[Infowarrior] - OpEd: The MS 'net tax'
Richard Forno
rforno at infowarrior.org
Wed Mar 10 13:07:38 UTC 2010
The Charney-Charge: The Health Care Model is Appropriate Framework
Richard Forno
First published on 2010-03-10.
(c) 2010 by author. Permission granted to reproduce with appropriate
credit.
Source URL: http://www.infowarrior.org/articles/ms-net-tax.html
During remarks at last week's RSA conference, Scott Charney,
Microsoft's vice president for Trustworthy Computing, pitched the idea
of a "tax" on Internet usage as a public service fee to help defray
the costs of providing cybersecurity to the public.
(I'll wait for the laughter and howls of disdain to die down. There's
serious commentary ahead!)
While light on details, Charney's proposal - what I refer to as the
'Charney-Charge' - would send taxpayer money to Internet companies to
do things they should be doing already to improve Internet security;
specifically, developing secure and securable products.
"I actually think the health care model ... might be an interesting
way to think about the problem," he said.
Charney picked his words carefully. The health care model -
specifically, health insurance - charges outrageous monthly premiums
yet still retains the right to decide whether or not it will cover a
given ailment or treatment. Customers then are forced to purchase
additional insurance to better protect themselves -- such as what
America's senior citizens do with their prescription drug coverage.
The insurance companies also have (for the moment) antitrust
protections. As a result, their customers are trapped in a bad
situation with limited recourse or ability to improve their position.
That's just how the insurance industry likes it, too. (Note: Charney
did use other health care analogies more appropriately.)
Similar protections exist for technology industry vendors resulting in
similar situations for their customers. Contained in the End-User
License Agreement (EULA) that accompanies software products is a
requirement forcing customers to indemnify the product vendor for any
damages, losses, or incidents arising from their use of that product.
Moreover, since the customer's costs of switching products can be
extraordinary, it's akin to the vendor holding a monopoly over its
customers. Again, customers are trapped in a bad situation with
limited recourse or ability to improve their position. That's just how
the product vendors like it, too.
Unfortunately, history shows that 'good enough' is the unofficial
standard for technology products and services, and that customer
problems, damages, or losses resulting from such standards of quality
-- many of which are preventable -- generally are accepted as the
'price of doing business' in cyberspace. Accordingly, there's no
economic incentive for vendors to accept responsibility for fixing the
products they sell or develop ones that are more resilient and secure.
In the absence of serious product quality, the ability to seek legal
recourse against product vendors, or being compensated for damages or
losses under the terms and conditions of their EULAs, customers are
forced to purchase additional Internet 'insurance' from cybersecurity
vendors to better protect themselves. This, in turn, creates an
artificial need for the cybersecurity industry; an industry that
depends on the continued insecurity of the underlying products and
environment they purportedly 'protect.' The cybersecurity industry
likes this setup since this situation justifies and sustains its
business model.
Customers clearly are the losers in this scenario. As with the health
insurance industry, neither product vendors nor the cybersecurity
industry want patient conditions to improve because it's less
profitable. Sick or sickly people mean revenue; well and healthy ones
don't. Instead, these companies prefer making money through prescribed
tests, chronic treatments, new therapies, and visits by specialists to
diagnose and alleviate the short-term symptoms of their patients'
sickness while ignoring the underlying long-term causes.
In this regard, Charney is correct: the health care model indeed is an
appropriate analogy for use within the cybersecurity community.
Put another way, a product vendor is proposing to extract money from
all Internet users to compensate itself for fixing problems it is
under no obligation to fix anyway given the insidious nature of EULAs
and a constrained marketplace environment for its customers. In
essence, this is a proposed (and stealthy) profit windfall for the
Internet industry being marketed as something necessary for improving
public safety in cyberspace: by taxing everyone, the cybersecurity
costs become socialized while the profits are privatized, and the
business models of the product vendors and cybersecurity industry
remain intact. After all, it works for the health insurance industry!
In fairness, Charney's idea for a net-tax may be a red herring
intended to foster discussion on innovative ways of addressing (or
even fixing) national cybersecurity problems. However, such a proposal
not only is arrogant and irresponsible in its purpose but also shifts
the accountability for cybersecurity problems into the abstract and
away from the specific. Such an idea coming from Microsoft should come
as no surprise given that the company's products are responsible for
many of the major cybersecurity problems in recent years. Therein lies
another of the absurdities regarding this proposal.
If Microsoft, or any vendor, wants a proposal for a "net tax" to help
offset the costs of implementing better public cybersecurity to be
taken seriously, the company first must change its EULAs to accept
legal and financial responsibility for its product quality. To
continue the health care analogy, customers then would be free to file
malpractice suits against - and seek compensation from - product
vendors who are negligent and endanger their customers' cyber-health
and well-being.
Otherwise, there's another word for the Charney-Charge if it ever gets
enacted -- extortion.
# # #
Richard Forno is a Washington, DC-based security researcher.