Australia is often heralded as having one of the world’s best anti-spam laws and enforcement programs. Sounds like they may also be home to one of the world’s biggest spammers, accused of sending over 2 billion spam messages. Alone. In a single year. All about Viagra (or, V#%GR@). I’m sure I got about 50,000 of those 2 billion. And using what appears to be a not very sophisticated system. Yikes.
Charlie Nesson and his daughter Rebecca Nesson are hosting the Tuesday lunchtime session at the Berkman Center today.
– One first is that this is the first video webcast lunch event. We’ve regularly webcast these lunches audio-only. This week, with the help of Indigo Tabor, we are offering a live feed with video as well as audio. (The real-time webcast is 12:00 – 1:30 p.m. EDT today, Tuesday, Sept. 12, 2006.) So, too, is it being offered in Second Life, where 24 people are tuning in at the moment from Berkman Island, we’re told.
– The other first (actually, I’m certain there are more than two, since Becca and Charlie are involved) is that the class that they are talking about, Cyberone: Law in the Court of Public Opinion, is being taught IN Second Life, a first for Harvard Law School and Harvard Extension School, anyway. If you haven’t seen the promo video for it yet, it’s a must.
It remains to be seen if these firsts will stick. It remains to be seen if these firsts will lead to other good things, as the establishment of Creative Commons by Prof. Lessig or the first podcast series hosted here by a combination of Dave Winer, Chris Lydon, and Bob Doyle. But it’s fun to be sure. Charlie and Becca keep the Berkman Center young and just a bit hip, and the likes of Rodica, Dean, Gene, and John Lester from Linden Labs keep giving things like these experiments life.
(John Bracken called this first first, way before me, and added more about a Berkeley example.)
A week or so ago, we at the Berkman Center joined our friends and colleagues at the Oxford Internet Institute in hosting an academic pre-briefing related to the Internet Governance Forum. The IGF, announced in July by the Secretary-General of the United Nations, is the process and institution that has grown out of the two phases of the World Summit on the Information Society. The IGF is directed by the highly able Swiss diplomat, Markus Kummer, and chaired by the equally able Nitin Desai. The OII’s director, Prof. Bill Dutton, has been leading the way on these briefings for the past three years and gently, appropriately, helpfully, keeping academics and technologists in front of the diplomats. On our end, fellow Mary Rundle — jointly at Harvard and at the Stanford Center for Internet and Society and director of NetDialogue — coordinates our efforts in this space and pulled together major aspects of this briefing.
In listening to the participants in an academic-heavy workshop, we heard a number of areas on which the Internet Governance Forum ought to focus and some hard problems that the IGF faces moving ahead.
For starters, especially for those who have not been following the blow-by-blow of WSIS and its progeny, here is my short FAQ based on this briefing we just had.
1) What is the Internet Governance Forum?
– It is something we feel good about.
– It is a process outcome of the WSIS process.
– It is a “new institutional approach.”
– It is uncharted territory, under a UN umbrella; it is relevant for the conversation about UN reform.
– It is a place for informed and meaningful discussion in a multi-stakeholder context and framework – once unacceptable, now the basis for moving ahead.
– It can be analogized, in part, to the OECD, which has been quite successful via the mode of sharing experiences and best practices (but importantly is different from the OECD in other ways, such as the inclusiveness of all states, not just 30).
– It is full of creative ambiguity.
2) What should the IGF do with that “creative ambiguity”? Or, put another way, how does the IGF deal with hard issues?
The IGF has been tasked, for its first meeting in Athens, with taking up four areas of inquiry: openness, security, diversity, and access.
– Openness: includes IPR, which is polarizing and about which the assembled group has agreed to do nothing in the past, though the Forum will have to grapple with it. Net Neutrality is another contender for a specific issue to handle under the “openness” banner. We all know how hard it is just to define “openness,” so the IGF has its hands full here, as important as this theme is. My personal favorite under openness, perhaps not suprisingly, is the cluster of freedom of expression and security and privacy issues that we work on through the OpenNet Initiative.
– Security: Everybody agrees that Internet security is something that needs to be addressed. But privacy, Mr. Kummer notes off the bat, will cause controversy. Kenn Cukier wonders if there’s in fact consensus about what security means? Do developing countries think that security means something different than what the West thinks it means?
– Diversity: Everyone agrees that ICTs for development is an essential component of what the IGF should do. Multilingualism and IDNs will certainly cause division. I think there has to be a major push to get funding for people from developing countries to be able to participate in meetings, as well as a devotion to free, web-based means of active participation.
– Access: This topic includes the age-old issue of interconnection costs and compensation related thereto. In most contexts, liberalization is perceived to be the common answer to the bulk of the problems. But it might also mean development and it might also mean open access, connecting up to the A2K movement and to the IPR themes dealt with (or not dealt with) under the “openness” heading.
3) But how, really, will the IGF manage to deal with sensitive topics?
– The idea is that the IGF will indeed deal with hard issues, not just sweep them under the table.
– But the IGF is not meant to make decisions, so it may be a good venue for bringing them up.
– It will be essential that the IGF figures out how to make participation meaningful, not just creating an environment where everyone can talk but no one listens.
– Connecting to results: even though the IGF does not have a mandate to make policy decisions, much less enforce anything, how, if at all, can the IGF lead to the world becoming a better place?
4) What were the key take-away messages at the briefing?
– From the Executive Secretariat, the clear message from Markus Kummer was that expectation management is essential. If it is interesting, it allows you to contribute, you learn something – even if the world has not changed – then that should be a success.
– Professor Jonathan Zittrain, our beloved colleague, had the most provocative suggestion. Is there an absence of opportunities for diplomats to get together? Is there an absence of opportunities for network architects to get together? (Even if there are enough opportunities for these two groups separately, we need to get these guys all together, plus one sociologist, responded one participant.) The IGF, JZ said, should not just be a meta-meeting. There is a lesson from Wikipedia. In the first instance, the IGF should leap-frog the so-called stakeholders. Go, instead, straight to the users. The right audience is the one-laptop-per-child children who are about to get the equivalent of a blinking cursor. We don’t want them reading stuff and clicking on ads. We want them to see something that they can change, anytime.
– Professor Milton Mueller, a longtime participant and analyst of this space, disagreed, contending that we should not “continue to conflate the free association communities, like Wikipedia, and governance institutions, which get stuck with problems that people come up with.”
5) A few of my own reflections on what the IGF might do, after the meeting.
– We should recognize that there are various modes of grappling with problems, and of governance, related to the Internet (and yes, I do believe in some degree in Internet exceptionalism in certain contexts, that the laws of gravity still apply but that problems have different and distinctive contours than their real-world counterparts do, prompting thought around different types of governance that might be appropriate):
– Sometimes, the sovereign state, or a collected group of states, carry out governance (for good and for ill). This is the zone of governance that Tim Wu and Jack Goldsmith cover in Who Controls the Internet?;
– Sometimes, it’s something that users can do a lot to work out, and should do to work out first, with a back-stop of the states and involvement of companies (ISPs, e.g.) (this was what I had in mind for my own part in a co-authored paper, the Accountable Net);
– But there is also something very intriguing of democratic institutions that seek to bridge the public and the private to work on problems together. Part of the function could be the collection and aggregation of comments, employment of an ombudsman, and provision of a feedback loop.
To me that’s the wonder and the intriguing challenge of a “new institutional approach” here:
– How do you clarify the themes, prioritize the conversations, and join the hard issues (not forgetting history, or the broader construct of these issues, but also aware of where Internet is different)?
– How do you invite, manage, and make participation meaningful, when someone not representing a state seeks to participate? (Capture the energy that went into WSIS, rather than let it dissipate, says Mary Rundle.)
– And how do you link this process, with appropriately managed expectations, to making the world a better place? To figure out the answer to that question strikes me as the way to take the IGF from a garden-variety “success” and to turn it into an outstanding success.
(Want to know more about the issues that the IGF could take up? Check out NetDialogue, and help us to keep the conversation about these issues informed and lively.)
John Bracken at Media SITREP says “we are liberated but in the dark.” It’s a fun post: he admits that “our interactive media world isn’t all peaches and cream,” reviews a forthcoming book, and cites the policy proposals of a candidate for AG of New York State. Impressive range.
A few days ago, at StopBadware.org, we released a report on AOL 9.0, the free software on offer from one of the giants of the Internet industry.
The back-story on this matter is that we wrestled hard with the right way to release this report. We followed our research process rigorously, following tips and leads from dozens of users who submitted reports to us via StopBadware.org about AOL 9.0, and found that the application didn’t meet our guidelines on multiple fronts. (And yes, we have tested the apps of other big, mainstream tech companies; we are not just “picking on” AOL.) We tested AOL 9.0 many, many times; we shared the draft with a number of trusted advisors and with AOL itself; and we are confident that the results of our testing are accurate. But we also didn’t want to mislead users into thinking that AOL is malicious, when we plainly think they are not.
As I’ve said in every interview I’ve done on this topic, AOL does not belong in the company of the most malicious of spyware and malware providers. No question about it, AOL has been a leader for the past several years in working to fight spyware, whether through its involvement in the Anti-Spyware Coalition that Ari Schwartz of CDT runs or any number of other initiatives overseen by Jules Polonetsky. On his blog, AOL Vice-Chairman Ted Leonsis, the senior executive who has been with the company the longest, wrote, “No company on the Internet has done more to protect users from the dangers of spyware and adware.” That strong statement may or may not be true, but it is certainly the case that AOL has been on the side of the angels in this matter in many ways and on many occasions. It’s important that the nuance is captured, by putting this report in a newly-created category of “open inquiries” on our reports page, rather than issuing a final statement, especially while the company is working to improve the application and says it intends to meet the standards set in the guidelines we’ve published. I admire many people who work at AOL, including one of my oldest friends, from high school. And it’s essential that we make clear that AOL has stepped up to the plate to make changes, many of which they say are already in the works, destined for a new release next month.
Even good companies can release bad applications. Our concern related to AOL 9.0 is primarily about disclosure. The report lists our specific concerns, which I won’t repeat here.
Set aside AOL and our “open inquiry” for a moment, and consider the problem in a broader, abstract construct. If an ordinary computer user goes to a website and decides to accept the offer of a free software download:
1) Does the user have a good chance of knowing — more or less — what will happen to their computer when she clicks “I agree”?
2) Will the user know what’s running in the background after that download, and where she got it from?
3) And once the user decides she no longer wishes to have these services running on their computer, will she be able to get them completely off the computer?
What I wanted to recount here is not our process before issuing the report, but rather just my personal experience trying this application at home — just one user’s view, setting aside all the guidelines and formality of StopBadware. If you doubt our findings, I urge you to try it.
The day before we issued our report, (to be clear, the real testing was in a pristine testing lab environment, many times over), I went home and turned on an ordinary computer. It’s a few years old, a Dell, quite nice when I bought it and generally in great shape, but not exactly humming along on the latest dual-core processors. It is on a fast broadband connection, wired, from Comcast, in the Boston area. I get a good throughput on it.
I went to aol.com and I found the free application, available for download from this page. (On the same page, you are also offered a version that comes with access services, for $9.95 per month, which I did not test.) Then you arrive at this page. You are asked to put personal information, nothing too revealing, into a form. But nowhere on this page can you access what AOL is going to do with your personal information — such as a privacy policy — nor a statement of what you’ll get installed on your computer if you do the download. (Update: if you hit the page from outside, rather than from within the sign-up process, I see that they now have a link to the privacy policy in the footer of this page. The privacy policy link seems curiously still absent if you are within the process — you have to try it, but I have a screencapture — taken after a cleared cache and so forth.)
OK, so, I make the leap of faith and I enter in my (correct) personal information, including name, address, phone, e-mail, and birthday. I come to another page asking me to choose a screen name. I choose the screen-name I had when I got my first private, commercial e-mail address, which was in fact the same one, with AOL. It was still available. Then you get another page, asking me to agree to the Terms of Service, and, also incorporated by reference, consent to the Privacy Policy. Are you forced to scroll through either of them before you click? Nope. Are you told “look in here to find out exactly what you’re downloading”? Nope.
(Pause here for a few other notes, of interest probably only to lawyers. One line in the relevant AOL privacy policy is the ominous statement, a stand-alone paragraph: “Your AOL Member information may be supplemented with additional information, including publicly-available information and information from other companies.” Good to know, but does this mean Choicepoint, or something else? What will my info be supplemented with? How does that relate to all the mail AOL has sent over the years? But one wonders also whether the user has in fact affirmed their consent, as a legal matter, by this means of “agreeing” to the Terms of Service and the Privacy Policy. Consider the line of shrinkwrap, browsewrap and clickwrap cases, including the venerable ProCD, but also Specht v. Netscape Communications Corp., 150 F. Supp. 2d 585 (S.D.N.Y. 2001) and Rudder v. Microsoft, 1999 Carswell Ont. 3195 (Ont. Super. Ct.). A quick, though a bit dated, overview of the cases appears here. AOL surely knows all about this, given the Williams case (Williams v. America Online, Inc. 2001 Mass. Super. LEXIS 11, 43 U.C.C. Rep. Serv. 2d (Callaghan) 1101 (Mass. Super. Ct. Feb. 8, 2001)), in which a court found that there were issues related to whether users had in fact assented. I’m not positive, but there’s certainly a possibility that another judge might say that the user did not actually assent by virtue of this form of establishing “agreement,” since the user is not required to scroll through or otherwise clearly presented with all the relevant terms, other than via mutiple hypertext links. In any event, while simple for users, this process of assent is probably not a best-practice for an interface to ensure that the user knows what they’re getting in for, especially novice Internet users. Maybe no issue here, I suppose, but the caselaw doesn’t seem to answer my question fully. I expect AOL has had wonderful counsel on this score, and that it’s been fully vetted, but I guess I’m still not sure from my own analysis and reading of the caselaw. Some clever e-commerce lawyers, like Ronald Mann and Jane Winn, who wrote the casebook on this topic, might well have some insights here.)
So, lawyerly musings about the intricacies of Remote Contracting aside, I consent by typing in the captcha letters. Then, you get to the screen where they offer you the download itself — one, big bundle, apparently. The sign-up is super-easy, but I’m none the wiser, unless I followed an intricate series of links and tabs, about what’s about to happen to my computer. Even if you do follow all the threads, as we found, you have to get into the Privacy Policy to find some of the apps to download — and even then, we couldn’t find a list of everything that we eventually downloaded. (Perhaps AOL is right and in fact users tend to look to a Privacy Policy to find out what apps are in the bundle, if they do in fact look for such information; that just doesn’t happen to square with my own instincts, but they no doubt have more data on this score than I do.)
I set to downloading the application. It took a while, despite the speed of the connection and the relative power of the computer — perhaps a sure sign that lots was going on. During this time, my screen filled with various statements about security software and so forth that I was getting, and noting that for-pay upgrades would be available to make the services better. At no point did I have the chance to see a full list of what was arriving onto my computer, nor a chance to “uncheck” the boxes so as to say that, no, I didn’t actually need more than one new media player, for instance. The process took maybe 15 minutes or so. After a reboot, I checked out what had happened.
AOL gave me a lot of stuff. This would not come as a surprise to anyone who has downloaded an application suite from AOL before, I suppose. And no doubt other leading Internet firms do the same thing. Several icons appeared on my desktop and in the tray along the bottom of my Windows 98 (yeah, I know, I said it was old) screen. A new search bar appeared in a second layer of the tray along the bottom, branded clearly as AOL. As soon as I tried to go online, I found myself back in 1998 — in AOL’s garden. The experience wasn’t terrible, to be sure — nothing malicious that I could find, to be sure — but not for me. I admit: I’m not likely AOL’s target customer anymore, even if I was in the 1990s. I decide I want to uninstall the whole thing.
I go to add/remove programs, because I know to do that. I suppose most users at this point do, thanks to the computing industry’s standardization around this method, at least in the Windows environment. The process of getting rid of the applications, even the ones that do uninstall, was for me exactly as described here. Let’s just say it took forever. A much longer time than it took to get it installed, by a wide margin.
All in all, let’s assume AOL fixed the pop-up that didn’t have an “x” to close it (floating for days on our test machine, vaguely offering some form of upgrade related to connectivity services) and the .exes that didn’t fully uninstall (seems to have been done, and AOL says it has, and that they were never doing anything bad while they were there) and so forth, as we outline in our report. Let’s assume also that the disclosure is improved.
Would it then add up to Badware, if all of these programs were disclosed and the user could go through and take them all off? Nah. But still pretty annoying? You bet. And is the average user likely to go all the way through this process of informing themselves and then uninstalling all these programs, loads of reboots, etc.? Honestly, I don’t think so. But let’s be clear: this is not just an AOL problem — it’s instead an industry issue, one related to bundling of applications. Do users really want this level of simplicity? Maybe. But maybe users deserve more credit: maybe users really do want to take the easy route OR to be able to install a subset of those applications. Maybe it’s possible within AOL 9.0, but I sure couldn’t find it.
What I’ve been so surprised at, both before and since releasing the report, is what other people have said to us. My e-mail box has filled up with reports of people saying, “I’ve been waiting for someone to say this” or telling stories about how they’ve had similar experiences and have felt powerless to do anything about it. It’s not hard to hear what users are saying about AOL 9.0. Read what people are saying in the comments fields, say, of the many blogs, Slashdot postings, etc. who have covered this story. One user: “What that org. says about AOL is true. AOL 9.0 puts so much extra crap on your computer, doesn’t tell you about it, then tries to say it’s a vital part of the AOL program.” Another user told us, before we released the application: “I re-installed the newest software for AOL and it just keeps coming on and on whether I want it to or not. … I’ll NEVER put AOL on again! Warn people, this is something new.” The user comments, submitted to us directly or to the web before and after this report, tell a pretty clear story: at least some meaningful subset of users are not happy with what they’re getting.
Eric von Hippel is here at the Berkman Center today. He’s amazing — a professor at MIT’s Sloan School and champion of Democratizing Innovation. For the past three decades, he’s been talking about user-centric innovation. The Internet community is packed with people seeking to tell their story back to companies that offer services online. Sometimes users are cranks, for sure. But sometimes they speak very clearly and loudly and with their feet — and much of the time, as von Hippel and others have proved, a subset of these users are in fact the innovators. (This is a big Dave Winer theme, too.) One argument goes: AOL users are not the innovators. But I don’t believe this, not for a second. There are almost 20 million users, and no doubt these users have had a lot to say to AOL over time that has made its way into the many fine applications AOL has developed and offered as part of its services. This is an era of user-centered innovation, not just in Web 2.0, but in many many fields, as von Hippel has shown. Users of AOL 9.0’s free version are doing a whole lot of free reviewing out there and telling a story of their experiences across the web, some of which we’ve echoed on StopBadware.org. Eric von Hippel’s insight strikes me as relevant not just to AOL, but to all those offering bundles of applications for free downloads. Users have a lot to say, and some of it might help get to innovation, if the conversation is kept open. Put another way, instead of trying to make it more and more simple but also more and more closed, could AOL and others similarly situated instead make its application more “hackable”?
Jim has another must-read post in his series of thought-provoking mini-essays on the patent system, innovation, and the web 2.0 space.
A call to action: the security infrastructure for RSS is not where it needs to be for the mainstreaming of this technology to work and to be adequately protective of user privacy.
I was resetting my Bloglines account this morning, adding some new feeds, taking out some that I don’t read, and so forth. I searched on a friend’s web moniker (“Whirlycott”) to find whatever feeds he might be offering. Up popped a feed related to a web-based invoicing service he uses entitled (“[His Name] Invoices”) to which I could subscribe in Bloglines. I am not sure what it would have rendered — I did not subscribe! — but I thought it worth mentioning to him. It turns out he has been mad about this privacy problem for months. His initial post, worth reading and reviving as an issue of public discussion, is here.
I credit the fact that this may not be (just) a “Bloglines issue” but rather an “RSS industry” issue. But it’s a real problem if we are to continue to express ourselves via these citizen-generated media tools that offer RSS feeds, and moreso if we move into the promising realm of using RSS feeds to support other productivity-type tools. The privacy problems that already exist in cyberspace are enough to tackle; we need to get in front of an RSS privacy problem before it grows into yet widespread issue. After this morning’s experience, it’s clear to me it’s already a problem.
(Following the thread a bit, there’s another post in the series, including, some months ago, a note from someone appearing to be with Bloglines saying that they know it’s a serious problem. How can we fix it, gang? If it’s not a Bloglines-only issue and it’s a community issue, what has to get done?)
The Boston Herald‘s Kimberly Atkins is promising to take questions from citizens for the three candidates for the Democratic nomination for Governor of Massachusetts. So, if you have something you want to know about Tom Reilly, Deval Patrick, or Chris Gabrieli, please get in touch with her via her blog.
I just saw that my friend-since-childhood, Andrew Sanocki, has a fabulous new design-related site called DesignPublic.com. It’s a very hip place in cyberspace. I don’t know much about fashion or design but it seems very cool to me. They have a blog, too, called Hatch.
John Palfrey 
