Jonathan Zittrain and I had a Twitter exchange last week that I think is extremely illuminating on the brilliance — and the limits — of his book The Future of the Internet—And How to Stop It. It started with this tweet:
zittrain: Apple one step closer to locking down PCs as predicted in The Future of the Internet at http://t.co/yYhvdrEE ; see http://t.co/e4kmgQWi
Let me unpack. The story Zittrain linked to was about how Apple will soon be “sandboxing” all applications that are sold through the Mac App Store. Regular applications can read or write files at will, launch other programs, open network connections, and do all kinds of complicated things to your computer. Sandboxed applications can’t even see the rest of the computer, let alone affect it: it’s as if they’re playing safely with soft rubber toys in a glass-encased sandbox. In order to get outside the sandbox, they need adult supervision from Apple. The developer gives Apple a list of “entitlements” that the application needs: being able to write a file to a place specified by the user through the Save dialog box, for example. Apple will only let the application have those entitlements if really needs them to do its job: there’s no reason for a stock ticker to save files to arbitrary places.
The reasons for this, of course, are security and stability. Apple doesn’t want Mac App Store applications to install spyware or fill your Documents directory with gibberish. Properly sandboxed applications can’t take advantage of security holes in pieces of software. They can mess themselves up, but nothing else.
The Future of the Internet predicted it. The book starts off as a celebration of “generativity”: the openness of a system to new and unplanned change from its users. We have open computers: you can run any programs you want. And we have an open Internet: you can run any protocols you want and connect to anyone you want. The combination is a remarkably generative system — no, the most generative system in human history. The consequences for innovation, creativity, sharing, and community have been, well, adjectives fail me.
But generative systems’ greatest strength, Zittrain observes, is also their greatest weakness. Their openness makes them open to bad uses as well as good. The Internet is open: to spam. Computers are open: to viruses. The onslaught of abuse starts to make them unusable, as anyone who has ever pitched a computer that just “got slow” can attest. This, Zittrain argues, creates counter-pressures fighting back against generativity: people flee to safety as bad software drives out good. They seek defensible systems: ones that aren’t actually open to new uses, but which at least work reliably. Instead of general-purpose computers, we get specialized, sealed appliances: like ATMs and TiVos.
Thus Zittrain’s tweet. Apple is closing off the Mac App Store. Programs available through it can do less. In order to make your Mac run more smoothly, Apple is restricting what you can run on it. The Future of the Internet absolutely nailed it on this point. Zittrain has a compelling explanation both of why Apple is sandboxing applications, and what we lose by it.
There’s just one problem with this story of fear and loss: you can still install anything you want on your Mac, just not through the Mac App Store. Any users who want to run unsandboxed applications are still free to. Any developers who want to write unsandboxed applications are still free to. The Mac App Store is not old, and it is not exclusive. Developers used to sell direct to users; many still do.
So, in a sense, Apple is now giving users the best of both worlds, open and closed. Users who want the power of openness can install applications directly. Users who want the safety of closure can install applications from the Mac App Store. In fact, here’s a powerful argument for this kind of hybrid model:
In an effort to satisfy the desire for safety without full lockdown, PCs could be designed to pretend to be more than one machine, capable of cycling from one split personality to the next. In its simplest implementation, we could divide a PC into two virtual machines: “Red” and “Green.” The Green PC would house reliable software and important data—a stable, mature OS platform and tax returns, term papers, and business documents. The Red PC would have everything else. In this setup, nothing that happens on one PC could easily affect the other, and the Red PC could have a simple reset button that sends it back to a predetermined safe state. Someone could confidently store important data on the Green PC and still use the Red PC for experimentation. Knowing which virtual PC to use would be akin to knowing when a sport utility vehicle should be placed into four-wheel drive mode instead of two-wheel drive, a decision that mainstream users could learn to make responsibly and knowledgeably.
This is almost exactly what Apple has done. The Mac App Store is the Green
PC Mac. Everything you install on your own is the Red PC Mac. The only significant difference is that the Red Mac, unlike the Red PC, can affect the environment that the Green Mac runs in, which means that Red Mac users need to be a little more careful with their computer offroading. But this is not a major issue in the scheme of things. The important part is having a computer that supports both “safe” and “unsafe” modes: one for greater security, and one for greater generativity.
Sounds like a good idea to me. And it also sounds like a good idea to Jonathan Zittrain. He wrote that passage about the Red PC and the Green PC. It’s on page 155 of The Future of the Internet. So I replied to him:
grimmelm: @zittrain Isn’t this exactly the red PC/green PC split that you called for?
Zittrain’s response was what lawyers call a “confession and avoidance,” or, in lay terms, “yes, but.”
zittrain: @grimmelm Sure - so long as one can install apps outside the App Store environment. I think that will be made more difficult or eliminated.
I want to leave aside the questions of whether Apple really will try to stamp out independent applications, whether it would succeed if it did, whether it could weather the antitrust storm that would immediately erupt, and whether it would be for the best if Apple did, would, and could. My best guesses are “no,” “no,” “no,” and “no.” Instead, I want to focus on whether this is really a convincing reply to my question. What does it tell us if Zittrain himself now thinks that Red-and-Green is not such a good development after all because it’s just a hand-basket service station on the road to lockdown hell?
In the context of The Future of the Internet, the Red-and-Green proposal was designed to help address the tension between generativity’s innovative upside and its security downside. It came in a chapter titled “Stopping the Future of the Internet: Stability on a Generative Net.” The “Future” to be stopped was lockdown; this chapter was the one in which Zittrain explained how other, lesser measures could provide security and usability without sacrificing generativity entirely. In other words, Red-and-Green was meant to be a stable policy, one we could all get behind because it would stave off the march to lockdown. It is, to say the least, not encouraging if the proposal’s own author now sees it as a harbinger of doom, rather than the generative Internet’s last, best hope.
Paul Ohm and I wrote a book review of The Future of the Internet last year. Although we showered the book with praise for isolating generativity as an essential technical goal for policy-makers, this was precisely where we had the most skepticism about Zittrain’s analysis. We compared Wikipedia (which Zittrain clearly loves) with the iPhone (which he seems to regard with dread):
Even with these restrictions, though, it isn’t obvious that the App Store is all that far away—from a generativity perspective—from Wikipedia. Many of the charges that could be hurled against the iPhone would also stick to Wikipedia. Many Wikipedia edits are reverted quickly after they are made. Some IP addresses are banned entirely. One organization has its finger on Wikipedia’s master override switch, and sometimes it uses that power. For example, the news of a New York Times reporter’s kidnapping in Afghanistan was suppressed for almost a year, on orders straight from Wikipedia’s founder. Compared with some of the convoluted fights over Wikipedia article edits, the iPhone App Store application process sometimes seems like a model of bureaucratic rationality.
This isn’t to say that Wikipedia is ungenerative, or dystopian, or doomed. It isn’t. But it is a complex, messy system, and one that accepts significant limits to its generativity. Those limits may be necessary to make the whole thing work, of course. Someone has to run the server, someone has to resolve disputes, someone has to deal with spammers and sock puppets,168 and so on. But structurally, this is the same argument used to justify Apple’s control over the iPhone environment. The Wikipedia model may be superior to the Apple model, all things considered, but it’s not self-evidently superior. Or, put another way, it’s easy to say the first-generation, locked-down iPhone was generatively inferior to Wikipedia, but it’s much harder to explain why Wikipedia beats the modern iPhone. They both make sacrifices in the name of overall generativity. You need a more precise analytical framework than what Zittrain provides to explain why one tradeoff is better than another.
The Future of the Internet makes a compelling case that more generativity is better than less — and also that there is such a thing as too much generativity. That commits Zittrain to finding sensible in-between positions that realize the best of both worlds. But the book never really explains how to distinguish the sensible compromises from the dangerous ones. As we wrote, using another example:
On what basis does he conclude that extensive firewalling and virus scanning is worse for generativity than some packet filtering? He’s probably right, but it’s hard to escape the conclusion that Zittrain’s gut is doing as much work here as his theory. He knows generativity when he sees it.
We could have said much the same about Red-and-Green.
Compare Zittrain’s book to his tweet, and I think it’s fair to say that he is of two minds about sandboxes. This is not a charge of cognitive dissonance or confusion. I think he really is wrestling with the problem. This is a man, after all, who teaches a seminar on “Difficult Problems in Cyberlaw.” No, these two points are the sign of a first-rate intelligence, one that really can hold two opposing ideas in mind at the same time. But there is a conflict here, and it deserves to be recognized as such.
For more technical details on OS X sandboxing (and much more), see John Siracusa’s review of OS X Lion.
For an interesting take on some of the security issues, see Wil Shipley’s Real Security in Mac OS X Requires Apple-Signed Certificates.)