November 22, 2024

Stupidest Infotech Policy Contest

James Fallows at the Atlantic recently ran a reader contest to nominate the worst public policy decision of the past fifty years. (<a href="http://jamesfallows.theatlantic.com/archives/2008/05/stupidest_policy_ever_contest_1.php"The winner? Ethanol subsidies.) I’d like to do the same for technology policy.

Readers, please submit your suggestions for the stupidest infotech policy ever. An ideal submission is an infotech policy that (1) was established by a government, (2) did serious damage, (3) had wide support across the political spectrum, (4) failed for reasons that should have been obvious at the time, (5) failed even by the standards of its own supporters. It’s not enough that you would have chosen differently, or that you would have weighed competing public goods differently – we’re looking for a policy that no reasonable person, with the benefit of hindsight, would support.

Submit your suggestions in the comments. Once the discussion has died down, I’ll choose a winner. If this contest is successful, we’ll follow it up with a best policy contest.

Comments

  1. Keep ’em coming. I’m really enjoying this thread.

  2. Jeremy Epstein says

    Since no one else has thrown this in, I’ll say the various government initiatives to require acquisition of secure systems, which are then ignored. The two most prominent are “C2 by 92” (which required that the DoD only buy systems that met the Orange Book C2 requirements starting in 1992) and NSTISSP #11 (a DoD directive from about 2002 that required Common Criteria evaluated products). In both cases, industry saluted smartly, built the requested products … and got burned when the government folks ignored their rules and bought unapproved products. This reduced the incentive of vendors to follow government direction for security in the future. I saw one estimate that vendors collectively spent a billion dollars trying to meet the C2 by 92 requirement… that seems a bit high, but based on personal knowledge, I’d say it’s certainly in the hundreds of millions.

    To address Ed’s five requirements:
    (1) was established by a government: yup, DoD is definitely government
    (2) did serious damage: yup, because it diverted resources away from doing things that would *actually* make products more secure
    (3) had wide support across the political spectrum: well, not clear on this one, since it wasn’t a law, but rather DoD policy
    (4) failed for reasons that should have been obvious at the time: yup, vendors kept warning them (in both C2 by 92 and NSTISSP#11) that this was going to be a disasater if they didn’t buy what they insisted on
    (5) failed even by the standards of its own supporters: yup, no one would claim that it actually made our systems more secure

    So I’ll claim 4.5 out of 5.0 points…

  3. Alumnus of the Shanandoah County Public School System says

    I haven’t verified this myself but I heard from a secretary who works in the Shenandoah County Public Schools told me that they banned web access to http://*.net . She found this to be quite frustrating, because she couldn’t get her webmail from shentel.net….

    Why? They picked up some malware, apparently from a server with a .net DNS domain name… Apparently with complete ignorance of how the underlying TCP/IP, DNS, and malware mechanisms work!

    Too bad they couldn’t pay me nearly enough to come back and educate them on how TCP, DNS, and AD work. There’s even reduced-cost SANS training available for educational institutions in Virginia!

  4. Alumnus of the Shanandoah County Public School System says

    I haven’t verified this myself but I heard from a secretary who works in the Shenandoah County Public Schools told me that they banned web access to http://*.net . She found this to be quite frustrating, because she couldn’t get her webmail from shentel.net….

    Why? They picked up some malware, apparently from a server with a .net DNS domain name…

    Too bad they couldn’t pay me nearly enough to come back and educate them on how TCP, DNS, and AD work. There’s even reduced-cost SANS training available for educational institutions in Virginia!

  5. Forgot one…HIPAA…

    Again, the goals are, I suppose, admirable: make sure that health information is only distributed on a need-to-know basis. In practice, however, it seems that the legislation has only served to protect insurance companies (they have a need to know everything about your health, right?), without much by way of useful protection for individuals.

    The biggest threat to people from sharing of healthcare information was always systematic misuse by insurance companies. Yet this is precisely what is facilitated by HIPAA. It does prevent disclosure of individuals’ information for the sheer fun of it, or for blackmail purposes, but I doubt that this was ever as much of a threat, except for celebrities. And though HIPAA has created a huge, costly bureaucracy and tons of resources are devoted to meet its requirements, people are still not terribly well protected against having their information shared to their detriment.

  6. But my cat is blacker…

    I’d like to squeeze in the entire CIA under the “Infotech policy” headline. After all, it is supposedly an information gathering organisation, even after repeated public demonstrations of massive drug trafficking operations going all the way from late 60’s Vietnam through Oliver North and the “crack” cocaine trade, reaching to modern day Afghanistan and the recent bumper opium harvests.

    Not sure if mentioning the elephant in the room goes outside the rules of the comp.

  7. Mark Christiansen says

    It isn’t so much infotech as most abused by the infotech sector and I can’t meet #5 of the criteria as the supporters love it but …

    Court enforcement of contracts of adhesion and EULAs in particular.

    It is an absolute disaster to allow ordinary goods to be layered with unbounded contract obligations. There is no end to the mischief these cause.

  8. Sarbanes-Oxley, section 404 anyone?

    (Not quite a slam-dunk, but worthy of consideration, IMO)

  9. I’d like to suggest another less recent “infotech policy” decision that may have had more negative influence than any of the ones listed so far: the 1982 forced breakup of AT&T.

    This started with an antitrust lawsuit by the US Justice Department (point 1) in 1974, which wasn’t settled until 1982 — which means that it was pursued by the Ford, Carter, and Reagan administrations (point 3). It did serious damage (point 2) to our technological capabilities, among other things eventually leaving the greatest industrial research laboratory ever, Bell Labs, a shadow of its former self. The costs of this decision should have been — and were — obvious to many at the time (point 4).

    The hardest question is whether the AT&T really should be considered a failure by the standards of those who supported it — point 5. I don’t have the data, but its not clear that telecommunications costs have come down by that much, or any more than they would have without the breakup. The RBOCs that were created by the decision are effectively local monopolies today — and subsequent mergers mean that there aren’t that many of them. There is competition in long distance, and that has likely kept rates down, but this was being implemented (MCI) without the AT&T breakup. For a brief period in the 1990s, it looked as though telecommunications businesses enabled by the breakup were going to be giants, but they have mostly failed or worse, as Bernie Ebbers could tell you from his jail cell. You could attempt to argue that the breakup enabled internet technologies, but the internet is strong worldwide — and stronger in many places than in the US — despite strong, often state-run, telecom monopolies.

    So while too much has happened since the breakup to get a real handle on the counterfactuals, I’d say the level of influence and the loss of one of America’s great science and technology resources makes the AT&T breakup a strong contender for the prize

  10. Tarkeel says

    I’d say that the only reason that DMCA does not meet the fifth criteria, is that it has been selectively enforced. If only the law had been applied equally in the Sony rootkit debacle, they would have been singing a very different song.

  11. supercat says

    Is there anything wrong with Skipjack as a cryptosystem? It seems to lend itself more easily to microcontroller implementation than either DES or AES.

  12. I have to throw my vote in with the first poster. What utter scapegoat BS that is. Seriously, “ping” is illegal?

    Then again, the DMCA is also terrible (if obvious).

    Can we have a joint ballot?

  13. Todd Jonz says

    The Clinton administration’s failure to understand of the uses and abuses of cryptography undoubtedly led to the most misguided information technology policy in recent times.

    The NSA’s advantage in cryptographic technology went unchallenged for a very long time, but by the ’90s dangerous radicals like Bruce Schneier, Ross Anderson, and Phil Zimmerman had brought this technology to the classroom, the corner bank, and the man on the street. In an misguided attempt to control the spread of this technology outside the U.S., the Clinton administration classified any encryption technology stronger than 40 bits as a munition and forbade its export under the Arms Export Control Act. It even went so far as to prosecute Mr. Zimmerman when PGP started to show up on open FTP servers, putting Zimmerman’s employment and financial prospects at serious risk. His prosecution may or may not have been pursued at the behest of RSA Data Security, a company that has always had a close relationship with the NSA and which was engaged at the time in a license dispute with Zimmerman over the use of the public key encryption techniques employed by PGP. As a result of the Clinton administration’s poorly conceived encryption policies, many emerging crypto companies chose to move their headquarters out of the U.S., where the the jobs they created and the revenues they generated contributed to another country’s GDP.

    At the same time, the Clinton administration was a strong advocate of the so-called Clipper chip, which the administration proposed that all companies wishing to do business with the U.S. government would be required to adopt. The Clipper chip employed an algorithm known as Skipjack that was developed by the NSA, and in adherence to the ever popular security through obscurity doctrine, the Skipjack algorithm was classified and not available for review by the research community. A particularly controversial feature of the Clipper chip was the law enforcement access flag, or “LEAF bit”, which, when activated, would give law enforcement unfettered access to the plaintext of encrypted communications (as we all know, law enforcement agencies never abuse such capabilities.) The Clinton administration never seemed to grasp what every first year computer security student accepts as fact: backdoors are a bad idea and will eventually be exploited by the bad guys. (As an interesting historical note, the administration’s point man in this debate was Vice President Al Gore, the father of the information super-highway, who has fortunately turned his attention more recently to issues which will benefit the public good rather than harm it.)

    The Clinton administration’s final insult in this realm was the Communications Assistance for Law Enforcement Act (CALEA), which required all telecommunications carriers to provide a mechanism via which law enforcement could easily install wiretaps on digital circuits, which was a great deal more difficult than it had been in the good old days of analog circuits. The administration established a $500M fund to cover the cost of the implementing this access, but the actual cost nationwide was far greater than this, and the excess costs were passed along to the carriers’ customers in the form of increased rates. Today this ease of access has made it possible for the government to implement a wide electronic dragnet to monitor the communications of U.S. citizens under a cloud of questionable legality, but it wasn’t until the Clinton administration was succeeded by the current administration that the full potential of CALEA was finally realized.

  14. Michael Donnelly says

    If we can’t bag further on the DMCA, then I suggest the “Stupidest Infotech Policy Contest” is actually the stupidest infotech policy. My arguments:

    1) The policy was established by Ed, who is not the “government”, but may be considered a key governor in the scope of this blog.

    2) Look at all the invalid DMCA claims, strange references to standardized units, and other lack of hilarity. That’s damage.

    3) Again, Ed is the majority of the government. This blog post has widespread support from him. Who’s going to oppose it? Halderman?

    4) Ed should have known everyone would immediately pile onto the DMCA.

    5) Disputes about applicability and parody posts (such as this one) are surefire indicators that the policy has failed.

    There, that should settle it.

  15. Michael says

    One more classic failure, back to the 1960s.

    The arpanet:

    1) Dept of defense
    2) Think of the children!
    3) No dissent (not that anyone cared)
    4) A network of networks!?! seriously, who would have been dumb enough to think that would work.
    5) Even the supporters don’t know what ever became of it…

  16. Michael says

    It’s certainly not the stoopidest, but municipal wifi seems to deserve a mention.

  17. I second the DMCA 1201. I think the former customers of MSN Music can vouch as to the harm it’s done.

    Another fun example is CALEA, which requires that digital telephone equipment be designed in such a way that the government can tap it. With the advent of VoIP, all Internet equipment is now (potentially) a telephone. So (according to the FCC) if you have a public wifi router, you have to be prepared to let the FBI tap it. Needless to say this has resulted in lots of hand-wringing by people who wanted to offer public wifi…

  18. Roger: do you think that the 2001 arrest and detention of Dmitry Sklyarov did not constitute objective harm?

    Having said that, I suspect that I agree with Michael that the DMCA may not meet criterion 5.

  19. I’m astonished that nobody has yet mentioned Japan’s “fifth generation” project.

  20. These examples are really bad. None of them meet the contest criteria. While I don’t like the DMCA either, no one has described any objective harm that has resulted from the DMCA.

  21. My vote goes to electronic voting (see especially touch screen systems in Ohio)

    1) Loved by government, hated by all sane tech-savvy people
    2) Depriving American citizens of our most basic right? Priceless…
    3) Was a success in both Democrat and Republican states
    4) Anyone could have predicted that it wouldn’t work if they had thought about the basic issues of accountability and accuracy
    5) Now being rolled back in many jurisdictions just a few years after implementation

  22. Also, while I support putting the DMCA near the top of the list, I think that it doesn’t meet one criteria at all:

    (5) failed even by the standards of its own supporters

    The supporters LOVE, LOVE, LOVE the DMCA. They can’t get enough of it. They would gladly trade their first born to get more of it…

  23. To combat the recency bias, I will toss in an older options, since we’re talking about the past 50 years.

    The metric conversion act of 1975.

    list of Ed’s criteria:
    (1) US government
    (2) damage : poor implementation set back standardization for at least 33 years (and counting)
    (3) wide support : so-so at the time, but enough to pass
    (4) should have been obvious : metric board lacked any authority to enforce standardization… what were they thinking?
    (5) failed even by the standards of its own supporters : what units are your speed limit signs in?

    Note, I’m not saying that going metric is a bad idea, just that this implementation was.

  24. For some reason, I misread the title of the post to mean:

    The Stupidest Contest on Infotech Policy.

    I get it now. Carry on.

  25. Come on guys. the DMCA is just too easy.

    My vote goes to the Universal Service Fund, which has proved to be a gigantic waste of money (and a threat to VOIP and other cutting edge technologies).

    E-Rate, part of the USF, was described as “the classic example of a program that was begun with good intentions and has found itself suffering from corruption, because there wasn’t sufficient oversight.” See: http://www.news.com/Eroding-E-rate/2009-1028_3-5236723.html

    End this stupid waste of money, and give rural Americans a satellite Internet connection instead.

  26. Another vote for the DMCA, albeit I’d like to amend meteorplum’s last paragraph: what the text seems to me to say is that it’s legal to circumvent copy-protection for fair use just as long as you don’t actually read, watch or listen to the product of circumvention.

  27. Michael Donnelly says

    I have to throw my weight behind meteorplum’s excellent synopsis of the DMCA. The realities of the world are in conflict with the text on that paper. And when that happens, the realities typically win (see paragraph 5 above).

    The only salt I’ll add to that wound is the grievious harms inflicted on companies by misuse of the DMCA. It has turned into a cudgel in the hands of many copyright holders, abusing both the takedown process and the anti-circumvention in many ways that were not intended by the authors of the bill. In my opinion, the DMCA’s negative effect on chilling innovation far outweighs the protections it grants.

    The end loser here is the consumer, who is denied any number of cool and clever devices (software and hardware) that cannot be made due to fear of DMCA litigation, as copyright holders hide behind it. Imagine how advanced the typical MP3 player would be now if everything played well together and companies could not use DRM to adhere their customers to a specific platform.

    As a developer and innovator, the loss of these potential breakthroughs is something that I feel very personally.

  28. Another vote in favor of the anti-circumvention provisions of the DMCA. My only additions to the previous nomination would be:

    2. On the harms inflicted by the DMCA’s anti-circumvention provisions, EFF’s Unintended Consequences report is the most exhaustive resource.

    4. The inevitability of failure of the DMCA’s anti-circumvention regime was well articulated by the Microsoft Darknet paper in 2002, which summarized insights that technical folks knew long before that.

    5. The actual failure of the DMCA even when measured against the rubric of its proponents is set out in an article I wrote in 2004.

  29. I wish I knew the exact statute so this will have to be general….

    I’m thinking of the crypto-export regulations that we finally mostly got rid of at the end of the Clinton administration.

    From a general security and technology perspective they did an amazing amount of damage across all computing. They impacted the security of most US developed software, delayed the adoption of strong encryption algorithms around the world, etc.

    While on the surface not as outrageous at the anti-circumvention portions of the DMCA, they in the end impacted a lot more people and set back the state of secure software more than a decade.

  30. HelplessDancer says

    Hands down, it has to be the Clipper chip.

  31. I’d like to nominate the anti-circumvention measure of the DMCA (Section 1201), and by extension, those same measures from the WIPO treaties.

    1. It was signed into law by Bill Clinton in 1998.

    2. It has directly and indirectly prevented companies from creating archiving software/hardware and multi-format hardware such as combo Blu-Ray & HD-DVD players. It has prevented owners of DRM’ed media from easily and legally archive their paid-for content.

    3. It was unanimously approved by the US senate.

    4. Anyone with experience in the trend in personal computer power and the already well established cracker/hacker culture would certainly have expected a distributed, dedicated, and well informed attack on any form of DRM on popular media. DeCSS came out less than two years after the DMCA was signed into law, surprising no one with experience in software engineering and cryptography.

    5. It is now fairly simple to buy software that will “rip” commercial DVDs. It is even easier (and free) to get them via P2P networks, pre-compressed to fit single layer DVD-Rs or CDs. DVD “rips” regularly come from promotional or “screener” copies, or from sources within the disc duplication houses. And to add insult to injury, both HD-DVD and Blu-Ray DRM have been cracked–though not as completely as standard DVD/CSS. As for other forms of DRM, P2P networks are full of “cracked” software, valid keys and key generating applications. At the same time, people with legitimate copies of software regularly run into problems during installation or migration to new hardware.

    Perhaps the most damning comment comes from the US Copyright Office’s own summary of the DMCA:

    Section 1201 divides technological measures into two categories: measures that prevent unauthorized access to a copyrighted work and measures that preventunauthorized copying of a copyrighted work. Making or selling devices or services that2 are used to circumvent either category of technological measure is prohibited in certain circumstances, described below. As to the act of circumvention in itself, the provision prohibits circumventing the first category of technological measures, but not the second.

    This distinction was employed to assure that the public will have the continued ability to make fair use of copyrighted works. Since copying of a work may be a fair use under appropriate circumstances, section 1201 does not prohibit the act of circumventing a technological measure that prevents copying. By contrast, since the fair use doctrine is not a defense to the act of gaining unauthorized access to a work, the act of circumventing a technological measure in order to gain access is prohibited.

    [Emphasis in original text.]

    So this says: it’s legal to copy for Fair Use as long you don’t break copy protections. I believe this should be renamed to “Hobson’s Fair Use Exemption Clause”.

  32. Oh yeah, and the Communications Decency Act/Child Online Protection Act

    Not that the goals aren’t admirable — no nasty, scary stuff for kids — but it should have been obvious that this way of going about it would not be terribly effective, and would hamper legitimate information access.

  33. USA PATRIOT Act

    Carnivore (may not quite count as policy per se, but…)

  34. So many to choose from. I’ll go with two words:

    Software Patents

  35. Oh that’s easy. Three letters: D R M

  36. How about the requirement that domain registrars give a free trial period on new registrations? Spammers love that one.

  37. HAVA: Help America Vote Act

    Although it’s arguable the DRE technology has not “(5) failed even by the standards of its own supporters.”

  38. I’d like to nominate the German “Hacker paragraph” that for example bruce Schneier referenced (http://www.schneier.com/blog/archives/2007/08/new_german_hack.html).

    1) It was made a law by the German government
    2) It made using a computer in Germany (whether for security or hacking purposes or not) pretty much illegal
    3) It had wide support throughout the society because “someone has to do something against hackers!”
    4) It failed for the fact that under that law even “ping” is a hacker tool, a fact every person that has ever used a computer in Germany knew.
    5) It did nothing at all against “hacking”. It created no arrests or punishments, no hackers were captured. It just wasted everyone’s precious time.