October 11, 2024

Posts Comments

Applications and Appliances: A Conversation with Jonathan Zittrain

January 9, 2012 by

Professor Jonathan Zittrain is well-known for his concern that the general-purpose computer may be disappearing. The recent rise of app stores is putting his fears in a new light. After trading some thoughts about the issues in the blogosphere, he and I sat down at our respective keyboards for a conversation about the future of computing. This is a lightly edited version of our exchange.

JG: I suppose the place to start is with your concern about “appliances”: single-purpose devices like the TiVo. What’s wrong with boxes that do one thing and do it well?

JZ: Nothing’s inherently wrong with single-purpose devices. The worry comes when we lose the general-purpose devices formerly known as the PC and replace it with single-purpose devices and “curated” general-purpose devices.

JG: In the last few years, the appliance has taken on a new face, thanks to downloadable apps. An appliance with an app store is no longer just a single-purpose device: it can do all kinds of things. But that, you’ve argued, doesn’t really fix the fundamental problem.

JZ: It may look like the best of both worlds, but I worry it’s the worst of both worlds.

JG: I wanted to focus on your critique of the Mac App Store. This one is interesting because it sells programs that run, not on a closed device like the iPhone but on a traditional, general-purpose computer. The day that Apple activated the Mac App Store, it didn’t reduce the Mac’s generativity one iota. Every Mac in the world was just as capable of doing everything it used to be able to do, just as easily. All Apple added was a new way to install programs: so they made the Mac even easier to use, without reducing its power. But you’re skeptical. Why?

JZ: Let’s see how much of an advantage a developer sees from having an app in the App Store vs. “sideloaded,” even on a Mac OS that doesn’t require jailbreaking for sideloading. To the extent that users are looking to the App Store for their wares, it’s a de facto limit on generativity even if not a literal one. But I agree that the real worry is if Mac OS should become routinely configured not to allow sideloading at all.

JG: So let’s take up some of the countervailing arguments. One that’s high on a lot of people’s lists is the idea that an app store is more secure because it’s more tightly controlled. And of coure, security is the major reasons you cite in your book The Future of the Internet for why computer makers and users may be tempted to turn their back on open, generative systems. What do you think the Mac App Store does for security, if anything?

JZ: As a security measure, I give the Mac App Store three out of five stars. That’s because the software it is likely to turn away is more gray market sludge ­ sloppily written or poorly documented ­ than outright badware. There’s nothing to stop a software developer from registering under a cat’s paw, especially to offer a free app, and then build a bomb into the app .­ It could appear exemplary while Apple tests it and users then use it, until a designated H-hour at which point all bets are off.

JG: I might not be so quick to dismiss the security benefits. We know that Apple does run static analysis tools against iOS App Store submissions. And then there’s sandboxing. Regular programs have substantially free run of the computer, but Mac App Store programs are severely restricted in what they can see and do. It’s as if they’re playing safely with soft rubber toys in a glass-encased sandbox: your solitaire game isn’t going to suddenly overwrite your spreadsheets. Doesn’t that have some significant security benefits?

JZ: Sandboxing can prevent some damage from an app bound and determined to wreak havoc, but sandboxing is a phenomenon independent of the App Store: Mac OS could implement it with or without Apple screening the software up front.

JG: True. But sandboxing and Apple’s code review go together. The code review ensures that programs are placed in the smallest appropriate sandbox for their needs. Apple will only let the application have permissions if really needs them to do its job: there’s no reason for a stock ticker to save files to arbitrary places. Without the up-front review, how many developers would voluntarily agree to play only in the sandbox?

JZ: The real question at the intersection of security and freedom is whether the user has an opportunity to choose to override the sandbox’s boundaries. If the user can’t do it, then a bunch of functionality is foreclosed unless Apple chooses to allow it ­ and Apple can be fooled as easily as anyone else by a truly bad actor. If the user can do it, there’s no particular need for the App Store.

JG: This is a question about routine practice and interface design. If I rarely need to override the sandbox’s limits, then when an app comes to me and asks for additional privileges, my eyebrows are more likely to go up.

JZ: Don’t forget that Apple reserves the right not only to prevent software distributions up front, but also retroactively: software can be removed from machines that have already downloaded it. Perhaps helpful in some limited cases of security troubles, but all the more troublesome as regulators realize that cats can be put back into bags.

JG: Well, if we’re thinking about retroactive nuking, Apple has shown that it can uninstall even user-installed programs. After the Mac Defender malware started tricking Mac users into installing it, Apple came out with an operating system update that uninstalled it. Yes, Apple gave users a dialog box with a choice, but technologically, there’s no reason it had to. Do you see a difference between this and the Mac App Store?

JZ: Only in how this evolves our conception of code and who “owns” it: if the app lives in the cloud, our expectations are that it’s a service, and a service can change from day to day. If it’s on our own machines we feel like we own it, and look skeptically — and vendors tread carefully — over attempts to modify it without clearing it with us first.

JG: How much of this is about the fact that this is Apple’s app store we’re talking about? Do you feel differently about app stores that aren’t offered by the same company that controls the hardware and the operating system? So take something like Valve’s highly successful Steam, which is basically an app store for games. It runs on both Windows and Mac, and it handles all of the payment and DRM for the game developers.

JZ: I worry less if there’s not vertical integration, but there’s still a concern if, through natural monopoly, we end up with a single gatekeeper or a mere handful of them. Hence Facebook’s platform as a worry, despite (or because of!) it being not tied to any one OS or browser.

JG: I’d like to bring in an idea from your book: “Red” and “Green” PCs. Your computer would have two “virtual machines,” which couldn’t easily affect each other. The Green one would be for important data and would only run software you were confident in; the Red one would be easy to reset back to a safe point.

JZ: Well, as I say in the book:

“Someone could confidently store important data on the Green PC and still use the Red PC for experimentation. Knowing which virtual PC to use would be akin to knowing when a sport utility vehicle should be placed into four-wheel drive mode instead of two-wheel drive, a decision that mainstream users could learn to make responsibly and knowledgeably.”

JG: I read that and thought it sounded like a good idea. And it was pretty much the first thing I thought of when Apple announced the Mac App Store. Everything you install manually is like the Red PC; everything you install from the Mac App Store is like the Green PC. You have a safe mode for greater security, and an unsafe mode for greater generativity. Since you’re a fan of the Red/Green hybrid between open and closed, why not the Mac App Store hybrid?

JZ: The Red PC isn’t the same as a sandbox. Software developers in a Red/Green environment still only write one piece of code, and it doesn’t have to be otherwise vetted. The whole point of the red zone is to contain any bad effects of iffy code. The point of a sandbox is to mitigate the risks of iffy code, by limiting its functionality outright. This is a subtle but important point. The Mac App Store with a sandbox requirement means that a competent, legitimate developer who wants to do things beyond the sandbox either has to plead a special case or write two versions of the code: one for the Store and one not for the Store.

JG: Can’t this argument be turned back against the Red/Green model? The competent, legitimate developer who wants to write code that indexes and optimally compresses your Word documents needs to plead a special case to whoever controls the green certification. She doesn’t even have the choice to write both red and green versions of her code.

JZ: My conception of the green model is not that it’s guarded by a third party, but that the user gets to place iffy apps into a place where, if they blow up, stuff in the green zone doesn’t get hurt.

JG: I keep coming back to the fact that participation in the Mac App Store is voluntary. And this isn’t just voluntary in the sense that participation in the iOS App Store is “voluntary” because no one held a gun to your head and forced you to write iPhone games. You have no good alternative to the iOS App Store if you want your app to run on an iPhone, but you can perfectly easily write, sell, and distribute software that users install on Macs in the time-honored fashion: clicking on an installer or dragging an icon into the Applications folder. How can adding the Mac App Store as an additional option be a net loss?

JZ: Well, that’s the question. If sideloading is trivial, I’m in your corner. But one wonders why any developer would take the 30% hit in profits to distribute through the App Store if he or she could put it on a Web site and sell it through sideloading. (And, when did the front become the side?!)

JG: Is this really a case against truly voluntary app stores? Put another way, should we be digging in to prevent Apple from offering the Mac App Store, or should we be digging in to prevent Apple from turning off the ability to install programs manually?

JZ: I see it more as a spectrum than a dichotomy. Compare the Mac App Store with a program that provided an Apple Good Housekeeping seal for good code. They’re functionally the same, but wildly different in practice thanks to the power of the default.

Jonathan Zittrain is a Professor of Law at Harvard Law School and the author of The Future of the Internet: And How to Stop It

James Grimmelmann is an Associate Professor at New York Law School.

Filed Under: Other Topics, Privacy & Security Tagged With: , , , , , ,

Wikipedia Banner Challenge

December 20, 2011 by

As you can tell from the banners appearing all over Wikipedia, their fundraiser is in full swing. Despite Wikipedia’s importance as a global resource, only about one in a thousand Wikipedia readers donate. One way to improve that would be better banners, and that’s why my research group is launching the Wikipedia Banner Challenge, a website to collect and prioritize banner ideas for Wikipedia. You can participate by voting on banners and suggesting new ones. It is quick, easy, and even a little fun.

The Wikipedia Banner Challenge builds on previous innovative efforts by Wikipedia to involve their community in the design of the fundraiser, especially during the 2010 fundraiser. In a continuation of that community-driven spirit, Wikipedia announced on their blog that they will be watching the results from the Wikipedia Banner Challenge closely and will use some of the most promising banners during the fundraiser. In other words, your banner could appear in front of Wikipedia users around the world.

In addition to building on previous efforts by Wikipedia, this project also furthers work by my research group on developing methods that enable communities to collect and prioritize information in a way that is democratic, open, and efficient. So far, our free and open source website, www.allourideas.org, has been used by governments and non-profit organizations around the world. The Wikipedia Banner Challenge provides an interesting test case for our methods, and we are excited to see the results. Wikipedians, if you want better banners for the fundraiser, give us your ideas.

Here are links to more information about:

Filed Under: Uncategorized

Stopping SOPA's Anticircumvention

December 15, 2011 by

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new “anticircumvention” provision (different from the still-problematic anti-circumvention of section 1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures, [1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for “the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others (such as those identified by my ISP colleague Nick), SOPA should be stopped.

Filed Under: Censorship & Filtering Tagged With: , ,

Governor Genro tops President Obama on Citizen Feedback: "The Governer Asks" vs. "Open for Questions"

December 14, 2011 by

Something neat is happening in Porto Alegre, Brazil today. Governor Tarso Genro, of the state of Rio Grande do Sul, is meeting with some of his constituents. Of course, that’s pretty normal; governors meet with constituents all the time. What is neat is how those constituents were selected. They are not the ones with the most money or influence, they are the ones with the best ideas.

These 50 constituents were selected to meet with Governor Genro through a process called Governador Pergunta (The Governor Asks). The process started when citizens suggested 1,300 ideas related to five different aspects of health care (e.g., access to care, family health). Next, the Governor’s office launched a major public outreach campaign to encourage residents to prioritize these ideas through an online voting process. To broaden participation, there were public events and even a “voting van” packed with Internet-connected computers that drove around the state. In just 30 days, Governador Pergunta collected 120,000 votes, and these votes were used to select the top 10 ideas in each of the five categories.

To readers in the US, Governador Pergunta might sound like President Obama’s Open for Questions, and the two did have the same admirable goal: to increase public participation in government. But, there were important differences in their implementation that lead me to conclude that Governor Genro’s Governador Pergunta topped President Obama’s Open for Questions.

The first big difference between the two projects was their voting mechanisms. Here’s what they looked like:

Governador Pergunta

Open for Questions

Open for Questions used single-column, approval voting. Visitors to the site could find the items that they wanted and then vote for them. Governador Pergunta used pairwise comparison, meaning that voters were presented with two options and are asked to choose between them. These mechanism may seem similar, but the Governador Pergunta voting system is better than Open for Questions in important ways. (Disclaimer: Now is probably a good time to mention that I’ve been researching pairwise comparison voting mechanisms for several years, and that Governador Pergunta used open-source software developed by my research group. But, more on that later.)

One reason that the voting mechanism in Governador Pergunta is better is that voters made their decisions independently; they had no information about how others had voted. In Open for Questions, in contrast, voters made their decisions interdependently; items were sorted by popularity and this popularity was shown to voters (see screenshot above). This type of interdependent voting system, unfortunately, can lead to strong and unpredictable fads where some ideas get additional support mainly because they had been supported in the past. As I’ve shown in some earlier web-based experiments, the stronger the interdependence of decision-making, the weaker the relationship between underlying quality and ultimate success. In other words, interdependent voting systems are not good for finding the best ideas.

Further, the pairwise comparison voting mechanism used by Governador Pergunta is more manipulation resistant. Recall that in the approval voting system used in Open for Questions, the voters chose which items to consider. This feature makes it easy for a small group of people to rush to a single idea and push it to the top. This weakness was quickly discovered and exploited by the National Organization for the Reform of Marjuana Laws (NORML). In the midst of a financial crisis and national debate about health reform, many of the highest scoring items in Open for Questions were focused on the legalization of marijuana.

With a pairwise comparison voting mechanism, such as the one used by Governador Pergunta, it would have been much harder (but not impossible) for NORML, or any other group, to skew the results because a voter would have had to cast many, many votes before she would get a chance to vote for the idea she wanted to push to the top. Whatever you think about the fairness of marijuana laws in the US, having a system of public participation that is open to manipulation by a small group is clearly not ideal.

Finally, in addition to using a superior voting system, Governador Pergunta topped Open for Questions in another way: it was open-source. Just as black-box electronic voting machines threaten public confidence in elections, so to do black-box systems for other forms of public participation in democratic governance. Any effort to make government more open and transparent using processes that are not open and not transparent seems destined to fail. The source code for Governador Pergunta and the source code for the Pairwise API, developed by my research group and used by used Governador Pergunta, are both open-source. The Governor’s team and I hope that other public officials will build on our work to develop even better ways of making government more open, transparent, and effective.

Filed Under: Uncategorized

CITP Call for 2012-2013 Visiting Fellows and Postdocs

December 12, 2011 by

The Center for Information Technology Policy is an interdisciplinary research center at Princeton University that studies the intersection of digital technologies and society. Each academic year, CITP issues a call for visiting fellows and postdoctoral researchers. Applications for the 2012-2013 academic year are due by February 1st, 2012.

CITP seeks candidates for Fellows positions from academia, industry, government, and civil society. These are one year appointments — usually from July 1st to June 30th. We are happy to hear from anyone who works at the intersection of digital technology and public life. In addition to our existing strengths in computer science and sociology, we are particularly interested in hearing from faculty members at other universities who have first-hand experience in public service in the technology policy area, engineers, economists, lawyers, civil servants and policy analysts whose research interests are complementary to our existing activities. Please see our current and past fellows to get a sense for the type of people we seek.

For more details, and to apply, visit:
http://citp.princeton.edu/about/join/fellowship-application/

Filed Under: Uncategorized