The Future of the ‘iPatriot Act’

July 14th, 2008  |  by bballou  |  Published in Future of the Internet  |  9 Comments

Larry Lessig’s generous review of the Future of the Internet makes an interesting point:

“Whether a single event, or a coordinated event, whether intentional, or accidental, it is simply a matter of time before a catastrophic network event happens. And when it happens — think of it as a kind of i9/11 event, but the bad guys are not Al-Qaeda — will we be prepared for the inevitable iPatriot Act response? Are we better prepared than civil libertarians were when we were hit with the USA Patriot Act? Have we even framed the right debate?”

First, will there be an ‘i9/11’, and second, will it prompt an ‘iPatriot Act’? The actual chances of a catastrophic network failure are pretty slim. But were one to occur, it would probably look a lot like the attacks on the DNS root servers in 2007. Here’s what happened:

The 13 Domain Name System (DNS) root servers record who controls the Top-Level Domains (‘.com’, ‘.edu’, ‘.uk’, and so forth) and where. This file of information is quite small, and very few computers actually have to call upon the root servers to find the sites they’re looking for. But without them, the single Internet we’re used to would fracture, and computers would have no easy, reliable way to find the IP addresses they’re looking for.

On February 6, 2007, hackers launched a Distributed Denial of Service (DDoS) attack on the root servers, sending gigabytes of useless requests every minute in order to overload the roots and prevent them from responding to genuine Internet traffic. Such an attack was made possible only by harnessing the power of hundreds or thousands of ‘zombie’ computers infected with malicious bots.

The 2007 DDoS attack failed, however. Because the malicious network traffic was relatively easy to distinguish from genuine network traffic, and because most of the DNS root servers were able to distribute the requests over hundreds of component computers, only two of the 13 servers (each itself made up of dozens of computers) were affected. And this was the most successful such attack against the network. In order to noticeably disable network traffic, hackers would have to (in theory at least) destroy all thirteen servers.

All of this is to say that a catastrophic network failure, while possible, is unlikely. But that’s not to say there won’t be an ‘iPatriot Act’. In fact, we’re already seeing its development in agencies and hearings across the country, as regulators push policies that discourage open, generative products and encourage closed, tethered ones.

Take, for example, the Department of Homeland Security’s list of ‘best practices’ for software developers. Among the suggestions:

  • Don’t trust users: “Developers should assume that the environment in which their system resides is insecure. Trust, whether it is in external systems, code, people, etc., should always be closely held and never loosely given.”
  • Secure the end-points: “Attackers are more likely to attack a weak spot in a software system than to penetrate a heavily fortified component. For example, some cryptographic algorithms can take many years to break, so attackers are not likely to attack encrypted information communicated in a network. Instead, the endpoints of communication (e.g., servers) may be much easier to attack.”

In themselves these are not bad pieces of advice. But within DHS’s broader vision of online security, they indicate that the government considers safe technologies to be tethered technologies, and vice versa.

Take as further examples any of the current IP-enforcement laws working their way through Congress. H.R. 4279 would create an IP czar at the Department of Justice; S. 522 would create an entire ‘Intellectual Property Enforcement Network’; and S. 2317 would allow the Department of Justice to sue copyright infringers in civil as well as criminal court.

What’s interesting about these bills is that more often than not, Intellectual Property protection is packaged as consumer protection. In fact, just last month the Senate held a hearing entitled “Protecting Consumers by Protecting Intellectual Property”, in which witnesses and legislators advocated for the very bills discussed above.

What all of this amounts to is that agencies and officials are pushing increasingly closed systems of code and increasingly strict Intellectual Property regulations. Both of these encourage increasingly tethered appliances. We don’t need a catastrophic network failure to have an ‘iPatriot Act’: such an act is already in the works.

Responses

  1. James Morris says:

    July 18th, 2008 at 4:37 pm (#)

    I agree with your optimism about the basic network’s robustness in principle. It’s more like the highway system than a tall building.

    After 9/11 I began musing that the most vulnerable targets are ones with high potential energy and/or low entropy, e.g. skyscrapers and jet fuel. The internet, after all, was conceived as a thing that could survive attacks. The giant server farms might not be a good idea…

  2. The Future of Internet Security « Blurring Borders says:

    July 19th, 2008 at 6:23 pm (#)

    [...] this over-regulation has already started to take place, but it could certainly get worse. To help flesh out some of the important ideas about the future [...]

  3. nail says:

    August 8th, 2008 at 12:20 am (#)

    You can slap it around, spit on it, call it names, try to regulate it– it’s iNevitable. Not like a bad novel. No climax… just TIA.

  4. Alex Jones’ Prison Planet.com The Future of the ‘iPatriot Act’ says:

    August 8th, 2008 at 4:52 am (#)

    [...] Future of the Internet Friday, Aug 8, 2008 [...]

  5. phree says:

    August 8th, 2008 at 8:35 am (#)

    There is no need to pass an iPatriot Act, though the bills above do tighten down the surveillance conduits and make it easier for the government to block critical domains and enforce the DMCA. The Patriot Act, Homeland Security and DMCA all contain very onerous surveillance provisions that allow any investigator to tap into your computer via the internet IP on your machine. I am a Ph.D. working on describing data-mining and surveillance technologies. My research reveals that the deal was done in the Homeland Security Act. The pieces of legislation above just close the door for any last minute challenges.

  6. Cory says:

    August 8th, 2008 at 10:25 am (#)

    The elite are scrambling to patch the hole that is the internet. The emergent abilities of a global network — and, more specifically, of a public with access to that network — were not foreseen. We have them at a rare and vital moment of weakness; one in which their usual and known formulas have failed.

    But we must move fast.

    They are very adept at maintaining power, and the time will not last. We must be diligent, and move fast while we can.

  7. Patriot Act, The Future and Death of The Internet, etc. « THE “G” BLOG @WordPress.com says:

    August 9th, 2008 at 11:07 am (#)

    [...] Future of the Internet Friday, Aug 8, [...]

  8. Law Professor: There’s going to be an Internet 9/11 « noworldsystem.com says:

    August 10th, 2008 at 8:07 am (#)

    [...] The Future of the ‘iPatriot Act’ http://futureoftheinternet.org/the-future-of-the-ipatriot-act [...]

  9. Chris Grey says:

    August 15th, 2008 at 5:21 pm (#)

    I like how they only mention (.com, .edu, and .uk). Not (.net, or .org), and H.R. 4279 would create an IP czar at the DOJ? A czar?! This is ridiculous. The totalitarianism of this reeks, and that’s the pungent smell of evil.


Blog

  • From privacy to accountability at IAPP
  • I’m co-moderating a retreat with John Palfrey about the future of privacy, and one of the morning provocateurs was Hal Abelson.  He mused back on the days of SAFE — a campaign against a U.S. government proposal for a “Clipper Chip” that would permit, with a warrant, the government to gain access to encrypted data without the permission of the keyholder(s).  Hal supported SAFE, but today said that the best ways to implement the values of privacy aren’t so much in worrying about who has access to what data, but how the data is used.  If that’s the case, I asked, have you rethought your support of SAFE?  To my surprise, Hal said yes: at least in a place under the rule of law, the ways to protect privacy are through process rather than through technology that cannot be broken, even if the process is followed.  That’s a very interesting shift from the days when Hal and I were among five people teaching a course on the legal and technical architectures of cyberspace.

  • Disabling the iPhone kill switch
  • After praising the iPhone as wholesome as warm bread, Colbert takes to task the iPhone for its “kill switch” (“It actually kills you!”).  In the meantime, Gizmodo reports that there’s a “BossPrefs” app to disable it, joining the more labor intensive method of tricking the iPhone into thinking that the Apple update server is found on the phone itself.  (Hat tip: Patrick Meier.)  Both require that the phones be “jailbroken” — untethered from Apple’s control — currently a somewhat unstable and scary process that many have nonetheless tried.  A jailbroken phone can run apps from sources other than the iPhone apps store; hence the ability to install BossPrefs despite its absence there.

    Of course, completely untethering the iPhone from Apple can greatly reduce its functionality — and it gives Apple the practical option to reassert control over jailbroken phones by forcing owners to decide between complete isolation or a return to the sandbox.

    I’ve got an iPhone myself now and love it — and don’t find myself yet prepared to try to jailbreak it …

    …JZ

  • The iPhone kill switch
  • It’s been clear from the start that information appliances like the iPhone, tethered to their vendors, would have a kill switch — that’s just a subset of the vendor’s (in this case, Apple’s) ability to reprogram any aspect of the phone from a distance at any time.  In a world of third party apps, that means that Apple could kill any app, too.  After some breathless reporting caused by the discovery of a Web page meant for consultation by iPhones that lists bad apps, and debate about whether the switch was more modest — say, only to say which apps wouldn’t be allowed to use the iPhone’s GPS functionality, as a way to protect user privacy — Steve Jobs confirmed that any app can be killed.

    This isn’t exclusive to Apple, of course.  Microsoft offers a monthly “malicious software removal tool,” which unobtrusively goes through a PC to remove malware.  Presumably it would become much less popular if Microsoft, or someone regulating Microsoft, tried to use the tool to remove software that people liked; no one seems to have tried to get Microsoft to kill anything yet, though, and such attempts are limited since any new app can immediately be installed on a PC — including one that shuts down a Microsoft app-removal tool.

    On the other side of the spectrum, when Facebook kills an app the app is naturally not only unavailable to new users, but disabled for current ones, too.  So Superwall or Secret Crush can go from millions of users to zero in a heartbeat.

    So far Apple hasn’t seemed to try to kill any apps already residing on users’ phones.  Instead, it has “merely” yanked apps from the Apps Store, which is the only place to acquire them. Recently Apple got rid of the “I Am Rich” app, which cost the maximum $999.99, and simply featured a glowing red gem on buyers’ screens.

    iPhone I Am Rich app

    Eight people apparently bought it, with several receiving refunds.  (“Category: Lifestyle.”  Heh.)  The app’s author doesn’t yet know whether he’ll get the money from the rest, minus Apple’s 30% vig.

    So should we care?  Apple likely wouldn’t kill apps people like — they make money along with the authors.  And people think of an iPhone as a more unified device, expecting all of it to work at high quality, so gatekeeping might help keep malicious or poor quality apps away.

    On the other hand, people don’t know what they’re missing — and firms can be very bad, despite their own economic interests, in recognizing the value of truly novel contributions from outsiders that might take awhile to catch on.  Who would have invested in Wikipedia at the beginning?  And if Wikipedia required an incumbent gatekeeper’s approval or permission to get started, it might have failed to receive it — or languished at the bottom of a list of to-dos amongst hundreds of other apps and services awaiting review.

    The iPhone apps model is powerful, and it’s serving some useful purpose in shielding people, prospectively and retroactively, against bad code.  It’s so powerful we may see it extended to PC-like platforms, too, with the thirty-year run of open season for new software drawing to a close.  Without ways of managing that open season without a central gatekeeper, chances seem strong that most will accept — even demand — one.

    –JZ

  • What’s with the sheep?
  • Followers of Herdict’s progress may have noticed by now that our chosen icon is the sheep.  “What’s up with the sheep?” they might ask.

    “Herdict” is a portmanteau of “herd” and “verdict” – used to mean “the verdict of the herd.”  Since the goal of Herdict Network Health is to gain insight into what the world – that is, the herd – is experiencing in terms of web accessibility, we’ve chosen to go with a sheep to represent you, the herd.

    Now, you might be thinking, “Wait a minute…who are you calling a sheep?”  To many, the sheep is considered to be an unintelligent species content to simply run with the flock.  On the contrary, sheep tend not to follow the herd when no natural predator is present.

    While considering web inaccessibility and online censorship  as a predator might be a bit farfetched, when faced with it, it makes sense to join the herd.  And the more folks who do so, the better the picture we are able to paint of the network.

    For example, if you, User A, are in Morocco and find YouTube blocked, you will probably want to know if others are having the same problem.  With Herdict, you can see – in real time – if others are reporting the same phenomenon, giving you a better sense of possible reasons why the site is inaccessible.
    In other words, Herdict presents your verdict, allowing you, the user, to take control of the process and try to determine what’s going on.

    -Jillian C. York

  • Protect your PC, Protect our Network, Protect the Internet: JOIN Herdict
  • This fall the Berkman Center for Internet and Society (and JZ’s new home) will unveil Herdict, a suite of programs that gathers data from users around the world about their PCs’ performance and ability to access websites. Herdict aggregates this information and aims to provide a real time picture of users’ PC health and web accessibility.

About Jonathan Zittrain

Jonathan Zittrain is the Professor of Internet Governance and Regulation at Oxford Internet Institute, Oxford University, and co-founder of Harvard Law School’s Berkman Center for Internet and Society.


Creative Commons BY-NC-SA Jonathan Zittrain unless otherwise noted.