Apple's recent announcement of the iPhone application software development kit is drawing criticism from Net neutrality activists. While the company has previously angered many for its practice of bricking unlocked phones, it is now being accused of anticompetitive behavior.
Could Apple take Comcast's place as the poster child for the Save The Internet movement? Furthermore, by blocking competing Web browser Firefox, could Apple draw Microsoft-like antitrust lawsuits?
Control
Thursday, Apple released its eagerly awaited iPhone software development kit. Putting an end to hopes of user choice, Apple has declared that the only way for users to install applications will be through its App Store via the iPhone or iTunes. If the company doesn't like an application, it will be removed from the store, with no other way for a user to install it.
In a Q and A session with reporters, CEO Steve Jobs was asked if voice applications such as Skype will be permitted. Jobs replied by saying that VoIP (voice over Internet Protocol) will be allowed when the iPhone is using a WiFi connection, but forbidden over AT&T's cellular data network. How this will be enforced remains unclear. At the very least, Apple can blacklist from iTunes any application that doesn't play nice over AT&T's network.
In addition to the anti-VoIP rules, Apple seems to have also set its sights on the Firefox Web browser. Deep in the legal agreement for developers, Apple states:
"No interpreted code may be downloaded and used in an Application except for code that is interpreted and run by Apple's Published APIs and builtin interpreter(s)...An Application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise."
As a member of the Firefox development team has already noted, this is a big deal.
Both the Firefox and Opera Web browsers, which compete with Apple's pre-installed Safari browser, are forbidden as they support hundreds of user-created add-ons. Furthermore, the Web browsers support JavaScript, which is a key component of most Web 2.0 content. JavaScript is an interpreted programming language, and thus forbidden as per Apple's terms of service.
Also banned from the iPhone: programming languages Ruby, Python, Perl, and Java. Quake, the video game engine ported to practically every platform (including Google's Android), as well as Microsoft's Word, Excel, and .NET are also persona non grata.
Sun announced last week that it is readying a version of Java for the iPhone. Once the restrictive iPhone license was pointed out, Eric Klein, the vice president of Java marketing at Sun, backpedaled somewhat on his own personal blog, writing that "I'll leave those (legal) questions to another forum, but we really do want to deliver a JVM if at all possible." This alone should make for an interesting fight, as Sun is no stranger to filing antitrust complaints.
Net neutrality complaints
Apple's blocking of Skype and other voice applications raises the same Net neutrality issues as Comcast's blocking of BitTorrent. Critics have argued that Comcast does this because the P2P video apps compete with the cable giant's own video programming.
Apple is now engaging in a similar practice, blocking any VoIP application that competes with the voice services offered by AT&T--the company with which Apple signed an exclusive five-year contract.
The company will be unable to borrow Comcast's line, and claim that the restriction is "reasonable network management." After all, watching a couple YouTube videos eats up far more data than a VoIP call.
This is not the first time that a company has attempted to block VoIP traffic to protect its own business model. Madison River Communications, a North Carolina ISP, was fined and forced to change its behavior by the FCC when it started blocking VoIP providers like Vonage in 2005.
Paging Congressman Markey
Apple's sexy iPhone has attracted the attention of those in power before. Congressman Ed Markey (D-Mass.) held up an iPhone during a congressional hearing last year, before he sharply criticized the practice of locking such devices to a specific carrier's network.
Just a couple weeks ago, Markey introduced the Wireless Consumer Protection and Community Broadband Empowerment Act of 2008, which would require wireless carriers to sell unlocked phones without contracts for reasonable prices. In introducing the bill, Markey clearly had the iPhone in mind.
Markey's other well-publicized cause is Net neutrality. The congressman spoke at the Comcast/BitTorrent FCC hearing just a couple weeks ago. He has previously held hearings on the subject, and introduced legislation in February to stop ISP data favoritism.
With Apple's recent adoption of Comcast-style filtering, Markey can combine two of his passions: wireless phone rules and Net neutrality regulation.
Antitrust
Microsoft's bundling of Internet Explorer back in the late '90s led to major antitrust lawsuits brought by the Department of Justice and 20 different states. While consumers were free to install Netscape and other competing browsers, it was the preferential treatment of its own browser that led to legal problems for Microsoft.
Apple is now engaged in an even more egregious practice. It bundles the Safari browser with its iPhone, it makes it impossible for consumers to remove the browser, and the company now forbids competing companies from making their browsers available to the millions of iPhone users. Firefox has over 40 percent market share in some European countries, but it is forbidden from making a version for the iPhone platform.
If Apple doesn't rapidly backtrack on its anti-Firefox and VoIP rules, I predict that it will soon be looking at investigations from multiple government agencies, both here in the U.S. and EU. The FCC and Congress will most likely look into the Net neutrality complaints, while the European antitrust regulators will probably take a keen interest in the Firefox issues. This would, of course, not be the first time that the Europeans have investigated Apple's iTunes store for dirty tricks.
Disclosure: I worked for Apple as a summer intern in 2005. While I love Markey's positions on Net Neutrality, he did publicly call for my arrest back in 2006. He changed his mind two days later.
In this interview, Mozilla's technology strategist Mike Shaver responds to and rejects recent claims that Firefox and Google are getting a bit too close for comfort. Mozilla is independent, he says, with or without Google's $56 million.
I received a fair bit of criticism for a blog post that I wrote last week describing what I believe is the extremely close relationship between Google and Mozilla. Mozilla's PR people complained, Firefox developers left critical comments in the blog post itself, and I received a number of e-mails from upset individuals. All had concerns with the claims and the general tone of my blog post. In order to try and clear things up, I had a chat with Mike Shaver, the technology strategist for Mozilla (the for-profit company holding the rights and purse strings for Firefox).
In my blog post last week, I stated that "in addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser."
Mike disagreed, stating that "absent a surprising error on my part, there are no Google employees paid to work on Firefox at this time." Clarifying further, he said that "we don't see significant code contributions at this time from Google." He did, however, acknowledge that Google engineers had made significant contributions to the browser in the past, stating that "there was a time when a large number of Google developers were working on Firefox." As examples of this, he cited the built-in spell-check system, the crash reporting system, and database code.
Another Mozilla employee and Firefox developer, Stephen Donner, further clarified the situation in an e-mail by stating, "the only Google employees who currently work on anything related to Firefox would be Tony Chang, an employee on their security application team, who works on the anti-phishing stuff, but mostly in the form of reviewing our employees' code."
On the issue of Google developers and the Firefox code base, I stand corrected.
"Making a perfectly secure browser is trivial," Mike joked. This could be done, he said, by "stopping [the browser] from showing anything on the Web." The difficulty, he argued, was in creating a browser that is both usable and secure. "If [the browser] is not usable, and users have to sacrifice productivity, they won't use it at all." Finding the balance between something that millions of people will use, yet which is secure, is a constant struggle, he said.
In my recent article, I cited complaints by security researcher Robert Hansen about Google's unwillingness to fix its own vulnerabilities, and the interesting situation this created, given that Google also creates, maintains, and distributes the antiphishing blacklists used by Firefox.
Speaking on the subject of the phishing blacklist, Mike stressed that "the quality of that list is of paramount importance." He also said that it was vital, both for users and for the strategic health of Firefox, that the source of the blacklist could be easily changed. On this subject, he said that "it is important that people can switch the provider. We (Mozilla) maintain the flexibility to switch if we discover that there are problems with a blacklist. We evaluate this all the time." He was careful to add that "none of the financial ties (between Google and Firefox) relate to the antiphishing blacklist" or Mozilla's choice in the provider of the blacklist data.
On the subject of the browser using multiple blacklists at once (in order to stop any one company having too much power), Mike said that "we would be open to the idea." He was careful to note, however, that "blacklists are expensive" and that most high-quality sources of phishing data cost money, due to the manpower required to keep them updated. One of the key factors in Mozilla's decision to use Google's blacklist, he said, was the fact that Google is not charging for it. Mike also revealed that unlike the phishing blacklist, which Google maintains and updates, the new antimalware blacklist that the upcoming Firefox 3.0 will be using will come from stopbadware.org, a project led by Harvard University and Oxford University. Google will still provide the infrastructure for distributing this list to the 120 million-plus Firefox users, but the company will not have editorial control over this blacklist.
Update: Mike later informed me that he was wrong, and that the anti-malware list will come from Google. The search giant will maintain editorial control over the list, just as it currently does for the anti-phishing blacklist. For more on this, see recent blog posts by Mike, and one by the folks at stopbadware.org.
Regarding the specifics of Robert Hansen's claims, Mike drew a careful line between hosted phishing Web sites and "legitimate" Web sites that were vulnerable to Cross Site Scripting (XSS) attacks. "We do not expect to put XSS sites in the phishing database," he stated. The main reason for this, he argued, was the risk of confusion to users attempting to initiate a legitimate session to vulnerable Web sites, as compared with users following an XSS link to the same site. "False positives lead to user loss of trust in the feature," he was careful to say. Once users lose trust in the antiphishing blacklist, they either start ignoring the warnings, or turn off the features. At least for now, Mike said, it is "premature to block XSS domains, regardless of where the content is hosted."
Firefox is currently vulnerable to a number of history sniffing attacks, which can allow an attacker to learn which Web sites a user has visited in the past. This can be used by criminals to build phishing sites tailored to the bank that a victim uses. An example of this attack can be seen by viewing the Browser Recon project, created by my colleagues at Indiana University. The vulnerability that these attacks take advantage of has been known to the Firefox developers for some time. A bug report and accompanying lengthy conversation between developers and security researchers in the Mozilla bug database goes back to 2002. A partial fix to some of these attacks has been available in the form of two Firefox extensions, made by Stanford University security researchers in 2005.
Speaking on the subject of history sniffing attacks, and the need for a fix, Mike said that "it is certainly something that we want to remedy." He cited the difficulty of finding a fix that closed off all methods of attack while still providing users with the ability to utilize key features of browser history tracking. The main reason the attacks were still possible, he said, was that there were simply higher priority attacks that developers had to spend their time on.
On the subject of Firefox extensions, Mike had good news on the security front for the upcoming 3.0 version of the browser. In June of this year, I announced a vulnerability in the upgrade process used by many big name (Google, Yahoo, Facebook) browser extensions. Starting in Firefox 3.0, the browser will refuse to install extensions that are not served via a secure upgrade path. This can either be via a secure Web server (https://), or using digital signatures. This only really affects commercial extension authors, as the vast majority of open-source extensions are hosted by Mozilla, and have been secure out-of-the-box for quite some time.
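An added example, not code from the original post or from Mozilla: a Python check that reads an extension's install manifest and reports whether its declared update channel meets the rule described above (https, a digital signature, or Mozilla hosting). The `install.rdf` property names `em:updateURL` and `em:updateKey` are not mentioned in the post and are assumed here from Mozilla's add-on manifest format; the sample manifests and the key value are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def _em_property(description, name):
    """Return an em: property whether it is written as a child element or an attribute."""
    child = description.find(f"{{{EM_NS}}}{name}")
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    value = description.get(f"{{{EM_NS}}}{name}")
    return value.strip() if value and value.strip() else None


def _install_manifest(root):
    """Locate the Description node that describes the add-on itself."""
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF_NS}}}about")
        if about == "urn:mozilla:install-manifest":
            return desc
    raise ValueError("no urn:mozilla:install-manifest description found")


def classify_update_path(manifest_xml):
    """Return (verdict, reason) for the update channel declared in an install.rdf."""
    # For manifests from untrusted sources, use a hardened XML parser instead.
    desc = _install_manifest(ET.fromstring(manifest_xml))
    update_url = _em_property(desc, "updateURL")
    update_key = _em_property(desc, "updateKey")

    if update_url is None:
        # No vendor-run update server: the add-on relies on Mozilla's hosting.
        return ("secure", "no custom update URL, updates come from Mozilla's hosted service")
    if urlparse(update_url).scheme.lower() == "https":
        return ("secure", "update manifest is fetched over https")
    if update_key:
        return ("secure", "update manifest is verified with a digital signature")
    return ("insecure", f"update manifest is fetched from {update_url} with no signature")


def _sample(extra):
    """Build a constructed install.rdf; 'extra' holds the update-related properties."""
    return (
        '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
        '<Description about="urn:mozilla:install-manifest">'
        "<em:id>toolbar@vendor.example</em:id><em:version>1.0</em:version>"
        f"{extra}</Description></RDF>"
    )


# Constructed manifests covering each case named in the paragraph above.
HTTP_URL = "<em:updateURL>http://updates.vendor.example/update.rdf</em:updateURL>"
SAMPLES = {
    "hosted by Mozilla": _sample(""),
    "plain http, unsigned": _sample(HTTP_URL),
    "https": _sample(HTTP_URL.replace("http://", "https://")),
    "plain http, signed": _sample(
        HTTP_URL + "<em:updateKey>CONSTRUCTED-PLACEHOLDER-KEY</em:updateKey>"
    ),
}

if __name__ == "__main__":
    for label, manifest in SAMPLES.items():
        verdict, reason = classify_update_path(manifest)
        print(f"{label:22} {verdict:9} {reason}")
```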
Finally, Mike spoke on the subject of the widely popular AdBlock Plus extension, and the reason it had not been merged into the mainline Firefox browser. "Rolling something into the mainstream trunk means that it needs to be suitable for all of our users." Citing past experiences, he said that "When we have integrated extensions in the past, it has taken a lot of work to get it to the point where it was appropriate for the kind of people who do not install extensions." One of the key factors for AdBlock Plus, he said, was the extension's heavy use of resources. The oft-repeated claim of "'too much memory use' is a big concern for us, and so we are hesitant to pull in a huge piece of functionality. Especially for 120 million users."
He was also careful to contrast AdBlock Plus with the pop-up blocker already included with the browser. The pop-up blocker is content neutral, in that it neutralizes all pop-ups, be they from commercial entities, or an individual home page. He is very wary, he said, of any technology that targets the specific content of Web sites (such as commercial images), as opposed to merely an annoying delivery mechanism. He summed up Mozilla's position on the issue by stating, "neutrality and being agnostic to the field of use are tenets of open-source values. It is important, as we (Firefox) have a tremendously powerful position. We take that very seriously, to protect integrity of the user experience and of the Web."
Update: This blog post was edited after receiving complaints from a number of Mozilla employees. For a list of the edits, go to the bottom of the post.
The Firefox browser may not be as independent as previously thought. Mozilla essentially owns Firefox, and it proved so when it flexed its muscles last year in forcing Debian to rename its browser IceWeasel.
However, the open secret in the tech sector is that at the end of the day, Google calls the shots. As this blog post will explain, when a pro-user security feature in the browser threatens Google's business model, it is the feature that is made to compromise--not the search engine.
First, a few highlights of the Firefox-Google relationship.
Fact: $56 million of the $66 million that Mozilla made in 2006 came from Google. The vast majority of this was due to the fact that Google is the default search engine for queries entered into the Firefox search bar.
While Apple also gets a nice chunk of change from Google for the search bar in its Safari browser, Apple has enough other sources of revenue that it can easily walk away from Google's cash.
Fact: Users who enter keywords or misspelled URLs into the Firefox 2.0 location bar will essentially be running a Google "I'm Feeling Lucky" search. That is, they will be taken to the first result for a Google search query for those terms.
Fact: In addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser.
Fact: Two key features of the Google Toolbar for Firefox were rolled into the Firefox 2.0 browser and are turned on by default: Google Browse By Name and Google Safe Browsing for Firefox (now the Phishing Protection feature in Firefox 2.0). These two features, while useful, are more than just the application of a useful patch. They result in millions of Firefox browsers regularly polling Google servers for core information.
Fact: The Google Anti-Phishing relationship will be expanded in Firefox 3.0. While Google currently is the default provider of a blacklist of known phishing sites to the browser, this will be enhanced to include a blacklist of sites that serve up malicious software.
Fact: Google pays AdSense publishers (Web site owners) $1 for each new user who installs Firefox + Google Toolbar as a result of a referral link from one of their pages.
The fact that Google wants to encourage a standards-compliant alternative to Internet Explorer is logical, and it makes good business sense for the company. The company's very ability to make money depends upon users being able to access its various Web-based applications. If Microsoft controlled 90 percent of the browser market, and it could "accidentally" break Google's Web sites with a software update, the search giant would be in serious trouble.
Of course, from the perspective of limiting the chance of government regulation, antitrust actions and any controversy over the company's acquisitions (such as with DoubleClick), there are some serious strategic advantages to being able to say Firefox is controlled by a bunch of open-source developers--and that it is not taking its orders from the Googleplex.
The close relationship between Google and Mozilla leads to a number of serious conflicts of interest. The end result is that users' online privacy and security take a backseat to the protection of Google's revenue streams. I will now explore two particularly chilling examples of this conflict of interest.
Ad blocking
The AdBlock Plus Firefox extension is getting to be extremely popular. It has been featured in The New York Times, and it is regularly included in various "top 10" lists of Firefox extensions on major blogs and other popular Web sites. For those of you who have not yet tried it out, AdBlock Plus (and its essential sidekick, the Filterset G Updater) completely revolutionizes the Web-browsing experience. After surfing without ads for the last few years, having to use a public computer without AdBlock Plus is a frustrating, distracting, and unpleasant experience.
While AdBlock Plus is fantastic at getting rid of most banner ads, it doesn't do the best job of targeting Google's text-based advertisements. This is where another immensely useful extension, CustomizeGoogle, comes in handy.
In addition to blocking Google's text ads (on all Web sites, including Google Web properties such as Gmail and Google Calendar), the extension also protects user privacy. With CustomizeGoogle installed, the search engine's tracking "cookies" are not accepted. This means that users cannot be tracked across multiple sessions. They can deny the search engine knowledge of which links a user clicks on from the results page of a search.
Given the cavalier attitude that the company has to user privacy (tracking users via cookies, unless the user leaves a two-year gap between visits to a Google Web property), CustomizeGoogle is one of the few ways that users can take proactive steps to protect their own privacy online.
This begs the question: why doesn't Firefox adopt the features of AdBlock Plus and CustomizeGoogle? While the terms of Google's contract with Mozilla are not public, even if Mozilla were contractually free to include anti-Google-tracking features, it would not be a wise move, business-wise. After all, it is not too smart to anger the company that provides more than 85 percent of your financing.
This is all conjecture, of course, but why else would the Firefox team not roll in the features of two extensions that are widely popular and that do so much to protect users from annoying advertisements and creepy privacy intrusions online?
Phishing Toolbars
There is a normal cycle when a new phishing site is created. It works something like this:
- A new phishing site is created, and e-mail pointing to it is sent to thousands of people.
- Someone tips off Google, which adds it to the phishing blacklist.
- Millions of Firefox browsers download the latest blacklist from Google.
- Users who click on e-mails, taking them to the phishing site, receive a clear warning from Firefox, telling them that the site is malicious.
However, what happens when the phishing site is hosted by Google?
This very issue was discussed by noted Web application security expert Robert "RSnake" Hansen in August. RSnake discovered a cross-site scripting (XSS) flaw in Google's gmodules.com Web site. The security flaw, which has yet to be fixed, was dismissed by the Google security team, which claimed that it was, in fact, an intended design feature.
RSnake described the significance of the vulnerability, stating that the exploit would allow someone "to take over other people's Web sites when they embedded the erroneous third-party code. Kinda nasty. Unlikely, but nasty. More likely, it would simply be in phishing sites that didn't want their sites taken down, but wanted Google's to be taken down instead."
This brings us to a really interesting dilemma. Google has a well-known flaw in one of its Web sites that can be (ab)used by phishers and malicious hackers. Google refuses to fix the flaw, as it believes that it is not a problem. Google also operates the Firefox phishing blacklist. Will Google add one of its own domains to the phishing blacklist? Of course not!
RSnake, who worked in the antiphishing blacklist area for some time, makes several claims. On his blog, he wrote that "the browser companies have to maintain a list of sites that aren't phishing sites but often get flagged as phishing sites. Google happens to host a lot of those.
In reality, Google is being used to phish consumers or redirect them to phishing sites, but Google doesn't really fix this problem. Instead, it tells the browser companies to whitelist its sites, regardless of the fact that consumers are losing their identities as a direct result of Google's actions in two ways: 1) because it has not ended the vulnerability and 2) because of its insistence in being marked as a 'good' site."
Essentially, what he claims is that with Google's rather menacing legal department, no other competing antiphishing company will dare to include a Google-owned domain on a blacklist. In addition, Google's domains get included on a whitelist shipped with antiphishing software, which is a list of domains that will never cause warnings.
RSnake further claims that in addition to intimidating the other firms in the market, Google refuses to include its own Web properties in the Firefox phishing blacklist, which it maintains.
While RSnake does nothing to hide his lack of love for the big G, his reputation in the Web application security arena is top-notch. Furthermore, in the two months since RSnake first made his concerns public, no one from Google has publicly disputed anything he has said.
With Google providing the blacklists for the new antimalware features in Firefox 3.0, we should all be asking: Can we trust Google? To paraphrase the old phrase, who will blacklist the blacklisters? With control of hundreds of millions of Firefox browsers, what incentive does Google have to keep its own Web properties free of phishing sites?
A number of edits were made to this blog post on the evening of November 1, 2007, to reflect feedback received from Mozilla Corp employees.
The following edits were made:
Original: "This includes Ben Goodger, the lead developer for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many resources at the browser."
Now: "This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser."
The following text was removed from the introductory paragraph: "When the Big G wants some technology in Firefox, a patch gets applied." - Several Google developed features (including Safe Browsing/Phishing Protection) are now in the mainstream browser, however, this sentence could be read in many ways, and so it seemed best to remove it.
This paragraph was removed "Fact: While Mozilla's contract with Google ends next year, it is highly unlikely that Mozilla will shift to another search engine, even if paid more. The simple reason for this is that lots of users like the Google search experience. If Firefox switched, say, for example, to MSN Live Search, many users would be up in arms. Thus, while Mozilla can keep taking Google's money, it can't realistically switch the default search engine to any other Web site." - I erred in placing this in the "Fact" section, when in fact it should have been noted as a conjecture. In any case, it has been removed completely.
Do you consider yourself to be a privacy aware Internet user? Are you concerned about your security online?
You've installed antivirus and spyware software, which you also keep updated. You regularly update your operating system for any security patches. You have a firewall on your home computer and have locked down your home wireless network with a WPA2 password. Most importantly, you've ditched Internet Explorer and jumped on the Firefox bandwagon.
Your job is done, right? Think again.
While installing Firefox (and not using IE) is one of the most important steps users can take towards a safe online experience, Firefox is (alas) not totally safe out of the box. Luckily, Firefox provides a very flexible framework for open-source programmers and commercial vendors to create their own software add-ons for the browser. A number of these software extensions fix critical design flaws in Firefox--or simply improve transparency so that users have a better idea of where they are and which sites they're interacting with. I've selected a few of the best ones, which I highlight below.
The New York Times recently covered the already over-hyped dispute between Danny Carlton, an obscure Web site designer, and the makers of the popular Adblock Plus Firefox browser extension.
Adblock Plus is something akin to a TiVo for Web-browsing. Users who install the extension will find that their Web experience is radically changed--in that the vast majority of graphical Web advertisements will no longer be displayed within the Web-pages that they visit.
For those of you with short memories, it's worth noting that before TiVo was the only major game in town, there used to be another TV advertisement skipping technology. ReplayTV was vastly superior to the TiVo, in that it completely skipped commercials, instead of permitting users to fast-forward. Following a tactic similar to that used by the major media companies (who had previously gone after Napster and the VCR), the TV networks essentially sued ReplayTV out of existence. The moral of the story: companies that have built their business models on advertising revenue do not take kindly to others who permit customers to skip those advertisements.
With that little walk down memory lane over, let us focus on the issue at hand--Web advertisement skipping technology. Essentially, it boils down to this: Web site designers depend upon advertising revenue to pay their bandwidth bills as well as to pay for the staff time that goes into making a successful site. Users do not particularly want to see advertisements, but except in a few cases where advertisements are extremely annoying, will for the most part put up with the ads in order to view the Web content that they are seeking.
There is a pretty big difference between the TV and Web site business models. A broadcast TV network, by and large, has fixed costs, no matter how many customers actually tune into the show. The same amount of electricity will flow to the TV transmitter, and the satellites above will still beam down the same number of 1s and 0s. Internet content is different, as each person's computer makes an individual connection to the remote server hosting whatever Web content the user is seeking. Each time users visit a Web site, the server consumes bandwidth to send the content of the Web page back to the user--and that bandwidth costs money.
Thus, every time someone uses advertisement-blocking software to avoid the graphical ads embedded within a Web site, they are denying the Web site operator revenue that would otherwise have gone to pay for the bandwidth that is consumed during that browsing session. While it could be said that TiVo users are freeloading from the broadcast networks, users of Web advertising skipping technology are far closer to theft than they are to freeloading. This is not a clearly defined issue, but there are a significant number of moral issues at play.
Which now brings us to the technical issues involved in this particular story...