New legislation being considered in Congress would prevent US companies from aiding the censorship and surveillance operations of repressive foreign governments. The Global Online Freedom Act (GOFA), sponsored by Chris Smith (R-NJ), would track foreign Internet monitoring and blocking efforts under a new Office of Global Internet Freedom and would prevent US tech firms from handing over sensitive user information to so-called Internet-Restricting Countries. (Internet Restricting Countries, or IRCs, would be those that were “directly or indirectly responsible for a systematic pattern of substantial restrictions on Internet freedom.” China would be included, of course, but what about Australia or Finland?) On balance, GOFA would help the cause of Internet freedom, or at least provide a better understanding of surveillance worldwide. Yet some of the provisions are misguided, and could actually hurt the cause GOFA aims to further.

Let’s focus on Section 201, which would prevent US companies from “locating” sensitive user information within Internet-Restricting Countries. Just what “locating” means here is not entirely clear: is a Chinese GMail subscriber’s email located on her own computer, in Mountain View, California, or on one of the many routers in between? Regardless, the goal here would be to make it more difficult for Internet-restricting governments to claim jurisdiction over, and gain access to, user data.

Unfortunately, as the Center for Democracy and Technology makes clear (pdf), Sec. 201 would almost certainly fail to achieve its objective, and might actually cause more harm than good. If US companies couldn’t place important servers within IRCs they would be forced to degrade some low-latency services (e.g. IM) and discontinue others (e.g. VoIP). This would discourage US investments in these countries and encourage less scrupulous foreign companies to take their place.

More importantly, Section 201 would be unlikely to impact IRCs jurisdictional claims. As Internet law rapidly evolves, countries have repeatedly and successfully demanded that information be controlled or monitored, even when that information is hosted outside their borders. Forcing US companies to locate their servers outside IRCs would only make their services less reliable; it would not make them less regulable.

If the goal of GOFA is to discourage US companies from violating human rights, then it will probably be successful. But if the goal of the Act is to make the Internet more free and more safe, and not just push rights violations on foreign companies, then more must be done. Here are three suggestions that together might accomplish what Sec. 201 aims to do:

1. Publicize privacy restrictions: If companies are clear with their users that they intend to follow the laws of IRCs, users will be less likely to put dangerous content online. Many of the largest ICT firms are already working in coordination with the Berkman Center to create an industry standard for disclosing their privacy policies.
2. Push privacy protection to the edges: By giving users in IRCs access to privacy protection technologies like Tor or Anonymizer, users will be able to protect their own privacy without government mandates.
3. Make that push to the edges possible: Protections against surveillance are pointless if content is automatically filtered. Congress can mandate export controls against IRCs, preventing US companies from selling filtering technologies to these countries. In fact, GOFA begins the process of mandating just such export controls.

GOFA is, on balance, a step in the right direction. But the problems with Sec. 201 show that the government cannot protect the Internet openness by itself. These suggestions would shift some of that responsibility for protecting freedom and innovation towards interested individuals and responsible companies.

-Brendan Ballou

A new study by Future Source Consulting reports that 1/3 of US residents have copied a DVD in the past six months. This number, high as it is, might not be surprising. What is surprising is how little action the television and film industries (at least in comparison to the recording industry) have taken in response to such commonplace copyright infringement.

Why might this be? Why would content producers fail to enforce their legal right to prevent most of this ripping and sharing? It’s unlikely that film and television producers are unaware of or unconcerned by DVD ripping. Rather, they probably think that this sort of infringement is too hard to prosecute, and that the individual infringers are too “low value” to worthy any sort of extensive legal action. Content producers also probably recognize that at least some of these infringing uses actually add value to their products: ripping a DVD to post clips on an Internet fan page, or sharing a DVD with a friend who becomes an addict of the show might actually increase legal viewership.

What we’re seeing here is the emergence of what Professor Tim Wu calls “tolerated use.” This is use that is not legal, but that content creators take only occasional action to prevent. In this way the specific case of DVD ripping is like Internet users posting copyrighted content onto YouTube, or fans of Lost posting the transcripts of the show on Lostpedia. These sorts of infringing uses are generally hard to prosecute, involve low value targets, and occasionally create marketable opportunities for the original content creator or distributor. Theoretically the content creators could swoop down at any time and stop the unlawful infringement, but for the most part it just isn’t in their interest to do so.

Is tolerated use a good thing? Maybe. In general consumers get to continue to use their technologies in the ways that they want, and content creators get to maintain ultimate control over their products. However, the situation with tolerated use is analogous to the situation with the Facebook API. While coders on Facebook can in theory create most any kind of product they want, Facebook reserves the right to block or impose charges for the product at any point. The coders are free as a matter of fact, but not as a matter of law.

The same situation is going on with DVD rippers and tolerated use. People can rip DVDs, share those DVDs with a few friends, and post clips on YouTube. But they can’t do so “resiliently.” That is, their use could be blocked or controlled at any moment.

This sort of fragility in action almost certainly deters innovation and deprives individual users of a sense of autonomy. In a choice between total technological lock-down and tolerated use, tolerated use is certainly superior. But to the extent that innovation and autonomy are things we value, tolerated use is only a partial solution to over-broad copyright laws; it is not an ideal.

-Brendan Ballou

Larry Lessig’s generous review of the Future of the Internet makes an interesting point:

“Whether a single event, or a coordinated event, whether intentional, or accidental, it is simply a matter of time before a catastrophic network event happens. And when it happens — think of it as a kind of i9/11 event, but the bad guys are not Al-Qaeda — will we be prepared for the inevitable iPatriot Act response? Are we better prepared than civil libertarians were when we were hit with the USA Patriot Act? Have we even framed the right debate?”

First, will there be an ‘i9/11′, and second, will it prompt an ‘iPatriot Act’? The actual chances of a catastrophic network failure are pretty slim. But were one to occur, it would probably look a lot like the attacks on the DNS root servers in 2007. Here’s what happened:

The 13 Domain Name System (DNS) root servers record who controls the Top-Level Domains (’.com’, ‘.edu’, ‘.uk’, and so forth) and where. This file of information is quite small, and very few computers actually have to call upon the root servers to find the sites they’re looking for. But without them, the single Internet we’re used to would fracture, and computers would have no easy, reliable way to find the IP addresses they’re looking for.

On February 6, 2007, hackers issued a Distributed Denial of Service (DDoS) attack on the root servers, sending gigabytes of useless requests every minute in order to overload the roots and prevent them from responding to genuine Internet traffic. Such an attack was made possible only by harnessing the power of hundreds or thousands of ‘zombie’ computers infected with malicious bots.

The 2007 DDoS attack failed, however. Because the malicious network traffic was relatively easy to distinguish from genuine network traffic, and because most of the DNS root servers were able to distribute the requests over hundreds of component computers, only two of the 13 servers (each themselves made of dozens of computers) were affected. And this was the most successful such attack against the network. In order to noticeably disable network traffic, hackers would have to (in theory at least) destroy all thirteen servers.

All of this is to say that a catastrophic network failure, while possible, is unlikely. But that’s not to say there won’t be an ‘iPatriot Act’. In fact, we’re already seeing its development in agencies and hearings across the country, as regulators push policies that discourage open, generative products and encourage closed, tethered ones.

Take, for example, the Department of Homeland Security’s list of ‘best practices’ for software developers. Among the suggestions:

Don’t trust users: “Developers should assume that the environment in which their system resides is insecure. Trust, whether it is in external systems, code, people, etc., should always be closely held and never loosely given.”
Secure the end-points: “Attackers are more likely to attack a weak spot in a software system than to penetrate a heavily fortified component. For example, some cryptographic algorithms can take many years to break, so attackers are not likely to attack encrypted information communicated in a network. Instead, the endpoints of communication (e.g., servers) may be much easier to attack.”

In themselves these are not bad pieces of advice. But within DHS’s broader vision of online security, they indicate that the government considers safe technologies to be tethered technologies, and vice versa.

Take as further examples any of the current IP-enforcement laws working their way through Congress. H.R. 4279 would create an IP czar at the Department of Justice; S. 522 would create an entire ‘Intellectual Property Enforcement Network’; and S. 2317 would allow the Department of Justice to sue copyright infringers in civil as well as criminal court.

What’s interesting about these bills is that more often than not, Intellectual Property protection is packaged as consumer protection. In fact, just last month the Senate held a hearing entitled “Protecting Consumers by Protecting Intellectual Property”, in which witnesses and legislators advocated for the very bills discussed above.

What all of this amounts to is that agencies and officials are pushing increasingly closed systems of code and increasingly strict Intellectual Property regulations. Both of these encourage increasingly tethered appliances. We don’t need a catastrophic network failure to have an ‘iPatriot Act’: such an act is already in the works.

Techcrunch is reporting that Facebook has poached Elliot Schrage from Google as its new VP of Communications and Public Policy, and that one of Elliot’s jobs will be to manage the Facebook development platform, where outsiders can write code to run on Facebook — from the bitten-by-a-vampire app to Scrabulous.

Techcrunch speculates that this reflects a realization that much of the Platform is political, not technical.  Because the architecture naturally allows Facebook to control which apps run, and how they run — a big difference from the relationship of a traditional PC OS maker to PC app developers — someone able to act sensitively to public and political opinion would be helpful.  Facebook, like other Web 2.0 software-as-service counterparts like Google Apps, is entering the governance business.  It’ll be interesting to see how decisions will be made — or even if we can see how decisions are made — about what is banned and what is not.

Recently SuperWall was put in the dock, and Secret Crush was killed several days after Wired reported that it came bundled with spyware (and the maker, Zango, denied).

We’ll see the same phenomenon with the new iPhone apps platform, where Apple reserves the right to determine what will run and what won’t.  Adam Thierer over at Tech Liberation points to the hacking of the latest iPhone as evidence that we’re not about to enter an era of centralized control.  Putting aside that case for the iPhone — as a tethered device it can always be reflashed by Apple to eliminate hacks, especially those installed by non-techies just trying to double-click on something to run an unapproved app — it’s much more difficult to hack software-as-service platforms with apps not desired by the platform makers.

The new iPhone was released today at AT&T and Apple stores around the country. For people who missed the phone the first time around, or who didn’t want to pay $599 and a two-year contract, or who just really want a GPS system, this may be important. But for developers, the new iPhone won’t change much. As JZ posted, coders will have to wait up to six months to get their programs vetted by Apple. This sort of lock-down hurts innovators and hurts consumers.

But it isn’t the only kind of lock-down Apple is pushing. Like the original one, this new iPhone will remain tethered to the AT&T network. Customers can buy a phone for $199-$299 so long as they sign up for a 2-year contract, or they can pay up to $699 upfront with no such requirement. But either way, users cannot bring the iPhone to a new carrier without hacking it. (Which raises the question: why would anyone pay $699 for a phone without a contract? That’s an awful lot of money for an iPod Touch with a camera.)

This sort of locking hurts consumers where AT&T has no network, or where the network is unreliable. It also hurts consumers who want to shop for different coverage plans, who want to mix-and-match phone and data services (maybe get AT&T’s 3G data service, but Verizon’s voice service), or who want to use different contracts when they travel abroad.

And it hurts innovation as well. After all, if you’re a potential developer, would you invest your time coding an application that only works on one network? And would you invest time in an application that can be blocked by AT&T at any time? You might, but in general these sorts of controls make innovation on the iPhone less attractive and less likely.

So why does Apple do it then? Because it has no interest in helping independent innovators. They’ve locked the code and locked the phone to the network so that they can better monetize any future applications developers might produce (not to mention that this lock down fits quite nicely with AT&T’s own business plan). The result is that Apple and AT&T gained almost complete control over the iPhone, but at the cost of innovation.

Tom Standage of the Sunday Times makes an interesting point in his review of The Future of the Internet:

“Zittrain insists that generativity at the code level is the most important kind, but it is not clear that this is really under threat. In the early days of home-computing, most enthusiasts learnt the essentials of programming. (Remember Basic?) As other uses such as word-processing and e-mail came along, computers became general-purpose tools, and sales went up. Did it matter that the proportion of users who actually learnt how to program declined? Of course not. As long as some people know how, most do not have to. And as long as there are hundreds of millions of PCs out there, innovation on the internet will continue. Despite Zittrain’s concerns, the emergence of other, simpler internet-access devices alongside PCs seems unlikely to change that.”

The question Standage is asking – and it’s one that’s been echoed here and here – is this: why will my iPhone hurt the Internet’s generativity (that is, its capacity for innovation and creation)? If I’m not a programmer, does it matter that I’m not allowed to program my phone? The simply answer of course is no, it doesn’t matter. But the overall market for appliances like the iPhone does matter, and unless we act as responsible consumers, this market for “tethered” appliances – those that do not allow user innovation and that remain controlled by the manufacturer – might destroy the market for generative ones.

Let’s look at a few statistics. Contrary to popular wisdom, a huge percentage (pdf), and in some industries a majority, of product innovations are created by consumers, not manufacturers. When a consumer added foot straps (pdf) to a windsurfing board to control his movement mid-flight, he exploded the market for competitive windsurfing. When Linus Torvalds (pdf) started an open-source operating system, he inadvertently created a technical-support market for businesses like Red Hat and IBM. These specific examples are huge innovations, creating whole new companies and industries. Most user-generated innovations are not nearly so large. But they are still significant. Over 60% of innovations in the semiconductor industry come from semiconductor users, not manufacturers; over 70% of innovations in the scientific instrument industry come from users. And these user-driven innovations are generally qualitative improvements of their products. That is, users generally add new features and new functionality to the products they use; manufacturers generally make existing functions and features more useful.

Yet most of the innovations come from a minority of users. Only about 10-40% of users in a particular field modify their products (pdf). What this means is that the ‘generative’ market - that is, people who add functionality to the products they use - is not large.

Should we expect Apple to produce two iPhones: one ‘tethered’ phone for consumers worried about security and reliability, and one ‘generative’ phone for the 10%-40% of consumers who want to modify their phones? Probably not. Apple and companies like it lock down their products specifically to stop ‘generative users’ from modifying their products. After all, if a generative user fixes a bug or creates a new killer app, how can Apple monetize that user’s creation? Better, Apple executives think, to let such problem solving and innovation occur ‘in house’.

From all this we can draw two conclusions. First, generative technologies are worth sustaining as innovation enabling devices. But second, because only a small percentage of the market actually innovates, generative technologies are not self-sustaining.

The good news however, is that we can protect generative technologies by acting as responsible consumers. Does this mean putting ‘Certified Generative’ stickers on products that enable innovation, on par with ‘Certified Organic’ stickers in grocery stores? Maybe. But more likely it means using good passwords, not opening unknown email attachments, and running community safety programs like Herdict. It means using technologies responsibly, so that generative machines are just as safe and reliable as tethered ones.
Generative technologies – technologies that allow users to innovate – are worth sustaining. And I believe that through responsible shopping and surfing, the market for these generative technologies can be sustained.

The Silicon Alley insider is reporting that would-be iPhone application developers — at least those who aren’t well connected — can be waiting up to six months to be accepted into the Apple iPhone developers’ program.  Only those in the program can submit apps to be distributed through the iPhone Apps Store, and with several minor exceptions the Apps Store is the only way to get an iPhone app distributed to the public.  And once an apps is submitted, there’s still a review by Apple — which can reject it for any reason or no reason at all.

Perhaps ongoing delays will prompt Apple to open up a bit — but Steve Jobs rightfully might be more concerned about the “three apps” problem:

“You don’t want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn’t work anymore. These are more like iPods than they are like computers.”

Of course, that was when Jobs didn’t want the iPhone to be open to outside applications at all.

Thanks to everyone who tuned in to the June 17 ‘08 Colbert Report, including those who switched away from the last quarter of the Celtics championship.

Here’s a direct link to the video.

Is it geo restricting, i.e. are there some who can’t view it because of location?  If so we can look for an additional source.

Adam Thierer has posted a thoughtful review of the Future of the Internet. He picks up on something that others have mentioned that I don’t realize I appear to suggest: that my distinction between sterile and generative technologies appears to be too much of a dichotomy, and that I think that only generative technologies are good ones.

I don’t mind sterile technologies in principle — I like the idea of taking the rough-hewn innovations that spring from the Internet and packaging them into cleaner, more reliable forms. I love my TiVo. (Indeed, that used to be the first sentence of the book. Then I went with the iPhone.) I even appreciate that sterile technologies can come about without having to emulate the products of generative ones — not every toaster comes from nerds experimenting with heating elements.

My worry, though, is that we’ll lose a sense of equilibrium between the generative and sterile spheres, and that the emergence of contingently generative technologies — platforms that are open to third party innovation at first, but then close off selectively — will squeeze out fully generative technologies, to the detriment of innovation and enhancement of exquisite regulatory control. This is in part because the amateur nerds that drive innovation here rarely read the fine print; teenagers will code for the Facebook, iPhone and Google platforms without thinking about the ways in which their advances can be eliminated or proprietized.

Adam’s point of view is sympathetic to markets and skeptical of government intervention. He rightly asks why the market doesn’t just solve this. For that, I point to my reply to similar questions raised to parts of FOI that have been excerpted in the Boston Review:

Will the market solve this problem? Generative technologies allow consumers to become participants: to change technologies for themselves or to adopt improvements offered by others not operating through the usual mechanisms of the firm. Whether this is a market force depends on how broadly we define the term. Is any voluntary behavior endogenous to a market? Or are only those choices that have to do with purchases? If a group of people coalesces in Central Park for a game of Ultimate Frisbee, is the market for Ultimate working its magic? The question is important because often we rely too readily on the solutions proposed by firms and government. If there’s litter in a public space, the government should fine violators and clean it up, or pay a firm to do so. But the amount of litter in a park may depend not so much on the rules against it or the schedule for cleaning, but rather on the habits and normative commitments of the people who use it.

The solutions to the generative dilemma that I find most interesting are ones that don’t assume a zero-sum tradeoff between generativity and security. If we narrow ourselves to firms offering some devices that are generative but quickly compromised, and others that are sterile or contingently generative, but incapable of generating whimsical change, the market will no doubt achieve equilibrium somewhere along the axis. Bruce Owen figures that demand will create supply and the optimal point will be achieved. But Owen’s faith in the market ignores the role that a civic instinct can play if people take shared responsibility for their own and others’ security. To do so, they will need certain tools. But those tools may not be money makers, thus the market may not produce them. If the reply is “well, yes, but someone named Jimbo was moved to produce Wikipedia, and his charity is part of the market,” then the market is circularly defined as every possible action by someone. We can contribute more to our shared public life than what results indirectly through our buying or voting.

Moreover, the market may have trouble pricing the benefits of generative platforms. Behavioral economics is beginning to confirm the conventional wisdom that people do not plan very well. This is true in the PC market where people making platform investment decisions rarely weigh the unknown as part of their thought processes. They buy the PC for email or Web surfing, and only later find that it can be used for Internet telephony. And often the platform’s buyer is not the same as the user. Much of the revolution in PC software has taken place through user adventurousness on office computers acquired by companies for other reasons. What the economists might call an “agency gap” has produced great things. The true value of generative technologies is too easily dismissed when portrayed, á la Owen, as “the extent to which end-users and their communicants may indulge the whim to customize these tools.” What’s at stake is not just setting wallpaper style on your iPhone, but the very Net generativity that has facilitated entire new markets and social relationships.

Looking back, the market produced some sterile, competing consumer networks—CompuServe, the Source, and the like. Non-market forces led production on another course—the Internet. To be sure, the Internet’s reach was greatly extended through its later commercialization, but had the Internet’s architecture been obvious enough for the market to discover it, no modest government subsidies would have been needed. Sperry Rand, IBM, and Prodigy would have easily outpaced academics in producing the technologies underlying the dot-com boom. They did not.

I imagine Adam might agree with me on not reaching too quickly to government for solutions — the question is whether some of the cooperative solutions (rather than regulatory interventions) I suggest have any traction for a market-oriented thinker.

A lot of my recent work concerns how vulnerable the Internet is to bad code — in particular, how easily the generative PCs hooked up to it can find themselves reprogrammed for worse, in a heartbeat, either by drive-by downloads that sneak onto the machine or by code that the user affirmatively (but foolishly) asks to install.

The response to the claim that there’s a real problem here is sometimes that it’s Microsoft’s fault. For example, I endured benefited from a drubbing set of comments along these lines on Groklaw on the paper I wrote first discussing the issue.

But the fact is that (1) Macs have their own security vulnerabilities; (2) interoperability creates avenues for infection that can cross platforms; and (3) the core problem is that generative platforms — where people can choose what code to run — are all vulnerable to people being tricked into running the wrong code. For example, now there’s a fake codec floating around targeting Mac users. Being only 5% of the installed base can only go so far to help one avoid the baleful attention of malware authors!

Thus our efforts at StopBadware …