Mon, Apr 14, 2008

Andy Oram

Book review: "The Future of the Internet (And How to Stop It)"

Most of us in the computer field have heard more than our fill about the free software movement, the copyright wars, the scourge of spyware and SQL injection attacks, the Great Firewall of China, and other battles for the control of our computers and networks. But your education is stifled until you have absorbed the insights offered by comprehensive thinkers such as Jonathan Zittrain, who presents in this brand new book some critical and welcome anchor points for discussions of Internet policy. Now we have a definitive statement from a leading law professor at Harvard and Oxford, who combines a scholar's insight into legal doctrines with a nitty-gritty knowledge of life on the Internet.

You can read Zittrain for cogent discussions of key issues in copyright, filtering, licensing, censorship, and other pressing issues in computing and networking. But you're rewarded even more if you read this book to grasp fundamental questions of law and society, such as:

  • What determines the legitimacy of laws and those who make and enforce them?
  • What relationship does the law on the books bear to the law as enforced, and how does the gray area between them affect the evolution of society?
  • What is the proper attitude of citizens toward law-makers and regulators, and how much power is healthy for either side to have?
  • How can community self-organization stave off the need for heavy-handed legislation--and how, in contrast, can premature legislation preclude constructive solutions by self-organized communities?

Core questions such as these power Zittrain's tour of technology and law on today's networks. "The Future of the Internet" takes us briskly down familiar paths, offering valuable summaries of current debates, but Zittrain also tries always to hack away at the brambles that block the end of each path. Thanks to his unusually informed perspective, he usually--although not always--succeeds in pushing us forward a few meticulously footnoted footsteps.

Zittrain has summarized the points in this book in an online article, but reading the whole book pays off because of its depth of legal reasoning.

Informed recommendations

One of Zittrain's most applicable suggestions--and one that exemplifies the positive philosophy he brings to his subject--is his solution for handling computer viruses. Currently, non-expert computer users are either helpless in the face of viruses or employ inadequate firewall products that block useful programs along with infections. When Internet service providers scramble to block malware at the router, proponents of network neutrality complain that they're violating the end-to-end principle. The dilemma seems unsolvable.

Zittrain cuts the Gordian knot by suggesting user empowerment. Experts who know how to track and identify viruses or spyware can label them as such, and less expert users can check ratings on every download. Tools are urgently needed that aggregate widely distributed ratings and present them to users in a very simple screen of information whenever they initiate something potentially dangerous. (Zittrain cites, as a model, the partnership between Google and the StopBadware project run by his colleagues at the Berkman Center.)

Users could have a choice of proxies to help them decide what to put on their computers. Additionally, instead of politely hiding network activity from users, mass-market operating systems can show the information in a manner that is easy to grasp, so that the user has a clue when the computer is at risk of turning into a zombie. Zittrain would probably be gratified by a simple security enhancement recommended in the February issue of Communications of the ACM: a suggestion that a wireless router notify each host using the router how many hosts are currently using it, so that wardriving could immediately be detected by users.

Other people have suggested distributed self-defending security systems, but Zittrain links the whole endeavor to the hope provided by the Internet's ability to bring together people who shared positive goals. If software vendors and Internet security researchers gathered around this vision, a self-interested and self-organized community could protect itself, with more able members educating the less able ones.

As an alternative to restrictive software that sinks roots deep into the operating system and locks down computers, such tools could actually improve Internet users' knowledge and sense of community while putting a dent in identity theft, spam, and distributed denial of service attacks.

Throughout the wide range of topics described in his book, Zittrain looks first to technically powered solutions that unite people of good will and encourage potential malefactors to renounce anti-social behavior. But his tone lies far from that of cocky cyberpunk hackers who boast that their technological solutions can protect them from all cyberharm (and damned be less savvy cybercitizens). Zittrain is too good a lawyer to dismiss the power of governments, or to assume that such power can only be oppressive. Thus:

  • He calls for a new Manhattan Project that would draw in government, research institutions, and individual programmers to solve the afore-mentioned malware problem.
  • He allows that the government should have a lower threshold for access to financial data than for access to other personal data.
  • He suggests regulation to enforce data portability, so that user data stored by online services could be retrieved by the owners when they wanted to switch services or when the services failed. (This is the online equivalent to the historic endorsement of open office standards that has been passed by governments in several countries and was nearly hatched in the state of Massachusetts, before a careless legislature ran an off-road vehicle over it.)

Zittrain is not a fan of network neutrality as most proponents describe it, but he sympathizes with the end-to-end principle and would like the principle of neutrality applied to APIs offered by web services such as Google's. If web service providers claim that their data is available for creative uses by outsiders, they should not be allowed to arbitrarily cut off those outsiders that happen to be competitively successful or disruptive to their business models.

I find this recommendation particularly intriguing, because the promising area of web services is currently fraught with uncertainty that's clearly holding back socially beneficial uses. Traditional PCs seem a rock of stability in comparison to the services exploited by modern web services, which vendors can whisk away like apparitions in the night.

You probably know, from such scandals as Yahoo!'s cooperation with the Chinese government in tracking down dissidents and Microsoft's release of search data for a "research project" at the Department of Justice, that data stored at an online service is intrinsically less secure than data stored on your computer. But did you know that the law itself in the U.S. grants substantially less protection against search and seizure to your data when it's stored at a service? Zittrain's elucidation of this legal limbo, although it demands close reading, is a valuable window into the issues of technology and policy for lay readers.

Concerning medical privacy, in particular, the World Privacy Forum noted in a February report (PDF) that personal health records stored by generic organizations such as Microsoft or Google are not protected by the Health Insurance Portability and Accountability Act (HIPAA). Therefore, the records will probably be fair game for subpoenas in divorce cases, lawsuits, etc. The individual also has fewer rights when trying to correct entries.

Well, I've given you the quick tour of Zittrain's book, which is like doing the Smithsonian National Museum of Natural History in an hour. Now we'll meet back in the lobby by the elephant statue, as it were, and examine the key concept that runs through his book.

Generativity: the new battle cry

We've all heard so much in the past decade about "innovation" that I'm in danger of having my readers snap the browser tab shut on this web page when they see the word. (I remember when the fingers-down-the-throat word in the business world was "synergy." That word finally disappeared along with the businesses that invoked it to justify their mergers.)

Zittrain has coined a term that captures with more richness and potential what's happening in our economy: generativity, a measure of how many new, unexpected, and (occasionally) useful things can be developed thanks to an available platform. He lists a number of famous generative technologies, ranging from duct tape and Lego bricks to the all-time heavyweight champion of generativity, the core Internet protocols. But the effects of the Internet are predicated on many other generative technologies that have contributed to the wave of innovation over the past fifteen years or so:

  • Personal computer hardware, which accepts an unlimited variety of devices
  • Personal computer operating systems, which let ordinary consumers load any program that's compiled to run on them
  • Free software, which encourages infinite extensions

The boon of generativity is threatened in two major ways: network restrictions and locked-down devices such as the Xbox, TiVo, and iPhone, which Zittrain calls tethered appliances. The network and the endpoint are symbiotically linked in their power: freedom in one can help keep the flame of freedom burning on the other, while correspondingly, dousing the embers on one can dim generativity on the other.

Appliances are not bad. The Xbox, TiVo, and iPhone have their place, and Zittrain points out that even the trenchantly open One Laptop Per Child system embeds a trusted computing substrate called Bitfrost that combines digital signatures, sandboxing, and mandatory access controls to prevent downloads from harming the system. Unlike trusted computing platforms in proprietary products, Bitfrost can be overridden by a sophisticated user, but requires a BIOS reflash.

The degree to which a system is "appliancized" is inversely related to its generativity. We need to make sure that at least some of the population can preserve generativity in order to create technology at new levels. Furthermore, everyone needs generative systems in order to prevent vendors from choking off mass adoption of innovations.

Many of the Internet's dangers stem from the attributes of a good generative system. Zittrain, in addition to highlighting ease of mastery and accessibility, points out that a highly generative system makes it easy to transfer capabilities from highly sophisticated developers to untrained users. This is not entirely sweet. For instance, security guru Bruce Schneier has repeatedly pointed out that easy transferability is the bane of Internet security.

It's bad enough, Schneier says, that systems inevitably contain bugs that can be fatally exploited by top-notch coders and cryptography experts. What really threatens the Internet is that these experts can bundle the exploits into kits that script kiddies can download and use with minimal education. Sharing tools that perform intrusions is not in itself malicious; these tools are important for system administrators, programmers who reverse engineer applications (another skill with both good and evil applications), and other users. But the practice definitely swells the number of malicious programs foraging the Internet for victims.

Once we accept the value of generativity, technical solutions can allow us to preserve it while protecting ourselves from the bugs and intrusions that it makes it so easy for us to succumb to. For instance, instead of adopting a fortress mentality, public libraries and other institutions could run virtual operating systems on computers they want to protect. In our homes, our computers could have one operating system open to experimental applications (and instantly reloadable if compromised), side by side with another that is locked down. This would allow ordinary people the same generative freedom as programmers, who typically maintain work platforms and development platforms.

Value at the fringe

Among Zittrain's most alarming insights is how calls for a safer Internet, and for one more friendly to copyright and trademark holders, can feed into general governmental control over its population in an age where more and more activity moves online. This danger--also prophesied by Swedish Pirate Party leader Rickard Falkvinge--makes generativity a concern to an immensely larger citizenry than the usual suspects consisting of free software developers and remix musicians. Zittrain's exploration of technology's "regulability" rises far beyond the book's opening subject toward an expansive contribution to our understanding of the relations among citizens, governments, and the commonwealth.

Every business has suffered from the hammerlock of a new computer system that turns out to prevent employees from making the tiny exceptions to rules that previously allowed smooth operations. Perfect control on operating systems or the Internet could cause similar disasters, which range from the added costs of DRM in schools to clamp-downs by repressive regimes. Zittrain lays out several interesting legal considerations that aren't usually raised, overtly in defense of deliberately leaky enforcement regimes.

Concurring and dissenting opinions

I should mention before going further that Zittrain showed me an early paper on the subject underlying his book, and cited me in his acknowledgments as one of the people whose conversations with him influenced the book. Had I the chance to discuss the following issues with him, I would have advised a few changes to the text.

The intractability of privacy violations

Zittrain's last chapter focuses on privacy, which is widely understood to have passed a threshold in the past few years. Given cell phone cameras, the complex data-sharing services on popular social networks, and other tools in the hands of ordinary computer users, privacy can now be violated by irresponsible crowds in addition to large companies and governments.

First, I think Zittrain exaggerates the shift. If he believes that government and corporate abuses are now only a tiny sliver of a larger problem created by peer production on the Internet, I wonder whether he's ever been barred from an airplane by the TSA or denied coverage by an insurance company.

But the problems he points to in privacy-violating activities that have suddenly become everyday behaviors--such as tagging photos on Flickr with people's names--are real. He tries to apply lessons from an earlier chapter focusing on the checks and balances that make Wikipedia successful. Unfortunately, I think the analogy is weak.

Wikipedia, as Zittrain points out, remains a centralized institution under the ultimate control of one man. Authority fans out from creator Jimbo Wales in an admirably broad and flexible spread, but creativity and control at each level depend on the backstop provided at the next higher level. I agree with Zittrain that some of the solutions found here can be translated to the wider and wilder Internet, but in the area of privacy I don't find the analogy persuasive.

Even appliances depend on generative systems

The forward thrust created by generative technologies is so powerful that one finds them in even supposedly non-generative appliances. Most embedded devices with non-trivial capabilities (devices that need more than a while-loop for an operating system) use general-purpose operating systems, often Linux or the reduced-fat version of Windows known as Windows CE.

Zittrain contrasts generative PCs and free software to appliances such as the TiVo, Xbox, and iPhone. The irony is that these are all based on generative technologies. The manufacturers could not resist the opportunity to cut development costs by using robust and freely available platforms.

TiVo uses Linux as its operating system, the Xbox runs on general-purpose hardware that has been successfully hacked to run Linux, and the iPhone--which epitomizes to Zittrain the supreme tethered appliance--has BSD inside. Because of its innately generative qualities (including the relatively transparent language of its API, Objective-C), the iPhone was opened up just a few months after its release in a textbook kind of collaboration among self-organized hackers, leading to a free software toolkit that lets any programmer create new applications using all the features of the iPhone.

These examples underline the challenge Tim O'Reilly used to pose to Microsoft: without open platforms, where will its next wave of technology come from? It looks like Microsoft listened, considering its current tentative support for a few free software projects. An industry of appliances would be poorer without generative technology.

The tether chafes

One of the central points of Zittrain's book is that embattled computer users, worn down by the onslaught of malware, tend to retreat and give up control to centers of authority, whether by installing restrictive firewalls or buying tethered appliances that were built from the ground up to be closed.

Zittrain has several wonderful sections laying out the long-term detriment of this choice, not only for obvious topics such as technological innovation and fair use of copyrighted material, but for the balance between government and individual rights. He's on top of all the abuses caused by manufacturers who keep control of their devices and send them automated updates--sometimes updates that deliberately disable previously available features. Tethered appliances respond to their vendors with the same flexible slavishness as computers taken over by roving bots.

But Zittrain does not use available evidence to rebut the seductive claim that choosing appliances over applications leads to more safety for the user and the overall community. Does it?

I think we have plenty of evidence to resist the tethering of previously open computers. For instance, what would most computer users trust more than a CD from Sony? And to ward off the dangers of the open Internet, should we turn to telephone companies to protect our privacy and personal data? I need say no more.

Among web services, the same worries apply. The dominant Internet appliance is Google, and every service it unveils seems to raise such fears about privacy that it has to perennially trot out its "don't be evil" motto.

But nowhere has the trust in appliances been more dangerous than the calamitous rush to electronic voting machines without paper output, which cannot be adequately audited after deployment. We need to say loudly: closing down open systems is no solution to security risks. (Richard M. Stallman made similar points in response to Zittrain's article, and Susan Crawford in her response.)

Web 2.0 extends generativity

The wide-area-network equivalent of a tethered appliance is "software as a service," also known as an Application Service Provider. Here, I have to insist that Zittrain gets his terminology wrong. In place of these common industry terms, he refers to the phenomenon as Web 2.0.

Controversy has always surrounded the term Web 2.0, to be sure, despite attempts to define the phrase by Tim O'Reilly, who is credited with inventing it. Although everybody reads his own biases into the term, I don't see any meaningful definition of Web 2.0 that includes web sites where users just log in to run an application remotely. I did see one other speaker misunderstand the term this way, but we have to resist the trend to "mash up" useful terms to the point where they lose their value and all come out in some bland uniformity.

Web 2.0 features--such as simple APIs and ways to incorporate user-submitted content--extend generativity as much as blogs and wikis do. They're a critical stage in the ongoing evolution of the Internet. But Zittrain does offer some important critiques. Google Maps can discourage competition by co-opting it through its powerful API. And this ultimately means more control for Google--control it could leverage to artificially set the direction for mapping applications.

Thus, Web 2.0 technologies can be seen as enablers that open up the data and applications controlled by corporations, but also as the soft glove that allows the corporate fist to push itself further and further into their clients' lives.

My glosses and musings on "The Future of the Internet" show how much meat it provides for analysis and discussion. Anyone who can make it through this long review would get a lot from the book. In addition to drawing links among useful recommendations for preserving our freedom, Zittrain proves that the legal frameworks for making such decisions are more complex than most technologists and policy makers credit them for.


 

Comments: 4

  Will Fertman [04.15.08 10:30 AM]

I just wanted to note that Prof. Zittrain's article, mentioned above and online at www.bostonreview.net/forums/, is accompanied by an array of informed responses:

Roger A. Grimes (Senior Security Consultant at Microsoft)
Richard Stallman (of the FSF)
Bruce M. Owen (Prof. of Public Policy at Stanford)
Susan Crawford (at Yale Law School),
David D. Clark (at MIT)
and Hal Varian (Chief Economist at Google) all contributed short articles to the forum. As you might guess, their perspectives can be quite different from Zittrain's, and enhance the debate considerably.

  Alex Pre [04.18.08 12:21 PM]

Puh a very long article and my bad english - a bad combination.

But many informations thx!

  film izle [10.10.08 09:04 AM]

ave seen better public access review shows. At least those are real and heartfelt. Poor Gene must be rolling in his grave.

  Handy Andy [05.14.09 09:03 AM]

Oh my god, what huge posting, sir! But well done. U put the chair in the right corner, don't you?

Regards

Andy
