Illinois Public Law and Legal Theory Research Papers
Research Paper No. 07-12
November 6, 2007
Analyzing Information Technology & Societal Interactions:
A Policy Focused Theoretical Framework
Rajiv C. Shah*
Jay P. Kesan**
*Adjunct Assistant Professor
Department of Communications, University of Illinois-Chicago
**Professor and Director, Program in Intellectual Property and Technology Law
Mildred Van Voorhis Jones Faculty Scholar
University of Illinois College of Law
This paper can be downloaded without charge from the Social Science Research Network
Electronic Paper Collection:
Information technologies affect a variety of fundamental societal concerns, such
as privacy and free speech. Policymakers currently analyze each societal concern as sui
generis, ignoring commonalities among IT issues. This paper develops a comprehensive
descriptive framework to address a variety of IT policy problems. The Information
Technology and Societal Interactions (ITSI) framework theorizes how information
technology develops, evolves, and influences society. This framework ties together
several existing theoretical concepts, while translating them into a practical framework
that policymakers can apply to real problems. The framework is illustrated by analyzing
wireless security issues.
The article seeks to move beyond Lessig’s work by providing a clearer and more
comprehensive view of how IT interacts with society. An urgent need has arisen for this
type of theoretical framework. Unlike other fields, a compelling theoretical approach
within IT law and policy does not exist. As a result, each policy issue is treated as unique
and policymakers overlook commonalities. This occurs because the existing theoretical
approaches, such as structuration and actor-network theory (ANT), fail to provide
applicable models for addressing concrete problems.
ITSI is inspired by structuration and ANT, but is tailored to the theoretical and
practical needs for analyzing the interactions between IT and society. ITSI focuses on
four main relationships within ITSI. These relations are: (1) how technology affects
individuals, (2) how individuals reconfigure technology, (3) how developers shape
technology, and (4) how society, in mass, can intervene and alter how technology
operates. ITSI builds upon a large corpus of descriptive and normative scholarship by
computer scientists, sociologists, communications scholars, and legal scholars. The
contribution here does not define a new set of relationships between society and
information technology, but explicates existing relationships and develops a descriptive
framework that provides analytical insights.
This article illustrates ITSI through an analysis of security issues involved in
wireless technology. The analysis found that consumers are not provided with simple
and effective security because of the increased reliance on user configuration. ITSI led to
this finding; it would not have emerged using conventional policy analysis. ITSI also
provides solutions to this problem. Instead of looking toward users to improve security,
policymakers should look to manufacturers to develop APs that are “secure by design.”
The analysis ends by pointing out a number of strategies to influence manufacturers to
improve the design of wireless APs.
Analyzing Information Technology & Societal Interactions: A Policy Focused
Rajiv C. Shah & Jay P. Kesan
Author Contact Information:
Rajiv C. Shah
Adjunct Assistant Professor
Department of Communications
University of Illinois-Chicago
Jay P. Kesan, Ph.D., J.D.
Professor & Director, Program in Intellectual Property & Technology Law
Mildred Van Voorhis Jones Faculty Scholar
University of Illinois College of Law
134 Law Building, 504 Pennsylvania Avenue
Champaign, IL 61820
Information technologies affect a variety of fundamental societal concerns, such as
privacy and free speech. Policymakers currently analyze each societal concern as sui generis,
ignoring commonalities among IT issues. This article develops a comprehensive descriptive
framework to address a variety of IT policy problems. The Information Technology and Societal
Interactions (ITSI) framework theorizes how information technology develops, evolves, and
influences society. This framework ties together several existing theoretical concepts while
translating them into a practical framework that policymakers can apply to real problems. The
framework is illustrated by analyzing wireless security issues.
Analyzing Information Technology & Societal Interactions: A Policy Focused
Legal scholars have recognized the design of information technologies as central to
public policy debates. Most notably, Lawrence Lessig argues that fundamental societal concerns
such as privacy, accessibility, freedom of speech, and intellectual property protection are
intertwined with the hardware and software of information technologies (IT) (1999). These
concerns are far from theoretical and reverberate in technologies such as computer operating
systems, web browser cookies, printer cartridges, and even passports. Braman argues that
communications law and policy need to address how these technologies affect social welfare
(2003). This article addresses the increasingly influential intersection of IT and law by
developing a theoretical framework for understanding IT’s impact on societal concerns.
This article presents a theoretical model, IT & Societal Interactions (ITSI), which
provides a framework for analyzing and addressing public policy issues concerning IT. The goal
is to move beyond Lessig’s work by providing a clearer and more comprehensive view of how IT
interacts with society. An urgent need has arisen for this type of theoretical framework. Unlike
other fields, a compelling theoretical approach within IT law and policy does not exist. As a
result, each policy issue is approached as sui generis. Thus, policymakers overlook
commonalities among issues concerning IT, because the existing theoretical approaches, such as
structuration and actor-network theory, fail to provide applicable models for addressing concrete
The framework presented here considers the reciprocity between IT and society in a
policy context. It highlights critical actors and relationships that influence how society designs
and uses IT. ITSI is an applied theoretical model that allows us to move from problem to
solution through clearly delineated steps that account for the multifarious forces and relations
involved in IT’s development and use. The model is constructed to arrive at normative solutions
to real-world problems. ITSI is not intended to replace existing scholarly theoretical approaches,
such as structuration and actor-network theory, but, instead, complement them by translating
their high level concepts for use in policy analysis. In doing so, our framework avoids reducing
notions of causality, the process of technological development, and its social consequences to
binaries (Lievrouw and Boczkowski 2006). Our goal is pragmatic and our approach follows
Walsham’s suggestion on focusing on the interesting issues for why IT has developed in ways
contrary to social concerns and how it can be remedied (1993). Ultimately, ITSI provides
scholars and policymakers with analytical tools to understand better the relations between
technology and society.
ITSI is not a regulatory theory per se. We do not try to advocate a particular method of
regulation or argue criteria for regulating technologies. Instead, our focus is to sharpen the use
of regulatory strategies around technology. We believe policymakers can make better decisions
if they understand how technology is developed, used, and shaped. We should acknowledge that
at many junctures, both an ITSI and conventional policy analysis might suggest the same policy
goals. This does not diminish the value of ITSI. An ITSI analysis still provides more useful
insights into how IT operates as well as a broader perspective on how IT develops and responds
The first section of the article reviews several theoretical approaches for studying the role
of IT: Lessig’s model of IT and society, Gidden’s theory of structuration, and technologies
studies’ Actor-Network Theory (ANT). It highlights the strengths and limitations of these
approaches and their inability to provide more than a partial picture of the relationship between
IT and society. The next section provides background on ITSI, and then focuses on the four
main relationships within ITSI. These relations are (1) how technology affects individuals, (2)
how individuals reconfigure technology, (3) how developers shape technology, and (4) how
society, in mass, can intervene and alter how technology operates. We rely on the term
“technology” to refer to IT. In the third section, we use ITSI to analyze wireless security issues.
This application illustrates how ITSI can address a policy issue that conventional approaches
have overlooked. This section ends with a brief discussion of how ITSI can provide insights into
other technology and policy issues as well. The final section discusses the implications of ITSI
for communications law and policy.
Theoretical Approaches for Studying the Role of Information Technology
Scholars and policymakers have recently recognized how technology influences, perhaps
adversely, social concerns, such as security, privacy, and free speech. While much has been
written on the impact of technology, little has been written on how policymakers can harness
technology to positively influence social welfare. As a starting point, we map how that influence
is understood by reviewing three influential approaches for analyzing technology. The first
approach arose within legal studies and focuses on how technology affects society. It is Lessig’s
model of “what things regulate.” The other two approaches, information systems research use of
“structuration” and “Actor-Network Theory” (ANT) from science and technology studies, share
a common understanding about how people act and interact. They offer important insights into
understanding how IT affects society. These approaches arose out of the social construction
theory of technology, which argues that human action shapes technology (Pinch and Bijker
Other useful paradigms for examining technological developments or the influence of
technology on society have appeared, including “diffusion of innovation,” a theory about how
new breakthroughs disseminate through society (Rogers 2003). However, we choose to focus on
three most influential theoretical approaches from a policy perspective. After evaluating each
approach individually, the final section discusses their limitations for policymakers.
Lessig’s What Things Regulate
First, Lessig’s model of “what things regulate” (1999) offers a descriptive model of how
software and hardware, collectively termed code, act as a regulatory mechanism on human
behavior. Many scholars have looked to this model not only as a tool for understanding code,
but also as a way to address issues surrounding it. Lessig constructs his model by considering an
individual and the various influences on his or her choices and behavior. This individual may be
regulated by the dot in Figure 1. By “regulate” Lessig refers, not to a legal definition, but to the
ways technology influences individuals. This is also how we use the term throughout this article.
Using a simple example of smoking, he asks what factors affect the decision to smoke. He
considers the impact of legislation surrounding where people can smoke, the costs of cigarettes,
the technology of unfiltered cigarettes, and how the habits of other people affect an individual’s
decision to smoke. This leads him to argue that there are four regulators or constraints on
behavior—the law, social norms, the market, and architecture.
Figure 1. Lessig's Model of quot;What Things Regulatequot;
The model’s strength is its simplicity. Three of the regulators Lessig chose—law, social
norms, and the market—are well recognized in the legal academy. Law is considered the
method of formal governance. Social norms, on the other hand, are typically defined as informal
methods of regulation. This area has received increased attention within the legal academy as
scholars recognize that people do things for reasons beyond its legality or illegality (McAdams
1997; Posner 1996). The law and economics movement within the legal academy has
highlighted the role of the market, economics, and pricing structures on regulating behavior
Although Lessig’s model clearly grows out of key areas within legal studies, several
problems emerge in his model if we consider how code affects public policy issues. Murray and
Scott (2002) argue that Lessig’s model requires additional regulators (2002). However, that is
inconsequent, because a problem arises within the model itself: it oversimplifies how people are
regulated. The regulatory forces that Lessig chooses are not monolithic. Many times conflicting
laws, social norms, and market forces influence a decision. Consider the issue of file sharing.
The legality of this practice depends on who you are, what the file contains, and where you are
located. This means that the law is both pushing and pulling in Lessig’s model. Hosein,
Tsiavos, and Whitley echo this criticism of Lessig’s model; they argue that architecture “cannot
really be separated from the other modalities neither does it make any sense without them”
(2003). Wagner maintains that code is often a complement to law instead of a direct substitute
(2005). In addition, most critics point out that what is missing in Lessig’s model is the near
impossibility of distinguishing each force. We also notice that Lessig’s model fails to answer
process-oriented questions. Where does technology or architecture come from? Why does it
favor particular values? Why is technology sometimes malleable and sometimes durable?
Despite these drawbacks, the model’s simplicity foregrounds the role of IT in communications
Scholars in information systems are applying Giddens’s structuration theory to IT.
Giddens’s work attempts to overcome the traditional dichotomy in sociology between structure
and agency. Traditionally, sociologists have argued that individuals are either determined by
social structures, e.g., race, class, or gender, or that these social structures only exist in the minds
of people, thus granting people immense agency. Giddens tried to overcome these two opposing
schools in his structuration theory by allowing for reciprocity between structure and agency.
Giddens argues that structure consists of the rules and resources that individuals create through
practices and routines (1984). According to his model, a duality emerges as structure constrains
action, but simultaneously, action serves to maintain and modify structure.
Structuration has become one of the most influential theoretical paradigms in information
systems research (Poole and DeSanctis 2004; Jones, Orlikosiki, and Munir 2004; Jones 1997).
Several notable approaches for applying structuration to IT have appeared. Orlikowski
developed a structuration model of technology to investigate the relationship between humans
shaping technology and technology shaping human action in an organizational context (1992;
2000). DeSanctis and Poole (1994) argue for an “adaptive structuration theory,” which focuses
on how structural features in IT influence the organization of society and, likewise, how society
influences the organization of IT (DeSanctis and Poole 1994). Finally, Samarajiva and Shields
use concepts from structuration to develop a normative concept of space for IT (1997).
Structuration offers several useful insights for studying the complicated interaction
between technology and society. It recognizes the role of users, context, and technology, while
considering institutional factors. It acknowledges that technology both enables and constrains
users. These insights move considerably beyond existing theoretical accounts that are either
technologically or socially deterministic.
Nonetheless, several drawbacks emerge when using structuration to examine policy
issues with IT (Rose, Jones, and Truex 2005). The first is whether structuration can adequately
theorize technology. Orlikowski argues in her structurational theory of technology that social
rules can be embedded in IT during its design (1992). However, the idea that structures can be
embodied in artifacts is problematic. According to Giddens, structures cannot be embodied in
artifacts, since they only have a virtual reality and are “traces in the mind” that are substantiated
through actions and practices. Orlikowski’s later work recognizes this problem and uses a
“practice lens” perspective, where technology structures are seen as “virtual, emerging from
people’s repeated and situated interaction with particular technologies” (2000, p. 407). All the
same, critics argue that structuration should focus on human action and not technology (Jones
1997). Furthermore, structuration offers a limited understanding of the relationship between
society and technology. It does not allow us to examine the relationship between people and
technology beyond the recognition that technology both enables and constrains us. Parsons
acknowledges these limitations in his case study on cable television (1989). While structuration
provided a better understanding of the dynamics of using cable television, it was incapable of
addressing how power and values are embedded or found in the use of technology. This problem
leads Monteiro and Hanseth to argue that structuration simply does not provide a nuanced
analysis of the interaction between individuals and technology that would inform the design of
A third theoretical direction for understanding IT comes from the larger discipline of
technology studies (Lievrouw 2002; Howcroft, Mitev, and Wilson 2004). Actor-Network
Theory (ANT) examines the interactions between technology and individuals (Law 1992). It
begins with the observation that the material world is a significant part of our lives and less
distinguishable than it may appear. In fact, ANT places the material and the social on equal
footing to explain the role of technology (Callon 1986; Latour 1987, 1999). This approach has
found traction for understanding how IT affects society (Tatnall 2003; Monteiro 2000; Walsham
and Sahay 1999; Monteiro 1998; Klischewski 2002; Vidgen and McMaster 1995).
ANT begins by using the term “actor” to refer to both humans and artifacts. ANT
considers both the human and the technical as capable of acting and being acted upon. It urges
us to treat these symmetrically and to consider seriously artifacts as actors. In short, actor-
networks are a set of interactions between humans and artifacts. ANT views these relationships
as dynamic and constantly changing. Or as Law puts it, “social structure is not a noun but a
verb” (1992). ANT analyzes these networks and describes how they operate. ANT’s
contribution is that it examines technologies by looking at the micro to explain the macro. In
doing so, it has developed richly nuanced concepts for studying technologies, such as blackbox,
artifacts, networks, reconfiguration, enrollment, and translation. This emphasis on materiality
creates a contrast between ANT and other theories that typically focus on the role of humans. As
a result, it is one of leading methodological approaches for examining technology.
ANT has its critics (Monteiro 2004; McLean and Hassard 2004; Collins and Yearley
1992; Howcroft, Mitev, and Wilson 2004). The criticisms include treating humans and artifacts
as symmetrical, its value-neutral stance, and goal directness. Two significant issues emerge
when using ANT to examine public policy issues with IT. First, ANT has a tendency to neglect
macro-social structures, such as institutions. This is not accidental; ANT’s analytical approach is
to dissect rather than explain through macro-scale structures. It prefers to focus on micro
processes over large-scale macro processes. Second, ANT is a descriptive theory and provides
little analytical and normative guidance (Collins and Yearley 1992). Specifically, it does not
provide a general framework for studying how technology operates. Every technology,
therefore, must be studied anew. This provides policymakers with little guidance for how
technology should be shaped to foster social goals. Nevertheless, several concepts from ANT
are useful and emerge in the ITSI framework.
Limitations of Existing Approaches
All three of these approaches provide an entry point for considering the relationship
between IT and policy. However, they all suffer serious limitations in trying to explain the
interactions between IT and society. Moreover, a significant limitation for both structuration and
ANT arise, because the high level concepts found in these theories do not allow simple
translation for the nuts and bolts problems faced by policymakers. In other words, these existing
theoretical approaches do not address problems related to IT. As an example, consider legal
scholars’ approach for addressing online privacy (Rotenberg 2001) or the approach of computer
scientists (Clarke 1999). They do not rely on ANT or structuration, but instead employ
principles of fair information practices. Moreover, this also holds true for new technologies that
implicate privacy, such as RFID (Floerkemeier, Schneider, and Langheinrich 2005), Web
browsers (Martin et al. 2001), and online personal data (Schwartz 2000). Policymakers do not
rely on Lessig’s theory or structuration or ANT. Online privacy offers a clear and compelling
example of how sophisticated theoretical approaches fail to provide policymakers with
applicable frameworks for addressing social concerns.
Policymakers need a systematic way for thinking through online policy issues. While
extending existing approaches is understandable, it is also necessary to recognize that
information technology has unique attributes. As an example, many scholars have shown that
technology is not neutral, but is political and malleable (Friedman 1997; Winner 1980). It was
precisely these biases that Lessig highlights with the title of his book, Code and the Other Laws
of Cyberspace (1999). These factors lead us to develop a more complete descriptive framework
that will enable policymakers to make decisions about IT that will promote social welfare.
Framework for Analyzing IT & Society Interactions
Our goal is to describe how IT affects society from a public policy perspective. The
framework for analyzing IT and Society Interactions is termed ITSI throughout this article. ITSI
is not a replacement for high-level theories such as structuration or ANT. Instead, our goal is
more akin to operationalizing these theories for policymakers. ITSI also lends itself to a more
general analysis of IT policy problems. Our approach also differs from most policy literature,
which analyzes a specific policy proposal, such as privacy or intellectual property rights.
Instead, our framework focuses on the role of IT in general in order to understand various IT
concerns from privacy to intellectual property rights.
ITSI involves a multi-step analysis that accounts for the various motives, choices, and
even accidents implicated in technology operations. It entails thinking through and evaluating
policy decisions to solve social welfare issues. ITSI first identifies a series of relationships that
influence IT use. By focusing on influential relationships, we can better evaluate where to
establish change. Each relation presents questions that lead us to analytical and normative
In this section, we explain the framework piece by piece. This approach provides a better
sense of our reliance on existing scholarship, as we develop a more comprehensive analysis of
the relation between IT and society. We begin by identifying four actors: technology, users,
developers, and society. We then analyze the four significant relationships they constitute as
they regulate, reconfigure, shape, and develop IT. This is not an exhaustive list, nor do we imply
that other actors or relationships are not relevant or important. Instead, we are trying to assist
and guide public policy with a framework that is by necessity reductive.
Technology Regulating Users
Technology acts as a mediator to constrain or facilitate certain types of actions. In short,
technology regulates. This statement, while deterministic, is often how people view technology.
For example, the technology of a pencil, fountain pen, and word processor simultaneously
facilitates and constrains certain actions when it comes to composing, editing, and saving our
writings. As a result, technology can affect our cognition, culture, socio-structure, and laws. An
exemplar of this view can be found Eisenstein’s argument that the printing press led to the
emergence of a “print culture” that transformed not merely how people communicate but the
underlying structure of consciousness, social interaction, and power (Eisenstein 1997). Figure 2
shows schematically how IT affects or regulates users. Scholars within media ecology (Innis
1951; McLuhan 1964; Meyrowitz 1994), computer-mediated communication (Haythornthwaite,
Wellman, and Garton 1998; Daft and Lengel 1984), and cultural studies (Nakamura 2000; Kolko
2000) have all recognized the ability of IT to affect individuals and society even as individuals
seemingly develop and manipulate IT.
Figure 2. Technology Regulating
Complications arise because the interactions between technology and society are not
neutral but biased and political. This idea is long standing in technology studies and the
philosophy of technology (Winner 1980; Feenberg 1991). A classic exposition is Winner’s
analysis of the bridges over the parkways of Long Island (1980). These bridges appear to have a
strictly utilitarian purpose. However, the height of these bridges is quite low, as short as nine
feet. Winner argues that these bridges were designed to prevent buses from passing underneath
them. This serves to exclude poor people, who rely on public transportation to access Long
Island. Thus, the seemingly neutral bridge design is in reality a method of social engineering to
achieve class or racial exclusion. While the historical accuracy of this account has been
challenged (Joerges 1999), it still stands as a powerful, illustrative example. Other empirical
studies have illustrated biases in IT, such as the internet and search engines (Friedman 1997;
Introna and Nissenbaum 2000; Flanagan, Farinola, and Metzger 2000).
It is not enough to declare technology political. To understand how the design of IT
affects users, it is necessary to have a technical understanding of its workings. Here we follow
ANT’s methodology, which urges scholars to consider technology as an actor and how it
“configures the user” (Woolgar 1991). This means examining the biases inscribed in the design
of technology (Akrich 1992). Monteiro and Hanseth suggest analyzing “which anticipations of
use are envisioned,” “how are they inscribed,” and “how powerful are the inscriptions, that is,
how much effort does it take to oppose an inscription” (1995). A study on electronic traffic data
shows the value of this approach. Escudero-Pascual and Hosein argue that traffic data from the
Internet means something very different than traffic data from the telephone system (2004).
After all, information on Web sites and terms entered into search engines can be much more
revealing than the phone numbers we call. The authors arrived at this conclusion, because they
fully appreciated the technical differences between the Internet and the telephone.
The ability of IT to shape user behavior has led policymakers to ask whether they ought
to use technological means as an alternative to regulation or to supplement it. The issue is
complicated and underdeveloped from a scholarly perspective. Nevertheless, developers often
use technology to meet their needs. For example, to improve security, Microsoft switched the
default settings to turn on its firewall when it updated Windows XP. This example shows how
IT could be used proactively to ensure social welfare.
Users Reconfiguring Technology
While the emphasis on using technology to regulate can be seen as deterministic,
reconfiguration seeks to balance this paradigm by recognizing users’ agency in addressing social
concerns. The notion of agency is a core concept in sociology and is present in leading theories
of IT (Rose, Jones, and Truex 2005). Individuals play a crucial role in how technology regulates.
Any analysis needs to consider a situated analysis of IT (Suchman 1987), which emphasizes how
users interact and reconfigure technology. After all, it is well recognized nowadays that the
design and use of technologies often shape each other in a recursive process. This relationship is
illustrated in Figure 3.
Figure 3. Reconfiguring Technology
To analyze how users interact with IT, we ask two basic questions: How do users act and
how do they respond? For analytical discussion purposes, we discuss each separately. First, it is
important to analyze how people use technology. Scholars have shown how local meanings,
organizational constraints, and institutional forces can be as meaningful as the rules embedded in
IT (Suchman 1987; Kling and Iacono 1988). As a result, sometimes individuals do not always
use the technology as intended by developers. The history of IT is full of examples of
unanticipated uses, such as the personal use of the telephone by women (Fischer 1992). Even
though developers have inscribed the technology, it does not mean the technology will be used in
that manner. Orikowski synthesizes past research on this topic by recognizing that “through
error (misperception, lack of understanding, slippage) or intent (sabotage, inertia, innovation),
users often ignore, alter, or work around the inscribed technological properties” (Orlikowski
2000, 409). This perspective allows us to treat technology as less monolithic.
Individuals also alter technology in multifarious ways. Individuals may respond by
reconfiguring the material properties of the technology. This process involves individuals
adding or modifying a technology and, therefore, shaping it to fit their needs and interests. This
can be as simple as turning on the v-chip feature or the closed captioning feature on televisions.
The ability of an individual to reconfigure a technology partly depends upon the technology’s
durability. There are two ways technologies can be made more durable and hence more resistant
to reconfiguration. First, technologies become more durable when switching or changing
technologies requires a considerable investment in hardware and software otherwise known in
economics as “switching costs,” where the cost of switching to a new technology outweighs the
cost of keeping the current one (Shapiro and Varian 1999). The second means of maintaining
durability, “path dependence,” refers to how technologies become durable from a lock-in effect
that arises from “random” historical events (Arthur 1989; David 1985). In this way a
technology, such as the QWERTY keyboard layout, becomes durable and irreversible because of
events during its development.
The ability of users to reconfigure technologies has widespread normative implications
beyond inefficiencies that may result from switching costs or path dependence. Shah and Kesan
argue that certain governance characteristics of IT that can be manipulated either by users or
developers influence individuals (2003). Some of the characteristics include default settings,
transparency in user interfaces and code, and the use of standards. Policymakers can modify
“governance characteristics” or ensure that individuals are able to modify technology to enhance
social welfare. For example, software privacy controls may be difficult to configure. To
promote privacy, developers could be required to have privacy controls enabled as a default
setting. This would protect a user’s privacy, while also allowing individuals the freedom to opt-
out by reconfiguring the default setting. The manipulation of these governance characteristics
could also be used in conjunction with traditional regulatory methods such as law.
Developers Influence on IT
By starting with IT and user’s impact on one another, we assume IT design as set. Yet
the development stage has obvious and immediate impacts upon IT. Scholars have long studied
how technologies are developed to understand why they operate in a particular fashion. While
the relationship among developers, users, and IT shown in Figure 4 is quite obvious, it highlights
several fundamental points. Developers consist of numerous social actors that play a crucial part
in guiding and shaping IT; they are also responsible for biases inscribed in technology.
Nonetheless, developers do not exist in a vacuum. The figure also illustrates how developers are
embedded and influenced by a web of forces, such as social, economic, political, institutional,
Figure 4. Developing IT
The development process shapes the non-neutrality of technology, although not always
purposively. Both structuration and ANT consider this process. From the structuration
perspective, developers build certain “interpretive schemes (rules reflecting knowledge of the
work being automated), certain facilities (resources to accomplish that work), and certain norms
(rules that define the execution of the work)” into technology (Orlikowski 1992, 410). ANT
scholars hold that the inscription process, which is simultaneous with the development process,
is how beliefs, tastes, competences, motives, aspirations, values, biases, and political prejudices
are embodied by the artifact (Akrich 1992). The inscription process gives technologies a “script”
that prescribes user actions (Latour 1992). For example, a speed bump’s script encourages
drivers to slow down.
Developers may use scripts as a means to influence user behavior. This strategy does not
always result in desired outcomes. Verbeek points out that even though developers set scripts, it
is the users that decide how to interpret and appropriate them (2006). As we acknowledge, users
can respond and reconfigure technologies. Nevertheless, Verbeek argues that designers have a
normative responsibility to make sure artifacts act in a prescribed manner (2005). Another
normative approach, Value Sensitive Design, focuses on accounting for values, particularly those
with a moral import, during the development process (Friedman, Kahn, and Borning 2006), such
as privacy (Camp, Shankar, and Connelly Forthcoming).
Institutional forces also lead to systematic regularities in technology’s biases.
“Institutions” is a way of referring to groups of organized social actors with common social rules
and continued interactions with society (Avgerou 2002). This definition is compatible with work
in sociology on new institutionalism theory (Powell and DiMaggio 1991) and work in economics
on the role of institutions (North 1990). The idea here is that within a certain institution, there
are a set of values, norms, procedures, laws, beliefs, and taken-for-granted assumptions that are
related to their raison d’étre. These shared rules and interactions may lead to certain tendencies
in the development of IT.
The institutional approach has a long history of explaining how firms and government
influenced the development of technology (Savage 1989; Mansell 1993; Edwards 1996;
Samarajiva and Shields 1997). More recent scholarship on IT considers other influential
institutions, such as universities, standards organizations, consortia, and the amateur-led open
source movement (Shah and Kesan 2005; Cargill 1989; Schmidt and Werle 1998). This work
shows how institutional norms and processes can influence the final attributes of the technology
it produces. For example, institutional tendencies may favor certain technical values, such as
open standards or low defect code, or more socially-oriented values, such as the appropriate level
of intellectual property protection or privacy protection for technology. Consequently, the same
technology may have developed differently within different institutions. Policymakers can use
these institutional tendencies to assess technologies as well as a way to shape technology to
favoring or promoting developing in specific institutions.
While our discussion has focused on institutional forces, this does not mean other forces
are irrelevant. We focused on institutional factors, because policymakers continue to undervalue
them. Additionally, other institutional factors, like politics or economics, can also serve as a
normative tool for developing IT. For example, policymakers could steer development toward
an institution that favors particular social or technical attributes. We discuss this issue later in the
following section, but it derives from our recognition of institutional tendencies and the
assumption that institutional norms and processes are stable.
Society Shaping Technology
Along with regulating, reconfiguring, and developing, we also focus on how individuals
collectively react and influence the development of technology. The ability of society to
influence the development process is widely recognized by a number of disciplines, including
communications, social movements, and regulation. Examples of these influences within
communications include movements led by citizens concerning radio broadcasting policy
(McChesney 1993), the public support for the v-chip legislation (Lieberman 1996), and public
calls for regulating telemarketing or spam. This relationship goes beyond individual users to a
collective approach to IT. “Society” therefore appears in Figure 5 as an off-shoot of users to
complete ITSI framework.
Figure 5. Shaping IT
There are many points through which society can pressure developers to change
technology. They include harnessing various forces, such as social, economic, political,
institutional, and regulatory. Many of these methods can be employed without government
intervention, such as the use of market forces, self-regulation, public pressure, and the work of
public interest groups. These methods have a long history of influencing the development of IT.
Sometimes, though, government intervention is required. After all government has and will
continue to play a role in shaping the development of technology, most notably in the research
and development of computer networks such as the Internet. Government has a wide variety of
regulatory methods, such as command and control, incentives, and market-harnessing controls
(Breyer 1982; Baldwin and Cave 1999; Kesan and Shah 2005). For instance, television
manufacturers have responded to consumer desires for larger televisions by producing larger
televisions. Their decision reflects market forces. In contrast, the government had to force
television manufacturers to incorporate digital television tuners with a regulation (Balanced
Budget Act 1997).
Society can also use institutional norms and processes to shape the development process.
While institutional norms and processes are generally stable, they do change over time.
Consequently, these shifts make it possible to influence the process. The movement over the last
thirty years from an emphasis on standard developing organizations to consortia (a legally
constructed institution) serves as an example of the shifts within the institutional settings of the
IT industry (Cargill 2001).
A normative approach to shaping technology can be found under the rubric of
constructive technology assessment or normative engineering (Schot and Rip 1997). This
literature attempts to understand how technology is shaped from a normative aspect. While we
believe that in some circumstances society ought to act to shape technology, it is also necessary
to recognize the unpredictability of technological development. This led us to Berg’s cautionary
point to expect continual shifts and small movements when influencing technology positively
(1998). While the relation between society and IT adds a new dimension to our framework, it is
just one branch of a complicated structure. We now turn to an overview of the model.
The ITSI framework defines technology as material artifacts, such as the hardware and
software of IT. This narrow definition is useful, because it allows us to frame the use of
technology as an interaction between individuals and technology, while also considering how IT
can be socially constructed. The narrow definition grants ITSI a wider applicability to examine
how IT affects a variety of societal concerns, such as privacy, freedom of speech, accessibility,
or intellectual property protection.
The directionality of the arrows in ITSI (Figure 5) emphasizes key relationships between
society and IT from a policy perspective. The framework is tightly tailored to address policy
concerns, and does not address all the possible relationships among developers, individuals, and
technology. For example, an arrow could have been drawn from technology to developers.
After all, new information technologies have significant implications on developers, such as
government (Fountain 2001) and firms (Shapiro and Varian 1999). However, ITSI concerns
how IT affects our experiences and choices in a public policy context, not the evolution of IT.
As a result, these other relationships are omitted to keep ITSI as simple as possible. Similarly,
we could have included a bubble around users, as we did for developers, to indicate various
forces that affect them, such as institutional, social, regulatory, economic, and so on, but instead
we emphasize only the critical relationships for understanding the interactions between society
and IT from a policy perspective. In contrast, we emphasize the situatedness of developers,
because it allows us to understand how technologies are biased and how society can shape IT
To delineate the contribution of ITSI, Tables 1 through 3 provide a summary of various
aspects of ITSI. We consider three chronological stages starting with developing, moving to
regulating and reconfiguring (which we collapse into one stage), and ending with shaping. Table
1 provides the key questions ITSI poses within each of the three stages. These questions are
asked when using ITSI to analyze an issue. Each relationship elicits a set of questions that aid us
in identifying where problems emerge and their impact on users. Starting with developers, we
ask about the factors and institutional norms that influence the design of technology. We then
ask how IT affects users and identify user responses to it. In terms of shaping, we consider how
to enact possible solutions.
Developing IT IT Regulating / Shaping IT
1. What crucial factors 1. How does the 1. Can we encourage
influenced this particular design of IT affect developers to fix the
version of IT? users? problem themselves?
2. How have various 2. How do users act / 2. How best can
organizations/institutions respond? government (or other
influenced the organizations)
Table 1. Significant questions ITSI asks
Table 2 contains a summary of the main analytical points that arise from ITSI. Each of
the relationships involves a set of presuppositions. Our framework maintains that during
development, biases are inscribed in the design of the technology. Moreover, institutional norms
and processes foster what biases are inscribed. Yet one must have a broad perspective on the
development process to identify what biases emerge, because many organizations have a stake in
the design. As for users, the framework operates from the point of view that IT influences
human actions. At the same time, individuals have agency; they can modify, reconfigure, and
misuse technology. Furthermore, one must understand how IT operates at the technical level to
identify these processes. ITSI considers society as capable of implementing solutions, because
individuals, in mass, can influence developers through the market, direct appeals, or even by
advocating government regulations. What is more, society can influence IT through institutional
norms and processes, as identified in the development stage.
Developing IT IT Regulating/ Shaping IT
1. Biases can be 1. IT influences human 1. Individuals and
inscribed during the action society can react and
development process 2. To understand influence developers
2. Institutional norms inscriptions, we need to 2. Many tools
and processes can understand the IT at a available from the
result in systematic technical level market to government
regularities in biases 3. Individuals have agency regulation
3. Consider a wide a. Consider how they use or 3. Shape IT by
scope of misuse IT modifying
organizations and b. They can modify or institutional norms
institutions that reconfigure IT depending and processes
influence upon its durability
Table 2. Analytical insights from ITSI
ITSI does not merely identify influence biases inscribed in IT, but offers a means of
arriving at normative insights into the design of IT. Examples of normative proposals are
highlighted in Table 3 and discussed in the relevant part of the framework. Each of the
relationships offers an entry point to modify IT and its uses. In the development stage,
developers could alter the design of IT or one could rely on institutional norms and processes.
Once users and technology interact, policymakers need to understand the IT involved at a
technical level. Then they can establish certain governance characteristics or force developers to
make the technology easier to reconfigure, thereby reducing its durability and lock-in effect.
Lastly, policymakers could shape IT to promote social welfare. The next section applies all of
the information provided in three tables to a case study.
Developing IT IT Regulating / Shaping IT
1. Design IT 1. Policy scholars need to 1. Policymakers
differently, e.g., value seriously consider / ought to shape IT to
sensitive design understand the IT societal ends
2. Utilize institutional 2. Manipulate governance
norms and how characteristics
processes influence 3. Make technologies easier
IT to reconfigure by reducing
Table 3. Normative Insights That Flow From ITSI
Applying ITSI to Wireless Technology
This section illustrates ITSI as a workable approach for policy issues. We use ITSI to
analyze security issues that arise with the use of wireless technologies. We chose wireless
security because it has been largely ignored in policy debates. Although people concede that
wireless security is important, no policy changes have been suggested. In contrast, an ITSI
analysis highlights several critical security issues involved with wireless technology and offers
suggestions for improving wireless security. The analysis in this section is based on the four
distinct relationships identified by ITSI: IT regulating users, users reconfiguring IT, society
shaping IT, and developers influence on IT use. Additionally, we consider normative proposals
for improving wireless security based on extant scholarship. The data is derived from our own
research, existing scholarly research, and secondary sources.
Background on Wireless Security
This case study examines wireless security commonly known as 802.11b or Wi-Fi. This
technology emerged in the late 1990s and is now widely used by consumers for wireless
networking (Bar and Galperin 2004; Ohrtman and Roeder 2003). The IEEE (Institute of
Electrical and Electronics Engineers) developed the 802.11b standard and a nonprofit trade
organization, the Wi-Fi Alliance, certifies products to ensure interoperability on various
computers and networks. Interoperability lowers the entry barrier for new manufacturers of Wi-
Fi technologies and ensures consumers are not locked into devices from one manufacturer.
Currently, the Wi-Fi Alliance includes over 200 member companies and has certified over 2,000
Security was a concern during the development of the 802.11b standard. It was
understood that an unsecured wireless connection could allow unauthorized parties to eavesdrop
on communication, masquerade as an unauthorized user, modify network traffic, and even
consume network bandwidth (U.S. General Accounting Office 2005). To prevent such
unauthorized use, the 802.11b standard includes a protocol known as Wired Equivalent Privacy
(WEP). The purpose of WEP is to encrypt wireless communication, thus preventing
unauthorized users from eavesdropping or using a network. In 2001, a group of researchers from
the University of California at Berkeley presented a paper on WEP’s flaws (Borisov, Goldberg,
and Wagner 2001). In response, the Wi-Fi Alliance created an interim specification, Wi-Fi
Protected Access (WPA), to address these security problems (Ohrtman and Roeder 2003). The
IEEE eventually developed a revised standard, which is known as WPA2 in 2005. Since 2006,
all devices seeking Wi-Fi certification must comply with WPA2.
Despite the widespread use of wireless and the sensitivity of the data accessed through it,
wireless security has not become a significant public policy issue. Leading public interest
groups involved in IT issues, such as the Electronic Frontier Foundation, Center for Democracy
and Technology, and the Electronic Privacy Information Center, have not pushed for any policy
initiatives for wireless security. The attitude prevails that this is an end user’s responsibility.
This perspective holds end users responsible for securing their wireless access points (AP),
whether the user is the government, a firm, or an individual. Despite this consensus that the user
should establish his or her wireless security, our use of ITSI finds that policy intervention can
better serve societal welfare.
ITSI Analysis of Wireless Technology
Regulating Technology / Reconfiguring Technology
We have already established the reciprocal influence between individuals and
technology. Using ITSI, we now apply this knowledge to understand how individuals have been
affected by wireless security and the steps they have (not) taken to protect themselves. The first
step is to consider how the design of IT affects users. In this case, we have research that shows
how default settings in Wi-Fi access points (APs) affect its use and misuse. APs are a common
consumer technology for creating wireless networks inside homes and businesses. APs create a
wireless network and are typically connected to other wireless clients (e.g., a laptop) and a router
(which is sometimes built in) for Internet connectivity. A wireless network creates security risks,
because the AP broadcasts to everyone within its range.
Shah and Sandvig analyzed the data from hundreds of thousands of APs to understand
how people configure their APs (2005). They found defaults programmed into APs to be
extremely influential. Half of the users never changed any of the three default settings that
influence security. One particular default setting was the use of WEP security technology. WEP
encrypts communication and prevents casual snooping. WEP encryption is widely
recommended as a necessary step for properly configuring an AP. The majority of
manufacturers turn off WEP by default, resulting in only about 28% using encryption. In
contrast, 2Wire, a broadband service provider, turns on WEP by default leading to 96% usage for
encryption. This contrast between 28% and 96% illustrates the power of default settings for
establishing user settings.
To better understand wireless security, we examined the setup procedures for several
popular APs. Our analyses included access points from Linksys, Netgear, Belkin, D-Link, and
Microsoft. We found differences among the defaults for encryption, the ease of setup, and
requirements for changing passwords and network information. These differences at the
technical level can influence how people configure their AP and, consequently, their level of
wireless security. As we later argue, this research led us to believe that wireless manufacturers
could easily change several settings that would greatly improve wireless security. Default
settings establish most users’ configurations. Manufacturers, therefore, should base defaults on
ITSI also focuses on the role of users and their use of technology. The predominate view
is that correct configuration is the responsibility of end users; this view is supported by a variety
of groups including the government (National Institute of Standards and Technology 2002; US-
CERT 2005), manufacturers (Intel 2005; Linksys 2005), and the media (Karagiannis 2003)
(Lasky et al. 2004). They urge users to configure their wireless APs “properly” without asking
why it is necessary for users to reconfigure their wireless APs. In fact, all advice for setting up a
wireless AP recommends that users configure WEP encryption. Despite the fact that
manufacturers set many defaults in anticipation of user preferences, they neglect to choose
While the burden has been placed on users to reconfigure their APs, research on wireless
use clearly shows that users are deferring to defaults. This behavior suggests a number of
possible normative solutions. The first is to regulate manufacturers by demanding that they set
the default to protect users. APs should be designed as “secure by default.” The second is to
encourage reconfigurability by lowering the APs’ durability. This essentially focuses on making
it easier for the user to change the APs settings. Educating users and improving user interfaces
can help achieve this goal. However, lowering durability follows the broken approach of relying
on users to reconfigure their APs. Because defaults carry such significant power, policymakers
should ensure these defaults are set to foster security.
Developing Wireless Technology
The ITSI analysis examines the development process with an emphasis on how various
IT characteristics were shaped as well as the influence of institutions. In the case of wireless
technology, ITSI asks why manufacturers neglect to ensure user security in the first place. In the
previous section, we noted that defaults play a crucial role in determining levels of wireless
security. The analysis should then consider how these defaults were inscribed into AP and the
factors influencing this process.
This history of wireless security has shown that manufacturers have not emphasized
security. For example, manufacturers were slow to incorporate WEP into their products (Gast
2002). Instead, they relied on MAC address filtering, which is useful for preventing
unauthorized access, but does not prevent eavesdropping. Moreover, manufacturers have viewed
security as an option for consumers and not something that is mandatory or even suggested.
After all, almost all manufacturers design their products to turn off WEP by default (Schiesel
2005). This default setting suggests to users that WEP is not necessary or important.
Manufacturers explain that they do not set the default for encryption, because of the high
costs associated with technical support. Configuring wireless devices for WEP usage is not easy
and, if done improperly, can result in no wireless connectivity. According to Linksys, 70% of its
support calls are related to “initial installation and configuration” (Kistner 2004). Moreover,
customer satisfaction falls when a user needs to make two or more service calls. Currently, to
avoid configuration confusion and customer dissatisfaction, Linksys turns off WEP by default.
If Linksys turned on WEP by default, they would expect even more support calls from
customers. This explains why virtually all manufacturers turn off WEP and leave customers
with poor security.
Besides manufacturers, another important developmental force for securing users’
information is the IEEE and Wi-Fi Alliance. Both organizations have worked toward improving
the security of wireless technologies through the development of WEP, WPA, and WPA2.
Therefore, security is in their members’ interest. However, they have not focused on developing
secure technologies that users can easily and transparently utilize. For example, consider the use
of hexadecimal passwords for WEP encryption (e.g., a password in hexadecimal format is
5c23a4ab7b) (Potter and Fleck 2003). Only an engineer could appreciate this approach! This
bias emerges because the IEEE and the Wi-Fi Alliance respond to their members and not end-
users in general.
Universities have also played an important role in identifying security flaws in existing
standards and wireless technologies. For example, research documenting the problems with
WEP encryption was done at the University of California at Berkeley (Borisov, Goldberg, and
Wagner 2001). This work (and other follow up work) was crucial in illustrating wireless security
flaws. Their interest in wireless security arises from its novelty and the impact of identifying
The ITSI analysis shows that in the area of wireless security, several forms of
institutional actors, including firms, consortia, and universities, have attempted to correct flaws.
This array of institutions is not the result of natural equilibrium. It is the result of several
different interests coming together to focus on security issues. After all, there are many other
technologies under development, such as digital rights management or radio-frequency
identification, which do not have that same degree of cooperation among various institutions.
The history of multiple actors affecting the development of wireless has normative
consequences. Policymakers have many actors they can push or prod to help improve wireless
security. While the possibility of redesigning such a mature technology is not likely, it is
possible to reconfigure slightly the technical characteristics to improve security. One way of
doing so is to rely on institutional norms as a rough proxy to predict what these actors may do.
In this case, firms focus on selling wireless APs, and therefore they may not focus on security
issues if they are too costly and not demanded by their customers. Consortia, on the other hand,
are driven by their members’ interest and may favor solutions that are in the interest of their
members, but not the general public. As an interested party, universities may be limited, because
they have scarce resources. As wireless technologies mature, university researchers may have
less incentive to study the security issues involved in an “old” technology. In the next section,
we take up these institutional tendencies and discuss how society can strategically utilize them to
foster more secure wireless technology.
Society Shaping Wireless Security
The ITSI analysis suggests that security can be improved if manufacturers redesigned
their wireless technologies. ITSI recognizes that society can react to technologies by prompting
developers to remove, modify, and create new versions of technologies. After all, the
development of technology is influenced by society. ITSI suggests that policymakers consider
how to improve wireless security by influencing developers, because left in the hands of users,
security problems have not been addressed. ITSI does not provide normative guidance; for that,
policymakers need to look to the existing literature in regulatory theory as applied to IT.
The typical way to influence manufacturers is through the market. However, it is clear at
this juncture that a status quo approach of relying on market forces will not improve wireless
security. If the market cannot address the security concerns, one must look toward other
methods such as cajoling firms and informing consumers about the security issues. Making
customers aware of these threats can stimulate public interest and lead advocacy groups and the
government to enter the debate. Policymakers should, in fact, foster this debate. There is every
reason to believe that the attention and pressure from congressional hearings and reports from
public interest groups can influence manufacturers to develop APs that are “secure by default.”
This activity will lead customers to demand more security as well as highlight potential
regulatory costs to manufacturers.
A final recourse for influencing wireless technologies is government involvement.
Currently, government funding of university research aids to identify wireless’s security flaws.
Other ways government can influence development include fiscal measures, such as using
government’s procurement power to favor secure wireless technologies. Government could also
expand liability to hold wireless AP manufacturers accountable for the costs of security.
Discussion has already arisen for identifying liability more generally when addressing lax
security in computing systems (National Research Council 2002). However, the point of this
article is not to address the multitude of ways government can change the incentives of
manufacturers. Instead, our goal is to show how an ITSI analysis can provide insights for
addressing public policy issues.
Applying ITSI to Other Problems
ITSI is useful for analyzing a wide range of scenarios beyond wireless security. ITSI has
been used to analyze a number of other technologies and policy issues, such as RFID technology,
cookies, digital rights management, and open standards policies. This section briefly discusses
the effects on social welfare that ITSI has identified in two other technologies: Radio Frequency
Identification (RFID) technology and Digital Rights Management (DRM) technology.
In the case of RFID, ITSI is a marked improvement over the existing theoretical
approach, the principles of Fair Information Practices (FIP). ITSI provides developers with
useable possibilities for addressing RFID privacy. For example, ITSI recognizes that designers
are capable of incorporating privacy into the design. Designers can provide users with the ability
to control or reconfigure RFID tags. This could be accomplished in many ways, from modifying
the information contained in a tag to removing or destroying the tag. While this suggestion may
seem obvious, ITSI provides a framework for finding solutions that other approaches miss.
An ITSI analysis of DRM technologies also offers several ideas for improving its use.
For example, DRM technologies are almost entirely a creation of firms. Our analysis suggests
this is because DRM technology is thought of as a proprietary solution and therefore a winner-
take-all marketplace. To combat this problem, policymakers should fund efforts to make DRM
technology less proprietary and more standardized. If they followed this suggestion, more
vendors would jointly participate in a useful version of DRM. The government could also fund
university research, which thus far has not played a large role.
ITSI also considers how DRM’s internal dynamics may impede social welfare. Our
analysis of a very popular DRM technology, Apple Inc.’s Fairplay that protects music copyright,
shows that its popularity stems from its perceived transparency to the user. This is unlike other
DRM technology that users dislike because of overly strict restrictions, e.g, Sony. Fairplay acts
as most users would expect. Users are not continually trying to reconfigure the technology, in
which it would be very difficult for DRM to succeed. Nevertheless, users have difficulty trying
to reconfigure some aspects of Apple’s Fairplay. Our analysis describes these limitations and
provides suggestions to improve the technology.
ITSI provides a systematic way for thinking about how technology affects society. It
considers how technology develops, how people use technology, and how society can influence
the development of technology. This section discusses the implications of these relationships
and how ITSI advances our theoretical understanding of technology.
First, ITSI is useful for policymakers, who have had little guidance into how to approach
these issues. As we pointed out earlier, the current theoretical perspectives for analyzing
technology are not used by policymakers. ITSI can be applied by policymakers seeking insights
into contemporary policy issues. It can also help identify key actors and processes that influence
how IT affects society. In the case of wireless security, the ITSI analysis found flaws with the
status quo by analyzing the issue at the individual level. Individuals are not capable of
reconfiguring wireless AP. This insight would not have been identified using other approaches,
such as an economic model. After all, this problem is not evident using standard economic
criteria, such as cost and market failure. Moreover, ITSI suggests a solution: redesigning APs.
Conversely, conventional approaches would look to regulation. Its adeptness with technology is
why ITSI is useful for analyzing policy issues.
Second, ITSI builds upon existing theoretical paradigms. In doing so, it avoids creating
simplistic binary oppositions for understanding how society and IT interact (Lievrouw and
Boczkowski 2006). ITSI is largely based on sophisticated scholarly analysis of IT within
structuration and actor-network theory and their rejection of simple deterministic relationships.
Concepts such as biases in IT, reconfiguration, and shaping are not novel. The novelty is
bringing these concepts together into a systematic descriptive framework for understanding IT in
a policy context. By doing this, we can see how these concepts aid analysis of policy issues as
well as guide policy solutions. As an example, consider how reconfiguration may be more
appropriate than regulation in certain circumstances. In the case of RFID tags, a tracking device
that relies on radio frequencies, the new favored approach is to focus on ensuring RFID tags are
reconfigurable by end users rather than passing new regulations (Baard 2006; Consumers
Against Supermarket Privacy Invasion and Numbering 2003). With multiple actors, forces, and
relations influencing the use of IT, we require a theoretical approach that understands it in
Third, ITSI is a theoretical advance over existing approaches because of its emphasis on
IT. Technology is as an integral part of the framework. Unlike many other approaches where
technology is an afterthought and bolted onto an existing theoretical paradigm, this model allows
ITSI to be applied to a variety of social issues. For example, privacy issues are analyzed through
the principles of Fair Information Practice, while free speech issues are analyzed on First
Amendment grounds. Instead, ITSI focuses on the common denominator of technology. The
advantage is that ITSI is capable of analyzing issues that lack an existing theoretical foundation,
such as universal accessibility. However, as ITSI emphasizes, to understand technology, we
need to consider how it is situated with respect to users and developers. In other words,
technology must be analyzed within context.
Fourth, the ITSI framework offers new insights into how IT interacts with society. Some
specific examples include the role of institutions, governance characteristics, and the importance
of defining how society influences the development of technology. These roles were considered
while analyzing wireless security. The norms of firms, consortia, and universities led them to
emphasize different values in the development process. The analysis of wireless technology also
suggested a normative proposal that relied on modifying the governance characteristic of
defaults. This policy move would encourage manufacturers to design their APs to be “secure by
default.” After all, if users are unable to reconfigure their APs, then ITSI suggests that we work
with the other half of the relationship, how technology regulates, by modifying defaults.
This article provides a systematic descriptive framework for analyzing how IT affects
public policy issues. The ITSI framework is inspired by existing theory such as structuration and
ANT, but is tailored to the theoretical and practical needs for analyzing the interactions between
IT and society. Specifically, ITSI considers the development of IT, how IT regulates individuals
while also recognizing that individuals can reconfigure IT, and finally, how society can intervene
and influence the development of IT. The ITSI framework builds upon a large corpus of
descriptive and normative scholarship by computer scientists, sociologists, communications
scholars, and legal scholars. The contribution here does not define a new set of relationships
between society and information technology, rather, it explicates existing relationships, and in
the process, develops a descriptive framework that provides analytical insights.
This article illustrates ITSI through an analysis of security issues involved in wireless
technology. The analysis found that consumers are not provided with simple and effective
security because of the increased reliance on user configuration. ITSI led to this finding; it
would not have emerged using conventional policy analysis. ITSI also provided solutions to this
problem. Instead of looking toward users to improve security, policymakers should look to
manufacturers to develop APs that are “secure by design.” The analysis ended by pointing out a
number of strategies to influence manufacturers to improve the design of wireless APs.
ITSI improves the ability of scholars and policymakers to analyze a variety of policy
issues concerning IT. Going forward, we believe some of the concepts highlighted by ITSI, such
as the role of institutions, reconfiguration, and governance characteristics, will be fruitful grist
for scholars. At the very least, ITSI provides scholars and policymakers with a starting point for
how IT affects society from a policy perspective.
Akrich, Madeleine. 1992. The De-Scription of Technical Objects. In Shaping
Technology/Building Society, edited by W. E. Bijker and J. Law. Cambridge: MIT Press.
Arthur, W. Brian. 1989. Competing Technologies, Increasing Returns and Lock-in by Historical
Events. Economic Journal 99:106-131.
Avgerou, Chrisanthi. 2002. Information Systems and Global Diversity. Oxford: Oxford
Baard, Mark. 2006. Retail-Safe RFID Unveiled. Wired, May 2.
Balanced Budget Act.
Baldwin, Robert, and Martin Cave. 1999. Understanding Regulation. Oxford: Oxford University
Bar, Francois, and Hernan Galperin. 2004. Building the Wireless Internet Infrastructure: From
Cordless Ethernet Archipelagos to Wireless Grids. Communications & Strategies 54
Berg, Marc. 1998. The Politics of Technology: On Bringing Social Theory into Technological
Design. Science, Technology, & Human Values 23 (4):456-490.
Borisov, Nikita, Ian Goldberg, and David Wagner. 2001. Intercepting Mobile Communications:
The Insecurity of 802.11. Paper read at Seventh Annual International Conference on
Mobile Computing and Networking.
Braman, Sandra. 2003. The Long View. In Communication Researchers and Policy-Making,
edited by S. Braman. Cambridge, MA: MIT Press.
Breyer, Stephen. 1982. Regulation and Its Reform. Cambridge: Harvard University Press.
Callon, Michel. 1986. Some elements of a sociology of translation: Domestication of the scallops
and the fishermen of St Brieucâe Bay. In Power, action and belief, edited by J. Law.
Camp, Jean, Kalpana Shankar, and Kay Connelly. Forthcoming. Systematic Design for Privacy
Cargill, Carl. 1989. Information Technology Standardization: Theory, Process, and
Organization: Digital Press.
Cargill, Carl F. The Role of Consortia Standards in Federal Government Procurements in the
Information Technology Sector: Towards a Re-Definition of a Voluntary Consensus
Standards Organization, June 28 2001 [cited. Available from
Clarke, Roger. 1999. Internet Privacy Concerns the Case for Intervention Communications of the
ACM 42 (2):60-67.
Collins, H.M., and Steven Yearley. 1992. Epistemological Chicken. In Science as Practice and
Culture, edited by A. Pickering. Chicago, IL: Chicago University Press.
———. 1992. Journey Into Space. In Science as Practice and Culture, edited by A. Pickering.
Chicago, IL: Chicago University Press.
Consumers Against Supermarket Privacy Invasion and Numbering. 2004. RFID Position
Statement of Consumer Privacy and Civil Liberties Organizations, November 20 2003
[cited August 16 2004]. Available from
Daft, R. L., and R. H. Lengel. 1984. Information Richness: A New Approach to Managerial
Behavior and Organization Design. In Research in Organizational Behavior, edited by B.
M. Staw and L. L. Cummings. Greenwich: JAI Press.
David, Paul A. 1985. Clio and the Economics of QWERTY. American Economic Review 75
DeSanctis, Gerardine, and Marshall Scott Poole. 1994. Capturing the Complexity in Advanced
Technology Use: Adaptive Structuration Theory. Organizational Science 5:121-147.
Edwards, Paul N. 1996. The Closed World: Computers and the Politics of Discourse in Cold
War America. Cambridge: MIT Press.
Eisenstein, Elizabeth L. 1997. The Printing Press as an Agent of Change: Communications and
Cultural Transformations in Early-Modern Europe. Cambridge: Cambridge University
Escudero-Pascual, Alberto, and Ian Hosein. 2004. The Hazards of Technology-Neutral Policy:
Questioning Lawful Access to Traffic Data. Communications of the ACM 47 (3):77-82.
Feenberg, Andrew. 1991. Critical Theory of Technology. New York: Oxford University Press.
Fischer, Claude S. 1992. America Calling, A Social History of the Telephone to 1940. Berkeley:
University of California Press.
Flanagan, Andrew J. , W. J. M. Farinola, and Miriam J. Metzger. 2000. The technical code of the
Internet/World Wide Web. Critical Studies in Media Communication 17 (3):409-28.
Floerkemeier, Christian, Roland Schneider, and Marc Langheinrich. 2005. Scanning with a
Purpose - Supporting the Fair Information Principles in RFID Protocols. In Ubiquitous
Computing Systems. Revised Selected Papers from the 2nd International Symposium on
Ubiquitous Computing Systems (UCS 2004) edited by H. Murakami, H. Nakashima, H.
Tokuda and M. Yasumura. Berlin, Germany: Springer-Verlag.
Fountain, Jane E. 2001. Constructing the information society: Women, information technology,
and design. Technology in Society 22:45-62.
Friedman, Batya. 1997. Human Values and the Design of Computer Technology. Stanford, CA:
Friedman, Batya, Peter H. Kahn, and Alan Borning. 2006. Value Sensitive Design and
Information Systems. In Human-Computer Interaction in Management Information
Systems, edited by P. Zhang and D. Galletta. New York: M.E. Sharpe, Inc.
Gast, Matthew. 2005. Wireless LAN Security: A Short History 2002 [cited July 12 2005].
Available from http://www.oreillynet.com/lpt/a/1728.
Giddens, Anthony. 1984. The Constitution of Society: Outline of the Theory of Structure.
Berkeley, CA: University of California Press.
Haythornthwaite, Caroline, Barry Wellman, and Laura Garton. 1998. Work and Community Via
Computer-Mediated Communication. In Psychology of the Internet, edited by J.
Gackenbach. San Diego, CA: Academic Press.
Hosein, Ian, Prodromos Tsiavos, and Edgar Whitley. 2003. Regulating Architecture and
Architectures of Regulation: Contributions from Information Systems. International
Review of Law, Computers & Technology 17 (1):85-97.
Howcroft, Debra, Nathalie Mitev, and Melanie Wilson. 2004. What We May Learn from the
Social Shaping of Technology Approach. In Social Theory and Philosophy for
Information Systems, edited by J. Mingers and L. Willcocks. West Sussex, England: John
Wiley & Sons, Ltd.
Innis, Harold. 1951. The Bias of Communication. Toronto, Canada: University of Toronto Press.
Intel. 2005. Wireless Network Security Resource Center 2005 [cited July 12 2005]. Available
Introna, Lucas, and Helen Nissenbaum. 2000. Defining the Web: The Politics of Search Engines.
IEEE Computer 33 (1):54-62.
Joerges, Bernward. 1999. Do Politics Have Artifacts. Social Studies of Science 29 (3):411-431.
Jones, M. 1997. Structuration Theory. In Rethinking Management Information Systems, edited by
W. Currie and B. Galliers. New York: Oxford University Press.
Jones, Matthew, Wanda Orlikosiki, and Kamal Munir. 2004. Structuration Theory and
Information Systems: A Critical Reappraisal. In Social Theory and Philosophy for
Information Systems, edited by J. Mingers and L. Willcocks. West Sussex, England: John
Wiley & Sons, Ltd.
Karagiannis, Konstantinos. 2003. Ten Steps to a Secure Wireless Network. PC Magazine,
February 25, 64.
Kesan, Jay P., and Rajiv C. Shah. 2005. Shaping Code. Harvard Journal of Law & Technology
Kistner, Toni. 2004. Vendors Vie to Ease Home Net Complexity. Network World, Sept. 27.
Kling, Rob , and Suzanne Iacono. 1988. The Mobilization of Support for Computerization: The
Role of Computerization Movements. Social Problems 35 (3):226-243.
Klischewski, Ralf. 2002. Reaching Out for Commitments: Systems Development as
Networking. In Social Thinking: Software Practice, edited by Y. Dittrich, C. Floyd and
R. Klischewski. Cambridge, MA: MIT Press.
Kolko, Beth E. 2000. Erasing @race: Going White in the (Inter)Face. In Race in Cyberspace,
edited by B. E. Kolko, L. Nakamura and G. B. Rodman. New York: Routledge.
Lasky, Michael S., Dennis O'Reilly, Eric Dahl, and Kirk Steers. 2004. No-Hassle Wireless
Networking Superguide. PC World, February, 138-140.
Latour, Bruno. 1987. Science in Action. Boston: Harvard University Press.
———. 1992. Where Are the Missing Masses? The Sociology of a Few Mundane Artifacts. In
Shaping Technology/Building Society, edited by W. E. Bijker and J. Law. Cambridge:
———. 1999. Pandora's Hope. London: Harvard University Press.
Law, John. 1992. Notes on the Theory of the Actor-Network: Ordering, Strategy and
Heterogeneity. Systems Practice 5:379-393.
Lessig, Lawrence. 1999. Code and Other Laws of Cyberspace. New York: Basic Books.
Lieberman, Joseph. 1996. Why Parents Hate TV. Policy Review 77:19-23.
Lievrouw, Leah A. 2002. Determination and Contingency in New Media Development:
Diffusion of Innovations and Social Shaping of Technology Perspectives. In Handbook of
New Media: Social Shaping and Consequences of ICTs, edited by L. A. Lievrouw and S.
Livingstone. London: Sage.
Lievrouw, Leah A., and Pablo Boczkowski. 2006. Bridging Communication Studies and Science
and Technology Studies: Scholarship on Media and Information Technologies. In The
Handbook of Science and Technology Studies, edited by E. J. Hackett, O. Amsterdamska,
M. Lynch and J. Wajcman. Cambridge, MA: MIT Press.
Linksys. 2005. Protecting Your Wireless Network 2005 [cited July 12 2005]. Available from
Mansell, Robin. 1993. The New Telecommunications: A Political Economy of Network
Evolution. London: Sage.
Martin, David M., Richard M. Smith, Michael Brittain, Ivan Fetch, and Hailin Wu. 2001. The
Privacy Practices of Web Browser Extensions. Communications of the ACM 44 (2):45-
McAdams, Richard H. 1997. The Origin, Development, and Regulation of Social Norms.
Michigan Law Review 96:338-433.
McChesney, Robert W. 1993. Telecommunications, Mass Media, and Democracy. Oxford:
Oxford University Press.
McLean, Chris, and John Hassard. 2004. Symmetrical Absence/Symmetrical Absurdity: Critical
Notes on the Production of Actor-Network Accounts. journal of Management Studies 41
McLuhan, Marshall. 1964. Understanding Media: The Extensions of Man. New York: McGraw-
Hill Book Co.
Meyrowitz, Joshua. 1994. Medium Theory. In Communication Theory Today, edited by D.
Crowley and D. Mitchell. Cambridge, MA: Polity Press.
Monteiro, Eric. 1998. Scaling Information Infrastructure: The Case of Next-Generation IP in the
Internet. Information Society 14 (3):229-245.
———. 2000. Actor-Network Theory and Information Infrastructure. In From Control to Drift,
edited by C. Ciborra. Oxford: Oxford University Press.
———. 2004. Actor Network Theory and Cultural Aspects of Interpretative Studies. In The
Social Study of Information and Communication Technology, edited by C. Avgerou, C.
Ciborra and F. Land. Oxford: Oxford University Press.
Monteiro, Eric, and Ole Hanseth. 1995. Social Shaping of Information Infrastructure: On Being
Specific About the Technology. In Information Technology and Changes in
Organizational Work, edited by W. Orlikowski, G. Walsham, M. R. Jones and J. I.
DeGross: Chapman & Hall.
Murray, Andrew, and Colin Scott. 2002. Controlling the New Media: Hybrid Responses to New
Forms of Power. Modern Law Review 65:491-516.
Nakamura, Lisa. 2000. Race In/For Cyberspace: Identity Tourism on the Internet. In The
Cybercultures Reader, edited by D. Bell. New York: Routledge Press.
National Institute of Standards and Technology. 2002. Wireless Network Security. Gaithersburg,
National Research Council. 2002. Cybersecurity: Today and Tomorrow. Washington, DC:
National Academy Press.
North, Douglas C. 1990. Institutions, Institutional Change and Economic Performance. New
York: Cambridge University Press.
Ohrtman, Frank D., and Kondrad Roeder. 2003. Wi-Fi Handbook: Building 802.11b Wireless
Networks. New York: McGraw-Hill Professional.
Orlikowski, Wanda J. 1992. The Duality of Technology: Rethinking the Concept of Technology
in Organizations. Organizational Science 3 (3):398-427.
———. 2000. Using Technology and Constituting Structures: A Practice Lens for Studying
Technology in Organizations. Organizational Science 11 (4):404-428.
Parsons, Patrick R. 1989. Defining Cable Television: Structuration and Public Policy. Journal of
Communication 39 (2):10-26.
Pinch, Trevor J., and Wiebe E. Bijker. 1987. The Social Construction of Facts and Artifacts: Or
How the Sociology of Science and the Sociology of Technology Might Benefit Each
Other. In The Social Construction of Technological Systems, edited by W. E. Bijker, T. P.
Hughes and T. J. Pinch. Cambridge, MA: MIT Press.
Poole, Marshall Scott, and Gerardine DeSanctis. 2004. Structuration Theory in Information
Systems Research: Methods and Controversies. In The Handbook for Information
Systems Research, edited by M. E. Whitman and A. B. Woszczynski. Hershey, PA: IDEA
Posner, Eric A. 1996. Law, Economics, and Inefficient Norms. University of Pennsylvania
Posner, Richard A. 1973. Economic Analysis of Law. Boston: Little Brown.
Potter, Bruce, and Bob Fleck. 2003. 802.11 Security. Sebastopol, CA: O'Reilly & Associates.
Powell, Walter W., and Paul J. DiMaggio, eds. 1991. The New Institutionalism in Organizational
Analysis. Chicago, IL: University of Chicago Press.
Rogers, Everett. 2003. Diffusion of Innovations. 5th ed. New York: Free Press.
Rose, Jeremy, Matthew Jones, and Duane Truex. 2005. Socio-Theoretic Accounts of IS: The
Problem of Agency. Scandinavian Journal of Information Systems 17 (1):133-152.
Rotenberg, Marc. 2001. What Larry Doesn't Get: Fair Information Practices and the Architecture
of Privacy. Stanford Technology Law Review 2001:1.
Samarajiva, Rohan, and Peter Shields. 1997. Telecommunication Networks as Social Scape:
Implications for Research and Policy as an Exemplar. Media, Culture & Society 19
Savage, James G. 1989. The Politics of International Telecommunications Regulation. Boulder,
CO: Westview Press, Inc.
Schiesel, Seth. 2005. Growth of Wireless Internet Opens New Path for Thieves. New York Times,
Schmidt, Suzanne K., and Raymund Werle. 1998. Coordinating Technology: Studies in the
International Standardization of Telecommunications. Cambridge, MA: MIT Press.
Schot, Johan, and Arie Rip. 1997. The Past and Future of Constructive Technology Assessment.
Technological Forecasting and Social Change 54 (2-3):251-268.
Schwartz, Paul M. 2000. Beyond Lessig’s Code for Internet Privacy: Cyberspace Filters,
Privacy-Control, and Fair Information Practices. Wisconsin Law Review 2000:743-788.
Shah, Rajiv C., and Jay P. Kesan. 2003. Manipulating the Governance Characteristics of Code.
Info 5 (4):3-9.
———. 2005. Nurturing Software: How Societal Institutions Shape the Development of
Software. Communications of the ACM 48 (9):80-85.
Shah, Rajiv C., and Christian Sandvig. 2005. Software Defaults as De Facto Regulation: The
Case of Wireless Access Points. Paper read at Telecommunications Policy Research
Conference, at Washington, DC.
Shapiro, Carl, and Hal R. Varian. 1999. Information Rules: A Strategic Guide to the Network
Economy. Boston, MA: Harvard Business School Press.
Suchman, Lucy. 1987. Plans and Situated Actions: The Problem of Human-Machine
Communication. New York: Cambridge University Press.
Tatnall, Arthur. 2003. Actor-Network Theory as a Socio-Technical Approach to Information
Systems Research. In Socio-Technical and Human Cognition Elements of Information
Systems, edited by S. Clarke, E. Coakes, M. G. Hunter and A. Wenn. Hershey, PA:
Information Science Publishing.
U.S. General Accounting Office. 2005. Information Security: Federal Agencies Need to
Improve Controls Over Wireless Security.
US-CERT. 2005. Cyber Security Tip ST05-003 -- Securing Wireless Networks 2005 [cited July
12 2005]. Available from http://www.us-cert.gov/cas/tips/ST05-003.html.
Verbeek, Peter-Paul. 2005. What Things Do. University Park, PA: Pennsylvania State University
———. 2006. Materializing Morality. Science, Technology, & Human Values 31 (3):361-380.
Vidgen, R., and T. McMaster. 1995. Black Boxes, Non-Human Stakeholders and the Translation
of IT Through Mediation. In Information Technology and Changes in Organizational
Work, edited by W. Orlikowski, G. Walsham, M. R. Jones and J. I. DeGross: Chapman &
Wagner, Polk. 2005. On Software Regulation. California Law Review 78:457-519.
Walsham, Geoff. 1993. Interpreting Information Systems in Organizations. Chichester, UK:
John Wiley & Sons.
Walsham, Geoff, and Sundeep Sahay. 1999. GIS for District-Level Administration in India:
Problems and Opportunities. MIS Quarterly 23 (1):39-66.
Winner, Langdon. 1980. Do Artifacts have Politics? Daedalus 109 (1):121-136.
Woolgar, Steve. 1991. Configuring the User: The Case of Usability Trials. In Sociology of
Monsters: Essays on Power, Technology, and Domination, edited by J. Law. London: