The New York Times reports that RealNetworks has introduced an “authorized” version of “Scrabble by Mattel” to Facebook, in an effort to compete with the enormously popular Scrabulous. CNet is puzzled, in part because the “official” app is unavailable in the United States or Canada.

For those not yet hooked, Scrabulous has been providing a Facebook application that lets Facebook friends play the game of Scrabble online. If the game numbers increment sequentially, it has served more than 2 and a half million games, and claims 629,256 daily active users.

In January, BBC and others reported that the Scrabulous team and Facebook had received takedown demands from Hasbro and Mattel (the two companies divide worldwide rights to the Scrabble trademark). Months later, however, Scrabulous remains online, probably because the threats’ legal merits are murky: there are few rights to “a game” as such.

Three kinds of intellectual property might protect aspects of a game — patent, trademark, and copyright — but each has limits that leave plenty of room for imitators and emulators.

Berkman’s Stop Badware project just released a new study, in which they report the “paradox” that most users feel safe online, despite a rash of malefactors and potential mishaps:

CAMBRIDGE, Mass., March 31, 2008 - Nearly 90 percent of Americans say they feel safe online despite the rising tide of spyware, phishing and other badware threatening Internet users, according to a new poll sponsored by StopBadware.org, the consumer protection initiative aimed at combating dangerous software.

…

“What we have here is an Internet security paradox,” said Maxim Weinstein, who manages the StopBadware.org team at Harvard Law School’s Berkman Center for Internet & Society. “Americans see themselves as safe online, even as we see an ongoing trend of organized criminal elements using the Internet to target unsuspecting users.” Weinstein will testify at the Federal Trade Commission on April 1 about how to better educate users about the dangers of phishing, a deceptive practice responsible for $2.1 billion in identity theft damages last year, according to Consumer Reports.

I wonder, though, do we think that mistaken feeling of safety is a bad thing? I don’t — I think it’s great that we have enough of a safety net that people who don’t have the technical competence to deal with PC security threats nonetheless are being generative and participatory. I don’t think we’d gain by scaring those Internet users, even through education. While malware problems are often compared to public health, we don’t have a solution that’s as easy and effective as one-time vaccination to make computer users safer.

I’d suggest instead that social insurance and systematic efforts to prosecute criminal use of malware are better responses than demanding that individual Internet users pay attention, educate themselves, and stay vigilant against ever-mutating threats.

The FCC is in Cambridge today, for a Berkman-hosted open meeting (PDF) on Network Neutrality.

Congressman Ed Markey introduces the panel with recollections of his fight against mandated access charges for dial-up connections. Flat rate connections, initially allowed Internet to flourish, as Internet users built out a Net freed from the shackles of long-distance timers.

Markey clearly gets the ‘Net: “The Internet is as much mine and yours as it is AT&T’s, Verizon’s, and Comcast’s…. The nature of the ‘Net is not about the carriers and the services they provide… they provide access, not service. … This is ‘No Country for Old Bandwidth.’”

Markey understands that the value of the Internet’s potential, is greater than even the best current application: “The beauty of the internet is its wonderfully chaotic, ever-evolving nature… its ability to reinvent itself every single year.” Let’s hope the rest of the hearing strengthens that vision.

Join in: Join the Berkman IRC channel or post questions.

Over at Huffington Post, David Weinberger posts a critique of Facebook’s new “social advertising”: Facebook’s Privacy Default.

The new ad infrastructure enables Facebook to extend their reach onto other companies’ sites. For example, if you rent a copy of “Biodome” from Blockbuster.com, Blockbuster will look for a Facebook cookie on your computer. If it finds one, it will send a ping to Facebook. The Blockbuster site will pop up a “toast” (= popup) asking if you want to let your friends at Facebook know that you rented “Biodome.” If you say yes, next time you log into Facebook, Facebook will ask you to confirm that you want to let your friends know of your recent rental. If you say yes, that becomes an event that’s propagated in the news feed going to your friends.

…

Yet, I find myself creeped out by this system because Facebook gets the defaults wrong in two very significant areas.

When Blockbuster gives you the popup asking if you want to let your Facebook friends know about your rental, if you do not respond in fifteen seconds, the popup goes away … and a “yes” is sent to Facebook. Wow, is that not what should happen! Not responding far more likely indicates confusion or dismissal-through-inaction than someone thinking “I’ll save myself the click.”

Further, we are not allowed to opt out of the system. At your Facebook profile, you can review a list of all the sites you’ve been to that have presented you with the Facebook spam-your-friends option, and you can opt out of the sites one at a time. But you cannot press a big red button that will take you out of the system entirely. So, if you’ve deselected Blockbuster and the Manly Sexual Inadequacy Clinic from the list, if you go to a new site that’s done the deal with Facebook, you’ll get the popup again there. We should be allowed to Just Say No, once and for all.

Why? Because privacy is not just about information. It’s all about the defaults.

In one sense, what Facebook is doing is merely a progression from what credit card companies and loyalty card programs already do. In another sense, though, it seems like a breach of the norms of the Net.

If you want to be unaggregable in the real world, you pay in cash at stores large enough or far enough from home that the cashiers don’t recognize you. If you pay by credit card, Amex learns your purchase history across merchants, and can sell targeted lists to advertisers or advertising space in its billing statements. If you use a “partner” card, such as an airline rewards card or affiliate card, the partner gets access to your information while the credit card issuer learns one more piece of your profile. It’s as though American Airlines gets to tag along to watch all your purchases.

Facebook’s cookie mechanism puts that into web browsing, except instead of using a credit card to trigger it, you do nothing, just keep using your web browser. So it’s as though Facebook has dropped clerks (with incredible powers of recognition and infallible memory) into every store that you might visit, giving you no indication up-front.

The possibility of generating multiple profiles and of visiting sites without leaving trails from one to the next has led us to expect that the Net is less like using a credit card and more like paying cash: we can keep activities distinct online. Facebook has thrived on that, offering a space in which many participate because they think they can say there what they wouldn’t say in their neighborhood bar or the pages of the New York Times.

But new features tamper with sense of place, aggregating information brought in across contextual boundaries. The upside is that Facebook is doing this visibly: so pushing information about your commercial behavior into a social space can trigger user backlash. (Browse with a plugin like noscript to see who else is trying this with less warning.) Based on the similarities this “toast” behavior has to cross-sites scripting attacks, I hope it prompts browser or plugin developers to offer finer-grained viewing and control.

Update: Ethan Zuckerman gives detail on the sequence and some privacy thoughts of his own.

Update2: Thomas Roessler adds some ideas for policy hooks in code.

The One Laptop Per Child program has opened its give-one get-one campaign. For a limited time, members of the general public can get in on what’s otherwise a kids-only affair: get a rugged hackable meshable laptop.

The OLPC could be the next generation’s erector set — finished product yes, but even more building-block for further creativity. The computers are built on open-source software, designed for rather than against their users. As the FAQ indicates, in response to questions about technical support: “One goal of the project is that children will learn to troubleshoot the XO themselves and subsequently use their experiences to help others.”

Get yours while you can!

Entertainment lobbyists have dumped a nasty trojan horse into the Higher Education bill scheduled for markup Wednesday in the House Committee on Education and Labor. On page 412 of the massive 747-page “College Opportunity and Affordability Act of 2007″ is a requirement that educational institutions spend their scarce resources to

develop a plan for offering alternatives to illegal downloading or peer-to-peer distribution of intellectual property as well as a plan to explore technology-based deterrents to prevent such illegal activity.

So even as the committee asserts it wants to “make college more affordable and accessible,” it frustrates that purpose by letting Hollywood-driven mandates suck money away from the educational mission of colleges and universities. While “encourag[ing] colleges to rein in price increases,” the bill would force campuses to spend money exploring broken anti peer-to-peer technologies that make their networks less useful. Colleges that don’t fall into line risk losing federal student aid.

“Technology-based deterrents” are bound to be both over- and under-inclusive: blocking true educational uses while failing to stop piracy. A school cannot screen or filter all its Internet traffic without seriously impeding network innovation and research. If the “deterrents” block unknown communications, they stop students from experimenting on an end-to-end network, blocking the development of lawful peer-to-peer applications in the mold of Skype, distributed search, or LOCKSS (Lots of Copies Keep Stuff Safe), a library archival system. If they block encrypted traffic, they compromise privacy and security. If they don’t, they’re trivially circumvented.

Finally, there’s no automated way to determine whether “unauthorized” uses are fair. Even were a technology to have perfect access to all Internet traffic for comparison against a corpus of works, it would not be able to incorporate the judge necessary to determine whether a given use were fair, transformative, educational, or merely substitutive and unfair.

Half-baked ideas like these have no place in an education bill. Rather than forcing schools to spend scarce resources on entertainment companies’ agendas, Hollywood should do its own homework, offering students enough compelling, compatible alternatives that they choose authorized access.

Meanwhile, you should call congress to keep this mess out of our schools. Educause provides a page of resources including committee member phone numbers.

Via BoingBoing, comes the account of a sports writer and avid fan who spent $280 to purchase video footage of Major League Baseball games, only to lose the ability to watch his purchases when MLB switched DRM providers.

As Allan Wood, who wrote a book on the 1918 Red Sox blogs tells it:

Since MLB started this download service, I have bought and downloaded 71 games — many of them from the Red Sox’s August-September 2004 hot streak — which works out to a total cost of $280.45 (plus the price of the blank discs). Thanks to MLB, I now have nearly six dozen coasters.

Calling MLB to inquire, he was told:

“MLB no longer supports the DDS system” that it once used and so any CDs with downloaded games on them “are no good. They will not work with the current system.”

Thus rather than supporting the fans who paid money to watch games, MLB is turning them away — and turning them off from purchasing future content. What you rip from your DVR is more useful, long-term, than what you can buy. And all DRM has this bug built-in — it’s protecting content against its end-users, and can as easily break with less functionality than the users paid for if its supporting infrastructure is pulled.

In the comments, thread, a poster points to the Fairuse4WM utility in the Doom9 forums, suggesting that purchasers can extract the video. Of course that seems perfectly reasonable, as they paid for the content and were promised it would remain accessible, but the good old DMCA makes it legally questionable — circumvention of a “technological measure that effectively controls access to a work protected [by copyright]” is forbidden by sec. 1201(a)(1). Don’t purchasers have “authorization”? That’s what DVD owners argue, unsuccessfully so far.

What about exemptions? The Copyright Office, in its 2006 rulemaking created an exemption from circumvention liability for those who circumvent “obsolete” technological protections — seemingly the case here — but it applies only to computer programs and video games. While telecast baseball might be a “video game,” it’d take some creative lawyering to squeeze into the exception for archival use and preservation.

Apple’s recent update, which “bricked” unlocked iPhones and reverted the rest to block third party applications, caused Gizmodo’s reviewer to revise early enthusiasm for the gadget:

It’s about 3 months after the iPhone launch, and happy with the improvements, I was planning to change our “Wait” verdict to a full-on and rabid “Buy”. That wasn’t because of Apple, but because of the cool apps being offered by independent developers. All that came to an end yesterday after the new Apple firmware 1.1.1 neutered the handset. Sure, unlocked iPhones were broken. But more importantly, Apple wiped away the powerful programs that helped push the iPhone to greatness. With this, I’m going to have to move our recommendation from “Wait” to “Don’t hold your breath.” I’m done with this handset until third-party apps come back.

For a brief while, it seemed Apple got it. Lowering the iPhone’s price enlarged the virtual network of users and potential hackers who might get one, and acquiescence toward third-party applications let those flourish, both expanding the device’s utility beyond what was built in by Apple. Then, just as the gadget’s ecosystem was getting interesting, Apple razed the ground for some new silos.

Some Gizmodo commenters ridicule the protest, arguing that few iPhone owners are hackers, but they overlook the range of hack or customization desires. After all, people regularly install new programs on their Mac computers; they buy an estimated $1 billion in iPod accessories annually. When people spend up to a third of the price of their iPods to customize the devices’ appearance or connectivity options, it’s because those increase the value of the devices. It’s not a leap to expect they also want to add some internal customization to their phones.

But Apple’s Mr. Hyde side took precedence once again, as it bowed to the whims of its carrier partners: As the NYT reports, “Steven P. Jobs, Apple’s chief executive, has said the company wanted to maintain control over the iPhone’s functions to protect carrier networks and to make sure the phone was not damaged.”

All of which suggests that no matter how large a gadget’s virtual network is, it’s vulnerable if a closure-prone sponsor with closed-source core is its chief node.

Right in the middle of my New York Times today (yes, I still read it, and on paper) are two full-page color ads for Nokia’s N95, with the taglines “Comes with unlimited potential. We believe the smartest devices should keep getting smarter. That’s why we’ve left the Nokia Nseries open to enhancement, experimentation, and evolution. Open to anything.” url nseries.com/open (warning, flash-heavy)

I love it. Just the stance toward user innovation I’d like to see more companies adopt. They’ve borrowed a few pages right out of von Hippel’s Democratizing Innovation, mashed up with Benkler’s Wealth of Networks and Zittrain’s Generativity.

This contrasts, of course, with the advertised nature of the iPhone, locked to Apple’s apps and carrier. But we’ve also seen that within weeks of the iPhone’s launch, hackers have opened it, unlocked it, and built scores of apps.

So I wonder, how does the level of independent development on the N95, and Symbian, which powers it, compare with that on the iPhone? The N95 retails for $749 in the U.S., limiting the community likely to embrace it. Apple’s price drop brought the iPhone to $400; would it have engendered the same creativity if left at $600? Does Apple’s “cool” factor do more to bring in the hackers than Nokia’s; are touch gestures more of a draw than built-in GPS?

Or am I just seeing one side of the U.S.- Europe cellphone divide, and do Symbian developers prevail abroad where they’ve had more access to unlocked phones and fewer lock-subsidies to compete with?

After blogging about ICANN’s new gTLD policy or lack thereof, I’ve had several people ask me why I care so much about ICANN and new top-level domains. Domain names barely matter in a world of search and hyperlinks, I’m told, and new domains would amount to little more than a cash transfer to new registries from those trying to protect their names and brands. While I agree that type-in site-location is less and less relevant, and we haven’t yet seen much end-user focused innovation in the use of domain names, I’m not ready to throw in the towel. I think ICANN is still in a position to do affirmative harm to Internet innovation.

You see, I don’t concede that we know all the things the Internet will be used for, or all the things that could be done on top of and through its domain name system. I certainly don’t claim that I do, and I don’t believe that the intelligence gathered in ICANN would make that claim either.

Yet that’s what it’s doing by bureaucratizing the addition of new domain names: Asserting that no further experiments are possible; that the “show me the code” mode that built the Internet can no longer build enhancements to it. ICANN is unnecessarily ossifying the Internet’s DNS at version 1.0, setting in stone a cumbersome model of registries and registrars, a pay-per-database-listing, semantic attachments to character strings, and limited competition for the lot. This structure is fixed in place by the GNSO constituency listing: Those who have interests in the existing setup are unlikely to welcome a new set of competitors bearing disruptions to their established business models. The “PDP” in the headline, ICANN’s over-complex “Policy Development Process” (not the early DEC computer), gives too easy a holdout veto.

Meanwhile, we lose the chance to see what else could be done: whether it’s making domain names so abundant that every blogger could have a meaningful set on a business card and every school child one for each different face of youthful experimentation, using the DNS hierarchy to store simple data or different kinds of pointers, spawning new services with new naming conventions, or something else entirely.

I don’t know if any of these individually will “add value.” Historically, however, we leave that question to the market where there’s someone willing to give it a shot. Amazingly, after years of delay, there are still plenty of people waiting in ICANN queues to give new gTLDs a try. The collective value in letting them experiment and new services develop is indisputably greater than that constrained by the top-down imaginings of the few on the ICANN board and councils, as by their inability to pronounce .iii.

“How do you get an answer from the web?” the joke goes: “Put your guess into Wikipedia, then wait for the edits.” While Wikipedians might prefer you at least source your guess, the joke isn’t far from the mark. The lesson of Web 2.0 has been one of user-driven innovation, of launching services in beta and improving them by public experimentation. When your users know more than you or the regulators, the best you can do is often to give them a platform and support their efforts. Plan for the first try to break, and be ready to learn from the experience.

To trust the market, ICANN must be willing to let new TLDs fail. Instead of insisting that every new business have a 100-year plan, we should prepare the businesses and their stakeholders for contingency. Ensuring the “stable and secure operation of the Internet’s unique identifier systems” should mean developing predictable responses to failure, not demanding impracticable guarantees of perpetual success. Escrow, clear consumer information, streamlined processes, and flexible responses to the expected unanticipated, can all protect the end-users better than the dubious foresight of ICANN’s central regulators. These same regulators, bear in mind, didn’t foresee that a five-day add-grace period would swell the ranks of domains with “tasters” gaming the loophole with ad-based parking pages.

At ten years old, we don’t think of our mistakes as precedent, but as experience. Kids learn by doing; the ten-year-old ICANN needs to do the same. Instead of believing it can stabilize the Internet against change, ICANN needs to streamline for unpredictability. Expect the unexpected and be able to act quickly in response. Prepare to get some things wrong, at first, and so be ready to acknowledge mistakes and change course.

I anticipate the counter-argument here that I’m focused on the wrong level, that stasis in the core DNS enhances innovative development on top, but I don’t think I’m suggesting anything that would destabilize established resources. Verisign is contractually bound to keep .com open for registrations and resolving as it has in the past, even if .foo comes along with a different model. But until Verisign has real competition for .com, stability on its terms thwarts rather than fosters development. I think we can still accommodate change on both levels.

The Internet is too young to be turned into a utility, settled against further innovation. Even for mature layers, ICANN doesn’t have the regulatory competence to protect the end-user in the absence of market competition, while preventing change locks out potential competitive models. Instead, we should focus on protecting principles such as interoperability that have already proved their worth, to enhance user-focused innovation at all levels. A thin ICANN should merely coordinate, not regulate.