by Jon Udell

Tragedy of the network commons

analysis
Jul 30, 2004 | 3 min read

Effective security and identity management hinge on user behavior, not just technology

A recent survey found that 75 percent of Dartmouth students have shared their network passwords. “They like having people who know their password,” explained Denise Anthony, a sociologist who spoke at the PKI summit conference I attended earlier this month. “They like having someone who can check their e-mail for them or log them in to places where they’re supposed to be.” The latter scenario echoes a recent New York Times story about cell phone users who form “alibi clubs” — that is, ad-hoc networks of people who “help each other skip work, get out of dates, or give a loved one the slip.”

The conference began with a series of talks by PKI experts at a number of universities: Virginia, Wisconsin, Texas, MIT. Their PKI deployment stories were fascinating. Jim Jokl, an IT director at Virginia, described a clever workaround for the thorny problem of checking for revoked certificates. They partition the CRL (certificate revocation list) so that applications need not download an unwieldy combined list. Barry Ribbeck, who directs systems integration for the University of Texas Health Science Center at Houston, showed a great implementation of Web access control. By placing just three lines of JSP code at the top of any Web page or template, UTHSC-H’s developers can invoke either certificate-based or username/password (LDAP) authentication. Jeff Schiller, MIT’s network manager, talked about the heroic efforts required to issue client certificates to a diverse population of browsers.
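The partitioned-CRL idea deserves a concrete sketch. The following is an added example, not the University of Virginia code or any code from this column; it assumes a constructed scheme in which the CA splits its revocation list into a fixed number of partitions keyed by certificate serial number, so a relying party fetches only the one small partition that could list the certificate it is checking. The "fetch" is a dictionary lookup standing in for an HTTP GET of a per-partition distribution point, and the partition count, the hashing rule and the one-day validity are all assumptions for illustration.

```python
"""Partitioned CRL lookup (constructed example, not a real deployment).

A verifier maps a certificate's serial number to one partition, fetches
and caches that partition, and honours its nextUpdate: a partition that
has expired is refetched, and if the CA has not republished it the
answer is "unknown", not "good". Failing open on a stale list would make
the revocation check decorative.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NUM_PARTITIONS = 16  # assumption: a fixed count published by the CA


def partition_for_serial(serial: int) -> int:
    """Map a serial to the partition that would list it.

    Using the low bits spreads consecutive serials across partitions so
    no single partition grows much faster than the others.
    """
    return serial % NUM_PARTITIONS


@dataclass
class CrlPartition:
    index: int
    this_update: datetime
    next_update: datetime
    revoked: set[int] = field(default_factory=set)


class PartitionedCrlIssuer:
    """CA side: one revocation list per partition."""

    def __init__(self, now: datetime, validity: timedelta = timedelta(days=1)):
        self.partitions = {
            i: CrlPartition(i, now, now + validity) for i in range(NUM_PARTITIONS)
        }

    def revoke(self, serial: int) -> None:
        self.partitions[partition_for_serial(serial)].revoked.add(serial)

    def publish(self, index: int) -> CrlPartition:
        # Stands in for serving the partition at its own distribution point.
        return self.partitions[index]


class PartitionedCrlVerifier:
    """Relying party: fetches only the partition it needs, caches it."""

    def __init__(self, issuer: PartitionedCrlIssuer):
        self.issuer = issuer
        self.cache: dict[int, CrlPartition] = {}
        self.fetches = 0  # counts partition downloads, to show the saving

    def _partition(self, index: int, now: datetime) -> CrlPartition:
        part = self.cache.get(index)
        if part is None or part.next_update <= now:
            part = self.issuer.publish(index)
            self.fetches += 1
            self.cache[index] = part
        return part

    def status(self, serial: int, now: datetime) -> str:
        part = self._partition(partition_for_serial(serial), now)
        if part.next_update <= now:
            # Fail closed: an expired partition says nothing about today.
            return "unknown"
        return "revoked" if serial in part.revoked else "good"


def example_scenario() -> dict:
    """Constructed run: two revoked serials, three checks, then a stale check."""
    t0 = datetime(2004, 7, 30, tzinfo=timezone.utc)
    issuer = PartitionedCrlIssuer(t0)
    issuer.revoke(1000)  # partition 8
    issuer.revoke(1016)  # also partition 8, so it comes from the cache
    verifier = PartitionedCrlVerifier(issuer)
    soon = t0 + timedelta(hours=1)
    result = {
        "s1000": verifier.status(1000, soon),
        "s1001": verifier.status(1001, soon),  # partition 9, not revoked
        "s1016": verifier.status(1016, soon),
        "fetches_after_three_checks": verifier.fetches,
        "s1000_two_days_later": verifier.status(1000, t0 + timedelta(days=2)),
    }
    return result


if __name__ == "__main__":
    print(example_scenario())
```

Three checks cost two partition downloads instead of the whole CRL, and the last check shows the caveat that partitioning does not remove: freshness still has to be enforced per partition, or a client that cached a partition before a revocation will keep accepting the revoked certificate.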

Professor Anthony’s talk was dramatically different and showed why it was a really smart move to attach a sociologist to Dartmouth’s PKI research group. As security technologists, we’re easily dazzled by our shiny cryptographic swords. But while we’re brandishing our swords, our users — like Indiana Jones in that famous scene from Raiders of the Lost Ark — might simply pull out their guns and shoot us. Better security protocols alone can’t thwart such game-changing behavior. We need to understand what motivates the behavior and figure out which carrots and sticks will influence it.

It’s a given that most people take the path of least resistance. So, for example, two-thirds of Dartmouth students never change their passwords during their four years of enrollment. And most reuse their internal passwords for external sites such as The New York Times and Amazon.com. How do they perceive the risk associated with such behavior? According to Anthony, it’s a tragedy of the commons. The network is a collective resource, but people connected to the network feel that they’re consuming a private good. Their subjective view, she says, is this: “I’m in my office. I’m using my computer. It doesn’t feel like I’m part of a group. I don’t recognize how my behavior affects you.”

That insight can help us design the right carrots and sticks. The carrot must appeal to selfish interest. Many of these universities are now rolling out hardware-assisted authentication. Will students regard USB tokens as personal property that they will share less willingly than abstract name/password credentials? In a couple of years, we’ll know the answer.

An effective stick might be a virtual wall of shame listing the names of polluters of the commons. At universities, of course, senior faculty might show up on that list, just as senior executives would surface in corporate settings. Social engineering, in the literal sense of shaping the behavior of a community, may be necessary, but it won't be easy.