Earlier this week I testified at a New Jersey General Assembly hearing on Internet security. In my testimony I cautioned lawmakers about the unintended consequences of any legislative response to dangers posed by new technologies and suggested ways to make new laws more effective.
First of all, lawmakers need to understand that e-commerce companies take security very seriously. Customer trust is hard to win, easy to lose, and often impossible to regain. If customers don’t feel safe shopping on the Internet they won’t become customers in the first place.
Lawmakers must also understand that new technology doesn’t create criminal behavior. For example, "phishing" for personal information started way back when our most advanced communications device was the ordinary telephone. These days careless consumers are still giving up sensitive personal information in response to emails from people they don’t know. That’s hardly the fault of the Internet, the telephone, or any other new technology. It’s just a matter of criminals taking advantage of human nature.
As a firm believer in the benefits of the Internet, I often feel like that little boy who was asked why he was digging through a huge pile of horse manure and responded with a smile, "Well there must be a pony in here somewhere."
Lawmakers need to understand that e-commerce, instant communication, and global information sharing are worth digging for. To help them do that I offer a simple three-part formula: consumer education, industry responsibility, and law enforcement.
Government and industry have a shared responsibility to educate consumers about online risks and encourage the use of security and fraud prevention tools. Nobody wants their children talking to strangers on the street or online.
Industry has a responsibility to cooperate with law enforcement and to provide customers with the tools they need to be safe on the Internet.
Government has a responsibility to provide the resources necessary to enforce existing laws and carefully craft new laws where necessary.
The key word is "carefully." Criminals who violate existing laws are just as likely to violate new laws. Anti-spam regulations are a perfect example. Legitimate companies pay big bucks to comply, while criminals go right on clogging the system with spam.
If new laws are needed, I suggest that legislators follow three simple rules to avoid unintended consequences.
Rule number one – regulate behavior, not technology.
New technology isn’t the problem, it’s how people use that new technology. For example, legislators need to understand that the same technology that enables bad things like spyware and adware is also behind good things like virus scanning, firewalls, instant messaging, authentication systems, and parental controls.
Rule number two – don’t smother the Internet under a patchwork quilt of conflicting state laws.
State laws regulating the Internet are a lot like snowflakes. Each is a wonder to behold. No two are exactly the same. And just like snowflakes, these laws can make a mess when too many of them accumulate. Especially when one state’s regulation conflicts with other states, and a multi-state e-commerce business simply can’t comply with them all.
Rule number three — watch out for special interest legislation:
In a rapidly changing marketplace it is always tempting for old business models to seek new regulations that restrict online competition.