by Jonathan Zittrain

A Great Cloud Debate: Zittrain Counters Criticism

Aug 03, 20098 mins
Cloud ComputingData CenterVirtualization's Bernard Golden took issue last week with Jonathan Zittrain's recent cloud computing missive in the New York Times. Here's Zittrain's rebuttal to Golden. Do iPhone and cloud belong in the same discussion? You decide. n

Consultant Bernard Golden has some intense reactions to my recent piece in the New York Times on cloud computing. In it I shared some basic worries—and one advanced worry—to be dealt with. I’ll boil them down a little further here.

The basics: privacy, security, and data portability. When your data is in someone else’s hands, it’s given less protection under the law than if it were on your hard drive. E-mail in Outlook is given more protection from government surveillance than e-mail at Gmail. That’s an unfair tilt in the playing field against cloud enterprises, and the law ought to be fixed.

Remotely stored data can have less protection in practice, too, since client-server communications aren’t always encrypted. We know how to fix that, too: companies that offer remote services ought to have secure communications built in, and many already do. This can be particularly helpful when a service’s customers are located in places governed by authoritarian regimes. Why make it easy for the Iranian government to spy on its people? And user error can be magnified when everything’s online: compromise a password and the bad guys get into all your stuff. Your PC can be prone to malware—I have a chapter devoted to that issue in the book—but spilling your one-for-all password much more readily compromises your online data than your PC data. Absent malware, hackers need physical access to your machine to use your password against you. But even without hacking the Yahoo! server they can be anywhere in the world and still get your Yahoo! mail if they’ve got the password.

[For timely cloud computing news and expert analysis, see’s Cloud Computing Drilldown section. ]

Finally, data portability: your data can be difficult to extract from some of the most popular online platforms, making it difficult to cast a vote with your feet and move to a new provider if you’re not satisfied. This is especially true for social networking sites like Facebook.

Mr. Golden’s reply on privacy is agreement: he thinks it will be “the cloud issue in the future.”

On security he thinks it’s your fault for losing your password, so don’t blame the cloud. That’s like saying it’s your fault for sliding off the road in rainy weather—don’t also blame a car manufacturer who, say, not only neglected to put in seat belts, but also placed an ornamental spike on the steering wheel. We can agree that people should have better password practices, but we know so many won’t. That’s why it’s important to better secure data in the cloud. Passwords are convenient, but for anything truly sensitive we can do better—as banks are slowly starting to discover as they react to so many successful phishing attacks against their customers.

On securing data communications, Mr. Golden says that doesn’t really count as a cloud problem. Much depends on how you define “cloud,” and that’s been a surprisingly difficult task. More on that later—it’s true, I define it quite broadly, and I’ll explain why.

On data portability, for which I’d used Facebook as an example, Mr. Golden says that some sites have APIs through which data can be extracted, and for many of the rest it doesn’t matter much, since “social sites are a transitional phenomenon anyway.” (I’m curious: transitional to what?) I disagree with that prediction, and crystal balls aside, social sites are a huge phenomenon right now—at least in the mainstream consumer space rather than the enterprise environment. People share their lives through them: photos, videos, news, relationships. How to let people manage their data within them, not simply what they submit themselves, but also “mouse dropping” data like the stuff that can routinely appear in their news feeds as they act elsewhere on the site or in the world, and data that implicates their relationships with their friends—this is a nuanced question. Facebook says that its barriers to quick data extraction can help protect the privacy of your friends as against you, and maybe they have a point. The issue really deserves analysis, not dismissal. The groundwork for treating private data is being laid now—much of the most interesting dialogue in this space happens when Facebook makes a privacy or rights change in its terms of service.

Now the advanced worry: freedom to control the code you run—and that runs your life. In the environment of the past thirty years—that of the PC—users could choose what would and wouldn’t run on their machines. If someone handed you a floppy disk, or gave you an icon to click on, that would open up a new functionality, it was yours for the taking. Some of the most popular and well-known providers of remote consumer-oriented applications that are replacing those of the PC allow no such freedom. I’ve written a book about this (available for free), but that’s the essence of the worry. When you can’t control the code you run, not only can you be foreclosed by a gatekeeper from innovations that you want (and that an author wants to share with you), but the gatekeeper can then be asked by regulators to control or monitor the flow of code and content. The debacle that erupted when Orwell’s Nineteen Eighty-Four was remotely deleted from owners’ Amazon Kindles is a textbook example of the power that can be wielded.

There Mr. Golden first emphasizes that Microsoft was found to have engaged in bullying behavior with its operating system monopoly. True! My point is that Microsoft’s behavior pales in comparison to the dangers of platforms much more controllable by vendors than Windows was by Microsoft—whether Facebook Apps, Google mash-ups (like Maps, which is currently open but which Google naturally reserves the right to close), or the iPhone. Mr. Golden points out how innovative something like Google Voice is—and then admits that Apple has rejected the Voice App from all iPhones, the sort of behavior Microsoft never dared to attempt with Windows. (The closest it came was in trying to make sure its own software, like Internet Explorer, was preloaded on machines running Windows, even against the wishes of manufacturers like HP or Dell.) So, yes, of course cloud computing can see innovation happen—so long as platform makers don’t gain too much power and exclude apps they find competitive to their own interests.

Does an iPhone count as part of the cloud since it fits in your pocket? For these purposes, yes. In a key respect—that of your freedom to control your code and data—these devices act like cloud services. That’s because the vendors have privilege to say how they will operate long after you’ve brought the devices home, updating the way the devices work, and their contents, over the Internet or a cellular network. Sometimes that control is total. For example, no outside code is permitted on a Kindle or TiVo. Sometimes it is partial: Apple allows outsiders to code for the iPhone, but code must be vetted by Apple and distributed exclusively through the iPhone apps store. For all of these devices, it’s more like allowing Amazon and TiVo and Apple to set up a beachhead in your home (or pocket), a little server of their own that’s a cloud service that happens to be near you.

No one wants to rewind the clock back to the PC era of the 1980’s—not even Bill Gates. My worries here are not “anti-cloud” any more than someone worrying about uninsulated wires is “anti-electricity.” when I say I’m troubled about the cloud, it’s a shorthand for being troubled about consigning some of our longstanding technological freedoms to others. They can affect (for their own reasons or by government order) our digital environment in real time. This is comparatively new in the public’s experience of technology, even as we’ve seen forms of cloud computing within firms for years—places where we might naturally not care as much about personal freedom, since the computers (and most of the activity taking place on them) belong to the company. I don’t begrudge operators of cloud-based services, or vendors wanting to sell or consult about exciting new cloud technology, their enthusiasm about ubiquitous networks—or their outrage when they feel their parade being rained on a little. But for the areas many of us should be caring and thinking about, the sea change occurring in our control over our code and content must be addressed, especially since the move to the cloud can be appealing for so many other reasons.

Jonathan Zittrain, a law professor at Harvard, is the author of “The Future of the Internet—And How to Stop It.”