Hundreds of passwords. Misogynistic and other toxic trolls poisoning online discussions. A few dominant e-commerce providers and a decimated small retail landscape.
We celebrate the Web — England even knighted its creator, a lowly non-physicist programmer at CERN. Yet the “Web” that he created was a primitive and haphazard application layer on top of the very robust Internet protocols that had been created by Bolt Beranek and Newman and others for the US Department of Defense. According to computing pioneer Alan Kay, the Web was “created by amateurs”.
According to computing pioneer Alan Kay, the Web was “created by amateurs”.
The Web was one of those creations that was inevitable in some form: the underlying network — the Internet — had been created, and now an application layer was needed. Tim Berners-Lee was in the right place at the right time and was merely the lucky first to see the obvious: that a more visual way was needed to share data on this new network. He saw that only because he was in the position of helping physicists to get access to data. It was his job. The visual paradigm he used, hyperlinks, was not even a new idea.
Unfortunately, what he created violated a large number of basic computer science principles, and established an untrustworthy and crippled foundation for everything since. His ill-considered creations are called HTTP and HTML, and they are things that we really should shelve in their entirety and re-envision something entirely new.
Why do these things lead to our current password chaos, toxic online discussions, and retail apocalypse?
It is complicated, but the core issue is simple to express: these “Web” protocols embed no trust framework. Further, they are — due to their very poor design — inherently fragile and permeable: that is, they are easy to hack and easy to break. And that’s because — guess why! — because they violate so many basic computer science principles.
The Web broke every rule of good design.
It is not like there were no better ideas at the time. Alan Kay had proposed that an Internet application layer should serve objects, rather than pages. Berners-Lee was apparently not interested in anything so esoteric, and cobbled together something that broke every rule of good design: mixing data and control side by side (one of the sources of HTML’s insecurity, including the infamous SQL injection attack), mixing protocol semantics with application semantics (HTTP return codes, multipart message headers — things that an application programmer should not have to deal with), a typeless syntax — it is a terrible mess. It is hard to program to, and has been layered onto a hundred times to remedy problems, creating a paleontological Frankenstein mish-mash that programmers either pull their hair out over or do the minimum and hope that they don’t miss something important.
Here’s why our password chaos is a result of all this: The Web has no embedded trust framework. If I post something to a site, the only way that site knows who I am is to require me to create an account so that I can log in. That means that every website has to make me create an account with them — password and all. So now we each have hundreds of passwords, one for each of our online accounts.
After three decades of this escalating mess, an awful solution has emerged: we store our identities with companies we “trust” like Facebook and Google — LOL! — and let them log us into other things. No thanks.
The core issue is that there is no built-in way for each of us to decide at any moment if we want to share our identity with a given site. To share our identity, we have to go to the trouble of creating an account with that site — or give up on privacy and let The Devil (Google and Facebook) vouch for us.
Why is there not a universal trusted identification system, such that we can choose when to share our identity upon request? An identity system should be built into the protocols. It should leave us in control: it should not share our identity automatically; but if we choose to state who we are, it should be one click.
The Web does not have that. It could have had that. Adding it now would be hard — unless we start fresh.
What about toxic trolls online? It turns out that those jerks are a tiny minority of online posters, but like the proverbial bad apple, they ruin it for everyone. What if people could choose to only join forums that require others to reveal their identity? We would see the landscape of online forums become differentiated into those that are anonymous and those that are non-anonymous. The anonymous ones would become the toxic ones. The non-anonymous ones would become very polite.
LinkedIn is a great example. In LinkedIn, people can really see who you are: where you work, etc. Fake accounts are easy to spot. As a result, people are very polite in LinkedIn forums, most of the time. Compare that with other forums, where people are not so polite, to put it mildly.
We need anonymity to be available online — but not everywhere. It needs to be easy for a forum to require identification, without having to force people to go through the trouble of creating an account. But again, there is no optional but built-in identification system in the Web.
And what about the dominance of Amazon in online retail? Well, I know why I personally started using Amazon for everything: they had my credit card. It is a lot of trouble to create an online account with a retailer and set up a credit card: you have to go fetch your wallet and type in all those numbers. Amazon stores my card data online and provides “one click purchase” (which they have a patent on). They were devious: they started with books, but progressed to everything else. It is the ease and simplicity of buying on Amazon; and it is all because Amazon knows who we are and can link that to a purchasing instrument that we have stored with them.
But what if the Web had a built-in way to identify us, when we choose to use it? If it had that, it would be simple to layer on a built-in way to create online wallets (perhaps maintained by our bank) that are securely identifiable and linkable to one’s identity.
We then would not need for commerce websites to build in any credit card functions of their own. Amazon and other established commerce sites would lose their advantage: every site could easily provide online purchasing, without ever having to ask for our credit card data, and without even having to ask us to create an account! It could even be done in such a way that our identity remains anonymous to the website when we make a purchase.
That’s actually how services like PayPal work: a merchant can leverage your PayPal identity and its link to the credit instruments you have stored with PayPal. However, PayPal is not a universal feature of the Web, and it charges a fee. Also, its function is limited to making purchases — not enabling us to identify ourselves when we choose — so it can’t eliminate all those passwords we keep.
We need things like PayPal and our many passwords because there was no authentication system built into the Web.
Let’s start over and create a new Web. The underlying TCP/IP protocols have issues: one of them is that it does not automatically reestablish dropped connections. That is why we have to often restart our routers and other devices when something goes wrong: the Internet protocols put the burden on the application to restart a lost connection, and many applications do not handle that correctly. But TCP/IP is pretty good, and the newer version 6 is much better. And a proper Web application layer — a HTTP replacement — could solve the dropped connection problem.
There have been major improvements to the application layers that define the Web. We now have HTTP/2 and /3 is coming, but these maintain the original design approaches. More on that in a moment. (I should note that application programmers view HTTP as a “transport” protocol, but that’s a matter of perspective.)
We need a fresh start that is fundamentally non-brittle and fundamentally secure. There actually are alternatives now, and more are coming. One is HTTP/2, but while HTTP/2 has many advantages, it does not provide a built-in trust framework. On the plus side, it does make object-oriented approaches possible — such as WebSockets/WebIDL or gRPC — since it enables a much more bidirectional interaction between the user’s computer and remote computers.
However, while these approaches enable programmers to code in terms of objects, they do not fundamentally change the way that the Web works: they do not realize Alan Kay’s vision of objects interacting securely and dynamically across the Internet: for that, there needs to be a trust framework. Instead, protocols like WebSockets and gRPC merely let a browser page formulate requests as object calls. It is more robust from a programming perspective, but does not give us any truly new capabilities.
An HTTP/3 is also in the works, but that really only aims to make things more efficient, rather than changing the paradigm.
The mood is ripe: there is interest in remaking the Web among those who are in a position to do so — Google and their ilk. The question is, will they remake it for their benefit — solving their problems in their quest to monetize us and lock us in — or for our benefit and our need to retain privacy, personal agency, and freedom to choose who we obtain our products from?
It could have been better. It still can be, but I would not put money on it.
For it to get better, people would have to disempower the most toxic companies, such as Facebook, Amazon, and Google, by boycotting them, but I don’t see that happening. And organizations that actually are trying to make things better for us, such as Mozilla, would have to be given more power, yet the public does not understand that, and so usage of Mozilla’s Firefox browser has been declining.
So my money is on the Internet eventually becoming more and more of a walled garden controlled by Facebook (now “Meta” — God help us), Amazon (Jeff Bezos wants to control the resources of the asteroid belt, and make Earth a park where only “certain” people can live), and Google (who have cleverly given us a Trojan Horse called Chrome) — a kind of Disneyland, with everything controlled by a few big companies and their hierarchy of chosen partners, while our government sits by, talks big, but does nothing, and even when it does do something, it is too little and takes so long that things change to make the government’s actions irrelevant.
What we really need is more tactical oversight of the Internet, by a group in which industry representation is present but is a minority, and the majority represents us: the people who use the Internet. In the US it could be the FCC, if the FCC were less subject to political influence and also if it had a deeper technology oriented mission, which included technical issues that impact everyone.
But for that to happen, there would need to be strong public awareness that the Internet is broken. And there also needs to be public awareness of how deeply the brokenness of the Internet affects us, and will affect us even more over time, as a few companies tighten their grip.
For the public to become aware, strong voices would need to arise and come together. Public advocacy and awareness groups such as EFF, Software Freedom Law Center, Freedom To Tinker, Public Patent Foundation, FreePress, Press Freedom Foundation, ibiblio, Groklaw, MediaCitizen, and Public Knowledge would have to gain more attention by the public.
Public-minded technology organizations such as Mozilla would then gain more influence because people would be more aware of how their freedom and agency is being eroded. But for that to happen, we need the general media to pay more attention to these issues and bring attention to those advocacy groups.
I am not holding my breath on that, particularly as people increasingly allow their news to be filtered and algorithmically altered by the very companies that we need protection from. If you get your news through the recommendations of companies like Facebook, you have basically decided that you are okay living in a walled garden. As a society, we will choose, knowingly or not.