1. Negative Externalities and The Law’s Response (Or Lack Thereof), and More Richard Warner rwarner@kentlaw.edu

2. What Is An Externality? An externality is an effect of a decision on those who did not make the decision and whose interests were not taken into account in making the decision. If the effect is beneficial, the externality is labeled positive. If the effect is harmful, the externality is labeled negative. Consumers’ privacy harms tend to be negative externalities.

3. Examples Externality: effect of a decision on those who did not make the decision and whose interests were not taken into account in making the decision.  Electronic banking UK experience  Reservoirs  Pollution  Malware  Tenured full professors

4. The Negative Externality Claim System owners inefficiently under-invest in protection against unauthorized access.  Because the harm is an externality.  An increased investment would reduce the expected harm to third-parties by an amount greater than the investment;  hence, as a society, we waste money we could use for other purposes. Compare The T. J. Hooper.

5. Legal Responses Criminal Enforcement Civil Liability No response

6. Assumptions Subjects of the information cannot efficiently defend ourselves.  Reasonableness requirement in torts. Subjects of the information should not bear the loss.  Insurance.

7. When Is A Legal Solution Required? Legal regulation is not always the solution. Market solutions  Rely on market forces to produce the needed incentive Cultural solutions  Rely on social norms and other cultural factors to produce the needed incentive.

8. The Standard Legal Solution (1) Where an activity imposes a risk of harm on third-parties, and (2) those engaging in the activity inefficiently under-invest in protecting the third parties; 3) the law imposes on a duty to take reasonable steps to prevent harm to third- parties, where (4) other things being equal, a reasonable step is one that reduces expected damage to third-parties by an amount greater than the total cost of the step.

9. Elements of Negligence You are liable for harms to others if you do not act  As a reasonable person would in the circumstances, thereby  Causing harm to others, where  The harm was a foreseeable consequence of your action (or inaction).

10. Kline v. 1500 Mass. Ave. Kline was assaulted in the common areas of the apartment building in which she lived. She sued for negligence alleging that the building owner unreasonably failed to provide adequate security. The court decides in her favor.

11. The Court’s Reasoning “The landlord is the only one in the position to take the necessary acts of protection required. He is not an insurer, but he is obligated to minimize the risk to his tenants... the landlord best equipped to guard against the predictable risk of intruders,... even as between landlord and the police power of government, the landlord is in the best position to take the necessary protective measures...

12. Defending Oneself In Kline  El Salvador In The T. J. Hooper Trespass to chattels versus trespass to land

13. Bearing the Loss The economic loss rule: without a physical impact, there is no tort recovery for purely economic loss. Rationale:  To limit losses to a bearable amount.  To distinguish between losses that should be addressed by contractual provisions or by insurance.

14. Tort Extent of physical impact Economic impact

15. “Predictable Losses” “ The landlord best equipped to guard against the predictable risk of intruders.” The standard model assumes the expected harm is predictable.  Kline,  The T. J, Hooper  Driving  Blasting  Reservoirs

16. The Guin Holding The Guin court holds that the laptop theft was not foreseeable because  Wright lived in a relatively safe neighborhood,  had taken reasonable steps to prevent burglary,  and was unaware of any recent burglaries in his immediate neighborhood. Compare Kline.  The court held that the attack on Kline was foreseeable because the landlord was aware that violence, robbery, and assault were occurring with increasing frequency on the premises of the apartment building.

17. The Significance of Guin Those who store information online are typically in a situation more analogous to Kline than Guin.  Online computers and computer networks are typically attacked 24 x 7 by those seeing unauthorized access. So Guin suggests that online storer’s of information may be liable in negligence. But things are more complicated than this suggests.

18. Recent Cases A mere increased risk of harm is not a basis for a negligence liability. Forbes v. Wells Fargo Bank The economic harm rule prevents recovery. Banknorth, N.A. v. BJ's Wholesale Club

19. Estimates Impossible? Special cases aside, system owners cannot obtain the information they need to make reasonable estimates of the expected damage to third-parties. The information a system owner needs to “drive safely”–to take appropriate precautions to avoid the accident of a security breach–may be distributed over millions of people.

20. Estimates Impossible? The expected damage from theft of sensitive financial information, for example, imposes on any individual among these millions depends on a variety of factors. Without accurate statistical studies, an entity storing this information has no feasible way to acquire and analyze the relevant information about millions of people. With rare exceptions, such studies do not, and are not likely, to exist.

21. Insurance: Basics These claims may seem wrong because there is an active insurance market offering insurance against liability to third-parties for inadequate information security. Insurance companies calculate the expected loss from the occurrence of an event and then offer insurance against that event at a price greater than the expected loss. Typically, you can buy insurance against any event for which an insurance company can calculate the expected loss.  Which is why you cannot, for example, buy insurance against death resulting from the crash of a private plane.

22. Third-Party Liability Insurance The market currently offers insurance against legal liability to third-parties for inadequate information security. This just means that the insurance companies can calculate the expected legal liability. That just requires information to predict the outcomes of lawsuits.

23. Statutes and the “Possible to Estimate Assumption” HIPAA and GLB assume that those storing information online can make reasonable estimates of harm to third parties.

24. Disclosure Statutes: California Civil Code Section 1798.82 (a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

25. Disclosure Statutes: California Civil Code Section 1798.82  (b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

26. What Is Personal Information? The statute defines “personal information” as consisting in a name (first, last, middle) or a social security number, a driver’s license number, a California identification card number, or a credit or debit card account number, and any related information necessary to use the account.  §1798.82(c)

27. Does This Make Sense? The point of the statute is to allow people to defend themselves against losses from the misuse of their information.  When asked what actions were taken following a security incident, 22 percent of respondents stated that they notified individuals whose personal information was breached and 17 percent stated that they provided new security services to users or customers (i.e. credit monitoring, issuing new credentials).

28. Make Sense? The cost--in time, effort, and money--of taking steps to prevent the loss is typically greater the average expected loss, which is actually quite small (well under $20).  Federal Trade Commission: Identity Theft Survey Report 10 – 16 (2003),  Thomas M. Lenard and Paul H. Rubin, An Economic Analysis of Notification Requirements for Data Security Breaches.

29. FTC Alternative Under 15 U.S.C. §45(n), the Federal Trade Commission may declare an act or practice unlawful if it  “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” In the Matter of BJ’s Wholesale Club, Inc. In re: Sony BMG CD Technologies Litigation

30. Criminal Enforcement The Computer Fraud and Abuse Act Liability for unauthorized access to computers that is  Unauthorized, or  Exceeds authorization,  where...

31. Information relevant to national security? NoYes 1030(a)(1) Intentionally causing damage? Yes 1030(a)(5)(A)(i) No Intent to defraud? Yes No 1030(a)(4) Obtaining information? YesNo 1030(a)(2) Governmental computer? YesNo Recklessly causing damage? 1030(a)(3) YesNo 1030(a)(5)(ii) causing damage? YesNo 1030(a)(5)(iii) No CFAA liability

32. Liability under the CFAA 1030(a)(2)(C) imposes liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer if the conduct involved an interstate or foreign communication.”  Computers used in “interstate or foreign commerce or communication” are “protected.” 1030(e)(2).

33. Liability under the CFAA 1030(a)(5) imposes liability on anyone who  (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;  (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or  (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.  The difference between (B) and (C) is relevant to punishment.

34. Liability Under The CFAA 1030(g): “Any person who suffers damage or loss by reason of a violation of the section, may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”

35. Damage Defined 1030 (e)(8): the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that--  (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;  (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;  (C) causes physical injury to any person; or  (D) threatens public health or safety

36. Criminal Enforcement Ineffective? That depends on what it is supposed to do. (1) Keep crime at an acceptable level  (a) Assuming a cultural of general obedience.  (b) Not assuming a cultural of general obedience. (1)(b) is not a goal one can realize in a democracy. Assuming a national culture of obedience can we adequately constrain international crime within our borders?

37. Trademarks and Gambling Trademark infringing knockoffs: the seller is liable (it is not illegal to possess it). Sellers are easy to identify, stay in one place, and have assets. Online gambling: go after credit card companies for aiding and abetting.

38. Criminals, intermediaries, targets IntermediariesCriminalstargets IntermediariesCriminalstargets IntermediariesCriminalstargets

39. ISPs As Intermediaries: Copyright Compare the proposal to make ISPs liable for copyright violations by their users. ISPs are the intermediary.

40. ISPs as Intermediaries: Privacy and Security “Nothing in society poses as grave a threat to privacy as ISPs. ISPs carry their users’ conversations, secrets, relationships, acts, and omissions. Until the very recent past, they had left most of these alone because they had lacked the tools to spy invasively, but with recent advances in eavesdropping technology, they can now spy on people in unprecedented ways. Meanwhile, advertisers and copyright owners have been tempting them to put their users’ secrets up for sale, and ISPs are giving in to the temptation. This is only the leading edge of invasive ISP surveillance.”  Paul Ohm, The Rise and Fall of Invasive ISP Surveillance, 5 U.. Ill. L. Rev. 1417 (2009)

42. Insider Access Versus Malware Losses from insider abuse have declined, and one assumes this is the result of better detection. Deep packet inspection.technology may be part of the explanation.  “SEE EVERYTHING ON THE NETWORK. With a complete historical record, there are no more secrets; every action taken on the network is recorded and stored.” Solera Networks, Top 10 Reasons for Deep Packet Capture and Stream-to- Storage,

43. Insider Access Versus Malware Should we expect the same result in the case of malware? A decline after the rise? There is reason to think not. It does not help as much to “see everything on the network.”

44. The Interdependence Problem Viruses, worms, Trojans, botnets  The likelihood that I will be invaded depends in part on how secure you are. To maximize efficiency, where N people can all take precautions to prevent a loss, they should adopt the combination of measures which is more efficient than any other combination.  The three little pigs. But the investment decision is made individually.

45. The Law’s Response Statutory standards, but  They are often wrong,  Slow to change even if once right,  and sometimes biased Industry capture

46. Top-Down Or Bottom-Up? “Top-down” refers to central planning through legislation and court decisions.  Top-down planning regulates commerce directly by defining what, when, how, and/or with whom market participants may buy and sell “Bottom-up” refers to ordering via property rights and non-legal norms.  Bottom-up planning leaves decisions about what, when, how, and with whom to buy and sell far more in the hands of market participants than in the case of central planning.

47. A Matter of Degree The top-down/bottom-up distinction is a matter of degree. The more an approach leaves decisions in the hands of market participants the more bottom-up it is; the more it takes those decisions out of their hands, the more top- down it is.

48. Efficiency Other things being equal, bottom-up planning is more efficient. Top-down planning is necessary when  “other things” are not “equal”, or  when we want to impose values that bottom-up planning will not realize.

49. Top-Down Worries Inefficiencies of bureaucracy.  Detection  Enforcement  Slow to change Both statutes and the common law Group decision-making defects  Condorcet Jury Theorem Where group members do no better than random at making the right choice, the larger the group the less likely the right decision. Hard to get right in the first place.

50. Lemons Market Akerlof’s Nobel-prizewinning paper, “The Market for Lemons” introduced asymmetric information Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000. Sellers know lemons from non-lemons, but buyers cannot tell the difference. What is the equilibrium price of used cars?

51. How Much Should You Pay? I have two lottery tickets—one with a 50-50 change of winning $2000, and one with a 50- 50 change of winning $1000. You want to buy the tickets. How much should you pay? (50% of $2000) + (50% of %$1000) = $1500. Buying the car in the lemons market is like buying the two lottery tickets. A buyer will only pay $1500, and no good cars will be offered for sale.

52. Legal Responses Get the necessary information to buyers  Create statutory disclosure requirements  Create incentives to disclose from potential liability  Rely on consumer watch-dog groups, other market forces Lemons markets in security and privacy:  We do not know whether the security software is good or bad  We do not read privacy policies  Same legal solutions have been proposed

53. Monopoly Problems Operating systems: The economics is very complex, but there are obvious efficiencies in having one, dominant operating system. Telecommunications: high initial costs, very low marginal costs, and strong network effects create a tendency toward monopoly.  Skype

54. Monopolization Section 2 of the Sherman Act is violated if:  (1) A business has market power, and  (2) uses that market power in an anti- competitive way to maintain and extend that power. Market power: the power–in a given market–to raise prices or exclude competition.

55. Why Do We Care? The goal of antitrust law is to promote competition Conditions for perfect competition: The industry is characterized by  Many small sellers  Selling a homogenous product  Where entry and exit are easy  And there perfect information for buyers and sellers In such a situation, firms cannot raise prices above costs without losing sales

56. Monopolization Section 2 of the Sherman Act is violated if:  (1) A business has market power, and  (2) uses that market power in an anti-competitive way to maintain and extend that power. Market power: the power–in a given market– to raise prices or exclude competition.

57. Tests for Market Power Market share.  Courts virtually never find monopoly power when market share is less than 50%; market share over 70% is almost always sufficient. Market power is relative to a particular market. What are the geographical limits of the relevant markets?

58. Bounded Rationality and Decisional Bias People not act perfectly rationally. How is that news? But we use a model of perfectly rational, free and fully informed actors to predict the outcome of public policies. Useful to the extent reality approximates the model. But there are important cases where reality does not approximate the model.

59. Privacy Polices People do not read Cannot get all the information they need if they did And, should not read and decide.

60. Norms As the Solution Norms are the solution in the case of privacy. In the case of security?

61. Getting Statistics Via disclosure statutes But this gets information only about financial loss And, can it reliably reveal non-quantifiable losses?

62. What Should the Law’s Role Be? Without a supporting culture, the law is an ineffective tool for controlling and directing behavior. Legal regulation can contribute to the creation of a supporting culture, but its contribution is limited. We need to develop a supporting culture, it is just a pipedream to think that the law is the main tool that we can use to accomplish that goal.

63. Market Solutions: Many Minds and Money Where Your Mouth Is A market solution relies primarily on monetary, non-legal incentives to achieve a desired result. Sunstein on many minds and money: There is considerable evidence that non- deliberative pooling of expertise can outperform deliberation  Especially when monetary gain rewards correctness and monetary loss penalizes incorrectness.

64. Three Market Solutions The market solutions focus on vulnerabilities in software.  Software vulnerabilities are one key aspect of the problem. There are three market solutions.

65. First Market Solution: Open Source Software Software is “open source” if its source code is publicly available. Open source software may be the product of many programmers, scattered all over the world, who contribute to the source code. Open source software has advantages.  Fewer defects  No proprietary problems. Legal issues:  Liability for intellectual property violations Sco Group v. IBM

66. Open Source Economics Open source software works best when it is  Based on non-proprietary techniques No “blends” of open source and proprietary code.  Subject to network effects  The application is sensitive to failure  Verification requires peer review  Sufficiently important (business critical) that people will cooperate to find bugs  Eric Raymond, The Magic Cauldron Security has all the above features (Anderson). Many software vendors pursue an anti-interoperability strategy incompatible with open source software.  Prohibitions on reverse engineering in End User License Agreements.

67. Second Market Solution: Vulnerability Disclosure Markets A vulnerability disclosure market provides a mechanism for those who discover vulnerabilities to communicate them to software manufacturers/vendors. There four possibilities.

68. First Possibility: Market-Based A business—like iDefense—pays for information about the existence of vulnerabilities and communicates this information to its clients.  Markets are generally very successful in aggregating dispersed information. They are accurate and efficient. Unless precautions are taken, clients could be hackers. This is true also in all following cases.

69. iDefense Vulnerability Challenge “This challenge sets the bar quite high, focusing on core Internet technologies likely to be in use in corporate enterprises. Because of this, we are merging Q2 and Q3 challenges into one, effectively extending the research time. The following technologies are the focus of this challenge:  Apache httpd  Berkeley Internet Name Domain (BIND) daemon  Sendmail SMTP daemon  OpenSSH sshd  Microsoft Internet Information (IIS) Server  Microsoft Exchange Server iDefense will pay $16,000 for each submitted vulnerability that demonstrates the execution of arbitrary code.”

70. Second Possibility: CERT-type Organizations No money is paid to those who discover vulnerabilities. No money is charged for the disclosure of the vulnerability.  One would expect this not to perform as well as a market mechanism. Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend CERT-type organizations sometimes outperform market mechanisms, but they assume that relevant information is costlessly available. This ignores precisely that at which markets excel.  Available on SSRN.

71. Third Possibility: Consortium Mechanism Those concerned to gain information about vulnerabilities form a consortium.  The consortium pays for information about vulnerabilities.  Members may share information for free. Examples  Information Sharing Analysis Centers (ISACs) Governmental. Does not yet deal with vulnerabilities in the above way.  Industry consortiums. Similar to CERT-type organizations with the added complexity of conflicting business motives.

72. Fourth Possibility: Federally Funded Centers This does not exist. The center would pay for the discovery of vulnerabilities, but Would not charge for the disclosure of the information. Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend this type of approach performs best, but again they assume that relevant information is costlessly available.

73. Lemon Markets and Their Solution Nothing we have said so far addresses the lemon markets problem. The basic lemon markets’ mechanism:  Consumers cannot pre-purchase tell the difference between a good product and a lemon; so  the price drops (the expected value of the purchase is reduced by the expected value of getting a lemon); and  good products disappear from the market. Solution: Get information to buyers before they purchase.

74. Prediction Markets A prediction market would accomplish the purpose. In the market, investors buy futures in which the speculate on which products will have this or that type of vulnerability. Such markets have proven remarkably accurate in predicting a wide variety of events. http://www.consensuspoint.com/index.php The prediction markets might work well where there are active disclosure markets which reveal the existence of vulnerabilities.

75. An Example Why not set up a prediction market in which investors by futures on when vulnerabilities will be discovered in iDefense challenge with regard to:  Apache httpd  Berkeley Internet Name Domain (BIND) daemon  Sendmail SMTP daemon  OpenSSH sshd  Microsoft Internet Information (IIS) Server  Microsoft Exchange Server Investors could speculate on the time, number, and rank order in the list. The activity in the market could guide purchase decisions prior to discovery of the vulnerability.