagree with rather than opposing law enforcement.

In his paper, Mr. Orin Kerr argued that the Patriot Act “added several key privacy protections.”  While Mr. Kerr’s assertions are still points of contention, I want to move beyond the debate about what the law means, and focus on the implementation of the law. 

Legislation, by its intrinsic nature, is vague.  Laws often leave the details to be filled in by the applicable agencies.  At the same time, agencies are conditioned to protect its “turf” and, if possible, expand their scope, size, and ultimately their budgets. 

The director of the FBI, Robert Muller, echoed this tendency when he proposed that his agency should have the authority to monitor all internet activities.  Currently, the Department of Homeland Security is responsible for protecting (and monitoring) government networks, pursuant to the “secret” January 2008 directive signed by President Bush.  The National Security Agency already proposed in a January 2008 Congressional hearing that it needs warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers, in order to spot the cyber-terrorists.  In many ways, we can see there is a multiple-department race to be the “internet security czar,” despite the fact that each department was created under different mandates, with different (albeit overlapping) missions.  The message from the departments, however, was the same – “Trust us.  Give us more power.  We will be responsible.”

The problem with that message is the history of governmental spying is littered with cases straddling the legal divide.  Most recently, in October of 2007, the NSA was implicated in spying of American citizens inside the U.S.  The NSA was allowed to conduct warrantless (including rove wiretapping) spying using all available resources beyond America’s borders.  However, in order to capture all communication messages, the NSA needed access to domestic communication system, something that it could not legally do.  So, it decided to ask American telecommunication companies to help.  Some companies cooperated; one balked.  Quest Communications refused NSA’s requests that came without a court order.  When details of this warrantless spying program was leaked to the public, many major communication companies (AT&T, Verizon, etc) asked for immunity, arguing that government officials should be held liable (and not the telecom) if the programs a telecom helped with were found to be illegal.  According to the FISA legislation, it is a crime to spy on Americans, except when authorized by law. 

The NSA director went even as far as asking for immunity for everyone who participated in that program.  At the same time, he had the audacity to turn around, and asked for expanding the NSA’s power to infiltrate domestic internet service providers and telecoms.  What would happen if Congress grants that authority to the NSA?  As a spy agency, what the NSA does is classified, and often, the only answer we will ever get is, “We assure you that our warrantless spying cases happened because getting the Court’s approval is impossible.  We cannot discuss anymore without going into classified materials.  End of discussion.”

As with many people, I agree that preventing and defeating terrorists’ attacks is a legitimate and important goal; and we need to change the law to catch up with technological changes.  However, we also need to understand that many agencies, by their very nature, would “push the envelope” on privacy protections built into the law.  The discussion of privacy and constitutional protection should never stop when the law is passed.  It should continue in the halls of Congressional committees’ hearings.  After all, who would keep the bureaucracy in check if Congress skirts its oversight responsibility? 

Today the Seattle Times covered a new Microsoft product, which was certainly not surprising given Microsoft’s large Seattle presence.  However, this new device was something of a novelty for Microsoft:  it was a software toolkit designed to help law enforcement extract information from computers that had been used in crimes.  The new software, called COFEE (Computer Online Forensic Evidence Extractor), which fits on a USB flash drive, contains tools such as password crackers, memory and hard disk readers, and internet traffic analyzers.  While this is certainly a departure from Microsoft’s more traditional products, what is even more surprising is COFEE’s cost—nothing.  Microsoft is giving it away to law enforcement around the country for free. 

It’s relatively easy to see Microsoft’s motivation for doing something like this.  By giving free support to law enforcement, Microsoft is hoping that it can help decrease (or at least slow the increase in) the number and severity of computer crimes.  Since most computer crimes in the world today target Windows or other Microsoft products (such as Internet Explorer or Outlook), Microsoft is helping mainly itself by (essentially) funding law enforcement (note that many banks and other companies that are frequently attacked use Microsoft products under their own software as well).   Thus, Microsoft’s move is very sound economically. 

While it may be sound for Microsoft to help fund law enforcement (and improve computer security in general—Microsoft has a significant number of researchers and programmers in the fields of computer security and cryptography), it is unlikely that it would ever be economically sound for just about any other company to unilaterally fund law enforcement or (public) computer security research in such a way.  With the exception of possibly Google and maybe IBM, no other companies have an incentive to do so.  This is due to the free rider problem.  For instance, if Amazon.com spends a sum of money to help fund law enforcement, it will probably benefit, but Buy.com and Amazon’s other competitors will derive just as much benefit from this action.  Thus, Amazon and the vast majority of companies out there have little reason to spend money on law enforcement or publicly available research.  Companies that rely extensively on the internet do tend to do their own private research on various topics in security, but this research has only very limited benefits (Amazon’s security research probably only deals with making your Amazon transaction secure and isn’t going to help stop viruses).       

Thus, it seems to me that both law enforcement and computer security/cryptography research are not being allocated enough resources by society.  The only players in the current system that have an incentive to allocate resources to this would be monopolists or near-monopolists like Microsoft.  So, even though I typically oppose government regulation and spending, it seems to me like government spending on increased law enforcement and computer security research would be a good thing.