WWS 586F: Information Technology & Public Policy

“In executing the Office of the President, Barack Obama is the bomb.”

This is not necessarily my opinion, but I write it to demonstrate something (the above sentence is inspired by a reddit.com comment I saw, but I cannot find it now).  There is a good chance that an email message or other transmission over the packet-switched communications network we call the internet containing some variation of the above sentence, after being filtered using something called deep packet inspection (where a message is dissected and parts of its contents examined by a computer), could be flagged and sent to, say, the NSA for a real human being to have a second look at it.  Although this scenario may not be what would happen today, the technological capability for this is now a reality, and there is a good deal of debate about how to approach wiretapping and surveillance of digital communications and infrastructure.  Traditional law regarding surveillance in telephone and postal communications is not well-suited for application here.

In our readings for this week, Orin S. Kerr provided a general framework of network surveillance law within a discussion of the USA Patriot Act; Charles Savage reported on wireless eavesdropping abroad; and K. A. Taipale argues that FISA is inadequate and that it should be permissible to programmatically select suspects.  Taipale writes that “FISA did not anticipate” the internet or “advanced technical methods for intelligence gathering.”  He rightly notes that applying FISA strictly now would mean that “no automated monitoring of any kind could occur” in the vast majority of cases.

Taipale suggests that the law should be modified to use computationally-enable analysis techniques to communications previously prohibited by the law.  He suggests content filtering and artificial intelligence techniques to “identify potential threats,” and he suggests traffic analysis to “identify organizations or groups and the key people in them.”

While these capabilities are attractive, their implementation would raise a host of issues regarding legal privacy protections (even where the Fourth Amendment protection against unreasonable search and seizure does not apply) and limited government.  Practically speaking, having a judge or congressional committee sign off on every “internet wiretap” on affecting American citizens would be a tremendous challenge because of the technical savvy likely required to understand a (hypothetical) proposed set of criteria.  From a more general policy perspective, having the technical infrastructure and institutional procedures to touch, examine, and data mine any and all digital communications made by any American is itself a huge concern; the potential for abuse, either by rogue individuals, by small groups within the institution, or by the institutions themselves, is only exacerbated by giving an institution more capabilities, no matter the built-in protections.

Digital eavesdropping capability is an important tool for intelligence gathering and law enforcement, but should be implemented with caution and foresight.  As I see it now, a suitable capability would be, at least when an American is the subject, as specific as possible (e.g., target only one email address) and as simple as possible–a judge should be able to understand and approve or disapprove of its use on a case-by-case basis.

Stuart Anderson points to several recent and serious national cyber-security incidents in “Modern Cyber-Warfare.”  Beyond a growing national security threat, the economic implications of computer security are important.  In a more technical sense, the banking system’s records and many transactions are electronic and that the banking system is hooked into the network; successful attacks on the banking industry’s electronic infrastructure (or internet infrastructure more generally) could be catastrophic.  In a more economic sense, the costs associated with computer viruses, worms, and botnets are large.  Douglas Barnes, in his 2004 piece “Deworming the Internet,” cites 2003 reports of worm damage to be in the range of “$12.5 billion to over $80 billion.”

Computer security in critical and non-critical government systems, as well as in (more) critical private-sector systems raises important issues, but I will focus on policy and the everyday user.

Much of the threat to the everyday consumer arises from market failures in the software industry, which Barnes describes in some detail.  In essence, in a software company’s rush to market for a new product, developers fail prioritize security concerns.  As Barnes explains, “the potential future downside of latent security defects is a cost that is only paid if the publisher wins.”  Even if the publisher wins, the benefits of winning generally outweigh the costs associated with distributing overly vulnerable software.  Once a software product is on the market, even upgrades tend to focus on adding new feature rather than “security retrofitting,” i.e., correcting already existing defects.  Even savvy consumers can have trouble avoiding vulnerably software if the code is closed and proprietary.  The consumer does not have much more to evaluate a publisher’s claims of security than the publisher’s history with security and, well, the publisher’s claims (this information asymmetry is called the lemons problem).

Because of the large threat and the failure of the market to address the problem of security, there may be room for regulation to help correct the problem.  To address the everyday user issue, and without evaluating Barnes’s proposed approaches, I propose one separate regulatory rule that is simple and relatively elegant on a short time-scale (although I am unsure if it is legally plausible, especially regarding open source; the idea is admittedly not yet entirely well thought out).

My proposal is to mandate that operating system publishers include an anti-virus software package in any (non-handheld device) consumer operating system they distribute that has some critical mass of users (say, a few thousand).  The anti-virus software can be free (free packages exist for the major platforms), or should come with a minimum one year free subscription to a paid vendor.  If it is a paid vendor, when the subscription expires, the user should be given the option of extending the paid subscription, or moving to a free alternative.  The included anti-virus software, whether free or paid, should come configured to automatically update and scan on a regular basis (daily or weekly).  The software should also be configured to be as unobtrusive as possible (minimal popups or warning), and the user should also have the option to easily remove the software if s/he wants to do so.

Most users will not be able to tell the difference, and this would offer a good level of protection that many are not getting, either because they do not have protection or because it is outdated.  This is meant to be an effective band-aid to apply while the wider market issues are being resolved.

[Edit: I also assume operating system publishers ship their product with a well-configured, unobtrusive automatic security update service that runs regularly, but this can be an associated regulatory mandate.]

In our readings for this week, Robinson, Yu, Zeller, and (Prof.) Felten argue, in Government Data and the Invisible Hand, for the federal government to offer reusable data with the aim of improving government transparency and enabling private-party solutions to civic needs.  Beth Simone Noveck, in Wiki-Government, takes another approach to technology and government, arguing that new internet-based tools “can make government decision-making more expert and more democratic.”  I will deal here with the direction of government providing data to the public, as it is a good place to start; I believe transparency will drive civic engagement.

It is worth a reminder that (at least in writing) the United States has a government created by, “We the people,” and that the government should be both accountable to the public and operating in the public’s interest.  Transparency is in many ways a means to this end.  When the government exposes its internal workings and shares its knowledge with the public, the public can both benefit from the public knowledge directly, and more indirectly hold the government accountable in performing its enumerated duties.

If we agree that government is an institution derived from the people and to serve the public good, we can see why transparency is beneficial.  Much government data is public data, and, as Robinson et al. argue convincingly, private parties are capable of acting faster and more creatively (and under far fewer restrictions) with technology to make use of government-provided information.  There is tremendous potential for positive social impact in enabling private parties to access public data, as I will mention after looking at some objections to the government providing its data to the public.

I see reasonable objections to the Robinson et al. scenario as follows.  First, data is sensitive and should be guarded.  Second, it is too expensive to aggregate or release government data.  In the case of sensitive data, simply put, it should be excluded from public access (under what criteria or who gets to decide what is sensitive and what is not is another issue).  In the case of cost, the cost of providing the data is insignificant after the initial push to set up the system, and Robinson et al. even assert that, “The overall picture is that the government’s IT costs will decline” in most areas, and these savings will outweigh any places where it has the opposite effect.  This considers only the direct financial costs and benefits, and does not even take into account the social good which could be produced.

For the cynic in me, there is also some worry for me that for self-preservation, politicians and bureaucrats will want to maintain the closed nature of the data in the interest of more control, either because of the informational advantage they have with access or because they are afraid of how the data could be interpreted (i.e., they want to avoid accountability and even retroactive public scrutiny).  These would not seem to be valid (unspoken) objections.

The vision of shared public data in Robinson et al. is one where the “government provides the data,” in the form of permanently-addressed data in a reusable format and using open standards, and “private parties present the data to citizens.”  They mention a few examples of the kinds of innovations that can come from private parties, including the Pro Publica TARP distribution map and Govtrack.us.  Too often with these kinds of projects, it takes data scraping from the private parties to gather the data from government web sites.

The innovation that can happen when there is an abundance of data provided directly in machine-readable formats is worth noting.  The more data is available, the more innovation by private parties can happen and the more the public will benefit.  As a good example of previously-closed data sets being opened up, Hans Rosling’s 20-minute TED talk is instructional (although it is U.N.- and not U.S.-specific).  Vivek Kundra, who was Washington, D.C.’s CTO and spoke at the CITP in the fall, was able to spur an impressive array of innovation by providing D.C. government data in an accessible form.

After a reading of Tim Wu’s The Broadband Debate: A User’s Guide, it is relatively clear that on most principles I tend to come down on the side of the Openists, a group he characterizes as promoting an “innovation commons” vision of the internet, one rooted in a Darwinian theory of innovation where treating the internet as public infrastructure is a priority.  The openists are opposed by what he calls the Deregulationists, who are suspicious of government, believe keeping regulation out of the picture will allow innovation to flourish, and do not believe in a lack of stewardship.  Both camps claim that facilitating innovation is their goal but just have different conceptions about what is best for innovation.

I am more skeptical of the deregulationist position than Wu seems to be.  Instead of pure deregulationists, I see corporatists masquerading as deregulationists.  The limiting-government libertarian position has its merits, but, for me, some minimal regulation is necessary to keep the internet a free platform where innovation can come from any direction.  From the proposals we have seen from the deregulationist camp, deregulation appears to be (to deregulationists) a method to achieving greater return on existing infrastructure, rather than a policy approach to facilitating innovation.  There may certainly be some genuine belief that innovation can be centralized and planned, but I have trouble agreeing with this point of view (or maybe this is not a fair characterization of the deregulationist perspective).

The internet has seen a great deal of innovation since its creation, and it has been based on the principle of end-to-end design and content nondiscrimination.  I see no good reason change the approach that has brought us this far and allowed maximum participation and collaboration.

To take the best of the two approaches, policy should strive to adhere to the end-to-end principle, but with minimum regulation.  As was pointed out in class this evening, at the moment there seems to be little incentive for internet service providers to discriminate based on content.

There is certainly some room for the deregulationist perspective to be included in IT policy. Deregulationists favor what Wu calls the propertization principle, the incentive principle, and the deregulation principle.  Propertization is bound to happen as long as there is private participation in providing internet access; the infrastructure is property.  I have no problem with paying for internet service, but there is also nothing wrong with the government providing (or trying to, at least) internet as a public service.  However, the openists’ conception of the internet as public infrastructure is obsolete.  There is nothing inherently wrong with private ownership (or a combination of public and private ownership) of internet infrastructure, so long as the network is kept free and open; you pay for access (service), but you decide what to do with it and how.

Sam Fischgrund has touched on health information technology (HIT) already in “National Massive Electronic Health Database Proposal for the Benefit of Medical Research.” In his proposal, Sam correctly asserts that there is research indicating “would provide huge benefits to society, both financially and medically,” but he breezes by some important public policy issues on his way to the health database proposal. I would like to drill down a little on some of these issues instead of assuming that the benefits associated with widespread electronic medical record (EMR) adoption far outweigh the risks and costs.

During his recent presidential campaign, Barack Obama promised to spend significantly ($10bn per year for five years) on “electronic health information systems, including electronic health records” (NYTimes.com via Politifact.com). In 2005, Hillestad et al. estimated the cost of implementing EMR systems to be “$28 billion per year during a ten-year deployment, $16 billion per year thereafter.” Most recently, the American Recovery and Reinvestment Act allocated “$20 billion to jumpstart efforts to computerize health records.”

While I am not sure how the numbers work out exactly, it seems to me that government action (and money) to incentivize, subsidize, and guide the adoption of standardized, interconnected EMR systems falls short of the Hillestad et al. estimates and the immediate interventions suggested by Taylor et al.

I see several issues with standardized, interconnected EMR systems, and with having the federal government having a hand in rolling them out (and/or operating them). First, I believe any advocacy for government intervention needs to be strongly justified, and I worry that having the government regulate or guide the process of EMR adoption will make it unnecessarily expensive, make it happen unnecessarily slowly, or make it happen poorly (e.g., leaving us with a system that either does not work properly or is too cumbersome). However, since adoption has not been widespread but is in fact happening gradually, and because different players are adopting different, disparate, and poorly- or in-compatible systems, having the government get involved early on will help prevent a lot of complicated compatibility and networking issues. A standardized EMR system will be best suited to share health information between parties–and information sharing this is one of the main benefits of EMRs. To help ensure that this benefit is realized, early government involvement is indeed justified. The pitfalls of government involvement are still a threat, but it can definitely be done correctly, and if the current state of HIT is any indication, we cannot depend on the health care industry to govern itself optimally in regards to HIT.

Second, I get nervous whenever there is a publicized and publicly-accessible system that collects and stores large amounts of sensitive, personal, private data. The prevalence of electronic financial crime (especially stolen credit card information) makes me wonder whether personal health record (PHR) services like Google Health and Microsoft HealthVault are too closely paired with other services provided by the same companies (because you can access each through your Google Account and Windows Live ID, respectively). The recent “Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information” does an excellent job identifying some of the security and privacy issues, but hardly gets into any detail about addressing them well in real world implementation of HIT. A focus on privacy and security should be included in the core considerations of any EMR system design. Without addressing privacy and security issues, EMRs will either not get off the ground or will leave its users vulnerable to serious problems in the future.

HIT, especially networked EMRs, can offer tremendous benefits to individuals receiving health care, and to society as a whole in the form of reduced medical care costs. The government should ramp up its efforts to have EMRs implemented, but should be wary of design flaws that will impinge user privacy.

[Edit: Jakub S. also posted about HIT while I was in the middle of writing my entry (we also obviously discussed more in class later).]

Mark Gray’s Fighting Ignorance in the Digital Age got me ruminating about how we as a country approach technology, education, and contemporary affairs. Mark seems to identify two wider problems in society relating to technology, although he does not lay them out explicitly. The problems and approaches to addressing them are worth exploring further.

The first problem is a lack of widespread understanding of basic engineering and computer science concepts relating to common technology, meaning the nuts and bolts of how and why things we use or encounter frequently—the cell phone, the ATM machine, the World Wide Web—work the way they do. I will call this issue “technology literacy.” It is about more than knowing how to send a text message or how to boot up your computer and check your email.

The second problem is a lack of widespread awareness about public policy and current events, made poignant by Mark’s anecdote about the New Hampshire woman sued by the RIAA who ignored court document she received, thinking it was a scam. Unawareness or ignorance of this type is not directly the result of flaws in our education system, meaning it is not directly related to foundational technical or historical knowledge. Instead, it may be indicative of a common ignorance about what the government is doing and what is going on in the world, especially regarding technology. This ignorance is accompanied by a general disengagement with information technology policy, and I will call this issue “digital citizenship” (if you think you have a better alternative, please suggest it—I understand that it may be confusing).

Electronic voting is a true embodiment of the issues of digital citizenship, driven home by the recently-exposed election fraud case in Kentucky, the “first documented case of election fraud in the U.S. using electronic voting machines” (Bruce Schneier). Researchers have been publishing security problems in these electronic voting machines for years, and beyond major design flaws, serious bugs and glitches keep cropping up. Yet there has been little public outrage about the use of vulnerable electronic voting machines, at least not enough to incite widespread reform. If people were more informed, one hopes there would be more of an outcry, and we would do more to address the problem.

Unfortunately, I see no simple, direct way to address the issue of digital citizenship and promote awareness of and engagement in technology policy and other technology issues. Digital citizenship ties into larger concepts of democratic participation and an informed, engaged citizenry. I suspect that anything promoting an informed, engaged citizenry in general will also promote digital citizenship—especially if we boost technology literacy among the American public.

Technology literacy is something we can address more directly, through the education system. The objection that the public education system has enough problems as it is (cf. Jonathan Kozol) is a valid one, but I look at promoting technology literacy as a part of more broad education reform an improvement. Teaching technology literacy should not divert resources from what are now considered core subjects. However, because technology is only becoming more and more pervasive, the “learn how to use Word, Excel, and PowerPoint” model is no longer sufficient.

Mark suggests that, “Students could be taught general facts of how data travels on the Internet, the way web pages work,” but that they wouldn’t, “have to learn about the deeper concepts until entering college courses,” so that, “things like security could be glazed over in order to foster a general understanding of the technology that permeates every level of our daily lives.” I basically agree with this, but I would encourage doing more to meld the practical and more theoretical or academic aspects of technical knowledge. I disagree that security should be altogether “glazed over”; we should teach basic best practices like how to choose a strong password and basic steps to manage your privacy online. Beyond examining how some everyday technologies work, a grasp of a few basic computer science concepts would also be valuable, meaning we should consider teaching some basic programming skills, touch on intractability (to have a better idea of what all our computational power can be capable of doing), and so on (take this with a grain of salt; I am a computer science concentrator and so think these things have importance).

If technology literacy and digital citizenship seem abstract or of secondary importance, consider the past and potential impact of technology on American society. Consider, for instance, the implications of vulnerable electronic voting machines for our democracy, or consider the way wireless devices and the internet have transformed the way many of us communicate over just the past ten years. Having policymakers and citizens that are informed, engaged, and knowledgeable in regards to technology will help enable a better future.

Meredith Levinson at CIO appears to be fed up with employers using Google as a vetting tool in the hiring process.  In “Job Seekers to Employers: Stop Snooping!” (via Slashdot), she writes:

But instead of cautioning job seekers to censor their behavior and the information and pictures they post online, we job seekers and defenders of civil liberties should tell employers to stop snooping and stop judging our behavior outside of work. What we do, say and believe in our personal lives in most cases has no bearing on our ability to do a job, barring criminal behavior, of course.

Certainly, a job applicant has privacy protections and is also protected by anti-discrimination statutes.  But the potential employer also has rights regarding the vetting of the applicant.  For instance, the potential employer can require a drug test and can require the applicant to divulge past criminal offenses.

The reach of the potential employer’s vetting can legitimately extend to online searches.  Basically, if there is truthful information online, and the potential employer has ready access to it, there is no valid argument—in regards to civil liberties, at least—against the employer taking the information into account during the hiring process.  It is public information.

It would sit uneasy with me if an employer were to turn down an applicant based solely on information about lifestyle choices, e.g., “this person does X, I disagree with or do not like X, and so I will not be hiring this person.”  To my knowledge, involving this kind of information in the hiring decision is not illegal if the information is not regarding the applicant’s membership in a protected group, but it should be avoided.

But the potential employer may have legitimate grounds to turn down an applicant based on information gathered from Google, especially if, for some reason, the potential employer thought the information could jeopardize business or organizational success in the future.  After all, if the potential employer can find the information by typing the applicant’s name into Google, a potential business partner or potential client could also find the information out easily.

A good employer will be discerning about what kind of Google-gathered information they deem important.  For instance, if the top hit for the applicant’s name is a blog where the applicant slanders a previous employer, it is reasonable to take that into account.  If there is something unclear or something negative, though, it would always be a good idea to bring up the subject in an interview and give the applicant a chance to clarify or explain the information in question.  It may be the case, for instance, that the search hit covered many people sharing a common name, and that it was someone else that was connected to the questionable material.

Practices like running background checks using data brokers would often times be an overly deep kind of vetting for positions that do not have a good level of sensitivity attached to them, and should be avoided.  Here there are more privacy issues, as outlined in “Data Brokers and Privacy Protection.”

In any case, there is no invasion of privacy or civil liberties issue, and Levinson’s objections are unfounded.  Existing law and regulation suffices to protect applicants during the hiring process and to allow employers to vet their employees sufficiently.  However, a hirer should still be judicious in evaluating information gathered online about applicants.  Likewise, an applicant should assume that a potential employer will do a search for her name online, and be both aware of what is there to find and judicious about what she puts online or allows to get online (obviously not always easy, because other people are free to post things).  One place to start thinking about the online persona is Tim Ferriss’s “Tips for Personal Branding in the Digital Age: Google Insurance, Cache-flow, and More.”

Private sector organizations are mining, collecting, aggregating, storing, analyzing, and selling or otherwise disseminating personal—and, what can reasonably be argued, oftentimes private—information about millions of Americans.  Daniel J. Solove and Chris Jay Hoofnagle, in “A Model Regime of Privacy Protection,” call these organizations “data brokers.”  Government agencies also engage in the collection of personal data and in data mining for law enforcement and other purposes.  Government agencies are also among the clients of the data brokers.

Besides general concerns about erosion of civil liberties and the threat of an overbearing state, security and privacy concerns associated with the data brokers have been shown to directly cause authentic financial, physical, and emotional safety hazards.  Solove and Hoofnagle cite a case where a stalker used a data broker to locate Amy Boyer and then murdered her.  Solove and Hoofnagle also mention an FTC report that assesses the costs of identity theft to businesses to be tens of billions of dollars every year, so identity theft is another serious problem.  ChoicePoint, one of the more prominent data brokers, has on more than one occasion sold personal information directly to identity thieves.  On top of physical security and the financial costs of identity theft, identity theft can cause a significant amount of emotional distress to its victims.

While Solove and Hoofnagle make several more detailed recommendations regarding specific issues and how to improve them, three basic policies would vastly improve today’s privacy regulations, especially in regards to the data brokers.  These policies will allow for greater transparency to and accuracy in the data broker industry.

First, only organizations with a direct relationship with a person should be able to store and use that person’s data.  The exception, and it is a big one, is if the person gives informed consent for the data to be shared with third parties.  This way, a book store may have access to my reading habits, but it cannot sell data about my reading habits without my knowledge and permission. Of course, this kind of consent can be buried in the middle of contracts, but the fact that it is there rather than completely absent is important.

Second, people should be made aware of what information data brokers have on them.  Every data broker should be made to provide a simple procedure to allow a person to access her own file.  Every data broker should also have an accuracy appeal process; if a person finds the information on her to be inaccurate, she should have a simple way to correct it.

Finally, people should be informed about how their information is disseminated.  Whenever a data broker provides information to another party, the person should receive notification of who made the request, when, and what type of information was passed along (exception could be made for certain law enforcement purposes). Should a person’s information be incorrectly revealed, such as in a security breach, the data broker should inform her of the time and extent of the leak.

In “America’s Edge,” Anne-Marie Slaughter argues that, “in this world, the measure of power is connectedness.”  With connectivity being shown to be an enabler of economic prosperity and political influence, a policy that promotes connectivity in America will in turn promote American success in a century that Slaughter predicts will be defined by networks. America’s potential in the twenty-first century will be informed by the federal government’s approach to regulating the airwaves.

The Federal Communications Commission (FCC) is tasked with, among other things, regulating use of the radio spectrum, including telecommunications and television and radio broadcasting.  The current regulatory model divides the wireless spectrum into different bands, based on frequencies, and different entities obtain licenses to use different bands of spectrum for a certain number of years from the FCC.  Since 1994, the FCC has used auctions to assign spectrum licenses.  Notably, licensees are not permitted to sell or lease their spectrum in part or in entirety.  Also notably, because many broadcasters obtained their licenses many decades ago, they essentially have control over large amounts of valuable spectrum.

Certain bands of spectrum are intentionally left unlicensed.  Since 1938, under its Part 15 rules, the FCC has allowed these bands to be used by devices following certain conditions, specifically that they operate within these bands and at low enough power.  As Gerald R. Faulhaber and David Farber note in “Spectrum Management: Property Rights, Markets, and the Commons,” “radio engineers have lauded the openness of Part 15 spectrum as a boon to innovation.”  As an example, the wildly successful technology WiFi was developed to exploit unlicensed spectrum.

The current approach to airwave regulation, based on assigning frequency bands, was developed before much of today’s wireless technologies were developed.  Since then, the technological landscape has changed, and the assumptions that inspired the policies are losing their relevance.  Kevin Werbach, in “Radio Revolution: The Coming Age of Unlicensed Wireless,” identifies dynamic wireless techniques that transform the traditional wireless paradigm.  He names spectrum wireless systems, space-time coding, and mesh networking, and software-defined radio (SDR) as technical mechanisms that change the way wireless works, which a regulatory system from the first half of the twentieth century will not be able to accommodate.

Werbach mentions a proposal by Robert Matheson of the National Telecommunications and Information Administration for an “electrospace” model that would replace the current view that frequency bands are the only way to understand “how wireless systems can coexist.”  The electrospace model goes beyond the frequency model, and considers seven different degrees of freedom, which if taken advantage of, would drastically increase the capacity of wireless to transmit useful information.

A wireless world that takes full advantage of the electrospace model as a new paradigm may not seem near.  However, the bottom line is that the policy now creates artificial scarcity and rigidity in the wireless world.

From a policy perspective, the current “command-and-control” approach needs to be updated.  Allowing spectrum license holders to divide up and sell their spectrum would be a siginificant step in the right direction in terms of improving efficiency and eliminating waste.  Werbach makes several further recommendations, all of which also make sense in light of the viability of dynamic wireless systems.  According to Werbach, the FCC should: attempt to provide “more dedicated unlicensed spectrum”; allow for “shared unlicensed underlay”; allow for “opportunistic sharing” (what Faulhaber and Farber call “non-interference easement”); and should create rules in the unlicensed bands that promote “experimentation and research.”

With connectivity playing such a significant role in American’s future, the U.S. can either ‘hamstring’ itself with a spectrum policy that creates unnecessary scarcity in the form of limited spectrum—the status quo—or it can enable innovation and growth with an efficient spectrum policy that accounts for changes in wireless technology.