Monday, June 12, 2006

When private property becomes the commons

While I was thinking about Jonathan Adler's presentation at the Skeptics Society conference, it occurred to me that the problem of botnets is, in effect, a tragedy of the commons. Consumers' private personal computers that are connected full-time to the Internet and are not kept up-to-date on patches have become a commons to be exploited by the botherders. The owners of the computers are generally not aware of what's going on, as the bots generally try to minimize obtrusiveness in order to continue to operate. The actual damages to each individual are typically quite small (with some notable exceptions--botherders can steal and make use of any data on the machine, including personal identity information and confidential documents), and the individual consumer doesn't have sufficient incentive to prevent the problem (say, by spending additional money on security software or taking the time to maintain the system).

Similarly, the typical entry-level casual blogger may not have incentives to keep their blog free of spam comments. Neither, for that matter, does commons-advocate Larry Lessig, whose blog's comments are full of spam, making them less useful than they otherwise would be--I think this is an amusing irony about Lessig's position in his book Code. He argues that we need to have some subsidized public space on the Internet, but it seems to me private companies have already created it largely without public subsidy, and I think Declan McCullagh has the better case in his exchange with Lessig. (By contrast, Blogger does have incentive to prevent spam blogs, which consume large amounts of its resources and make its service less useful--and so it sometimes takes heavy-handed automated actions to try to shut them down.)

Bruce Schneier has argued that the right way to resolve this particular problem is by setting liability rules to shift incentives to players who can address the issue--e.g., software companies, ISPs, and banks (for phishing, but see this rebuttal). I agree with Schneier on this general point and with the broader point that economics has a lot to teach information security.
