The U.S. government uses a PC control switch? The U.S. federal government obtained a temporary restraining order in April that allowed it to send to private computers unwittingly part of a massive criminal botnet a command that disabled the malware. In the past, the government has cut off or seized the command-and-control servers and computers that run a botnet, but here – without notice, because federal agents were still trying to collect the IP addresses of infected computers – the government issued a command to personal computers owned by innocent targets of the Coreflood botnet. Arguably, since Coreflood steals private data and loots victims’ bank accounts instead of just generating huge amounts of spam, the government had sufficient justification to order citizens’ (and non-citizens?) computers to kill the program. But in addition to concern that the command itself might unintentionally damage some private machines, such a path may be quite slippery. After all, prevention may be cheaper than disease; why shouldn’t the government push security software to all personal computers? And why shouldn’t it monitor citizens’ online activity to make sure they aren’t downloading programs from malicious sites? Nonetheless, how different is the command in this case from required residential building and health standards or mandatory vaccinations for schoolchildren? The government regulates personal safety in the real world when it implicates the broader public good, why shouldn’t it do the same online? And in the end, an individual can avoid running the command on his computer (and dodge the botnet risk, too) by simply disconnecting from the Internet.  Of course, that makes the computer slightly less useful.  The phenomenon is reminiscent of this Wired account from 2003, though note the reporter’s credibility appears to be in question.  (!)

Google’s questionable Grooveshark takedown. Last week, the Electronic Freedom Foundation criticized Google for removing the popular music service Grooveshark’s app from the Android Market. Google has said that it was responding to an RIAA complaint but has not explained the basis of that complaint. The company did not require notice before the takedown as provided for by the Digital Millennium Copyright Act. If the complaint was grounded in copyright, EFF noted that Google’s actions departed from its longstanding position of requiring such valid notice before takedown. Because the move coincided with Google’s testimony before the Senate Judiciary Committee, EFF speculated that it was designed to mollify any Congressional skepticism that Google was not committed to copyright enforcement.  Note that apps can still be added to a phone without having to go through the Android Market.

More consumers demanding iPads in place of laptop PCs. Last quarter, Apple’s profits exceeded Microsoft’s for the first time since 1991. Overall PC sales declined 2%, consumer PCs dropped 8%, and netbooks –  the inexpensive and mobile generative PCs most similar tablets like the tethered iPad – fell 40%.

Translating iOS to WP7. Meanwhile, Microsoft is contesting Apple’s dominance of the tethered device market. Microsoft now offers a tool that helps developers convert their iOS apps to Windows Phone 7 apps. It maps the WP7 application programming interface – the set of definitions and rules an app uses to communicate with the phone’s operating system – onto the iOS API, making it easier for developers to port their apps to WP7, giving Windows Phone 7 users access to more apps, and allowing Microsoft to compete with Apple in app marketplace size and range sooner.

And a related discussion of generative PCs and tethered devices including thoughts on JZ’s thesis in the book, as well as a take on his concerns about crowdsourced work.

—Jennifer Halbleib

This is nearly unprecedented; only brief incidents in Nepal and Burma, in 2005 and 2007 respectively, could compare. The events have renewed debate over proposed U.S. legislation that might give the government a similar ability to pull the plug on Internet communications in an emergency.

The bill, introduced in the Senate first last fall and again this spring by Senators Collins and Lieberman, was first titled “Protecting Cyberspace as a National Asset Act of 2010,” and then “Cybersecurity and Internet Freedom Act of 2011.” Many observers have simply called it the “kill switch” bill, suggesting that the bill would give the President authority to shut down the Internet, perhaps in ways just seen in the Middle East. That’s an unfair characterization. But there are other reasons to be skeptical about S.3480.

The bill contains a lot more than just the provision for a so-called “kill switch.” It provides for the establishment of a White House Office of Cyberspace Policy, tasked with oversight over all “instruments of national power relating to ensuring the security and resiliency of cyberspace” and the enforcement of security standards developed by the National Institute of Standards and Technology (NIST)  across both public and private sector “critical infrastructure systems.”    (NIST is the National Institute of Standards and Technology, an agency at the Department of Commerce tasked with advancing measurement science, standards and technology. Among other things, it houses the atomic clock which keeps the nation’s official time.) It also provides for the establishment of a National Center for Cybersecurity and Communications at the Department of Homeland Security, which would oversee the United States Computer Emergency Response Team, which, as the public/private operational arm of the National Cyber Security Division,  acts to disseminate cybersecurity information from the research and government communities to the private sector.

Then there’s the most controversial bit: the bill proposes that, in the event of a “cyber emergency” as declared by the President, the Department of Homeland Security could issue mandatory orders and directives to “critical infrastructure systems”. This has been interpreted as meaning that the goverment could “shut down” the internet within the United States.

Under what circumstances this would be warranted depends largely on interpretation. The bill says a “cyber emergency” is an “actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure”. “Critical infrastructure” is in turn defined as those systems whose “disruption or destruction would cause a mass casualty event which includes an extraordinary number of fatalities; severe economic consequences; mass evacuations with a prolonged absence; or severe degradation of national security capabilities, including intelligence and defense functions”.

That all sounds pretty narrow: most Web servers would not qualify as that type of infrastructure–nor would a small ISP.  Responding to criticism of the kill switch idea, the Senate has said that the bill is intended to provide a “precise, targeted and focused way for the President to defend our most sensitive infrastructure,”  further defining that infrastructure as systems involved in the vital maintenance of the telecommunications networks, electrical grid, water systems and  financial systems. Of course, as more systems move to the cloud, there’s a question of whether we will start to find these critical infrastructure systems interwoven with more mundane civilian resources, and what the implications of such mixing would be under this bill.

Putting it all together, this means that a cyber emergency would only to be declared in the event of an imminent risk of massive death and destruction, severe economic damage, mass evacuations or harm to our national security capabilities—the worst of all possible scenarios.  But a critical issue is what kind of review there would be of whether a declared emergency really qualifies under the bill.  Though there is no direct identification of critical infrastructure beyond those whose disruption would cause scenes from the movie 2012, there is a means in the bill for those designated as critical infrastructure systems to appeal that classification.

The new draft of the bill– likely responding to public anxiety over kill switches–explicitly forbids a shut down: “neither the President, the Director of the National Center for Cybersecurity and Communications or any officer or employee of the United States Government shall have the authority to shut down the Internet.”

Any emergency measures developed and implemented in the event of a cyber emergency would also expire within thirty days, with the possibility of several thirty day extensions.  To be sure though, thirty days is a long while in Internet time, and more than enough time to change, perhaps irreversibly, a company who find itself on the wrong side of the critical infrastructure designation.  Most important is to try. It’s also hard to imagine the circumstances under which these provisions would be invoked.  By the language of the bill, it would appear to be nothing short of a massive virus–or physical–attack in which ISPs stood idly by as malware spread like.  Of course, should that situation arise, it’s not clear that sending in the Marines (figuratively, if not literally), and telling various ISP’s to fix it would make any difference–as if they somehow wouldn’t be trying to do that anyway, and as if the government would have any comparative advantage in understanding the situation than the Internet engineers themselves would have.

Oddly, the U.S. government may already have the authority to shut down the Internet anyway. Section 706 of the Communications of Act of 1934 – written into the Act shortly after the 1941 attacks on Pearl Harbor – provides the President with the ability to shut down “any facility or station for wire communication” or take federal control of such facilities in the event of a “state of war” and for up to six months after the expiration of such a state. Of course, the War Congress of 1941 wasn’t thinking about the Internet at the time, though there is some indication that the Department of Homeland Security believes this provision could apply.  In June of 2010, the Department of Homeland security apparently cited Section 706 as “one of the authorities the President would rely on if the nation were under a cyber attack.”

The new bill does not permit such a Federal takeover or shutdown, limits the amount of time a cyber emergency declaration can be in effect, and contains language intended to render the emergency measures as non-disruptive as possible.

Beyond the legalities or politics of drastic action, it’s worth asking whether the type of Internet shutdown seen in Egypt and elsewhere is even possible in the United States. Internet penetration in Egypt is around 15.4%, high for Africa but low compared to the rest of the Middle East; penetration in Libya is around 5% ; in Burma Internet penetration is at less than 1%.  They have much smaller populations than the US, in smaller geographic areas.  The shuttering of one or two ISPs has a much greater effect in these small markets than it would in the States.  It is unlikely that the government could, though social and political pressure not backed up by statute and public accord, cow the hundreds of different ISPs operating in the continental United States to all shut down at once.  Someone bent on disrupting Internet access would have to focus on Tier 1 ISPs – those who provide Internet access to other ISPs, and for which a shutdown would have the biggest ramifications.  Another potential method for shutdown would be disrupting one or more of the major Internet exchange points or “carrier hotels” that exist around the country.  Going after major wireless providers could also have a big impact. However, the likelihood of a complete shutdown remains low: at the point such a measure would be attempted we’d likely have plenty of other problems to raise with such an overreaching government.  More important, with Internet access so crucial to the economy and to state and federal governments, a broad-based shutdown would carry incalculable costs.  The point at which the Internet is so suffused in a society that a censorious government could consider turning it off is also the point at which the Internet is so suffused in a society that a government would likely not dare turn it off.  Egypt and Libya provide new and surprising counter-examples to that hypothesis, but even in Egypt access was restored while the Mubarak government was still in power.  And the level of integration of the Internet with layers of the American economy and communications system is an order of magnitude more than in Egypt and certainly Libya.

So, while there is no a kill switch hidden in the bill, it provides for the establishment of two federal bodies responsible for the development and enforcement of certain private and governmental security standards in the area of critical infrastructure systems, and establishes the ability of the government to give mandatory directives and orders to the private operators of critical infrastructure systems in the event of a cyber emergency, which is defined to sound a lot like a real emergency.

That said, is this bill a reasonable reaction to the current state of cybersecurity in this country?

The bill endows NIST with the ability to create security standards, in conjunction with the private sector, which would then be imposed on federal agencies and private operators of critical infrastructure systems.  This introduces the potential for mission creep, and moreover, it is simply not known what those standards will be yet.  Would such standards include the capacity for deep-packet sniffing, other methods of surveillance or backdoors?  Who within NIST and the private sector would have final say in the creation of these standards, their implementation and enforcement?  Does the government currently possess the expertise to take on this task to begin with?  What actions will the relevant agencies take to ensure they have that experience at the ready when it comes to developing these standards?

When it comes to improving the online security environment in this country, everyone has work to do, including the federal government.  Keeping up with patches and updates, changing default usernames and passwords on critical systems and choosing unique, complex passwords that change regularly are just some habits of good security that should be widespread but aren’t. Some parts of this bill, like section 301 which in part provides for the withholding of bonuses to senior agency officials whose agencies aren’t up to snuff, may be a good step towards implementing a functional and habitual security environment at the federal level.  Some other sections clearly need more consideration and debate.

That the information security environment in this country and around the world needs work is clear.  Whether or not this is the bill that is needed, or even whether the federal government should have a role in regulating civilian, private sector infosec, is less so.

An edited version was published this morning by the MIT Technology Review.

For every smartphone, someone, somewhere has an app kill switch. This week, Microsoft discussed the circumstances in which its kill switch could be flipped on the Windows Phone. It emphasized that pre-screening apps and subsequent removal of any remaining risky apps from the Market Place were preferred tools for addressing privacy and security concerns, characterizing the kill switch as a scram in case of impending meltdown.

i(Gold)Bricks. An iPhone 3G user has accused Apple of a different type of killing. In a lawsuit filed last week, she alleges that Apple intentionally used the iOS 4 update to debilitate iPhone 3Gs in order to increase sales of the iPhone 4. Part of her claim is based on the charge that Apple didn’t allow consumers to revert to a previous version of iOS after experiencing poor iOS 4 performance on an iPhone 3G — at least without voiding the warranty by jailbreaking the phone.

What are the limits on employee Internet policies? The NLRB is suing a Connecticut company, alleging that the employer fired one of its workers because she posted a negative comment about her supervisor on her Facebook page from her home computer. According the Legal Times, the NLRB is challenging a provision of the policy that the union says prohibits “depicting the company in any way over the Internet without company permission.” The EMT service contends the woman was fired for “multiple serious issues.”

A picture is worth a thousand dollars in traffic tickets. Next generation speed cameras not only calculate a driver’s speed, but also check to see if his insurance is current, his seatbelt is on, and he’s keeping a safe distance from the car in front of him. Some jurisdictions are apparently having difficulty making money off their speed cams. Upping the number of violations per picture should help.

Market Captcha. In the grand capitalist tradition of slapping an ad on any exposed surface, NuCaptcha is selling squiggly commercial space. Website visitors will have to type in a company slogan to proceed. Several prominent companies have signed up. I wonder if sellers of knock-off Rolexes and cheap pharmaceuticals will as well.

—Jennifer Halbleib

Facial recognition and next generation privacy. David Thompson gives an update on the progress of facial recognition software and its implications for privacy 2.0.  In addition to describing the revolution in surveillance capabilities that occurs when a person can be identified on any security camera feed or in any of the more than three billion photos on Flickr, he notes that Face.com released an API last month, allowing developers free access to its facial recognition technology and the green light to adapt it for new uses.  Here’s hoping the appropriate norms evolve in tandem.

Defamation liability: please fwd. A bankruptcy court in Texas has ruled that forwarding an email link can be considered defamation.  The defendant in the case didn’t send a copy of the actual content, just a link to a website.  Neither had he written any of the defamatory content on the website.  It’s unlikely that the ruling will survive an appeal, since forwarding a link probably doesn’t amount to the required element of “publication” under a traditional interpretation of defamation law.  Still, it’s something to think about the next time there’s a link to a juicy tabloid story in your inbox.

Shifting foundations of the App Store. Apple continues to indulge its discretion when it comes to approving iOS apps.  This time it pulled an app for being “widget-like,” despite approving three previous versions.  The frustrated developer asks “How can a company be prepared to invest into a platform that can change at any time?“

It Gets Worse: Apple Censors a Gay Kiss in Oscar Wilde Comic. In another Apple censorship story, the company appeared to block out a kiss in a comic book because two men were doing the kissing. To be fair, it’s not entirely clear to me from the pictures in the article whether the same-sex kiss was the cause of the blackout, but the author claims that similar opposite-sex scenes have gone unchanged in other comic books. As he says, “the more examples I see of Apple’s capricious censoring, the less funny it is.”

Steve Jobs at D8: Post-PC era is nigh. In the introduction of the book, JZ predicted that Steve Jobs, having launched the PC era, was about to usher it out. Now, Jobs says the same thing. According to him, “PCs are going to be like trucks … they are still going to be around,” but “one out of x people will need them.”

TiVo’s ‘Big Win’ Over Dish On Patents Looking Less And Less Solid, As Patent Office Rejects Patent Claims. Update in the TiVo-EchoStar battle: we may never find out if EchoStar will actually have to remotely kill already-purchased DVRs, because the Federal Circuit is rehearing the original patent claims en banc.

—By Jennifer Halbleib and Elisabeth Oppenheimer

Communicating with the e-book mothership. If the latest must-read on Kindle is dotted with typos or has a few pages missing, there’s a good chance Amazon offers a patch to correct the error. It’s a handy Internet-enabled functionality, although one can imagine at the extreme authors continuing to update their work ad infinitum, making it impossible for a reader to say he or she has read an e-book since content is always subject to change. Information flows in the other direction on the Kindle superhighway too, as Amazon apparently keeps track of what readers are highlighting. There’s some creep factor in Amazon knowing what ideas Kindle readers think are important, even if the most highlighted passages are in works as deep as The Lost Symbol. But the information is also so interesting.

The remote control. In April, Sony quietly revised the End User License Agreement that came with the latest PS3 firmware update to allow the company to change how an owner’s console operates in whatever way it wants, no notice or permission required. Now the FCC, at the request of the MPAA, has given cable and satellite providers the right to remotely disable output connections on consumers’ set-top boxes, leading consumers to ask “What did I buy?”

Curated Computing is the new name in town for the experience provided by the tablet non-PC. This particular term is meant to accentuate the “less choice, more relevance” aspects of that experience. It rolls off the tongue more smoothly than “contingently generative” and sounds less regressive than an “appliance,” but it connotes somewhat life aboard the Axiom. However, its proponents suggest that curated computing devices are meant to exist alongside and supplement traditional PCs. Let’s call that a worthy goal and the best of both worlds.

iPhone pillow talk with Steve Jobs. A ValleyWag reporter last week exchanged late-night emails with a defiant Steve Jobs on the iPhone’s ability to give people “freedom from” data theft, battery hogs, and porn. The emails speak for themselves, giving a little insight into Jobs’ perspective on the benefits and aims of the iPhone. He gets a little snarky at the end, but then again it’s 2am when he’s responding, and he never has a chance to clarify his comments, unlike the Gawker reporter.

Android outsells iPhone. During the first quarter of 2010, phones with the Android OS grabbed 28% of the U.S. market share, surpassing iPhone’s 21% (RIM’s Blackberry is still at the top with 36%).  Although Android benefited from Verizon’s buy-one-phone-get-one-free promotion and iPhone continues to lead worldwide, it appears Google is getting closer in Apple’s rearview mirror.

McAfee prevents computers from booting up in new virus-protection strategy. Centralizing security software in a few big providers concentrates expertise to solve problems, while also meaning that there are only a few–albeit strong–security systems the bad guys need to breach in order to wreak widespread havoc.  But in a previously under-appreciated risk, a flawed update of widely-used antivirus software can cut out the middleman and accomplish the same havoc directly.  A McAfee software update mistakenly identified a critical file as a virus and quarantined it, causing computers around the world, many of which automatically install updates, to repeatedly attempt to boot up.  One source estimated that 800,000 PCs were affected.

Taking [re-]generativity seriously. A Connecticut mayor donated her kidney to a Facebook friend last month after seeing his desperate status update.  The patient’s doctor had suggested that he try publicizing his need through social media, using an online connection to a forge a real-world bond.

Whoops: Five days later, Steve Jobs announced modified Apple developer rules banning use of “intermediary” tools such as Air—in other words, there will be no more cross-platform development. Adobe employees: not happy.

This is starting to sound pretty antitrust-y. It’s hard to think of any logical reason Apple cares where an app’s code originates—unless, of course, it just wants to hurt Adobe at every turn. Unfortunately, it’s been hard to find knowledgeable people analyzing actual antitrust law—anyone know of a good blog? (For what it’s worth, this old post from the Antitrust Law Blog indicates that the tech sector, including Apple, is under heavier scrutiny from the DOJ and FTC.)

Not surprisingly, there are rumors a lawsuit is brewing.

As usual, there’s another chapter in this saga: Flash translation. In a related but not identical story, Apple has long been hostile to Adobe’s Flash multimedia platform, citing stability and security concerns for refusing to offer Flash support for the iPhone and iPad. This puts websites that use Flash in a tough spot and limits iUsers’ access to content—75% of web video according to Adobe. Enter RipCode, which has developed a server-side translator solution. If an iPhone user attempts to access a Flash video, the “transcoder” detects the platform and translates the video into a compatible format. Since the transcoder is run off the website’s server, it doesn’t require Apple’s approval. Assuming it’s reliable, this is a nice example of a how the generative web allows enterprising developers to solve problems (or, depending on your point of view, do end-runs around the rules).

—By Jennifer Halbleib and Elisabeth Oppenheimer

-Prof. Z was elected to the Internet Society’s board of trustees for a three-year term. The Internet Society is an international nonprofit organisation founded in 1992 to “provide leadership in Internet related standards, education, and policy.”

- For those who missed it, the audio of the interview featured on WNPR (April 30) on “What’s Next For the World Wide Web?” is up on the web!

-The Zittrain Twitter feed has been added to the site. Of course, you can always follow the professor directly through Twitter if you set up your own account (it’s free).

-Prof. Z participated in a workshop hosted by the Harvard Kennedy School titled “Cultures in Common: 50 Years of Reflection on Science, Technology, and Society” on May 8. He spoke about “Ordering the Wild Frontier: The Cultures of the Internet”

-Z was in London on May 19 to deliver a lecture on “The Future of the Internet: Private Sheriffs in Cyberspace” for the Society for Computers and Law.

Coming up…

-Celebrating the 10th anniversary of the Cluetrain Manifesto, Prof. Z will talk with Cluetrain authors Doc Searls and David Weinberger at Harvard Law School  on June 16. The event is open to the public. More info here.

-Z will deliver the keynote “Future of Video and How to Stop It” on June 20 at the Open Video Conference in New York.

April 7: The Harvard Law School News reports on Prof.Z’s talk at the Computer Emergency Response Team Coordination Center’s 20^th Anniversary Technical Symposium at Carnegie MellonUniv.

April 13: Prof. Z talks to PayPal and Clarium Capital founder Peter Thiel about whether monopolies can save the Internet. Click here for video.

April 15: Prof. Z interviews Daniel Hoffer, Founder and Chairman of CouchSurfing. Click here for video.

April 19: “In a down economy, one might surf for an hour rather than spend $15 at a multiplex,” Z says in Cnet article on online piracy.

April 22: Interview (podcast) on Command Line. (updated 4/23)

April 28: Discussing the Wolfram Alpha demo with Stephen Wolfram (updated April 29)

* On NPR’s On the Media, Prof. Z talks about the future of the internet and security issues

* Z introduces  Herdict on the World Technology Podcast 234, Air Mozilla (Media player available on Air Mozilla’s website), and Radio Berkman.

-yvette wohn

Snowfall in Cambridge is keeping people at home but perfectly illustrates situations that can be solved with ubiquitous human computing. Prof. Z discusses this concept of using remote human resources in a recent interview with Nokia’s Ideas Project. Cheap networks, he says, enables organizations to get things done regardless of location. Bad news for those who enjoyed sleeping in on a Monday morning.

Prof. Z’s working paper on ubiquitous human computing can be found here.