Over on the ongoing comment thread about IT Security: Unnatural Industry (which started on Schneier on Security and is also on Spire Security Viewpoint and 1 Raindrop), Pete Lindstrom asked a question I hadn’t yet answered:
Why didn’t people sue their banks for fraud? Why did congress need to write a law about behaviour that is already covered by contract law and fraud?
Well, I think that’s mostly a question about personalities, customs, and precedents.
I was involved in one of the first-ever lawsuits against a spammer, way back in 1997. We won. (I was co-owner of Zilker Internet Park, a local ISP in Austin, Texa.) We used nothing but existing laws. For years I tried to convince people that we didn’t really need anti-spam laws, because anti-fraud laws, contract law, etc. were sufficient. Few people listened. It took the badly flawed CAN-SPAM Act of 2003 before any big cases against spammers were pursued and won. No, that hasn’t wiped out spam, but it has perhaps helped keep it from growing as much. And it has helped people realize that containing spam is going to be very difficult as long as there are inherently insecure OSes out there, especially when one of them is a monoculture.
Now that there are laws saying automobiles have to have seat belts, there is still an aftermarket for seatbelts (and mirrors, and reflectors, etc.). Yet most cars have seat belts already installed, and that means more people use them.
Speaking of banks, yesterday Adam noted on Emergent Chaos that Standard Life Investments publicly admitted a breach, even though there are no disclosure laws in the U.K. He says:
I’ve said before that there’s a new standard out there, even ahead of the laws. It requires owning up to mistakes, and doing so promptly.
I wanna be clear on something: customers prefer it that way. Every customer impacted knew about it (they got someone else’s bank statement.) I bet fewer than 15 leave.
— Disclosure in The UK, by Adam Shostack, Emergent Chaos, 9 May 2007
Once people, especially customers, come to expect something, companies may do it without even being sued or having laws about it.
But people, for all their pride in individuality, are strongly influenced by what everybody else does. There seems to be a lot of psychological research about this; see Stanley Milgram’s experiments, for example. If everybody expects that companies will stonewall on breaches and never say a word, then everybody will let companies get away with that. If expectations change, companies can change.
What changes expectations? Well, one thing that does is laws. Even a law in a different country can change expectations locally.
Another is high profile people saying that something is possible. Bruce Schneier is no stranger to that process. For example, he was a co-author (as was I) of Dan Geer’s paper CyberInsecurity: The Cost of Monopoly" of 2003. I distinctly remember that before that paper Microsoft’s monopoly and the monoculture of software it produces was just not discussed in polite company. Now everybody talks about it. This increases the possibility that something might be done about it.
It appears that Bruce is doing the same thing again. Maybe that’s why he’s a thought leader.