next up previous contents
Next: Misc. Up: The Ethics of Modern Previous: Privacy   Contents


Message Integrity

Message integrity is an often-overlooked problem for much the same reason that it is not generally recognized that the expression doctrine is dead. The technical ease of having an intelligent medium modify the message en route is not like anything in the past. Previous attention to message integrity has mostly been focused on the physical threats, because to modify a message required a physical change. This can be seen in the ``locked briefcase handcuffed to a guard'' model, which guards solely against physical attack. This is no longer the case, as messages can be both intercepted and changed without physical access. As tempting as it is to try to resort to physical metaphors, such an approach is as doomed to failure as it was in the expression case.

Throughout this chapter, the assumption is that the sender or the receiver does not consent to the changes made to the message, and thus that there is a third party involved in making the change. If both sides agree to a change, such as in the example of a newspaper digesting a press release instead of re-printing it directly, or informed consent to one of these technologies by both sender and receiver, then there is no issue.

Because of the difficulty of even conceptualizing non-physical integrity attacks under the past frameworks, it has been very difficult to explain the extreme danger such things pose. I know from personal experience that the metaphors alluded to previously are doomed, because they have never worked for me, despite a lot of time spent(/wasted) polishing them. The issue of message integrity is much more easily handled in the Concrete Part/Human Perception model.

Figure 23: Concrete Parts and Human Perceptions, divided


First, there are two aspects to message integrity, one pertaining to each side of the dividing line in figure 23. The left side is very easy to deal with.

Concrete Message Integrity

As mentioned in section 3.3.3, I do not want to get too deeply into the issues of determining whether the ``sense'' of a message is changed by some action, because therein lies an infinite quagmire of philosophy. Fortunately in the case of concrete communication, especially when using computers, it's quite easy to determine if the concrete message has been changed between the sender and receiver. Simply answer the question ``Did the bits change en route?'' If yes, the message integrity has been violated. If no, it has not been. In the case of non-computer communication, you can still ask largely the same question by ``virtually'' digitizing the message and comparing what was sent to what was received, within reason. If the concrete parts are adequately contained in the final message, then everything is fine.

Example of ``within reason'': A person making a speech in an auditorium won't sound precisely the same to any two people, in the sense that a microphone would pick up a slightly different version of the speech. In this case, we do have to make the reasonable determination that the differences are irrelevant to the contents of the speech, or unavoidable due to the nature of the auditorium. It should not strain anyone's mental faculties to say that everyone is hearing the same speech, unless someone quite deliberately censors it somehow.

Hopefully you can see this is exactly what I defined as censorship in section 4.3, because changes in the concrete parts are the same as changing the message, so this topic is previously covered.

Human Perception Integrity

The integrity of the human perception is much, much more difficult, yet correspondingly more important, because what really matters is what the human finally perceives, not the mere data that is delivered. How can we ever determine whether someone has disturbed a message?

Concrete parts are amenable to comparison before sending and after reception. Messages are significantly more fluid. As discussed elsewhere, a web page may be viewed in a virtually infinite number of ways, with different fonts, color schemes, or graphics handling. Even the sensory modality it is rendered into can change, with someone perhaps listening to a computer reading the web page, or reading it through a specialized Braille interface. At first, it would seem impossible to say whether a supposed modification is truly a modification, or merely another legitimate way of perceiving the message.

Yet even though there may be an effectively infinite number of ways of viewing my web page, and an effectively infinite number of ways of viewing the New York Time's homepage, it is immediately obvious that there is some real difference. The answer lies in the fact that the message is not independent of the concrete parts that went into making it. No matter what settings you set your browser to, my web page will never have the same content of the New York Time's page, because they have articles, advertisements, and other things that my web page simply does not have, and vice versa. It is this point that has been missed in previous debates on the Internet about the real-world examples of message integrity attacks, because it is easy to be blinded by the apparently infinite number of ways of experiencing a particular message. (This is another manifestation of the common misconception that any infinite set must contain all possibilities within it. This is obviously false; the set of ``all integers'' contains infinite numbers, yet no matter how long you look, you will never find 1.5. Similarly, even though there are an incredibly wide variety of experiencing a given web page, perhaps even infinite in some sense, the content the web page is based on always remains constant.)

Human Perception Integrity Defined

It is this recognition that allows us to formulate a rational and meaningful definition of the integrity of a human-perceived message, even in the light of infinite rendering variations.

human-perceived message integrity
When the message perceived by a human is composed of the same concrete parts, mixed as intended by the sender, the integrity is preserved. If parts have been added, removed, or modified, or rendering instructions have been added, removed, or modified, in ways not intended by the sender, then the message integrity is violated.
Again, we do not try to read the mind of the sender, but pay attention solely to the flow of concrete parts and their assembly. For instance, a novice web page creator may place an image tag in their HTML page and intend that every user see it. However, it is not this ``intent'' that is transmitted, instead it is an HTML image tag, <IMG SRC=''something''>. In HTML, the IMG tag does not truly mean ``display this image'', in the sense of an unbreakable contract. Instead, it is on the level of ``strong suggestion to the browser'', which it can take or leave as it wills, or as it is technically capable. Users may visit the web page with a graphical browser with image loading off, or with a text-only browser, or with an alternate-media browser with no visual component at all. All of these are acceptable under both the general understanding of the web, and even the technical specification of the HTML language8; actually displaying the image is not a prerequisite to legitimately claiming that one can ``render HTML''.

In general, the actual message won't precisely match what the sender intends to convey, unless they are deliberately limiting their communication to the capabilities of whatever language they are using. In HTML, there isn't a way to say ``The browser absolutely must display this image.'' The message can only match the sender's intent if the sender deliberately limits themselves to the limitations of HTML. The inability to truly express concepts completely correctly in any language is a deep philosophical problem, but such discussion does not gain us anything. The fact we can not narrowly and precisely define the intended ``true message'' does not mean that we must therefore deny it exists.

There is a lot of flexibility in how an HTML message is rendered. There is no flexibility in what set of concrete parts will go into a message. There is some set of images, text, applets, data, etc. that might be used to render the page, or might be elided by the browser. The set is finite and quite well defined with some simple analysis of the HTML page itself. Loading content from an additional source not described in an HTML page is a very distinct, identifiable event, and this constitutes an integrity breach.

Recognizing Integrity Violation: Delimiting Messages

There is one more issue to resolve before considering this discussion complete, though, and that is the issue of delimiting messages. Consider the case where a person creates a web page and ``intends'' for it to be viewed in Netscape. Now consider two people visiting that page, one with Netscape and one with Internet Explorer. One sees the page as ``intended'', with the Netscape logo on the browser. Another sees it with the Internet Explorer logo. It seems that a part of the message has been ``modified'', yet intuitively we do not see this as an attack on integrity.

Suppose now we use a browser that adds the word ``WRONG'' in huge red type to every third web page. This does seem to be an attack on the message's integrity. Many debaters I've seen on the Internet happily munge these two together in their zeal to prove their point, but intuitively, there does seem to be a real difference. What is it?

The rather straightforward answer lies in the dependence of the messages.

Message A depends on Message B if a change in B significantly affects how A is perceived by the human.
There is some fuzziness in the word ``significantly'', but that is just the real world rearing its ugly head at us again. In the case of a browser, it may draw a title from the current web page and use it in its title bar, or as the title of the bookmarks, so technically what web page it is currently viewing does affect how the browser is perceived by the human, but these are really rather insignificant changes under any reasonable interpretation. Practically speaking, the browser, considered as a human-experienced message, is independent of the human-experienced message of the current web page. As evidence, consider the visual similarity between a browser showing an empty page, and one with an actual page. Flipping it around, it is possible for the web page to affect the browser in certain limited, well-documented manners (such as opening a new window without toolbars), but again it is not really a case of ``the web page'' manipulating the browser, it is a case of the browser doing its best to render the web page as the HTML suggests. The user can override those manipulations either with certain browser settings, or by using a browser that doesn't understand those concepts.

One frequent counterargument to earlier, cruder versions of this concept is that it would outlaw such things as a television, which always have the name of the television manufacturer on it, thus affecting all television programs viewed on the set. Of course this does not happen because the name is completely independent of what is on the television, persisting even when the device is completely unpowered. Similarly, on-screen menus overlayed on top of television programs are harmless, because they are also almost completely independent of the television program, with the possible exception of displaying basic information about what is currently being viewed, which has already been discussed.

This is the answer to the problem of how to delimit the interactions of messages. If two messages co-exist, and do not depend on each other in the sense given above, then neither violate the integrity of the other, no matter how they came to be co-existent. Dependence analysis thus degrades gracefully in the pre-smart message case, when messages could never react to each other and thus could not become dependent, and shows that no messages were ever dependent on another message, so this is indeed a new ethical problem, one almost completely misunderstood by most people at this time.

Renderers Should Be Independent

In 9.2, I said the following:

No matter what settings you set your browser to, my web page will never have the same content of the New York Time's page...
Obviously, a special browser can be written that will show my homepage identically to the way it shows the New York Time's page. That does not negate my assertion, because such a browser is no longer an independent browser; it must be getting those New York Times concrete parts from somewhere, be it through accessing the New York Times website ``behind the scenes'' or through storing parts of the New York Times website in its own files. Either way, the important thing is that those parts are still not coming from my web site.

From this, we can derive an important rule of thumb: In general, a renderer should be independent of its content. This is how our intuition measures whether a given browser is ``honestly'' rendering a site. Considering that a renderer such as a web browser can stand between its user and thousands of other people, it is very important that the browser function independently, so the user is clearly aware of who is sending the messages.

Is this an abstract consideration? Of course not. While large scale manipulation by a browser manufacturer remains a hypothetical, a small-scale demonstration of the possibilities was provided by Opera in February, 2003 with the release of the ``Bork'' edition of their Opera browser. From their press release (

Two weeks ago it was revealed that Microsoft's MSN portal targeted Opera users, by purposely providing them with a broken page. As a reply to MSN's treatment of its users, Opera Software today released a very special Bork edition of its Opera 7 for Windows browser. The Bork edition behaves differently on one Web site: MSN. Users accessing the MSN site will see the page transformed into the language of the famous Swedish Chef from the Muppet Show: Bork, Bork, Bork!...

"Hergee berger snooger bork," says Mary Lambert, product line manager desktop, Opera Software. "This is a joke. However, we are trying to make an important point. The MSN site is sending Opera users what appear to be intentionally distorted pages. The Bork edition illustrates how browsers could also distort content, as the Bork edition does. The real point here is that the success of the Web depends on software and Web site developers behaving well and rising above corporate rivalry."
Or, in terms of this analysis, the success of the Web depends on web browsers remaining independent of web content. Opera's ``Bork'' edition functions by containing a special message internally that is executed only on the MSN site, which adds content to the site that does not exist on MSN servers. While this is a largely harmless release, made to underscore a point, it demonstrates that browsers have a great deal of power over the content they are rendering. This standard of ``Independence'' provides a usable metric to determine whether they are wielding that power responsibly or not.


In the context of web pages, annotation refers to the practice of using some software program to leave notes on web pages that others using the same program can view. (Note that if only the author can view the notes, it doesn't matter.) Perhaps the most famous example of this is the now-defunct Third Voice, which no longer exists even as a website I can point you to, only the odd screen shot here and there.

Figure 24: Third Voice screen shot, from screenshots/thirdvoice_annotated.html. One note is opened, ``Is it art?''. Another note is attached to ``Photos & Images''. In the upper left corner you see the Third Voice control panel. If I remember correctly, and based on the ``More notes on Visual Arts'' part that's cut off, this was one of Third Voice's ``official'' conversation threads, which they would feature on their home page in an attempt to encourage people to use the software for discussing various things, such as the given topic here.

Figure 25: A screenshot of Third Voice on the White House web site, during the Clinton Administration. Unsurprisingly, the White House site was one of the more active ones. This is a later version of the software, which added threading capabilities to the message (you can see I've opened the ``Al Gore 2000'' thread on the left), and the hint of the ability to have a distinction between ``Public'' and ``Private'' notes, which, to the best of my knowledge, was never implemented, at least not publically.

It is instructive to take a look at how Third Voice and related software accomplish this technically, because it is a paradigmatic example of how to effect large-scale integrity attacks. Despite the demise of Third Voice, other software still exists which has similar capabilities.

How Does Annotation Work Technically?

Figure 26: Third Voice-style annotation

The way Third Voice worked is outlined in figure 26. How the annotation author leaves a note on a given page, and how it is shown to the annotation viewer, worked like this:

  1. The annotation author would request a web page, let us say for concreteness, from the web server. The browser would retrieve it normally.
  2. Once the browser was done retrieving the page normally, the annotation program, which was a plug-in to the browser and thus deeply integrated with the browser so it could detect things like when the page was done loading, would send a query off to the annotation server, asking if there are any notes for `` ''.
  3. In this case, we'll say there wasn't any yet, so the server returns that there are no notes on that page yet.
  4. When the user decides to leave a note, he tells his annotation software where he wants to leave it, and what the title and contents should be.
  5. The annotation software reports to the annotation server the contents of the note and where to put it.
  6. When another user of the same program goes to , their browser downloads the web page.
  7. Their annotation program asks the annotation server whether there are any notes on the page.
  8. This time, the server reports that there is a note on that page, and sends it to the annotation program, which then allows the user to browse it.
One consequence of this design is that only other users of the particular annotation software can see the annotations on that system. Different software systems can have entirely separate databases of annotations, and conceivably if this technology ever takes off, someone might build a ``meta-annotation'' software program that could hook into many different annotation databases. Another one is that the annotation server gets a complete log of the pages visited by the user.

Figure 27: Proxy-based annotation

The other major way that an annotation service can function is by using a proxy, which is a computer that acts on behalf of another computer. In this case, the proxy gets the web page for the requesting computer, and additionally adds the annotation information.

  1. The user asks the browser for a web page, .
  2. The browser asks for that web page from the proxy.
  3. The proxy retrieves the web page from , and adds the annotations to the HTML. The proxy returns this modified HTML to the browser.
  4. The browser displays the modified page.
Adding annotations is done by sending special requests through the browser, which the proxy server detects and processes to add the annotation into its internal database.

While very different technically (different bandwidth requirements, different bottlenecks in the system), the theoretical capabilities of the two techniques are identical. Some effects are easier in one model then the other, but there is nothing that is possible in one that is impossible in the other.

Why Annotate?

The justification for annotation was based on the observation that the web is largely controlled by corporations, as measured by the number of pages viewed, who have no mechanism for allowing feedback about the writing. (This was even more true in 2000 than it is now, with the proliferation of web-based forums, many even hosted directly by the big content producers.) Annotation was proposed as a solution to this problem, allowing people to metaphorically gather together on a web page and discuss the content. (The name ``Third Voice'' presumably comes from the idea that the web visitor is one ``voice'', the web page author a second voice, and the Third Voice program provided a third voice on the web page.)

Numerous examples of such things were proposed by Third Voice, such as criticizing products, posting reactions to news stories, or carrying on discussions about the contents of the page, but they all boil down to the same thing, discussing the content of the page.

So What's Wrong?

Certainly those are noble goals, which is probably why the system was defended by so many people who meant well, including the program's authors. The problem is that by doing so, the defenders are opening the door to a subtle, insidious form of censorship.

One might consider granting a pass to these sorts of things because they appear on first glance to offer a way for ``the little guy'' to strike a blow against the corporate powers. But this is a dangerous illusion... because both practically and ethically, anything that the ``little people'' can do, the ``big people'' can do, too, only bigger and with a huge marketing push. In reality, all that is being created is the ability to slap arbitrary content into the middle of a web page, and if any of these services ever becomes large enough, it would be co-opted by the very same ``corporate'' voices is was created to provide a counterbalance to, in the end only making sure that not only do the corporations own their own spaces, but anybody else's they wish as well. This isn't just theory; see ``Smart Tags'' in section 9.4.1.

Annotation As Censorship

Using the models we've built so far, it's easy to see how this is censorship. Analyzing the concrete parts that go into building a web page like that in figure 24, there is the glaring intrusion of the comment from ``shaina'' that the author of the web page clearly did not intend. That is certainly content not coming from the author or even the reader, but from this ``shaina'' person. Without consent from both the web page reader and the web page author, such an addition clearly meets our definition of censorship.

This is not just academic. One of the most popular uses of Third Voice, measured by ``pages with the most annotations'' (Third Voice provided a little graph showing the ``most active'' pages on the web for some period of time, and while I obviously can't point to it, it allows me to know this was one of the most popular uses of the program; ``Say No to Third Voice'' monopolized the top position for a long time), was to visit the sites protesting Third Voice and attempt to ``shout down'' the protest sites through sheer volume of posted notes, sometimes so many that the browser would crash for some people. I'm almost sorry the program is shut down now, because you simply have to take my word for this: Even if you believe for a moment that Third Voice users would indeed use the service for the noble causes the creators claimed for it, a quick cruise around the system indicates that it was only rarely used for that, and you would quickly become disabused of the notion that it was being used for ``debate''. What little content on the service that was truly related to the page was almost entirely of the ``shout-down censorship'' type. Just as the readers have the Free Speech-based right to visit a web page, read it, and draw their own conclusions about the content, web page authors have the right to present their material without ``interruption'' from people, even if the reader desires that interruption.

Going even further, there is nothing special about ``annotation''. The symmetry of communication inevitably bites those who wish to make exceptions. If we try to make web annotation legal by dropping the requirement that the content author consent to the modification, then that applies equally to the annotations themselves. Many Third Voice users would have cried ``Censorship!'' if Third Voice started taking down notes for any reason other then community standards (and many certainly cried ``Censorship!'' when my techniques were used to prevent Third Voice from working on certain web pages), or even modifying them to suit their own purposes, but once you forfeit protection for the author, your own communication loses that protection as well. If anybody who has the technical ability can modify a web page by inserting content, then there's no way to limit that to just ``annotation'' or ``good'' uses; that means if somebody at AOL intercepts an email you send via their service and adds something to it ``just because they can'', there is no basis for complaint.

Perhaps the best way to look at this is to look at the Chain of Responsibility for the communication. For the original web page, only the original author of the web page is on it, since all other entities who are involved with transmitting the message do not affect it. When viewing a Third Voice ``enhanced'' web page, there's the web page author, the Third Voice company (who controls content via their centralized server), all the other people who used Third Voice to leave a note, and the user of the web page itself, because they installed and turned on the software.

One of the consequences of our right to free speech can be expressed as the right to control the chain of responsibility to the extent possible. Without the ability to deny others the ability to modify our messages we can not have confidence that what we are communicating is being expressed. The only possible ethical justification for Third Voice I saw given by its defenders is that a receiver has an ethical ``right'' to modify the page as they see fit. The reason this seems so plausible is that it is partially true; once the message has been received the recipient is free to do with it as they please in their own possession. But it is not completely true, because the recipient does not have the right to add other people to the chain of responsibility, allowing them to modify the message. Once the intended message of the author is altered or destroyed, the value of the web page to the author is also destroyed, and the end user does not have the ethical right to do that.

This is another way of looking at how the breaking of symmetry inevitably bites the very people who wish to benefit from it. Note that the end user does not have the power to insert the other entities onto the chain of responsibility. When two parties are involved, changes in the relationship require the consent of both parties; it's the same fundamental reason that when someone invites you over for dinner, it is impolite to invite somebody to come with you against the wishes of the dinner host, or when two people sign a contract, it takes the consent of both to change it. The wishes of the end user are not sufficient, so if we wish to claim that behavior is ethical, we must find some other basis to say that such external addition is ethical. But in the final analysis, the only basis that is even a candidate for that is mere technical ability to add other entities to the chain. Therefore, by opening the door to annotation we open the door to arbitrary content manipulation by anybody who has the technical ability. Annotation is merely a convenient term we give to certain types of content modification, but there is nothing fundamental about it; there are no sharp lines you can draw between it and more conventional content-based censorship of all kinds. In all cases, the ability of a sender to express themselves without interference from outside parties is irretrievably compromised.

In the long run, communication's value is directly connected to the reliability of the transmission of the information it contains. To allow messages to be arbitrarily degraded for a small short-term gain will inevitably make the system useless for all in the long term.

Follow The Effects

One last perspective on annotation from a technology point of view. One of the themes of this essay is follow the effects, not the technology. In this case, the effect of annotation technology is identical to what could happen if someone hacked into a web server, and installed software onto it that would cause it to provide annotation services to people who used it from that point on. That would literally change the contents of the server.

For people using the annotation programs, the effects are identical to the server serving out changed content. Yet nearly nobody would claim that this is legal or ethical. But this is really a contradiction; two things with exactly the same effect, yet one is ethical and one is not?

So, follow the effects. If it looks exactly like the content on the server is being modified, then treat it that way. If it looks like the server is being hacked to provide this service, then treat it that way. Otherwise, we open a loophole that will allow people to ``hack'' servers without hacking them, by riding the line between what even current law recognizes as illegal access and ``allowed'' annotation. For example, suppose I own a computer that a certain website uses as its connection to the Internet, so all packets that computer sends must go through my machine. Suppose I configure this machine to dynamically add a nasty picture to that machine's home page every time someone accesses it from the Internet. This looks exactly like somebody hacked the machine to include that nasty picture, yet it's all done by hardware I legally own, and if we're to allow arbitrary additions to the chain of responsibility, you are left with no real way to call the action unethical communication behavior. Yet we would certainly all feel this is highly unethical.

It is a testament to the consistency of the model we have built so far that three different ways of looking at the issue (as censorship, as insertion onto the chain of responsibility, and from the perspective of effects) all have the same result: Annotation should not be allowed.

No Annotation

In the end, the only workable way to allow free speech is to forbid anybody from altering the message between the sender or the receiver. Otherwise, nobody will be able to reliably transmit messages without assurances that the sense has been completely altered, even if we only allow ``additions'', even if we require those additions to be clearly labelled.

And why would we want to allow it, anyhow? For all those objections above, for all the problems it causes, including the fact it would eventually be co-opted by the companies themselves (see ``Smart Tags''), it doesn't actually solve anything. For all the speech it throws away, it does not enable any speech that people did not already have the ability to do. You can already complain about a company. You can already discuss products. You can already post reactions to news stories.

The only reason annotation is even interesting is that it adds the content ``directly to the page itself''. But this is not sufficient to counterbalance annotation's costs. The reality is that while you have the right to speak, and the right to listen, you do not have the right to be heard. If nobody choses to listen to you, that does not give you the right to start defacing the speech of others. You have no claim on somebody else's web page, only your own.

The solution to the annotation problem is, mercifully, the one that seems to be winning on the Internet: Give people their own spaces, and let them say what they like. The purest incarnation of this is found in the proliferation of weblogs. Protect these spaces, and everybody can say their piece with confidence that the messages they post will be reliably transmitted to their receivers. This, not an anarchy where anybody can fiddle with a message, is the true path to free speech.

Other Integrity Attacks

Annotation is probably the most interesting and perhaps the most direct attack on message integrity we've seen so far, but it is not alone. We need to make this entire class of activities illegal before one of them manages to become deeply entrenched.

Smart Tags

Smart Tags are a Microsoft technology that can automatically turn words into link-like entities on HTML pages, without the web page author's consent or even knowledge, and potentially without the viewer's consent or knowledge9. For instance, if the word ``Ford'' appeared on the page, it might add a link to the Ford homepage, or a page with information about Ford stock, or anything else Microsoft thinks might be a good idea... even if the word was used in the context of ``fording a river''.

The definitive article on Smart Tags is probably , from A List Apart. Note the parallel between the Microsoft's quote and the arguments in favor of annotation, framing them in terms of ``user empowerment'' to the exclusion of ``author empowerment'', as if there was a meaningful distinction between ``users'' and ``authors''.

This isn't quite annotation, but it's about as close as you can get without actually doing it, and it does demonstrate how large companies will swiftly co-opt that sort of technology if given the chance, and turn it into anything but a way for the little guy to ``strike back''. The technology is very similar to Third Voice, though a little more sophisticated and flexible (more then one central server, more flexible client manipulations). Adding new ``Smart Tags'' is limited to developers, since it would require programming, which practically means it is limited to companies since most ``normal users'' aren't programmers. ``Smart Tags'' were going to be used for the very things Third Voice was supposed to counterattack.

``Smart Tags'' do nothing for the users that they could not already do for themselves; if one is reading about greyhound dogs and suddenly has the urge to look up the stock value of the Greyhound Lines, Inc., they can do it for themselves plenty easily without assistance.

Advertisement Blocking

As advertisements become ever more annoying on the web, people are developing ways to fight back against the intrusion. Exactly how they do so brings up some subtle issues in how ethical that is, because there are several types of techniques with different ethical implications.

Browser-based blocking

Browser-based blocking is probably the easiest blocking technique there is, and if you didn't know about this before, consider this your reward for slogging through the essay this far. In the latest versions of Mozilla and derivatives, there are simple options to prevent pop-up windows for appearing. For instance, in Mozilla 1.3, going to Edit->Preferences, opening the Privacy and Security tab, and clicking on the Popup Windows text, will show a dialog that allows you to turn off pop-up windows. It's really nice in 1.3 and above because you can enter exceptions, if you have certain sites which require pop-ups to work correctly but you trust them to use pop-ups in a manner you approve of. In addition, in the Images section (just above ``Popup Windows''), you can tell images not to animate, which for the most part only affects advertisements. And finally, if you open the Advanced list and click on Scripts & Plugins you can disable a whole raft of ``features'' used mostly to annoy the user.

I personally recommend using Mozilla and activating these features, and leaving Internet Explorer only for things that absolute require it. Generally, after taking these steps the annoyance at the advertisements subsides enough that you don't feel the need to do the more extreme things I'm about to discuss.

Two interesting things about this: First, not all browsers even support the idea of opening new windows in the first place, so it can't be that big a deal to tell your browser not to open new windows. Second, everything I mentioned is solely under the users control, and none of these things depend on the content of the web page. All animating images will not animate, without regard to whether it's an advertisement or who created it. No pop-up windows open, unless they are from an approved site, without regard for what they will contain. These features are independent of the content. They happen to mostly affect advertisements but that's a consequence of the fact that mostly advertisers (ab)use these features. None of these settings do anything to block the simple, pure-text ads that uses, for instance, showing they are not directly targeting advertising.

Based on that analysis, there's certainly nothing wrong with configuring your browser like this, because as we've mentioned earlier, web pages are not unbreakable contracts to display certain things in certain ways, they are loose instructions for assembling images on the screen to the browser, and the browser and the browser user are free within the parameters of those instructions to render the content in many ways.

Some people are developing technologies that try to detect when the user is blocking popups and not allow them to proceed without viewing the ads. It is probably not ethical then to bypass these checks, as the content owner is clearly making access contingent on the ad viewing, which is within their rights. It's probably not a good idea to annoy a consumer that devoted to dodging ads, though, and it's unlikely the contents of the ad will leave such people with a favorable impression, so hopefully the open market will realize this and an arms race will not be necessary.

Filtering Proxies

The most sophisticated ad-blocking solutions are filtering proxies. The proxy works as in the proxy-based annotator, but instead of adding information, it takes it away.

An example of such a program is The Internet JunkBuster Proxy(TM), which can block certain URLs (including that of advertising images), and prevents certain information from being transmitted to web servers that most browsers send by default, such as cookie ( information. As seen in the annotation example, a proxy server can transform content in nearly any imaginable fashion, so the mature ones such as The Internet JunkBuster Proxy(TM) are very flexible and powerful.

Used as a tool by a single user, again I don't see any significant problem with such software, again because the ``contract'' of the web is not that the user must see all content precisely as intended by the author. A single user adding sites to his filtering proxy is similar to simply refusing to visit those sites, which it is in the power of the receiver to do. Some browsers, such as the variants on Mozilla, even build this into the browser; by right-clicking on an image you can tell the browser to stop loading images from that server.

There is an obvious scaling problem with this, though, in that advertising sites are popping up faster then a user can smack them down, and there is obviously a lot of redundancy in what each user does, as many of them choose to block the same sites. It seems like it would be a good idea to create a tool with a centralized list of bad sites, let users update it dynamically, and distribute software that checks the centralized database for what should be blocked. One piece of software that does this is Guidescope (

Unfortunately, this crosses the same line that annotation software does, by allowing third parties to influence the communication without the permission of the sender. It seems like it would be nice if we could salvage the ability to use this ethically, but that's an artifact of considering only the receiver's point of view. In the larger context, this must be considered a form of censorship and the limited benefits to certain people do not justify how dangerous it is to open the doors to censorship... even if you are yourself one who would benefit. Acting ethically is not always pleasant in the short term.

Using a filtering proxy as a tool is acceptable, until the proxy is using input that did not come directly from the user. This also implies that while it's OK to distribute the proxy server, the list that it uses to block sites with should start out empty so that only the user's input is used by the program.

Practically speaking, I find that using Mozilla and blocking popups and animating images, and optionally telling Mozilla to be conservative about what cookies it accepts, takes care of the majority of the problem with privacy and annoying advertisements without the use of unethical group censorship programs, so once again the benefits of such a scheme are quite marginal compared with the real damage to free speech (even commercial free speech) such programs do.

Spam Filtering via Blocking Lists

Almost completely analogous to how advertisement-filtering proxies can download a list of sites to filter out, a mail server on the Internet can download a list of sites to ignore the mail from. Many such lists exist, one of the most famous being the Realtime Blackhole List ( created and distributed by the MAPS (Mail Abuse Prevention System) (

Such lists have been used for censorship, deliberately and otherwise, many times already. For instance, see ``MAPS RBL is Now Censorware'' ( Even if you ignore for a moment whether the precise allegations in that article are true, it is true that the power to arbitrarily block communication for large numbers of people is given to these blocking list maintainers. The point is not that it is bad the power was misused, the point is they should not have this power at all. Spams cost the receiver money, but that still does not justify censorship as a solution to that problem. Instead, other techniques should be pursued.

Once again, the benefits of this scheme are marginal, compared to the significant costs. Not only are these blocking lists not working, there are better solutions that are also perfectly ethical. We are not handed a choice between discarding our ethics or living with spam, we simply must use solutions that do not involve third-party communications not consented to by the sender.

Such solutions include, but are not limited to:

None of these solutions require third-party influence on message reception. The only unethical solution to the spam problem is blocking lists, which also happens to be worse then all the solutions on that list. (Why are we using it then, you ask? Because it's also the easiest to implement.) Ethics need not tie our hands.

Automated Movie Censoring

In early 2003, a debate over a technology called ClearPlay arose (see, ClearPlay ( is a movie technology that takes a DVD movie and a data file from the ClearPlay service that describes how to play the movie, and will selectively censor the movie in accordance with those directions. ClearPlay is designed to clean movies up to the standards of its customers, removing nudity, violence, profanity, etc. and thus allowing these movies to be viewed in a family setting, where such things may be considered inappropriate.

Hollywood objects to this, such as is seen in this quote from USA Today (

"Artistically, we're offended by an arbitrary outsider deciding how you should see a film," says Martha Coolidge, president of the Directors Guild of America and director of such movies as Rambling Rose and Introducing Dorothy Dandridge.
I'm long overdue to finally say this: Hollywood is right. A parent is free to take a film and clean it up themselves, for viewing by their children (who legally are an extension of the parent), but when content from a third party, in this case ClearPlay, is included, that is the bad kind of censorship without permission from the original owner.

Unlike the other examples mentioned so far where the gain is negligible, there is a small loss of capabilities here in the case where even parents would like to see a movie, but without the profanity. This small loss does not justify the costs of allowing this sort of manipulation, however.

The theoretical ideal would be for ClearPlay to license the movies, make their changes, and sell the resulting movies, with some reasonable fee going back to Hollywood, so everybody wins. While Hollywood is theoretically within their rights to shut this down without debate, one does have to question how committed to this sort of integrity they really are, when they are perfectly willing to censor their movies to run them on television. Still, just as it is my choice about how to distribute this essay, it is a movie owner's choice about how to distribute their movie.

In 2003 the Electronic Frontier Foundation came out in favor of this (, demonstrating how hard it can be to recognize censorship if you aren't careful about understanding what's going on.


I'm not going out of my way to make an exhaustive listing of these things, so I've probably missed some currently existing systems that do this. And certainly until we come to a clearer understanding of the boundaries as a society, more people are going to have more bright ideas for this sort of censorship that seems to solve some short-term problem, while remaining blind to the long term disaster allowing such things will cause. I would be willing to bet money that within a year of the ``publication'' of this essay, to the extent this is ``published'', at least one more system will be proposed based around this idea. When it does, I hope you can recognize it.

The ``Patch'' Hole

What all of these things have in common is that on some level, they are applying ``patches'' to a message.

What Is A Patch?

A ``patch'' is a technical term in the computing industry that most closely matches this concept, of all the terms I am aware of. A ``patch'' represents the differences between two files. For instance, if I have a file that contains ``This is a dog.'' and a file ``This is a cat.'', the difference is the word ``dog'' in the first and ``cat'' in the second. A patch file describes how to start with one file and get to the other.

Patch files are usually written for computers, but they are generally very easy for a skilled programmers to read. Since it would not be very useful for you to know how to read them if you don't already know how, I'll simply discuss them in terms of English instructions. Patch files can be considered as instructions being fed to a proper interpreter, so re-expressing them as another set of instructions doesn't lose anything significant in the translation.

A patch from the first sentence I mentioned above to the second sentence might read as ``Remove 'This is a dog.', and insert 'This is a cat.'.'' That correctly describes how to get from one sentence to the other, but there are two problems with that. One is that it contains all of both files within it, which is a waste of space. The second problem is that there is a much more efficient way to obtain the same effect: A patch file that says ``Remove the word 'dog' and replace it with 'cat'.'' Now the patch is very space-efficient (especially in computer terms, where that entire sentence might boil down to just ``s/dog/cat/'' or some equally cryptic, but precise, formulation), and it also does a good job of highlighting the differences without repeating the similarities, which can be useful to human readers.

There are no particular limitations on the capabilities of a patch. As the two messages become increasingly dissimilar, the patch grows in size, until eventually it simply contains both files (the negative of the source file and the positive of the destination file, if you want to think of it that way; the photographic analogy is reasonably accurate), but the differences between any two messages can be expressed as a patch. Even the differences between two human-experienced messages can be expressed by a patch, in a sufficiently powerful patching language.

``Annotation'' works by patching the incoming web page to include the annotations in it. In the Third Voice implementation of annotation, you could even watch the patching happen, as the annotation markers trickled in and caused the page to be re-formatted. ``Smart Tags'' work by patching the web page to include new, special links that weren't in the original page. ClearPlay patches selected parts of the movie entirely out of existence; spam filtering patches entire messages out of existence. (The equivalent in terms of the sentence examples above would be ``Replace 'This is a dog.' with nothing.'') Advertising blocking uses all of these techniques, depending on which implementation you chose.

Complete Power Over Messages

Any single one of those things may seem harmless... ``How can it be bad to add annotations to a web page?'' The problem is that there are no technical limits to what patching can do. On a technical level, once you grant a third party patcher access to a message, they have complete control over it. They can change it to anything they please, with or without notifying the sender or the receiver of exactly what they are doing. (In the receiver-initiated cases, the patcher tells the receiver something about what they are doing, but there is no way for the receiver to be certain that the patcher is telling the whole truth, except through trust. To be fair, this is true of any software program.)

It is never a matter of ``just adding annotation'' or ``just censoring certain scenes'' or ``just blocking advertisements''. A patcher may claim that they are exercising restraint but at any time that restraint can end.

It is entirely unethical to ask a sender to send a message under those conditions. The value of the communication to the sender extends only so far as they have sufficient control over the message to do their best to ensure that their message expresses what they want it to express. When a third-party patcher is invited into the transaction against the sender's will, no matter what the patcher claims to be doing or even what the patcher actually is doing, the message ceases to be under the senders control and it becomes the patcher's message.

How can I claim it's actually becomes the patcher's message when it (usually) looks so much like the original message? Well, ask yourself who has control over the contents. For the purposes of concreteness let us talk about proxy-based annotation in particular for a moment, though the principle trivially extends to all other instances of patching. Support the web page author decides to add something to the page. Who controls whether that gets to the receiver if the receiver requests the page again? The proxy server can completely mask the new change out, in such a way that the receiver never notices. On the other hand, the author exerts no control over the proxy whatsoever; the author is probably not even aware of the proxy's existence. If the change gets through to the receiver, it is because the proxy graciously allowed the change through, not because the author made the change. There is nothing the author can do that the proxy can not veto, while the author has no say in what the proxy does.

Again, follow the effects. The patcher can effectively make any change they want. The patcher effectively has full control, even to explicitly contradict the author's wish. Therefore, the logical conclusion is that they do have full control. In terms of the effects, a patching system is equivalent from the receiver's point of view to the patcher actually changing the source code of the original message. If they actually did that in the real world, if ClearPlay actually went and modified the actual movie, if annotation servers actually hacked into web servers and changed the code for the page, if spam blocking programs actually hacked into other's computers and broke the mail sending facilities (and remember that very little spam comes directly from spammers nowadays, they relay from other people so you'd be hitting innocent victims, as tempting as such a drastic solution might sound), we would instantly know that something unethical has been done.

This is the ``patch hole'', a hole not just in the law but in our understanding of the world. Where we should see one unified effect, we see two sources and some technology for combination. We allow ourselves to be distracted by irrelevant technology behind the scenes and allow the technology to obscure the fact that accomplished in another manner (direct modification of the original source material) the action is obviously unethical.

Each of these patch-based technologies seems so innocent on first glance, but taken together, and taken to their logical conclusion, it paints the picture of a world where nobody can every have any assurance that a received message bears any resemblance to what they meant to say.

In each instance, there is a better way, or it's simply better not to do it. Any information a patch is adding can be communicated by other means; one need not mark up a web page to discuss the contents, one can go online to any number of bulletin boards dedicated to the task of communicating for that. Any patch that removes information, such as ClearPlay's product, should either simply not be done since removing information is a violent act that does unquantifiable and unqualifiable damage to a message, damage that nobody is fit to judge, or should be done with the explicit cooperation of the sender. Even if you aren't quite willing to believe right now that the costs are as high as I say they are, I hope you'll agree that the benefits are still so marginal and of such low quality compared to better solutions as to not be worth it.

Patching In Terms Of The Communication Model

Like ``censorship'' and ``privacy'', it's best to finally produce a concrete definition that we can use as a yardstick to tell whether or not someone is doing something unethical. Let's clearly lay down the criterion for what constitutes ``unethical patching'' so we can recognize it when we see it.

unethical patching
a message from a sender to a receiver is modified by the receiver in accordance with a message from a third party in such a way that the human-experienced message automatically depends on the third-party message (as ``dependence'' is defined in 9.2.2), without the consent of both the sender and the receiver, then the act of modifying the message is unethical patching.
This definition is actually quite elegant, because of the way it is based on the earlier definition of ``depends''. If there is no change at all to the human-experienced message, then there is no patch, whatever technical stuff may have been going on behind the scene. (Translation: It is actually OK to use an annotation service if you go to a webpage that has no annotations. Pointless, but ethical.) If the change is ``independent'', then there is no problem. (Translation: It's even OK for the annotation service to provide a console on the screen for controlling the service, as long as it is independent of the web page; the ones I've seen are.) Once the human-experienced message changes in a way that depends on the third-party content, the line has been crossed. The simplicity of the definition is the source of it's power; something so simple can not be danced around by hiding in a corner; either there are concrete parts intruding from a third party or there are not. This is an advantage held by this definition over every other ad-hoc attempt to justify annotation, but not changing the web page... or changing the web page by adding Smart Tags, but not changing the actual ``words''... or justifying ClearPlay while standing against other things in this chapter... or even trying to justify all of these things while still pretending that the result isn't simple anarchy, with the corresponding loss of free speech.

There are things that this definition explicitly does not cover. Note that ``unethical patching'' includes the concept of ``dependence'', so things that are independent of the message are still OK. For example, there are several toolbars you can download that will allow you to easily get a list of web page that link to the one you are currently reading. These links are independent of the message, so adding this information in an independent way would not constitute unethical patching. Such functionality is not ``unethical patching''.

The line starts to get fuzzy here; consider web pages. Alexa's tool bar shows the links in what is clearly a separate window not belonging to a web page., in addition to providing annotation services also provides a back-link service, but puts the information in the web page itself (which it can do because it functions as a proxy server). (As of this writing, it seems may have been unplugged.) So it's possible that even the same information in different places could affect how the original message is perceived and thus violate the independence of the original message. I personally would draw the line between Alexa and, saying that the information should not appear to belong on the web page, but I think it's much more important to understand that dependent content is bad then argue about exactly where independent content should go to make it clear it's independent, which will be strongly medium-dependent and even message-dependent anyhow.

The implied definition of ``independent content'' here would be ``content that it is at least possible to present in a fashion preserving the independence of the original message''. Backlinks can be shown in an independent manner; annotations can not, because by their very nature they depend on the annotation target for context.

Also note the word automatically. It's a critical word in the definition. Suppose you are running a advertisement-filtering web proxy and a friend emails you and comments that is serving a lot of ads. You can still manually add that domain to your blocking list, because there's nothing ``automatic'' about that addition. ``Automatic'' here means that the control over the results lies not in the hands of the receiver, but in some third party. Adding a single domain to the proxy, and thereby blocking content from that domain, is clearly an action of the proxy owner. On the other extreme, a proxy that automatically downloads updates every hour from some centralized server not under the proxy owner's control is giving the control to that central server owner.

Of course there is no way to easily draw a line that completely delimits how much control is given to a third party and how much is given to the receiver. You could sit all day and spin borderline scenarios... ``What if the user has to individually agree to each annotation?'' ``What if we make the user do something like copy & paste the annotations into the web page?'' ``What if the user has to type the annotation before viewing it?'' While there may be a thin boundary condition, what it boils down to is pretty simple: you can't allow someone else direct access to the message, to change it in any way. The message is between you and the sender. The key is the level of involvement you have with the decision.

Determining who is responsible for the unethical behavior depends on exactly who is doing what; the patcher may doing it against both the will of the sender and the receiver (perhaps it's government censorship), in which case it's the patcher's responsibility. Or the receiver may be doing something with the received message and using information from a third party without the third party's knowledge, such as in the case of framing, in which case it's the receiver's responsibility. The receiver and the third party may be cooperating, like annotation. It is not likely that the author is responsible, since in such cases the activity of the third party would then simply become part of the message; for instance, many large web sites outsource their advertising to a large advertising company, who will add images to the company's pages. However, this is intentionally part of the message the company wishes to send, so that isn't really a ``third party''. Accepting any third party the author invites essentially becomes one of the conditions of communication. Remember that since everybody is a sender at some point there's nothing asymmetrical about this; when it comes time for the current receiver to send a message they are equally free to impose such conditions.

Example: The GPL

Another aspect of ``the patch hole'' is that by allowing such things you effectively preclude certain very legitimate forms of protection.

Consider the GNU GPL. The ``GNU General Public License'' is a ``copyleft'' license, designed to be applied to software source code. Summed up very succinctly, the GNU GPL (usually referred to just as the GPL) allows you to take GPL-licensed code and do nearly anything you want to it, including change it and further distribute it, except you must distribute copies of the modified source code to anyone who asks for it whom you have distributed the program to, and the source code must remain itself licensed under the GPL. In essence, this allows for the creation of a common pool of code that is Free, and must remain Free, preventing anyone from swooping in, grabbing some code, making a lot of proprietary changes to it, and profiting thereby without sharing the changes back to the community who created the foundation in the first place. For more information, please see the GPL FAQ (

The GPL is an unusual use of the copyright system, but a very legitimate one, and while many have questioned its validity, it is difficult (and some would say ``impossible'') to formulate an objection to the license that would not apply equally to all copyright-based licenses. Unlike many copyright-based licenses that restrict your rights, the GPL focuses on guaranteeing certain rights, subject to agreement to its conditions.

The Linux Kernel, the very core of Linux itself, is protected under the GPL. Now, suppose Microsoft decides to distribute a Linux kernel. Under the terms of the GPL, Microsoft can do so, but must provide the source code to the changes to anyone who has a copy of their changed kernel. This doesn't fit into their strategy, so they seek to bypass this requirement. Instead of creating a single file that contains the changed kernel directly, they compile a ``clean'' version of the kernel. They then make their changes, and compile a version of the kernel containing their changes. They then create a patch that converts the clean kernel to their changed kernel.

Suppose Microsoft now distributes this clean kernel and the patch. (In other words, they never directly distribute the modified kernel.) In the process of installing the Microsoft product, the installation program dynamically combines the pristine kernel and the patch on the user's system to produce a copy of the Microsoft modified kernel. With sufficiently clever programming, the system can even do this in such a way that an actual copy of the modified kernel never actually exists anywhere all at once, only bits and pieces of it.

Linux hackers notice the inclusion of the Linux code and triumphantly demand that Microsoft distribute their source to the kernel. Microsoft does so by sending out a copy of the ``pristine'' kernel source, straight from the original source code, declare they never distributed the modified kernel and are therefore not required to distribute the changes. Voila; one inconvenient license, patched around.

When you allow people to patch with ``clean hands'', you destroy all derivation-based protections afforded under traditional copyright, and still valid for concrete parts. Any derived work can be expressed as the original work(s) plus a patch. This destroys the GPL, many clauses of many software licenses, and a wide variety of established protections for messages of all kinds.

``Patching'' is not an ethically neutral event. Follow the effects. Patching is effectively the same as distributing the final product.

Integrity of Messages as Derivation Trees

Recall that in section 6.2.2, we observed that expressions are their derivation trees. The same is true of messages, they are their derivation trees, it's just that messages may have much more complicated relationships then traditional expressions. In fact, it was an exploration of those more complicated relationships that first convinced me that the expression doctrine is not useful for understanding the current communication world.

This chapter's thesis is a somewhat subtle argument, so let me re-cast it in terms of derivation trees (see 6.2.1) and quickly run through the argument in terms of derivation trees, with the advantage that I get to use pretty pictures that way. First, we need to make two simple observations:

Observation 1: All Human-Experienced Messages consist solely of Concrete Parts

The difference between ``expression'' and ``message'' is mostly that a ``message'' can lead a much more dynamic life. Many modern, dynamic messages are only useful in relation to other messages. For instance, ``the homepage of CNN'', in the most pure sense, is really ``a program that assembles the latest news and a list of links to CNN's other web services and shows it to the user'', not the specific HTML you receive when your browser retrieves ``''. That specific HTML page may never be seen again, but the description based on what the homepage program does is always true, regardless of the news.

Figure 28: The ``real'' CNN homepage, simplified (the page contains more then just stories, but this is enough)

Thus, the best representation of ``the home page of CNN'' is as seen in figure 28. There's this program, that draws from variable input, and produces a web page as output.

Figure 29: A fully concrete CNN homepage, simplified

But in the end, a given human-experienced message must be entirely concrete. You can not directly ``experience'' CNN's homepage without actual content. (The closest you can come is that you can examine the source code of the ``home page program'', but that's not the same.) Until all of the arrows are actually coming from something concrete, you can't experience the abstract page. You can only experience something as in figure 29.

It's important to understand that figure 28 is a more accurate representation of ``the home page of CNN'' and that 29 really represents just a particular incarnation of that message.

Observation Two: The ``Sender'' is Always On Top

The way I'm drawing these diagrams, the sender is always on top.

Why is that? Because of the dynamism of messages, as demonstrated by annotation and composition and all of that other stuff we see in the real world, it is obvious that no matter what concrete parts go into making up the message, the person who has the final say has full control over the message; they choose whether to bring two things together, or mask something out, or replace this with that, or what have you. That entity has the power, and therefore the responsibility, of being the sender.

The complementary statement is also true, effectively by definition. The entity that has the final power to change the message is the one that belongs on top, as near the receiver as possible. Of all the entities who may be involved in a given message, that is that one, the only one that makes sense to represent as interacting with the receiver.

This is why in section 7.3.2, when I modelled this essay as a real published book, it is the publisher who is the sender. Intuitively, it may seem like the author is the sender, but it is not the author who has final authority over what is in the book. It is the publisher, who has contracted with the author for the rights to use the book in the publisher's complete message, which will include the text of the book itself, but also additional content, such as a cover and advertisements in the back. If the publisher decides to simply not print pages 26 and 27, then the author can not truly stop them. Thus, it only makes sense to call the publisher the sender; they enjoy privileges that no other entity does, or even can. Being a sender is a meaningful privilege and responsibility.

In summation, an entity is the sender of exactly that content which they can change and nobody else can override that change. Any other definition of sender will result in situations where the putative ``sender'' is responsible for something they can't change, or situations where the sender can change things they are not responsible for, both ethically repugnant.

Representing Integrity

Figure 30: Annotation Derivation Tree One: Annotations and Original Content fully independent

Figure 31: Annotation Derivation Tree Two: Annotations using Original Content as source material for a new annotated composite message

Reducing the equation down to the Receiver, the Original Content, and the Annotations (encapsulating the rest of the details), the question is which diagram more accurately captures the spirit of the situation.

Obviously, an annotation defender would claim the diagram in figure 30 is more correct. The annotations are separate from the original content, at no time are they truly ``mixed'', and the receiver is just choosing to use a program that happens to allow them to view both the annotations and the annotation target at the same time. The final viewed page with the annotation content is not a ``derivative message'', it's just two things being displayed simultaneously.

This argument falls down in many ways, any one of which is fatal.

  1. The annotation program and the annotators have full control over the annotated web page. By the discussion in 9.6.2, that means the annotation provider is the sender of a combined communication, since the annotation vendor can unilaterally make changes to the original web page, and the original web page owner can do nothing about it. Therefore the annotations do constitute a change to the message and the original sender does have the power to object to that.
  2. Having two communications, and two senders, implies that the two communications are independent, in the sense that a change to one should not affect the other. But that is not true, in either direction. A change in the annotations appears as a difference on the original content. A change in the original content has the power to completely shift the context of the annotation comments, or, depending on the technical implementation, ``orphan'' the annotations (by removing the text the annotation is anchored to). Figure 30 completely fails to capture this fact, and as such is not the correct way of looking at things.
  3. Perhaps most damning of all, the diagram does not capture our intuition of what is taking place. The annotations are intimately related to the web page, or they wouldn't be annotations. Trying to understand them as separate is a disingenuous attempt to justify something that can't be justified. (Many annotation supporters find themselves straddling this fence: On the one side, they defend annotation as being independent and totally unrelated to the original content, and therefore not constituting a derivative product. On the other side, they promote annotation in the first place as a way of commenting directly on the original content, because the very attraction of annotation is that it is directly based on the original content. Consciously or unconsciously, they find themselves dancing ( between these two propositions.)
The reality is that figure 31 is far more accurate.

Figure 32: Annotation as an ``overlay'' on top of content

The other major argument can be summed up as a diagram in figure 32. Translated roughly into English, this is the ``Annotation as overlay'' argument; that an annotation is just an overlay placed on top of other webpages and as such does not truly affect them. The problem with this argument is that it is only true in the abstract. Without mixing in the original web page, the annotations, well, aren't annotation at all, they're just posts on a message board somewhere. This argument runs smack into Observation One in section 9.6.1. The act of ``overlaying'' is not an ethically neutral act, it can damage the concrete message it is overlaying, and annotation (and other integrity attacks) require the overlaying to be what they are.

The root of this disconnect is that people making the ``annotation as overlay'' argument are implicitly defending their right to comment on things, and believe the annotations themselves are being attacked. This is not true; it is the act of overlaying that is being attacked. Your ``annotations'' are free to exist as message board postings on another site, or as commentary on television, or whatever other independent message you care to use to comment on my message, but as soon as you ``concretize'' figure 32 by using my content as the ``...'', you have stepped over the line and created a derivative of my original message, no matter how cleverly you try to use technology to obfuscate the act of creating the derivative product.

Applications And Examples

Applications and examples of the principles so far explored, to make sure we all understand what I'm saying:

TiVo: Tools vs. Content.

TiVo ( is the most well-known ``Personal Video Recorder'' (PVR). It ``knows'' when television shows are going to be on, and can record them for you according to a variety of conditions you can give it. Since it records to a hard drive, you can then later watch these shows however you wish, whenever you wish, jumping around them, fast forwarding, rewinding, or skipping back with impunity. It also provides the same services for up to 30 minutes of Live TV. I highly recommend owning one if you like TV at all, or if you ``don't like TV'' but find that you sometimes like certain programs either. (I don't know that there are very many people who ``like TV'' as in ``liking the vast majority of programs they see''; I'd suspect nearly all of us only like single-digit percentages at best.)

The television industry has mixed opinions about the whole thing; on the one hand it vastly increases the value of their offering with no particular effort on their part. On the other hand it allows consumers to skip commercials, and it seems some television executives believed that there was an unbreakable contract between the television producers and consumers that the consumers must watch the commercials ( Apparently these executives don't watch TV much themselves, or they'd know about the invention of the Mute Button, along with Channel Surfing, Using the Bathroom, Getting a Snack, and of course just plain Ignoring the Commercials, along with the wide variety of other ways people have found to not watch commercials on television.

Interestingly, and perhaps to the television executive's chagrin, none of this message integrity analysis affects TiVo. TiVo is just a tool that does as you say, it contains very little content of its own (and that content is correctly independent of the television shows). Skipping around and such under control of the user are perfectly valid uses of the message. While television executives may prefer that you watch a television program straight through, they really have no grounds to make that demand.

If TiVo tried to send a programmed sequence of commands to your machine so that you could, say, skip over commercials automatically, that would be over the line, because that would be sending a patch to remove commercials from the television show using a TiVo, patches very dependent on the exact show being shown. The current TiVo is fine, though, and is just another example of how the receiver will continue to be empowered by technology.

ReplayTV provides a great borderline case. ReplayTV is another PVR, one that tried to ship just such an automatic commercial skipping algorithm. This automated commercial skip, which is also a feature in at least some VCRs (my parents have one) is technically not accomplished by sending patches through to the user, especially in the case of the VCR which is not connected to anything. In the end, though, it's equivalent to such a patch and is basically a smart filter, and is probably a textbook case of being just barely over the line. As such, it was ethically correct to remove it from the product (,1367,58957,00.html). (Though that does bring up the question of how ethical it is to remove a paid-for feature from a product after the owner buys it.)

But What About...

I've been thinking about this and debating these issues for a while. I see the same counterarguments over and over again, but the problem is not that they are wrong, it's that they simply don't apply. As usual, they boil down to bad physical metaphors being applied in a domain where our physical intuition is nearly useless:

All of these misinterpretations of what I'm saying center around missing the primary point: The point is not about trying to limit what the receiver can do. The point is the message should be kept pure. As long as the message remains untouched by other external messages, the receiver is free to do as they please.

Of course identical arguments can be made in any physical domain, not just television. I use television because it's the one that seems to be brought up most often, even when the debate does not otherwise involve them.

Similarly, even when the debate doesn't involve annotation, people frequently defend integrity attacks in terms of annotation, so for the flip side arguments let me express them in terms of shared website annotation:

The basic fallacy here is an attempt to divorce the effects of a process from its technical implementation. These metaphors are all trying to justify the technical methods used to do the annotation, but fail twice: First because the physical metaphors can't conceivably apply anyhow, and second because it's not the mechanism that's the problem anyhow. Follow the effects. The real pertinent question is whether or not the effect of website annotation is ethical or not, regardless of how it is done, and I believe I've made a convincing argument that they are not ethical.

In fact this argument traps most people who use it, because they are not willing to follow it to its logical conclusion. First, if the technology is OK regardless of how it is used, as these metaphors implicitly argue, then they must prepare to have it used against them by other people, including big corporations. Secondly, the same technology can do all of the things mentioned in this chapter; sure, it may seem like fun to annotation Microsoft's web page, but are they prepared to live in a world where Microsoft can make 90%+ of the web browsers hitting their web site see a special Microsoft-approved version, where Microsoft dynamically twists the page to say what Microsoft wants it to say? It's the same technology; to be consistent this needs to bother you not at all.

This reveals a strength of this ethical theory. Many people proposing the arguments above genuinely have a hard time seeing the difference between website annotation and scribbling a note to their buddy, which I can't blame them for because it took me a long time to articulate it myself. Using this theory helps us see the differences like differences of scale and differences of effect on the concrete parts that go into a final message. Even if you don't agree that the differences affect anything, you can still now see that there are indeed real differences between the two actions, and that as a result, proving that note-scribbling is ethical by no means automatically proves wide-scale website annotation is; they are more different then they are similar and convincing me otherwise will take much more then that.

Why Is Integrity Desirable?

It is worth taking a moment, having carefully defined and explored message integrity, to justify why it is a good thing, and why protecting message integrity is important enough to justify trumping the theoretical benefits some of the integrity attacks, such as annotation or ClearPlay's service, offer.

The logic is quite simple, flowing almost directly from the definition of free speech:

the right to free speech
The right to send any message in public, and the corresponding right to receive anybody's message in public, without being pressured, denied access, arrested, or otherwise punished by anyone, subject to somewhat fuzzy, but fairly well-understood exceptions.
This is straight from 4.2, suitably updated for a message model rather then an expression model. The bold parts are the key point: If you can not know that your message is going to be accurately transmitted without someone else degrading its integrity, then you have lost the right to ``send any message'' in public; instead, you only have the right to ``send a message subject to somebody else's modifications''. This is not Free Speech.

On the flip side, the more-unusual case of externally-imposed integrity attacks (forcing everyone to use censorware for instance) means that you can not access anybody's message. You can only ``receive a message subject to somebody else's modifications''. This is not Free Speech.

You can not have Free Speech without guaranteeing integrity.


Message integrity attacks are very dangerous because of their ability to destroy the value of communication for everyone who can not afford to ``defend'' their message against all possible attackers. (Since ``defending'' a message is effectively impossible, that's basically everyone.) Moreover, the ``gains'' of such integrity-attacking schemes are themselves marginal, as compared to the damage they can do.

Unfortunately, message integrity attacks are also very subtle, taking advantage of weaknesses in our physical intuition, weaknesses in our understanding of communication ethics, or cloaking themselves in fancy-sounding technology while downplaying the effects of such technology. Even otherwise well-meaning people will defend some integrity attacks, especially when they seem to be a way for the Underdog to strike a blow against the people in power, a narrative we Americans have a weak spot for. The best way to combat this is to acquire a clear understanding of what message integrity is, and to defend it where ever we see it under attack.

In the long run, the only way to have true Free Speech is to allow everybody to speak their messages with the assurance that it will be transmitted with integrity. Free Speech is only guaranteed when nobody has the ability to alter our messages without our permission.

next up previous contents
Next: Misc. Up: The Ethics of Modern Previous: Privacy   Contents