April 6, 1999

WE CAN SOLVE THE PROBLEMS OF INTERNET POLICY

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Ungainly as it will lie upon my shoulders, I must bear the mantle of a techno-optimist. I believe we can find solutions for many policy problems associated with the Internet. We’re held back only where we haven’t figured out what the problems really are.

For two years I’ve been trying to clarify and weigh these policy problems in weekly American Reporter columns. Conscious of the scrutiny my readers apply to both technical and legal details, I’ve always tried to shore up my statements with respectable research. Meanwhile, I have shoved to the side various oddball notions that come to me when I wonder about the future of the Internet.

This column now has to come to an end. The demands of a job that is more than full-time make it impossible for me to write an article every week, which is the minimum the American Reporter needs from its correspondents to keep up publication. So in this final column, I will divulge some of the unsubstantiated, wispy, late-night reflections on the fate of the Internet that I’ve never seen fit to print.

Let’s look at problems, then. Every programmer knows that you can’t get the computer to act reliably unless you define your problem unambiguously. A precisely-defined problem is one that lends itself to a technical solution. Many problems are not so accommodating; they become the eternal subject of law, policy, and ethics.

The wildly disruptive career of the Melissa virus last week led me to realize that computer security is not always a precisely definable problem. Melissa did not spread itself so much as it was spread by users. Whenever a user saw the name of a familiar colleague and obligingly opened the Word file (or an Excel spreadsheet, in a new version of the virus traversing the corporate world), the virus skimmed a few more names from an email list and went on its way. Microsoft made things easier for the virus in recent versions of its Office suite by opening mail attachments automatically when mail is read.

Technically, Melissa was a short and fairly easy-to-code combination of two older viruses. But as a feat of social engineering it was brilliant. For instance, its designer understood that popular modern mail utilities contain lists of people to whom the user frequently sends email. Thus, the crude technical trick of skimming names from the list could find the most common communications channels between users. And these users were closely enough related to trust each other’s email, but loosely enough related to spread the virus quickly.

Melissa also exploits Microsoft’s hand-waving attitude toward security, hiding behind the routine message “This document may contain macros…” The message is useless because it does not show the content of the macros and is common enough to be routinely ignored.

By contrast, when you open a file using the Emacs editor, you can see the code of a macro and choose whether or not to execute it. Emacs designers assumed their users could understand the code in macros, while Microsoft assumed they couldn’t—a marketing assessment that rolled out the red carpet for viruses.

In short, Melissa breached no technical security, but just used the tools available to users and programmers in ways their designers did not expect. By this definition, most security breaches could be considered failures of policy rather than failures of technology.

But the FBI’s balladists can sing today of poetic justice. Another poor design decision at Microsoft, which leads to the insertion of machine identifiers in Word files, will help to prove the case against the person created the Melissa virus—although it now appears, contrary to some news reports, that the FBI did not actually use the Word identifier to find him originally.

Loss of privacy is for many people the scariest thing about the Internet, and they were not made to feel any more secure by yesterday’s news that Yahoo! and America Online were turning over to Raytheon’s lawyers the names of its employees who criticized the company in chat groups. Here again, there is no technical question, but a legal and contractual one.

Technically, I am an optimist regarding privacy. Not if we leave matters up to individual institutions, because they will rake in as much data on people as they can. But politics allows the public to make social decisions that otherwise would be made, consciously or unconsciously, in board rooms.

What most people would like is a system of identifying signatures that preserves anonymity. Imagine yourself renting a hotel room. The system would work something like this:

  1. An authorization service contracts with the hotel, and with you, to allow you entry into your room.

  2. Through a secure channel (encrypted email, a traditional postal envelope, or whatever) you convey a computerized identifier to the authorization service. This identifier may be unique to this transaction and not related to anything else identifying you on the Internet.

  3. The hotel uses a secure channel to tell the authorization service what hotel room you’re in and how to electronically unlock the room.

  4. When you reach the hotel room, you identify yourself through a card swipe, or even some biometric identification such as a fingerprint.

  5. The door transmits your identifier to the authorization service, which lets you in.

By contract (routinely audited by an independent service) the authorization server maintains no record of your entry and does not notify the hotel or anybody else that you’ve used the service. If the public demands an authorization system like this, we will secure a good deal of protection from faceless data collectors.

Even biometrics need no longer be feared, if an anonymous service is available. Most computer break-ins would never happen if we depended on voice prints or retinal scans instead of passwords. (I told you I’m a techno-optimist—at least today.)

Corporations will claim that anonymity ruins business because they need to “target their customers” with advertising. Perhaps there’s a socio-technical solution for this: the substitution of pull technology for push technology.

Right now most companies assume we’ll never hear about their earth-shattering new products and great discounts unless they tell us. They push their message to us by interrupting our dinners with phone calls, our sitcoms with advertising spots (which by now are outperforming the programs in entertainment quality), and our workdays with email.

What a waste! It’s like spreading pesticide across a whole county to eradicate mosquitoes in a few small ponds.

Many Internet-watchers think that users will get increasingly sophisticated at pulling information toward them, instead of having it pushed. Already there are services that let you search for the best deal on an airplane ticket or new car. Some day, companies may no longer need to scream on the radio that they’re now selling juicers for $19.99, because anyone who wants that kind of juicer will find out through research.

But before pull can completely push out push, we have to confront the problem of truly new ideas that no one researches, because no one knows they exist. Even these may be able to permeate the population without advertising, because people in communities that benefit from innovative products (such as new drugs to fight specific medical conditions) often share information with each other through loose social networks.

So can you imagine newspapers without circulars and roads without billboards? Perhaps the Internet will win us all a breath of fresh air.

Since I require a problem to be precisely defined before it’s amenable to a technical solution, I do not apply the term “solutions” to chicanery like content filters. These will never accomplish what proponents hope them to, and the reason has nothing to do with how far the field of Artificial Intelligence has advanced or how culturally diverse the filtering categories become.

You just can’t say in advance what you don’t want to look at. The problem would be the same if you were talking to a person instead of a computer.

“Mortimer, please don’t admit anyone to the house today that we don’t want to see.”

“And who are the people you don’t want to see, ma’am?”

“Oh, Mortimer, you can tell. Anyone who’s poorly dressed, or is trying to sell us something.”

“But this is the time of year that the Child Protection Society always has their fund drive, and you’ve always said you’re happy to buy magazine subscriptions from those nice ladies.”

“Yes, of course, you can let in the Child Protection Society.”

“And Master Brat’s young friends often dress down when they come to visit.”

“Certainly, you can invite in our friends, but no one else that is poorly dressed.”

“Alderman Pritchett is well-dressed, and not trying to peddle anything, but you always say how terribly boring it is when he comes around with talk about moral rights.”

“Oh, for heaven’s sake, don’t let in Pritchett…”

And so on. It would be even harder to specify what documents, images, or works of art should be excluded from a computer screen.

Let’s turn from the troublesome question of avoiding undesirable content, to the equally thorny one of encouraging people in cyberspace to produce valuable content. Advertising has proven too thin a source of revenue, and outright sponsorship leads to a bias toward the organizations with the funds to be sponsors.

Micropayments are an intriguing idea, but are a risky way to support a significant effort like a novel and entirely inadequate for a major motion picture. Someone who intends to pay his keep through micropayments may have to resort to continuous advertising to bring customers back, and the whole process may degenerate to one of sensationalism and impulse gratification.

If you depend on the “gift economy” you get people who stop short when they’re tired of their latest creative effort. (Many fine projects in free software have stagnated as the first impetus wore off.) If you depend on other extrinsic rewards like academic advancement, you get narrow research efforts that only a few can read.

I can testify first-hand to the difficulties of sustaining online work pay. This column has been fun and gratifying, but starting tomorrow I have to spend more time on my day job.

In other settings, I have contributed efforts as both a writer and an editor to the free software community. But while my first products were of the highest quality I could muster, I inevitably found that I couldn’t find the time to return to my documents when they needed an update.

Like other problems of the Internet, I believe solutions will be found. For instance, an alternative to micropayments may be a subscription service. One Internet veteran with substantial connections in the technical community maintains an “interesting persons” list where he simply posts provocative ideas from recognized experts. While I’m delighted the service is free, other publications serving narrow communities stay alive by requiring a small monthly or yearly payment.

Piracy remains a problem. (And one that my company has suffered from, so I don’t simply dismiss it.) Movie makers and music companies want dearly to get on the Internet, but they won’t do it so long as copying is as simple as pulling down “Save” from a menu.

I believe, in line with the thesis of this article, that these companies have to specify more clearly what bothers them. If it’s mass sales of pirated material they want to combat, they can do so by prosecuting those who advertise pirated material and putting pressure on national governments that turn a blind eye to it.

Do the vendors really benefit from heavy-handed legal or technical measures to squelch all copying, even one friend sending a favorite song to another? How much more do vendors lose by digital copying than they do when friends trade music albums? People get together to watch a videotape together—isn’t that a way of stretching one copy for the pleasure of multiple users?

Before albums and videotapes, people did even more radical things, like going to music halls and congregating in amphitheaters. Returning to the great traditions of the past, half self-expression and half mass ritual, may truly be the salvation of the creative personality.

Perhaps if the Internet drowns us sufficiently in sound and video, people will wake up to the realization that the most meaningful performance experiences happen live. Once again they will attend the local theater company and listen to their neighbors at a cafe. Perhaps once again performers will get their money through the brutally demanding method of going before their audience without the artifice of the studio.

As a final creative gift from my own Muse, I’ll address the worries of those who wish to preserve a “non-commercial Internet.” They see the independent voices being drowned out by Disney and Time/Life, a fear bolstered by the Economist of February 13-19, which reports that TV broadcast empires are buying into Internet companies.

Well, sure, for people who want predictability and glitter (as even I do sometimes) sites put up by tycoons will be attractive. Other people will seek the distinctive taste and the unpolished gem. They are the ones creating the market for individual Web sites and chat groups; there will always be an Internet for them.

It would still worry me if—as Jeff Mallett, the president of Yahoo!, was quoted as saying last week—the Internet is dominated by three companies by the end of this year. But somewhere there will always be a place where I can emit my dyspeptic critiques.

And the next place that’s going to happen is Web Review, http://www.webreview.com/, an online publication started and partly funded by my employer, O’Reilly & Associates. Check out a trial article by me on issues familiar to readers of this column—it will run from April 23 to 29. If it meets Web Review standards, I will write for them monthly.

To get notification by email of my next major literary effort, or just to tell me what you’ve always thought of my American Reporter columns, please write.

I would require a whole sheaf of articles to express my thanks to Joe Shea, publisher and editor of the American Reporter. He showed interest in my passions and offered me a forum two years ago; this column has been one of the highlights of my career. But a weekly column took time I could not afford. If I return to the presses of the American Reporter, it will be on an ad-hoc basis.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles