These responses make three major points, each persuasive even as all can’t be true. They contend: there’s no game-changing problem under the rubric of online security; there might be a problem, but it’s hard to measure and will in any case be solved by market forces; there’s a problem, but my suggested solutions are wrong, or hard to evaluate, or simply unlikely to come about.
Is there a problem? There are two. First, it is desirable for users of such generative environments as the Net and PC to run whatever software they please. But that use can be easily subverted and abused. Susan Crawford is right: “security” is a bad name for this. Too quickly a security discussion narrows to talk about the technical vulnerabilities of operating systems. The problem I want to put on the table is as much a feature as a bug: users can choose to run new code. The essence of our IT ecosystem is that people can reconfigure their technologies at the click of a mouse. Often that reconfiguration results in a large and unanticipated surprise. Sometimes the results are harmful, but other times benefits are slowly realized, especially if they increase as their users take up the same code. Thus, social technologies like Skype or Facebook become more useful as more people join, and illegal file sharing pushes the music industry into ventures like the iTunes store.
Richard Stallman has championed the empowerment of users to choose which code to adopt, write their own, and build on the work of others. And not only nerds should be empowered. With the right software, non-coders form new social bonds and produce new content.
This state of affairs is rapidly changing. Wherever new code runs at the user’s discretion, the user can screw up or be tricked, and the results can be devastating: hard drives wiped, personal information compromised, spreadsheets poisoned, computers arrayed into botnets. Tech-savvy people know how to avoid troubles. But as Roger Grimes and Hal Varian suggest, lots of people just want the stuff to work, and can’t keep calling their techie friends to bail them out.
The second problem follows from the first. If generative computers remain vulnerable, users will migrate to platforms that aren’t generative. Stallman believes this won’t happen, because sterile technologies like locked-down mobile phones are not attractive, especially if the vendor (or the government pushing the vendor) uses them to spy upon the user. But Stallman does not address the phenomenon of contingent generativity. This spring Apple released a software development kit for the iPhone. Now third parties can write apps for it. The phone will go from sterile toward generative—sort of. Developers will need to be licensed by Apple and pay a fee, and the applications will be funneled through the iPhone App Store, with Apple’s approval.
So, contingently generative apps will appeal to the market, even as they constrict the ability for truly revolutionary applications to come about, and place unprecedented power in the hands of the platform vendor and the governments that will regulate it. As proprietary as Bill Gates has been portrayed, this is a level of control he never achieved—or probably dreamed of—with Windows, on which any application can run without Microsoft’s approval.
Will the market solve this problem? Generative technologies allow consumers to become participants: to change technologies for themselves or to adopt improvements offered by others not operating through the usual mechanisms of the firm. Whether this is a market force depends on how broadly we define the term. Is any voluntary behavior endogenous to a market? Or are only those choices that have to do with purchases? If a group of people coalesces in Central Park for a game of Ultimate (Frisbee), is the market for Ultimate working its magic? The question is important because often we rely too readily on the solutions proposed by firms and government. If there’s litter in a public space, the government should fine violators and clean it up, or pay a firm to do so. But the amount of litter in a park may depend not so much on the rules against it or the schedule for cleaning, but rather on the habits and normative commitments of the people who use it.
The solutions to the generative dilemma that I find most interesting are ones that don’t assume a zero-sum tradeoff between generativity and security. If we narrow ourselves to firms offering some devices that are generative but quickly compromised, and others that are sterile or contingently generative, but incapable of generating whimsical change, the market will no doubt achieve equilibrium somewhere along the axis. Bruce Owen figures that demand will create supply and the optimal point will be achieved. But Owen’s faith in the market ignores the role that a civic instinct can play if people take shared responsibility for their own and others’ security. To do so, they will need certain tools. But those tools may not be money makers, thus the market may not produce them. If the reply is “well, yes, but someone named Jimbo was moved to produce Wikipedia, and his charity is part of the market,” then the market is circularly defined as every possible action by someone. We can contribute more to our shared public life than what results indirectly through our buying or voting.
Moreover, the market may have trouble pricing the benefits of generative platforms. Behavioral economics is beginning to confirm the conventional wisdom that people do not plan very well. This is true in the PC market where people making platform investment decisions rarely weigh the unknown as part of their thought processes. They buy the PC for email or Web surfing, and only later find that it can be used for Internet telephony. And often the platform’s buyer is not the same as the user. Much of the revolution in PC software has taken place through user adventurousness on office computers acquired by companies for other reasons. What the economists might call an “agency gap” has produced great things. The true value of generative technologies is too easily dismissed when portrayed, à la Owen, as “the extent to which end-users and their communicants may indulge the whim to customize these tools.” What’s at stake is not just setting wallpaper style on your iPhone, but the very Net generativity that has facilitated entire new markets and social relationships.
Looking back, the market produced some sterile, competing consumer networks—CompuServe, the Source, and the like. Non-market forces led production on another course—the Internet. To be sure, the Internet’s reach was greatly extended through its later commercialization, but had the Internet’s architecture been obvious enough for the market to discover it, no modest government subsidies would have been needed. Sperry Rand, IBM, and Prodigy would have easily outpaced academics in producing the technologies underlying the dot-com boom. They did not.
What am I calling for? Generative systems are works in progress that muddle through on a “procrastination principle”—sending a technology out first and adjusting it (or letting others adjust it) later. My proposals fit that conception. They illustrate the kinds of processes that can work. There is no elegant patch; silver bullets belong to the realm of the appliance. Yet, some of these hodge-podge solutions, like many Internet advances, can be developed and deployed to make a difference without major investment, though there are significant barriers that must be overcome. First, we face a widespread failure to realize the extent of the problem and the costs of inaction. Second, there is a collective action problem thanks to which no single existing group of actors that appreciates the problem sees it as its own responsibility. Third, as Crawford points out, incumbent firms stand to profit from one implementation over another and are often in a position to distort the marketplace. And fourth, we labor under a too-easily cultivated sense among Internet users that the system is supposed to work like any other consumer device, and among other observers that profit-maximizing firms can produce whatever solutions are called for.
The suggestions I’ve made—and, in the case of StopBadware and the OpenNet Initiative, am working with others to build—are experiments. They will test the dichotomy between generative and secure, even as the public is racing toward technologies thoroughly controllable by their makers, who themselves stand to be unpleasantly surprised by the limits they can impose (as Stallman hints when he indicates that mobile phones have been conscripted by governments as remotely triggered recording devices). Others in this forum have their own experiments. David Clark, who helped create the generative magic as one of the Internet’s framers, is today devoting his brilliance—and optimism—to clean-slate thinking about how to reconfigure an Internet that has outgrown itself. And Susan Crawford has counseled market participants who now are drivers of Internet infrastructure and services. Her scholarship is devoted to reconciling the entrepreneurial spirit and investment of corporate players with the precious whimsy of curious teenagers who will write the next world-changing applications.
That reconciliation has many possible paths, each represented by the intellectual anchors who have defined the debates in cyberlaw. Libertarians think the problems can be solved through individual self-defense and education; supporters of regulation reach for government direction and Internet non-exceptionalism; the market types see hope from rational accretions of capital invested in solutions that people will pay for in a competitive playing field. Each of these approaches has its place, but my vote and work are weighted toward the communitarian, because it is the least appreciated even as it may offer the most creative solutions to the generative dilemma. We can develop the tools and practices for a bottom-up hierarchy to deal with problems that transcend the individual and happen too quickly for government to capture or too quietly (if sound is measured through the dropping of coins) for markets to respond to. We need to cultivate points of common endeavor for a public good, something that must be argued for rather than imposed or simply awaited, with its success measured one netizen at a time.