Review of The Future of the Internet
Cyberlaw expert Jonathan Zittrain's latest book, The Future of the Internet—And How to Stop It (Yale University Press, 2008; licensed under CC-BY-NC-SA and freely available online), is a thought-provoking analysis of the temptations and dangers inherent in attempts at making the Internet safer by limiting its flexibility and openness. Zittrain holds degrees in both computer science and law, and is a professor of Internet law at Harvard University; he is thus well-versed on both the technical and legal aspects of the Internet. The book convincingly demonstrates that security threats from malware and botnets are increasing at an alarming rate and will soon reach a point where people will feel that "something must be done." But overreaching steps to contain these threats, Zittrain says, might damage the Internet as much as worms and spambots.
The book begins with a history of personal computers and computer networks, comparing them with other technological developments. An interesting analogy is drawn with AT&T, the company which, throughout most of the 20th century, controlled virtually every aspect of telephone services in the United States. AT&T attempted to prohibit any intervention or modification of its system by outside parties, and even waged a long legal battle against the sale of the Hush-A-Phone, a small cup-like device attached to the mouthpiece which purported to prevent bystanders from listening in on the conversation. A court of appeals ultimately allowed the sale of the Hush-A-Phone on the grounds that it did not "affect more than the conversation of the user," but devices which directly interacted with the telephone system were prohibited for many years. Only in 1968 did the FCC rule that proprietary devices could connect to the AT&T network, as long as they did not damage the system. The result was a diversification of the uses of the phone network, with answering machines, faxes and cordless phones entering the mainstream.
AT&T's phone system was an example of what Zittrain calls "non-generative technology." The entire system was designed and maintained by a single large company with little incentive to seek improvements, and amateurs or hobbyists were not allowed to fiddle with the parts. Early computer systems followed a similar marketing strategy: they were rented along with a service contract. Zittrain attributes the explosive growth of personal computers to the fact that programs could be written by anyone, easily distributed, and used for purposes beyond the original intention of the manufacturer. For example, Apple was not even aware of the existence of VisiCalc, the first spreadsheet program, when it noticed the resulting increase in the sales of its personal computer. A similar effect occurred when proprietary networks such as CompuServe and AOL were drowned out by the Internet, in which the creation of content by anyone was much simpler. In Zittrain's words, the PC and the Internet are "generative" in that they have a "capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences."
But the generativity of the Internet can also be the cause of its downfall, since malicious software can be written and distributed as easily as the next revolutionary product. While the Internet was never designed for security, until recent years there was little economic incentive for breaking into other people's computers. This is changing, though: innocent computers are unwittingly incorporated into botnets and used for various spam-related purposes, or even for waging DDoS attacks on websites for a ransom. The figures cited by Zittrain are truly alarming: by some accounts, upwards of 10% of all computers on the Internet are part of a botnet. And at one point, a single botnet used up 15% of Yahoo's server load for a spam-related task. It seems that severe Internet disruptions may well become more common in the future.
Zittrain is worried that the public will eventually come to distrust the network, and will seek safer (but less generative) alternatives instead. Some such alternatives are already available on the market. For example, the iPhone is basically a computer with a wireless network connection, but it can only run software approved by Apple. Even personal computers are sometimes locked down to various degrees, with many workplaces now prohibiting users from installing software on their office computer, for fear of introducing viruses.
Will this trend continue, with people buying "boxes that look like PCs" but are actually only web browsers, and offices going back to the days of mainframes and terminals? Personally, I remain skeptical. There are many far less severe methods for dealing with an increasingly hostile outside network. Even completely disconnecting an office network from the Internet, a rather severe step, would not destroy generativity altogether, since innovative products could still be introduced by traditional CD-ROM installation. And I find it hard to imagine corporate IT departments giving up the ability to separately purchase products such as word processors and backup software, without being tied down to a single supplier. However, the world we live in, in which universal unobstructed Internet access is taken for granted, may change in coming years. Zittrain is correct that we should recognize this possibility and prepare for it.
Wikipedia and the future of the Internet
The book concludes with a wide and varied set of ideas for increasing the safety of the Internet without losing its generativity. Interestingly, many of these ideas arise from an analogy between Internet worms and Wikipedia vandalism. Like all generative systems, Wikipedia faced problems as its popularity grew: in this case, the problem of vandalism resulting from the "anyone can edit" policy. But rather than massively protecting articles, vandal fighters, equipped with appropriate technology, keep the situation (more or less) in check. Why can't something similar be done for Internet worms? There are many reasons, but Zittrain cites the ease of crowdsourcing a simple task like RC patrol as opposed to the difficulty and technical skills required in identifying and fighting malicious code. Nevertheless, there are some intriguing collaborative efforts in this direction, such as StopBadware (co-directed by Zittrain), a nonprofit organization using a volunteer computational grid to identify malware. None of these solutions will entirely neutralize the threat of network abuse, since eventually malware writers will attempt to infiltrate the malware-fighting volunteer networks themselves. But that would really mean that such efforts are beginning to show success, just as vandalism on Wikipedia is an indicator of Wikipedia's popularity. And, like vandalism on Wikipedia, such problems can probably be dealt with with as they come along.
Some of the problems described by Zittrain are also confronting Wikipedia specifically. Many people have an obvious economic incentive in altering the content of Wikipedia to suit their needs. Thus, it is not inconceivable that vandalism will be transformed from a graffiti-like nuisance to a profitable business. If this happens, we may one day have to deal with massive, multiple-IP, botnet-driven advertising, inserted simultaneously into thousands of marginally-related articles. If a single botnet was able to occupy a sizable portion of Yahoo's server load, how will a small corps of vandal fighters deal with such an attack? These questions are beyond the scope of Zittrain's book, but perhaps we Wikipedians should think about the matter sooner rather than later.
Ultimately, there's a place on the Internet for restricted appliances alongside more generative (and less reliable) counterparts. I fully agree with Steve Jobs, who said at the launch of the iPhone that "[t]he last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn't work anymore," a statement which Zittrain seems to view with some reservation. We want phones to be highly available and rely on them for emergency services. There's a reason why the Skype website warns that "Skype is not a replacement for your ordinary telephone"; that sort of reliability just isn't available on the Internet. The popularity of restricted appliances like smart phones does not necessarily threaten the continued existence of traditional PCs. But any effort at increasing the safety of the net, while maintaining its generativity, is a worthy endeavor.
Check back for the next Signpost on August 31.