Jonathan Zittrain Keynote at “Trust or Consequence: The Web’s Reputation at Risk”
Beau Brendler, Director, Consumer Reports WebWatch
Jonathan Zittrain, Professor of Internet Governance and Regulation, Oxford University; Co-Founder, Berkman Center for Internet & Society at Harvard Law School
Stephanie Hill, Voice of America
Stephen Balkam, the Internet Content Rating Association
Note: This is an edited transcript of the proceedings.
Beau Brendler: I’d like to introduce Jonathan Zittrain. Back in June, I went to a seminar at Harvard Law School, which was very enlightening. While there, I heard Jonathan speak and was very enlivened by the way he approaches this topic.
Heaven knows that there’s a great deal of abstractions and technical data and terms and such in this field that can sometimes have a numbing effect on the brain, but the great thing about Jonathan was he really turned on my brain and a lot of the other people who were there. Sometimes a topic like Internet law can be a bit heavy, but Jonathan’s speaking ability and his on-target pop culture references are terrific.
He holds the Chair in Internet Governance and Regulation at Oxford University and is a Principal of the Oxford Internet Institute. He’s also the Jack N. and Lillian R. Berkman Visiting Professor for Entrepreneurial Studies at Harvard, where he co-founded the Berkman Center for Internet and Society. Jonathan’s research interests include battles for control of digital property, and content, cryptography, electronic privacy, the roles of intermediaries within Internet architecture, and the useful and unobtrusive deployment of technology and education.
He has recently co-authored a study of Internet filtering by national governments and is writing a book about the future of the now-intertwined Internet and PC. I think you’re really going to enjoy what Jonathan has to say, and please welcome him.
Jonathan Zittrain: Thanks so much, Beau. Good morning. Oh boy! Good morning! All right, there we go! If you can’t get the press riled, what can you do?
So I’m delighted to be here and delighted to be here on the occasion of seeing yet another element of the stop-motion photography that these WebWatch reports represent as consumers are trying to react to the Internet. And when they — consumers, right, we mean consumers — these are people being ferreted out that are grandmas, grandchildren, people using the Net who aren’t necessarily expert at it, and not surprisingly, perhaps, to many people in the room, not entirely happy with what they see online and looking for some form of lodestone.
So what I thought I would do is reflect a bit on this year’s report and some of the findings that seemed notable to me against a backdrop of the fact that the puzzle underneath is itself in motion right now. I mean, if you just think for a minute as to whether you believe that 10 years from now, when we pop open – will it be a laptop? Will it be something else? – and surf, will we still be dealing with pop-up ads? No, clearly they will have gotten into the temporal bone of your jaw by then, right? With like a molar pop-up of some kind — I mean, right? It’s going to be different, and trying, however dangerous it is, to look around the corner and see where today’s trends are leading us is part of what I want to do as we integrate where consumers are right now on the Web.
As you’ll see, I’m pretty convinced that Internet 1.0, as I roughly call it — the Internet that existed really from 1969 onwards in the mainstream, from 1995 onwards — is in fact a dodo bird, and we’ll be telling our grandkids about it. And the question is: Will we be saying, “Boy, were we kind of lame, clicking and surfing?” Or will we be saying, “Those were the good old days.”
So that’s what I want to talk about today, and I wanted to frame the remarks with this image. This is a fellow in South Korea holding up a solar-powered radio. The fact about this radio, which makes it remarkable near South Korea but not here, is that you can tune it with a little analogue dial up and down the frequency modulation spectrum. It turns out that in North Korea, if you have a radio, by law it must only be quantum tunable to one of like four radio stations, you know, like the Kim Jong-il Hour, the Kim Jong-il Day, the Kim Il Sung Hour, that kind of thing, but not anything in between. In fact, there’s a project going on in South Korea right now where the plan is actually to take a bunch of those solar-powered radios and put them under helium balloons and float them over the border into the waiting arms of news-hungry North Koreans.
So I think it will become clear later why these images seemed appropriate to me to lead off the discussion, and not just because we’re here in the National Press Club, which is, I would like to think, the beating heart of free speech in this city. I don’t know why you’re laughing cynically at that characterization. On my way to the bathroom, I did pass the First Amendment Lounge, and I haven’t yet been inside — I’m very curious what I’ll find. If it were the Second Amendment Lounge, I would not venture in. And if it were the Twenty-first Amendment Lounge, right, it probably wouldn’t be very interesting, right? Now we’re identifying who the lawyers in the room are! That’s the Temperance Lounge.
So let’s talk about the good stuff: Why we like the Internet. Because I believe that pretty much everybody in this room, if you showed up for this, does. I think we like it because — and I realize this is a bit of a new term to coin — because it is generative. I want to explain what generative means, and I’ll do it first as we think about those laptops I referenced, what their forebears were. And one forebear of the modern laptop is the Friden Flexowriter, a near neighbor to the teletype that used to be at the front of the Press Club here, spitting out the AP story at 110 baud—do you remember that? Bu-bu-bu-bu-bu, that kind of thing.
So this is Friden Flexowriter. It looks a lot like a Royal typewriter, except it has up along the left here, this little area where you can thread tape, and as you type, the tape would be threaded through — there’s a side view of it — and it would make indentations in the tape and it would be a record of what you had typed, and then you could then take the tape and feed it back through, which would cause the typewriter to type out what had been recorded on the tape. If you actually took two scissors and tape, you could cut and paste your way to a mail merge. You could do actual mail merge letters and it would be easier than it is right now with Microsoft Word! So that was the Friden Flexowriter.
It was good at what it did, but it wasn’t going to do much else than what you saw. And that’s why even though it went through a series of improvements as we went into the fifties and the sixties, [inaudible] ended up buying it from IBM and we had — I don’t know how many of you remember in the late seventies, early eighties, those awful typewriters that had a little window in here with an LED, and people were supposed to do full [inaudible] copy and pasting looking at one line at a time? Like wow, those were the days! These were information appliances of a sort, but they weren’t PCs.
What makes something a PC? Well, it has something to do with this fellow, seen in his more carefree days. Bill Gates, having been pulled over at a traffic stop in Albuquerque, New Mexico, in 1977. What I like most about this photo is the smile on his face that says — this is like Tom DeLay kind of smile, if that’s what you’re thinking — yeah, that says like, “I’m going to buy and sell you all someday.” And he was right.
So what did Bill and others of his generation do? They built this kind of object and somehow conned us into buying it and putting it in our houses. Now what’s notable about this — this is a picture of a PC circa 1992 or ’93, you can date it by the little 66 LED light there — does anybody remember those? There was a button next to it and you could say whether it should operate at 66 or 33 megahertz, so you could downshift it if the hamsters inside were getting tired — I’m not sure why!
But the architecture of the PC has not changed in any meaningful way since this photograph was taken. And what do I mean by the essential architecture? I mean that this thing will run any piece of software that you hand it and the software can come from anywhere. You actually don’t have to be a rocket scientist in order to write something that ends in dot-exe. You put it on a floppy disk in 1992, you put it over the Net now, and voila! It’s running on the machine and Packard Bell or Hewlett Packard or whoever built the machine, or Bill Gates or Steven Jobs or whoever built the operating system, have nothing to say about it. It’s an incredibly repurpose-able unit in your house, and the reasons why you might have bought it don’t have to bear much relation to the way in which you actually use it down the line.
You start hooking that up to an Internet and you can move from so-called off-the-shelf software in the nineties, when you would literally go to the store, buy it, and it would sit on your shelf as you loaded the exe in. And you realize now you can get it over the Internet, so places like Tucows offer you all sorts of freeware, shareware, and other ware software. Or SourceForge.net is a place where people who write software can put up the source code, the recipe to the software, and others can download it and take a look at it and make changes, and it’s amazing how many projects and users there are at SourceForge doing exactly this.
Even after adjusting for the Theodore Sturgeon rule — he’s a science fiction writer that at some point was cornered at a convention and asked by a critic, “Isn’t it true that 90 percent of science fiction is crap?” and his answer was, “Ninety percent of everything is crap.” So even if you apply the Theodore Sturgeon rule, there’s still an amazing number of very good users and projects to be found for your downloading on something like SourceForge. So that’s the PC.
But I said times two. Times two is the amazing and unappreciated fact that the Internet — through historical accident in large part, it was not ordained that it had to be this way — has a very similar architecture. These are three of the Internet’s founders from 1969. They were actually classmates at Van Nuys High School in Southern California. We like did the French Club or the Chess Club. They’re like, “Let’s build an Internet Club.” And theirs did a lot better than ours.
Here they are posing for their 25th anniversary retrospective in Newsweek, holding tin cans and what look to me to be zucchini and squash — I think meant to demonstrate the principle that you can build a network, at least an Internet network, out of just about anything. Although the very alert observer will see that their network doesn’t work. It’s ear-to-ear and mouth-to-mouth, so I’m hoping that was an inside joke with these very smart men.
So they built a network, not because they had the fiber optic. They didn’t have coast-to-coast, ocean-to-ocean communications capabilities. They had to cadge it and borrow it and lease it using government and other money from other places. So as a result, they built a network that was meant to work over any old medium. They didn’t make it medium-specific, as almost every network that preceded it was, and they also built it so that it would pretty much be able to do anything.
Again, it seems so obvious now, but it is incredibly, to this day, revolutionary, because what it’s saying is, “We’re just going to build a network for which you can introduce any new part to it and not have to clear it through any central authority.” It can just keep growing and growing around the edges, like suburban sprawl, until what you thought was the suburb has become the exurb — or the exurb becomes the sub — I think it’s the exurb becomes the suburb, becomes the city, and there’s no central planning board to mediate. And what you get is a really big network for which almost any application can be put over it.
E-mail, the World Wide Web itself, all of these things, were almost afterthoughts to a basic network that took a packet from here and saw to it, without any grand conductor, that the packet could get from here to here the way, if we wanted, we could pass a microphone from person to person along the row and get it there without having any wranglers needed to move the microphones around. Being able to hook up any device or any user, so long as they followed the rules of Internet protocol, which was not secret. These were rules that were published, that were open for anybody to adopt, was another central feature of this network, and the fact that it was built this way, I suppose, let it out-compete its proprietary counterparts.
I don’t know how many of you remember if you had CompuServe accounts back in the day or America Online or The Source or, God forbid, MCI Mail. These proprietary networks that could only communicate with other people over the same network — and many of us, including me, I thought which one will be the network? Who will win, AOL or CompuServe? And who knew the answer was going to be the Internet?
So what are the features — what’s the ethos that could generate a network like that? And here are some of them. I say IETF Principles because those three guys and a number of other people are members of the IETF, the Internet Engineering Task Force, which in fact has no membership. It is not incorporated. There’s no place to serve it process if you want to sue it. It’s basically a virtual organization. You basically know whether you belong. I clearly would not since I’m wearing a tie.
[END OF SIDE A]
Jonathan Zittrain (continued)
…if there is consensus, which means no vote is taken to establish trust on an outcome, they call for a hum. They ask for everybody in the room to hum and that would determine, more or less, everybody hearing the hum, you can pretty much tell whether it’s rough consensus. Maybe a few dissenters humming as loudly as possible, but pretty much it works or it doesn’t.
So what are their principles? Keep it simple. They didn’t get into the feature creep problem with the network, the way that some other instrumentalities, as they enter Version 7.0, now called 2005, do, right? There’s no bouncing paper clip on this network saying, “I see you’re trying to email a resignation letter. Would you like some help with that?” No, you’re left to your own devices on that sort of thing.
Keep it open. Understand that growth can come from anywhere, and that your purpose in designing these protocols is not, oddly enough, to collect what one PC architect once called a “vig.” Not to collect a little tax on everything that flows from your innovation, but instead, just to [inaudible] a bloom and see what happens. As we sit in the room and argue about our protocols, technical meritocracy — the smart idea should win, the dumb ideas should lose — that’s democracy for you. Or is it? I guess that’s technocracy for you.
And finally, the dual-killer assumptions: That people are reasonable and nice. These assumptions permeate the fabric of our Internet, and if there’s anything striking about it, it’s that they lasted and have served us as well as they have for as long as they have. This is the Internet for which, when it came time to establish people’s identity for the purpose of sending e-mail, they didn’t think of some central database that would be housed on servers and you authenticate to the server and you pick a name and you make sure it’s different from everybody. No, you just say to your e-mail client who you are, and that’s who the network assumes you are. That’s what you call a distributed database because who better than you knows who you are? But of course, it means that any of us could say that we are W at WhiteHouse.gov, send it to grandma, and chances are good that it would look just like the e-mail she’s already getting from that person.
So this has long led some people, technical people included, to question whether Internet protocol itself can work. IBM was famously quoted in 1992, saying, “You can’t build a corporate network out of TCP/IP, out of Internet protocol. You’ve got to use a Novell net or Banyan LAN Manager or something else that just somehow one day it turned out you weren’t using it, you were just somehow magically networking, and all that stuff that cost so much money that never quite worked went out the door.”
That’s why if the IETF had a mascot, which it does not, it is said that it would be a bumblebee on the surely apocryphal story that an aerodynamic engineer in the twenties famously said that bees, in fact, if you look at them from an aerodynamic perspective, can’t fly. Their fur-to-wing ratio is just not right and they won’t work, and then, of course, the bee flies. And that’s the metaphor for the Internet.
I suppose if we wanted to extend the metaphor, not in the direction of a sting but in the direction of, well, how many bees do you see flying like in the rain? It may make you wonder just how durable this model is, and I’m going to return to that in a moment.
But first, I want to emphasize just a little bit more how wonderfully generative this open network coupled with this open personal computer — and when I say open, Windows is just as open as Linux for these purposes — how generative that combination has been. All of these services we see, some of which have come from traditional offline institutions and people, some of which are entirely new inventions, some of which you get to through a standard Web browser online, others of which you download some component to your computer and run, and it interfaces with something online. Each of these things has come through the Internet without any central permission being orchestrated, and in some cases, just being started by one or two people in a corner, thinking, “Hey, maybe this will work.”
I don’t know if you’re familiar with [inaudible] model in South Korea of having citizen journalists who get paid 30 to 50 bucks a pop for writing an article that then some central editors look at and decide whether to put over the wire, that has become one of the most popular news sites in South Korea.
Or Wikipedia. Wikipedia is something that has finally, I think, come into its own. How many people have heard of Wikipedia? You can hum, right? Yeah, so there’s consensus that we’ve heard of Wikipedia. I looked up the Consumer Reports Wikipedia entry and there is one there. It hasn’t been gone over that much. It opens with basically some stuff from the Consumer Reports Web site. This wonderful use of the passive voice. “It is called into controversy,” right? Like by whom exactly? We have no idea because, of course, Wikipedia entries are editable at any moment by anyone, so you could just say, “Consumer Reports is a poopy-head,” save it, and that would be the entry for Consumer Reports thenceforth, unless somebody wants to revert it.
Here we see just the recent history. This is not a site that has had a whole lot of activity. Some of the sites on controversial topics like abortion or on the heavy metal umlaut — the use of an umlaut in the names of heavy metal rock bands — these kinds of pages of the Wikipedia get edited like that, and as they get vandalized, they get switched back by other Wikipedians.
This is an idea that clearly, if I or anyone else had gotten up at a podium like this five years ago and said, “All right, here’s the idea: an encyclopedia that the world will create and edit all together at any time,” right? I would be rightfully laughed out of the room. It’s a lunatic idea, and yet if you go to Wikipedia, it’s not bad, this particular entry’s not a very great contribution to humankind’s knowledge notwithstanding.
So we take a look at the study and we see from Evans that I’m amazed at this, right? Because mature people are less trusting of the media than those cynical Generation Xers and Yers. Isn’t that odd? People are getting more as you go, trusting of what they see as they get younger? I guess they’ll have to get burned several times before they finally become a little more trusting.
Now of course, this is for television and newspapers. We saw the difference of questions about blogs showing less trust. But this raises wonderful questions about when a generative Internet hands you a Wikipedia, how do you inculcate into students at school who are writing reports that it was one thing when you paraphrased Encyclopedia Britannica — now that was a book report!
But paraphrasing the Wikipedia, well, that’s dangerous. We don’t know what that information might be. It actually calls for cascading adjustments in the way that we’re teaching our kids and asking them actually to critically assess information online. I don’t think we can be disappointed that even the most trusting are still only up to 75 percent. I think it’s okay not to be trusting, right? It’s kind of like, Well, trust but verify, sort of thing, and maybe this kind of instrumentality gives you a chance to triangulate and to see whether or not something you read in one place appears to be echoed or not in others.
Other forms of creativity, of course, are blossoming, thanks to PCs running ever more powerful software that let kids and others edit stuff, create stuff. This is the best I could do on an Etch-A-Sketch. This is what some really talented people can do on an Etch-A-Sketch. This is what some embarrassingly talented people can do on an Etch-A-Sketch. That’s one of those like, “Please-don’t-shake-the-Etch-A-Sketch” Etch-A-Sketches.
That has really gone to town online in all sorts of wonderfully generative ways. People are using these particular instrumentalities to do things that just hadn’t been anticipated before, whether it’s remixing Howard Dean’s scream a thousand different ways and helping to bring down his candidacy, or the Crazy Frog Axel F ringtone which, in fact, made the top of the British pop charts. A ringtone! Was the No. 1 single in Britain, invented by some guy who primarily went Brrrrr, like that was it. This is what should be scaring the publishing industries! Not piracy and demand for their products, but the fact that this can supplant their products.
The fact that podcasting, invented by a handful of people, could be taken up in its second generation by Apple, bundled into an update of iTunes, and before you know it, if you’re interested in Harry Potter, here’s the Muggle-cast and others, just people in a room with a microphone getting interviews with other people in rooms with microphones, putting them online. People are actually listening to this stuff. Again, something that should be sending a signal that there’s so much new and good stuff out there.
All right, so what’s the problem if this is all the good stuff going on that suggests that the next generation won’t just be clicking on Web pages the way that perhaps we have been doing ourselves with the Internet? The problem is exactly this generative Net architecture. Now I was just extolling it. What do I mean when I’m saying it’s also the problem? Well, two main problems here.
Problem No. 1: Napster – the old Napster, the illegal Napster. The fact that people could use this great generative instrumentality to write software within a week or two, to get that software out to the populace. The populace happily starts using it. The more people who use it, the more useful it is. And before you know it, it’s really easy to get your dose of television or radio or book or music from albums over the Net without having to go through the usual channels. And the publishers are not happy with this. They’ve tried technical interventions, they’ve tried legal interventions, they’re trying cultural interventions right now.
My favorite cultural intervention from the U.K. group assembled to deal with this program, it issued a bunch of recommendations. This is my favorite recommendation, that perhaps kids should put the copyright symbol on their coursework as they turn it in, presumably making anything less than A a derivative work and being able to sue the professor for not having gotten permission. Now I’m not sure this is going to be successful. If anything, it’s sort of just fighting against what we would think is the inevitable. But there’s another problem that’s going to change that, and it’s mediated by the fact that Bill Gates himself has long since gone straight. He’s grown up, his compatriots have grown up, and they are starting to produce products that are open to the idea of perhaps digitally locking down stuff. So that when a book says, “Don’t copy me,” it says, “Okay, I won’t copy you.” This book, a monastic manuscript from one of the Harvard Rare Book Libraries, I had to sneak a photograph of because I wasn’t permitted to photograph it. Not because it would hurt the book to photograph it, but just because Harvard owns it, even though I think, even given the term of copyright, it has since lapsed from its 14th century copyright. So it’s not a copyright issue; I’m not sure what it is.
What’s the problem that’s going to tip the balance, then, from what I’ve so far described as a trajectory of generativity that may be disruptive to some, but unless there are any members of the publishing industry in the room, it’s not clear to any of us, are all that personally exercised about it. And I think the answer is actually security. Now I don’t like to be joining what chorus there may be, typically of security vendors, saying how bad Internet security is. But as I actually look at it, I think we are headed for a metaphorical iceberg of sorts. And I want to describe why and say how it relates to the larger issues of trust that have been identified in this survey.
This is from the Computer Emergency Response Team Coordination Center data. They kept track of security incidents starting after the famous Morris worm in 1987, and you can see that there’s been an amazing uptick of incidents. They stopped keeping data in 2003 because it was too much trouble, there were too many incidents. So now it’s just “assume more” is what they’ve said. And I think they are right. Now why are they right?
The best explanation I can think of is this: The Cap’n Crunch Bo’suns Whistle. This was a toy, a prize, available in a box of Cap’n Crunch cereal in the early seventies. You took the whistle out, you blew the whistle, you annoyed your parents, like that was the prize. It turned out, however, that if you covered one hole of the whistle and blew, it emitted a tone of 2,600 hertz, which was exactly the tone that AT&T had chosen to indicate an idle line on their network. So you could pick up the phone, dial an 800 number, blow the whistle, dial your long-distance friend, and get free telephone calling with your Cap’n Crunch Whistle. This is true. Now this was a problem, right?
Word didn’t get around as fast as it would had there been an Internet at the time, but eventually AT&T caught on to this, and the telephone network — unlike the Internet — being a centrally managed thing, they fixed it, they plugged the hole. You can no longer get telephone calls with a whistle. Each generation has to invent its new way of getting phone calls. My brother, who’s a little older than I am, was going to the mall and accepting collect calls on a pay phone and accepting the charges — that was how he got his free phone calling. For us, it’s just Skype. So the lesson of this whistle is that you should not make your channel of communication be the same as your channel of control.
Let me explain that just a little bit more. You should not have it be that the customers who are supposed to be exchanging data with each other can utter any sound, if sound is to be your medium of exchange — and being a telephone network, it’s all about sound — there should be no sound they can utter to control the network. To control the network should somehow be out of that band, a separate wire from the pay phone that says whether a coin has gone in rather than a tone that the pay phone emits over the line that somebody could mimic with the proper whistle or device.
Now as I said, AT&T learned that lesson. The Internet has not. The Internet is exactly in this phase, and it has to be. There is no easy way to fix it. And why is that? Because the very data channels that communicate our instant messages, our Web pages, our music, are also the channels that communicate software, that move exe around, that give you updates to things, that let you download new stuff — whether it’s actual programs that you install and run or these little ActiveX or Java applications.
The line between data and program on the Internet is nearly invisible at this point, just as the line between the PC and the Internet itself has become invisible. And the ability to reach out to someone else’s PC and control it is exactly what we’ve signed up for, and exactly our biggest problem.
Now when we look at the survey and we see the fears that people have about identity theft and what they’ve been doing as a result of those fears, 53 percent say they’ve stopped giving out personal information online. Which is to say, they think they’ve stopped giving out personal information online. Thirty percent say they’ve reduced their Internet use. Now if that’s true, wow! That’s a serious consumer reaction just to fears about identity theft.
What I’m talking about is a far more fundamental fear that your very PC can’t stay your own. When you think of the penetration that a decently written worm or virus can achieve — which is to say about 40, 50, maybe 60 percent of the PCs operate at any time, and as they’re on broadband, that means you can spread among them in a matter of hours rather than days — once those PCs are penetrated, what they will do is entirely at the election of the virus writer. And the strange thing is, that of all those viruses, almost every single one has elected not to include the one-line instruction “Delete Everything.” If they simply put in a line to the virus, instead of having the virus say, “My purpose is to spread, so I’m just going to put you to work spreading me to other computers, who will then spread me, but that’s it. I have no other goal than to spread.” Or: “My purpose is to send spam. I’m going to put your computer to work sending spam once I’ve compromised it, but I’ll try to make it gentle so you won’t notice, and you can keep doing your thing and I’ll do mine.”
But instead, if they were to say, “No, on Tuesday morning, erase the entire hard drive.” Or: “Look for spreadsheet documents and just find some numbers at random and transpose them.” Think about that virus, right? Easy to do because once you’ve commanded the machine, you have the keys to the kingdom. And yet it’s the forbearance of the virus writers alone that stopped something like that from happening.
If we have a watershed moment where somebody writes a good virus — meaning one that gets a lot of penetration — and a truly damaging one, imagine what it would do to these kinds of numbers and how long it might take to recover, and how quickly it might change everyone’s attitude — regulators, software authors, hardware manufacturers — to what kind of PC and Internet we want to do.
So if that’s the problem, how do we solve it? Well, one solution is to ask users to be more alert. This is what people have been trying. So for example, on the Harvard Law School faculty, I get these junk mail things from our IT department. You’ve probably got these too. This one says, “Lately there’s been an insurgence of fraudulent e-mails at the Law School.” A low-level insurgency of fraudulent e-mails! Here’s my favorite line, of all the advice in this e-mail: “Be weary of e-mails that have misspellings, poor grammar or odd characters.” That’s like that’s just — I mean, that’s — you can’t make this stuff up! I just highlighted that and wrote back to them with a smiley face, and they said nothing! Now I’m convinced that I’m in big trouble with the IT department.
And of course, people have NO idea what to do. They know enough to know that if Miriam Abaka is writing them, like God forbid the day that the real Miriam Abaka is actually in trouble, because no one is going to believe her, right? Because that’s it, we’re sick of Nigerian generals. But it’s some other scam that might get us, and the national strategy to secure cyberspace from 2003, by Richard Clarke among others, basically acknowledges this. It has, the first half of this lengthy report, that basically says, “digital Pearl Harbor,” and the second half of the report on what to do about it is, “I don’t know.”
Now you can’t blame them because it’s not clear with a decentralized grid of the sort we have what you can easily do about it. So what did they do, of course? They called for a committee, the IT Information Sharing and Advisory Committee, and they funded it and here’s their operations center. I think up here in the window is either Steve Case or Jack Bauer, I can’t tell which. But there they are, and they’re monitoring the Internet every second. I’m just waiting for one day they’re going to go like, “Hah! The Internet’s down.” What should we do about it? I don’t know. We can’t reach anybody, the Internet’s down! It’s just one of those kinds of watch-and-learn sorts of things.
So what it has meant in practice is that we are left retreating behind our own cantons, trying to, I don’t know, bulletproof in some way our little corner of the Internet and the PC that increasingly contains information, data, and stuff that we care about so much and can’t stand to lose. This I think is not a functional strategy.
I was giving a talk at Fordham, at a conference at Fordham University, and wanted to get on a wireless network. And first it needed some kind of password, so I just turned to the student next to me and I was like, “What’s your password?” And so he gave me his password — that’s what hackers call social engineering! And I put in his password and it said, “Okay, we’re on, but we’ve looked at your machine and we see that you don’t have the Smart Enforcer running on your machine and we’re not letting you on the network until you do.” I was like, What the hell is the Smart Enforcer? Anybody heard of the Smart Enforcer? I was like, look, I was desperate to get online. I download and install the Smart Enforcer, so here’s the Smart Enforcer set-up wizard, and it says immediately now, “I’m sorry. Smart Enforcer has detected you don’t have Symantec Anti-Virus installed. You have to go get it and you have 55 minutes to do it.”
So all right, I go and I get Symantec Anti-Virus and I download this thing. I come back to run the wizard again, and it says, “No, no, you didn’t update your definitions. You took a shortcut. You’ve got to update your definitions with eight minutes left before we’ll let you on the network.” Okay, I update my definitions, I turn on Symantec Anti-Virus, which I’m a little chary of doing, and what’s the first thing Symantec tells me, now that it is finally up and running at the insistence of Smart Enforcer? It says that, “Smart Enforcer is trying to access the Internet and I should block it.”
Now this is like, you know, how many Pinkertons do you need in front of your house before they start fighting with each other? And you’re like, Am I feeling any more secure? No, I’m just feeling clueless. I have no idea what I’m supposed to do. And that’s where you look at the survey and you see people are saying things like they want to know who owns the Web site, who supports it, I’d like to see some seals of approval and things. People are into that, but it’s so hard to actually make good hay out of it with the chaos that’s out there, especially as applied to what should run on your PC.
So you get one of these things and you visit a Web site? How many of you have seen this sort of thing? Yeah, right, really everybody’s seen it. Now the other good thing about humming is that it sort of protects your anonymity.
Here’s the quiz: You see this screen, do you want to proceed? Yeah, right. You’re not going to stop. I write a name on this security, it doesn’t matter, I don’t care! Right? This could be like three yellow exclamation points and just an unhappy dog face or something, and you’d still go to the site if it’s something you thought you wanted enough. Here’s another great screen you get sometimes when you’re installing a new piece of software with Service Pack II for XP. “So, I see, you’re trying to run Merck 616 dot.exe. We can’t verify the publisher. Would you like to run it?” And your choice is Run or Cancel, and there’s this wonderful thing: How can I decide what to run? You click on that, it puts up a little pop-up: “Only run software you can trust.” What was I thinking, right? So what do you do here? You’ve set aside your Friday night. If you hit Cancel, you’re just back to where you were. So you know you’re going to hit Run, or even if you don’t, the idea that you have to be 100 percent right every single time as to whether you should be running something or not, you know you’re going to make a mistake. So I don’t think that’s itself the right solution.
So what else could we do? Well, how about a more alert Internet? And for a more alert Internet, this is a highly controversial idea, and the more technical the person you talk to, the more they will look at you as if you are a heretic if you should suggest such a thing. And that’s because, for the longest time, based on the ethos that I mentioned before, the Internet architects believed that the point is to route data — not to look at the data, not to judge the data, just to get it from here to there. And the solutions say to the fact that 80 percent of the e-mail messages going around right now are spam? They just get thrown out at the destination. It’s more bandwidth, so we don’t care.
All right, we’ll take the spam too, you know? That’s not a problem, say the makers of the Internet. But the fact is that there may be things that can be done that challenge their end-to-end neutrality system design principles, that may make life easy for the rest of us. So for example, if somebody’s PC turns out to be compromised and is spewing viruses undeniably, the idea that that person’s Internet service provider would be like, “Naw, it’s a customer service problem to shut them off. They don’t want to pay anymore. Then they call and ask what’s going on and I have to tell them how to disinfect their machine. I’m just going to let them pay their monthly fee, spew the viruses, I’ll route the viruses, end of story.”
It’s that kind of reluctance that’s making it hard to try to cut out at least the very worst part of viruses, even as I am one of the first to say that I am reluctant to see Internet service providers dragooned into becoming the network police, as say publishers and others have tried to do. So one question is, can we get them to work on security problems alone in a way that can prevent a kind of watershed event from happening?
And finally, while maybe there is some way to make the PC itself more alert, and when I look at the result from the report that says that, for instance, so many people are like, “Yeah, I’d like a rating system,” well, I take that at first with a little bit of a grain of salt. Why? Well, how many people have seen this window before? Yeah? This is built in to Internet Explorer. It’s a window that lets you, among other things, have the content advisor ratings, and you ask to enable those and, for instance, you can say, “I only want to look at sites that have no violence because my kid is using the machine.” On fifth birthday for the kid, it’s like, “All right, kid, you’re five, congratulations! We’re moving you up to fighting.” And then, when you were 10, it’s like, “Son, it’s time for killing.” And then when you were 17, it was a very good year! Killing with blood and gore.
Which, of course, leads to the question: What could possibly come next? What would the next step on the scale be? Notice it’s humans injured or killed, so they’re leaving out pet torture. And then level four is wanton and gratuitous violence. So this is people killed without good reason, and that’s the thing that you really shouldn’t be looking at. And it turns out nobody uses this stuff.
Now one reason I think people don’t use it is because it doesn’t work. Most sites aren’t rated as it turns out, so if you turn this thing on, it will assume that pretty much every site you see, including ConsumerReports.org, may have wanton and gratuitous violence since it hasn’t been explicitly rated, so you’re stuck in a sandbox that is very small. But I think it’s also because a lot of V-chip people say they like ratings, but if they have to actually implement them in any tangible way, the compliance rate starts to go down. So what we see in response from the industry are a rating scheme that is embedded. It doesn’t even pretend to be a rating scheme, even though it is.
I don’t know if you’ve ever seen this box about automatic update for your Service Pack II XP machine. If you try to operate without automatic updates, it starts hectoring you about every 10 minutes telling you that you’re an idiot and what are you thinking? Please enable automatic updates. So what does this mean?
It means every day at 2 a.m., your computer is supposed to communicate over the Internet with the Redmond, Washington, mothership and say, “Program me,” every day. And they can then send any code they want to update your machine, and voila, it’s done. The next day, you don’t even have to notice that it was done. Now this is good from a kind of Patriot missile point of view, saying, yeah, we’re going to just push those patches out, so that as we discover vulnerabilities, we’re just going to cure everybody that’s tuned in.
Of course, it does make you hope that they’ve well bunkerized the automatic update mothership so that on one fine Wednesday it doesn’t send out “erase the hard drive” to everybody coming in. And that in fact the same thing has been done for the sonic CD label stamping program updater, which comes bundled with something you installed. You’ve got it on your machine, trust me, and it also has automatic updates, so that if there’s some great advance in CD labeling technology, your machine can get it like that. And of course, it’s the keys to the kingdom. Once that thing gets downloaded, it may choose that CD stamping isn’t where it’s at, it’s all about some other completely new business model that’s now running your machine.
So I’m both seeing this as a promising avenue and highly, highly worried about what its implications are, because it’s turning our IT experience from a product into a service. And it means that all we’re doing at the end of the day is renting our machines and our experiences, rather than buying them and being able to count on them at whatever level they happen to be at the moment we close the sale.
What all these things point to is the end of the era of the free exe. With that change made, you want new software, your machine will say, “Well, I’m not so sure I want that software on me. For your own good, I’m not going to let that exe run because I haven’t heard of it.” In fact, anything from some obscure third party has to be not so trusted under this scheme.
That can invert the experience we have right now, where the wildly generative PCs we have can pretty much run anything, and the people who invented Gnutella put it on the Net on a Tuesday, withdrew it on a Wednesday because it turns out Nullsoft where they worked had been bought by AOL, and AOL was like, Wait, Gnutella can be used to pirate files. They withdrew it and it was too late. It was already out there. People implemented stuff along its protocols, and voila, in a week, everybody was running it. That kind of thing for better or worse is over. The very heart of the PC, the quality that I said made it not having changed in 20 years, is the quality that I say now might well be changing.
So as we move from this model of a general purpose information device, that can be reprogrammed at any moment, to a device that has one purpose, does it really well, does it much more reliably, and is implemented by somebody that you pay and that you can call — the 800 number, if there’s a problem — here the PC is becoming like a TiVo – Linux inside the TiVo screaming to get out, but you get the TiVo with something like this, that’s the kind of future I see. And it also means with automatic update that what you thought was a TiVo can become something different.
Here’s TiVo’s plans to introduce from an update watching ads while you skip the ads; you fast-forward the ads, it’ll show you new ads from TiVo. It’s not yet clear to me whether if you try to skip those ads, they’ll show you a third set of ads, but also here, TiVo trying to implement through automatic update copy protection so that various creators of programming can say, “Yeah, they can save it on their TiVo, but after a week, it’s gone even if they want to keep it.” These are the sorts of changes – again for better or worse – possible once you go to the information appliance model, whether it’s the set-top box or the voice over Internet protocol, reified into something named Vonage, or the Blackberry which does what it does really well, but don’t expect it to do a whole lot different that the Blackberry makers didn’t approve of. The cellular telephone.
Even the X Box, produced to be a platform for which people can write software for it, but before you can actually get that software out to the public, you need a license from Microsoft. That to me is the future, and I’m almost bemused that it isn’t the present. We’ve been getting away with something until now, and I fear that the new century will be quite different, no matter what the device. And in fact, it’s really the revenge of the Flexowriter. The independent unit that’s very reliable for what it does, but not at all pleasantly surprising.
It’s Mr. Coffee — that’s what we’re seeing for our future. And you know, all right, it’s a good cup of coffee, but Mr. Coffee is not going to make you hot chocolate one morning. It’s just going to do what it says that it’s going to do.
So is there any other way forward out of this, or is it basically just, well, that’s too bad. We need a more secure Net so it’s going to be a more boring one? And for that, I want to turn back to the idea that, well, people say they are wanting ratings and they’re willing to be responsive to ratings. So what could that mean?
Well, if we look back at this box, maybe we could take seriously the question of how you can decide what software to run. It might be that if we empowered people in a reasonable way to judge what level of risk they wanted to accept with the Web sites they visit, with the transactions into which they enter, or with the software they run – all right, they don’t want a zillion options, but they want more than one option as well. So taking that seriously is one way forward, and the idea maybe of saying, All right, anonymous software writing is interesting, but we should be skeptical of it. Let people stand behind the code they want, and if we know where they live and they’ve posted some kind of bond or they otherwise are findable and able to be held accountable, I might be more willing to run the software than if it just came out of nowhere, some random — you find a floppy disk in the gutter, chances are it came out of the helicopter pushed by AOL to sign up. But you wouldn’t just stick it in the machine and just run it. It’s only if it says AnnaKurnikova.pdf in an email that people are like, “Oh, I’ve got to click on this thing, no matter what the warnings are.”
As one colleague of mine said, “We license our cosmetologists.” So if somebody before they can wash your hair needs to be licensed in some way, why wouldn’t we think of some way of trying to license the people writing code? And then the question becomes: Where should this license come from? Right? Microsoft is one candidate because they’ve got auto update, they’ve got anti-spyware, beta going. That’s one natural place to say, “Trust us, we’ll tell you what software to run.”
A place like Consumers Union is another example. They’ve been rating stuff with — and I’m so sorry about that whole half-moon thing. I always get so confused — better than that, I like it — is there some way that those kinds of services can be put to work just as the WebWatch project has been trying to do?
Or is it to government we should be turning? I know somebody, at least one person from the FTC is here. What role might government play in this? Or is it just such a quintessentially American characteristic, the minute you say, “Well, government should help.” “No, no! Don’t want government’s help. They’re elected, they’re accountable. I want the help of somebody else that I can’t actually petition for redress of my grievances.”
So there are all sorts of players here fighting for our trust, and to give us credible information that we can use, including some that start to distribute it out. Like eBay, with a rating system, an up-down kind of system that’s so crude, and yet it works! If you want to read a book from somebody that has 9,000 thumbs-up over a course of five years, you’re like, “I’m probably going to get my book,” right?
So there are ways in which we may be able to deploy even the distributed experiences of consumers to try to get something done here. And if all else fails — I know there’s at least one person here from Public Citizen — Ralph Nader’s just going to do it, right? He’ll just tell us what’s unsafe at any speed and what is not. These systems are not perfect, especially the distributed ones. This is a real screen snapshot of the U.K.’s Amazon.com. I don’t know if you can tell what’s odd about this home page for the official Lego Creator Activity Book, but you can see here that the perfect partner is American Jihad: The Terrorist Living Among Us Today. Sometimes these automated systems don’t make the right associations. But you know, all right, it’s one point. “Oh, we’ll work on it! Mistakes are high, we’re going to try to make this work.”
Or on the supply side, we might – for instance, this is a Lenovo Machine with a little dial built into the keyboard. Its purpose from Lenovo is so that dad, mom, and kid can each have their own setting, their own virtual machine in essence, so the kid can switch over and have his messy desktop with the video games, and then back to dad when dad wants to do real work, that kind of thing. You could actually see virtual machine technology taking off so that that dial actually is like red, yellow, and green. And if you want to think in green mode, it’s a coffee maker. It’s not going to be able to run a whole lot, but what it does run will work. That’s the idea of green. And by the time you get to red, you’re like, “I’m ready to go off-roading. I want to get some mud on my flats. I want to try out the Skype I’ve been hearing so much about.”
And with maybe the flick of a simple switch, if the consumer can somehow go back and forth between the two, that might be a way to try to cut the Gordian knot of we know we need something more secure than what we have, but we don’t want to kill off the generative possibilities that have already gotten us so much that we have reason to think they’ll give us more in the future.
The capacity for any of us to tinker with the technology — and in tinkering, to enable others among us, the artists, to be able to do creative things — is what I love most about the Internet and what I think it has yet to fully realize. There’s so much more around the corner if we can just keep this ship from hitting an iceberg.
Basically, I want to go against the idea that among people – there are three kinds. There’s 02139; that’s MIT’s zip code — those are the people that can hack anything, I don’t care what it is, they’ll hack your pocketwatch. So they’re going to live in their own world and never be restricted by the technology.
There’s 02138; that’s Harvard Square’s zip code. They don’t care about the technology because they just read books, so it’s like as long as you don’t take their books away, they’re not affected by trust issues on the Internet.
And then somewhere in the middle is basically everybody else. And the question is: How do we conceive of what falls in the middle of this graph? Consumer is such an interesting word because it may be actually a little limited. I’m not suggesting we rename Consumers Union, but it’s about producing as well, whether it is blogging or contributing to the Wikipedia or making art or otherwise getting yourself out there in what’s becoming an international chorus of voices that, in many ways, is much more entertaining than what we’re getting from centralized sources. That’s what’s worth preserving in the middle.
That’s what I say is the challenge that’s before us, and which the annual snapshots we’re getting hopefully guide us to know how to keep consumers along for this ride, rather than just having it be a fun corner that only the technorati know something about, that only they get to listen to the full spectrum and the rest of us are just stuck on Top Forty. Thank you very much.
We have some time for questions if there are any. That was terrific. Jonathan came all the way from Oxford to do this today, so we are very grateful to him for that. Does anyone have any questions? We’ll take a few and then we’ll probably take a break because you’ve been sitting for a while.
I just want to ask a question. I’m Stephanie Hill from Voice of America. Professor Zittrain, I wanted to ask you about the ongoing debate about who controls the Internet and whether other countries should get involved? And I just wanted to know what you thought about that argument.
Yeah, I’m so glad you asked that. How many people have been following this particular debate that she’s been talking about? Yeah? Okay, both hands and hums. This is such a sideshow debate, so here’s my take on it.
There used to be one guy, one of the three pictured in the picture with the zucchini, Jon Postel, who managed domain names. Why? Because it was his Ph.D. thesis in 1969, a naming scheme so it wouldn’t just be a network of numbers, which turns out to be more mnemonic and allows for indirection. Because if you move your computer to another place and it needs a new number, so long as it has the same name, we don’t have to change our behavior on the consuming end. And then domain names were run sort of collaboratively, and then they were run under a government cooperative agreement, which meant the government just gave money, the U.S. government, to have certain firms manage the lists of names and who would claim them and where the names should resolve to what number.
Then there was a big fight in 1997, ’98 over it because one of the firms was making a big pile of money over it, and a lot of other people who wanted to have new names like dot-biz and dot-museum were finding it hard to get their names recognized by what was the de facto root of the system. ICANN was the result of it, a California non-profit run according to a Byzantine set of rules that was like, Let’s try to make an organization run by everybody — not just people on the Internet but people who might some day want to use the Internet, which turns out to be everybody. And ICANN has bumbled along with this and now there’s a controversy going on, where the World Summit on the Information Society, coming up in a couple weeks in Tunis, Tunisia, is considering under UN auspices who should control that root zone file? This is completely irrelevant.
Let me repeat that: This is completely irrelevant. Domain names are nearly meaningless at this point. If you couldn’t find IBM at IBM.com, what would you do? Yeah, you’d Google it and there’d you be. Now nobody’s talking about, Well, wait a minute, shouldn’t there be an international consortium to run Google, to make sure that when you type in IBM and are feeling lucky, it goes to IBM rather than Irving B. Moskowitz! Well, no, Google’s a private company, it has market share, whatever.
It’s historical accident that search functionality, like search engines, were private and that domain name system was quasi-public. Historical accident that the operating systems we use, primarily as consumers, are proprietary, issued by firms, but the network is open. It could have been a CompuServe network with Linux boxes all attached to it.
So this is all to say that the only thing really at stake with domain names is basically money, and not to be underestimated, symbolic pride — especially because John had the idea, beginning with dot-UK, that maybe each country should have its own top-level domain, and the minute you do that, there’s now national stake in who gets to run dot-IQ or you name the domain. Panama or Paraguay — which gets the lucrative “pa” domain? Those fights get made. So what will happen with that debate? I predict nothing. There’ll be a lot of fighting and the system is driven by inertia.
It’s Internet service providers who subscribe to the root zone anyway. If you move the root to some evildoer and that person were to suddenly point dot-com to somewhere else so that all the sites you knew as dot-com no longer could be found anymore, it wouldn’t happen because your Internet service provider would remember where the old dot-coms were and trust that more than the new one.
Thank you for a very informative and entertaining presentation. My question has to do with the overall either your opinion or if you see trends, as far as the future of access to Internet information, particularly paid or non-paid. Do you think consumers are going to drive the decisions, or would it be government and/or private industry, such as the software publishers, that will determine things in the future? And one example is, I think it was just last week, there was an article in The Wall Street Journal — I forgot the person’s name, he’s one of those sort of young high school brilliant — high dropout, brilliant —
That narrows it down!
Yeah. In Scandinavia, who has made lots of money with music, but he’s different than some of the other people that he’s against the Napsters of the world, but believes that once you pay for something, then a consumer should be able to do what they want with it. And so far in his own country, in Scandinavia, he’s been acquitted. Do you think that’s going to be more of a trend and will consumers demand more of freedom once they pay for something?
Yeah, yeah. And it’s funny, if you had asked this two years ago, I probably would have had a very different answer. But right now, my best sense of it is that we are generating kids at a faster pace than older people are generating laws and new technology. And that the kids are way ahead on this, that what they’re doing with the network just embeds very different assumptions about ownership of information, and that even our own assumptions about what’s fair and not with respect to information are kind of squishy.
There might be a lot of us, especially given people who create their own work and publish it, who say, “Well, I ought to have some say in getting paid for it and maybe even where it goes,” but we would be hard-pressed to find somebody who says, “If somebody sings your song in the shower, like you know, write me a check. Or get a blanket license for your house based on the number of showers you have.” There’s some way in which we feel the information ought to be free at some point. Either for some uses or after some period of time, it ought to be out there to be reused and made. And our kids are taking the lead on that.
The only thing that might stop it would actually be some sea change that makes the Internet itself such that most people are on an 80-20 rule going to the same small set of sites, and that these sites are basically driven roughly according to the configuration of old media. And if that’s done, then it just might not be that we’d be exposed to new possibilities.
But again, I don’t think the publishers ought to be worrying that people are so excited about what they’re producing that they’re basically lining up at the Washington Post as the printing press is putting out the papers, and hastening to deliver it to every house in the neighborhood. The idea of like, stop that, I want to pay my own trucks to do that is crazy to me. And the publishers are slowly coming around to this.