The idea of people having the power to comment and vote on important social decisions is something that I support. It has been successfully implemented in courts, where important decisions of life and death are taken by ordinary people without the intervention of any higher authority. Our society has many remarkable paradigms of self-sustaining, self-assembling collaborative projects to demonstrate and most of them are feasible because of the underlying technologies that have been developed: open-source software communities, wiki knowledge databases, peer2peer and financial support networks are just some of them. However when it comes to important civic decisions, at what level would our society feel comfortable to allow direct intervention from any person? A public forum where people can comment on the existence, need or proper enforcement of a law would be by all means beneficial for our legislative system and in some cases this already happens. But such “suggestive” or advisory forum would have no or limited power. On the other hand, one can imagine a society where people would actually vote on a diverse set of subjects, a risky tactic that can also have its own benefits.

The idea of inviting public assessment of current or upcoming work can be easily implemented in other fields, one of which is the academic peer review system. There is a plethora of examples where the peer review system has failed to ensure the integrity of scientific research, most notably in the case of peer review drug practices according to a New York Times article.

Currently, if someone wants to publish his work, has to send it as a paper to the editor of a journal, who will in turn send it to a few experts (two to five) that will review it. This process can take a considerable amount of time and there are several caveats such as not truthful or sloppy assessment of the research, conflicts of interest etc. An alternative solution might be to have a database where all papers can be added and publicly viewed and commended. Journals will be given the option to select what they would like to consider for publication and then send it to review with the permission of the author(s). Finally, journal editorial boards may opt to enter a bid or offer an acceptance for publication to the author(s) who may have a deadline to decide which – if any – of the offers would interest him. Such system would make the selection for publication based more on merit and less to the (maybe biased) opinion of the few (also would give controversial research, like the one generated by the Princeton’s notorious PEAR lab more visibility). Fortunately, there are several moves lately towards this direction including the ArXiv of the physics community, the PLOS ONE and Harvard’s recent move on an open access free publication service (which has already been approved).

Seems a bit absurd right?  Well, it wouldn’t be terribly difficult.  All it would take is some type of general surveillance between your car and the road that you were on that kept track of you speed and checked to make sure you were not violating any traffic laws.  It should be easy enough of with the technology we have today, but the sheer idea of a surveillance system of this nature would drive shivers up my spine.  The mere hassle of being constantly fined for driving would seriously motivate me to find new means of transportation.  While that might not seem like a horrible result, you have to understand it would greatly hinder our efficiency as a society by placing unnecessary restrictions and penalties on ourselves.   

We currently use a model that is dependent on the fact that it is impossible to have cops patrolling everywhere in order to detect traffic violations.  But with the addition of traffic video cameras and overhead speed traps, you can see our America slowly gravitating towards an Orwellian future.  Perhaps that’s a bit extreme, but you should get the idea.  You are probably wondering why should we have speed limits if we do not want people to follow them?  Well the idea is that we do want people to follow them and they set up guidelines, but we also do not want people to feel like “the government is out to get them.”   

If you frequently speed, you are more likely to get caught by a random speed check.  While you won’t get caught every time, you should get caught often enough to dissuade you from speeding.  Furthermore, the penalties are strong enough to make such a breach of the law a serious issue.  Obviously, they could make the penalties for speeding less significant while increasing their surveillance efforts, but I would contend that significantly increases inefficiencies in society.  For starters, it creates more physical costs/paper work.  But beyond that, it causes distrust between people and the government by making it a “permissions culture.”  In other words, if the government is going to monitor ALL our activities to ensure we are not breaking any laws then we are yielding our rights to the government and giving them control over our actions.  There should be a certain level of trust between people and the ruling body, similar to the relationship between parents and children.  This of course goes beyond things like speeding tickets.  Technology will continue to make increased surveillance a very real option, but if we are to avoid an authoritarian type government, the government must continue to trust the judgment of its people, even if that means laws get broken more often (when calculated in absolute terms).  We have some very scary decisions to make over the next couple of decades, but when it comes down to the government monitoring daily activities of our lives, I will always come down in favor of a hands off approach.    

Custom tailored ads exist for quite some time now, almost immediately after web cookies started to appear in the web. In the next few months though, their power and predictive potential will be increased significantly thanks to the appearance of two new companies called NebuAd and Phorm. Both these companies want to enhance the effect of ads and marketing by installing devices on the networks of the participating ISPs. These devices will then monitor all unsecured WWW traffic that each user produces, including searches and Web page hits, and will look for ways to match want may interest you with a database of product and services. This way, participating vendors and websites will be able to display ads of higher relevance than before, potentially highly increasing their revenue. According to New York Times, already 3 major ISPs in UK have made deals with Phorm to implement its technology, and although NebuAd declines to reveal its partners (why is that I wonder ? Also read this New York Times blog entry on the same topic), Washington Post has revealed two of its ISP partners.

The implications of this technological partnership are tremendous. ISPs, who traditionally were out of the advertisement game, will now get a part of the multi-billion revenues related to internet advertisements. Internet advertising agencies and vendors are happy to be able to target the right market (according to Microsoft there is as much as 76% more chance that a visitor would click on an ad enhanced by behavioral targeting technology) with higher accuracy, while web site owners that will be able to charge more in order to host ads. As for the user, he will be able to get more relevant information about products that are closer to his interests than before. Nevertheless, all the above will come at a potentially high cost to user privacy, as each user action will be recorded by third party software, something that forced the Foundation of Information Policy Research (FIPS) to write an open letter to UK’s Information Commissioner urging to pass legislation that would render any technology of this kind illegal. Similar legislation, although with a much broader scope, is also sponsored by Democrat NY assemblyman Richard Brodsky who wants to make it a crime for certain Web companies to use personal information about consumers for advertising without their consent (New York Times Article).

Personally, I am up for any technology that enhances the user experience. I believe that systems like those discussed here can contribute to this, by enhancing the level of prediction that a content provider can have on your interests and character. Additionally this technology may have some beneficial side-effects, as for example Phorm software is able to identify fake websites and thus protect user privacy. It may also foster collaboration, innovation, internet entrepreneurship and emergence of free services, fueled by higher revenues in industry and internet markets. However, in order for me to wholeheartedly support such efforts, I need to be certain that certain conditions are satisfied. First, all parties involved must make sure that at no stage can the personal information of a person be associated with his identity. Given the way the current technology is implemented, I think it is very difficult for these companies to ensure that this will be the case, even with the randomization and no-storage policy assurances that they provide. This kind of association is what is dreadful to most people, from ordinary users to internet pioneers (for example see Sir Tim Berners-Lee BBC interview on net tracking). As a computer scientist I see a number of ways that similar results can be achieved with no such danger to privacy, but at the cost of higher bandwidth requirements.

Additionally, I believe that opting-in the service must be the default and not vice versa. Currently, this is not happening and even opting-out is painful according to this blog entry about Embarq ISP NebuAd opting out option. Legislation can make clear that users should have the option to opt-in and out, with the earlier to be the default mandatory practice and frankly a lot of other sectors would benefit from converting opt-out actions to their opt-in counterparts. This way, ISPs and companies like Phorm can even give monetary incentives to users in order to opt-in, returning some of the profits to the end-user base.

Finally, I have some ethical concerns over what kind of information such companies should be allowed to collect. Should they try to predict your need of cancer or funeral related services? You would be surprised on some of the choices that the coalition of marketing, advertising, ISPs and related software companies have agreed to (dis)allow. There is also the question of whether all the above will lead to increased utterly useless for the average user purchases, something that does not benefit the society as a whole. And since at the end of the day this is the only single objective function that we have to optimize, i.e. allow actions that increase short and long term social benefit, we have to ensure that the implementation and evolution of such techniques and technologies are leading to a more stable, humane and robust society rather than increasing the revenues of a selected few organizations and people.

For further reading there are several articles in the Bits blog of New York Times including what Saul Hansell calls “The Mother of All Privacy Battles“, interviews with Phorm and NebuAd chief executives, and more information on how Phorm cookies work.

Like Sam, I respect the institution of law, and think that if we pass laws, it is silly to argue against enforcement because it is TOO efficient. The proliferation of laws that are not easily enforceable nor universally accepted degrades public respect for the institution of government. Therefore, the ability to create laws that are ACTUALLY enforced would be very beneficial for society. Imagine if thugs could not get away with murder, or thieves would be caught red-handed. These are the benefits of increased surveillance in the best case. As such, society would actually be more efficient if technology were to be used increasingly in law enforcement.

However, the gulf between policy intention and policy as executed is wide. There are certain important, likely unintended consequences from any unanticipated shock to the level of sophistication in law enforcement. First we must acknowledge that laws on the books are not some objective force of morality keeping people from committing harmful acts. Rather, they are a set of rules passed by those in power through sophisticated mechanisms of favor-trading and political game-playing. One need look no further than the dramatic difference in punishment for crack versus cocaine use to see the arbitrary nature of many of the laws in America.

While increased enforcement would certainly provide greater reason to refrain from committing illegal acts, it would likely come at the cost of greater arbitrariness in the application of the law. It is fair to say that few white collar crimes would be caught on a CCTV television. Also, the drug delivery services in metropolitan areas provide their services to rich clientèle within the safe, protected walls of the upper west and east sides of Manhattan. On the other hand, those more prone to making use of public services, like the poor and most minority groups, would be increasingly monitored with an increase in public surveillance. Given this increased surveillance would unfairly spread the burdens of government spying, certain groups would likely be targeted and the arbitrariness of our legal system would only increase.

Another unintended side-effect of a hastily-created surveillance system is crime displacement. The argument put forth by many criminologists is that crime would simply move down the street, away from the densest camera coverage. Also, stepping up prosecution for laws that were passed with the intention that they would be hard to efficiently enforce (for, example, to create a deterrent effect) would be a retroactive increase in the punishment for a certain crime. The principle of retroactive prosecution is not one favored by American jurisprudence.

These concerns are only the most easily apparent upon contemplation of new policy. Thus, it is safe to say that a strategic plan is needed to fairly increase the efficiency of law enforcement. Without realization of the potentially harmful and non-negligible unintended consequences of new policy, good intentions can (and often do) create more problems than those they set out to solve.

Naturally, regulatory mechanisms should be in place in order for governments and their agencies not to overstep their authority, misinterpret and misuse this social mandate: it should be absolutely clear who can do what, and in what circumstances. There is a plethora of cases where these lines are blurring. For example, should a school camera installed to catch trespassers, fights and harassment be used to report intimate moments of students (article)? What about personal text messages in a cell phone that has been confiscated (article)? Should a program that analyses employee video streams and uses this information to infer the stress levels be also used to calculate the productivity and overall performance of a worker, something that can lead to his lay-off or promotion (article and patent)?

The threat of misusing sensitive data becomes more imminent with technological progress. Pervasive computing and sensor networks open endless possibilities that the Big Brother always wanted but couldn’t afford. Universality and data integration increase the processing efficiency but also make the effect of a potential leak even more devastating to human privacy. Often technology precedes regulatory and safety mechanisms and some may claim that this is what is happening in the recent attempt of the federal government to launch a system that would bring together thousands of city-owned video cameras that would feed video into a central office at the D.C. Homeland Security and Emergency Management Agency (article).

Questions like who will have access and analyze the data, and for how long these data will be stored will also determine the risk to privacy in such monitoring systems. As algorithms become more sophisticated we can transition from a supervised or semi-supervised monitor scheme to a fully unsupervised one, where image processing and machine learning techniques will render any human-data interaction in the majority of cases unnecessary. This in turn reduces the risk of leaks and malicious human actions, one of the major concerns today. Regarding the storage of the personal data, there is again a trade-off between privacy and enhanced protection. Although the amount of information that passes through an ISP is vast and prohibiting to be stored for large periods of time, this may change in the near future. Storing everything can provide a fossil record of communication that may prove valuable to future investigations, but also seriously increasing the harmful effect of a severe security breech.

For all these reasons we have to push for a close regulation - not prohibition - of governmental monitoring of human communication. The question of who is going to watch over the watchers is always there, but I am optimistic that in a mature democracy sufficient regulatory mechanisms will be implemented and updated whenever necessary (as was the case with the creation of FISA in the 70’s).

While voter intimidation has always been a serious crime in the United States, only with the advent of recent communications technology has the need for prevention begun to outstrip the need for enforcement.  Whereas in previous decades, the criminality of voter suppression was enough to keep most politicians and their surrogates from intimidating voters, in recent years it has now become possible for one person to suppress a large number of votes before being caught, allowing them to get their candidate elected and then “take a fall.”  Thus, rather than only being concerned with voter suppression detection and prosecution, it may be wise to look into voter suppression prevention as well.

Much of this would depend upon the medium through which the suppression is being communicated, however, there may be some bundle solutions.  One might be to require that any political organization registered with the government provide a degree of transparency about their actions, such as agreeing to be wiretapped.  This would help to focus the fraud prevention efforts of the FEC, giving them time to catch such things as the voter registration phone calls soon after they begin.

Another possibility would be to create a committee for the sole purpose of electoral fraud detection (separate from the FEC).  While this is a very cost-ineffective option, allowing a committee the ability to aggressively detect and block certain specific behaviors without a court order could dramatically decrease the amount of damage those behaviors could do.

One final way would be to dramatically increase the penalty for election fraud, so that it would be more of a deterrent to individuals who may be prepared to take a fall for their candidate.  In particular, there should be no situation in which intentional voter fraud could be found a misdemeanor.

By increasing the penalty for election fraud, creating a committee not within the FEC but with the power to detect and block certain fraudulent behaviors upon seeing them, and requiring that political organizations commit to having their communications with the outside world revealed and scrutinized before things go public, it may be possible to create a fraud prevention scheme that will work in the information age.

Of course, criteria would have to be set for this type of court/formal approval system. Requests for these searches would have to present the exact algorithms that would be used to search, the generically-defined but intended target of the search, the exact types of communications to be searched and reasons for each of those, perhaps some geographic limitations as far as message origins and destinations, the private sector providers to be cooperated with and utilized for the search, and the expected level of false positives from these searches. There of course could be more criteria as well as more limited qualifications for each category. Further, there could be review after a specified period(s) of these sorts of searches as far as the level and type of false positives actually occurring and, if possible, the national security gains derived thus far from a content search. These reviews could inform the court/system on the need for continuance of the search and any changes in the criteria that initially justified it. It could further offer refined information to apply to other approvals as far as predictability of false positives and the reasonable scope that should be allowed. The point is, rules can be set up that offer some way to control such searches vs. the alternative of complete intelligence agency/presidential discretion.

Such formalization would also be helpful legally. With so much secrecy surrounding even the existence of such programs, companies are stuck in limbo on how to cooperate and how to defend themselves. Leaving it like this could lead to further pushes for dangerous laws that extend sovereign immunity to anyone government works with, sometimes called “government contractor defense.” Such blanket proposals could lead to severe losses in accountability and open the door to further abuses. Even without such laws, under-the-table dealing for such arrangements and the judicial stalemate are serious problems. Having a formal court approve such searches would make these arrangements between government and the private sector at least somewhat more legitimate, reducing private sector and judicial uncertainty as well as some potential for abuse. It’s not a perfect solution, but it would clarify some present issues and keep the worst abuses in check.

Bringing these activities out through some sort of mechanism of approval is possible and far more ideal than the alternative of leaving them completely unregulated. Though such a system might legitimize these activities and perhaps lead to a slightly higher usage of such searches, it is important to keep in mind that these searches will occur either way at some level, and they might be a reasonable response to changes in technology and communications. FISA was a response to the abuses of the Nixon administration, and has generally been thought to work. A new court or expanded FISA might be a reasonable response to current abuses, needs, and loopholes.

One possible conclusion that could be drawn from this observation is that increased surveillance in the form of CCTV cameras and EZ-pass speeding tickets are a bad idea because they would lead to the enforcement of laws that people regularly break. This view seemed to be held by a number of people during yesterday’s seminar. This belief was defended with a cynicism against government; its proponents argued that “stupid” laws exist, will continue to exist, and slowly encroach on our freedom as improved technology leads to increased enforcement.

Perhaps I have a naive faith in democracy, but for some reason I’m not willing to believe the idea that a politician supporting regularly enforced $1,000 fines for littering would ever win a reelection campaign. While one possible political solution is to avoid surveillance or not to enforce stupid laws, I would prefer to see the government modernize the stupid laws so they can coexist with modern enforcement methods. I believe that the government has an obligation to minimize crime in as effective and economically efficient way as possible, and these forms of modern technology can help accomplish those goals while minimizing invasion of privacy. The main point of this post is to address effective and fair law enforcement, not privacy; I am working under the assumption that surveillance in public areas is not an unfair invasion of privacy because the public is definitionally not private.

With 20th century enforcement techniques like police cars using radar detectors to catch speeders, penalties have to be relatively high to deter the crime due to the low probability of being caught. Being fined this amount every time the EZ-pass catches you going 1 mph over the speed limit seems unfair. This law could be modernized to lower the penalty for speeding through an EZ-pass since you will be caught every time you speed on the tollways. As an institution, speeding laws are good because they protect the safety of all drivers on the road. Improving their enforcement would improve public safety at low economic cost. If the speed limit is unreasonably low, democratic forces will hopefully lead to an adjustment in these laws.

While I disagree with many laws on the books, I support law in general. I may occasionally engage in civil disobedience along with my fellow highway drivers, but I don’t fear the day when the government can effectively make me obey the speed limit. Law enforcement is intended to make our lives safer, even if individual laws sometimes stray from this ideal. We should spend our energy engaging the democratic process to oppose the laws we disagree with rather than opposing law enforcement.

Legislation, by its intrinsic nature, is vague.  Laws often leave the details to be filled in by the applicable agencies.  At the same time, agencies are conditioned to protect its “turf” and, if possible, expand their scope, size, and ultimately their budgets. 

The director of the FBI, Robert Muller, echoed this tendency when he proposed that his agency should have the authority to monitor all internet activities.  Currently, the Department of Homeland Security is responsible for protecting (and monitoring) government networks, pursuant to the “secret” January 2008 directive signed by President Bush.  The National Security Agency already proposed in a January 2008 Congressional hearing that it needs warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers, in order to spot the cyber-terrorists.  In many ways, we can see there is a multiple-department race to be the “internet security czar,” despite the fact that each department was created under different mandates, with different (albeit overlapping) missions.  The message from the departments, however, was the same – “Trust us.  Give us more power.  We will be responsible.”

The problem with that message is the history of governmental spying is littered with cases straddling the legal divide.  Most recently, in October of 2007, the NSA was implicated in spying of American citizens inside the U.S.  The NSA was allowed to conduct warrantless (including rove wiretapping) spying using all available resources beyond America’s borders.  However, in order to capture all communication messages, the NSA needed access to domestic communication system, something that it could not legally do.  So, it decided to ask American telecommunication companies to help.  Some companies cooperated; one balked.  Quest Communications refused NSA’s requests that came without a court order.  When details of this warrantless spying program was leaked to the public, many major communication companies (AT&T, Verizon, etc) asked for immunity, arguing that government officials should be held liable (and not the telecom) if the programs a telecom helped with were found to be illegal.  According to the FISA legislation, it is a crime to spy on Americans, except when authorized by law. 

The NSA director went even as far as asking for immunity for everyone who participated in that program.  At the same time, he had the audacity to turn around, and asked for expanding the NSA’s power to infiltrate domestic internet service providers and telecoms.  What would happen if Congress grants that authority to the NSA?  As a spy agency, what the NSA does is classified, and often, the only answer we will ever get is, “We assure you that our warrantless spying cases happened because getting the Court’s approval is impossible.  We cannot discuss anymore without going into classified materials.  End of discussion.”

As with many people, I agree that preventing and defeating terrorists’ attacks is a legitimate and important goal; and we need to change the law to catch up with technological changes.  However, we also need to understand that many agencies, by their very nature, would “push the envelope” on privacy protections built into the law.  The discussion of privacy and constitutional protection should never stop when the law is passed.  It should continue in the halls of Congressional committees’ hearings.  After all, who would keep the bureaucracy in check if Congress skirts its oversight responsibility? 

It’s relatively easy to see Microsoft’s motivation for doing something like this.  By giving free support to law enforcement, Microsoft is hoping that it can help decrease (or at least slow the increase in) the number and severity of computer crimes.  Since most computer crimes in the world today target Windows or other Microsoft products (such as Internet Explorer or Outlook), Microsoft is helping mainly itself by (essentially) funding law enforcement (note that many banks and other companies that are frequently attacked use Microsoft products under their own software as well).   Thus, Microsoft’s move is very sound economically. 

While it may be sound for Microsoft to help fund law enforcement (and improve computer security in general—Microsoft has a significant number of researchers and programmers in the fields of computer security and cryptography), it is unlikely that it would ever be economically sound for just about any other company to unilaterally fund law enforcement or (public) computer security research in such a way.  With the exception of possibly Google and maybe IBM, no other companies have an incentive to do so.  This is due to the free rider problem.  For instance, if Amazon.com spends a sum of money to help fund law enforcement, it will probably benefit, but Buy.com and Amazon’s other competitors will derive just as much benefit from this action.  Thus, Amazon and the vast majority of companies out there have little reason to spend money on law enforcement or publicly available research.  Companies that rely extensively on the internet do tend to do their own private research on various topics in security, but this research has only very limited benefits (Amazon’s security research probably only deals with making your Amazon transaction secure and isn’t going to help stop viruses).       

Thus, it seems to me that both law enforcement and computer security/cryptography research are not being allocated enough resources by society.  The only players in the current system that have an incentive to allocate resources to this would be monopolists or near-monopolists like Microsoft.  So, even though I typically oppose government regulation and spending, it seems to me like government spending on increased law enforcement and computer security research would be a good thing.

The figure of $20 for a voucher was tossed around in class, and examining current offerings on the market, it seems as though $20 would cover the entire cost of a reputable anti-virus program for one year for a single computer (for example, Symantec offers Norton 360 with a 1-year subscription for $80 with licenses for 3 computers). Let us assume that one $20 voucher will be given to any individual who purchases anti-virus protection for the year. Additionally, operating under the liberal assumption that there are about 100 million household computers connected to the internet in the US, the total cost of this program would amount to $2 billion.

Now, while $2 billion would seem like a staggering figure, to put it in perspective, the Love Bug virus cost over $8 billion to exterminate (cite). It is difficult to determine the total cost of virus and worm attacks in the US but it is a figure that is sure to be in the billions. The $2 billion cost of the program seems justifiable if some small percentage of attacks are stopped as a result.

While the goal of getting anti-virus onto every individual’s computer is important, the question remains as to why vouchers to individuals are needed. Vouchers to computer manufacturers or ISPs would surely lead to greater anti-virus usage. However, it alters the dynamics of the market. Manufacturers and ISPs would presumably choose the anti-virus to be distributed based on which company is offering the sweetest deal as opposed to which anti-virus company is offering the best product. If consumers are offered a voucher and are forced to pick between several different products, then for a given price, their decision will be motivated on quality. Competitive forces in the anti-virus market will still drive manufacturers towards creating the best possible product. However, if anti-virus purchasing decisions are now placed in the hands of ISPs and manufacturers, the dynamics of the market would be shifted.

The need for a mandate stems from the similarities between anti-virus and vaccinations, for anti-virus software to have the greatest effect, to realize the greatest benefits to anti-virus everyone must be using some type of the software. As for enforcement of a mandate, ISPs could be forbidden from allowing individuals without anti-virus from accessing the internet. To further improve security, ISPs may also be required to remove computers that are believed to be infected with a virus or worm, much as Princeton’s Dormnet does. Given the negative externalities that unprotected individuals place upon other users, justification for the use of an individual mandate seems available as well.

Vouchers could be implemented as in the form of a tax-rebate, etc, but the exact manner in which it is to be distributed is not the greatest concern. Another benefit of the voucher is that it would greatly expand the market for anti-virus software and given that the marginal cost of distributing more software is very low as most of the costs involved in the creation of software lies in research and development, increasing the size of the market for anti-virus software would allow companies to spend more on research since their revenues have increased. All things considered, if the best means to improving internet security is to ensure that all individuals are running anti-virus software, individual vouchers and mandates should be considered as a possible solution.

Another thing we should keep in mind when looking at these estimates is what is really being measured. Laura Koetzle, an IT consultant, states that estimates can measure “hard costs” like employee hours and hardware costs, but do a bad job in measuring loss of productivity or reputation. Perhaps what is even more costly is that companies have to reallocate their IT staff during virus crises and this can compromise general network stability and operations.

The scariest part is that we are becoming increasingly dependent on the internet and we require network security for our economy to operate. Could you imagine the cost of an internet blackout that lasted even an hour? It is naïve to measure the size of the problem in terms of dollar figures because it forces us to live in a constant state of fear regarding the safety of e-commerce, data storage, and general network dependency. For example, would it be fair to measure the cost of the September 11^th attacks by only considering the cost of lost lives and damage to structures? One would have to consider the general loss of productivity, the increased requirement for preventive measures, and the fear it creates. Network security is no different. There are still plenty of people who refuse to do online transactions because they do not believe it is safe. A single network attack is enough to bring a company’s operations to a halt for several days or to destroy years of unbacked up data on personal computers.

The good news is, the majority of these costs are currently from the corporate side. This means that the problem can really be isolated to having better corporate network security and this makes implementation considerably easier because we do not need vouchers or mandates. Education classes on safe network use can easily be handled in-house by companies who would like to preserve their network safety. At the same time, the government should look at network security as a “national security” issue. In other words, their main concern should be to consider the worst case blackout scenario and figure out how to circumvent any such national internet failure. Overall, I think network safety is a problem that will be propelled into the forefront over the next decade or so, but we should be careful at calculating the costs associated with it and also realizing that the main threat is not on the personal computer level.

http://www.cnn.com/2007/US/09/18/traffic.congestion.ap/index.html

Sam’s post from Tuesday contained the following argument: “the government should first and foremost follow the ‘do no harm’ principle when concocting new regulations.” I wholeheartedly agree and would like to point out why exactly the harm from security regulation could (would) happen.

If the government regulates security, it will have three avenues: overseeing development of security software, choosing/setting standards, or running a program for the public. Either scenario will intend deadweight losses that vastly exceed the opportunity for gain from better security.

First it must be reiterated that somewhere in the realm of $10-100 B dollars is the extent of harm. America’s GDP in 2006 was around $12 T, or 100-1000x greater than this problem. That means we are dealing with 0.1-1% of societal harm. Many other things likely cause much more harm than the “I Love You” virus. More importantly, the costs of remedy are probably lower. Consider the following examples.

Our broadband network is deplorable compared to much of the developed world (Mossberg), and our economic productivity will likely suffer in the future if this harm is not rectified. 40,000 people per year (a substantial fraction of the population born) dies from a car accident, and countless more are injured. Even more inocuous harms like traffic pose a serious threat: the average American worker sits in traffic for 40 hours a year (CNN), or an average work week. Given Americans work 50 weeks a year (an entire week is 2% of productivity), traffic alone causes more harm that viruses. This is not to mention the other harms from traffic (pollution, inconvenience, etc.). In fact, we wasted about $80 B alone in 2005 from cars sitting in traffic. A 10% improvement in idling efficiency is sizable compared to the harms of computer viruses.

If we are to engage in a costly procedure of standardizing software security, educating the general population about the virtues of network externalities, or (gasp) disseminating specific “government backed” security programs, a proper cost accounting is crucial. If the solution costs greater than $10-100 B per year, it is certainly not welfare improving. Even if it is less, it will likely entail a sizable opportunity cost relative to the alternatives (remember 50 cents on the dollar in government is lost to waste (Pritchett, 1996)).

This is not to say that the threat from destructive computer hackers is not serious, especially if these types of harms have historically followed an exponential trajectory. Rather, endorsing private solutions (which create other public benefits like employment) or diverting funds to be used on security improvements to other areas instead of spending resources on questionable returns is simply wiser. Government staking claims of authority over the issue is the first step towards a wasteful endeavor.

While both these problems are legitimate, placing the federal government in a role that allows them to standardize standardizations would allow them to manage a complex system in a simple and easy to achieve way, and to create a program that only certifies security systems that not only meet the minimum standard, but can move beyond it.
The idea is this: the federal government’s security standards committee would license security standards providers. The providers would be able to leverage this by providing security programs the ability to stamp their systems with a government seal recognizing that they have achieved a certification from a government-issued certifier. To be given certification from the government, security standards providers must be able to show that the following are a part of their business process:

1.) Prove that an adequate level of security is available before the user is accesses any part of the internet other than the security provider’s servers.
2.) Prove that security updates made by providers are created and distributed in a timely and effective manner when new viruses are discovered, or that the infrastructure is in place for doing so for new software
3.) Prove that software from security providers does not do damage to a user’s computer
4.) Show a willingness to update their standards based on both new viruses and an advance in virus detection, quarantine, or removal.

By certifying standardization businesses that adhere to these four principles, the federal government can ensure the manpower is available to certify security programs while still keeping businesses from playing to the minimum standard. The key to eliminating play to the minimum standard is the second part of #4 – if standards can change based on new technology, it is in a businesses’ favor to make inroads in that technology in the hope of getting other companies to lose their certification until they can catch up. Rule number 4 in fact lets this policy promote innovation, rather than stifling it.

One answer which could work in the case of computer security is defaults. It is a strategy that is becoming more popular for everything from savings plans to organ donation. Essentially, people will tend to follow the default outcome (the one they are placed into when a proactive step is not taken otherwise) even though they are free to choose to do other things. Therefore, if something is made a default, then more people “choose” it than if it is merely an option that would take proactive steps to pursure. This happens both because people are lazy but also because they are uninformed about many things and take defaults as a sort of advice of what the norm is. Socially desirable outcomes can thus be set as default outcomes to increase the instance of their being chosen without restricting the actual choice of the individual. Instead of mandating a behavior, which is rather parternalistic and would lead to calls for offsetting new burdens through funding, the government could simply make certain behaviors default so that choice is maintained but allowing the cost to be bourne by the chooser.

So, how can this be applied to the computer security and software market? First, the government would have to make a mandate of sorts, but on either computer manufacturers or ISPs. This mandate, however, would only require either of these entry points to computers or the internet to make virus software and other protections available to consumers as the default choice when they begin to use the product/service. For instance, on each new computer bought, virus software could figure automatically into the price quoted to the consumer and will come on the machine, unless it is requested to be taken off. This happens with cars all the time. Features are automatically thrown in and added as line items to the price, but can be taken off or not automatically added should the request be made. Thinking long-term, the pre-installed software can be automatically set up and paid for for a few years to avoid lapses in security at later dates. Consumers could still opt out of these costs at will, but they will have to actively choose insecurity, which is much less likely to happen.  And if all computer sellers are required to build this cost into their price automatically, then companies do not have as much room to gain an edge over competitors by offering cheaper comptuers without these protections.  Such requirements for virus software can be placed on ISPs instead, just perhaps in a more complicated way.  When consumers sign up for internet access, they can be steered into packages with antivirus protections.  That, or when starting to use an ISP, their machine is checked to detect virus software, and if it is lacking, then they can be presented with prompts to buy software and warnings of its importance. The prompts could automatically check off a reasonable protection package, but offer a variety of other options, and the consumer would have to take several steps to actively avoid purchasing protection. To really push this, such annoying prompts could appear every time the internet is used by an unprotected consumer to remind them of dangers and to help internalize the externalities they cause in being unprotected. This may ultimately influence them to buy software to end the prompts and pop-ups. Again, choice is maintained, but people are steered into a socially desirable result.

In either the case of computers sellers or ISPs, the costs of such a change are minimal in that it only requires direct offering of protections to consumers. Consumers would end-up bearing the costs, but through their own choice. Some may wish to defend consumers against this cost, but in all honesty, it would not be much. Decent software is not expensive, and if demand goes way up due to default changes, the price is likely to fall.  As for government, it would have to spend very little to enforce a rule as simple as requiring companies to offer software in an automatic fashion.

The question may still remain as far as standards for the level of default that is automaticlaly offered and how to avoid the race to the bottom. But these are issues that can be overcome perhaps by structuring some expert panels or boards to set standards. And these can be very broad. Further, I want to reiterate, a race to the bottom has very little place to go when the cost of decent protection is already rather small, so it may not be a huge problem.

Anyway, default policies can be one option to increase end-user adoption that may work. Along with research and bounties, this combinaiton of approaches would be a good start to containing the computer security threat without overbearing government and ridiculous cost.

Let’s first consider the case where the government directly subsidizes the end users. As an example of this case, the government might give out twenty dollar vouchers to all US residents with a registered internet connection that could be spent only on anti-virus software. A typical consumer wouldn’t be able to tell the difference between good and bad security software, and would likely end up buying something that cost right about twenty dollars since they wouldn’t want to waste any extra money on a product for which they cannot assess the quality. This, of course, assumes that average people would actually spend the time to buy the software and use the voucher, which many might not if it is both relatively difficult to acquire the software (say it has a long download time, which is a reasonable assumption) and if no one is requiring that they have this software. As an aside, in the past many electronics companies have offered mail-in rebates on a wide variety of products (you have probably seen these in a Best Buy or Circuit City, for instance). However, while it may seem like a bargain to the consumer, the companies tend to view it as money in the bank due to the very low response rate, despite the fact that it is “free money.” If people are too lazy to address and stamp an envelope for cash, would they be willing to use a voucher to download anti-virus software that they don’t know too much about if it is not required by the government? I doubt a government subsidy without a mandate would do much good, and, as we discussed in class, a government mandate requiring everyone to run anti-virus software of a certain quality on all of their computers would be a terrific mess.

Now let’s move on to the case where the government subsidizes the ISPs in some way. Rewarding the ISPs based on performance seems silly—there is no accurate or precise way to gauge this. If you look at figures of the size of botnets, the number of computers infected by given viruses/worms, or the number of spam e-mails send over a given network in a certain time period, you will notice that they are typically very, very imprecise. Since there is no accurate way to measure the performance of an ISP in terms of security, it just does not make sense to reward the ISPs monetarily based on this. Finally, requiring the ISPs to be responsible for making sure that all of their end users run anti-virus software runs into all of the same problems as the case where the government directly subsidizes the end users, except it is worse, because generally the ISPs would have less of an incentive to force the users to run a good anti-virus program than the government would due to the spillover effects of the market for computer security.

Unfortunately, the computer security market seems to be a place where the government is hamstrung and cannot effectively directly attack the problem from an economic standpoint. All it can do is fund initiatives like research or more law enforcement, which, while not ideal, still will have good results in the long run.

Like a good doctor, the government should first and foremost follow the “do no harm” principle when concocting new regulations. While Barnes is well intentioned, his ideas for regulating the software industry would most likely come at a high cost to innovation. He correctly identifies several market failures in the software industry due to externalities like network traffic from worms and lemon effects from closed source standards monopolies. However, he underestimates the power of the market as a whole. As suggested in the article, significantly raising the bar for security expectations would lead to slower product development with fewer features, which customers want. If this comes at the price of a little more network traffic and a few distributed denial of service (DDoS) attacks, who is the government to say that is a bad thing?

Before you try to burn me in effigy for suggesting DDoS attacks might not be such a bad thing, I am rather suggesting that it is not worth sacrificing the wealth of software solutions currently available and spending millions of dollars regulating the software industry in a quixotic quest to rid the world of software bugs. Market forces already do a decent (but not perfect) job of promoting security. The biggest targets for security exploits are the biggest players in a given market (namely, Windows, Internet Explorer, and Office). In the early part of this decade, a number of horrendously embarrassing worms and viruses exploited these programs, causing Microsoft public humiliation and damaging their once more valuable brand name. As a result, Microsoft has focused much more on security and things have generally improved. Smaller companies, like startups, are generally less targeted and thus it is less necessary for them to spend the resources to adhere to the absolute best practices with regard to security. This allows more innovation, which is good for the economy. It would be impossible for any government regulation scheme to balance what is best for the economy with regard to both Microsoft and a small startup.

It would be nice to create incentives to improve overall network security through measures like firewalls and anti-virus software. Doing so at the consumer level is probably worse than hopeless; I imagine if you sent everyone in the country virus scanning software on a CD, you would not significantly increase the number of computers protected. Most end users lack the economic motivation or technical know-how to protect themselves. The one place Barnes’s article really resonates with me is the paragraph before the conclusion:

To a certain extent, the answer may lie with ISPs, rather than users themselves. Some ISPs have taken to cutting off internet access for a period of time when user equipment becomes worm infected. This approach has merit because ISPs are already motivated to reduce worm traffic; requiring a consistent response from ISPs with respect to worm-infected users would eliminate any tendency of ISPs to compete on the basis of turning a blind eye.

If only we could somehow hold ISPs responsible for the BotNet activity and worms coming from their users, maybe they would force users to install virus scanning software, as Princeton University DormNet does. I’ll leave the exact policy implementation for someone else to ponder…

The software market is a lemon market.  Typical consumers cannot distinguish bad software from good software. Software publishers face perverse incentives to release software as soon as possible to gain market shares.  Once the software is bought, consumers have no recourse to return the products, except if the medium was defective.  With the proliferation of “medium-less license” software (download via the internet), when a consumer buys a piece of software, he or she has crossed a point of “no-return.”

The intervention for this case is rather straightforward.  Software publishers should be required to allow for a grace-period of 10 days, which should be long enough for the consumers to test the software.  The software should be fully functional during this period.  Many software publishers do this already in the form of demo, but the government should take a step further, mandating a baseline grace period for all software sold.  This should create incentives for software publishers to test for security flaws more thoroughly.  Many markets for other products are already under similar mandates.  For example, the state of California requires a grace period for used cars. 

The other reason for intervention is the consumers themselves.  Humans, unfortunately, are over-optimistic when estimating their chances of getting infected by worms and other evil lurkers on the internet.  It is a well-documented phenomenon in the psychology field.  People tend to see the future through “rose-colored glasses,” as the saying goes.  Hence, most people do not spend extra money to buy security software, if it does not come with the computer already. One possible solution is for the government to create a clear, immediate, and easy incentive for people to buy security software to protect their computers.  The easiest form is a voucher.  Anytime a person buys a computer, he or she will automatically get a voucher, which subsidizes most of the cost of basic security software.  If most consumers take advantage of the vouchers, they would inoculate themselves (and others) against most viruses and worms.  This will not be the first time nor the last time our government gives out technological related vouchers.  Our government is currently offering vouchers for digital television converters to help people with the transition to digital television.

Government intervention is warranted when there is a market failure and the intervention will make consumers better off.  Any intervention will face political obstacles, including opposition from the computer industry.  I believe that the clamor for intervention will happen when a hacker uses a crippling known software breach to render most personal computers useless for a considerable period of time.  The clamor for a “flyer’s bill of rights” erupted when there were massive airlines’ delays due to factors within the airlines’ control.  When will the software industry face the call?

            Let’s backtrack a bit for those who may not fully comprehend the revolution that Napster started.  This is what the RIAA used as the basis of their lawsuit:  “Napster is about facilitating piracy, and trying to build a business on the backs of artists and copyright owners.”  Napster responded with, “We’re this tiny company caught between two industries: the Net and music industry.  We look forward to working with the RIAA to create laws for the good of artists and music lovers.”  Well the truth was somewhere in between the press releases from the two companies.  It is true that Napster facilitated the violation of copyright by individuals, but at the same time it served legal purposes.  Moreover, it’s arguable how much it really hurt the artists and copyright owners. 

The constitutional justification for copyright has very little to do with a personal entitlement to have ownership over your work, but rather, belongs to the more vague reasoning of “promoting the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”  Well what does this actually mean?  The argument can be made that copyright exists to promote the spread of the arts to as many people as possible.  So then, is it possible that the breach of copyright, through a program like Napster, does far more to spread music to all income levels, than protecting copyright ensures the creation of more art.  In other words, if our objective is to maximize the promotion of music, it is unclear if we should focus on its creation or its distribution.

Now, let’s return to the case of Napster.  Even if we assume that the primary usage of Napster was for illegal activity, one has to wonder if it is fair that someone else gets the complete benefits of the product they created.  The entire MP3 revolution and the iTunes revolution would have never existed without Napster.  Napster created a whole new way to distribute music and popularized a rapidly growing form of music compression.  However, the “rents” from this new distribution channel were quickly captured by Apple, the music industry, and the artists, while the innovator behind the entire process was left with lawsuits.  Of course, I do not bring up Napster just to reminisce.  Napster is particularly pertinent in today’s world because we are faced with an extremely situation with YouTube and it is interesting to see if YouTube will be rewarded for revolutionizing the way video media is distributed or if the courts will come down hard on the company. 

Now, the impetus for ISPs is clear. One ISP representative stated that “The fact is, P2P is (from my point of view) a plague - a cancer, that will consume all the bandwidth that I can provide. It’s an insatiable appetite.”, while another said that “P2P applications can cripple a network, they’re like leaches. Just because you pay 49.99 for a 1.5-3.0mbps connection doesn’t mean your entitled to use whatever protocols you wish on your ISP’s network without them provisioning it to make the network experience good for all users involved.” (cite) When ISPs have such a large incentive and desire to interfere with traffic, action needs to be taken so that customers are indeed receiving the internet connection they are expecting to receive.

The problem with Comcast’s tactics is not simply that they were interfering with individual’s traffic but the manner in which they were doing so. Comcast appears to have not disclosed what it was doing until it was discovered through independent investigation. Net neutrality has often been thrown around as a solution to such situations. Nevertheless, looking at ISPs recent failure to even show up at a recent conference on net neutrality, forcing net neutrality on ISPs would seem to be a difficult proposition. (cite) As I will argue, rather than mandating some form of net neutrality, it is far important regulation that ISPs are far more transparent in the services they are providing.

With a more transparent system in place, consumers will be better enabled to decide what ISPs best suit their needs. However, better disclosure of information would not only allow consumers to better decide what type of ISP they need but would presumably improve ISPs’ ability to price their plans. Individuals who only use the internet to check their email presumably do not require the same connection that a dedicated file sharer would need. With better price discrimination, more consumers would then presumably purchase internet access. Furthermore, ISPs would be able to extract more revenue from consumers so they too may support such a measure.

Net neutrality is indeed a noble concept but it seems unlikely that it will ever gain the support of the ISPs. More stringent disclosure requirements for ISPs would presumably have a similar effect, while giving individuals more choice.

http://www.dol.gov/_sec/media/reports/annual2001/strgoal2s3.htm

http://www.heritage.org/Research/labor/bg334.cfm

http://economistsview.typepad.com/economistsview/2006/03/what_jobs_shoul.html

http://en.wikipedia.org/wiki/H1B_visa#Quotas_and_changes_in_quotas

http://en.wikipedia.org/wiki/H1B_visa#Quotas_and_changes_in_quotas

http://jobsearchtech.about.com/od/careerplanning/l/aa010300_chart.htm

http://www.chiefexecutive.net/ME2/Audiences/Default.asp?AudID=328DCF73ACA1493ABBD34BF8AB37D74A

Immigration, hiring, and outsourcing/offshoring policy are three very interlinked topics. Let’s start with hiring (and firing). Companies hire and fire workers frequently. The number of jobs created/lost each quarter is about 8% of the total workforce, or 12 million jobs every 3 months (NYTimes). That’s 50 million jobs a year, much more than the number lost/gained from year to year. Between 1992 and 1999 net of turnover the economy gained about 3 million jobs which equates to 500,000 jobs per year, or 1% of the annual frictional turnover.

With very high turnover like this, companies can and do try to reduce costs with each labor change. Firing a group of people who can be replaced by fewer new employees is one cost cutting measure. Another is using technology or developing worker-technology process improvements to reduce the reliance on labor.

When rehiring, you can choose anyone/anything. Companies are increasingly turning to technology to replace workers, and those who need people seek to hire the cheapest labor available. That entails outsourcing, or hiring illegal immigrants if possible. Both solutions are attractive to companies because these hiring pools are cheaper, easier to hire and fire in the future, and do not require or expect healthcare, etc.

Companies have been avoiding US workers more and more insistently. The CEO Confidence Index, which polls hundreds of CEOs each month, is peppered every survey with comments from CEOs saying things along the following lines: they want to hire, but US employees worth what they cost are hard to find (ChiefExecutive). Thus we can see that the trend away from US to illegal and foreign workers is one made out of the quest for economic efficiency. The quest for efficiency is also what has created and dislodged each monopoly in the modern industrial era, at least according to Joseph Schumpeter, whose name has been dropped in previous readings.

American Federal Government finds itself in the precarious position to either: a) retrain workers to keep the jobs here, or b) let in enough immigrants to raise the wage levels of certain job pools to a more competitive level. It is doing neither. Only about one in four fired workers eventually gets a new job from retraining. And immigration of just 1 million per year (Wiki) is not enough, even assuming all immigrants are seeking jobs. H1B visas, 90,000 of which will be issued in 2009, are just a drop in the turnover bucket.

It is easy to understand the push for offshoring after considering the points above. Without adequate and legal hiring prospects domestically, the need for foreign labor (illegal or offshore) will only increase. We will find ourselves even more out-trained and uncompetitive if nothing is done. A good place to start is increasing immigration quotas and retraining more workers. If even conservative advocacy groups like the Heritage Foundation see a role for government in retraining workers (Heritage policy paper) and Republican presidential nominee John McCain supports more sensible immigration policy, a political compromise appealing to both the left and the right can probably be found. Both of the options above seem like more sensible policies than some of the alternatives. Look at Russia, who is dealing with its problems by hyping national “procreate” days.

In this blog I will not discuss the reasons behind wanting to implement a policy to require authenticated internet use, but rather the feasibility of implementing it. The discussion of whether or not it would be useful could be a book unto itself.

The major issue with respect to implementing such a policy would be the ability to guarantee that a given computer was not stealing the information being used to identify the individual. Imagine, if you will, going to an internet cafe in your hometown and then three days later being charged with libel because your account was hacked. While this is not necessarily an everyday situation, it may well be a frequent one, and the ease with which one might get such information from a public computer is a paramount concern.

There are ways to protect your information even with a public computer, however. Many companies and even the US Department of Defense have begun to use “smart cards” that cycle through passwords for you based on criteria such as the date and time (cite). As long as you have the card, all you have to do is look at the current password, type it in, and it identifies you.

The problem with such a system is twofold: on the one hand, it would be very difficult to institute a change in software to allow for personal identification overnight. On the other, such a system may be prohibitively expensive for many people who would use the internet in, say, public high schools, public libraries, or other public places. To lighten the load of infrastructure issues, it seems to me that the best defense may be to require that the government have a central authentication server.

A central authentication server allows users to log in to websites using a third party. In the case of national personal authentication, users would log on to a government website using information such as their name, home address, SSN, or other identifiable information. When they next tried to access a web page, the page would ask the government servers to provide a verification that the computer is logged in. When the server responded yes, the website would begin accepting correspondence.

This would effectively share the burden of privacy. The government would be able to tag IP addresses to specific individuals at specific times, and private hosts would be able to tell what those IP addresses were doing on the internet. Without the government’s control over session variables, it would be difficult to determine who was who, but government involvement could provide accountability in the event of disorderly conduct.

One possible issue with might be the scale of such a system. A database with 600 million entries would be bad enough – imagine a database with 600 million entries, personal information, and session variable records for each internet access! Not only that, but the act of government servers verifying users would require that the government be able to keep track of which websites a user was visiting. There are, of course, ways to make such a system more appealing to internet users (for example, provide a private buffer that routes these session variables to and from the government without saving any records), but such a prospect is difficult and would take time.

The moral of the story, as I see it, is that it is possible to get nearly the same level of authentication over the internet as you would from a driver’s license, given the time and money to create the infrastructure. The question of whether everyone who uses the internet should be authenticated, however, I leave to you.

A particular risk many industries face that also applies to the IT sector involves product integrity. It may be cheaper to make something in China, India, or Bangladesh, but is the output really the same? There can be all sorts of checks on quality control, training, strict processes, and screening of employees, but when operations are made more remote, assurance of integrity diminishes. From tainted food products, to inconsistent clothing, to faulty parts on vehicles, many manufacturing industries have trouble upholding the same standards that would be expected in a domestic factory.

While business in the IT world is unique, it faces potentially the same problems and perhaps more in this regard. Its products often require consistency just to be useful, let alone satisfactory. Standardization with overall product lines is critical. The individual product may be responsible for for endless other functions making problems or failure that much more consequential. Competition is fierce and trade secrets can be vital. Finally, private information is often transmitted in incredible volumes and is also easier to compromise in such volumes. These aspects and perhaps others make IT outsourcing especially vulnerable should there be losses in integrity of processes or products. As more parties put their hands on a product and as the central authority has less and less oversight capability, there can be intentional and unintentional breakdowns in what occurs. While the IT specialists may be plentiful and cheap in a foreign place, and while measures may be taken to ensure good outcomes, those measures cost money themselves (most likely more than would be required to implement the same techniques and oversight locally) and the gaps that must be bridged are often hard to anticipate and correct for.  This risk in outsourcing of losing precision and quality is often misjudged or ignored but absolutely necessary for industries, including IT, to recognize when deciding what to send out.

In some cases, companies have discovered outsourcing for certain products and services is overly complicated, and some are moving back to the States. Granted this is not the overall trend, but illustrates how outsourcing brings in all sorts of hidden troubles that can be costly themselves. While basic calculations of savings show cheaper labor, lower costs of inputs, and lower taxes, the costs of oversight, quality, and public relations often get ignored, even though they may ultimately outweigh the “savings.”

The point is that the choice to outsource should not be made so hastily as to overlook the benefits of keeping things on more familiar and more controllable territory. This message is even more important for those industries like IT where high quality output is critical, standardization of output is important, and where sensitive information is exchanging hands. The decision to outsource may still be a good idea for many, but it should not be taken as a given that it is universally necessary or postive. Without these calculations, the risks being taken on have the potential to destroy businesses, endanger clients, and undermine critical operations.

Imagine if the US Postal Service looked through your mail. Or, worse, you didn’t put your mail in an envelope but rather handed it over to the USPS. They would look through it, decide whether its legitimate mail or not, and then give it a priority rating. If it was high-priority, it would get wherever it needed to go faster. Even if the USPS was replaced with FedEx or UPS, who you can choose to patron, it would still be a bothersome development from the point of privacy. What if you disagree with FedEx’s judgment of how important your mail is? Or, even more importantly, what if you don’t want them to know what is in it in the first place?

Nobody really cares what you ship or where you ship it, unless it’s anthrax or plans to blow up a building. However, the internet is a much more complex place, and interests are much more diverse. Comcast recently caught a lot of bad press for delaying BitTorrent traffic, the p2p communication tool that many young people use to pirate music and videos through the internet (CNet). Comcast met a storm of worried consumer advocate groups, even in the case of making it hard to partake in illegal activities, which BitTorrent most often enables.

If it’s going to be hard for someone like Comcast to stop BitTorrenters from sending gigabytes of pirated media across the internet, imagine how hard the sell for Verizon is going to be. Verizon and other major ISPs are major opponents to the new internet doctrine of network neutrality, which seeks to endow all internet traffic with equal rights. Under network neutrality, we won’t have the scary scenario envisioned above for physical shipping become a reality in the world of internet traffic routing.

Verizon’s intentions are economically efficient or greedy depending on who you ask. People who use the internet obviously have different willingnesses to pay for routing services, as well as for the speed of delivery. A business like eBay can’t afford to have traffic delayed that informs users when its auctions end because mere seconds can be the difference between winning that life-size Marilyn Monroe blow-up doll and crying yourself to sleep every night, all alone. A different user of the internet, like Grandma, is probably less worried if her email telling you she figured out how to turn the TV on gets to you a few minutes later. Being able to figure out the difference between the two implies a lot of revenue for Verizon. With this ability to price discriminate, it can then lay fiber optic cables all over the country. More efficient pricing means higher quality provision of services.

However, the issue is not so simple as economic efficiency. Verizon is not just an ISP. It offers mobile phone service, and now is jumping into the world of TV (VZW links). Verizon-as-telephone company and Verizon-as-media-company have vastly different interests than Verizon-as-provider-of-routing-services. Consider the following two scenarios:

1) VCast: Verizon’s video and audio download service allows you to access movies and songs on your mobile phone. Any VP in the VCast division worth his chair is likely preparing operations to roll VCast or some similar service across the fiber Verizon is laying to the home. After all, Verizon offers its TV services on cell phones now, under the name mobileTV. Without network neutrality, Verizon could delay movie purchases you make through the iTunes store, with a nice little delay message advertising its movie download service. Worse, it could block iTunes in totality and redirect people seeking songs & movies to its own service.

2) Skype: The concept of paying a large chunk of money to be able to talk to someone else is rapidly becoming ridiculous. Many service providers are offering free telephony services through the internet. Verizon, on the other hand, charges $100 per month for unlimited cellphone calling and about $30 a month for a land line telephone. If you can get Skype for free on your computer, or worse, Skype mobile on your 3G-enabled cell phone, why pay for phone services? Verizon could block access to Skype or similar services, limiting consumer choice.

However, without price discimination, many people will not even have FiOS in the first place. What’s worse no-FiOS, or FiOS with the requirement that you play by Verizon’s rules? While competition in the ISP provider space would hopefully relegate these fears to the realm of conspiracy theory, these services are provided by a very concentrated industry, and the opportunity for collusion is non-negligible.

One the one hand we have the simultaneous fears of a loss of privacy and vertical market failure. On the other, we have the slower deployment of broadband services because of lower profit opportunities. Technology experts are starting to agree that the state of US broadband is deplorable, and we definitely shouldn’t make it harder for companies to solve this problem (electronista).

Given the importance of keeping infrastructure development current (my thesis estimates a 10% improvement in infrastructure services could double US growth, adding $360 billion dollars to our economy), as well as the importance if privacy and competition concerns (the government could have adopted the open-access model for the 700 mhz spectrum like Google proposed, but it refused), no matter which hand you grab this sword by, you’re likely to get cut.

Some surprising facts on H1-B visas:  of the ten companies that were issued the most H1-B visas in 2006, seven of them had the majority of their employees located in India, and six are headquartered outside of the United States.  In 2006, the two companies that were issued the most H1-B visas were Wipro and Infosys.  Wipro applied for 20,000 H1-B visas but only 160 green cards; Infosys applied for 20,000 H1-B visas and only 50 green cards.  While there certainly are some companies that use the H1-B visas as we had anticipated in class (Microsoft, IBM, and Oracle, for instance), it seems like these companies are in the minority. 

This information leads us to several new conclusions.  Rather than being used by US firms to fill jobs in which there are not enough native skilled workers, H1-Bs are being used by foreign firms to build up a presence in the United States.  Additionally, it would seem that, based on the number of green cards applied for, these foreigners tend not to stay in the US and much prefer to return to their home country (which is most likely India) after their H1-Bs expire.

This information has many implications for policy.  This information really doesn’t change the general opinion on the matter for people that believe in an almost completely free economy and relatively open borders (that would be me).  However, if more people were aware of this, it would make Congress much less likely to issue H1-Bs.  Instead of supporting US corporations as many would think, these H1-B workers support mostly foreign companies.  Additionally, it seems that most people with an H1-B head home after working, taking the skills and training they received in the US back with them.  So for opponents of these visas, a really simple populist argument can be made:  does the US really want foreign workers working for foreign countries taking American jobs and then going back to their home country, taking their training and education with them?  I’d be willing to bet that if this issue were polled after people heard this argument, the vast majority of Americans would support reducing or even eliminating the H1-B visa.  It looks like Bill Gates may never get his loose immigration policies after all.