Internet Security Without Law: How Service Providers Create Order Online
Computer viruses cause a great deal of harm. They steal money from users’ bank accounts, distribute spam email from infected machines, and self-organize into botnets that can be used to temporarily overwhelm websites and other servers. Undesirable though these malicious programs may be, they are also costly to avoid, detect, and deter. Because costs are imposed both by the malicious programs themselves and by their abatement, economic analysis needs to be brought to bear to determine the kinds of policy responses that may be appropriate. Some authors have attempted to do this.
In one important paper on the subject, Lichtman and Posner argue that recent trends in the courts and Congress toward complete immunity for Internet service providers (ISPs) for their role in the propagation of malicious computer code (malware) are economically inefficient. They argue that ISPs should face indirect liability for the damage caused by malware, both on policy grounds and by tort law principles. Although their argument is otherwise very thorough, it omits the fascinating role of informal institutions among ISPs that have arisen to deal with the problem of malware.
This omission is significant but understandable. Conventional economic analysis has often assumed that the legal system is formal and monocentric, that law is made explicitly and solely by the government. Increasingly, many economists and legal scholars have recognized that this assumption is unwarranted. They have begun to study the ways in which informal, nonstate institutions govern individual behavior. These informal institutions carry out the functions of formal legal systems—they establish and enforce rules for the prevention, punishment, and redress of harms—even as they lack formal systems’ threat of violence as an enforcement mechanism.
I argue that the informal institutions that enforce network security norms between ISPs are more efficient than the hypothetical formal legal regime Lichtman and Posner propose. Indeed, because formal and informal enforcement of security norms are substitutes, not complements, the formal legal system’s neglect of ISPs is not merely benign but has also helped the Internet to flourish. The paper proceeds as follows. In the next section, I discuss Lichtman and Posner’s argument and the underlying conventional theory in more detail. In section three, I document the informal rules and enforcement mechanisms that limit the propagation of malware on the Int