Book review: "The Future of the Internet (And How to Stop It)"

Most of us in the computer field have heard more than our fill about
the free software movement, the copyright wars, the scourge of spyware
and SQL injection attacks, the Great Firewall of China, and other
battles for the control of our computers and networks. But your
education is stifled until you have absorbed the insights offered by
comprehensive thinkers such as Jonathan Zittrain, who presents in this
brand new book some critical and welcome anchor points for discussions
of Internet policy. Now we have a definitive statement from a leading
law professor at Harvard and Oxford, who combines a scholar’s insight
into legal doctrines with a nitty-gritty knowledge of life on the
Internet.

You can read Zittrain for cogent discussions of key issues in
copyright, filtering, licensing, censorship, and other pressing issues
in computing and networking. But you’re rewarded even more if you read
this book to grasp fundamental questions of law and society, such as:

  • What determines the legitimacy of laws and those who make and
    enforce them?

  • What relationship does the law on the books bear to the law as
    enforced, and how does the gray area between them affect the
    evolution of society?

  • What is the proper attitude of citizens toward law-makers and
    regulators, and how much power is healthy for either side to have?

  • How can community self-organization stave off the need for
    heavy-handed legislation–and how, in contrast, can premature
    legislation preclude constructive solutions by self-organized
    communities?

Core questions such as these power Zittrain’s tour of technology and
law on today’s networks. “The Future of the Internet” takes us briskly
down familiar paths, offering valuable summaries of current debates,
but Zittrain also tries always to hack away at the brambles that block
the end of each path. Thanks to his unusually informed perspective, he
usually–although not always–succeeds in pushing us forward a few
meticulously footnoted footsteps.

Zittrain has summarized the points in this book in an online article,
but reading the whole book pays off because of its depth of legal
reasoning.

Informed recommendations

One of Zittrain’s most applicable suggestions–and one that
exemplifies the positive philosophy he brings to his subject–is his
solution for handling computer viruses. Currently, non-expert computer
users are either helpless in the face of viruses or employ inadequate
firewall products that block useful programs along with
infections. When Internet service providers scramble to block malware
at the router, proponents of network neutrality complain that they’re
violating the end-to-end principle. The dilemma seems unsolvable.

Zittrain cuts the Gordian knot by suggesting user empowerment. Experts
who know how to track and identify viruses or spyware can label them
as such, and less expert users can check ratings on every
download. Tools are urgently needed that aggregate widely distributed
ratings and present them to users in a very simple screen of
information whenever they initiate something potentially
dangerous. (Zittrain cites, as a model, the partnership between Google
and the StopBadware project run by his colleagues at the Berkman
Center.)

Users could have a choice of proxies to help them decide what to put
on their computers. Additionally, instead of politely hiding network
activity from users, mass-market operating systems can show the
information in a manner that is easy to grasp, so that the user has a
clue when the computer is at risk of turning into a zombie. Zittrain
would probably be gratified by a simple security enhancement
recommended in the February issue of Communications of the ACM: a
suggestion that a wireless router notify each host using the router
how many hosts are currently using it, so that wardriving could
immediately be detected by users.

Other people have suggested distributed self-defending security
systems, but Zittrain links the whole endeavor to the hope provided by
the Internet’s ability to bring together people who share positive goals.
If software vendors and Internet security researchers gathered around
this vision, a self-interested and self-organized community could
protect itself, with more able members educating the less able ones.

As an alternative to restrictive software that sinks roots deep into
the operating system and locks down computers, such tools could
actually improve Internet users’ knowledge and sense of community
while putting a dent in identity theft, spam, and distributed denial
of service attacks.

Throughout the wide range of topics described in his book, Zittrain
looks first to technically powered solutions that unite people of good
will and encourage potential malefactors to renounce anti-social
behavior. But his tone lies far from that of cocky cyberpunk hackers
who boast that their technological solutions can protect them from all
cyberharm (and damned be less savvy cybercitizens). Zittrain is too
good a lawyer to dismiss the power of governments, or to assume that
such power can only be oppressive. Thus:

  • He calls for a new Manhattan Project that would draw in government,
    research institutions, and individual programmers to solve the
    afore-mentioned malware problem.

  • He allows that the government should be allowed a lower threshold
    for access to financial data than access to other personal data.

  • He suggests regulation to enforce data portability, so that user
    data stored by online services could be retrieved by the owners when
    they wanted to switch services or when the services failed. (This is
    the online equivalent to the historic endorsement of open office
    standards that has been passed by governments in several countries
    and was nearly hatched in the state of Massachusetts, before a
    careless legislature ran an off-road vehicle over it.)

Zittrain is not a fan of network neutrality as most proponents
describe it, but he sympathizes with the end-to-end principle and
would like the principle of neutrality applied to APIs offered by web
services such as Google’s. If web service providers claim that their
data is available for creative uses by outsiders, they should not be
allowed to arbitrarily cut off those outsiders that happen to be
competitively successful or disruptive to their business models.

I find this recommendation particularly intriguing, because the
promising area of web services is currently fraught with uncertainty
that’s clearly holding back socially beneficial uses. Traditional PCs
seem a rock of stability in comparison to the services exploited by
modern web services, which vendors can whisk away like apparitions in
the night.

You probably know, from such scandals as Yahoo!’s cooperation with the
Chinese government in tracking down dissidents and Microsoft’s release
of search data for a “research project” at the Department of Justice,
that data stored at an online service is intrinsically less secure
than data stored on your computer. But did you know that the law
itself in the U.S. grants substantially less protection against search
and seizure to your data when it’s stored at a service? Zittrain’s
elucidation of this legal limbo, although it demands close reading, is
a valuable window into the issues of technology and policy for lay
readers.

Concerning medical privacy, in particular, the World Privacy Forum
noted in a February report (PDF) that personal health records stored
by generic organizations such as
Microsoft or Google are not protected by the Health Insurance
Portability and Accountability Act (HIPAA). Therefore, the records
will probably be fair game for subpoenas in divorce cases, lawsuits,
etc. The individual also has fewer rights when trying to correct
entries.

Well, I’ve given you the quick tour of Zittrain’s book, which is like
doing the Smithsonian National Museum of Natural History in an hour.
Now we’ll meet back in the lobby by the elephant statue, as it were,
and examine the key concept that runs through his book.

Generativity: the new battle cry

We’ve all heard so much in the past decade about “innovation” that I’m
in danger of having my readers snap the browser tab shut on this web
page when they see the word. (I remember when the
fingers-down-the-throat word in the business world was “synergy.” That
word finally disappeared along with the businesses that invoked it to
justify their mergers.)

Zittrain has coined a term that captures with more richness and
potential what’s happening in our economy: generativity, a
measure of how many new, unexpected, and (occasionally) useful things
can be developed thanks to an available platform. He lists a number of
famous generative technologies, ranging from duct tape and Lego bricks
to the all-time heavyweight champion of generativity, the core
Internet protocols. But the effects of the Internet are predicated on
many other generative technologies that have contributed to the wave
of innovation over the past fifteen years or so:

  • Personal computer hardware, which accepts an unlimited variety of
    devices

  • Personal computer operating systems, which let ordinary consumers
    load any program that’s compiled to run on them

  • Free software, which encourages infinite extensions

The boon of generativity is threatened in two major ways: network
restrictions and locked-down devices such as the Xbox, TiVo, and
iPhone, which Zittrain calls tethered appliances. The network
and the endpoint are symbiotically linked in their power: freedom in
one can help keep the flame of freedom burning on the other, while
correspondingly, dousing the embers on one can dim generativity on the
other.

Appliances are not bad. The Xbox, TiVo, and iPhone have their place,
and Zittrain points out that even the trenchantly open One Laptop Per
Child system embeds a trusted computing substrate called Bitfrost
that combines digital signatures, sandboxing, and mandatory access
controls to prevent downloads from harming the system. Unlike trusted
computing platforms in proprietary products, Bitfrost can be
overridden by a sophisticated user, but requires a BIOS reflash.

The degree to which a system is “appliancized” is inversely related to
its generativity. We need to make sure that at least some of the
population can preserve generativity in order to create technology at
new levels. Furthermore, everyone needs generative systems in order to
prevent vendors from choking off mass adoption of innovations.

Many of the Internet’s dangers stem from the attributes of a good
generative system. Zittrain, in addition to highlighting ease of
mastery and accessibility, points out that a highly generative system
makes it easy to transfer capabilities from highly sophisticated
developers to untrained users. This is not entirely
sweet. For instance, security guru Bruce Schneier has repeatedly
pointed out that easy transferability is the bane of Internet
security.

It’s bad enough, Schneier says, that systems inevitably contain bugs
that can be fatally exploited by top-notch coders and cryptography
experts. What really threatens the Internet is that these experts can
bundle the exploits into kits that script kiddies can download and use
with minimal education. Sharing tools that perform intrusions is not
in itself malicious; these tools are important for system
administrators, programmers who reverse engineer applications (another
skill with both good and evil applications), and other users. But the
practice definitely swells the number of malicious programs foraging
the Internet for victims.

Once we accept the value of generativity, technical solutions can
allow us to preserve it while protecting ourselves from the bugs and
intrusions that it makes it so easy for us to succumb to. For instance,
instead of adopting a fortress mentality, public libraries and other
institutions could run virtual operating systems on computers they
want to protect. In our homes, our computers could have one operating
system open to experimental applications (and instantly reloadable if
compromised), side by side with another that is locked down. This
would allow ordinary people the same generative freedom as
programmers, who typically maintain work platforms and development
platforms.

Value at the fringe

Among Zittrain’s most alarming insights is how calls for a safer
Internet, and for one more friendly to copyright and trademark
holders, can feed into general governmental control over its
population in an age where more and more activity moves online. This
danger–also prophesied by Swedish Pirate Party leader Rickard
Falkvinge–makes generativity a concern to an immensely
larger citizenry than the usual suspects consisting of free software
developers and remix musicians. Zittrain’s exploration of technology’s
“regulability” rises far beyond the book’s opening subject toward an
expansive contribution to our understanding of the relations among
citizens, governments, and the commonwealth.

Every business has suffered from the hammerlock of a new computer
system that turns out to prevent employees from making the tiny
exceptions to rules that previously allowed smooth operations. Perfect
control on operating systems or the Internet could cause similar
disasters, which range from the added costs of DRM in schools to
clamp-downs by repressive regimes. Zittrain lays out several
interesting legal considerations that aren’t usually raised, overtly
in defense of deliberately leaky enforcement regimes.

Concurring and dissenting opinions

I should mention before going further that Zittrain showed me an early
paper on the subject underlying his book, and cited me in his
acknowledgments as one of the people whose conversations with him
influenced the book. Had I the chance to discuss the following issues
with him, I would have advised a few changes to the text.

The intractability of privacy violations

Zittrain’s last chapter focuses on privacy, which is widely understood
to have passed a threshold in the past few years. Given cell phone
cameras, the complex data-sharing services on popular social networks,
and other tools in the hands of ordinary computer users, privacy can
now be violated by irresponsible crowds in addition to large companies
and governments.

First, I think Zittrain exaggerates the shift. If he believes that
government and corporate abuses are now only a tiny sliver of a larger
problem created by peer production on the Internet, I wonder whether
he’s ever been barred from an airplane by the TSA or denied coverage
by an insurance company.

But the problems he points to in privacy-violating activities that
have suddenly become everyday behaviors–such as tagging photos on
Flickr with people’s names–are real. He tries to apply lessons from
an earlier chapter focusing on the checks and balances that make
Wikipedia successful. Unfortunately, I think the analogy is weak.

Wikipedia, as Zittrain points out, remains a centralized institution
under the ultimate control of one man. Authority fans out from creator
Jimbo Wales in an admirably broad and flexible spread, but creativity
and control at each level depend on the backstop provided at the next
higher level. I agree with Zittrain that some of the solutions found
here can be translated to the wider and wilder Internet, but in the
area of privacy I don’t find the analogy persuasive.

Even appliances depend on generative systems

The forward thrust created by generative technologies is so powerful
that one finds them in even supposedly non-generative appliances. Most
embedded devices with non-trivial capabilities (devices that need more
than a while-loop for an operating system) use general-purpose
operating systems, often Linux or the reduced-fat version of Windows
known as Windows CE.

Zittrain contrasts generative PCs and free software to appliances such
as the TiVo, Xbox, and iPhone. The irony is that these are all based
on generative technologies. The manufacturers could not resist the
opportunity to cut development costs by using robust and freely
available platforms.

TiVo uses Linux as its operating system, the Xbox runs on
general-purpose hardware that has been successfully hacked to run
Linux, and the iPhone–which epitomizes to Zittrain the supreme
tethered appliance–has BSD inside. Because of its innately generative
qualities (including the relatively transparent language of its API,
Objective-C), the iPhone was opened up just a few months after its
release in a textbook kind of collaboration among self-organized hackers,
leading to a free software toolkit that lets any programmer create new
applications using all the features of the iPhone.

These examples underline the challenge Tim O’Reilly used to pose to
Microsoft: without open platforms, where will its next wave of
technology come from? It looks like Microsoft listened, considering
its current tentative support for a few free software projects.
An industry of appliances would be poorer without generative
technology.

The tether chafes

One of the central points of Zittrain’s book is that embattled
computer users, worn down by the onslaught of malware, tend to retreat
and give up control to centers of authority, whether by installing
restrictive firewalls or buying tethered appliances that were built
from the ground up to be closed.

Zittrain has several wonderful sections laying out the long-term
detriment of this choice, not only for obvious topics such as
technological innovation and fair use of copyrighted material, but for
the balance between government and individual rights. He’s on top of
all the abuses caused by manufacturers who keep control of their
devices and send them automated updates–sometimes updates that
deliberately disable previously available features. Tethered
appliances respond to their vendors with the same flexible slavishness
as computers taken over by roving bots.

But Zittrain does not use available evidence to rebut the seductive
claim that choosing appliances over applications leads to more safety
for the user and the overall community. Does it?

I think we have plenty of evidence to resist the tethering of
previously open computers. For instance, what would most computer
users trust more than a CD from Sony? And to ward off the dangers of
the open Internet, should we turn to telephone companies to protect
our privacy and personal data? I need say no more.

Among web services, the same worries apply. The dominant Internet
appliance is Google, and every service it unveils seems to raise such
fears about privacy that it has to perennially trot out its “don’t be
evil” motto.

But nowhere has the trust in appliances been more dangerous than the
calamitous rush to electronic voting machines without paper output,
which cannot be adequately audited after deployment. We need to say
loudly: closing down open systems is no solution to security risks.
(Richard M. Stallman made similar points in response to Zittrain’s
article, and Susan Crawford in her response.)

Web 2.0 extends generativity

The wide-area-network equivalent of a tethered appliance is “software
as a service,” also known as an Application Service Provider. Here, I
have to insist that Zittrain gets his terminology wrong. In place of
these common industry terms, he refers to the phenomenon as Web 2.0.

Controversy has always surrounded the term Web 2.0, to be sure,
despite attempts to define the phrase by Tim O’Reilly, who is credited
with inventing it. Although everybody
reads his own biases into the term, I don’t see any meaningful
definition of Web 2.0 that includes web sites where users just log in
to run an application remotely. I did see one other speaker
misunderstand the term this way, but we have to resist the trend to
“mash up” useful terms to the point where they lose their value and
all come out in some bland uniformity.

Web 2.0 features–such as simple APIs and ways to incorporate
user-submitted content–extend generativity as much as blogs and wikis
do. They’re a critical stage in the ongoing evolution of the
Internet. But Zittrain does offer some important critiques. Google
Maps can discourage competition by co-opting it through its powerful
API. And this ultimately means more control for Google–control it
could leverage to artificially set the direction for mapping
applications.

Thus, Web 2.0 technologies can be seen as enablers that open up the
data and applications controlled by corporations, but also as the soft
glove that allows the corporate fist to push itself further and further
into their clients’ lives.

My glosses and musings on “The Future of the Internet” show how much
meat it provides for analysis and discussion. Anyone who can make it
through this long review would get a lot from the book. In addition to
drawing links among useful recommendations for preserving our freedom,
Zittrain proves that the legal frameworks for making such decisions
are more complex than most technologists and policy makers credit them
for.
