July 22, 2024

Android Open Source Model Has a Short Circuit

[Update: Google subsequently worked out a mechanism that allows Cyanogen and others to distribute their mods separate from the Google Apps.]

Last year, Google entered the mobile phone market with a Linux-based mobile operating system. The company brought together device manufacturers and carriers in the Open Handset Alliance, explaining that, “Together we have developed Android™, the first complete, open, and free mobile platform.” There has been considerable engagement from the open source developer community, as well as significant uptake from consumers. Android may have even been instrumental in motivating competing open platforms like LiMo. In addition to the underlying open source operating system, Google chose to package essential (but proprietary) applications with Android-based handsets. These applications include most of the things that make the handsets useful (including basic functions to sync with the data network). This two-tier system of rights has created a minor controversy.

A group of smart open source developers created a modified version of the Android+Apps package, called Cyanogen. It incorporated many useful and performance-enhancing updates to the Android OS, and included unchanged versions of the proprietary Apps. If Cyanogen hadn’t included the Apps, the package would have been essentially useless, given that Google doesn’t appear to provide a means to install the Apps on a device that has only a basic OS. As Cyanogen gained popularity, Google decided that it could no longer watch the project distribute their copyright-protected works. The lawyers at Google decided that they needed to send a Cease & Desist letter to the Cyanogen developer, which caused him to take the files off of his site and spurred backlash from the developer community.

Android represents a careful balance on the part of Google, in which the company seeks to foster open platforms but maintain control over its proprietary (but free) services. Google has stated as much, in response to the current debate. Android is an exciting alternative to the largely closed-source model that has dominated the mobile market to date. Google closely integrated their Apps with the operating system in a way that makes for a tremendously useful platform, but in doing so hampered the ability of third-party developers to fully contribute to the system. Perhaps the problem is simply that they did not choose the right location to draw the line between open vs. closed source — or free-to-distribute vs. not.

The latter distinction might offer a way out of the conundrum. Google could certainly grant blanket rights to third-parties to redistribute unchanged versions of their Apps. This might compromise their ability to make certain business arrangements with carriers or handset providers in which they package the software for a fee. That may or may not be worth it from their business perspective, but they could have trouble making the claim that Android is a “complete, open, and free mobile platform” if they don’t find a way to make it work for developers.

This all takes place in the context of a larger debate over the extent to which mobile platforms should be open — voluntarily or via regulatory mandate. Google and Apple have been arguing via letters to the FCC about whether or not Apple should allow the Google Voice application in the iPhone App Store. However, it is yet to be determined whether the Commission has the jurisdiction and political will to do anything about the issue. There is a fascinating sideshow in that particular dispute, in which AT&T has made the very novel claim that Google Voice violates network neutrality (well, either that or common carriage — they’ll take whichever argument they can win). Google has replied. This is a topic for another day, but suffice to say the clear regulatory distinctions between telephone networks, broadband, and devices have become muddied.

(Cross-posted to Managing Miracles)

The Markey Net Neutrality Bill: Least Restrictive Network Management?

It’s an exciting time in the net neutrality debate. FCC Chairman Jules Genachowski’s speech on Monday promised a new FCC proceeding that will aim to create a formal rule to replace the Commission’s existing policy statement.

Meanwhile, net neutrality advocates in Congress are pondering new legislation for two reasons: First, there is a debate about whether the FCC currently has enough authority to enforce a net neutrality rule. Second, regardless of whether the Commission has such authority today or doesn’t, some would rather see net neutrality rules etched into statute than leave them to the uncertainties of the rulemaking process under this and future Commissions.

One legislative proposal comes from Rep. Ed Markey and colleagues. Called the Internet Freedom Preservation Act of 2009, its current draft is available on the Free Press web site.

I favor the broad goals that motivate this bill — an Internet that remains friendly to innovation and broadly available. But I personally believe the current draft of this bill would be a mistake, because it embodies a very optimistic view of the FCC’s ability to wield regulatory authority and avoid regulatory capture, not only under the current administration but also over the long-run future. It puts a huge amount of statutory weight behind the vague-till-now idea of “reasonable network management” — something that the FCC’s policy statement (and many participants in the debate) have said ISPs should be permitted to do, but whose meaning remains unsettled. Indeed, Ed raised questions back in 2006 about just how hard it might be to decide what this phrase should mean.

The section of the Markey bill that would be labeled as section 12 (d) in statute says that a network management practice

. . . is a reasonable practice only if it furthers a critically important interest, is narrowly tailored to further that interest, and is the means of furthering that interest that is the least restrictive, least discriminatory, and least constricting of consumer choice available.

This language — particularly the trio of “leasts” — puts the FCC in a position to intervene if, in the Commission’s judgment, any alternative course of action would have been better for consumers than the one an ISP actually took. Normally, to call something “reasonable” means that it is within the broad range of possibilities that might make sense to an imagined “reasonable person.” This bill’s definition of “reasonable” is very different, since on its terms there is no scope for discretion within reasonableness — the single best option is the only one deemed reasonable by the statute.

The bill’s language may sound familiar — it is a modified form of the judicial “strict scrutiny” standard the courts use to review government action when the state uses a suspect classification (such as race) or burdens a fundamental right (such as free speech in certain contexts). In those cases, the question is whether or not a “compelling governmental interest” justifies the policy under review. Here, however, it’s not totally clear whose interest, in what, must be compelling in order for a given network management practice to count as reasonable. We are discussing the actions of ISPs, who are generally public companies– do their interests in profit maximization count as compelling? Shareholders certainly think so. What about their interests in R&D? Or, does the statute mean to single out the public’s interest in the general goods outlined in section 12 (a), such as “protect[ing] the open and interconnected nature of broadband networks” ?

I fear the bill would spur a food fight among ISPs, each of whom could complain about what the others were doing. Such a battle would raise the probability that those ISPs with the most effective lobbying shops will prevail over those with the most attractive offerings for consumers, if and when the two diverge.

Why use the phrase “reasonable network management” to describe this exacting standard? I think the most likely answer is simply that many participants in the net neutrality debate use the phrase as a shorthand term for whatever should be allowed — so that “reasonable” turns out to mean “permitted.”

There is also an interesting secondary conversation to be had here about whether it’s smart to bar in statue, as the Markey bill would, “. . .any offering that. . . prioritizes traffic over that of other such providers,” which could be read to bar evenhanded offers of prioritized packet routing to any customer who wants to pay a premium, something many net neutrality advocates (including, e.g. Prof. Lessig) have said they think is fine.

My bottom line is that we ought to speak clearly. It might or might not make sense to let the FCC intervene whenever it finds ISPs’ network management to be less than perfect (I think it would not, but recognize the question is debatable). But whatever its merits, a standard like that — removing ISP discretion — deserves a name of its own. Perhaps “least restrictive network management” ?

Cross-posted at the Yale ISP Blog.

On China's new, mandatory censorship software

The New York Times reports that China will start requiring censorship software on PCs. One interesting quote stands out:

Zhang Chenming, general manager of Jinhui Computer System Engineering, a company that helped create Green Dam, said worries that the software could be used to censor a broad range of content or monitor Internet use were overblown. He insisted that the software, which neutralizes programs designed to override China’s so-called Great Firewall, could simply be deleted or temporarily turned off by the user. “A parent can still use this computer to go to porn,” he said.

In this post, I’d like to consider the different capabilities that software like this could give to the Chinese authorities, without getting too much into their motives.

Firstly, and most obviously, this software allows the authorities to do filtering of web sites and network services that originate inside or outside of the Great Firewall. By operating directly on a client machine, this filter can be aware of the operations of Tor, VPNs, and other firewall-evading software, allowing connections to a given target machine to be blocked, regardless of how the client tries to get there. (You can’t accomplish “surgical” Tor and VPN filtering if you’re only operating inside the network. You need to be on the end host to see where the connection is ultimately going.)

Software like this can do far more, since it can presumably be updated remotely to support any feature desired by the government authorities. This could be the ultimate “Big Brother Inside” feature. Not only can the authorities observe behavior or scan files within one given computer, but every computer now because a launching point for investigating other machines reachable over a local area network. If one such machine were connected, for example, to a private home network, behind a security firewall, the government software could still scan every other computer on the same private network, log every packet, and so forth. Would you be willing to give your friends the password to log into your private wireless network, knowing their machine might be running this software?

Perhaps less ominously, software like this could also be used to force users to install security patches, to uninstall zombie/botnet systems, and perform other sorts of remote systems administration. I can’t imagine the difficulty in trying to run the Central Government Bureau of National Systems Administration (would they have a phone number you could call to complain when your computer isn’t working, and could they fix it remotely?), but the technological base is now there.

Of course, anybody who owns their own computer will be able to circumvent this software. If you control your machine, you can control what’s running on it. Maybe you can pretend to be running the software, maybe not. That would turn into a technological arms race which the authorities would ultimately fail to win, though they might succeed in creating enough fear, uncertainty, and doubt to deter would-be circumventors.

This software will also have a notable impact in Internet cafes, schools, and other sorts of “public” computing resources, which are exactly the sorts of places that people might go when they want to hide their identity, and where the authorities could have physical audits to check for compliance.

Big Brother is watching.

Chinese Internet Censorship: See It For Yourself

You probably know already that the Chinese government censors Internet traffic. But you might not have known that you can experience this censorship yourself. Here’s how:

(1) Open up another browser window or tab, so you can browse without losing this page.

(2) In the other window, browse to baidu.com. This is a search engine located in China.

(3) Search for an innocuous term such as “freedom to tinker”. You’ll see a list of search results, sent back by Baidu’s servers in China.

(4) Now return to the main page of baidu.com, and search for “Falun Gong”. [Falun Gong is a dissident religious group that is banned in China.]

(5) At this point your browser will report an error — it might say that the connection was interrupted or that the page could not be loaded. What really happened is that the Great Firewall of China saw your Internet packets, containing the forbidden term “Falun Gong”, and responded by disrupting your connection to Baidu.

(6) Now try to go back to the Baidu home page. You’ll find that this connection is disrupted too. Just a minute ago, you could visit the Baidu page with no trouble, but now you’re blocked. The Great Firewall is now cutting you off from Baidu, because you searched for Falun Gong.

(7) After a few minutes, you’ll be allowed to connect to Baidu again, and you can do more experiments.

(Reportedly, users in China see different behavior. When they search for “Falun Gong” on Baidu, the connection isn’t blocked. Instead, they see “sanitized” search results, containing only pages that criticize Falun Gong.)

If you do try more experiments, feel free to report your results in the comments.

A "Social Networking Safety Act"

At the behest of the state Attorney General, legislation to make MySpace and Facebook safer for children is gaining momentum in the New Jersey State Legislature.

The proposed Social Networking Safety Act, heavily marked-up with floor amendments, is available here. An accompanying statement describes the Legislative purpose. Explanations of the floor amendments are available here.

This bill would deputize MySpace and Facebook to serve as a branch of law enforcement. It does so in a very subtle way.

On the surface, it appears to be a perfectly reasonable response to concerns about cyberbullies in general and to the Lori Drew case in particular. New Jersey was the first state in the nation to pass Megan’s Law, requiring information about registered sex offenders to be made available to the public, and state officials hope to play a similar, pioneering role in the fight against cyberbullying.

The proposed legislation creates a civil right of action for customers who are offended by what they read on MySpace or Facebook. It allows the social network provider to sue customers who post “sexually offensive” or “harassing” communications. Here’s the statutory language:

No person shall transmit a sexually offensive communication through a social networking website to a person located in New Jersey who the actor knows or should know is less than 13 years of age, or is at least 13 but less than 16 years old and at least four years younger than the actor. A person who transmits a sexually offensive communication in violation of this subsection shall be liable to the social networking website operator in a civil action for damages of $1,000, plus reasonable attorney’s fees, for each violation. A person who transmits a sexually offensive communication in violation of this subsection shall also be liable to the recipient of the communication in a civil action for damages in the amount of $5,000, plus reasonable attorney’s fees, or actual damages…

The bill requires social network providers to design their user interfaces with icons that will allow customers to report “sexually offensive” or “harassing” communications:

A social networking website operator shall not be deemed to be in violation … if the operator maintains a reporting mechanism available to the user that meets the following requirements: (1) the social networking website displays, in a conspicuous location, a readily identifiable icon or link that enables a user or third party to report to the social networking website operator a sexually offensive communication or harassing communication transmitted through the social networking website.

Moreover, the social network provider must investigate complaints, call the police when “appropriate” and banish offenders:

A social networking website operator shall not be deemed to be in violation … if … (2) the operator conducts a review, in the most expedient time possible without unreasonable delay, of any report by a user or visitor, including investigation and referral to law enforcement if appropriate, and provides users and visitors with the opportunity to determine the status of the operator’s review or investigation of any such report.

Finally, if the social network provider fails to take action, it can be sued for consumer fraud:

[I]t shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) [the state Consumer Fraud Act] for a social networking website operator to fail to revoke, in the most expedient time possible without unreasonable delay, the website access of any user or visitor upon receipt of information that provides a reasonable basis to conclude that the visitor has violated [this statute]”

So what’s the problem? It’s not a criminal statute, and we do want to shut down sex offenders and cyberbullies. How could anyone object to this proposed measure?

First, the proposed law puts a special burden on one specific type of technology. It’s as if the newfangledness of social networking—and its allure for kids—have made it a special target for our fears about sex offenders and cyberbullies. No similar requirements are being placed on e-mail providers, wikis, blogs or the phone company.

Second, it deputizes private companies to do the job of law enforcement. Social network providers will have to evaluate complaints and decide when to call the police.

Third, it’s the thin edge of the wedge. If social network providers have to investigate and report criminal activity, they will be enlisted to do more. Today, sex offenders and cyberbullies. Tomorrow, drug deals, terrorist threats and pornography.

Fourth, this raises First Amendment concerns. Social network providers, if they are called upon to monitor and punish “offensive” and “harassing” speech, effectively become an arm of law enforcement. To avoid the risk of lawsuits under the Consumer Fraud Act, they will have an incentive to ban speech that is protected under the First Amendment.

Fifth, the definitions of “offensive” and “harassing” are vague. The bill invokes the “reasonable person” standard, which is okay for garden-variety negligence cases, but not for constitutional issues like freedom of speech. It’s not clear just what kinds of communication will expose customers to investigation or liability.

If the bill is enacted, MySpace and Facebook could mount a legal challenge in federal court. They could argue that Congress intended to occupy the field of internet communication, and thus pre-empt state law, when it adopted the Communications Decency Act (CDA), 47 U.S.C. § 230(c)(1).

The bill probably violates the Dormant Commerce Clause as well. It would affect interstate commerce by differentially regulating social networking websites. Social networking services outside New Jersey can simply ignore the requirements of state law. Federal courts have consistently struck down these sorts of laws, even when they are designed to protect children.

In my opinion, the proposed legislation projects our worst fears about stalkers and sex predators onto a particular technology—social networking. There are already laws that address harassment and obscenity, and internet service providers are already obliged to cooperate with law enforcement.

Studies suggest that for kids online, education is better than restriction. This is the conclusion of the Internet Safety Technical Task Force of State Attorneys General of the United States, Enhancing Child Safety and Online Technologies. According to another study funded by the MacArthur Foundation, social networking provides benefits, including opportunities for self-directed learning and independence.