My posting yesterday on “Symbian Signed basics” has attracted more comments (containing lots of thoughtful ideas as well as evident passion) than I can quickly answer.
For now, I’d like to respond to Ian, who raised the following point:
There is no need for signing to ensure safety from malware. That’s what (platform) security is for.
Requiring signing without the option of user override is about control, pure and simple.
Can you give me a good reason why people should not have control of their property and why it should be in the vendor’s hands instead?
The first answer is that, when users purchase a phone, they typically enter into a contract with the supplier, and agree to be bound by the terms of that contract. In cases when the phone is being subsidised or supported by a network operator, the network operator only enters into the relationship on account of a set of assumptions about what the user is going to do with the phone. The network operator can reasonably seek to limit what the user does with the handset – even though the user has paid money for the device.
That’s the reason, for example, why T-Mobile stipulated (and apparently received agreement from Google) that no application providing VoIP over cellular data could be installed onto the Android G1. Otherwise, the cost and revenue assumptions of T-Mobile would be invalidated. From Daniel Roth on Wired:
T-Mobile made a big deal about being one of the few carriers embracing open standards and open systems — which is true. Yet just how open is a (sorry) open question. When I talked to Cole Brodman, the CTO of T-Mobile, after the event about what would stop something like Skype from designing a program that could run on the phone, negating the need for a massive voice plan, he said he had “worked with Google” to make sure Android couldn’t run VOIP. “We want to be open in a way that consumers can rely on,” is the way Brodman put it to me.
Here’s another example. Suppose you spend a lot of money buying a phone, and two months afterwards you notice that the battery systematically runs down after only a few hours of use. You’re naturally upset with the device, so you take it back to the shop where you bought it, asking for your money back. Or you spend hours on the phone to the support agents of the network operator, trying to diagnose the problem. Either way, the profit made by the handset manufacturer or the network operator from selling you that phone has probably been more than wiped out by the cost of attending to this usability issue.
But suppose it turns out that the cause of the battery running flat is a third party application you installed which, unknown to you, burns up processor cycles in the background. Suppose it also turns out that you were misled as to the origin of that application: when you installed it, you thought it said “This application has been supplied by your bank, Barclays”, but you didn’t notice that the certificate from the supplier said (e.g.) “Barclys” instead of “Barclays”. You thought you could trust the website where you found this application, or the people who (apparently) emailed it to you, but it turns out you were wrong. What’s more – and this is the point – you’ve since forgotten that you ever installed this app.
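The “Barclys” scenario above is a lookalike signer name: a certificate subject that is one edit away from a trusted publisher. An installer or a support tool can catch this mechanically rather than relying on the user to spot it. The following is an added example, not code from the original post or from Symbian Signed; the trust list, the subject strings and the edit-distance threshold are constructed assumptions for illustration.

```python
"""Flag installer signer names that nearly match, but do not equal, a trusted publisher.

Added example, not from the original post. The certificate subject strings and the
trust list below are constructed for illustration.
"""
from typing import NamedTuple

# Constructed trust list: publisher names the user (or the platform) has decided to trust.
TRUSTED_PUBLISHERS = ["Barclays", "Nokia", "Symbian Software"]


class SignerVerdict(NamedTuple):
    status: str        # "trusted", "lookalike" or "unknown"
    closest: str       # nearest trusted name (empty when the trust list is empty)
    distance: int      # edit distance to that name (-1 when the trust list is empty)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_signer(signer_cn: str, trusted=TRUSTED_PUBLISHERS, max_edits: int = 2) -> SignerVerdict:
    """Compare a certificate's subject name against the trust list.

    Exact matches (case-insensitive) are trusted. Names within `max_edits` edits of a
    trusted name but not equal to it are reported as lookalikes so that an installer
    can refuse or warn, instead of letting "Barclys" pass for "Barclays". Anything
    further away is simply unknown: not trusted, but not impersonating anyone either.
    """
    name = signer_cn.strip().casefold()
    best_name, best_dist = "", None
    for candidate in trusted:
        d = edit_distance(name, candidate.casefold())
        if best_dist is None or d < best_dist:
            best_name, best_dist = candidate, d
    if best_dist is None:              # empty trust list: nothing to compare against
        return SignerVerdict("unknown", "", -1)
    if best_dist == 0:
        return SignerVerdict("trusted", best_name, 0)
    if best_dist <= max_edits:
        return SignerVerdict("lookalike", best_name, best_dist)
    return SignerVerdict("unknown", best_name, best_dist)


if __name__ == "__main__":
    # Constructed subject names, as they might be shown on an install prompt.
    for cn in ["Barclays", "Barclys", "BARCLAYS", "Acme Widgets Ltd"]:
        v = classify_signer(cn)
        print(f"{cn!r:>20}: {v.status} (closest {v.closest!r}, {v.distance} edit(s))")
```

The threshold of two edits is a design choice: it is small enough that unrelated publishers are not flagged, yet it catches the dropped or swapped letter that a user skimming an install prompt will miss. A lookalike verdict is a reason to block or warn, not proof of malice, which is why the distance and the nearest trusted name are returned for the support agent to see.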
The second answer is that, even when we own items, we have social obligations as to what we do with them. We shouldn’t play music too loudly in public places. We shouldn’t leave garbage in public places. We shouldn’t broadcast radio interference over networks. We shouldn’t hog more than our fair share of pooled public resources. And we shouldn’t negatively impact the wireless networks (and the associated support infrastructure) on which our mobile phones live.
Both these answers are reasons in principle why users have to accept some limits on what they do with the mobile phones they have purchased.
The more interesting questions, however, are as follows:
- To what extent do actual application signing programs meet these requirements – and to what extent do these programs instead support other, less praiseworthy goals?
- Could variants of existing signing programs meet these requirements in better ways?
For example, consumers are already familiar with the idea that, when they disassemble the hardware of a device they have purchased, they typically invalidate the manufacturer warranty. (On my Psion Series 5mx, there’s still a sticker in place, over a screw, that says “Warranty void if removed”.) Would it be possible to educate handset users in a similar way that:
- Their handsets start out in a situation of having a manufacturer warranty
- However, if they install an unsigned application (or something similar), they are henceforth on their own, as regards support?