Illinois Public Law and Legal Theory Research Papers Series Research Paper No.

07-12 November 6, 2007

Analyzing Information Technology & Societal Interactions: A Policy Focused Theoretical Framework

Rajiv C. Shah* Jay P. Kesan**

*Adjunct Assistant Professor Department of Communications, University of Illinois-Chicago **Professor and Director, Program in Intellectual Property and Technology Law Mildred Van Voorhis Jones Faculty Scholar University of Illinois College of Law

This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: 1028129

Abstract Information technologies affect a variety of fundamental societal concerns, such as privacy and free speech. Policymakers currently analyze each societal concern as sui generis, ignoring commonalities among IT issues. This paper develops a comprehensive descriptive framework to address a variety of IT policy problems. The Information Technology and Societal Interactions (ITSI) framework theorizes how information technology develops, evolves, and influences society. This framework ties together several existing theoretical concepts, while translating them into a practical framework that policymakers can apply to real problems. The framework is illustrated by analyzing wireless security issues. The article seeks to move beyond Lessig’s work by providing a clearer and more comprehensive view of how IT interacts with society. An urgent need has arisen for this type of theoretical framework. Unlike other fields, a compelling theoretical approach within IT law and policy does not exist. As a result, each policy issue is treated as unique and policymakers overlook commonalities. This occurs because the existing theoretical approaches, such as structuration and actor-network theory (ANT), fail to provide applicable models for addressing concrete problems. ITSI is inspired by structuration and ANT, but is tailored to the theoretical and practical needs for analyzing the interactions between IT and society. ITSI focuses on four main relationships within ITSI. These relations are: (1) how technology affects individuals, (2) how individuals reconfigure technology, (3) how developers shape technology, and (4) how society, in mass, can intervene and alter how technology operates. ITSI builds upon a large corpus of descriptive and normative scholarship by computer scientists, sociologists, communications scholars, and legal scholars. The contribution here does not define a new set of relationships between society and information technology, but explicates existing relationships and develops a descriptive framework that provides analytical insights. This article illustrates ITSI through an analysis of security issues involved in wireless technology. The analysis found that consumers are not provided with simple and effective security because of the increased reliance on user configuration. ITSI led to this finding; it would not have emerged using conventional policy analysis. ITSI also provides solutions to this problem. Instead of looking toward users to improve security, policymakers should look to manufacturers to develop APs that are “secure by design.” The analysis ends by pointing out a number of strategies to influence manufacturers to improve the design of wireless APs.

Analyzing Information Technology & Societal Interactions: A Policy Focused Theoretical Framework

Rajiv C. Shah & Jay P. Kesan


Author Contact Information: Rajiv C. Shah Adjunct Assistant Professor Department of Communications University of Illinois-Chicago Jay P. Kesan, Ph.D., J.D. Professor & Director, Program in Intellectual Property & Technology Law Mildred Van Voorhis Jones Faculty Scholar University of Illinois College of Law 134 Law Building, 504 Pennsylvania Avenue Champaign, IL 61820

Abstract Information technologies affect a variety of fundamental societal concerns, such as privacy and free speech. Policymakers currently analyze each societal concern as sui generis, ignoring commonalities among IT issues. This article develops a comprehensive descriptive framework to address a variety of IT policy problems. The Information Technology and Societal Interactions (ITSI) framework theorizes how information technology develops, evolves, and influences society. This framework ties together several existing theoretical concepts while translating them into a practical framework that policymakers can apply to real problems. The framework is illustrated by analyzing wireless security issues.


Analyzing Information Technology & Societal Interactions: A Policy Focused Theoretical Framework Legal scholars have recognized the design of information technologies as central to public policy debates. Most notably, Lawrence Lessig argues that fundamental societal concerns such as privacy, accessibility, freedom of speech, and intellectual property protection are intertwined with the hardware and software of information technologies (IT) (1999). These concerns are far from theoretical and reverberate in technologies such as computer operating systems, web browser cookies, printer cartridges, and even passports. Braman argues that communications law and policy need to address how these technologies affect social welfare (2003). This article addresses the increasingly influential intersection of IT and law by developing a theoretical framework for understanding IT’s impact on societal concerns. This article presents a theoretical model, IT & Societal Interactions (ITSI), which provides a framework for analyzing and addressing public policy issues concerning IT. The goal is to move beyond Lessig’s work by providing a clearer and more comprehensive view of how IT interacts with society. An urgent need has arisen for this type of theoretical framework. Unlike other fields, a compelling theoretical approach within IT law and policy does not exist. As a result, each policy issue is approached as sui generis. Thus, policymakers overlook commonalities among issues concerning IT, because the existing theoretical approaches, such as structuration and actor-network theory, fail to provide applicable models for addressing concrete problems. The framework presented here considers the reciprocity between IT and society in a policy context. It highlights critical actors and relationships that influence how society designs and uses IT. ITSI is an applied theoretical model that allows us to move from problem to


solution through clearly delineated steps that account for the multifarious forces and relations involved in IT’s development and use. The model is constructed to arrive at normative solutions to real-world problems. ITSI is not intended to replace existing scholarly theoretical approaches, such as structuration and actor-network theory, but, instead, complement them by translating their high level concepts for use in policy analysis. In doing so, our framework avoids reducing notions of causality, the process of technological development, and its social consequences to binaries (Lievrouw and Boczkowski 2006). Our goal is pragmatic and our approach follows Walsham’s suggestion on focusing on the interesting issues for why IT has developed in ways contrary to social concerns and how it can be remedied (1993). Ultimately, ITSI provides scholars and policymakers with analytical tools to understand better the relations between technology and society. ITSI is not a regulatory theory per se. We do not try to advocate a particular method of regulation or argue criteria for regulating technologies. Instead, our focus is to sharpen the use of regulatory strategies around technology. We believe policymakers can make better decisions if they understand how technology is developed, used, and shaped. We should acknowledge that at many junctures, both an ITSI and conventional policy analysis might suggest the same policy goals. This does not diminish the value of ITSI. An ITSI analysis still provides more useful insights into how IT operates as well as a broader perspective on how IT develops and responds to society. The first section of the article reviews several theoretical approaches for studying the role of IT: Lessig’s model of IT and society, Gidden’s theory of structuration, and technologies studies’ Actor-Network Theory (ANT). It highlights the strengths and limitations of these approaches and their inability to provide more than a partial picture of the relationship between


IT and society. The next section provides background on ITSI, and then focuses on the four main relationships within ITSI. These relations are (1) how technology affects individuals, (2) how individuals reconfigure technology, (3) how developers shape technology, and (4) how society, in mass, can intervene and alter how technology operates. We rely on the term “technology” to refer to IT. In the third section, we use ITSI to analyze wireless security issues. This application illustrates how ITSI can address a policy issue that conventional approaches have overlooked. This section ends with a brief discussion of how ITSI can provide insights into other technology and policy issues as well. The final section discusses the implications of ITSI for communications law and policy.

Theoretical Approaches for Studying the Role of Information Technology Scholars and policymakers have recently recognized how technology influences, perhaps adversely, social concerns, such as security, privacy, and free speech. While much has been written on the impact of technology, little has been written on how policymakers can harness technology to positively influence social welfare. As a starting point, we map how that influence is understood by reviewing three influential approaches for analyzing technology. The first approach arose within legal studies and focuses on how technology affects society. It is Lessig’s model of “what things regulate.” The other two approaches, information systems research use of “structuration” and “Actor-Network Theory” (ANT) from science and technology studies, share a common understanding about how people act and interact. They offer important insights into understanding how IT affects society. These approaches arose out of the social construction theory of technology, which argues that human action shapes technology (Pinch and Bijker 1987).


Other useful paradigms for examining technological developments or the influence of technology on society have appeared, including “diffusion of innovation,” a theory about how new breakthroughs disseminate through society (Rogers 2003). However, we choose to focus on three most influential theoretical approaches from a policy perspective. After evaluating each approach individually, the final section discusses their limitations for policymakers.

Lessig’s What Things Regulate First, Lessig’s model of “what things regulate” (1999) offers a descriptive model of how software and hardware, collectively termed code, act as a regulatory mechanism on human behavior. Many scholars have looked to this model not only as a tool for understanding code, but also as a way to address issues surrounding it. Lessig constructs his model by considering an individual and the various influences on his or her choices and behavior. This individual may be regulated by the dot in Figure 1. By “regulate” Lessig refers, not to a legal definition, but to the ways technology influences individuals. This is also how we use the term throughout this article. Using a simple example of smoking, he asks what factors affect the decision to smoke. He considers the impact of legislation surrounding where people can smoke, the costs of cigarettes, the technology of unfiltered cigarettes, and how the habits of other people affect an individual’s decision to smoke. This leads him to argue that there are four regulators or constraints on behavior—the law, social norms, the market, and architecture.


Figure 1. Lessig's Model of "What Things Regulate" The model’s strength is its simplicity. Three of the regulators Lessig chose—law, social norms, and the market—are well recognized in the legal academy. Law is considered the method of formal governance. Social norms, on the other hand, are typically defined as informal methods of regulation. This area has received increased attention within the legal academy as scholars recognize that people do things for reasons beyond its legality or illegality (McAdams 1997; Posner 1996). The law and economics movement within the legal academy has highlighted the role of the market, economics, and pricing structures on regulating behavior (Posner 1973). Although Lessig’s model clearly grows out of key areas within legal studies, several problems emerge in his model if we consider how code affects public policy issues. Murray and Scott (2002) argue that Lessig’s model requires additional regulators (2002). However, that is inconsequent, because a problem arises within the model itself: it oversimplifies how people are regulated. The regulatory forces that Lessig chooses are not monolithic. Many times conflicting laws, social norms, and market forces influence a decision. Consider the issue of file sharing. 7

The legality of this practice depends on who you are, what the file contains, and where you are located. This means that the law is both pushing and pulling in Lessig’s model. Hosein, Tsiavos, and Whitley echo this criticism of Lessig’s model; they argue that architecture “cannot really be separated from the other modalities neither does it make any sense without them” (2003). Wagner maintains that code is often a complement to law instead of a direct substitute (2005). In addition, most critics point out that what is missing in Lessig’s model is the near impossibility of distinguishing each force. We also notice that Lessig’s model fails to answer process-oriented questions. Where does technology or architecture come from? Why does it favor particular values? Why is technology sometimes malleable and sometimes durable? Despite these drawbacks, the model’s simplicity foregrounds the role of IT in communications policy.

Structuration Scholars in information systems are applying Giddens’s structuration theory to IT. Giddens’s work attempts to overcome the traditional dichotomy in sociology between structure and agency. Traditionally, sociologists have argued that individuals are either determined by social structures, e.g., race, class, or gender, or that these social structures only exist in the minds of people, thus granting people immense agency. Giddens tried to overcome these two opposing schools in his structuration theory by allowing for reciprocity between structure and agency. Giddens argues that structure consists of the rules and resources that individuals create through practices and routines (1984). According to his model, a duality emerges as structure constrains action, but simultaneously, action serves to maintain and modify structure.


Structuration has become one of the most influential theoretical paradigms in information systems research (Poole and DeSanctis 2004; Jones, Orlikosiki, and Munir 2004; Jones 1997). Several notable approaches for applying structuration to IT have appeared. Orlikowski developed a structuration model of technology to investigate the relationship between humans shaping technology and technology shaping human action in an organizational context (1992; 2000). DeSanctis and Poole (1994) argue for an “adaptive structuration theory,” which focuses on how structural features in IT influence the organization of society and, likewise, how society influences the organization of IT (DeSanctis and Poole 1994). Finally, Samarajiva and Shields use concepts from structuration to develop a normative concept of space for IT (1997). Structuration offers several useful insights for studying the complicated interaction between technology and society. It recognizes the role of users, context, and technology, while considering institutional factors. It acknowledges that technology both enables and constrains users. These insights move considerably beyond existing theoretical accounts that are either technologically or socially deterministic. Nonetheless, several drawbacks emerge when using structuration to examine policy issues with IT (Rose, Jones, and Truex 2005). The first is whether structuration can adequately theorize technology. Orlikowski argues in her structurational theory of technology that social rules can be embedded in IT during its design (1992). However, the idea that structures can be embodied in artifacts is problematic. According to Giddens, structures cannot be embodied in artifacts, since they only have a virtual reality and are “traces in the mind” that are substantiated through actions and practices. Orlikowski’s later work recognizes this problem and uses a “practice lens” perspective, where technology structures are seen as “virtual, emerging from people’s repeated and situated interaction with particular technologies” (2000, p. 407). All the


same, critics argue that structuration should focus on human action and not technology (Jones 1997). Furthermore, structuration offers a limited understanding of the relationship between society and technology. It does not allow us to examine the relationship between people and technology beyond the recognition that technology both enables and constrains us. Parsons acknowledges these limitations in his case study on cable television (1989). While structuration provided a better understanding of the dynamics of using cable television, it was incapable of addressing how power and values are embedded or found in the use of technology. This problem leads Monteiro and Hanseth to argue that structuration simply does not provide a nuanced analysis of the interaction between individuals and technology that would inform the design of IT (1995).

Actor-Network Theory A third theoretical direction for understanding IT comes from the larger discipline of technology studies (Lievrouw 2002; Howcroft, Mitev, and Wilson 2004). Actor-Network Theory (ANT) examines the interactions between technology and individuals (Law 1992). It begins with the observation that the material world is a significant part of our lives and less distinguishable than it may appear. In fact, ANT places the material and the social on equal footing to explain the role of technology (Callon 1986; Latour 1987, 1999). This approach has found traction for understanding how IT affects society (Tatnall 2003; Monteiro 2000; Walsham and Sahay 1999; Monteiro 1998; Klischewski 2002; Vidgen and McMaster 1995). ANT begins by using the term “actor” to refer to both humans and artifacts. ANT considers both the human and the technical as capable of acting and being acted upon. It urges us to treat these symmetrically and to consider seriously artifacts as actors. In short, actor-


networks are a set of interactions between humans and artifacts. ANT views these relationships as dynamic and constantly changing. Or as Law puts it, “social structure is not a noun but a verb” (1992). ANT analyzes these networks and describes how they operate. ANT’s contribution is that it examines technologies by looking at the micro to explain the macro. In doing so, it has developed richly nuanced concepts for studying technologies, such as blackbox, artifacts, networks, reconfiguration, enrollment, and translation. This emphasis on materiality creates a contrast between ANT and other theories that typically focus on the role of humans. As a result, it is one of leading methodological approaches for examining technology. ANT has its critics (Monteiro 2004; McLean and Hassard 2004; Collins and Yearley 1992; Howcroft, Mitev, and Wilson 2004). The criticisms include treating humans and artifacts as symmetrical, its value-neutral stance, and goal directness. Two significant issues emerge when using ANT to examine public policy issues with IT. First, ANT has a tendency to neglect macro-social structures, such as institutions. This is not accidental; ANT’s analytical approach is to dissect rather than explain through macro-scale structures. It prefers to focus on micro processes over large-scale macro processes. Second, ANT is a descriptive theory and provides little analytical and normative guidance (Collins and Yearley 1992). Specifically, it does not provide a general framework for studying how technology operates. Every technology, therefore, must be studied anew. This provides policymakers with little guidance for how technology should be shaped to foster social goals. Nevertheless, several concepts from ANT are useful and emerge in the ITSI framework. Limitations of Existing Approaches All three of these approaches provide an entry point for considering the relationship between IT and policy. However, they all suffer serious limitations in trying to explain the


interactions between IT and society. Moreover, a significant limitation for both structuration and ANT arise, because the high level concepts found in these theories do not allow simple translation for the nuts and bolts problems faced by policymakers. In other words, these existing theoretical approaches do not address problems related to IT. As an example, consider legal scholars’ approach for addressing online privacy (Rotenberg 2001) or the approach of computer scientists (Clarke 1999). They do not rely on ANT or structuration, but instead employ principles of fair information practices. Moreover, this also holds true for new technologies that implicate privacy, such as RFID (Floerkemeier, Schneider, and Langheinrich 2005), Web browsers (Martin et al. 2001), and online personal data (Schwartz 2000). Policymakers do not rely on Lessig’s theory or structuration or ANT. Online privacy offers a clear and compelling example of how sophisticated theoretical approaches fail to provide policymakers with applicable frameworks for addressing social concerns. Policymakers need a systematic way for thinking through online policy issues. While extending existing approaches is understandable, it is also necessary to recognize that information technology has unique attributes. As an example, many scholars have shown that technology is not neutral, but is political and malleable (Friedman 1997; Winner 1980). It was precisely these biases that Lessig highlights with the title of his book, Code and the Other Laws of Cyberspace (1999). These factors lead us to develop a more complete descriptive framework that will enable policymakers to make decisions about IT that will promote social welfare.

Framework for Analyzing IT & Society Interactions Our goal is to describe how IT affects society from a public policy perspective. The framework for analyzing IT and Society Interactions is termed ITSI throughout this article. ITSI


is not a replacement for high-level theories such as structuration or ANT. Instead, our goal is more akin to operationalizing these theories for policymakers. ITSI also lends itself to a more general analysis of IT policy problems. Our approach also differs from most policy literature, which analyzes a specific policy proposal, such as privacy or intellectual property rights. Instead, our framework focuses on the role of IT in general in order to understand various IT concerns from privacy to intellectual property rights. ITSI involves a multi-step analysis that accounts for the various motives, choices, and even accidents implicated in technology operations. It entails thinking through and evaluating policy decisions to solve social welfare issues. ITSI first identifies a series of relationships that influence IT use. By focusing on influential relationships, we can better evaluate where to establish change. Each relation presents questions that lead us to analytical and normative insights. In this section, we explain the framework piece by piece. This approach provides a better sense of our reliance on existing scholarship, as we develop a more comprehensive analysis of the relation between IT and society. We begin by identifying four actors: technology, users, developers, and society. We then analyze the four significant relationships they constitute as they regulate, reconfigure, shape, and develop IT. This is not an exhaustive list, nor do we imply that other actors or relationships are not relevant or important. Instead, we are trying to assist and guide public policy with a framework that is by necessity reductive.

Technology Regulating Users Technology acts as a mediator to constrain or facilitate certain types of actions. In short, technology regulates. This statement, while deterministic, is often how people view technology.


For example, the technology of a pencil, fountain pen, and word processor simultaneously facilitates and constrains certain actions when it comes to composing, editing, and saving our writings. As a result, technology can affect our cognition, culture, socio-structure, and laws. An exemplar of this view can be found Eisenstein’s argument that the printing press led to the emergence of a “print culture” that transformed not merely how people communicate but the underlying structure of consciousness, social interaction, and power (Eisenstein 1997). Figure 2 shows schematically how IT affects or regulates users. Scholars within media ecology (Innis 1951; McLuhan 1964; Meyrowitz 1994), computer-mediated communication (Haythornthwaite, Wellman, and Garton 1998; Daft and Lengel 1984), and cultural studies (Nakamura 2000; Kolko 2000) have all recognized the ability of IT to affect individuals and society even as individuals seemingly develop and manipulate IT.

Figure 2. Technology Regulating

Complications arise because the interactions between technology and society are not neutral but biased and political. This idea is long standing in technology studies and the philosophy of technology (Winner 1980; Feenberg 1991). A classic exposition is Winner’s analysis of the bridges over the parkways of Long Island (1980). These bridges appear to have a strictly utilitarian purpose. However, the height of these bridges is quite low, as short as nine feet. Winner argues that these bridges were designed to prevent buses from passing underneath them. This serves to exclude poor people, who rely on public transportation to access Long


Island. Thus, the seemingly neutral bridge design is in reality a method of social engineering to achieve class or racial exclusion. While the historical accuracy of this account has been challenged (Joerges 1999), it still stands as a powerful, illustrative example. Other empirical studies have illustrated biases in IT, such as the internet and search engines (Friedman 1997; Introna and Nissenbaum 2000; Flanagan, Farinola, and Metzger 2000). It is not enough to declare technology political. To understand how the design of IT affects users, it is necessary to have a technical understanding of its workings. Here we follow ANT’s methodology, which urges scholars to consider technology as an actor and how it “configures the user” (Woolgar 1991). This means examining the biases inscribed in the design of technology (Akrich 1992). Monteiro and Hanseth suggest analyzing “which anticipations of use are envisioned,” “how are they inscribed,” and “how powerful are the inscriptions, that is, how much effort does it take to oppose an inscription” (1995). A study on electronic traffic data shows the value of this approach. Escudero-Pascual and Hosein argue that traffic data from the Internet means something very different than traffic data from the telephone system (2004). After all, information on Web sites and terms entered into search engines can be much more revealing than the phone numbers we call. The authors arrived at this conclusion, because they fully appreciated the technical differences between the Internet and the telephone. The ability of IT to shape user behavior has led policymakers to ask whether they ought to use technological means as an alternative to regulation or to supplement it. The issue is complicated and underdeveloped from a scholarly perspective. Nevertheless, developers often use technology to meet their needs. For example, to improve security, Microsoft switched the default settings to turn on its firewall when it updated Windows XP. This example shows how IT could be used proactively to ensure social welfare.


Users Reconfiguring Technology While the emphasis on using technology to regulate can be seen as deterministic, reconfiguration seeks to balance this paradigm by recognizing users’ agency in addressing social concerns. The notion of agency is a core concept in sociology and is present in leading theories of IT (Rose, Jones, and Truex 2005). Individuals play a crucial role in how technology regulates. Any analysis needs to consider a situated analysis of IT (Suchman 1987), which emphasizes how users interact and reconfigure technology. After all, it is well recognized nowadays that the design and use of technologies often shape each other in a recursive process. This relationship is illustrated in Figure 3.

Figure 3. Reconfiguring Technology

To analyze how users interact with IT, we ask two basic questions: How do users act and how do they respond? For analytical discussion purposes, we discuss each separately. First, it is important to analyze how people use technology. Scholars have shown how local meanings, organizational constraints, and institutional forces can be as meaningful as the rules embedded in IT (Suchman 1987; Kling and Iacono 1988). As a result, sometimes individuals do not always use the technology as intended by developers. The history of IT is full of examples of unanticipated uses, such as the personal use of the telephone by women (Fischer 1992). Even


though developers have inscribed the technology, it does not mean the technology will be used in that manner. Orikowski synthesizes past research on this topic by recognizing that “through error (misperception, lack of understanding, slippage) or intent (sabotage, inertia, innovation), users often ignore, alter, or work around the inscribed technological properties” (Orlikowski 2000, 409). This perspective allows us to treat technology as less monolithic. Individuals also alter technology in multifarious ways. Individuals may respond by reconfiguring the material properties of the technology. This process involves individuals adding or modifying a technology and, therefore, shaping it to fit their needs and interests. This can be as simple as turning on the v-chip feature or the closed captioning feature on televisions. The ability of an individual to reconfigure a technology partly depends upon the technology’s durability. There are two ways technologies can be made more durable and hence more resistant to reconfiguration. First, technologies become more durable when switching or changing technologies requires a considerable investment in hardware and software otherwise known in economics as “switching costs,” where the cost of switching to a new technology outweighs the cost of keeping the current one (Shapiro and Varian 1999). The second means of maintaining durability, “path dependence,” refers to how technologies become durable from a lock-in effect that arises from “random” historical events (Arthur 1989; David 1985). In this way a technology, such as the QWERTY keyboard layout, becomes durable and irreversible because of events during its development. The ability of users to reconfigure technologies has widespread normative implications beyond inefficiencies that may result from switching costs or path dependence. Shah and Kesan argue that certain governance characteristics of IT that can be manipulated either by users or developers influence individuals (2003). Some of the characteristics include default settings,


transparency in user interfaces and code, and the use of standards. Policymakers can modify “governance characteristics” or ensure that individuals are able to modify technology to enhance social welfare. For example, software privacy controls may be difficult to configure. To promote privacy, developers could be required to have privacy controls enabled as a default setting. This would protect a user’s privacy, while also allowing individuals the freedom to optout by reconfiguring the default setting. The manipulation of these governance characteristics could also be used in conjunction with traditional regulatory methods such as law.

Developers Influence on IT By starting with IT and user’s impact on one another, we assume IT design as set. Yet the development stage has obvious and immediate impacts upon IT. Scholars have long studied how technologies are developed to understand why they operate in a particular fashion. While the relationship among developers, users, and IT shown in Figure 4 is quite obvious, it highlights several fundamental points. Developers consist of numerous social actors that play a crucial part in guiding and shaping IT; they are also responsible for biases inscribed in technology. Nonetheless, developers do not exist in a vacuum. The figure also illustrates how developers are embedded and influenced by a web of forces, such as social, economic, political, institutional, and regulatory.


Figure 4. Developing IT The development process shapes the non-neutrality of technology, although not always purposively. Both structuration and ANT consider this process. From the structuration perspective, developers build certain “interpretive schemes (rules reflecting knowledge of the work being automated), certain facilities (resources to accomplish that work), and certain norms (rules that define the execution of the work)” into technology (Orlikowski 1992, 410). ANT scholars hold that the inscription process, which is simultaneous with the development process, is how beliefs, tastes, competences, motives, aspirations, values, biases, and political prejudices are embodied by the artifact (Akrich 1992). The inscription process gives technologies a “script” that prescribes user actions (Latour 1992). For example, a speed bump’s script encourages drivers to slow down. Developers may use scripts as a means to influence user behavior. This strategy does not always result in desired outcomes. Verbeek points out that even though developers set scripts, it is the users that decide how to interpret and appropriate them (2006). As we acknowledge, users can respond and reconfigure technologies. Nevertheless, Verbeek argues that designers have a normative responsibility to make sure artifacts act in a prescribed manner (2005). Another normative approach, Value Sensitive Design, focuses on accounting for values, particularly those 19

with a moral import, during the development process (Friedman, Kahn, and Borning 2006), such as privacy (Camp, Shankar, and Connelly Forthcoming). Institutional forces also lead to systematic regularities in technology’s biases. “Institutions” is a way of referring to groups of organized social actors with common social rules and continued interactions with society (Avgerou 2002). This definition is compatible with work in sociology on new institutionalism theory (Powell and DiMaggio 1991) and work in economics on the role of institutions (North 1990). The idea here is that within a certain institution, there are a set of values, norms, procedures, laws, beliefs, and taken-for-granted assumptions that are related to their raison d’étre. These shared rules and interactions may lead to certain tendencies in the development of IT. The institutional approach has a long history of explaining how firms and government influenced the development of technology (Savage 1989; Mansell 1993; Edwards 1996; Samarajiva and Shields 1997). More recent scholarship on IT considers other influential institutions, such as universities, standards organizations, consortia, and the amateur-led open source movement (Shah and Kesan 2005; Cargill 1989; Schmidt and Werle 1998). This work shows how institutional norms and processes can influence the final attributes of the technology it produces. For example, institutional tendencies may favor certain technical values, such as open standards or low defect code, or more socially-oriented values, such as the appropriate level of intellectual property protection or privacy protection for technology. Consequently, the same technology may have developed differently within different institutions. Policymakers can use these institutional tendencies to assess technologies as well as a way to shape technology to favoring or promoting developing in specific institutions.


While our discussion has focused on institutional forces, this does not mean other forces are irrelevant. We focused on institutional factors, because policymakers continue to undervalue them. Additionally, other institutional factors, like politics or economics, can also serve as a normative tool for developing IT. For example, policymakers could steer development toward an institution that favors particular social or technical attributes. We discuss this issue later in the following section, but it derives from our recognition of institutional tendencies and the assumption that institutional norms and processes are stable.

Society Shaping Technology Along with regulating, reconfiguring, and developing, we also focus on how individuals collectively react and influence the development of technology. The ability of society to influence the development process is widely recognized by a number of disciplines, including communications, social movements, and regulation. Examples of these influences within communications include movements led by citizens concerning radio broadcasting policy (McChesney 1993), the public support for the v-chip legislation (Lieberman 1996), and public calls for regulating telemarketing or spam. This relationship goes beyond individual users to a collective approach to IT. “Society” therefore appears in Figure 5 as an off-shoot of users to complete ITSI framework.


Figure 5. Shaping IT

There are many points through which society can pressure developers to change technology. They include harnessing various forces, such as social, economic, political, institutional, and regulatory. Many of these methods can be employed without government intervention, such as the use of market forces, self-regulation, public pressure, and the work of public interest groups. These methods have a long history of influencing the development of IT. Sometimes, though, government intervention is required. After all government has and will continue to play a role in shaping the development of technology, most notably in the research and development of computer networks such as the Internet. Government has a wide variety of regulatory methods, such as command and control, incentives, and market-harnessing controls (Breyer 1982; Baldwin and Cave 1999; Kesan and Shah 2005). For instance, television manufacturers have responded to consumer desires for larger televisions by producing larger televisions. Their decision reflects market forces. In contrast, the government had to force


television manufacturers to incorporate digital television tuners with a regulation (Balanced Budget Act 1997). Society can also use institutional norms and processes to shape the development process. While institutional norms and processes are generally stable, they do change over time. Consequently, these shifts make it possible to influence the process. The movement over the last thirty years from an emphasis on standard developing organizations to consortia (a legally constructed institution) serves as an example of the shifts within the institutional settings of the IT industry (Cargill 2001). A normative approach to shaping technology can be found under the rubric of constructive technology assessment or normative engineering (Schot and Rip 1997). This literature attempts to understand how technology is shaped from a normative aspect. While we believe that in some circumstances society ought to act to shape technology, it is also necessary to recognize the unpredictability of technological development. This led us to Berg’s cautionary point to expect continual shifts and small movements when influencing technology positively (1998). While the relation between society and IT adds a new dimension to our framework, it is just one branch of a complicated structure. We now turn to an overview of the model.

Summary The ITSI framework defines technology as material artifacts, such as the hardware and software of IT. This narrow definition is useful, because it allows us to frame the use of technology as an interaction between individuals and technology, while also considering how IT can be socially constructed. The narrow definition grants ITSI a wider applicability to examine


how IT affects a variety of societal concerns, such as privacy, freedom of speech, accessibility, or intellectual property protection. The directionality of the arrows in ITSI (Figure 5) emphasizes key relationships between society and IT from a policy perspective. The framework is tightly tailored to address policy concerns, and does not address all the possible relationships among developers, individuals, and technology. For example, an arrow could have been drawn from technology to developers. After all, new information technologies have significant implications on developers, such as government (Fountain 2001) and firms (Shapiro and Varian 1999). However, ITSI concerns how IT affects our experiences and choices in a public policy context, not the evolution of IT. As a result, these other relationships are omitted to keep ITSI as simple as possible. Similarly, we could have included a bubble around users, as we did for developers, to indicate various forces that affect them, such as institutional, social, regulatory, economic, and so on, but instead we emphasize only the critical relationships for understanding the interactions between society and IT from a policy perspective. In contrast, we emphasize the situatedness of developers, because it allows us to understand how technologies are biased and how society can shape IT through developers. To delineate the contribution of ITSI, Tables 1 through 3 provide a summary of various aspects of ITSI. We consider three chronological stages starting with developing, moving to regulating and reconfiguring (which we collapse into one stage), and ending with shaping. Table 1 provides the key questions ITSI poses within each of the three stages. These questions are asked when using ITSI to analyze an issue. Each relationship elicits a set of questions that aid us in identifying where problems emerge and their impact on users. Starting with developers, we ask about the factors and institutional norms that influence the design of technology. We then


ask how IT affects users and identify user responses to it. In terms of shaping, we consider how to enact possible solutions.

Developing IT

IT Regulating / Reconfiguring IT 1. What crucial factors 1. How does the influenced this particular design of IT affect version of IT? users? 2. How have various 2. How do users act / organizations/institutions respond? influenced the technology? Table 1. Significant questions ITSI asks

Shaping IT 1. Can we encourage developers to fix the problem themselves? 2. How best can government (or other organizations) intervene?

Table 2 contains a summary of the main analytical points that arise from ITSI. Each of the relationships involves a set of presuppositions. Our framework maintains that during development, biases are inscribed in the design of the technology. Moreover, institutional norms and processes foster what biases are inscribed. Yet one must have a broad perspective on the development process to identify what biases emerge, because many organizations have a stake in the design. As for users, the framework operates from the point of view that IT influences human actions. At the same time, individuals have agency; they can modify, reconfigure, and misuse technology. Furthermore, one must understand how IT operates at the technical level to identify these processes. ITSI considers society as capable of implementing solutions, because individuals, in mass, can influence developers through the market, direct appeals, or even by advocating government regulations. What is more, society can influence IT through institutional norms and processes, as identified in the development stage.


Developing IT

1. Biases can be inscribed during the development process 2. Institutional norms and processes can result in systematic regularities in biases 3. Consider a wide scope of organizations and institutions that influence development Table 2. Analytical insights from ITSI

IT Regulating/ Reconfiguring IT 1. IT influences human action 2. To understand inscriptions, we need to understand the IT at a technical level 3. Individuals have agency a. Consider how they use or misuse IT b. They can modify or reconfigure IT depending upon its durability

Shaping IT 1. Individuals and society can react and influence developers 2. Many tools available from the market to government regulation 3. Shape IT by modifying institutional norms and processes

ITSI does not merely identify influence biases inscribed in IT, but offers a means of arriving at normative insights into the design of IT. Examples of normative proposals are highlighted in Table 3 and discussed in the relevant part of the framework. Each of the relationships offers an entry point to modify IT and its uses. In the development stage, developers could alter the design of IT or one could rely on institutional norms and processes. Once users and technology interact, policymakers need to understand the IT involved at a technical level. Then they can establish certain governance characteristics or force developers to make the technology easier to reconfigure, thereby reducing its durability and lock-in effect. Lastly, policymakers could shape IT to promote social welfare. The next section applies all of the information provided in three tables to a case study.


Developing IT 1. Design IT differently, e.g., value sensitive design 2. Utilize institutional norms and how processes influence IT

IT Regulating / Reconfiguring IT 1. Policy scholars need to seriously consider / understand the IT 2. Manipulate governance characteristics 3. Make technologies easier to reconfigure by reducing their durability

Shaping IT 1. Policymakers ought to shape IT to societal ends

Table 3. Normative Insights That Flow From ITSI

Applying ITSI to Wireless Technology This section illustrates ITSI as a workable approach for policy issues. We use ITSI to analyze security issues that arise with the use of wireless technologies. We chose wireless security because it has been largely ignored in policy debates. Although people concede that wireless security is important, no policy changes have been suggested. In contrast, an ITSI analysis highlights several critical security issues involved with wireless technology and offers suggestions for improving wireless security. The analysis in this section is based on the four distinct relationships identified by ITSI: IT regulating users, users reconfiguring IT, society shaping IT, and developers influence on IT use. Additionally, we consider normative proposals for improving wireless security based on extant scholarship. The data is derived from our own research, existing scholarly research, and secondary sources.

Background on Wireless Security This case study examines wireless security commonly known as 802.11b or Wi-Fi. This technology emerged in the late 1990s and is now widely used by consumers for wireless networking (Bar and Galperin 2004; Ohrtman and Roeder 2003). The IEEE (Institute of


Electrical and Electronics Engineers) developed the 802.11b standard and a nonprofit trade organization, the Wi-Fi Alliance, certifies products to ensure interoperability on various computers and networks. Interoperability lowers the entry barrier for new manufacturers of WiFi technologies and ensures consumers are not locked into devices from one manufacturer. Currently, the Wi-Fi Alliance includes over 200 member companies and has certified over 2,000 products. Security was a concern during the development of the 802.11b standard. It was understood that an unsecured wireless connection could allow unauthorized parties to eavesdrop on communication, masquerade as an unauthorized user, modify network traffic, and even consume network bandwidth (U.S. General Accounting Office 2005). To prevent such unauthorized use, the 802.11b standard includes a protocol known as Wired Equivalent Privacy (WEP). The purpose of WEP is to encrypt wireless communication, thus preventing unauthorized users from eavesdropping or using a network. In 2001, a group of researchers from the University of California at Berkeley presented a paper on WEP’s flaws (Borisov, Goldberg, and Wagner 2001). In response, the Wi-Fi Alliance created an interim specification, Wi-Fi Protected Access (WPA), to address these security problems (Ohrtman and Roeder 2003). The IEEE eventually developed a revised standard, which is known as WPA2 in 2005. Since 2006, all devices seeking Wi-Fi certification must comply with WPA2. Despite the widespread use of wireless and the sensitivity of the data accessed through it, wireless security has not become a significant public policy issue. Leading public interest groups involved in IT issues, such as the Electronic Frontier Foundation, Center for Democracy and Technology, and the Electronic Privacy Information Center, have not pushed for any policy initiatives for wireless security. The attitude prevails that this is an end user’s responsibility.


This perspective holds end users responsible for securing their wireless access points (AP), whether the user is the government, a firm, or an individual. Despite this consensus that the user should establish his or her wireless security, our use of ITSI finds that policy intervention can better serve societal welfare.

ITSI Analysis of Wireless Technology Regulating Technology / Reconfiguring Technology We have already established the reciprocal influence between individuals and technology. Using ITSI, we now apply this knowledge to understand how individuals have been affected by wireless security and the steps they have (not) taken to protect themselves. The first step is to consider how the design of IT affects users. In this case, we have research that shows how default settings in Wi-Fi access points (APs) affect its use and misuse. APs are a common consumer technology for creating wireless networks inside homes and businesses. APs create a wireless network and are typically connected to other wireless clients (e.g., a laptop) and a router (which is sometimes built in) for Internet connectivity. A wireless network creates security risks, because the AP broadcasts to everyone within its range. Shah and Sandvig analyzed the data from hundreds of thousands of APs to understand how people configure their APs (2005). They found defaults programmed into APs to be extremely influential. Half of the users never changed any of the three default settings that influence security. One particular default setting was the use of WEP security technology. WEP encrypts communication and prevents casual snooping. WEP encryption is widely recommended as a necessary step for properly configuring an AP. The majority of manufacturers turn off WEP by default, resulting in only about 28% using encryption. In


contrast, 2Wire, a broadband service provider, turns on WEP by default leading to 96% usage for encryption. This contrast between 28% and 96% illustrates the power of default settings for establishing user settings. To better understand wireless security, we examined the setup procedures for several popular APs. Our analyses included access points from Linksys, Netgear, Belkin, D-Link, and Microsoft. We found differences among the defaults for encryption, the ease of setup, and requirements for changing passwords and network information. These differences at the technical level can influence how people configure their AP and, consequently, their level of wireless security. As we later argue, this research led us to believe that wireless manufacturers could easily change several settings that would greatly improve wireless security. Default settings establish most users’ configurations. Manufacturers, therefore, should base defaults on such knowledge. ITSI also focuses on the role of users and their use of technology. The predominate view is that correct configuration is the responsibility of end users; this view is supported by a variety of groups including the government (National Institute of Standards and Technology 2002; USCERT 2005), manufacturers (Intel 2005; Linksys 2005), and the media (Karagiannis 2003) (Lasky et al. 2004). They urge users to configure their wireless APs “properly” without asking why it is necessary for users to reconfigure their wireless APs. In fact, all advice for setting up a wireless AP recommends that users configure WEP encryption. Despite the fact that manufacturers set many defaults in anticipation of user preferences, they neglect to choose encryption. While the burden has been placed on users to reconfigure their APs, research on wireless use clearly shows that users are deferring to defaults. This behavior suggests a number of


possible normative solutions. The first is to regulate manufacturers by demanding that they set the default to protect users. APs should be designed as “secure by default.” The second is to encourage reconfigurability by lowering the APs’ durability. This essentially focuses on making it easier for the user to change the APs settings. Educating users and improving user interfaces can help achieve this goal. However, lowering durability follows the broken approach of relying on users to reconfigure their APs. Because defaults carry such significant power, policymakers should ensure these defaults are set to foster security.

Developing Wireless Technology The ITSI analysis examines the development process with an emphasis on how various IT characteristics were shaped as well as the influence of institutions. In the case of wireless technology, ITSI asks why manufacturers neglect to ensure user security in the first place. In the previous section, we noted that defaults play a crucial role in determining levels of wireless security. The analysis should then consider how these defaults were inscribed into AP and the factors influencing this process. This history of wireless security has shown that manufacturers have not emphasized security. For example, manufacturers were slow to incorporate WEP into their products (Gast 2002). Instead, they relied on MAC address filtering, which is useful for preventing unauthorized access, but does not prevent eavesdropping. Moreover, manufacturers have viewed security as an option for consumers and not something that is mandatory or even suggested. After all, almost all manufacturers design their products to turn off WEP by default (Schiesel 2005). This default setting suggests to users that WEP is not necessary or important.


Manufacturers explain that they do not set the default for encryption, because of the high costs associated with technical support. Configuring wireless devices for WEP usage is not easy and, if done improperly, can result in no wireless connectivity. According to Linksys, 70% of its support calls are related to “initial installation and configuration” (Kistner 2004). Moreover, customer satisfaction falls when a user needs to make two or more service calls. Currently, to avoid configuration confusion and customer dissatisfaction, Linksys turns off WEP by default. If Linksys turned on WEP by default, they would expect even more support calls from customers. This explains why virtually all manufacturers turn off WEP and leave customers with poor security. Besides manufacturers, another important developmental force for securing users’ information is the IEEE and Wi-Fi Alliance. Both organizations have worked toward improving the security of wireless technologies through the development of WEP, WPA, and WPA2. Therefore, security is in their members’ interest. However, they have not focused on developing secure technologies that users can easily and transparently utilize. For example, consider the use of hexadecimal passwords for WEP encryption (e.g., a password in hexadecimal format is 5c23a4ab7b) (Potter and Fleck 2003). Only an engineer could appreciate this approach! This bias emerges because the IEEE and the Wi-Fi Alliance respond to their members and not endusers in general. Universities have also played an important role in identifying security flaws in existing standards and wireless technologies. For example, research documenting the problems with WEP encryption was done at the University of California at Berkeley (Borisov, Goldberg, and Wagner 2001). This work (and other follow up work) was crucial in illustrating wireless security


flaws. Their interest in wireless security arises from its novelty and the impact of identifying unknown problems. The ITSI analysis shows that in the area of wireless security, several forms of institutional actors, including firms, consortia, and universities, have attempted to correct flaws. This array of institutions is not the result of natural equilibrium. It is the result of several different interests coming together to focus on security issues. After all, there are many other technologies under development, such as digital rights management or radio-frequency identification, which do not have that same degree of cooperation among various institutions. The history of multiple actors affecting the development of wireless has normative consequences. Policymakers have many actors they can push or prod to help improve wireless security. While the possibility of redesigning such a mature technology is not likely, it is possible to reconfigure slightly the technical characteristics to improve security. One way of doing so is to rely on institutional norms as a rough proxy to predict what these actors may do. In this case, firms focus on selling wireless APs, and therefore they may not focus on security issues if they are too costly and not demanded by their customers. Consortia, on the other hand, are driven by their members’ interest and may favor solutions that are in the interest of their members, but not the general public. As an interested party, universities may be limited, because they have scarce resources. As wireless technologies mature, university researchers may have less incentive to study the security issues involved in an “old” technology. In the next section, we take up these institutional tendencies and discuss how society can strategically utilize them to foster more secure wireless technology.

Society Shaping Wireless Security


The ITSI analysis suggests that security can be improved if manufacturers redesigned their wireless technologies. ITSI recognizes that society can react to technologies by prompting developers to remove, modify, and create new versions of technologies. After all, the development of technology is influenced by society. ITSI suggests that policymakers consider how to improve wireless security by influencing developers, because left in the hands of users, security problems have not been addressed. ITSI does not provide normative guidance; for that, policymakers need to look to the existing literature in regulatory theory as applied to IT. The typical way to influence manufacturers is through the market. However, it is clear at this juncture that a status quo approach of relying on market forces will not improve wireless security. If the market cannot address the security concerns, one must look toward other methods such as cajoling firms and informing consumers about the security issues. Making customers aware of these threats can stimulate public interest and lead advocacy groups and the government to enter the debate. Policymakers should, in fact, foster this debate. There is every reason to believe that the attention and pressure from congressional hearings and reports from public interest groups can influence manufacturers to develop APs that are “secure by default.” This activity will lead customers to demand more security as well as highlight potential regulatory costs to manufacturers. A final recourse for influencing wireless technologies is government involvement. Currently, government funding of university research aids to identify wireless’s security flaws. Other ways government can influence development include fiscal measures, such as using government’s procurement power to favor secure wireless technologies. Government could also expand liability to hold wireless AP manufacturers accountable for the costs of security. Discussion has already arisen for identifying liability more generally when addressing lax


security in computing systems (National Research Council 2002). However, the point of this article is not to address the multitude of ways government can change the incentives of manufacturers. Instead, our goal is to show how an ITSI analysis can provide insights for addressing public policy issues.

Applying ITSI to Other Problems ITSI is useful for analyzing a wide range of scenarios beyond wireless security. ITSI has been used to analyze a number of other technologies and policy issues, such as RFID technology, cookies, digital rights management, and open standards policies. This section briefly discusses the effects on social welfare that ITSI has identified in two other technologies: Radio Frequency Identification (RFID) technology and Digital Rights Management (DRM) technology. In the case of RFID, ITSI is a marked improvement over the existing theoretical approach, the principles of Fair Information Practices (FIP). ITSI provides developers with useable possibilities for addressing RFID privacy. For example, ITSI recognizes that designers are capable of incorporating privacy into the design. Designers can provide users with the ability to control or reconfigure RFID tags. This could be accomplished in many ways, from modifying the information contained in a tag to removing or destroying the tag. While this suggestion may seem obvious, ITSI provides a framework for finding solutions that other approaches miss. An ITSI analysis of DRM technologies also offers several ideas for improving its use. For example, DRM technologies are almost entirely a creation of firms. Our analysis suggests this is because DRM technology is thought of as a proprietary solution and therefore a winnertake-all marketplace. To combat this problem, policymakers should fund efforts to make DRM technology less proprietary and more standardized. If they followed this suggestion, more


vendors would jointly participate in a useful version of DRM. The government could also fund university research, which thus far has not played a large role. ITSI also considers how DRM’s internal dynamics may impede social welfare. Our analysis of a very popular DRM technology, Apple Inc.’s Fairplay that protects music copyright, shows that its popularity stems from its perceived transparency to the user. This is unlike other DRM technology that users dislike because of overly strict restrictions, e.g, Sony. Fairplay acts as most users would expect. Users are not continually trying to reconfigure the technology, in which it would be very difficult for DRM to succeed. Nevertheless, users have difficulty trying to reconfigure some aspects of Apple’s Fairplay. Our analysis describes these limitations and provides suggestions to improve the technology.

Discussion ITSI provides a systematic way for thinking about how technology affects society. It considers how technology develops, how people use technology, and how society can influence the development of technology. This section discusses the implications of these relationships and how ITSI advances our theoretical understanding of technology. First, ITSI is useful for policymakers, who have had little guidance into how to approach these issues. As we pointed out earlier, the current theoretical perspectives for analyzing technology are not used by policymakers. ITSI can be applied by policymakers seeking insights into contemporary policy issues. It can also help identify key actors and processes that influence how IT affects society. In the case of wireless security, the ITSI analysis found flaws with the status quo by analyzing the issue at the individual level. Individuals are not capable of reconfiguring wireless AP. This insight would not have been identified using other approaches,


such as an economic model. After all, this problem is not evident using standard economic criteria, such as cost and market failure. Moreover, ITSI suggests a solution: redesigning APs. Conversely, conventional approaches would look to regulation. Its adeptness with technology is why ITSI is useful for analyzing policy issues. Second, ITSI builds upon existing theoretical paradigms. In doing so, it avoids creating simplistic binary oppositions for understanding how society and IT interact (Lievrouw and Boczkowski 2006). ITSI is largely based on sophisticated scholarly analysis of IT within structuration and actor-network theory and their rejection of simple deterministic relationships. Concepts such as biases in IT, reconfiguration, and shaping are not novel. The novelty is bringing these concepts together into a systematic descriptive framework for understanding IT in a policy context. By doing this, we can see how these concepts aid analysis of policy issues as well as guide policy solutions. As an example, consider how reconfiguration may be more appropriate than regulation in certain circumstances. In the case of RFID tags, a tracking device that relies on radio frequencies, the new favored approach is to focus on ensuring RFID tags are reconfigurable by end users rather than passing new regulations (Baard 2006; Consumers Against Supermarket Privacy Invasion and Numbering 2003). With multiple actors, forces, and relations influencing the use of IT, we require a theoretical approach that understands it in context. Third, ITSI is a theoretical advance over existing approaches because of its emphasis on IT. Technology is as an integral part of the framework. Unlike many other approaches where technology is an afterthought and bolted onto an existing theoretical paradigm, this model allows ITSI to be applied to a variety of social issues. For example, privacy issues are analyzed through the principles of Fair Information Practice, while free speech issues are analyzed on First


Amendment grounds. Instead, ITSI focuses on the common denominator of technology. The advantage is that ITSI is capable of analyzing issues that lack an existing theoretical foundation, such as universal accessibility. However, as ITSI emphasizes, to understand technology, we need to consider how it is situated with respect to users and developers. In other words, technology must be analyzed within context. Fourth, the ITSI framework offers new insights into how IT interacts with society. Some specific examples include the role of institutions, governance characteristics, and the importance of defining how society influences the development of technology. These roles were considered while analyzing wireless security. The norms of firms, consortia, and universities led them to emphasize different values in the development process. The analysis of wireless technology also suggested a normative proposal that relied on modifying the governance characteristic of defaults. This policy move would encourage manufacturers to design their APs to be “secure by default.” After all, if users are unable to reconfigure their APs, then ITSI suggests that we work with the other half of the relationship, how technology regulates, by modifying defaults.

Conclusion This article provides a systematic descriptive framework for analyzing how IT affects public policy issues. The ITSI framework is inspired by existing theory such as structuration and ANT, but is tailored to the theoretical and practical needs for analyzing the interactions between IT and society. Specifically, ITSI considers the development of IT, how IT regulates individuals while also recognizing that individuals can reconfigure IT, and finally, how society can intervene and influence the development of IT. The ITSI framework builds upon a large corpus of descriptive and normative scholarship by computer scientists, sociologists, communications


scholars, and legal scholars. The contribution here does not define a new set of relationships between society and information technology, rather, it explicates existing relationships, and in the process, develops a descriptive framework that provides analytical insights. This article illustrates ITSI through an analysis of security issues involved in wireless technology. The analysis found that consumers are not provided with simple and effective security because of the increased reliance on user configuration. ITSI led to this finding; it would not have emerged using conventional policy analysis. ITSI also provided solutions to this problem. Instead of looking toward users to improve security, policymakers should look to manufacturers to develop APs that are “secure by design.” The analysis ended by pointing out a number of strategies to influence manufacturers to improve the design of wireless APs. ITSI improves the ability of scholars and policymakers to analyze a variety of policy issues concerning IT. Going forward, we believe some of the concepts highlighted by ITSI, such as the role of institutions, reconfiguration, and governance characteristics, will be fruitful grist for scholars. At the very least, ITSI provides scholars and policymakers with a starting point for how IT affects society from a policy perspective.



Akrich, Madeleine. 1992. The De-Scription of Technical Objects. In Shaping Technology/Building Society, edited by W. E. Bijker and J. Law. Cambridge: MIT Press. Arthur, W. Brian. 1989. Competing Technologies, Increasing Returns and Lock-in by Historical Events. Economic Journal 99:106-131. Avgerou, Chrisanthi. 2002. Information Systems and Global Diversity. Oxford: Oxford University Press. Baard, Mark. 2006. Retail-Safe RFID Unveiled. Wired, May 2. Balanced Budget Act. Baldwin, Robert, and Martin Cave. 1999. Understanding Regulation. Oxford: Oxford University Press. Bar, Francois, and Hernan Galperin. 2004. Building the Wireless Internet Infrastructure: From Cordless Ethernet Archipelagos to Wireless Grids. Communications & Strategies 54 (2):45-68. Berg, Marc. 1998. The Politics of Technology: On Bringing Social Theory into Technological Design. Science, Technology, & Human Values 23 (4):456-490. Borisov, Nikita, Ian Goldberg, and David Wagner. 2001. Intercepting Mobile Communications: The Insecurity of 802.11. Paper read at Seventh Annual International Conference on Mobile Computing and Networking. Braman, Sandra. 2003. The Long View. In Communication Researchers and Policy-Making, edited by S. Braman. Cambridge, MA: MIT Press. Breyer, Stephen. 1982. Regulation and Its Reform. Cambridge: Harvard University Press. Callon, Michel. 1986. Some elements of a sociology of translation: Domestication of the scallops and the fishermen of St Brieucâe Bay. In Power, action and belief, edited by J. Law. London: Routledge. Camp, Jean, Kalpana Shankar, and Kay Connelly. Forthcoming. Systematic Design for Privacy in Ubicomp. Cargill, Carl. 1989. Information Technology Standardization: Theory, Process, and Organization: Digital Press. Cargill, Carl F. The Role of Consortia Standards in Federal Government Procurements in the Information Technology Sector: Towards a Re-Definition of a Voluntary Consensus 40

Standards Organization, June 28 2001 [cited. Available from Clarke, Roger. 1999. Internet Privacy Concerns the Case for Intervention Communications of the ACM 42 (2):60-67. Collins, H.M., and Steven Yearley. 1992. Epistemological Chicken. In Science as Practice and Culture, edited by A. Pickering. Chicago, IL: Chicago University Press. ———. 1992. Journey Into Space. In Science as Practice and Culture, edited by A. Pickering. Chicago, IL: Chicago University Press. Consumers Against Supermarket Privacy Invasion and Numbering. 2004. RFID Position Statement of Consumer Privacy and Civil Liberties Organizations, November 20 2003 [cited August 16 2004]. Available from Daft, R. L., and R. H. Lengel. 1984. Information Richness: A New Approach to Managerial Behavior and Organization Design. In Research in Organizational Behavior, edited by B. M. Staw and L. L. Cummings. Greenwich: JAI Press. David, Paul A. 1985. Clio and the Economics of QWERTY. American Economic Review 75 (5):332-337. DeSanctis, Gerardine, and Marshall Scott Poole. 1994. Capturing the Complexity in Advanced Technology Use: Adaptive Structuration Theory. Organizational Science 5:121-147. Edwards, Paul N. 1996. The Closed World: Computers and the Politics of Discourse in Cold War America. Cambridge: MIT Press. Eisenstein, Elizabeth L. 1997. The Printing Press as an Agent of Change: Communications and Cultural Transformations in Early-Modern Europe. Cambridge: Cambridge University Press. Escudero-Pascual, Alberto, and Ian Hosein. 2004. The Hazards of Technology-Neutral Policy: Questioning Lawful Access to Traffic Data. Communications of the ACM 47 (3):77-82. Feenberg, Andrew. 1991. Critical Theory of Technology. New York: Oxford University Press. Fischer, Claude S. 1992. America Calling, A Social History of the Telephone to 1940. Berkeley: University of California Press. Flanagan, Andrew J. , W. J. M. Farinola, and Miriam J. Metzger. 2000. The technical code of the Internet/World Wide Web. Critical Studies in Media Communication 17 (3):409-28. Floerkemeier, Christian, Roland Schneider, and Marc Langheinrich. 2005. Scanning with a Purpose - Supporting the Fair Information Principles in RFID Protocols. In Ubiquitous Computing Systems. Revised Selected Papers from the 2nd International Symposium on 41

Ubiquitous Computing Systems (UCS 2004) edited by H. Murakami, H. Nakashima, H. Tokuda and M. Yasumura. Berlin, Germany: Springer-Verlag. Fountain, Jane E. 2001. Constructing the information society: Women, information technology, and design. Technology in Society 22:45-62. Friedman, Batya. 1997. Human Values and the Design of Computer Technology. Stanford, CA: CLSI Publications. Friedman, Batya, Peter H. Kahn, and Alan Borning. 2006. Value Sensitive Design and Information Systems. In Human-Computer Interaction in Management Information Systems, edited by P. Zhang and D. Galletta. New York: M.E. Sharpe, Inc. Gast, Matthew. 2005. Wireless LAN Security: A Short History 2002 [cited July 12 2005]. Available from Giddens, Anthony. 1984. The Constitution of Society: Outline of the Theory of Structure. Berkeley, CA: University of California Press. Haythornthwaite, Caroline, Barry Wellman, and Laura Garton. 1998. Work and Community Via Computer-Mediated Communication. In Psychology of the Internet, edited by J. Gackenbach. San Diego, CA: Academic Press. Hosein, Ian, Prodromos Tsiavos, and Edgar Whitley. 2003. Regulating Architecture and Architectures of Regulation: Contributions from Information Systems. International Review of Law, Computers & Technology 17 (1):85-97. Howcroft, Debra, Nathalie Mitev, and Melanie Wilson. 2004. What We May Learn from the Social Shaping of Technology Approach. In Social Theory and Philosophy for Information Systems, edited by J. Mingers and L. Willcocks. West Sussex, England: John Wiley & Sons, Ltd. Innis, Harold. 1951. The Bias of Communication. Toronto, Canada: University of Toronto Press. Intel. 2005. Wireless Network Security Resource Center 2005 [cited July 12 2005]. Available from Introna, Lucas, and Helen Nissenbaum. 2000. Defining the Web: The Politics of Search Engines. IEEE Computer 33 (1):54-62. Joerges, Bernward. 1999. Do Politics Have Artifacts. Social Studies of Science 29 (3):411-431. Jones, M. 1997. Structuration Theory. In Rethinking Management Information Systems, edited by W. Currie and B. Galliers. New York: Oxford University Press. Jones, Matthew, Wanda Orlikosiki, and Kamal Munir. 2004. Structuration Theory and Information Systems: A Critical Reappraisal. In Social Theory and Philosophy for


Information Systems, edited by J. Mingers and L. Willcocks. West Sussex, England: John Wiley & Sons, Ltd. Karagiannis, Konstantinos. 2003. Ten Steps to a Secure Wireless Network. PC Magazine, February 25, 64. Kesan, Jay P., and Rajiv C. Shah. 2005. Shaping Code. Harvard Journal of Law & Technology 18 (2):319-399. Kistner, Toni. 2004. Vendors Vie to Ease Home Net Complexity. Network World, Sept. 27. Kling, Rob , and Suzanne Iacono. 1988. The Mobilization of Support for Computerization: The Role of Computerization Movements. Social Problems 35 (3):226-243. Klischewski, Ralf. 2002. Reaching Out for Commitments: Systems Development as Networking. In Social Thinking: Software Practice, edited by Y. Dittrich, C. Floyd and R. Klischewski. Cambridge, MA: MIT Press. Kolko, Beth E. 2000. Erasing @race: Going White in the (Inter)Face. In Race in Cyberspace, edited by B. E. Kolko, L. Nakamura and G. B. Rodman. New York: Routledge. Lasky, Michael S., Dennis O'Reilly, Eric Dahl, and Kirk Steers. 2004. No-Hassle Wireless Networking Superguide. PC World, February, 138-140. Latour, Bruno. 1987. Science in Action. Boston: Harvard University Press. ———. 1992. Where Are the Missing Masses? The Sociology of a Few Mundane Artifacts. In Shaping Technology/Building Society, edited by W. E. Bijker and J. Law. Cambridge: MIT Press. ———. 1999. Pandora's Hope. London: Harvard University Press. Law, John. 1992. Notes on the Theory of the Actor-Network: Ordering, Strategy and Heterogeneity. Systems Practice 5:379-393. Lessig, Lawrence. 1999. Code and Other Laws of Cyberspace. New York: Basic Books. Lieberman, Joseph. 1996. Why Parents Hate TV. Policy Review 77:19-23. Lievrouw, Leah A. 2002. Determination and Contingency in New Media Development: Diffusion of Innovations and Social Shaping of Technology Perspectives. In Handbook of New Media: Social Shaping and Consequences of ICTs, edited by L. A. Lievrouw and S. Livingstone. London: Sage. Lievrouw, Leah A., and Pablo Boczkowski. 2006. Bridging Communication Studies and Science and Technology Studies: Scholarship on Media and Information Technologies. In The Handbook of Science and Technology Studies, edited by E. J. Hackett, O. Amsterdamska, M. Lynch and J. Wajcman. Cambridge, MA: MIT Press. 43

Linksys. 2005. Protecting Your Wireless Network 2005 [cited July 12 2005]. Available from %3DL_Content_C1%26cid%3D1116519873380&pagename=Linksys%2FCommon%2F VisitorWrapper. Mansell, Robin. 1993. The New Telecommunications: A Political Economy of Network Evolution. London: Sage. Martin, David M., Richard M. Smith, Michael Brittain, Ivan Fetch, and Hailin Wu. 2001. The Privacy Practices of Web Browser Extensions. Communications of the ACM 44 (2):4550. McAdams, Richard H. 1997. The Origin, Development, and Regulation of Social Norms. Michigan Law Review 96:338-433. McChesney, Robert W. 1993. Telecommunications, Mass Media, and Democracy. Oxford: Oxford University Press. McLean, Chris, and John Hassard. 2004. Symmetrical Absence/Symmetrical Absurdity: Critical Notes on the Production of Actor-Network Accounts. journal of Management Studies 41 (3):493-519. McLuhan, Marshall. 1964. Understanding Media: The Extensions of Man. New York: McGrawHill Book Co. Meyrowitz, Joshua. 1994. Medium Theory. In Communication Theory Today, edited by D. Crowley and D. Mitchell. Cambridge, MA: Polity Press. Monteiro, Eric. 1998. Scaling Information Infrastructure: The Case of Next-Generation IP in the Internet. Information Society 14 (3):229-245. ———. 2000. Actor-Network Theory and Information Infrastructure. In From Control to Drift, edited by C. Ciborra. Oxford: Oxford University Press. ———. 2004. Actor Network Theory and Cultural Aspects of Interpretative Studies. In The Social Study of Information and Communication Technology, edited by C. Avgerou, C. Ciborra and F. Land. Oxford: Oxford University Press. Monteiro, Eric, and Ole Hanseth. 1995. Social Shaping of Information Infrastructure: On Being Specific About the Technology. In Information Technology and Changes in Organizational Work, edited by W. Orlikowski, G. Walsham, M. R. Jones and J. I. DeGross: Chapman & Hall. Murray, Andrew, and Colin Scott. 2002. Controlling the New Media: Hybrid Responses to New Forms of Power. Modern Law Review 65:491-516. Nakamura, Lisa. 2000. Race In/For Cyberspace: Identity Tourism on the Internet. In The Cybercultures Reader, edited by D. Bell. New York: Routledge Press. 44

National Institute of Standards and Technology. 2002. Wireless Network Security. Gaithersburg, MD. National Research Council. 2002. Cybersecurity: Today and Tomorrow. Washington, DC: National Academy Press. North, Douglas C. 1990. Institutions, Institutional Change and Economic Performance. New York: Cambridge University Press. Ohrtman, Frank D., and Kondrad Roeder. 2003. Wi-Fi Handbook: Building 802.11b Wireless Networks. New York: McGraw-Hill Professional. Orlikowski, Wanda J. 1992. The Duality of Technology: Rethinking the Concept of Technology in Organizations. Organizational Science 3 (3):398-427. ———. 2000. Using Technology and Constituting Structures: A Practice Lens for Studying Technology in Organizations. Organizational Science 11 (4):404-428. Parsons, Patrick R. 1989. Defining Cable Television: Structuration and Public Policy. Journal of Communication 39 (2):10-26. Pinch, Trevor J., and Wiebe E. Bijker. 1987. The Social Construction of Facts and Artifacts: Or How the Sociology of Science and the Sociology of Technology Might Benefit Each Other. In The Social Construction of Technological Systems, edited by W. E. Bijker, T. P. Hughes and T. J. Pinch. Cambridge, MA: MIT Press. Poole, Marshall Scott, and Gerardine DeSanctis. 2004. Structuration Theory in Information Systems Research: Methods and Controversies. In The Handbook for Information Systems Research, edited by M. E. Whitman and A. B. Woszczynski. Hershey, PA: IDEA Group Publications. Posner, Eric A. 1996. Law, Economics, and Inefficient Norms. University of Pennsylvania 144:1697-1745. Posner, Richard A. 1973. Economic Analysis of Law. Boston: Little Brown. Potter, Bruce, and Bob Fleck. 2003. 802.11 Security. Sebastopol, CA: O'Reilly & Associates. Powell, Walter W., and Paul J. DiMaggio, eds. 1991. The New Institutionalism in Organizational Analysis. Chicago, IL: University of Chicago Press. Rogers, Everett. 2003. Diffusion of Innovations. 5th ed. New York: Free Press. Rose, Jeremy, Matthew Jones, and Duane Truex. 2005. Socio-Theoretic Accounts of IS: The Problem of Agency. Scandinavian Journal of Information Systems 17 (1):133-152. Rotenberg, Marc. 2001. What Larry Doesn't Get: Fair Information Practices and the Architecture of Privacy. Stanford Technology Law Review 2001:1. 45

Samarajiva, Rohan, and Peter Shields. 1997. Telecommunication Networks as Social Scape: Implications for Research and Policy as an Exemplar. Media, Culture & Society 19 (4):535-555. Savage, James G. 1989. The Politics of International Telecommunications Regulation. Boulder, CO: Westview Press, Inc. Schiesel, Seth. 2005. Growth of Wireless Internet Opens New Path for Thieves. New York Times, A1. Schmidt, Suzanne K., and Raymund Werle. 1998. Coordinating Technology: Studies in the International Standardization of Telecommunications. Cambridge, MA: MIT Press. Schot, Johan, and Arie Rip. 1997. The Past and Future of Constructive Technology Assessment. Technological Forecasting and Social Change 54 (2-3):251-268. Schwartz, Paul M. 2000. Beyond Lessig’s Code for Internet Privacy: Cyberspace Filters, Privacy-Control, and Fair Information Practices. Wisconsin Law Review 2000:743-788. Shah, Rajiv C., and Jay P. Kesan. 2003. Manipulating the Governance Characteristics of Code. Info 5 (4):3-9. ———. 2005. Nurturing Software: How Societal Institutions Shape the Development of Software. Communications of the ACM 48 (9):80-85. Shah, Rajiv C., and Christian Sandvig. 2005. Software Defaults as De Facto Regulation: The Case of Wireless Access Points. Paper read at Telecommunications Policy Research Conference, at Washington, DC. Shapiro, Carl, and Hal R. Varian. 1999. Information Rules: A Strategic Guide to the Network Economy. Boston, MA: Harvard Business School Press. Suchman, Lucy. 1987. Plans and Situated Actions: The Problem of Human-Machine Communication. New York: Cambridge University Press. Tatnall, Arthur. 2003. Actor-Network Theory as a Socio-Technical Approach to Information Systems Research. In Socio-Technical and Human Cognition Elements of Information Systems, edited by S. Clarke, E. Coakes, M. G. Hunter and A. Wenn. Hershey, PA: Information Science Publishing. U.S. General Accounting Office. 2005. Information Security: Federal Agencies Need to Improve Controls Over Wireless Security. US-CERT. 2005. Cyber Security Tip ST05-003 -- Securing Wireless Networks 2005 [cited July 12 2005]. Available from Verbeek, Peter-Paul. 2005. What Things Do. University Park, PA: Pennsylvania State University Press. 46

———. 2006. Materializing Morality. Science, Technology, & Human Values 31 (3):361-380. Vidgen, R., and T. McMaster. 1995. Black Boxes, Non-Human Stakeholders and the Translation of IT Through Mediation. In Information Technology and Changes in Organizational Work, edited by W. Orlikowski, G. Walsham, M. R. Jones and J. I. DeGross: Chapman & Hall. Wagner, Polk. 2005. On Software Regulation. California Law Review 78:457-519. Walsham, Geoff. 1993. Interpreting Information Systems in Organizations. Chichester, UK: John Wiley & Sons. Walsham, Geoff, and Sundeep Sahay. 1999. GIS for District-Level Administration in India: Problems and Opportunities. MIS Quarterly 23 (1):39-66. Winner, Langdon. 1980. Do Artifacts have Politics? Daedalus 109 (1):121-136. Woolgar, Steve. 1991. Configuring the User: The Case of Usability Trials. In Sociology of Monsters: Essays on Power, Technology, and Domination, edited by J. Law. London: Routledge.