
An interview with John Batelle on The Future of the Internet

August 15th, 2011  |  by jz  |  Published in Future of the Internet

John Battelle asked me a few Qs about my thinking on the themes in The Future of the Internet in the three years since the book came out (four since it was drafted!).  John’s review is available on his blog, and I’ve reproduced the core of it here:

JBAT:

- You wrote the Future of the Internet three years ago. It warned of a lack of awareness with regard to what we’re building, and the consequences of that lack of attention. It also warned of data silos and early lockdown. Three years later, how are we doing? Are things better, worse, the same?

And a follow up. On a scale of one to ten, where one is “actively helping” and ten is “pretty much evil,” how do the following companies rate in terms of the debate you frame in the book?

- Google (you can break this down into Android, Search, Apps, etc)

- Facebook (which was really not at full scale when you published)

- Apple

- Twitter

- Microsoft (again break it down if you wish)

Thanks!

JONATHAN ZITTRAIN:

Sorry this took me so long! I got a little carried away in answering –

- You wrote the Future of the Internet three years ago. It warned of a lack of awareness with regard to what we’re building, and the consequences of that lack of attention. It also warned of data silos and early lockdown. Three years later, how are we doing? Are things better, worse, the same?

It’s the best of times and the worst of times: the digital world offers us more every day, while we continue to set ourselves up for levels of surveillance and control that will be hard to escape as they gel.

That’s because the plus is also the minus: more and more of our activities are mediated by gatekeepers who make life easier, but who also can watch what we do and set boundaries on it — either for their own purposes, or under pressure from government authorities.

On the book’s specific predictions, Apple’s ethos remains a terrific bellwether. The iPhone — released in ’07 — has proved not only a runaway success, but the principles of its iOS have infused themselves across the spectrum. There’s less reason than ever to need a traditional PC, and by that I mean one that lets you run whatever code you want. OS X Lion points the way to a much more controlled PC zone, anyway, as it more and more funnels its software through a single company’s app store rather than from anywhere. I’d be surprised if Microsoft weren’t thinking along similar lines for Windows.

Google has offered a counterpoint, since the Android platform, while including an app store, allows outside code to be run. In part that’s because Google’s play is through the cloud. Google seeks to make our key apps based somewhere within the google.com archipelago, and to offer infrastructure that outside apps can’t resist, such as easy APIs to geographic mapping or user location. It’s important to realize that a cloud-based setup like Google Docs or APIs, or Facebook’s platform, offers control similar to that of a managed device like an iPhone or a Kindle. All represent the movement of technology from product to service. Providers of a product have little to say about it after it changes hands. Providers of services are different: they don’t go away, and a choice of one over another can have lingering implications for months and even years.

At the time of the book’s drafting, the alternatives seemed stark: the “sterile” iPhone that ran only Apple’s software on the one hand, and the chaotic PC that ran anything ending in .exe on the other. The iPhone’s openness to outside code beginning in ’08 changed all that. It became what I call “contingently generative” — it runs outside code after approval (and then until it doesn’t). The upside is that the vast creativity of outside coders has led to a software renaissance on mobile devices, including iPhones, from the sublime to the ridiculous. And Apple’s gatekeeping has seemed to be with a light touch; apps not allowed in the store pale in comparison to the torrents of stuff let through. But that masks entire categories of applications that aren’t allowed — namely anything disruptive to Apple’s business model or that of its partners or regulators. No p2p, no alternate email clients, browsers with limited functionality.

More important, the ability to limit code is what makes for the ability to control content. More and more we see content, whether a book, or a magazine subscription, represented in and through an app. It’s sheer genius for a platform maker to demand a cut of in-app purchases. Can you imagine if, back in the day, the only browser allowed on Windows was IE, and further, all commerce conducted through that browser — say, buying a book through Amazon — constituted an “in-app purchase” for which Microsoft was due 30%?

A natural question is why competition isn’t the answer here — or at least reason to not worry about the question. If people thought the iPhone made for a bad deal, why would they want one? The reason they want one is the same thing that made the Mac so appealing when it first came on the scene: it was elegant and intuitive and it just worked. No blue screen of death. Consistency across apps. And, as viruses and worms naturally were designed for the most common platform, Windows, those 5% with Macs weren’t worth the trouble of corrupting.

We’ve seen a new generation of Mac malware as its numbers grow, and in the meantime a first defense is that of curation: the app store provides a rough filter for bad code, and accountability against its makers if something goes wrong even after it’s been approved. So that’s why the market likes these architectures. I’ll bet few Android users actually go “off-roading” with apps not obtained through the official Android app channels. But the fact that they can provides a key safety valve: if Google were to try the same deal as Apple with content providers for in-app content, the content providers could always offer their wares directly to Android users. I’m worried that a piece of malware could emerge on Android that would cause the safety valve of outside code to be changed, either formally by Google, or in practice as people become unwilling to drive outside the lanes.

So how about competition between platforms? Doesn’t that keep each competitor honest, even if all the platforms are curated? I suppose: the way that Prodigy and CompuServe and AOL competed with one another to offer different services as each chased subscribers. (Remember the day when AOL members couldn’t email CompuServe users and vice versa?) That was competition of a sort, but the Internet and the Web put them all to shame — even as the Internet arose from no business plan at all.

Here’s another way to think about it. Suppose you were going to buy a new house. There are lots of choices. It’s just that each house is “curated” by its seller. Once you move in, that seller will get to say what furnishings can go in, and collects 30% of the purchase price of whatever you buy for the house. That seller has every reason to want to have a reputation for being generous about what goes in — but it still doesn’t feel very free when, two years after you’re living in the house, a particular coffee table or paint color is denied. There is competition in this situation — just not the full freedom that we rightly associate with inhabiting our dwellings. A small percentage of people might elect to join gated communities with strict rules about what can go inside and outside each house — but most people don’t want to have to consult their condo association by-laws before making choices that affect only themselves.

Read more: http://battellemedia.com/archives/2011/08/the_future_of_the_internet_and_how_to_stop_it_-_a_dialog_with_jonathan_zittrain_updating_his_2008_book#ixzz1UqekZMs1

FOI Topics and Links of the Week

June 6th, 2011  |  by Jennifer  |  Published in Android, censorship, cybersecurity, filtering, Future of the Internet, Generativity, iphone, privacy

IR-transmitted metadata. Last week, Apple filed for a patent on an iOS camera that can detect infrared in addition to visible light. If a user aims the camera at an object that is sending out additional information about that object in the IR band, the camera transmits that information to the device, and potentially also to the user. This technology could be used to disable the camera at classified government outposts; automatically blur out copyrighted background or foreground images (or, for regimes not squeamish about censorship, disfavored images); provide an automated tour of a city or museum, instead of using traditional visible signs and placards; or even transmit personal requests: “Please don’t photograph my house.” “Please don’t post pictures of my eight-year-old on public sites.” The IR metadata could also be recorded so that it would persist each time the image was transmitted across the internet.

Google wrestles with the generative trade-off. Security experts have found another set of malicious apps in the Android Market and discovered that Google Docs regularly hosts phishing sites.

Falun Gong sues Cisco for facilitating official Chinese repression. Members of Falun Gong have sued tech giant Cisco in a U.S. court, alleging that the company customized its technology to meet government tracking and censorship needs and helped design China’s Golden Shield, the country’s infamous online censorship and surveillance firewall. The group also claims that Cisco marketed its technology as a tool to target government dissidents.

Hargreaves Review published. The review evaluates the fitness of the UK’s intellectual property regime for an internet age. It finds that IP laws put in place several hundred years ago are now stifling modern innovation and goes on to make ten specific recommendations for IP law reform to correct the problem. These recommendations include approaches to clearing patent thickets; dealing with orphan works; and transitioning to evidence-based, rather than lobby-based, IP policy; as well as rejection of a US-like fair use limitation.

Facebook users benefit from a Web of Trust. Clicking a link on your Facebook page that the crowdsourced Web of Trust service has identified as spammy or malicious will now bring up a warning that you may want to avoid the suspect site (and also check out Wikipedia entries on malware and phishing).

iFlowReader closes. Independent iOS e-book retailer iFlowReader shut down at the end of May. According to the company, Apple’s new e-book seller rules made it impossible to turn a profit. (The rules require sellers to give Apple a 30% cut of sales while at the same time limiting the seller to only a 30% commission, so the seller gets the commission from the publisher but then owes it all to Apple.) Company execs expressed frustration that, in their view, Apple maintained complete control over its platform and felt free to change the rules on developers, even after they, relying on the old rules, had been induced to make significant investments.

TiVo and EchoStar settle. The case involving a judicial order to EchoStar to send a remote signal disabling its customers’ DVRs ended in a whimper last month when the parties settled after the Federal Circuit held that EchoStar had waived its arguments that the disablement provision was vague and overbroad. EchoStar had asserted that it legally should not have been forced to disable the DVR boxes because it implemented a design-around instead so that the boxes no longer infringed TiVo’s patents. But the court didn’t reach the merits of this argument, since it held that the time to raise such issues was before the district court found EchoStar in contempt. So while we know that the Federal Circuit doesn’t have a problem with trial courts issuing a disablement provision to remedy patent infringement, we still don’t know whether the infringing party could avoid disabling its users’ products by pushing an update that replaced the infringing technology with a non-infringing alternative.

—Jennifer Halbleib

FOI Topics and Links of the Week

May 5th, 2011  |  by Jennifer  |  Published in Android, cybersecurity, Future of the Internet, Generativity, iphone, news, privacy

Smartphone tracking data. Two researchers reported last month that Apple has been storing time-stamped location information on users’ iOS devices since June. An unencrypted file with these data is saved onto a user’s computer each time she syncs her device with it, as well. Apple appears to have good reasons for collecting the location information, but mistakenly stored data long-term on the device and collected it even after users turned off all location services. The company says that a fix is on the way. Google’s Android phones collect similar location information, although tracking is opt-in, difficult to use to trace a particular person, and can be disabled by the user. Both companies are being sued.

The U.S. government uses a PC control switch? The U.S. federal government obtained a temporary restraining order in April that allowed it to send to private computers unwittingly part of a massive criminal botnet a command that disabled the malware. In the past, the government has cut off or seized the command-and-control servers and computers that run a botnet, but here – without notice, because federal agents were still trying to collect the IP addresses of infected computers – the government issued a command to personal computers owned by innocent targets of the Coreflood botnet. Arguably, since Coreflood steals private data and loots victims’ bank accounts instead of just generating huge amounts of spam, the government had sufficient justification to order citizens’ (and non-citizens?) computers to kill the program. But in addition to concern that the command itself might unintentionally damage some private machines, such a path may be quite slippery. After all, prevention may be cheaper than disease; why shouldn’t the government push security software to all personal computers? And why shouldn’t it monitor citizens’ online activity to make sure they aren’t downloading programs from malicious sites? Nonetheless, how different is the command in this case from required residential building and health standards or mandatory vaccinations for schoolchildren? The government regulates personal safety in the real world when it implicates the broader public good, why shouldn’t it do the same online? And in the end, an individual can avoid running the command on his computer (and dodge the botnet risk, too) by simply disconnecting from the Internet.  Of course, that makes the computer slightly less useful.  The phenomenon is reminiscent of this Wired account from 2003, though note the reporter’s credibility appears to be in question.  (!)

Google’s questionable Grooveshark takedown. Last week, the Electronic Freedom Foundation criticized Google for removing the popular music service Grooveshark’s app from the Android Market. Google has said that it was responding to an RIAA complaint but has not explained the basis of that complaint. The company did not require notice before the takedown as provided for by the Digital Millennium Copyright Act. If the complaint was grounded in copyright, EFF noted that Google’s actions departed from its longstanding position of requiring such valid notice before takedown. Because the move coincided with Google’s testimony before the Senate Judiciary Committee, EFF speculated that it was designed to mollify any Congressional skepticism that Google was not committed to copyright enforcement.  Note that apps can still be added to a phone without having to go through the Android Market.

More consumers demanding iPads in place of laptop PCs. Last quarter, Apple’s profits exceeded Microsoft’s for the first time since 1991. Overall PC sales declined 2%, consumer PCs dropped 8%, and netbooks – the inexpensive and mobile generative PCs most similar to tablets like the tethered iPad – fell 40%.

Translating iOS to WP7. Meanwhile, Microsoft is contesting Apple’s dominance of the tethered device market. Microsoft now offers a tool that helps developers convert their iOS apps to Windows Phone 7 apps. It maps the WP7 application programming interface – the set of definitions and rules an app uses to communicate with the phone’s operating system – onto the iOS API, making it easier for developers to port their apps to WP7, giving Windows Phone 7 users access to more apps, and allowing Microsoft to compete with Apple in app marketplace size and range sooner.

And a related discussion of generative PCs and tethered devices including thoughts on JZ’s thesis in the book, as well as a take on his concerns about crowdsourced work.

—Jennifer Halbleib

Why buy a PC when you can rent an un-PC?

May 2nd, 2011  |  by jz  |  Published in Future of the Internet

Rumor — and that’s all it is — is that Google will announce a $10/month Chrome OS laptop rental.  That such a rumor could be credible, whether or not it actually bears out, is a testament to how much our IT ecosystem has evolved in just the past few years.  I’ve long been concerned about the death of the PC, whether through the “appliancization” of our endpoint devices like smartphones or through increasing reliance on what’s now known as the Cloud: running our apps, and keeping our data, online instead of on devices that we own.

A rented laptop only makes sense when there’s nothing that will end up on the unit that would make it difficult to lose or trade in.  And that’s the promise of Chrome OS and the cloud: the keyboard and screen are generic; everything interesting happens online, either on the public Web or behind the gates of a user’s various online accounts — Gmail, Facebook, etc.

There’s nothing inherently wrong with that, just as there was no inherent ethical case to a decision between an old-fashioned answering machine (keeping your phone messages at home) and voicemail (keeping them … in the cloud).  (Remember when people called each other and left messages?)

The reason I’ve singled out the PC’s future is because it’s a bellwether for how much we get to control the code we run and the data we accrete.  In the good old days we effectively bought software (its own claim to being merely licensed notwithstanding) and stored our data in our plain view.  So long as we didn’t lose or munge our laptops we knew where our data was — and wasn’t.

As abundant, saturating network connectivity makes it more sensible to store stuff on others’ faraway servers, it’s all the more important that we establish technical and legal architectures to preserve our primacy in choosing what code to run and what data to associate with ourselves.  I have some thoughts on how to do that here and here.

Update [11 May 2011]: The rumors appear to be true.

(Western) Internet Censorship Providers

April 25th, 2011  |  by Jennifer  |  Published in filtering, opennet initiative

Last month the OpenNet Initiative published a report that shines light on one of the more sensitive business practices of Western Internet security and filtering companies. These companies – including McAfee (an Intel subsidiary), Websense, and Netsweeper – promote their filtering technologies in the West as tools for parents and schools trying to shield children from online pornography and employers looking to maintain a professional work environment. But they also appear to make their software and URL categorization services available to state-run ISPs and telecoms in Middle Eastern and North African countries, such as Bahrain, UAE, Qatar, Oman, Saudi Arabia, Kuwait, Yemen, Sudan, and Tunisia. These ISPs and telecoms, and the governments behind them, use the software to filter out Internet content that they don’t want their citizens to see.

What content? Well, depending on the Western software company, any of the millions to billions of websites that the company has categorized. And the categories, of which multiple companies boast that they have more than 90, range from porn and violence, to dating and filesharing, to politics, religion, and even anonymizers. All the repressive regime has to do is to buy the software, pay the Western company to maintain the database of categorized websites, click the check boxes next to the categories of sites that it doesn’t want its people to access, and voilà, the Western company has commercialized censorship. As the report puts it, “This is not simply a case of a general purpose, neutral tool being used for an end not contemplated by its maker. The filtering products of today engage in regular communications with their makers, updating lists of millions of websites to block across dozens of content categories, including political opposition and human rights.”

The report illustrates how the categorized lists these companies maintain tend to be overinclusive – after all, a governmental customer is unlikely to care if more speech is censored than necessary as long as nothing that it doesn’t want its citizens to see gets through. Furthermore, to give a repressive state the flexibility it needs to oppress effectively, most Western companies also allow their governmental customers to create user-defined lists of sites to filter, in case there is additional content that the government wants to block. Finally, some combination of the Western companies and the governments who use their products has recently moved to obscure attribution of filtering to these products, so citizens – and groups like the OpenNet Initiative – have a hard time determining who is allowing their government to censor the Internet.

It doesn’t have to work this way. Western companies don’t have to sell their filtering tools to repressive regimes – or any government or state-run ISP. They could limit customers to individuals and private employers. Moreover, they don’t need to maintain lists of categorized sites at all. And even if they want to keep lists of violent or pornographic sites for legitimate users, classifications such as “politics,” “religion,” and “privacy” are inexplicable unless the Western company is actively trying to help its governmental customers muzzle speech, and inexcusable then. Therefore, at a minimum, the Western companies could get rid of many of their categories.

Risks would still exist. Governments could steal the technology, as Iran may have done with McAfee’s SmartFilter. And in certain cases, repressive regimes could adapt free software developed for innocuous purposes to filter their citizens’ Internet. These risks – and others – may be sufficient to counsel against supplying anyone with any tool that can be repurposed for state-level censorship. But at the very least, Western companies shouldn’t be continuously complicit in government Internet censorship by selling repressive regimes the software and regularly providing them with updated lists of sites to filter.

It’s remarkable how brazen these Western filtering companies are. For example, one American company, Websense, has an explicit policy not to facilitate government censorship, except to restrict pornography. But among its nearly one hundred classifications listed in the report are such categories as “Advocacy Groups,” “Traditional Religions,” “Political Organizations,” and “Educational Institutions.” Perhaps Websense can articulate a legitimate reason for these categories, but it seems a stretch to relate them to “Adult Content,” which is a separate category in any case.

Another company, Netsweeper, is apparently perfectly willing to exploit the freedom of foreign peoples by selling its software to government-backed ISPs looking to “block inappropriate content to meet government rules and regulations ‘based on social, religious or political ideals.’” Meanwhile, McAfee remains mum on how its relationship with repressive governments plays into its business conduct and ethics policy.

In an online world where we condemn oppression of a single netizen as cyberbullying, what do we call the conduct of Western companies that collude with governments to oppress an entire citizenry? Cyberrepression? And should companies that ostensibly exist largely to give parents the control needed to shield children from harmful Internet content be surprised if the government that created them exerts another form of parental control – the kind that parents use on poorly-behaving children with no self-control – by regulating the companies’ own asocial behavior? After all, if corporations have rights and obligations based on the legal fiction of corporate personhood, then these companies are the all-too-real sociopaths of the corporate world.

Even better, customers in Western countries can send a free-market message to these companies without having to resort to a regulatory intermediary: such duplicitous behavior – marketing software in the West as a tool to empower parents and businesses but in the Middle East and Africa as a tool to enervate a state’s citizenry – isn’t acceptable. We shouldn’t buy software that’s supposed to protect if its maker also sells it as a means to abuse.

—Jennifer Halbleib

FOI Topics and Links of the Week

March 31st, 2011  |  by Jennifer  |  Published in Android, blackberry, Future of the Internet, iphone, kindle

Amazon strong-arms a third-party Kindle service. Amazon shut down Lendle, a popular Kindle service that allows users to lend their books to strangers, last week because it didn’t “serve the principal purpose of driving sales of products and services on the Amazon site.” Two days later, after customers tweeted their displeasure, Amazon informed Lendle of the specific feature that got the service blocked. That feature, Book Sync, scraped the Amazon site itself to determine which books in a user’s library were lendable (not all are). Lendle removed it and is now back up and running. Axing a company’s service to your platform without notice or an opportunity to address the issue is a severe sanction and may intimidate service providers to comply rather than publicly balking at your demands. Here, Lendle disabled the offending feature without a row. Then again, maybe the company knew all along that Book Sync violated Amazon’s policies. While Lendle could argue that Amazon shouldn’t restrict harmless features of third-party services, flagrantly violating those policies could lead Amazon to boot a service.

While Apple and RIM pull the plug. This week both Apple and RIM removed controversial apps from their official app stores. Apple pulled an iOS app from Exodus International that propounded techniques and resources to treat homosexuality. And after several U.S. senators urged Apple, RIM and Google to remove the PhantomAlert app, which maps locations of nearby DUI checkpoints, from their respective app stores, RIM complied. So far, Apple has not removed PhantomAlert and Google refused to pull the app, saying that the app does not appear to violate Android content policies. Apple’s ultimate decision may shed some light on how it views its role as a benevolent gatekeeper: under what circumstances will Apple feel the need to step in and protect users from apps that are legal and don’t harm the device or expose personal data, but nevertheless contain content that users find offensive or believe is personally harmful? Similarly, should Exodus International come out with Android and BlackBerry apps, it will be interesting to see where RIM draws that line – and whether Google draws it. Of course, even if Google were to remove such apps from its official Market, Android’s open platform means that users could still download them from third-party app stores and sites.

And Google flips the kill switch. While Android owners may download third-party apps from Web sites that are independent of the official Android Marketplace, Google retains the power to reach in and remove apps from the phone without the owner’s permission. It recently did just that with over fifty apps containing code that, apparently as an initial step towards constructing a mobile botnet, rooted users’ phones. In this case, the apps were malicious and free. Google prevented users’ phones from co-option by a botnet and the users weren’t out any money. But by highlighting the precision and efficacy of tethering, Google may have put its remote kill switch on the table as a means for removing any illegal content. TiVo v. EchoStar showed us that some courts are willing to force an infringer to reach in and disable infringing devices that users have already purchased and installed in their homes. Courts may be less inclined to take such action against illegal content on a cell phone if it similarly means basically bricking the device. Cutting off innocent users’ phone service would be a much more disruptive remedy than frying their DVRs. But since Google has just demonstrated that it can excise the offending content specifically, why wouldn’t litigants ask courts for it as a remedy?

In the end, all four platforms decided what exactly their users own. Users buy a device, but what that device actually does is a service controlled by the platform. This service is subject to change at the platform’s discretion if, for example, it harms the device or doesn’t fit the company’s business model – and subject to change if senators, courts, advocacy groups, or anyone else can pressure the platform to take action.

Will the U.S. get an Internet “Kill Switch”?

March 4th, 2011  |  by mollysauter  |  Published in cybersecurity, news

In the past month we’ve seen two countries try to “turn off” the Internet. On January 27, in Egypt, which had previously known few restrictions on Internet access (though, to be sure, intimidation of bloggers and activists was common), nearly all ISPs stopped delivering bits to their subscribers, even though data transiting Egypt from the outside world kept flowing normally. One Egyptian ISP, Noor, stayed up for a few days amidst speculation that it had been spared because major banks and the Egyptian stock exchange were subscribers; subsequently it went down, too. Internet access was then restored before the Mubarak government fell. In Libya, irregular nationwide outages lasting anywhere from a few minutes to seven hours have been occurring since February 19.

This is nearly unprecedented; only brief incidents in Nepal and Burma, in 2005 and 2007 respectively, could compare. The events have renewed debate over proposed U.S. legislation that might give the government a similar ability to pull the plug on Internet communications in an emergency.

The bill, introduced in the Senate first last fall and again this spring by Senators Collins and Lieberman, was first titled “Protecting Cyberspace as a National Asset Act of 2010,” and then “Cybersecurity and Internet Freedom Act of 2011.” Many observers have simply called it the “kill switch” bill, suggesting that the bill would give the President authority to shut down the Internet, perhaps in ways just seen in the Middle East. That’s an unfair characterization. But there are other reasons to be skeptical about S.3480.

The bill contains a lot more than just the provision for a so-called “kill switch.” It provides for the establishment of a White House Office of Cyberspace Policy, tasked with oversight over all “instruments of national power relating to ensuring the security and resiliency of cyberspace” and the enforcement of security standards developed by the National Institute of Standards and Technology (NIST) across both public and private sector “critical infrastructure systems.” (NIST is an agency at the Department of Commerce tasked with advancing measurement science, standards and technology. Among other things, it houses the atomic clock which keeps the nation’s official time.) It also provides for the establishment of a National Center for Cybersecurity and Communications at the Department of Homeland Security, which would oversee the United States Computer Emergency Response Team, which, as the public/private operational arm of the National Cyber Security Division, acts to disseminate cybersecurity information from the research and government communities to the private sector.

Then there’s the most controversial bit: the bill proposes that, in the event of a “cyber emergency” as declared by the President, the Department of Homeland Security could issue mandatory orders and directives to “critical infrastructure systems.” This has been interpreted as meaning that the government could “shut down” the Internet within the United States.

Under what circumstances this would be warranted depends largely on interpretation. The bill says a “cyber emergency” is an “actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure”. “Critical infrastructure” is in turn defined as those systems whose “disruption or destruction would cause a mass casualty event which includes an extraordinary number of fatalities; severe economic consequences; mass evacuations with a prolonged absence; or severe degradation of national security capabilities, including intelligence and defense functions”.

That all sounds pretty narrow: most Web servers would not qualify as that type of infrastructure–nor would a small ISP.  Responding to criticism of the kill switch idea, the Senate has said that the bill is intended to provide a “precise, targeted and focused way for the President to defend our most sensitive infrastructure,”  further defining that infrastructure as systems involved in the vital maintenance of the telecommunications networks, electrical grid, water systems and  financial systems. Of course, as more systems move to the cloud, there’s a question of whether we will start to find these critical infrastructure systems interwoven with more mundane civilian resources, and what the implications of such mixing would be under this bill.

Putting it all together, this means that a cyber emergency would only be declared in the event of an imminent risk of massive death and destruction, severe economic damage, mass evacuations or harm to our national security capabilities: the worst of all possible scenarios. But a critical issue is what kind of review there would be of whether a declared emergency really qualifies under the bill. Though there is no direct identification of critical infrastructure beyond those systems whose disruption would cause scenes from the movie 2012, there is a means in the bill for those designated as critical infrastructure systems to appeal that classification.

The new draft of the bill, likely responding to public anxiety over kill switches, explicitly forbids a shutdown: “neither the President, the Director of the National Center for Cybersecurity and Communications or any officer or employee of the United States Government shall have the authority to shut down the Internet.”

Any emergency measures developed and implemented in the event of a cyber emergency would also expire within thirty days, with the possibility of several thirty-day extensions. To be sure, though, thirty days is a long while in Internet time, and more than enough time to change, perhaps irreversibly, a company that finds itself on the wrong side of the critical infrastructure designation. It’s also hard to imagine the circumstances under which these provisions would be invoked. By the language of the bill, it would appear to take nothing short of a massive virus or physical attack in which ISPs stood idly by as malware spread. Of course, should that situation arise, it’s not clear that sending in the Marines (figuratively, if not literally) and telling various ISPs to fix it would make any difference, as if they somehow wouldn’t be trying to do that anyway, and as if the government would have any comparative advantage over the Internet engineers themselves in understanding the situation.

Oddly, the U.S. government may already have the authority to shut down the Internet anyway. Section 706 of the Communications Act of 1934, written into the Act shortly after the 1941 attack on Pearl Harbor, provides the President with the ability to shut down “any facility or station for wire communication” or take federal control of such facilities in the event of a “state of war” and for up to six months after the expiration of such a state. Of course, the War Congress of 1941 wasn’t thinking about the Internet at the time, though there is some indication that the Department of Homeland Security believes this provision could apply. In June of 2010, the Department of Homeland Security apparently cited Section 706 as “one of the authorities the President would rely on if the nation were under a cyber attack.”

The new bill does not permit such a Federal takeover or shutdown, limits the amount of time a cyber emergency declaration can be in effect, and contains language intended to render the emergency measures as non-disruptive as possible.

Beyond the legalities or politics of drastic action, it’s worth asking whether the type of Internet shutdown seen in Egypt and elsewhere is even possible in the United States. Internet penetration in Egypt is around 15.4%, high for Africa but low compared to the rest of the Middle East; penetration in Libya is around 5%; in Burma Internet penetration is at less than 1%. They have much smaller populations than the US, in smaller geographic areas. The shuttering of one or two ISPs has a much greater effect in these small markets than it would in the States. It is unlikely that the government could, through social and political pressure not backed up by statute and public accord, cow the hundreds of different ISPs operating in the continental United States into all shutting down at once. Someone bent on disrupting Internet access would have to focus on Tier 1 ISPs, those that provide Internet transit to other ISPs and for which a shutdown would have the biggest ramifications. Another potential method for shutdown would be disrupting one or more of the major Internet exchange points or “carrier hotels” that exist around the country. Going after major wireless providers could also have a big impact. However, the likelihood of a complete shutdown remains low: at the point such a measure would be attempted we’d likely have plenty of other problems to raise with such an overreaching government. More important, with Internet access so crucial to the economy and to state and federal governments, a broad-based shutdown would carry incalculable costs. The point at which the Internet is so suffused in a society that a censorious government could consider turning it off is also the point at which the Internet is so suffused in a society that a government would likely not dare turn it off. Egypt and Libya provide new and surprising counter-examples to that hypothesis, but even in Egypt access was restored while the Mubarak government was still in power. And the level of integration of the Internet with layers of the American economy and communications system is an order of magnitude greater than in Egypt, and certainly than in Libya.

So, while there is no kill switch hidden in the bill, it provides for the establishment of two federal bodies responsible for the development and enforcement of certain private and governmental security standards in the area of critical infrastructure systems, and establishes the ability of the government to give mandatory directives and orders to the private operators of critical infrastructure systems in the event of a cyber emergency, which is defined to sound a lot like a real emergency.

That said, is this bill a reasonable reaction to the current state of cybersecurity in this country?

The bill endows NIST with the ability to create security standards, in conjunction with the private sector, which would then be imposed on federal agencies and private operators of critical infrastructure systems. This introduces the potential for mission creep, and moreover, it is simply not known yet what those standards will be. Would such standards include the capacity for deep packet inspection, other methods of surveillance, or backdoors? Who within NIST and the private sector would have final say in the creation of these standards, their implementation and enforcement? Does the government currently possess the expertise to take on this task to begin with? What actions will the relevant agencies take to ensure they have that expertise at the ready when it comes to developing these standards?

When it comes to improving the online security environment in this country, everyone has work to do, including the federal government.  Keeping up with patches and updates, changing default usernames and passwords on critical systems and choosing unique, complex passwords that change regularly are just some habits of good security that should be widespread but aren’t. Some parts of this bill, like section 301 which in part provides for the withholding of bonuses to senior agency officials whose agencies aren’t up to snuff, may be a good step towards implementing a functional and habitual security environment at the federal level.  Some other sections clearly need more consideration and debate.

That the information security environment in this country and around the world needs work is clear.  Whether or not this is the bill that is needed, or even whether the federal government should have a role in regulating civilian, private sector infosec, is less so.

 

An edited version was published this morning by the MIT Technology Review.

FOI Topics and Links of the Week

March 3rd, 2011  |  by Jennifer  |  Published in Android, cloud, Facebook, iphone  |  Click to comment

Retailer’s Terms and Conditions attempt to restrict negative online reviews. After a consumer posted a negative review of an Internet retailer online, the retailer reached out, not to apologize, but rather to threaten a libel suit. It turns out that the retailer’s Terms and Conditions aim to limit the circumstances under which an unhappy customer can publicly review her experience. For example, they require that the consumer base her critique on documented evidence, and that the retailer must not have responded to her customer support request for at least seventy-two hours. It’s not clear whether a mass contract like a terms of service can penalize speech that wouldn’t otherwise be libelous. And truth is usually a defense against libel. The article also points out that the email threat’s claim that “Libel is a prosecutable felony in the state of Washington” is false: the state has held that its criminal libel laws are unconstitutional. So perhaps the Terms and Conditions and follow-up emails are designed to scare potential negative reviewers, or at least give them pause before they take five minutes to besmirch the retailer’s reputation online.

Apple changes its policy on iOS e-book and subscription sales. If a company has an iOS app and allows users to buy premium content, such as e-books to be displayed by the app, with purchases made via a Web site (and therefore avoiding giving Apple a cut), Apple now requires that the company also allow users to make those purchases in-app (where Apple takes 30% of the price). Magazine or newspaper subscriptions sold through a browser must be available for the same price or less in iTunes as well. And publishers can no longer embed links in their iOS apps to Web sites that sell content. Furthermore, customers must be asked and then agree to release their information to publishers when they buy content through iTunes, so publishers are less likely to get the valuable consumer data they want for targeted advertising.

Google launches subscription payment service. After Apple announced its iOS subscriptions model, Google followed with its content payment system, One Pass. One Pass operates across platforms. Customers who purchase content through their Google accounts can access it on their computers, tablets, or smartphones (presumably not on their iOS devices, although there’s no technical reason this has to be the case). A spectrum of models is available to publishers: they can sell by the article, offer subscriptions, or provide day passes, among other options. Unless a customer opts out, Google shares the customer’s name, zip code, and email address with the publisher. For the One Pass service, Google takes 10% of sales revenue.

RIM tablet rumored to run Android apps. RIM may be developing software that would allow its PlayBook tablet to run Android apps. The move would increase the number of apps that can run on PlayBook more than six-fold to over 130,000 apps, making it more attractive to consumers. The tablet, promoted as the company’s answer to the iPad, is slated for release this year.

Facebook and the bright side of human flesh search engines. A woman who found a camera in New York City identified its owner in three hours by posting pictures from its memory card to Facebook and tagging her friends to solicit their help in the search. Web sites designed to reunite owners with their lost property exist, but both the finder and the seeker must know of them and go to the same one. Facebook doesn’t suffer from either problem. Although Facebook is not a fully public forum – most users restrict access to their profiles in some way – in this case it ended up being a big enough network to connect a helpful New Yorker with a grateful French tourist.

Boston promises a pothole-reporting app. It’s probably not something that Apple would have developed on its own initiative: an app that detects and automatically reports potholes using GPS and accelerometer data from the driver’s phone is in the works by the city’s “Office of New Urban Mechanics.” (!) While an unsafe driver may be wary of sending such information to city officials, the app’s developers see it as a new form of civic engagement. Perhaps we’ll see a pothole-filling app next year.

Google adds new security and crowdsourced ranking features. Google has recently added two new features. The first lets people with Google accounts require a second credential at login in addition to the password: a one-time code delivered to the account holder’s phone, generated afresh for each login. The code expires after a few minutes, long enough to finish logging in, so a code captured by a phishing site is useful to the attacker only within that window, and a stolen password alone no longer unlocks the account. The second feature is a Chrome extension that allows searchers to block sites that they don’t want to see in their Google search results. The user reduces unhelpful content farm results in her own searches, and Google draws on the information to tweak its rankings to decrease global content farm contamination of results.
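How such a code is produced and checked, as an added example that is not Google’s code: the Google Authenticator app variant of this feature implements the RFC 6238 time-based one-time password (TOTP) algorithm on top of RFC 4226 HOTP, and the text-message variant differs only in that the server generates the code and texts it, with a longer validity window. The demo key below is the RFC test-vector secret, the 30-second step and the one-step drift window are assumptions about the deployment, and the per-user set of used counters is my addition, to show why a code that has already been accepted is refused even inside its lifetime.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo key: the 20-byte ASCII secret used in the RFC 4226 / RFC 6238
# test vectors, so the outputs below can be checked against the RFCs.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # RFC 6238 default time step (assumed for the deployment)
DIGITS = 6          # the code length the Authenticator app displays


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-digit decimal code (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, now=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch, so the code changes every `step` seconds."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, submitted, used_counters, now=None, step=STEP_SECONDS,
                window=1, digits=DIGITS):
    """Server-side check of a submitted code.

    Accepts the code for the current time step or up to `window` steps on
    either side (tolerating clock drift and the time taken to type the code),
    and refuses any counter already in `used_counters`, so a code that was
    captured and replayed within its lifetime is rejected the second time.
    `used_counters` is a per-user set the caller persists between calls."""
    if now is None:
        now = time.time()
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        # Constant-time comparison: the code is short, but leaking how many
        # digits matched would still help an online guessing attack.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    used = set()
    code = totp(DEMO_SECRET, now=59)
    print(code, verify_totp(DEMO_SECRET, code, used, now=59))      # 287082 True
    print(verify_totp(DEMO_SECRET, code, used, now=59))            # replay: False
    print(verify_totp(DEMO_SECRET, code, set(), now=59 + 180))     # expired: False
```

The `window` argument is the security/usability knob: each extra step on either side of “now” widens the interval in which a captured code stays valid, which is exactly the exposure the paragraph describes Google keeping to a few minutes. A phisher who relays the code to Google in real time still gets in; the short lifetime limits how long a captured code is worth anything, it does not make capture harmless.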

Corporate strategies for information security and transparency. As more and more information is stored in the cloud and shared through networks, companies are increasingly susceptible to accidental or intentional disclosure of sensitive information. The Economist reports that corporations are taking a range of approaches to address the problem, from technological restrictions and monitoring (software or hardware that limits or watches what employees do with data) to cultural awareness (explaining to employees how particular acts put data at risk) or openness (sanctioning the release of more information to promote trust). Meanwhile, 40,000 individual Gmail account holders lost their cloud-stored emails and contacts this week because of a bug in a software update. Google is in the process of restoring users’ data to them — from backup copies on tapes.

Android app hacked to repeatedly text premium numbers. Hackers, apparently in China, have inserted code into a legitimate Android app that causes it to continuously text premium numbers. The altered form of the (already free) Steamy Windows app is available on unauthorized app sites. Once a user installs it, the app sends text messages to premium numbers, running up the user’s bill. It also blocks incoming texts from the wireless service provider that would normally alert a user that he has exceeded his text message quota. The hackers get a commission for each text sent to the specified numbers. Unwitting Android owners are at greater risk of attack because, unlike iOS owners, they can download apps from third party sites in addition to the official marketplace. That makes them more generative — but also less secure, leading to the “generative dilemma.” (cached) [Cached because the cloud-based host for the deep-linkable version of The Future of the Internet — And How to Stop It has vanished — ironic (or fitting?), given the book’s warning about the dangers of cloud-based platforms.]
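As an added example, not code from the article or from whoever analysed the trojanized app, here is a triage check over an app’s AndroidManifest.xml for the two traits this kind of trojan needs: permission to send texts, and a receiver positioned to see incoming texts before the messaging app does. The manifests are constructed for illustration, and the assumption that the carrier warnings were suppressed by a high-priority SMS_RECEIVED receiver calling abortBroadcast() is mine; the article does not say how the blocking was done, only that it happened.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: attribute namespace
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def sms_findings(manifest_xml):
    """Flag the manifest traits a premium-SMS trojan needs.

    Sending the texts requires SEND_SMS. Hiding the carrier's warnings requires
    receiving SMS_RECEIVED ahead of the messaging app; on Android releases of
    that era SMS_RECEIVED was an ordered broadcast, so a receiver with a high
    android:priority could call abortBroadcast() and make the text vanish.
    (Assumption, not from the article: that the intercept is built this way.)
    Returns a list of findings; an empty list means none of the traits is present."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    if SEND_SMS in perms:
        findings.append("requests SEND_SMS: can text premium numbers and bill the owner")
    for receiver in root.iter("receiver"):
        name = receiver.get(A + "name", "?")
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            priority = int(flt.get(A + "priority", "0"))
            if priority >= 1000:
                findings.append(
                    f"receiver {name} handles SMS_RECEIVED at priority {priority}: "
                    "can swallow incoming texts before the messaging app sees them")
            elif RECEIVE_SMS in perms:
                findings.append(f"receiver {name} reads incoming SMS (priority {priority})")
    return findings


def looks_like_sms_trojan(manifest_xml):
    """True when both halves of the pattern (send + high-priority intercept) appear."""
    found = sms_findings(manifest_xml)
    return any("SEND_SMS" in f for f in found) and any("swallow" in f for f in found)


# Constructed manifests for illustration, not the real Steamy Windows app's.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.steamywindows">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

TROJANIZED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.steamywindows">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".Main"/>
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("trojanized", TROJANIZED)):
        print(label, looks_like_sms_trojan(manifest), sms_findings(manifest))
```

The point of the check is that a window-fogging novelty app has no business sending texts at all, let alone intercepting them; the official marketplace showed these permissions at install time, which is the safeguard a user sideloading from an unauthorized site gives up.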

PCs as an endangered species. As the evolution of computing devices marches forward, PCs may be headed for extinction. Smartphones and tablets are increasingly marketed as PC replacements. These mobile devices can be used on their own, but also connect to a range of peripherals — laptop shells, monitors, keyboards, mice, even docks that turbo-charge performance with extra CPUs — for a more PC-like experience. For example, Motorola’s Android-based Atrix smartphone can run the desktop version of the Firefox browser when docked, giving the user access to cloud-based services like Google Docs in addition to the apps installed on the phone. But that Firefox isn’t an Android app; it runs in a separate minimal Linux environment that comes into play when the phone is docked. And the Android app ecosystem doesn’t yet match the diversity of PC applications. Still, as mobile devices and the Web 2.0 apps and services (cached) they support become more sophisticated, it’s likely that they will expand out of their niche and invade the habitat currently occupied by PCs.

—Jennifer Halbleib

Edit a European academic journal, face a criminal trial?

January 27th, 2011  |  by jz  |  Published in Future of the Internet  |  3 Comments

The European Journal of International Law published on an affiliated web site a short book review. The author of the book reviewed was displeased, and wrote to the editor asking for it to be taken down. He declined in a very thoughtful letter, part of a correspondence reproduced here. He suggested that he would forward the author’s comments to the reviewer, and, in “uncharted” territory, possibly be prepared to approve a revised review by the reviewer and substitute that in on the Web site. The reviewer declined to make any changes, and the editor stood by that decision.

Three months later and the editor — not the reviewer — found himself the target of a criminal libel investigation in France.  Strange location, since …

[t]he author of the book was an Israeli academic. The book was in English. The publisher was Dutch. The reviewer was a distinguished German professor. The review was published on a New York website.

He’s written up his experience with the trial, which was last week, here.  Fascinating — and chilling — reading.

Help save the Internet!

January 25th, 2011  |  by jz  |  Published in Future of the Internet  |  1 Comment

You may have heard of Herdict, the Berkman Center project to crowdsource reports on the moment-to-moment health of the Internet.  (Video introduction here; FAQ here.)  We are seeking a CEO for it!

Since last year Herdict has tracked big blockages like those of China’s Great Firewall, and small ones like the temporary block of WordPress in Guatemala.  Herdict receives thousands of visitors each day and hundreds of reports from just about every country.

Last summer we were awarded a $1.5M grant from the Omidyar Network to take Herdict further, which means setting it up as a standalone non-profit, partnering with browser makers to increase Herdict’s paths for gleaning and sharing data, exploring new ways of crowdsourcing, and securing additional funds (part of our grant is for matching contributions).

So, the new Herdict venture needs a CEO.  The ideal candidate would have some combination of start-up experience, a rich human network (in the US and ideally, abroad), familiarity with the Net, experience in building and motivating online communities, and a commitment to turning Herdict into a sustainable nervous system for it.  The CEO will build and lead our technology team to shape the future of Herdict, figure out how it can best integrate with other worthy efforts in this zone, and define what the boundaries will be of just what Herdict will aspire to do.

The team will be located in Cambridge, Massachusetts — so it will help if the CEO is prepared to live in the Boston area, and at least travel there regularly.  The CEO will work closely with the board of Herdict and with faculty from the Berkman Center and members of the OpenNet Initiative as we figure out how to measure and preserve a free and open Internet.  Salary competitive.

Statements of interest can be sent to jobs@herdict.org.


About Jonathan Zittrain


Jonathan Zittrain is a Professor of Law at Harvard Law School, and faculty co-director of the Berkman Center for Internet & Society at Harvard University.


Creative Commons BY-NC-SA Jonathan Zittrain unless otherwise noted.