Aldo Cortesi channels Elinor Ostrom and summarizes what we need to fix Internet security by enticing the providers and users of the Internet to manage it as a commons. But first, some background.
Since at least 1997 ("Is the Internet a Commons?" Matrix News, November 1997) I've been going on about how Garrett Hardin's idea of the tragedy of the commons doesn't have to apply to the Internet, because:
- The resources of the Internet are inexhaustible
- If some parts of the Internet were to be immediately saturated, a few moments later all that bandwidth would be available for use
- Passing data through an IP link doesn’t produce the kind of wear that happens when a machine is used or a plant is consumed
- Using the Internet makes it grow since every new user pays money to an ISP which uses that money to purchase additional equipment.
These arguments may make some rational sense in the traditional sense of the everyday use of the Internet but this does not take into account the problems of Internet security. Distributed Denial of Service (DDoS) attacks occur when a number of machines with vulnerabilities are taken over and controlled by hackers and used to flood a specific machine with worthless packets of data. These have become a serious problem since 1999 and they are at the heart of “the tragedy of the commons” since while everyone might be interested in protecting the shared resource of Internet security, the individual had a stronger incentive to cheat by connecting insecure computers (Yan, J., Early, S. and Anderson, R. (2000) “The XenoService – A Distributed Defeat for Distributed Denial of Service”, Proceedings of Information Survivability Workshop, Boston, Massachusetts, USA.)
The Internet is not a zero-sum game, but Internet security can be. This problem is actually being dealt with to some extent by mechanisms such as spam blocklists and web server certificates. It would be dealt with better, except for a much bigger problem: the majority of the end-user Internet in the U.S. at least is owned by only half a dozen companies, which have not yet found it in their interests to make it in the interests of their users to do better.
I agree with Rose and Gordon's point that individual users must also have shared common goals of preserving the commons. But so must service providers, and Rose and Gordon's proposal of making every user put down a deposit before Internet use doesn't really address that point. And indeed to some extent service providers already do; bad BGP routing announcements are noticed immediately and there are reputation systems for naming and shaming their perpetrators. But whatever they've been doing isn't enough.
Last year I noted ("Debunking the Tragedy of the Commons," Perilocity, 28 Aug 2008):
When Garrett Hardin published his famous article about the "tragedy of the commons" in Science in December 1968, he cited no evidence whatsoever for his assertion that a commons would always be overgrazed; that community-owned resources would always be mismanaged. Quite a bit of evidence was already available, but he ignored it, because it said quite the opposite: villagers would band together to manage their commons, including setting limits (stints) on how many animals any villager could graze, and they would enforce those limits.
I cited an article ("Debunking the `Tragedy of the Commons'," by Ian Angus, Links, International Journal of Socialist Renewal, August 24, 2008) that made this point. Michael Froomkin tracked that post and got some very interesting feedback.
I had no idea how right I was. Some of Prof. Froomkin's commenters did, though, and so did the Nobel Prize committee that awarded the 2009 Nobel Prize in Economics to Elinor Ostrom and Oliver Williamson for their research on economic governance. And Prof. Ostrom's speciality is governance of commons.
Prof. Ostrom goes into a lot of detail about numerous different methods different communities and individuals within them use to manage commons. Aldo Cortesi provides a pithy summary of a major point of Prof. Ostrom's work, "Elinor Ostrom, the commons problem and Open Source," 10 December 2009:
BC > BN + C
Here, BC is the benefit of contributing, which has to outweigh the cost of contributing (C) plus the benefit of not contributing (BN). The Open Source world has produced an immensely sophisticated set of norms and institutions around the terms of this equation, resulting in some of the most successful self-governance structures on the planet. I'd argue that most of the institutional work in Open Source over the last few decades has focused on reducing C - a lot of the basic technology and accompanying social norms used in Open Source development (mailing lists, bug trackers, version control systems, communications protocols) is lubrication to reduce the cost of contributing. I think you could even make a plausible case that much of what drives the Internet is just a side-effect of Open Source projects trying to reduce C.
This equation applies to each participant, and the values of each of its elements may be different for each participant. There's no need for a one-size-fits-all solution, and Prof. Ostrom has found that in the field solutions are often complex and tailored to the resources and the participants.
Cortesi concentrates on how open source can reduce the costs of changing from one method of dealing with a resource to another. If we think of BN as the old way of dealing with a resource, and BC as the new way, then Rose and Gordon want to decrease the value of the old sloppy way BN by making users put down a deposit. That may or may not work to reduce BN + C below BC, but it doesn't provide a similar solution for service providers. For both users and service providers, one could also concentrate on increasing BC, rather than decreasing BN or C. How can we make secure contributions to the Internet more attractive?
I think part of the answer is already demonstrated in reputation systems for BGP routing.
I think another part of the answer is in Internet neutrality legislation, which is necessary because ISPs, especially the half dozen or so biggest ones that provide more than half of U.S. end-user Internet service, have very strong profit incentives to mine the Internet to their own short-term benefit. At the scale of the world's third most populous country, federal government regulation is how the population manages such a resource. Even better would be to get a lot more providers involved and to reduce the duopoly's dominance of the market; then more cooperative and less governmental solutions could take hold. That's how the Internet was managed before the telcos and cablecos managed to take it over through a combination of deeper pockets and regulatory capture (I may have just repeated myself).
What solutions to apply to which parts of the problem is an ongoing question in search of many answers. The most basic point is established by Prof. Ostrom's work: there doesn't have to be a tragedy just because there's a commons. And there doesn't have to be just one solution.
PS: Plants and animals often cooperatively manage commons, and they do it without privatization or externally-applied coercion. We call that ecology, which I've always heard about because of my aunt, Dr. Elsie Quarterman, a pioneering plant ecologist, 99 years old this year.