Q&A: Jonathan Zittrain

This author, teacher, and Web expert wants to avoid an Internet clampdown.

Mar 1, 2006

Is it possible that a spectacularly productive era of Internet-driven innovation will soon end, amid new government and corporate controls cheered by millions of turned-off consumers?

Yes, says Jonathan Zittrain, professor of Internet governance at the University of Oxford, cofounder of Harvard Law School’s Berkman Center for Internet and Society, and author of “The Generative Internet,” an upcoming article in the Harvard Law Review. Machines clogged with “malware” – the catchall term for code that infiltrates PCs to steal data, send out spam, or produce pop-up messages – are already costing billions annually and testing everyone’s tolerance, Zittrain says.

And a single destructive virus could prompt harsh regulations and cause millions of people to seek safe, closed networks.

To help fight back, Zittrain and fellow academics have just launched a new antimalware effort (www.stopbadware.org) funded by Google, Sun Microsystems, and Lenovo (the Chinese firm that acquired IBM’s PC division). Zittrain describes how this effort fits into the Internet’s history and proposes a possible next step in preempting the stifling of the Net.

Technology Review: What do you feel is at stake here?

Jonathan Zittrain: The history of the PC and the unfettered Internet has shown us just how important amateurs working in obscure corners can be as a source of wildly popular and transformative applications. The capacity for uncoordinated third-party contribution makes the PC and Internet highly generative, and we can thank it for the World Wide Web, instant messaging, blogging, Wikipedia, and even online shopping. It’s a world away from the walled-garden proprietary online services like CompuServe and Prodigy of the 1980s, and from that era’s non-PC “information appliances” like LCD-screen digital typewriters and video-game consoles.

TR: Of course, there’s a downside or two.

JZ: These generative characteristics carry with them the seeds of their own destruction. Generativity can mean excess and outright disruption. Publishers have seen this when a couple teenagers can brilliantly engineer a peer-to-peer network that enables copyright infringement. So far, regulators have had a comparatively light touch going after such activities. I think a watershed in the security space – for example, a mass-distributed virus whose payload wipes out hard drives – could change consumer sentiment so that a controlled information environment is appealing to many more people. These controlled platforms, while great for what they do, foreclose exactly the sort of innovation that brought us all the great applications. And if we lose people, we won’t be as easily able to include them in the critical mass for any project that relies on broad-based adoption. The status quo is not stable.

TR: Many people let companies like Symantec guard the door 24-7, while Microsoft and Apple automatically update their operating systems. Won’t this prevent your “watershed” crisis?

JZ: This risks turning PCs into gated communities that can too easily become prisons patrolled by a single warden. Suppose a security vendor or OS maker, through its success against badware, starts collecting user proxies to decide what will and won’t run on nearly everyone’s machine and enforces those decisions through near-instant automatic updates. This not only creates an antigenerative architecture with a gatekeeper like the days of Prodigy and AOL, but it also offers a way for regulators to demand that such gatekeepers eliminate code deemed socially – rather than technologically – bad or to insert new code for individual surveillance. To be sure, the actions by the biggest players so far have been measured. Microsoft currently distinguishes between critical security updates and others that are merely suggested.

TR: So what will www.stopbadware.org do that’s so different?

JZ: First, we need to deeply understand the problem of bad code – code that will turn people away from participation in the generative Internet – as something more than technical. This includes policy and legal issues that automatic antivirus detectors are, of course, not built to address. Second, we want to marshal a solution that does not cause new problems of centralized control. We can do this on both the input and output sides: developing and distilling evaluations of code in ways that consumers can understand – especially since there is a variety of risk tolerance among them – and in which they can participate.

TR: Surely average PC owners can’t evaluate new code to gauge risks or even regularly consult a new website. What do you hope to offer them?

JZ: Imagine, for example, a simple display, a networked “dashboard” where users contemplating code can contribute to – and then read – simple demographics like how many other people are running it, how many were running it last week, and whether the computers running it appear to be better off with it on board. If enough people participate, meaningful – and currently unobtainable – data can be collected and packaged to keep genuine choice in the hands of the user. That’s a generative solution to a generative problem.