The central thing I deeply admire about Lessig is that he takes on gigantic battles with care and determination. He’s not deluded about his chances, but he fights anyways. He looks for, and finds, incredibly aggressive wins. Copyright reform against the Disneys of the world didn’t work, but Creative Commons is genuinely affecting how we share. The corruption of the political process is an impossible challenge, yet Lessig sees a path, and I believe his is the the most likely path to success. I don’t yet know how Lessig will find the equivalent of the Creative-Commons-win in this much larger battle. But I know he’s thinking about it, and I believe that, in time, he will move the needle, significantly.

That kind of “crazy” optimism is deeply inspiring, because it is, indeed, the only way to change the world. Time is too precious not to focus on the big, gigantic, mind-blowing battles. Lessig reminds me of that every time I attend one of his talks.

So, a quibble. Lessig brought up one argument I’ve seen him make before: because vaccine policy is influenced by experts who may have received compensation from the pharmaceutical industry, people may lose trust in vaccine policy. Now let’s be clear: Lessig is not saying that vaccines are unsafe. He’s saying that, because some vaccine experts do not appear to be fully unbiased, it is understandable that people lose trust in vaccine policy.

I disagree, and I think it weakens Lessig’s argument to make this connection. I’d like to see Paul Offit and his peers deciding our vaccine policy (in a public forum of course), even though he’s getting rich from his amazing Rotavirus vaccine. Checks and balances in areas that require deep expertise cannot be achieved by banning from advisory boards all experts with a potential conflict of interest. In fact, that’s a recipe for disaster by way of mediocrity. We have other checks and balances for this. We can require peer-reviewed publications. We can fund counter-studies. We can let the truth rise to the top via competition. This country’s national vaccine policy is something to be proud of.

There is, however, a subtle but serious corruption in the medical world that should make it into Lessig’s slideshow: pharmaceutical reps routinely treat physicians to dinners, trips, etc. They leave free drug samples, they leave pens and paper pads with drug logos prominently featured, they suggest that new drugs are better than old tried-and-true drugs, and sometimes they very subtly suggest off-label uses. Drug companies receive prescription records for individual physicians: they know where they’re having an impact and can calculate very clear Return On Investment. The result: Vioxx. Physicians aren’t evil, but they are human. The grey areas in medicine are large and common, providing fertile ground for skilled influencing.

That needs to stop: where vaccine policy is a mostly public forum with competing ideas, there isn’t any oversight or counter-balance to drug-rep influence. We can change this. Doctors could be required to provide to all patients, alongside the insane HIPAA disclosure form, a funding disclosure form of all compensation received from drug reps. That disclosure form alone might make doctors think twice before prescribing a drug, and drug reps before paying for dinner. And institutions should follow the path blazed by Mass General, banning their physicians from accepting gifts and banning pharmaceutical reps from physician offices.

We’re at a unique time in history in terms of technologists having so much direct power. There’s just something about the picture of an engineer in Silicon Valley pushing a feature live at the end of a week, and then heading out for some beer, while people halfway around the world wake up and start using the feature and trusting their lives to it. It gives you pause.

So true. I’ve been thinking about this issue a lot recently, especially as good technologists in the Valley are in exceptionally good financial / career health, while the rest of the country, and sometimes even the other half of our cities, are suffering through a long and deep recession.

Here’s one story that blew my mind a few months ago. Facebook (and I don’t mean to pick on Facebook, they just happen to have a lot of data) introduced a feature that shows you photos from your past you haven’t seen in a while. Except, that turned out to include a lot of photos of ex-boyfriends and ex-girlfriends, and people complained. But here’s the thing: Facebook photos often contain tags of people present in the photo. And you’ve told Facebook about your relationships over time (though it’s likely that, even if you didn’t, they can probably guess from your joint social network activity.) So what did Facebook do? They computed the graph of ex-relationships, and they ensured that you are no longer proactively shown photos of your exes. They did this in a matter of days. Think about that one again: in a matter of days, they figured out all the romantic relationships that ever occurred between their 600M+ users. The power of that knowledge is staggering, and if what I hear about Facebook is correct, that power is in just about every Facebook engineer’s hands.

Here’s another story. I used to lecture MIT Undergraduates about web security. My approach was basically: (a) hack a few of the student project web sites, then (b) hack a few public web sites to make the students understand how widespread the problems are. In late 2003, I showed students how to buy movie tickets for free (the price of the ticket was held in a hidden variable in a web form… duh). I ended my lecture with “but just because you can do this, doesn’t mean you should. Please don’t do this.” Over the years, I’ve received a few emails from former students to the tune of “hey Ben, you gave an awesome lecture, I still remember how a bunch of us went out to see Matrix 3 for free that weekend!”

I shudder to think about what happens when you put those two stories together. While the earliest hackers may have had a particularly well developed ethical sense, I get the sense that our profession’s average ethical sense doesn’t nearly measure up to the incredible power we have gained precipitously over the last 15 years.

And then there’s the additional point Arvind makes, which I’ve observed directly too:

I often hear a willful disdain for moral issues. Anything that’s technically feasible is seen as fair game and those who raise objections are seen as incompetent outsiders trying to rain on the parade of techno-utopia.

Yes! There’s this continued and surprisingly widespread delusion that technology is somehow neutral, that moral decisions are for other people to make. But that’s just not true. Lessig taught me (and a generation of other technologists) that Code is Law, or as I prefer to think about it, that Code defines the Laws of Physics on the Internet. Laws of Physics are only free of moral value if they are truly natural. When they are artificial, they become deeply intertwined with morals, because the technologists choose which artificial worlds to create, which defaults to set, which way gravity pulls you. Too often, artificial gravity tends to pull users in the direction that makes the providing company the most money.

A parting thought. In 2008, the world turned against bankers, because many profited by exploiting their expertise in a rapidly accelerating field (financial instruments) over others’ ignorance of even basic concepts (adjustable-rate mortgages). How long before we software engineers find our profession in a similar position? How long will we shield ourselves from the responsibility we have, as experts in the field much like experts in any other field, to guide others to make the best decision for them?

warning signs

Last year, Chris Soghoian and Sid Stamm published a paper, Certified Lies [PDF], which identified the very issue that is at the center of this week’s crisis. Matt Blaze provided, as usual, a fantastic explanation:

A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don’t even do that much.

A Certificate Authority is a company that your web browser trusts to tell it who is who on the Internet. When you go to https://facebook.com, a Certificate Authority is vouching that, yes, this is indeed Facebook you’re talking to directly over a secure channel.

What Chris and Sid highlighted is an interesting detail of how web browsers have chosen to handle trust: any Certificate Authority can certify any web site. That design decision was reasonable in 1994, when there were only two Certificate Authorities and the world was in a rush to secure web transactions. But it’s not so great now, where a Certificate Authority in Italy can delegate its authority to a small reseller, who can then, in turn, certify any web site, including Facebook and Gmail, using more or less the level of assurance the small reseller sees fit.

what happened

It looks like someone from Iran hacked into one of the small resellers three degrees of delegation away from Comodo to issue to some unknown entity (the Iranian government?) certificates for major web sites, including Google and Microsoft. This gave that entity the power to impersonate those web sites, even over secure connections indicated by your browser padlock icon. It’s important to understand that this is not Google or Microsoft’s fault. They couldn’t do anything about it, nor could they detect this kind of attack. When Comodo discovered the situation, they revoked those certificates… but that didn’t do much good because the revocation protocol does not fail safely: if your web browser can’t contact the revocation server, it assumes the certificate is valid.

a detour via Dawkins, Evolution, and the Giraffe

Richard Dawkins, the world-famous evolutionary biologist, illustrates the truly contrived effects of evolution on a giraffe. The laryngeal nerve, which runs from the brain to the larynx, takes a detour around the heart. In the giraffe, it’s a ludicrous detour: down the animal’s enormous neck, around the heart, and back up the neck again to the larynx, right near where the nerve started to begin with!

If you haven’t seen this before, you really need to spend the 4 minutes to watch it:

In Dawkins’s words:

Over millions of generations, this nerve gradually lengthened, each small step simpler than a major rewiring to a more direct route.

and we’re back

This evolution is, in my opinion, exactly what happened with certificate authorities. At first, with only two certificate authorities, it made sense to keep certificate issuance as simple as possible. With each added certificate authority, it still made no sense to revamp the whole certification process; it made more sense each time to just add a certificate authority to the list. And now we have a giraffe-scale oddity: hundreds of certificate authorities and all of their delegates can certify anyone, and it makes for a very weak system.

This isn’t, in my mind, a failure of software design. It’s just the natural course of evolution, be it biology or software systems. We can and should try to predict how certain designs will evolve, so that we can steer clear of obvious problems. But it’s very unlikely we can predict even a reasonable fraction of these odd evolutions.

the opportunity

So now that we’ve had a crisis, we have an opportunity to do something that Nature simply cannot do: we can explore radically redesigned mechanisms. We can intelligently design trust. But let’s not be surprised, in 15 years, when the wonderful design we outline today has evolved once again into something barely viable.

taking further example from nature?

Nature deals with this problem of evolutionary dead-ends in an interesting way: there isn’t just one type of animal. There are thousands. All different, all evolving under slightly different selection pressures, all interacting with one another. Some go extinct, others take over.

Should we apply this approach to software system design? I think so. Having a rich ecosystem of different components is better. We shouldn’t all use the same web browser. We shouldn’t all use the same trust model. We should allow for niches of feature evolution in this grand ecosystem we call the Web, because we simply don’t know how the ecosystem will evolve. How do we design software systems and standards that way? Now that’s an interesting question…

So the recent crisis has changed my mind. I don’t think we can afford the risk of nuclear power. I’m not a nuclear power expert, and I would welcome counter-arguments. But I am fairly well versed in thinking about risk and risk mitigation. Three things now worry me greatly about nuclear power:

• Dramatic outcomes: in case of dramatic failure, the outcome could be disastrous on a scale that’s difficult to comprehend. You think the oil spill in the Gulf of Mexico was bad (and it was)? Try decades or centuries of life-killing radioactivity. Imagine a meltdown that could contaminate large, heavily populated areas. The damage could be enormous. Yes, the probability is very, very low. But as we are seeing today in Japan, it’s far from zero, and if they had not reacted as well as they did, the result could be indeed as bad as I describe here. (To folks I work with on voting technology: isn’t this what we worry about regarding Internet voting for public office? That the outcome of an attack would be dramatically bad, not matter how low the likelihood?)
• Storing nuclear waste: a friend on Facebook said “if Romans had used nuclear power, we would still be guarding their nuclear dump sites.” Think about that for a second. That’s just breathtaking. Are we ready to impose on our descendents 1000 years from now? We can barely figure out broad swaths of history from that long ago, let alone instructions on how to safeguard nuclear materials. Maybe it can be done. But it seems incredibly arrogant of us to assume that it’s okay to impose this burden on the next hundred generations.
• Regulation (or lack thereof): this is my most pragmatic point, and it applies mostly to the US. We can’t even get our act together in this country to agree on requiring relief wells for deep-water oil drilling. Do we really think we can get our act together to regulate a nuclear industry to be truly safe? It looks like even Japan couldn’t quite do it, and they’re far more open to government safety regulation than we are.

So, I’m open to others’ arguments. But right now, I’m thinking nuclear power is not such a great idea.

On the one hand, there is no doubt that the mainstream press is failing miserably in its role of investigating and breaking stories about illegal secret activities. We’ve seen numerous high-profile publications delay stories for fear of impacting elections (e.g. the NY Times and Bush-era warrantless wiretapping). Where the War in Iraq is concerned, it seems fairly clear that the US government misled its people, and that, in my opinion, deserves complete whistleblower protection.

On the other hand, while Wikileaks claims to have information proving banking corruption during the financial crisis, BP corruption during the oil spill, and many others, they chose to release secret diplomatic cables first. The argument that the people have the right to know everything the government does in real time does not hold water: many lives have been saved by secret operations and negotiations. Secrecy has a role to play in a peaceful society. Of course, all information should eventually be made public, so the Freedom of Information Act is critical, and multi-partisan oversight of secret operations and negotiations is necessary while those are ongoing. So what is the justification for this particular leak? Does it reveal significant lies by the US government where the public is being deeply misled? I don’t quite see it, although it’s possible that I’m not looking closely enough.

All that said, in this fog of uncertainty, some (many) are arguing that Wikileaks is a terrorist organization and that Julian Assange should be arrested. Senators are pressuring tech companies to censor the information, and tech companies are buckling at record speed (ahem, Amazon, Paypal,…) This line of argument is deeply disturbing, and the speed with which the system is cracking down on Wikileaks through political pressure is surprisingly scary. Where is due process? Whatever happened to freedom of the press? Recently, some members of the State Department have implied that students vying for jobs with them should refrain from publicly discussing Wikileaks. Ummm, which country is this again? Home of the Brave, Land of the Free, right?

One note to the Wikileaks folks: why not focus on the areas that are clear no-brainers first? Tell us about the BP corruption. Tell us about how the banks abused the bailout funds. This is true, unadulterated whistle blowing. In the end, there may well be a case that releasing these diplomatic cables is proper whistleblowing. Unfortunately, it’s not nearly as clear-cut, and that is going to hurt the Wikileaks mission significantly in the long run.

All that said, Mr. Assange, you have balls of steel. I can’t quite believe that you are real, but I’m glad people like you exist to fight bravely for freedom of information, even if, in some cases, I’m not sure I agree with your judgment calls.

Kim points out that two issues got confused in the flurry of press activity: the accidental collection of payload data, i.e. the URLs and web content you browsed on unsecured wifi at the moment the Google Street View car was driving by, and the intentional collection of device identifiers, i.e. the network hardware identifiers and network names of public wifi access points. Kim thinks the network identifiers are inherently more problematic than the payload, because they last for quite a bit of time, while payload data, collected for a few randomly chosen milliseconds, are quite ephemeral and unlikely to be problematic.

Kim’s right on both points. Discussion of device identifiers, which I missed in my first post, is necessary, because the data collection, in this case, was intentional, and apparently was not disclosed, as documented in EPIC’s letter to the FCC. If Google is collecting public wifi data, they should at least disclose it. In their blog post on this topic, Google does not clarify that issue.

So, Google, please tell us how long you’ve been collecting network identifiers, and how long you failed to disclose it. It may have been an oversight, but, given how much other data you’re collecting, it would really improve the public’s trust in you to be very precise here.

Now, two points:

1. taking a second look at EPIC’s letter and Kim’s original post, it still seems to me that there’s some confusion of the device identifier and payload data issues: the uproar materialized after Google revealed they had mistakenly collected payload data, and EPIC’s letter and Kim’s original post seem to weave back and forth between both issues, never really mentioning intent. Is this because the payload data story is juicier in headlines, and so bundling the two issues helps make the more important point? Maybe, but still, I think we should be more precise and careful when we attack on privacy grounds.
2. I agree that device privacy can be a big deal, especially when many people are walking around with RFIDs in their passports, pants, and with bluetooth headsets. But, in this particular case, is it a problem? If Google really only did collect the SSIDs of open, public networks that effectively invite anyone to connect to them and thus discover network name and device identifier, is that a violation of privacy, or of the Laws of Identity? I’m having trouble seeing the harm or the questionable act. Once again, these are public/open wifi networks. For the most part, these are static access points. Given Google’s stated interests in providing geolocation services, it would be detrimental to them if they catalogued roving access points. So, what’s the worst-case scenario here? Is it that, when I move to a new apartment, Google will know?

None of this excuses Google’s lack of disclosure. This was intentional data collection, it should be disclosed, period.

And it’s worth asking the questions that Kim asks, raising awareness of device privacy. I’m not sure I’m as worried as Kim is on this particular issue, but the questions are certainly legitimate.

So, in the end, the privacy advocacy theater is coming first and foremost from the EU privacy folks, who did get enraged about payload data more than anything else. There’s still some coming from EPIC and, to remain blunt, a little bit from Kim’s first post. But his second post brings up very legitimate questions, and Google should take some additional action here, at least to let us know what they were collecting, when, and whether they properly disclosed it.

I want to focus on a related problem that I’ll call privacy advocacy theater. This is a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too. Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater. (If you’re generally worried about Google Street View, that’s a different problem, there are real concerns there, but I’m only talking about the collection of wifi network payload data Google performed by mistake.)

I’m looking at you, EU Privacy folks, who are investigating Google over accidental data collection. Where is your investigation of Opera, which provides Opera Mini, billed as “smarter web browsing”, smarter in the sense that it relays all data, including secure connections to your bank, through Opera’s servers? We should be much more concerned about designs that inherently create privacy risk. Oh sure, it’s easy political points to harp on accidental breaches for weeks, but it doesn’t help privacy much.

I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the wifi access points that don’t actively nudge users towards encrypting their wifi network.

Another group I deeply admire and respect is EPIC. Here, they are also guilty of Privacy Advocacy Theater: they’re asking for an investigation into Google’s accidental wifi data collection. Now, I’m not a lawyer, and I certainly wouldn’t dare argue the law with Marc Rotenberg. But using common sense here, shouldn’t intent have something to do with this? Google did not intend to collect this data, didn’t even know they had it, and didn’t make any use of it. Shouldn’t we, instead of investigating them, help them define a process, maybe with third-party auditing from folks at EPIC, that helps them catalog what data they’re collecting, what data they’re using, etc…? At the very least, can we stop the press releases that make no distinction between intentional and unintentional data collection?

I’m getting worked up about this Privacy Advocacy Theater because, in the end, I believe it hurts privacy. Google is spending large amounts of time and money on this issue which is, as I’ve described previously, an inevitability in computer systems: accidental breaches happen all the time. We should be mostly commending them for revealing this flaw, and working with them to continue regular disclosure so that, with public oversight, these mistakes are discovered and addressed. Google has zero interest in making these mistakes. Slapping them on the wrist and having them feel some pain may be appropriate, but too much pain and too much focus on this non-issue is akin to a full-on criminal trial for driving 10 miles per hour over the speed limit: everyone’s doing it. Just fine them and move on. Then spend your time going after the folks who, by design, are endangering millions of users’ privacy.

There are plenty of real, systemic privacy issues: Facebook’s data sharing and privacy controls, Opera Mini’s design (tens of millions of users relaying all of their data to Opera, by design), Google’s intentional data retention practices, web-based ad networks, … We have enough real issues to deal with, who needs the advocacy theater?

In every instance, the companies involved didn’t mean to cause these data breaches. In every instance, they would gladly pay serious cash to prevent these bugs, given the negative publicity they cause. In every instance, most security folks I know are unfazed by these news, which they find quite unsurprising. And in each instance, the companies in question, Facebook and Google, reacted admirably: rapid disclosure, rapid response.

If you’re shocked, outraged, writing lengthy TechCrunch posts about these developments, you probably don’t understand computer security very well, and you’d better sit down with a stiff drink, because these issues are the tip of the iceberg. Accidental breaches happen all the time. Writing secure software is incredibly difficult, especially when, like Google and Facebook, you’re pushing the envelope and releasing features as quickly as possible to outpace your competitors.

We do not know how to write secure software. We do not know how to ensure that the software we write follows a given set of policies. Anyone who tries to sell you a perfectly secure system is either lying to you or doesn’t know what he’s talking about.

There are measures we can take to minimize risk, but they aren’t very sexy. Mistakes will be made, so the point is to minimize the bad consequences of those inevitable mistakes. Think of the awfully boring things you’ve heard security geeks tell you:

• don’t store user passwords in the clear.
• don’t make up your own crypto protocols, be conservative.
• defend in depth: even if you’ve got one defense, it’s always a good idea to have other defenses against the same potential breach.
• look upon large data aggregations with deep skepticism: Google, Facebook, government DNA databases, etc.
• look upon wide-ranging integration of disparate systems with deep skepticism: OpenID, Facebook Instant Personalization, etc.
• be skeptical of software vetting claims, i.e. the Apple app store.
• ask that new protocols do much more than be “no less secure” than existing protocols (I’m looking at you oAuth 2.0, no less secure than cookies).
• demand that the public be informed of all significant data breaches.

So freaking boring, right? But that’s real security. Minimize the target, minimize the risk, maximize the defenses, and always seek to strengthen security measures, because attacks only get stronger, too. And finally, provide the incentive to companies to constantly improve their defenses, by mandating disclosure.

If you’re shocked about the Facebook and Google bugs, just remember that those are the bugs we know about. There are a whole bunch more we don’t know about that Google and Facebook caught before any harm occurred. And there are a whole bunch more that nobody but bad guys know about that are actively causing harm right this minute. So the question is, as a software engineer, did you take those boring precautions to limit the damage? As a user, did you consider what data you’re storing with whom, how big a target they may be to attackers, and how motivated they are to truly secure your data?

That is some twisted backwards logic.

Apple needs to remove apps it finds “not useful enough” for the iPad to work well? Apple needs to be the sole app distributor for the iPad to be so desirable? It would make the iPad worse if, say, Firefox were allowed to compete with Safari on it? No, absolutely not. There is no inherent tradeoff. Apple chose to close the ecosystem. They could have had just as good a product with an open ecosystem… or, gasp, maybe an even better product where fixing a bug doesn’t require approval from the appstore overlords.

So enough with the uni-dimensional thinking. Those of us criticizing the iPad aren’t saying it’s all bad. If it were all bad, we wouldn’t be spending any time worrying about its impact on computing, because, if it were all bad, it wouldn’t have an impact. John Lilly and Ben Fry, who also expressed issues with the iPad, are probably getting one. I may well be getting one.

Apple is very good at bundling a little bit of badness with a lot of goodness and making you think there’s an inevitable tradeoff: iPod DRM, iPhone approved apps to prevent the phone network from being “taken down by a rogue app,” etc. But the only tradeoff here is that, if Apple opened the ecosystem, they would make a little bit less money. (Apple does not benefit as much as others do from an open ecosystem because their closed hardware is already so freaking popular.) For the user, the closed ecosystem is not a trade-off, it’s an unnecessary constraint.

I want to build software for this thing. I’m really excited about the idea of a touch-screen computing platform that’s available for general use from a known brand who has successfully marketed unfamiliar devices to a wide audience.
[..]
It represents an incredible opportunity, but I can’t get excited about it because of Apple’s attempt to control who creates for it, and what they can create for it. Their policy of being the sole distributor of applications, and even worse, requiring approval on all applications, is insulting to developers.
[..]
I find it offensive on a very basic level, because I know that if such restrictions were in place when I was first learning to write software — mostly on Apple machines, no less — I would not have a career in the field.

John Lilly followed up brilliantly:

In a nutshell, what worries me about the trajectory of computing is not so much the emergence of tightly-controlled, non-tinkerable boxes, but the presumption that “normal people” don’t ever want to tinker, don’t want to be bothered with understanding how things work. I think it’s not true, really — certainly not for everyone — but I even think that this distinction between “normal people” and “tinkerers” or “techies” or “makers” is bogus at best, and really dangerously corrosive at worst.
[..]
It’s not like I was born an engineer — the instinct to fiddle with things isn’t something we’re born with. I became a tinkerer because I was exposed to surfaces that allowed — that invited — it. I figured out that I liked tweaking and building and creating because I got a bunch of chances to do that stuff, from hardware to software and everything in between. I knew I could do it because Dad modeled that behavior, but also because the stuff we had around the house was inspectable and malleable.
[..]
We all have the potential inside us to make things. But we’re not born into the world as makers — the world around us — the people in it and the artifacts in it — help us to discover what we can be.

I don’t know that I agree 100% with John: not everyone is a tinkerer. But, for sure, we need “surfaces that invite tinkering,” otherwise those who would be tinkerers might never discover it.

I was a tinkerer from an early age, but most of my tinkering in the physical world sucked, because, well, I don’t have good instincts about physics or analog things: I’m a digital kind of guy. So my egg-drop competition entries were overly complicated, my solar ovens were a perfect fit for a raw diet, my matchstick suspension bridges were unsafe at any speed, and my analog-circuit-based room-alarm systems would go off at random times in the middle of the night, or not at all, but at least would consistently end up blowing out the LED indicator (what do you mean you can’t connect the power source straight to the LED?)

I might have given up on tinkering, were it not for software… that was something else.

When my father brought home our first computer, a Thomson MO5, I was hooked. I spent hours transcribing BASIC programs from the 3 magazines I could find on the topic (this was Paris, France, not exactly Silicon Valley.) My dad took me to the office so I could talk to some Thomson engineers and debug my floppy disk drive. Later came the TO7, and eventually the Apple IIGS, my first “major” Pascal program to help my mother schedule carpooling (and my first taste of how hard it is to write a scheduling algorithm), my second “major” Pascal program to manage the Prom guest list. I wrote my final Geography report using a page-layout program on the Apple IIGS that probably cost me hours of extra time because of its bugs and the work-arounds I had to find, and got a worse grade for it because “not everyone can afford such fancy software, so we took off a couple of points” (for those of you still confused, THAT is socialism.) Not long after that I was applying to MIT and tinkering with one of the first e-commerce web sites. I love what I do, but would I have discovered this love without those first few lines of BASIC on that MO5 computer, written without anyone’s permission or knowledge?

Over time, though, I have become a little bit complacent about openness. I own an iPhone, and I’ve bought a few apps. I bought music on iTunes, and figured the DRM was not so problematic. I got a Kindle and bought some books. And then one day Apple’s DRM server went down and I couldn’t play music for a few hours. And Amazon decided to recall the book “1984″. And Apple decided to retroactively remove a bunch of apps they considered “not useful enough.” So I started thinking, maybe it’s time to get a different phone.

But I can’t. See, in the interim, I got unexpectedly locked in. I sync my calendar via MobileMe. I sync my music/TV shows via iTunes. Moving to something like a Palm Pre is going to take a significant effort. So how much worse will it be if I get an iPad, get some apps, and Apple decides to change the rules in a way that I don’t like? How locked in will I be then?

This change is happening gradually. At no point are you going to be shocked by an unfortunate Apple decision. You’ll enjoy your iPad, you’ll buy more apps, you’ll enjoy it even more. Apple will make a few decisions that inconvenience you, but you’ll deal. Until one day you’re inconvenienced enough that you might begin to look elsewhere. But you won’t be able to, because your data will be locked in. 3 years ago, we didn’t even have 3rd-party apps on the iPhone. Today, we have more than 100,000, and they’re all rushing to the iPad at warp speed. Change is happening.

One last point. A few months ago, I became a father. My wonderful little boy has an incredible appetite for life. Will he be a tinkerer? I don’t know, but if I had to bet I’d say yes. Will I be able to do for him what my father did for me? What will he tinker with, if everything in the house is a polished, professional, touch-but-don’t-tinker device? If he is to be a maker, a tinkerer, will he be able to fully explore his ideas if the rules of his digital universe are decided by the whims of Apple, Facebook, and Google?

I’m not sure. Maybe he will find a way, the way that kids do. Or maybe we, the generation that is witnessing this change, need to make sure that the rules of computing do not become a permanent, universal, inescapable sandbox.