Zittrain's "The Future of the Internet" — how to save the Internet from the Internet

I've just finished reading Jonathan Zittrain's The Future of the Internet and How to Stop It, a provocative, well-reasoned, well-informed and sometimes frustrating book about the power of the Internet to allow people to be more effective at taking action — whether that action is good or bad.

Zittrain talks about the principle of "generativity" in technology: the capacity of some technology to allow its users to make new things out of it, things the designer never anticipated, and does a very good job of enumerating the characteristics that make a technology more or less generative. Zittrain is more-or-less in favor of generativity: he talks about all the amazing things that the human race has accomplished by using that most generative of technologies: the public Internet and the general-purpose PC.

But Zittrain points out that generativity contains the seeds of its own destruction, because it allows bad people to leverage their malicious intentions — with malware, spyware, DDoS attacks and so on — to the point that an average person using the Internet is at constant risk from creeps and thugs. And what's more, all average people use the Internet because it's been so thoroughly woven into our lives.

Zittrain fears that the power of the Internet to let creeps do bad things will lead to a regulatory backlash and a series of Draconian laws that take away all the social benefits of the Internet, and that this will be enabled by a consumer backlash against general-purpose PCs in favor of "tethered appliances" — TiVos, iPhones, etc. — that grant a measure of security by taking away the user-modifiability that is at the heart of the principle of generativity.

Here's where I started to get a little frustrated. I agree that the legislative backlash is here — it's impossible to miss — but I disagree that it's being driven by identity thieves and spyware vendors. I think it's being driven by the same authoritarian urge that gave rise to all the other spying and control laws that have been passed for centuries. Net-creeps may be the rubric, but that's as far as it goes.

More importantly, I disagree about the security offered by tethered appliances. Zittrain identifies the particular risks of these technologies that spring from governments and commercial partners remotely reprogramming them to attack their users — for example, a court ordered EchoStar to remotely disable its PVRs, Google locked Google Video customers out of their purchases, and the FBI has forced car-vendors to use OnStar to spy on drivers' conversations and location.

But that's only a tiny piece of the risk arising from "tethered appliances." The DRM wars have shown us that motivated attackers can always break code-signing trusted hardware platforms, given enough motivation. Tethered appliances are designed to allow remote parties to enforce policy on them without the knowledge or consent of their owners — they're designed to treat their owners as attackers. So while it's possible to torque a PC into attacking its owner with spyware, it's even more possible with tethered appliances, because once you figure out how to slip inside, the whole device is designed, from the ground up, to stop the user from interfering with the "authorities" who have the keys.

Take CALEA, the law that forces phone-switch manufacturers to build in back-doors that allow cops to snoop on voice-traffic without physically accessing the switch. It's pretty implausible that the "police override" built into phone switches has never leaked outside of the police force. After all, the police leak all kinds of "confidential" information (ask a private eye, off the record, how easy it is to get a cop to look up a license plate number). All it would take is one leak to organized crime and the bad guys would have the same off-site phone-monitoring capability as the folks in blue.

I think that Zittrain takes the security claims of appliance vendors at face value, and that this really undermines the argument. Appliances are neither generative nor secure, and it's likely that appliances will be broken in more interesting ways by more creeps as they increase in value as targets. The backlash against PCs will be quickly met with another backlash against everything else, and no one is going to be able to opt out of the system altogether.

Nevertheless, the principle of generativity is a powerful lens through which we can view proposals for regulating and policing technology. The last third of the book offers "solutions" — more like "directions in which solutions may reside," really — that look to mitigate the harmful effects of generativity without clobbering the good effects.

The book is a cracking read — smart and engaging as Zittrain himself is in person and at the podium — and while I didn't agree with everything in it, it got me thinking about 200 miles a minute, and that's always a good thing.


Update: The whole book's also downloadable under a CC license!