The Google Phone, Unlocked. Google is introducing a branded smartphone running the Android OS. Interestingly, it’s an unlocked phone, although because it’s GSM, it can only run on T-Mobile and AT&T in the US. I wonder if it will be subsidized by the carriers; if not, it could be a first step in helping break the carrier-subsidy model—discussed in this slightly out-of-date paper. Of course, even the iPhone couldn’t make it unsubsidized.

This Dumb Decade: The 87 Lamest Moments in Tech, 2000-2009. Not so much the future of the internet, but the recent past. Many of the recent lame moments have been covered in this blog (Danger Sidekick phones lose users’ data for weeks; Apple rejects Google Voice; Amazon removes 1984 from the Kindle). The old stuff is fun. I didn’t know that Facebook donated $9.5 million to a privacy-education foundation after the Beacon fiasco.

Obama to Name Howard Schmidt as Cybersecurity Coordinator, President Obama appoints Howard Schmidt, who also worked for President Bush, as his cybersecurity coordinator. Good to see that the administration is taking cybersecurity seriously, although they’re really looking at a different problem than the book discusses—threats to military and commercial infrastructure, rather than users’ endpoints and experiences.

Taxi Hack. A website allows users to criticize or praise service from specific taxi drivers, identified by medallion or license number. This has echoes of a future imagined in Chapter 9 of the book—you see a taxi, you punch in the number, and you have the driver’s digital reputation before you step into the cab (or choose not to).  (Hat tip: Emily Brill.)

Piqqem. A website crowd-sources stock picks. Of course, crowd-sourcing is all over the internet, but it seems it would be particularly treacherous if this website were subverted—say, by a company ordering its employees to vote its stock up.

—By Elisabeth Oppenheimer and JZ

Of course, those can be blocked too, and often are.  Twitter’s ancillary sites are working — to the extent they still are — only because the censors have their hands full at the moment.  But the PC changes the equation on both sides: within and outside of Iran.

Inside Iran, people can load new software on their PCs to try to get around blocks.  Find a copy of something like the xB browser online, or modify your current browser to work with software like Tor, and you can try directing all your Web access through intermediaries that aren’t blocked.  If you find one that works, all your surfing can end up unblocked.  If people were using today’s mobile phones for Internet access instead of PCs, this wouldn’t be possible, because most mobile phones, even if they can hook up to a wireless Internet access point, won’t run outside code, or only run outside code approved by the vendor.  (The jury’s still out on how easily one can install outside code on a phone running Google’s Android OS.)

Even more important than the options available to someone inside Iran are the options for those everywhere else.  Many people have been eager to show support for those in Iran who want to evade the government clampdown on news, both in and out.  Thanks to the PC they can do more than color their personal avatars green.  If you have a PC and want to help, you can find instructions on how to download software that will turn your PC into a way station between Iranian citizens and the rest of the Net.  Two minutes ago you were playing Quake, and now you’re donating bandwidth and computing cycles to the free movement of bits — and you can even go back to playing Quake again.  And discussions are under way to reconfigure the just-released free Opera browser so it can serve as a proxy. [Update: Al Billings at Mozilla is thinking through the same questions for Firefox.]

That’s extraordinary.  The computing machines we buy are descendants of the old hobbyist machines of the 1980′s, which assumed people would get them so they could tinker with them, and those vestiges turn out to be crucial at a time like this.  We’re lucky to still have so many home PCs out there.  Our work ones are often locked down — your neighborhood IT department would have a heart attack if it found you running a proxy server, since it would worry about the security of the corporate intranet.  Most schools don’t allow their students to run new code in a computer cluster, and libraries are locked down, too.  (Indeed, all three of these places typically have their own content filters installed!)  Thanks to the PC, people can help forge new civic technologies — ones that succeed to the extent that people are willing to participate in them.

Perhaps soon we’ll see even more profound ways to transform access to the information grid.  Researchers have been puzzling through “wireless ad hoc mesh networking,” which allows devices to connect to each other without needing an Internet Service Provider to run interference.  If anyone is connected to the larger Internet, everyone else nearby — and everyone near everyone else nearby, etc. — can connect.  This is the method used by the One Laptop Per Child project to allow the PCs they are sending to kids in developing countries to share data with one another even if there’s no Internet drop point available.  Imagine that technology redeployed to this situation — and it can be, if someone writes or adapts the right software.  Our PCs have radios in them that can talk to one another, not just to an “official” access point; you may even recall seeing others’ computers in your wi-fi access list when trying to find a way to get online while on the road.  A little tweak here and there and it can start working — for school kids in Brazil, for hurricane refugees running laptops on battery power, and for citizens in Iran facing otherwise-limited Net access.

A green avatar is just the beginning — so long as we maintain our somewhat accidental ubiquitous infrastructure of generative, reprogrammable boxes, a legion of hackers ready to reprogram them to social ends, and a citizenry ready to donate some bandwidth and cycles to a good cause.

Facebook and other social networks have an especially tricky time in this zone, since so much user data is relational.  You upload a photo of you and me; I tag it with your name.  I leave Facebook — does your name disappear from the photo since I was the one who originally tagged it?  Should all traces of someone vanish from everyone’s news feed, or is the alert that X posted a photo (along with a thumbnail of the photo) a different contribution than … posting the photo?  Facebook possibly thought to avoid these issues — or at least retain maximum flexibility to answer them — by including the sweeping clauses about being able to retain our data forever.

One lesson is that plain English (and its other-language counterparts!) works better these days than legalese.  When talented lawyers sit down to draft something like a set of terms of service, they naturally want terms that protect their client as much as possible — both in its current practices and for any future practices it could conceivably undertake.  Plus they know that courts will hold this language against them in a dispute if there’s any wiggle room, since the company itself drafted it and the users couldn’t negotiate.  So the writers tend to (1) reuse terms from other companies’ agreements like old holiday fruitcakes getting passed around, since venerable terms must be good ones and (2) they write broadly and at length.  But now just one hawk-eyed person scrutinizing new terms can see them get broadened and raise an alarm to everyone else, thinking of all sorts of future actions the company just permitted itself to take — the way the lawyers themselves were thinking, too.  This is true even if the people running the company didn’t have anything more in mind than avoiding some class action lawsuit for using people’s data in ways that could be said to exceed the limits they’ve placed on themselves with their own terms.

Writing in plain language can better describe what the company is trying to do, and may even make a court more sympathetic if trouble arises.  That trend is probably increasing — consider Google’s warning upon installing its browser toolbar, which in “advanced” mode will send every visited Web site URL back to Google so that, among other things, Google can provide an icon showing the page’s popularity as it’s visited.  Google leads its privacy policy with “PLEASE READ THIS CAREFULLY — IT’S NOT THE USUAL YADA YADA.”  Mark Zuckerberg’s blog entry in response to the controversy is a welcome piece of plainspeak.

So — Facebook will go back to the drawing board and come up with something new, no doubt rightly more narrowly drawn.  In another post Zuckerberg said:

More than 175 million people use Facebook. If it were a country, it would be the sixth most populated country in the world. Our terms aren’t just a document that protect our rights; it’s the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service. 

Governing document is right.  That brings up two bigger picture issues worth highlighting out of what otherwise might be a garden-variety dispute about privacy terms that people can have with any of the companies to who they entrust their data.

First, if Facebook is analogous to a country, how to govern it?  There’s an amazing amount of energy devoted to arguing about who gets to control the top-level allocation of domain names, since they’re seen as a shared resource of the Net that can greatly affect people’s lives.  (I think that’s overblown, but that’s a different discussion.)  So what about a “community” like that of Facebook, where people invest their data — indeed, often their very identities.  When someone’s years’-long cultivated Facebook account is terminated for alleged objectionable behavior, is that a mere customer service issue, or ought it be thought of as something broader?  No one expects Facebook to be run by anyone other than its management and private owners (and perhaps someday its public shareholders), adjusting for market pressure from its users, but if the communities there are truly to flourish, perhaps it’s time to experiment with forms of self-governance.  Just as online multiplayer games allow worlds of users with different rules, and some incorporate users themselves into developing those rules, Facebook could experiment with some of the same things.  (So far online organizing on Facebook tends to be represented by the creation of groups with provocative titles and then a count of how quickly how many people sign up, an especially interesting metric since Facebook itself can tweak how often word of people joining a group appears in their friends’ newsfeeds.)  There may be a sweet spot somewhere between the status quo — where at least we know whom to blame or sue if we disagree with a Facebook policy — and, say, Wikipedia, where governance generally takes place in ways large and small among the thousands of people who edit its articles and work through the disputes that naturally arise there.

Second, it’s amazing how much people focus on Facebook’s use of data vs. uses by fellow users on Facebook.  I think “peer-to-peer” privacy violations will turn out to be the most interesting and pervasive, and that we ought to start working out how to handle these issues.  Even small tweaks in how a site like Facebook operates — such as who gets to tag and untag a photo and who is notified (or asked for permission) when tagging happens — can have a huge impact on the flow of data and identity.  (Facebook’s structure is highly innovative here — they’ve actually got pretty good instincts about people’s privacy preferences.)  This is especially true as more and more of our “mouse droppings” end up in social networks — automatically updated telemetry about our daily travels (think Google Latitude) or changes in who we’re friends with.  I’ve written a lot more about this in chapter nine of “The Future of the Internet — And How to Stop It,” available for free download,  (But you’re welcome to buy it, too, newly in paperback!)

Privacy “perfect storms” are good times to think about these matters — too often people are too busy shoveling out their data to really think through the implications of what they’re doing.  Now, with the pitchforks on this particular issue being mostly returned to holsters, we can debate.  …JZ

Suppose that we agree on a rough (to some, controversial) value judgment: the Internet’s architectural openness (its “generativity”) — and its progression into the mainstream — has been a genuinely awesome thing, facilitating radical (and mostly good) revolutions in how we express and entertain ourselves, how we learn, how we shop, essentially in how meaning is made. 

Then: is there a signal threat to it apart from the ones arising from people (and regulators) who reject or are harmed by the Net’s openness even when it’s functioning as designed?  I.e., apart from those who don’t share the value judgment about openness?

I gather that some say no.  David Akin and David Isenberg, and perhaps Gene S. (although he sort of seems to say “a pox on both your houses”), say that for all its vulnerabilities, the Internet manages to keep on ticking, and suggestions that there is a growing — perhaps existential — threat to its functioning arising from anti-libertarian control freaks and mercenary security vendors — those who benefit from rejecting its generative premise rather than those who want to save it.

I say yes.  It’s an tough empirical question and there is plenty of room for disagreement — much of this is crystal ball gazing — but it clouds the ball further to argue that anyone who tries to describe the threat is only doing so because he or she seeks lockdown.  I worry both about the problem that will, if no better alternatives are offered, drive people away from open systems, and life in the gated communities that will welcome them.

So what’s the problem?  As Gene says, the issue is not only with networks that are not secure, but also the endpoints: reprogrammable machines, PCs, that provide the basis for the botnets that can wreak various forms of havoc.  It’s a miracle and an absurdity that infused in homes, workplaces, and laps around the world are PCs that can be repurposed in an instant, running code from the other side of the world without the vendor of the machine or its operating system, or the network service provider, having anything to say about it.  That’s how an innovation like Skype — or, for that matter, a Web browser — can come about and hit prime time.  It’s also how worms and viruses spread, and it’s not just about OS bugs: many of these come in through the front door, with the user choosing to run new code without understanding what’s hidden within it.  I remember Microsoft’s “first immutable law of security“:

There’s a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn’t — it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you’ll usually be safe.”

This is well intentioned, of course — we know what the author is trying to say by it — but it’s also crazy.  Millions of years of evolution have helped us intuitively discern a good sandwich from a rotten one, and we don’t continually ingest little bits of food every few minutes as we walk down the street.  There’s no such help with code.  That’s why for 99.9% of the people out there, the idea of merrily running any code they see is already a fiction.  (Most of the .1% are people who just don’t care if their PCs melt, rather than geeks who know how to secure them.)  People turn to anti-virus vendors, firewall makers, and all the other patchy tech that Gene rightly dismisses as baling wire and twine.  If that’s all they’ve got, people will be ripe for persuasion that they should lock themselves down more, opting for sterile environments like the Kindle for more and more tasks, or hybrid environments like that of the iPhone or Facebook Apps: outside code can run, but only with the prospective and ongoing  permission of the platform operator.  These are attractive solutions — I love my iPhone — but they are worrisome in the big picture, especially as the model for them begins to predominate across all software.  Already, many of the otherwise-generative machines out there are being locked down by the boxes’ actual owners: PCs in corporate environments, schools, cyber cafes, and libraries are frequently unable to run new code without bureaucratized approval.  And in the developing world, much of the excitement around the adoption of mobile platforms instead of clunky PCs tends, with a few notable exceptions, to play into the walled gardens.  Where demand goes, supply follows: for the next generation of geeks and tinkerers, many find these walled gardens to be an unremarkable feature of the landscape.  Today’s kidz are coding for Facebook and iPhone, not for GNU/Linux or Windows.

It’s not much answer to say: “Well, *I* don’t have problems with viruses; it’s just losers who don’t know how to protect their machines.  Let them have a playpen, then.”  This response reminds me of the end of Atlas Shrugged, when the handful of good capitalists retreat to a golden valley and mow each others’ lawns in a new economy, while the rest of the world melts.  I don’t want an Internet where only the nerds remain.  (USENET was fun, but …)

So, David’s subject line sounds right to me: “Fixing the Internet might break it worse than it’s broken now.”  But that doesn’t mean that we should accept the status quo.  If we do, we’ll lose it — or we’ll find that we’re one of a comparative handful clinging to it as everyone else migrates away.

What are the solutions that aren’t iatrogenic?  I’m less sanguine than many on this list that some sort of liability regime for buggy code is the way to go, both because I think it will in many cases lead to less generative platforms and because the problem transcends mere bugs in code.  (For a more detailed treatment of this, see <http://yupnet.org/zittrain/archives/18#29>.) And “more training” for users would be great, but seems unrealistic.  We need solutions that require only a critical mass of people to implement, rather than counting on lots and lots of people to suddenly become tinkerers themselves — even as they rightly should enjoy the benefits of an experimentalist culture like that of the Internet and PC.  My own ideas run less in the direction of re-architecting the entire Internet, though I’m intrigued by the Clean Slate project and its siblings, like that run by David Clark at MIT.  David Isenberg is right that I’ve suggested some promise in virtual machine technology that allows promising but suspect code to run in a “red” zone, but this approach also has limits and drawbacks.  (Who decides what’s red and green when the users’ cluelessness is what gives rise to the need for a red zone at all?)  See, e.g., <http://yupnet.org/zittrain/archives/18#6>.

Instead, I think that collecting and making available more data about the shape of the problem can help enormously.  We really don’t know what’s going on out there, and the sooner we can replace speculation with reality — and not have what little we know be a trade secret! — the better.  See <http://yupnet.org/zittrain/archives/18#48> for more details on how this could work:

Social problems can be met first with social solutions — aided by powerful technical tools — rather than by resorting to law. As we have seen, vandalism, copyright infringement, and lies on Wikipedia are typically solved not by declaring that vandals are breaking laws against “exceeding authorized access” to Wikipedia or by suits for infringement or defamation, but rather through a community process that, astoundingly, has impact.

The Google/Stopbadware partnership — which made news a few weeks ago for reasons unrelated to its core operations — is one experiment in this area.  I’m all for the Net solving its own problems — someone does always tend to step up.  (E.g., thanks, Luis von Ahn, for the CAPTCHA!)  Maybe that someone is among us?

There, now, I’ve gone ahead and ended with the thought that we are the change we’ve been waiting for.  Or is it Ready to Lead? …JZ

The downloading takes place over an “EVDO modem with fallback to 1xRTT; utilizes Amazon Whispernet to provide U.S wireless coverage via Sprint’s 3G high-speed data network.”[1]  The connectivity needed to download books and browsing certain other sites is free of charge: “The Kindle Store enables you to download, display and use on your Device a variety of digitized electronic content, such as books, subscriptions to magazines, newspapers, journals and other periodicals, blogs, RSS feeds, and other digital content, [*]as determined by Amazon from time to time[*].”[2]  … “Amazon provides wireless connectivity free of charge to you for certain content shopping and downloading services on your Device. You may be charged a fee for wireless connectivity for your use of other wireless services on your Device, such as Web browsing and downloading of personal files, should you elect to use those services.”[3]  So there appears to be a more generic Web browser — how locked down it is I’m not sure, but the overall platform does not allow third party apps, and I wonder if it even allows things like Flash — and Amazon will charge fees TBD for going outside the sandbox.

Suppose that Amazon does indeed get to (1) choose what Web sites its users can visit or (2) choose what Web sites will incur a wireless access fee (to the user).  I’m curious whether people think either practice should be banned or limited by regulation, e.g. as a violation of network neutrality.  If a standard ISP did this, would it be a problem?  Does the fact that Amazon is both ISP and hardware provider make the situation better or worse?  At some level a specialized device won’t substitute for “standard” Net access and one wouldn’t complain about limitations, any more than one complains that standard cable TV service doesn’t allow Web surfing, even if the set top box can tune to a handful of specialized Web site front ends for “enhanced” content.  (In fact, some televisions themselves now do this, along with Blu-Ray disc players.)  On the other hand, it’s clearly a platform convergent with everything else — one could imagine bringing only a Kindle on a trip and managing web and primitive email access from it.

I think we’ll be faced with more and more of these hybrid Internet appliances.  I’m worried about the end of the ethos of the mainstream hobbyist PC — defined as the general public being able to define what code they want to run, without interference or undue shaping by gatekeepers — and see appliances (and managed web services like the Facebook and Google apps platforms) as substitutes rather than complements.

Joel Tenenbaum was one of thousands, perhaps millions of teenagers. When he was 17, he allegedly downloaded seven songs from the Internet using a peer-to-peer file sharing program called Kazaa [Both parties appear to agree this is a downloading case, not (solely) an uploading case like many of the others]. Now, 10 years later, he is being sued by the Recording Industry Association of America (RIAA), along with Capital Records and Sony BMG. What does the RIAA want from Mr. Tenenbaum? $1 million.

But before we begin to think about the legal details and who is right or wrong, let’s think about why this is a problem. For starters, the current architecture of the Internet does not technically support copyright. It is different from controlled virtual environments such as Second Life, in which any object made by someone will forever contain the “watermark” of the maker. Items or programs in Second Life can be designated at birth whether or not they will be copyable or transferable.

That does not mean copyright has no meaning on the Web– only that the architecture of the Web makes it easy to exchange copyrighted material to a scale that cannot compare to what could happen in the physical world.

Is the Architecture of the Net Creating Problems?

These copyright issues are taking place because the creators of the Internet did not think like proprietary networks. As explained in Chapter 2, the people who designed the Internet were primarily academic researchers and corporate engineers who “had little concern for controlling the network or its users’ behavior.” When they first made the Internet, they probably had no idea that someone (actually two someones) would come along and invent a peer-to-peer file sharing program.

If the Internet were designed by the RIAA, they probably would have made it so that music would not be able to be shared by multiple people. We can make this assumption because one of the attempts made by the music industry has been to impose digital rights management, or DRM, on their products. DRM gives the media maker the authority to control what can and cannot be done with a song. For instance, a music file can be programmed so that it can only be played a certain number of times, or only on certain devices. While DRMs are increasingly fading, they still have a strong presence in much of the content available on online music stores like iTunes.

So what does that mean for an organization like the RIAA? It could continue its current mission of hunting down music downloaders/uploaders and suing them, hoping in the long run that this will discourage people from doing so. Or, it could look for an entirely different business model that still brings in revenues regardless of Internet file sharing. Or… it could try to change the Internet to one that is more controlled by requiring Internet service providers to impose filters.

That last scenario is something that concerns people like Charles Nesson, Harvard Law School professor and Mr. Tenenbaum’s legal representative. According to Prof. Nesson, the RIAA’s lawsuit against Mr. Tenenbaum is more about working to change the infrastructure to make control of content easier.

In the defense of the counterclaim he argues:

They do this, not for the purpose of recovering compensation for actual damage caused by Joel’s individual action, nor for the primary purpose of deterring him from further copyright infringement, but for the ulterior purpose of creating an urban legend so frightening to children using computers, and so frightening to parents and teachers of students using computers, that they will somehow reverse the tide of the digital future.

That is something we should think about. Will the Internet continue to run on the open infrastructure that it currently is? Do we, as users, have any say in what happens to it?

Already there’s talk of expanding the App Store to PCs themselves. From Venturebeat:

While it may not make sense for huge applications such as Photoshop or Microsoft Office, does it not make sense to eventually get items such as Dashboard widgets through the App Store?

Perhaps a stretch, but worth thinking about would be Apple using the App Store as a competitor to something like Adobe Air. The apps run so beautifully on the iPhone and iPod Touch, just imagine would they could run on a more powerful desktop or notebook computer.

The App Store model is very powerful — and has some real benefits with it, not least of which is keeping the user experience a “quality” one, to include screening (or later killing) apps that appear malicious.  But it is a wholesale shift of our IT ecosystem when a vendor or vendors are in position to screen the apps coming from the “dark energy” of nerds at large.

–JZ

As developers update their applications — including bug fixes — it can take up to a week for a new version to go live after being submitted to Apple.  Developers don’t know when new or updated apps will go live — complicating planning.  And they aren’t given live sales information, so they don’t know how their apps are doing.

Apple isn’t alone.  Facebook is ramping up efforts to pick winners and losers in its platform:

Facebook announced a series of new incentives for developers to write what it characterized as “meaningful” tools for the service. It said it would pick certain applications that meet a set of Facebook principles to be part of a new “Great Apps” program. Those applications will get higher visibility on the service and will be able to work more closely with Facebook. …

“They are trying to evolve to a place where the right companies get funded and they launch more ambitious features on the platform,” he said.

Facebook said it was also setting up another level of certification, called the Facebook Verification program, for applications that meet the basic criteria of being secure and trustworthy. These applications will get added visibility and a graphical “badge.”

Picking winners and losers: that’s exactly what generative platform makers don’t do, and a good thing, since obvious losers — Wikipedia, couchsurfing.com, instant messenger — can end up being winners.  The ability to “throttle” certain apps by giving them more or less newsfeed space is an interesting contrast to the Apple App Store’s all-or-nothing system of app approval.  People learn about new apps on Facebook when their feeds indicate that a friend has added or used it — and slowing down undesirable apps can have a huge impact on their uptake.  Throttling is a gentle way to handle spammy apps, and it could genuinely be used to improve the user experience — but the technique could be applied for any reason.

Remember the days when developers could write software for a machine and then share it or sell it by simply handing someone a diskette or CD, or providing a link on which people could click?  And when the most diabolical way for a platform maker to influence the spread of apps was through clumsy efforts to dictate what could and couldn’t be on the desktop of a Windows machine fresh from the factory?

–JZ

Techcrunch speculates that this reflects a realization that much of the Platform is political, not technical.  Because the architecture naturally allows Facebook to control which apps run, and how they run — a big difference from the relationship of a traditional PC OS maker to PC app developers — someone able to act sensitively to public and political opinion would be helpful.  Facebook, like other Web 2.0 software-as-service counterparts like Google Apps, is entering the governance business.  It’ll be interesting to see how decisions will be made — or even if we can see how decisions are made — about what is banned and what is not.

Recently SuperWall was put in the dock, and Secret Crush was killed several days after Wired reported that it came bundled with spyware (and the maker, Zango, denied).

We’ll see the same phenomenon with the new iPhone apps platform, where Apple reserves the right to determine what will run and what won’t.  Adam Thierer over at Tech Liberation points to the hacking of the latest iPhone as evidence that we’re not about to enter an era of centralized control.  Putting aside that case for the iPhone — as a tethered device it can always be reflashed by Apple to eliminate hacks, especially those installed by non-techies just trying to double-click on something to run an unapproved app — it’s much more difficult to hack software-as-service platforms with apps not desired by the platform makers.

Perhaps ongoing delays will prompt Apple to open up a bit — but Steve Jobs rightfully might be more concerned about the “three apps” problem:

“You don’t want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn’t work anymore. These are more like iPods than they are like computers.”

Of course, that was when Jobs didn’t want the iPhone to be open to outside applications at all.