Download PaperWhen and how should we sanction network (service) providers, software vendors, or application services provider to mitigate the harm of security and privacy risks? Here we apply an economic framework that compares two sanctioning regimes: ex ante and ex post. Specifically, we introduce, translate, and apply the model by Garoupa et al. for security and privacy risks online.
We identify under which conditions the different sanctions are economically efficient. We argue that for well known security risks, such as botnets, the economically efficient solution would be ex-ante sanctions. Simultaneously, privacy risks, which are contextual, poorly understood, new, and whose distribution across demographics would be difficult to estimate, should be managed through ex-post sanctions. To the extent that providers are judgment-proof, the sanctions can be non-monetary, e.g. reputation-based. Finally, resource allocation is suboptimal when privacy risks are treated disjointly from security risks. Thus, the relative merits of either security or privacy investmenta should take into account the opportunity cost of mitigating the other. Finally, we provide an analysis of existing policy measures with the case study of Do Not Track and botnet takedowns
We address two kinds of regulatory regimes for sanctions: 1) ex ante and 2) ex post. Ex Ante, or action-based sanctions, is a regime that prohibits specific actions. For example, for environmental risks it may be illegal to store industrial waste in a container above a certain volume, below a specific tensile strength etc. In automobile safety ex ante. Regulation manifests as speed limits, where it is considered too dangerous for individuals to drive above a certain limit. Thus, ex ante sanctions are action dependent. Online these sanctions are part of policy initiatives like Do Not Track. (Arguably, there is no direct financial sanction to those who do not comply. However, indirect sanctions through reputation loss are equally relevant.)
Ex post, or harm-based regulation, sanctions after the fact. For example, instead of mandating a specific kind of container to store industrial waste, the government might decide that the respective industries can make better decisions. However, if specific companies are lax and there is a spill, that company would be required to provide for damages. Thus, ex post sanctions are harm dependent. If a potentially hazardous activity does not have any negative consequences, there are no sanctions. Online these sanctions manifest as FTC enforcement against Google for privacy breaches due to Buzz.
Currently both sanctioning regimes are being used to develop public policy responses to security and privacy risks online. These sanctions are being enforced by agencies such as Federal Bureau of Investigation (FBI). Often, however, agencies such as the Federal Trade Commission (FTC), traditionally enforcement agencies, are also being tasked with informing and creating policy. The actions of both these agencies, in enforcement as well as policy, have been controversial. FBI takedowns of botnets such at Nitol have been criticized for their collateral damage. FTC initiatives, such as Do Not Track, similarly have been under attack from both who are privacy advocates and those who prefer the free market approach.
It is unclear under what conditions each of these types of sanctions are economically sensible. Given that both ex ante and ex post sanctions are being used, which are more effective for security and privacy risks online?
We begin to answer this question by using an economic framework that compares the effectiveness of the two distinct regimes of ex ante and ex post sanctions. This research is based on previous work by Garoupa et al. We being by introducing the general model. We then extend this model by considering an inequitable distribution of risk. We analyze existing policies using the economic framework being considered. We discuss the broader scope of sanctions and the implications of policy. We conclude with specific insights for enforcement agencies.
