As I said in the prelude, it's important to consider the source when you are reading about issues where there are billions of dollars at stake. Here's the relevant parts of my background:
My experience with computers goes back as far as my memory goes. Early in life, my father bought a Commodore 64, because he realized that it might be important to have a computer around. I have always been fascinated by computers, and it was virtually predestined that I would be eventually studying computers in college. Previous centuries of technical development have focused on augmenting mankind's physical capabilities; computers are the first mechanical tools that can augment mankind's mental capabilities.
My experience with the Internet began with college. I created a web page in my spare time the week before college was to begin, which had a relatively large number of doo-dads and geegaws, even for student pages, but was unusual in its tastefulness, if I do say so myself. This work eventually attracted the Human Resources department of the university to hire me to work on their web page, where I worked for the four years before graduating with my Bachelors.
For the most part I was oblivious to the intellectual property issues surrounding the Internet, having done a report on the issue in high school and generally ignoring the issue after that. That changed in the summer of 1999, when I read the second Wired Article (can't find a link now) about a software product called Third Voice.
To summarize, Third Voice allows the addition of little notes on any page on the Internet, viewable by anyone else using Third Voice. I thought that was vaguely wrong somehow, but what really got my goat was when I was able to cause it to execute scripting commands on the web page it was on. That caused Wired to run another article, ``Third Voice Rips Holes In The Web'' (http://www.wired.com/news/technology/0,1282,20636,00.html), describing the effects of the security holes that I had found, and what others had extended them to do (though I had never made my discoveries public; others independently discovered them and others as well).
Among the things that Third Voice allowed for a time was the redirection of forms to any other server on the Internet. So, for instance, if you were using Third Voice, clicked on a malicious note (which looked exactly the same as any other), then used your credit card number on that page to order something, Third Voice could have been used to divert your credit card number through a cracker's server, and then send you on to the original server, with nothing but a some seemingly innocent screen flashing to alert you to the fact your credit card number was just stolen. Browsers have since developed some limited defenses against this sort of attack, commonly called the Cross-Site Scripting vulnerability, but it's a difficult problem and the defenses tend to be easy to circumvent. Third Voice caused exceptionally extreme vulnerabilities, because there was no (good) way for a website owner to defend their users against flaws in the Third Voice product, whereas ``normal'' Cross-Site Scripting vulnerabilities can be contained by fixing the server code that exposes them. You can begin to see some of the thought processes in this essay, as I began to grapple with questions like ``How can we hold anyone responsible for the performance of their software if anybody with the technical ability to modify it on the fly can, without permission, oversight, or even the theoretical knowledge of the web server operator?'' (A web server operator can in theory find out their system has been hacked by examining it. A website operator can not know, even in theory, if one of their visitors was using something that compromised the contents of the website between the website and the user. My very-eventual solution, as outlined in this essay, is of course that such software is unethical, and in the end, the fact that it can create such vulnerabilities is really more an incidental technical footnote then a fundamental reason, though I do believe it further validates my ethics; the vulnerability fundamentally arises because you can not trust anyone to manipulate the message between sender and receiver, because sometimes even the third party is simply unaware of how badly they are degrading the message!)
I was working on a secure system for my employers that day, and it bothered me that the integrity of the system could be that easily compromised and that I could do absolutely nothing to stop it. Or could I? In a couple of hours (including some work at home), I created a script to block Third Voice content from appearing on a page, and offered it to the fledgling Say No to Third Voice group.
This stuff kept my summer interesting. As I tried to put my finger on what I objected to with the product, I slowly came to understand that anything I said about Third Voice applied to many many things, and thus was born this essay. At first it was limited to a Message Integrity chapter (that looks almost nothing like the one you can see now), but as I dug deeper and deeper into the issues, I began to realize just how deeply flawed our current conceptual models of communication are. That's why this essay has taken three years to write.
During those three years, I wrote on a weblog called iRights, now available at http://www.jerf.org/iri and renamed ``iRi'', tracking the issues as they arose. I've since diversified since I feel like I was repeating myself over and over, but I do occasionally still write on the issues if something new and interesting occurs.
You should know that I am not a lawyer of any kind; I've been studying the intellectual property issues surrounding the topics I discussed and I have a decent understanding of what's going on, but I have no diploma or bar certification in law.
I believe that this is actually a good thing, for two reasons:
Indeed, it was a deep shock to me to see Lawrence Lessig, a famous intellectual property and Internet law lawyer at Harvard, write an essay explaining to lawyers why they should be listening to technically competent people when forming the law for the Internet. I would have hoped this would go without saying!