Congratulations!

This is a valid Atom 1.0 feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: http://www.mnot.net/blog/index.atom

  1. <?xml version="1.0" encoding="utf-8"?>
  2. <feed xmlns="http://www.w3.org/2005/Atom">
  3.  <title>mark nottingham</title>
  4.  <link rel="alternate" type="text/html" href="https://www.mnot.net/blog/" />
  5.  <link rel="self" type="application/atom+xml" href="https://www.mnot.net/blog/index.atom" />
  6.  <id>tag:www.mnot.net,2010-11-11:/blog//1</id>
  7.  <updated>2025-09-23T05:28:46Z</updated>
  8.  <subtitle></subtitle>
  9.  
  10.  <entry>
  11.    <title>Bridging the Gap Between Standards and Policy</title>
  12.    <link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/09/20/configuration" />
  13.    <id>https://www.mnot.net/blog/2025/09/20/configuration</id>
  14.    <updated>2025-09-20T00:00:00Z</updated>
  15.    <author>
  16.        <name>Mark Nottingham</name>
  17.        <uri>https://www.mnot.net/personal/</uri>
  18.    </author>
  19.    <summary>Achieving policymakers&apos; goals in coordination with Internet standards activity can be difficult. This post explores some of the options and considerations involved.</summary>
  20.    
  21. <category term="Tech Regulation" />
  22.    
  23. <category term="Standards" />
  24.    
  25. <category term="Web and Internet" />
  26.    
  27.    <content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/09/20/configuration">
  28.    <![CDATA[<p>Internet standards bodies like the IETF and W3C are places where experts can come to agreement about the details of how technology should work. These communities have the deep experience that allows them to guide the evolution of the Internet towards common goals.</p>
  29.  
  30. <p>Policymakers have none of that technical expertise, but are the legitimate source of policy decisions in any functioning society. They don’t have the means to develop new technical proposals: while most countries have a national standard body, their products are a poor fit for a global Internet, and those bodies generally lack specific expertise.</p>
  31.  
  32. <p>So, it might seem logical for policymakers to turn to Internet standards bodies to develop the technical solutions for their policy goals, trusting the open process and community involvement to produce a good solution. Unfortunately, doing so can create problems that will cause such efforts to fail.</p>
  33.  
  34. <h3 id="whats-the-problem">What’s the Problem?</h3>
  35.  
  36. <p>A few different issues often become apparent when policymakers pre-emptively specify a standard.</p>
  37.  
  38. <p>First, as discussed previously, the <a href="https://www.mnot.net/blog/2024/03/13/voluntary">voluntary nature of Internet standards</a> acts as a proving function for them: if implementers don’t implement or users don’t use, the standard doesn’t matter. If a legal mandate to use a particular standard precedes that proof of viability, it distorts the incentives for participation in the process, because the power relationships between participants have changed – it’s no longer voluntary for the targets of the regulation, and the tone of the effort shifts from being <a href="https://www.mnot.net/blog/2024/07/16/collaborative_standards">collaborative</a> to competitive.</p>
  39.  
  40. <p>Second, Internet standards are created by <a href="https://www.mnot.net/blog/2024/05/24/consensus">consensus</a>. That approach to decision making is productive when there is reasonable alignment between participants’ motives, but it’s not well suited to handling fundamental conflicts about societal values. That’s because while technical experts might be good at weighing technical arguments and generally adhering to widely agreed-to principles (whether they be regarding Internet architecture or human rights), it’s much more difficult for them to adjudicate direct conflict between values outside their areas of expertise. In these circumstances, the outcome is often simply a lack of consensus.</p>
  41.  
  42. <p>Third, jurisdictions often have differences in their policy goals, but the Internet is global, and so are its standards bodies, who want the Internet to be interoperable regardless of borders. If policy goals aren’t widely shared and aligned between countries, it becomes even more difficult to come to consensus.</p>
  43.  
  44. <p>Fourth, making decisions with societal impact in a technical expert body raises fundamental legitimacy issues. That’s not to say that Internet standards can’t or shouldn’t (or don’t) change society in significant ways, but that’s done from the position of private actors coordinating to achieve a common goal through well-understood processes, within the practical boundaries of the commonalities of the applicable legal frameworks. It’s entirely different for a contentious policy decision to be delegated by policymakers to a non-representative technical body.</p>
  45.  
  46. <p>So, what’s a policymaker to do?</p>
  47.  
  48. <h3 id="patience-is-a-virtue">Patience is a Virtue</h3>
  49.  
  50. <p>One widely repeated recommendation for policymakers is to avoid specifying the work or even a venue for it in regulation or legislation until <em>after</em> it’s been created and its viability is proven by some amount of market adoption. Instead, the policymaker should just hint that an industry standard that serves a particular policy goal would be useful.</p>
  51.  
  52. <p>However, this approach comes with a few caveats:</p>
  53. <ul>
  54.  <li>A set of proponents that drives the standards work has to emerge, and they need to be at least somewhat aligned with the policy goal</li>
  55.  <li>Consensus-based technical standards are slow, so policymakers have to have realistic expectations about the timeline</li>
  56.  <li>If the targets of the regulation don’t participate in the standards process, they may be able to reasonably claim that what results can’t be implemented by them</li>
  57. </ul>
  58.  
  59. <p>These issues aren’t impossible to address: they just require good communication, alignment of incentives, management of expectations, and careful diligence.</p>
  60.  
  61. <h3 id="add-a-configuration-layer">Add a Configuration Layer</h3>
  62.  
  63. <p>Even if the policymaker waits for the outcome of the standards process, it’s rare for the policy decisions to be cleanly separable from the technology that needed to be created. Choices need to be made about how the technology is used and how it maps to the policy goals of a specific jurisdiction.</p>
  64.  
  65. <p>One intriguing way to manage that gap is to span it with a new entity – one that creates neither technical specifications nor policy goals, but instead is explicitly constituted to define how to meet the stated policy goals using already available technology. That leaves policy formation in the hands of policymakers and technical design in the hands of technologists.</p>
  66.  
  67. <p>In technology terms, this is a configuration layer: clearly and cleanly separating the concerns of how the technology is designed from how it is used. It still requires the technology to exist and have the appropriate configuration “interfaces”, but promises to take a large part of the policy pressure off of the standards process.</p>
  68.  
  69. <p>An example of this approach is just being started by the European Commission now. At IETF 123, they explained a proposal for a <a href="https://www.iepg.org/2025-07-20-ietf123/slides-123-iepg-sessa-multi-stakeholder-forum-on-internet-standards-deployment-00.pdf">Multi-stakeholder Forum on Internet Standards Deployment</a> that fills the gap between the definition of Internet security mechanisms and the policy intent of making European networks more secure. Policymakers have no desire to refer to specific RFCs in legislation, and Internet technologists don’t want to define regulatory requirements for Europe, so the idea is that this third entity will make those decisions without defining new technology <em>or</em> policy intent.</p>
  70.  
  71. <p>Getting this right requires the new forum to be constituted in a particular way. It has to be constrained by the policymaker’s intent, and can’t define new technology. That means that the technology has to be amenable to configuration – the relevant options need to be available. The logical host for the discussion is a venue controlled by the policymaker, but it needs to be open to broad participation (including online and asynchronous participation) so that the relevant experts can participate. Transparency will be key, and I suspect that the decision making policy will be critical to get right – ideally something close to a consensus model, but the policymaker may need to reserve the right to overrule objections or handle appeals.</p>
  72.  
  73. <p>Needless to say, I’m excited to see how this forum will work out. If successful, it’s a pattern that could be useful elsewhere.</p>]]>
  74.    </content>
  75.  </entry>
  76.  
  77.  <entry>
  78.    <title>Using AI to Evaluate Internet Standards</title>
  79.    <link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/06/04/using_ai" />
  80.    <id>https://www.mnot.net/blog/2025/06/04/using_ai</id>
  81.    <updated>2025-06-04T00:00:00Z</updated>
  82.    <author>
  83.        <name>Mark Nottingham</name>
  84.        <uri>https://www.mnot.net/personal/</uri>
  85.    </author>
  86.    <summary>Is AI a useful option for policymakers who want to evaluate open standards? Let&apos;s take a look.</summary>
  87.    
  88. <category term="Standards" />
  89.    
  90. <category term="Web and Internet" />
  91.    
  92.    <content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/06/04/using_ai">
  93.    <![CDATA[<p class="intro">One of the reasons I’m writing the <a href="/blog/series/internet-standards/">Nature of Internet Standards</a> series is to give policymakers tools that help them to understand and evaluate open standards efforts. A big part of that is understanding whether a specification (and the effort that led to it) is really a reflection of open deliberation, consensus processes, appropriate governance, and various other hallmarks of open standards.</p>
  94.  
  95. <p>Evaluating these factors requires a fair amount of context and nuance. What’s the most 2025 way to avoid that work? Using AI, of course.</p>
  96.  
  97. <p>Some colleagues were using AI to ask similar questions, and that inspired me to wonder whether it would be a useful option for policymakers who want to evaluate the openness of Internet standards. Let’s find out.</p>
  98.  
  99. <h2 id="the-privacy-sandbox">The Privacy Sandbox</h2>
  100.  
  101. <p>Our first experiment is an effort that I’m fairly familiar with, having engaged with it both professionally and <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3891335">academically</a> – Google’s Privacy Sandbox. How will AI portray this longstanding and very politicised effort?</p>
  102.  
  103. <h3 id="prompt">Prompt</h3>
  104.  
  105. <p>I started by asking ChatGPT’s “deep research” mode:</p>
  106.  
  107. <blockquote>
  108.  <p>Is the Privacy Sandbox developed in an open standards process? Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>
  109. </blockquote>
  110.  
  111. <p>It asked for a few clarifications:</p>
  112.  
  113. <blockquote>
  114.  <p>To give you the most accurate and up-to-date analysis, could you clarify a few things:</p>
  115.  
  116.  <ol>
  117.    <li>Are you primarily interested in the Privacy Sandbox on the web (i.e., as developed by Chrome and the W3C), or are you also considering the Android Privacy Sandbox?</li>
  118.    <li>Do you want a comparison to established open standards processes (e.g., W3C, IETF), or just an evaluation of the Privacy Sandbox initiatives on their own merits?</li>
  119.    <li>Are you looking for an overview of industry support (browsers, advertisers, publishers, etc.) and real-world implementation as part of your evaluation of adoption?</li>
  120.  </ol>
  121.  
  122.  <p>This will help me tailor the research more precisely.</p>
  123. </blockquote>
  124.  
  125. <p>To which I replied:</p>
  126.  
  127. <blockquote>
  128.  <p>Just on the Web. A comparison to open standards processes would be good. I don’t need an overview of support and implementation, but the results should take these factors into account.</p>
  129. </blockquote>
  130.  
  131. <h3 id="response">Response</h3>
  132.  
  133. <p>After churning through data (and pushing the boundaries of copyright) for a couple of minutes, ChatGPT came up with <a href="https://chatgpt.com/s/dr_68252c4763a08191b9339f52d244060e">this voluminous report</a>. However, the heart of its response is concise and fairly damning:</p>
  134.  
  135. <blockquote>
  136.  <p>In summary, the Privacy Sandbox has been developed in semi-open forums (W3C community groups, public repos, Google blogs) and invites outside input, but it is not a widely supported multi-vendor standard yet. Only Google’s Chrome (and related browsers) implements the APIs, and other browser vendors have developed their own approaches. The process resembles an open-source Google project more than a classic consensus-driven SDO. As Mozilla and others have noted, standards bodies like the W3C and IETF are the “ideal forum” to vet such proposals with full stakeholder oversight. At present, Privacy Sandbox’s governance does not fully align with those open standards processes – it provides considerable transparency and documentation, but its development and adoption remain largely controlled by Google.</p>
  137. </blockquote>
  138.  
  139. <p>That’s not far off. W3C Community Groups aren’t standards processes; in fact, they’re little more than mailing lists where the proponents get to set almost all of the rules. ChatGPT could have made this more clear, but instead uses lots of hedging phrases like “more than” and “fully align”.</p>
  140.  
  141. <p>Since the full report mentioned the chair of the Business Group that also discussed the Privacy Sandbox, <a href="http://wendy.seltzer.org">Wendy Seltzer</a>, I asked what she thought. Her response:</p>
  142.  
  143. <blockquote>
  144.  <p>It’s fascinating to follow the sources here, because the Wikipedia article appears to have gotten its last substantive updates in 2024, and is mostly focused on older material ([which is] sometimes wrong). A human researcher would recognize that as not the best authority for recent news. A better human researcher would also ask “is this the question you want to ask, since the non-deprecation of third party cookies has changed the landscape around all these initiatives?”</p>
  145.  
  146.  <p>That illuminates a broader issue of missing context. The answer starts from the premise that “Privacy Sandbox” is something that could be developed in an open standards process, rather than parsing the question, is PS more than the set of APIs and proposals that might fit into standards processes? How do open standards fit into the overall strategy? The GPT report can work for you, an expert in the field who can fill in those aspects, but it could be misleading to someone without the same background.</p>
  147.  
  148.  <p>Some of the sentences quoted from other sources seem off without the context of those sources, e.g. “In January 2020 Google invited ad-tech companies to join the W3C’s Improving Web Advertising Business Group (IWABG) to discuss and give feedback on Privacy Sandbox ideas” reads as implying that Google was the only one doing the inviting.</p>
  149. </blockquote>
  150.  
  151. <h2 id="quic">QUIC</h2>
  152.  
  153. <p>Next, let’s try another effort that I’m familiar with: QUIC, the effort to define a new, performance and security-focused transport protocol. I chaired the <a href="https://quicwg.org/">QUIC Working Group</a> (along with Lars Eggert) from its inception until it shipped its core deliverables.</p>
  154.  
  155. <h3 id="prompt-1">Prompt</h3>
  156.  
  157. <p>I asked ChatGPT’s “deep research” mode a similar question for QUIC:</p>
  158.  
  159. <blockquote>
  160.  <p>Is QUIC developed in an open standards process? Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>
  161. </blockquote>
  162.  
  163. <p>and once again, it asked for a similar clarification:</p>
  164.  
  165. <blockquote>
  166.  <p>To best address your question about QUIC, could you please clarify what aspect you’re most interested in?</p>
  167.  
  168.  <ul>
  169.    <li>Are you focused more on the technical development and governance process (e.g., how open the standardization process is)?</li>
  170.    <li>Or are you more interested in its current implementation and adoption across the industry?</li>
  171.    <li>Should I compare it to other protocols or standards in terms of openness and adoption?</li>
  172.  </ul>
  173.  
  174.  <p>Let me know so I can tailor the research accordingly.</p>
  175. </blockquote>
  176.  
  177. <p>I responded:</p>
  178.  
  179. <blockquote>
  180.  <p>Focus on how open the standardisation process was, but consider implementation and adoption in your answer. A comparison with other relevant standards would be helpful.</p>
  181. </blockquote>
  182.  
  183. <h3 id="response-1">Response</h3>
  184.  
  185. <p>Here’s the <a href="https://chatgpt.com/share/68253995-9f5c-8009-9dae-405a071aed61">full report</a>. The summary is positively glowing:</p>
  186.  
  187. <blockquote>
  188.  <p>In conclusion, QUIC’s standardization has been as open and transparent as any recent IETF protocol. It was developed in the open IETF process, adhering to OpenStand and WTO/TBT ideals of consensus, transparency, and voluntary adoption. Its final RFCs affirm community consensus, and the IETF infrastructure provided public visibility into every stage. This openness is mirrored by QUIC’s broad support: independent implementers from Google, Mozilla, Apple, Cloudflare, Facebook, and beyond have all deployed QUIC. The resulting ecosystem – with multiple browsers, CDNs, servers and apps supporting QUIC – reinforces that it is a truly open standard, not controlled by any single vendor. By contrast, older protocols like HTTP/2 and TCP underwent similar open processes (IETF consensus, public RFCs) and likewise enjoy ubiquitous implementation. Together, the history and adoption of QUIC demonstrate an effective, open standardization process in line with global best practices.</p>
  189. </blockquote>
  190.  
  191. <p>First of all, I love the reference to the “WTO/TBT ideals of consensus, transparency, and voluntary adoption.”</p>
  192.  
  193. <p>But is it accurate? Sort of. The facts here are correct: those companies did participate in the effort, implemented it, and deployed it. The process was open (as can be seen in the minutes and other materials).</p>
  194.  
  195. <p>I don’t know, however, how it justifies its statements about the quality of consensus – as I’ve written before, <a href="/blog/2024/05/24/consensus">consensus can go wrong in a variety of ways</a>. Others have <a href="https://journals.sagepub.com/doi/full/10.1177/14614448251336438">characterised</a> QUIC’s development as having Google firmly in the “driving seat.” Having been there for the whole standards process, I disagree with that assessment, but I’d at least expect academic work like that to be acknowledged.</p>
  196.  
  197. <h2 id="is-ai-useful-for-assessing-open-standards">Is AI Useful for Assessing Open Standards?</h2>
  198.  
  199. <p>I can’t count the number of times that I’ve seen policymakers, journalists, and community members refer to the Privacy Sandbox as “at the W3C” or “being standardised at the W3C.” Given that extremely low bar, ChatGPT’s summary is an improvement. Likewise, I largely agree with its assessment of QUIC, at a high level.</p>
  200.  
  201. <p>What’s lacking here, however, is any kind of nuance. I can’t escape the feeling that it latches onto a few narratives that appear in source materials and augments them into well-worn clichés, like we see for QUIC. The IETF has a great reputation in many sources, so that gets amplified, but there’s a lack of any critical thought.</p>
  202.  
  203. <p>That’s not surprising: AI can’t think. If it could, it might wonder about the criteria we’re using for “open standards” here – are those WTO/TBT ideals still relevant, and are they adequately described? Are the processes actually used in working groups lining up with the rhetoric of openness – and how would you find out if they didn’t? And, how much should all of that count if the result isn’t <a href="https://www.mnot.net/blog/2024/03/13/voluntary">proven by market adoption</a>?</p>
  204.  
  205. <p>In a nutshell: if you must use AI to assess the openness of a standard, only use it for the first pass, check all of the references, and then roll up your sleeves and start talking to people to get the real story.</p>]]>
  206.    </content>
  207.  </entry>
  208.  
  209.  <entry>
  210.    <title>Apple’s Best Option: Decentralize iCloud</title>
  211.    <link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/02/09/decentralize-icloud" />
  212.    <id>https://www.mnot.net/blog/2025/02/09/decentralize-icloud</id>
  213.    <updated>2025-02-09T00:00:00Z</updated>
  214.    <author>
  215.        <name>Mark Nottingham</name>
  216.        <uri>https://www.mnot.net/personal/</uri>
  217.    </author>
  218.    <summary>What can Apple do in the face of a UK order to weaken encryption worldwide? Decentralize iCloud, to start.</summary>
  219.    
  220. <category term="Tech Regulation" />
  221.    
  222. <category term="Web and Internet" />
  223.    
  224.    <content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/02/09/decentralize-icloud">
  225.    <![CDATA[<p class="intro">As has been <a href="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/">widely reported</a>, the government of the United Kingdom has secretly ordered Apple to build a back door into iCloud to allow ‘blanket capability to view fully encrypted material.’</p>
  226.  
  227. <p>Assuming the UK doesn’t back down, what are Apple’s options? This is my personal take: if I’ve missed something, I’d love to hear about it.</p>
  228.  
  229. <h3 id="option-1-comply">Option 1: Comply</h3>
  230.  
  231. <p>Most companies would just comply with the order, but Apple is not most companies.</p>
  232.  
  233. <p>That’s not just because they have <a href="https://www.apple.com/privacy/">marketed themselves as privacy and security conscious</a>, although that presumably factors into their decision. From what I’ve seen from interacting with their engineers and observing how they behave (both in technical standards bodies and in their products), this is a commitment that goes much deeper than just marketing.</p>
  234.  
  235. <p>More significantly, Apple will be considering the secondary and tertiary consequences of compliance. So far, every democratic country around the world has refrained from making such an order; for example, Australia’s <a href="https://www.mnot.net/blog/2018/11/15/trust_australia">widely debated</a> legislation that mirrors the UK “Snooper’s Charter” has an explicit provision to disallow “systemic weakening” of encryption like we see here.</p>
  236.  
  237. <p>If the UK successfully forces Apple’s hand, every other government in the world is likely to take notice and consider making similar (or even more extreme) demands. <a href="https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/">CSAM scanning</a> will just be the start: once access to that much data is available, it’s open season for everything from <a href="https://en.wikipedia.org/wiki/Lèse-majesté_in_Thailand">Lèse-majesté</a> to punishing activists and protesters to policing sexual orientation, abortion, and other socially motivated laws. Even if a particular country doesn’t make the same demand of Apple, arrangements like Five Eyes will allow one agency to peer over another’s shoulders.</p>
  238.  
  239. <p>As I’ve written before, <a href="https://www.mnot.net/blog/2024/04/29/power">no one should have that much power</a>.</p>
  240.  
  241. <p>In the tinderbox that politics has become in many parts of the world, this is gasoline. I’d pay good money to be a fly on the wall in the meetings taking place with the <a href="https://www.gov.uk/government/organisations/foreign-commonwealth-development-office">Foreign Service</a>, because they of all people should understand the potential global impact of a move like this. Of course, in a world where USAID is shut down by Elon Musk and some teenagers, nothing is off the table – and that’s why we should be so concerned about this outcome.</p>
  242.  
  243. <h3 id="option-2-leave">Option 2: Leave</h3>
  244.  
  245. <p>Apple’s second option is to leave the UK. Full stop.</p>
  246.  
  247. <p>Close the Apple stores, online and retail. Stop providing iCloud, stop selling iPhones and all the other various i-gear. Close the <a href="https://www.businessinsider.com/apple-uk-headquarters-14-billion-redevelopment-battersea-power-station-2016-10">beautiful new UK HQ at Battersea</a>, and lay off (or transfer overseas) around 8,000 employees (reportedly).</p>
  248.  
  249. <p>This is (obviously) the nuclear option. It puts Apple outside the jurisdiction of the UK,<sup id="fnref:1"><a href="#fn:1" class="footnote" rel="footnote" role="doc-noteref">1</a></sup> and at the same time orphans every UK Apple user – their phones and computers don’t quite become bricks, but they will definitely have limited utility and lifetime.</p>
  250.  
  251. <p>Given that along with Apple’s claim to <a href="https://www.standard.co.uk/business/apple-s-spectacular-offices-at-battersea-power-station-b1110130.html">support 550,000 UK jobs</a>, it’s likely to be effective – these consequences would make the government extremely unpopular overnight.</p>
  252.  
  253. <p>However, this option is also massively expensive: reportedly, total Apple revenue in the UK is <a href="https://www.retailgazette.co.uk/blog/2023/07/apple-uk-sales/">something like £1.5bn</a>. Add on top the one-time shutting down costs, and even Apple’s balance sheet will notice.</p>
  254.  
  255. <p>Perhaps more importantly, this is also a strategically worrisome direction to go in, because it plays into the narrative that Big Tech is more powerful than sovereign nations. Other countries will take notice, and may coordinate to overcome Apple’s reticence. Apple will now have to choose the markets that it operates in based on how it feels about those countries’ commitments to human rights on an ongoing basis – hardly a situation that any CEO wants to be in.</p>
  256.  
  257. <p>Finally, this option simply won’t work if one of those countries is the United States, Apple’s home. I’ll leave it to you, dear reader, to decide how much you trust your predictions of its actions.</p>
  258.  
  259. <h3 id="option-3-open-up">Option 3: Open Up</h3>
  260.  
  261. <p>Apple’s third option is to remove itself as a target in a more subtle way than option two.</p>
  262.  
  263. <p>The UK is presumably interested in Apple providing this functionality because iCloud’s design makes a massive amount of data convenient to access in one location: Apple’s servers. If that data is instead spread across servers operated by many different parties, it becomes less available.</p>
  264.  
  265. <p>In effect, this is the <strong>decentralize iCloud</strong> option. Apple would open up its implementation of iCloud so that third-party and self-hosted providers could be used for the same functions. They would need to create interfaces to allow switching, publish some specifications and maybe some test suites, and make sure that there weren’t any intellectual property impediments to implementation.</p>
  266.  
  267. <p>There could be some impact on Apple revenue here, but I suspect it’s not huge; many people would continue to buy iCloud for convenience, and for non-storage features that Apple bundles in <a href="https://www.apple.com/icloud/">iCloud+</a>.</p>
  268.  
  269. <p>Think of it this way: Apple provides e-mail service with iCloud, but doesn’t require you to use it: you can use your own or a third party provider without any drama, because they use common protocols and formats. Why should file sync be any different? Why can’t Apple make using a third-party service as seamless and functional as iCloud?</p>
  270.  
  271. <p>This isn’t a perfect option. Orders could still force weakened encryption, but now they’d have to target many different parties (depending on the details of implementation and deployment), and they’d have to get access to the stored data. If you choose a provider in another jurisdiction, that makes doing so more difficult, depending on what legal arrangements are in place between those jurisdictions; if you self-host, they’ll need to get physical access to your disks.</p>
  272.  
  273. <h3 id="what-will-and-should-apple-do">What Will (and Should) Apple Do?</h3>
  274.  
  275. <p>Computer operating systems are fundamental to security: once we lose trust in them, it’s pretty much game over. The UK has chosen a risky and brash path forward, and Apple will need to think carefully about how to navigate it.</p>
  276.  
  277. <p>It should be no surprise that I favour option three. While Apple is notoriously a closed company, it’s not completely averse to collaborating and working in the open when doing so is in its interests – and, given its other options, that’s arguably the case here.</p>
  278.  
  279. <p>Conceivably, Apple might even be forced into taking the “decentralize iCloud” option if regulators like those implementing the Digital Markets Act in the EU decide that doing so is necessary for competition. Apple has been <a href="https://ec.europa.eu/competition/digital_markets_act/cases/202344/DMA_100025_228.pdf">designated as a gatekeeper</a> for the ‘core platform service’ provided by iOS, and while that designation currently doesn’t include file synchronisation services, that might change.</p>
  280.  
  281. <p>Of course, the UK government may back down. However, the barrier to some other government taking similar steps is now smaller, and Apple would do well to consider its longer term options even if action turns out to be unnecessary right now.</p>
  282.  
  283. <p><em>Thanks to <a href="https://eupolicy.social/@1br0wn">Ian Brown</a> for his input to this article.</em></p>
  284.  
  285. <div class="footnotes" role="doc-endnotes">
  286.  <ol>
  287.    <li id="fn:1">
  288.      <p>Presumably. Both inter-jurisdictional coordination and extraterritorial application of the law may complicate that. IANAL. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p>
  289.    </li>
  290.  </ol>
  291. </div>]]>
  292.    </content>
  293.  </entry>
  294.  
  295.  <entry>
  296.    <title>Platform Advantages: Not Just Network Effects</title>
  297.    <link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2024/11/29/platforms" />
  298.    <id>https://www.mnot.net/blog/2024/11/29/platforms</id>
  299.    <updated>2024-11-29T00:00:00Z</updated>
  300.    <author>
  301.        <name>Mark Nottingham</name>
  302.        <uri>https://www.mnot.net/personal/</uri>
  303.    </author>
  304.    <summary>A new book explores an intriguing idea: that there are core processes in some platforms that naturally tilt the table towards being implemented in a single company.</summary>
  305.    
  306. <category term="Tech Regulation" />
  307.    
  308. <category term="Web and Internet" />
  309.    
  310.    <content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2024/11/29/platforms">
  311.    <![CDATA[<p class="intro">Over the past few years, there’s been growing legal and academic interest in <em>platforms</em> — their functioning, potential harms, and advantages over competitors.</p>
  312.  
  313. <p>On that last question, most of the literature that I’ve seen has focused on factors like network effects and access to data. However, a forthcoming book by <a href="https://www.hbs.edu/faculty/Pages/profile.aspx?facId=6417">Carliss Baldwin</a> proposes some significant additional – and structural – advantages that accrue to those who control them. <em><a href="https://mitpressbookstore.mit.edu/book/9780262049337">Design Rules Volume 2: How Technology Shapes Organizations</a></em><sup id="fnref:1"><a href="#fn:1" class="footnote" rel="footnote" role="doc-noteref">1</a></sup>
  314. builds on Volume One (which I <a href="https://www.mnot.net/blog/2024/05/10/design-rules-vol-one">wrote about earlier</a>) with a goal to ‘build and defend a general theory explaining how technologies affect the structure and evolution of organizations that implement the technologies.’</p>
  315.  
  316. <p>Baldwin argues that “whether a technology will generate the most value through single, unified corporations, through platform-based business ecosystems, or through open source projects depends on the balance of <em>complementarity</em> within the technical system.” Let’s unpack that (in my words, with apologies for any misinterpretation of her work).</p>
  317.  
  318. <h3 id="modularity">Modularity</h3>
  319. <p>Imagine a technical system, such as a service provided across the Internet, that comprises numerous components. This is a common occurrence because, as mentioned in Volume One, we manage complexity through modularity. We break down tasks into smaller units that can be distributed among many individuals, preventing any single person from having to comprehend the entire system’s intricacies.</p>
  320.  
  321. <p>These components can have various degrees of <em>coupling</em> – i.e., interdependency. While we always strive for <em>loose</em> coupling, which allows for easy modification or replacement of components without affecting others, it’s not always feasible to avoid <em>tight</em> coupling when there are close dependencies.</p>
  322.  
  323. <h3 id="coupling-and-governance">Coupling and Governance</h3>
  324. <p>Baldwin points out that systems with many tightly coupled functions are better situated in a single company due to the ease of managing these relationships within the hierarchical and closely related environment of a modern corporation. Conversely, she suggests that those with very loosely coupled functions are more appropriate for implementation across multiple entities because this arrangement enables the generation of greater overall value.</p>
  325.  
  326. <p>In the middle lies a “Goldilocks zone,” where some amount of coordination is necessary, but there’s still a benefit to distributing functions amongst many actors. These conditions allow formation of a <em>business ecosystem</em> – a set of “independent organizations and individuals engaged in complementary activities and investments.” As Baldwin points out:</p>
  327.  
  328. <blockquote>
  329.  <p>Ecosystems rely on <em>distributed governance</em>, meaning that each member has the right to make certain decisions according to his or her own interests and perceptions. In place of direct authority, coordination of an ecosystem requires <em>negotiation</em> among members with different priorities and interests.</p>
  330. </blockquote>
  331.  
  332. <h3 id="platforms">Platforms</h3>
  333. <p>There are many examples of such distributed governance schemes, including Open Source and Open Standards. However, it’s hard to ignore the dominance of <em>platforms</em> in the current landscape, which she defines as ‘a technological means of coordinating design, production, and exchange within modular architectures.’ Platforms aren’t so much distributed governance schemes as they are centralised control points (or even <a href="https://www.rfc-editor.org/rfc/rfc9518.html">choke points</a>).</p>
  334.  
  335. <p>She then goes on to break down a typology of platforms, with particular focus on <em>transaction platforms</em>, like eBay, Amazon, and Chrono24 – and <em>communication platforms</em>, such as Facebook, Bluesky, and X.</p>
  336.  
  337. <p>Here’s where things get really interesting. Baldwin argues that certain <em>core processes</em> which are essential to implement these types of platforms are bound to be tightly coupled, thereby heavily tilting the table towards implementation by a single company:</p>
  338.  
  339. <blockquote>
  340.  <p>The need for tight integration of core processes is the first reason for-profit corporations subject to unified governance have replaced organizations subject to distributed governance in almost all digital exchange platforms. Traditional exchange processes did not require the same high degree of synchronization as algorithmic processes.</p>
  341. </blockquote>
  342.  
  343. <p>In transaction platforms, she identifies <em>search and ad placement</em>, <em>dynamic pricing</em>, and <em>data analysis and prediction</em> as processes that must occur within milliseconds to provide a satisfactory user experience. For communication platforms, the relevant core services are <em>search and ad placement</em>, <em>ad selection</em>, <em>dynamic pricing of an ad</em>, and (again) <em>data analysis and prediction</em>.</p>
  344.  
  345. <h3 id="what-this-means-for-the-internet">What this means for the Internet</h3>
  346. <p>Yes, search is more difficult on a federated platform like Mastodon, but it’s possible if you relax the need for immediate updates – as it can be if you <a href="https://berjon.com/fixing-search/#how-does-search-work-">rework the relationships in that arena</a>. When you get past that, it’s also hard not to notice that these core processes are mostly advertising-related.</p>
  347.  
  348. <p>And that’s crucial. These companies have stepped in to solve coordination problems (“How do we communicate around the globe? How do we do transactions with people we haven’t met?”) by creating platforms that fully exploit their centralization. They are supported by real-time advertising systems because the table is tilted towards that outcome, and building a real-time advertising-supported ecosystem with distributed governance is <em>hard</em>.<sup id="fnref:2"><a href="#fn:2" class="footnote" rel="footnote" role="doc-noteref">2</a></sup></p>
  349.  
  350. <p>Much of that friction goes away if you relax the constraint of being advertising-supported, or even remove the real-time requirement from advertising (e.g., by using contextual advertising). However, you still have a coordination problem, and because real-time advertising is the most lucrative way to monetise a centralized position, decentralizing these systems means big companies won’t be nearly as interested in these outcomes.</p>
  351.  
  352. <p>The history of the Internet is illustrative here. We had RSS and Atom feeds, but there wasn’t a business model in that: however, there was in ‘news feeds’ on Facebook. We had open messaging protocols like XMPP, but they were supplanted by proprietary chat platforms that wanted to lock their users in and monetise them. Meanwhile, e-mail is being slowly swallowed by GMail and a few others as we helplessly watch.</p>
  353.  
  354. <p>In short: <strong>there are less-recognised structural forces that push key Internet services into centralized, real-time advertising-supported platforms</strong>. Along with factors like network effects and access to data, they explain some of why the Internet landscape looks like it does.</p>
  355.  
  356. <p>Decentralized alternatives must overcome those forces where they can’t be avoided. They also need to be developed and supported, and to compete with those centralised platforms, they will need to be well-funded. To go back to the RSS/Atom example, there is a <a href="https://www.mnot.net/blog/2024/08/25/feeds">lot of work that could improve that ecosystem</a>, but no one has a strong incentive to do so.</p>
  357.  
  358. <p>In these conditions, ‘build it and they will come’ is insufficient; simply creating Internet standards and Open Source software won’t solve the coordination challenges. Most current Internet companies lack the incentive to fund such efforts since they’re unlikely to accommodate real-time advertising.</p>
  359.  
  360. <p>Who might? My thoughts turn to the various discussions surrounding <a href="https://www.undp.org/digital/digital-public-infrastructure">Digital Public Infrastructure</a>. Exploring how to make that viable is a crucial (and important) topic that I’ll leave for another day.</p>
  361.  
  362. <p>This is just one aspect of <em>Design Rules Volume 2</em>; there’s much more to discover in this excellent book. I’ve been enthusiastically recommending it to anyone who takes the time to listen.</p>
  363.  
  364. <p><em>Thanks to <a href="https://berjon.com/">Robin Berjon</a> for reviewing this article.</em></p>
  365.  
  366. <div class="footnotes" role="doc-endnotes">
  367.  <ol>
  368.    <li id="fn:1">
  369.      <p>To be published on 24 December. Many thanks to Professor Baldwin for an early copy. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p>
  370.    </li>
  371.    <li id="fn:2">
  372.      <p>Again, not necessarily impossible; for example, look at what Mozilla et al are doing in the <a href="https://patcg.github.io">Private Advertising Technology</a> effort. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p>
  373.    </li>
  374.  </ol>
  375. </div>]]>
  376.    </content>
  377.  </entry>
  378.  
  379.  <entry>
  380.    <title>On Opting Out of Copyright</title>
  381.    <link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2024/09/18/opt-out" />
  382.    <id>https://www.mnot.net/blog/2024/09/18/opt-out</id>
  383.    <updated>2024-09-18T00:00:00Z</updated>
  384.    <author>
  385.        <name>Mark Nottingham</name>
  386.        <uri>https://www.mnot.net/personal/</uri>
  387.    </author>
  388.    <summary>The EU AI Act and emerging practice flip copyright’s default opt-in regime to an opt-out one. What effects is this likely to have on the balance of power between rights holders and reuse?</summary>
  389.    
  390. <category term="Tech Regulation" />
  391.    
  392. <category term="Web and Internet" />
  393.    
  394.    <content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2024/09/18/opt-out">
  395.    <![CDATA[<p class="intro">The EU AI Act and emerging practice flip copyright’s default opt-in regime to an opt-out one. What effects is this likely to have on the balance of power between rights holders and reuse?</p>
  396.  
  397. <p>Copyright is a default opt-in regime, from the standpoint of the rights holder. If I publish something on this blog, the presumption is that I retain rights unless I specifically license them – for example, by attaching a <a href="http://creativecommons.org">creative commons</a> license. If I don’t do that, you can’t legally reuse my content (unless your use falls within certain exemptions).</p>
  398.  
  399. <p>You can think about this arrangement in terms of protocol design: it’s an agreement between parties whose nature creates certain incentives and barriers to behaviour. Someone who wants to reuse my content has the burden of getting a license from me, and proving that they have one if I challenge them. I have the burden of finding misuse of my content and pursuing it.</p>
  400.  
  401. <p>Technical systems can assist both parties in these tasks. I can use search engines of various sorts to find potential abuses; a licensee can prove that a particular license was available by showing its existence in the cache of a disinterested third party (often, one of the same search engines).</p>
  402.  
  403. <p>This creates an equilibrium: the burdens are balanced to favour certain behaviours. You might argue that the balance is unjust (and many <a href="https://pluralistic.net">do</a>), but it is known and stable.</p>
  404.  
  405. <p class="hero">As <a href="https://www.mnot.net/blog/2024/04/21/ai-control">discussed previously</a>, the EU AI Act and emerging practice flip copyright’s default opt-in regime to an opt-out one. A rights holder now has to take positive action if they want to reserve their rights. While on the face of it they still have the same capability, this ends up being a significant practical shift in power.</p>
  406.  
  407. <p>That’s partly because of the nature of opt-out itself. The burden shifts: now, the rights holder must find misuse of their content, <em>and</em> prove that they opted out.</p>
  408.  
  409. <p>Proving that you consistently opted out at every opportunity is difficult, because it’s effectively proving a negative – that you never failed to opt out. Search engines don’t see every request made on the Internet; they just crawl it periodically, sampling what they see. An AI crawler can plausibly claim that the opt out wasn’t present when they crawled, and the rights holder is reduced to proving that the teapot isn’t in orbit.</p>
  410.  
  411. <p>Notably, this is the case whether the opt-out is attached to the content by a mechanism like robots.txt or if it’s embedded in the content itself as metadata. In the former case, content without the opt-out might be obtained at a different location, or at a different time; in the latter, the opt-out might be stripped from the content or a copy of it, either intentionally or unintentionally (e.g. it is common to strip metadata from images to optimise performance and improve privacy).</p>
  412.  
  413. <p>On top of that, using this regime for AI makes finding misuse difficult too. There’s no easy way to query an LLM for a particular bit of content in the corpus that was used to train it; instead, you have to trust the vendor to tell you what they used. While transparency measures are being discussed as a policy solution to this issue, they don’t have the same properties as third-party or technical verification, in that they require trusting assertions from the vendor.</p>
  414.  
  415. <p>In this manner, changing copyright’s default opt-in to an opt-out for AI dramatically shifts the burden of compliance to rights holders, and the lack of support for managing those burdens brings into question the practical enforceability of the regime. It could be argued that this is appropriate for policy reasons – in particular, to enable innovation. However, it is a mistake to say it doesn’t represent a change in the balance of power as compared to opt-in.</p>]]>
  416.    </content>
  417.  </entry>
  418.  
  419. </feed>
  420.  


Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda