<body><pre>
Monoculture, Liability, Certification
Ed Felten

Proposition: If everybody uses the same OS / browser / wordprocessor,
             security will suffer
  - attacks spread more easily
  - analogy to agriculture

What does security economics tell us about monoculture?
  - compatibility for legitimate purposes
  - compatibility for malware, attacks
  - Issue is compatibility, not number of products or vendors.
  - In principle, monoculture could be efficient, even if it's less secure
  - both positive and negative externalities, hard to tell which
    is bigger
  
Liability
  One approach to under-investment problem is to establish
  liability rules.
    
  Lowest-cost-avoider principle: if Alice can prevent the harm
  at a cost of 1, and Bob at a cost of 2, then Alice should be
  liable.

  Risk and Insurance
  -- control practices by adjusting premium on users
  -- work only for large attacks, "uninsured motorist" problem

  User liability vs. Vendor Liability

  Due care requirements
    - requirement for vendors
    - requirement for consumers
  Where do requirements come from?

Certification
  Idea is to mandate a minimum quality level
    - criteria lag state of knowledge
    - regulatory capture, certification used as a barrier
      to entry, to protect from competition

Privacy
  - right to be free of unwanted observation
  - right to control how data about you is used
  - right to make choices

</pre></body>
