Future Imperfect

By David D. Friedman

Draft: 2/10/03

This book is dedicated to

Eric Drexler

Tim May

Eric Raymond

Vernor Vinge

 

And all the other friends whose ideas I have shamelessly, but selectively, appropriated.


Part I: Prolog

 

Chapter I: Introduction

I recently attended an event where the guest speaker was a cabinet member. In conversation afterwards, the subject of long term petroleum supplies came up. He warned that at some point, perhaps a century or so in the future, someone would put his key in his car's ignition, turn it, and nothing would happen–because there would be no more gasoline.

What shocked me was not his ignorance of the economics of depletable resources--if we ever run out of gasoline it will be a long slow process of steadily rising prices, not a sudden surprise--but the astonishing conservatism of his view of the future. It was as if a similar official, a hundred years earlier, had warned that sometime around the year 2000 we were going to open the door of the carriage house only to find that the horses had starved to death for want of hay. I do not know what the world will be like a century hence. But it is not likely to be a place where the process of getting from here to there begins by putting a key in an ignition, turning it, and starting an internal combustion engine burning gasoline.

This book is about technological change, its consequences and how to deal with them. In this chapter I briefly survey the technologies. In the next I discuss how to adjust our lives and institutions to their consequences.

I am not a prophet; any one of the technologies I discuss may turn out to be a wet firecracker. It only takes one that does not to remake the world. Looking at some candidates will make us a little better prepared if one of those revolutions happens. Perhaps more important, after we have thought about how to adapt to any of ten possible revolutions, we will at least have a head start when the eleventh drops on us out of the blue.

Much of the book grew out of a seminar I teach at the law school of Santa Clara University. Each Thursday we discuss a technology that I am willing to argue, at least for a week, will revolutionize the world. On Sunday students email me legal issues that revolution will raise, to be put on the class web page for other students to read. Tuesday we discuss the issues and how to deal with them. Next Thursday a new technology and a new revolution. Nanotech has just turned the world into gray goo; it must be March.

Since the book was conceived in a law school, many of my examples deal with the problem of adapting legal institutions to new technology. But that is accident, not essence. The technologies that require changes in our legal rules will affect not only law but marriage, parenting, political institutions, businesses, life, death and much else.

Possible Futures

We start with three technologies relevant to privacy–one that radically increases it, two that radically decrease it.

Privacy x 3 or

Now You Have It, Now You Don't

Public Key encryption makes possible untraceable communications intelligible only to the intended recipient. My digital signature demonstrates that I am the same online persona you dealt with yesterday and your colleague dealt with last year, with no need for either of you to know such irrelevant details as age, sex, or what continent I am living on. The combination of computer networking and public key encryption makes possible a level of privacy humans have never known, an online world where people have both identity and anonymity–simultaneously. One implication is free speech protected by the laws of mathematics, arguably more reliable and certainly with broader jurisdiction than the Supreme Court. Another is the possibility of criminal enterprises with brand name reputation–online pirate archives selling other people's intellectual property for a penny on the dollar, temp agencies renting out the services of forgers and hit men.

On the other hand …

In the not too distant future you may be able to buy an inexpensive video camera with the size and aerodynamic characteristics of a mosquito. Even earlier, we will see–are already seeing–the proliferation of cameras on lamp posts designed to deter crime. Ultimately this could lead to a society where nothing is private. Science fiction writer David Brin has argued that the best solution available will be not privacy but universal transparency–a world where everyone can watch everyone else. The police are watching you–but someone is watching them.

It used to be that a city was more private than a village, not because nobody could see what you were doing but because nobody could keep track of what everybody was doing. That sort of privacy cannot survive modern data processing. The computer on which I am writing these words has sufficient storage capacity to hold at least a modest amount of information about every human being in the U.S. and enough processing power to quickly locate any one of those by name or characteristics. From that fact arises the issue of who has what rights with regard to information about me presently in the hands, and minds, of other people.

Put all of these technologies together and we may end up with a world where your realspace identity is entirely public, with everything about you known and readily accessible, while your cyberspace activities, and information about them, are entirely private--with you in control of the link between your cyberspace persona and your realspace identity.

Commerce in Cyberspace

The world that encryption and networking creates requires a way of making payments–ideally without having to reveal the identity of payer or payee. The solution, already worked out in theory but not yet fully implemented, is ecash–electronic money, privately produced, potentially untraceable. One minor implication is that money laundering laws become unenforceable, since large sums can be transferred by simply sending the recipient an email.

A world of strong privacy requires some way of enforcing agreements; how do you sue someone for breach of contract when you have no idea who, what or where (s)he is? That and related problems lead us to a legal technology in which legal rules are privately created and enforced by reputational sanctions. It is an ancient technology, going back at least to the privately enforced Lex Mercatoria from which modern commercial law evolved.[1] But for most modern readers, including most lawyers and law professors, it will be new.

Property online is largely intellectual property, which raises the problem of how to protect it in a world where copyright law is becoming unenforceable. One possibility is to substitute technological for legal protection. A song or database comes inside a piece of software–Intertrust calls it a digibox–that regulates its use. To play the song or query the database costs ten cents of ecash, instantly transmitted over the net to the copyright owner.

Finally and perhaps most radically, a world of fast, cheap, communication greatly facilitates decentralized approaches to production. One possible result is to shift substantial amounts of human effort out of the context of hierarchically organized corporations into some mix of marketplace coordination of individuals or small firms and the sort of voluntary cooperation, without explicit markets, of which open source software development is a recent and striking example. 

Crime, Cops and Computers

Some technologies make the job of law enforcement harder. Others make it easier–even too easy. A few years ago, when the FBI was pushing the digital wiretap bill[2]  through Congress, critics pointed out that the capacity they were demanding the phone companies provide them added up to the ability to tap more than a million telephones–simultaneously.

We still do not know if they intend to do it, but it is becoming increasingly clear that if they want to, they can. The major cost of a wiretap is labor: someone has to listen to the calls. As software designed to let people dictate to their computers gets better, that someone can be a computer converting conversation to text, searching the text for key words or phrases, and reporting the occasional hit to a human being. Computers work cheap.

In addition to providing police new tools for enforcing the law, computers also raise numerous problems for both defining and preventing crimes. Consider the question of how the law should classify a "computer break-in"–which consists, not of anyone actually breaking into anything, but of one computer sending messages to another and getting messages in reply. Or consider the potential for applying the classical salami technique–stealing a very small amount of money from each of a very large number of people–in a world where tens of millions of people linked to the internet have software on their computers designed to pay bills online.

Designer Kids, Long Life and Corpsicles

The technologies in our next cluster are biological. Two–paternity testing and in vitro fertilization–have already abolished several of the facts on which the past thousand years of family law are based. It is no longer only a wise child who knows his father–any child can do it, given access to tissue samples and a decent lab. And it is no longer the case that the woman from whose body an infant is born is necessarily its mother.  The law has begun to adjust. One interesting question that remains is to what degree we will restructure our mating patterns to take advantage of changes in the technology of producing babies.

A little further into the future are technologies to give us control over our children's genetic heritage. My favorite is the libertarian eugenics sketched decades ago by science fiction author Robert Heinlein–technologies that permit each couple to choose, from among the children they might have, which ones they do have, selecting the egg that does not carry the mother's tendency to nearsightedness to combine with the sperm that does not carry the father's heritage of a bad heart. Run that process through five or ten generations, with a fair fraction of the population participating, and you get a substantial change in the human gene pool. Alternatively, if we learn enough to do real genetic engineering, we can forget about the wait and do the whole job in one generation.

Skip next from the beginning of life to the end. Given the rate of progress in biological knowledge over the past century, there is no reason to assume that the problem of aging will remain insoluble. Since the payoff is not only enormously large but goes most immediately to the currently old, some of whom are also rich and powerful, if it can be solved it is likely that it will be.

In a sense it already has been. There are currently more than a hundred people[3] whose bodies are not growing older–because they are frozen, held at the temperature of liquid nitrogen. All are legally dead. But their hope in arranging their current status was that it would not be permanent–that with sufficient medical progress it will some day be possible to revive them. If it begins to look as though they are going to win their bet, we will have to think seriously about adapting laws and institutions to a world where there is an intermediate state between alive and dead and quite a lot of people are in it.

The Real Science Fiction

Finally we come to three technologies whose effects, if they occur, are sufficiently extreme that all bets are off, with both the extinction and the radical alteration of our species real possibilities within the lifespan of most of the people reading this book.

One such is nanotechnology–the ability to engineer objects at the atomic scale, to build machines whose parts are single atoms. That is the way living things are engineered: A DNA strand or an enzyme is a molecular machine. If we get good enough at working with very small objects to do it ourselves, possibilities range from microscopic cell repair machines that go through a human body fixing everything that is wrong to microscopic self-replicating creatures dedicated to turning the entire world into copies of themselves–known in nanocircles as the "gray goo" scenario.

Artificial intelligence might beat nanotech in the annihilation stakes–or in making heaven on earth. Raymond Kurzweil, a well informed computer insider, estimates that in about thirty years there will be programmed computers with human level intelligence. At first glance that suggests a world of science fiction robots–if we are lucky, obeying us and doing the dirty work. But if in thirty years computers are as smart as we are and if current rates of improvement–for computers but not for humans–continue, that means that in forty years we will be sharing the planet with beings at least as much smarter than we are as we are smarter than chimpanzees.[4] Kurzweil's solution is for us to get smarter too–to learn to do part of our thinking in silicon. That could give us a very strange world–populated by humans, human/machine combinations, machines programmed with the contents of a human mind that think they are that human, machines that have evolved their own intelligence, and much else.

The final technology is virtual reality. Present versions use the brute force approach: feed images through goggles and headphones to eyes and ears. But if we can crack the dreaming problem, figure out how our nervous system encodes the data that reaches our minds as sensory perceptions, goggles and headphones will no longer be necessary. Plug a cable into a socket at the back of your neck for full sense perception of a reality observed by mechanical sensors, generated by a computer, or recorded from another brain.

The immediate payoff is that the blind will see–through video cameras–and the deaf hear. The longer run may be a world where most of the important stuff consists of signals moving from one brain to another over a network, with physical acts by physical bodies playing only a minor role. To visit a friend in England there is no need to move either his body or mine–being there is as easy as dialing the phone. That is one of many reasons why I do not expect gasoline powered automobiles to play a major role in transportation a century from now.

A few pages back, we were considering a world where realspace was entirely public, cyberspace entirely private. As things presently are, that would be a very public world, since most of us live most of our lives in realspace. But if deep VR reverses the ratio, giving us a world where all the interesting stuff happens in cyberspace and realspace activity consists of little more than keeping our bodies alive, it will be a very private world.

Having labeled the section science fiction, I could not resist adding a chapter on ways in which current and near future technologies may make possible the old sf dream--space travel, space habitats, in time, perhaps, the stars.

Alternatives

Any of the futures I have just sketched might happen, but not all. If nanotech turns the world into gray goo in 2030, it will also turn into gray goo the computers on which artificial super intelligences would have been developed in 2040. If nanotech bogs down and A.I. does not, the programmed computers that rule the world of 2040 may be more interested in their own views of how the human species should evolve than in our view of what sort of children we want to have. And, closer to home, if strong private encryption is built into our communication systems, with the encryption and decryption under the control not of the network but of the individuals communicating with each other–the National Security Agency's nightmare for the past twenty years or so–it won't matter how many telephone lines the FBI can tap.

That is one reason this book is not prophecy. I expect parts of what I describe to happen but I do not know which parts. My purpose is not to predict which future we will get but to use possible futures to think about how technological change will affect us and how we can and should change our lives and institutions to adapt to it.

That is also one reason why, with a few exceptions, I have limited my discussion of the future to the next thirty years or so. Thirty years is roughly the point at which both A.I. and nanotech begin to matter. It is also long enough to permit technologies that have not yet attracted my attention to start to play an important role. Beyond that my crystal ball, badly blurred at best, becomes useless; the further future dissolves into mist. 

 

 


Chapter II

Living With Change

New technologies change what we can do. Sometimes they make what we want to do easier. After writing a book with a word processor, one wonders how it was ever done without one. Sometimes they make what someone else is doing easier–making it harder for us to prevent him from doing it. Enforcing copyright law became more difficult when photo typesetting made the cost of producing a pirate edition lower than the cost of the authorized edition it competed with, and more difficult again when inexpensive copying put the tools of piracy in the hands of any college professor in search of reading material for his students. As microphones and video cameras become smaller and cheaper, preventing other people from spying on me becomes harder.

The obvious response is to try to keep doing what we have been doing. If that is easier, good. If it is harder, too bad. The world must go on, the law must be enforced. "Damn the torpedoes, full speed ahead."

Obvious–and wrong. The laws we have, the ways we do things, are not handed down from heaven on tablets of stone. They are human contrivances, solutions to particular problems, ways of accomplishing particular ends. If technological change makes a law hard to enforce, the best solution is sometimes to stop enforcing it. There may be other ways of accomplishing the same end–including some enabled by the same technological change. The question is not "how do we continue to do what we have been doing" but "how do we best achieve our objectives under new circumstances?"

Insofar as this book has a theme, that is it. "Full speed ahead; damn the torpedoes" is the wrong answer.

A Simple Example: The Death of Copyright

Copyright law gives the author of a copyrightable work the right to control who copies it. If copying a book requires an expensive printing plant operating on a large scale, that right is reasonably easy to enforce. If every reader owns equipment that can make a perfect copy of a book at negligible cost, enforcing the law becomes very nearly impossible.

So far as printed material is concerned, copyright law has become less enforceable over the past century, but not yet unenforceable. The copying machines most of us have access to can reproduce a book, but the cost is comparable to the cost of buying the book and the quality worse. Copyright law in printed works can still be enforced, even if less easily than in the past.

The same is not true for intellectual property in digital form. Anyone with a computer equipped with a floppy drive can copy a hundred dollar program onto a one dollar floppy. Anyone with a CDR drive can copy a four hundred dollar program onto a one dollar CD. And anyone with a reasonably fast internet connection can copy anything available online, anywhere in the world, to his hard drive.

Under those circumstances, enforcing copyright law against individual users is very nearly impossible. If my university decides to save on its software budget by buying one copy of Microsoft Office and making lots of copies, a discontented employee with Bill Gates' email address could get us in a lot of trouble. But if I choose to provide copies to my wife and children–which under Microsoft's license I am not permitted to do–or even to a dozen of my friends, there is in practice little that Microsoft can do about it.[5]

That could be changed. If we wanted to enforce present law badly enough, we could do it–with suitable revisions on the enforcement end. Every computer in the country would be subject to random search. Anyone found with an unlicensed copy of software would go straight to jail. Silicon Valley would empty and the prisons would fill with geeks, teenagers, and children.

Nobody regards that as a tolerable solution to the problem. Although there has been some shift recently in the direction of expanded criminal liability for copyright infringement,[6] software companies for the most part take it for granted that they cannot use the law to prevent individual copying of their programs and so fall back on other ways of getting rewarded for their efforts.

Holders of music copyrights face similar problems. As ownership of tape recorders became common, piracy became easier. Shifting to CD's temporarily restored the balance, since they provided higher quality than tape and were expensive to copy–but then cheap CD recorders and digital audio tape came along. Most recently, as computer networks have gotten faster, storage cheaper, and digital compression more efficient, the threat has been from online distribution of MP3 files encoding copyrighted songs.

Faced with the inability to enforce copyright law against individuals, what are copyright holders to do? There are at least three answers:

1. Substitute technological protection for legal protection.

In the early days of home computers, some companies sold their programs on disks designed to be uncopyable. Consumers found that inconvenient, either because they wanted to make copies for their friends or because they wanted to make backup copies for themselves. So other software companies sold programs designed to copy the copy protected disks. One company produced a program–SuperUtility Plus–designed to do a variety of useful things, including copying other companies' protected disks. It was itself copy protected. So another company produced a program–SuperDuper–whose sole function in life was to make copies of SuperUtility Plus.

Technological protection continues in a variety of forms. All face a common problem. It is fairly easy to provide protection sufficient to keep the average user from using software in ways in which the producer does not want him to use it. It is very hard to provide protection adequate against an expert. And one of the things experts can do is to make their expertise available to the average user in the form of software designed to defeat protection schemes.

This suggests a possible solution: technological protection backed up by legal protection against software designed to defeat it. In the early years, providers of copy protection tried that approach. They sued the makers of software designed to break the protection, arguing that they were guilty of contributory infringement (helping other people copy copyrighted material), direct infringement (copying and modifying the protection software in the process of learning how to defeat it) and violation of the licensing terms under which the protection software was sold. They lost.[7]

More recently, owners of intellectual property successfully supported new legislation–Section 1201 of the Digital Millennium Copyright Act–which reverses that result, making it illegal to produce or distribute software whose primary purpose is defeating technological protection. It remains to be seen whether or not that restriction will itself prove enforceable.[8]

2. Control only large scale copying:

Anyone with a  video recorder can copy videos for his friends [check this–how effective is current protection?]. Nonetheless, video rental stores remain in business. They inexpensively provide their customers with an enormously larger selection than they could get by copying their friends' cassettes. The stores themselves cannot safely violate copyright law, buying one cassette for a hundred outlets, because they are large, visible organizations. So producers of movies continue to get revenue from video cassettes, despite the ability of customers to copy them.

There is no practical way for music companies to prevent one teenager from making copies of a CD or a collection of MP3's for his friends–but consumers of music are willing to pay for the much wider range of choice available from a store. The reason Napster threatened the music industry was that it provided a similar range of choice at a much lower cost. Similarly for software. As long as copyright law can be used to prevent large scale piracy, customers will be willing to pay for the convenience provided by a legal, hence large scale and public, source for their software. In both cases, the ability of owners of intellectual property to make piracy inconvenient enough to keep themselves in business is threatened by the internet, which offers the possibility of large scale public distribution of pirated music and software.

3. Permit copying; get revenues in other ways:

"Most successful lecturers will in whispered tones confide to you that there is no other journalistic or pedagogical activity more remunerative–a point made by Mark Twain and Winston Churchill."

(William F. Buckley, Jr.)[9]

A century ago, prominent authors got a good deal of their income from public lectures. Judging by the quote from Buckley–and my own observations–some still do. That suggests that, in a world without enforceable copyright, some authors could write books, provide them online to anyone who wanted them, and make their living selling services to their readers–public lectures, consulting services, or the like. This is not a purely conjectural possibility. Currently I provide the full text of three books and numerous articles on my web page, for free–and receive a wide range of benefits, monetary and non-monetary, by doing so.

This is one example of a more general strategy: Give away the intellectual property and get your income from it indirectly. That is how both of the leading web browsers are provided. Netscape gives away Navigator and sells the server software that Navigator interacts with; Microsoft follows a similar strategy. Apple provides a competing browser--which is available for free, but only runs on Apple computers. It is also how radio and television programs pay their bills; give away the program and get revenue from the ads.

As these examples show, the death of copyright does not mean the death of intellectual property. It does mean that producers of intellectual property must find other ways of getting paid for their work. The first step is recognizing that, in the long run, simply enforcing existing law is not going to be an option.

Defamation Online: A Less Simple Example

A newspaper publishes an article asserting that I am a wanted criminal, having masterminded several notorious terrorist attacks. Colleagues find themselves engaged when I propose going out to dinner. My department chair assigns me to teach a course on Sunday mornings with an enrollment of one. I start getting anonymous phone calls. My recourse under current law is to sue the paper for libel, forcing them to retract their false claims and compensate me for damage done.

Implicit in the legal solution to defamation are two assumptions. One is that when someone makes a false statement to enough people to do serious damage, the victim can identify either the person who made the statement or someone else responsible for his making it–the newspaper if not the author. The other is that at least one of the people identified as responsible will have enough assets to be worth suing.

In the world of twenty years ago, both assumptions were usually true. The reporter who wrote a defamatory article might be too poor to be worth suing, but the newspaper that published it was not–and could reasonably be held responsible for what it printed. It was possible to libel someone by a mass mailing of anonymous letters, but a lot of trouble to do it on a large enough scale to matter to most victims.

Neither is true any longer. It is possible, with minimal ingenuity, to get access to the internet without identifying yourself. With a little more technical expertise, it is possible to communicate online through intermediaries–anonymous remailers–in such a way that the message cannot be linked to the sender. Once online, there are ways to communicate with large numbers of people at near zero cost: mass email, posts on Usenet news, a page on the worldwide web. And if you choose to abandon anonymity and spread lies under your own name, access to the internet is so inexpensive that it is readily available to people without enough assets to be worth suing.

One possible response is that we must enforce the law–whatever it takes. If the originator of the defamation is anonymous or poor, find someone else, somewhere in the chain of causation, who is neither. In practice, that probably means identifying the internet service provider through whom the message passed and holding him liable. A web page is hosted on some machine somewhere; someone owns it. An email came at some point from a mail server; someone owns that.

That solution makes no more sense than holding the U.S. Post Office liable for anonymous letters. The publisher of a newspaper can reasonably be expected to know what is appearing in his pages. But an ISP has no practical way to monitor the enormous flow of information that passes through its servers–and if it could, we wouldn't want it to. We can–in the context of copyright infringement we do–set up procedures under which an ISP can be required to take down webbed material. But that does no good against a Usenet post, mass email, webbed defamation hosted in places reluctant to enforce U.S. law, or defamers willing to go to the trouble of hosting their web pages on multiple servers, shifting from one to another as necessary. Defamation law is of very limited use for preventing online defamation.

There is–has always been–another solution to the problem. When people tell lies about me, I answer them. The technological developments that make defamation law unenforceable online also make possible superb tools for answering lies, and thus provide a substitute, arguably a superior substitute, for legal protection.

My favorite example is Usenet News, a part of the internet older and less well known than the web. To the user, it looks like a collection of online bulletin boards, each on a different topic–anarchy, short-wave radios, architecture, cooking history. When I post a message to a newsgroup, the message goes to a computer–a news server–provided by my ISP. The next time that news server talks to another, they exchange messages–and mine spreads gradually across the world. In an hour, it may be answered by someone in Finland or Japan. The server I use hosts nearly thirty thousand groups. Each is a collection of conversations spread around the world–a tiny non-geographical community united, and often divided, by common interests.[10]

Google, which hosts a popular web search engine, also provides a search engine for Usenet. Using it I can discover in less than a minute whether anyone has mentioned my name anywhere in the world any time in the last three days–or weeks, or years–in any of more than thirty thousand newsgroups. If I get a hit, one click brings up the message. If I am the David Friedman mentioned (the process would be easier if my name were Myron Whirtzlburg), and if the message requires an answer, a few more clicks put my response in the same thread of the same newsgroup, where almost everyone who read the original post will see it. It is as if, when anyone slandered me anywhere in the world, the wind blew his words to me and my answer back to the ears of everyone who had heard them.

The protection Usenet offers against defamation is not perfect; a few people who read the original post may miss my reply and more may choose not to believe it. But the protection offered by the courts is imperfect too. Most damaging false statements are not important enough to justify the cost and trouble of a lawsuit. Many that are do not meet the legal requirements for liability. Given the choice, I prefer Usenet.

Suppose that instead of defaming me on a newsgroup you do it on a web page. Finding it is easy–Google provides a search engine for the web too. The problem is how to answer it. I can put up a web page with my answer and hope that sufficiently interested readers will come across it, but that is all I can do. The links on your web page are put there by you, not by me–and you may be reluctant to add one to the page that proves you are lying.

There is a solution to this problem–a technological solution. Current web browsers show only forward links–links from the page being read to other pages. It would be possible to build a web browser, say Netscape Navigator 9.0, that automatically showed back links, letting the user see not only what pages the author of this page chose to link to but also what pages chose to link to it.[11] Once such browsers are in common use, I need only put up a page with a link to yours. Anyone browsing your page with the back link option turned on will be led to my rebuttal.

There is a problem with this solution–a legal problem. Your web page is covered by copyright, which gives you the right to forbid other people from making either copies or derivative works. A browser that displays your page as you intended is making a copy, but one to which you have given implicit authorization by putting your page on the web. A browser that displays your page with back links added is creating a derivative work–one that you may not have intended and, arguably, did not authorize. To make sure your lies cannot be answered, you notify Netscape that they are not authorized to display your page with back links added.

The issue of when one web page is an unauthorized derivative work of another is currently being fought out in the context of "framing"–one web site presenting material from another along with its own advertising. If my view of online defamation is correct, the outcome of that litigation may be important to an entirely different set of issues. The same legal rule–a strong reading of the right to prevent derivative works online–that would protect a site from other people free riding on its content would also provide protection to someone who wants to spread lies online--unanswered.

Unsteady Ground

"My mother was a test tube, my father was a knife."

Friday, Robert A. Heinlein

Technological changes alter the cost of doing things. But they may also affect us in a more subtle way–by making obsolete the categories we use to talk and think about the world around us.

Consider the category of "parent." It used to be that, while there might be some uncertainty about the identity of a child's father, there was no question what "father" and "mother" meant. Laws and social norms specifying the rights and obligations of fathers and mothers were unambiguous in meaning, if not always in application.

That is no longer the case. With current reproductive technology there are at least two biological meanings of "mother" and will soon be a third. A gestational mother is the woman in whose womb a fetus was incubated. An egg mother is the woman whose fertilized egg became the fetus. Once human cloning becomes an established technology, a mitochondrial mother will be the woman whose egg, with its nucleus replaced by the nucleus of the clone donor but with its own extra-nuclear mitochondrial DNA, developed into the fetus. And once genetic engineering becomes a mature technology, permitting us to produce offspring whose DNA is a patchwork from multiple donors, the concept of "a" biological mother (or father) will be very nearly meaningless.

The Child With Five Parents

A California couple wanted a child. The husband was sterile. His wife was doubly sterile–she could neither produce a fertile egg nor bring a fetus to term. They contracted with a sperm donor, an egg donor, and a gestational mother. The donated egg was impregnated with the donated sperm and implanted in the rented womb. Then, before the baby was born, their marriage broke up, leaving the courts with a puzzle: What person or persons had the legal rights and obligations of parenthood?

Under California law read literally, the answer was clear. The mother was the woman from whose body the child was born. The father was her husband. That was a sensible enough legal rule when the laws were written. But it made no sense at all in a world where neither that woman nor her husband was either related to the child or had intended to parent it.

The court that finally decided the issue, like some but not all other California courts presented with similar conundrums, sensibly ignored the literal reading of the law, holding that the parents were the couple who had set the train of events in motion, intending at that time to rear the child as their own.[12] They thus substituted for the biological definition that had become technologically obsolete a social definition–motherhood by neither egg nor womb but by intention.

This is a true story. If you don't believe me, go to a law library and look up John A. B. Vs. Luanne H. B (72 Cal. Rptr. 2d 280 (Ct. App. 1998)).[13]

The Living Dead

Consider someone whose body is preserved at the temperature of liquid nitrogen while awaiting the medical progress needed to revive and cure him. Legally he is dead; his wife is a widow, his heirs have his estate. But if he is in fact going to be revived, then in a very real sense he is not dead–merely sleeping very soundly. Our legal system, more generally our way of thinking about people, takes no account of the special status of such a person. There is a category of alive, a category of dead, and–outside of horror movies and computer games–nothing between them.

The absence of such a category matters. It may, quite literally, be a matter of life and death.

You are dying of a degenerative disease that will gradually destroy your brain. If you are cured today, you will be fine. If a year later, your body may survive but your mind will not. After considering the situation, you decide that you are more than willing to trade a year of dying for a chance of getting back your life. You call up the Alcor Foundation and ask them to arrange to have your body frozen–tomorrow if possible.

They reply that while they agree with your decision they cannot help you. As long as you are legally alive, freezing you is legally murder. You will simply have to wait another year until you are declared legally dead–and hope that somehow, some day, medical science will become capable of reconstructing you from what by that time is left.

This too is, allowing for a little poetic license, a true story. In Donaldson v. Van de Kamp[14], Thomas Donaldson went to court in an unsuccessful attempt to get permission to be frozen before, rather than after, his brain was destroyed by a cancerous tumor.

The issues raised by these cases–the meaning of parenthood and of death–will be discussed at greater length in later chapters. Their function here is to illustrate the way in which technological change alters the conceptual ground under our feet.

All of us deal with the world in terms of approximations. We describe someone as tall or short, kind or cruel, knowing that the former is a matter of degree and the latter both of degree and of multiple dimensions. We think of the weather report as true, although it is quite unlikely that it provides a perfectly accurate description of the weather, or even that such a description is possible–when the weather man says the temperature is 70 degrees in the shade, just which square inch of shade is he referring to? And we classify a novel as "fiction" and this book as "nonfiction," although quite a lot of the statements in the former are true and some in the latter are false.

Dealing with the world in this way works because the world is not a random assemblage of objects–there is pattern to it. Temperature varies from one patch of shade to another, but not by very much; while a statement about "the" temperature in the shade may not be precisely true, we rarely lose much by treating it as if it were. Similarly for the other useful simplifications of reality that make possible both thought and communication.

When the world changes enough, some simplifications cease to be useful. It was always true that there was a continuum between life and death; the exact point at which someone is declared legally dead is arbitrary. But, with rare exceptions,[15] it was arbitrary to within seconds, perhaps minutes–which almost never mattered. When it is known that, for a large number of people, the ambiguity not only exists but will exist for decades, the simplification is no longer useful. It may, as in the case of Thomas Donaldson, become lethal.

It's Not Just Law, It's Life

 
So far my examples have focused on how legal rules should respond to technological change. But similar issues arise for each of us in living his own life in a changing world. Consider, for a story now in part played out, the relations between men and women.

The Decline of Marriage

For a very long time, human societies have been based on variants of the sexual division of labor. All started with a common constraint–women bear and suckle children, men do not. For hunter gatherers, that meant that the men were the hunters and the women, kept relatively close to camp by the need to care for their children, the gatherers. In more advanced societies, that became, with many variations, a pattern where women specialized in household production and men in production outside the household.

A second constraint was the desire of men to spend their resources on their own children rather than on the children of other men–a desire rooted in the fact that Darwinian selection has designed organisms, including human males, to be good at passing down their own genes to future generations.[16] Since the only way a man could be reasonably confident that he was the father of a particular child was for its mother not to have had sex with other men during the period when it was conceived, the usual arrangement of human societies, with a few exceptions, gave men sexual exclusivity. One man might under some circumstances sleep with more than one woman, but one woman was supposed to, and most of the time did, sleep with only one man.[17]

Over the past few centuries, two things have sharply altered the facts that led to those institutions. One is the decline in infant mortality. In a world where producing two or three adult children required a woman to spend most of her fertile years bearing and nursing, the sexual division of labor was sharp–one profession, "mother," absorbed close to half the labor force. In today's world, a woman need bear only two babies in order to end up with two adult children.[18]

A second change, the increased division of labor, has drastically reduced the importance of household production. You may still wash your own clothes, but most of the work was done by the people who built the washing machine. You may still cook your own dinner, but you are unlikely to cure your own ham or make your own soap. That change eliminated a good deal of what wives traditionally did, freeing women for other activities.[19]

As being a wife and mother went from a full to a part time job, human institutions adjusted. Market employment of women increased. Divorce became more common. The sexual division of labor, while it still exists, is much less sharp–many women do jobs that used to be done almost exclusively by men, some men do jobs that used to be done almost exclusively by women.

The Future of Marriage

One consequence of married women working largely outside of the home is to make the enforcement of sexual exclusivity, never easy,[20] very nearly impossible. Modern societies developed a social alternative--companionate marriage. A wife who is your best friend instead of your subordinate or slave is less likely to want to cheat on you--a good thing if you have no practical way of stopping her. Modern society also produced, somewhat later, a technological alternative: Paternity testing. It is now possible for a husband to know whether his wife's children are his even if he is not confident that he is her only sexual partner.

This raises some interesting possibilities. We could have–are perhaps moving towards–a variant of conventional marriage institutions in which paternal obligations are determined by biology, not marital status. We could have a society with group marriages but individual parental responsibilities, since a woman would know which of her multiple husbands had fathered any particular child. We could have a society with casual sex but well defined parental obligations–although that raises some practical problems, since it is much easier for a couple to share parental duties if they are also living together, and the fact that two people enjoy sleeping together is inadequate evidence that they will enjoy living together.

All of these mating patterns exist already–for a partial sample, see the Usenet newsgroup alt.polyamory. Whether any become common will depend in large part on the nature of male sexual jealousy. Is it primarily a learned pattern, designed to satisfy an instinctual preference for one's own children? Or is it itself instinctual–hard wired by evolution as a way of improving the odds that the children a male supports carry his genes?[21] If the former, then once the existence of paternity testing makes jealousy obsolete we can expect its manifestations to vanish, permitting a variety of new mating patterns. If the latter, jealousy is still obsolete but, given the slow pace of evolutionary change, that fact will be irrelevant to behavior for a very long time, hence we can expect to continue with some variant of monogamy, or at least serial polygamy, as the norm.

The basic principle here is the same as in earlier examples of adjustment to technological change. Our objective is not to save marriage. It is to accomplish the purposes that marriage evolved to serve. One way is to continue the old pattern even though it has become more difficult–as exemplified by the movement for giving couples the option of covenant marriage, marriage on something more like the old terms of "till death do us part." Another is to take advantage of technological change to accomplish the old objective–producing and bringing up children–in new ways.

Doing Business Online

Technology affects law and love. Also business. Consider the problem of contract enforcement.

Litigation has always been a clumsy and costly way of enforcing contractual obligations. It is possible to sue someone in another state, even another country–but the more distant the jurisdiction, the harder it is. If online commerce eventually dispenses with not only geography but real world identity, so that much of it occurs between parties linked only to an identity defined by a digital signature, enforcing contracts in the courts becomes harder still. It is difficult to sue someone if you do not know who he is.

There is an old solution–reputation. Just as in the case of defamation, the same technology that makes litigation less practical makes the private substitute more practical.

Ebay provides a low tech example. When you win an auction and take delivery of the goods, you are given an opportunity to report on the result–did the seller deliver when and as scheduled, were the goods as described? The reports on all past auctions by a given seller are available, both in full and in summary form, to anyone who might want to bid on that seller's present auctions. In a later chapter we will consider more elaborate mechanisms, suitable for higher stakes transactions, by which modern information technology can use reputational enforcement to substitute for legal enforcement.

Brakes? What Brakes?

When considering the down side of technologies–Murder Incorporated in a world of strong privacy or some future James Bond villain using nanotechnology to convert the entire world to gray goo–your reaction may be "Stop the train, I want to get off." In most cases, that is not an option. This particular train is not equipped with brakes.

Most of the technologies we will be discussing can be developed locally and used globally. Once one country has a functional nanotechnology, permitting it to build products vastly superior to those made with old technologies, there will be enormous pressure on other countries to follow suit. It is hard to sell glass windshields when the competition is using structural diamond. It is even harder to persuade cancer patients to be satisfied with radiation therapy when they know that, elsewhere in the world, microscopic cell repair machines are available that simply go through your body and fix whatever is wrong.

For an example already played out, consider surrogacy contracts–agreements by which a woman bears a child, either from her own or another woman's egg, for another couple to rear as its own. The Baby M case established that such contracts are not enforceable, at least in New Jersey. State legislation followed, with the result that in four states merely signing such a contract is a criminal act and in one, Michigan, arranging a surrogacy contract is a felony punishable by up to five years and $50,000.

None of this mattered very much. Someone who could afford the costs of hiring a host mother, still more someone who could afford the cost necessary to arrange for one mother to incubate another's egg, could almost certainly afford the additional cost of doing it in a friendly state. As long as there was one state that approved of such arrangements, the disapproval of others had little effect even on their own citizens. And even if the contracts were legally unenforceable, it was only a matter of time before people in the business of arranging them learned to identify and avoid potential host mothers likely to change their mind after the child was born.[22]

Or consider research into the causes of aging. Many people believe (I think mistakenly) that the world suffers from serious problems of overpopulation. Others argue (somewhat more plausibly) that a world without aging would risk political gerontocracy and cultural stasis.[23] Many would–some do–argue that even if the problem of aging can be solved, it ought not to be.

That argument becomes less convincing the older you get. Old people control large resources, both economic and political. While arguments against aging research may win out somewhere, they are unlikely to win out everywhere–and the cure only has to be found once.

For a more disturbing example, consider artificial intelligence–a technology that might well make human beings obsolete. At each stage, doing it a little better means being better able to design products, predict stock movements, win wars. That almost guarantees that at each stage, someone will take the next step.

Even if it is possible to block or restrict a potentially dangerous technology, as in a few cases it may be, it is not clear that we should do it. We might discover that we had missed the disease and banned the cure. If an international covenant backed by overwhelming military power succeeds in restricting nanotechnological development to government approved labs, that might save us from catastrophe. But since government approved labs are the ones most likely to be working on military applications of new technology, while private labs mostly try to produce what individual customers want, the effect might also be to prevent the private development of nanotechnological countermeasures to government developed mass destruction. Or it might turn out that our restrictions had slowed the development of nanotechnology by enough to leave us unable to defend against the result of a different technology–a genetically engineered plague, for example.

There are legitimate arguments for trying to slow or prevent some of these technological developments. Those arguments will be made–but not here. For my purposes, it is more interesting to assume that such attempts, if made, will fail, and try to think through the consequences–how new technologies will change things, how human beings will and should adapt to those changes.

Technological progress means learning more about how to do things; on the face of it, one would expect that to result in an improvement in human life. So far, with few or no exceptions, it has. Despite a multitude of dire prophecies over the past two centuries, human life almost everywhere is better today than it was fifty years ago, better fifty years ago than a hundred years ago, and better a hundred years ago than two hundred years ago.[24]

Past experience is not always a reliable guide to the future. Despite the progress of the past two hundred years, quite a number of people continue to predict future catastrophe from present progress—including a few sufficiently well informed and competent to be worth taking seriously.[25] In my final chapter, I will return to the question of whether, how, and under what circumstances they might be right.

 


Part II: Privacy and Technology

 

Chapter III: A World of Strong Privacy

There has been a lot of concern in recent years about the end of privacy. As we will see in the next two chapters, there is reason for such fears; the development of improved technologies for surveillance and data processing does indeed threaten our ability to restrict other people’s access to information about us. But a third and less familiar technology is working in precisely the opposite direction. If the arguments of this chapter are correct we will soon be experiencing in part of our lives–an increasingly important part–a level of privacy that human beings have never known before. It is a level of privacy that not only scares the FBI and the National Security Agency, two organizations whose routine business involves prying into other people's secrets, it sometimes even scares me.

We start with an old problem: How to communicate with someone without letting other people know what you are saying. There are a number of familiar solutions. If you are worried about eavesdroppers, check under the eaves before saying things you do not want the neighbors to hear. To be safer still, hold your private conversation in the middle of a large, open field, or a boat in the middle of a lake. The fish are not interested and nobody else can hear.

That approach no longer works. Even the middle of a lake is within range of a shotgun mike. The eaves do not have to contain eavesdroppers–just a microphone and a transmitter. If you check for bugs, someone can still bounce a laser beam off your window pane and use it to pick up the vibration from your voice. I am not sure that satellite observation is good enough yet to read lips from orbit–but if not, it soon will be.[26] Furthermore, much of our communication is now indirect, over phone wires, airwaves, the internet. Phone lines can be tapped, cordless or cell phone messages intercepted. An email bounces through multiple computers on its way to its destination—anyone controlling one of those computers can, in principle, save a copy for himself.

A different set of old technologies was used for written messages. A letter sealed with the sender's signet ring could not protect the message, but at least it let the recipient know if it had been opened–unless the spy was very good with a hot knife. A letter sent via a trusted messenger was safer still–provided he deserved the trust.

A more ingenious approach was to protect not the physical message but the information it contained, by scrambling the message and providing the intended recipient with the formula for unscrambling it. A simple version was a substitution cipher, in which each letter in the original message was replaced by a different letter. If we replace each letter with the next one in the alphabet, we get "mjlf uijt" from the words "like this."

"mjlf uijt" does not look much like "like this," but it is not very hard, if you have a long message and patience, to deduce the substitution and decode the message. More sophisticated scrambling schemes rearrange the letters according to an elaborate formula, or convert letters into numbers and do complicated arithmetic with them to convert the message (plaintext) into its coded version (ciphertext). Such methods were used, with varying degrees of success, by both sides in World War II.[27]

There were two problems with this way of keeping secrets. The first was that it was slow and difficult–it took a good deal of work to convert a message into its coded form or to reverse the process. It was worth doing if the message was the order telling your fleet when and where to attack, but not for casual conversations among ordinary people.

That problem has been solved. The computers most of us have on our desktops can scramble messages, using methods that are probably unbreakable even by the NSA, faster than we can type them. They can even scramble–and unscramble–the human voice as fast as we can speak. Encryption is now available not merely to the Joint Chiefs of Staff but to you and me for our ordinary conversation.

The other problem is that in order to read my scrambled message you need the key–the formula describing how to unscramble it. If I do not have a safe way of sending you messages, I may not have a safe way of sending you the key either. If I sent it by a trusted messenger but made a small mistake as to who was entitled to trust him, someone else now has a copy and can use it to decrypt my future messages to you. This may not be too much of a problem for governments, willing and able to send information back and forth in briefcases handcuffed to the wrists of military attachés, but for the ordinary purposes of ordinary people that is not a practical option.

About twenty-five years ago, this problem was solved. The solution was public key encryption, a new way of scrambling and unscrambling messages that does not require a secure communication channel for either the message or the key.[28] The software to implement that solution is now widely available.

Public key encryption works by generating a pair of keys–call them A and B–each a long number that can be used to unscramble what the other has scrambled. If you encrypt a message with A, someone who possesses only A cannot decrypt it–that requires B. If you encrypt a message with B, you have to use A to decrypt it. If you send a friend key A (your public key) while keeping key B (your private key) secret, your friend can use A to encrypt messages to you and you can use B to decrypt them. If a spy gets a copy of key A, he can send you secret messages too. But he still cannot decrypt the messages from your friend. That requires key B, which never leaves your possession.

How can one have the information necessary to encrypt a message yet be unable to decrypt it? How can it be possible to produce two keys with the necessary relationship but not, starting with one key, to calculate the other? The answer to both questions depends on the fact that there are some mathematical processes that are much easier to do in one direction than another.

Most of us can multiply 293 by 751 reasonably quickly, using nothing more sophisticated than pencil and paper, and get 220043. Starting with 220043 and finding the only pair of three digit numbers that can be multiplied together to give it takes a lot longer. The most widely used version of public key encryption depends on that asymmetry–between multiplying and factoring–using very much larger numbers.[29] Readers who are still puzzled may want to look at appendix I of this chapter, where I describe a very simple form of public key encryption suited to a world where people know how to multiply but have not yet learned how to divide, or check one of the webbed descriptions of the mathematics of the RSA algorithm, the most common form of public key encryption.[30]

When I say that encryption is unbreakable, what I mean is that it cannot be broken at a reasonable cost in time and effort. Almost all encryption schemes,[31] including public key encryption, are breakable given an unlimited amount of time. If, for example, you have key A and a message a thousand characters long encrypted with it, you can decrypt the message by having your computer create every possible thousand character message, encrypt each with A, and find the one that matches. Alternatively, if you know that key B is a number a hundred digits long, you could try all possible hundred digit numbers, one after another, until you found one that correctly decrypted a message that you had encrypted with key A.

Both of these are what cryptographers describe as "brute force" attacks. To implement the first of them, you should first provide yourself with a good supply of candles–the number of possible thousand character sequences is so astronomically large that, using the fastest available computers, the sun will have burned out long before you finish. The second is workable if key B is a sufficiently short number–which is why people who are serious about protecting their privacy use long keys, and why people who are serious about violating privacy–the National Security Agency, for example–try to make laws restricting the length of the keys that encryption software uses.
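The key pair and the two brute-force attacks described above can be tried at toy scale. The following Python sketch is an added example, not code from the book: it builds keys A and B from the text's 293 and 751 using textbook RSA, and the exponent 17, the one-byte-per-block encoding and all function names are assumptions made for the illustration.

```python
# Added illustration, not from the book: textbook RSA built from the chapter's
# own numbers, 293 x 751 = 220043. A six-digit modulus is a teaching toy; real
# keys use primes hundreds of digits long, plus random padding.
from math import gcd, isqrt


def make_key_pair(p, q, e=17):
    """Return (key_a, key_b): the public pair (n, e) and the private pair (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)*(q-1)")
    return (n, e), (n, pow(e, -1, phi))  # d is chosen so e*d = 1 (mod phi)


def scramble(key, blocks):
    """Apply one key to a list of numbers; only the other key undoes it."""
    n, exponent = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block must be smaller than n")
    return [pow(b, exponent, n) for b in blocks]


def text_to_blocks(text):
    return list(text.encode("utf-8"))  # assumption: one byte per block


def blocks_to_text(blocks):
    return bytes(blocks).decode("utf-8")


def guess_and_encrypt_attack(key_a, ciphertext):
    """First brute-force attack in the text: encrypt every possible message
    with A and look for a match. Feasible here only because each block is a
    single byte, so there are just 256 candidates per block."""
    table = {scramble(key_a, [b])[0]: b for b in range(256)}
    return blocks_to_text([table[c] for c in ciphertext])


def factor_attack(key_a):
    """Second brute-force attack: recover B from A by factoring n.
    Returns (key_b, number_of_trial_divisions)."""
    n, e = key_a
    for trials, candidate in enumerate(range(2, isqrt(n) + 1), start=1):
        if n % candidate == 0:
            p, q = candidate, n // candidate
            return (n, pow(e, -1, (p - 1) * (q - 1))), trials
    raise ValueError("n has no factor other than itself")


def demo():
    key_a, key_b = make_key_pair(293, 751)
    plain = text_to_blocks("like this")
    sealed = scramble(key_a, plain)    # anyone holding A can do this
    stamped = scramble(key_b, plain)   # only the holder of B can do this
    recovered_b, trials = factor_attack(key_a)
    return {
        "key_a": key_a,
        "key_b": key_b,
        "b_opens_what_a_sealed": blocks_to_text(scramble(key_b, sealed)),
        "a_opens_what_b_sealed": blocks_to_text(scramble(key_a, stamped)),
        "a_cannot_open_what_a_sealed": scramble(key_a, sealed) != plain,
        "guessed_without_b": guess_and_encrypt_attack(key_a, sealed),
        "b_recovered_by_factoring": recovered_b == key_b,
        "trial_divisions": trials,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With this naive trial division, each extra digit in the smaller prime multiplies the work by about ten, which is why key length decides whether the second attack is practical. The first attack succeeds here only because the blocks are single bytes encrypted without randomness; the thousand-character message in the text is the same search made hopeless by size.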

Encryption Conceals …

Imagine that everyone has an internet connection and suitable encryption software, and that everyone's public key is available to everyone else–published in the phone book, say. What follows?

What I say

 

One obvious result is that we can have private conversations. If I want to send you a message that nobody else can read, I first encrypt it with your public key. When you respond, you encrypt your message with my public key. The FBI, or my nosy neighbor, is welcome to tap the line–everything he gets will be gibberish to anyone who does not have the corresponding private key.

 

To Whom

 

Even if the FBI does not know what I am saying, it can learn a good deal by watching who I am saying it to–known in the trade as "traffic analysis." That problem too can be solved using public key encryption and an anonymous remailer, a site on the internet that forwards email. When I want to communicate with you, I send the message to the remailer, along with your email address. The remailer sends it to you.

If that was all that happened, someone tapping the net could follow the message from me to the remailer and from the remailer to you. To prevent that, the message to the remailer, including your email address, is encrypted with the remailer's public key. When he receives it he uses his private key to strip off that layer of encryption, revealing your address, and forwards the decrypted message. Our hypothetical spy sees a thousand messages go into the remailer and a thousand go out, but he can neither read the email addresses on the incoming messages–they are hidden under a layer of encryption–nor match up incoming and outgoing messages.

What if the remailer is a plant–a stooge for whoever is spying on me? There is a simple solution. The email address he forwards the message to is not actually yours–it is the email address of a second remailer. The message he forwards is your message plus your email address, the whole encrypted with the second remailer's public key. If I am sufficiently paranoid, I can bounce the message through ten different remailers before it finally gets to you. Unless all ten are working for the same spy, there is no way anyone can trace the message from me to you.

Readers who want a more detailed description of how remailers work will find it in appendix II.
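The chain of remailers described above, as an added Python sketch that is not taken from the book or its appendix: the sender wraps one layer of encryption per remailer, and each remailer strips its own layer and learns only the next address. The addresses, the toy primes, the packet layout (next address on the first line) and the byte-at-a-time toy RSA standing in for real public key encryption are all constructed for the illustration.

```python
# Added illustration, not from the book: a chain of anonymous remailers, each
# stripping one layer of public-key encryption. Addresses, primes and the
# "next hop on the first line" packet layout are constructed for this sketch;
# byte-at-a-time toy RSA stands in for real public-key encryption.
E = 17
SENDER = "me@example.net"
PRIMES = {  # constructed toy primes, one pair per party
    "remailer-one.example": (293, 751),
    "remailer-two.example": (101, 107),
    "remailer-three.example": (109, 113),
    "friend@example.org": (127, 131),
}
PUBLIC = {who: (p * q, E) for who, (p, q) in PRIMES.items()}
PRIVATE = {who: (p * q, pow(E, -1, (p - 1) * (q - 1)))
           for who, (p, q) in PRIMES.items()}


def seal(address, text):
    """Encrypt text with the addressee's public key; output is digits only."""
    n, e = PUBLIC[address]
    return " ".join(str(pow(b, e, n)) for b in text.encode("utf-8"))


def unseal(address, packet):
    """Decrypt with the addressee's private key (held only by that party)."""
    n, d = PRIVATE[address]
    return bytes(pow(int(c), d, n) for c in packet.split()).decode("utf-8")


def build_onion(message, recipient, chain):
    """Sender side: seal for the recipient, then add one layer per remailer,
    last remailer first, each layer naming only the next address."""
    packet, next_hop = seal(recipient, message), recipient
    for remailer in reversed(chain):
        packet = seal(remailer, next_hop + "\n" + packet)
        next_hop = remailer
    return next_hop, packet  # first hop, and the packet to hand it


def remailer_forward(me, packet):
    """One remailer: strip its own layer; learn the next address, nothing more."""
    next_hop, inner = unseal(me, packet).split("\n", 1)
    return next_hop, inner


def deliver(message, recipient, chain):
    """Run the whole route. Returns the text the recipient reads, what each
    remailer learned as (received_from, forwarded_to), and every packet as a
    wiretapper would see it: (from, to, contents)."""
    hop, packet = build_onion(message, recipient, chain)
    previous, learned, wire = SENDER, {}, [(SENDER, hop, packet)]
    while hop != recipient:
        next_hop, packet = remailer_forward(hop, packet)
        learned[hop] = (previous, next_hop)
        wire.append((hop, next_hop, packet))
        previous, hop = hop, next_hop
    return unseal(recipient, packet), learned, wire


if __name__ == "__main__":
    route = ["remailer-one.example", "remailer-two.example",
             "remailer-three.example"]
    text, learned, wire = deliver("meet at noon", "friend@example.org", route)
    print("recipient reads:", text)
    for remailer, (came_from, goes_to) in learned.items():
        print(f"{remailer} saw {came_from} -> {goes_to}")
    print("packet sizes on the wire:", [len(p) for _, _, p in wire])
```

With a single remailer in the chain, `learned` pairs the sender with the recipient directly, which is the "plant" problem the text raises; with three, no one hop sees both ends. The packets in this sketch shrink at every hop, so it does nothing to hide message size from someone comparing incoming and outgoing traffic.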

We now have a way of corresponding that is doubly private–nobody can know what we are saying and nobody can find out whom we are saying it to. But there is still a problem.

 

Who I Am

 

When interacting with other people, it is helpful to be able to prove your identity–which can be a problem online. If I am leading a conspiracy to overthrow an oppressive government, I want my fellow conspirators to be able to tell which messages are coming from me and which from the secret police pretending to be me. If I am selling my consulting services online, I need to be able to prove my identity in order to profit from the reputation earned by past consulting projects and make sure that nobody else free rides on that reputation by masquerading as me.

That problem too can be solved by public key encryption. In order to digitally sign a message, I encrypt it using my private key instead of your public key. I then send it to you with a note telling you who it is from. You decrypt it with my public key. The fact that what comes out is a message and not gibberish tells you that it was encrypted with the matching private key. Since I am the only one who has that private key, the message must be from me.

My digital signature not only demonstrates that I sent the signed message, it does so in a form that I cannot later disavow. If I try to deny having sent it, you point out that you have a copy of the message encrypted with my private key–something that nobody but I could have produced. Thus a digital signature makes it possible for people to sign contracts that they can be held to–and does so in a way much harder to forge than an ordinary signature.[32]

 

And Who I Pay

 

If we are going to do business online, we need a way of paying for things. Checks and credit cards leave a paper trail. What we want is an online equivalent of currency–a way of making payments that cannot later be traced, either by the parties themselves or anyone else.

The solution, discussed in some detail in a later chapter, is anonymous ecash. Its essential feature is that it permits people to make payments to each other by sending a message, without either party having to know the identity of the other and without any third party having to know the identity of either of them. One of the many things it can be used for is to pay for the services of an anonymous remailer, or a string of anonymous remailers, thus solving the problem of how to keep remailers in business without sacrificing their customers' anonymity. Another, as we will see later, is to help us eliminate one of the chief minor nuisances of modern life--spam email.

Combine and Stir

Combine public key encryption, anonymous remailers, digital signatures and ecash, and we have a world where individuals can talk and trade with reasonable confidence that no third party is observing them.

A less obvious implication is the ability to combine anonymity and reputation. You can do business online without revealing your real world identity--your true name.[33] You prove you are the same person who did business yesterday, or last year, by digitally signing your messages. Your online persona is defined by its public key. Anyone who wants to communicate with you privately uses that key to encrypt his messages; anyone who wants to be sure you are the person who sent a message uses it to check your digital signature.

With the exception of fully anonymous ecash, all of these technologies already exist, implemented in software that is currently available for free.[34] At present, however, they are mostly limited to the narrow bandwidth of email–sending private text messages back and forth. As computers and computer networks get faster, that will change.

Twice in the past month I traveled several hundred miles–once by car, once by air–in order to give a series of talks.  With only mild improvements in current technology I could have given them from my office. Both I and my audience would have been wearing virtual reality goggles–glasses with the lenses replaced by tiny computer screens. My computer would be drawing the view of the lecture room as seen from the podium–including the faces of my audience–at sixty frames a second. Each person in the audience would have a similar view, from his seat, drawn by his computer. Earphones take care of sound. The result would be the illusion, for all of us, that we were present in the same room seeing and hearing each other.

Virtual reality not only keeps down travel costs, it has other advantages as well. Some lecture audiences expect a suit and tie–and not only do I not like wearing ties, all of the ties I own possess a magnetic attraction for foodstuffs in contrasting colors. To give a lecture in virtual reality, I do not need a tie–or even a shirt. My computer can add both to the image it sends out over the net. It can also remove a few wrinkles, darken my hair, and cut a decade or so off my apparent age.

As computers get faster, they can not only create and transmit virtual reality worlds, they can also encrypt them. That means that any human interaction involving only sight and sound can be moved to cyberspace and protected by strong privacy.

 

Handing out the Keys: A Brief Digression

 

In order to send an encrypted message to a stranger or check the digital signature on a message from a stranger, I need his public key. Some pages back, I assumed that problem away by putting everyone's public key in the phone book. While that is a possible solution, it is not a very good one.

A key published in the phone book is only as reliable as whoever is publishing it. If our hypothetical bad guy can arrange for his public key to be listed under my name, he can read messages intended for me and sign bogus messages from me with a digital signature that checks against my supposed key.[35] A phone book is a centralized system, hence vulnerable to failures at the center, whether due to dishonesty or incompetence.

There is, however, a simple decentralized solution; as you might guess, it too depends on public key encryption.

Consider some well known organization, say American Express, which many people know and trust. American Express arranges to make its public key very public–posted in the window of every American Express office, printed--and magnetically encoded--on every American Express credit card, included in the margin of every American Express ad. It then goes into the identity business.

To take advantage of its services, I use my software to create a public key/private key pair. I then go to an American Express office, bringing with me my passport, driver's license and public key. After establishing my identity to their satisfaction, I hand them a copy of my public key and they create a message saying, in language a computer can understand, "The public key of David D. Friedman, born on 2/12/45 and employed by Santa Clara University, is 10011011000110111001010110001101000… ." They digitally sign the message, using American Express's private key, copy the signed message to a floppy disk, and give it to me.

To prove my identity to a stranger, I send him a copy of the digital certificate from American Express. He now knows my public key–allowing him to send encrypted messages that only David Friedman can read and check digital signatures to see if they are really from David Friedman. Someone with a copy of my digital certificate can use it to prove to people what my public key is, but he cannot use it to masquerade as me because he does not possess the matching private key.

So far this system has the same vulnerability as the phone book; if American Express or one of its employees is working for the bad guy, they can create a bogus certificate identifying someone else's public key as mine. But nothing in a system of digital certificates requires trust in any one organization. I can email you a whole pack of digital certificates–one from American Express, one from the U.S. Post Office, one from the Catholic Church, one from my university, one from Microsoft, one from Apple, one from AOL–and you can have your computer check all of them and make sure they all agree. It is unlikely that a single bad guy has infiltrated all of them.[36]
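The check described in the last paragraph, as an added example rather than code from the book: verify every certificate in the pack against its issuer's public key, then accept the subject's key only if the validly signed certificates agree. The authority names, the statement format, the quorum of two and the toy RSA keys built from publicly known Mersenne primes are assumptions; signatures are computed over a digest, as the chapter's "Truth to Tell" section describes.

```python
import hashlib
from collections import Counter

E = 65537  # public exponent used by every toy key below

def toy_keypair(a, b):
    """Textbook RSA key from the Mersenne primes 2^a-1 and 2^b-1 (demo only, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message):
    n, d = priv
    return pow(_digest(message, n), d, n)

def verify(pub, message, signature):
    n, e = pub
    return pow(signature, e, n) == _digest(message, n)

def key_text(pub):
    """Machine-readable form of a public key, as it appears inside a certificate."""
    return f"{pub[0]:x}.{pub[1]:x}"

def issue(ca_name, ca_priv, subject, subject_pub):
    """The authority's signed statement: 'the public key of <subject> is <key>'."""
    statement = f"subject={subject};key={key_text(subject_pub)}".encode()
    return {"issuer": ca_name, "statement": statement, "signature": sign(ca_priv, statement)}

def check_pack(subject, certs, trusted, quorum=2):
    """Returns (status, detail, rejected).
    'agree'        detail is the key every valid certificate names
    'conflict'     detail lists issuers that disagree with the majority; trust no key yet
    'insufficient' fewer than `quorum` valid certificates"""
    claims, rejected = {}, {}
    for cert in certs:
        pub = trusted.get(cert["issuer"])
        if pub is None:
            rejected[cert["issuer"]] = "unknown issuer"
        elif not verify(pub, cert["statement"], cert["signature"]):
            rejected[cert["issuer"]] = "bad signature"
        else:
            fields = dict(f.split("=", 1) for f in cert["statement"].decode().split(";"))
            if fields.get("subject") != subject:
                rejected[cert["issuer"]] = "wrong subject"
            else:
                claims[cert["issuer"]] = fields["key"]
    tally = Counter(claims.values())
    if len(tally) > 1:
        majority = tally.most_common(1)[0][0]
        return "conflict", sorted(i for i, k in claims.items() if k != majority), rejected
    if len(claims) >= quorum:
        return "agree", next(iter(tally)), rejected
    return "insufficient", None, rejected

def demo():
    # Constructed authorities and keys.
    cas = {"Authority A": toy_keypair(127, 521), "Authority B": toy_keypair(89, 607),
           "Authority C": toy_keypair(107, 1279), "Authority D": toy_keypair(61, 2203)}
    trusted = {name: pub for name, (pub, _) in cas.items()}
    david_pub, _ = toy_keypair(2281, 3217)
    impostor_pub, _ = toy_keypair(4253, 4423)
    subject = "David D. Friedman"
    honest = [issue(name, priv, subject, david_pub) for name, (_, priv) in cas.items()]
    # Case 2: Authority D is subverted and certifies the impostor's key under the same name.
    rogue = honest[:3] + [issue("Authority D", cas["Authority D"][1], subject, impostor_pub)]
    # Case 3: no authority's key is available; a genuine signature is pasted onto an altered statement.
    forged = dict(honest[0], statement=honest[0]["statement"].replace(b"key=", b"key=f"))
    return {"honest": check_pack(subject, honest, trusted),
            "rogue": check_pack(subject, rogue, trusted),
            "forged": check_pack(subject, [forged] + honest[1:3], trusted)}

if __name__ == "__main__":
    for case, (status, detail, rejected) in demo().items():
        shown = detail if status != "agree" else detail[:16] + "..."
        print(case, status, shown, rejected)
```

A subverted authority produces a certificate whose signature is perfectly valid, so only the comparison across issuers exposes it; an altered certificate fails the signature check on its own.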

So far I have been assuming that real world identities are unique--each individual has only one. But each of us has, in a very real sense, multiple identities--there are different things about us that are relevant identifiers to different people. What my students need to know is that a message really came from the professor teaching the course they are taking. What my daughter needs to know is that it really came from her father. One can imagine circumstances where it is important to keep multiple real world identities separate--to conceal from some of the people you are interacting with identifying features that you want to be able to reveal to others. A system of multiple certifying authorities makes that possible--provided you remember which certificates to send to which correspondent. Sending your superior in the criminal organization you are infiltrating the certificate identifying you as a police officer might be hazardous.

A World of Strong Privacy

One of the attractive features of the world created by these technologies is free speech. If I communicate online under my own name, using encryption, I can be betrayed only by the person I am communicating with. If I do it using an online persona, with reputation but with no link to my realspace identity, not even the people I communicate with can betray me. Thus strong privacy creates a world which is, in important ways, safer than the one we now live in–a world where you can say things other people disapprove of without the risk of punishment, legal or otherwise.

Which brings me to another digression–one directed especially at my friends on the right wing of the political spectrum.

The Virtual Second Amendment

The second amendment to the U.S. constitution guarantees Americans the right to bear arms. A plausible interpretation of its history[37] views it as a solution to a problem of considerable concern to 18th century thinkers–the problem of standing armies.[38]   Everyone knew that professional armies beat amateur armies. Everyone also knew–with Cromwell's dictatorship still fairly recent history–that a professional army posed a serious risk of military takeover.

The Second Amendment embodied an ingenious solution to that problem. Combine a small professional army under the control of the federal government with an enormous citizen militia–every able bodied adult man. Let the Federal government provide sufficient standardization so that militia units from different states could work together but let the states appoint officers–thus making sure that the states and their citizens maintained control over the militia. In case of foreign invasion, the militia would provide a large, if imperfectly trained and disciplined, force to supplement the small regular army. In case of an attempted coup by the Federal government, the Federal army would find itself outgunned a hundred to one.

The beauty of this solution is that it depends, not on making a military takeover illegal, but on making it impossible. In order for that takeover to occur, it would first be necessary to disarm the militia. But until the takeover had occurred, the Second Amendment prevented the militia from being disarmed, since any such attempt would be seen as a violation of the Constitution and resisted with force.

It was an elegant solution two hundred years ago, but I am less optimistic than some of my friends about its relevance today. The U.S. has a much larger professional military, relative to its population, than it did then, the states are much less independent than they were, and the gap between civilian and military weaponry has increased enormously.

Other things have changed as well over two hundred years. In a world of broad based democracy and network television, conflicts between the U.S. government and its citizens are likely to involve information warfare, not guns. A government that wants to do bad things to its citizens will do them by controlling the flow of information in order to make them look like good things.

In that world, widely available strong encryption functions as a virtual second amendment. As long as it exists, the government cannot control the flow of information. And once it does exist, eliminating it, like disarming an armed citizenry, is extraordinarily difficult–especially for a government that cannot control the flow of information to its citizens about what it is doing.

If You Work for the IRS, Stop Here

Freedom of speech is something most people, at least in this country, are in favor of. But strong privacy will also reduce the power of government in less obviously desirable ways. Activities that occur entirely in cyberspace will be invisible to outsiders–including ones working for the federal government. It is hard to tax or regulate things you cannot see.

If I earn money selling services in cyberspace and spend it buying goods in realspace, the government can tax my spending. If I earn money selling goods in realspace and spend it buying services in cyberspace, they can tax my income. But if I earn money in cyberspace and spend it in cyberspace, they cannot observe either income or expenditure and so will have nothing to tax.

Similarly for regulation. I am, currently, a law professor but not a member of the California bar, making it illegal for me to sell certain sorts of legal services in California. Suppose I wanted to do so anyway. If I do it as David D. Friedman I am likely to get in trouble. But if I do it as Legal Eagle Online, taking care to keep the true name--the real world identity--of Legal Eagle a secret, there is not much the California Bar can do about it.

In order to sell my legal services I have to persuade someone to buy them. I cannot do that by pointing potential customers at my books and articles, because they were all published under my own name. What I can do is to start by giving advice for free and then, when the recipients find that the advice is good–perhaps by checking it against the advice of their current lawyers–raise my price. Thus over time I establish an online reputation for an online identity guaranteed by my digital signature.

Legal advice is one example; the argument is a general one. Once strong privacy is well established, legal regulation of information services can no longer be enforced. Governments may still attempt to maintain the quality of professional services by certifying professionals–providing information as to who they believe is competent. But it will no longer be possible to force customers to act on that information–to legally forbid them from using uncertified providers, as they currently are legally forbidden to use unlicensed doctors or lawyers who have not passed the bar.[39]

 

The Down Side of Strong Privacy

 

Reducing the government's ability to collect taxes and regulate professions is in my view a good thing, although some will disagree. But the same logic also applies to government activities I approve of, such as preventing theft and murder. Online privacy will make it harder to keep people from sharing stolen credit card numbers or information on how to kill people, or organizing plots to steal things or blow things up.

This is not a large change; the internet and strong encryption merely make it somewhat easier for criminals to do things they are doing already. A more serious problem is that, by making it possible to combine anonymity and reputation, strong privacy makes possible criminal firms with brand name reputation.

Suppose you very much want to have someone killed. The big problem is not the cost; so far as I can gather from public accounts, hiring a hit man costs less than buying a car, and most of us can afford a car. The big problem–assuming you have already resolved any moral qualms–is finding a reliable seller of the service you want to buy.

That problem, in a world of widely distributed strong encryption, we can solve. Consider my four step business plan for Murder Incorporated:

1. Arrange for mystery billboards on major highways. Each contains a single long number and the message "write this down." Display ads with the same message appear in major newspapers.

2. Put a full page ad in the New York Times, apparently written in gibberish.

3. Arrange a multiple assassination with high profile targets, such as film stars or major sports figures–perhaps a bomb at the Academy Awards.

4. Send a message to all major media outlets, pointing out that the number on all of those billboards is a public key. If they use it to decrypt the New York Times ad they will get a description of the assassination, published the day before it happened.

You have now made sure that everyone in the world has, or can get, your public key–and knows that it belongs to an organization willing and able to kill people. Once you have taken steps to tell people how to post messages where you can read them, everyone in the world will know how to send you messages that nobody else can read and how to identify messages that can only have come from you. You are now in business as a middleman selling the services of hit men. Actual assassinations still have to take place in realspace, so being a hit man still has risks. But the problem of locating a hit man–when you are not yourself a regular participant in illegal markets–has been solved.

Murder Incorporated is a particularly striking example of the problem of criminal firms with brand name reputations, operating openly in cyberspace while keeping their realspace identity and location secret, but there are many others. Consider "Trade Secrets Inc.–We Buy and Sell." Or an online pirate archive, selling other people's intellectual property in digital form, computer programs, music, and much else, for a penny on the dollar, payable in anonymous digital cash.

Faced with such unattractive possibilities, it is tempting to conclude that the only solution is to ban encryption. A more interesting approach is to find ways of achieving our objectives–preventing murder, providing incentives to produce computer programs–that are made easier by the same technological changes that make the old ways harder.

Anonymity is the ultimate defense. Not even Murder Incorporated can assassinate you if they do not know who you are. If you plan to do things that might make people want to kill you–publish a book making fun of the prophet Mohammed, say, or revealing the true crimes of Bill (Gates or Clinton)–it would be prudent not to do it under a name linked to your realspace identity. That is not a complete solution–the employer of the hit man might, after all, be your wife, and it is hard to conduct a marriage entirely in cyberspace–but it at least protects many potential victims.

Similarly for the more common, if less dramatic, problem of protecting intellectual property online. Copyright law will become largely unenforceable, but there are other ways of protecting property. One–using encryption to provide the digital equivalent of a barbed wire fence protecting your property–will be discussed at some length in a later chapter.

Why It Will Not Be Stopped

For the past two decades powerful elements in the U.S. government, most notably the National Security Agency and the FBI, have been arguing for restrictions on encryption designed to maintain their ability to tap phones, read seized records, and in a variety of other ways violate privacy for what they regard as good purposes. After my description of the down side of strong privacy, readers may think there is a good deal to be said for the idea.

There are, however, practical problems. The most serious is that the cat is already out of the bag–has been for more than twenty-five years. The mathematical principles on which public key encryption is based are public knowledge. That means that any competent computer programmer with an interest in the subject can write encryption software. Quite a lot of such software has already been written and is widely available. And given the nature of software, once you have a program you can make an unlimited number of copies. It follows that keeping encryption software out of the hands of spies, terrorists, and competent criminals is not a practical option. They probably have it already, and if they don't they can easily get it.

Banning the production and possession of encryption software is not a practical option, but what about banning the use of encryption--at least of encryption that cannot be broken by law enforcement agents? To enforce such a ban law enforcement agencies would randomly monitor a substantial fraction of all communications, taking advantage of the massive wiretapping capacity that current law requires the phone companies to provide them and expanding the legal requirements to apply to other communication providers as well. Any message that looked like gibberish and could not be shown to be the result of a legal form of encryption would lead to legal action against its author.

One practical problem is the enormous volume of information flowing over computer networks. A second problem is that while it is easy enough to tell whether a message consists of text written in English, it is very much harder--in practice impossible--to identify other sorts of content well enough to be sure that they do not consist of, or contain, encrypted messages.

Consider a three million pixel digital photo. It is made up of three million colored dots, each described by three numbers--intensity of red, intensity of blue, intensity of green.[40] Each of those numbers is, from the standpoint of the computer, a string of ones and zeros. Changing the rightmost digit--the "least significant bit"--from one to zero or zero to one will have only a tiny effect on the appearance of the dot, just as changing the rightmost digit in a long decimal number, say 9,319,413, has only a very small effect on its size.

To conceal a million character long encrypted message in my digital photo, I simply replace the least significant bit of each of the numbers in the photo with one bit of the message. The photo is now a marginally worse picture than it was--but there is no way an FBI agent, or a computer working for an FBI agent, can know precisely what the photo ought to look like. This is a simple example of steganography--concealing messages.
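The replacement described above, as an added example rather than code from the book: it writes a payload into the least significant bits of an image's color numbers, reads it back, and measures how far any number moved. The 32-bit length header, the constructed gradient image and the hash-derived bytes standing in for an encrypted message are assumptions.

```python
import hashlib

HEADER_BITS = 32  # assumed layout: a 32-bit big-endian payload length comes first

def capacity_bytes(pixel_count, channels=3):
    """Payload bytes that fit at one bit per color number, after the length header."""
    return pixel_count * channels // 8 - HEADER_BITS // 8

def embed(pixels, payload):
    """pixels: one byte per color intensity. Returns a copy carrying the payload."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("payload too large for this image")
    out = bytearray(pixels)
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1   # most significant bit first
        out[i] = (out[i] & 0xFE) | bit            # overwrite only the lowest bit
    return bytes(out)

def _read(pixels, start, nbytes):
    out = bytearray()
    for b in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[start + 8 * b + k] & 1)
        out.append(byte)
    return bytes(out)

def extract(pixels):
    """Recover the payload, or raise ValueError if the header is implausible."""
    if len(pixels) < HEADER_BITS:
        raise ValueError("image too small to carry a header")
    length = int.from_bytes(_read(pixels, 0, 4), "big")
    if HEADER_BITS + 8 * length > len(pixels):
        raise ValueError("length header does not fit: probably no payload")
    return _read(pixels, HEADER_BITS, length)

def sample_cover(width=64, height=64):
    """Constructed 64x64 RGB gradient standing in for a photo."""
    return bytes((3 * i + 5 * (i // (3 * width))) % 256 for i in range(width * height * 3))

def sample_payload(size=1000):
    """Constructed random-looking bytes standing in for an encrypted message."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(size // 32 + 1))[:size]

def demo():
    cover, payload = sample_cover(), sample_payload()
    stego = embed(cover, payload)
    touched = (len(payload) + 4) * 8
    changed = sum(a != b for a, b in zip(cover, stego))
    return {
        "recovered": extract(stego) == payload,
        "max_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "changed_fraction": changed / touched,
        "capacity_3_megapixel": capacity_bytes(3_000_000),
    }

if __name__ == "__main__":
    print(demo())
```

No number moves by more than one, which is why the picture looks unchanged, and a three million pixel photo has room for 1,124,996 bytes after the header. Sequential replacement like this does shift the statistics of the low-order bits, and that shift is what steganalysis tools test for.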

It is not practical for law enforcement to keep sophisticated criminals, spies, or terrorists from possessing and using strong encryption software. What is possible is to put limits on the encryption software publicly marketed and publicly used–to insist, for example, that if AOL or Microsoft builds encryption into their programs it must contain a back door permitting properly authorized persons–a law enforcement agent with a court order, say–to read the message without the key.

The problem with such an approach is that there is no way of giving law enforcement what it wants without imposing very high costs on the rest of us. To see why, consider the description of adequate regulation given by Louis Freeh, who was at the time the head of the FBI. He said that what he needed was the ability to decrypt any encrypted message in half an hour.[41] The equivalent in realspace would be legal rules that let properly authorized law enforcement agents open any lock in the country in half an hour. That includes not only the lock on your front door but the locks protecting bank vaults, trade secrets,  lawyers' records, lists of contributors to unpopular causes, and much else.

While access would be nominally limited to those properly authorized, it is hard to imagine any system flexible enough to meet Freeh's schedule that was not vulnerable to misuse. If being a police officer gives you access to locks with millions of dollars behind them, in cash, diamonds, or information, some cops will become criminals and some criminals will become cops. Proper authorization presumably means a court order–but not all judges are honest, and half an hour is not long enough for even an honest judge to verify what the officer applying for the court order tells him.[42]

Encryption provides the locks for cyberspace. If nobody has strong encryption, everything in cyberspace is vulnerable to a sufficiently sophisticated private criminal. If people have strong encryption but it comes with a mandatory back door accessible in half an hour to any police officer with a court order, then everything in cyberspace is vulnerable to a private criminal with the right contacts. Those locks have millions, probably billions, of dollars worth of stuff behind them–money in banks, trade secrets in computers.

One could imagine a system for accessing encrypted documents so rigorous that it required written permission from the President, Chief Justice and Attorney General and only got used once every two or three years. Such a system would not seriously handicap online dealings. But it would also be of no real use to law enforcement, since there would be no way of knowing which one communication out of the billions crisscrossing the internet each day they needed to crack.

In order for encryption regulation to be useful, it has to either prevent the routine use of encryption or make it reasonably easy for law enforcement agents to access encrypted messages. Doing either will seriously handicap the ordinary use of the net. Not only will it handicap routine transactions, it will make computer crime easier by restricting the technology best suited to defend against it. And what we get in exchange is protection not against the use of encryption by sophisticated criminals and terrorists–there is no way of providing that–but only against the use of encryption by ordinary people and unsophisticated criminals.

Readers who have followed the logic of the argument may point out that even if we cannot keep sophisticated criminals from using strong encryption, we may be able to prevent ordinary people from using it to deal with sophisticated criminals--and doing so would make my business plan for Murder Incorporated unworkable. While it would be a pity to seriously handicap the development of online commerce, some may think that price worth paying to avoid the undesirable consequences of strong privacy.

To explain why I do not expect that to happen requires a brief economic digression.

Property Rights and Myopia

You are thinking of going into the business of growing trees–hardwoods that mature slowly but produce valuable lumber. It will take forty years from planting to harvest. Should you do it? The obvious response is not unless you are confident of living at least another forty years.

Like many obvious responses, it is wrong. Twenty years from now you will be able to sell the land, covered with twenty year old trees, for a price that reflects what those trees will be worth in another twenty years. Following through the logic, it is straightforward to show that if what you expect the trees to sell for will more than repay your investment, including forty years of compound interest, you should do it.

This assumes a world of secure property rights. Suppose we assume instead that your trees are quite likely, at some point during the next forty years, to be stolen–legally via government confiscation or illegally by someone driving into the forest at night, cutting them down, and carrying them off. In that case you will only be willing to go into the hardwood business if the return from selling the trees is enough larger than the ordinary return on investments to compensate you for the risk.

Generalizing the argument, we can see that long run planning depends on secure property rights.[43] If you are confident that what you own today you will still own tomorrow–unless you choose to sell it–you can afford to give up benefits today in exchange for greater benefits tomorrow, or next year, or next decade. The greater the risk that what you now own will be taken away from you at some point in the future, the greater the incentive to limit yourself to short term projects.

Politicians in a democratic society have insecure property rights over their political assets; Clinton could rent out the White House but he could not sell it. One consequence is that in such a system government policy is dominated by short run considerations–most commonly the effect of current policy on the outcome of the next election. Very few politicians will accept political costs today in exchange for benefits ten or twenty or thirty years in the future, because they know that when the benefits arrive someone else will be in power to enjoy them.

Preventing the development of strong privacy means badly handicapping the current growth of online commerce. It means making it easier for criminals to hack into computers, intercept messages, defraud banks, steal credit cards. It is thus likely to be politically costly, not ten or twenty years from now but in the immediate future.

What do you get in exchange? The benefit of encryption regulation–the only substantial benefit, since it cannot prevent the use of encryption by competent criminals–is preventing the growth of strong privacy. From the standpoint of governments, and of people in a position to control governments, that may be a large benefit, since strong privacy threatens to seriously reduce government power, including the power to collect taxes. But it is a long run threat, one that will not become serious for a decade or two. Defeating it requires the present generation of elected politicians to do things that are politically costly for them–in order to protect the power of whoever will hold their offices ten or twenty years from now.

The politics of encryption regulation so far fits the predictions of this analysis. Support for regulation has come almost entirely from long lived bureaucracies such as the FBI and NSA. So far, at least, they have been unable to get elected politicians to do what they want when doing so involves any serious political cost.[44]

If this argument is right, it is unlikely that serious encryption regulation, sufficient to make things much easier for law enforcement and much harder for the rest of us, will come into existence, at least in the U.S. Hence it is quite likely that we will end up with something along the lines of the world of strong privacy described in this chapter.

In my view that is a good thing. The attraction of a cyberspace protected by encryption is that it is a world where all transactions are voluntary: You cannot get a bullet through a T1 line. It is a world where the technology of defense has finally beaten the technology of offense. In the world we now live in, our rights can be violated by force or fraud; in a cyberspace protected by strong privacy, only by fraud. Fraud is dangerous, but less dangerous than force. When someone offers you a deal too good to be true, you can refuse it. Force makes it possible to offer you deals you cannot refuse.


Truth to Tell

In several places in this chapter I have simplified the mechanics of encryption, describing how something could be done but not how it is done. Thus, for example, public key encryption is usually done not by encrypting the message with the recipient's public key but by encrypting the message with an old fashioned single key encryption scheme, encrypting the single key with the recipient's public key, and sending both encrypted message and encrypted key. The recipient uses his private key to decrypt the encrypted key and uses that to decrypt the message. Although this is a little more complicated than the method I described, in which the message itself is encrypted with the public key, it is also significantly faster.

Similarly, a digital signature is actually calculated by using a one way hash function to create a message digest of the original message and encrypting the digest with your private key, then sending both message and digest. The recipient decrypts the digest, creates a second digest from the message using the same hash function, and compares them to make sure they are identical, as they will be if the message has not been changed and the public and private keys match.

Such complications make describing the mechanics of encryption more difficult and are almost entirely irrelevant to the issues discussed here, so I ignored them.

A second set of complications, also ignored but more important, concerns indirect ways in which cryptographically protected anonymity might be attacked. One example is textual analysis. A perceptive reader or sufficiently sophisticated software might recognize stylistic similarities between the books of David Friedman and the written legal advice of Legal Eagle. The odds that the same person has read work by both identities closely enough to identify them as the same may not be very high--but software designed for textual analysis could create a database linking a very large number of known authors to stylistic identifiers for their writing. A simple one for me would be the overuse of "hence."

Another problem is that most of what I have described depends on your having complete control over your computer--or at least over a smart card containing your private key and enough software to use it to encrypt and decrypt. If someone else can get at your private key by either a physical or virtual intrusion, all bets are off. If someone else can get control of your computer, even without access to your private key, he can use that control to mislead you in a variety of ways--for instance, by falsely reporting that a message has a valid digital signature. As Mark Miller puts it, "people don't sign, computers sign." And encrypt, decrypt, and check signatures. So a crucial element of strong privacy is the ability of individuals to control the computers they use. And, in practice, a secure system is likely to include provisions for publicly canceling private keys that may have fallen into the wrong hands.
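The hash-then-sign procedure and the provision for canceling keys described above, as an added Python sketch that is not part of the original text. The toy RSA key, the `revoked` set and all function names are assumptions made for illustration; the key is built from publicly known primes and offers no real security.

```python
import hashlib

# Toy RSA key from two known Mersenne primes, so only the standard library is
# needed. A modulus like this is trivially factorable: illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
PUBLIC = (N, E)
PRIVATE = (N, pow(E, -1, (P - 1) * (Q - 1)))   # private exponent d

# A second, unrelated public key, used to show what happens when keys do not match.
OTHER_PUBLIC = ((2**607 - 1) * (2**1279 - 1), E)


def digest_int(message: bytes) -> int:
    """One way hash of the message, as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def fingerprint(public) -> str:
    """Short identifier for a public key, used to look it up in a revocation list."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def sign(message: bytes, private) -> int:
    """Create the digest and encrypt it with the private key."""
    n, d = private
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public, revoked=frozenset()) -> str:
    """Decrypt the digest with the public key and compare it with a fresh digest.

    The revocation check comes first: a signature made with a canceled key is
    mathematically valid, so the comparison alone cannot reject it.
    """
    if fingerprint(public) in revoked:
        return "revoked key"
    n, e = public
    recovered = pow(signature, e, n)
    return "valid" if recovered == digest_int(message) else "digest mismatch"


def demo():
    """Constructed sample message run through the four cases."""
    msg = b"I agree to pay Legal Eagle 100 dollars"
    sig = sign(msg, PRIVATE)
    return [
        verify(msg, sig, PUBLIC),                              # untouched message
        verify(msg.replace(b"100", b"900"), sig, PUBLIC),      # message changed
        verify(msg, sig, OTHER_PUBLIC),                        # keys do not match
        verify(msg, sig, PUBLIC, revoked={fingerprint(PUBLIC)}),  # key canceled
    ]


if __name__ == "__main__":
    print(demo())
```

All of this arithmetic runs on the verifier's own machine, so the answer is only as trustworthy as the computer reporting it.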


[Note: Both of these could be virtual footnotes instead]

Appendix I:

Public Key Encryption: A Very Elementary Example

 

Imagine a world in which people know how to multiply numbers but not how to divide them. Further imagine that there exists some mathematical procedure capable of generating pairs of numbers that are inverses of each other: X and 1/X. Finally, assume that the messages we wish to encrypt are simply numbers.

I generate a pair X, 1/X. To encrypt the number M using the key X, I multiply X times M. We might write

[M,X]=MX,

meaning “Message M encrypted using the key X is M times X.”

Suppose someone has the encrypted message MX and the key X. Since he does not know how to divide, he cannot decrypt the message and find out what the number M is. If, however, he has the other key, 1/X, he can multiply it times the encrypted message to get back the original M:

(1/X)MX=(X/X)M=M

Alternatively, one could encrypt a message by multiplying it by the other key, 1/X, giving us

[M,1/X]=M/X.

Someone who knows 1/X but does not know X has no way of decrypting the message and finding out what M is. But someone with X can multiply it times the encrypted message and get back M:

X(M/X)=M

So in this world, multiplication provides a primitive form of public key encryption: a message encrypted by multiplying it with one key can only be decrypted with the other.

Public key encryption in the real world depends on mathematical operations which, like multiplication and division in my example, are very much easier to do in one direction than the other. The RSA algorithm, for example, at present the most widely used form of public key encryption, depends on the fact that it is easy to generate a large number by multiplying together several large primes but much harder to start with a large number and factor it to find the primes that can be multiplied together to give that number. The keys in such a system are not literally inverses of each other, like X and 1/X, but they are functional inverses, since either one can undo (decrypt) what the other does (encrypts).

Appendix II: Chaining Anonymous Remailers

M is my actual message; [M,K] means "message M encrypted using key K." Kr is the public key of the intended recipient of my message, Er is his email address. I am using a total of three remailers; their public keys are K1, K2, K3 and their email addresses are E1, E2, E3. What I send to the first remailer is:

[([([([M,Kr]+Er),K3] +E3),K2] +E2),K1]         

The first remailer uses his private key to strip off the top layer of encryption, leaving him with:

 [([([M,Kr]+Er),K3] +E3),K2] +E2

He can now read E2, the email address of the second remailer, so he sends the rest of the message to that address. The second remailer receives

[([([M,Kr]+Er),K3] +E3),K2]

 and uses his private key to strip off a layer of encryption, leaving him with:

 [([M,Kr]+Er),K3] +E3

He then sends to the third remailer

[([M,Kr]+Er),K3]

The third remailer strips the third layer of encryption off, giving him

 [M,Kr]+Er

and sends [M,Kr] to the intended recipient at Er–who then uses his private key to strip off the last level of encryption, giving him M, the original message.
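The three-remailer chain above, written out as an added Python example (not from the original text), with each [M,K] done the way the previous chapter's closing notes say it is done in practice: a single key encrypts the message and the public key encrypts only that single key. The toy RSA keys, the SHA-256 keystream cipher, the function names and the use of E1, E2, E3, Er as literal address strings are assumptions for illustration, not secure constructions.

```python
import hashlib
import secrets

E = 65537
WRAP_LEN = 32   # bytes reserved for the encrypted single key (moduli here are < 2**256)


def make_keypair(p, q):
    """Toy RSA keypair from two known primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def stream_xor(key, data):
    """Toy single key cipher: XOR with a SHA-256 counter keystream (its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def encrypt(message, public):
    """[M,K]: a fresh single key encrypts M; the public key encrypts that key."""
    n, e = public
    session = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session, "big"), e, n)
    return wrapped.to_bytes(WRAP_LEN, "big") + stream_xor(session, message)


def decrypt(blob, private):
    """Recover the single key with the private key, then decrypt the message."""
    n, d = private
    k = pow(int.from_bytes(blob[:WRAP_LEN], "big"), d, n)
    session = k.to_bytes(WRAP_LEN, "big")[-16:]
    return stream_xor(session, blob[WRAP_LEN:])


def build_onion(message, recipient, route):
    """recipient is (Er, Kr); route is [(E1, K1), (E2, K2), (E3, K3)] in sending order.

    Builds [([([([M,Kr]+Er),K3]+E3),K2]+E2),K1] from the inside out and
    returns (address of the first remailer, blob to send there).
    """
    next_addr, blob = recipient[0], encrypt(message, recipient[1])
    for addr, public in reversed(route):
        a = next_addr.encode()
        blob = encrypt(len(a).to_bytes(2, "big") + a + blob, public)
        next_addr = addr
    return next_addr, blob


def peel(blob, private):
    """One remailer's job: strip its layer, read the next address, forward the rest."""
    plain = decrypt(blob, private)
    alen = int.from_bytes(plain[:2], "big")
    return plain[2:2 + alen].decode(), plain[2 + alen:]


def deliver(first, blob, remailer_keys, recipient_private):
    """Simulate the chain; returns (message, [(remailer, next address, forwarded blob)])."""
    seen, addr = [], first
    while addr in remailer_keys:
        nxt, blob = peel(blob, remailer_keys[addr])
        seen.append((addr, nxt, blob))
        addr = nxt
    return decrypt(blob, recipient_private), seen


def demo():
    # Known Mersenne primes keep this standard-library only; such keys are
    # trivially factorable and would never be used for real traffic.
    m61, m89, m107, m127 = (2**k - 1 for k in (61, 89, 107, 127))
    k1, k2, k3, kr = (make_keypair(p, q) for p, q in
                      [(m61, m89), (m89, m107), (m107, m127), (m61, m127)])
    route = [("E1", k1[0]), ("E2", k2[0]), ("E3", k3[0])]
    first, onion = build_onion(b"M: constructed sample message", ("Er", kr[0]), route)
    return deliver(first, onion, {"E1": k1[1], "E2": k2[1], "E3": k3[1]}, kr[1])


if __name__ == "__main__":
    message, seen = demo()
    print(message, [(a, n) for a, n, _ in seen])
```

Each remailer learns only the address it must forward to; the original message never appears in anything an intermediate hop handles.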

 


Chapter IV: Information Processing: Threat or Menace?

Or

If Information is Property, Who Owns it?

 

Some years ago I decided to set up my own web site. One question was how much of my life to include. Did I want someone looking at my academic work–perhaps a potential employer–to discover that I had put a good deal of time and energy into researching medieval recipes, a subject unrelated to either law or economics, thus (arguably) proving that I was a dilettante rather than a serious scholar? Did I want that same potential employer to discover that I held unfashionable political opinions, ranging from support for drug legalization to support for open immigration? And did I want someone who might be outraged at my political views to be able to find out what I and my family members looked like and where we lived?

I concluded that keeping my life in separate compartments was not a practical option. I could have set up separate sites for each part, with no links between them–but anyone with a little enterprise could have found them all with a search engine. And even without a web site, anyone who wanted to know about me could find vast amounts of information by a quick search of Usenet, where I have been an active poster for more than ten years. Keeping my virtual mouth shut was not a price I was willing to pay, and nothing much short of that would do the job.

This is not a new problem. Before the internet existed, I still had to decide to what degree I wanted to live in multiple worlds–whether, for example, I should discuss my hobbies or my political views with professional colleagues. What has changed is the scale of the problem. In a large world where personal information was spread mostly by gossip and processed almost entirely by individual human brains, facts about me were to a considerable extent under my control–not because they were secret but because nobody had the time and energy to discover everything knowable about everyone else. Unless I was a major celebrity, I was the only one specializing in me.

That was not true everywhere. In the good old days–say most of the past three thousand years–one reason to run away to the big city was to get a little privacy. In the villages in which most of the world lived, anyone's business was everyone's business. In Sumer or Rome or London the walls were no more opaque and you were no less visible than at home, but there was so much going on, so many people, that nobody could keep track of it all.

That form of privacy–privacy through obscurity–cannot survive modern data processing. Nobody can keep track of it all but many of us have machines that can. The data of an individual life is not notably more complicated than it was two thousand years ago. It is true that the number of lives has increased thirty or forty fold in the last two thousand years,[45] but our ability to handle data has increased a great deal more than that. Not only can we keep track of the personal data for a single city, we could, to at least a limited degree, keep track of the data for the whole world, assuming we had it and wanted to.

The implications of these technologies have become increasingly visible over the past ten or fifteen years. Many are highly desirable. The ability to gather and process vast amounts of information permits human activities that would once have been impossible; to a considerable extent it abolishes the constraints of geography on human interaction. Consider two examples.

Thirty some years ago, I spent several summers as a counselor at a camp for gifted children. Many of the children, and some of my fellow counselors, became my friends–only to vanish at the end of the summer. From time to time I wondered what had become of them.

I can now stop wondering, at least about some. A year or two ago, someone who had been at the camp organized an email list for ex-campers and counselors; membership is currently approaching two hundred. That list exists because of technologies that make possible not only easy communication with people spread all over the country but also finding them in the first place–searching a very large haystack for a few hundred needles. Glancing down a page of Yahoo-Groups, I find nearly a thousand such lists, each for a different camp; the largest has more than three hundred members.

For a second example, consider a Usenet Newsgroup that I stumbled across many years ago, dedicated to a technologically ingenious but now long obsolete video game machine of which I once owned two–one for my son and one for me. Reading the posts, I discovered that someone in the group had located Smith Technologies, the firm that held the copyright on the Vectrex and its games, and written to ask permission to make copies of game cartridges. The response, pretty clearly from the person who designed the machine, was an enthusiastic yes. He was obviously delighted to discover that there were people still playing with his toy, his dream, his baby. Not only were they welcome to copy cartridges, if anyone wanted to write new games he would be happy to provide the necessary software. It was a striking, to me heartwarming, example of the ability of modern communications technology to bring together people with shared enthusiasms.

"Vectrex had cheats back when they were still known as bugs"

(from an FAQ by Gregg Woodcock)

 

The Market for Information

My examples so far are small and non-commercial–people learning other people's secrets or getting together with old friends or strangers with shared interests. While such applications of informational technology are an increasingly important feature of the world we live in, they are not nearly as prominent or politically contentious as large scale commercial uses of personal information. A first step in understanding such activities is to think about why some people would want to collect and use individual information about large numbers of strangers. Consider two examples.

You are planning to open a new grocery store in an existing chain–a multi-million dollar gamble. Knowledge about the people who live in the neighborhood–how likely they are to shop at your store and how much they will buy–is crucial. How do you get it?

The first step is to find out what sort of people shop in your present stores and what they buy. To do that you offer customers a shopping card. The card is used to get discounts, so shoppers pass the card through a reader almost every time they go through the checkout, providing you lots of detailed information about their shopping patterns. One way you use that information is to improve the layout of existing stores; if people who buy spaghetti almost always buy spaghetti sauce at the same time, putting them in the same aisle will make your store more convenient, hence more attractive, hence more profitable.

Another way is to help you decide where to locate your new store. If you discover that old people on average do not buy very much of what you are selling, perhaps a retirement community is the wrong place. If couples with young children do all their shopping on the weekend when one parent can stay home with the kids while the other shops, singles shop after work on weekdays (weekends are for parties), and retired people during the working day (shorter lines), then a location with a suitable mix of all three types will give you a more even flow of customers, higher utilization of the store, and greater profits. Combining information about your customers with information about the demography of alternative locations, provided free by the U.S. census or at a higher price by private firms, you can substantially improve the odds on your gamble.

For a higher tech application of information technology, consider advertising. When I read a magazine, I see the same ads as everyone else–mostly for things I have no interest in. But a web page can send a different response to every query, customizing the ads I see to fit my interests. No TV ads, since I do not own a television, lots of ads for high tech gadgets.

In order to show me the right ads, the people managing the page need to know what I am interested in. Striking evidence that such information is already out there and being used appears in my mailbox on a regular basis–a flood of catalogs.

How did the companies sending out those catalogs identify me as a potential customer? If they could see me, it would be easy. Not only am I wearing a technophile ID bracelet (Casio calls it a databank watch), I am wearing the model that, in addition to providing a calculator, database, and appointment calendar, also checks in three times a day with the U.S. atomic clock to make sure it has exactly the right time. Sharper Image, Techno-Scout, Innovations et al. cannot see what is on my wrist–although if the next chapter's transparent society comes to pass that may change. They can, however, talk to each other. When I bought my Casio Wave Captor Databank 150 (the name would have been longer but they ran out of room on the watch), that purchase provided the proprietors of the catalog I bought it from with a snippet of information about me. They no doubt resold that information to anyone willing to pay for it. Sellers of gadgets respond to the purchase of a Casio Wave Captor the way sharks respond to blood in the water.

As our technology gets better, it becomes possible to create and use such information at lower cost and in much more detail. A web page can keep track not only of what you buy but of what you look at and for how long. Combining information from many sources, it becomes both possible and potentially profitable to create databases with detailed information on the behavior of a very large number of individuals, certainly including me, probably including you.

The advantages of that technology to individual customers are fairly obvious. If I am going to look at ads, I would prefer that they be ads for things I might want to buy. If I am going to have my dinner interrupted by a telephone call from a stranger, I would prefer it be someone offering to prune my aging apricot tree–last year's crop was a great disappointment–rather than someone offering to refinance my nonexistent mortgage.

As these examples suggest, there are advantages to individuals to having their personal information publicly available and easy to find. What are the disadvantages? Why are many people upset about the loss of privacy and the misuse of "their" private information? Why did Lotus, after announcing its plan to offer masses of such data on a CD, have to cancel it in response to massive public criticism?[46] Why is the question of what information web sites are permitted to gather about their customers, what they may do with it,  and what they must tell their customers about what they are doing with it, a live political and legal issue?

One gut level answer is that many people feel strongly that information about them is theirs. They should be able to decide who gets it;  if it is going to be sold, they should get the money.

The economist's response is that they already do get the money. The fact that selling me a gadget provides the seller with a snippet of information that he can then resell makes the transaction a little more profitable for the seller, attracts additional sellers, and ultimately drives down the price I must pay for the gadget. The effect is tiny–but so is the price I could get for the information if I somehow arranged to sell it myself. It is only the aggregation of large amounts of such information that is valuable enough to be worth the trouble of buying and selling it.

A different response, motivated by moral intuition rather than economics, is that the argument confuses information about me–located in someone else's mind or database–with information that belongs to me. How can I have a property right over the contents of your mind? If I am stingy or dishonest, do I have an inherent right to forbid those I treat badly from passing on the information? If not, why should I have a right to forbid them from passing on other information about me?

There is, however, a vaguer but more important reason why people are upset at the idea of a world where anyone willing to pay can learn almost everything about them. Many people value their privacy not because they want to be able to sell information about themselves but because they do not want other people to have it. While it is hard to come up with a clear explanation of why we feel that way–a subject discussed at greater length in the final chapter of this section–it is clear that we do. At some level, control over information about ourselves is seen as a form of self protection. The less other people can find out about me, the less likely it is that they will use information about me either to injure me or to identify me as someone they wish to injure–which brings us back to some of the issues I considered when setting up my web page.

Towards Information as Property

Concerns with privacy apply to at least two sorts of personal information. One is information generated by voluntary transactions with some other party–what products I have bought and sold, what catalogs and magazines I subscribe to, what web pages I browse.  Such information starts in the possession of both parties to the transaction–I know what I bought from you, you know what you sold to me. The other kind is information generated by actions I take that are publicly visible–court records, newspaper stories, gossip.

Ownership of the first sort of information can, at least in principle, be determined by contract. A magazine can, and some do, promise its subscribers that their names will not be sold. Software firms routinely offer people registering their programs the option of having their names made or not made available to other firms selling similar products. Web pages can, and many do, provide explicit privacy policies limiting what they will do with the information generated in the process of browsing their sites.

To understand the economics of the process, think of information as a produced good; like other such goods, who owns how much of it is determined by agreement among the parties who produce it. When I subscribe to a magazine, I and the publisher are jointly producing a piece of information about my tastes–the information that I like that kind of magazine. That information is of value to the magazine, which may want to resell it. It is of value to me, either because I might want to resell it or because I might want to keep it off the market in order to protect my privacy. The publisher can, by selling subscriptions at a lower price without a privacy guarantee than with, offer to pay me for control over the information. If the information is worth more to me than he is offering, I refuse; if it is worth less, I accept. Control over the information ends up with whoever most values it. If no mutually acceptable terms can be found, I do not subscribe and that bit of information does not get produced.

This seems to imply that default rules about privacy, rules specifying who starts out owning the information, should not matter. A magazine subscription has one price with a privacy guarantee, another and slightly lower price without it. If the law assumes that magazines have the right to resell names unless they agree not to, then the ordinary subscription price is the price without privacy, the higher price with a guarantee the price with. If it assumes subscribers have the right not to have their names sold unless they agree to waive it, then the ordinary subscription price is the price with privacy, the lower price charged customers willing to sign a waiver the price without. Either way, control of the information goes to whichever party values it more and the price of that control is included in the cost of the subscription.

That would be a correct conclusion in a world where arranging contracts was costless–a world of zero transaction costs. In the world we now live in, it is not. Most of us, unless we care a great deal about our privacy, do not bother to read privacy policies. Even if I prefer that catalogs and mailing lists not resell information about me, it is too much trouble to check the small print on everything I might subscribe to. It would be still more trouble if every firm I dealt with offered two prices, one with and one without a guarantee of privacy, and more still if the firm offered a menu of levels of protection, each with its associated price.

The result is that most magazines and websites, at least in my experience, offer only a single set of terms; if they allow the subscriber some choice, it is not linked to price, probably because the amounts involved are too small to be worth bargaining over. Hence default rules matter and we get political and legal conflicts over the question of who, absent any explicit contractual agreement, has what control over the personal information generated by transactions.

That may change. What may change it is technology–the technology of intelligent agents. It is possible in principle, and is becoming possible in practice, to program your web browser with information about your privacy preferences. Using that information, the browser can decide what different levels of privacy protection are or are not worth to you and select pages and terms accordingly. Browsers work cheap.

For this to happen we need a language of privacy–a way in which a web page can specify what it does or does not do with information generated by your interactions with it in a form your browser can understand. Once such a language exists and is in widespread use, the transaction costs of bargaining over privacy drop sharply. You tell your browser what you want and what it is worth to you, your browser interacts with a program on the web server hosting the page and configured by the page's owner. Between them they agree on mutually satisfactory terms–or they fail to do so, and you never see the page.

This is not a purely hypothetical idea. Its current incarnation is The Platform for Privacy Preferences, P3P,[47] supported by both of the leading web browsers (Microsoft's Internet Explorer and Netscape's Navigator). Web pages provide information about their privacy policies, users provide information about what they are willing to accept, and the browser notifies the user if a site's policies are inconsistent with his requirements. Presumably a web site that misrepresented its policies could be held liable for doing so, although, so far as I know, no such case has yet reached the courts.

How Not to Protect Privacy

Safe to tell a secret to one,

Risky to two,

To tell it to three is  folly,

Everyone else will know.

(Havamol, c. ninth century)

 

Suppose we solve the transaction cost problems, permitting a true market in personal information. There remains a second problem–enforcing the rights you have contracted for. You can check the contents of your safe deposit box to be sure they are still there, but it does no good to check the contents of a firm's database to make sure your  information is still there. They can sell your information and still have it.

The problem of enforcing rights with regard to information is not limited to a future world of automated contracting–it exists today. As I like to put it when discussing current privacy law, there are only two ways of controlling information about you and one of them doesn't work.

The way that doesn't work is to let other people have information about you and then make rules about how they use it. That is the approach embodied in modern privacy law. If you disagree with my evaluation, I suggest a simple experiment. Start with five thousand dollars, the name of a random neighbor, and the Yellow Pages for "Investigators." The objective is to end up with a credit report on your neighbor–something that, under the Federal Fair Credit Reporting Act, you are not allowed to have. If you are a competent con man or internet guru, you can probably dispense with the money and the phone book.

That approach to protecting privacy works poorly when enforcing terms imposed by federal law. It should work somewhat better for enforcing terms agreed to in the marketplace, since in that case it is supported by reputational as well as legal sanctions–firms do not want the reputation of cheating their customers. But I would still not expect it to work terribly well. Once information is out there, it is very hard to keep track of who has it and what he has done with it. It is particularly hard when there are many uses of the information that you do not want to prevent–a central problem with the Fair Credit Reporting Act. Setting up rules that permit only people with a legitimate reason to look at your credit report is hard; enforcing them is harder.

The other way of protecting information, the way that does work, is not to let the information out in the first place. That is how the strong privacy of the previous chapter was protected. You do not have to trust your ISP or the operator of an anonymous remailer not to tell your secrets; you haven't given them any secrets to tell.

There are problems with applying that approach to transactional information. When you subscribe to a magazine, the publisher knows who you are, or at least where you live–it needs that information to get the magazine to you. When you buy something from me, I know that I have sold it to you. The information starts in the possession of both of us–short of controlled amnesia, how can it end in the possession of only one?

In our present world, that is a nearly insuperable problem. But in a world of strong privacy, you do not have to know who you are selling to. If, at some point in the future, privacy is sufficiently important to people, online transactions can be structured to make each party anonymous to the other, with delivery either online via a remailer (for information transactions) or the less convenient realspace equivalent of a physical forwarding system. In such a world, we are back with one of the oldest legal rules of all–possession. If I have not revealed the information to you, you do not have it, so I need not worry about what you are going to do with it.

Returning to something more like our present world, one can imagine institutions that would permit a considerably larger degree of individual control over the uses of personal information than now exists, modeled on arrangements now used to maintain firms' control over their valuable mailing lists. Individuals subscribing to a magazine would send the seller not their name and address but the name of the information intermediary they employed and the number by which that intermediary identified them. The magazine's publisher would ship the intermediary four thousand copies and the numbers identifying four thousand (anonymous) subscribers, the intermediary would put on the address labels and mail them out. The information would never leave the hands of the intermediary, a firm in the business of protecting privacy. To check its honesty, I establish an identity with my own address and the name "David Freidmann," subscribe to a magazine using that identity, and see if David Freidmann gets any junk mail.

Such institutions would be possible and, if widely used, not terribly expensive.[48] My guess is that it will not happen. The reason is that most people either do not want to keep the relevant information secret (I don't, for example; I like gadget catalogs) or do not want to enough to go to any significant trouble. But it is still worth thinking about how they could get privacy if they wanted to, and those thoughts may become of more practical relevance if technological progress sharply reduces the cost.

Two Roads to Property in Personal Information

These discussions suggest two different ways in which the technologies that help to create the problem could be used to solve it. Both are ways of making it possible for an individual to treat information about himself as his property. One is to use computer technologies, including encryption, to give me or my trusted agents direct control over the information, permitting others to use it only with my permission--for instance, to send me information about goods they think I might want to buy--without ever getting possession of it.

The other is to treat information as we now treat real estate--to permit individuals to put restrictions on the use of property they own which are binding on subsequent purchasers. If, for example, I sell you an easement permitting you to cross my land in order to reach yours and later sell the land, the easement is good against the buyer. Even if he did not know it existed, he now has no right to refuse to let you through.

That is not true for most other forms of property.[49] If I sell you a car with the restriction that you agree not to permit it to be driven on Sunday, I may be able to enforce the restriction against you; I may be able to sue you for damages if, contrary to our contract, you sell it to someone else without requiring him to abide by the agreement. But I have no way of enforcing the restriction on him.

One plausible explanation of the difference is that land ownership involves an elaborate system for recording title, including modifications such as easements, making it possible for the prospective purchaser to determine in advance what obligations run with the land he is considering. We have no such system for recording ownership, still less for recording complicated forms of ownership, for most other sorts of property.

At first glance, personal information seems even less suitable for the more elaborate form of property rights than pens, chairs, or computers. In most likely uses, the purchaser is buying information about a very large number of people. If my particular bit of information is only worth three cents to him, a legal regime that requires him to spend a dollar checking the restrictions on it before he uses it means that the information will never be used.

A possible solution is to take advantage of the same data processing technologies that make it possible to aggregate and use information on that scale to maintain the record of complicated property rights in it. One could imagine a legal regime where every piece of personal information had to be accompanied by a unique identification number; using that number, a computer could access information about the restrictions on use of that information in machine readable form at negligible cost. Again, it does not seem likely in the near future, but might become a real possibility further down the road.

 

 


Chapter V: Surveillance Tech: The Universal Panopticon

 

"The trend began in Britain a decade ago, in the city of King's Lynn, where sixty remote controlled video cameras were installed to scan known "trouble spots," reporting directly to police headquarters. The resulting reduction in street crime exceeded all predictions; in or near zones covered by surveillance, it dropped to one seventieth of the former amount. The savings in patrol costs alone paid for the equipment in a few months. Dozens of cities and towns soon followed the example of King's Lynn. Glasgow, Scotland reported a 68% drop in citywide crime, while police in Newcastle fingered over 1500 perpetrators with taped evidence. (All but seven pleaded guilty, and those seven were later convicted.) In May 1997, a thousand Newcastle soccer fans rampaged through downtown streets. Detectives studying the video reels picked out 152 faces and published eighty photos in local newspapers. In days, all were identified."

David Brin, The Transparent Society, Chapter 1 p. 5.

 

In the early 19th Century Jeremy Bentham, one of the oddest and most original of English thinkers, designed a prison where every prisoner could be watched at all times. He called it the Panopticon. Elements of his design were later implemented in real prisons in the hope of better controlling and reforming prisoners. If Brin is correct, it is now in the process of being implemented on a somewhat larger scale.

The case of video surveillance in Britain suggests one reason–it provides an effective and inexpensive way of fighting crime. In the U.S., cameras have long been used in department stores to discourage shoplifting. More recently they have begun to be used to apprehend drivers who run red lights. While there have been challenges on privacy grounds, it seems likely that the practice will spread.[50]

Crime prevention is not the only benefit of surveillance. Consider the problem of controlling auto emissions. The current approach imposes a fixed maximum on all cars, requires all to be inspected, including new cars which are almost certain to pass, and provides no incentive for lowering emissions below the required level. It makes almost no attempt to selectively deter emissions at places and times when they are particularly damaging.[51]

One could build a much superior system using modern technology. Set up unmanned detectors that measure emissions by shining a beam of light through the exhaust plume of a passing automobile; identify the automobile by a snapshot of the license plate. Bill the owner by amount of emissions and, in a more sophisticated system, when and where they were emitted.[52]

None of these useful applications of technology poses, at first glance, a serious threat to privacy. Few would consider it objectionable to have a police officer wandering around a park or standing on a street corner, keeping an eye out for purse snatchers and the like. Video cameras on poles are merely a more convenient way of doing the same thing–comfortably and out of the wet. Cameras at red lights, or photometric monitoring of a car's exhaust plume, are cheaper and more effective substitutes for traffic cops and emission inspections. What's the problem?

The problem comes when we combine this technology with others. A cop on the street corner may see you, he may even remember you, but he has no way of combining everything he sees with everything that every other cop sees and so reconstructing your daily life. A video camera produces a permanent record. It is now possible to program a computer to identify a person from a picture of his face.[53] That means that the video tapes produced by surveillance cameras will be convertible into a record of where particular people were when. Add in the ability of modern data processing to keep track of enormous amounts of information and we have the possibility of a world where a large fraction of your doings are an open book to anyone with access to the appropriate records.

So far I have been discussing the legal use of surveillance technology, mostly by governments–already happening on a substantial scale and likely to increase in the near future. A related issue is the use of surveillance technology, legally or illegally, by private parties. Lots of people own video cameras and those cameras are getting steadily smaller. One can imagine, a decade or two down the road, an inexpensive video camera with the size and aerodynamic characteristics of a mosquito. The owner of a few dozen of them could collect a lot of information about his neighbors–or anyone else.

Of course technological development, in this area as in others, is likely to improve defense as well as offense. Possible defenses against such spying range from jamming transmissions to automated dragon flies programmed to hunt down and destroy video mosquitoes. Such technologies might make it possible, even in a world where all public activities were readily observable, to maintain a zone of privacy within one's own house.

Then again, they might not. We have already had court cases over whether it is or is not a search to deduce marijuana growing inside a house by using an infrared detector to measure its temperature from the outside.[54] We already have technologies that make it possible to listen to a conversation by bouncing a laser beam off a window and reconstructing from the measured vibrations of the glass the sounds that cause them. Even if it is not possible to spy on private life directly, further developments along these lines may make it possible to achieve the same objective indirectly.

Assume, for the moment, that the offense wins out over the defense–that preventing other people from spying on you becomes impractical. What options remain?

Brin argues that privacy will no longer be one of them. More interestingly, he argues that that may be a good thing. He proposes as an alternative to privacy universal lack of privacy–the transparent society. The police can watch you–but someone is watching them. The entire system of video cameras, including cameras in every police station, is publicly accessible. Click on the proper web page–read, presumably, from a hand held wireless device–and you can see anything that is happening in any public place. Parents can keep an eye on their children, children on their parents, spouses on each other, employers on employees and vice versa, reporters on cops and politicians.

The Up Side of Transparency

Many years ago I was a witness to a shooting; one result was the opportunity for a certain amount of casual conversation with police officers. One of them advised me that, if I ever happened to shoot a burglar, there were two things I should make sure of–that he ended up dead and that the body ended up inside my house. 

The advice was well meant and perhaps sensible–under U.S. law a homeowner is in a much stronger legal position killing an intruder inside his house than outside, and a dead man cannot give his side of the story. But it was also, at least implicitly, advice to commit a felony. That incident, and a less friendly one in another jurisdiction where I was briefly under arrest for disturbing the peace (my actual offense was aiding and abetting someone else in asking a policeman for his badge number), convinced me that at least some law enforcers, even ones who are honestly trying to prevent crime, have an elastic view of the application of the law to themselves and their friends. The problem is old enough to be the subject of a Latin tag–Quis custodiet ipsos custodes. Who shall guard the guardians?

The transparent society offers a possible solution. Consider the Rodney King case. A group of policemen captured a suspect and beat him up–a perfectly ordinary sequence of events in many parts of the world, including some parts of the U.S. Unfortunately for the police, a witness got the whole thing on video tape–with the result that several of the officers ended up in prison. In Brin's world, every law enforcement agent knows that he may be on candid camera–and conducts himself accordingly.

It is an intriguing vision and it might actually happen. But there are problems.

Selective Transparency

The first is getting there. If transparency comes, as it is coming in England, in the form of cameras on poles installed and operated by the government, Brin's version does not seem likely. All of the information will be flowing through machinery controlled by some level of government. Whoever is in charge can plausibly argue that although much of that information can and should be made publicly accessible, there ought to be limits. And even if they do not argue for limits, they can still impose them. If police are setting up cameras in police stations, they can arrange for a few areas to be accidentally left uncovered. If the FBI is in charge of a national network it can, and on all past evidence will, make sure that some of the information generated is accessible only to those who can be trusted not to misuse it–most of whom are working for the FBI.

The situation gets more interesting in a world where technological progress enables private surveillance on a wide scale, so that every location where interesting things might happen, including every police station, has flies on the wall watching what happens and reporting back to their owners. A private individual, even a large corporation, is unlikely to attempt the sort of universal surveillance that Brin imagines for his public system, so each individual will be getting information about only a small part of the world. But if that information is valuable to others, it can be shared. Governments might try to restrict such sharing. But in a world of strong privacy that will be hard to do, since in such a world information transactions will be invisible to outside parties. Combining ideas from several chapters of this section, one can imagine a future where Brin's transparent society is produced not by government but by private surveillance.

A universal spy network is likely to be an expensive proposition, especially if you include the cost of information processing–facial recognition of every image produced and analysis of the resulting data. No single individual, probably no single corporation, will find it in its interest to bear that cost to produce information for its own use, although a government might. The information will be produced privately only if there is some way in which it can be resold, giving the producer not only the value of his use of the information but the value of everyone's use of the information. So a key requirement for a privately generated transparent society is a well organized market for information.

The Down Side of Transparency

Following Brin, I have presented the transparent society as a step into the future, enabled by video cameras and computers. One might instead view it as a step into the past. The privacy that most of us take for granted is to a considerable degree a novelty, a product of rising incomes in recent centuries. In a world where many people shared a single residence, where a bed at the inn was likely to be shared by two or three strangers, transparency did not require video cameras.

For a more extreme example, consider a primitive society–say Samoa. Multiple families share a single house–without walls. While there is no internet to spread information, the community is small enough to make gossip an adequate substitute. Infants are trained early on not to make noise. Adults rarely express hostility.[55] Most of the time, someone may be watching–so you alter your behavior accordingly. If you do not want your neighbors to know what you are thinking or feeling, you avoid clearly expressing yourself in words or facial expression. You have adapted your life to a transparent society.

Ultimately this comes down to two strategies, both familiar to most of us in other contexts. One is not to let anyone know your secrets–to live as an island. The other is to communicate in code–words or expressions that your intimates will correctly interpret and others will not. For a milder version of the same approach, consider parents who talk to each other in a foreign language when they do not want their children to understand what they are saying–or a 19th century translation of a Chinese novel I once came across, with the pornographic passages translated into Latin instead of English.[56]

In Brin's future transparent society, many of us will become less willing to express our opinions of boss, employees, ex-wife or present husband in any public place. People will become less expressive and more self contained, conversation bland or cryptic. If some spaces are still private, more of social life will shift to them. If every place is public, we have stepped back at least several centuries, arguably several millennia.

Say It Ain't So

So far I have ignored one interesting problem with Brin's world–verification. Consider the following courtroom drama:

My wife is suing me for divorce on grounds of adultery. In support of her claim, she presents video tapes, taken by hidden cameras, that show me making love to three different women, none of them her.

My attorney asks for a postponement to investigate the new evidence. When the court reconvenes, he submits his own videotape. The jury observes my wife making love, consecutively, to Humphrey Bogart, Napoleon, her attorney and the judge. When quiet is restored in the courtroom, my attorney presents the judge with the address of the video effects firm that produced the tape.

With modern technology I do not, or at least soon will not, need your cooperation to make a film of you doing things; a reasonable selection of photographs will suffice. As Hollywood demonstrated with Roger Rabbit, it is possible to combine real and cartoon characters in what looks like a single filmstrip. In the near future the equivalent, using convincing animations of real people, will be something that a competent amateur can produce on his desktop. We may finally get to see John F. Kennedy making love to Marilyn Monroe–whether or not it ever happened.

In that world, the distinction between what I know and what I can prove becomes critical. Our world may be filled with video mosquitoes, each reporting to its owner and each owner pouring the information into a common pool, but some of them might be lying. When I pull information out of the pool I have no way of knowing whether to believe it.

There are possible technological fixes–ways of using encryption technology to build a camera that digitally signs its output, demonstrating that that sequence was taken by that camera at a particular time. But it is hard to design a system that cannot be subverted by the camera's owner. Even if we can prove that a particular camera recorded a tape of me making love to six women, how do we know whether it did so while pointed at me or at a video screen displaying the work of an animation studio? The potential for forgery significantly weakens the ability of surveillance technology to produce verifiable information.

For many purposes, unverifiable information will do–if my wife wants to know about my infidelity but does not need to prove it. As long as the government running a surveillance system can trust its own people it can use that system to detect crimes or politically unpopular expressions of opinion. And video evidence will still be usable in trials, provided that it is accompanied by a sufficient evidence trail to prove where and when it was taken–and that it has not been improved since.
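The signing camera described above, and the evidence trail showing that a tape has not been altered since, can be sketched as follows. This is an added illustration, not part of the original text: the `Camera` class, the frame bytes and the camera IDs are constructed for the example, a hash-based Lamport one-time signature stands in for whatever scheme a real camera would use, and timestamps are assumed to come from the camera's own clock.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in sha256(message) for i in range(8)]

# Lamport one-time signature: hash-based, needs only the standard library.
def lamport_keygen():
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in secret]
    return secret, public

def lamport_sign(secret, message: bytes):
    # Reveal one secret of each pair, selected by the message digest bits.
    return [secret[i][bit] for i, bit in enumerate(digest_bits(message))]

def lamport_verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    bits = digest_bits(message)
    return all(sha256(signature[i]) == public[i][bits[i]] for i in range(256))

def chain_head(camera_id: str, entries):
    """Hash chain over (timestamp, frame) pairs; any edit changes the head."""
    head = sha256(camera_id.encode())
    for timestamp, pixels in entries:
        head = sha256(head + timestamp.to_bytes(8, "big") + sha256(pixels))
    return head

class Camera:
    """Hypothetical camera holding a one-time signing key (one key per recording)."""

    def __init__(self, camera_id: str):
        self.camera_id = camera_id
        self._secret, self.public_key = lamport_keygen()

    def record(self, frames, start_time: int):
        if self._secret is None:
            raise RuntimeError("one-time key already used")
        # Assumption: timestamps come from the camera's own clock, which a
        # verifier has to trust separately from the signature.
        entries = [(start_time + n, pixels) for n, pixels in enumerate(frames)]
        signature = lamport_sign(self._secret, chain_head(self.camera_id, entries))
        self._secret = None  # a Lamport key must never sign twice
        return {"camera_id": self.camera_id, "entries": entries, "signature": signature}

def verify_recording(recording, public_key) -> bool:
    """True if the frames, their order and their timestamps are what was signed."""
    entries = recording["entries"]
    times = [t for t, _ in entries]
    if any(later <= earlier for earlier, later in zip(times, times[1:])):
        return False
    head = chain_head(recording["camera_id"], entries)
    return lamport_verify(public_key, head, recording["signature"])

def demo():
    # Constructed sample data: three frames of a real scene, two of an animation.
    scene = [b"frame-0: empty room", b"frame-1: person enters", b"frame-2: person leaves"]
    animation = [b"animated frame 0", b"animated frame 1"]

    cam = Camera("cam-0001")
    genuine = cam.record(scene, start_time=1_000)

    # The tape is "improved" after the fact: one frame replaced, or the end cut off.
    edited = dict(genuine, entries=list(genuine["entries"]))
    edited["entries"][1] = (1_001, b"frame-1: nobody enters")
    trimmed = dict(genuine, entries=genuine["entries"][:2])

    # A second, unmodified camera pointed at a screen that plays the animation.
    cam2 = Camera("cam-0002")
    replay = cam2.record(animation, start_time=2_000)

    return {
        "genuine": verify_recording(genuine, cam.public_key),
        "edited": verify_recording(edited, cam.public_key),
        "trimmed": verify_recording(trimmed, cam.public_key),
        "wrong_camera": verify_recording(genuine, cam2.public_key),
        "screen_replay": verify_recording(replay, cam2.public_key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} verifies: {ok}")
```

Edits, cuts and a mismatched camera all fail verification, while the screen replay passes: the signature ties bytes to a key and a claimed time, not to the scene that was in front of the lens.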

Should We Abolish the Criminal Law?

Modern societies have two different systems of legal rules–criminal law and tort law–that do essentially the same thing. Someone does something that injures others, he is charged, tried, and convicted, and something bad happens to him as a result, which gives other people an incentive not to do such things. In the criminal system prosecution is controlled and funded by the state, in the tort system by the victim. In the criminal system a compromise is called a plea bargain, in the tort system an out of court settlement. Criminal law provides a somewhat different range of punishments–it is not possible to execute someone for a tort, for example, although it was possible for something very much like a tort prosecution to lead to execution under English law a few centuries back–and operates under somewhat different legal rules.[57] But in their general outlines, the two systems are no more than slightly different ways of doing the same thing.

This raises an obvious question–is there any good reason to have both? Would we, for example, be better off abolishing criminal law entirely and instead having the victims of crimes sue the criminals?

One argument against such a pure tort system is that some offenses are hard to detect. A victim may conclude that catching and prosecuting the offender costs more than it is worth–especially if the offender turns out not to have enough assets to pay substantial damages. Hence some categories of offense may routinely go unpunished.

In Brin's world that problem vanishes. Every mugging is on tape. If the mugger chooses to wear a mask while committing his crime we can trace him backwards or forwards through the record until he takes it off. While a sufficiently ingenious criminal might find a way around that problem, most of the offenses that our criminal law now deals with would be cases where most of the facts are known and only their legal implications remain to be determined. The normal crime becomes very much like the normal tort–an auto accident, say, where (except in the case of hit and run, which is a crime) the identity of the party and many of the relevant facts are public information. In that world it might make sense to abolish criminal law and shift everything to the decentralized, privately controlled alternative. If someone steals your car you check the video record to identify him, then sue for the car plus a reasonable payment for your time and trouble recovering it.

Like many radical ideas, this one looks less radical if one is familiar with the relevant history. Legal systems in which something similar to tort law dealt with what we think of as crimes–in which if you killed someone his kinsmen sued you–are common in the historical record. Even as late as the 18th century, while the English legal system distinguished between torts and crimes, both were in practice privately prosecuted, usually by the victim.[58] One possible explanation for the shift to a modern, publicly prosecuted system of criminal law is that it was a response to the increasing anonymity that accompanied the shift to a more urban society in the late 18th and early 19th century. Technologies that reverse that shift may justify a reversal of the accompanying legal changes.

Where Worlds Collide

In the previous chapter I described a cyberspace with more privacy than we have today. In this chapter I have described a realspace with less. What happens if we get both?

It does no good to use strong encryption for my email if a video mosquito is sitting on the wall watching me type and recording every keystroke. Hence strong privacy in a transparent society requires some way of guarding the interface between my realspace body and cyberspace. This is no problem in the version where the walls of my house are still opaque. It is a serious problem in the version in which every place is, in fact if not in law, public. A low tech solution is to type under a hood. A high tech solution is some link between mind and machine that does not go through the fingers–or anything else visible to an outside observer.

The conflict between realspace transparency and cyberspace privacy goes in the other direction as well. If we are sufficiently worried about other people hearing what we say, one solution is to encrypt face to face conversation. With suitable wireless gadgets, I talk into a throat mike or type on a virtual keyboard (keeping my hands in my pockets). My pocket computer encrypts my message with your public key and transmits it to your pocket computer, which decrypts the message and displays it through your VR glasses. To make sure nothing is reading the glasses over your shoulder, the goggles get the image to you not by displaying it on a screen but by using a tiny laser to write it on your retina. With any luck, the inside of your eyeball is still private space.

We could end up in a world where physical actions are entirely public, information transactions entirely private. It has some attractive features. Private citizens will still be able to take advantage of strong privacy to locate a hit man, but hiring him may cost more than they are willing to pay, since in a sufficiently transparent world all murders are detected. Each hit man executes one commission then goes directly to jail.

What about the interaction between these technologies and data processing? On the one hand, it is modern data processing that makes the transparent society such a threat–without that, it would not much matter if you videotaped everything that happened in the world, since nobody could ever find the particular six inches of video tape he wanted in the millions of miles produced each day. On the other hand, the technologies that support strong privacy provide a possibility of reestablishing privacy, even in a world with modern data processing, by keeping information about your transactions from ever getting to anyone but you. That is a subject we will return to in a later chapter when we discuss digital cash–an idea dreamed up in large part as a way of restoring transactional privacy.


Chapter VI: Why Do We Want Privacy Anyway?

 

In Chapter IV, I touched briefly on the question of why people care about their privacy; it is now time to consider it at greater length. The first step is to define my terms a little more precisely.

In this chapter I use “informational privacy” as shorthand for an individual’s ability to control other people’s access to information about him. If I have a legal right not to have you tap my phone but cannot enforce that right–the situation at present for those using cordless phones without encryption–then I have little privacy with regard to my phone calls. On the other hand, I have almost complete privacy with regard to my own thoughts, even though it is perfectly legal for other people to use the available technologies–listening to my voice and watching my facial expressions–to try to figure out what I am thinking.[59] Privacy in this sense depends on a variety of things, including both law and technology. If someone invented an easy and accurate way of reading minds, privacy would be radically reduced even if there were no change in my legal rights.

There are two reasons to define privacy in this way. The first is that I am interested in its consequences, in the ways in which my ability to control information about me benefits or harms myself and others—whatever the source of that ability may be. The second is that I am interested in the ways in which technology is likely to change the ability of an individual to control information about himself—hence in changes in privacy due to sources other than changes in law.

What Is Informational Privacy and Why Does It Matter?

Many people go to some trouble to reduce the amount others can find out about them. Many people, sometimes the same people, make an effort to get information about other people. This suggests an interesting question: On net, is an increase in privacy good or bad? Do I gain more from your being unable to find out things about me than I lose from my being unable to find out things about you?

Most people seem to think that the answer is “yes.” It is common to see some new product, technology, or legal rule attacked as reducing privacy, rare to see anything attacked as increasing privacy. Why?

The reason I value my privacy is straightforward: Information about me in the hands of other people sometimes permits them to gain at my expense. They may do so by stealing my property–if, for example, they know when I will not be home. They may do so by getting more favorable terms in a voluntary transaction–if, for example, they know just how much I am willing to pay for the house they are selling.[60] They may do so by preventing me from stealing their property–by, for example, not hiring me as company treasurer after discovering that I am a convicted embezzler.

Information about me in other people’s hands may also benefit me–for example, the information that I am honest and competent. But privacy does not prevent that information from being available to them. If I have control over information about myself I can release it when, and only when, doing so is in my interest.[61]

My examples included one–where my privacy protects me from burglary–in which privacy produced a net benefit, since the gain to a burglar is normally less than the loss to his victim. It included one–where my privacy permitted me to steal from others–in which privacy produced a net loss. And it included one case–bargaining–where the net effect appeared to be a wash, since what I lost someone else gained.[62] So while it is clear why I am in favor of my having privacy, it is not clear why I should expect my gains from my having privacy to outweigh my losses from your having it. It becomes even less clear if we look at the case of bargaining a little more carefully.

Consider a real world example:[63]

Before my wife and I moved from Chicago to California, we spent some time looking for a house. We found, in the entire South Bay, precisely one house that we really liked—a lovely ninety year old home, set in its own tiny island of green surrounded by walls and hedges, in a neighborhood of fifties ranch houses. As an added bonus, the current owners, having bought the house in dilapidated condition, had put time and thought into undoing the effects of decades of neglect. Apparently our tastes were almost as uncommon as the house—judged by the fact that the owners were offering it at a price comparable to new houses of similar size and having a sufficiently hard time finding a buyer to be willing to consider offers somewhat below their asking price.

We did not, probably could not, conceal the fact that we liked the house. But we did make some attempt to conceal how much we liked the house—and how much, if necessary, we were willing and able to pay for it. If we had had no privacy, if the sellers had been able to listen in to all of our thoughts and conversations, we would have ended up paying noticeably more for it than we did. Conversely, if they had had no privacy, we might have been able to discover that they were willing to accept a lower price than the one we eventually paid.

So far it looks as though the effect of more or less privacy is a wash—one side of the bargain gains what the other side loses. So long as we end up buying the house, that may be true. 

At some stage in the bargaining, we make a final offer and they do or do not accept it. Our offer is based in part on what the house is worth to us and in part on what we think it is worth to them—our estimate of the lowest offer they will accept. Whether they accept it depends in part on the worth of the house to them, in part on whether they really believe it is our final offer or think that by refusing it they can get a better one.

If one side or the other guesses wrong, if they refuse to accept our offer because they think we will raise it or we refuse to raise it because we think they will accept it, the bargain falls through and we end up with our second or third choice instead. Such bargaining breakdown represents a real loss—both sides are worse off than if they had sold us the house at some price above their value for it and below ours. Privacy, by making it harder for each side to correctly interpret the other’s position, makes such breakdown more likely.

Generalizing the argument, it looks as though privacy produces, on average, a net loss in situations where parties are seeking information about each other in order to improve the terms of a voluntary transaction, since it increases the risk of bargaining breakdown.[64] In situations involving involuntary transactions, privacy produces a net gain if it is being used to protect other rights (assuming that those rights have been defined in a way that makes their protection desirable) and a net loss if it is being used to violate other rights (with the same assumption). There is no obvious reason why the former situation should be more common than the latter. So it remains puzzling why people in general support privacy rights–why they think it is, on the whole, a good thing for people to be able to control information about themselves.

Privacy Rights and Rent Seeking

I have a taste for watching pornographic videos. My boss is a puritan who does not wish to employ people who enjoy pornography. If I know my boss is able to monitor my rentals from the local adult video store I respond by renting videos from a more distant and less convenient outlet. My boss is no better off as a result of the limitation of my privacy; I am still viewing pornography and he is still ignorant of the fact. I am worse off by the additional driving time required to visit the more distant store.

Privacy—embodied in a law forbidding the video store from telling my boss what I am renting[65]--not only saves me time, it also discourages my boss from spending time and effort worming information out of the clerk at the local video store. It thus reduces both my costs and his—mine because I can do what I want to do more easily, his because he can’t do it at all. A different form of the same argument should be obvious to anyone who has ever closed a door behind him, loosened his tie, taken off his shoes, and put his feet up on his desk. Privacy has permitted him to maintain his reputation as someone who behaves properly without having to bear the cost of actually behaving properly—which is why there is no window between his office and the adjacent hallway.

There are two problems with this explanation of why people support privacy. The first is that the argument could as easily go the other way. One can readily imagine situations where making it harder for me to protect my privacy means that I stop trying--saving me the cost of protecting my information and other people the cost of trying to defeat my protection. The second is that while some information about me starts under my control, much does not. Consider court records of my conviction on a criminal charge or a magazine’s mailing list with my name on it. Protecting my privacy with regard to such information requires some way of removing that information from the control of those people who initially possess it and transferring control to me. That is, in most cases, a costly process. If we do nothing to give people rights over such information about them, the information will remain public and nothing will have to be spent to restrict access to it.

Privacy as Property

For a very different argument in favor of privacy, consider a point made earlier: if I have control over information about me but transferring that information to someone else produces net benefits, I can give or sell that information to him. By protecting my control over information about me we establish a market in information. Each piece of information moves to the person who values it most, maximizing net benefit.

This is a good argument for private property in general, but there are problems in applying it to information. Transacting over information is difficult because it is hard to tell the customer what you are selling without, in the process, giving it to him. And information can be duplicated at a cost close to zero, so that while the efficient allocation of a car is to the single person who has the highest value for it, the efficient allocation of a piece of information is to everyone to whom it has positive value.[66] That implies that legal rules that treat information as a commons, free for everyone to make copies, usually lead to the efficient allocation.

One function of property rights is to allocate existing things; another is to give people an incentive to produce things in the first place. You cannot read my book unless I first write it, so if I cannot charge you for reading it the book may never get written. But while that may be a legitimate argument for property rules in contexts such as copyright or patent, it is hard to see how it applies to individual privacy. Information about me is either produced by me as a byproduct of other activities, such as subscribing to a magazine, or else produced by other people about me--in which case giving me property rights in the information will not give them an incentive to produce it.

Privacy and Government

“It would have been impossible to proportion with tolerable exactness the tax upon a shop to the extent of the trade carried on in it, without such an inquisition as would have been altogether insupportable in a free country.”

(Adam Smith’s explanation of why a sales tax is impractical; Wealth of Nations Bk V, Ch II, Pt II, Art. II)

 

“The state of a man’s fortune varies from day to day, and without an inquisition more intolerable than any tax, and renewed at least once every year, can only be guessed at.” (Smith’s explanation of why an income tax is impractical, Bk V Article IV)

 

Although private parties occasionally engage in involuntary transactions such as burglary, most of our interactions with each other are voluntary ones. Governments engage in involuntary transactions on an enormously larger scale. And governments almost always have an overwhelming superiority of physical force over the individual citizen. While I can protect myself from my fellow citizens with locks and burglar alarms, I can protect myself from government actors only by keeping information about me out of their hands.[67]

The implications depend on one’s view of government. If government is the modern equivalent of the philosopher king, individual privacy simply makes it harder for government to do good. If, on the other hand, a government is merely a particularly large and well organized criminal gang, stealing as much as it can from the rest of us, individual privacy against government is an unambiguously good thing. Most Americans appear, judging by expressed views on privacy, to be close enough to the latter position to consider privacy against government as on the whole desirable, with an exception for cases where they believe that privacy might be used to conceal crimes substantially more serious than tax evasion.[68]

Seen from this standpoint, one problem with Brin's transparent society is the enormous downside risk. Played out under less optimistic assumptions than his, the technology could enable a tyranny that Hitler or Stalin might envy. Even if we accept Brin's optimistic assumption that the citizens are as well informed about the police as the police about the citizens, it is the police who have the guns. They know if we are doing or saying anything they disapprove of and respond accordingly, arresting, imprisoning, perhaps torturing or executing their opponents. We have the privilege of watching. Why should they object? Public executions are an old tradition, designed in part to discourage other people from doing things that might get them executed.

It does not follow that Brin's prescription is wrong. His argument, after all, is that privacy will simply not be an option, either because the visible benefits of surveillance are so large or because the technology will make it impossible to prevent it. If he is right, his transparent society may at least be better than the alternative–surveillance to which only those in  power have access, a universal Panopticon with government as the prison guards.


Part III: Doing Business Online

The growing importance of Cyberspace is one revolution we can be confident of, since it has already happened. An earlier chapter discussed implications for privacy. This section deals with how to do business in a world in which physical location and physical identity are becoming increasingly irrelevant. The issues are connected, since tools for doing business in cyberspace may also provide ways of maintaining control over personal information while doing so.

We start, in Chapter VII, with the problem of how to pay for things. One possible answer is anonymous ecash–money that can be passed from one computer to another by sending messages, with no need to transmit anything physical. Such a system has the potential to provide, among other things, a simple solution to the irritation of spam email. It also makes some current law enforcement strategies, notably the attempt to enforce laws by monitoring and controlling the flow of money, unworkable. And it raises the interesting possibility of a future of private currencies competing with each other and with government moneys in both cyberspace and realspace.

Chapter VIII considers a different problem–enforcing contracts online. Online interactions are, in a sense, entirely voluntary; you (or your computer) can be tricked into doing something you do not want to but you cannot be forced to do something you do not want to, since you are the one with physical control over your computer. In the worst case you can always pull the plug. In an entirely voluntary world, most legal issues can be reduced to contract law. As enforcement of online contracts through the court system becomes increasingly difficult it may be in large part replaced by private alternatives based on reputational sanctions.

We consider next property–intellectual property. A world of easy and inexpensive copying and communication is a world where enforcing copyright is extraordinarily difficult. Are there other, perhaps better,  ways to give creators control over what they create? That brings us to the recent and increasingly controversial issue of technological protection of intellectual property–the online equivalent of the barbed wire fences whose invention revolutionized western agriculture. It also brings us back to the possibility of treating personal information as private property, protected not by law but by technology.

The final chapter of this section deals with ways in which the new technologies, by greatly reducing the cost of communication and information, can change how we organize our lives. One interesting and attractive possibility is a shift away from formal organizations such as corporations and universities towards more decentralized models, such as networks of amateur scholars and open source programmers.


Chapter VII: Ecash

I pay for things in one of three different ways–credit card, check or cash. The first two let me make large payments without having to carry large amounts of money. What are the advantages of the third?

One is that a seller does not have to know anything about me in order to accept cash. That makes money a better medium for transactions with strangers, especially strangers from far away. It also makes it a better medium for small transactions, since using cash avoids the fixed costs of checking up on someone to make sure that there is really money in his checking account or that his credit is good.  It also means that money leaves no paper trail, which is useful not only for criminals but for anyone who wants to protect his privacy—an increasingly important issue in a world where data processing threatens to make every detail of our lives public.

The advantage of money is greater in cyberspace, since transactions with strangers, including strangers far away, are more likely on the internet than  in my realspace neighborhood. The disadvantage is less, since my ecash is stored inside my computer, which is usually inside my house, hence less vulnerable to theft than my wallet.

Despite its potential usefulness, there is as yet no equivalent of cash available online, although there have been unsuccessful attempts to create one and successful attempts to create something close.[69] The reason is not technological; those problems have been solved. The reason is in part the hostility of governments to competition in the money business, in part the difficulty of getting standards, in this case private monetary standards, established. I expect both problems to be solved sometime in the next decade or so.

Before discussing how a system of electronic currency, private or governmental, might work, it is worth first giving at least one example of why it would be useful–for something more important than allowing men to look at pornography online without their wives or employers finding out.

Slicing Spam

My email contains much of interest. It also contains READY FOR A SMOOTH WAY OUT OF DEBT?, A Personal Invitation from make_real_money@BIGFOOT.COM, You've Been Selected..... from friend@localhost.net, and a variety of similar messages, of which my favorite offers “the answer to all your questions.”  The internet has brought many things of value, but for most of us unsolicited commercial email, better known as spam, is not one of them.

There is a simple solution to this problem—so simple that I am surprised nobody has yet implemented it. The solution is to put a price on your mailbox. Give your email program a list of the people you wish to receive mail from. Mail from anyone not on the list is returned, with a note explaining that you charge five cents to read mail from strangers–and the URL of the stamp machine. Five cents is a trivial cost to anyone with something to say that you are likely to want to read, but five cents times ten million recipients is quite a substantial cost to someone sending out bulk email on the chance that one recipient in ten thousand may respond.

The stamp machine is located on a web page. The stamps are digital cash. Pay ten dollars from your credit card and you get in exchange two hundred five cent stamps–each a morsel of encrypted information that you can transfer to someone else and that he, or someone he transfers it to, can eventually bring back to the stamp machine and turn back into cash.

A virtual stamp, unlike a real stamp, can be reused; it is paying not for the cost of transmitting my mail but for my time and trouble reading it, so the payment goes to me, not the post office. I can use it the next time I want to send a message to a stranger. If lots of strangers choose to send me messages, I can accumulate a surplus of stamps to be changed back into cash.

How much I charge is up to me. If I hate reading messages from strangers, I can make the price a dollar, or ten dollars, or a hundred dollars–and get very few of them. If I enjoy junk email, I can set a low price. Once such a system is established, the same people who presently create and rent out the mailing lists used to send spam will add another service–a database keeping track of what each potential target charges to receive it.

What is in it for the stamp machine–why would someone maintain such a system? Part of the answer is seignorage–the profit from coining money. After selling a hundred million five cent stamps, you have five million dollars of money. If your stamps are popular, many of them may stay in circulation for a long time–leaving the money that bought them in your bank account accumulating interest.

In addition to the free use of other people’s money, there is a second advantage. If you own the stamp machine, you also own the wall behind it–the web page people visit to buy stamps. Advertisements on that wall will be seen by a lot of people.

One reason this solution to spam requires ecash is that it involves a large number of very small payments. It would be a great deal clumsier if we used credit cards–every time you received a message with a five cent stamp, you would have to check with the sender's bank before reading it to make sure the payment was good. A second reason is privacy. Many of us would prefer not to leave a complete record of our correspondence with a third party–which we would be doing if we used credit cards or something similar. What we want is not merely ecash but anonymous ecash–some way of making payments that provides no information to third parties about who has paid what to whom.

Constructing Ecash

Suppose a bank wants to create a system of ecash. The first and easiest problem is how to provide people with virtual banknotes that cannot be counterfeited.

The solution is a digital signature. The bank creates a banknote that says "First Bank of Cyberspace: Pay the bearer one dollar in U.S. currency." It digitally signs the note, using its private key. It makes the matching public key widely available. When you come in to the bank with a dollar, it gives you a banknote in the form of a file on a floppy disk. You transfer the file to your hard disk, which now has a one dollar bill with which to buy something from someone else online. When he receives the file he checks the digital signature against the bank's public key.

The Double Spending Problem

There is a problem—a big problem. What you have gotten for your dollar is not one dollar bill but an unlimited number of them. Sending a copy of the file in payment for one transaction does not erase it from your computer, so you can send it again to someone else to buy something else. And again. That is going to be a problem for the bank, when twenty people come in to claim your original dollar bill.

One solution is for the bank to give each dollar its own identification number and keep track of which ones have been spent. When a merchant receives your file he sends it to the bank, which deposits the corresponding dollar in his account and adds its number to a list of banknotes that are no longer valid. When you try to spend a second copy of the note, the merchant who receives it tries to deposit it, is informed that it is no longer valid, and doesn't send you your goods.

This solves the problem of double spending, but it also eliminates most of the advantages of ecash over credit cards. The bank knows that it issued banknote 94602… to Alice, it knows that it came back from Bill, so it knows that Alice bought something from Bill, just as it would if she had used a credit card.

The solution to this problem uses what David Chaum, the Dutch cryptographer who is responsible for many of the ideas underlying ecash, calls blind signatures. It is a way in which Alice, having rolled up a random identification number for a dollar bill, can get the bank to sign that number (in exchange for paying the bank a dollar) without having to tell the bank what number it is signing. Even though the bank does not know the serial number it signed, both it and the merchant who receives the note can check that the signature is valid. Once the dollar bill is spent, the merchant has the serial number, which he reports to the bank, which can add it to the list of serial numbers that are now invalid. The bank knows it provided a dollar to Alice, it knows it received back a dollar from Bill, but it does not know that they are the same dollar. So it does not know that Alice bought something from Bill. The seller has to check with the bank and know that the bank is trustworthy, but it does not have to know anything about the purchaser.

Curious readers will want to know how it is possible for a bank to sign a serial number without knowing what it is. I cannot tell them without first explaining the mathematics of public key encryption, which requires more math than I am willing to assume my average reader has. Those who are curious can find the answers in the virtual footnotes, which point to webbed explanations of both public key encryption and blind signatures.[70]
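The blind-signature exchange described above, as an added Python example that is not part of the book: a toy RSA version in which Alice blinds her serial number with a random factor, the bank signs the blinded value, and Alice divides the factor back out. The key size, the hash step and all names here are assumptions chosen for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key for the bank: two Mersenne primes. Far too small for
# real use; it only keeps the arithmetic easy to follow.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, known only to the bank


def note_digest(serial: int) -> int:
    """The integer that is actually signed: a hash of the serial, reduced mod N."""
    h = hashlib.sha256(str(serial).encode()).digest()
    return int.from_bytes(h, "big") % N


def blind(serial: int):
    """Alice hides the digest by multiplying it by r**E for a random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (note_digest(serial) * pow(r, E, N)) % N, r


def unblind(blind_signature: int, r: int) -> int:
    """(m * r**E)**D = m**D * r (mod N), so dividing by r leaves m**D."""
    return (blind_signature * pow(r, -1, N)) % N


def verify(serial: int, signature: int) -> bool:
    """Anyone holding the public key can check a note."""
    return pow(signature, E, N) == note_digest(serial)


class Bank:
    def __init__(self):
        self.seen_at_withdrawal = []     # every value the bank was asked to sign
        self.spent = set()               # serial numbers already deposited

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: take a dollar and sign whatever number is presented."""
        self.seen_at_withdrawal.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: int, signature: int) -> str:
        """Deposit by a merchant: check the signature, then the spent list."""
        if not verify(serial, signature):
            return "bad signature"
        if serial in self.spent:
            return "already spent"
        self.spent.add(serial)
        return "ok"


def demo():
    bank = Bank()
    serial = secrets.randbelow(10**100)          # Alice's random serial number
    blinded, r = blind(serial)
    signature = unblind(bank.sign_blinded(blinded), r)

    first = bank.deposit(serial, signature)      # Bill deposits the note
    second = bank.deposit(serial, signature)     # a second copy is refused
    forged = bank.deposit(serial + 1, signature) # signature fits only this serial
    # What the bank saw at withdrawal matches neither the serial nor its digest,
    # so it cannot link the deposited note to Alice's withdrawal.
    linkable = (serial in bank.seen_at_withdrawal
                or note_digest(serial) in bank.seen_at_withdrawal)
    return first, second, forged, linkable


if __name__ == "__main__":
    print(demo())
```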

So far I have been assuming that people who receive digital cash can communicate with the bank that issues it while the transaction is taking place–that they and the bank are connected to the internet or something similar. That is not a serious constraint if the transaction is occurring online. But digital cash could also be useful for realspace transactions–and the cabby or hotdog vendor may not have an internet connection.

The solution is another clever trick (Chaum specializes in clever tricks). It is a form of ecash that contains information about the person it was issued to but only reveals that information if he tries to spend the same dollar bill twice. For an explanation of how it works, you must again go to the virtual footnotes.[71]
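One way to get the property just described, as an added sketch that is not from the book or its footnotes: the owner's identity is split into pairs of shares, each spend reveals one share per pair, and two spends answered under different merchant challenges expose both halves of some pair. It leaves out the blind signature and the bank's check that the shares really encode the withdrawer's identity; all names and the sample identity are constructed.

```python
import hashlib
import secrets

K = 16       # challenge bits; two random challenges coincide with chance 2**-K
WIDTH = 16   # bytes per identity share


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Note:
    """A note whose K share pairs each XOR to the owner's identity."""

    def __init__(self, owner_id: bytes):
        if len(owner_id) > WIDTH:
            raise ValueError("identity too long for this sketch")
        ident = owner_id.ljust(WIDTH, b"\0")
        self.serial = secrets.token_hex(16)
        self._pairs = []
        for _ in range(K):
            a = secrets.token_bytes(WIDTH)       # random pad
            self._pairs.append((a, xor(a, ident)))
        # Public part of the note: a commitment to each share, not the shares.
        self.commitments = [(h(a), h(b)) for a, b in self._pairs]

    def respond(self, challenge):
        """Spending: reveal share 0 or share 1 of each pair, as the merchant asks."""
        return [self._pairs[i][bit] for i, bit in enumerate(challenge)]


def new_challenge():
    """What an offline merchant would send: K random bits."""
    return [secrets.randbelow(2) for _ in range(K)]


def merchant_accepts(commitments, challenge, response) -> bool:
    """Offline check: every revealed share matches the commitment on the note."""
    return all(h(response[i]) == commitments[i][bit]
               for i, bit in enumerate(challenge))


class Bank:
    def __init__(self):
        self.deposits = {}   # serial -> (challenge, response) from the first deposit

    def deposit(self, serial, challenge, response):
        if serial not in self.deposits:
            self.deposits[serial] = (challenge, response)
            return ("accepted", None)
        old_challenge, old_response = self.deposits[serial]
        for i in range(K):
            if old_challenge[i] != challenge[i]:
                # Both halves of pair i are now known: a XOR (a XOR id) = id.
                ident = xor(old_response[i], response[i]).rstrip(b"\0")
                return ("double spend", ident)
        return ("duplicate transcript", None)


def demo():
    note = Note(b"alice@example")                # constructed identity
    bank = Bank()
    c1 = [0, 1] * (K // 2)                       # constructed challenge, merchant 1
    c2 = [1, 1] * (K // 2)                       # constructed challenge, merchant 2
    r1, r2 = note.respond(c1), note.respond(c2)  # the same note is spent twice
    ok1 = merchant_accepts(note.commitments, c1, r1)
    ok2 = merchant_accepts(note.commitments, c2, r2)
    first = bank.deposit(note.serial, c1, r1)
    second = bank.deposit(note.serial, c2, r2)
    return ok1, ok2, first, second


if __name__ == "__main__":
    print(demo())
```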

Skeptical readers should at this point be growing increasingly unhappy at being told that everything about ecash is done by mathematics that I am unwilling to explain–which they may reasonably enough translate as "smoke and mirrors." For their benefit I have invented my own form of ecash–one that has all of the features of the real thing and can be understood with no mathematics beyond the ability to recognize numbers. It is a good deal less convenient than Chaum's version but a lot easier to explain, and so provides at least a possibility proof for the real thing.

Low Tech Ecash

I randomly create a very long number. I put the number and a dollar bill in an envelope and mail it to the First Bank of Cybercash. The FBC agrees–in a public statement–to do two things with money it receives in this way:

I. If anyone walks into the FBC and presents the number, he gets the dollar bill.

II. If the FBC receives a letter that includes the number associated with a dollar bill it has on deposit, instructing the FBC to change it to a new number, it will make the change and post the fact of the transaction on a publicly observable bulletin board. The dollar bill will now be associated with the new number.

Let's see how this works:

Alice has sent the FBC a dollar, accompanied by the number 59372.  She now wants to buy a dollar's worth of digital images from Bill, so she emails the number to him in payment. Bill emails the FBC, sending them three numbers–59372, 21754, 46629.

The FBC checks to see if it has a dollar on deposit with number 59372; it does. It changes the number associated with that dollar bill to 21754, Bill's second number. Simultaneously, it posts on a publicly observable bulletin board the statement "the transaction identified by 46629 has gone through." Bill reads that message, which tells him that Alice really had a dollar bill on deposit and it is now his, so he emails her a dollar's worth of digital images.

Alice no longer has a dollar, since if she tries to spend it again the bank will report that it is not there to be spent–FBC no longer has a dollar associated with the number she knows. Bill now has a dollar, since the dollar that Alice originally sent in is now associated with a new number and only he (and the bank) knows what it is. He is in precisely the same situation that Alice was before the transaction, so he can now spend the dollar to buy something from someone else. Like an ordinary paper dollar, the dollar of ecash in my system passes from hand to hand. Eventually someone who has it decides he wants a dollar of ordinary cash instead; he takes his number, the number that Alice's original dollar is now associated with, to the FBC to exchange for a dollar bill.

My ecash may be low tech, but it meets all of the requirements. Payment is made by sending a message. Payer and payee need know nothing about the other's identity beyond the address to send the message to. The bank need know nothing about either party. When the dollar bill originally came in, the letter had no name on it, only an identifying number. Each time it changed hands, the bank received an email but had no information about who sent it. When the chain of transactions ends and someone comes into the bank to collect the dollar bill he need not identify himself; even if the bank can somehow identify him he has no way of tracing the dollar bill back up the chain. The virtual dollar in my system is just as anonymous as the paper dollars in my wallet.

With lots of dollar bills in the bank there is a risk that two might by chance have the same number, or that someone might make up numbers and pay with them in the hope that the numbers he invents will, by chance, match numbers associated with dollar bills in the bank. But both problems become insignificant if instead of using five digit numbers we use hundred digit numbers. The chance that two random hundred digit numbers will turn out to be the same is a good deal less than the chance that payer, payee, and bank will all be struck  by lightning at the same time.
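The FBC's two rules and the Alice and Bill walk-through above, as an added Python simulation (not the author's code). It also bounds the chance that made-up numbers match a bill on deposit, for five digit and hundred digit numbers. Carol and her numbers are constructed for the double-spending attempt.

```python
import secrets
from fractions import Fraction

DIGITS = 100


def new_number(digits: int = DIGITS) -> int:
    """Roll up a random number with up to `digits` decimal digits."""
    return secrets.randbelow(10**digits)


class FBC:
    """First Bank of Cybercash: it stores numbers, never names."""

    def __init__(self):
        self.on_deposit = set()      # numbers currently tied to a dollar bill
        self.bulletin_board = []     # public list of completed transaction ids

    def mail_in(self, number: int) -> None:
        """An envelope arrives holding a dollar bill and a number."""
        if number in self.on_deposit:
            raise ValueError("number already in use")
        self.on_deposit.add(number)

    def redeem(self, number: int) -> bool:
        """Rule I: whoever presents the number gets the dollar bill."""
        if number in self.on_deposit:
            self.on_deposit.remove(number)
            return True
        return False

    def change_number(self, old: int, new: int, txn_id: int) -> bool:
        """Rule II: re-key the dollar and post the transaction id publicly."""
        if old not in self.on_deposit or new in self.on_deposit:
            return False             # nothing is posted, so the payee sees no proof
        self.on_deposit.remove(old)
        self.on_deposit.add(new)
        self.bulletin_board.append(txn_id)
        return True


def guess_bound(bills: int, guesses: int, digits: int) -> Fraction:
    """Union bound on the chance that any made-up number matches a bill on deposit."""
    return min(Fraction(1), Fraction(bills * guesses, 10**digits))


def walkthrough():
    fbc = FBC()
    fbc.mail_in(59372)                                    # Alice's envelope
    paid_bill = fbc.change_number(59372, 21754, 46629)    # Bill's three numbers
    bill_sees_it = 46629 in fbc.bulletin_board
    # Alice sends 59372 again, this time to Carol (constructed numbers).
    paid_carol = fbc.change_number(59372, 80311, 17265)
    carol_sees_it = 17265 in fbc.bulletin_board
    alice_redeems = fbc.redeem(59372)                     # her number is dead
    bill_redeems = fbc.redeem(21754)                      # his is live
    return (paid_bill, bill_sees_it, paid_carol, carol_sees_it,
            alice_redeems, bill_redeems)


if __name__ == "__main__":
    print(walkthrough())
    print(float(guess_bound(10_000, 1, 5)))               # five digit numbers
    print(float(guess_bound(10**9, 10**12, DIGITS)))      # hundred digit numbers
```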

Robot Mechanics

It may have occurred to you that if you have to roll up a hundred digit random number every time you want to buy a dollar of ecash from the bank and two more every time you receive one from anyone else, not to mention sending off one anonymous email to the bank for every dollar you receive, ecash may be more trouble than it is worth. Don't worry--that's your computer's job, not yours. With a competently designed ecash system, the program takes care of all mathematical details; all you have to worry about is having enough money to pay your (virtual) bills. You tell your computer what to pay to whom; it tells you what other people have paid to you and how much money you have. Random numbers, checks of digital signatures, blind signing, and all the rest are done in the background. If you find that hard to believe, consider how little most of us know about how the tools we routinely use, such as cars, computers or radios, actually work.

Ecash and Privacy

When Chaum came up with the idea of ecash, email was not yet sufficiently popular to make spam an issue. What motivated him was the problem we discussed back in chapter IV–the loss of privacy created by the ability of modern information processing to combine publicly available information into a detailed portrait of each individual.

Consider an application of ecash that Chaum has actually worked on–automated toll collection. It would be very convenient if, instead of stopping at a toll booth when getting on or off the interstate, we could simply drive past, making the payment automatically in the form of a wireless communication between the (unmanned) toll booth and the car. The technology to do this exists and has long been used to provide automated toll collection for busses on some roads.[72]

One problem is privacy. If the payment is made with a credit card, or if the toll agency adds up each month's tolls and sends you a bill, someone has a complete record of every trip you have taken on the toll road, every time you have crossed a toll bridge. If we deal with auto pollution by measuring pollutants in the exhaust plumes of passing automobiles and billing their owners, someone ends up with detailed, if somewhat fragmentary, records of where you were when.

Ecash solves that problem. As you whiz past the toll booth, your car pays it fifty cents in anonymous ecash. By the time you are thirty feet down the road, the (online) toll booth has checked that the money is good; if it isn't, an alarm goes off, a camera triggers, and if you do not stop a traffic cop eventually appears on your tail. But if your money is good you go quietly about your business–and there is no record of your passing the toll booth. The information never came into existence, save in your head. Similarly for an automated system of pollution charges.

It works for shopping as well. Ecash–this time encoded in a smart card in your wallet or a palmtop computer in your pocket–provides much of the convenience of a credit card with the anonymity of cash. If you want the seller to know who you are, you are free to tell him. But if you prefer to keep your transactions private, you can.

Private Money: A New Old Story

My examples so far assumed that ecash will be produced and redeemed by private banks but denominated in government money. Both are likely, at least in the short run. Neither is necessary.

Private money denominated in dollars is already common. My money market fund is denominated in dollars, although Merrill Lynch does not actually have a stack of dollar bills in a vault somewhere that corresponds to the amount of money "in" my account.  My university I.D. card doubles as a money card, with some number of dollars stored on its magnetic strip—a number that decreases every time I use the card to buy lunch on campus. A bank could issue ecash on the same basis. Each dollar of ecash represents a claim to be paid a dollar bill. The actual assets backing that claim consist not of a stack of dollar bills but of stocks, bonds, and the like–which have the advantage of paying the bank interest for as long as the dollar of ecash is out there circulating.

While I do not have to know anything about you in order to accept your ecash, I do have to know something about the bank that issued it–enough to be sure that the money will eventually be redeemed. That means that any ecash expected to circulate widely will be issued by organizations with reputations. In a world of almost instantaneous information transmission, those organizations will have a strong incentive to maintain their reputations, since a loss of confidence will result in money holders bringing in virtual banknotes to be redeemed, eliminating the source of income that the assets backing those banknotes provided.

Some economists, in rejecting the idea of private money, have argued that such an institution is inherently inflationary. Since issuing money costs a bank nothing and gives it the interest on the assets it buys with the money, it is always in the bank's interest to issue more.

The rebuttal to this particular error was published in 1776. When Adam Smith wrote The Wealth of Nations, the money of Scotland consisted largely of banknotes issued by private banks, redeemable in silver.[73] As Smith pointed out, while a bank could print as many notes as it wished, it could not persuade other people to hold an unlimited number of its notes. A customer who holds a thousand dollars in virtual cash–or Scottish banknotes–when he only needs a hundred is giving up the interest he could have been earning if he had held the other nine hundred dollars in bonds or some other interest earning asset instead. That is a good reason to limit his cash holdings to the amount he actually needs for day to day transactions.

What happens if a bank tries to issue more of its money than people wish to hold? The excess comes back to be redeemed. The bank is wasting its resources printing up money, trying to put it into circulation, only to have each extra banknote promptly returned for cash–in Smith's case, silver. The obligation of the bank to redeem its money guarantees its value, and at that value there is a fixed amount of the money that people will choose to hold.

 

"Let us suppose that all the paper of a particular bank, which the circulation of the country can easily absorb and employ, amounts exactly to forty thousand pounds; and that for answering occasional demands, this bank is obliged to keep at all times in its coffers ten thousand pounds in gold and silver. Should this bank attempt to circulate forty-four thousand pounds, the four thousand pounds which are over and above what the circulation can easily absorb and employ, will return upon it almost as fast as they are issued." (Bk I Chapter 2)

 

So far I have assumed that future ecash will be denominated in dollars. Dollars have one great advantage–they provide a common unit already in widespread use. They also have one great disadvantage–they are produced by a government, and it may not always be in the interest of that government to maintain their value in a stable, or even predictable, way. On past evidence, governments sometimes increase or decrease the value of their currency, inadvertently or for any of a variety of political purposes. In the extreme case of a hyperinflation, a government tries to fund its activities with the printing press, rapidly increasing the amount of money and decreasing its value. In less extreme cases, a government might inflate in order to benefit debtors by inflating away the real value of their debts–governments themselves are often debtors, hence potential beneficiaries of such a policy–or it might inflate or deflate in the process of trying to manipulate its economy for political ends.[74]

Dollars have a second disadvantage, although perhaps a less serious one. Because they are issued by a particular government, citizens of other governments may prefer not to use them. This has not prevented dollars from becoming a de facto world currency, but it is one reason why a national currency  might not be the best standard to base ecash on. The simplest alternative would be a commodity standard, making the unit of ecash a gram of silver or gold, or some other widely traded commodity.

Under such a commodity standard the monetary unit, while no longer under the control of a government, is subject instead to the forces that affect the value of the particular commodity it is based on. If large amounts of gold are discovered, or if someone invents new and better techniques for extracting gold from low grade ore, the value of gold, and of gold based money, will decline.[75] If, on the other hand, important new uses for gold are found, and no new supplies, the value of gold will rise and prices fall. Thus a commodity money carries with it at least some risk of unpredictable fluctuations in its value, and hence in prices measured in it.

That problem is solved by replacing a simple commodity standard with a commodity bundle. Bring in a million Friedman Dollars and I agree to give you in exchange ten ounces of gold, forty ounces of silver, ownership of a thousand bushels each of grade A wheat and grade B soybeans, a ton of grade S30040 stainless steel, …   . If the purchasing power of a million of my dollars is less than the value of the bundle, it is profitable for people to assemble a million Friedman dollars, exchange them for the bundle, and sell the contents of the bundle–forcing me to make good on my promise and, in the process, reducing the amount of my money in circulation. If the purchasing power of my money is more than the worth of the commodities it trades for, it is in my interest to issue some more money. Since the bundle contains lots of different commodities, random changes in commodity prices can be expected to roughly average out, giving us a stable standard of value.

A commodity bundle is a good theoretical solution to the problem of monetary standards, but implementing it has a serious practical difficulty–all the firms issuing ecash have to agree on the same bundle. If they fail to establish a common standard, we end up with a cyberspace in which different people use different currencies and the exchange rates between them vary randomly.

That is not an unworkable situation–Europeans have lived with it for a very long time–but it is a nuisance. Life is easier if the money I use is the same as the money used by the people I do business with. On that fact our present world system–multiple government moneys, each with a near monopoly within the territory of the issuing government–is built. It works because most transactions are with people near you, and, unless you happen to live next to the border, people near you live in the same country you do. It works less well in Europe than in North America because the countries are smaller--which is why the European countries are moving from national currencies to the Euro.

A system of monopoly government moneys works less well in cyberspace because in cyberspace national borders are transparent. For information transactions, geography is irrelevant–I can download software or digital images from London as easily as from New York. For online purchases of physical objects geography is not entirely irrelevant, since the goods have to be delivered, but less relevant than in realspace shopping. With a system of multiple national currencies, everyone in cyberspace has to juggle multiple currencies in the process of figuring out who has the best price and paying it. The obvious solution is to establish a single standard of value, either by adopting one national currency, probably the dollar, or by establishing a private standard, such as the sort of commodity bundle described above. 

That may not be the only solution. The reason that everyone wants to use the same currency as his neighbors is that currency conversion is a nuisance. But currency conversion is arithmetic, and computers do arithmetic fast and cheap. Perhaps, with some minor improvements in the interfaces on which we do online business, we could make the choice of currency irrelevant, permitting multiple standards to coexist.

I live in the U.S.; you live in India. You have goods to sell, displayed on a web page, with prices in rupees. I view that page through my brand new browser–Netscape Navigator v 9.0. One feature of the new browser is that it is currency transparent. You post your prices in rupees but I see them in dollars. The browser does the conversion on the fly, using exchange rates read, minute by minute, from my bank's web page. If I want to buy your goods, I pay in dollar denominated ecash; my browser sends it to my bank which sends rupee denominated ecash to you. I neither know nor care what country you are in or what money you use–it's all dollars to me.

Currency transparency will be easiest online, where everything filters through browsers anyway. One can imagine, with a little more effort, realspace equivalents. An unobtrusive tag on my lapel gives my preferred currency; an automated price label on the store shelf reads my tag and displays the price accordingly. Alternatively, the price is displayed by a dumb price tag, read by a smart video camera set into the frame of my glasses, converted to my preferred currency by my pocket computer, and written in the air by the heads up display generated by the eyeglass lenses.

As I write, the countries of Europe are in the final stages of replacing their multiple national currencies with the Euro. If the picture I have just painted turns out to be correct, they may have finally achieved a common currency just as it was becoming unnecessary.

We now have three possibilities for ecash. It might be produced by multiple issuers but denominated in dollars or (less probably) some other widely used national money. It might be denominated in some common non-governmental standard of value–gold, silver, or a commodity bundle. It might be denominated in a variety of different standards, perhaps including both national monies and commodities, with conversion handled transparently, so that each individual sees a world where everyone is using his money. Any of these forms of ecash might be produced by private firms, probably banks, or by governments.

Will It Happen?

During World War II, George Orwell wrote regular articles for Partisan Review, an American magazine. Near the end of the war, he wrote a retrospective in which he discussed what he had gotten right and what wrong.[76] His conclusion was that he was generally right about the way the world was moving, wrong about how fast it would get there. He correctly saw the logical pattern but failed to allow for the enormous inertia of human society.

Similarly here. David Chaum's articles, laying out the groundwork for fully anonymous electronic money, were published in technical journals in the 1980's and summarized in a 1992 article in Scientific American. Ever since then various people, myself among them, have been predicting the rise of ecash along the lines he sketched. While pieces of his vision have become real in other contexts, there is as yet nothing close to a fully anonymous ecash available for general use. Chaum himself, in partnership with the Mark Twain Bank of Saint Louis, attempted to get a semi-anonymous ecash into circulation–one which permitted one party to a transaction to be identified by joint action by the other party and the bank. The effort failed and was abandoned.[77]

One reason it has not happened is that online commerce has only very recently become large enough to justify it. A second reason, I suspect but cannot prove, is that national governments are unhappy with the idea of a widely used money that they cannot control, and so reluctant to permit (heavily regulated) private banks to create such a money. A third and closely related reason is that a truly anonymous ecash would eliminate a profitable form of law enforcement. There is no practical way to enforce money laundering laws once it is possible to move arbitrarily large amounts of money anywhere in the world, untraceably, with the click of a mouse. A final reason is that ecash is only useful to me if many other people are using it, which raises a problem in getting it started.

These factors have slowed the introduction of ecash. I do not think they will stop it. It only takes one country willing to permit it and one issuing institution in that country willing to issue it, to bring ecash into existence. Once it exists, it will be politically difficult for other countries to forbid their citizens from using it and practically difficult, if it is forbidden, to enforce the ban. There are a lot of countries in the world, even if we limit ourselves to ones with sufficiently stable institutions so that people elsewhere will trust their money. Hence my best guess is that some version of one of the monies I have described in this chapter will come into existence sometime in the next decade or so.


Chapter VIII: Contracts in Cyberspace

 

You hire someone to fix your roof, and (imprudently) pay him in advance. Two weeks later, you call to ask when he is going to get the job done. After three months of alternating promises and silence, you sue him, probably in small claims court.

Suing someone is a nuisance, which is why you waited three months. In cyberspace it will be even more of a nuisance. The law that applies to a dispute depends, in a complicated way, on where the parties live and where the events they are litigating over happened.[78] A contract made online has no geographical location and the other party might live anywhere in the world. Suing someone in another state is bad enough; suing someone in another country is best left to professionals–who do not come cheap. If, as I suggested in an earlier chapter, the use of online encryption leads to a world of strong privacy, where many people do business without revealing their realspace identity, legal enforcement of contracts becomes not merely difficult but impossible. There is no way to sue someone if you do not know who he is.

Even in our ordinary, realspace lives, however, there is another way of enforcing contracts, and one that is probably more important than litigation. The reason department stores make good on their "money back, no questions asked" promises, and the reason the people who mow my lawn keep doing it once a week even when I am out of town and so unable to pay them, is not the court system. Customers are unlikely to sue a department store, however unreasonable its grounds for refusing to take something back, and the people who mow my lawn are unlikely to sue me, even if I refuse to pay them for their last three weeks of work.

What enforces the contract in both cases is reputation. The department store wants to keep me as a customer, and won't if I conclude that they are not to be trusted. Not only will they lose me, they may well lose some of my friends, to whom I can be expected to complain. The people who mow my lawn do a good job at a reasonable price, such people are not easy to find, and I would be foolish to offend them by refusing to pay for their work.

When we shift our transactions from the neighborhood to the internet, legal enforcement becomes harder. Reputational enforcement, however, becomes easier. The net provides a superb set of tools for collecting and disseminating information–including information about who can or cannot be trusted.

On an informal level, this happens routinely through both Usenet and the Web. Some time back, I heard that my favorite palmtop–a full featured computer, complete with keyboard, word processor, spreadsheet, and much else, that fits in my pocket and runs more or less for ever on its rechargeable battery–was available at an absurdly low price from a discount reseller, apparently because the attempt to sell it in the U.S. market[79] had failed and the company that made that attempt was dumping its stock of rebranded Psion Revos (aka Diamond Makos). I went on the web, searched for the reseller, and in the process[80] discovered that it had been repeatedly accused of failing to live up to its service guarantees and was currently in trouble with authorities in several states. The same process works in a somewhat more organized fashion through specialist web pages–MacInTouch for Macintosh users, the Digital Camera Resource Page for consumers of digital cameras, and many more.

For a different version of reputational enforcement online, consider Ebay. Ebay does not sell goods; it sells the service of helping other people sell goods, via an online auction system. That raises an obvious problem. Sellers may be located anywhere and, at least for the goods I have bid on, are quite likely to be located outside the U.S. Most transactions, although not all, involve goods of modest value, so suing for failure to deliver, especially suing someone outside the U.S. for failure to deliver, is rarely a practical option. With millions of buyers and sellers, each individual buyer is not likely to buy many things from any particular seller, so the seller need be only mildly concerned about his reputation with that particular buyer. Why don't all sellers simply take the money and run?

One reason is that Ebay provides extensive support for reputational enforcement. Any time you win an Ebay auction you have the option, after taking delivery, of reporting your evaluation of the transaction–whether the goods were as described and delivered in good condition, and anything else you care to add. Any time you bid on an Ebay auction, you have access to all past comments on the seller, both in summary form and, if you are sufficiently interested, in full. Successful Ebay sellers generally have a record of many comments, very few of them negative.

There are, of course, ways that a sufficiently enterprising villain could try to game the system. One would be by setting up a series of bogus auctions, selling something under one name, buying it under another, and giving himself a good review. Eventually he builds up a string of glowing reviews and uses them to sell a dozen non-existent goods for high prices, payable in advance.

It's possible, but it isn't cheap. Ebay, after all, will be collecting its cut of each of those bogus auctions. The nominal buyers will require many different identities in order to keep the trick from being obvious, which involves additional costs. Meanwhile all the legitimate sellers have to do in order to build up their reputation is honest business as usual. And Ebay itself, in order to maintain its reputation as a good place to buy and sell, attempts in various ways to prevent buyers and sellers from abusing the reputational mechanisms it has created.[81] I am confident, on the basis of no inside information at all, that at least one villain has done it successfully–but there don't seem to be enough to seriously discourage people from using Ebay.

Alternatively, a dishonest seller could try to eliminate competitors by buying goods from them under a false name and then posting (false) negative information about the transaction. That might be worth doing in a market with only a few sellers–and for all I know it has happened. But in the typical Ebay market, with many sellers as well as many buyers, defaming one competitor merely transfers the business to another.

The Logic of Reputational Enforcement

While a relatively informal sort of reputational enforcement, along the lines of what Ebay currently provides, is adequate for many purposes, it would be useful to have systems that are harder to cheat on. Before looking at how they might work, it is worth thinking a little more about the logic of reputational enforcement.

Criminal law and tort law exist, in large part, as ways of punishing bad behavior. In the case of reputational enforcement, in contrast, punishment is not the objective, merely an indirect consequence. Consider an (imaginary) example:

The news that Charley bought an expensive suit jacket at the local department store, his wife made him take it back, and they refused to return his money, gives me no reason to want to punish the store. Ever since Charley told me what he really thought of my latest book, I have regarded his misfortunes as no more than he deserves. As the story spreads, more and more people stop shopping at that particular store. The reason is not that we wish to punish them--Charley's unfortunate habit of telling people what he really thinks has left him few friends. The reason is to protect ourselves. We too might some day buy something our wives disapproved of. Reputational enforcement works by spreading true information about bad behavior. People who receive that information modify their actions accordingly, which imposes costs on those who have behaved badly.

As this example suggests, one thing determining how well reputational enforcement works is the ability of interested third parties to get information about who cheated whom.  To see this, suppose we change the story a little by making Charley not merely tactless but routinely dishonest. Now when he complains that the store refused to take the jacket back even though it was in good condition, we conclude that his idea of good condition probably included multiple ink stains and a missing sleeve, due to his wife's reaction to how he had been wasting their money–we know her too–and we continue patronizing the store.

One reason information costs are important is that if interested third parties do not know who is at fault, they do not know who to avoid future dealings with. A more subtle reason is that if third parties cannot easily find out who is at fault in a dispute, the dispute may never become public. If I accuse you of swindling me, you will of course deny it. Reasonable third parties, unable to check either side's claims, conclude that at least one of us is a crook. They have no way of finding out which, and it is therefore prudent to avoid both. Anticipating that result, I decide not to make my accusation public in the first place. So reputational enforcement requires a framework that makes it easy for interested third parties to determine who is at fault.

Such a framework exists and is extensively used to settle intra-industry disputes in many different industries. It is called arbitration.

You and I make an agreement and specify the private arbitrator who will settle disagreements over its terms. Such a disagreement occurs; you demand arbitration. The arbitrator gives a verdict. If I refuse to go along, the arbitrator can make that fact public. An interested third party, typically another firm in the same industry, does not have to know the facts of the dispute to know who is at fault. All it has to know is that both of us agreed to the arbitrator and that the arbitrator we agreed to says that I reneged on that agreement.[82]

This works well within an industry because the people involved know each other and are familiar with the industry's institutions for settling disputes. It works less well for disputes between a firm and one of its many customers–because other customers, unless they too are part of the industry, are unlikely to know enough about the institutions to be confident who was cheating whom. What about in cyberspace?

Very Close to Zero: Third Party Costs in Cyberspace

You and I agree to a contract online. The contract contains the name of the arbitrator who will resolve disputes and his public key–the information necessary to check his digital signature. We both digitally sign the contract and each keeps a copy.

A dispute arises; you accuse me of failing to live up to my agreement and demand arbitration. The arbitrator rules for you and instructs me to pay you five thousand dollars in damages. I refuse. The arbitrator writes his account of how the case came out–he awarded damages, I refused to pay them. He digitally signs it and sends you a copy.

You now have a package–the original contract and the arbitrator's verdict. My digital signature on the original contract proves that I agreed to that arbitrator; his digital signature on the verdict proves that I reneged on that agreement. That is all the information that an interested third party needs in order to conclude that I am not to be trusted.

You put the package on a web page, with my name all over it for the benefit of any search engines looking for information about me, and email the URL to anyone you think might want to do business with me in the future. Anyone who accesses the page can check the facts–more precisely, his computer can check the facts for him, by checking the digital signatures–in something under a second. Having done that, he knows that I am the one who reneged on the agreement. The most likely explanation is that I am dishonest. An alternative possibility is that I was fool enough to agree to a crooked arbitrator–but he probably doesn't want to do business with fools either. Thus the technology of digital signatures makes it possible to reduce information costs to third parties to something very close to zero, making possible effective reputational enforcement online.[83]
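The check a third party's computer would run on such a package, as an added example that is not part of the original text. Lamport one-time signatures built on SHA-256 stand in for whatever signature scheme would be used in practice, so that it runs on the Python standard library alone; the JSON package layout, the field names, the binding of the verdict to the contract's hash, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json
import secrets

N = 256  # bits in a SHA-256 digest; one pair of secrets per bit

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canonical(obj) -> bytes:
    """Deterministic JSON bytes, so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def keygen():
    """Lamport one-time key pair. Each key must sign only ONE message."""
    sk = [secrets.token_bytes(32) for _ in range(2 * N)]
    return sk, b"".join(H(s) for s in sk).hex()

def sign(sk, msg: bytes) -> str:
    # Reveal, for each digest bit, the secret matching that bit's value.
    return b"".join(sk[2 * i + b] for i, b in enumerate(msg_bits(msg))).hex()

def verify(pk_hex: str, msg: bytes, sig_hex: str) -> bool:
    try:
        pk, sig = bytes.fromhex(pk_hex), bytes.fromhex(sig_hex)
    except (TypeError, ValueError):
        return False
    if len(pk) != 2 * N * 32 or len(sig) != N * 32:
        return False
    return all(
        H(sig[32 * i:32 * i + 32]) == pk[32 * (2 * i + b):32 * (2 * i + b) + 32]
        for i, b in enumerate(msg_bits(msg))
    )

def check_package(package: dict, accused_pk: str) -> str:
    """What a third party's software checks before dealing with `accused_pk`."""
    try:
        contract, verdict = package["contract"], package["verdict"]
        role = verdict["against"]
        if contract["parties"][role] != accused_pk:
            return "verdict is not against this key"
        cbytes = canonical(contract)
        # 1. The accused signed the contract, so agreed to the arbitrator in it.
        if not verify(accused_pk, cbytes, package["signatures"][role]):
            return "accused never signed this contract"
        # 2. The verdict is about this contract, not some other one.
        if verdict["contract_sha256"] != H(cbytes).hex():
            return "verdict refers to a different contract"
        # 3. The verdict is signed by the arbitrator named in the contract.
        arb_pk = contract["arbitrator"]["public_key"]
        if not verify(arb_pk, canonical(verdict), package["verdict_signature"]):
            return "verdict not signed by the agreed arbitrator"
    except (KeyError, TypeError):
        return "malformed package"
    return "reneged"

def build_demo():
    """Constructed sample data: buyer, seller, arbitrator, and a refused award."""
    buyer_sk, buyer_pk = keygen()
    seller_sk, seller_pk = keygen()
    arb_sk, arb_pk = keygen()
    contract = {
        "terms": "seller delivers goods; disputes go to the named arbitrator",
        "parties": {"buyer": buyer_pk, "seller": seller_pk},
        "arbitrator": {"name": "Example Arbitration (hypothetical)",
                       "public_key": arb_pk},
    }
    cbytes = canonical(contract)
    verdict = {
        "contract_sha256": H(cbytes).hex(),
        "against": "seller",
        "finding": "damages of $5000 awarded; seller refused to pay",
    }
    package = {
        "contract": contract,
        "signatures": {"buyer": sign(buyer_sk, cbytes),
                       "seller": sign(seller_sk, cbytes)},
        "verdict": verdict,
        "verdict_signature": sign(arb_sk, canonical(verdict)),
    }
    return package, seller_pk

if __name__ == "__main__":
    pkg, accused = build_demo()
    print(check_package(pkg, accused))
```

The verifier needs only the package and the public key of the persona it is about to deal with; it never has to learn the facts of the dispute.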

Private enforcement of contracts along these lines solves the problems raised by the fact that cyberspace spans many geographical jurisdictions. The relevant law is defined not by the jurisdiction but by the private arbitrator chosen by the parties. Over time, we would expect one or more bodies of legal rules with regard to contracts to develop, as common law historically did develop, with many different arbitrators or arbitration firms adopting the same or similar legal rules.[84] Contracting parties could then choose arbitrators on the basis of reputation.

For small scale transactions, you simply provide your browser with a list of acceptable arbitration firms; when you contract with another party, the software picks an arbitrator from the intersection of the two lists. If there exists no arbitrator acceptable to both parties, the software notifies both of you of the problem and you take it from there. For larger transactions, the choice of arbitrator is one of the things that the human beings negotiating the contract can bargain over.

Private enforcement also solves the problem of enforcing contracts when at least one of the parties is, and wishes to remain, anonymous. Digital signatures make it possible to combine anonymity with reputation. A computer programmer living in Russia or Iraq, where anonymity is the only way of protecting his income from private or public bandits, has an online identity defined by his public key; any message signed by that public key is from him. That identity has a reputation, developed through past online transactions; the more times the programmer has demonstrated himself to be honest and competent, the more willing people will be to employ him. The reputation is valuable, so the programmer has an incentive to maintain it–by keeping his contracts.[85]

The Reputation Market

"(On Earth they) even have laws for private matters such as contracts. Really. If a man's word isn't any good, who would contract with him? Doesn't he have reputation?"

(Manny in The Moon is a Harsh Mistress by Robert Heinlein)

 

There is one way in which the online world I have been describing makes contract enforcement harder than in the real world. In the real world, my identity is tied to a particular physical body, identifiable by face, fingerprints, and the like. I do not have the option, after destroying my realspace reputation for honesty, of spinning off a new me, complete with new face, new fingerprints, and an unblemished reputation.

Online I do have that option. As long as other people are willing to deal with cyberspace personae not linked to realspace identities, I always have the option of rolling up a new public key/private key pair and going online with a new identity and a clean reputation.

It follows that reputational enforcement will only work for people who have reputations–sufficient reputational capital so that the cost of abandoning the current online persona and its reputation outweighs the gain from a single act of cheating. Someone who wants to deal anonymously in a trust intensive industry may have to start small, building up his reputation to the point where its value is sufficient to make it rational to trust him with larger transactions. The same thing happens today in industries where enforcement is primarily through reputational mechanisms.[86]

The problem of spinning off new identities is not limited to cyberspace. The realspace equivalent of rolling up a new pair of keys is filing a new set of incorporation papers. Marble facing for bank buildings and expensive advertising campaigns can be seen as ways in which a new firm posts a reputational bond in order to persuade those who deal with it that they can trust it to act in a way that will preserve its reputation.[87] Cyberspace personae do not have the option of marble, at least if they want to remain anonymous, but they do have the option of investing in a long series of transactions or in other costly activities, such as advertising or well publicized charity, in order to establish a reputation that will bond their future performance.

What about entities–firms or individuals–that are not engaged in long term dealings and so neither have a valuable reputation nor are willing to pay to acquire one? How are they to guarantee their contractual performance in this world?

One solution is to piggyback on the reputation of another entity that is engaged in such dealings. Suppose I am an anonymous online persona forming a contract that it might later be in my interest to break. How, absent a reputation, do I persuade the other party that I will keep my word? What is to keep me from making the contract, agreeing to an arbitrator, breaking the contract, ignoring the arbitrator's verdict, and walking off with my gains, unconcerned by the damage to my nonexistent reputation?

I solve the problem by offering to post a performance bond with the arbitrator—in anonymous digital currency. The arbitrator is free to allocate all or part of the bond to the other party as damages for breach. This approach–taking advantage of a third party with reputation–is not purely hypothetical. Purchasers on Ebay at present can supplement direct reputational enforcement with the services of an escrow agent–a trusted third party that holds the buyer's payment until the goods have been inspected and then releases it to the seller.

This approach still depends on reputational enforcement, but this time the reputation belongs to the arbitrator. With all parties anonymous, he could simply steal bonds posted with him–but if he does, he is unlikely to stay in business very long. If I am worried about such possibilities, I can require the arbitrator to sign a contract specifying a second and independent arbitrator to deal with any conflicts between me and the first arbitrator. My signature to that agreement is worth very little, since it is backed by no reputation—but the signature of the first arbitrator to a contract binding him to accept the judgment of the second arbitrator is backed by the first arbitrator’s reputation.[88]

Conclusion

If the arguments I have offered are correct, we can expect the rise of online commerce to produce a substantial shift towards private law privately enforced via reputational mechanisms. While the shift should be strongest in cyberspace, it ought to be echoed in realspace as well. Digital signatures lower information costs to interested third parties whether the transactions being contracted over are occurring online or not. And the existence of a body of trusted online arbitrators will make contracting in advance for private arbitration more familiar and reliance on private arbitration easier for realspace as well as cyberspace transactions.

 

Relative Prices Rule the World

When I was little, one of my favorite adults was a friend of my parents named Dorothy Brady. One reason was her habit of bringing small gifts for myself and my sister when she came to visit. A more important reason was that she was always doing interesting things.

One of her projects involved apple peeling machines--the gadgets that you stick an apple on, turn a handle, and--if all goes well--end up with a peeled, cored and sometimes even sliced apple. The conclusion of her research--done by exploring New England museums--was that over a period of about two hundred years the design stayed the same but the materials changed. The earlier you went back, the more of the machine was made of wood and the less of metal.

In real life Dorothy was an economic historian; in addition to giving her an excuse to poke around museums, her research provided an example of a very common pattern in economic history. How people do things depends on the relative costs of the alternatives. When metal is expensive, wood and the labor to shape it cheap, you make things mostly out of wood, use metal only where it is essential. As steel gets less and less expensive relative to wood and labor, people shift to using more and more of it.

This chapter is about a newer example of the same logic. The technology of the internet reduces the cost of doing business with people far away--so we do more of it. It used to be that, as a practical matter, I only bought things from England when I was in England. Today buying a book from England is only marginally more trouble than buying it from the local Barnes and Noble.  Routinely doing business with people far away raises the cost of settling disputes by use of the government court system, since the jurisdiction of courts is in large part based on geography.

Modern communications technology makes sharing information much easier than it used to be and encryption technology, in the form of digital signatures, does the same for verifying the shared information. You no longer have to check your informant's reputation and biases or look over the evidence to make sure nobody has tinkered with it. One calculation tells you a verdict came from the arbitrator it says it came from; one more tells you that that arbitrator was the one I agreed to accept. I agreed to accept his verdict, he says I reneged on that agreement, case closed.

Government courts and private reputation are alternative ways of achieving the same objective--making people keep their word. The cost of using government courts has gone up. The cost of information to interested third parties--the key ingredient in private enforcement through reputation--has gone down. The predictable result is a shift away from the one means and towards the other.

Find an apple peeler in a kitchen gadget catalog. The handle might be wood--or plastic. The rest will be steel.[89]

 

 


 

Chapter IX: Watermarks and Barbed Wire

Authors expect to be paid for their work. So do programmers, musicians, film directors, and lots of other people. If they cannot be paid for their work, we are likely to have fewer books, movies, songs, programs.

This creates a problem if what is produced can be inexpensively reproduced. Once it is out there, anyone who has a copy can make a copy, driving the price of copies down to the cost of reproducing them. Copyright law is an attempt to solve that problem by giving the creator of a work the legal right to control the making of copies. How well it works depends on how easily that right can be enforced.

Copyright in Digital Media

"The rumors of my death have been greatly exaggerated."

Mark Twain–perhaps also copyright

To enforce his legal rights, the owner of a copyright has to be able to discover illegal copying and take legal action against those responsible. How easy that is depends in large part on the technology of copying.

Consider the old fashioned printing press, c. 1910. It was large and expensive; printing a book required first setting hundreds of pages of type by hand.  That made it much less expensive to print ten thousand copies of a book on one press than a hundred copies each on a hundred different presses. Since nobody wanted ten thousand copies of a book for himself, a producer had to find customers–lots of customers. Advertising the book, or offering it for sale in bookstores, brought it to the attention of the copyright owner. If he had not authorized the copying, he could locate the pirate and sue.

Enforcement becomes much harder if copying is practical on a scale of one or a few copies–the current situation for digital works such as computer programs, digitized music, or films on DVD. Individuals making a copy for themselves or a few copies for friends are much harder to locate than mass market copiers. Even if you can locate them, it is harder to sue ten thousand defendants than one. Hence, as a practical matter, firms mostly limit the enforcement of their copyright to legal action against large scale infringers.

The situation is not entirely hopeless from the standpoint of the copyright holder. If the product is a piece of software widely used in business–Microsoft Word, for example–there will be organizations that use, not one copy, but thousands. If they choose to buy one and produce the rest themselves, someone may notice–and sue.

Even if copying can be done on a small scale, there remains the problem of distribution. If I get programs or songs by illegally copying them from my friends I am limited to what my friends have, which may not include what I want. I may prefer to buy from distributors providing a wide range of alternatives–and they, being potential targets for infringement suits, have an incentive to buy what they sell legally rather than produce it themselves illegally. So even in a world where many expensive works in digital form–Word, for example–can easily be copied, the producers of such works can still use copyright law to get paid for some of what they produce.

Or perhaps not. As has now been demonstrated with MP3's,[90] distribution over the Internet makes it possible to combine individual copying with mass market distribution, using specially designed search tools to find the individual who happens to have the particular song you want and is willing to let you copy it. A centralized distribution system is vulnerable to legal attack, as Napster discovered. But shutting down a decentralized system such as Gnutella or Freenet, which allows individuals on the net to make their music collections available for download in exchange for the ability to download songs from other people's collections, is a more difficult problem. If each user is copying one of your songs once, but there are a hundred thousand of them, can you sue them all?

Perhaps you can–if you take proper advantage of the technology. A decentralized system must provide some way of finding someone who has the song you want and is willing to share it. Copyright owners might use the same software to locate individuals who make their works available for copying–and sue all of them, perhaps in a suit that joins many defendants. Since copyright law sets a $500 statutory minimum for damages, suing ten thousand individuals each of whom has made one copy of your copyrighted work could, in principle, bring in more money than suing one individual who had made ten thousand copies.

So far as I know, it has not yet been tried. Currently [check this], it is hard to force multiple defendants into a single suit–but one could imagine modifications in the relevant legal rules, perhaps applicable only to copyright suits, that would change that situation. And under current law it is unclear whether noncommercial file exchanges are illegal--although that situation might be changed by Congress or the courts.[91]

While this approach might work for a while, its long run problems should be clear from the earlier discussion of strong privacy. A well designed decentralized system would locate someone willing to let you copy a song but would not identify him. You do not need name, face or social security number in order to copy the file encoding the song you want, merely some way of getting messages to and from him.[92]

There remains, for some forms of intellectual property, the possibility of collecting royalties from business customers–corporations that use Word, movie theaters performing movies. In the longer run, even that option may shrink or vanish. A world where strong privacy is sufficiently universal would permit virtual firms–groups of individuals linked via the net but geographically dispersed and mutually anonymous. Even if all of them use pirated copies of Word–or whatever the equivalent is at that point–no whistle blower can report them because nobody, inside or outside the firm, knows who they are.[93]

Digital Watermarks

Consider the problem in a different context–images on the world wide web. Each image originated somewhere and may well belong to someone. But once webbed, anyone can copy it. Not only is it hard for the copyright owner to prevent illegal copying, it may be hard for even the copier to prevent illegal copying, since he may not know who the image belongs to or whether it has been put in the public domain.

An increasingly popular way of dealing with these problems is digital watermarking. Using special software, the creator of the image embeds in it concealed information identifying him and claiming copyright. In a well designed system, the information has no noticeable effect on how the image looks to the human eye and is robust against transformation–meaning that it is still there after a user has converted the image from one format to another, cropped it, edited it, perhaps even printed it out and scanned it back in.

Digital watermarking can be used in a number of different ways. The simplest is by embedding information in an image and making the software necessary to read the information widely available.  That lowers the cost to users of avoiding infringement, by making it easy for them to discover that an image is under copyright and who the copyright owner is. It raises the cost of committing infringement, at least on the web, since search engines can search the web for copyrighted images and report back to the copyright owner—who checks to see if the use was licensed and if not takes legal action. The existence of the watermark will help him prove both that the image is his and that the user knew or should have known it was his, hence is liable for not only infringement but deliberate infringement.

A deliberate infringer might try to remove the watermark while preserving the image. A well designed system can make this more difficult. But as long as the watermark is observable, the infringer can try different ways of removing it until he finds one that works. And making software for reading the watermark publicly available makes it harder to keep secret the details of how it works, hence easier to design software to defeat it. So this form of watermark provides protection against inadvertent infringement, raises the cost of deliberate infringement–the infringer must go to some trouble to remove the watermark–but cannot prevent or reliably detect deliberate infringement.

The obvious solution is an invisible watermark–designed to be read only by special software not publicly available. That is of no use for preventing inadvertent infringement but substantially raises the risks of deliberate infringement, since the infringer can never be sure he has successfully removed the watermark. By imprinting an image with both a visible and an invisible watermark, the copyright holder could get the best of both worlds–provide information for those who do not want to infringe and a risk of detection for those who do.

There is another way in which watermarking could be used to enforce copyright, in a somewhat different context. Suppose we are considering, not digital images, but computer programs. Further suppose that enforcing copyright law against the sellers of pirated software is not an option–they are located outside of the jurisdiction of our court system, doing business anonymously, or both.

Even if the sellers of pirated copies of our software are anonymous, the people who originally bought the software from us are not. When we sell the program, each copy has embedded in it a unique watermark–a concealed serial number, sometimes referred to as a digital fingerprint. We keep a record of who got each copy and make it clear to our customers that permitting their copy of the program to be copied is a violation of copyright law for which we will hold them liable. If copies of our software appear on pirate archives we buy one, check the fingerprint, and sue the customer from whose copy it was made.[94]
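The fingerprinting scheme just described can be sketched as follows. This is an added example, not code from the book: the constructed byte array stands in for content that tolerates changes to its least significant bits, and the `Vendor` class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERIAL_BITS = 32
TAG_BITS = 32
MARK_BITS = SERIAL_BITS + TAG_BITS

# Constructed stand-in for the vendor's master copy (e.g. raw media samples).
CONSTRUCTED_MASTER = bytes((i * 37 + 11) % 256 for i in range(2048))


def serial_tag(key: bytes, serial: int) -> int:
    """32-bit keyed check value, so a damaged or unmarked file is not misread."""
    mac = hmac.new(key, b"tag" + serial.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def mark_positions(key: bytes, carrier_len: int) -> list:
    """Byte offsets that carry the mark; they depend on the vendor's secret key."""
    if carrier_len < MARK_BITS:
        raise ValueError("carrier too small to hold the fingerprint")

    def rank(i: int) -> bytes:
        return hmac.new(key, b"pos" + i.to_bytes(4, "big"), hashlib.sha256).digest()

    return sorted(range(carrier_len), key=rank)[:MARK_BITS]


def embed(master: bytes, key: bytes, serial: int) -> bytes:
    """Write serial plus check value into the low bit of the keyed positions."""
    mark = (serial << TAG_BITS) | serial_tag(key, serial)
    out = bytearray(master)
    for n, pos in enumerate(mark_positions(key, len(master))):
        bit = (mark >> (MARK_BITS - 1 - n)) & 1
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract(found: bytes, key: bytes):
    """Return the embedded serial, or None if no valid fingerprint is present."""
    mark = 0
    for pos in mark_positions(key, len(found)):
        mark = (mark << 1) | (found[pos] & 1)
    serial, tag = mark >> TAG_BITS, mark & (2 ** TAG_BITS - 1)
    expected = serial_tag(key, serial)
    same = hmac.compare_digest(tag.to_bytes(4, "big"), expected.to_bytes(4, "big"))
    return serial if same else None


class Vendor:
    """Sells individually marked copies and keeps the record of who got which."""

    def __init__(self, master: bytes):
        self.master = master
        self.key = secrets.token_bytes(32)  # never shipped with the product
        self.ledger = {}                    # serial -> customer

    def sell(self, customer: str) -> bytes:
        serial = secrets.randbits(SERIAL_BITS)
        while serial in self.ledger:
            serial = secrets.randbits(SERIAL_BITS)
        self.ledger[serial] = customer
        return embed(self.master, self.key, serial)

    def trace(self, found: bytes):
        """Name the purchaser whose copy this was made from, if the mark survives."""
        serial = extract(found, self.key)
        return None if serial is None else self.ledger.get(serial)
```

This toy mark does not survive format conversion or editing, so it shows only the bookkeeping and the keyed read-out, not the robustness a real watermark needs.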

Digital watermarking is one example of a new technology that can be used to get back at least some of what other new technologies took away. The ease of copying digital media made enforcement of copyright harder–at first glance, impossibly hard–by enabling piracy at the individual level. But the ability of digital technologies to embed invisible, and potentially undetectable, information in digital images, combined with the ability of a search engine to check a billion web pages looking for the one that contains an unlicensed copy of a watermarked image, provides the possibility of enforcing copyright law against individual pirates. And the same technology, by embedding the purchaser's fingerprint in the purchased software, provides a potential way of enforcing copyright law even in a world of strong privacy–not against anonymous pirates or their anonymous customers but against the known purchaser from whom they got the original to copy.

While these are possible solutions, there is no guarantee that they will always work. Invisible watermarking is vulnerable to anyone sufficiently ingenious–or with sufficient inside information–to crack the code, to figure out how to read the watermark and remove it. The file representing the image or program is in the pirate's hands. He can do what he wants with it–provided he can figure out what needs to be done.

An individual who wants to pirate images or software is unlikely to have the expertise to figure out how to remove even visible watermarks, let alone invisible ones. To do so he needs the assistance of someone else who does have that expertise–most readily provided in the form of software designed to remove visible watermarks and identify and remove invisible ones. That raises the possibility of backstopping the technological solution of digital watermarks with legal prohibitions on the production and distribution of software intended to defeat it. That is precisely the approach used by the recent–and highly controversial–Digital Millennium Copyright Act.[95] It bans software whose purpose is to defeat copyright management schemes such as digital watermarking. How enforceable that ban will be, in a world of networks and widely available encryption, remains to be seen.

Each of the approaches to enforcing copyright that I have been discussing has serious limitations. The use of digital fingerprints to identify the source of pirated copies only works if the original sale is sufficiently individualized so that the seller knows the identity of the buyer–and while it would be possible to sell all software that way, it would be a nuisance. Perhaps more important, the approach works very poorly for software that is expensive and widely used. One legitimate copy of Word could be the basis for ten million illegitimate copies, giving rise to a claim for a billion dollars or so in damages–and if Microsoft limits its sales to customers both capable of satisfying such a claim and willing to put that much money at risk, it will not sell very many copies of Word. The use of digital watermarks to identify pirated copies only works if the copies are publicly displayed–for digital images on the web but not for a pirated copy of Word on my hard drive. These limitations suggest that producers of intellectual property have good reason to look for other ways of protecting it.

One way of solving these problems would be to make my hard drive public–to convert cyberspace, at least the parts of it residing on hardware under the jurisdiction of U.S. courts, into a transparent society. My computer is both a location in cyberspace and a physical object in realspace; in the latter form it can be regulated by a realspace government, however good my encryption is. One can imagine, in a world run by copyright owners, a legal regime that required all computers to be networked and all networked computers to be open to authorized search engines, designed to go through their hard drives looking for pirated software, songs, movies, or digital images.

I do not think such a legal regime will be a politically viable option in the U.S. anytime in the near future, although the situation might be different elsewhere. There are, however, private versions that might be more viable, technologies permitting the creator of intellectual property to make it impossible to use it save on computers that meet certain conditions–one of which could be transparency to authorized agents of the copyright holder.

For a much simpler version of the same approach, consider possible copyright enforcement strategies if each computer’s central processing unit has a built-in serial number, unique to that particular computer. A software company customizes each copy of its product to run on a single computer, identified by the serial number of its CPU. The user can freely make backups. The user can give copies to his friends. But the copies will only run on his computer. Unless, of course, someone figures out a way to either modify the part of the program that checks the serial number or modify other software, perhaps part of the computer's operating system, to lie to the program about what its serial number is.

Most readers would regard the idea of enforcing the terms of a software license by allowing a human being to randomly search their hard drive as outrageous, but might react very differently to the idea of allowing a program on their computer to check their CPU to see what its serial number is. Some may be worried about the problems that will arise if they get a new computer and want to transfer their old software to it. But nobody is likely to see such a system as an intolerable violation of privacy.

The two approaches appear very different--but consider something halfway between. Your hard drive must be open to searches--but the searches may be done only by computer programs. The only information the programs are capable of reporting to a human being is the fact that they found copyrighted software on your drive that you are not entitled to--at which point the copyright holder can go to court to ask for legal authority to look at your hard drive.

The issue raised by these examples--to what degree does being spied on by a machine violate your privacy--is one we will return to in a later chapter, where we consider the implications of using computers instead of human beings to listen to phone taps.

Digital Barbed Wire

If using technology to enforce copyright law in a world of easy copying is not always workable, perhaps we should instead use technology to replace copyright law. If using the law to keep trespassers and stray cattle off my land doesn't work, perhaps I should build a fence.

You have produced a collection of songs and wish to sell them online. To do so, you digitize the songs and insert them in a cryptographically protected container–what Intertrust, one of the pioneering firms in the industry, called a digibox.[96] The container is a piece of software that protects the contents from unauthorized access while at the same time providing, and charging for, authorized access. Once the songs are safely inside the box you give away the package by making it available for download on your web site.

I download the package to my computer; when I run it I get a menu of choices. If I want to listen to a song once, I can do so for free. Thereafter, each play costs five cents. If I really like the song, fifty cents unlocks it forever, letting me listen to it as many times as I want. Payment is online by ecash, credit card, or an arrangement with a cooperating bank.

The digibox is a file on my hard disk, so I can copy it for a friend. That's fine with you. If he wants to listen to one of your songs more than once, he too will have to pay for it.

It may have occurred to you that there is a flaw in the business plan I have just described. The container provides one free play of each song. In order to listen for free, all the customer has to do is make lots of copies of the container and use each once. Alternatively, if I want to make copies for friends, I can pay fifty cents once to unlock the file and make copies—unlocked copies—for them. It might be prudent for the digibox to have some way of making sure that the computer it is running on is the same as the computer it was unlocked on.
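A sketch of the serial-number binding described earlier, and of the check suggested here that the playing machine is the one the container was unlocked on. It is an added example, not code from the book or from Intertrust. The function names, the `CPU-0001` style identifiers and the HMAC counter-mode cipher are assumptions, and the check is only as trustworthy as the platform's report of its own serial number.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ROUNDS = 50_000  # assumption: any deliberately slow key derivation would do


def derive_keys(cpu_serial: str, salt: bytes) -> tuple:
    """Derive an encryption key and a MAC key from the machine's serial number."""
    okm = hashlib.pbkdf2_hmac("sha256", cpu_serial.encode(), salt, KDF_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a standard-library stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def customize(payload: bytes, cpu_serial: str) -> dict:
    """Vendor side: produce a copy whose protected part opens only for cpu_serial."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(cpu_serial, salt)
    stream = keystream(enc_key, nonce, len(payload))
    body = bytes(p ^ k for p, k in zip(payload, stream))
    # Encrypt-then-MAC: the tag lets the copy detect a wrong machine before use.
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "body": body, "tag": tag}


def run_copy(copy: dict, reported_serial: str) -> Optional[bytes]:
    """Customer side: return the protected part, or None on any other machine.

    reported_serial is whatever the platform says its serial number is; the
    code has no independent way to confirm it.
    """
    enc_key, mac_key = derive_keys(reported_serial, copy["salt"])
    expected = hmac.new(mac_key, copy["nonce"] + copy["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, copy["tag"]):
        return None
    stream = keystream(enc_key, copy["nonce"], len(copy["body"]))
    return bytes(c ^ k for c, k in zip(copy["body"], stream))
```

A backup of the returned dictionary still runs on the original machine, while the same bytes handed to a friend's machine fail the tag check.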

Making a new copy every time you play a song is a lot of trouble to go to in order to save five cents. Intertrust does not have to make it impossible to defeat its protection, whether in that simple way or in more complicated ways, in order for it and the owners of the intellectual property it protects to make money. It only has to make defeating the protection more trouble than it is worth.

As in the case of digital watermarking, how easy it is to defeat the protection depends very largely on who is doing it. The individual customer is unlikely to be expert in programming or encryption, hence unlikely to be able to defeat even simple forms of technological protection. The risk comes from the person who is an expert and makes his expertise available, cheaply or for free, in the form of software designed to crack the protection.

One approach to dealing with that problem is by making it illegal to create, distribute, or possess such software–the strategy put into law by the Digital Millennium Copyright Act. That law currently faces legal challenges by plaintiffs who argue that publishing information, including information about how to defeat other people's software, is free speech, hence protected. Even if the court declines to protect that particular sort of speech, the arguments of an earlier chapter suggest that in the online world free speech may itself be technologically protected–by the wide availability of encryption and computer networks–making the relevant parts of the DMCA in the long run unenforceable.[97]

If law cannot provide protection, either against piracy or against computerized safecracking tools designed to defeat technological protection, the obvious alternative is technological–safes that cannot be cracked. Is that possible?

For some forms of intellectual property--songs, for example--it is not. However strong the digibox, at some point in the process the customer gets to play the song–that, after all, is what he is paying for. But if a customer is playing a song on his own computer in his own home, he can also be playing it into his own tape recorder–at which point he has a copy of the song outside the box. If he prefers an MP3 to a cassette he can play the song back to the computer, digitize it, and compress it. If he wants to preserve audio quality, he can short circuit the process, feeding the electrical signals from his computer to his speakers back into the computer to be redigitized and recompressed. A similar approach could be used to hijack a book, video or any other work that is presented to the customer in full when he uses it. Technological protection may make the process of getting the work out of the digibox and into some usable form a considerable nuisance–but once one person has done it, in a world where copyright law is difficult or impossible to enforce, the work is available to all. Short of making everybody's hard disk searchable, the only way of protecting works of this kind is to limit their consumption to a controlled environment–showing the video in a movie theater with video cameras banned, for instance.[98]

For other sorts of works, secure protection may be a more serious option. Consider, for example, an (imaginary) database compiled by Consumer Reports, designed to advise a user what car to buy. A query describes price range, preferences, and a variety of other relevant information. The answer is a report tailored to that particular customer.

Having received the report, he can copy it and give it to his neighbor. But his neighbor is unlikely to want it, since he is unlikely to have all the same tastes, circumstances, and constraints. What the neighbor wants is his own customized report–which requires that he make his own payment.

With enough time, energy, and money, a pirate could ask a million questions and use the answers to reverse engineer the protected data–but why should he? The pirate can give away what he steals, he can use it himself, but he has only a very limited ability to sell it. As long as the protection raises the cost of reconstructing the database high enough, it should be reasonably safe.[99] For a real world example of almost precisely that strategy, consider Lexis and Westlaw, the legal databases on which lawyers and legal academics rely. There is, in practice, nothing to keep me from downloading a law case from Lexis and then passing it on to a colleague who has not paid for the privilege—but the odds that my colleague is looking for the same case I am are low.

For a different approach to the problem of protecting intellectual property, consider a program that does something very useful–high quality speech recognition, say. I divide it into two parts. One, which contains most of the code and does most of the work, I give away to anyone who wants it. The rest, including the key elements that make my program special, resides on my server. In order for the first part to work, it must continually exchange messages with the second part–access to which I charge for by the minute.

One elegant feature of this solution is that the disease is also the cure. Part of what makes copyright unenforceable is the ready availability of high speed computer networks, enabling the easy distribution of pirated software. But high speed computer networks are precisely what you need for the form of protection I have just described, since they allow me to make software on my server almost as accessible to you as software on your hard disk–and charge for it.

Adding it all Up

Putting together everything in this chapter, we have a picture of intellectual property protection in a near future world of widely available high speed networks, encryption, easy copying. Intellectual property used publicly, such as images on the web, can be legally protected provided it is not valuable enough to make it worth going to the trouble of removing hidden watermarks and provided also that it is being used somewhere that copyright law can reach. That second proviso means that if we move all the way to a world of strong privacy such protection vanishes, since copyright law is useless if you cannot identify the infringer. But even in that world, some intellectual property can be protected by fingerprinting each original and holding the purchaser liable for any copies made from it.

Where intellectual property cannot be protected by law, it may still be possible to protect it by technology. That approach is of limited usefulness for works that must be entirely revealed every time they are accessed, such as a song. It may work considerably better for more complicated works, such as a database or a computer program. For both sorts of works, protection will be easier if it is practical to use the law to suppress software designed to defeat it–but it probably won't be.

Does this mean that, in the near future, songs will stop being sung and novels stop being written? That is not likely. What it does mean is that those who produce that sort of intellectual property will have to find ways of getting paid that do not depend on control over copying. For songs, one obvious possibility is to give away the digitized version and charge for concerts. Another is to rely on the generosity of fans–in a world where it will be easy to email a ten cent appreciation to the creator of the song you have just enjoyed. A third is to give away the song along with a digitally signed thank you to the firm that paid you to write it–and hopes to profit from your fans' goodwill.

Similar options are available for authors. The usual royalty payment for a book is between five and ten percent of its face value. Many readers may be willing to voluntarily pay the author that much in a world where the physical distribution of books is essentially costless. Other books will get written in the same way that articles in academic journals are written now–to spread the author's ideas or to build up a reputation that can be used to get a job, or consulting contracts, or speaking opportunities.

And For Our Next Trick

Several chapters back I raised the possibility of treating transactional information as private property, with ownership allocated by agreement at the time of the transaction. Such information is a form of intellectual property and can be protected by the same technologies we have just discussed.

Suppose, for example, that you are happy to receive catalogs in the mail (or email) but do not want strangers to be able to compile enough information about you to enable identity theft, spot you as a target for extortion, or in other ways use your personal information against you. You achieve both objectives by making personal information generated by your transactions–purchases, employment, car rental, and the like–available only in a very special sort of database. The database allows users to create address lists of people who are likely customers for what they are selling but does not allow them to get individualized data about those people. It will be distributed inside a suitably designed and cryptographically protected container or on a protected server, designed to answer queries but not to reveal the underlying data. If the catalogs are going out by email, the database is combined with a forwarding service. One copy of the catalog goes to the service, along with suitable payment, and a thousand copies from there to a thousand email addresses—none of which need be revealed to the catalog company.

The information in the database was created by your transactions. In the highest tech version, you conduct all of them anonymously, so nobody but you has the information to start with, and you can control who gets it thereafter. In a lower tech version, both you and the seller start with the information–the fact that he sold you something–but he is contractually obliged to erase the record once the transaction is complete.[100] In either version, you arrange for the information to be available only within the sort of protected database I have just described–and, if access to such a database is sufficiently valuable, get paid for doing so.
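The query-only database and forwarding service described above can be sketched like this. It is an added example, not code from the book: the class, the thresholds, the pricing and the constructed records are all assumptions. It refuses lists small enough to single someone out, reports sizes only in coarse steps, and never hands an address to the sender.

```python
import secrets
from dataclasses import dataclass

MIN_LIST_SIZE = 5      # assumption: smaller lists are refused outright
SIZE_BUCKET = 5        # assumption: sizes are reported only in steps of 5
CENTS_PER_BUCKET = 25  # assumption: price follows the reported size, not the true one


@dataclass(frozen=True)
class Record:
    email: str
    purchases: frozenset


# Constructed transaction records; the addresses use a reserved example domain.
CONSTRUCTED_RECORDS = (
    Record("u1@example.org", frozenset({"camping", "books"})),
    Record("u2@example.org", frozenset({"camping"})),
    Record("u3@example.org", frozenset({"books", "garden"})),
    Record("u4@example.org", frozenset({"camping", "garden"})),
    Record("u5@example.org", frozenset({"books"})),
    Record("u6@example.org", frozenset({"camping"})),
    Record("u7@example.org", frozenset({"garden"})),
    Record("u8@example.org", frozenset({"camping", "hearing-aids"})),
)


class ProtectedDirectory:
    """Answers marketing queries and forwards mail; never returns a record or address."""

    def __init__(self, records):
        self._records = tuple(records)
        self._lists = {}   # opaque handle -> (recipient addresses, reported size)
        self.outbox = []   # stands in for the mail transport

    def build_list(self, interests):
        """Return (handle, reported_size) for buyers of any interest, or None."""
        wanted = frozenset(interests)
        recipients = tuple(r.email for r in self._records if r.purchases & wanted)
        if len(recipients) < MIN_LIST_SIZE:
            return None  # too narrow: the answer would describe individuals
        reported = len(recipients) // SIZE_BUCKET * SIZE_BUCKET
        handle = secrets.token_hex(8)
        self._lists[handle] = (recipients, reported)
        return handle, reported

    def price_cents(self, handle):
        """Price depends only on the reported size, so the bill leaks nothing more."""
        _, reported = self._lists[handle]
        return reported // SIZE_BUCKET * CENTS_PER_BUCKET

    def forward(self, handle, catalog, payment_cents):
        """One catalog in, one copy out per recipient; the sender learns only success."""
        if handle not in self._lists:
            raise KeyError("unknown list handle")
        if payment_cents < self.price_cents(handle):
            raise ValueError("insufficient payment")
        recipients, _ = self._lists[handle]
        for address in recipients:
            self.outbox.append((address, catalog))
        return True
```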


Chapter X: Reactionary Progress–Amateur Scholars and Open Source

A list of the half dozen most important figures in the early history of economics would have to include David Ricardo; it might well include Thomas Malthus and John Stuart Mill. A similar list for geology would include William Smith and James Hutton. For biology it would surely include Charles Darwin and Gregor Mendel, for physics Isaac Newton.

Who were they? Malthus and Darwin were clergymen, Mendel a monk, Smith a mining engineer, Hutton a gentleman farmer, Mill a clerk and writer, Ricardo a retired stock market prodigy. Of the names I have listed, only Newton was a university professor–and by the time he became a professor he had already come up with both calculus and the theory of gravitation.

There were important intellectual figures in the seventeenth, eighteenth and early nineteenth centuries who were professional academics–Adam Smith, for example. But a large number, probably a majority, were amateurs. In the twentieth century, on the other hand, most of the major figures in all branches of scholarship have been professional academics. Most started their careers with a conventional course of university education, typically leading to a PhD degree.

Why did things change? One possible answer is the enormous increase in knowledge. When fields were new, scholars did not need access to vast libraries.[101] There were not many people in the field, the rate of progress was not very rapid, so letters and occasional meetings provided adequate communication. As fields developed and specialization increased, the advantages of the professional–libraries, laboratories, colleagues down the hall–became increasingly important.

Email is as easy as walking down the hall. The web, while not a complete substitute for a library, makes enormous amounts of information readily available to a very large number of people. In my field and many others it is becoming common for the authors of scholarly articles to make their datasets available on the web so that other scholars can check that they really say what the article claims they say.

An alternative explanation for the shift from amateur to professional scholarship is that it was due to the downward spread of education. In the 18th century, someone sufficiently well educated to invent a new science was likely to be a member of the upper class, hence had a good chance of not needing to work for a living.  In the twentieth century, the correlation between education and wealth is a good deal weaker.

We are not likely to return to the class society of 18th century England. But by the standards of that society, most educated people today are rich–rich enough to make a tolerable living and still have time and effort left to devote to their hobbies. For a large and increasing fraction of the population, amateur scholarship, like amateur sports, amateur music, amateur dramatics, and much else, is an increasingly real option.

These arguments suggest that, having shifted from a world of amateur scholars to a world of professionals, we may now be shifting back. That conjecture is based in large part on my own experiences. Two examples:

Robin Hanson is currently a professor of economics. When I first came into (virtual) contact with him, he was a NASA scientist with an odd hobby. His hobby was inventing institutions. His ideas–in particular an ingenious proposal to design markets to generate information[102]–were sufficiently novel and well thought out to make corresponding with him more interesting than corresponding with most of my fellow economists. They were sufficiently interesting to other people to get published. Eventually he decided that his hobby was more fun than his profession and went back to school for a PhD in economics.

One of my hobbies for the past thirty years has been cooking from very early cookbooks; my earliest source is a letter written in the sixth century by a Byzantine physician named Anthimus to Theoderic, king of the Franks.[103] When I started, one had to pretty much reinvent the wheel. There were no published translations of early cookbooks in print and almost none out of print. Almost the only available sources in English, other than a small number of unreliable books about the history of cooking, were a few early English cookbooks–in particular a collection that had been published by the Early English Text Society in 1888. I managed to get one seventeenth century source by finding a rare book collection that had a copy of the original and paying to have it microfilmed.

The situation has changed enormously over the past thirty years. The changes include the publication of several reliable secondary sources, additional English sources, and a few translations–all of which could have happened without the internet. But the biggest change is that there are now at least six English translations of early cookbooks on the web, freely available to anyone interested, as well as several early English cookbooks. Most of the translations were done by amateurs for the fun of it. There are hundreds of worked out early recipes (the originals usually omit irrelevant details such as quantities, times and temperature) webbed. There is an email list that puts anyone interested in touch with lots of experienced enthusiasts. Some of the people on that list are professional cooks, some are professional scholars. So far as I know, none is a professional scholar of cooking history.

Similar things are happening in other areas. I am told that amateur astronomers have long played a significant role–because skilled labor is an important input to star watching. There seems to be an increasing amount of interaction between historians and groups that do amateur historical recreation–sometimes prickly, when hobbyists claim expertise they don't have, sometimes cordial. The professionals, on average, know much more than the amateurs–but there are a lot more amateurs and some of them know quite a lot. And the best of the amateurs have access not only to information but to each other–and to any professional more interested in the ability of the people he corresponds with than their credentials.

Open Source Software

Amateur scholarship is one example of the way in which rising incomes and improved communication technology make it easier to produce things for fun. Another is open source software.

The best known example is Linux, a computer operating system. The original version was created by a Finnish graduate student named Linus Torvalds.[104] Having done a first draft himself, he invited everyone else in the world to help improve it. A lot of them accepted–with the result that Linux is now a sophisticated operating system, widely used for a variety of different tasks. Another open source project, the Apache web server, is the software on which a majority of World Wide Web pages run.

When you buy a copy of Microsoft Word you get the object code, the version of the program that the computer runs. With an open source program, you get the source code–the human readable version that the original programmer wrote and that other programmers need if they want to modify the program. You can compile it into object code to run it, but you can also modify it and then compile and run your new version of the program.