The Future of the Internet -- And How to Stop It » jz

A SOPA compromise is floated

jz — Wed, 07 Dec 2011 21:17:37 +0000

Last week several members of Congress — Senators Wyden, Cantwell, Moran, and Paul, and Reps. Issa, Lofgren and Chaffetz — floated a proposal to substitute for the contentious proposed Stop Online Piracy Act, previously discussed here. Sen. Wyden’s office has commented on the compromise, and TechDirt has a writeup and a copy of the document here. The proposal omits the elements of SOPA that had run into the most resistance. Gone is tinkering with fundamental Internet architecture such as the use of the domain name system. Gone is the involvement of the Attorney General. Gone is the criminal copyright streaming provision that could, theoretically, make a teenage Justin Bieber a felon for streaming amateur videos featuring his renditions of songs by his favorite artists.In all these ways, the Wyden compromise is significantly better than SOPA. So what’s left?The compromise framework makes an interesting conceptual maneuver: it links international trade in counterfeit goods (think fake Gucci handbags or DVDs) with international Internet downloading or streaming of copyright infringing material. From the proposal, “In a digital economy, illegally downloading a movie from a foreign website is no different than importing an illegal copy from a company in China.”There are certainly similarities between physical and virtual IP violations — both, after all, involve intellectual property laws, and DVDs in particular are containers for the same content that otherwise can be streamed online. But there are big differences, too. International counterfeiting rings involve hard losses to U.S. manufacturers by providing products to people who, in buying them, are showing that they might otherwise be buying the real thing. Shady download sites are quite possibly another story: those willing to ferret out free files amidst the banner ads at a “.ru” address might not buy legitimate DVDs and CDs even if the overseas site were unavailable. Downloads of free (but copyright infringing) content simply may not represent lost purchases of the real thing to the same degree that people paying for counterfeit goods may buy the real ones if the fakes aren’t available. More important, a lot of the reasons for aggressive trademark enforcement has to do not only with lost sales to legitimate sellers, but public safety. Many physical products with gray market origins may not be safe to wear, eat, or give to your kids, and may be virtually indistinguishable from their authentic counterparts.

The linkage between real and virtual, however, paves the way for the meat of the compromise proposal. It involves an obscure century-old U.S. entity: the International Trade Commission, an “independent, nonpartisan, quasi-judicial federal agency.” From its website:

“The mission of the U.S. International Trade Commission is to: (1) administer U.S. trade remedy laws within its mandate in a fair and objective manner; (2) provide the President, the United States Trade Representative (USTR), and Congress with independent, quality analysis, information, and support on matters relating to tariffs and international trade and competitiveness; and (3) maintain the Harmonized Tariff Schedule of the United States.”

In general, a U.S. company can complain to the ITC about anti-competitive practices by foreign competitors such as dumping (selling items far below cost to put others out of business) or patent or trademark infringement (making product knock-offs). The ITC, in turn, can affirm that such practices are happening, which then leads to a complex process by which the U.S. Department of Commerce can impose punitive tariffs on the import of foreign goods. You can see a list of “cases” pending before the ITC here. (Cases may belong in quotes because, as the ITC says, “The USITC is NOT a policymaking body. It is NOT a court of law. It does NOT negotiate trade agreements.”)

The ITC process takes awhile. For example, in March of 2010 Apple lodged a complaint about HTC infringing its patents. An administrative judge set a target date to rule about it around 15 months from the complaint; and the ITC made an initial determination in July of 2011.

With this background, we can infer how the framers of the SOPA compromise came up with the idea of bringing in the ITC. One big problem with the original SOPA proposal is that private parties could go directly to intermediaries like payment providers and ad networks with complaints about sites “dedicated to theft of U.S. property” and demand that they be cut off, with no disinterested party weighing in on the merits of the complaint. With the ITC, there’s a way to get some due process into the picture: under the compromise, private parties aggrieved by copyright infringement made possible by foreign web sites lodge complaints with the ITC over “digital imports … by foreign websites.”

If the ITC agrees the the foreign website is infringing copyright, it could issue a cease-and-desist order against the website, and the rightsholders could then use the order to compel domestic payment providers and ad networks to break off relationships with the foreign site. There’s also provision for the ITC to penalize rightsholders who lodge frivolous claims.

But there are important issues left unresolved in the draft — which, at two pages, doesn’t cover many details. On a mundane level, it’s not clear what counts as a foreign website. SOPA’s definition was odd: it was any site that used an overseas registrar for its domain name. That’s an unusual definition — it could include lots of sites that are hosted in the US but just happened to register a domain name by using an overseas name retailer. Presumably the right definition covers only sites that are truly overseas, and perhaps completely so — ones beyond the reach of traditional U.S. civil law enforcement processes, which is why further legislation is called for.

More fundamentally, there’s a question about how well suited the ITC is to solve the due process worries of the original SOPA’s notice-and-takedown. A look at the ITC’s current caseload shows comparatively low volume and long lead times — a few dozen open cases at any one time. If the idea is to go after “kingpin” sites — the Pirate Bays of the world — then this may not be a problem. But if the proponents of Congressional action here are hoping to do voluminous takedowns of an expansive and rotating cast of sites, then the ITC’s involvement becomes tricky. The proposal alludes to “boost[ing] the ITC’s administrative capacities,” perhaps in anticipation of having to buff up the commission’s infrastructure to handle an influx of claims. However, more staff doesn’t address the deeper problem of a punt to the ITC. To sort out meritorious claims of undue infringement from borderline ones from frivolous ones, each adjudication would likely take days or weeks. That pace would likely not satisfy IP holders, who want to be able to whack the moles as they pop up. But to make the process hours instead of days would eliminate the value of getting a quasi-public agency into the mix to determine the validity of claims. HTC isn’t going anywhere, so Apple can bring a case to the ITC about its claimed patent infringement. It’s a different story with a site like listen4ever.

As a political matter, SOPA may have represented an opening bid in a negotiation — after which the SOPA proposers found themselves surprised that it might actually pass unamended. Pushback across the spectrum has made that outcome less likely, and this compromise could be a continuation of a negotiation. (To be sure, the Congressional proponents of SOPA appear to be unimpressed by this compromise, while suggesting that some changes will be made.)

The question Congress ideally would take up before passing anything is an empirical one, because overseas copyright infringement is a classic example of a public policy issue that hungers for real data. We’d do well to have less unanchored rhetoric around this topic and more information about just what kinds of sites proponents want to target and what evidence they can produce to show the harm these sites are causing. Then Congress could evaluate how risky or costly legislative action against those sorts of sites would prove. This is an earnest plea — we really could benefit from good data here.

Without it, any compromise may be simply pitted against a caricatured initial proposal — when both are ill-considered. Bottom line: the Wyden compromise is significantly better than the original SOPA proposal, and it might form the basis for a new law against egregious overseas “kingpin” infringement. A narrowly tailored proposal fleshing out the compromise would test how much the publishers seeking the law mean to go after only the big fish. And developing some real data on the scope of the problem and the impact of solutions is both desirable and doable.

A close look at SOPA

jz — Fri, 02 Dec 2011 20:16:52 +0000

A Close Look at SOPA

Jonathan Zittrain, Kendra Albert and Alicia Solow-Niederman

This document is a guide to the Stop Online Piracy Act as proposed in the United States House of Representatives. Stop Online Piracy Act (SOPA), H.R. 3261, 112th Cong. (2011). It represents our notes as we sought to understand exactly what it does and how it does it — along with our corresponding sense for why its principal mechanisms make for poor law. Our aim is for this analysis to be useful to anyone wanting to understand the Act — whatever his or her point of view may be on technology or intellectual property policy.

According to its advocates, SOPA will strengthen copyright in the United States by establishing a number of public and private tools to hinder infringement by international “rogue” sites previously unreachable by U.S. law. The Act also includes a number of independent provisions targeting the sale and dissemination of prescription drugs and military materials and equipment.

1. Copyright enforcement against websites, foreign & domestic.

The bulk of SOPA is a set of public and private mechanisms intended to give American copyright holders tools to combat offshore infringers. The Attorney General’s office, when armed with a court order (the granting of which doesn’t appear to have a standard beyond the Act’s definitions – the court “may” grant an order when requested Id., at § 102(c)), will be able to demand the elimination of access and funding to infringing sites on behalf of copyright holders. When acting alone, copyright holders can use these mechanisms to cut off funding.

Public Remedies (H.R. 3261, 112th Cong. § 102 (2011).)

SOPA gives tools to the U.S. Attorney General to combat “foreign infringing sites.” Id., at § 102. The definition of this term is unusual; a site with a domain name registered outside the U.S. (e.g. through a non-U.S. domain name registrar) seems to count as “foreign,” even if it’s run by an American company and hosted on U.S. soil. Id., at § 101(5)-101(8). As an initial matter, the site must be “U.S. directed,” although virtually all sites not actively blocking U.S. IPs would fall under this category. See id. at § 102(a)(1). Infringement does not need to be direct, and instead may be imputed on sites that merely “facilitat[e] the commission” of copyright infringement . Id. at § 102(a). The order can ask the operator of the targeted site to “cease and desist from undertaking any further activity as a foreign infringing site.” Id. at § 102(b)(5), and then the Attorney General can send additional copies of the order to “similarly situated entities” with permission of the Court – that is, others can fall under the Court’s power without previously having been given notice of a proceeding against them. Id. at § 102(c)(1).

But these provisions are likely not the real force of the law, as fully overseas infringing sites may try to ignore a U.S. court order. The law’s real force is focused domestically. Once a foreign infringing site has been made the subject of a court order, the Attorney General may apply the court order not only at the site but at American companies that occupy the space between the infringing site and an American end user’s browser- specifically, service providers, search engines, payment network providers, and advertising networks. Id. at § 102(c)(2). The court order may require these entities to take all “technically feasible and reasonable measures” to prevent access or payments to foreign infringing sites. Id. Those intermediaries would, it appears, not have been given notice or otherwise involved in the proceeding by which the Attorney General obtained the original order that would then bind them.

There are a number of specifics mentioned in the bill as “technically feasible and reasonable measures.” H.R. 3261 at § 102(c). For service providers ¹, this includes “measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name’s IP address” Id. at § 102(c)(2)(A)(i). DNS blocking is one of the techniques that China uses to prevent access to dissident websites, and has serious technical ramifications. Sandia National Laboratories publisheda letter, after being asked for comment, characterizing the proposed DNS filtering as “whack-a-mole.” ISOC also released a paper detailing how DNS blocking would undermine the Internet architecture. Under a SOPA-based order, Internet search engines are to prevent an allegedly infringing site from being served to users as a direct hypertext link. Id. at § 102(c)(2)(B). Payment providers (like MasterCard or PayPal) must stop completing payment to the payment account used by the site. Id. at § 102(c)(2)(C). Finally, advertisers must complete three separate actions: cut off any ads that they were serving to the site, cut off any advertisements for the site served on other websites, and finally, cut off payments stemming from advertisements. Id. at § 102(c)(2)(D).

SOPA critics point to the vagueness of the phrase “technically feasible and reasonable measures” when questioning the burden the Act will place on intermediaries. An elephant in the room is whether this requirement would necessitate active monitoring of all content to prevent access to previously-noticed infringing sites and/or content. It is notable that payment providers and advertising companies alone are explicitly exempt from having a “duty to monitor” future infringing activity. H.R. 3261 at 102(c)(2)(D)(ii). The Act is silent on whether service providers and search engines have a duty to monitor, which, by implication, may be said (and surely would be argued) to render such a duty.

SOPA encourages such a broad reading by granting immunity to parties who act to limit access to copyrighted materials and by reserving the possibility of litigation for parties that fail to act. See id. at § 102(c)(5)(A). The Attorney General may bring an action for injunctive relief – essentially a further court order – against third parties for not complying with the first court order. Id. at § 102(c)(4)(A)(i). Injunctive relief may also be sought against any entity that provides a product or service designed (or marketed) to circumvent the procedures proposed under SOPA. Relief is to be limited to injunctive mechanisms, and SOPA by itself does not appear to impute infringement on a non-complying service provider, search engine, or payment network. Still, when faced with immunity for action or litigation against the Justice Department for inaction, it is plausible that technology companies would be highly motivated to overcensor. Worse, the kinds of circumvention tools supported within human rights communities and by the U.S. government as part of its Internet freedom initiatives against authoritarian censorship are precisely the tools targeted for elimination under SOPA.

The overwhelming controversy regarding SOPA’s public remedies (that is, those initiated by the Attorney General rather than a private party) regards the provision allowing a court to order a service provider–essentially an unwitting middleman–to take all “technically feasible and reasonable measures” to block an infringing site. Id. at § 103. The Act’s most fervent critics often point to this element when stating that SOPA has the potential to kill the Internet as we know it, placing the fate of interoperability in the hands of technically unsophisticated judges. Only slightly less fervent critics note that this provision would align federal Internet policy with China and like-minded regimes. While the current statute is limited to copyright infringement, the concern is that it establishes an architecture for widespread – indeed, nationwide – technical implementations of censorship.^[2]

Private Remedies (H.R. 3261, 112th Cong. § 103 (2011))

SOPA further provides what it calls a “Market-Based System to…Protect U.S. Property.” H.R. 3261 at § 103. This “market-based system” is a private mechanism by which an IP holder can pressure payment network providers and Internet advertising services to cease all transactions with “sites dedicated to theft of U.S. property.” See id.

This private remedy does not use the “foreign infringing sites” terminology from the public mechanism. Id. at § 102(a). Here the ultimate infringers are described as sites “dedicated to theft of U.S. property.” Id. at § 103. The statutory definition goes beyond what the label colloquially suggests. For example, a site may be branded as “dedicated to theft of U.S. property” if it simply “is taking, or has taken, deliberate actions to avoid confirming a high probability” of the use of the site for copyright infringement. Id. at § 103(a)(ii).
An American copyright holder can therefore approach a payment processor or advertising network and demand that it do whatever is technically feasible and reasonable to prevent sites it deems “dedicated to theft of U.S. property.” Id. at § 103. Unlike in the public remedy, the copyright holder can only seek to cut off payments from payment providers and advertisers. Id.

The threshold for a private corporation giving such a notice is presumably lower than the court order standard in the public remedy. As such, this is arguably SOPA’s most powerful element and one positioned to be applied in a particularly overbroad way. Under the Digital Millennium Copyright Act of 1998, which has an analogous private system of notice-and-takedown, there are countless well-intentioned actors, yet some rightsholders have nonetheless overreached (both intentionally and unintentionally). Under SOPA, payment and advertising companies will have a tremendous incentive to cooperate with a stream of private requests for reasons such as the inconvenience of or inability to evaluate the rightsholder’s claims. Unlike the public remedy, the private remedy allows the alleged infringer to provide counter notification to the third party,³ after which the third party can presumably decide whether or not to comply. H.R. 3261 at § 103(b)(5).

It is important to note that SOPA provides a cause of action, including attorney’s fees, for parties damaged by a knowing, material misrepresentation made in conjunction with the private enforcement mechanisms’ notice and counter-notice provision. Still, the third party must comply within five calendar days from the initial notice. Id. at § 103(b). The turnaround time, taking into account legal advice and the alleged infringer’s counter-notice, is extremely tight. Any intellectual property counsel can attest that those limits will be difficult to navigate, especially without exempting holidays and weekends, which turn out to be when such notices are often sent.

As with the public remedy, the payment and advertising companies are immune from liability if they cut off funding to a site or entity in accordance with SOPA. Should a payment or advertising company not comply, the rightsholder may then seek injunctive relief against the non-complying third party. H.R. 3261, 112th Cong. § 103(c) (2011).

Issues Common to Both Public and Private Remedies

Industry lobbyists and other supporters argue that SOPA is designed specifically to combat “foreign rogue sites.” The image they draw is of brazenly obviously illegal sharing and downloading, such as the Pirate Bay and its brethren. Yet “foreign infringing sites” and sites “dedicated to the theft of U.S. property” could include almost any website registered outside of the United States that allows user-generated content. Requiring American third parties to take all “technically feasible and reasonable” efforts to block such sites, prospectively in some cases, is equally vague. If this legislation were only aimed at the Pirate Bays of the world, the language could and would be much tighter. In many instances, statutory language is vague for a reason: to afford maximum leverage by one party intent on invoking a law over whoever is subject to the law.

Immunity for Voluntary Action

Even without instigation by the Attorney General or rightsholders, alleged infringers may find their sites blocked and their funding cut off without any sort of due process. SOPA grants payment providers, Internet search engines, advertising services, service providers, and domain name registries immunity from suit for voluntarily acting in a manner consistent with the public and private mechanisms against a site that they “reasonably believe” is a foreign infringing site or dedicated to the theft of US property. H.R. 3261 at § 104. Even with no copyright holder notifying them that their rights are being violated, all of these actors can take down or stop serving revenue to sites, as long as they are consistent with terms of use. Id.

Likewise, payment providers, Internet search engines, advertising services, service providers, and domain name registries are also not liable for taking action against sites they believe are “endangering public health.” Id. at § 105.

2. “Notorious foreign infringers” and U.S. investors ((H.R. 3261, 112th Cong. § 107 (2011).)

The U.S. IP Enforcement Coordinator, along with various agency heads, will identify “notorious foreign infringers” who are causing “significant harm to holders of IP rights in the US”, soliciting suggestions from the public and rights holders. Id. at § 107(a)(1). This information will be made into a report to Congress, which will examine and analyze various methods of combating IP rights violations, including and up to prohibiting such sites from raising capital in the United States. Id. at § 107(b)(5). While SOPA does not directly prohibit such investment, the spectre of such a ban may lead to a chill in investor confidence in countless internet startups, even those that may only distantly be thought of as enabling copyright infringement, such as social networks or content creation platforms.

3. Amendments to existing criminal copyright laws

Criminal penalties for streaming. (H.R. 3261, 112th Cong. § 201 (2011).).

While most of SOPA’s IP treatment revolves around the third-party-based enforcement mechanisms outlined above, the Act also does refine a number of existing IP laws. Most notable among the many changes, SOPA calls for the criminalization of public performance copyright infringement. H.R. 3261 at § 201. This provision is specifically targeted at digital streaming and provides criminal penalties for streaming copyrighted material with ten or more views and a retail value of $2,500. Id. at § 201(b). This sweeping and vague change could categorize millions of Americans as criminals. Prosecutorial discretion thus determines whether these long prison terms are applied fairly. The colorful advocacy at http://freebieber.org/ is, at its core, pointing out the implications of this inexplicably broad provision: the videos that teenage Justin Bieber posted of himself singing songs by his favorite artists do indeed appear to qualify as felonies under the Act. This is a particular irony, since those videos launched Bieber’s career as a musician – exactly the people the Act is intended to protect.

Additional criminal penalties (H.R. 3261, 112th Cong. § 202-203 (2011).).

SOPA amends 18 U.S.C. § 2320 to add the importation, export, or participation in the manufacture of counterfeit drugs to the list of criminal activities. Id. at § 202(1)(a)(iii). It also increases the penalties for the production or distribution of counterfeit products that result in serious bodily harms from twenty years to life in prison. Id. at § 202(2)(a). SOPA further increases the penalties for manufacturing or distributing counterfeit goods to the military (or in a way that may harm national security). Id. at § 202(3).

SOPA also amends 18 U.S.C. § 1831(a) to increase penalties for individuals or organizations committing economic espionage. Id. at § 203.

4. Protecting IP rights abroad

In what would potentially be a significant increase in the United States diplomatic corps and its activities, SOPA requires the Secretary of State and of Commerce to ensure diplomatic missions or embassies have “adequate resources” to pursue “aggressive support of enforcement action against violations of intellectual property.” H.R. 3261 at § 205. It would further require the diplomatic corps to make best efforts to see that foreign countries honor existing intellectual property treaties. Id. at § 205(a)(2).
Under SOPA, special intellectual property attachés hired by the Director of the Patent and Trademark Office will work from within embassies or diplomatic missions to advance United States intellectual property policy goals in general and specifically to reduce intellectual property infringement. Id. at § 205(b).

Conclusion

Others have weighed in on why SOPA makes for poor public policy and is an ill-considered technical intervention. In this paper we’ve hewed closely to simply reviewing it as legal doctrine. On those terms, its vague language and undue granting of law-like powers to private parties without sufficient public protections make it worthy of a firm “no” vote. SOPA is both overly strong and overly broad; overly strong in the collection of remedies provided, and overly broad for the problems it is attempting to take on.

Jonathan Zittrain is a member of the boards of the Electronic Frontier Foundation and the Internet Society. Both organizations have weighed in on this bill. However, the opinions expressed above are his (and our) own.

Notes:
1 “As used in subsection (a), the term “service provider” means an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, without modification to the content of the material as sent or received.” 17 U.S.C. § 512(k).

2 The United States may have already crossed that threshold with our government’s actions regarding Wikileaks.

3 As with the DMCA, counter-notice requires the alleged infringer to consent to U.S. jurisdiction in the matter.

The PC is dead. Why no angry nerds?

jz — Wed, 30 Nov 2011 16:32:21 +0000

From Technology Review:

The Personal Computer Is Dead

Power is fast shifting from end users and software developers to operating system vendors.

By Jonathan Zittrain

The PC is dead. Rising numbers of mobile, lightweight, cloud-centric devices don’t merely represent a change in form factor. Rather, we’re seeing an unprecedented shift of power from end users and software developers on the one hand, to operating system vendors on the other—and even those who keep their PCs are being swept along. This is a little for the better, and much for the worse.

The transformation is one from product to service. The platforms we used to purchase every few years—like operating systems—have become ongoing relationships with vendors, both for end users and software developers. I wrote about this impending shift, driven by a desire for better security and more convenience, in my 2008 book The Future of the Internet—and How to Stop It.

For decades we’ve enjoyed a simple way for people to create software and share or sell it to others. People bought general-purpose computers—PCs, including those that say Mac. Those computers came with operating systems that took care of the basics. Anyone could write and run software for an operating system, and up popped an endless assortment of spreadsheets, word processors, instant messengers, Web browsers, e-mail, and games. That software ranged from the sublime to the ridiculous to the dangerous—and there was no referee except the user’s good taste and sense, with a little help from nearby nerds or antivirus software. (This worked so long as the antivirus software was not itself malware, a phenomenon that turned out to be distressingly common.)

Choosing an OS used to mean taking a bit of a plunge: since software was anchored to it, a choice of, say, Windows over Mac meant a long-term choice between different available software collections. Even if a software developer offered versions of its wares for each OS, switching from one OS to another typically meant having to buy that software all over again.

That was one reason we ended up with a single dominant OS for over two decades. People had Windows, which made software developers want to write for Windows, which made more people want to buy Windows, which made it even more appealing to software developers, and so on. In the 1990s, both the U.S. and European governments went after Microsoft in a legendary and yet, today, easily forgettable antitrust battle. Their main complaint? That Microsoft had put a thumb on the scale in competition between its own Internet Explorer browser and its primary competitor, Netscape Navigator. Microsoft did this by telling PC makers that they had to ensure that Internet Explorer was ready and waiting on the user’s Windows desktop when the user unpacked the computer and set it up, whether the PC makers wanted to or not. Netscape could still be prebundled with Windows, as far as Microsoft was concerned. Years of litigation and oceans of legal documents can thus be boiled down into an essential original sin: an OS maker had unduly favored its own applications.

When the iPhone came out in 2007, its design was far more restrictive. No outside code at all was allowed on the phone; all the software on it was Apple’s. What made this unremarkable—and unobjectionable—was that it was a phone, not a computer, and most competing phones were equally locked down. We counted on computers to be open platforms—hard to think of them any other way—and understood phones as appliances, more akin to radios, TVs, and coffee machines.

Then, in 2008, Apple announced a software development kit for the iPhone. Third-party developers would be welcome to write software for the phone, in just the way they’d done for years with Windows and Mac OS. With one epic exception: users could install software on a phone only if it was offered through Apple’s iPhone App Store. Developers were to be accredited by Apple, and then each individual app was to be vetted, at first under standards that could be inferred only through what made it through and what didn’t. For example, apps that emulated or even improved on Apple’s own apps weren’t allowed.

The original sin behind the Microsoft case was made much worse. The issue wasn’t whether it would be possible to buy an iPhone without Apple’s Safari browser. It was that no other browserwould be permitted—or, if permitted, it would be only through Apple’s ongoing sufferance. And every app sold for the iPhone would have 30 percent of its price (and later, that of its “in-app purchases”) go to Apple. Famously proprietary Microsoft never dared to extract a tax on every piece of software written by others for Windows—perhaps because, in the absence of consistent Internet access in the 1990s through which to manage purchases and licenses, there’d be no realistic way to make it happen.

Fast forward 15 years, and that’s just what Apple did with its iOS App Store.

In 2008, there were reasons to think that this situation wasn’t as worrisome as Microsoft’s behavior in the browser wars. First, Apple’s market share for mobile phones was nowhere near Microsoft’s dominance in PC operating systems. Second, if the completely locked-down iPhone of 2007 (and its many counterparts) was okay, how could it be wrong to have one that was partially open to outside developers? Third, while Apple rejected plenty of apps for any reason—some developers were fearful enough of the ax that they confessed to being afraid to speak ill of Apple on the record—in practice, there were tons of apps let through; hundreds of thousands, in fact. Finally, Apple’s restrictiveness had at least some good reason behind it independent of Apple’s desire for control: rising amounts of malware meant that the PC landscape was shifting from anarchy to chaos. The wrong keystroke or mouse click on a PC could compromise all its contents to a faraway virus writer. Apple was determined not to have that happen with the iPhone.

By late 2008, there was even more reason to relax: the ribbon was cut on Google’s Android Marketplace, creating competition for the iPhone with a model of third-party app development that was a little less paranoid. Developers still registered in order to offer software through the Marketplace, but once they registered, they could put software up immediately, without review by Google. There was still a 30 percent tax on sales, and line-crossing apps could be retroactively pulled from the Marketplace. But there was and is a big safety valve: developers can simply give or sell their wares directly to Android handset owners without using the Marketplace at all. If they didn’t like the Marketplace’s policies, it didn’t mean they had to forgo ever reaching Android users. Today, Android’s market share is substantially higher than the iPhone’s. (To be sure, that market share is inverted in the tablet space; currently 97 percent of tablet Web traffic is accounted for by iPads. But as new tablets are introduced all the time—the flavor of the month just switched to Kindle Fire, an Android-based device—one might look at the space and see what antitrust experts call a “contestable” market, which is the kind you want to have if you’re going to suffer market dominance by one product in the first place. The king can be pushed down the hill.)

With all of these beneficial developments and responses between 2007 and 2011, then, why should we be worried at all?

The most important reasons have to do with the snowballing replicability of the iPhone framework. The App Store model has boomeranged back to the PC. There’s now an App Store for the Mac to match that of the iPhone and iPad, and it carries the same battery of restrictions. Some restrictions, accepted as normal in the context of a mobile phone, seem more unfamiliar in the PC landscape.

For example, software for the Mac App Store is not permitted to make the Mac environment look different than it does out of the box. (Ironic for a company with a former motto importuning people to think different.) Developers can’t add an icon for their app to the desktop or the dock without user permission, an amazing echo of what landed Microsoft in such hot water. (Though with Microsoft, the problem was prohibiting the removal of the IE icon—Microsoft didn’t try to prevent the addition of other software icons, whether installed by the PC maker or the user.) Developers can’t duplicate functionality already on offer in the Store. They can’t license their work as Free Software, because those license terms conflict with Apple’s.

The content restrictions are unexplored territory. At the height of Windows’s market dominance, Microsoft had no role in determining what software would and wouldn’t run on its machines, much less whether the content inside that software was to be allowed to see the light of screen. Pulitzer Prize-winning editorial cartoonist Mark Fiore found his iPhone app rejected because it contained “content that ridicules public figures.” Fiore was well-known enough that the rejection raised eyebrows, and Apple later reversed its decision. But the fact that apps must routinely face approval masks how extraordinary the situation is: tech companies are in the business of approving, one by one, the text, images, and sounds that we are permitted to find and experience on our most common portals to the networked world. Why would we possibly want this to be how the world of ideas works, and why would we think that merely having competing tech companies—each of which is empowered to censor—solves the problem?

This is especially troubling as governments have come to realize that this framework makes their own censorship vastly easier: what used to be a Sisyphean struggle to stanch the distribution of books, tracts, and then websites is becoming a few takedown notices to a handful of digital gatekeepers. Suddenly, objectionable content can be made to disappear by pressuring a technology company in the middle. When Exodus International—”[m]obilizing the body of Christ to minister grace and truth to a world impacted by homosexuality”—released an app that, among other things, inveighed against homosexuality, opponents not only rated it poorly (one-star reviews were running two-to-one against five-star reviews) but also petitionedApple to remove the app. Apple did.

To be sure, the Mac App Store, unlike its iPhone and iPad counterpart, is not the only way to get software (and content) onto a Mac. You can, for now, still install software on a Mac without using the App Store. And even on the more locked-down iPhone and iPad, there’s always the browser: Apple may monitor apps’ content—and therefore be seen as taking responsibility for it—but no one seems to think that Apple should be in the business of restricting what websites Safari users can visit. Question to those who stand behind the anti-Exodus petition: would you also favor a petition demanding that Apple prevent iPhone and iPad users from getting to Exodus’s website on Safari? If not, what’s different, since Apple could trivially program Safari to implement such restrictions? Does it make sense that South Park episodes are downloadable through iTunes, but the South Park app containing the same content was banned from the App Store?

Given that outside apps can still run on a Mac and on Android, it’s worth asking what makes the Stores and Marketplaces so dominant—compelling enough that developers are willing to run the gauntlet of approval and take a 30 percent hit on revenue instead of simply selling their apps directly. The iPhone restricts outside code, but developers could still, in many cases, manage to offer functionality through a website accessible through the Safari browser. Few developers do, and there’s work to be done to ferret out what separates the rule from the exception. The Financial Times is one content provider that pulled its app from the [iOS] App Store to avoid sharing customer data and profits with Apple, but it doesn’t have much company.

The answer may lie in seemingly trivial places. Even one or two extra clicks can dissuade a user from consummating what he or she meant to do—a lesson emphasized in the Microsoft case, where the ready availability of IE on the desktop was seen as a signal advantage over users’ having to download and install Netscape. The default is all-powerful, a notion confirmed by the value of deals to designate what search engine a browser will use when first installed. Such deals provided 97 percent of Firefox-maker Mozilla’s revenue in 2010—$121 million. The safety valve of “off-road” apps seems less helpful when people are steered so effortlessly to Stores and Marketplaces for their apps.

Security is also a factor—consumers are willing to consign control over their code to OS vendors when they see so much malware out in the wild. There are a variety of approaches to dealing with the security problem, some of which include a phenomenon called sandboxing—running software in a protected environment. Sandboxing is soon to be required of Mac App Store apps. More information on sandboxing, and a discussion of its pros and cons, can be found here.

The fact is that today’s developers are writing code with the notion not just of consumer acceptance, but also vendor acceptance. If a coder has something cool to show off, she’ll want it in the Android Marketplace and the iOS App Store; neither is a substitute for the other. Both put the coder into a long-term relationship with the OS vendor. The user gets put in the same situation: if I switch from iPhone to Android, I can’t take my apps with me, and vice versa. And as content gets funneled through apps, it may mean I can’t take my content, either—or, if I can, it’s only because there’s yet another gatekeeper like Amazon running an app on more than one platform, aggregating content. The potentially suffocating relationship with Apple or Google or Microsoft is freed only by a new suitor like Amazon, which is structurally positioned to do the same thing.

A flowering of innovation and communication was ignited by the rise of the PC and the Web and their generative characteristics. Software was installed one machine at a time, a relationship among myriad software makers and users. Sites could appear anywhere on the Web, a relationship among myriad webmasters and surfers. Now activity is clumping around a handful of portals: two or three OS makers that are in a position to manage all apps (and content within them) in an ongoing way, and a diminishing set of cloud hosting providers like Amazon that can provide the denial-of-service resistant places to put up a website or blog.

Both software developers and users should demand more. Developers should look for ways to reach their users unimpeded, through still-open platforms, or through pressure on the terms imposed by the closed ones. And users should be ready to try “off-roading” with the platforms that still allow it—hewing to the original spirit of the PC, perhaps amplified by systems that let apps have a trial run on a device without being given the keys to the kingdom. If we allow ourselves to be lulled into satisfaction with walled gardens, we’ll miss out on innovations to which the gardeners object, and we’ll set ourselves up for censorship of code and content that was previously impossible. We need some angry nerds.

An interview with John Batelle on The Future of the Internet

jz — Mon, 15 Aug 2011 15:51:03 +0000

John Battelle asked me a few Qs about my thinking on the themes in The Future of the Internet in the three years since the book came out (four since it was drafted!). John’s review is available on his blog, and I’ve reproduce the core of it here:

JBAT:

- You wrote the Future of the Internet three years ago. It warned of a lack of awareness with regard to what we’re building, and the consequences of that lack of attention. it also warned of data silos and early lockdown. Three years later, how are we doing? Are things better, worse, the same?

And a follow up. On a scale of one to ten, where one is “actively helping” and ten is “pretty much evil,” how do the following companies rate in terms of the debate you frame in the book?

- Google (you can break this down into Android, Search, Apps, etc)

- Facebook (which was really not at full scale when you published)

- Apple

- Twitter

- Microsoft (again break it down if you wish)

Thanks!

JONATHAN ZITTRAIN:

Sorry this took me so long! I got a little carried away in answering –

- You wrote the Future of the Internet three years ago. It warned of a lack of awareness with regard to what we’re building, and the consequences of that lack of attention. it also warned of data silos and early lockdown. Three years later, how are we doing? Are things better, worse, the same?

It’s the best of times and the worst of times: the digital world offers us more every day, while we continue to set ourselves up for levels of surveillance and control that will be hard to escape as they gel.

That’s because the plus is also the minus: more and more of our activities are mediated by gatekeepers who make life easier, but who also can watch what we do and set boundaries on it — either for their own purposes, or under pressure from government authorities.

On the book’s specific predictions, Apple’s ethos remains a terrific bellwether. The iPhone — released in ’07 — has proved not only a runaway success, but the principles of its iOS have infused themselves across the spectrum. There’s less reason than ever to need a traditional PC, and by that I mean one that lets you run whatever code you want. OS X Lion points the way to a much more controlled PC zone, anyway, as it more and more funnels its software through a single company’s app store rather than from anywhere. I’d be surprised if Microsoft weren’t thinking along similar lines for Windows.

Google has offered a counterpoint, since the Android platform, while including an app store, allows outside code to be run. In part that’s because Google’s play is through the cloud. Google seeks to make our key apps based somewhere within the google.com archipelago, and to offer infrastructure that outside apps can’t resist, such a easy APIs to geographic mapping or user location. It’s important to realize that a cloud-based setup like Google Docs or APIs, or Facebook’s platform offer control similar to that of a managed device like an iPhone or a Kindle. All represent the movement of technology from product to service. Providers of a product have little to say about it after it changes hands. Providers of services are different: they don’t go away, and a choice of one over another can have lingering implications for months and even years.

At the time of the book’s drafting, the alternatives seemed stark: the “sterile” iPhone that ran only Apple’s software on the one hand, and the chaotic PC that ran anything ending in .exe on the other. The iPhone’s openness to outside code beginning in ’08 changed all that. It became what I call “contingently generative” — it runs outside code after approval (and then until it doesn’t). The upside is that the vast creativity of outside coders has led to a software renaissance on mobile devices, including iPhones, from the sublime to the ridiculous. And Apple’s gatekeeping has seemed to be with a light touch; apps not allowed in the store pale in comparison to the torrents of stuff let through. But that masks entire categories of applications that aren’t allowed — namely anything disruptive to Apple’s business model or that of its partners or regulators. No p2p, no alternate email clients, browsers with limited functionality.

More important, the ability to limit code is what makes for the ability to control content. More and more we see content, whether a book, or a magazine subscription, represented in and through an app. It’s sheer genius for a platform maker to demand a cut of in-app purchases. Can you imagine if, back in the day, the only browser allowed on Windows was IE, and further, all commerce conducted through that browser — say, buying a book through Amazon — constituted an “in-app purchase” for which Microsoft was due 30%?

A natural question is why competition isn’t the answer here — or at least reason to not worry about the question. If people thought the iPhone made for a bad deal, why would they want one? The reason they want one is the same thing that made the Mac so appealing when it first came on the scene: it was elegant and intuitive and it just worked. No blue screen of death. Consistency across apps. And, as viruses and worms naturally were designed for the most common platform, Windows, those 5% with Macs weren’t worth the trouble of corrupting.

We’ve seen a new generation of Mac malware as its numbers grow, and in the meantime a first defense is that of curation: the app store provides a rough filter for bad code, and accountability against its makers if something goes wrong even after it’s been approved. So that’s why the market likes these architectures. I’ll bet few Android users actually go “off-roading” with apps not obtained through the official Android app channels. But the fact that they can provides a key safety valve: if Google were to try the same deal as Apple with content providers for in-app content, the content providers could always offer their wares directly to Android users. I’m worried that a piece of malware could emerge on Android that would cause the safety valve of outside code to be changed, either formally by Google, or in practice as people become unwilling to drive outside the lanes.

So how about competition between platforms? Doesn’t that keep each competitor honest, even if all the platforms are curated? I suppose: the way that Prodigy and CompuServe and AOL competed with one another to offer different services as each chased subscribers. (Remember the day when AOL members couldn’t email CompuServe users and vice versa?) That was competition of a sort, but the Internet and the Web put them all to shame — even as the Internet arose from no business plan at all.

Here’s another way to think about it. Suppose you were going buy a new house. There are lots of choices. It’s just that each house is “curated” by its seller. Once you move in, that seller will get to say what furnishings can go in, and collects 30% of the purchase price of whatever you buy for the house. That seller has every reason to want to have a reputation for being generous about what goes in — but it still doesn’t feel very free when, two years after you’re living in the house, a particular coffee table or paint color is denied. There is competition in this situation — just not the full freedom that we rightly associate with inhabiting our dwellings. A small percentage of people might elect to join gated communities with strict rules about what can go inside and outside each house — but most people don’t want to have to consult their condo association by-laws before making choices that affect only themselves.

Why buy a PC when you can rent an un-PC?

jz — Mon, 02 May 2011 14:28:40 +0000

Rumor — and that’s all it is — is that Google will announce a $10/month Chrome OS laptop rental. That such a rumor could be credible, whether or not it actually bears out, is a testament to how much our IT ecosystem has evolved in just the past few years. I’ve long been concerned about the death of the PC, whether through the “appliancization” of our endpoint devices like smartphones or through increasing reliance on what’s now known as the Cloud: running our apps, and keeping our data, online instead of on devices that we own.

A rented laptop only makes sense when there’s nothing that will end up on the unit that would make it difficult to lose or trade in. And that’s the promise of Chrome OS and the cloud: the keyboard and screen are generic; everything interesting happens online, either on the public Web or behind the gates of a user’s various online accounts — Gmail, Facebook, etc.

There’s nothing inherently wrong with that, just as there was no inherent ethical case to a decision between an old-fashioned answering machine (keeping your phone messages at home) and voicemail (keeping them … in the cloud). (Remember when people called each other and left messages?)

The reason I’ve singled out the PC’s future is because it’s a bellwether for how much we get to control the code we run and the data we accrete. In the good old days we effectively bought software (its own claim to being merely licensed notwithstanding) and stored our data in our plain view. So long as we didn’t lose or munge our laptops we knew where our data was — and wasn’t.

As abundant, saturating network connectivity makes it more sensible to store stuff on others’ faraway servers, it’s all the more important that we establish technical and legal architectures to preserve our primacy in choosing what code to run and what data to associate with ourselves. I have some thoughts on how to do that here and here.

Update [11 May 2011]: The rumors appear to be true.

Edit a European academic journal, face a criminal trial?

jz — Thu, 27 Jan 2011 14:30:25 +0000

The European Journal of International Law published on an affiliated web site a short book review. The author of the book reviewed was displeased, and wrote to the editor asking for it to be taken down. He declined in a very thoughtful letter, part of a correspondence reproduced here. He suggested that he would forward the author’s comments to reviewer, and in “uncharted” territory, possibly be prepared to approve a revised review by the reviewer and substitute that in on the Web site. The reviewer declined to make any changes, and the editor stood by that decision.

Three months later and the editor — not the reviewer — found himself the target of a criminal libel investigation in France. Strange location, since …

[t]he author of the book was an Israeli academic. The book was in English. The publisher was Dutch. The reviewer was a distinguished German professor. The review was published on a New York website.

He’s written up his experience with the trial, which was last week, here. Fascinating — and chilling — reading.

Help save the Internet!

jz — Tue, 25 Jan 2011 14:41:00 +0000

You may have heard of Herdict, the Berkman Center project to crowdsource reports on the moment-to-moment health of the Internet. (Video introduction here; FAQ here.) We are seeking a CEO for it!

Since last year Herdict has tracked big blockages like those of China’s Great Firewall, and small ones like the temporary block of WordPress in Guatemala. Herdict receives thousands of visitors each day and hundreds of reports from just about every country.

Last summer we were awarded a $1.5M grant from the Omidyar Network to take Herdict further, which means setting it up as a standalone non-profit, partnering with browser makers to increase Herdict’s paths for gleaning and sharing data, exploring new ways of crowdsourcing, and securing additional funds (part of our grant is for matching contributions).

So, the new Herdict venture needs a CEO. The ideal candidate would have some combination of start-up experience, a rich human network (in the US and ideally, abroad), familiarity with the Net, experience in building and motivating online communities, and a commitment to turning Herdict into a sustainable nervous system for it. The CEO will build and lead our technology team to shape the future of Herdict, figure out how it can best integrate with other worthy efforts in this zone, and define what the boundaries will be of just what Herdict will aspire to do.

The team will be located in Cambridge, Massachusetts — so it will help if the CEO is prepared to live in the Boston area, and at least travel there regularly. The CEO will work closely with the board of Herdict and with faculty from the Berkman Center and members of the OpenNet Initiative as we figure out how to measure and preserve a free and open Internet. Salary competitive.

Statements of interest can be sent to jobs@herdict.org.

Number crunch: the struggle to upgrade the Internet from IPv4 to IPv6

jz — Mon, 10 Jan 2011 23:27:37 +0000

[cross-posted at the CDT blog]

How the Internet is running out of room, and what we must do about it

“CDT Fellows’ Focus” is a series from CDT that presents the views of other notable experts on tech policy issues. This week, CDT Fellow Jonathan Zittrain and Leslie Daigle write about the end of IPv4 address space. Guest posts featured in “CDT Fellows’ Focus” don’t necessarily reflect the views of CDT; the goal of the series is to present diverse, well-informed views on significant tech policy issues.

The Internet’s framers famously designed it without predicting much about how, or how much, it would be used. For example, the network’s capacity was conceived less in a count of precisely how many could participate at once – the way traditional phone circuits worked – and more in flexibly divisible bandwidth. As that bandwidth got saturated, it would degrade gracefully: data might move slower for everyone, but no one would get an “all circuits are busy” message. In ways large and small, what animates Internet protocol design is a procrastination principle: if something can work well, it doesn’t have to be perfect, and not every problem or limit must be anticipated and preempted. Potential but still speculative flaws can be fixed later – possibly somewhere other than inside the network.

Unfortunately “later” is arriving now for a crucial piece of the Internet: its ability to tell one attached device from another. Internet architects designed a simple way to identify participating computers and route data among them: assign each a unique number: an Internet Protocol (IP) address. No IP address, no delivery. The routers in between you and your friend use your friend’s number the way a postal service would – the number says something about where she is. That’s made possible because IP addresses are clustered together, just like street addresses grouped in a ZIP or other postal code.

The system has an Achilles’ heel: there are a limited number of numbers. It might seem that you could add 1 to whatever the last number is and keep going, but there’s a hard cap in venerable Internet Protocol Version 4 (IPv4): 4 billion IP addresses, which the Internet is outgrowing in much the same way that applications outstripped the original 64K of memory expected for a PC running Microsoft DOS. There is now general agreement among Internet technologists that the end days are upon us: the last block of fresh IPv4 addresses will likely be allocated to the Internet’s North American address warehouse in early 2011, to be passed out to Internet Service Providers here by mid- to late-2011.

Worse, because of the clustering of addresses, we can’t squeeze the last bit of digital toothpaste out of the tube as fresh numbers become scarce. There’s a gray market for chunks of already-allocated numbers despite restrictions against selling them – and some telecommunications providers are rumored to have been purchased only for their numbers! – but such used numbers carry their own risks. Anyone who has inherited the former phone number of a pizza shop will appreciate that some numbers are less desirable than others. Moreover, some IP addresses have at one time been the source of cyberattacks, or hosted politically sensitive content, and the resulting blocking of traffic originating from them by various ISPs is rarely revisited by those ISPs. (Who wants an old Wikileaks IP address?)

Running out of fresh numbers will not stop the Internet from working. But, unchecked, it will greatly complicate growth. As new computers and devices come online, something has to give – making more use of existing addresses, or finding a new way to address things.

In the first category – making do – the procrastination principle has bought us some time. Enterprising engineers developed an ingenious baling-wire-and-twine workaround to the one-number-per-computer rule. Known as network address translation, or NAT, it allows the holder of a single IP address to share it among a group of computers. This happens nearly every time you hook up a wireless router and access point at home: your ISP only gives you one number, and you use your inexpensive router to share it with everyone who connects to your network. Cable and DSL ISPs are considering the same thing to put larger networks of multiple customers behind a single address, at least as an interim measure. Unfortunately, like most such workarounds, it doesn’t really work as well as having one number per machine: the fancy footwork required to share a number around can limit the kinds of applications you can run, and greatly increase the complexity of some software, such as Skype Internet telephony, if it’s to work at all. NAT has bought us some time – much of Qatar has been known to share one IP address – but it’s spackle covering a rapidly-rusting architecture stretched far beyond its creators’ wildest ambitions.

Which brings us to a more comprehensive solution. Internet technologists did not sit idly by when it became clear IPv4 could not last. Over a decade ago, they specified its successor, IPv6 (don’t ask what became of IPv5), with a few hundred trillion trillion trillion addresses. Such huge swaths of address space promise something even better than a well-functioning market for valuable but limited assets: abundance so great that no market is required, only careful administration. Unfortunately, for IPv6 to work, nearly every piece of networking software and hardware from one end of a data transmission to the other needs to be upgraded. If just one link in the chain hasn’t been upgraded to understand the new numbers, IPv4 will still have to be used.

The idea for transition was that systems would work with both protocols for awhile, and gradually IPv4 would end not with a bang, but with a whimper – fading away like, say, the telegraph or telex addresses that used to share letterhead with telephone and fax numbers. However, even though many operating system and hardware vendors have been anticipating IPv6 for years (current Mac and Windows systems now support it out of the box), there are still gaps in available products and little business dependency on it, and there has been remarkably little deployment. This is consistent with the procrastination principle: the only networks that have deployed IPv6 are those that have found a business model for which it as a requirement. And, because the benefits are, generally, global rather than local to one network, the procrastination principle becomes a Prisoner’s Dilemma: we’re all better off if we all move to IPv6, but the worst case is if you pay to move while others don’t. So why not wait – forever, if others act similarly – for everyone else to do it before making the investment?

We’ve spent a decade with few networks taking the plunge to deploy IPv6.

This holding pattern is not likely to persist. With the larder dry, in the absence of fundamental innovation in Internet Protocol, we’d see an unfortunate ramp up in the use of NAT and its complications, coupled with parties’ tussles over existing ‘pure’ IP addresses like rats fighting over crumbs. Demonstrated shortcomings of the type of IPv4 address sharing include degraded performance of network-intensive web services: web pages where different pieces show up slowly, rather than seamlessly. Customers will not see a poor network connection – they will perceive poor service from the product or company.

More directly, IPv6 is gaining ground among new entrants (who have little choice), so the days of an all-IPv4 Internet are numbered. In developing its broadband strategy, India went for IPv6. New industries looking at wide scale networking are also looking to IPv6 in order to have access to adequate address space, and to be able to build novel network architectures, unencumbered by the structural assumptions needed to support address sharing.

The best future for the Internet is for all networks to deploy IPv6, and pay the price of working in a dual IPv6 / IPv4 world for a period of transition. If companies wait until the business impacts of degraded IPv4 network experience or the identification of opportunities to work with new (IPv6) networks are upon them, the need to make a transition more quickly than a multi-year equipment refresh cycle will likely be more costly and difficult. So how to encourage enough entities to take the plunge?

One way out of a classic problem demanding collective action is through regulation. A government can incent or compel everyone to contribute. However, this would require coordinated regulation across boundaries not recognized by network traffic – the intricacies are daunting, and for the Internet without precedent. And if successful, governments might gain an appetite for controlling the direction of an Internet which previously managed growth and innovation through elective uptake. Few are enthusiastic about mandated transitions.

Another way out is through leadership by big players. For example, governments aren’t just regulators of information technology, they’re purchasers of it. By insisting that government- and military-run subnetworks are IPv6, they’ll stimulate demand for the newer technologies and encourage intertwined private parties to follow suit. The US government’s Office of Management and Budget followed just such a route in 2005, requiring all government services to be IPv6 capable by 2008. In September, Vivek Kundra crystallized requirements for government websites to be IPv6 capable.

China has been leading IPv6 adoption for years, in part because it may otherwise feel the IPv4 number crunch most acutely, and perhaps because the government has determined that it’s in the country’s best commercial interests. Some large companies have placed bets on an upgrade. Google has been public about its activities to deploy IPv6, and a business rationale to not be last to market with IPv6 support.

A cold calculus on such investments for many Net-connected enterprises may indeed suggest holding off. But what has made the Internet better than the more proprietary networks that it eclipsed is that its participants have had a sense of stewardship of the space, justifying the absence of government planners and sheriffs, or a single corporate umbrella. Engineers from the public and private sectors labor on Internet protocols with loyalty to a network functioning as a commons, not simply to their employers’ particular business models. An investment in IPv6 from enough corners is sensible if each corner decides to factor in the benefit to the overall ecosystem – not just itself.

If such capacious thinking comes through, the Internet won’t run out of space – and we can go back to procrastinating on its future.

Jonathan Zittrain is Professor of Law and Professor of Computer Science at Harvard University, where he co-founded its Berkman Center for Internet & Society. He is a member of the Board of Trustees of the Internet Society. Leslie Daigle is Chief Internet Technology Officer for the Internet Society.

The FCC tees up net neutrality

jz — Sat, 04 Dec 2010 03:11:51 +0000

A few months ago it looked like there’d be no action on net neutrality in the US by the FCC or Congress. After some momentum gathered during both the Bush and Obama administrations, a federal court ruling had cast doubt on the FCC’s ability to regulate in the area, and a rancorous election season suggested this wouldn’t find much room within Congress’s agenda.

Then in September the FCC announced that its open Internet proceeding was continuing, and yesterday the commission’s agenda for the December meeting suggests a vote in short order.

While the proposed rules are not yet publicly available, reports drawing from the chairman’s speech yesterday and other talk in DC have something modeled on Congressman Henry Waxman’s draft legislative proposal. The central plank is that broadband Internet service providers — at least non-wireless ones — must let their subscribers get where they want to go on the Internet. An ISP can’t decide, say, that you’re not to be allowed to get to facebook.com or that your service package doesn’t permit streaming video or Internet telephony, each of which could conceivably compete with other services offered by the ISP, such as regular cable television or phone service.

It’s good to have that off the table — it would be awful if ISP’s started to do such things, and the prospect isn’t as far-fetched as it might seem. An ISP might want to charge Facebook or Vimeo or some other content source for the privilege of reaching the ISP’s subscribers, and the most direct way to do that is to threaten to halt the movement of bits from that source until a deal is reached. (This might look something like the recurring fights between the likes of Cablevision and Fox over showing the World Series, though in that case it was the content provider holding out for payment from the cable company. The risk that eager fans might not get to see baseball resulted in calls for FCC and Congressional intervention.)

With a net neutrality rule in place, if a Web site’s bits can’t be stopped in the middle just on the basis of where they came from, the ISP can’t threaten to come between the site and its users. The market alone may not be able to deal with this in the absence of a net neutrality rule, both because there isn’t much competition for broadband at a given location and because it’s good for people to have assurances ahead of time that sites they are beginning a relationship with — as they put photos on Flickr or stow mail on Gmail — won’t suddenly be pulled out from under them, held ransom to extra payments either from the sites or from them.

The telcos and other ISPs seem reconciled to this prospect, at least for wired networks. Now’s the time to lock that in, when such holdups are not central to their business models — not by source, at least — and even application blocking has not historically been a core goal. (To be sure, five years ago at least one U.S. ISP appeared to be blocking an Internet telephony service, and it’s happened elsewhere on a larger scale around the world.)

The FCC rules are said to exempt wireless from this mandate, instead simply requiring transparency about what’s being blocked. [Update: A look at the FCC chairman's speech suggests there may be more than a transparency requirement for wireless; it mentions a "basic no blocking rule" there too. That would track the Waxman bill at p. 4 lines 1-7.] My reaction now is the same as it was when that division between wired and wireless was proposed as part of the Google/Verizon “framework” the two companies released in August. Basically:

Some critics have said: who cares about network neutrality for regular broadband; wireless is the important part.

I’m not so sure. If the framework had said the opposite — Verizon is OK with network neutrality for wireless but not for regular broadband — I can imagine many critics being just as upset, saying that wireless is still ancillary and that full broadband, with consumers’ wi-fi attached, is what really matters. I guess they’d say that both matter. I’m skeptical myself of rules that carve a difference between them — one point of the Internet is to be medium-agnostic — but I’m less inclined to find an evil plan lurking in the differentiation. I can see that bandwidth management, at least, can be more crucial for wireless than wired at this stage in its development, and a Verizon might not feel comfortable having to justify any policies in those terms as an exception to a network neutrality rule. I’m less confident that there’s robust competition in the wireless Internet space — there are still only a handful or providers, and switching among them is costly.

If a basic net neutrality mandate can be established for broadband — not only formally mandated by law (which includes FCC edict), but accepted as doable by the ISP’s — that’s good progress, and a metric against which the wireless ISPs will always be measured. Any protestations that they have to discriminate for the network’s sake — or for the sake of a business model — will be increasingly belied by their wired counterparts’ experiences under no-longer-controversial net neutrality rules. [And if the rule for wireless goes beyond the weak tea of Google/Verizon -- no-blocking as well as transparency -- that much the better.]

Another exception built in is for reasonable network management. Some critics have described this as a hole large enough to drive a truck through. But there has to be some kind of exception. The most obvious example is if a denial-of-service attack is in progress; there an ISP may refuse to carry bits precisely because of the content or purpose of the communication, discriminating by source, and no one would find that unacceptable. Should “reasonable” be stretched too far that could lead to trouble — but the alternative is to try to write down a more detailed set of technical requirements that might become stale very quickly. (I’m also no fan of Internet privacy legislation that makes specific reference, say, to “cookies.”) This is exactly what a commission is for: to lay down principles, to stand by them, and then to adjudicate complaints under them with the benefit of transparency about what’s going on. The ongoing Level 3/Comcast dispute is a great example of the utter rabbit hole of complexity — coupled with obscurity — surrounding some disputes over the movement of bits. There’s no easy rule I can think of to anticipate it, much less resolve it, today. (And on that example, I hope to be part of a Berkman Center podcast next week exploring the topic as a way of thinking through just how unusual and not-fully-realized the economics of Internet connectivity are.)

Finally there is the question — abstruse to anyone who isn’t a student of US telecom law — of whether the FCC should proceed under its “Title I” or “Title II” authority here. You can read some of the details in a guest post by Kevin Werbach at the FCC blog here. Essentially Title I is the weaker brew — so-called “ancillary authority” — and the FCC’s use of it to advance the first round of net neutrality rules is what got it into trouble in the federal court ruling mentioned at the beginning of this post. Title II is stronger medicine, representing a claim to be able to more comprehensively regulate in the area, and ISPs have long rued the prospect of a reclassification of Internet services to Title II. I think whatever works … works. If this can happen with Title I, despite the D.C. Circuit ruling, great. If not — Title II remains a possibility. (Congressional action could clear all this up, of course, but it seems remote that Congress would wade into this once it reconvenes politically divided between House and Senate.)

I’ll read the proposed rules with interest when they’re released. In the meantime, the Chairman’s speech shows the FCC knows what’s at stake and is moving within a field of complex interests and claims to assure an Internet that’s not cantonized, and that is open to new applications and content coming from anywhere, not just incumbents.

As part of a panel on net neutrality yesterday at Yale Law School with Susan Crawford, Dawn Nunziato, and Nick Bramble, I’ve drafted some general thoughts on why net neutrality matters. That should be up on a Yale site next week — I’ll link to it or include a copy here once the essays are released.

The FTC’s do-not-track list

jz — Thu, 02 Dec 2010 20:15:07 +0000

Yesterday the FTC announced a new project to encourage the formation of a “do-not-track” list, where Internet users could opt out of certain kinds of cookie-based Web tracking in one place and for good. The NYT room for debate blog asked for reactions –

It’s amazing to think that the sophistication and intensity of behavioral tracking technologies are primarily for the purpose of targeted advertising: giving dog food ads to dog owners, and homemade veggie burger ads to locavore vegans. All that borderline Orwellian machinery to … offer us stuff we might actually have interest in purchasing. What’s more, if we click on an ad at a favorite Web site, we’re sending money to that Web site. The more relevant the ad, the more clicks we make — and the more money we cause to be sent in support of the site we like. So I can see the worry of making opt-out so easy and permanent that people do it without another thought — and then injure the model that’s bringing them free content.

This feels different to me than a do-not-call list, which seems like an unambiguously good idea. There I’m opting out of getting bothered by sales calls while I’m eating dinner or reading a book. Those calls weren’t underwriting the cost of my food or going to the author of my book. Do-not-track, on the other hand, doesn’t opt out of getting ads at all, it just opts out of having them targeted. If do-not-call didn’t affect how many calls I got — just whether I was getting pitched stuff I was likely to want — I’m not sure I would care one way or the other. I’d hang up on them all.

Nonetheless I support some sort of global do-not-track system. That’s because there are currently no functioning limits on what gets collected and how it is used, and the rise of cookie consortia like Doubleclick means otherwise-unrelated Web sites can all quietly serve as collection points for data about us that gets fed to a central source. If kept for long periods of time and not distilled, that data can prove as revealing about us as, say, our search engine histories. If the data is distilled — say, I’m targeted into old-fashioned advertising categories like “empty nester” or “college wannabe” — I’m much less concerned about its collection in order to better hone my placement.

I’d couple opt-out with some helpful auditing tools. Let people see what’s being collected about them and what impact it’s having. For example, imagine a browser button that toggles between targeted and not-targeted, flipping back and forth between ads in the same space. Users may quickly get a sense of what they prefer, and if they can be assured that they can wipe everything clean at any time after checking out what’s been gathered about them, they might be willing to let the data collection pay out a bit before deciding whether to pull the plug.

The real nightmare scenarios to avoid are not better placed dog food ads. They have to do with varying price or service depending on undisclosed and long-collected behavior cues. Imagine if your wait for a customer service agent — and level of flexibility in making a return on a regrettable product purchase — depended on your overall purchasing (and product return) history across multiple merchants. Or if the price you were quoted (or coupons offered) at Amazon were a function of how quickly you click to purchase something at Etsy? (Those with known itchy trigger fingers don’t get the discount, of course.) Or if your life insurance rates were grounded not just in openly collected facts like a medical checkup, but unexplained variances in what Web sites you elected to visit (backpacked across Europe, did you?).

Bottom line: Web surfers get a bad deal right now; information is collected about them all over the place, and used in murky ways. Let’s empower them to know what’s going on and opt out of practices they don’t like, both prospectively and retroactively. Those options can be honed to eliminate abuses while still touting to people the products and services they want — and that fund the free content and services they already enjoy.