Friday, October 27, 2006

Jonathan Zittrain on the future of software and law

My old boss, Jonathan Zittrain (the only person I know with a two-letter domain), spoke yesterday at Columbia. I thought my notes from the talk (slightly edited) might be of interest to this crowd as well. The subject of the talk was 'PC as Appliance, Software as Service', and is apparently based on a chapter of his forthcoming book. The book is based on his excellent paper 'The Generative Internet'- something anyone interested in internet law should read, whether you agree with it or not.

The focus of the talk was on how PCs are going to become more and more appliance-like, or more service-like (think flickr), in response to safety and usability concerns, and what impact that will have on law and governance. The notes:
  • starts off with the hourglass diagram- everything on the internet goes through Internet Protocol- don't need to know a whole lot about the top if you're good at the bottom, or vice-versa: any task on any device can happen over any medium.

  • he pairs it with a PC hourglass architecture- any app on top of the OS which sits on any x86 box- app author doesn't need to know the details of a printer; OS hides that.

  • good that we have an open top of the hourglass- can create any new thing you want, including (for example) a slew of VOIP apps. This is all good...

  • ... except for a slide showing a graph of security incidents, which is a very, very steep upward curve.

  • next a slide of the cap'n crunch whistle: AT&T could be hacked because it used sound to control the network, so the control could be gained by issuing the appropriate sound. PCs are still at this stage- data we love to send around is also a program, so separating data and control vectors is approximately impossible, as long as you want to keep the system flexible and open.

  • So now two examples of attempts to educate the user: email from Harvard IT, and a web browser https security alert, both of which we all instinctively ignore, or (better? worse?) read and can't understand. Shows the Vista dialogs, which are prettier, but still unlikely to be useful, esp. since they default to off b/c of antitrust concerns.

  • MS auto-update is a problematic approach to security: besides someone potentially hacking MS and then wreaking serious havoc, you're asking MS every day 'how do I behave?'. Not just Windows; virtually every app is doing this now. Pushing software to be service rather than product- regular updates, just like any software.

  • Example: Tivo; discussion of difficulty of hacking it and tivo's retroactive removal of features.

  • so we get to Napster, and the 9th circuit ruling, which overruled Sony and the 512 safe harbor, and (in his mind) reasonably decides that the company should put in some technology that makes it easier to monitor copyright infringements.

  • Result: when Tivo sued a competitor for patent infringement in Texas, they are ordered in the case to update their software to disable it (which is possible since all DVRs have update functionality, obviously.) The next napster/grokster will likely have a software update functionality, and so could be forced to update it.

  • tangent re: GPL and software as a service: software on your own machine that you can't control is ~= web 2.0 software that is on another machine that you can't control. So JZ is finally aware of the web service GPL loophole.

  • his concern: we are about to see the end of the free-floating exe file. Will the clamp be perfect such that only good software goes through and only bad software is blocked? Seems unlikely- the filter will fail, and we'll still have zombies/viruses/etc. And so we'll likely gravitate away from general purpose PCs and towards special-purpose machines (Tivo, Blackberry, etc.)

  • The PC is a swiss-army knife, and so is pretty bad at most things, just like a swiss-army knife. So it is in many ways good if things get more specialized- they get more reliable, easier to use. But the worry is that if you've got no 'safety valve'- if TiVO is not threatened by MythTV, for example- then we have problems.

  • Tim Wu: Everyone having the same platform is a positive common good. JZ: the possibility for innovation is a positive externality that people don't price for- they get value from innovation/generativity, but they aren't willing to pay for it, so they are happy to buy something cheaper/stupider which fulfills their immediate needs.

  • Apple's security was discussed a bit; I stopped following the discussion for a bit to move this post from Tomboy to Wordpress.

  • Discusses the AMD Internet Box and the like (such as Xbox 360). Discussing the Xbox specifically, notes that the biggest difference between it and a PC may be the business model- you can't install anything on it unless the developer of that game has paid MS for the privilege. Thinks that the biggest reason PCs aren't on that model is historical accident, and that most things are moving towards the Xbox model, which would be bad for innovation. [Notes that MS execs haven't really thought about why these two models are different.]

  • Sees this pattern happening in other places wrt openness- wikipedia was really open b/c of generativity; now they have rulesets, bans, etc., and thinks this will become more intense as they become more popular. Really aren't popular enough yet- what happens when Wal-Mart has real interest in what the Wal-Mart entry says? How will they cope? Some form of heavier hand will be needed, most likely, which bothers the happy anarchists (like Yochai.)

  • Solutions:

    • revisit the 'sacred cow' of end-to-end neutrality: 'if you want a neat room, just shovel everything under the bed'. Simple network makes for messy end points, which are insecure. This makes your endpoint a middle from a choice perspective. So how do we, for example, quarantine machines on the network? That violates end-to-end but is probably better for generativity.

    • to borrow from global warming: for a long time, our ability to create pollution outstripped our ability to measure pollution. On the network, we did the same, so now we have a measurement problem- we don't know what is on the endpoints, how healthy they are, etc., etc. So he wants to build this- his 'dashboard'. Give consumers information about applications that is more useful, and based on information about mass usage, and which (being end-user-y and not MS-provided) can't be ordered to do evil things by the government. Emergent 'third way' between individual action and government action.

  • Q&A:

    • Notes that courts have ruled (in an SEC case) that your fourth amendment rights mostly vanish when you hand information to a third party, so your email is not likely to be particularly safe, even under the fourth amendment. In the context of this discussion, any app that records where people go or what app they run that is held by MS is not really legally protected.

    • Q: isn't an analysis of emergent network patterns conflicting with a tightening of end-to-end for security purposes? A: Definitely some potential tension, but sees them mostly as being at different levels. Notes that he isn't completely anti-end-to-end, just thinks it is a flawed heuristic.

    • Q: how will new users get on the net? A: very interesting issue; has traditionally been PC first, then get a TiVO or what have you. May get to it over the phone or over an xbox first in the future.

    • Q: I didn't get a sense that consumers will regret the problem. Is this path irreversible, once we go down it? Will people realize what they've lost? A: I'd love to believe that this would be the case, and we'd have a pendulum effect, where after a while, people suddenly want MythTVs. Worries that this is not the case because often we don't actually own our net access boxes- corporate environment, cafe environment, mobile phones- generally an increasingly locked-down world. Also, that more and more devices will have 'signatures' which create gateways to information- you can only get to the interesting content if you use a safe/locked-down device.

    • Q: Tim Wu: contradictory issues: you're saying that there is a security threat that will drive us away from this valuable, open model; but on the other hand, you're willing to compromise openness, both on the network and at the end-point. A: is there a big contradiction there? I don't think so; he calls it 'subtlety', and a warning to fellow travelers who worship at the temple of end-to-end that the security problem is very real, and the first order attempts to deal with it are problematic, so we must seek out better, more subtle solutions. Tim responds: so maybe what you need are criteria for what constitutes a 'legitimate' lockdown/end-to-end violation. Compare and contrast to how a cell-phone is locked down. This might sound like the war on terror; because we have to fight the war on terror we have to repeal the death tax. Is the fear of security the same thing here? JZ: very much so; if customers/voters are so scared that they really run in the non-rights/non-open direction, we move in the same way. Should pre-empt that.

    • Q: Clarisa Long: what about economic demands of users? A: because we couldn't kill napster with a button, we got a dialectic which led us to iTunes Music Store, which makes most people happy. He's not anti-TiVO, just worries about the loss of the safety valve, and impossibility of valuation of what you are missing out on in the future. Scott(?): this story is hard to tell, but you can tell stories about what people might have missed out on- MiniTel for example.

    • Discussion: Tim on MS: hasn't government been useful here? The antitrust suit has kept them on their toes; if they were like baseball, and got a free pass, would Windows be more like Xbox? JZ: maybe they'd at least block out new platform competitors. Scott: there is an assumption about PCs that isn't there with cell phones. JZ: baseline thought experiment re: net neutrality: suppose comcast added a channel called 'the internet channel' that allowed you to surf to pre-approved internet sites (like old AOL)- what then? Is that objectionable?

    • JZ notes that Google APIs/Google-as-OS is critically different from Windows-as-OS in that you can't take away Windows (right now); Google can, and it is totally within their Terms Of Service.

My two cents:

  • He only said 'generativity' twice, which he told me later was a deliberate attempt to simplify.

  • The notion that openness and anarchy lead to control problems even in organizations deliberately designed to be open and anarchic is very interesting, and probably worth thinking/writing about.
[image from the excellent 'Mr. T v. Jack Valenti, co-starring Jonathan Zittrain'.]


