Prof. Jim Gibson, University of Richmond School of Law
May 1, 2009

Given a choice, which would you prefer:  A world in which it is easier to encrypt information than to decrypt it?  A world in which decryption is easier than encryption?  A world in which the two stand in a cost/benefit equipoise?

When the question is put like that, the answer seems to depend on how we weigh certain core values.  For example, if we prefer privacy over order, we might prefer the first world.  If we value order more than privacy, perhaps the second world is more to our liking.

As it happens, we live in the first world.  Modern encryption technology is cheap, widely available, and nearly unbreakable (when compared to its decryption counterparts).  Yet we did not arrive at this state of affairs because we affirmatively decided as a society that we prefer the first world.  We arrived here because encryption happens to be easier to achieve than decryption.  That’s simply the way the technology works out.  It’s a creature of happenstance.

Of course, more purposeful forces can and do influence the state of technology.  The law is one such force: having been presented with the state of encryption technology, we could try to shift from the first world to the second by outlawing the use of encryption.  The market is another force: a promising or badly needed technology will attract more research dollars, increasing the chances of invention.

But in an important sense technology is prior to these other forces.  We would need no legal response to encryption were it not for the fact that encryption exists in the first place, and is cheaper than decryption.  And all the market demand in the world will not create cheap, foolproof decryption if the technology simply isn’t there to be discovered.

I offer this observation because public debates about regulation of technology often devolve into one side accusing the other of interfering in some natural technological order.  “Hands off the Internet,” say the opponents of net neutrality legislation, as if Internet technology is governed by an invisible hand that will quietly set things right as long as the government stays away.  There is such an invisible hand in the marketplace; there are known conditions under which interfering in the market will do more harm than good.  But with technology, there is no such mechanism even in theory, and laissez faire carries no weight as a general principle.

As another example, consider digital rights management (“DRM”), the technology that copyright owners use to protect their works from unauthorized use.  In 1998, Congress passed the Digital Millennium Copyright Act, which (among other things) made it illegal to hack through any DRM that protects a copyrighted work.

The DMCA has been rightly criticized on several grounds, but there is nothing wrong with the idea of regulating DRM technology per se—nothing sacred about the unregulated world that would exist without legislation.  If we don’t regulate DRM, then digital architecture becomes a Wild West of technological one-upmanship, a competition between protecting and hacking.  If it is easier to enclose than liberate, copyright owners prevail, and public entitlements fall by the wayside.  If it is easier to liberate than enclose (as it probably is), hackers prevail, and private incentive is undermined.

As with encryption, then, we need to ask ourselves what world we want to live in.  If we think that protection does more good than hacking, then DMCA-like legislation has some theoretical merit.  If we like hacking more than protection, then not only would we oppose the DMCA, but we might also go so far as to use the law to privilege hacking—e.g., by forbidding certain types of DRM.

Whatever our preference, there is no reason to think that an absence of regulation necessarily gets us there.  As Larry Lessig famously pointed out, technology is not the market.  If we leave technology alone, there’s no reason to believe (even in theory) that it will produce a socially optimal allocation of goods and distribution of wealth.

Even in a world of “perfect” technological competition, where the hackers and the protectors have the same resources and are equally unconstrained by legal regulation, the result of their battle may not increase social welfare.  Sometimes protection technologies will prevail (the encryption example) and sometimes penetration technologies will prevail (the DRM example).  In either case, after the dust settles we must determine whether the state of technology accords with our policy preferences.  If it does not, then regulation is a real possibility.

In closing, let me make it clear that I am not saying that regulating technology is always the answer.  Here an analogy to the market is appropriate: even when the market fails to produce an optimal allocation of property and proceeds, government regulation might not do better.  The same is true of technology: it may give us a world we don’t like, but regulating it might be even worse.

My point is simply that we err when we assume that technology naturally evolves in any socially beneficial way.  When it does, great.  But when it does not, there is at least a case for (considering) regulation of technology.

Comments From Our Readers

Stephen Hinkle: I beleive that DRM and encryption should not be viewed as fool-proof, as history has shown they can and will continue to be defeated.
If you look, almost every DRM from disk protection back in the 1980s to the software license checks over the LAN in the 1990s to BluRay discs in the
late 2000s have been cracked!   A determined freeware, open source, or
hacker will often go to great lengths to crack DRM and eventually succeed.

Next, regulating technologies idea is very bad, too.   I think that we
should not create an enviornment in which the biggest companies have more rights to innovate over the paesants.  After all, many inventions start out small before they are mass marketed.  More importantly, I think we should not give the media industry more ownership rights to control our computers and other devices than the owners of the devices have.  This is why I beleive that we must keep innovation open, and preserve fair use in the digital realm, even if it is not the most profitable for the biggest companies.

Fred von Lohmann: I agree with this insight — those who favor less regulation (whether of technology, markets, whatever) need to have a story to tell about why that state is preferable. And I happen to have written on that topic, as have Tim Wu, and many others. There’s a pretty rich body of work about why regulation of new technologies is frequently a bad idea, and how important the *timing* of regulation can be.

I will also point out another important example of how changes in technology changed the policy environment — the fact that computers rely on copying vasty extended the reach of copyright. So the debate here is not simply about justifying your view on DRM. It also must ask for a justification of the current shape of copyright as applied to digital technologies. Should we treat every operation of a computer as a copyright relevant event?