August 22, 2001

The Internet has created many points of legal friction.

• Spammers vs. anti-spammers

• Music swappers vs. copyright defenders

• Surveillance proponents vs. privacy advocates

This essay looks at these points of friction from the standpoint of an economic approach to law. Such an approach often is called law and economics.

Why have a legal system? I think of it as a means for encouraging good behavior. If all people were always inclined to do good or all people were inclined to do evil, then a legal system would not accomplish much. However, suppose that we classify people in terms of their moral inclinations into three groups:

I assume that people fall along a continuum, with most people clustered in the morally lazy category. Because most people are morally lazy, a change in the costs and benefits of different behaviors can affect significantly the average behavior in the population. Both the legal system and the technological environment affect the costs and benefits of doing wrong.

A legal system can induce better behavior on the part of the morally lazy by creating a set of incentives (including penalties and risks for doing evil) that foster good behavior. A legal system also can serve as a framework for punishing and incarcerating villains.

In my opinion, our legal system is far from optimal. There are too many laws, laws are changed too frequently, and enforcement is haphazard. If the goal is to affect behavior, then it seems to me that what we want are a few laws that are well understood, stable, with the intent of being enforced.

Examples of laws that we have little or no intention to enforce include minor traffic laws (such as the speed limit), drug laws, and prostitution laws. Politically, it would be unthinkable to repeal these laws. The only thing that is more unthinkable would be comprehensive enforcement.

I wish that it were feasible politically to enact more rational laws. In the case of traffic laws, I would like to see a system in which only major infractions or combinations of infractions are crimes.

For example, simply exceeding the speed limit would not be a crime. Exceeding the speed limit by more than 40 percent would be a crime. A combination of exceeding the speed limit while closing to within a few yards of the car in front of you would be a crime. Exceeding the speed limit while intoxicated would be a crime.

Each of these crimes might carry jail terms. My guess is that the minimum threshold for defining a crime is that it ought to be serious enough to warrant sending someone to jail.

There should be no such thing as a simple speeding violation where you pay a fine. The current system is simply a very costly and inefficient form of taxation. On the other hand, if we define the violations correctly and enforce them properly, we may reduce speeding, or at least reduce the forms that impose social costs.

When we have laws on the books that we do not truly intend to enforce, this colors our view of technology. For example, suppose that drug-sniffing dogs had the ability to smell any amount of marijuana at any distance. This would pose a threat to our current equilibrium in which white middle-class college students can smoke marijuana with impunity. Some might argue that such drug-sniffing dogs pose a civil liberties issue.

Instead, I would argue the reason that we would feel threatened by a new enforcement technology for drug laws is that we do not really believe in the drug laws themselves. One of the reasons that we would find it intrusive to be searched for drugs is that in most cases drug possession is a victimless crime. Although banning the technology to search for drugs is one solution, a better approach would be to write a drug law that we can enforce without flinching.

The Internet affects the costs and benefits of compliance with existing laws. That is what is creating the friction.

For example, spam differs from direct mail and telemarketing in that the marginal cost of sending an unsolicited email is zero. This changes the cost-benefit calculation for the sender.

Our legal environment is relatively lenient toward junk mail and toward telemarketing. Legal leniency is possible because there are other costs of trying to use the phone or postal mail for intrusive marketing. A telemarketer has to pay people to give their spiel (although computerized telemarketing threatens to change that). Junk mailers have to pay for postage.

With spam, the marketer does not pay the cost. Almost all of the costs are imposed on others. Users have to spend time deleting unwanted email. Internet service providers have to expand capacity in order to carry it.

Another example of technology affecting behavior is in sharing music files. The so-called music copyright controversy reflects the fact that the combination of the Internet and digital music has changed the cost of distributing music. The marginal cost of distributing music has fallen.

In the absence of government intervention, what I would expect to see in the music industry is that distributors would develop systems that are consistent with the reduced marginal cost of distributing music. That is, I would expect music distributors to set up Napster-like systems and find revenue models to support such systems.

Regular readers of these essays know that I favor a model in which members pay flat subscription fees for very broad access. See The Club vs. the Silo.

The music industry claims that the issue is copyright and artists getting paid. However, the issue of artists getting paid is one of supply and demand. See Equilibrium in the Market for Rock'n'Roll.

What the music industry is fighting is disruptive technology. Nobody likes it when their business model is threatened by technological change. However, we should not allow an industry to use the legal system to retard progress.

(For an example of an industry adapting its pricing rather than fighting technology, consider the movie industry and video rentals. Hal Varian's New York Times essay describes how the industry used to charge $70 per tape to video rental stores, but changed to a model that is more consistent with actual distribution costs.)

Assuming that enforcement is feasible, I would like to see a law against spam. On the other hand, I wish that we did not have a law that can be used to shut down music file sharing systems.

What an anti-spam law and an anti-file-sharing law have in common is that either law would run into the challenge posed by anonymity on the Internet. The Internet is an environment in which the cost of surveillance is high.

Ironically, the Internet helps to lower the cost of surveillance in the physical world. In the physical world, surveillance cameras are becoming more powerful and less expensive. Attaching cameras to the Internet further reduces the cost of using them for surveillance.

As I indicated earlier, our discomfort with surveillance is related to our discomfort with the underlying laws that surveillance is used to enforce. Most of us are happy to see enforcement of laws banning handguns on airplanes. Few of us would be happy with the results of strict enforcement of speed limits or marijuana laws.

Surveillance is particularly loathsome when dissent from the government is regarded as a crime. Most of us would be in favor of technology that creates obstacles to the enforcement of laws that suppress dissent.

I would like for Chinese dissidents to be able to send email anonymously. However, I would not like them or anyone else to send me spam anonymously. That poses a challenge.

Here are some general principles that I would apply to issues of surveillance and anonymity.

1. Putting someone under surveillance without their knowledge is like wiretapping. Laws should be written to restrict this type of surveillance. Just as the laws place tight restrictions on wiretapping, they should place tight restrictions on the use of surreptitious surveillance. Just as you need a court order to tap someone's phone, you should need a court order to put someone under surveillance without their knowledge.

   This principle leans more toward privacy than does our current practice. Currently, I believe that surreptitious surveillance is too common. Most businesses that put customers and employees under surveillance do not post clear warnings to that effect. Web sites and ad networks definitely do not put up warnings saying that they put customers under surveillance. If it were up to me, they would have to do so.

2. Authentication services should have clear policies concerning how they protect the identity of their users. I want to accept mail from a service that protects Chinese dissidents. I do not want to accept mail from a service that protects spammers.

   An authentication service is a service that validates the authenticity of someone's online identity. Right now, authentication is a hodgepodge. At the web site for my bank, I have a user name, a password, and a PIN number. With my email account, I have a user name and a password. With one-click ordering, I am authenticated by a browser cookie.

   Ultimately, I believe that authentication services will be less idiosyncratic. That is, I will have to remember fewer passwords and fewer procedures in order to identify myself on the Internet.

   However, I do not think that removing all of the idiosyncrasies would be safe from the standpoint of security. I would not want to rely solely on Microsoft for security, because Microsoft is a tempting target for hackers. But a security system that has a Microsoft layer plus another idiosyncratic layer supplied by a small provider would make me feel better.

   Authentication services face a trade-off between ease of use and security. However, right now, the hodgepodge is so inefficient that we have the worst of all worlds: the Internet is harder to use than it should be, and it is less secure than it should be.

   Once authentication becomes more efficient, then I expect to regain control of my email inbox. If you want to send me email, it will have to have come through your authentication service. If your authentication service cannot verify that you are not a spammer (either because you might be a spammer or because it does not believe in exposing spammers), then I will not accept the email. On the other hand, I will be happy to receive mail from an authentication service that will hide your identity as a political dissident.

   If we are all anonymous, all of the time, then the villains have too many advantages and the rest of us have too many disadvantages. We need to move in the direction of having more control over how we interact with others who choose to remain anonymous. I think that authentication services, such as Microsoft Passport, have the potential to move us in the right direction.

As an economist, I have looked at various legal friction points created by the Internet. Here is where I come down on the issues.

• Spam email is bad. However, the problem cannot be solved unless authentication becomes more efficient. Without better authentication on the Internet, a legal remedy is unworkable. With better authentication, a legal remedy may be unnecessary.

• What the music industry portrays as a threat to copyright is really a change in the economics of music distribution. Eventually, the music industry has to change. The court decision against Napster will reduce the pressure on the music industry to give consumers the benefit of lower distribution costs. The legal ruling will slow down the adoption of cost-saving innovation, and I cannot see any offsetting social benefit.

• On the Internet, villains enjoy too much anonymity and innocent people are subject to too much surreptitious surveillance. I hope that with better authentication we can improve both of these. However, I would like to see strict laws against surreptitious surveillance, both online and in the physical world. Right now, it takes too much effort and know-how on the part of consumers to protect your privacy.