# Table of Contents 1. PRINCIPAL AGENT RELATIONSHIPS IN TRUSTED THIRD PARTY APPLICATIONS.....

Dissertation Proposal Methodology

Modeling Trust in Applied Computer Science: A Principal Agent Perspective

Anya Kim Department of Computer Science School of Engineering and Applied Science The George Washington University anya@seas.gwu.edu

Table of Contents

1. PRINCIPAL AGENT RELATIONSHIPS IN TRUSTED THIRD PARTY APPLICATIONS .................... 1 2. THE THEORY: PRINCIPAL AGENT THEORY .......................................................................... 7 3. APPLYING PRINCIPAL AGENT THEORY TO THIRD PARTY KEY MANAGEMENT ..................... 8 4. OBTAINING THE DATA .......................................................................................................16 5. EXPERT OPINION DATA GATHERING APPROACH ................................................................18 6. APPLICATION OF THE HOLSTROM MODEL ..........................................................................20 7. EXAMPLE USE OF THE MODEL ...........................................................................................23 8. CONCLUSION .....................................................................................................................26 REFERENCES .........................................................................................................................28 APPENDIX A. LIST OF KEY RECOVERY AND SOFTWARE ESCROW COMPANIES .......................30 APPENDIX B. SAMPLE SURVEY FOR KEY RECOVERY CENTERS ..............................................31 APPENDIX C. SAMPLE SURVEY FOR SOFTWARE ESCROW COMPANIES ...................................33

i

1. Principal Agent Relationships in Trusted Third Party Applications There are instances in applied computer science where one party provides a service or produces an output on behalf of another party. Of these instances, when there exists a risk-sharing problem between the parties, a principal agent problem arises. Economists, policy makers, and others have for some time considered whether such problems of delegation and loss of control may be better managed through incentives (Ross 1973; Guston 1996). In this research we suggest many cases in applied computer science where principal agent relationships exist, and will attempt to apply previous work in other fields to these computer science problems. For this proposal, we focus particularly on one case (trusted third party key management systems), but other cases will be noted towards the end of this discussion. In third party key management schemes, the principal is the owner of the encryption/decryption key and the agent is the key recovery center. It is the task of the key recovery center to manage the principal’s key and upon request, recover the key to the user. The research will model the relationship between the two or more parties in trusted third party key management systems using a principal agent framework. The model will allow the research to answer the following questions: ? How do the risk attitudes of the parties affect the incentive relationship between the principal and agent(s)? ? When the principal is more risk averse than the agent(s), how is this relationship affected?

1

?

When the principal is less risk averse than the agent(s), how is this relationship affected?

?

When the principal and agent(s) have the same level of risk aversion, how is this relationship affected?

?

In trusted key management systems, what (if any) other factors affect the trust relationship between the 0principal and the user? And how do these factors affect the relationship?

To answer these questions, once the model is formed (see section 2 for a standard model), various values will be used for the parameters of the model (see sections 6 and 7 for an example). The research will examine how changes in these values affect the incentive scheme. By answering these questions, the research proposes to stress the importance of the trust relationship between the principal and agent(s), and identify factors that affect this relationship. It has been stated that “it is very costly to contract out for goods and services with people one does not know well or trust” (Fukuyama 1995). The research attempts to determine the magnitude of this cost and demonstrate ways that trust is increased or decreased through incentives. Although Fukuyama also states that most neoclassical economists’ assumption that human beings are rational utility-maximizing individuals motivated by self-interest is questionable, “people will still act as self-serving individuals long enough for the laws of economics to be a useful guide for making predictions and formulating public policy” (Fukuyama 1995). Therefore, when looking at relationships in a principal agent framework, it is important to remember that the principal agent model

2

does not present us with a complete picture of human nature, but rather serves as a guideline. The research will assume that both the principal and the agent are risk-averse in the trusted third party key management setting. This is due to the fact that the risk attitudes of both parties are a main factor that affects the principal agent relationship. In cases of a risk-neutral principal and/or agent, the risk-neutral party has no preference between a sure thing and a gamble of equal value. Therefore a fixed fee compensation scheme is sufficient. But as the literature has revealed, the principal and agent in key management systems are both risk-averse (Swire 1997). While there is a debate about the usefulness of third party key management systems (Denning and Weitzner 1994; Abelson, Anderson et al. 1998), there are still many legitimate uses for it (Denning 1994; Swire 1997). Given the situation, a strategy is to have the key owner (principal) offer the key recovery center (agent), an incentive scheme that will motivate the key recovery center to provide a level of effort that will suit the key owner. Since there are other services the key recovery center may provide that may offer more competitive returns, the incentive scheme must offer competitive terms in order to induce key recovery centers to accept key management tasks. For example, key recovery centers such as SourceFile and Fort Knox Escrow provide other escrow services as well. While the principal may determine the characteristics of the incentive scheme, it is the key recovery centers that have complete control over the key management process. Thus in considering their respective choice variables, the principal determines the characteristics of the incentive scheme, while the key recovery centers control the key management process.

3

In formalizing this relationship, we want the principal to set the terms of the incentive scheme so as to motivate the key recovery center to apply the ‘optimal’ amount of effort, where ‘optimal’ refers to the level which will maximize the principal’s welfare. There can be two types of principal agent relationships that can exist in trusted third party key management schemes. One is the case of a single-principal, single-agent scheme, and the other is the case of a single-principal, multiple-agent scheme. In the single-principal, single-agent relationship, the principal escrows his keys with only one agent. In the single-principal, multiple-agent scheme, the principal’s key is divided into n pieces, which are then distributed among n agents. In the latter case, the profits to the agent can be divided by the agents in three ways: the output can be divided equally among all agents, it can be divided proportionally in relation to the agent’s level of service (Mookherjee 1984), or based solely on the ‘best’ agent’s output (Levitt 1995). The research will attempt to model both the single-principal single-agent and single-principal multiple-agent relationships, and examine the distribution of risk in both situations. The following sections cover how the research will apply the principal agent framework to trusted third party key management systems. Interestingly, the single-principal, single-agent model to be developed and applied in the research can also be applied with no (or minimal) change to the case of software escrow arrangements between two parties1. In this case, the principal agent relationship is between the owner of the software (principal) and the escrow agent (agent) that provides

1 The model would not be applicable to software escrow cases of a three party agreement. Three party agreements between the licensee, developer and escrow agent may be viewed as two relationships: one between the licensee (principal) and agent, and another between the developer (principal) and agent.

4

escrowing services. In software escrow schemes, vital software is entrusted to an escrow that produces this escrowed copy when the original becomes unavailable due to circumstances similar to those in key management requiring key recovery. In fact, part of the information required in developing the model will be obtained from software escrow companies. Therefore the research need not be limited to trusted third party key management schemes. The research suggests that a principal agent framework may be applicable to any number of applied computer science problems related to the loss of control and balance of risk between two (or more) parties. Examples include the use of Internet search engines, Internet content labeling or filtering software (Boyle 1997; K?hntopp and K?hntopp 1999), and the use of intrusion detection systems (Kaiser 1998). Principal agent relationships may be found in other instances of applied computer science where an agent provides some type of service. Basically any Web site that provides a service to users can serve as an agent from a principal agent perspective. If the service has some risk associated with it and that agent is risk-averse, then there may be a principal agent problem. Of Web sites that provide ‘file sharing’ services, those such as Napster (http://www.napster.com) have recently been brought to attention. Napster acts like a music search engine, maintaining an index of music files kept by other users. One relationship that exists here is between the user who is looking for music files, and Napster that provides the service. Since there are many users sharing Napster’s index, this can be viewed as a multiple-principal single-agent relationship. Currently this service is free, but it has been suggested by interested investors that it collect subscription fees from members, persuade record labels to use the service as a marketing tool, or act as an

5

e-commerce outlet for CDs (Harmon 2000). It would be interesting to see if an incentive model would offer a better solution while assisting in the copyright issues that presently surround Napster.

6

2. The Theory: Principal Agent Theory In this section, the research introduces a mathematical analysis of the principal agent problem. The following is a summary of the principal agent problem, to facilitate reading of subsequent sections. The principal agent problem can be stated mathematically. The mathematical analysis of the principal agent problem in the single-agent case can be stated as follows. This standard principal agent model is provided from Holstrom (Holstrom 1979). Let x= I(x) = m= f(x:m) = agent’s output the payment schedule to the agent the agent’s effort the probability density function of output x. This implies that x is a function of the effort level m G(s) = U(s) = V(m) = E() = K= principal’s utility for income s agent’s utility for income s agent’s disutility for choosing effort level m expected utility agent’s reservation utility (the utility he can get by working elsewhere)

Based on the above assumptions, the principal’s problem becomes maxE(G(s)) =max∫G(x-I(x))f(x:m)dx s.t. E(U-V) = ∫U(I(x))f(x:m)dx – V(m) ≥ K (1) (2)

7

This says that (1) the principal wants to choose I(x) to maximize her expected utility, subject to (2), the agent’s utility must be at least as much as his reservation utility. The following section identifies parameters required in the model, and how they interact in determining the characteristics of the incentive scheme.

3. Applying Principal Agent Theory to Third Party Key Management In the previous section a mathematical analysis of the principal agent model was introduced. Although the actual model may differ in the research, the parameters must first be identified and defined in relation to trusted third party key management systems. This section provides a more detailed description of the parameters introduced in the previous section, and explains how they may be applied when modeling the principal agent relationship in trusted third party key management systems.

The agent’s output x. x is the output that is produced by the service provided by the agent, usually depicted in dollar values. This output is usually shared between the principal and the agent through an incentive scheme. In key management cases, there is no dollar amount output that can be split. Therefore, in modeling trusted third party key management systems, the output should be something that is closely linked to the agent’s effort, and is also easy to monitor. One might think that some measurements that may be used are the principal’s level of satisfaction, the agent’s degree of success, the lifetime of the key, and the value of the data being encrypted. But upon closer examination, the principal’s level of satisfaction is

8

not an appropriate measurement to use. This is because satisfaction has the potential to be subjective. The agent’s degree of success is a binary value: success or failure. Success is the event where the key is managed in a trustworthy and desirable manner and if necessary, can be retrieved by the principal upon request. Failure is any or all of the following cases: the key is lost, destroyed, stolen, damaged, or not produced to the principal when requested. The degree of success is a suitable value, but it is also a discrete variable. The lifetime of a key is not infinite. The lifetime of a key depends on the application and is decided by the policy. Keys that are used to encrypt data files for storage cannot be changed often. These keys need to be kept in a safe location until they are needed (Schneier 1996). If these keys are kept by the third party agent, the lifetime of the keys depend on the management of the third party. Mismanagement of the key will shorten the lifetime of the key, whereas effective management will allow the key to live out its lifetime. Therefore, the length of the key can be thought of as a continuous random variable and an ‘output’ of the third party agent providing the key recovery service. The value of the data being encrypted is a continuous variable, and can be displayed in dollar values. Therefore, for key management purposes, the output will initially be determined as the value of the data being encrypted. As an example, if the data is valued initially at $1000.00 by the principal, and at the end of the contract period, the key to the data has been successfully managed, then the value will remain the same. But if due to bad key management, the data could not be recovered, or was revealed to another party, the value of the data will depreciate. In the research, the actual model may use the lifetime of the key as the agent’s output value rather than the value of the data being encrypted.

9

The agent’s effort m In trusted third party key management schemes, the principal desires that the key recovery center (the agent) take every precaution to safe-keep the principal’s key. These precautions range from having a secure facility, to training and educating personnel. In other words, the agent’s effort level can be the monetary and/or physical effort that the agent puts in to complete the task or provide the service. This level of effort will differ from agent to agent. For example, a company that acts solely as a key recovery facility can be expected to provide a higher level of effort (in terms of facility and equipment), than your next-door neighbor. In this research the level of effort is a stochastic variable, where m is measured in dollars.

The probability density function of x Since x and e are continuous random variables, the probability density function may be represented as that of a gamma random variable. A gamma random variable is a versatile random variable that appears in many applications. For example, it is used to model the time required to service customers in queuing systems, the lifetime of devices and systems in reliability studies, and the defect of clustering behavior in VLSI chips (Leon-Garcia 1994). The probability density function (pdf) of a gamma random variable has two parameters, w > 0 and q > 0, and is given by f(x) = wqx q-1 e-wx/T(q),

where T(q) is the gamma function which is defined by the integral:

10

T(a) = ∫exp(-x)xa-1dx The gamma function has the characteristics that: T(a + 1) = aT(a) for a > 0, and T(a + 1) = a! for nonnegative integer a

E(x) = q/w and Var(x) = q/w2

By varying the parameters w and q, it is possible to fit the gamma pdf to many types of experimental data. Another useful characteristic of the gamma random variable is that many random variables are special cases of the gamma random variable. By letting q = 1, we can obtain the exponential random variable. The exponential random variable arises in the modeling of the lifetime of devices and systems which applies neatly when modeling the lifetime of the key. In such cases the probability density function takes the form of:

f(x) =

0 we-wx

x<0 x>= 0

where E(x) = 1/w and Var(x) = 1/w2

The shape of the distribution is governed by w. w controls the rate of an event having a lifetime of x. The exponential distributions for w = 2, 1, and 0.5 are shown below in Figure 1.

11

Figure 1. Exponential Distributions

f(x) 2 w=2 1.5 1 0.5

w=1 w=0.5 x

0

1

2

3

4

So that when using the lifetime of a key is the (agent’s) output to be modeled, we can use a probability density function of the form: f(x) = (1/m)e-x/m where m is the agent’s level of effort

In that case, expected output is thus assumed to be an increasing function of the agent’s effort.

Compensation Scheme I(x) is the compensation scheme to the agent. Most compensation schemes are linear functions of the output x. For example, the linear form is I(x) = A + Bx, where A is a fixed payment. In the key management case, the incentive scheme should be a function of the value of the data being encrypted. Therefore, the model should give the agent a compensation amount that is more closely tied to the principal’s satisfaction than any dollar value. Once the mathematical model for trusted third party systems is complete,

12

the user will be able to insert values for other parameters (such as agent’s output, and risk-attitude) to obtain a suitable value for A and B.

Utility functions Utilities are different for every person/organization. In other words, no one utility function can be used to model utilities of every entity. Therefore, the research will be using a general utility function that has a risk-aversion parameter. Substituting different values for this parameter will give us the different utility functions we need to analyze the relationship between risk attitudes and incentive schemes. We follow Sutinen (1975) and assume that if risk-averse, an individual has a constant absolute risk aversion utility function. Thus the utility functions will take the form of: G(s) = - Exp(-r1s) U(s) = - Exp(-r2s) The principal’s utility function The agent’s utility function

Where r1 and r2 are the principal’s degree of risk aversion and the agent’s degree of risk aversion, respectively. 0< ri< 1 and the party is more risk averse as ri nears 0 (i = 1,2). The agent’s disutility of effort V(m) is a function of effort and can generally be represented as follows (Adrokovich 1985; Hillburn 1993): V(m) = m2 By giving different values for r1 and r2, we can account for the different risk attitudes of the individuals.

13

Reservation utility K Reservation utility is the utility that the agent can get by working elsewhere. The reservation utility of an agent can vary immensely from agent to agent. Therefore, this value cannot be predetermined prior to modeling. Once the model is defined, then a principal can find out the reservation utility of a particular agent and insert this value into the model. As an example, if SourceFile were the agent in question, the reservation utility would be $2,200 for the first year and $1,000 for every year thereafter (SourceFile http://www.sourcefile.com), which is what the company receives by acting as an escrow company.

Summarizing our discussion up to this point, we recognize that many coefficients have to be specified: the utility functions (2 parameters: r1 and r2), the probability distribution (2 parameters: w and q), the agent’s level of effort m, and the agent’s reservation utility K. It is impossible to substitute specific values for these coefficients, and obtain a tangible value for general cases of trusted third party systems. This is because the nature of the model relies heavily on statistical data and user preference, which varies from agent to agent and principal to principal (Androkovich 1985). Also, incentive schemes are currently not used in trusted third party key management systems so there is no previous data to compare with. Therefore, the product of the dissertation will be the mathematical model as it applies to trusted third party key management systems (for both the single-principal single–agent, and single-principal multiple-agent cases), and a discussion of the relationship between various variables, the risk attitudes of

14

the principal and agent, and the effect the variables and risk attitudes have on the incentive scheme. The coefficients that characterize trusted key management systems fall into one of two categories. The first category is the set of values that are specified and varied by the research. This includes the principal’s and the agent’s absolute degree of risk aversion (r1 and r2), the coefficients which characterize the probability distribution (w and q), and the agent’s reservation utility (K). The second category is those values that are estimated given the information available (through a survey or other mechanism). The reservation utility is such a value. As stated previously, the research will vary the values of the coefficients to obtain values for A and B, the components of the incentive scheme I(x) = A + Bx. The result will be displayed in a tabular format:

Table 1. Sample Table: The Effects of Changes in the Key Variables principal’s risk aversion r1 agent’s risk aversion r2 parameters for the probability

density function

agent’s effort level m

w

q

agent’s reservation utility K

Incentive scheme parameters A B

Various values are displayed here

By varying the values of the coefficients (r1, r2, w, q, m, K) we can examine and discuss how changes in the values affect the parameters (A, B) that define the incentive scheme I(x) = A + Bx between the principal and the agent(s).

15

4. Obtaining the Data The above data can be categorized into two major categories: Relationship and Model. The Relationship category includes factors that characterize the nature of the principal agent relationship (in trusted third party key management systems). The Model category contains elements that are crucial to implementing the principal agent model mathematically. These categories and their factors can be described as follows: Relationship Category: The group of factors that characterize the nature of the principal-agent relationship in trusted third party key management schemes. Factors in this category include: ? The terms of the contract (incentive scheme): Are the terms of the contract negotiated prior to the agent’s efforts or are they determined after the agent performs the service ? Structure of the relationship: Which of the following relationships best characterize the problem to be modeled: Single-agent, single-principal, Multiple-agent, singleprincipal, Single-agent, multiple-principal, or Multiple-agent, multiple-principal ? Information available to the principal: How much information about the agent is available to the principal? Does the principal only know the outcome of the agent’s effort or does the principal possess some information about the agent’s effort? Model Category: The group of factors that affect the mathematical (principal agent) modeling process. ? ? ? The agent’s output x The agent’s effort Agent’s reservation utility

16

? ? ?

The probability density function The utility of the principal The utility of the agent(s)

The above factors are summarized in the following table:

Table 2. Factors and How They Will be Determined Category and Factors Terms of the contract Relationship Category Structure of the relationship Information available to the principal Agent’s output x Agent’s effort m Model Category Agent’s reservation utility K Probability density function Principal’s utility Agent’s utility * * * Specified and varied by the research * * * * * * Estimated from results of survey

As can be seen in Table 2, some of the above factors will be specified (and their values varied) by the research. To make the model as accurate as possible, some factors will be estimated through the use of an expert opinion survey. The main items to be determined through the experts are the reservation utility of the agent and the agent’s level of effort.

17

5. Expert Opinion Data Gathering Approach Participants of the survey will be the third party key managers (key recovery centers), because they have the information and knowledge necessary to complete the survey. Initial sources may include companies and/or organizations that provide third party key management services (more accurately, the personnel in the department that provides this service), companies that provide similar services such as software escrow, and companies that provide key recovery technology. Companies that produce key recovery technologies will be asked for a list of key recovery centers that support the company’s technology to obtain a longer list of key recovery centers. These sources will be obtained from a literature review. A good source of key management systems can be found at D. Denning’s “The Cryptography Project” available online at http://www.cosc.georgetown.edu/~denning/crypto/index.html (Denning and Branstad 1996). Particularly, “A Taxonomy for Key Recovery Encryption Systems” (http://www.cs.georgetown.edu/~denning/crypto/taxonomy.html) from the site, lists numerous key recovery schemes. Also, the fact that key recovery services are similar to software escrow services, and the fact that major key recovery centers started out as software escrow companies suggests including software escrow companies as participants of the study. An initial search of key recovery centers and software escrow companies produced a list of companies that are shown in Appendix A. The research expects to have 10-20 companies participate in the survey. Since the survey is estimated to be fairly short, it will be sent via email. Initially, the selected participants will be

18

contacted via phone and asked to participate in the survey2. Once permission is granted, an email message containing the survey information will be sent out to the participants. Participants will be given two weeks to respond and return the survey. After the two weeks, any participant that has not returned the survey will be contacted and given an additional week to finish the survey. Sample survey forms can be found in Appendix B and Appendix C. Appendix B survey is for key recovery centers, and Appendix C survey which is very similar to Appendix B, is for software escrow companies.

2

The companies listed in Appendix A have already been contacted by telephone and permission has been

granted for participation in the survey.

19

6. Application of the Holstrom Model In this section, we will use the Holstrom (1979) principal agent model given in a previous section (Section 2), and insert the parameters defined above to obtain an optimal incentive scheme. In the next section we will take the equations obtained here, and insert values for the parameters to examine the relationship and incentive scheme between the principal and agent. (Note: The resulting model may not look exactly like the model given in the first section, so the following results may not be identical to that of the finished research.) Recall from previous sections that: The probability density function is defined as: f(x) = wqx q-1 e-wx/T(q) (w and q are parameters), where T(q) is the gamma function which is defined by the integral: T(a) = ∫exp(-x)xa-1dx The utility functions are defined as: G(s) = - Exp(-r1s) U(s) = - Exp(-r2s) The principal’s utility function The agent’s utility function

Where r1 and r2 are the principal’s degree of risk aversion and the agent’s degree of risk aversion, respectively. V(m) = m2 The agent’s disutility function

Also recall that the principal wants to maximize her utility: maxE(G) = max∫G(x-I(x))f(x:m)dx (1)

subject to the constraint that the agent’s utility is at least as much as his reservation utility:

20

E(U-V) = ∫U(I(x))f(x:m)dx – V(m) ≥ K

(2)

Assume a linear incentive scheme of the form I(x) = A + Bx where A and B are constant real parameters of the incentive scheme.

Step 1: The first step is to solve for the principal: maxE(G(x-I(x)) = maxE(G(x-A-Bx) Substitution of the incentive scheme into (1)

The first order condition for a maximum is given by E(G’(x-A-Bx)(1-B)) = 0 ó (1-B)E(G’(x-A-Bx)) = 0 Since G(x-A-Bx) = -exp(r1A – r1 (1-B)x) = -e r1Ae- r1 (1-B)x, G’ (x-A-Bx) = r1(1-B)e r1Ae- r1 (1-B)x Substituting (4) into equation (3), we would get: r1(1-B)2e r1AE(e- r1 (1-B)x) = 0 Let Y be a function of x, g(x), where Y = g(x) = (e- r1 (1-B)x). Then, E(Y) = ∫g(x)f(x:e)dx Substituting (6) into (5) gives: r1(1-B)2e r1A∫g(x)f(x:e)dx = 0 The integral part of the above equation can be solved as follows: ∫g(x)f(x:e)dx = ∫ e- r1 (1-B)xwqx q-1 e-wx/T(q)dx = (wq/T(q)) ∫ e- (r1 (1-B) + w)xx q-1 dx Let t = (r1(1-B) + w)x, then dt = (r1(1-B) + w)dx Then substituting (9) into (8) gives: (wq/T(q))(1/(r1(1-B) + w) ∫ e- tt q-1 dt

21

(3)

(4)

(5)

(6)

(7)

(8) (9)

By definition, ∫ e- tt q-1 dt = T(q), therefore E(Y) = ∫g(x)f(x:e)dx = wq/(r1(1-B) + w) Substituting (10) into (7) gives: E’ (G) = r1(1-B)2e r1A wq/(r1(1-B) + w) = 0 (11) (10)

The next step is to ensure that the agent receives a compensation that is at least as much as his reservation utility. Step 2: Solve for the agent’s reservation utility E(U-V) = ∫U(I(x))f(x:e)dx – V(m) ≥ K The integral portion of (12) can be solved as follows: ∫U(I(x))f(x:e)dx = ∫-exp(-r2(A+Bx)) wqx q-1 e-wx/T(q)dx = (-wqe-r2A/T(q)) ∫exp(-r2Bx - wx)x q-1 dx Let t = (r2B + w)x, then dt = (r2B + w)dx Substituting (14) into (13) gives: (-wqe-r2A/T(q))(1/(r2B + w)) ∫exp(-t) tq-1 dt By definition, ∫ e- tt q-1 dt = T(q), therefore ∫U(I(x))f(x:e)dx = (-wqe-r2A/(r2B + w)) Substituting (15) into (12) gives: E(U-V) = -wqe-r2A/(r2B + w)– V(m) ≥ K Since the disutility function is defined as V(m) = m2, E(U-V) = -wqe-r2A/(r2B + w)– m2 ≥ K (16) (15) (13) (14) (12)

By supplying values for r1, r2, w, q, m and K, we can obtain values for A and B.

22

7. Example Use of the Model In this section, we will apply the result of the incentive scheme to an imaginary key recovery center. The example will insert various values for the given coefficients, and discuss how the changes affect the principal agent relationship. Assume that Alice wishes to escrow her encryption/decryption keys with Acme Key Recovery Center. Acme has a reservation utility K of $2200. The data that is encrypted with this key is valued at $5000 at the beginning of the escrow period. Assume that the key recovery center’s output x is determined by the value of Alice’s data after the end of the contract period. Then x can be assumed to be in the range of 0 and 5000 dollars. Alice wants to offer a linear incentive scheme of the form I(x) = A + Bx. If she used the model in the previous section, she could substitute the parameters in equations (11) and (16) for values such as those in Table 3 to see the resulting incentive scheme for each case. In Table 3, the values for A and B are obtained by substituting values for coefficients r1, r2, w, q, m, and K into equations (11) and (16).

Table 3. Table of Parameters principal’s risk aversion case r1 1 0.01 2 0.09 3 0.09 4 0.01 agent’s risk aversion r2 0.09 0.01 0.01 0.09 parameters for the probability

density function

w 1 1 1 1

q 2 2 2 2

agent’s effort level m 1000 1000 500 1000

agent’s reservation utility K 2200 2200 2200 1850

Incentive scheme parameters A B 154 1 1382 1 139 1 154 1

23

For all cases we assume that w = 1 and q = 2. These two parameters define the probability density function. For these values, the probability density function takes the form of that shown in Figure 2.

Figure 2. Probability Density Function of the Gamma Random Variable f(x)

w=1, q=2

0.5

x 0 1 2 3 4

In case 1, Alice is assumed to be more risk averse than Acme (since r1 < r2). As mentioned above, Acme is assumed to have a reservation utility (K) of $2,200. Assuming that Acme gives an effort (m) of $1000, then A and B are given from equations (9) and (14). In other words, the incentive scheme would take the form I(x) = 154 + x. When the data is initially valued at $5,000, the above model will give a high reward for a good effort of key management $(154 + 5000), whereas if the agent is delinquent and the key management task results in total loss of value of the data (i.e. x = 0), the agent will be punished by receiving only a very small value of $154.

24

Now let us examine case 2. Previously, the values for r1 and r2 were rather risk averse values with the principal being more risk averse than the agent. Now assume the opposite: Acme is more risk averse than Alice. In case 2, all other values are identical to case 1 except for the risk aversion parameters. The risk aversion values for Alice and Acme are switched so that Acme has a more risk averse attitude. The result is that the incentive scheme is much more steeper: I(x) = 1382 +x. This shows us that the risk attitudes of the principal and agent affect the incentive scheme in a significant manner. It also shows that for risk-averse agents, a stronger incentive is required. Now we will examine the effects of effort. In case 3, all other values are equal to case 1, except for the level of effort which is only half the effort of case 1. The result is an incentive scheme of I(x) = 139 + x. In other words, although all other conditions are equal for case 1 and case 3, if Acme were to only put in half the effort, the reward the agent were to receive would not be as high as in case 1. Lastly, suppose Alice wanted to compare the incentive requirements of Acme to another key recovery center, StrongHold Company. Assume that the StrongHold company had a reservation utility of $1,8503. All other things being equal to case 1 (both Acme and StrongHold have identical risk attitudes, and put in the same amount of effort), the resulting incentive scheme is I(x) = 154 + x. In other words, the difference in reservation utilities has no effect on the incentives in this case. Of course, these cases may not be realistic, due to the fact that the actual model to be used in the research for key management systems is not yet derived (we used a standard

3

This value was obtained from Fort Know Escrow (http://www.fortknoxescrow.com)

25

principal agent model to obtain the above results). But it does give an idea of how principal agent theory can be applied to third party key management systems. The above examples show imaginary, yet specific cases that the model is applied to. In fact, if the model were to define the agent’s output as the lifetime of the key, we would substitute w = (1/m) for the probability density function for an exponential distribution. Thus, it is possible to construct numerous examples of optimal compensation schemes by changes in the probability density function. But actually a more important use of the model is to test it against various parameters to examine the relationship between these factors and the incentives required to persuade the agent(s) to act on the principal’s behalf. It will also show how trust between the principal and agent(s) can be better obtained through the use of incentives. The model will then serve as a guideline for parties wanting to use incentives in trusted third party key management systems.

8. Conclusion The purpose of the research is to suggest the use of incentives to increase trust and balance risk in applied computer science. We have illustrated this mainly by looking in some detail at trusted third party key management systems. We will apply a principal agent framework to computer science applications, focusing on third party key management systems, and from this model identify factors that affect the relationship and incentive structure between the principal and agent(s). It will also examine and discuss how these factors affect the relationship, and the incentive scheme. However, the dissertation will not limit itself to key management.

26

Since key recovery schemes and software escrow schemes share a very similar principal agent relationship, the results of the research may apply directly to software escrow schemes as well. The parameters required for developing the model and their values are almost identical in both cases. Therefore the results obtained from the model may well be able to explain incentive effects in software escrow schemes as well. If the model developed by the research does not fit well with that for software escrow, a model for software escrow can be developed separately. The research will also include a chapter that discusses further applications in which principal agent theory can be applied, such as Internet content control, and Napster-like services. In conclusion, the research will identify various areas in applied computer science in which a principal agent relationship exists. Of these areas, the research will develop a model for trusted third party key management systems, and examine the effects that various factors in the model have on the principal agent relationship. It will also try to model some of the relationships in the areas identified in the research.

27

References

Abelson, H., R. Anderson, et al. (1998). The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption. Adrokovich, R. A. (1985). The Impact of Risk on Contract Structure in a Principal-Agent Model: An Application to the Alberta Sugar Beet Industry. Department of Agriculture. London, Ontario, University of Western Ontario. Boyle, J. (1997). Foucault in Cyberspace. June 19 2000. http://www.wcl.american.edu/pub/faculty/boyle/foucault.htm. Denning, D. (1994). Encryption and Law Enforcement. http://www.cpsr.org. Denning, D. E. and D. K. Branstad (1996). “A Taxonomy for Key Escrow Encryption Systems.” Communications of the ACM Vol. 39(no. 3 (March)): 34-40. Denning, D. E. and D. J. Weitzner (1994). “Clipper Controversy.” Computer World v28 no. 30 (July 25, 1994): 105-106. FortKnoxEscrow (http://www.fortknoxescrow.com). Fort Knox Escrow Services - Fee Schedule. June 2 2000. http://www.fortknoxescrow.com/feesched.htm. Fukuyama, F. (1995). Trust: The Social Virtues and the Creation of Prosperity. New York, NY, Free Press Papaerbacks. Guston, D. H. (1996). “Principal-agent Theory and the Structure of Science Policy.” Science and Public Policy 23(4): 229-240. Harmon, A. (2000). Powerful Music Software has Industry Worried. New York Times. Hillburn, C. L. (1993). A Theoretical and Financial Analysis of Pork Production Contracts. Economics. Ames, Iowa State University.: 156.

28

Holstrom, B. (1979). “Moral Hazard and Observability.” Bell Journal of Economics 10: 74-91. Kaiser, J. (1998). Policing the Computer Underworld. Science. 282: 1223. K?hntopp, K. and M. K?hntopp (1999). Why Internet Content Rating and Selection Doesn't Work. June 19 2000. http://www.koehntopp.de/kris/artikel/rating_does_not_work/. Leon-Garcia, A. (1994). Probability and random Processing for Electrical Engineering. Reading, Massachusetts, Addison-Wesley. Levitt, S. D. (1995). “Optimal Incentive Schemes When Only the Agents' 'Best' Output Matters to the Principal.” Rand Journal of Economics 26(4): 744-760. Mookherjee, D. (1984). “Optimal Incentive Schemes with Many Agents.” Review of Economic Studies 51: 433-446. Ross, S. A. (1973). “The Economic Theory of Agency: The Principal's Problem.” The American Economic Review 63(2): 134-139. Schneier, B. (1996). Applied Cryptography. New York, John Wiley and Sons. SourceFile (http://www.sourcefile.com). SourceFile 2000 Fees. May 8 2000. http://www.sourcefile.com/services/prices.html. Swire, P. (1997). The Uses and Limits of Financial Cryptography: A Law Professor'sPerspective. Proceedings of Financial Cryptography '97, SpringerVerlag.

29

Appendix A. List of Key Recovery and Software Escrow Companies

Company Name SourceFile? FortKnox Escrow? Data Securities Int’l Lincoln Parry SoftEscrow EscrowTech Int’l Inc. Vital Records, Inc. DataSafe Inc. Nat’l Software Escrow Inc. Software Escrow Corp.

Company URL http://www.sourcefile.com http://www.fortknoxescrow.com http://www.dsiescrow.com http://www.softescrow.com/ http://www.escrowtech.com http://www.vitalrecords.com http://www.datasafeinc.com/ http://www.nationalsoftwareescrow.com/ http://www.softwareescrowcorp.com

Contact Info 800-237-2769 800-875-5669 800-962-0652 303-595 0065 801-572-9415 908-369-6900 503-620-3423 440-546-9750 904-249-4240

?

Key recovery service providers; all other companies are software escrow companies.

30

Appendix B. Sample Survey for Key Recovery Centers

INTRODUCTION Thank you for participating in this survey of trusted third party key management centers. This survey was developed as part of a research effort to examine the current relationship between the key owner and the key recovery center in trusted third party key management systems. The research will examine the relationship in terms of a principal agent framework. The results of this survey are to be used in the modeling of this relationship.

Please complete the following information: DATE: PARTICIPANT INFORMATION Your Name: Phone: E-mail: COMPANY INFORMATION Company Name: Company Address: City: Country: State: Zip Code:

31

ASSESSMENT OF PRINCIPAL AGENT FACTORS IN TRUSTED THIRD PARTY KEY MANAGEMENT SYSTEMS Please assign a monetary value to the effort required in terms of key management: (Effort includes the following two factors: Initialization and Maintenance)

If you or your company (organization) currently provides key recovery services, what is the pricing scheme for these services?

If you or your company (organization) currently provide key management services, what other service does your company provide that is of similar effort to you?

Do you receive payment for this similar service? If so, please specify the amount.

COMMENTS Please include any comments or questions regarding the survey.

Please send completed forms via email to anya@seas.gwu.edu. THANK YOU!

This survey is part of a dissertation research entitled “Modeling Trust in Applied Computer Science: A Principal Agent Perspective”.

32

Appendix C. Sample Survey for Software Escrow Companies

INTRODUCTION Thank you for participating in this survey of third party management schemes. This survey was developed as part of a research effort to examine the current relationship between the key owner and the key recovery center in trusted third party key management systems from a principal agent perspective. The third party services your company provides as a software escrow company are similar to those of a trusted third party key management system. The results of this survey are to be used in the modeling of this relationship.

Please complete the following information: DATE: PARTICIPANT INFORMATION Your Name: Phone: E-mail: COMPANY INFORMATION Company Name: Company Address: City: Country: State: Zip Code:

33

ASSESSMENT OF PRINCIPAL AGENT FACTORS IN TRUSTED THIRD PARTY MANAGEMENT SYSTEMS (SOFTWARE ESCROW SYSTEMS) Besides software escrow services, does your company provide key recovery services as well? (Key recovery services provide recovery of the decryption/encryption key to the owner of that key when necessary)

Please assign a monetary value to the effort required in terms of software management: (Effort includes the following two factors: Initialization and Maintenance)

If you or your company (organization) currently provides software escrow services, what is the pricing scheme for these services?

COMMENTS Please include any comments or questions regarding the survey.

Please send completed forms via email to anya@seas.gwu.edu. THANK YOU!

This survey is part of a dissertation research entitled “Modeling Trust in Applied Computer Science: A Principal Agent Perspective”.

34