Aspen is very pleasant this year. As every year.

Today's speakers have been discussing child safety. There are a tremendous thrust of efforts on the part of various players to alert parents to the dangers of the Net. Of particular interest is a game called "Missing" in which a child or parent searches for a missing child. My sense: these efforts run up against resistance from busy parents, most of whom see little danger to their children--and for the most part, they are right! The risk remains small. But a small risk of great peril is still significant.

I think the law enforcement end, which is more targeted to predators (perhaps easier to identify and target than "at risk" victims) has more potential. But U.S. culture has a built-in skepticism of targeting. I think that today's security environment in a wide variety of contexts require that to some extent we just get over this; on planes, for example, Israelis focus on finding suspicious people, not suspicious weapons. Here, though, we must all endure scrutiny and the oppression of shampoo and toothpaste, because of our love of equality. Ah well. I digress.

One question which arises in my mind as I consider these efforts;; how do efforts to control risks to children, to protect valuable or private content online, to control phishing, spam, and so on--how do these relate to one another? To what extent would the authentication mechanisms being considered for the next generation of Internet protocols help control a wide subset of security problems? To what extent would some new methods or institutions at the law enforcement end help resolve this whole subset of problems?

This overlap is of particular interest to me because in part the battle over new copyright laws is a battle, not over whether the new content will be secured, but who will pay for the network features needed to secure it? Traditionally, the copyright owner has borne most of the expense. Michael Fricklas of Viacom noted yesterday that the content provider is no longer in the best position to do so cheaply; rather, he argued, the network and equipment providers are. This then raises the separate issue of

whether, if this is true (and the content side might and might not fully understand the cost to tech of all of the changes in their practices that would be needed to secure content) it follows that tech should bear the cost--perhaps rather it means a compromise, that the content providers should pay the tech to make the changes they desire. This in turn raises the question of whether that is still a bad deal for tech, because it entangles them in a lot of interoperability and backwards compatibility questions... an individual tech company may prefer not to go there under circumstances where their competitors are enjoying network effects benefits from more open (and also less secure) platforms.

Anyway, if there is at least some overlap between general security solutions and more particular solutions, the amount of value at stake between the "content side" and the "tech side" is smaller. Some of the costs will be borne by the tech side anyway... the remainder of the problem will be more amenable to negotiation. Or does the resistance of the "tech" side to building in specialized security (DRM) also extent to building in general security?

I suspect that no one knows the answers to these questions, there is such a gap between theory and implementation on all levels. The account above does explain one thing!!! It explains why integrated content and platform providers (hardware or software) such as Apple have such an advantage in this market. They do not need to strategize about how and whether to pass security costs along to somebody else, and who the least cost providers of security is. This, ultimately, may be the answer from the content side; integrate with platforms. The pure networks and tech providers may find themselves left with with the content that no one is willing to pay for.

This is all a lot of speculation. I'll stop now.