|Cops, Robbers and Unintended Consequences:
Why Bounties Won't Make the Net Safer
Microsoft has recently pursued a new tactic to help make ensure security: offering bounties for writers of commercially destructive viruses. But this tactic may end up being a classic illustration of the law of unintended consequenes, because offering bounties may have the perverse effect of not only helping legitimize and create markets for malware, but also creating a self-selection effect, where only the highest quality viruses get released.
Offering a bounty alters the expected cost of writing a virus in an indirect way. It doesn’t change the punishment one expects, but rather, changes the probability of getting caught. Assuming that the costs to writing a virus stay the same – whatever they might be – the expected value of punishment has increased, because it’s now more likely that you will get caught.
But the more obscure effect is that offering a bounty also alters the gains to writing a virus. This happens for two reasons. First, placing a bounty permanently changes the future payoffs to further criminal behavior. Second, offering a bounty sends a signal to the market about a given criminals’ quality.
In short, offering bounties legitimizes markets for criminal services. By legitimizing markets, I mean that bounties help create formal market mechanisms where there were formerly only informal and unreliable means to find counterparties and offer contracts to them. This point is intuitive: virus writers who get a bounty placed on them will have more valuable reputations than virus writers without bounties.
Such market mechanisms naturally create a selection effect. Only the highest quality, least risk-averse virus writers will write viruses to earn a bounty, because the price is steep: the expected value of punishment has increased. Because the price of writing a virus has gone up, virus writers who are risk-averse or simply low quality can’t pay it. So the end result will be a smaller number of more potent viruses.
But that’s not all: building a market mechanism for reputation creates a barrier between outlaws and citizens. Think about the Wild West: why did the institution of bounties help fuel a class of vicious career criminals? One reason is because once a bounty is placed on your head, you’re forever an outlaw. The costs of you living as a law-abiding citizen increase dramatically, because people are trying to catch you. In a sense, bounties remove future choices from past criminals.
The same thing will happen in the online world. A bounty on a virus writer raises the costs of his living as a law-abiding netizen from that moment on. Conversely, we can say that it’s more economic for him to live as an outlaw. So it becomes cheaper for him to write viruses – from the moment the bounty is placed on his head. This dynamic explains why bounties help create criminals.
Neo Vs Agent Smith
Pretend, for a moment, that you are a highly skilled writer of viruses. Given the bounty, your probability of getting caught has increased dramatically – in fact, let’s say that it now stands at 100%. So you know you will be punished. What kind of virus must you write in order to earn benefits commensurate with this high cost? Well, you must write a virus that earns you at least as much in reputation as being punished will cost you.
But strategically, a better move, since you know you will be punished, is to write a virus that earns you the greatest reputation, or the highest bounty. The highest bounty will be placed on viruses that do the greatest amount of commercial damage. So your best strategy is this: write the most destructive virus you can, in order to earn a huge bounty, and thus reputation.
Let’s extend our example. Let’s assume that you know that after writing this virus, a bounty will be placed on your head. This means that you will have already factored into your decision the fact that writing future viruses will be always be cheaper for you than writing viruses now. So you won’t write a virus in the first place, unless you’re confident that you can write future viruses – unless you’re a high quality virus writer.
In other words, we can say that the expected payoff to all the viruses you write has to be greater than the cost of becoming an outlaw. So you’ll only select yourself as a virus writer if you’re confident in your ability as an outlaw. Because once you’ve done so, you change your payoffs and costs to writing viruses permanently.
Basically, a bounty represents the expected future damage from your actions as an outlaw. But offering the bounty itself changes alters incentives on the micro-level: it changes the decision any potential virus writer makes in releasing a virus in two crucial ways. First, your expected payoff to writing viruses more certain now, because bounties enable you to signal your quality or reputation to potential buyers and others. Second, since your reputation is now dependent on the size of your bounty, and it’s cheaper for you to write viruses because you are an outlaw, your best strategy is to keep upping your bounty, by sending signals that you can do more and greater damage in the future. How can you send such signals? By writing more and more destructive viruses.
Furthermore, on the macro-level, offering bounties will enable markets for malware: they will enable buyers and sellers of viruses to come together more efficiently. This means that it will be easier, in the future, to match high-quality virus writers with people who wish to buy their services, such as spammers. This happens because transaction and search costs are reduced. Currently, it takes time and effort to find a skilled virus writer. This is what economists sometimes call the ‘double coincidence of wants’ – in the absence of a functioning market, you’ve got to find someone whose preferences are compatible with your own: not a trivial task. But in an efficient market, finding such a counterparty is trivial: it’s as easy as placing a bid.
In other words, we can say that bounties help offset issues of asymmetrical information. Currently, it’s hard for virus buyers to tell the quality of virus sellers, because there are few efficient signaling mechanisms in the market. But a bounty changes all that: in fact, it’s hard to think of a more efficient third-party signaling mechanism for quality than a bounty, because it represents the future expected damage from a particular virus writer.
Finally, there’s the ethical argument. Offering bounties for virus writers is a slippery slope: what if, tomorrow, Microsoft decides to offer everyone $1000 to inform on their neighbors?
I’ve argued that bounties are a bad tactic if Microsoft’s goal is really to help the Net become a safer place, because bounties change incentives for virus writers to write better viruses, and because bounties create a market mechanism, legitimizing malware markets. Of course, the more tantalizing possibility is that Microsoft’s goal is actually to make the Net an unsafer place, so that it’s push for ‘trusted computing’ gains more credibility and urgency. But that’s a matter for conspiracy theorists.
Recent & upcoming sessions:
Supernova 2007 (video)
the big picture
uhaque (dot) mba2003 (at) london (dot) edu