Let Big Brother Hawk Anti-Virus Software 405
This requires a discussion of "positive externalities," which may seem pedantic to you if you remember the concept from econ class, in which case you can skim the next five paragraphs. When you buy anti-virus software, some of the benefits accrue to you — less risk of your data being lost to a virus, or of annoying spyware infecting your computer with pop-up ads — but some of the benefits also accrue to other people. Prior to anti-virus software being installed on your computer, your machine might have been infected and taken over by criminals who used it to send spam. Or it might have helped to propagate the virus to other people. (Note: I am using "virus" to incorporate related things like "worms" and not worrying about the distinction.) Or you might have thought there was a problem with your computer, not realizing the problem was caused by a virus, and wasted time calling the tech support line for your computer manufacturer or for some other product on your computer. (If the company charges for tech support, then you're paying the cost of your call rather than passing those costs on to others, but if the call is free, then the costs have to be passed on to the company and hence indirectly to their other customers.) When you install anti-virus software, the chances of all these things happening are reduced, and those are the benefits that accrue to others — positive externalities, in economics jargon.
The key assumption is that you can put a price on all of the positive externalities generated by a given person installing the anti-virus software. It's different for every person, but it always adds up to some value, something that is not microscopic, but also not fantastically larger than the purchase price of the anti-virus program. It's on the order of adding 1/100,000th of a penny's worth of value to the lives of 100 million other people, for a total positive externality of $10.
To see that this is a reasonable assumption, suppose that if I had a choice between living in a world where all 100 million other Internet users in the US had no anti-virus software installed (using round numbers to make things simpler), and living in a world where all of the other users in the US had anti-virus software installed, I would pay $10 more per year to live in the latter, counting only the benefits to me and not factoring in any altruistic desire to help protect fellow citizens. (I personally would pay a lot more than $10 because I use the Internet so much, but the average might be closer to $10. Also, what I'd really like is for more people in certain other countries to install anti-virus software — China comes to mind — but I'm leaving them out of this discussion because it would be harder for the US government to encourage that.) When everyone else in the US is using anti-virus software, the benefits are returned to me in various ways, such as it being easier for me to send and receive e-mail because there aren't so many botnet-infected machines sending spam. (This is independent of my decision as to whether to buy anti-virus software for myself or not.)
Now, once I've decided I'd pay $10 more to have all my fellow Americans install anti-virus software, I could draw a graph (while my friends are out snowboarding with their girlfriends) with "how many other US users have hypothetically installed anti-virus software" on the x-axis, and "how much would I pay to live in that world" on the y-axis. At the point on the graph where no other people have anti-virus software, I'm willing to pay $0 to live in that world. (Well, of course I'd pay a lot more than $0 to be alive in any world, but I'm comparing other worlds to that one, so I'm just using $0 as my baseline.) At the point on the x-axis where all 100 million other users have installed anti-virus software, I'm willing to pay $10 to live in that world instead. What does the graph look like in between those points? Well, I can assume it's upward-sloping — the more other people install anti-virus software, the better it is for me. I could also adopt the simplifying assumption that it's a straight line — so I would pay $3 to live in a world where 30 million other people have anti-virus software installed, $6 to live in a world where 60 million other people have it installed, etc. It's not really a straight line, because when the first 50 million Americans install anti-virus software, that still leaves 50 million others to get infected and do damage, but when the next 50 million install it, that has eliminated all the unguarded computers in the US, and made it a lot harder for viruses to spread, at least within our borders. In other words, the line representing the quality of life to me as a function of how many other people installed anti-virus software, would rise more slowly in the range 0-50 million than it would rise in the range 50-100 million. But as long as the curve doesn't make any sudden jumps — for example, I know that the 30-millionth person installing anti-virus software isn't suddenly going to make my quality of life go up by $1 — I know the curve generally has to rise smoothly. So for a really rough approximation I'll treat it as a straight line.
If the graph is a straight line with the value $0 when nobody else installs anti-virus software, and $10 when everybody else installs anti-virus software, then each additional user installing anti-virus software creates an additional benefit to me of 1/100,000th of a penny (so 1/100,000th of a penny, times 100 million, comes out to $10).
You may think it's ridiculous or meaningless to say that someone else installing anti-virus software can benefit me to the tune of 1/100,000th of a penny. I myself can't wrap my head around it. But I can use the necessary properties of the graph — that it starts at $0, ends at $10, must curve upward, and doesn't make any sudden jumps — to reason that it should be approximately true.
And then, if each other US Internet user derives an average of 1/100,000th of a penny's worth of benefit when you install anti-virus software, then the total benefit that you confer on other people by installing the software, comes out to 1/100,000th of a penny times 100 million, or $10. And that's not even counting all the spillover benefits to users in other countries each time an American installs anti-virus software, something that we could consider a kind of off-the-books foreign aid. (Even if we would really like for it to be reciprocated by all users in countries like China installing anti-virus software as well.)
This is actually not hard to reconcile with people's attitudes toward installing anti-virus software. It's recommended as something you should do not only for your own protection, but also as something you should do to be a "good Netizen" so as not to impose inconveniences on other people. If your installing anti-virus software only conferred about 1 penny's worth of total benefit on the rest of the world, nobody would bother exhorting you to do it as a kind of civic duty. On the other hand, if your installing anti-virus software conferred thousands of dollars' worth of good on the world (or, equivalently, not installing anti-virus software exposed the rest of the world to thousands of dollars' worth of risk or damage), then people would not only be exhorted to install it, it would probably be required by law, like functioning car brakes. The kind of pressure that we see today to install anti-virus software — gentle prodding but not outright compulsion — feels commensurate with a value between $1 and $100 of the benefits that a person confers on the rest of the world by installing it.
But this logic also means is that we are missing an opportunity to make everybody better off on average, by actually subsidizing the purchase of anti-virus software for some people who otherwise would not have bought it. Suppose each user confers $10 worth of positive externalities on other American Internet users when they install anti-virus software. Now first consider the case of an a program like Norton Anti-Virus which costs $40.
For anybody who personally values their own anti-virus protection at $40 or more, great — they'll buy the software, they get the value they want from it, and everybody else gets the positive externalities of that person's virus protection, for free. But consider the people who value the anti-virus software at somewhere between $35 and $40. With no government rebate, they won't buy the software.
But now suppose the government offers a $5 rebate (funded by a tax on all 100 million Internet users) to anyone who buys anti-virus software. Everybody who would have bought the software before, will obviously still buy it now that the government rebate has effectively lowered the price to $35, and now, all the people who value the software between $35 and $40 will buy it as well. For each person who purchases the software at the new price of $35, the following is true:
- The person who bought the anti-virus software is better off — they valued the software at at least $35, and they got it for $35. (Otherwise, they wouldn't have bought it.)
- The taxpayers who subsidized the purchase are better off. Each rebate cost the taxpayer one-hundred-millionth of $5. But when that user installed the anti-virus software, they conferred $10 worth of total benefit on all other Internet users in the US, so that benefits each Internet-using taxpayer one-hundred-millionth of $10. So they're ahead.
If this seems fanciful, we're still in the domain of standard economics textbook stuff. When positive externalities are involved, the free market by itself will usually not reach the optimal outcome; by adding in some government subsidies, you can achieve an outcome that leaves everyone better off than they were before (even after subtracting the cost of the taxes to fund the subsidies). Call them "subsidies even a libertarian could love." Steven Landsburg's books The Armchair Economist and More Sex Is Safer Sex, and Tim Harford's books The Undercover Economist and The Logic Of Life, explain the logic of externalities probably better than I can, and give other interesting examples. When I say "subsidies even a libertarian could love," consider that Landsburg once wrote that George W. Bush's tax plan was unfairly burdensome to the rich, because "it seems patently unfair to ask anyone to pay over 30 times as much as his neighbors." That's pretty, uh, libertarian. But even Landsburg has argued, in More Sex Is Safer Sex, that LoJack anti-car-theft devices should be heavily subsidized by the government, because they create positive externalities — when more people buy LoJacks, thieves are deterred from stealing everyone's cars, because there's no way to tell whether a particular car has a LoJack installed or not. To the extent that anti-virus software creates positive externalities, it should be subsidized as well.
A modified version of this logic applies even to free anti-virus programs like AVG Anti-Virus. AVG is only "free" if you don't count the costs of finding out about it in the first place, then downloading it, installing it, and leaving it running. All of these add up to costs that, for whatever reason, have led to many people choosing to run nothing at all, rather than to run AVG even though it's free. If the government ran a campaign announcing the rebates for purchasers of anti-virus software, they could also use the campaign to recommend certain free programs -- thus effectively offsetting the "costs" by providing a "subsidy" for those programs in the form of free advertising.
When I ran this past some people for comment, two respondents, Steven Landsburg and Esther Dyson, independently recommended versions of a popular alternative idea, which was to penalize people directly for spreading computer virus infections. Landsburg commented:
I certainly think there are huge externalities here, and they derive from the fact that idiots who don't know what they're doing insist on administering their own mail clients. I don't have a mail client on my machine precisely because I am one of those idiots and I don't want to be responsible for a virus grabbing my address book and running with it.
So I have long thought that mail clients should be taxed and/or (if it were technologically feasible) that individual users should be fined heavily if viruses spread from their machines (or send spam from their machines).
Esther Dyson suggested something similar:
One method to consider is — rather than subsidy — requiring the ISPs to post a bond for their customers and assume responsibility for their actions. They can ask their customers in turn either to buy an antivirus package, to sell one that the ISP will offer for free, or to post a bond guaranteeing that they know what they're doing and will do no harm. The ISP is then liable for the misbehavior of its customers and may forfeit the bond if some specified level of disruption is caused by its customers.
In theory, this works better than my idea because it precisely targets the undesirable behavior: We don't really want to penalize people for not running anti-virus software, we want to penalize people for not running anti-virus software and imposing costs on others as a result. It's not possible for 100 million people to charge one person 1/100,000th of a penny each for the inconvenience and risk that person creates by not installing anti-virus software, but it might be possible for one recipient of the virus to seek to punish the person who gave it to them.
However, I think this scheme would have more practical problems:
- You can only penalize the virus spreader if you know exactly who was responsible for passing it on to you. This works for old-school viruses that spread as e-mail attachments, but not for worms like Code Red that probe the network looking for other machines to infect — if you're infected as a result of a remote IP address probing your machine, it's unlikely that you would ever find out exactly when or how it happened, much less the owner of the IP address that infected you.
- If you found out that a friend spread a computer virus to your machine, you'd probably be under a lot of pressure from your friend not to turn them in.
- For people who did get taken to court for spreading viruses, there would be overhead costs associated with processing the case, over and above the actual fine that may be levied against the individual. (If the penalty happens outside the court system — for example by ISPs keeping the bond posted to them by a customer — at least some of those customers will probably feel wronged and sue the ISP, generating court costs either way.)
- If someone accidentally spread a virus to a large number of other machines, that could make their total liability far greater than what they could actually pay.
The idea of fining or otherwise punishing people for accidentally spreading viruses is something I've thought about too, but usually in a moment of venting. As Steven Landsburg dryly says, "Your solution (subsidized antivirus software) might be more effective, but mine would be more satisfying (to me)." I think the option of punishing people for propagating viruses is something that should be explored in more detail, but I can't offhand think of any solutions that would avoid the problems listed above. The fact is that anybody with an Internet connection has the potential to do enormous damage if their machine gets infected, and in most cases it would be too hard to track the harm back too them, and too harsh to make them pay the real cost of the damage.
On the other hand, the option of a government publicity campaign to get people to install anti-virus software — at least the free ones, which should be a no-brainer — is something that seems like it should start bringing benefits right away. Government advertisements for free programs would require the least amount of paperwork to set up, because all the government would have to do would be to produce the TV ads and buy the airtime. (Other proposals, such as subsidies for non-free anti-virus software, or paying people outright to install anti-virus software, would require more overhead to implement. That doesn't mean they shouldn't be tried, but go for the low-hanging fruit first.) Now, what the ads should look like would be a question for advertising experts, but I would really hammer home the point: "Go to this government website and we have a list of recommended FREE anti-virus programs. These are not 'free trials' for something you have to pay for later. They are FREE. If you're not using anything at all, at least go get one of these." Along a list of the non-free programs for people who want even more protection, and links to third-party reviews of those.
More generally, I think that government-funded action to encourage better computer security is something that has not been given enough consideration. I think this is partly due to hostility to anything that smacks of government intervention (because of, among other things, numerous times the US government has attempted to censor the Internet), and partly because of an assumption that the free market will provide the best solution by itself. But if the government is actually on the right side of an issue — the side of promoting better computer security — then there's no reason to be petty and foul up their campaign just because we're still resentful that they once tried to make the Internet into a no-cussing zone. Hey, if the government thugs start to care more about computer viruses than about Internet porn, then they're learning! Give them a pat on the head and help them get the word out! And meanwhile, economic theory predicts that because of the externalities problem, the free market by itself won't lead to the optimal number of people using anti-virus software or keeping their computers secure. That's precisely the situation where a government-funded push toward more computer security can bring everyone more benefits than it costs. If you wear a Ron Paul t-shirt, but you found out about free anti-virus software software from a state-sponsored TV ad, nobody has to know.
Why not just a Windows tax? (Score:5, Interesting)
If the government imposed a flat tax, Mac and Linux users would end up taking up a disproportionate amount of the burden for the risks that they pose.
Let's just tax Windows.
Take a third of the proceeds to subsidize antivirus software and awareness ads and use the rest to pay people to switch to a better OS.
It could work!
Just have the media sensationalize it ... (Score:3, Interesting)
Causation & Fines (Score:4, Interesting)
One problem with trying to penalize people who spread viruses (at least on a tort theory) is the problem of causation, since you have to be both the cause-in-fact and the proximate cause to be liable for a tort. Here's an example of what that means and why it could be difficult to blame any single person for the spreading a virus, except maybe for the person who unleashed it in the first place:
Say there's a worm like Conficker that is very prolific and is being spread by many different means over the open Internet and where there are many exposed hosts. Say that for whatever reason I get infected, but that I happen to have detailed logs of the network traffic I received that shows that one A. Dumas who lives in Blackacre owned the IP address that I got my infection from. Say that further, this isn't some fluffy case where Dumas can claim it wasn't his computer or that he wasn't using it, instead Dumas was indeed sloppy and got himself infected with Conficker negligently. The problem is that while Dumas is the direct cause of me getting Conficker, he is likely going to be able to claim that he was not necessarily a but-for cause, meaning if he didn't infect me, somebody else would have. To make matters worse, with a worm like Conficker it would be likely that the "somebody else" would infect me in a very short period of time, possibly only minutes or seconds, after Dumas did it.
So the end result could go two ways depending upon how a court would look at causation. Some courts might let Dumas off from liability since you really couldn't prove he was the but-for cause, but instead only one random cause amongst millions of possibilities. Other courts would say that yes, Dumas is the cause, but that the damages would be whatever the cost to me is of having Conficker... for 5 minutes or however long I would reasonably had an uninfected computer but for Dumas's infecting me. That would likely lower the damage amounts greatly, and make suing somebody else pretty unattractive.
Of course, Tort law isn't the only way to handle this. The government could always come out an slap fines on people and the only thing they need to prove is that you were spreading the virus. I'm pretty pro-security, but I frankly think that would be a very bad idea that would lead to losses in freedoms much greater than anything people on Slashdot would imagine. If you are paranoid that some international phone calls were being intercepted before, imagine what it would be like when it is necessary to monitor everybody's network traffic to prove who had a virus and when they had it. Further, imagine all the insane regulations that would follow. For those of you naively thinking that this would somehow lead to Windows being banned from the Internet, think again. Given how the government works it would likely lead to any OS except for Windows and OS X being banned from use entirely. The reason would be that only Apple & Microsoft could effectively afford to pay the massive "licensing fees" and hire armies of lawyers to cut through the red-tape needed to get government approval to connect to the Internet.... not a pretty scenario at all.
Re:What about the standard way ? (Score:4, Interesting)
They're effectively a blacklist (with some mostly ineffective greylist heuristics), and blacklists aren't really useful against continual new threats.
I can think of four ways to keep viruses and worms from spreading: operating system security, blacklists, greylists, and whitelists. Blacklists and greylists in mainstream antivirus software for Windows are less than perfect, as you point out. Whitelists implemented in non-free operating systems (such as Authenticode and game console lockouts) have tended to be unfriendly to microISVs and free software developers. This leaves OS security. OLPC's web site describes Bitfrost [laptop.org], an interesting security layer that provides finer-grained security than is seen on most Linux or Windows desktop installations without depending entirely on lists. For instance, an app's installer can request directory scanning privileges (P_DOCUMENT_RO) or network privileges (P_NET), not both.
Negative Externality First (Score:3, Interesting)
I'm all for educating users about the harm they are causing by using insecure operating systems and engaging in dangerous behavior.
However:
subsidizing the purchase of anti-virus software
Don't dip your damned hand into my pocket and hand money to McAfee before we first educate these people. Then start holding them accountable for the damage they cause. Then, and only then, as a last resort if nothing else works, can we talk about holding their hands because there is no other way out.
I support methadone clinics, but first I support putting junkies who steal in jail. Same thing here. People are wantonly engaged in destructive behavior and you propose that we first harvest the positive externality, before addressing the negative externality of their destructive behavior. I am a strong believer in externalities and the balancing thereof. But let's start with the negative side, with holding the junkies accountable for their behavior.
De-Fense! (clap clap) (Score:5, Interesting)
Where in the constitution would be the mandate for the feds to promote something like this? I know people try to squeeze everyting into the 'general welfare' statement
From the Constitution:
The Congress shall have power to lay and collect taxes, duties, imposts and excises, to pay the debts and provide for the common defense and general welfare of the United States
Other countries have used military botnets. Therefore, a campaign against botnets might even count as "defense", in addition to the "welfare" and "commerce" arguments that others have made.
National Security Threat (Score:2, Interesting)
Although I'm no fan of AV s/w - I completely agree. At what point does a T-1 connected grandma become an officially recognized threat to national security? The U.S. at least, seems about one attack shy (using history as a guide) of such a designation...
profiteering (Score:5, Interesting)
One big problem with this proposal is profiteering. Any time government offers to inject some money into the private sector, powerful commercial interests will line up to feed at the public trough. We saw it in the Iraq war, with Halliburton. We're seeing it with banks that are gaming the federal bailout system, maneuvering so that they can be subsidized without accountability. And it's always the most politically well connected private interests that are able to play this game successfully, e.g., it sure didn't hurt that Halliburton was in bed with Dick Cheney. So if this proposal were enacted, I predict that Symantec, for instance, would make out like bandits, while zero money would flow to ClamAV
Another problem is that this kind of thing takes on its own momentum, and tends to continue indefinitely long after its justification is gone. We've seen this with farm subsidies, which were meant as an emergency measure to try to help family farms survive the Great Depression. Now it's just a subsidy to agribusiness. As far as antivirus software, IMO it's already long outlived its usefulness; it's become a kind of snake oil, a kind of difficult-to-remove malware in and of itself, used by people would would rather pay $40 for a bandaid rather than taking proper security precautions.
And yet another problem is that this kind of thing subsidizes dumb behavior. In the case of antivirus software, it subsidizes MS's poor design of its operating system, which makes it more vulnerable to viruses than MacOS or Linux. It also subsidizes dumb behavior by users who click on executable email attachments from strangers.
As far as the economic justification, I don't buy it for a second. Since I don't run Windows, I don't suffer a lot of direct negative economic effects from viruses. The effects I do suffer are small and indirect. Mostly I get a negative effect because I get spam from botnets. However, I don't believe for one second that increasing adoption of antivirus software by some percentage will have any significant effect on the amount of spam I get from botnets.
Re:Nope (Score:3, Interesting)
That's not true. Libertarians believe that government should not interfere absent a market failure, or defined instances where the free market will not work properly. Libertarians would support the SEC, to some extent, to cure the problem of asymmetric information. The SEC regulation regime is basically founded on truthful and standardized disclosure of material facts.
Libertarians would regulate pollution because there are negative externalities. A business can spend $10,000 to install pollution control systems, or dump toxins into a creek for free, causing $10,000,000 in damages to the surrounding area that no one would know about until it was too late. Without government regulation, businesses would pollute because they don't have to pay for the suffering of others from their pollution. Consumers are on the Internet without knowing how to secure their systems. It's causing everyone else to get spammed and DDOS'd but the nitwits don't care because their computers still work. It's time for the government to walk in and take some sort of action to reallocate the responsibility onto those parties best situated to prevent costs.
No thanks for an Internet License (Score:5, Interesting)
And thank you for proving exactly why I wouldn't support such an initiative.
It would give the government the go-ahead to truly regulate the internet for our own good. It would be for the children, against the terrorists, and ... progressive.
You would be giving the government the authority to limit your speech in the guise of protection. Very likely worthless protection with a whole helping of surveillance and record keeping.
Then, when you step out of line, your license is not renewed. Or, more likely, since you run Linux, a dangerously mutable untrustworthy operating system, you wouldn't be granted a license at all.
No thanks, I don't need or want a license to exercise my rights.
Re:Right to keep and bear AVG (Score:2, Interesting)
The government should be responsible for protecting infrastructure, not home or work computers. Libertarians wouldn't argue that the government should buy homeowners guns to protect themselves at home, just that they should allow homeowners to buy their own guns if they choose to do so.
Re:You Seem to Forget a Generation (Score:3, Interesting)
Sure, now you're paying $12.50 instead of $10.00 but at least my retired grandfather isn't paying for your Slashdot habit.
Say, that gives me an idea. Since as we all know (we being slashdot users) that those of us on Slashdot are the most informed of all internet-goers on the planet... Why not just mandate Slashdot readership for all internet users? Hell, maybe even subsidize subscriptions. If more people read Slashdot and knew the things WE know... Well, no problem can hide from one hundred million pairs of eyes.
Re:Why not just a Windows tax? (Score:2, Interesting)
You want to tax Americans to fund Microsoft's incompetence?
Re:What about the standard way ? (Score:3, Interesting)
NSA already distributes Linux improvements (Score:3, Interesting)
Re:What about the standard way ? (Score:4, Interesting)
Under your immensely broad determination, just about anything could be considered commerce.
The Supreme Court has ruled that a farmer who eats his own wheat is engaging in interstate commerce (Wickard v. Filburn). So yeah, anti-virus software could easily fall into that chasm of a loop hole, too.
You don't have to agree with something on principle to recognize the truth of it.
Re:Can't Pay Me (Score:3, Interesting)
That's the classic hallmark sign of a wrong solution. To the problem of Windows insecurity, that is. It's sort of like a scientist who keeps getting surprised at each new discovery and never thinks that maybe there's something wrong with his theory when it has zero ability to make successful predictions. There's something drastically and fundamentally wrong with the design of Windows if you have to put up with all of that BS just to achieve an acceptable level of security. The only thing I don't fully understand is why so many people with no financial ties to Microsoft don't want to admit this.
Re:Hmmph. (Score:4, Interesting)
The only OS security model which is bette than Windows in any meaningful, practical way is SE Linux. Eveyone else uses user-based access, which is no defense at all against a user who doesn't care about security. Any modern consumer OS (by which I mean: you don't have to recompile the kernel to add a new driver) will make it trivial for malware to install itself if the user can be convinced to enter the root password - and that's just not a very high bar.
The SE Linux model does a little better: by restricting access based on process profiles, and not based on users. The only real advantage there is that the user is conditioned to only needing the root password when installing software, so at least the bar is raised a notch as you have to trick the user into *knowingly* installing software. Not much better.
Combine that model, however, with a trusted host for software downloads (as any good package management system should have), and you raise the bar yet again. That would mostly limit malware to users who torrent cracked sofware or otherwise deliberately go outside the normal path for software installation. That would be a significant reduction in targets, but perhaps not enough to really matter (does reducing the number of infected systems by 90% really help much?).
Re:What about the standard way ? (Score:3, Interesting)
If you catch some weird disease, the CDC has the right to quarantine your ass. The government forces people to get vaccinations as well.
So why are economically damaging computer viruses spreading through the internet less deserving of government action than real viruses spreading through social networks?
I can see a lot of arguments for the reverse, namely that a single computer can infect far more machines than a single person can infect other people...