The following article based on a keynote speech to the Chaos Computer Congress in Berlin, December 2011, and has been shortened for our purposes at YU Free Press. The full-length version can be found at http://boingboing.net/2012/01/10/lockdown.html.
General-purpose computers are astounding. They are so astounding that our society still struggles to come to grips with them, what they are for, how to accommodate them, and how to cope with them. This brings us back to something you might be sick of reading about: copyright. The shape of the copyright wars clues us into an upcoming fight over the destiny of the general-purpose computer itself. In the beginning, we had packaged software and we had Sneakernet. We had floppy disks in Ziplock bags sold like candy bars and magazines. They were eminently susceptible to duplication, were duplicated quickly, and widely, and this was to the great chagrin of people who made and sold software.
Enter Digital Rights Management in its most primitive forms. They introduced physical indicia, which the software checked for — deliberate damage, dongles, hidden sectors — and challenge-response protocols that required possession of large, unwieldy manuals that were difficult to copy. These failed for two reasons. First, they were commercially unpopular, because they reduced the usefulness of the software to the legitimate purchasers. Honest buyers resented the non-functionality of their backups, they hated the loss of scarce ports to the authentication dongles, and they chafed at the inconvenience of having to lug around large manuals when they wanted to run their software. Second, these did not stop pirates, who found it trivial to patch the software and bypass authentication. People who took the software without paying for it were untouched.
Typically, the way this happened is a programmer (in possession of technology and expertise of equivalent sophistication to the software vendor itself), would reverse-engineer the software and circulate cracked versions. While this sounds highly specialized, it really wasn’t. Figuring out what recalcitrant programs were doing and routing around media defects were core skills for computer programmers, especially in the era of fragile floppy disks and the rough-and-ready early days of software development. Anti-copying strategies only became more fraught as networks spread; once we had bulletin boards, online services, USENET newsgroups and mailing lists, the expertise of people who figured out how to defeat these authentication systems could be packaged up in software as little crack files. As network capacity increased, the cracked disk images or executables themselves could be spread on their own.
By 1996, it became clear to everyone in the halls of power that there was something important about to happen. We were about to have an information economy. They assumed it meant an economy where we bought and sold information. Information technology improves efficiency, so imagine the markets that an information economy would have! You could buy a book for a day, you could sell the rights to watch a movie for a Euro sell it for one price in one country, at another price in another, and so on. The fantasies of those days were like a boring science fiction adaptation of the Old Testament Book of Numbers, a tedious enumeration of every permutation of things people do with information — and what might be charged for each.
Unfortunately for them, none of this would be possible unless they could control how people use their computers and the files we transfer to them. After all, it was easy to talk about selling someone a tune to download to their MP3 player, but not so easy to talk about the right to move music from the player to another device. How could you stop that once you had given them the file? In order to do so, you needed to figure out how to stop computers from running certain programs and inspecting certain files and processes. For example, you could encrypt the file, and then require the user to run a program that only unlocked the file under certain circumstances.
But, as they say on the Internet, now you have two problems.
You must now also stop the user from saving the file while it’s unencrypted — which must happen eventually — and you must stop the user from figuring out where the unlocking program stores its keys, enabling them to permanently decrypt the media and ditch the player app entirely.
Now you have three problems: you must stop the users who figure out how to decrypt from sharing it with other users. Now you have four problems, because you must stop the users who figure out how to extract secrets from unlocking programs and tell other users how to do it too. And now you have five problems, because you must stop users who figure out how to extract these secrets from telling other users what the secrets were!
That’s a lot of problems. But by 1996, we had a solution. We had the ‘WIPO Copyright Treaty,’ passed by the United Nations World Intellectual Property Organization. This created laws that made it illegal to extract secrets from unlocking programs, and extracting media (such as songs and movies) from the unlocking programs while they were running. It created laws that made it illegal to tell people how to extract secrets from unlocking programs, and hosting copyrighted works or the secrets. It also established a handy streamlined process that let you remove stuff from the Internet without having to interact with lawyers, and judges. And with that, illegal copying ended forever; the information economy blossomed into a beautiful flower that brought prosperity to the whole wide world. As they say on the aircraft carriers, ‘Mission Accomplished.’
That’s not how the story ends, of course, because pretty much anyone who understood computers and networks understood that these laws would create more problems than they could possibly solve. In short, they made unrealistic demands on reality and reality did not oblige them. Copying only got easier following the passage of these laws — copying will only ever get easier. Right now is as hard as copying will get.
It is tempting to conclude that the problem is that lawmakers are either clueless or evil, or possibly evilly clueless. This is not a very satisfying place to go, because it is fundamentally a counsel of despair; it suggests that our problems cannot be solved for so long as stupidity and evilness are present in the halls of power. But I have another theory about what’s happened.
It is not that regulators do not understand information technology, because it should be possible to be a non-expert and still make a good law. MPs and Congressmen and so on are elected to represent districts and people, not disciplines and issues. We do not have a Member of Parliament for biochemistry, and we do not have a Senator from the great state of urban planning. Yet those people, who are experts in policy and politics, not technical disciplines, still manage to pass good rules that make sense. That is because government relies on heuristics: rules of thumb about how to balance expert input from different sides of an issue. Unfortunately, information technology confounds these heuristics — it kicks the crap out of them —in one important way.
The important tests of whether or not a regulation is fit for a purpose are first whether it will work, and second whether or not it will, in the course of doing its work, have effects on everything else. If I wanted Congress, Parliament, or the E.U. to regulate a wheel, it is unlikely I would succeed. If I turned up, pointed out that bank robbers always make their escape on wheeled vehicles, and asked, “Can’t we do something about this?” the answer would be “No.” We do not know how to make a wheel that is still generally useful for legitimate wheel applications, but useless to criminals. We can see that the general benefits of wheels are so profound that it would be foolish to risk changing them in an errand to stop bank robberies. Even if there were an epidemic of bank robberies — and society was on the verge of collapse thanks to bank robberies — no one would think that wheels were the right place to start solving our problems.
However, if I were to show up in that same body to say that I had absolute proof that hands-free phones were making cars dangerous, and I requested a law prohibiting hands-free phones in cars, the regulator might say “Yeah, I’d take your point, we’d do that.” We might disagree about whether or not this is a good idea, or whether or not my evidence made sense, but very few of us would say that once you take the hands-free phones out of the car, they stop being cars. We understand that cars remain cars even if we remove features from them.
This rule of thumb serves regulators well, by and large, but it is rendered null and void by the general-purpose computer and the general-purpose network — the PC and the Internet. If you think of computer software as a feature, a computer with spreadsheets running on it has a spreadsheet feature, and one that is running World of Warcraft has an MMORPG feature. The heuristic would lead you to think that a computer unable to run spreadsheets or games would be no more of an attack on computing than a ban on car-phones would be an attack on cars.
And, if you think of protocols and websites as features of the network saying, “fix the Internet so that it doesn’t run BitTorrent,” or “fix the Internet so that thepiratebay.org no longer resolves,” sounds a lot like “change the sound of busy signals,” or “take that pizzeria on the corner off the phone network” and not at all like an attack on the fundamental principles of internetworking.
The rule of thumb works for cars, for houses, and for every other substantial area of technological regulation. Not realizing that it fails for the Internet does not make you evil, and it does not make you an ignoramus. It makes you part of the vast majority of the world, for whom ideas like Turing completeness and end-to-end are meaningless.
So, our regulators go off, they blithely pass these laws, and they become part of the reality of our technological world. There are, suddenly, numbers that we are not allowed to write down on the Internet, programs we are not allowed to publish, and all it takes to make legitimate material disappear from the Internet is the mere accusation of copyright infringement. It fails to attain the goal of the regulation, because it does not stop people from violating copyright. It bears a kind of superficial resemblance to copyright enforcement — it satisfies the security syllogism: “something must be done, I am doing something, something has been done.” As a result, any failures that arise can be blamed on the idea that the regulation does not go far enough, rather than the idea that it was flawed from the outset.
Today we have marketing departments that say things such as “we don’t need computers, we need appliances. Make me a computer that does not run every program, just a program that does this specialized task, like streaming audio, or routing packets, or playing Xbox games, and make sure it does not run programs that I have not authorized that might undermine our profits.”
On the surface, this seems like a reasonable idea: a program that does one specialized task. After all, we can put an electric motor in a blender, we can install a motor in a dishwasher, and we do not worry if it is still possible to run a dishwashing program in a blender. What is problematic, is that we do not know how to build a general-purpose computer that is capable of running any program except for some program that we do not like, is prohibited by law, or which loses us money. The closest approximation that we have to this is a computer with spyware: a computer on which remote parties set policies without the computer user’s knowledge, or over the objection of the computer’s owner. Digital rights management always converges on malware.
In one famous incident — a gift to people who share this hypothesis — Sony loaded covert rootkit installers on 6 million audio CDs, which secretly executed programs that watched for attempts to read the sound files on CDs and terminated them. It also hid the rootkit’s existence by causing the computer operating system’s kernel to lie about which processes were running, and which files were present on the drive. That’s not the only example. Nintendo’s 3DS opportunistically updates its firmware, and does an integrity check to make sure that you have not altered the old firmware in any way. If it detects signs of tampering, it turns itself into a brick.
Human rights activists have raised alarms over U-EFI, the new PC bootloader, which restricts your computer so it only runs “signed” operating systems, noting that repressive governments will likely withhold signatures from operating systems unless they allow for covert surveillance operations. On the network side, attempts to make a network that cannot be used for copyright infringement always converge with the surveillance measures that we know from repressive governments. Consider SOPA, the U.S. ‘Stop Online Piracy Act,’ which bans innocuous tools such as DNSSec — a security suite that authenticates domain name information because, they might be used to defeat DNS blocking measures. It blocks Tor, an online anonymity tool sponsored by the U.S. Naval Research Laboratory and used by dissidents in oppressive regimes, because it can be used to circumvent IP blocking measures.
Canada’s Parliament did not vote on its copyright bills because, of all the things that Canada needs to do, fixing copyright ranks well below health emergencies on First Nations reservations, exploiting the oil patch in Alberta, interceding in sectarian resentments among French- and English-speakers, solving resources crises in the nation’s fisheries, and a thousand other issues. The triviality of copyright tells you that when other sectors of the economy start to evince concerns about the Internet and the PC, copyright will be revealed for a minor skirmish — not a war.
Why might other sectors come to nurse grudges against computers in the way the entertainment business already has? The world we live in today is made of computers. We do not have cars anymore; we have computers we ride in. A radio is no longer a crystal: it’s a general-purpose computer, running software.
Consider radio. Radio regulation until today was based on the idea that the properties of a radio are fixed at the time of manufacture, and cannot be easily altered. You cannot flip a switch on your baby monitor and interfere with other signals. But powerful software-defined radios (SDRs) can change from baby monitor to emergency services dispatcher or air traffic controller, just by loading and executing different software. This is why the Federal Communications Commission (FCC) considered what would happen when we put SDRs in the field, and asked for comment on whether it should mandate that all software-defined radios should be embedded in “trusted computing” machines. Ultimately, the question is whether every PC should be locked, so that central authorities could strictly regulate their programs.
Even this is a shadow of what is to come. After all, this was the year in which we saw the debut of open source shape files for converting AR-15 rifles to fully-automatic. This was the year of crowd-funded open-sourced hardware for genetic sequencing. It does not take a science fiction writer to understand why regulators might be nervous about the user-modifiable firmware on self-driving cars, or limiting interoperability for aviation controllers, or the kind of thing you could do with bio-scale assemblers and sequencers.
Regardless of whether you think these are real problems or hysterical fears, they are, nevertheless, the political currency of lobbies and interest groups far more influential than Hollywood and big content. Every one of them will arrive at the same place: “Can’t you just make us a general-purpose computer that runs all the programs, except the ones that scare and anger us? Can’t you just make us an Internet that transmits any message over any protocol between any two points, unless it upsets us?”
There will be programs that run on general-purpose computers, and peripherals, that will freak even me out. So I can believe that people who advocate for limiting general-purpose computers will find a receptive audience. But just as we saw with the copyright wars, banning certain instructions, protocols or messages will be wholly ineffective as a means of prevention and remedy. All attempts at controlling PCs will converge on rootkits, and all attempts at controlling the Internet will converge on surveillance and censorship. This stuff matters because we have spent the last decade sending our best players out to fight what we thought was the final boss at the end of the game, but it turns out it has just been an end-level guardian. The stakes are only going to get higher.
We haven’t lost yet, but we have to win the copyright war first if we want to keep the Internet and the PC free and open. Freedom in the future will require us to have the capacity to monitor our devices and set meaningful policies for them; to examine and terminate the software processes that run on them; and to maintain them as honest servants to our will, not as traitors and spies working for criminals, thugs, and control freaks.
Cory Doctorow is a science fiction author, activist, journalist, and blogger the co-editor of Boing Boing (boingboing.net) and the author of Tor Teens/HarperCollins UK novels like For the Win and the bestselling Little Brother. He is the former European director of the Electronic Frontier Foundation and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in London. Cory Doctorow is a proud York University dropout.