CyberInsecurity: The Cost of Monopoly
How the Dominance of Microsoft's Products Poses a Risk to Security
Table of Contents
- 1. Author Listing
- 2. Introduction by Computer & Communications Industry Association (CCIA)
- 3. CyberInsecurity Report
- 4. Biographies of Authors
Authors of the report
Daniel Geer, Sc.D -- Chief Technical Officer, @Stake
Charles P. Pfleeger, Ph.D -- Master Security Architect, Exodus Communications, Inc.
Bruce Schneier -- Founder, Chief Technical Officer, Counterpane Internet Security
John S. Quarterman -- Founder, InternetPerils, Matrix NetSystems, Inc.
Perry Metzger -- Independent Consultant
Rebecca Bace -- CEO, Infidel
Peter Gutmann -- Researcher, Department of Computer Science, University of Auckland
Introduction by Computer & Communications Industry Association
No software is perfect. This much is known from academia and every-day experience. Yet our industry knows how to design and deploy software so as to minimize security risks. However, when other goals are deemed more important than security, the consequences can be dangerous for software users and society at large.
Microsoft's efforts to design its software in ever more complex ways so as to illegally shut out efforts by others to interoperate or compete with their products have succeeded. The monopoly product we all now rely on is thus both used by nearly everyone and riddled with flaws. A special burden rests upon Microsoft because of this ubiquity of its product, and we all need to be aware of the dangers that result from reliance upon such a widely used and essential product.
CCIA warned of the security dangers posed by software monopolies during the US antitrust proceeding against Microsoft in the mid and late 1990's. We later urged the European Union to take measures to avoid a software "monoculture" that each day becomes more susceptible to computer viruses, Trojan Horses and other digital pathogens.
Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier.
CCIA and the report's authors have arrived at their conclusions independently. Indeed, the views of the authors are their views and theirs alone. However, the growing consensus within the computer security community and industry at large is striking, and has become obvious: The presence of this single, dominant operating system in the hands of nearly all end users is inherently dangerous. The increased migration of that same operating system into the server world increases the danger even more. CCIA is pleased to have served as a catalyst and a publisher of the ideas of these distinguished authorities.
Over the years, Microsoft has deliberately added more and more features into its operating system in such a way that no end user could easily remove them. Yet, in so doing, the world's PC operating system monopoly has created unacceptable levels of complexity in its software, in direct contradiction of the most basic tenets of computer security.
Microsoft, as the US trial record and experience has shown, has added these complex chunks of code to its operating system not because such programming complexity is necessary, but because it all but guarantees that computer makers, users and consumers will use Microsoft products rather than a competitor's.
These competition-related security problems have been with us, and getting worse, for years. The recent spate of virus attacks on the Internet is one more sign that we must realize the danger we are in. The report CyberInsecurity -- The Cost of Monopoly is a wake-up call that government and industry need to hear.
September 24, 2003
CYBERINSECURITY: THE COST OF MONOPOLY
HOW THE DOMINANCE OF MICROSOFT'S PRODUCTS POSES A RISK TO SECURITY
Computing is crucial to the infrastructure of advanced countries. Yet, as fast as the world's computing infrastructure is growing, security vulnerabilities within it are growing faster still. The security situation is deteriorating, and that deterioration compounds when nearly all computers in the hands of end users rely on a single operating system subject to the same vulnerabilities the world over.
Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform.
The impact on security of this lock-in is real and endangers society. Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture. Efforts by Microsoft to improve security will fail if their side effect is to increase user-level lock-in. Microsoft must not be allowed to impose new restrictions on its customers -- imposed in the way only a monopoly can do -- and then claim that such exercise of monopoly power is somehow a solution to the security problems inherent in its products. The prevalence of security flaws in Microsoft's products is an effect of monopoly power; it must not be allowed to become a reinforcer.
Governments must set an example with their own internal policies and with the regulations they impose on industries critical to their societies. They must confront the security effects of monopoly and acknowledge that competition policy is entangled with security policy from this point forward.
The threats to international security posed by Windows are significant, and must be addressed quickly. We discuss here in turn the problem in principle, Microsoft and its actions in relation to those principles, and the social and economic implications for risk management and policy. The points to be made are enumerated at the outset of each section, and then discussed.
1. THE PROBLEM IN PRINCIPLE
To sum up this section:
- Our society's infrastructure can no longer function without computers and networks.
- The sum of the world's networked computers is a rapidly increasing force multiplier.
- A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks; these attacks can and do cascade.
- This susceptibility cannot be mitigated without addressing the issue of that monoculture.
- Risk diversification is a primary defense against aggregated risk when that risk cannot otherwise be addressed; monocultures create aggregated risk like nothing else.
- The growth in risk is chiefly amongst unsophisticated users and is accelerating.
- Uncorrected market failures can create and perpetuate societal threat; the existence of societal threat may indicate the need for corrective intervention.
Computing is essential to industrialized societies. As time passes, all societal functions become more deeply dependent on it: power infrastructure, food distribution, air traffic control, emergency services, banking, telecommunications, and virtually every other large scale endeavor is today coordinated and controlled by networked computers.
Attacking national infrastructures is also done with computers -- often hijacked computers. Thus, threats to computing infrastructures explicitly and inherently risk harm to those very societies in proportion to those societies' dependence on them. A prior history of catastrophe is not required to make such a finding. You should not have to wait until people die to address risks of the scale and scope discussed here.
Regardless of where or how it is used, computing increases the capabilities and the power of those who use it. Using strategic or military terminology that means what it sounds like, computing is a "force multiplier" to those who use it -- it magnifies their power, for good or ill. The best estimates of the number of network connected computers show an increase of 50% per year on a worldwide basis. By most general measures what you can buy for the same amount of money doubles every eighteen months ("Moore's Law"). With a conservative estimate of a four year lifetime for a computer -- in other words, consumers replace computers every four years on average -- the total computing power on the Internet therefore increases by a factor of 2.7 per annum (or doubles every 10 months). If a constant fraction of computers are under threat of misuse, then the force available to misusers will thus double every 10 months.
In other words, the power available to misusers -- computer hackers, in popular parlance -- is rising both because what they can buy grows in power per dollar spent and because the total number of networked computers grows, too. Note also that this analysis does not even include attacks enabled by storage capacity, which doubles in price-performance twice as fast as CPU (doubles every nine months rather than eighteen).
Internetworked computing power makes communication feasible. Communication is of such high value that it has been the focus of much study and much conjecture and not just recently. For one-way broadcast communication, the value of the network itself rises proportionally to N, the potential number of listeners ("Sarnoff's Law"). By way of example, advertisers pay for television time in rough proportion to the number of people viewing a given program.
For two-way interactive communications -- such as between fax machines or personal email -- the value of the network rises proportionally to N^2, the square of the potential number of users ("Metcalfe's Law"). Thus, if the number of people on email doubles in a given year, the number of possible communications rises by a factor of four.
Growth in communications rises even more when people can organize in groups, so that any random group of people can communicate with another. Web pages, electronic mailing lists and online newsgroups are good examples of such communications. In these cases, the value of the network rises proportionally to 2^N, the potential number of groups being an exponential growth in N ("Reed's Law").
Assume for now that the Internet is somewhere between the Metcalfe model, where communications vary according to the square of the number of participants (N^2), and the Reed model, where communications vary according to two raised to the Nth power (2^N).
If we make this assumption, then the potential value of communications that the Internet enables will rise somewhere between 1.5^2 = 2.3 and 2^1.5 = 2.8 times per annum. These laws are likely not precisely accurate. Nonetheless, their wide acceptance and historic record show that they are good indicators of the importance of communication technology.
To extend this simple mathematical model one final step, we have assumed so far that all communications are good, and assigned to the value of the network a positive number. Nonetheless, it is obvious that not all communications (over computer networks, at least) are positive. Hackers, crackers, terrorists and garden-variety criminals use the network to defraud, spy and generally wreak havoc on a continual basis. To these communications we assign a negative value.
The fraction of communications that has positive value is one crucial measure, and the absolute number of negative communications is another. Both are dependent on the number of networked devices in total. This growth in the number of networked devices, however, is almost entirely at the "edges" of networked computing -- the desktop, the workstation, the home, the embedded system, the automated apparatus. In other words, the growth in "N" is not in the core infrastructure of the Internet where highly trained specialists watch over costly equipment with an eye towards preventing and responding to attacks. Growth, rather, is occurring mostly among ordinary consumers and non-technical personnel who are the most vulnerable to illegal intrusions, viruses, Trojan horse programs and the like. This growth at the periphery, furthermore, is accelerating as mobile, wireless devices come into their own and bring with them still more vulnerabilities.
Viruses, worms, Trojan horses and the like permit malicious attackers to seize control of large numbers of computers at the edge of the network. Malicious attackers do not, in other words, have to invest in these computers themselves -- they have only to exploit the vulnerabilities in other people's investments.
Barring such physical events as 9/11, an attack on computing is a set of communications that take advantage of latent flaws already then present in those computers' software. Given enough knowledge of how a piece of software works, an attacker can force it to do things for which it was never designed. Such abuse can take many forms; a naturalist would say that attacks are a broad genus with many species. Within this genus of attacks, species include everything from denial of service, to escalation of authority, to diversion of funds or data, and on. As in nature, some species are more common than others.
Similarly, not all attacks are created equal. An annoying message that pops up once a year on screen to tell a computer user that he has been infected by Virus XYZ is no more than that: an annoyance. Other exploitations cost society many, many dollars in lost data, lost productivity and projects destroyed from data crashes. Examples are many and familiar, including the well known ILOVEYOU, NIMDA, and Slammer attacks, not to mention taking over users' machines for spamming, porn distribution, and so forth.
Still other vulnerabilities, though exploited every day and costing society substantial sums of time and money, seldom appear in the popular press. According to London-based computer security firm mi2g Ltd., malicious software inflicted as much as $107 billion in global economic damage this year. It estimates that the SoBig worm, which helped make August the costliest month in terms of economic damage, was responsible for nearly $30 billion in damage alone.1
For an attack to be a genuine societal-scale threat, either the target must be unique and indispensable -- a military or government computer, authoritative time lookup, the computer handling emergency response (911) calls, airport flight control, say -- or the attack must be one which once triggered uncontrollably cascades from one machine to the next. The NIMDA and Slammer worms that attacked millions of Windows-based computers were examples of such "cascade failure" -- they spread from one to another computer at high rates. Why? Because these worms did not have to guess much about the target computers because nearly all computers have the same vulnerabilities.
Unique, valuable targets are identifiable so we, as a society, can concentrate force around them. Given enough people and training (a tall order to be sure), it is possible to protect the unique and core assets. Advanced societies have largely made these investments, and unmitigated failures do not generally occur in these systems.
Not so outside this core: As a practical and perhaps obvious fact, the risk of cascade failure rises at the edges of the network where end users are far more likely to be deceived by a clever virus writer or a random intruder. To put the problem in military terms, we are the most vulnerable when the ratio of available operational skill to available force multiplication is minimized and thus effective control is weakest. Low available skill coupled to high potential force multiplication is a fair description of what is today accumulating on the periphery of the computing infrastructures of every advanced nation. In plainer terms, the power on the average desktop goes up very fast while the spread of computers to new places ensures the average skill of the user goes down. The average user is not, does not want to be, and should not need to be a computer security expert any more than an airplane passenger wants to or should need to be an expert in aerodynamics or piloting. This very lack of sophisticated end users renders our society at risk to a threat that is becoming more prevalent and more sophisticated.
Regardless of the topic -- computing versus electric power generation versus air defense -- survivability is all about preparing for failure so as to survive it. Survivability, whether as a concept or as a measure, is built on two pillars: replicated provisioning and diversified risk. Replicated ("redundant") provisioning ensures that any entity's activities can be duplicated by some other activity; high availability database systems are such an example in computing just as backup generators are in electric power. The ability of redundant systems to protect against random faults is cost effective and well documented.
By contrast, redundancy has little ability to protect against cascade failure; having more computers with the same vulnerabilities cannot help if an attack can reach them all. Protection from cascade failure is instead the province of risk diversification -- that is, using more than one kind of computer or device, more than one brand of operating system, which in turn assures that attacks will be limited in their effectiveness. This fundamental principle assures that, like farmers who grow more than one crop, those of us who depend on computers will not see them all fail when the next blight hits. This sort of diversification is widely accepted in almost every sector of society from finance to agriculture to telecommunications. In the broadest sense, economic diversification is as much the hallmark of free societies as monopoly is the hallmark of central planning. Governments in free market societies have intervened in market failures -- preemptively where failure would be intolerable and responsively when failure had become self-evident.
In free market economies as in life, some failure is essential; the "creative destruction" of markets builds more than it breaks. Wise governments are those able to distinguish that which must be tolerated as it cannot be changed from that which must be changed as it cannot be tolerated. The reapportionment of risk and responsibility through regulatory intervention embodies that wisdom in action. If governments are going to be responsible for the survivability of our technological infrastructure, then whatever governments do will have to take Microsoft's dominance into consideration.
To sum up this section:
- Microsoft is a near-monopoly controlling the overwhelming majority of systems.
- Microsoft has a high level of user-level lock-in; there are strong disincentives to switching operating systems.
- This inability of consumers to find alternatives to Microsoft products is exacerbated by tight integration between applications and operating systems, and that integration is a long-standing practice.
- Microsoft's operating systems are notable for their incredible complexity and complexity is the first enemy of security.
- The near universal deployment of Microsoft operating systems is highly conducive to cascade failure; these cascades have already been shown to disable critical infrastructure.
- After a threshold of complexity is exceeded, fixing one flaw will tend to create new flaws; Microsoft has crossed that threshold.
- Even non-Microsoft systems can and do suffer when Microsoft systems are infected.
- Security has become a strategic concern at Microsoft but security must not be permitted to become a tool of further monopolization.
Near-monopoly dominance of computing by Microsoft is obvious beyond the findings of any court. That percentage dominance is at peak in the periphery of the computing infrastructure of all industrial societies. According to IDC, Microsoft Windows represented 94 percent of the consumer client software sold in the United States in 2002.2 Online researcher OneStat.com estimates Microsoft Windows' market share exceeds 97 percent.3 Its Internet Explorer and Office Suite applications share similar control of their respective markets. The tight integration of Microsoft application programs with Microsoft operating system services is a principal driver of that dominance and is at the same time a principal driver of insecurity. The "tight integration" is this: inter-module interfaces so complex, undocumented, and inaccessible as to (1) permit Microsoft to change them at will, and thus to (2) preclude others from using them such as to compete.
Tight integration of applications and operating system achieves user lock-in by way of application lock-in. It works. The absence of published, stable exchange interfaces necessary to enable exchange of data, documents, structures, etc., enlists such data, documents, or structures as enforcers of application lock-in. Add in the "network effects," such as the need to communicate with others running Microsoft Office, and you dissuade even those who wish to leave from doing so. If everyone else can only use Office then so must you.
Tight integration, whether of applications with operating systems or just applications with each other, violates the core teaching of software engineering, namely that loosely-coupled interfaces make maintenance easier and life-cycle costs lower. Academic and commercial studies supporting this principle are numerous and long-standing.
Microsoft well knows this; Microsoft was an early and aggressive promoter of modular programming practices within its own development efforts. What it does, however, is to expressly curtail modular programming and loose-coupling in the interfaces it offers to others. For whatever reason, Microsoft has put aside its otherwise good practices wherever doing so makes individual modules hard to replace. This explains the rancor over Prof. Ed Felten's Internet Explorer removal gadget just as it explains Microsoft's recent decision to embed the IE browser so far into their operating system that they are dropping support for IE on the Macintosh platform. Integration of this sort is about lock-ins through integration too tight to easily reverse buttressed by network effects that effectively discourage even trying to resist.
This integration is not the norm and it is not essential. Just limiting the discussion to the ubiquitous browser, it is clear that Mozilla on Linux or Safari on Macintosh are counter-examples: tight integration has no technical necessity. Apple's use of Safari is particularly interesting because it gets them all the same benefits that Microsoft gets from IE (including component reuse of the HTML rendering widget), but it's just a generic library, easy to replace.4 The point is that Microsoft has performed additional, unnecessary engineering on their products with the result of making components hard to pull out, and thus raising the barrier to entry for competition. Examples of clean interfaces are much older than Microsoft: the original UNIX was very clean and before that Multics or Dijkstra's 1968 "THE" system showed what could be done. In other words, even when Microsoft was very much smaller and very much easier to change these ideas were known and proven, therefore what we have before us today is not inadvertent, it is on plan.
This tight integration is a core component of Microsoft's monopoly power. It feeds that power, and its effectiveness is a measure of that power. This integration strategy also creates risk if for no other reason than that modules that must interoperate with other modules naturally receive a greater share of security design attention than those that expect to speak only to friends. As proof by demonstration, Microsoft's design-level commitment to identical library structures for clients and servers, running on protocols made explicitly difficult for others to speak (such as Microsoft Exchange), creates insecurity as that is precisely the characteristic raw material of cascade failure: a universal and identical platform asserted to be safe rather than shown in practice to be safe. That Microsoft is a monopoly makes such an outcome the default outcome.
The natural strategy for a monopoly is user-level lock-in and Microsoft has adopted this strategy. Even if convenience and automaticity for the low-skill/no-skill user were formally evaluated to be a praiseworthy social benefit, there is no denying the latent costs of that social benefit: lock-in, complexity, and inherent risk.
One must assume that security flaws in Microsoft products are unintentional, that security flaws simply represent a fraction of all quality flaws. On that assumption, the quality control literature yields insight.
The central enemy of reliability is complexity. Complex systems tend to not be entirely understood by anyone. If no one can understand more than a fraction of a complex system, then, no one can predict all the ways that system could be compromised by an attacker. Prevention of insecure operating modes in complex systems is difficult to do well and impossible to do cheaply: The defender has to counter all possible attacks; the attacker only has to find one unblocked means of attack. As complexity grows, it becomes ever more natural to simply assert that a system or a product is secure as it becomes less and less possible to actually provide security in the face of complexity.
Microsoft's corporate drive to maximize an automated, convenient user-level experience is hard to do -- some would say un-doable except at the cost of serious internal complexity. That complexity must necessarily peak wherever the ratio of required convenience to available skill peaks, viz., in the massive periphery of the computing infrastructure. Software complexity is difficult to measure but software quality control experts often describe software complexity as proportional to the square of code volume. One need look no further than Microsoft's own figures: On rate of growth, Windows NT code volume rose 35% per year (implying that its complexity rose 80%/year) while Internet Explorer code volume rose 220%/year (implying that its complexity rose 380%/year). Consensus estimates of accumulated code volume peg Microsoft operating systems at 4-6x competitor systems and hence at 15-35x competitor systems in the complexity-based costs in quality. Microsoft's accumulated code volume and rate of code volume growth are indisputably industry outliers that concentrate complexity in the periphery of the computing infrastructure. Because it is the complexity that drives the creation of security flaws, the default assumption must be that Microsoft's products would have 15-35x as many flaws as the other operating systems.5
One cannot expect government regulation to cap code size -- such a proposal would deserve the derision Microsoft would heap upon it. But regulators would do well to understand that code "bloat" matters most within modules and that Microsoft's strategy of tight integration makes effective module size grow because those tightly integrated components merge into one. It is likely that if module sizes were compared across the industry that the outlier status of Microsoft's code-size-related security problems would be even more evident than the total code volume figures indicate.
Above some threshold level of code complexity, fixing a known flaw is likely to introduce a new, unknown flaw; therefore the law of diminishing returns eventually rules. The general quality control literature teaches this and it has been the received wisdom in software development for a long time (Lehman & Belady at IBM6 and later in many papers and at least one book). The tight integration of Microsoft operating systems with Microsoft application products, and of those products with each other, comes at a cost of complexity and at a cost in code volume. Patches create new flaws as a regular occurrence, thus confirming that Microsoft's interdependent product base is above that critical threshold where repairs create problems. Some end-users understand this, and delay deployment of patches until testing can confirm that the criticality of problems fixed is not eclipsed by the criticality of problems created. With mandatory patches arriving at the rate of one every six days (39 through 16 September), it is few users indeed who can keep up.
Two different subsets of users effectively bow out of the patching game: the incapable-many (end-users who have limited understanding of -- and limited desire to understand -- the technology even when it is working correctly) and the critical-infrastructure-few (for whom reliability is such a vital requirement that casual patching is unthinkable). Un-patched lethal flaws thus accumulate in the user community. (The Slammer worm fully demonstrated that point -- the problem and the patch were six months old when Slammer hit.)7 Monopoly market dominance is thus only part of the risk story -- market dominance coupled with accumulating exploitable flaw density yields a fuller picture.
Not only is nearly every networked computer sufficiently alike to imply that what vulnerability one has, so has another, but the absolute number of known-to-be-exploitable vulnerabilities rises over time. Attackers of the most consummate skill already batch together vulnerabilities thus to ensure cascade failure. (The NIMDA virus fully demonstrated that point -- it used any of five separate vulnerabilities to propagate itself.)
Microsoft has had a history of shipping software at the earliest conceivable moment. Given their market dominance, within days if not hours the installed base of any released Microsoft software, however ill thought or implemented, was too large to dislodge or ignore. No more. Of late Microsoft has indeed been willing to delay product shipment for security reasons. While it is too early to tell if and when this will actually result in a healthier installed base, it is an admission that the level of security flaw density was a greater threat to the company than the revenue delay from slipping ship dates. It is also an admission that Microsoft holds monopoly power -- they and they alone no longer need to ship on time. That this coincides with Microsoft's recent attempts to switch to annual support contracts to smooth out their revenue streams is, at least, opportunistic if not tactical.
On the horizon, we see the so-called Trusted Computing Platform Association (TCPA)8 and the "Palladium" or "NGSCB" architecture for "trusted computing." In the long term, the allure of trusted computing can hardly be underestimated and there can be no more critical duty of government and governments than to ensure that a spread of trusted computers does not blithely create yet more opportunities for lock-in. Given Microsoft's tendencies, however, one can foresee a Trusted Outlook that will refuse to talk to anything but a Trusted Exchange Server, with (Palladium's) strong cryptographic mechanisms for enforcement of that limitation. There can be no greater user-level lock-in than that, and it will cover both local applications and distributed applications, and all in the name of keeping the user safe from viruses and junk. In other words, security will be the claimed goal of mechanisms that will achieve unprecedented user-level lock-in. This verifies the relevance of evaluating the effect of user-level lock-in on security.
3. IMPACT ON PUBLIC PROTECTION
To sum up this section:
- Without change, Microsoft's history predicts its future.
- We must take conscious steps to counter the security threat of Microsoft's monopoly dominance of computing.
- Unless Microsoft's applications and interfaces are available on non-Microsoft platforms it will be impossible to defeat user lock-in.
- Governments by their own example must ensure that nothing they deem important is dependent on a monoculture of IT platforms; the further up the tree you get the more this dictum must be observed.
- Competition policy is tangled with security policy from this point on.
Microsoft and regulators come to this point with a considerable history of flouted regulation behind them, a history which seems unnecessary to recount other than to stipulate that it either bears on the solution or history will repeat itself.
Yes, Microsoft has the power to introduce features unilaterally and one might even say that the current security situation is sufficiently dire that Microsoft as the head of a command structure is therefore somehow desirable. Yet were it not for Microsoft's commanding position, economics would certainly be different, whether through a rise in independent, competitive, mainstream software development industries (because the barriers to entry would be lower), or because today's locked-in Microsoft users would no longer pay prices that only a monopoly can extract. For many organizations the only thing keeping them with Microsoft in the front office is Office. If Microsoft were forced to support Office on, say, Linux, then organizations would save substantial monies better spent on innovation. If Microsoft were forced to interoperate, innovators and innovation could not be locked-out because users could not be locked-in.
Both short-term impact mitigation and long term competition policy must recognize this analysis. In the short term, governments must decide in unambiguous ways whether they are able to meaningfully modify the strategies and tactics of Microsoft's already-in-place monopoly.
If governments do not dismantle the monopoly but choose instead to modify the practices of the monopoly they must concede that that route will, like freedom, require eternal vigilance. Appropriate support for addressing the security-related pathologies of monopoly would doubtless include the introduction of effective, accessible rights of action in a court of law wherever security flaws lead to harm to the end-user. In extreme cases, the consequences of poor security may be broad, diffuse, and directly constitute an imposition of costs on the user community due to the unfitness of the product. Under those circumstances, such failures should surely be deemed "per se" offenses upon their first appearance on the network.
Where risk cannot be mitigated it can be transferred via insurance and similar contracts. As demonstrated in previous sections, the accumulation of risk in critical infrastructure and in government is growing faster than linear, i.e., faster than mere counts of computers or networks. As such, any mandated risk transfer must also grow faster than linear whether those risk transfer payments are a priori, such as for bonding and insurance, or a posteriori, such as for penalties. If risk transfer payments are to be risk sensitive, the price and probability of failure are what matter and thus monopoly status is centrally relevant. For governments and other critical infrastructures, the price of failure determines the size of the risk transfer. Where a software monoculture exists -- in other words, a computing environment made up of Windows and almost nothing else -- what remains operational in the event of wholesale failure of that monoculture determines the size of the risk transfer. Where that monoculture is maintained and enforced by lock-in, as it is with Windows today, responsibility for failure lies with the entity doing the locking-in -- in other words, with Microsoft. It is important that this cost be made clear now, rather than waiting until after a catastrophe.
The idea of breaking Microsoft into an operating system company and an applications company is of little value -- one would just inherit two monopolies rather than one and the monocultural, locked-in nature of the user base would still nourish risk. Instead, Microsoft should be required to support a long list of applications (Microsoft Office, Internet Explorer, plus their server applications and development tools) on a long list of platforms. Microsoft should be forbidden to release Office for any one platform, like Windows, until it releases Linux and Mac OS X versions of the same tools that are widely considered to have feature parity, compatibility, and so forth. Alternatively, Microsoft should be required to document and standardize its Exchange protocols, among other APIs, such that alternatives to its applications could independently exist.
Better still, split Microsoft Office into its components -- noticing that each release of Office adds new things to the "bundle": first Access, then Outlook, then Publisher. Even utilities, such as the grammar checker or clip art manager, might pose less risk of compromise and subsequent OS compromise if their interfaces were open (and subject to public scrutiny and analysis and validation). Note that one of the earlier buffer overflow exploits involved the phone dialer program, an ordinarily benign and uninteresting utility that could have been embedded within dial-up networking, Internet Explorer, Outlook and any other program that offered an Internet link.
The rigorous, independent evaluations to which these otherwise tightly integrated interfaces would thus be exposed would go a long way towards security hardening them while permitting meaningful competition to arise. Microsoft will doubtless counter that its ability to "innovate" would be thus compromised, but in the big picture sense everyone else would have room to innovate that they cannot now enjoy. Where governments conclude that they are unable to meaningfully modify the strategies and tactics of the already-in-place Microsoft monopoly, they must declare a market failure and take steps to enforce, by regulation and by their own example, risk diversification within those computing plants whose work product they value.
Specifically, governments must not permit critical or infrastructural sectors of their economies to implement the monoculture path, and that includes government's own use of computing. Governments, and perhaps only governments, are in leadership positions to affect how infrastructures develop. By enforcing diversity of platform to thereby blunt the monoculture risk, governments will reap a side benefit of increased market reliance on interoperability, which is the only foundation for effective incremental competition and the only weapon against end-user lock-in. A requirement that no operating system be more than 50% of the installed base in a critical industry or in a government would moot monoculture risk. Other branches to the risk diversification tree can be foliated to a considerable degree, but the trunk of that tree on which they hang is a total prohibition of monoculture coupled to a requirement of standards-based interoperability.
These comments are specific to Microsoft, but would apply to any entity with similar dominance under current circumstances. Indeed, similar moments of truth have occurred, though for different reasons, with IBM or AT&T. The focus on Microsoft is simply that the clear and present danger can be ignored no longer. While appropriate remedies require significant debate, these three alone would engender substantial, lasting improvement if Microsoft were vigorously forced to:
- Publish interface specifications to major functional components of its code, both Windows and Office.
- Foster development of alternative sources of functionality through an approach comparable to the highly successful "plug and play" technology for hardware components.
- Work with consortia of hardware and software vendors to define specifications and interfaces for future developments, in a way similar to the Internet Society's RFC process to define new protocols for the Internet.
Daniel Geer, Sc.D - Dr. Geer is Chief Technical Officer of @Stake, in Cambridge, Mass. Dr. Geer has a long history in network security and distributed computing management as an entrepreneur, author, scientist, consultant, teacher, and architect. He has provided high-level strategy in all manners of digital security and on promising areas of security research to industry leaders including Digital Equipment Corporation, OpenVision Technologies, Open Market, and CertCo. He has written extensively on large-scale security issues such as risk management, applications of cryptography, and Web security for The Digital Commerce Society, the Securities Industry Middleware Council, the Internet Security Conference, and the USENIX Association for whom he founded several conferences.
Dr. Geer has testified before Congress on multiple occasions and has served on various relevant advisory committees to the Federal Trade Commission, the National Science Foundation, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice, and the Institute for Information Infrastructure Protection.
Dr. Geer holds several security patents, an Sc.D. in Biostatistics from Harvard University's School of Public Health and an S.B. in Electrical Engineering and Computer Science from MIT.
Charles P. Pfleeger, Ph.D - Dr. Pfleeger is a Master Security Architect in the Professional Services group of Exodus Communications, Inc. From 1992 to 1995 he was Director of European Operations for Trusted Information Systems, Inc. (TIS) and head of its European office in London. He was a member of the author group of the U.S. Federal security evaluation criteria and a co-author of the evaluation criteria for trusted virtual machine architectures. He led activities in secure networking, security analysis in hardware design, secure system architecture, and research into assured service. Prior to joining TIS in 1988, he was a professor in the Computer Science Department of the University of Tennessee. Dr. Pfleeger has lectured throughout the world and published numerous papers and books. His book Security in Computing (the third edition will be available from Prentice Hall in 2002) is the standard college textbook in computer security. He is the author of other books and articles on technical computer security and computer science topics.
He holds a Ph.D. degree in computer science from The Pennsylvania State University and a B.A. with honors in mathematics from Ohio Wesleyan University.
Bruce Schneier - Internationally renowned security expert Bruce Schneier has authored six books--including BEYOND FEAR and SECRETS AND LIES--as well as the Blowfish and Twofish encryption algorithms. Mr. Schneier has appeared on numerous television and radio programs, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mr. Schneier is responsible for maintaining Counterpane's technical lead in world-class information security technology and its practical and effective implementation. Mr. Schneier's security experience makes him uniquely qualified to shape the direction of the company's research endeavors, as well as to act as a spokesperson to the business community on security issues and solutions.
Mr. Schneier holds an MS degree in computer science from American University and a BS degree in physics from the University of Rochester.
John S. Quarterman - John S. Quarterman is founder of InternetPerils, an Internet risk management company. Previously, he was Founder and Chief Technology Officer of Matrix NetSystems Inc., the first company to map and track global traffic across the Internet. Mr. Quarterman has almost thirty years' experience with network issues dating as far back as 1974, when he first used ARPANET, the Internet's predecessor, at Harvard University. He subsequently worked on ARPANET Unix software for Bolt, Beranek and Newman, the original prime contractor for the network.
Mr. Quarterman has consulted for a wide range of companies and organizations, including AT&T, HP, IBM, MCI and Nortel, among others. Twice elected to the board of directors of USENIX, he was instrumental in the board's decision to provide funding for UUNet, one of the first two commercial Internet service providers. A published author, he has written for Communications of the ACM, Forbes, First Monday and Computerworld, among others. He has appeared in articles written by others in the New York Times, the San Jose Mercury News, The Economist, The Washington Post, Wired and others too numerous to mention.
Perry Metzger - Perry Metzger is managing partner of Metzger, Dowdeswell & Co LLC, a New York based computer security and infrastructure consulting firm. Prior to this, Mr. Metzger founded and served as CEO of Wasabi Systems, Inc., a startup specializing in operating system software for embedded platforms. Previously Mr. Metzger served as President of Piermont Information Systems Inc., a New York based computer security consulting firm he founded in 1994. Piermont's clients included prominent international banks and brokerages, money management companies, public relations firms and advertising agencies.
Before founding Piermont, Mr. Metzger was involved in a variety of innovative technological projects, including highly parallel computer systems, automated equities trading systems, automated systems management software, and the implementation of one of the world's first firewall systems. Mr. Metzger is highly active in the work of the Internet's standardization body, the IETF. He was instrumental in the design and standardization of several major internet security protocols, including IPSEC, for which he served as co-author of several of the initial standards documents.
Becky Bace - Becky Bace is an internationally recognized expert in network security and intrusion detection. A 2003 recipient of Information Security Magazine's Women of Vision Award, she is recognized as one of the most influential women in Information Security today. Ms. Bace has worked in security since the 1980s, leading the first major intrusion detection research program at the National Security Agency, where she received the Distinguished Leadership Award, serving as the Deputy Security Officer for the Computing Division of the Los Alamos National Laboratory, and, since 1997, working as a strategic consultant.
She is currently President and CEO of Infidel, Inc., a security consulting firm. Ms. Bace's publication credits include the books Intrusion Detection (Macmillan, 2000) and A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as An Expert Technical Witness, (Addison-Wesley, October, 2002).
She received a B.S., Engineering/Computer Science from the University of the State of New York, and an M.E.S., Digital Systems Engineering, from Loyola College.
Peter Gutmann - Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package and has authored a number of papers on security and encryption including the X.509 Style Guide for certificates.
Over the years, Mr. Gutmann has uncovered numerous security flaws in various computing products, including problems with the encryption used in an early version of the Netscape browser and, later, Internet Explorer. He has also uncovered flaws in previous versions of Norton's Diskreet disk encryption, the Windows 95 password file system and the smart-card fare system used by Auckland's largest public transportation organization.
Gutmann is the author of the much used, open source cryptlib security toolkit.
1 "Government Issue," David Zeiler, The Baltimore Sun/SunSpot.net. September 18, 2003
2 "Wal-Mart sells more Linux wares online," Matt Hines, News.com. August 21, 2003.
3 "Microsoft's Windows OS global market share is more than 97% according to OneStat.com," OneStat.com press release. September 10, 2002.
4 "Apple Releases its own browser," Joe Wilcox, News.com, January 7, 2003.
5 Microsoft seems at least aware of the problem. See: http://www.wired.com/wired/archive/3.09/myhrvold.html.
6 L.A. Belady and M.M. Lehman, "A Model of Large Program Development," IBM Systems Journal 15(3), p.225--252 (1976).
7 "Slammer worm brings patch mgmt. issues to the fore," Audrey Rasmussen, Network World Fusion, Feb. 5, 2003.
8 See: http://www.trustedcomputing.org/home
From Capitol Hill to Silicon Valley, the computer software giant has been routinely denounced as a monopolist or near monopolist, as if the firm's monopoly status were an established fact, not one open to debate. However, many of Microsoft's strategies under legal attack make little economic sense for a monopolist.
The Microsoft monopoly is self-evident, if the Justice Department's lawyers are to be believed. In the complaint filed against Microsoft in the U.S. District Court of the District of Columbia on May 18, 1998, the Justice Department declares unequivocally that Microsoft possesses (and for several years has possessed) monopoly power in the market for personal computer operating systems.
The Justice Department's lawsuit merely reaffirms the position U.S. Attorney General Janet Reno had previously staked out: Microsoft is unlawfully taking advantage of its Windows monopoly to protect and extend that monopoly. Hence, it seems beyond dispute that the Justice Department's antitrust assault on Microsoft will, if successful, produce benefits for the American public. "We took action today [in the courts]," Reno announced earlier this year, "to ensure that consumers will have the ability to choose among competing software products" (PC Magazine 1997). Assistant Attorney General Joel Klein echoes Reno's claims. In a statement accompanying his department's antitrust complaint, he charges that in essence, what Microsoft has been doing, through a wide variety of illegal business practices, is leveraging its Windows operating system monopoly to force its other software products on consumers (Klein 1998b, 1).
Both Klein's and Reno's allegations appear to reflect a widespread public sentiment. Indeed, it has become common for reporters, columnists, scholars, and computer industry analysts to use terms such as "monopoly" or "near monopoly" to describe Microsoft, as if the firm's monopoly status were an established fact, not one open to debate. Wall Street Journal reporter Alan Murray (1998) declares flatly on the front page of his paper, "Microsoft is a monopoly" (emphasis in original). It is such, Murray tells us, because Bill Gates has managed to win near-total control of the most valuable real estate in business today: His Windows operating system has become almost the sole entry point to cyberspace. Michael Miller, editor in chief of PC Magazine, has seconded Murray's conclusion, asserting that Microsoft has an effective monopoly on PC operating systems. He [Jim Barksdale, head of Netscape] knows it, Bill [Gates] knows it, and all the senators [who questioned Gates at a Senate hearing in early 1998] know it. So do all of us who buy PCs (Miller 1998). Miller's only remaining concern is whether antitrust or regulatory action would be good for the computer industry.
Given the assumption that Microsoft has monopolized the market for computer operating systems, the critics have felt comfortable applying their rhetorical skills to condemn Microsoft's founder and CEO Bill Gates, who is viewed with animosity as a real-life counterpart of Gordon Gekko, the unsavory character in the 1980s movie Wall Street. Gekko is renowned for having proclaimed, in a fit of self-congratulation, the moral goodness of unchecked greed.
Indeed, the rampant criticism of Microsoft's purportedly unfettered market power has given rise to increasingly shrill attacks. A Los Angeles Times editorial chided Microsoft for having macro-gall when it sought to defuse the threat of an adverse court decision by offering computer manufacturers two versions of Windows 95: an older version without Internet Explorer and a newer version with Internet Explorer included (Los Angeles Times 1997). Even former Republican presidential candidate Bob Dole, who once defended Microsoft against Justice Department action but who now lobbies for competing computer software companies, accepts antitrust intervention as necessary because Microsoft's goal appears to be to extend the monopoly it has enjoyed in the PC operating system marketplace to the Internet as a whole and to control the direction of innovation (Dole 1997).
New York Times columnist Maureen Dowd (1998) has minced few words in her denunciation of Gates as a rich spoiled brat who has not yet realized the grim truth: People hate Microsoft even more than they hate the Government. Gary Reback, a Silicon Valley antitrust lawyer, mused to the New Yorker, "The only thing the robber barons did that Bill Gates hasn't done is use dynamite against their competitors." In his article on Microsoft for the electronic magazine Slate, Jacob Weisberg observed, "A few months ago, everyone I met seemed to think that working for Microsoft was a pretty cool thing to do. Now, strangers treat us like we work for Philip Morris" (Dowd 1998).
Because of Microsoft's dominance in the market for computer operating systems and hence its presumed monopoly status, a growing collection of state attorneys general (twenty at the time the Justice Department filed its suit) began to coordinate with federal trustbusters their investigations of Microsoft's past practice of incorporating its own services and programs within Windows without also giving other vendors the same right. Apparently, the attorneys general were especially worried that the forthcoming version of Windows, Windows 98, would seamlessly integrate Microsoft's Web browser, Internet Explorer, thus precluding, in their collective view, the installation of competing browsers. New York Attorney General Dennis Vacco summed up his colleagues' conclusion that Microsoft's product development strategies are evidence of monopoly power by saying, "It would be unfortunate if one company were allowed to control access to the Internet in violation of the antitrust laws, restricting consumer choice and stifling competition before it has a chance to develop" (Bank 1998).
Firms in the computer industry want to go even further to rein in what they believe is Microsoft's undue market power. They have begun a drive to have the U.S. Justice Department force Microsoft to be more open in allowing programmers outside of Microsoft to have access to the code that Microsoft's programmers have. They also want Microsoft to be prohibited from integrating into Windows new products that compete directly with non-Microsoft programs and to have Microsoft divest itself of its software compatibility laboratories, which offer a Windows-approved logo to outside vendors (Markoff 1998).
As the deadline for filing its antitrust suit neared, the Justice Department began to insist in its negotiations that Microsoft must also include a copy of rival Netscape's Web browser with each copy of Windows sold, if Microsoft's own Internet browser, Internet Explorer, was integrated into Windows 98 (Brinkley 1998). Indeed, in its antitrust suit, the Justice Department seeks such a remedy, mentioning Netscape (and only Netscape) by name. Specifically, the Justice Department asks the courts to prevent Microsoft from including its browser software in Windows unless Microsoft also includes with such operating system the most current version of the Netscape Internet browser. Moreover, if the Justice Department gets its way, Microsoft would be forced to allow computer manufacturers to delete Internet Explorer and to alter in other ways the sequence of screens computer users see as Windows boots up.
The complaint filed by the Justice Department on May 18 levels three specific charges of unlawful behavior against Microsoft. The list of alleged antitrust violations includes agreements tying other Microsoft software products to Microsoft's Windows operating system; exclusionary agreements precluding companies from distributing, promoting, buying, or using products of Microsoft's software competitors or potential competitors; and exclusionary agreements restricting the right of companies to provide services or resources to Microsoft's software competitors or potential competitors.
We do not wish to join the chorus of criticism of a major American firm and its leadership now under way in the courts and the press. On the contrary, our purpose is to ask for a pause in the debate in order to consider the easily skirted issue of whether as a general matter firms with large market shares -- not just Microsoft -- can legitimately be classified as monopolists and, if so, whether they should be subjected to the antitrust sanctions now at issue in what is likely to be a protracted court battle. We also ask whether Microsoft's business practices are necessarily those of a monopolist; and more specifically, whether the types of tying and exclusionary agreements Microsoft has been accused of employing represent the unfair methods of competition they have been purported to be.
Even if a firm can, in some sense, be found guilty of violating the antitrust laws (because such laws make tying arrangements and exclusionary contracts illegal), it does not necessarily follow that Microsoft's actions have been those of a classic monopolist (even when the industry is beset with network effects, which the Justice Department's lawyers believe to be endemic to the computer software business). Many market behaviors that might be construed as violations of the antitrust laws might also be interpreted as the behaviors expected of highly competitive firms. Even if a firm can be classified as having, in some sense, monopoly power, one must also be concerned with whether or not antitrust action can be taken in a timely manner, before market forces are likely to correct any extant abuse of market power; and whether antitrust action, if taken, can generate the heralded consumer benefits to an extent that more than compensates for the legal expenditures and for the costs resulting from the disruption of markets while the suit winds its way through the courts. This issue is hardly a minor one: recall that the Justice Department wasted substantial legal resources in its infamous thirteen-year prosecution of IBM, and note that if the Justice Department and state attorneys general prevail, future product developments in high-technology industries may be tightly constrained. That upshot could mean that competition would be thwarted, not promoted. Indeed, the threat of antitrust penalties in cases pursued because of a firm's dominance in its industry can have the perverse effect of forcing the firm to act not as a competitor but as a monopolist, thereby harming consumers.
Two Distinct Issues
At the outset, two issues in the public debate over Microsoft's supposed monopoly status must be distinguished. First is the technical legal issue of whether Microsoft violated its 1995 consent agreement with the Justice Department, along with the more general question of whether it has violated the antitrust laws. In the 1995 agreement, Microsoft consented not to require computer manufacturers who install Microsoft's Windows operating system to also install separate products. At the same time, the 1995 agreement allowed Microsoft to continue to sell Windows with integrated components. For example, Windows Explorer, which allows computer users to organize files with relative ease, is presumably viewed by both Microsoft and the Justice Department as an integrated component of Windows.
Now, Microsoft has been accused of unfairly demanding that computer manufacturers also install Internet Explorer, a Web browser, as a condition of installing its Windows operating system. That requirement may or may not be a violation of the 1995 agreement or the antitrust laws, mainly because Internet Explorer may or may not be viewed by the courts as an integrated component of Windows, as defined by that agreement. The decision depends on how the language of the 1995 agreement is interpreted. Therefore, the resolution of the issue hinges on the precise meaning of integrated, that is, on how much mutual interdependence must exist before Windows and Internet Explorer are deemed to be integrated. To what extent does Internet Explorer rely on the code built into Windows, and vice versa? Can Internet Explorer be uninstalled without compromising the operation of Windows?
We have no way of knowing how the courts will rule on such semantic issues, but our basic concern is conceptual, not semantic. However the case against Microsoft ultimately turns out, the definition of integrated, as well as the extent to which the laws prohibiting tying contracts and exclusionary agreements are judged applicable, cannot help but be influenced by how the courts expect Microsoft's behavior to change in response to the accepted meanings of these terms. Hence, the issue of whether Microsoft is viewed, or should be viewed, as a monopolist (in the economic as well as the legal sense) will necessarily play a key role in determining the courts' findings. Therefore, the question expressed in our title -- Is Microsoft a monopolist? -- is of more than academic interest. Its answer cannot be presumed without rigging the debate over what the judge should do.
The Justice Department has argued that Microsoft has given away its Web browser for years as a distinct, stand-alone product. That determination, supported by Microsoft's own promotional materials that treat Windows and Internet Explorer as separate products, has prompted the Justice Department to conclude that it is unlawful for Microsoft to require computer manufacturers to install Internet Explorer when the manufacturers also install Windows. Hence, the Justice Department has argued that Microsoft should be fined $1 million a day if it has not complied with the 1995 agreement, as the Justice Department interprets that agreement (Gruley and Wilke 1998). The Justice Department's lawyers do not seem concerned that having a browser fully integrated into the Windows operating system makes sense and provides consumers with benefits, as recognized by technology journalists. To its critics, the key assumption is that Microsoft has a monopoly in the market for operating systems and that the firm is trying to use its monopoly position to extend its operating system monopoly into other software markets, most notably the browser market, and in that way to preclude Netscape from developing an alternative operating system (using the Java language). The Justice Department's position notwithstanding, we should keep in mind that combining the operating system and browser into one integrated system could make considerable sense if consumers want to minimize the time and trouble of moving from the look and feel of one program (the operating system) to that of another (the browser) and if a personal computer in the near future must be able to operate as fluidly within the World Wide Web as it does presently within the confines of the computer box.
Microsoft, on the other hand, has argued that its Web browser is indeed integrated, meaning that Internet Explorer uses some of the code in Windows and itself contains code needed by Windows in order for Windows to operate properly. Take out Internet Explorer from the latest version of Windows 95, Microsoft contends, and the operation of Windows is necessarily impaired. Moreover, Microsoft has stressed that the integration of Internet Explorer is really a gradual process that has been under way for years, with full integration expected with the release of Windows 98, which Microsoft began shipping to computer manufacturers the same day the Justice Department filed its lawsuit (Gates 1997, 1998).
Again, the issue of whether Microsoft violated its 1995 agreement could be settled only in the courts, as it ultimately was in January 1998. Microsoft effectively yielded to the Justice Department's demands by agreeing to offer two versions of Windows 95, one with an Internet Explorer icon available on the desktop (the screen that appears when Windows is initially loaded) and another version with the icon absent (but with a link to Internet Explorer through a menu of other Windows subprograms).
Prior settlements and any future settlement of the current antitrust suit, however, have no bearing on the central concern of this article. To reiterate, our purpose here is to consider the separate, more fundamental issue of whether Microsoft is a monopolist by asking whether Microsoft's market actions fit the expected behavior of a monopolist. Granted, Microsoft is actually being accused of violating the nation's antitrust laws, mainly the provisions of the Clayton Act that make it illegal, "where the effect . . . may be to substantially lessen competition or tend to create a monopoly," for a firm to tie the sale of one separate product (which Internet Explorer might legally be judged to be) to the sale of another (Windows 95). Behind the prohibition of tie-in sales lies the presumption that a firm with monopoly power may be able to use product-bundling strategies to protect and extend its monopoly, with consequent injury to consumers' welfare.
Even though Microsoft gave in to the Justice Department's demands that two versions of Windows be offered -- one with and one without Internet Explorer (Wilke 1998) -- it is still not necessarily the case that Microsoft is a monopolist. All the Justice Department has done is to get another court-enforceable agreement from Microsoft, which is a substantially different matter from proving that Microsoft is a monopolist, the standard definition of which is a firm that seeks to enrich itself by restricting output in order to raise its prices and profits at consumers' expense.
Many legal and economic scholars have concluded that the antitrust laws have been used more frequently to thwart competition than to restrain monopoly. That outcome has been associated especially with antitrust violations involving tie-in sales, which presumably is the specific offense for which Microsoft would be sanctioned. Rather than a symptom of the exercise of monopoly power, tie-in sales in general -- and Microsoft's product development strategy in particular -- can be construed as an understandable competitive response on the part of a company that seeks to maximize consumer gains while it attempts to expand its sales and profits. From the perspective of the pertinent economic literature, a Justice Department victory can be interpreted as partial validation of Microsoft's claim that it has been acting competitively. To appreciate that point, we need first to reflect on exactly what a monopoly is.
The Meaning of Monopoly
The Justice Department's charge that Microsoft is a monopolist rests mainly on the fact that some version of the Windows operating system is currently used on some 80 percent of all personal computers in the world and that Microsoft has required computer manufacturers to install Internet Explorer if they also install Windows on the systems they ship (Gruley and Wilke 1998). Neither the 80 percent market share nor the required installation of Internet Explorer, however, necessarily makes Microsoft a monopoly worthy of antitrust remedies.
To be sure, commonly accepted definitions of monopoly might suggest that Microsoft is a monopoly by virtue of its dominant market share. The tenth edition of the Merriam-Webster Collegiate Dictionary defines monopoly in three ways: (1) exclusive ownership through legal privilege, command of supply, or concerted action; (2) exclusive possession or control; and (3) a commodity controlled by one party.
Moreover, elementary college-level textbooks in economics start their discussions of monopoly, as does Paul Samuelson, by talking in terms of the extreme case of monopoly, called pure monopoly, in which a given industry has a single seller and there is no industry producing a close substitute for his [the monopolist's] good (Samuelson 1980, 462).
A less precise definition of monopoly (something less than a pure monopoly) might warrant calling Microsoft a monopolist, given the company's apparent industry dominance and the use of the term dominance in loose definitions of monopoly. However, critical even to the most rudimentary definition of monopoly is the concept of the market in which Microsoft is presumed to operate. Even if the market is restricted to firms selling computer operating systems, Microsoft is clearly not the only seller, but it surely is a dominant one, given its 80 percent (or greater) share of sales. However, if the relevant market is defined more broadly, Microsoft's dominance is not nearly so great. The company's sales represent only 5 percent of total dollar sales in the software market and, of course, a much smaller percentage of total dollar sales in the computer market as a whole (DeLong 1998).
If the relevant market is the browser market, as measured in dollar sales, then Microsoft has a zero percent share, for the simple reason that it has given Internet Explorer away. Admittedly, in this case assessing market dominance on the basis of sales can be misleading, but that point is precisely what needs to be kept in mind: a firm may have a dominant market share, even be the sole seller, of a product not because it has acted monopolistically -- meaning that it has garnered monopoly profits by restricting sales and raising price -- but because it has done just the opposite, namely lowered its price in order to expand its customer base to encompass a large fraction of all buyers.
A firm that exercises its monopoly power could actually have a smaller market share measured in unit sales, dollar sales, or both, than a firm that acts competitively. Measured in dollars, a seller's market share depends critically on the response of sales to a change in price -- in economists' jargon, the elasticity of demand. For example, at $1,000 per copy of Windows 95, Microsoft would undoubtedly see dramatically lower sales, because many buyers would not be willing to purchase a PC if the price of the operating system added 50 to 100 percent to the price of a fully functional computer, or because they would then be willing and able to switch to another operating system (even though they might consider alternative operating systems inferior to Windows). At $45 per copy of Windows 95 (the approximate price of Windows 95 for manufacturers at this writing), Microsoft's sales might be sufficiently greater in total units shipped and total revenues earned to make Microsoft the dominant, if not the single, seller of operating systems.
Moreover, the present dominance of Microsoft in the operating-system market can be attributed at least partially to the pricing blunders of its competitors, most notably Apple, which adopted a strategy of restricting the sales of its operating system and then tying the operating system to the purchase of Apple computers. Virginia Postrel, editor of Reason magazine, suggests that Apple did Microsoft a huge favor by trying to control its own operating systems market in the 1980s (Postrel 1997).
From these perspectives, one cannot know from the observation that Microsoft has an 80 percent market share whether Microsoft is acting monopolistically or competitively, and it is altogether understandable that those who accuse Microsoft of being a monopolist also accuse it of being brutally competitive. The firm can be either, and the latter form of behavior could have resulted in its becoming a dominant seller without necessarily being a monopolist.
It cannot be stressed enough that a firm that is a single seller, or just a dominant producer, is not necessarily a monopolist, as the term is generally defined by economists, because all definitions of monopoly presume that the firm is capable of using its market position to restrict output and increase its prices and profits, in the process creating market inefficiency. A firm can become large either by using resources efficiently and remaining attuned to its customers' wants or by behaving, well, as a monopolist. But in order for a firm to act successfully as a monopolist, genuine barriers to the entry of new rivals must exist. Otherwise, any firm that seeks greater profits by reducing output and raising price can expect to attract new market entrants who seek to make the sales that the established firm has not made, and which the new entrants can make by undercutting the monopolist's price. Without barriers to entry, the price charged by the would-be monopolist will not hold, given that the market supply is not restricted. The output of the new market entrants can be expected to neutralize, partially if not completely, the hopeful monopolist's attempt to restrict output.
Even if Microsoft were the only producer of operating systems, it may be only one of several or many potential producers, all of whom stand ready to enter the operating-system market (or to expand their market share) in response to profit opportunities. The greater the number of potential producers and the greater the ease of entry, the less able a dominant producer is to extract monopoly profits from consumers and the closer the dominant producer's price will be to the competitive price.
The Justice Department asserts that "PC manufacturers . . . have no commercially reasonable alternative to Microsoft operating systems for PCs that they distribute" (emphasis added). Such a claim about Microsoft's current monopoly status must be tempered, surely, by the observation that, in fact, other firms exist in the operating-system market. The list of existing producers includes at least the following: IBM, Oracle, Sun, Apple, AT&T, Hewlett Packard, NeXT, Xerox, Wang, Be, Linux, DEC, Psion, 3COM, Geos, and GEM -- and perhaps others of which we are unaware.
To be sure, those sixteen firms combined may have no more than 10 or 20 percent of the world market for personal-computer operating systems, but the listing certainly establishes that Microsoft is not the only seller, in spite of the government's claim (which surely impugns the integrity of the government's case in this instance and others). Even if the Justice Department were correct in its assertion that barriers to entry exist in the operating-system market, those barriers do not justify designating Microsoft a monopolist. Other firms are currently inside the market and are potential competitors, even if they are not, in fact, particularly effective competitors at the moment.
The Justice Department may be correct in its choice of words describing Microsoft's present market position: there may be no commercially reasonable alternative to Windows, and Microsoft may be responsible for that situation -- but only because it has continued to operate as a competitor. If, indeed, Microsoft were a monopolist and were acting as one, it would stand to reason that a number of commercially reasonable alternatives would be available, because Microsoft would have elevated its price to monopoly levels and, perhaps, would at the same time have limited the power, usefulness, and ease of use of its operating system. But, then, it might not be the dominant producer that it now is.
We emphasize again that the 80 percent market share held by Microsoft does not constitute evidence of significant monopoly or market power. If Microsoft tried to increase its profits by restricting sales and raising price, then that conduct would surely entail that unmade sales would be left for the other sixteen or more existing producers, not to mention any number of other software firms that might have operating systems in storage and that stand ready to divert the time and energy of their software programmers to developing new operating systems.
The prospects of alternative existing or potential sources of operating systems must at least cause observers to wonder whether Microsoft could have achieved its market dominance by charging anything other than prices closely aligned with competitive levels. That existing competitors are not even more numerous does not necessarily speak to Microsoft's monopoly practices. Again, the absence of existing competitors could be construed as the result of Microsoft's competitive practices. Microsoft may be charging such a low price that other firms do not judge the development of an alternative operating system to be worth the required up-front investment. (Forty-five dollars for an operating system that incorporates millions of lines of code and is fairly powerful and easy to use does not seem like the price a monopolist would choose.) By acknowledging that no commercially viable alternative operating systems exist, the Justice Department seems to be conceding Microsoft's advantageous competitive position.
Clearly, Microsoft has market power to some degree, as do almost all firms selling in differentiated-product markets; otherwise, the Justice Department would have no reason to be concerned about Microsoft's monopoly status. But surely that power is greatly circumscribed by the economic interests of its investors -- including Bill Gates -- a critical component of which must be the market value of Microsoft's stock. No one doubts that Microsoft could at this time or in the near future raise the price of Windows by restricting sales, with the result that its revenues might rise while its production costs declined (owing to lower output), but that course of action would not necessarily imply that Microsoft was pursuing its stockholders' best interests. The firm's revenues could in fact tumble by more than costs fell, because the quantity sold might decline proportionately more than the corresponding increase in the price as customers switched to the operating systems offered by other existing competitors.
In addition, even if profits rose immediately with an increase in the price of Windows (because revenues fell by less than costs or because revenues rose and costs declined), it does not follow that Microsoft's investors would be pleased. The price of Microsoft stock could fall simply because investors worried that a higher price for Windows would in the not-too-distant future cause a larger number of commercially viable operating systems to be shipped by other firms, with the net effect being a smaller market share and profits over the long run for Microsoft. Higher current profits, in other words, could be more than offset by lower profits in the future, an outcome all the more likely in periods, such as the 1990s, with relatively low interest rates.
Why do interest rates matter? A decline in interest rates increases the present discounted value of lost future profits, which is to say that hiking the current price is a less attractive strategy for any firm that possesses market power (or thinks it does). In other words, the lower are current and expected future interest rates, the less incentive Microsoft (or any other firm) has to exert its market control today and the more incentive it has to act competitively, that is, to hold prices low (or lower them) and increase its market share. One plausible reason why Microsoft stands accused of being such an aggressive competitor at the same time that it has been accused of being a monopolist (dominant seller) is that the firm has been responding rationally to prevailing economic conditions: low interest rates do inspire aggressively competitive current behavior, which, in turn, can make life difficult for other competitors who have to meet Microsoft's reductions in the real prices of its products. Moreover, Microsoft's competitiveness can be fortified by its knowledge that low interest rates will encourage other software firms to be more competitive in the marketplace (and more demanding of the Justice Department in the political arena).
Notably, nowhere in the Justice Department's complaint does Microsoft stand accused of raising its price, as any monopolist worthy of the name would be expected to do. The reason for the absence of a pricing charge is clear: the nominal price of Windows paid by computer manufacturers has reportedly remained constant at $45 for the past six years. That nominal-price constancy means that the real price of Windows (the price adjusted for inflation) has declined during that period by about 18 percent. Actually, the real price has declined by even more, because Windows has been enhanced continuously over the past six years in terms of both power and ease of use. Now, Microsoft proposes to incorporate Internet Explorer into Windows at no added cost, which is an indirect way of lowering the real price of Windows once again. Such reductions in the real price of a product are not what would be expected in the light of textbook treatments of monopoly. They are what would be expected of a competitive firm that sees important economies for consumers, as well as for the firm itself, from gaining market share.
To be sure, the price of Windows might be higher than it could be, and one might argue that it should have fallen by more than it has in recent years. But we cannot help wondering how the Justice Department or the cooperating state attorneys general can know that to be the case. If the price of Windows were materially higher than it should be, then it would follow that Microsoft's sales would be materially restricted, as would be its share of the operating-system market. That restriction would occur because existing or potential competitors would be able to invade the operating-system market, lowering their prices below that of Windows, expanding their sales, and increasing their profits. With competitors already in the market standing ready to take advantage of any attempt by Microsoft to charge prices in excess of cost, and in the absence of barriers to the entry of new rivals, Microsoft's prices must be closer to the competitive price than to the monopoly price.
The Special Case of Network Effects
Critics are usually eager to concede that Microsoft may not be a garden-variety monopolist. They are quick to reason that Microsoft does not behave as most traditional monopolies behave because the market for computer software, especially operating systems, differs from those for more mundane products. Textbook monopolies are assumed to face static demands that are independent of past or prospective future consumption levels. That is to say, future demand does not rise with greater current consumption, and vice versa.
By contrast, the market for computer programs is said to exhibit network effects or network externalities. Thus, the value of a product to any one person depends on how many other people use it: the larger the number of people who use a program, the larger is the program's individual and collective value, and hence the larger will be the number of people who buy it (Rohlfs 1974; Katz and Shapiro 1985; McAndrews 1997). Therefore, the future demand for the product can be expected to rise with current purchases, which implies that even a monopoly firm in such an industry has a reason not applicable to traditional monopolies (absent network externalities) for keeping current prices low: in so doing, the monopolist can stimulate future demand and, when the increased demand materializes, elevate the profit-maximizing price.
Moreover, the greater the firm's market share, the greater the incentive the firm has to hold its current price down. In the presence of network externalities, all of the additional future sales stimulated by today's low prices accrue exclusively to the dominant firm; that is, the benefits of stimulated future sales do not spill over to other producers as they would in a textbook perfectly competitive market, in which the products of rivals are perfectly substitutable. The dominant producer can increase its dominance simply because everyone expects its dominance to grow. If consumers do benefit from network externalities, they will want to join the dominant producer's network because their expectation of its (growing) dominance implies greater future benefits.
The Justice Department's lawyers and Microsoft's critics reason that setting a low (if not falling) current price, or even a zero price, is behavior consistent with the actions of a profit-maximizing monopolist, given the existence of network effects. Low prices today can lead not only to more sales today and even greater sales in the future, but a firm's low prices can fuel consumer expectations of its dominance that, independent of today's price, can contribute to the firm's dominance today and in the future. Accordingly, the Justice Department can argue that it must act now to avert monopoly pricing and output restrictions in the future.
Although such an argument may sound appealing, it has weaknesses that must be kept in mind. The argument rests on the presumption that when the future rolls around, the monopoly firm -- Microsoft in this case -- could actually restrict sales and would want to do so with its stockholders' interests in mind. Such a scenario, in turn, presumes that the firm no longer faces effective competition from existing or potential rivals because it has a hammerlock on its buyers.
The future price of the operating system might indeed be increased, but such a price hike could be expected by consumers even in a fully competitive market. The reason has already been given in the case for preemptive antitrust action: network effects. The existence of such externalities implies an unsustainable low current price kept down in order to generate the network effects that will increase the program's value to its users, which in turn will lead to a higher market price at some later date simply because of the implied future increase in demand. A higher future price would not necessarily mean that the consumers were being exploited. They might pay more for the program in the future, but they then would also be getting more value because of the larger number of people using it. Indeed, given the existence of network externalities, consumers would recommend the same time-wise pattern of prices the firm's owners would want, namely low (even below-cost) prices today -- in order to build the network benefits -- followed by higher prices in the future.
Moreover, the prediction that Microsoft will be able to raise its price in the future is nothing but sheer speculation by the Justice Department's lawyers and other critics. Microsoft would still face the threat of competition unless some pretty strong barriers obstructed the entry of new firms. The existence of network effects in the market for operating systems not only encourages low current prices. Those effects simultaneously cut the gains any single seller can expect from raising its future price substantially, because network effects also enhance the potential benefits to new entrants from entering the market and undercutting the pricing of the incumbent monopolist. Today's dominant seller -- Microsoft -- must worry that network effects will work in reverse: a higher price in the future would not only curb sales at that time but would also cause current sales to fall in anticipation of the higher future price. Of course, when the future price is raised, sales would fall from that point forward because the then-reduced sales imply fewer network benefits for consumers. New entrants can reason that the gains from entry will be accumulating, with then-current sales leading to even higher future sales beyond that point. As a consequence, network effects do not necessarily lead to a greater likelihood that a firm will take advantage of any existing monopoly power; indeed, just the opposite might as well be expected.
The network externality argument rests on an assumption of consumer rationality that cannot be restricted to consideration of the impact of today's low prices on future market dominance. Consumers must also be expected to anticipate, in a rough and ready way, the monopoly price the dominant producer might charge in the future. The very anticipation of that higher future price would at least weaken the ability of the firm to charge a monopoly price in the future, because rational consumers -- especially large corporate customers with large financial consequences riding on their buying decisions, both now and in the future -- would curtail their purchases at current prices, buying more of the products of the future would-be monopolist's rivals in order to forestall the possibility of being exploited in the future. But even if consumers' behavior were not forward-looking, the dominant firm would still hesitate to charge a future price substantially in excess of cost because the network externalities would have been achieved and, for the reasons just stated, such a strategy would invite competitors' entry into the market. A dominant firm facing network externalities would not want to be perceived as capable of extorting monopoly prices and profits. Such a perception would reduce its ability to attain the market share and, hence, to exploit the economies of scale in production that it finds most profitable.
Understandably from this perspective, Microsoft might be pleased that alternative operating systems are available, even though they may not now be commercially reasonable, to use the Justice Department's characterization. Given the existing network externalities, the mere existence of OS2 (IBM's operating system), marketed by a large firm, can provide assurance that Microsoft does not (and will not) act as a monopolist -- an assurance that can add to Microsoft's dominance. For that matter, the Justice Department's current antitrust action can increase Microsoft's current dominance of the market, because the suit offers an added measure of confidence that Microsoft will not act as a monopolist in the future.
When Apple was facing serious financial difficulties in 1997, Microsoft invested about $150 million in its rival. We suspect that Gates approved the investment for three reasons: First, the investment would help assure consumers that Microsoft's monopolistic tendencies would continue to be kept in check. Second, the investment would help keep the Justice Department's antitrust lawyers at bay (or so Microsoft may have reasoned). Third, Apple's sales strategy, which ties the sale of its operating system to the sale of its hardware, will likely ensure that Apple never becomes a dominant seller of its operating system. Many computer buyers must understandably worry that Apple will try to use its customers' well-known loyalty to its operating system to increase the prices of its hardware. Microsoft's dominance in the market for operating systems may be partly the result of Apple's strategy and partly the result of Microsoft's alternative strategy of letting consumers buy their PCs from independent hardware vendors, a strategy that helps build the network effects supposedly at the foundation of Microsoft's monopoly.
The foregoing discussion of network effects presumes that substantial networking effects exist for a program such as Windows 95. But the existence of substantial network effects for individuals working together is not obvious to either of the authors, and we both work extensively with our computers. Granted, some networking externalities may exist for each of us and for our respective academic institutions. Papers can be passed around more easily among faculty members (and students), and the local computer staff has to keep up to date on only a single operating system. However, we are not convinced that the network externality argument applicable to a school or a department can be extended ad infinitum or even to the limits of the computer market. We see practically no benefits from both authors having the same operating system.
Indeed, when we agreed to write this paper jointly, we did not ask one another about computer operating systems. Of course, we might have anticipated some minimal gains from both using Windows and Microsoft Word, but the anticipated benefits of collaboration were never materially influenced by the prospects that we both would use Windows and Word. (Indeed, only after writing this section of the paper did we discover that both of us use Windows.) If our experience is shared by many others, it seems reasonable to conclude that a relatively small increase in the price of Windows 95 would materially affect sales, and vice versa, which suggests that Microsoft's monopoly power must be tightly constrained. It also seems reasonable to deduce that Microsoft has a large market share only because it has not been charging anything close to the proverbial monopoly price.
Granted, the Justice Department's suit rests on the argument that, in fact, barriers to entry exist in the operating-system market because of economies of scale and network effects. PC consumers will tend to buy the operating system with the greatest number, variety, and quality of applications, and PC programmers will write programs for the most commonly used operating system, in order to appeal to as many potential customers as possible.
What the Justice Department's lawyers do not seem to understand is that Microsoft probably could never have achieved its market dominance had it behaved as a monopolist in the past or showed signs that it would act as a monopolist in the future (which is now the present). Similarly, if it were to indicate that it was going to act as a monopolist in the future, leading to the likelihood that its dominance of operating systems would erode, software developers would surely anticipate that development in their program writing and marketing plans. Hoping to take advantage of network effects operating in reverse, rival producers of operating systems would have incentives to absorb at least some of the costs of switching for the software firms and consumers. However, by continuing to lower the real price of its operating system and to upgrade it by including a Web browser free of charge (among other enhancements), Microsoft is giving software firms all the more reason to write applications for Windows, which in turn adds to Microsoft's market dominance, but not necessarily to its monopoly power.
The Justice Department reasons that Microsoft's exclusionary agreements, which require computer manufacturers to install only Windows and only Internet Explorer and do not allow computer manufacturers to alter the screen sequence as Windows boots up, are anticompetitive and anti-consumer. But such is not necessarily the case, if the Justice Department believes its own claims about extensive network effects. The network has benefits to software manufacturers and consumers only to the extent that it holds together. The exclusionary agreements and contract clauses that prevent changes in the starting screen sequence can be interpreted as providing such assurance. Software firms and consumers can thereby readily see the collective gains to be had from joining the Microsoft network.
By what theory of antitrust injury must Microsoft be compelled to advertise the products of its competitors by allowing computer makers unilaterally to make alterations in the first screen the user sees when he boots up (and which the end-users are themselves free to alter in any case)? And if Internet service providers, such as America Online, and Internet content providers, such as the Disney Channel, want to place their logos and links on the first screen the user sees when Windows is shipped from the factory (and which the users are subsequently free to add or delete to suit their own tastes), why must Microsoft be prevented from asking for something in return by insisting that those content providers not enter into similar arrangements with its competitors?
If extensive network effects exist, as claimed by the Justice Department, then those effects must have been produced by Microsoft's years of successful product development and marketing. We understand why other firms, including Netscape, would want to free-ride on Microsoft's considerable investments in the development of the network, but giving some firms a free ride hardly justifies asserting that the developer of the network is a monopolist and that antitrust action is an appropriate means of granting the free ride. Limiting, by antitrust action, the rights to the use of the most valuable real estate in cyberspace risks making the whole sequence of investments unprofitable and, hence, chilling the efforts of future high-technology pioneers.
Three concerns should be kept in mind when evaluating the charge that Microsofts exclusionary tactics are calculated to preserve its world-wide monopoly in operating systems by stifling companies whose technology would compete (Bork 1998). First, even if the courts forbid the forced installation of Internet Explorer, the Justice Department has not materially affected whatever monopoly power it might imagine Microsoft has. Consumers get no net benefit. If Microsoft is the monopolist it has been acclaimed to be, then it can compel the installation of Internet Explorer (if adding the program is a net burden) only by lowering the price it charges computer manufacturers for Windows. In other words, it must use up some of its monopoly profits from selling operating systems to force the manufacturers to do something they supposedly do not want to do. Forbidden to insist on the installation of Internet Explorer, Microsoft is free to reverse its action, jacking up the price of Windows because the manufacturers no longer have to incur the ostensible added costs of installing Internet Explorer.
Second, the remedies the Justice Department seeks might actually lower the network benefits to application software writers and consumers if they do what they are intended to do, namely, reduce Microsofts dominance in the operating-system market. Although such actions clearly would be a boon to Microsofts competitors, the advantages for consumers are not so clear.
Third, a Justice Department victory could induce Microsoft to develop a monopoly-like pricing and product-development strategy simply because its property rights to its operating system and to the computer desktop would be compromised. Microsoft might reason that a policy of lowering its price, enhancing its products, and maintaining its operating systems acceptability as an industry standard would only add to its future legal bills, a prospect that could lead Microsoft to reduce its market share by hiking its current and future prices and curbing future product enhancements, with the intention of elevating its profits above what they would be if it had to incur the legal bills.
Microsoft appears ready to incur those legal bills, though. Defending his right to innovate, Gates broke off settlement negotiations at the eleventh hour when he balked at the Justice Departments demand that Netscapes Web browser be included in every unit of Windows shipped (Gates 1998). That proposed remedy proves once again that antitrust is mainly about protecting competitors, not about enhancing the welfare of consumers.
The Confused Economics of the Microsoft Case
Microsoft's critics have advanced a number of economic theories to explain why the firm's behavior has violated the antitrust laws. None of those critics has articulated why or how consumers have been harmed in the process. Instead, the furious attacks on Microsoft have focused on the injuries supposedly suffered by rivals (on account of Microsoft's pricing and product-development strategies) and by computer manufacturers and Internet service providers (on account of Microsoft's exclusionary contracts).
One of the fundamental antitrust charges against Microsoft is not that it is a monopolist as such, but rather that it has unlawfully used its dominance of the market for computer operating systems as leverage to force computer manufacturers to install its Web browser, Internet Explorer, as a condition of loading Windows on all the units they ship. The Clayton Act made such tie-in sales illegal on the theory that they foreclose competitive market opportunities. The sellers of rival Web browsers are placed at a disadvantage, it is alleged, because Microsoft has contractually locked a large percentage of their potential customers into its own Web-browsing software product. If Internet Explorer is preloaded onto all of the new computers shipped with Windows on board, Microsoft will have an unfair edge as consumers decide what Web browser to use. The normal workings of a free and open competitive marketplace will thereby be short-circuited, and Microsoft will have compounded its monopoly by extending it from the market for the tying good (operating system) to the market for the tied good (Web browser).
Ever since section 3 of the Clayton Act made it unlawful for sellers to condition the sale or lease of one product on the purchase of another, the courts have taken an extremely hostile view of such contractual agreements. Indeed, in 1958 the Supreme Court declared tie-in sales to be illegal per se, meaning that the legal test for finding a law violation does not require evidence of consumer injury; the plaintiff must show only that a tie-in sale has been employed in a factual situation where the effect may be to substantially lessen competition or tend to create a monopoly. Even earlier, the Court stated flatly that tie-in sales serve hardly any purpose beyond the suppression of competition.
The Supreme Court has said that four conditions must hold before a tie-in sale can be deemed to violate the Clayton Act's proscription: First, the tying arrangement must involve two distinct products. Second, the sale of one of these distinct products must effectively be conditioned on the purchase of the other. Third, the seller must possess market power with respect to sales of the tying good sufficient to impose its will on customers. Fourth, the volume of commerce foreclosed in the market for the tied good must be not insubstantial.
With the possible exception of the Court's first condition, the facts at hand seem to support the Justice Department's charge of unlawful tying against Microsoft. It is uncontested that Microsoft has an impressive share of the market for computer operating systems. Can we therefore conclude that, by acting monopolistically, Microsoft is capable of foreclosing a substantial volume of commerce in the market for Web browsers if operating systems and Web browsers are in fact distinct products sold in two separate markets?
The answer is clearly no. Except under very restrictive conditions (conditions that do not hold in the case of computer operating systems and Web browsers, which must be used in fixed proportions), a monopoly cannot be compounded. Consider the facts in one of the Justice Department's early attempts to corral monopoly in a high-technology industry. Before the advent of mainframe computers, IBM was the dominant manufacturer of tabulating machines used to sort and compile information entered on cardboard punch cards. Very much like its present-day rival, the firm imposed a requirement on its customers that, as a condition of renting IBM's tabulating machines, they also must purchase all of their punch cards from IBM. The Justice Department sued, charging that IBM had unlawfully used its monopoly of tabulating machines as leverage to obtain a monopoly of punch cards, and the Supreme Court ultimately agreed with the decision of a lower court that found the firm guilty of violating Clayton Act section 3.
The Justice Department's extension-of-monopoly theory was implausible, however. As pointed out by Aaron Director (Director and Levi 1956), IBM's attempt to obtain an additional source of profits by restricting the output and raising the price of punch cards would be frustrated by reduced sales of tabulating machines. That conclusion is reached if one recognizes that IBM's customers were not buying cards or machines, they were buying tabulating services; the market for punch cards was not distinct from the market for tabulating machines in any meaningful sense. How the individual inputs entering into the production of those services were priced was essentially irrelevant. If IBM raised the price of one input, the cards, the per-unit cost of tabulating services had increased, and accordingly customers would have bought both fewer cards and fewer machines. Moreover, if the tabulating machines had been priced optimally (at the profit-maximizing level) beforehand, any increase in the price of punch cards would have raised the total price of tabulating services above the optimal level, which would have tended to lower, not raise, IBM's overall profits.
Director suggested that IBM's practice of requiring users of its tabulating machines also to buy their punch cards from IBM made economic sense only as a method of price discrimination, a strategy of selling the same product to different customers at different prices. By imposing such a requirement, IBM could use punch-card purchases to meter the demand for tabulating machines. Under this theory, customers who placed relatively high values on data-tabulating services would use the tabulating machines more intensely and hence require more punch cards per week than other customers, for whom tabulating services had less value. By selling more cards to customers in the former group, IBM would effectively charge them a higher price per unit of data-tabulating services. Customers in the latter group, who, by assumption, required fewer cards, would pay lower combined prices for these services. Thanks to its ability to align prices of data-tabulating services with consumer valuations by requiring customers to buy its punch cards as a condition of renting its tabulating machines, IBM increased its total profits over and above those earned under the alternative policy of only leasing tabulating machines and doing so at the same price for all of its customers.