“I got a recording. I got a recording of this idiot.” A Scandinavian-accented voice declares over voice chat. “Can someone tell the people from [the other player’s guild] what he just did?”

That was the subject of a Reddit post giving a “daily reminder that Sharphealz is a ninja.” Instead of shuriken-wielding shadow warriors, “ninja” is here slang for a thief of valuable in-game items. The above video was taken from a private World of Warcaft (WoW) server, emulating the 2006 iteration of the popular online game, soon to be officially re-released by Blizzard as World of Warcraft Classic.

Yet, the bootleg version of the massively-multiplayer icon is a special beast beyond just game mechanics. Some of its core social dynamics serve as excellent – if accidental – microcosms of real-world phenomena.

These servers are third-party clones of proprietary software, and hence are of questionable legality. Taking advantage of spotty IP protections, most are hosted overseas – in Russia, for example. They are typically organized into non-profit “projects,” or amateur initiatives to create versions of the 2006 iteration of the game. Each private server project hosts at least a couple of “realms” or instances of the game world in which players can interact.

Most large private servers carry thousands of people, and tend to be radically weighted towards a single primary realm in population. Players from around the world fight, banter, organize and develop a virtual social system in their free time. It is a fairly close-knit group, but only lightly moderated by volunteer Game Masters. Players themselves must play a role in this community moderation if they wish to coexist productively.

The mixture of old-school WoW’s original quirks, private servers’ laissez-faire ethos, and their small but dense populations render them petri dishes for “natural” social experiments. At issue is how near-total strangers are able to make their own rules and institutions, and cooperate effectively and on the fly for common rewards.

Servers may have their share of delinquents – okay, a large share – but the anarchy is more orderly than you’d anticipate, given the difficulty of developer-side rule enforcement. In fact, the conditions that allow for unplanned cooperation among strangers are extremely important topics among the big debates in social sciences and public policy. Political scientist Mancur Olson identified problems in the real world in which individuals’ conflicting interests impede common goals as “collective action problems.” Concern with such dilemmas dates back to philosophers David Hume and Thomas Hobbes.

One of the largest and most consequential collective action problems is the “Player vs. Environment” (PvE) raiding scene in the game. Old-school WoW has several large “raid” dungeons pitting 20 and 40-player teams against powerful computer-controlled monsters. These encounters are typically the most difficult end-game challenges, but also the most rewarding. Not only is the loot found within among the best around, but “raid gear” confers a sort of prestige, and obviously, we all want to saunter around Ironforge with shinier stuff than the next guy.

So there’s huge incentive to raid, but you might have to spend often upwards of six hours in the crucible of high-end PvE with 39 other people, many of whom desperately want the same valuable stuff you do. They are also probably total strangers.

That’s basically what Blizzard left us with in 2004, and it sounds like a powderkeg of potential disputes over who deserves loot, or whom is at fault for getting everyone killed. Yet, players have overcome these challenges, using a variety of creative avenues.

With nobody officially in charge at the outset, leaders come out of the woodwork to direct these complex operations. Some raid leaders do it for the joy of accomplishing something difficult or for the bragging rights provided by a “server first” boss kill, while some experienced players may behave entrepreneurially by putting together raids for in-game money. In a scenario of mutual efforts but uncertain, scarce rewards, one of the first things that must emerge is a rule system. This is a de facto necessity – even “first-come-first-serve” is a rule system. Since the infancy of this gaming genre, enterprising players have invented various systems of their own, with no one system being “official.” It’s a marketplace of institutions in which players converge on the rulesets that that benefit them most.

Eventually, a few dominant systems rose from the massively-multiplayer gaming community. The iconic DKP system is a points-currency scheme, where players receive “Dragon Kill Points” for participating in raids, which they can save or spend in player-organized auctions for loot, whereas “gold-bid” systems use in-game currency (the proceeds of which often provide income for those “entrepreneurial” leaders).

Most raids, especially informal pick-up-groups, tend towards “Need Before Greed” (NBG) systems. Players can roll the virtual dice against each other for items their characters genuinely need for advancement, as opposed to items that are more of a luxury. Since what constitutes real need is frequently disputable, secondary rule systems dictating priority in cases of competing claims on a given item may crop up in NBG raids as well.

Sometimes new, influential raiders can introduce rule schemes. On one server, the status quo consisted mostly of Need Before Greed and auctions, but after a merge with another server, a large influx of experienced raiders became the new kids on the block. Having many successful dungeon runs under their belt, they imported the “Wishlist” system, in which each raider may reserve one item for themselves. If multiple players reserve the same item, they then roll the dice on it. The efficiency of this idea soon became obvious, and within a few weeks Wishlist (and the players that imported it) took over the raiding scene.

Joining a raid group is a significant investment, in time, effort and in-game resources. Players are putting a lot on the line, and expected rewards can be highly uncertain. Given this investment risk, players have sought out means to ensure not only the use of fair loot rules, but institutional mechanisms to make sure they can complete the dungeons regularly and smoothly. Hardcore raiders’ best tool for this is the game’s Guild system, offering built-in organizational features such as a common chat channel and active roster of members. A competent raiding guild offers members a chance to clear dungeons in an organized manner with skilled leadership, and to win items in a loot system that is reliable and fair.

Like “Sharphealz,” the ninja looter in the video, there is a strong incentive to abscond with others’ items, or to just coast on everyone else’s efforts in the heat of battle. To hedge against this behavior, guilds offer ingredients to reduce the likelihood of cheating: longevity and reliability, accountability, as well as simple bonds of friendship. Guilds frequently expel members who violate rules or behave boorishly, and a player without a guild is one at a big disadvantage. A player can get to know and care for their guildmates’ welfare, and everyday social interaction builds rapport between members. It’s tough enough to be kicked from a guild, tougher still to lose your in-game friends.

The accountability mechanisms within guilds rely heavily on reputation, much like within the broader game community. Since the vast majority of players are stuck on the same realm, and the community is fairly small, informal social sanctions provide punishment for rulebreaking. Sharphealz’ widely shared video provides documentation of his crimes, and it cemented the player’s reputation as a troublemaker for quite some time. It is not uncommon to hear public shaming in the game’s chatbox, marking various players as cheaters or slackers. A person with a bad reputation doesn’t get invited to groups – a big handicap in an inherently collaborative environment. Indeed, many hotly contest public accusations for this reason.

There are, of course, “troll” players who thrive on infamy. The original ninja looting video was recorded by the thief himself. Indeed, a side effect of this melting pot of a server is that although players may cooperate to achieve certain gameplay goals, large strains of animosity and angry flare-ups run through the community. Many raiding guilds keep “blacklists” of prohibited players for this reason, while others collapse from their own internal strife. Some particularly frustrating raid encounters are wryly dubbed “guild-breakers” for their propensity to spark conflict.

What is clear from the common problem of raid organization is that players can figure it out naturally, overcoming complex challenges of focus and coordination as a hobby. They jerry-rig institutions to provide accountability and avoid disputes, as well as to bring people together in the first place.

The power of community networks, anticipation of future opportunities, and high-value payoffs influences our behavior on Earth in myriad ways, and there is no reason why it would be otherwise on Azeroth.

Anne Hobson is a program manager at the Mercatus Center at George Mason University. Leo Plumer is an MA Fellow at the Mercatus Center at George Mason University.

Today, botnets and the Distributed Denial of Service (DDoS) attacks that can accompany them, are considered among “the most severe cybersecurity threats.” Botnets have caused extensive economic harm to businesses, banks, hospitals, and government agencies around the world. Furthermore, botnets are used to spread political propaganda aimed at distorting democratic elections. In fact, U.S. government officials concluded that the Russian propaganda campaign has not stopped since the 2016 election and the magnitude of the issue is expected to grow. Yet, a time-tested framework for addressing the problem already exists. Governing complex internet-based problems is best accomplished by a network of stakeholders similar to the way the internet is currently governed.

In her Nobel Lecture, Elinor Ostrom emphasized the necessity to study human economic behavior in any complex system. She added that no “one size fits all” policy solution would work for a highly complex socio-economic issue, but approaches created by a disperse, spontaneously self-organized group are far more innovative. This is the essence of polycentric order as defined by Elinor and Vincent Ostrom. A polycentric order has multiple overlapping decision-making centers comprised of individuals equipped with necessary knowledge and expertise to create better outcomes for issues of high complexity.

In the case of cybersecurity, where dynamic response is critical – distributed network actors are best suited to govern complex cyber problems. While policymakers are one such group in this governance network, the efforts of other stakeholders are critical to maintaining flexibility and adaptability to emerging threats. The role of policymakers is to facilitating the emergence of multiple decision-making centers, which is key for resolving botnet issues.

In his book Networks and States, Milton Mueller offers a comprehensive analysis of network actors outside of the nation-state system as well as their effectiveness in addressing cybersecurity issues. Mueller outlines distinct challenges of cybercrime such as its globalized scope, boundless scale, and its decentralized and distributed nature. He argues that efficient institutions and new organizational forms are in a continuous process of emerging out of the interactions between public and private actors.

Mueller asserts that meaningful solutions to cybersecurity issues are only possible at the trans-national level. Such large international organizations as Internet Corporation for Assigned Names and Numbers (ICANN), The World Intellectual Property Organization (WIPO), and Internet Governance Forum (IGF) among others, provide governance at the international internet governance. Mueller highlights that an effective global internet security policy will recognize the interdependence of markets, nation-state specific property rights protections, and shared information and communication resources. He proposes that a “denationalized liberal approach” would be effective in resolving this dilemma. Moreover, he concludes that a true denationalized liberal governance will emerge out of the interactions of globally networked communities. His conclusions regarding internet security governance are, therefore, aligned with the Ostromian approach.

There have been some promising developments in collaboration between private and public sectors. In 2018, USTelecom and ITI announced the creation of the Council to Secure the Digital Economy. The Council brings together the leaders from the Information and Communication Technology sector to create a more resilient digital ecosystem. For example, they produced the botnet guide, a compilation of best practices by large scale enterprises that can be implemented in a variety of industries to mitigate the threats of the distributed denial of service attacks. Additionally, the Federal Trade Commission has been facilitating meetings between stakeholders.

Past and future administrations can learn from the Clinton Administration’s Framework for Global Electronic Commerce that made space for stakeholders to be involved in governing the internet and maximized cooperation between public and private initiatives for cyber-security. Indeed, the Obama administration’s cybersecurity plan included a call for technology companies to fight botnets collectively. The Trump administration declared its commitment to giving the Federal agencies legal authority to combat botnets.

Government should not be the only source of governance in addressing cybersecurity problems. Botnets are best combated by a multistakeholder effort between public and private entities. The tenants of “polycentricity” and “decentralized liberalism” capture the wisdom of a more distributed governance approach.

Anne Hobson is a program manager at the Mercatus Center at George Mason University. Yuliya Yatsyshina is an MA Fellow at the Mercatus Center at George Mason University.

Should government to protect us from snooping teddy bears and untrustworthy toasters? The California State Senate seems to think so.

With traditional devices on the decline, laptop and desktop computers now account for less than 25 percent of internet network traffic. Indeed, American households now use, on average, seven connected devices every day. As this so-called “internet of things” continues to expand, an array of connected objects—from toasters to lightbulbs to dishwashers—now include embedded microprocessors, multiplying the number of potential threat vectors for data breaches and cyberattacks.

Notably, security researchers revealed recently that CloudPets, a company that sells connected stuffed animal toys with voice-recording capabilities, had a security vulnerability that leaked the information of more than 500,000 people. In response to accounts like these and concerns about data collection by internet-of-things devices, California is considering S.B. 327, legislation that would require certain security and privacy features for any connected devices sold in the Golden State.

Device insecurity is a real threat and it’s encouraging to see legislators thinking about consumer privacy and security. But this bill, facetiously called the “teddy bear and toaster act” by its critics, would create more problems than it solves. These concerns do not merit a heavy-handed and wide-reaching legislative response.

First introduced in February, the bill targets a broad range of products that include “any device, sensor, or other physical object that is capable of connecting to the internet, directly or indirectly, or to another connected device.” It would require that their manufacturers “equip the device with reasonable security features.”

The scope and scale of that definition would appear to cover everything from smartphones to cars to tweet-happy toasters. Sweeping such a broad range of connected devices under its rules ignores that all of these items have unique functions, capabilities, and vulnerabilities. What constitutes a “reasonable security feature” for one might be completely unreasonable for another. This one-size-fits-all regulatory approach threatens to chill innovation, as companies from a host of different sectors expend resources just to make sense of the rules.

Should the bill move forward, we should also expect a range of consumer items will be equipped to blink and buzz and beep in ways more annoying than informative. The bill decrees that: “a manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.”

For some types of devices—such as virtual and augmented reality systems and autonomous vehicles—this requirement is simply infeasible. These devices use sensors to collect data constantly in order to perform their core functions. For always-on devices like IP security cameras, Amazon Alexa or connected cars, an indicator would just be synonymous with an “on” button. Many of these indicators will be superfluous, misunderstood and costly to implement—costs that disproportionately would hit smaller businesses.

Other provisions of the bill urge sellers of connected devices to notify consumers at checkout where they can find the item’s privacy policy and information about security patches and updates. This is valuable information, but the point-of-sale may not be the best time to communicate it. For many devices, a verbal or web-based tutorial likely would be more effective. Companies need the flexibility to figure out the best ways to inform their customers, while these design requirements would remove that flexibility.

In an interconnected world, balancing privacy rights and security is a hugely difficult undertaking. Enshrining that balance in law requires a nuanced and targeted approach. Policymakers at both the state and federal levels should focus their efforts on provable privacy or security harms, while empowering consumers with baseline information, where appropriate. Applying design requirements and compliance tasks in a haphazard way, as S.B. 327 does, will harm innovation without meaningfully improving data security.

Anne Hobson is technology policy fellow with the R Street Institute.

Ticket scalpers have a bad rep. Critics deride them as “malicious” and “bad actors” and sometimes even deem them the primary cause of a purported nationwide “bot epidemic.” Responding to fan complaints about the paucity of tickets, de facto monopolist Live Nation Entertainment points to the scourge of “bots” ? software that allows scalpers to buy tickets en masse and resell them on secondary-market sites like SeatGeek and Stubhub.

Instead of finding a solution on their own, ticket sellers want the federal government to do their policing for them. In July, Sens. Jerry Moran and Chuck Schumer introduced the BOTS Act, a bill that promises “equitable consumer access to tickets.” The most recent Senate hearing on the issue featured compelling personal narratives about fans who weren’t able to get cheap tickets to popular shows, such as the hit musical “Hamilton.”

But closer analysis of the legislation’s details cast doubt on whether it truly would benefit fans. Indeed, it clearly misses several crucial pieces of the puzzle.

A solution in search of a problem

The first question is obvious: are ticket-harvesting bots actually a significant problem? To be sure, those who seek to outlaw them are armed with anecdotes. Research from New York Attorney General Eric Schneiderman finds “at least tens of thousands of tickets per year” are acquired using bots. But given that Live Nation’s Ticketmaster service sold 147 million tickets in 2012, even if bots acquired 100,000 tickets a year, that would still be significantly less than 1 percent of all tickets sold.

For its part, Ticketmaster estimates that “60 percent of the most desirable tickets for some shows” are purchased by bots. Leaving aside the profusion of qualifiers needed to make even that claim, it probably shouldn’t be surprising that high-demand and underpriced tickets are the most likely to be resold. But this ignores that venues contribute to the problem by not making tickets available to the general public in the first place. For example, analysis of a 2013 Justin Bieber concert in Nashville, Tennessee, revealed that 92 percent of tickets were presold for credit-card promotions, to fan clubs, to VIP programs or to the artist. Even if bots bought 60 percent of the Bieber tickets released to the general public, it would represent only 4 percent of the show’s seats.

‘Unfairness’ is in the eye of the beholder

The BOTS Act would punish digital ticket scalping as an “unfair and deceptive” practice. But the way tickets currently are sold is neither fair nor transparent. Schneiderman’s report acknowledged that ticket sellers are complicit in limiting the general public’s access to tickets. The investigation found a majority (56 percent, on average) of tickets are presold or put on hold for the most popular concerts. Given that managers and artists often resell these tickets to the highest bidders, it’s clear why industry insiders support a crackdown on bots. They compete directly in the resale market.

The culture long ago evolved to regard scalpers with moral repugnance, similar to the opprobrium reserved for price gougers, speculators and arbitrageurs. Indeed, Nobel laureate economist Alvin Roth has identified ticket scalping as a market in which repugnance discourages what would be otherwise efficient market activity. But norms can change. Usury ? that is, charging interest on loans ? also was once widely deemed morally repugnant, but modern financial markets could scarcely exist without it.

Writing in The New York Times, Harvard University economist Gregory Mankiw notes of his recent experience spending $2,500 for tickets to “Hamilton” that it “was only because the price was so high that I was able to buy tickets at all on such a short notice.” Mankiw’s tale illustrates a frequently forgotten fact ? namely, that tickets purchased by bots do end up in the hands of genuine fans. By making tickets available closer to the event date and by raising their perceived cost, scalpers also help ensure that venues fill.

When scalpers buy and resell tickets, they bear the risk of stale inventory so that primary ticket sellers don’t have to. Like any investment, scalpers can lose money. When scalpers guess wrong, they have to sell tickets at below face value. This allows the market to clear and allows consumers to buy at a price that better matches how much they value the experience. Tightening controls on ticket resellers would expose primary ticket outlets to a liquidity and seat-inventory risk.

Scalpers also help provide crucial market information both to venues and to consumers. The prices paid in the secondary market signal to venues when tickets are underpriced and concerts are undervalued. Secondary-market vendors such as SeatGeek, for example, collect and share data on past ticket transactions to provide ticket cost analysis to vendors and fans. These services create value for consumers and shouldn’t be suppressed.

Because it would raise the cost of using bots, the BOTS Act would leave fewer tickets available through services like Stubhub and even Ticketmaster itself. It wouldn’t kill the secondary market, but scalpers likely would raise prices to account for the higher risk that any given ticket will go unsold. It also would change the distribution of tickets to favor those willing to stand in line the longest, those who have the fastest internet connections or even just those who happen to have good timing or good luck. It’s hard to see how any of this benefits fans.

Another expected effect of legislation like this would be to reduce innovation in ticket sales. Fueled by the demand for tickets, investors continue to fund new entrepreneurs in the event space. For example, the app Pogoseat allows existing ticket holders to browse and purchase potential seat upgrades from their smartphones while they are in the venue. Sites like SeatGeek provide information on the going prices of tickets, helping consumers gauge whether they are getting a good or bad deal. Punishing digital ticket resellers probably would scare away capital investments in apps that better match consumers with tickets, leading to worse outcomes for everyone.

The case against federal regulation

There are some subtle differences in the two versions of the BOTS Act currently wending their way through Congress. The House version ? H.R. 5104, sponsored by Reps. Marsha Blackburn and Paul Tonko ? would make the purchase and use of bots to acquire tickets a federal crime. The Senate bill is vaguer, prohibiting the “circumvention of control measures used by Internet ticket sellers to ensure equitable consumer access to tickets.” The Senate version also could affect a broader range of user activities ? for example, allowing primary ticket outlets to bar season-ticket holders from reselling their seats.

The law would empower the Federal Trade Commission to police compliance with the terms and conditions of private contracts. That sets a dangerous precedent. Under Sen. Schumer’s vision, the FTC would target websites that assist in selling digitally scalped tickets, issue cease-and-desist orders and level fines in the millions of dollars for unfair trade activities. In practice, the law would grant the entertainment industry a hammer to smash its competition in the resale market.

But little effort has been made to explain the case for federal involvement in an area in which state enforcement long has proven more than adequate. More than 30 states have scalping laws and 14 states ban the use of bots in ticket purchasing. Furthermore, ticket fraud and other coercive activities are already illegal under criminal law. A federal criminal statute would be both redundant and excessive.

For that matter, the industry appears perfectly capable of handling this issue on its own. Venues and primary ticket sellers can and do recover tickets from individuals who purchase them in violation of the terms and conditions. In 2007, Ticketmaster successfully sued software maker RMG Technologies for $18.2 million over programs designed to circumvent anti-scalping measures. Companies also spend big sums hiring machine-learning experts to outwit the bots. The BOTS Act would shift these enforcement costs to the federal government, and ultimately, to the taxpayers.

There are simpler solutions

Basic economics dictates the easiest way to minimize scalping is either for venues to raise ticket prices or for artists to have many more concerts. The secondary market for tickets exists only because venues and artists routinely underprice and undersupply tickets. If artists truly want their fans to have access to lower ticket prices, they can hold concerts over consecutive nights or schedule them at larger venues. Increasing supply for the most popular concerts will shrink the secondary market.

Country singer Garth Brooks chose to add concerts to cities based on demand. His decision to disrupt the way concerts are scheduled made him the highest-paid country performer in 2016. Ticketmaster has also begun to price tickets based on supply and demand, and holds its own auctions. Major League Baseball instituted dynamic pricing in 2013. The Ultimate Fighting Championship circuit also uses dynamic pricing, making it more difficult for resellers to make a profit. These are much more direct ways to overcome inefficiencies in the ticket market.

The BOTS Act would lock the industry into its current practices, effectively protecting insiders’ business models at the expense of competitors and consumers. Live Nation controls about 85 percent of the primary ticket market. Without competitive pressure from other ticket sellers, secondary markets or customers, the firm has little incentive to improve how tickets are supplied.

Efforts to criminalize bots draw attention away from the larger conversation about how venues misallocate tickets in presales. It also detracts from important policy questions about the role of government in enforcing private companies’ terms and conditions. If Congress is genuinely interested in benefiting fans, it should allow entrepreneurs to find better ways to match consumer preferences and empower fans to choose how tickets are sold.

Anne Hobson is a technology policy fellow at the R Street Institute. Christopher Koopman is a senior research fellow with the Project for the Study of American Capitalism at the Mercatus Center at George Mason University.