There is a phrase from the days when television was central: “Not ready for prime time.” Prime time refers to the precious time between dinner and bedtime when families would gather around the TV set looking to be informed or entertained. Viewership would be at its apex, both in numbers and in quality of viewers, defined as how much money they had and how ready they were to spend it on the things advertised during commercial breaks. During prime time, the average viewer was, comparatively speaking, a rich drunken sailor. Prime time programming saw the most expensive and elaborate shows, made with the highest production values.

Shows on channels other than those part of networks with big audiences, or at times of the day when most people were not watching TV, had less investment and lower production values. Their actors or presenters were not A-list. Flaws in the shows would prove them not ready for prime time—now a metaphor to mean anything that has not been buffed and polished to a fine, predictable shine. “Not ready” has the virtue of suggesting that someday a B-list program could be ready, vaulting from the backwaters to the center stage. And prime time concedes that there are other times beside it: there are backwaters that are accessible to masses of people so long as they are willing to surf to an unfamiliar channel or stay up a little later than usual.

To be sure, while the barriers to getting a show on an obscure network were less than those to landing a show on a major one, they were still high. And with only a handful of networks that people watched in prime time, the definitions of what was worthy of prime time ended up a devastatingly rough aggregation of preferences. There was not much room for programs finely honed to niche markets. TV’s metaphor is powerful in the Internet space. As we have seen, the generative Internet allows experimentation from all corners, and it used to be all backwater and no prime time.

Now that the generative PC is so ubiquitous and its functions so central to both leisure and commerce, much of what it offers happens in prime time: a set of core applications and services that people are anxious to maintain. Links between backwater and prime time are legion; today’s obscure but useful backwater application can find itself wildly popular and relied upon overnight. No intervention is needed from network executives running some prime time portion of the Internet, and realizing that there is something good going on among the farm teams that deserves promotion to the major league. The Net was built without programming executives, and its users have wide latitude to decide for themselves where they would like to go that day.

The first major challenge in preserving the generative Net, then, is to reconcile its role as a boisterous laboratory with its role as a purveyor of prime time, ensuring that inventions can continue to move easily from one to the other. Today our prime time applications and data share space with new, probationary ones, and they do not always sit well together. There are some technical inspirations we can take from successes like Wikipedia that, with enough alert users, can help.

THE RED AND THE GREEN

Wikis are designed so that anyone can edit them. This entails a risk that people will make bad edits, through either incompetence or malice. The damage that can be done, however, is minimized by the wiki technology, because it allows bad changes to be quickly reverted. All previous versions of a page are kept, and a few clicks by another user can restore a page to the way it was before later changes were made. Our PCs can be similarly equipped. For years Windows XP (and now Vista) has had a system restore feature, where snapshots are taken of the machine at a moment in time, allowing later bad changes to be rolled back. The process of restoring is tedious, restoration choices can be frustratingly all-or-nothing, and the system restore files themselves can become corrupted, but it represents progress. Even better would be the introduction of features that are commonplace on wikis: a quick chart of the history of each document, with an ability to see date-stamped sets of changes going back to its creation. Because our standard PC applications assume a safer environment than really exists, these features have never been demanded or implemented. Because wikis are deployed in environments prone to vandalism, their contents are designed to be easily recovered after a problem.

The next stage of this technology lies in new virtual machines, which would obviate the need for cyber cafés and corporate IT departments to lock down their PCs. Without virtual machine technology, many corporate IT departments relegate most employees to the status of guests on their own PCs, unable to install any new software, lest it turn out to be bad. Such lockdown reduces the number of calls to the helpdesk, as well as the risk that a user might corrupt or compromise a firm’s data. (Perhaps more precisely, calls for help become calls for permission.) Similarly, cyber cafés and libraries want to prevent one user’s ill-advised actions from cascading to future users. But lockdown eliminates the good aspects of the generative environment.

In an effort to satisfy the desire for safety without full lockdown, PCs could be designed to pretend to be more than one machine, capable of cycling from one split personality to the next. In its simplest implementation, we could divide a PC into two virtual machines: “Red” and “Green.”1 The Green PC would house reliable software and important data—a stable, mature OS platform and tax returns, term papers, and business documents. The Red PC would have everything else. In this setup, nothing that happens on one PC could easily affect the other, and the Red PC could have a simple reset button that sends it back to a predetermined safe state. Someone could confidently store important data on the Green PC and still use the Red PC for experimentation. Knowing which virtual PC to use would be akin to knowing when a sport utility vehicle should be placed into four-wheel drive mode instead of two-wheel drive, a decision that mainstream users could learn to make responsibly and knowledgeably.

A technology that splits the difference between lockdown and openness means that intermediaries could afford to give their end users more flexibility—which is to say, more opportunity to run others’ code. Indeed, the miniaturization of storage means that users could bring their own system on a keychain (or download it from a remote site) to plug into a library or café’s processing unit, screen, and network connection—a rediscovery of the hobbyist PC and its own modularization that made it better and cheaper than its appliancized counterparts.

There could be a spectrum of virtual PCs on one unit, one for each member of the family. Already, most consumer operating systems enable separate login names with customized desktop wallpaper and e-mail accounts for each user.2 If the divide were developed further, a parent could confidently give her twelve-year-old access to the machine under her own account and know that nothing that the child could do—short of hurling the machine out the window—would hurt the data found within the other virtual PCs.3 (To be sure, this does not solve problems at the social layer—of what activities children may undertake to their detriment once online.)

Easy reversion, coupled with virtual PCs, seeks to balance the experimentalist spirit of the early Internet with the fact that there are now important uses for those PCs that we do not want to disrupt. Still, this is not a complete solution. The Red PC, despite its experimental purpose, might end up accumulating data that the user wants to keep, occasioning the need for what Internet architect David Clark calls a “checkpoint Charlie” to move sensitive data from Red to Green without also carrying a virus or anything else undesirable that could hurt the Green PC.4 There is also the question of what software can be deemed safe for Green—which is just another version of the question of what software to run on today’s single-identity PCs. If users could competently decide what should go on Red and what on Green, then they could competently decide what to run on today’s simpler machines, partially obviating the need for the virtual PC solution in the first place.

Worse, an infected Red PC still might be capable of hurting other PCs across the network, by sending spam or viruses, or by becoming a zombie PC controlled from afar for any number of other bad purposes. Virtualization technology eases some of the sting to users of an experimental platform whose experiments sometimes go awry, but it does not do much to reduce the burdens—negative externalities—that such failures can place on everyone else.

Most fundamentally, many of the benefits of generativity come precisely thanks to an absence of walls. We want our e-mail programs to have access to any document on our hard drive, so that we can attach it to an e-mail and send it to a friend. We want to edit music downloaded from a Web site with an audio mixing program and then incorporate it into a presentation. We want to export data from one desktop calendar application to a new one that we might like better. The list goes on, and each of these operations requires the ability to cross the boundaries from one application to another, or one virtual PC to another. For similar reasons, we may be hesitant to adopt complex access control and privilege lists to designate what software can and cannot do.5

It is not easy to anticipate what combinations of applications and data we will want in one place, and the benefits of using virtual machines will not always outweigh the confusion and limitations of having them. It is worth trying them out to buy us some more time—but they will not be panaceas. A guiding principle emerges from the Net’s history at the technical layer and Wikipedia’s history at the content layer: an experimentalist spirit is best maintained when failures can be contained as learning experiences rather than catastrophes.

BETTER INFORMED EXPERIMENTS

The Internet’s original design relied on few mechanisms of central control. This lack of control has the added generative benefit of allowing new services to be introduced, and new destinations to come online, without any up-front vetting or blocking, by either private incumbents or public authorities.

With this absence of central control comes an absence of measurement. CompuServe or Prodigy could have reported exactly how many members they had at any moment, because they were centralized. Wikipedia can report the number of registered editors it has, because it is a centralized service run at wikipedia.org. But the Internet itself cannot say how many users it has, because it does not maintain user information. There is no “it” to query. Counting the number of IP addresses delegated is of little help, because many addresses are allocated but not used, while other addresses are shared. For example, QTel is the only ISP in Qatar, and it routes all users’ traffic through a handful of IP addresses. Not only does this make it difficult to know the number of users hailing from Qatar, but it also means that when a site like Wikipedia has banned access from the IP address of a single misbehaving user from Qatar, it inadvertently has banned nearly every other Internet user in Qatar.6

Such absence of measurement extends to a lack of awareness at the network level of how much bandwidth is being used by whom. This has been beneficial for the adoption of new material on the Web by keeping the Internet in an “all you can eat” mode of data transmission, which happens when large ISPs peering with one another decide to simply swap data rather than trying to figure out how to charge one another per unit of information exchanged. This absence of measurement is good from a generative point of view because it allows initially whimsical but data-intensive uses of the network to thrive—and perhaps to turn out to be vital. For example, the first online webcams were set up within office cubicles and were about as interesting as watching paint dry. But people could tinker with them because they (and their employers, who might be paying for the network connection) did not have to be mindful of their data consumption. From an economic point of view this might appear wasteful, since non-value-producing but high-bandwidth activities—goldfish bowl cams—will not be constrained. But the economic point of view is at its strongest when there is scarcity, and from nearly the beginning of the Internet’s history there has been an abundance of bandwidth on the network backbones. It is the final link to a particular PC or cluster of PCs—still usually a jury-rigged link on twisted copper wires or coaxial cable originally intended for other purposes like telephone and cable television—that can become congested. And in places where ISPs enjoy little competition, they can further choose to segment their services with monthly caps—a particular price plan might allow only two gigabytes of data transfer per month, with users then compelled to carefully monitor their Internet usage, avoiding the fanciful surfing that could later prove central. In either case, the owner of the PC can choose what to do with that last slice of bandwidth, realizing that watching full screen video might, say, slow down a file transfer in the background. (To be sure, on many broadband networks this final link is shared among several unrelated subscribers, causing miniature tragedies of the commons as a file-sharing neighbor slows down the Internet performance for someone nearby trying to watch on-demand video.)

The ability to tinker and experiment without watching a meter provides an important impetus to innovate; yesterday’s playful webcams on aquariums and cubicles have given rise to Internet-facilitated warehouse monitoring, citizen-journalist reporting from remote locations, and, as explained later in this book, even controversial experiments in a distributed neighborhood watch system where anyone can watch video streamed from a national border and report people who look like they are trying to cross it illegally.7

However, an absence of measurement is starting to have generative drawbacks. Because we cannot easily measure the network and the character of the activity on it, we are left incapable of easily assessing and dealing with threats from bad code without laborious and imperfect cooperation among a limited group of security software vendors. It is like a community in which only highly specialized private mercenaries can identify crimes in progress and the people who commit them, with the nearby public at large ignorant of the transgressions until they themselves are targeted.

Creating a system where the public can help requires work from technologists who have more than a set of paying customers in mind. It is a call to the academic environment that gave birth to the Net, and to the public authorities who funded it as an investment first in knowledge and later in general infrastructure. Experiments need measurement, and the future of the generative Net depends on a wider circle of users able to grasp the basics of what is going on within their machines and between their machines and the network.

What might this system look like? Roughly, it would take the form of toolkits to overcome the digital solipsism that each of our PCs experiences when it attaches to the Internet at large, unaware of the size and dimension of the network to which it connects. These toolkits would have the same building blocks as spyware, but with the opposite ethos: they would run unobtrusively on the PCs of participating users, reporting back—to a central source, or perhaps only to each other—information about the vital signs and running code of that PC that could help other PCs figure out the level of risk posed by new code. Unlike spyware, the code’s purpose would be to use other PCs’ anonymized experiences to empower the PC’s user. At the moment someone is deciding whether to run some new software, the toolkit’s connections to other machines could say how many other machines on the Internet were running the code, what proportion of machines of self-described experts were running it, whether those experts had vouched for it, and how long the code had been in the wild. It could also signal the amount of unattended network traffic, pop-up ads, or crashes the code appeared to generate. This sort of data could become part of a simple dashboard that lets the users of PCs make quick judgments about the nature and quality of the code they are about to run in light of their own risk preferences, just as motor vehicle drivers use their dashboards to view displays of their vehicle’s speed and health and to tune their radios to get traffic updates.
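To make the dashboard idea concrete, here is an added sketch (not from the book and not Herdict's code) that folds anonymized per-machine reports into the vital signs listed above and checks them against one user's risk preferences. The `Report` fields, the preference keys, and every sample value are constructed assumptions; a machine that reports twice counts once, so a single PC cannot inflate the herd's numbers.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Report:
    machine: str        # opaque token for a participating PC, not an identity
    code_id: str        # label or digest of the program being reported on
    first_seen: date    # when this machine first ran the code
    expert: bool        # owner describes themselves as an expert
    vouched: bool       # owner vouches for the code
    crashes: int
    unattended_kb: int  # traffic sent while nobody was using the PC
    popups: int

def summarize(reports, code_id, today):
    """Aggregate the herd's experience with one piece of code."""
    herd = {r.machine for r in reports}
    experts = {r.machine for r in reports if r.expert}
    latest = {}
    for r in reports:
        if r.code_id == code_id:
            latest[r.machine] = r          # one voice per machine, last report wins
    rows = list(latest.values())
    n = len(rows)

    def per_machine(field):
        return sum(getattr(r, field) for r in rows) / n if n else 0.0

    experts_running = sum(1 for r in rows if r.expert)
    return {
        "machines_running": n,
        "herd_share": n / len(herd) if herd else 0.0,
        "expert_share": experts_running / len(experts) if experts else 0.0,
        "expert_vouches": sum(1 for r in rows if r.expert and r.vouched),
        "days_in_wild": (today - min(r.first_seen for r in rows)).days if rows else None,
        "crashes_per_machine": per_machine("crashes"),
        "unattended_kb_per_machine": per_machine("unattended_kb"),
        "popups_per_machine": per_machine("popups"),
    }

def warnings(summary, prefs):
    """Compare the vital signs with the user's own risk preferences."""
    if summary["machines_running"] == 0:
        return ["no reports from the herd"]
    out = []
    if summary["machines_running"] < prefs["min_machines"]:
        out.append("few machines run this code")
    if summary["days_in_wild"] < prefs["min_days_in_wild"]:
        out.append("code is very new")
    if summary["crashes_per_machine"] > prefs["max_crashes_per_machine"]:
        out.append("crashes more than you tolerate")
    if summary["unattended_kb_per_machine"] > prefs["max_unattended_kb"]:
        out.append("sends traffic while unattended")
    return out

# Constructed sample data: six participating PCs, two self-described experts.
TODAY = date(2007, 6, 1)
SAMPLE = [
    Report("m1", "editor-aaa", date(2007, 1, 10), True, True, 0, 0, 0),
    Report("m2", "editor-aaa", date(2007, 2, 1), True, False, 1, 0, 0),
    Report("m3", "editor-aaa", date(2007, 3, 5), False, False, 0, 0, 0),
    Report("m4", "editor-aaa", date(2007, 3, 20), False, False, 1, 0, 0),
    Report("m5", "toolbar-bbb", date(2007, 5, 28), False, False, 3, 900, 12),
    Report("m6", "toolbar-bbb", date(2007, 5, 30), False, False, 1, 700, 8),
    Report("m6", "toolbar-bbb", date(2007, 5, 30), False, False, 2, 800, 10),  # repeat
]
PREFS = {"min_machines": 3, "min_days_in_wild": 30,
         "max_crashes_per_machine": 1.0, "max_unattended_kb": 100}

if __name__ == "__main__":
    for code in ("editor-aaa", "toolbar-bbb", "unknown-ccc"):
        s = summarize(SAMPLE, code, TODAY)
        print(code, s, warnings(s, PREFS) or "no warnings")
```

The same summary can yield different advice for different users, because the thresholds in `PREFS` belong to the person deciding and not to the herd.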

Harvard University’s Berkman Center and the Oxford Internet Institute—multidisciplinary academic enterprises dedicated to charting the future of the Net and improving it—have begun a project called StopBadware, designed to assist rank-and-file Internet users in identifying and avoiding bad code.8 The idea is not to replicate the work of security vendors like Symantec and McAfee, which seek to bail new viruses out of our PCs faster than they pour in. Rather, it is to provide a common technical and institutional framework for users to devote some bandwidth and processing power for better measurement: to let us know what new code is having what effect amid the many machines taking it up. Not every PC owner is an expert, but each PC is a precious guinea pig—one that currently is experimented upon with no record of what works and what does not, or with the records hoarded by a single vendor. The first step in the toolkit is now available freely for download: “Herdict.” Herdict is a small piece of software that assembles the vital signs described above, and places them in a dashboard usable by mainstream PC owners. These efforts will test the hypothesis that solutions to generative problems at the social layer might be applicable to the technical layer—where help is desperately needed. Herdict is an experiment to test the durability of experiments.9 And it is not alone. For example, Internet researchers Jean Camp and Allan Friedman have developed the “good neighbors” system to allow people to volunteer their PCs to detect and patch vulnerabilities among their designated friends’ PCs.10

The value of aggregating data from individual sources is well known. Yochai Benkler approvingly cites Google Pagerank algorithms over search engines whose results are auctioned, because Google draws on the individual linking decisions of millions of Web sites to calculate how to rank its search results.11 If more people are linking to a Web site criticizing Barbie dolls than to one selling them, the critical site will, all else equal, appear higher in the rankings when a user searches for “Barbie.” This concept is in its infancy at the application layer on the PC. When software crashes on many PC platforms, a box appears asking the user whether to send an error report to the operating system maker. If the user assents, and enough other users reported a similar problem, sometimes a solution to the problem is reported back from the vendor. But these implementations are only halfway there from a generative standpoint. The big institutions doing the gathering—Google because it has the machines to scrape the entire Web; Microsoft and Apple because they can embed error reporting in their OSes—make use of the data (if not the wisdom) of the crowds, but the data is not further shared, and others are therefore unable to make their own interpretations of it or build their own tools with it. It is analogous to Encarta partially adopting the spirit of Wikipedia, soliciting suggestions from readers for changes to its articles, but not giving any sense of where those suggestions go, how they are used, or how many other suggestions have been received, what they say, or why they say it.

A full adoption of the lessons of Wikipedia would be to give PC users the opportunity to have some ownership, some shared stake, in the process of evaluating code, especially because they have a stake in getting it right for their own machines. Sharing useful data from their PCs is one step, but this may work best when the data is going to an entity committed to the public interest of solving PC security problems, and willing to share that data with others who want to take a stab at solving them. The notion of a civic institution here does not necessarily mean cumbersome governance structures and formal lines of authority so much as it means a sense of shared responsibility and participation.12 It is the opposite of the client service model in which one calls a helpline and for a fee expects to be helped—and those who do not pay receive no help. Instead, it is the volunteer fire department or neighborhood watch where, while not everyone is able to fight fires or is interested in watching, a critical mass of people are prepared to contribute, and such contributions are known to the community more broadly.13 A necessary if not sufficient condition to fighting the propagation of bad code as a social problem is to allow people to enter into a social configuration in order to attack it.

These sorts of solutions are not as easily tried for tethered appliances, where people make a decision only about whether to acquire them, and the devices are otherwise controlled from afar. Of course, they may not be as necessary, since the appliances are not, by definition, as vulnerable to exploits performed by unapproved code. But tethered appliances raise the concern of perfect enforcement described earlier in this book: they can too readily, almost casually, be used to monitor and control the behavior of their users. When tools drawing on group generativity are deployed, the opposite is true. Their success is dependent on participation, and this helps establish the legitimacy of the project both to those participating and those not. It also means that the generative uses to which the tools are put may affect the number of people willing to assist. If it turned out that the data generated and shared from a PC vital signs tool went to help design viruses, word of this could induce people to abandon their commitment to help. Powerful norms that focus collaborators toward rather than against a commitment to the community are necessary. This is an emerging form of netizenship, where tools that embed particular norms grow more powerful with the public’s belief in the norms’ legitimacy.

It is easy for Internet users to see themselves only as consumers whose participation is limited to purchasing decisions that together add up to a market force pushing one way or another. But with the right tools, users can also see themselves as participants in the shaping of generative space—as netizens. This is a crucial reconception of what it means to go online. The currency of cyberspace is, after all, ideas, and we shortchange ourselves if we think of ideas to be, in the words of Electronic Frontier Foundation co-founder John Perry Barlow, merely “another industrial product, no more noble than pig iron,”14 broadcast to us for our consumption but not capable of also being shaped by us. If we insist on treating the Net as an invisible conduit, capable of greater or lesser bandwidth but otherwise meant to be invisible, we naturally turn to service providers with demands to keep it working, even when the problems arising are social in nature.

RECRUITING HELP AT THE BARRICADES: THE GENERATIVITY PRINCIPLE AND THE LIMITS OF END-TO-END NEUTRALITY

Some commentators believe that software authors and operating system makers have it easy.15 They produce buggy code open to viruses and malware, but they are not held accountable the way that a carmaker would be for a car whose wheels fell off, or a toaster maker would be if its toasters set bread on fire.16 Why should there be a difference? The security threats described in this book might be thought so pervasive and harmful that even if they do not physically hurt anyone, software makers ought to pay for the harm their bugs cause.

This is already somewhat true of information appliances. If a TiVo unit did not operate as promised—suppose it simply crashed and failed to record any television programs—the law of warranty would quickly come into play. If the TiVo unit were new enough, the company would make good on a repair or replacement.17 Yet this simple exchange rarely takes place after the purchase of a standard generative PC. Suppose a new PC stops functioning: after a week of using it to surf the Internet and send e-mail, the consumer turns it on and sees only a blue error screen.18 Unless smoke pours out of the PC to indicate a genuine hardware problem, the hardware manufacturer is likely to diagnose the problem as software-related. The operating system maker is not likely to be helpful. Because the user no doubt installed software after purchasing the machine, pinpointing the problem is not easy. In particularly difficult cases, the OS maker will simply suggest a laborious and complete reinstallation of the OS, wiping clean all the changes that the consumer has made. Finally, appealing to individual software makers results in the same problem: a software maker will blame the OS maker or a producer of other software found on the machine.

So why not place legal blame on each product maker and let them sort it out? If the consumer is not skilled enough to solve PC security problems or wealthy enough to pay for someone else to figure it out, a shifting of legal responsibility to others could cause them to create and maintain more secure software and hardware. Unfortunately, such liability would serve only to propel PC lockdown, reducing generativity. The more complex that software is, the more difficult it is to secure it, and allowing third parties to build upon it increases the complexity of the overall system even if the foundation is a simple one. If operating system makers were liable for downstream accidents, they would start screening who can run what on their platforms, resulting in exactly the non-generative state of affairs we want to avoid. Maintainers of technology platforms like traditional OS makers and Web services providers should be encouraged to keep their platforms open and generative, rather than closed to eliminate outside sources of malware or to facilitate regulatory control, just as platforms for content built on open technologies are wisely not asked to take responsibility for everything that third parties might put there.19

Hardware and OS makers are right that the mishmash of software found on even a two-week-old Internet-exposed PC precludes easily identifying the source of many problems. However, the less generative the platform already is, the less there is to lose by imposing legal responsibility on the technology provider to guarantee a functioning system. To the extent that PC OSes do control what programs can run on them, the law should hold OS developers responsible for problems that arise, just as TiVo and mobile phone manufacturers take responsibility for issues that arise with their controlled technologies.

If the OS remains open to new applications created by third parties, the maker’s responsibility should be duly lessened. It might be limited to providing basic tools of transparency that empower users to understand exactly what their machines are doing. These need not be as sophisticated as Herdict aims to be. Rather, they could be such basic instrumentation as what sort of data is going in and out of the box and to whom. A machine turned into a zombie will be communicating with unexpected sources that a free machine will not, and insisting on better information to users could be as important as providing a speedometer on an automobile—even if users do not think they need one.

Such a regime permits technology vendors to produce closed platforms but encourages them to produce generative platforms by scaling liabilities accordingly. Generative platform makers would then be asked only to take certain basic steps to make their products less autistic: more aware of their digital surroundings and able to report what they see to their users. This tracks the intuition behind secondary theories of liability: technology makers may shape their technologies largely as they please, but the configurations they choose then inform their duties and liabilities.20

Apart from hardware and software makers, there is another set of technology providers that reasonably could be asked or required to help: Internet Service Providers. So far, like PC, OS, and software makers, ISPs have been on the sidelines regarding network security. The justification for this—apart from the mere explanation that ISPs are predictably and rationally lazy—is that the Internet was rightly designed to be a dumb network, with most of its features and complications pushed to the endpoints. The Internet’s engineers embraced the simplicity of the end-to-end principle (and its companion, the procrastination principle) for good reasons. It makes the network more flexible, and it puts designers in a mindset of making the system work rather than anticipating every possible thing that could go wrong and trying to design around or for those things from the outset.21 Since this early architectural decision, “keep the Internet free” advocates have advanced the notion of end-to-end neutrality as an ethical ideal, one that leaves the Internet without filtering by any of its intermediaries. This use of end-to-end says that packets should be routed between the sender and the recipient without anyone stopping them on the way to ask what they contain.22 Cyberlaw scholars have taken up end-to-end as a battle cry for Internet freedom,23 invoking it to buttress arguments about the ideological impropriety of filtering Internet traffic or favoring some types or sources of traffic over others.

These arguments are powerful, and end-to-end neutrality in both its technical and political incarnations has been a crucial touchstone for Internet development. But it has its limits. End-to-end does not fully capture the overall project of maintaining openness to contribution from unexpected and unaccredited sources. Generativity more fundamentally expresses the values that attracted cyberlaw scholars to end-to-end in the first place.

According to end-to-end theory, placing control and intelligence at the edges of a network maximizes not just network flexibility, but also user choice.24 The political implication of this view—that end-to-end design preserves users’ freedom, because the users can configure their own machines however they like—depends on an increasingly unreliable assumption: whoever runs a machine at a given network endpoint can readily choose how the machine will work. To see this presumption in action, consider that in response to a network teeming with viruses and spam, network engineers recommend more bandwidth (so the transmission of “deadweights” like viruses and spam does not slow down the much smaller proportion of legitimate mail being carried by the network) and better protection at user endpoints, rather than interventions by ISPs closer to the middle of the network.25 But users are not well positioned to painstakingly maintain their machines against attack, leading them to prefer locked-down PCs, which carry far worse, if different, problems. Those who favor end-to-end principles because an open network enables generativity should realize that intentional inaction at the network level may be self-defeating, because consumers may demand locked-down endpoint environments that promise security and stability with minimum user upkeep. This is a problem for the power user and consumer alike.

The answer of end-to-end theory to threats to our endpoints is to have them be more discerning, transforming them into digital gated communities that must frisk traffic arriving from the outside. The frisking is accomplished either by letting next to nothing through—as is the case with highly controlled information appliances—or by having third-party antivirus firms perform monitoring, as is done with increasingly locked-down PCs. Gated communities offer a modicum of safety and stability to residents as well as a manager to complain to when something goes wrong. But from a generative standpoint, these moated paradises can become prisons. Their confinement is less than obvious, because what they block is not escape but generative possibility: the ability of outsiders to offer code and services to users, and the corresponding opportunity of users and producers to influence the future without a regulator’s permission. When endpoints are locked down, and producers are unable to deliver innovative products directly to users, openness in the middle of the network becomes meaningless. Open highways do not mean freedom when they are so dangerous that one never ventures from the house.

Some may cling to a categorical end-to-end approach; doubtlessly, even in a world of locked-down PCs there will remain old-fashioned generative PCs for professional technical audiences to use. But this view is too narrow. We ought to see the possibilities and benefits of PC generativity made available to everyone, including the millions of people who give no thought to future uses when they obtain PCs, and end up delighted at the new uses to which they can put their machines. And without this ready market, those professional developers would have far more obstacles to reaching critical mass with their creations.

Strict loyalty to end-to-end neutrality should give way to a new generativity principle, a rule that asks that any modifications to the Internet’s design or to the behavior of ISPs be made where they will do the least harm to generative possibilities. Under such a principle, for example, it may be preferable in the medium term to screen out viruses through ISP-operated network gateways rather than through constantly updated PCs.26 Although such network screening theoretically opens the door to additional filtering that may be undesirable, this speculative risk should be balanced against the very real threats to generativity inherent in PCs operated as services rather than products. Moreover, if the endpoints remain free as the network becomes slightly more ordered, they remain as safety valves should network filtering begin to block more than bad code.

In the meantime, ISPs are in a good position to help in a way that falls short of undesirable perfect enforcement, and that provides a stopgap while we develop the kinds of community-based tools that can facilitate salutary endpoint screening. There are said to be tens of thousands of PCs converted to zombies daily,27 and an ISP can sometimes readily detect the digital behavior of a zombie when it starts sending thousands of spam messages or rapidly probes a sequence of Internet addresses looking for yet more vulnerable PCs. Yet ISPs currently have little incentive to deal with this problem. To do so creates a two-stage customer service nightmare. If the ISP quarantines an infected machine until it has been recovered from zombie-hood—cutting it off from the network in the process—the user might claim that she is not getting the network access she paid for. And quarantined users will have to be instructed how to clean their machines, which is a complicated business.28 This explains why ISPs generally do not care to act when they learn that they host badware-infected Web sites or consumer PCs that are part of a botnet.29
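The two zombie behaviors named above, a burst of mail to many servers and a rapid probe of a sequence of addresses, can be sketched as detection logic over outbound flow records. This is an added example, not code from the book or from any ISP: the record format, the thresholds, the reason labels, and the `registered_mail_hosts` exemption are all assumptions, and the traffic is constructed from documentation address ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address

# Hypothetical thresholds; a real ISP would tune these against its own traffic.
WINDOW_SECONDS = 60       # sliding window length
SMTP_FANOUT_LIMIT = 50    # distinct mail servers contacted per window
SCAN_RUN_LIMIT = 20       # adjacent addresses probed on one port per window


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str      # subscriber address
    dst: str      # remote address
    dport: int    # remote TCP port


def longest_adjacent_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    values = sorted({int(IPv4Address(a)) for a in addresses})
    if not values:
        return 0
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_zombies(flows, registered_mail_hosts=frozenset()):
    """Return {subscriber: set of reasons} for hosts exceeding either threshold.

    registered_mail_hosts: subscribers known to run a legitimate mail server,
    exempt from the SMTP fan-out rule so they are not quarantined by mistake.
    """
    by_src = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f.ts):
        by_src[flow.src].append(flow)

    findings = {}
    for src, items in by_src.items():
        reasons = set()
        start = 0
        for end, flow in enumerate(items):
            # Slide the window: drop flows older than WINDOW_SECONDS.
            while items[start].ts <= flow.ts - WINDOW_SECONDS:
                start += 1
            window = items[start:end + 1]

            smtp_peers = {f.dst for f in window if f.dport == 25}
            if src not in registered_mail_hosts and len(smtp_peers) > SMTP_FANOUT_LIMIT:
                reasons.add("smtp-fanout")

            targets_by_port = defaultdict(set)
            for f in window:
                targets_by_port[f.dport].add(f.dst)
            if any(longest_adjacent_run(t) > SCAN_RUN_LIMIT
                   for t in targets_by_port.values()):
                reasons.add("sequential-scan")
        if reasons:
            findings[src] = reasons
    return findings


def constructed_flows():
    """Constructed sample traffic (documentation address ranges only)."""
    flows = []
    for i in range(80):
        # Spam burst: 80 distinct mail servers in 40 seconds.
        flows.append(Flow(i * 0.5, "203.0.113.10", f"198.51.100.{1 + 3 * i}", 25))
        # Same volume of mail spread over 80 minutes: stays under the limit.
        flows.append(Flow(i * 60.0, "203.0.113.40", f"198.51.100.{1 + 3 * i}", 25))
    for i in range(40):
        # Probe of 40 adjacent addresses on one port in 10 seconds.
        flows.append(Flow(100 + i * 0.25, "203.0.113.20", f"192.0.2.{1 + i}", 445))
    for i, dst in enumerate(["198.51.100.7", "198.51.100.9", "192.0.2.200"]):
        flows.append(Flow(30.0 * i, "203.0.113.30", dst, 443))   # ordinary browsing
    return flows


if __name__ == "__main__":
    for host, reasons in sorted(detect_zombies(constructed_flows()).items()):
        print(host, sorted(reasons))
```

The exemption list reflects the customer-service cost described in this paragraph: a subscriber who legitimately runs a mail server would otherwise trip the fan-out rule and be quarantined without cause.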

Whether through new industry best practices or through a rearrangement of liability motivating ISPs to take action in particularly flagrant and egregious zombie situations, we can buy another measure of time in the continuing security game of cat and mouse. Security in a generative system is something never fully put to rest—it is not as if the “right” design will forestall security problems forevermore. The only way for such a design to be foolproof is for it to be nongenerative, locking down a computer the same way that a bank would fully secure a vault by neither letting any customers in nor letting any money out. Security of a generative system requires the continuing ingenuity of a few experts who want it to work well, and the broader participation of others with the goodwill to outweigh the actions of a minority determined to abuse it.

A generativity principle suggests additional ways in which we might redraw the map of cyberspace. First, we must bridge the divide between those concerned with network connectivity and protocols and those concerned with PC design—a divide that end-to-end neutrality unfortunately encourages. Such modularity in stakeholder competence and purview was originally a useful and natural extension of the Internet’s architecture. It meant that network experts did not have to be PC experts, and vice versa. But this division of responsibilities, which works so well for technical design, is crippling our ability to think through the trajectory of applied information technology. Now that the PC and the Internet are so inextricably intertwined, it is not enough for network engineers to worry only about network openness and assume that the endpoints can take care of themselves. It is abundantly clear that many endpoints cannot. The procrastination principle has its limits: once a problem has materialized, the question is how best to deal with it, with options ranging from further procrastination to effecting changes in the way the network or the endpoints behave. Changes to the network should not be categorically off the table.

Second, we need to rethink our vision of the network itself. “Middle” and “endpoint” are no longer subtle enough to capture the important emerging features of the Internet/PC landscape. It remains correct that, from a network standpoint, protocol designs and the ISPs that implement them are the “middle” of the network, as distinct from PCs that are “endpoints.” But the true import of this vernacular of “middle” and “endpoint” for policy purposes has lost its usefulness in a climate in which computing environments are becoming services, either because individuals no longer have the power to exercise meaningful control over their PC endpoints, or because their computing activities are hosted elsewhere on the network, thanks to “Web services.” By ceding decision-making control to government, to a Web 2.0 service, to a corporate authority such as an OS maker, or to a handful of security vendors, individuals permit their PCs to be driven by an entity in the middle of the network, causing their identities as endpoints to diminish. The resulting picture is one in which there is no longer such a clean separation between “middle” and “endpoint.” In some places, the labels have begun to reverse.

Abandoning the end-to-end debate’s divide between “middle” and “endpoint” will enable us to better identify and respond to threats to the Internet’s generativity. In the first instance, this might mean asking that ISPs play a real role in halting the spread of viruses and the remote use of hijacked machines.

This reformulation of our vision of the network can help with other problems as well. For instance, even today consumers might not want or have the ability to fine-tune their PCs. We might say that such fine-tuning is not possible because PCs, though leveraged and adaptable, are not easy for a mass audience to master. Taking the generativity-informed view of what constitutes a network, though, we can conceptualize a variety of methods by which PCs might compensate for this difficulty of mastery, only some of which require centralized control and education. For example, users might be able to choose from an array of proxies—not just Microsoft, but also Ralph Nader, or a public interest organization, or a group of computer scientists, or StopBadware—for guidance on how best to configure their PCs. For the Herdict program described earlier, the ambition is for third parties to contribute their own dashboard gauges—allowing users of Herdict to draw from a market of advisers, each of whom can draw from some combination of the herd’s data and their own expertise to give users advice. The idea is that by reformulating our vision of the network to extend beyond mere “endpoints” and “middles,” we can keep our eyes on the real value at stake: individual freedom to experiment with new code and anything made possible by it, the touchstone of a generative system.

EXTRA-LEGAL INCENTIVES TO SOLVE THE GENERATIVE PROBLEM: FROM WIKIPEDIA TO MAPS AND STOPBADWARE

Some of the suggested solutions here include legal intervention, such as liability for technology producers in certain circumstances. Legal interventions face certain hurdles in the Internet space. One sovereign cannot reach every potentially responsible entity on a global network, and while commercial forces can respond well to legal incentives,30 the amateur technology producers that are so important to a generative system are less likely to shape their behavior to conform to subtle legal standards.

The ongoing success of enterprises like Wikipedia suggests that social problems can be met first with social solutions—aided by powerful technical tools—rather than by resorting to law. As we have seen, vandalism, copyright infringement, and lies on Wikipedia are typically solved not by declaring that vandals are breaking laws against “exceeding authorized access” to Wikipedia or by suits for infringement or defamation, but rather through a community process that, astoundingly, has impact.

In the absence of consistent interventions by law, we also have seen some peer-produced-and-implemented responses to perceived security problems at the Internet’s technical layer, and they demonstrate both the value and drawbacks of a grassroots system designed to facilitate choice by endpoints about with whom to communicate or what software to run.

One example is the early implementation of the Mail Abuse Prevention System (MAPS) as a way of dealing with spam. In the summer of 1997, Internet pioneer Paul Vixie decided he had had enough of spam. He started keeping a list of those IP addresses that he believed were involved in originating spam, discovered through either his own sleuthing or that of others whom he trusted. The first thing he did with the list was make sure the entities on it could not send him e-mail. Next he made his list instantly available over the network so anyone could free-ride off of his effort to distinguish between spammers and nonspammers. In 1999, leading Web-based e-mail provider Hotmail decided to do just that on behalf of its customers.31 Thus if Paul Vixie believed a particular mail server to be accommodating a spammer, no one using that server could send e-mail to anyone with an account at hotmail.com. MAPS was also known as the “Realtime Blackhole List,” referring to the black hole that one’s e-mail would enter if one’s outgoing e-mail provider were listed. The service was viewed as a deterrent as much as an incapacitation: it was designed to get people who e-mail (or who run e-mail servers) to behave in a certain way.32

Vixie was not the only social entrepreneur in this space. Others also offered tools for deciding what was spam and who was sending it, with varying tolerance for appeals from those incorrectly flagged. The Open Relay Behavior-modification System (ORBS) sent automated test e-mails through others’ e-mail servers to figure out who maintained so-called open relays. If ORBS was able to send itself e-mail through another’s server successfully, it concluded that the server could be used to send spam and would add it to its own blacklist. Vixie concluded that the operator of ORBS was therefore also a spammer—for sending the test e-mails. He blackholed them on MAPS, and they blackholed him on ORBS, spurring a brief digital war between these private security forces.33

Vixie’s efforts were undertaken with what appear to be the best of intentions, and a sense of humility. Vixie expressed reservations about his system even as he continued to develop it. He worried about the heavy responsibilities attendant on private parties who amass the power to affect others’ lives to exercise the power fairly.34 The judgments of one private party about another—perhaps in turn informed by other private parties—can become as life-affecting as the judgments of public authorities, yet without the elements of due process that cabin the actions of public authorities in societies that recognize the rule of law. At the time, being listed on MAPS or other powerful real time blackhole lists could be tantamount to having one’s Internet connection turned off.35

MAPS was made possible by the generative creation and spread of tools that would help interested network administrators combat spam without reliance on legal intervention against spammers. It was a predictable response by a system of users in which strong norms against spamming had lost effectiveness as the Internet became more impersonal and the profits to be gleaned from sending spam increased.36 In the absence of legal solutions or changes at the center of the network, barriers like MAPS could be put in place closer to the end-points, as end-to-end theory would counsel. But MAPS as a generative solution has drawbacks. The first is that people sending e-mail through blackholed servers could not easily figure out why their messages were not being received, and there were no easy avenues for appeal if a perceived spammer wanted to explain or reform. Further, the use of MAPS and other lists was most straightforward when the IP addresses sending spam were either those of avowed spammers or those of network operators with willful ignorance of the spammers’ activities, in a position to stop them if only the operators would act. When spammers adjusted tactics in this game of cat and mouse and moved their spamming servers to fresh IP addresses, the old IP addresses would be reassigned to new, innocent parties—but they would remain blackholed without easy appeal. Some IP addresses could thus become sullied, with people signing on to the Internet having no knowledge that the theoretically interchangeable IP address that they were given had been deemed unwelcome by a range of loosely coordinated entities across the Net.37 Finally, as spammers worked with virus makers to involuntarily and stealthily transform regular Internet users’ machines into ad hoc mail servers spewing spam, users could find themselves blocked without realizing what was going on.

MAPS is just one example of individual decisions being aggregated, or single decisions sent back out to individuals or their proxies for implementation. In 2006, in cooperation with the Harvard and Oxford StopBadware initiative, Google began automatically identifying Web sites that had malicious code hidden in them, ready to infect users’ browsers as soon as they visited the site.38 Some of these sites were set up expressly for the purpose of spreading viruses, but many more were otherwise-legitimate Web sites that had been hacked. For example, the puzzlingly named chuckroast.com sells fleece jackets and other clothing just as thousands of other e-commerce sites do. Visitors can browse chuckroast’s offerings and place and pay for orders. However, hackers had subtly changed the code in the chuckroast site, either by guessing the site owner’s password or by exploiting an unpatched vulnerability in the site’s Web server. The hackers left the site’s basic functionalities untouched while injecting the smallest amount of code on the home page to spread an infection to visitors.

Thanks to the generative design of Web protocols, allowing a Web page to direct users’ browsers seamlessly to pull together data and software from any number of Internet sites to compose a single Web page, the infecting code needed to be only one line long, directing a browser to visit the hacker’s site quietly and deposit and run a virus on the user’s machine.39 Once Google found the waiting exploit on chuckroast’s site, it tagged it every time it came up as a Google search result: “Warning: This site may harm your computer.”40 Those who clicked on the link anyway would, instead of being taken to chuckroast.com, get an additional page from Google with a much larger warning and a suggestion to visit StopBadware or pick another page instead of chuckroast’s.
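A site owner in chuckroast's position can check a page for the kind of single injected line described above by listing every element that makes the browser load content from a host the owner does not recognize. This is an added example, not Google's or StopBadware's scanner: it assumes the injected line is a frame, script, embed or object tag (the text does not say which element was used), and the page markup, host names and trusted-host list are constructed.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that make the browser fetch another resource, and the attribute naming it.
LOADERS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}   # sizes that make a frame effectively invisible


@dataclass(frozen=True)
class Finding:
    line: int      # line of the tag in the page source
    tag: str
    host: str      # off-site host the browser would contact
    hidden: bool   # True when the element is styled or sized to be invisible


class OffsiteLoadFinder(HTMLParser):
    """Collects elements whose source resolves to a host outside the allowed set."""

    def __init__(self, page_url, trusted_hosts=()):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.allowed = {urlsplit(page_url).hostname, *trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADERS.get(tag)
        if attr_name is None:
            return
        values = {name: (value or "") for name, value in attrs}
        target = values.get(attr_name, "").strip()
        if not target:
            return
        # Resolve relative and protocol-relative ("//host/path") references.
        host = urlsplit(urljoin(self.page_url, target)).hostname
        if host is None or host in self.allowed:
            return
        hidden = (
            values.get("width", "").strip().lower() in TINY
            or values.get("height", "").strip().lower() in TINY
            or bool(HIDDEN_STYLE.search(values.get("style", "")))
        )
        self.findings.append(Finding(self.getpos()[0], tag, host, hidden))


def scan_page(html_text, page_url, trusted_hosts=()):
    """Return off-site loads in document order; hidden ones deserve review first."""
    finder = OffsiteLoadFinder(page_url, trusted_hosts)
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed page: a shop with its own script, a CDN script, one injected
# invisible frame, and one visible third-party embed the owner added on purpose.
SAMPLE_PAGE = """<html><head>
<script src="/js/cart.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
</head><body>
<h1>Fleece jackets</h1>
<iframe src="//203.0.113.77/in.html" width="0" height="0" style="display:none"></iframe>
<iframe src="https://maps.partner.example/embed" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "https://www.shop.example/", {"cdn.shop.example"}):
        print(f"line {f.line}: <{f.tag}> loads from {f.host} hidden={f.hidden}")
```

A report like this only narrows the search: the owner still has to recognize which off-site hosts were never meant to be there, which is the diagnostic step the following paragraph says amateurs struggle with.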

Chuckroast’s visits plummeted after the warning was given, and the site owner was understandably anxious to figure out what was wrong and how to get rid of the warning. But cleaning the site requires leaving the realm of the amateur Web designer and entering the zone of the specialist who knows how to diagnose and clean a virus. Requests for review—which included pleas for help in understanding the problem to begin with—inundated StopBadware researchers, who found themselves overwhelmed in a matter of days by appeals from thousands of Web sites listed.41 Until StopBadware could check each site and verify it had been cleaned of bad code, the warning page stayed up. Difficult questions were pressed by site owners and users: does Google owe notice to webmasters before—or even after—it lists their sites as being infected and warns Google users away from them? Such notice is not easy to effect, because there is no centralized index of Web site owners, nor a standardized way to reach them. (Sometimes domain name records have a space for such data,42 but the information domain name owners place there is often false to throw off spammers, and when true it often reaches the ISP hosting the Web site rather than the Web site owner. When the ISP is alerted, it either ignores the request or immediately pulls the plug on the site—a remedy more drastic than simply warning Google users away from it.) Ideally, such notice would be given after a potentially labor-intensive search for the Web owner, and the site owner would be helped in figuring out how to find and remove the offending code—and secure the site against future hacking. (Chuckroast eliminated the malicious code, and, not long afterward, Google removed the warning about the site.)

Prior to the Google/StopBadware project, no one took responsibility for this kind of security. Ad hoc alerts to webmasters—those running the hacked sites—and their ISPs garnered little reaction. The sites were working fine for their intended purposes even as they were spreading viruses, and site customers would likely not be able to trace infections back to (and thereby blame) the merchant. As one Web site owner said after conceding that his site was unintentionally distributing malware, “Someone had hacked us and then installed something that ran an ‘Active X’ something or rather [sic]. It would be caught with any standard security software like McAfee.”43 In other words, the site owner figured that security against malware was the primary responsibility of his visitors—if they were better defended, they would not have to worry about the exploit that was on his site. (He also said that the exploit was located in a little-used area of his site, and noted that he had not been given notice before a Google warning was placed on links to his page.) With the Google/StopBadware project in full swing, Web site owners have experienced a major shift in incentives, such that the exploit is their problem if they want Google traffic back. That is perhaps more powerful than a law directly regulating them could manage—and it could in turn generate a market for firms that help validate, clean, and secure Web sites.

Still, the justice of Google/StopBadware and similar efforts remains rough, and market forces alone might not make for a desirable level of attention to be given to those wrongly labeled as people or Web sites to be avoided, or properly labeled but unsure where to turn for help to clean themselves up. Google/StopBadware and MAPS are not the only mainstream examples of this kind of effort. Windows Vista’s anti-spyware program displays a welcome screen during installation inviting you to “meet your computer’s new bodyguards.”44 These bodyguards advise you what you can and cannot run on your PC if you want to be safe, as far as Microsoft is concerned.

These private programs are serving important functions that might otherwise be undertaken by public authorities—and their very efficiency is what might make them less than fair. Microsoft’s bodyguard metaphor is apt, and most of us rely on the police rather than mercenaries for analogous protection.45 The responsibilities when the private becomes the public were addressed in the United States in the 1940s, when the town of Chickasaw, Alabama, was owned lock, stock, and barrel by the Gulf Shipbuilding Corporation. A Jehovah’s Witness was prosecuted for trespass for distributing literature on the town’s streets because they were private property. In a regular town, the First Amendment would have protected those activities. The Supreme Court of the United States took up the situation in Marsh v. Alabama, and held that the private property was to be treated as public property, and the conviction was reversed.46 Others have speculated that Marsh offers some wisdom for cyberspace, where certain chokepoints can arise from private parties.47 Marsh advises that sometimes the government can defend the individual against a disproportionately powerful private party. This view can put public governments in a position of encouraging and defending the free flow of bits and bytes, rather than seeking to constrain them for particular regulatory purposes. It would be a complex theoretical leap to apply the Marsh substitution of public for private for Paul Vixie’s anti-spam service or Microsoft’s bodyguards—asking each to give certain minimum due process to those they deem bad or malicious, and to be transparent about the judgments they make. It is even harder to apply to a collective power from something like Herdict, where there is not a Paul Vixie or Microsoft channeling it but, rather, a collective peer-to-peer consciousness generating judgments and the data on which they are based. How does one tell a decentralized network that it needs to be mindful of due process?

The first answer ought to be: through suasion. Particularly in efforts like the partnership between Google and StopBadware, public interest entities are involved with a mandate to try to do the right thing. They may not have enough money or people to handle what due process might be thought to require, and they might come to decisions about fairness where people disagree, but the first way to make peace in cyberspace is through genuine discussion and shaping of practices that can then catch on and end up generally regarded as fair. Failing that, law might intrude to regulate not the wrongdoers but those private parties who have stepped up first to help stop the wrongdoers. This is because accumulation of power in third parties to stop the problems arising from the generative pattern may be seen as both necessary and worrisome—it takes a network endpoint famously configurable by its owner and transforms it into a network middle point subject to only nominal control by its owner. The touchstone for judging such efforts should be according to the generative principle: do the solutions encourage a system of experimentation? Are the users of the system able, so far as they are interested, to find out how the resources they control—such as a PC—are participating in the environment? Done well, these interventions can lower the ease of mastery of the technology, encouraging even casual users to have some part in directing it, while reducing the accessibility of those users’ machines to outsiders who have not been given explicit and informed permission by the users to make use of them. It is automatic accessibility by outsiders—whether by vendors, malware authors, or governments—that can end up depriving a system of its generative character as its own users are proportionately limited in their own control.


* * *

We need a latter-day Manhattan project, not to build a bomb but to design the tools and conventions by which to continually defuse one. We need a series of conversations, arguments, and experiments whose participants span the spectrum between network engineers and PC software designers, between expert users with time to spend tinkering and those who simply want the system to work—but who appreciate the dangers of lockdown. And we need constitutionalists: lawyers who can help translate the principles of fairness and due process that have been the subject of analysis for liberal democracies into a new space where private parties and groups come together with varying degrees of hierarchy to try to solve the problems they find in the digital space. Projects like the National Science Foundation’s FIND initiative have tried to take on some of this work, fostering an interdisciplinary group of researchers to envision the future shape of the Internet.48

CompuServe and AOL, along with the IBM System 360 and the Friden Flexowriter, showed us the kind of technological ecosystem the market alone was ready to yield. It was one in which substantial investment and partnership with gatekeepers would be needed to expose large numbers of people to new code—and ultimately to new content. The generative Internet was crucially funded and cultivated by people and institutions acting outside traditional markets, and then carried to ubiquity by commercial forces. Its success requires an ongoing blend of expertise and contribution from multiple models and motivations—and ultimately, perhaps, a move by the law to allocate responsibility to commercial technology players in a position to help but without economic incentive to do so, and to those among us, commercial or not, who step forward to solve the pressing problems that elude simpler solutions.

Posted by The Editors on March 1, 2008