Illinois Public Law and Legal Theory Research Papers Series

Research Paper No. 07-12

November 6, 2007

Analyzing Information Technology & Societal Interactions: A Policy Focused Theoretical Framework

Rajiv C. Shah*

Jay P. Kesan**

*Adjunct Assistant Professor, Department of Communications, University of Illinois-Chicago

**Professor and Director, Program in Intellectual Property and Technology Law; Mildred Van Voorhis Jones Faculty Scholar, University of Illinois College of Law

This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: http://papers.ssrn.com/abstract=1028129

Abstract

Information technologies affect a variety of fundamental societal concerns, such as privacy and free speech. Policymakers currently analyze each societal concern as sui generis, ignoring commonalities among IT issues. This paper develops a comprehensive descriptive framework to address a variety of IT policy problems. The Information Technology and Societal Interactions (ITSI) framework theorizes how information technology develops, evolves, and influences society. This framework ties together several existing theoretical concepts, while translating them into a practical framework that policymakers can apply to real problems. The framework is illustrated by analyzing wireless security issues.

The article seeks to move beyond Lessig’s work by providing a clearer and more comprehensive view of how IT interacts with society. An urgent need has arisen for this type of theoretical framework. Unlike other fields, a compelling theoretical approach within IT law and policy does not exist. As a result, each policy issue is treated as unique and policymakers overlook commonalities. This occurs because the existing theoretical approaches, such as structuration and actor-network theory (ANT), fail to provide applicable models for addressing concrete problems.

ITSI is inspired by structuration and ANT, but is tailored to the theoretical and practical needs for analyzing the interactions between IT and society. ITSI focuses on four main relationships: (1) how technology affects individuals, (2) how individuals reconfigure technology, (3) how developers shape technology, and (4) how society, in mass, can intervene and alter how technology operates. ITSI builds upon a large corpus of descriptive and normative scholarship by computer scientists, sociologists, communications scholars, and legal scholars. The contribution here does not define a new set of relationships between society and information technology, but explicates existing relationships and develops a descriptive framework that provides analytical insights.

This article illustrates ITSI through an analysis of security issues involved in wireless technology. The analysis found that consumers are not provided with simple and effective security because of the increased reliance on user configuration. ITSI led to this finding; it would not have emerged using conventional policy analysis. ITSI also provides solutions to this problem. Instead of looking toward users to improve security, policymakers should look to manufacturers to develop APs that are “secure by design.” The analysis ends by pointing out a number of strategies to influence manufacturers to improve the design of wireless APs.

Author Contact Information:

Rajiv C. Shah, Adjunct Assistant Professor, Department of Communications, University of Illinois-Chicago, [email protected]

Jay P. Kesan, Ph.D., J.D., Professor & Director, Program in Intellectual Property & Technology Law, Mildred Van Voorhis Jones Faculty Scholar, University of Illinois College of Law, 134 Law Building, 504 Pennsylvania Avenue, Champaign, IL 61820, [email protected]

Analyzing Information Technology & Societal Interactions: A Policy Focused Theoretical Framework

Legal scholars have recognized the design of information technologies as central to

public policy debates. Most notably, Lawrence Lessig argues that fundamental societal concerns

such as privacy, accessibility, freedom of speech, and intellectual property protection are

intertwined with the hardware and software of information technologies (IT) (1999). These

concerns are far from theoretical and reverberate in technologies such as computer operating

systems, web browser cookies, printer cartridges, and even passports. Braman argues that

communications law and policy need to address how these technologies affect social welfare

(2003). This article addresses the increasingly influential intersection of IT and law by

developing a theoretical framework for understanding IT’s impact on societal concerns.

This article presents a theoretical model, IT & Societal Interactions (ITSI), which

provides a framework for analyzing and addressing public policy issues concerning IT. The goal

is to move beyond Lessig’s work by providing a clearer and more comprehensive view of how IT

interacts with society. An urgent need has arisen for this type of theoretical framework. Unlike

other fields, a compelling theoretical approach within IT law and policy does not exist. As a

result, each policy issue is approached as sui generis. Thus, policymakers overlook

commonalities among issues concerning IT, because the existing theoretical approaches, such as

structuration and actor-network theory, fail to provide applicable models for addressing concrete

problems.

The framework presented here considers the reciprocity between IT and society in a

policy context. It highlights critical actors and relationships that influence how society designs

and uses IT. ITSI is an applied theoretical model that allows us to move from problem to

solution through clearly delineated steps that account for the multifarious forces and relations

involved in IT’s development and use. The model is constructed to arrive at normative solutions

to real-world problems. ITSI is not intended to replace existing scholarly theoretical approaches,

such as structuration and actor-network theory, but, instead, complement them by translating

their high level concepts for use in policy analysis. In doing so, our framework avoids reducing

notions of causality, the process of technological development, and its social consequences to

binaries (Lievrouw and Boczkowski 2006). Our goal is pragmatic and our approach follows

Walsham’s suggestion to focus on the interesting issues of why IT has developed in ways

contrary to social concerns and how it can be remedied (1993). Ultimately, ITSI provides

scholars and policymakers with analytical tools to understand better the relations between

technology and society.

ITSI is not a regulatory theory per se. We do not try to advocate a particular method of

regulation or argue criteria for regulating technologies. Instead, our focus is to sharpen the use

of regulatory strategies around technology. We believe policymakers can make better decisions

if they understand how technology is developed, used, and shaped. We should acknowledge that

at many junctures, both an ITSI and conventional policy analysis might suggest the same policy

goals. This does not diminish the value of ITSI. An ITSI analysis still provides more useful

insights into how IT operates as well as a broader perspective on how IT develops and responds

to society.

The first section of the article reviews several theoretical approaches for studying the role

of IT: Lessig’s model of IT and society, Giddens’s theory of structuration, and technology

studies’ Actor-Network Theory (ANT). It highlights the strengths and limitations of these

approaches and their inability to provide more than a partial picture of the relationship between

IT and society. The next section provides background on ITSI, and then focuses on the four

main relationships within ITSI. These relations are (1) how technology affects individuals, (2)

how individuals reconfigure technology, (3) how developers shape technology, and (4) how

society, in mass, can intervene and alter how technology operates. We rely on the term

“technology” to refer to IT. In the third section, we use ITSI to analyze wireless security issues.

This application illustrates how ITSI can address a policy issue that conventional approaches

have overlooked. This section ends with a brief discussion of how ITSI can provide insights into

other technology and policy issues as well. The final section discusses the implications of ITSI

for communications law and policy.

Theoretical Approaches for Studying the Role of Information Technology

Scholars and policymakers have recently recognized how technology influences, perhaps

adversely, social concerns, such as security, privacy, and free speech. While much has been

written on the impact of technology, little has been written on how policymakers can harness

technology to positively influence social welfare. As a starting point, we map how that influence

is understood by reviewing three influential approaches for analyzing technology. The first

approach arose within legal studies and focuses on how technology affects society. It is Lessig’s

model of “what things regulate.” The other two approaches, information systems research’s use of

“structuration” and “Actor-Network Theory” (ANT) from science and technology studies, share

a common understanding about how people act and interact. They offer important insights into

understanding how IT affects society. These approaches arose out of the social construction

theory of technology, which argues that human action shapes technology (Pinch and Bijker

1987).

Other useful paradigms for examining technological developments or the influence of

technology on society have appeared, including “diffusion of innovation,” a theory about how

new breakthroughs disseminate through society (Rogers 2003). However, we choose to focus on

the three most influential theoretical approaches from a policy perspective. After evaluating each

approach individually, the final section discusses their limitations for policymakers.

Lessig’s What Things Regulate

First, Lessig’s model of “what things regulate” (1999) offers a descriptive model of how

software and hardware, collectively termed code, act as a regulatory mechanism on human

behavior. Many scholars have looked to this model not only as a tool for understanding code,

but also as a way to address issues surrounding it. Lessig constructs his model by considering an

individual and the various influences on his or her choices and behavior. This individual is

represented by the dot in Figure 1. By “regulate” Lessig refers, not to a legal definition, but to the

ways technology influences individuals. This is also how we use the term throughout this article.

Using a simple example of smoking, he asks what factors affect the decision to smoke. He

considers the impact of legislation surrounding where people can smoke, the costs of cigarettes,

the technology of unfiltered cigarettes, and how the habits of other people affect an individual’s

decision to smoke. This leads him to argue that there are four regulators or constraints on

behavior—the law, social norms, the market, and architecture.

Figure 1. Lessig's Model of "What Things Regulate"

The model’s strength is its simplicity. Three of the regulators Lessig chose—law, social

norms, and the market—are well recognized in the legal academy. Law is considered the

method of formal governance. Social norms, on the other hand, are typically defined as informal

methods of regulation. This area has received increased attention within the legal academy as

scholars recognize that people do things for reasons beyond their legality or illegality (McAdams

1997; Posner 1996). The law and economics movement within the legal academy has

highlighted the role of the market, economics, and pricing structures on regulating behavior

(Posner 1973).

Although Lessig’s model clearly grows out of key areas within legal studies, several

problems emerge in his model if we consider how code affects public policy issues. Murray and

Scott argue that Lessig’s model requires additional regulators (2002). However, that is

inconsequential, because a problem arises within the model itself: it oversimplifies how people are

regulated. The regulatory forces that Lessig chooses are not monolithic. Many times conflicting

laws, social norms, and market forces influence a decision. Consider the issue of file sharing.

The legality of this practice depends on who you are, what the file contains, and where you are

located. This means that the law is both pushing and pulling in Lessig’s model. Hosein,

Tsiavos, and Whitley echo this criticism of Lessig’s model; they argue that architecture “cannot

really be separated from the other modalities neither does it make any sense without them”

(2003). Wagner maintains that code is often a complement to law instead of a direct substitute

(2005). In addition, most critics point out that what is missing in Lessig’s model is the near

impossibility of distinguishing each force. We also notice that Lessig’s model fails to answer

process-oriented questions. Where does technology or architecture come from? Why does it

favor particular values? Why is technology sometimes malleable and sometimes durable?

Despite these drawbacks, the model’s simplicity foregrounds the role of IT in communications

policy.

Structuration

Scholars in information systems are applying Giddens’s structuration theory to IT.

Giddens’s work attempts to overcome the traditional dichotomy in sociology between structure

and agency. Traditionally, sociologists have argued that individuals are either determined by

social structures, e.g., race, class, or gender, or that these social structures only exist in the minds

of people, thus granting people immense agency. Giddens tried to overcome these two opposing

schools in his structuration theory by allowing for reciprocity between structure and agency.

Giddens argues that structure consists of the rules and resources that individuals create through

practices and routines (1984). According to his model, a duality emerges as structure constrains

action, but simultaneously, action serves to maintain and modify structure.

Structuration has become one of the most influential theoretical paradigms in information

systems research (Poole and DeSanctis 2004; Jones, Orlikowski, and Munir 2004; Jones 1997).

Several notable approaches for applying structuration to IT have appeared. Orlikowski

developed a structuration model of technology to investigate the relationship between humans

shaping technology and technology shaping human action in an organizational context (1992;

2000). DeSanctis and Poole argue for an “adaptive structuration theory,” which focuses

on how structural features in IT influence the organization of society and, likewise, how society

influences the organization of IT (1994). Finally, Samarajiva and Shields

use concepts from structuration to develop a normative concept of space for IT (1997).

Structuration offers several useful insights for studying the complicated interaction

between technology and society. It recognizes the role of users, context, and technology, while

considering institutional factors. It acknowledges that technology both enables and constrains

users. These insights move considerably beyond existing theoretical accounts that are either

technologically or socially deterministic.

Nonetheless, several drawbacks emerge when using structuration to examine policy

issues with IT (Rose, Jones, and Truex 2005). The first is whether structuration can adequately

theorize technology. Orlikowski argues in her structurational theory of technology that social

rules can be embedded in IT during its design (1992). However, the idea that structures can be

embodied in artifacts is problematic. According to Giddens, structures cannot be embodied in

artifacts, since they only have a virtual reality and are “traces in the mind” that are substantiated

through actions and practices. Orlikowski’s later work recognizes this problem and uses a

“practice lens” perspective, where technology structures are seen as “virtual, emerging from

people’s repeated and situated interaction with particular technologies” (2000, p. 407). All the

same, critics argue that structuration should focus on human action and not technology (Jones

1997). Furthermore, structuration offers a limited understanding of the relationship between

society and technology. It does not allow us to examine the relationship between people and

technology beyond the recognition that technology both enables and constrains us. Parsons

acknowledges these limitations in his case study on cable television (1989). While structuration

provided a better understanding of the dynamics of using cable television, it was incapable of

addressing how power and values are embedded or found in the use of technology. This problem

leads Monteiro and Hanseth to argue that structuration simply does not provide a nuanced

analysis of the interaction between individuals and technology that would inform the design of

IT (1995).

Actor-Network Theory

A third theoretical direction for understanding IT comes from the larger discipline of

technology studies (Lievrouw 2002; Howcroft, Mitev, and Wilson 2004). Actor-Network

Theory (ANT) examines the interactions between technology and individuals (Law 1992). It

begins with the observation that the material world is a significant part of our lives and less

distinguishable than it may appear. In fact, ANT places the material and the social on equal

footing to explain the role of technology (Callon 1986; Latour 1987, 1999). This approach has

found traction for understanding how IT affects society (Tatnall 2003; Monteiro 2000; Walsham

and Sahay 1999; Monteiro 1998; Klischewski 2002; Vidgen and McMaster 1995).

ANT begins by using the term “actor” to refer to both humans and artifacts. ANT

considers both the human and the technical as capable of acting and being acted upon. It urges

us to treat these symmetrically and to consider seriously artifacts as actors. In short,

actor-networks are a set of interactions between humans and artifacts. ANT views these relationships

as dynamic and constantly changing. Or as Law puts it, “social structure is not a noun but a

verb” (1992). ANT analyzes these networks and describes how they operate. ANT’s

contribution is that it examines technologies by looking at the micro to explain the macro. In

doing so, it has developed richly nuanced concepts for studying technologies, such as blackbox,

artifacts, networks, reconfiguration, enrollment, and translation. This emphasis on materiality

creates a contrast between ANT and other theories that typically focus on the role of humans. As

a result, it is one of the leading methodological approaches for examining technology.

ANT has its critics (Monteiro 2004; McLean and Hassard 2004; Collins and Yearley

1992; Howcroft, Mitev, and Wilson 2004). The criticisms include treating humans and artifacts

as symmetrical, its value-neutral stance, and goal directness. Two significant issues emerge

when using ANT to examine public policy issues with IT. First, ANT has a tendency to neglect

macro-social structures, such as institutions. This is not accidental; ANT’s analytical approach is

to dissect rather than explain through macro-scale structures. It prefers to focus on micro

processes over large-scale macro processes. Second, ANT is a descriptive theory and provides

little analytical and normative guidance (Collins and Yearley 1992). Specifically, it does not

provide a general framework for studying how technology operates. Every technology,

therefore, must be studied anew. This provides policymakers with little guidance for how

technology should be shaped to foster social goals. Nevertheless, several concepts from ANT

are useful and emerge in the ITSI framework.

Limitations of Existing Approaches

All three of these approaches provide an entry point for considering the relationship

between IT and policy. However, they all suffer serious limitations in trying to explain the

interactions between IT and society. Moreover, a significant limitation for both structuration and

ANT arises because the high-level concepts found in these theories do not allow simple

translation for the nuts and bolts problems faced by policymakers. In other words, these existing

theoretical approaches do not address problems related to IT. As an example, consider legal

scholars’ approach for addressing online privacy (Rotenberg 2001) or the approach of computer

scientists (Clarke 1999). They do not rely on ANT or structuration, but instead employ

principles of fair information practices. Moreover, this also holds true for new technologies that

implicate privacy, such as RFID (Floerkemeier, Schneider, and Langheinrich 2005), Web

browsers (Martin et al. 2001), and online personal data (Schwartz 2000). Policymakers do not

rely on Lessig’s theory or structuration or ANT. Online privacy offers a clear and compelling

example of how sophisticated theoretical approaches fail to provide policymakers with

applicable frameworks for addressing social concerns.

Policymakers need a systematic way for thinking through online policy issues. While

extending existing approaches is understandable, it is also necessary to recognize that

information technology has unique attributes. As an example, many scholars have shown that

technology is not neutral, but is political and malleable (Friedman 1997; Winner 1980). It was

precisely these biases that Lessig highlights with the title of his book, Code and the Other Laws

of Cyberspace (1999). These factors lead us to develop a more complete descriptive framework

that will enable policymakers to make decisions about IT that will promote social welfare.

Framework for Analyzing IT & Society Interactions

Our goal is to describe how IT affects society from a public policy perspective. The

framework for analyzing IT and Society Interactions is termed ITSI throughout this article. ITSI

is not a replacement for high-level theories such as structuration or ANT. Instead, our goal is

more akin to operationalizing these theories for policymakers. ITSI also lends itself to a more

general analysis of IT policy problems. Our approach also differs from most policy literature,

which analyzes a specific policy proposal, such as privacy or intellectual property rights.

Instead, our framework focuses on the role of IT in general in order to understand various IT

concerns from privacy to intellectual property rights.

ITSI involves a multi-step analysis that accounts for the various motives, choices, and

even accidents implicated in technology operations. It entails thinking through and evaluating

policy decisions to solve social welfare issues. ITSI first identifies a series of relationships that

influence IT use. By focusing on influential relationships, we can better evaluate where to

establish change. Each relation presents questions that lead us to analytical and normative

insights.

In this section, we explain the framework piece by piece. This approach provides a better

sense of our reliance on existing scholarship, as we develop a more comprehensive analysis of

the relation between IT and society. We begin by identifying four actors: technology, users,

developers, and society. We then analyze the four significant relationships they constitute as

they regulate, reconfigure, shape, and develop IT. This is not an exhaustive list, nor do we imply

that other actors or relationships are not relevant or important. Instead, we are trying to assist

and guide public policy with a framework that is by necessity reductive.

Technology Regulating Users

Technology acts as a mediator to constrain or facilitate certain types of actions. In short,

technology regulates. This statement, while deterministic, is often how people view technology.

For example, the technology of a pencil, fountain pen, and word processor simultaneously

facilitates and constrains certain actions when it comes to composing, editing, and saving our

writings. As a result, technology can affect our cognition, culture, socio-structure, and laws. An

exemplar of this view can be found in Eisenstein’s argument that the printing press led to the

emergence of a “print culture” that transformed not merely how people communicate but the

underlying structure of consciousness, social interaction, and power (Eisenstein 1997). Figure 2

shows schematically how IT affects or regulates users. Scholars within media ecology (Innis

1951; McLuhan 1964; Meyrowitz 1994), computer-mediated communication (Haythornthwaite,

Wellman, and Garton 1998; Daft and Lengel 1984), and cultural studies (Nakamura 2000; Kolko

2000) have all recognized the ability of IT to affect individuals and society even as individuals

seemingly develop and manipulate IT.

Figure 2. Technology Regulating

Complications arise because the interactions between technology and society are not

neutral but biased and political. This idea is long standing in technology studies and the

philosophy of technology (Winner 1980; Feenberg 1991). A classic exposition is Winner’s

analysis of the bridges over the parkways of Long Island (1980). These bridges appear to have a

strictly utilitarian purpose. However, the height of these bridges is quite low, as short as nine

feet. Winner argues that these bridges were designed to prevent buses from passing underneath

them. This serves to exclude poor people, who rely on public transportation to access Long

Island. Thus, the seemingly neutral bridge design is in reality a method of social engineering to

achieve class or racial exclusion. While the historical accuracy of this account has been

challenged (Joerges 1999), it still stands as a powerful, illustrative example. Other empirical

studies have illustrated biases in IT, such as the internet and search engines (Friedman 1997;

Introna and Nissenbaum 2000; Flanagan, Farinola, and Metzger 2000).

It is not enough to declare technology political. To understand how the design of IT

affects users, it is necessary to have a technical understanding of its workings. Here we follow

ANT’s methodology, which urges scholars to consider technology as an actor and how it

“configures the user” (Woolgar 1991). This means examining the biases inscribed in the design

of technology (Akrich 1992). Monteiro and Hanseth suggest analyzing “which anticipations of

use are envisioned,” “how are they inscribed,” and “how powerful are the inscriptions, that is,

how much effort does it take to oppose an inscription” (1995). A study on electronic traffic data

shows the value of this approach. Escudero-Pascual and Hosein argue that traffic data from the

Internet means something very different than traffic data from the telephone system (2004).

After all, information on Web sites and terms entered into search engines can be much more

revealing than the phone numbers we call. The authors arrived at this conclusion, because they

fully appreciated the technical differences between the Internet and the telephone.

The ability of IT to shape user behavior has led policymakers to ask whether they ought

to use technological means as an alternative to regulation or to supplement it. The issue is

complicated and underdeveloped from a scholarly perspective. Nevertheless, developers often

use technology to meet their needs. For example, to improve security, Microsoft switched the

default settings to turn on its firewall when it updated Windows XP. This example shows how

IT could be used proactively to ensure social welfare.

Users Reconfiguring Technology

While the emphasis on using technology to regulate can be seen as deterministic,

reconfiguration seeks to balance this paradigm by recognizing users’ agency in addressing social

concerns. The notion of agency is a core concept in sociology and is present in leading theories

of IT (Rose, Jones, and Truex 2005). Individuals play a crucial role in how technology regulates.

Any analysis needs to consider a situated analysis of IT (Suchman 1987), which emphasizes how

users interact and reconfigure technology. After all, it is well recognized nowadays that the

design and use of technologies often shape each other in a recursive process. This relationship is

illustrated in Figure 3.

Figure 3. Reconfiguring Technology

To analyze how users interact with IT, we ask two basic questions: How do users act and

how do they respond? For analytical discussion purposes, we discuss each separately. First, it is

important to analyze how people use technology. Scholars have shown how local meanings,

organizational constraints, and institutional forces can be as meaningful as the rules embedded in

IT (Suchman 1987; Kling and Iacono 1988). As a result, individuals do not always

use the technology as intended by developers. The history of IT is full of examples of

unanticipated uses, such as the personal use of the telephone by women (Fischer 1992). Even

though developers have inscribed the technology, it does not mean the technology will be used in

that manner. Orlikowski synthesizes past research on this topic by recognizing that “through

error (misperception, lack of understanding, slippage) or intent (sabotage, inertia, innovation),

users often ignore, alter, or work around the inscribed technological properties” (Orlikowski

2000, 409). This perspective allows us to treat technology as less monolithic.

Individuals also alter technology in multifarious ways. Individuals may respond by

reconfiguring the material properties of the technology. This process involves individuals

adding or modifying a technology and, therefore, shaping it to fit their needs and interests. This

can be as simple as turning on the v-chip feature or the closed captioning feature on televisions.

The ability of an individual to reconfigure a technology partly depends upon the technology’s

durability. There are two ways technologies can be made more durable and hence more resistant

to reconfiguration. First, technologies become more durable when switching or changing

technologies requires a considerable investment in hardware and software, otherwise known in

economics as “switching costs,” where the cost of switching to a new technology outweighs the

cost of keeping the current one (Shapiro and Varian 1999). The second means of maintaining

durability, “path dependence,” refers to how technologies become durable from a lock-in effect

that arises from “random” historical events (Arthur 1989; David 1985). In this way a

technology, such as the QWERTY keyboard layout, becomes durable and irreversible because of

events during its development.

The ability of users to reconfigure technologies has widespread normative implications

beyond inefficiencies that may result from switching costs or path dependence. Shah and Kesan

argue that certain governance characteristics of IT that can be manipulated either by users or

developers influence individuals (2003). Some of the characteristics include default settings,

transparency in user interfaces and code, and the use of standards. Policymakers can modify

“governance characteristics” or ensure that individuals are able to modify technology to enhance

social welfare. For example, software privacy controls may be difficult to configure. To

promote privacy, developers could be required to have privacy controls enabled as a default

setting. This would protect a user’s privacy, while also allowing individuals the freedom to

opt-out by reconfiguring the default setting. The manipulation of these governance characteristics

could also be used in conjunction with traditional regulatory methods such as law.

Developers’ Influence on IT

By starting with IT and users’ impact on one another, we assume IT design as set. Yet

the development stage has obvious and immediate impacts upon IT. Scholars have long studied

how technologies are developed to understand why they operate in a particular fashion. While

the relationship among developers, users, and IT shown in Figure 4 is quite obvious, it highlights

several fundamental points. Developers consist of numerous social actors that play a crucial part

in guiding and shaping IT; they are also responsible for biases inscribed in technology.

Nonetheless, developers do not exist in a vacuum. The figure also illustrates how developers are

embedded and influenced by a web of forces, such as social, economic, political, institutional,

and regulatory.

Figure 4. Developing IT

The development process shapes the non-neutrality of technology, although not always

purposively. Both structuration and ANT consider this process. From the structuration

perspective, developers build certain “interpretive schemes (rules reflecting knowledge of the

work being automated), certain facilities (resources to accomplish that work), and certain norms

(rules that define the execution of the work)” into technology (Orlikowski 1992, 410). ANT

scholars hold that the inscription process, which is simultaneous with the development process,

is how beliefs, tastes, competences, motives, aspirations, values, biases, and political prejudices

are embodied by the artifact (Akrich 1992). The inscription process gives technologies a “script”

that prescribes user actions (Latour 1992). For example, a speed bump’s script encourages

drivers to slow down.

Developers may use scripts as a means to influence user behavior. This strategy does not

always result in desired outcomes. Verbeek points out that even though developers set scripts, it

is the users that decide how to interpret and appropriate them (2006). As we acknowledge, users

can respond and reconfigure technologies. Nevertheless, Verbeek argues that designers have a

normative responsibility to make sure artifacts act in a prescribed manner (2005). Another

normative approach, Value Sensitive Design, focuses on accounting for values, particularly those

with a moral import, during the development process (Friedman, Kahn, and Borning 2006), such

as privacy (Camp, Shankar, and Connelly Forthcoming).

Institutional forces also lead to systematic regularities in technology’s biases.

“Institutions” is a way of referring to groups of organized social actors with common social rules

and continued interactions with society (Avgerou 2002). This definition is compatible with work

in sociology on new institutionalism theory (Powell and DiMaggio 1991) and work in economics

on the role of institutions (North 1990). The idea here is that within a certain institution, there

is a set of values, norms, procedures, laws, beliefs, and taken-for-granted assumptions that are

related to its raison d’être. These shared rules and interactions may lead to certain tendencies

in the development of IT.

The institutional approach has a long history of explaining how firms and government

influenced the development of technology (Savage 1989; Mansell 1993; Edwards 1996;

Samarajiva and Shields 1997). More recent scholarship on IT considers other influential

institutions, such as universities, standards organizations, consortia, and the amateur-led open

source movement (Shah and Kesan 2005; Cargill 1989; Schmidt and Werle 1998). This work

shows how institutional norms and processes can influence the final attributes of the technology

it produces. For example, institutional tendencies may favor certain technical values, such as

open standards or low defect code, or more socially-oriented values, such as the appropriate level

of intellectual property protection or privacy protection for technology. Consequently, the same

technology may have developed differently within different institutions. Policymakers can use

these institutional tendencies to assess technologies, as well as to shape technology by

favoring or promoting development in specific institutions.

While our discussion has focused on institutional forces, this does not mean other forces

are irrelevant. We focused on institutional factors, because policymakers continue to undervalue

them. Additionally, other institutional factors, like politics or economics, can also serve as a

normative tool for developing IT. For example, policymakers could steer development toward

an institution that favors particular social or technical attributes. We discuss this issue in the

following section, but it derives from our recognition of institutional tendencies and the

assumption that institutional norms and processes are stable.

Society Shaping Technology

Along with regulating, reconfiguring, and developing, we also focus on how individuals

collectively react and influence the development of technology. The ability of society to

influence the development process is widely recognized by a number of disciplines, including

communications, social movements, and regulation. Examples of these influences within

communications include movements led by citizens concerning radio broadcasting policy

(McChesney 1993), the public support for the v-chip legislation (Lieberman 1996), and public

calls for regulating telemarketing or spam. This relationship goes beyond individual users to a

collective approach to IT. “Society” therefore appears in Figure 5 as an off-shoot of users to

complete the ITSI framework.

Figure 5. Shaping IT

There are many points through which society can pressure developers to change

technology. They include harnessing various forces, such as social, economic, political,

institutional, and regulatory. Many of these methods can be employed without government

intervention, such as the use of market forces, self-regulation, public pressure, and the work of

public interest groups. These methods have a long history of influencing the development of IT.

Sometimes, though, government intervention is required. After all, government has and will

continue to play a role in shaping the development of technology, most notably in the research

and development of computer networks such as the Internet. Government has a wide variety of

regulatory methods, such as command and control, incentives, and market-harnessing controls

(Breyer 1982; Baldwin and Cave 1999; Kesan and Shah 2005). For instance, television

manufacturers have responded to consumer desires for larger televisions by producing larger

televisions. Their decision reflects market forces. In contrast, the government had to force

television manufacturers to incorporate digital television tuners with a regulation (Balanced

Budget Act 1997).

Society can also use institutional norms and processes to shape the development process.

While institutional norms and processes are generally stable, they do change over time.

Consequently, these shifts make it possible to influence the process. The movement over the last

thirty years from an emphasis on standard developing organizations to consortia (a legally

constructed institution) serves as an example of the shifts within the institutional settings of the

IT industry (Cargill 2001).

A normative approach to shaping technology can be found under the rubric of

constructive technology assessment or normative engineering (Schot and Rip 1997). This

literature attempts to understand how technology is shaped from a normative aspect. While we

believe that in some circumstances society ought to act to shape technology, it is also necessary

to recognize the unpredictability of technological development. This led us to Berg’s cautionary

point to expect continual shifts and small movements when influencing technology positively

(1998). While the relation between society and IT adds a new dimension to our framework, it is

just one branch of a complicated structure. We now turn to an overview of the model.

Summary

The ITSI framework defines technology as material artifacts, such as the hardware and

software of IT. This narrow definition is useful, because it allows us to frame the use of

technology as an interaction between individuals and technology, while also considering how IT

can be socially constructed. The narrow definition grants ITSI a wider applicability to examine

how IT affects a variety of societal concerns, such as privacy, freedom of speech, accessibility,

or intellectual property protection.

The directionality of the arrows in ITSI (Figure 5) emphasizes key relationships between

society and IT from a policy perspective. The framework is tightly tailored to address policy

concerns, and does not address all the possible relationships among developers, individuals, and

technology. For example, an arrow could have been drawn from technology to developers.

After all, new information technologies have significant implications for developers, such as

government (Fountain 2001) and firms (Shapiro and Varian 1999). However, ITSI concerns

how IT affects our experiences and choices in a public policy context, not the evolution of IT.

As a result, these other relationships are omitted to keep ITSI as simple as possible. Similarly,

we could have included a bubble around users, as we did for developers, to indicate various

forces that affect them, such as institutional, social, regulatory, economic, and so on, but instead

we emphasize only the critical relationships for understanding the interactions between society

and IT from a policy perspective. In contrast, we emphasize the situatedness of developers,

because it allows us to understand how technologies are biased and how society can shape IT

through developers.

To delineate the contribution of ITSI, Tables 1 through 3 provide a summary of various

aspects of ITSI. We consider three chronological stages starting with developing, moving to

regulating and reconfiguring (which we collapse into one stage), and ending with shaping. Table

1 provides the key questions ITSI poses within each of the three stages. These questions are

asked when using ITSI to analyze an issue. Each relationship elicits a set of questions that aid us

in identifying where problems emerge and their impact on users. Starting with developers, we

ask about the factors and institutional norms that influence the design of technology. We then

ask how IT affects users and identify user responses to it. In terms of shaping, we consider how

to enact possible solutions.

Developing IT
1. What crucial factors influenced this particular version of IT?
2. How have various organizations/institutions influenced the technology?

IT Regulating / Reconfiguring IT
1. How does the design of IT affect users?
2. How do users act / respond?

Shaping IT
1. Can we encourage developers to fix the problem themselves?
2. How best can government (or other organizations) intervene?

Table 1. Significant questions ITSI asks

Table 2 contains a summary of the main analytical points that arise from ITSI. Each of

the relationships involves a set of presuppositions. Our framework maintains that during

development, biases are inscribed in the design of the technology. Moreover, institutional norms

and processes foster what biases are inscribed. Yet one must have a broad perspective on the

development process to identify what biases emerge, because many organizations have a stake in

the design. As for users, the framework operates from the point of view that IT influences

human actions. At the same time, individuals have agency; they can modify, reconfigure, and

misuse technology. Furthermore, one must understand how IT operates at the technical level to

identify these processes. ITSI considers society as capable of implementing solutions, because

individuals, en masse, can influence developers through the market, direct appeals, or even by

advocating government regulations. What is more, society can influence IT through institutional

norms and processes, as identified in the development stage.

Developing IT
1. Biases can be inscribed during the development process
2. Institutional norms and processes can result in systematic regularities in biases
3. Consider a wide scope of organizations and institutions that influence development

IT Regulating / Reconfiguring IT
1. IT influences human action
2. To understand inscriptions, we need to understand the IT at a technical level
3. Individuals have agency
   a. Consider how they use or misuse IT
   b. They can modify or reconfigure IT depending upon its durability

Shaping IT
1. Individuals and society can react and influence developers
2. Many tools available from the market to government regulation
3. Shape IT by modifying institutional norms and processes

Table 2. Analytical insights from ITSI

ITSI does not merely identify biases inscribed in IT, but offers a means of

arriving at normative insights into the design of IT. Examples of normative proposals are

highlighted in Table 3 and discussed in the relevant part of the framework. Each of the

relationships offers an entry point to modify IT and its uses. In the development stage,

developers could alter the design of IT or one could rely on institutional norms and processes.

Once users and technology interact, policymakers need to understand the IT involved at a

technical level. Then they can establish certain governance characteristics or force developers to

make the technology easier to reconfigure, thereby reducing its durability and lock-in effect.

Lastly, policymakers could shape IT to promote social welfare. The next section applies all of

the information provided in the three tables to a case study.

Developing IT
1. Design IT differently, e.g., value sensitive design
2. Utilize institutional norms and how processes influence IT

IT Regulating / Reconfiguring IT
1. Policy scholars need to seriously consider / understand the IT
2. Manipulate governance characteristics
3. Make technologies easier to reconfigure by reducing their durability

Shaping IT
1. Policymakers ought to shape IT to societal ends

Table 3. Normative Insights That Flow From ITSI

Applying ITSI to Wireless Technology

This section illustrates ITSI as a workable approach for policy issues. We use ITSI to

analyze security issues that arise with the use of wireless technologies. We chose wireless

security because it has been largely ignored in policy debates. Although people concede that

wireless security is important, no policy changes have been suggested. In contrast, an ITSI

analysis highlights several critical security issues involved with wireless technology and offers

suggestions for improving wireless security. The analysis in this section is based on the four

distinct relationships identified by ITSI: IT regulating users, users reconfiguring IT, society

shaping IT, and developers’ influence on IT use. Additionally, we consider normative proposals

for improving wireless security based on extant scholarship. The data is derived from our own

research, existing scholarly research, and secondary sources.

Background on Wireless Security

This case study examines the security of the wireless technology commonly known as 802.11b or Wi-Fi. This

technology emerged in the late 1990s and is now widely used by consumers for wireless

networking (Bar and Galperin 2004; Ohrtman and Roeder 2003). The IEEE (Institute of

Electrical and Electronics Engineers) developed the 802.11b standard and a nonprofit trade

organization, the Wi-Fi Alliance, certifies products to ensure interoperability on various

computers and networks. Interoperability lowers the entry barrier for new manufacturers of

Wi-Fi technologies and ensures consumers are not locked into devices from one manufacturer.

Currently, the Wi-Fi Alliance includes over 200 member companies and has certified over 2,000

products.

Security was a concern during the development of the 802.11b standard. It was

understood that an unsecured wireless connection could allow unauthorized parties to eavesdrop

on communication, masquerade as an authorized user, modify network traffic, and even

consume network bandwidth (U.S. General Accounting Office 2005). To prevent such

unauthorized use, the 802.11b standard includes a protocol known as Wired Equivalent Privacy

(WEP). The purpose of WEP is to encrypt wireless communication, thus preventing

unauthorized users from eavesdropping or using a network. In 2001, a group of researchers from

the University of California at Berkeley presented a paper on WEP’s flaws (Borisov, Goldberg,

and Wagner 2001). In response, the Wi-Fi Alliance created an interim specification, Wi-Fi

Protected Access (WPA), to address these security problems (Ohrtman and Roeder 2003). The

IEEE eventually developed a revised standard in 2005, which is known as WPA2. Since 2006,

all devices seeking Wi-Fi certification must comply with WPA2.

Despite the widespread use of wireless and the sensitivity of the data accessed through it,

wireless security has not become a significant public policy issue. Leading public interest

groups involved in IT issues, such as the Electronic Frontier Foundation, Center for Democracy

and Technology, and the Electronic Privacy Information Center, have not pushed for any policy

initiatives for wireless security. The attitude prevails that this is an end user’s responsibility.

This perspective holds end users responsible for securing their wireless access points (AP),

whether the user is the government, a firm, or an individual. Despite this consensus that the user

should establish his or her wireless security, our use of ITSI finds that policy intervention can

better serve societal welfare.

ITSI Analysis of Wireless Technology

Regulating Technology / Reconfiguring Technology

We have already established the reciprocal influence between individuals and

technology. Using ITSI, we now apply this knowledge to understand how individuals have been

affected by wireless security and the steps they have (not) taken to protect themselves. The first

step is to consider how the design of IT affects users. In this case, we have research that shows

how default settings in Wi-Fi access points (APs) affect their use and misuse. APs are a common

consumer technology for creating wireless networks inside homes and businesses. APs create a

wireless network and are typically connected to other wireless clients (e.g., a laptop) and a router

(which is sometimes built in) for Internet connectivity. A wireless network creates security risks,

because the AP broadcasts to everyone within its range.

Shah and Sandvig analyzed the data from hundreds of thousands of APs to understand

how people configure their APs (2005). They found defaults programmed into APs to be

extremely influential. Half of the users never changed any of the three default settings that

influence security. One particular default setting was the use of WEP security technology. WEP

encrypts communication and prevents casual snooping. WEP encryption is widely

recommended as a necessary step for properly configuring an AP. The majority of

manufacturers turn off WEP by default, resulting in only about 28% using encryption. In

contrast, 2Wire, a broadband service provider, turns on WEP by default leading to 96% usage for

encryption. This contrast between 28% and 96% illustrates the power of default settings for

establishing user settings.

To better understand wireless security, we examined the setup procedures for several

popular APs. Our analyses included access points from Linksys, Netgear, Belkin, D-Link, and

Microsoft. We found differences among the defaults for encryption, the ease of setup, and

requirements for changing passwords and network information. These differences at the

technical level can influence how people configure their AP and, consequently, their level of

wireless security. As we later argue, this research led us to believe that wireless manufacturers

could easily change several settings that would greatly improve wireless security. Default

settings establish most users’ configurations. Manufacturers, therefore, should base defaults on

such knowledge.

ITSI also focuses on the role of users and their use of technology. The predominant view

is that correct configuration is the responsibility of end users; this view is supported by a variety

of groups including the government (National Institute of Standards and Technology 2002;

US-CERT 2005), manufacturers (Intel 2005; Linksys 2005), and the media (Karagiannis 2003;

Lasky et al. 2004). They urge users to configure their wireless APs “properly” without asking

why it is necessary for users to reconfigure their wireless APs. In fact, all advice for setting up a

wireless AP recommends that users configure WEP encryption. Despite the fact that

manufacturers set many defaults in anticipation of user preferences, they neglect to choose

encryption.

While the burden has been placed on users to reconfigure their APs, research on wireless

use clearly shows that users are deferring to defaults. This behavior suggests a number of

possible normative solutions. The first is to regulate manufacturers by demanding that they set

the default to protect users. APs should be designed as “secure by default.” The second is to

encourage reconfigurability by lowering the APs’ durability. This essentially focuses on making

it easier for the user to change the AP’s settings. Educating users and improving user interfaces

can help achieve this goal. However, lowering durability follows the broken approach of relying

on users to reconfigure their APs. Because defaults carry such significant power, policymakers

should ensure these defaults are set to foster security.

Developing Wireless Technology

The ITSI analysis examines the development process with an emphasis on how various

IT characteristics were shaped as well as the influence of institutions. In the case of wireless

technology, ITSI asks why manufacturers neglect to ensure user security in the first place. In the

previous section, we noted that defaults play a crucial role in determining levels of wireless

security. The analysis should then consider how these defaults were inscribed into APs and the

factors influencing this process.

The history of wireless security has shown that manufacturers have not emphasized

security. For example, manufacturers were slow to incorporate WEP into their products (Gast

2002). Instead, they relied on MAC address filtering, which is useful for preventing

unauthorized access, but does not prevent eavesdropping. Moreover, manufacturers have viewed

security as an option for consumers and not something that is mandatory or even suggested.

After all, almost all manufacturers design their products to turn off WEP by default (Schiesel

2005). This default setting suggests to users that WEP is not necessary or important.

Manufacturers explain that they do not set the default for encryption, because of the high

costs associated with technical support. Configuring wireless devices for WEP usage is not easy

and, if done improperly, can result in no wireless connectivity. According to Linksys, 70% of its

support calls are related to “initial installation and configuration” (Kistner 2004). Moreover,

customer satisfaction falls when a user needs to make two or more service calls. Currently, to

avoid configuration confusion and customer dissatisfaction, Linksys turns off WEP by default.

If Linksys turned on WEP by default, they would expect even more support calls from

customers. This explains why virtually all manufacturers turn off WEP and leave customers

with poor security.

Besides manufacturers, other important developmental forces for securing users’

information are the IEEE and the Wi-Fi Alliance. Both organizations have worked toward improving

the security of wireless technologies through the development of WEP, WPA, and WPA2.

Therefore, security is in their members’ interest. However, they have not focused on developing

secure technologies that users can easily and transparently utilize. For example, consider the use

of hexadecimal passwords for WEP encryption (e.g., a password in hexadecimal format is

5c23a4ab7b) (Potter and Fleck 2003). Only an engineer could appreciate this approach! This

bias emerges because the IEEE and the Wi-Fi Alliance respond to their members and not

end-users in general.
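
The hexadecimal key entry criticized above, and the earlier remark that an improperly configured key can result in no wireless connectivity, can be made concrete with the following added example, which is not part of the original paper. It is Python written for illustration; the function names, the ASCII entry mode, and the 5-byte and 13-byte key sizes are assumptions drawn from general WEP practice rather than from the paper, and the client entries are constructed.

```python
# Raw key sizes in bytes for the two commonly deployed WEP variants.
# Background knowledge about WEP, not a detail taken from the paper.
WEP_KEY_BYTES = {5: "WEP-40", 13: "WEP-104"}


class WepKeyError(ValueError):
    """Carries a user-facing explanation of why an entry was rejected."""


def parse_wep_key(text, fmt="hex"):
    """Convert what a user typed into (variant, raw key bytes).

    fmt="hex"   : hexadecimal digits, the style the paper quotes.
    fmt="ascii" : one character per key byte (assumed convenience mode).
    """
    if fmt == "hex":
        # Users often paste keys with a 0x prefix or with separators.
        cleaned = text.strip().lower()
        if cleaned.startswith("0x"):
            cleaned = cleaned[2:]
        for sep in (":", "-", " "):
            cleaned = cleaned.replace(sep, "")
        bad = sorted({c for c in cleaned if c not in "0123456789abcdef"})
        if bad:
            raise WepKeyError("only 0-9 and a-f are allowed, found: " + " ".join(bad))
        if len(cleaned) % 2:
            raise WepKeyError("%d hex digits is an odd count; a digit is missing or extra"
                              % len(cleaned))
        raw = bytes.fromhex(cleaned)
    elif fmt == "ascii":
        try:
            raw = text.encode("ascii")
        except UnicodeEncodeError:
            raise WepKeyError("ASCII mode accepts plain ASCII characters only") from None
    else:
        raise ValueError("fmt must be 'hex' or 'ascii'")

    if len(raw) not in WEP_KEY_BYTES:
        raise WepKeyError("key is %d bytes; expected 5 (10 hex digits) or 13 (26 hex digits)"
                          % len(raw))
    return WEP_KEY_BYTES[len(raw)], raw


def describe_entry(text, fmt="hex"):
    """Return the message a setup screen could show for this entry."""
    try:
        variant, _ = parse_wep_key(text, fmt)
    except WepKeyError as exc:
        return "rejected: %s" % exc
    return "accepted as %s" % variant


def keys_match(ap_entry, client_entry):
    """True only if both (text, fmt) entries yield identical key bytes.

    Raises WepKeyError if either entry is not a valid key at all.
    """
    return parse_wep_key(*ap_entry)[1] == parse_wep_key(*client_entry)[1]


if __name__ == "__main__":
    ap = ("5c23a4ab7b", "hex")  # the example key quoted in the paper
    # Constructed client-side entries illustrating typical mistakes.
    attempts = [
        ("5C:23:A4:AB:7B", "hex"),  # same key, different notation
        ("5c23a4ab7", "hex"),       # one digit dropped
        ("5c23a4ab7g", "hex"),      # mistyped character
        ("5c23a", "ascii"),         # right length, wrong entry mode
    ]
    for entry in attempts:
        status = describe_entry(*entry)
        if status.startswith("accepted"):
            status += ", matches AP" if keys_match(ap, entry) else ", but does NOT match AP"
        print("%-18r %-6s %s" % (entry[0], entry[1], status))
```

The last constructed entry is the costly one: it passes validation on the client yet encodes different key bytes than the AP holds, so nothing on either device reports an error and the user simply has no connectivity.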

Universities have also played an important role in identifying security flaws in existing

standards and wireless technologies. For example, research documenting the problems with

WEP encryption was done at the University of California at Berkeley (Borisov, Goldberg, and

Wagner 2001). This work (and other follow up work) was crucial in illustrating wireless security

flaws. Their interest in wireless security arises from its novelty and the impact of identifying

unknown problems.

The ITSI analysis shows that in the area of wireless security, several forms of

institutional actors, including firms, consortia, and universities, have attempted to correct flaws.

This array of institutions is not the result of natural equilibrium. It is the result of several

different interests coming together to focus on security issues. After all, there are many other

technologies under development, such as digital rights management or radio-frequency

identification, which do not have that same degree of cooperation among various institutions.

The history of multiple actors affecting the development of wireless has normative

consequences. Policymakers have many actors they can push or prod to help improve wireless

security. While the possibility of redesigning such a mature technology is not likely, it is

possible to reconfigure slightly the technical characteristics to improve security. One way of

doing so is to rely on institutional norms as a rough proxy to predict what these actors may do.

In this case, firms focus on selling wireless APs, and therefore they may not focus on security

issues if they are too costly and not demanded by their customers. Consortia, on the other hand,

are driven by their members’ interest and may favor solutions that are in the interest of their

members, but not the general public. As an interested party, universities may be limited, because

they have scarce resources. As wireless technologies mature, university researchers may have

less incentive to study the security issues involved in an “old” technology. In the next section,

we take up these institutional tendencies and discuss how society can strategically utilize them to

foster more secure wireless technology.

Society Shaping Wireless Security

The ITSI analysis suggests that security can be improved if manufacturers redesigned

their wireless technologies. ITSI recognizes that society can react to technologies by prompting

developers to remove, modify, and create new versions of technologies. After all, the

development of technology is influenced by society. ITSI suggests that policymakers consider

how to improve wireless security by influencing developers, because left in the hands of users,

security problems have not been addressed. ITSI does not provide normative guidance; for that,

policymakers need to look to the existing literature in regulatory theory as applied to IT.

The typical way to influence manufacturers is through the market. However, it is clear at

this juncture that a status quo approach of relying on market forces will not improve wireless

security. If the market cannot address the security concerns, one must look toward other

methods such as cajoling firms and informing consumers about the security issues. Making

customers aware of these threats can stimulate public interest and lead advocacy groups and the

government to enter the debate. Policymakers should, in fact, foster this debate. There is every

reason to believe that the attention and pressure from congressional hearings and reports from

public interest groups can influence manufacturers to develop APs that are “secure by default.”

This activity will lead customers to demand more security as well as highlight potential

regulatory costs to manufacturers.

A final recourse for influencing wireless technologies is government involvement.

Currently, government funding of university research helps identify security flaws in wireless technology.

Other ways government can influence development include fiscal measures, such as using

government’s procurement power to favor secure wireless technologies. Government could also

expand liability to hold wireless AP manufacturers accountable for the costs of security.

Discussion has already arisen for identifying liability more generally when addressing lax

security in computing systems (National Research Council 2002). However, the point of this

article is not to address the multitude of ways government can change the incentives of

manufacturers. Instead, our goal is to show how an ITSI analysis can provide insights for

addressing public policy issues.

Applying ITSI to Other Problems

ITSI is useful for analyzing a wide range of scenarios beyond wireless security. ITSI has

been used to analyze a number of other technologies and policy issues, such as RFID technology,

cookies, digital rights management, and open standards policies. This section briefly discusses

the effects on social welfare that ITSI has identified in two other technologies: Radio Frequency

Identification (RFID) technology and Digital Rights Management (DRM) technology.

In the case of RFID, ITSI is a marked improvement over the existing theoretical

approach, the principles of Fair Information Practices (FIP). ITSI provides developers with

useable possibilities for addressing RFID privacy. For example, ITSI recognizes that designers

are capable of incorporating privacy into the design. Designers can provide users with the ability

to control or reconfigure RFID tags. This could be accomplished in many ways, from modifying

the information contained in a tag to removing or destroying the tag. While this suggestion may

seem obvious, ITSI provides a framework for finding solutions that other approaches miss.

An ITSI analysis of DRM technologies also offers several ideas for improving its use.

For example, DRM technologies are almost entirely a creation of firms. Our analysis suggests

this is because DRM technology is thought of as a proprietary solution and therefore a winner-

take-all marketplace. To combat this problem, policymakers should fund efforts to make DRM

technology less proprietary and more standardized. If they followed this suggestion, more

vendors would jointly participate in a useful version of DRM. The government could also fund

university research, which thus far has not played a large role.

ITSI also considers how DRM’s internal dynamics may impede social welfare. Our

analysis of a very popular DRM technology, Apple Inc.’s Fairplay that protects music copyright,

shows that its popularity stems from its perceived transparency to the user. This is unlike other

DRM technology that users dislike because of overly strict restrictions, e.g., Sony. Fairplay acts

as most users would expect. Users are not continually trying to reconfigure the technology, a

situation in which it would be very difficult for DRM to succeed. Nevertheless, users have difficulty trying

to reconfigure some aspects of Apple’s Fairplay. Our analysis describes these limitations and

provides suggestions to improve the technology.

Discussion

ITSI provides a systematic way for thinking about how technology affects society. It

considers how technology develops, how people use technology, and how society can influence

the development of technology. This section discusses the implications of these relationships

and how ITSI advances our theoretical understanding of technology.

First, ITSI is useful for policymakers, who have had little guidance on how to approach

these issues. As we pointed out earlier, the current theoretical perspectives for analyzing

technology are not used by policymakers. ITSI can be applied by policymakers seeking insights

into contemporary policy issues. It can also help identify key actors and processes that influence

how IT affects society. In the case of wireless security, the ITSI analysis found flaws with the

status quo by analyzing the issue at the individual level. Individuals are not capable of

reconfiguring wireless APs. This insight would not have been identified using other approaches,

such as an economic model. After all, this problem is not evident using standard economic

criteria, such as cost and market failure. Moreover, ITSI suggests a solution: redesigning APs.

Conversely, conventional approaches would look to regulation. Its adeptness with technology is

why ITSI is useful for analyzing policy issues.

Second, ITSI builds upon existing theoretical paradigms. In doing so, it avoids creating

simplistic binary oppositions for understanding how society and IT interact (Lievrouw and

Boczkowski 2006). ITSI is largely based on sophisticated scholarly analysis of IT within

structuration and actor-network theory and their rejection of simple deterministic relationships.

Concepts such as biases in IT, reconfiguration, and shaping are not novel. The novelty is

bringing these concepts together into a systematic descriptive framework for understanding IT in

a policy context. By doing this, we can see how these concepts aid analysis of policy issues as

well as guide policy solutions. As an example, consider how reconfiguration may be more

appropriate than regulation in certain circumstances. In the case of RFID tags, a tracking device

that relies on radio frequencies, the new favored approach is to focus on ensuring RFID tags are

reconfigurable by end users rather than passing new regulations (Baard 2006; Consumers

Against Supermarket Privacy Invasion and Numbering 2003). With multiple actors, forces, and

relations influencing the use of IT, we require a theoretical approach that understands it in

context.

Third, ITSI is a theoretical advance over existing approaches because of its emphasis on

IT. Technology is an integral part of the framework. Unlike many other approaches where

technology is an afterthought and bolted onto an existing theoretical paradigm, this model allows

ITSI to be applied to a variety of social issues. For example, privacy issues are analyzed through

the principles of Fair Information Practice, while free speech issues are analyzed on First

Amendment grounds. Instead, ITSI focuses on the common denominator of technology. The

advantage is that ITSI is capable of analyzing issues that lack an existing theoretical foundation,

such as universal accessibility. However, as ITSI emphasizes, to understand technology, we

need to consider how it is situated with respect to users and developers. In other words,

technology must be analyzed within context.

Fourth, the ITSI framework offers new insights into how IT interacts with society. Some

specific examples include the role of institutions, governance characteristics, and the importance

of defining how society influences the development of technology. These roles were considered

while analyzing wireless security. The norms of firms, consortia, and universities led them to

emphasize different values in the development process. The analysis of wireless technology also

suggested a normative proposal that relied on modifying the governance characteristic of

defaults. This policy move would encourage manufacturers to design their APs to be “secure by

default.” After all, if users are unable to reconfigure their APs, then ITSI suggests that we work

with the other half of the relationship, how technology regulates, by modifying defaults.

Conclusion

This article provides a systematic descriptive framework for analyzing how IT affects

public policy issues. The ITSI framework is inspired by existing theory such as structuration and

ANT, but is tailored to the theoretical and practical needs for analyzing the interactions between

IT and society. Specifically, ITSI considers the development of IT, how IT regulates individuals

while also recognizing that individuals can reconfigure IT, and finally, how society can intervene

and influence the development of IT. The ITSI framework builds upon a large corpus of

descriptive and normative scholarship by computer scientists, sociologists, communications

scholars, and legal scholars. The contribution here does not define a new set of relationships

between society and information technology; rather, it explicates existing relationships, and in

the process, develops a descriptive framework that provides analytical insights.

This article illustrates ITSI through an analysis of security issues involved in wireless

technology. The analysis found that consumers are not provided with simple and effective

security because of the increased reliance on user configuration. ITSI led to this finding; it

would not have emerged using conventional policy analysis. ITSI also provided solutions to this

problem. Instead of looking toward users to improve security, policymakers should look to

manufacturers to develop APs that are “secure by design.” The analysis ended by pointing out a

number of strategies to influence manufacturers to improve the design of wireless APs.

ITSI improves the ability of scholars and policymakers to analyze a variety of policy

issues concerning IT. Going forward, we believe some of the concepts highlighted by ITSI, such

as the role of institutions, reconfiguration, and governance characteristics, will be fruitful grist

for scholars. At the very least, ITSI provides scholars and policymakers with a starting point for

analyzing how IT affects society from a policy perspective.

References:

Akrich, Madeleine. 1992. The De-Scription of Technical Objects. In Shaping Technology/Building Society, edited by W. E. Bijker and J. Law. Cambridge: MIT Press.

Arthur, W. Brian. 1989. Competing Technologies, Increasing Returns and Lock-in by Historical Events. Economic Journal 99:106-131.

Avgerou, Chrisanthi. 2002. Information Systems and Global Diversity. Oxford: Oxford University Press.

Baard, Mark. 2006. Retail-Safe RFID Unveiled. Wired, May 2.

Balanced Budget Act.

Baldwin, Robert, and Martin Cave. 1999. Understanding Regulation. Oxford: Oxford University Press.

Bar, Francois, and Hernan Galperin. 2004. Building the Wireless Internet Infrastructure: From Cordless Ethernet Archipelagos to Wireless Grids. Communications & Strategies 54 (2):45-68.

Berg, Marc. 1998. The Politics of Technology: On Bringing Social Theory into Technological Design. Science, Technology, & Human Values 23 (4):456-490.

Borisov, Nikita, Ian Goldberg, and David Wagner. 2001. Intercepting Mobile Communications: The Insecurity of 802.11. Paper read at Seventh Annual International Conference on Mobile Computing and Networking.

Braman, Sandra. 2003. The Long View. In Communication Researchers and Policy-Making, edited by S. Braman. Cambridge, MA: MIT Press.

Breyer, Stephen. 1982. Regulation and Its Reform. Cambridge: Harvard University Press.

Callon, Michel. 1986. Some elements of a sociology of translation: Domestication of the scallops and the fishermen of St Brieuc Bay. In Power, action and belief, edited by J. Law. London: Routledge.

Camp, Jean, Kalpana Shankar, and Kay Connelly. Forthcoming. Systematic Design for Privacy in Ubicomp.

Cargill, Carl. 1989. Information Technology Standardization: Theory, Process, and Organization: Digital Press.

Cargill, Carl F. The Role of Consortia Standards in Federal Government Procurements in the Information Technology Sector: Towards a Re-Definition of a Voluntary Consensus Standards Organization, June 28 2001 [cited. Available from http://www.sun.com/standards/HouseWhitePaper_ver2_Final.PDF.

Clarke, Roger. 1999. Internet Privacy Concerns the Case for Intervention. Communications of the ACM 42 (2):60-67.

Collins, H.M., and Steven Yearley. 1992. Epistemological Chicken. In Science as Practice and Culture, edited by A. Pickering. Chicago, IL: Chicago University Press.

———. 1992. Journey Into Space. In Science as Practice and Culture, edited by A. Pickering. Chicago, IL: Chicago University Press.

Consumers Against Supermarket Privacy Invasion and Numbering. 2004. RFID Position Statement of Consumer Privacy and Civil Liberties Organizations, November 20 2003 [cited August 16 2004]. Available from http://www.privacyrights.org/ar/RFIDposition.htm.

Daft, R. L., and R. H. Lengel. 1984. Information Richness: A New Approach to Managerial Behavior and Organization Design. In Research in Organizational Behavior, edited by B. M. Staw and L. L. Cummings. Greenwich: JAI Press.

David, Paul A. 1985. Clio and the Economics of QWERTY. American Economic Review 75 (5):332-337.

DeSanctis, Gerardine, and Marshall Scott Poole. 1994. Capturing the Complexity in Advanced Technology Use: Adaptive Structuration Theory. Organizational Science 5:121-147.

Edwards, Paul N. 1996. The Closed World: Computers and the Politics of Discourse in Cold War America. Cambridge: MIT Press.

Eisenstein, Elizabeth L. 1997. The Printing Press as an Agent of Change: Communications and Cultural Transformations in Early-Modern Europe. Cambridge: Cambridge University Press.

Escudero-Pascual, Alberto, and Ian Hosein. 2004. The Hazards of Technology-Neutral Policy: Questioning Lawful Access to Traffic Data. Communications of the ACM 47 (3):77-82.

Feenberg, Andrew. 1991. Critical Theory of Technology. New York: Oxford University Press.

Fischer, Claude S. 1992. America Calling, A Social History of the Telephone to 1940. Berkeley: University of California Press.

Flanagan, Andrew J., W. J. M. Farinola, and Miriam J. Metzger. 2000. The technical code of the Internet/World Wide Web. Critical Studies in Media Communication 17 (3):409-28.

Floerkemeier, Christian, Roland Schneider, and Marc Langheinrich. 2005. Scanning with a Purpose - Supporting the Fair Information Principles in RFID Protocols. In Ubiquitous Computing Systems. Revised Selected Papers from the 2nd International Symposium on Ubiquitous Computing Systems (UCS 2004), edited by H. Murakami, H. Nakashima, H. Tokuda and M. Yasumura. Berlin, Germany: Springer-Verlag.

Fountain, Jane E. 2001. Constructing the information society: Women, information technology, and design. Technology in Society 22:45-62.

Friedman, Batya. 1997. Human Values and the Design of Computer Technology. Stanford, CA: CLSI Publications.

Friedman, Batya, Peter H. Kahn, and Alan Borning. 2006. Value Sensitive Design and Information Systems. In Human-Computer Interaction in Management Information Systems, edited by P. Zhang and D. Galletta. New York: M.E. Sharpe, Inc.

Gast, Matthew. 2005. Wireless LAN Security: A Short History 2002 [cited July 12 2005]. Available from http://www.oreillynet.com/lpt/a/1728.

Giddens, Anthony. 1984. The Constitution of Society: Outline of the Theory of Structure. Berkeley, CA: University of California Press.

Haythornthwaite, Caroline, Barry Wellman, and Laura Garton. 1998. Work and Community Via Computer-Mediated Communication. In Psychology of the Internet, edited by J. Gackenbach. San Diego, CA: Academic Press.

Hosein, Ian, Prodromos Tsiavos, and Edgar Whitley. 2003. Regulating Architecture and Architectures of Regulation: Contributions from Information Systems. International Review of Law, Computers & Technology 17 (1):85-97.

Howcroft, Debra, Nathalie Mitev, and Melanie Wilson. 2004. What We May Learn from the Social Shaping of Technology Approach. In Social Theory and Philosophy for Information Systems, edited by J. Mingers and L. Willcocks. West Sussex, England: John Wiley & Sons, Ltd.

Innis, Harold. 1951. The Bias of Communication. Toronto, Canada: University of Toronto Press.

Intel. 2005. Wireless Network Security Resource Center 2005 [cited July 12 2005]. Available from http://www.intel.com/personal/wireless/security/index.htm.

Introna, Lucas, and Helen Nissenbaum. 2000. Defining the Web: The Politics of Search Engines. IEEE Computer 33 (1):54-62.

Joerges, Bernward. 1999. Do Politics Have Artifacts. Social Studies of Science 29 (3):411-431.

Jones, M. 1997. Structuration Theory. In Rethinking Management Information Systems, edited by W. Currie and B. Galliers. New York: Oxford University Press.

Jones, Matthew, Wanda Orlikowski, and Kamal Munir. 2004. Structuration Theory and Information Systems: A Critical Reappraisal. In Social Theory and Philosophy for Information Systems, edited by J. Mingers and L. Willcocks. West Sussex, England: John Wiley & Sons, Ltd.

Karagiannis, Konstantinos. 2003. Ten Steps to a Secure Wireless Network. PC Magazine, February 25, 64.

Kesan, Jay P., and Rajiv C. Shah. 2005. Shaping Code. Harvard Journal of Law & Technology 18 (2):319-399.

Kistner, Toni. 2004. Vendors Vie to Ease Home Net Complexity. Network World, Sept. 27.

Kling, Rob, and Suzanne Iacono. 1988. The Mobilization of Support for Computerization: The Role of Computerization Movements. Social Problems 35 (3):226-243.

Klischewski, Ralf. 2002. Reaching Out for Commitments: Systems Development as Networking. In Social Thinking: Software Practice, edited by Y. Dittrich, C. Floyd and R. Klischewski. Cambridge, MA: MIT Press.

Kolko, Beth E. 2000. Erasing @race: Going White in the (Inter)Face. In Race in Cyberspace, edited by B. E. Kolko, L. Nakamura and G. B. Rodman. New York: Routledge.

Lasky, Michael S., Dennis O'Reilly, Eric Dahl, and Kirk Steers. 2004. No-Hassle Wireless Networking Superguide. PC World, February, 138-140.

Latour, Bruno. 1987. Science in Action. Boston: Harvard University Press.

———. 1992. Where Are the Missing Masses? The Sociology of a Few Mundane Artifacts. In Shaping Technology/Building Society, edited by W. E. Bijker and J. Law. Cambridge: MIT Press.

———. 1999. Pandora's Hope. London: Harvard University Press.

Law, John. 1992. Notes on the Theory of the Actor-Network: Ordering, Strategy and Heterogeneity. Systems Practice 5:379-393.

Lessig, Lawrence. 1999. Code and Other Laws of Cyberspace. New York: Basic Books.

Lieberman, Joseph. 1996. Why Parents Hate TV. Policy Review 77:19-23.

Lievrouw, Leah A. 2002. Determination and Contingency in New Media Development: Diffusion of Innovations and Social Shaping of Technology Perspectives. In Handbook of New Media: Social Shaping and Consequences of ICTs, edited by L. A. Lievrouw and S. Livingstone. London: Sage.

Lievrouw, Leah A., and Pablo Boczkowski. 2006. Bridging Communication Studies and Science and Technology Studies: Scholarship on Media and Information Technologies. In The Handbook of Science and Technology Studies, edited by E. J. Hackett, O. Amsterdamska, M. Lynch and J. Wajcman. Cambridge, MA: MIT Press.

Linksys. 2005. Protecting Your Wireless Network 2005 [cited July 12 2005]. Available from http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Content_C1%26cid%3D1116519873380&pagename=Linksys%2FCommon%2FVisitorWrapper.

Mansell, Robin. 1993. The New Telecommunications: A Political Economy of Network Evolution. London: Sage.

Martin, David M., Richard M. Smith, Michael Brittain, Ivan Fetch, and Hailin Wu. 2001. The Privacy Practices of Web Browser Extensions. Communications of the ACM 44 (2):45-50.

McAdams, Richard H. 1997. The Origin, Development, and Regulation of Social Norms. Michigan Law Review 96:338-433.

McChesney, Robert W. 1993. Telecommunications, Mass Media, and Democracy. Oxford: Oxford University Press.

McLean, Chris, and John Hassard. 2004. Symmetrical Absence/Symmetrical Absurdity: Critical Notes on the Production of Actor-Network Accounts. Journal of Management Studies 41 (3):493-519.

McLuhan, Marshall. 1964. Understanding Media: The Extensions of Man. New York: McGraw-Hill Book Co.

Meyrowitz, Joshua. 1994. Medium Theory. In Communication Theory Today, edited by D. Crowley and D. Mitchell. Cambridge, MA: Polity Press.

Monteiro, Eric. 1998. Scaling Information Infrastructure: The Case of Next-Generation IP in the Internet. Information Society 14 (3):229-245.

———. 2000. Actor-Network Theory and Information Infrastructure. In From Control to Drift, edited by C. Ciborra. Oxford: Oxford University Press.

———. 2004. Actor Network Theory and Cultural Aspects of Interpretative Studies. In The Social Study of Information and Communication Technology, edited by C. Avgerou, C. Ciborra and F. Land. Oxford: Oxford University Press.

Monteiro, Eric, and Ole Hanseth. 1995. Social Shaping of Information Infrastructure: On Being Specific About the Technology. In Information Technology and Changes in Organizational Work, edited by W. Orlikowski, G. Walsham, M. R. Jones and J. I. DeGross: Chapman & Hall.

Murray, Andrew, and Colin Scott. 2002. Controlling the New Media: Hybrid Responses to New Forms of Power. Modern Law Review 65:491-516.

Nakamura, Lisa. 2000. Race In/For Cyberspace: Identity Tourism on the Internet. In The Cybercultures Reader, edited by D. Bell. New York: Routledge Press.

National Institute of Standards and Technology. 2002. Wireless Network Security. Gaithersburg, MD.

National Research Council. 2002. Cybersecurity: Today and Tomorrow. Washington, DC: National Academy Press.

North, Douglas C. 1990. Institutions, Institutional Change and Economic Performance. New York: Cambridge University Press.

Ohrtman, Frank D., and Konrad Roeder. 2003. Wi-Fi Handbook: Building 802.11b Wireless Networks. New York: McGraw-Hill Professional.

Orlikowski, Wanda J. 1992. The Duality of Technology: Rethinking the Concept of Technology in Organizations. Organizational Science 3 (3):398-427.

———. 2000. Using Technology and Constituting Structures: A Practice Lens for Studying Technology in Organizations. Organizational Science 11 (4):404-428.

Parsons, Patrick R. 1989. Defining Cable Television: Structuration and Public Policy. Journal of Communication 39 (2):10-26.

Pinch, Trevor J., and Wiebe E. Bijker. 1987. The Social Construction of Facts and Artifacts: Or How the Sociology of Science and the Sociology of Technology Might Benefit Each Other. In The Social Construction of Technological Systems, edited by W. E. Bijker, T. P. Hughes and T. J. Pinch. Cambridge, MA: MIT Press.

Poole, Marshall Scott, and Gerardine DeSanctis. 2004. Structuration Theory in Information Systems Research: Methods and Controversies. In The Handbook for Information Systems Research, edited by M. E. Whitman and A. B. Woszczynski. Hershey, PA: IDEA Group Publications.

Posner, Eric A. 1996. Law, Economics, and Inefficient Norms. University of Pennsylvania 144:1697-1745.

Posner, Richard A. 1973. Economic Analysis of Law. Boston: Little Brown.

Potter, Bruce, and Bob Fleck. 2003. 802.11 Security. Sebastopol, CA: O'Reilly & Associates.

Powell, Walter W., and Paul J. DiMaggio, eds. 1991. The New Institutionalism in Organizational Analysis. Chicago, IL: University of Chicago Press.

Rogers, Everett. 2003. Diffusion of Innovations. 5th ed. New York: Free Press.

Rose, Jeremy, Matthew Jones, and Duane Truex. 2005. Socio-Theoretic Accounts of IS: The Problem of Agency. Scandinavian Journal of Information Systems 17 (1):133-152.

Rotenberg, Marc. 2001. What Larry Doesn't Get: Fair Information Practices and the Architecture of Privacy. Stanford Technology Law Review 2001:1.

Samarajiva, Rohan, and Peter Shields. 1997. Telecommunication Networks as Social Scape: Implications for Research and Policy as an Exemplar. Media, Culture & Society 19 (4):535-555.

Savage, James G. 1989. The Politics of International Telecommunications Regulation. Boulder, CO: Westview Press, Inc.

Schiesel, Seth. 2005. Growth of Wireless Internet Opens New Path for Thieves. New York Times, A1.

Schmidt, Suzanne K., and Raymund Werle. 1998. Coordinating Technology: Studies in the International Standardization of Telecommunications. Cambridge, MA: MIT Press.

Schot, Johan, and Arie Rip. 1997. The Past and Future of Constructive Technology Assessment. Technological Forecasting and Social Change 54 (2-3):251-268.

Schwartz, Paul M. 2000. Beyond Lessig’s Code for Internet Privacy: Cyberspace Filters, Privacy-Control, and Fair Information Practices. Wisconsin Law Review 2000:743-788.

Shah, Rajiv C., and Jay P. Kesan. 2003. Manipulating the Governance Characteristics of Code. Info 5 (4):3-9.

———. 2005. Nurturing Software: How Societal Institutions Shape the Development of Software. Communications of the ACM 48 (9):80-85.

Shah, Rajiv C., and Christian Sandvig. 2005. Software Defaults as De Facto Regulation: The Case of Wireless Access Points. Paper read at Telecommunications Policy Research Conference, at Washington, DC.

Shapiro, Carl, and Hal R. Varian. 1999. Information Rules: A Strategic Guide to the Network Economy. Boston, MA: Harvard Business School Press.

Suchman, Lucy. 1987. Plans and Situated Actions: The Problem of Human-Machine Communication. New York: Cambridge University Press.

Tatnall, Arthur. 2003. Actor-Network Theory as a Socio-Technical Approach to Information Systems Research. In Socio-Technical and Human Cognition Elements of Information Systems, edited by S. Clarke, E. Coakes, M. G. Hunter and A. Wenn. Hershey, PA: Information Science Publishing.

U.S. General Accounting Office. 2005. Information Security: Federal Agencies Need to Improve Controls Over Wireless Security.

US-CERT. 2005. Cyber Security Tip ST05-003 -- Securing Wireless Networks 2005 [cited July 12 2005]. Available from http://www.us-cert.gov/cas/tips/ST05-003.html.

Verbeek, Peter-Paul. 2005. What Things Do. University Park, PA: Pennsylvania State University Press.

———. 2006. Materializing Morality. Science, Technology, & Human Values 31 (3):361-380.

Vidgen, R., and T. McMaster. 1995. Black Boxes, Non-Human Stakeholders and the Translation of IT Through Mediation. In Information Technology and Changes in Organizational Work, edited by W. Orlikowski, G. Walsham, M. R. Jones and J. I. DeGross: Chapman & Hall.

Wagner, Polk. 2005. On Software Regulation. California Law Review 78:457-519.

Walsham, Geoff. 1993. Interpreting Information Systems in Organizations. Chichester, UK: John Wiley & Sons.

Walsham, Geoff, and Sundeep Sahay. 1999. GIS for District-Level Administration in India: Problems and Opportunities. MIS Quarterly 23 (1):39-66.

Winner, Langdon. 1980. Do Artifacts have Politics? Daedalus 109 (1):121-136.

Woolgar, Steve. 1991. Configuring the User: The Case of Usability Trials. In Sociology of Monsters: Essays on Power, Technology, and Domination, edited by J. Law. London: Routledge.