Why should CIOs care about the DMCA's jailbreaking rules? Despite Pollyanna assurances that locking down a box will make everybody more secure, that's just not true--and it decreases choice.
How do you boil a frog? That's the classic thought experiment. The answer: slowly. If you throw the frog into the boiling water, he'll jump out. But turn up the heat slowly, and it's curtains.
I'm starting to think this way about Secure Boot, the Digital Millennium Copyright Act (DMCA), anti-jailbreaking sentiments, and the gradual erosion of IT's ability to extend the life of business assets and/or take other actions that may be in the interest of the organization. With the DMCA exemption for jailbreaking expiring, CIOs need to weigh in with the U.S. Copyright office.
Like many of us, I have been working in IT long enough to see lots of companies and technologies wax and wane. When an organization buys something, that organization tends to want to use it a good, long time, particularly in particularly in manufacturing or point-of-sale use cases. Witness all of the WinXP--heck, WinNT--kiosks that are still in use. Witness all of the old PCs that get turned into thin clients. We also all know folks who have had to go in and reverse-engineer something because the app developer went out of business, and the customer needed their data exported to something else.
The immediate battle cry of DMCA is to prevent intellectual property theft. That's fine, but the larger perspective is that an organization may need an asset to survive the whims of fashion, and be able to continue servicing an asset without being forced into an upgrade or a rip-and-replace treadmill.
How is the heat being turned up on IT? On the one hand, there's a huge celebration to be had because it appears that the PC lifecycle treadmill, rip-and-replace every four years, shows signs of slowing, or at least thinning out. After all, we have tablets, and not every worker needs a tablet. But, now let's look at the lifecycle of mobile devices, which can be shorter than a PC's. For example, the original iPhone, released on June 29, 2007, was essentially end-of-life when Apple released iOS 4 on June 21, 2010, since app manufacturers started creating apps with features not supported on iOS 3.
Now it appears that app stores and walled gardens are being quietly erected on IT's Swiss Army knife--the desktop computer. Apple led the way in creating a sandboxed app store for Mac OS/X, where no system-level apps were allowed. Windows 8 will require a secure, trusted boot, which in some scenarios will mean that users cannot install another operating system. In particular, ARM devices running Windows 8 must offer Secure Boot, and the user must not be able to change it in order to get Windows logo compliance.
This creates joy in some circles--"oh, good, we're secure," but the fact of the matter is that you're actually faced with fewer options, and you're not all that secure. Don't believe me? Ask "Bunnie" Huang, the MIT-educated engineer who famously hacked and modded the ostensibly-secure Xbox.
In a recent conversation, he told me, "Secure Boot doesn't get you all the security you thought you had. While you're locked from the boot, a program's buffer overflow still compromises your system. It doesn't save you, ultimately, from a determined attacker. It just makes it highly inconvenient and illegal."
Just because we wear suits and work in office buildings does NOT mean that we are on the same side as DMCA proponents. Anything that makes life harder for IT is bad. And, despite Pollyanna assurances that locking down a box will make everybody more secure, that's just not true, and it decreases choice.
Huang said, "For equipment manufacturers who have to deal with issues of sustainability, service, and cultivating the aftermarket: I'd like them to know that it's possible to have it both ways. They can design secure systems with an 'opt-out.' A simple example is to equip a switch with a tamper-evident seal that, when flipped, opts you out of Secure Boot. Breakage of the tamper-evident seal would void your warranty, but it also allows customers to load an alternate firmware that's not signed or secured by the original corporation...To date I haven't seen any vendor intentionally create an opt-out switch (some have by mistake). Without a DMCA exemption, it means that the IT equipment companies are buying this isn't really 'theirs' because technically they have no clear legal method for circumventing the Secure Boot and doing things like patching bugs, servicing parts, or repurposing old equipment."
When I spoke to Jay "Saurik" Freeman, a software developer and tech consultant who runs the Cydia alternative app store for the iPhone, he said, "Classically, when you had a computer at a company, it was owned by the IT, but now, it's essentially owned by Apple. If a company needs something beyond what is provided by Apple or the vendor, they can't." Is that really what we want?
And that's the major question: Who really owns the tech? If you wanted to lease the tech, you'd lease it. But no, you're buying it, except that it gets treated as if it doesn't belong to your organization.
I'm not saying that we should all go out and void our warranties on our iPhones. But I am saying that the DMCA provides what Huang calls "The 'nuclear' option when it comes to the uneasy truce between OEMs and IT. IT absolutely needs to reserve the right to service and support platforms after the whims of fashion bring the OEMs elsewhere. And IT needs to reserve the right to exit the upgrade treadmill and avoid planned obsolescence. The nuclear option criminalizes something that should not be criminalized.
Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at firstname.lastname@example.org or at @_jfeldman.
As enterprises ramp up cloud adoption, service-level agreements play a major role in ensuring quality enterprise application performance. Follow our four-step process to ensure providers live up to their end of the deal. It's all in our Cloud SLA report. (Free registration required.)