Feed fetched in 142 ms.
Warning Content type is application/atom+xml, not text/xml or applicaton/xml.
Feed is 53,862 characters long.
Feed has an ETag of "d4e5-648dc2f7c3ba1".
Feed has a last modified date of Wed, 21 Jan 2026 01:53:06 GMT.
Feed is well-formed XML.
Warning Feed has no styling.
This is an Atom feed.
Feed title: mark nottingham
Feed self link matches feed URL.
Warning Feed is missing an image.
Feed has 5 items.
First item published on 2026-01-20T00:00:00.000Z
Last item published on 2025-02-09T00:00:00.000Z
All items have published dates.
Newest item was published on 2026-01-20T00:00:00.000Z.
Info Feed's Last-Modified date is newer than the newest item's published date (2026-01-21T01:53:06.000Z > 2026-01-20T00:00:00.000Z).
Home page URL: https://www.mnot.net/blog/
Home page has feed discovery link in <head>.
Home page has a link to the feed in the <body>
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>mark nottingham</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/"/>
<link rel="self" type="application/atom+xml" href="https://www.mnot.net/blog/index.atom"/>
<id>tag:www.mnot.net,2010-11-11:/blog//1</id>
<updated>2026-01-21T01:53:01Z</updated>
<subtitle></subtitle>
<entry>
<title>Some Thoughts on the Open Web</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2026/01/20/open_web"/>
<id>https://www.mnot.net/blog/2026/01/20/open_web</id>
<updated>2026-01-20T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>The Open Web means several things to different people, depending on context, but recently discussions have focused on the Web's Openness in terms of access to information -- how easy it is to publish and obtain information without barriers there.</summary>
<category term="Web and Internet"/>
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2026/01/20/open_web"><![CDATA[<p class="intro">“The Open Web” means several things to different people, depending on context, but recently discussions have focused on the Web’s Openness in terms of <strong>access to information</strong> -- how easy it is to publish and obtain information without barriers there.</p>
<p>David Schinazi and I hosted a pair of ad hoc sessions on this topic at the last IETF meeting in Montreal and the subsequent W3C Technical Plenary in Kobe; you can see the <a href="https://docs.google.com/document/d/1WaXDfwPP6olY-UVQxDZKNkUyqvmHt-u4kREJW4ys6ms/edit?usp=sharing">notes and summaries from those sessions</a>. This post contains my thoughts on the topic so far, after some simmering.</p>
<h3 id="the-open-web-is-amazing">The Open Web is Amazing</h3>
<p>For most of human history, it’s been difficult to access information. As an average citizen, you had to work pretty hard to access academic texts, historical writings, literature, news, public information, and so on. Libraries were an amazing innovation, but locating and working with the information there was still a formidable challenge.</p>
<p>Likewise, publishing information for broad consumption required resources and relationships that were unavailable to most people. Gutenberg famously broke down some of those barriers, but many still remained: publishing and distributing books (or articles, music, art, films) required navigating extensive industries of gatekeepers, and often insurmountable costs and delays.</p>
<p>Tim Berners-Lee’s invention cut through all of that; it was now possible to communicate with the whole world at very low cost and almost instantaneously. Various media industries were disrupted (but not completely displaced) by this innovation, and reinterpreted roles for intermediaries (e.g., search engines for librarians, online marketplaces for ‘brick and mortar’ shops) were created.</p>
<p>Critically, a norm was also created; an expectation that content was easy to access, didn’t require paying or logging in. This was not enforced, and it was not always honoured: there were still subscription sites, and that’s OK, but they didn’t see the massive network effects that hyperlinks and browsers brought.</p>
<p>It is hard to overstate the benefits of this norm. Farmers in developing countries now have easy access to guidelines and data that help their crops succeed. Students around the world have access to resources that were unimaginable even a few decades ago. They can also contribute to that global commons of content, benefiting others as they build a reputation for themselves.</p>
<p>The Open Web is an amazing public good, both for those who consume information and those who produce it. By reducing costs and friction on both sides, it allows people all over the world to access and create information in a way -- and with an ease -- that would have been unimaginable to our predecessors. It’s worth fighting for.</p>
<h3 id="people-have-different-motivations-for-opening-content">People Have Different Motivations for Opening Content</h3>
<p>We talk about “The Open Web” in the singular, but in fact there are many motivations for making content available freely online.</p>
<p>Some people consciously make their content freely available on the Web because they want to contribute to the global commons, to help realise all of the benefits described above.</p>
<p>Many don’t, however.</p>
<p>Others do it because they want to be discovered and build a reputation. Or because they want to build human connections. Or because they want revenue from putting ads next to the content. Or because they want people to try their content out and then subscribe to it on the less-than-open Web.</p>
<p>Most commonly, it’s a blend of many (or even all) of these motivations.</p>
<p>Discussions of the Open Web need to consider all of them distinctly -- what about their environments are changing, and what might encourage or discourage different kinds of Open Web publishers. Only focusing on some motivations or creating “purity tests” for content isn’t helpful.</p>
<h3 id="there-are-many-degrees-of-open">There are Many Degrees of “Open”</h3>
<p>Likewise, there are many degrees of “open.” While some Open Web content doesn’t come with any strings, much of it does. You might have to allow tracking for ads. While an article might be available to search engines (to drive traffic), you might have to register for an account to view the content as an individual.</p>
<p>There are serious privacy considerations associated with both of these, but those concerns should be considered as distinct from those regarding open access to information. People sometimes need to get a library card to access information at their local library (in person or online), but that doesn’t make the information less open.</p>
<p class="callout">One of the most interesting assertions at the meetings we held was about advertising-supported content: that it was <em>more</em> equitable than “micro-transactions” and similar pay-to-view approaches, because it makes content available to those who would otherwise not be able to afford it.</p>
<p>At the same time, these ‘small’ barriers – for example, requirements to log in after reading three articles – add up, reducing the openness of the content. If the new norm is that everyone has to log in everywhere to get Web content (and we may be well on our way to that), the Open Web suffers.</p>
<p>Similarly, some open content is free to all comers and can be reused at will, where other examples have technical barriers (such as bot blockers or other selective access schemes) and/or legal barriers (namely, copyright restrictions).</p>
<h3 id="it-has-to-be-voluntary">It Has to be Voluntary</h3>
<p>Everyone who publishes on the Open Web does so because they want to – because the benefits they realise (see above) outweigh any downsides.</p>
<p>Conversely, any content not on the Open Web is not there because the owner has made the judgement that it is not worthwhile for them to do so. They cannot be forced to “open up” that content -- they can only be encouraged.</p>
<p>Affordances and changes in infrastructure, platforms, and other aspects of the ecosystem -- sometimes realised in technical standards, sometimes not -- might change that incentive structure and create the conditions for more or less content on the Open Web. They cannot, however, be forced or mandated.</p>
<p>To me, this means that attempts to coerce different parties into desired behaviors are unlikely to succeed – they have to <em>want</em> to provide their content. That includes strategies like withholding capabilities from them; they’ll just go elsewhere to obtain them, or put their content beyond a paywall.</p>
<h3 id="its-changing-rapidly">It’s Changing Rapidly</h3>
<p>We’re talking about the Open Web now because of the introduction of AI -- a massive disruption to the incentives of many content creators and publishers, because AI both leverages their content (through scraping for training) and competes with it (because it is generative).</p>
<p>For those who opened up their content because they wanted to establish reputation and build connectivity, this feels exploitative. They made their content available to benefit people, and it turns out that it’s benefiting large corporations who claim to be helping humanity but have failed to convince many.</p>
<p>For those who want to sell ads next to their content or entice people to subscribe, this feels like betrayal. Search engines built an ecosystem that benefited publishers and the platforms, but publishers see those same platforms as continually taking more value from the relationship -- as seen in efforts to force intermediation like AMP, and now AI, where sites get drastically reduced traffic in exchange for nothing at all.</p>
<p>And so people are blocking bots, putting up paywalls, changing business models, and yanking their content off the Open Web. The commons is suffering because technology (which always makes <em>something</em> easier) now makes content creation <em>and</em> consumption easier, so long as you trust your local AI vendor.</p>
<p>This change is unevenly distributed. There are still people happily publishing open content in formats like RSS, which doesn’t facilitate tracking or targeting, and is wide open to scraping and reuse. That said, there are large swathes of content that are disappearing from the Open Web because it’s no longer viable for the publisher; the balance of incentives for them has changed.</p>
<h3 id="open-is-not-free-to-provide">Open is Not Free to Provide</h3>
<p>Information may be a non-rivalrous good, but that doesn’t mean it’s free to provide. The people who produce it need to support themselves.</p>
<p>That doesn’t mean that their interests dominate all others, nor that the structures that have evolved are the best (or even a good) way to assure that they can do so; these are topics better suited for copyright discussions (where there is a very long history of such considerations being debated).</p>
<p>Furthermore, on a technical level serving content to anyone who asks for it on a global scale might be a commodity service now -- and so very inexpensive to do, in some cases -- but it’s not free, and the costs add up at scale. These costs -- again, alongside the perceived extractive nature of the relationship -- are causing some to <a href="https://social.kernel.org/notice/B2JlhcxNTfI8oDVoyO">block or otherwise try to frustrate</a> these uses.</p>
<p>Underlying this factor is an argument about whether it’s legitimate to say you’re on ‘the Open Web’ while selectively blocking clients you don’t like – either because they’re abusive technically (over-crawling), or because you don’t like what they do with the data. My observation here is that however you feel about it, that practice is now very, very widespread – evidence of great demand on the publisher side. If that capability were taken away, I strongly suspect the net result would be very negative for the Open Web.</p>
<h3 id="its-about-control">It’s About Control</h3>
<p>Lurking beneath all of these arguments is a tension between the interests of those who produce and use content. Forgive me for resorting to hyperbole: some content people want pixel-perfect control not only over how their information is presented but how it is used and who uses it, and some open access advocates want all information to be usable for any purpose any time and anywhere.</p>
<p>Either of these outcomes (hyperbole as they are) would be bad for the Open Web.</p>
<p>The challenge, then, is finding the right balance – a Web where content producers have incentives to make their content available in a way that can be reused as much as is reasonable. That balance needs to be stable and sustainable, and take into account shocks like the introduction of AI.</p>
<h3 id="a-way-forward">A Way Forward</h3>
<p>Having an Open Web available for humanity is not a guaranteed outcome; we may end up in a future where easily available information is greatly diminished or even absent.</p>
<p>With that and all of the observations above in mind, what’s most apparent to me is that we should focus on finding ways to create and strengthen incentives to publish content that’s open (for some definition of open) -- understanding that people might have a variety of motivations for doing so. If environmental factors like AI change their incentives, we need to understand why and address the underlying concerns if possible.</p>
<p>In other words, we have to create an Internet where people <em>want</em> to publish content openly – for some definition of “open.” Doing that may challenge the assumptions we’ve made about the Web as well as what we want “open” to be. What’s worked before may no longer create the incentive structure that leads to the greatest amount of content available to the greatest number of people for the greatest number of purposes.</p>]]></content>
</entry>
<entry>
<title>Principles for Global Online Meetings</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/10/26/equitable-meetings"/>
<id>https://www.mnot.net/blog/2025/10/26/equitable-meetings</id>
<updated>2025-10-26T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>Some thoughts about how to schedule online meetings for a global organisation in an equitable way.</summary>
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/10/26/equitable-meetings"><![CDATA[<p class="intro">One of the trickier problems for organisations that aspire to be global is scheduling a series of meetings. While the Internet has brought the ability to meet with colleagues and stakeholders all over the world, it hasn’t been able to get everyone on the same daily tempo – the earth is still not flat.</p>
<p>As someone who has participated in such organisations from Australia for nearly two decades, I’ve formed some fairly strong opinions about how their meetings should be arranged. What follows is an attempt to distill those thoughts into a set of principles that’s flexible enough to apply to a variety of situations.</p>
<p>Keep in mind the intended application is to a series of global meetings, not a single one-off event. Also, if the set of people who need to attend a given meeting are in timezones that lead to an agreed-to “good” time, you should use that time – but then I question if your organisation is really global. For the rest, read on.</p>
<h3 id="0-its-about-equity">0. It’s About Equity</h3>
<p>For global organisations, meeting scheduling is an equity issue. Arranging a meeting where some people can attend from the convenience of their office in normal business hours while others have to stay up into the middle of the night is not equitable – the former have very low friction for attending, while the latter have to disrupt their lives, families, relationships, and sleep cycles to attend.</p>
<p>When a person does make the extra effort to attend at a less-than-ideal hour, they will not be at their best. Being awake outside your normal hours means that you aren’t thinking as clearly and might react more emotionally than otherwise. Interrupting an evening after a long day can impact your focus. Effective participation is difficult under these conditions.</p>
<p>I cast this as an equity issue because I’ve observed that many don’t perceive it that way. This is often the case if someone’s experience is that most meetings are scheduled at reasonable hours, they don’t have to think about it, and people in other parts of the world staying up late or getting up early to talk to them is normal. It’s only when people realise this privilege and challenge what’s normal that progress can be made. If you want a truly global organisation, people need to be able to participate on equal footing, and that means that some people will need to make what looks like – to them – sacrifices, because they’re used to things being a certain way.</p>
<h3 id="1-share-pain-with-rotation">1. Share Pain with Rotation</h3>
<p>With that framing as an equity issue in mind, it becomes clear what must be done: the ‘pain’ of participating needs to be shared in a way that’s equitable. The focus then becomes characterising what pain is, and how to dole it out in a fair way while still holding functional meetings.</p>
<p>The most common method for scheduling a meeting that involves people from all over the globe involves picking “winners” and “losers”. Mary and Joe in North America get a meeting in their daytime; the Europeans have something in their evening, and Asia/Pacific folks have to get up early. Australians get the hardest service – they’re usually up past midnight, but sometimes get roused at 5am or so, depending on the fluctuations of daylight savings. Often, this will be justified with a poll or survey asking for preferences, but one where all options are reasonable for a privileged set of participants, and most are unreasonable for others.</p>
<p>This is all wrapped up in very logical explanations: it’s the constraints we work within, the locations of the participants narrow down the options, it doesn’t make sense to inconvenience a large number of people for the benefit of a few. Or the kicker: if we scheduled the meeting at that time, the folks who are used to having meetings at good times for them wouldn’t come.</p>
<p>All of those are poor excuses that should be challenged, but often aren’t because this privilege is so deeply embedded.</p>
<p>What can be done? The primary tool for pain-sharing is <strong>rotation</strong>. Schedule meetings in rotating time slots so that everyone has approximately the same number of “good”, “ok”, and “bad” time slots. This is how you put people on even footing.</p>
<p>It may even mean intentionally scheduling in a way that people will miss a slot – e.g., two out of three. In this case, you’ll need to build tools to make sure that information is shared between meetings (you should be keeping minutes, tracking action items, and creating summaries anyway!), that decisions don’t happen in any one meeting, and that people have a chance to see a variety of people, not just the same subset every time.</p>
<p>For example, imagine an organisation that needs to meet weekly, and has three members in different parts of Europe, five across North America, two in China, and one each in Australia and India. If they rotate between three time slots for their meetings, they might end up with:</p>
<ul>
<li>UTC: 02:00 / 11:00 / 17:00</li>
<li>Australia/Eastern: 12:00 / 21:00 / 03:00 (+1d)</li>
<li>China/Shanghai: 10:00 / 19:00 / 01:00 (+1d)</li>
<li>US/Eastern: 22:00 (-1d) / 07:00 / 14:00</li>
<li>Europe/Central: 04:00 / 13:00 / 19:00</li>
<li>India/Mumbai: 07:30 / 16:30 / 22:30</li>
</ul>
<p>Notice that everyone has approximately one “good” slot, one “ok” slot, and one “bad” slot – depending on each individual’s preferences, of course.</p>
<p>One objection I’ve heard to this approach is that it would lead to a state where most of the people go to just one or two of the meetings, and the others are poorly attended. That kind of fragmentation is certainly possible, but in my opinion it says more about the diversity of your organisation and the commitment of the people attending the meeting – both factors that should be separately addressed, not loaded onto some of the participants as meeting pain. Doing so is saying that some people won’t attend if they’re exposed to the conditions that they ask of others.</p>
<h3 id="2-pain-is-individual">2. Pain is Individual</h3>
<p>A common approach to scheduling weighs decisions by how many people are in each timezone. For example, if you’ve got ten people in North America, three in Europe, and one in Asia, you should obviously arrange things to inconvenience the fewest number of people, right?</p>
<p>The problem is, each of those people experiences the pain individually – it is not a collective phenomenon. The person in Asia doesn’t experience 1/14th of the pain if they need to get up at 4:30am for a call. Making things slightly inconvenient for the North Americans doesn’t magnify the pain they experience times ten.</p>
<p>So, don’t weigh your decisions by how many people are in a particular timezone or region. Of course there are limits to this principle – if it’s 100:1 you need to be able to function as a group (e.g., be quorate). But again, I’m questioning whether you’re really a global organisation here; you’re effectively gaslighting the people who are trying to participate from elsewhere by calling yourself one.</p>
<h3 id="3-pain-is-specific">3. Pain is Specific</h3>
<p>It’s easy to fall into the trap of assuming that everyone’s circumstances are the same – that if a 7am meeting is painful for you, it’s equally painful for someone else.</p>
<p>In reality, some people are morning people, while others don’t mind staying up until 2am. Some people might have a family dinner every Thursday night that would be disrupted by your meeting, while others are happy to use that time because that’s when they have the house to themselves.</p>
<p>This means you need to ask what people’s preferences and conflicts are, rather than (for example) assume that 7am-9am is ok, 9am-5pm is good, 5pm-10pm is ok, and everything else is bad. The mechanics of how that information is gathered depend upon the nature of your group, but it needs to be sensitive to privacy and resistant to gaming.</p>
<h3 id="4-pain-is-relative">4. Pain is Relative</h3>
<p>One of the complications of scheduling meetings across timezones is balancing the various kinds of conflicts and inconveniences that they bring up for a proposed time slot. John has to pick up the kids in that timeslot; Hiro is eating breakfast. Marissa needs to have dinner with her family. And Mark just wants a good night’s sleep for once.</p>
<p>I propose a hierarchy of inconvenience and pain, from most to least impactful:</p>
<ol>
<li>Rearranging your life - changing your sleep schedule, working on weekends (remember, Friday in North America is Saturday in other parts of the world)</li>
<li>Rearranging family life - shifting meals, changing child or elderly care arrangements</li>
<li>Moving other meetings - managing conflicts with other professional commitments</li>
</ol>
<p>When asking for conflicts for a given time slot, the higher items should always override the lower forms of pain. I’m sure this could be elaborated upon and extended, but it’s a good starting point.</p>
<p>I sometimes also hear about another kind of pain: that rotating meetings makes it hard for some people to keep their calendars. To me, this isn’t #4; it’s #100.</p>
<h3 id="5-circumstances-change">5. Circumstances Change</h3>
<p>People aren’t static. Their lives change, their families change, their health changes. If your meetings are scheduled over long periods of time, that means you need to be responsive to these changes, periodically checking to see if their preferences need updating.</p>
<p>I used to be a night person. I’d be up until at least midnight, sometimes two or three, and mornings would be a real struggle. However, as I’ve gotten older, I’m finding that many mornings I wake naturally at five or so, and I’m ready to sleep at around 10pm unless I’m out of the house. That change has fundamentally affected how I attend meetings.</p>
<p>And, of course, if you have participants in the Southern hemisphere (and you should!), you have to account for the differences in daylight savings, due to the differences in seasons. It’s not just a one-hour shift – it’s two, and that can make a big difference to someone’s quality of life.</p>
<h3 id="6-respect-peoples-time">6. Respect People’s Time</h3>
<p>Appreciate that what’s just another meeting in the middle of your workday is a huge effort in the middle of the night for someone else; don’t fritter away a substantial portion on chitchat. Have an agenda and be prepared to make the meeting valuable. Use offline, asynchronous tools when they’re more appropriate.</p>
<p>Likewise, don’t cancel or re-schedule a meeting at the last minute (or even last day). Setting an alarm for an early meeting and struggling through getting presentable and caffeinated only to find it’s been axed is distinctly unpleasant.</p>]]></content>
</entry>
<entry>
<title>Bridging the Gap Between Standards and Policy</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/09/20/configuration"/>
<id>https://www.mnot.net/blog/2025/09/20/configuration</id>
<updated>2025-09-20T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>Achieving policymakers' goals in coordination with Internet standards activity can be difficult. This post explores some of the options and considerations involved.</summary>
<category term="Tech Regulation"/>
<category term="Standards"/>
<category term="Web and Internet"/>
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/09/20/configuration"><![CDATA[<p>Internet standards bodies like the IETF and W3C are places where experts can come to agreement about the details of how technology should work. These communities have the deep experience that allows them to guide the evolution of the Internet towards common goals.</p>
<p>Policymakers have none of that technical expertise, but are the legitimate source of policy decisions in any functioning society. They don’t have the means to develop new technical proposals: while most countries have a national standard body, their products are a poor fit for a global Internet, and those bodies generally lack specific expertise.</p>
<p>So, it might seem logical for policymakers to turn to Internet standards bodies to develop the technical solutions for their policy goals, trusting the open process and community involvement to produce a good solution. Unfortunately, doing so can create problems that will cause such efforts to fail.</p>
<h3 id="whats-the-problem">What’s the Problem?</h3>
<p>A few different issues often become apparent when policymakers pre-emptively specify a standard.</p>
<p>First, as discussed previously, the <a href="https://www.mnot.net/blog/2024/03/13/voluntary">voluntary nature of Internet standards</a> acts as a proving function for them: if implementers don’t implement or users don’t use, the standard doesn’t matter. If a legal mandate to use a particular standard precedes that proof of viability, it distorts the incentives for participation in the process, because the power relationships between participants have changed – it’s no longer voluntary for the targets of the regulation, and the tone of the effort shifts from being <a href="https://www.mnot.net/blog/2024/07/16/collaborative_standards">collaborative</a> to competitive.</p>
<p>Second, Internet standards are created by <a href="https://www.mnot.net/blog/2024/05/24/consensus">consensus</a>. That approach to decision making is productive when there is reasonable alignment between participants’ motives, but it’s not well suited to handling fundamental conflicts about societal values. That’s because while technical experts might be good at weighing technical arguments and generally adhering to widely agreed-to principles (whether they be regarding Internet architecture or human rights), it’s much more difficult for them to adjudicate direct conflict between values outside their areas of expertise. In these circumstances, the outcome is often simply a lack of consensus.</p>
<p>Third, jurisdictions often have differences in their policy goals, but the Internet is global, and so are its standards bodies, who want the Internet to be interoperable regardless of borders. If policy goals aren’t widely shared and aligned between countries, it becomes even more difficult to come to consensus.</p>
<p>Fourth, making decisions with societal impact in a technical expert body raises fundamental legitimacy issues. That’s not to say that Internet standards can’t or shouldn’t (or don’t) change society in significant ways, but that’s done from the position of private actors coordinating to achieve a common goal through well-understood processes, within the practical boundaries of the commonalities of the applicable legal frameworks. It’s entirely different for a contentious policy decision to be delegated by policymakers to a non-representative technical body.</p>
<p>So, what’s a policymaker to do?</p>
<h3 id="patience-is-a-virtue">Patience is a Virtue</h3>
<p>One widely repeated recommendation for policymakers is to avoid specifying the work or even a venue for it in regulation or legislation until <em>after</em> it’s been created and its viability is proven by some amount of market adoption. Instead, the policymaker should just hint that an industry standard that serves a particular policy goal would be useful.</p>
<p>However, this approach comes with a few caveats:</p>
<ul>
<li>A set of proponents that drives the standards work has to emerge, and they need to be at least somewhat aligned with the policy goal</li>
<li>Consensus-based technical standards are slow, so policymakers have to have realistic expectations about the timeline</li>
<li>If the targets of the regulation don’t participate in the standards process, they may be able to reasonably claim that what results can’t be implemented by them</li>
</ul>
<p>These issues aren’t impossible to address: they just require good communication, alignment of incentives, management of expectations, and careful diligence.</p>
<h3 id="add-a-configuration-layer">Add a Configuration Layer</h3>
<p>Even if the policymaker waits for the outcome of the standards process, it’s rare for the policy decisions to be cleanly separable from the technology that needed to be created. Choices need to be made about how the technology is used and how it maps to the policy goals of a specific jurisdiction.</p>
<p>One intriguing way to manage that gap is to span it with a new entity – one that creates neither technical specifications nor policy goals, but instead is explicitly constituted to define how to meet the stated policy goals using already available technology. That leaves policy formation in the hands of policymakers and technical design in the hands of technologists.</p>
<p>In technology terms, this is a configuration layer: clearly and cleanly separating the concerns of how the technology is designed from how it is used. It still requires the technology to exist and have the appropriate configuration “interfaces”, but promises to take a large part of the policy pressure off of the standards process.</p>
<p>An example of this approach is just being started by the European Commission now. At IETF 123, they explained a proposal for a <a href="https://www.iepg.org/2025-07-20-ietf123/slides-123-iepg-sessa-multi-stakeholder-forum-on-internet-standards-deployment-00.pdf">Multi-stakeholder Forum on Internet Standards Deployment</a> that fills the gap between the definition of Internet security mechanisms and the policy intent of making European networks more secure. Policymakers have no desire to refer to specific RFCs in legislation, and Internet technologists don’t want to define regulatory requirements for Europe, so the idea is that this third entity will make those decisions without defining new technology <em>or</em> policy intent.</p>
<p>Getting this right requires the new forum to be constituted in a particular way. It has to be constrained by the policymaker’s intent, and can’t define new technology. That means that the technology has to be amenable to configuration – the relevant options need to be available. The logical host for the discussion is a venue controlled by the policymaker, but it needs to be open to broad participation (including online and asynchronous participation) so that the relevant experts can participate. Transparency will be key, and I suspect that the decision making policy will be critical to get right – ideally something close to a consensus model, but the policymaker may need to reserve the right to overrule objections or handle appeals.</p>
<p>Needless to say, I’m excited to see how this forum will work out. If successful, it’s a pattern that could be useful elsewhere.</p>]]></content>
</entry>
<entry>
<title>Using AI to Evaluate Internet Standards</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/06/04/using_ai"/>
<id>https://www.mnot.net/blog/2025/06/04/using_ai</id>
<updated>2025-06-04T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>Is AI a useful option for policymakers who want to evaluate open standards? Let's take a look.</summary>
<category term="Standards"/>
<category term="Web and Internet"/>
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/06/04/using_ai"><![CDATA[<p class="intro">One of the reasons I’m writing the <a href="/blog/series/internet-standards/">Nature of Internet Standards</a> series is to give policymakers tools that help them to understand and evaluate open standards efforts. A big part of that is understanding whether a specification (and the effort that led to it) is really a reflection of open deliberation, consensus processes, appropriate governance, and various other hallmarks of open standards.</p>
<p>Evaluating these factors requires a fair amount of context and nuance. What’s the most 2025 way to avoid that work? Using AI, of course.</p>
<p>Some colleagues were using AI to ask similar questions, and that inspired me to wonder whether it would be a useful option for policymakers who want to evaluate the openness of Internet standards. Let’s find out.</p>
<h2 id="the-privacy-sandbox">The Privacy Sandbox</h2>
<p>Our first experiment is an effort that I’m fairly familiar with, having engaged with it both professionally and <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3891335">academically</a> – Google’s Privacy Sandbox. How will AI portray this longstanding and very politicised effort?</p>
<h3 id="prompt">Prompt</h3>
<p>I started by asking ChatGPT’s “deep research” mode:</p>
<blockquote>
<p>Is the Privacy Sandbox developed in an open standards process? Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>
</blockquote>
<p>It asked for a few clarifications:</p>
<blockquote>
<p>To give you the most accurate and up-to-date analysis, could you clarify a few things:</p>
<ol>
<li>Are you primarily interested in the Privacy Sandbox on the web (i.e., as developed by Chrome and the W3C), or are you also considering the Android Privacy Sandbox?</li>
<li>Do you want a comparison to established open standards processes (e.g., W3C, IETF), or just an evaluation of the Privacy Sandbox initiatives on their own merits?</li>
<li>Are you looking for an overview of industry support (browsers, advertisers, publishers, etc.) and real-world implementation as part of your evaluation of adoption?</li>
</ol>
<p>This will help me tailor the research more precisely.</p>
</blockquote>
<p>To which I replied:</p>
<blockquote>
<p>Just on the Web. A comparison to open standards processes would be good. I don’t need an overview of support and implementation, but the results should take these factors into account.</p>
</blockquote>
<h3 id="response">Response</h3>
<p>After churning through data (and pushing the boundaries of copyright) for a couple of minutes, ChatGPT came up with <a href="https://chatgpt.com/s/dr_68252c4763a08191b9339f52d244060e">this voluminous report</a>. However, the heart of its response is concise and fairly damning:</p>
<blockquote>
<p>In summary, the Privacy Sandbox has been developed in semi-open forums (W3C community groups, public repos, Google blogs) and invites outside input, but it is not a widely supported multi-vendor standard yet. Only Google’s Chrome (and related browsers) implements the APIs, and other browser vendors have developed their own approaches. The process resembles an open-source Google project more than a classic consensus-driven SDO. As Mozilla and others have noted, standards bodies like the W3C and IETF are the “ideal forum” to vet such proposals with full stakeholder oversight. At present, Privacy Sandbox’s governance does not fully align with those open standards processes – it provides considerable transparency and documentation, but its development and adoption remain largely controlled by Google.</p>
</blockquote>
<p>That’s not far off. W3C Community Groups aren’t standards processes; in fact, they’re little more than mailing lists where the proponents get to set almost all of the rules. ChatGPT could have made this more clear, but instead uses lots of hedging phrases like “more than” and “fully align”.</p>
<p>Since the full report mentioned the chair of the Business Group that also discussed the Privacy Sandbox, <a href="http://wendy.seltzer.org">Wendy Seltzer</a>, I asked what she thought. Her response:</p>
<blockquote>
<p>It’s fascinating to follow the sources here, because the Wikipedia article appears to have gotten its last substantive updates in 2024, and is mostly focused on older material ([which is] sometimes wrong). A human researcher would recognize that as not the best authority for recent news. A better human researcher would also ask “is this the question you want to ask, since the non-deprecation of third party cookies has changed the landscape around all these initiatives?”</p>
<p>That illuminates a broader issue of missing context. The answer starts from the premise that “Privacy Sandbox” is something that could be developed in an open standards process, rather than parsing the question, is PS more than the set of APIs and proposals that might fit into standards processes? How do open standards fit into the overall strategy? The GPT report can work for you, an expert in the field who can fill in those aspects, but it could be misleading to someone without the same background.</p>
<p>Some of the sentences quoted from other sources seem off without the context of those sources, e.g. “In January 2020 Google invited ad-tech companies to join the W3C’s Improving Web Advertising Business Group (IWABG) to discuss and give feedback on Privacy Sandbox ideas” reads as implying that Google was the only one doing the inviting.</p>
</blockquote>
<h2 id="quic">QUIC</h2>
<p>Next, let’s try another effort that I’m familiar with: QUIC, the effort to define a new, performance and security-focused transport protocol. I chaired the <a href="https://quicwg.org/">QUIC Working Group</a> (along with Lars Eggert) from its inception until it shipped its core deliverables.</p>
<h3 id="prompt-1">Prompt</h3>
<p>I asked ChatGPT’s “deep research” mode a similar question for QUIC:</p>
<blockquote>
<p>Is QUIC developed in an open standards process? Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>
</blockquote>
<p>and once again, it asked for a similar clarification:</p>
<blockquote>
<p>To best address your question about QUIC, could you please clarify what aspect you’re most interested in?</p>
<ul>
<li>Are you focused more on the technical development and governance process (e.g., how open the standardization process is)?</li>
<li>Or are you more interested in its current implementation and adoption across the industry?</li>
<li>Should I compare it to other protocols or standards in terms of openness and adoption?</li>
</ul>
<p>Let me know so I can tailor the research accordingly.</p>
</blockquote>
<p>I responded:</p>
<blockquote>
<p>Focus on how open the standardisation process was, but consider implementation and adoption in your answer. A comparison with other relevant standards would be helpful.</p>
</blockquote>
<h3 id="response-1">Response</h3>
<p>Here’s the <a href="https://chatgpt.com/share/68253995-9f5c-8009-9dae-405a071aed61">full report</a>. The summary is positively glowing:</p>
<blockquote>
<p>In conclusion, QUIC’s standardization has been as open and transparent as any recent IETF protocol. It was developed in the open IETF process, adhering to OpenStand and WTO/TBT ideals of consensus, transparency, and voluntary adoption. Its final RFCs affirm community consensus, and the IETF infrastructure provided public visibility into every stage. This openness is mirrored by QUIC’s broad support: independent implementers from Google, Mozilla, Apple, Cloudflare, Facebook, and beyond have all deployed QUIC. The resulting ecosystem – with multiple browsers, CDNs, servers and apps supporting QUIC – reinforces that it is a truly open standard, not controlled by any single vendor. By contrast, older protocols like HTTP/2 and TCP underwent similar open processes (IETF consensus, public RFCs) and likewise enjoy ubiquitous implementation. Together, the history and adoption of QUIC demonstrate an effective, open standardization process in line with global best practices.</p>
</blockquote>
<p>First of all, I love the reference to the “WTO/TBT ideals of consensus, transparency, and voluntary adoption.”</p>
<p>But is it accurate? Sort of. The facts here are correct: those companies did participate in the effort, implemented it, and deployed it. The process was open (as can be seen in the minutes and other materials).</p>
<p>I don’t know, however, how it justifies its statements about the quality of consensus – as I’ve written before, <a href="/blog/2024/05/24/consensus">consensus can go wrong in a variety of ways</a>. Others have <a href="https://journals.sagepub.com/doi/full/10.1177/14614448251336438">characterised</a> QUIC’s development as having Google firmly in the “driving seat.” Having been there for the whole standards process, I disagree with that assessment, but I’d at least expect academic work like that to be acknowledged.</p>
<h2 id="is-ai-useful-for-assessing-open-standards">Is AI Useful for Assessing Open Standards?</h2>
<p>I can’t count the number of times that I’ve seen policymakers, journalists, and community members refer to the Privacy Sandbox as “at the W3C” or “being standardised at the W3C.” Given that extremely low bar, ChatGPT’s summary is an improvement. Likewise, I largely agree with its assessment of QUIC, at a high level.</p>
<p>What’s lacking here, however, is any kind of nuance. I can’t escape the feeling that it latches onto a few narratives that appear in source materials and augments them into well-worn clichés, like we see for QUIC. The IETF has a great reputation in many sources, so that gets amplified, but there’s a lack of any critical thought.</p>
<p>That’s not surprising: AI can’t think. If it could, it might wonder about the criteria we’re using for “open standards” here – are those WTO/TBT ideals still relevant, and are they adequately described? Are the processes actually used in working groups lining up with the rhetoric of openness – and how would you find out if they didn’t? And, how much should all of that count if the result isn’t <a href="https://www.mnot.net/blog/2024/03/13/voluntary">proven by market adoption</a>?</p>
<p>In a nutshell: if you must use AI to assess the openness of a standard, only use it for the first pass, check all of the references, and then roll up your sleeves and start talking to people to get the real story.</p>]]></content>
</entry>
<entry>
<title>Apple’s Best Option: Decentralize iCloud</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/02/09/decentralize-icloud"/>
<id>https://www.mnot.net/blog/2025/02/09/decentralize-icloud</id>
<updated>2025-02-09T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>What can Apple do in the face of a UK order to weaken encryption worldwide? Decentralize iCloud, to start.</summary>
<category term="Tech Regulation"/>
<category term="Web and Internet"/>
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/02/09/decentralize-icloud"><![CDATA[<p class="intro">As has been <a href="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/">widely reported</a>, the government of the United Kingdom has secretly ordered Apple to build a back door into iCloud to allow ‘blanket capability to view fully encrypted material.’</p>
<p>Assuming the UK doesn’t back down, what are Apple’s options? This is my personal take: if I’ve missed something, I’d love to hear about it.</p>
<h3 id="option-1-comply">Option 1: Comply</h3>
<p>Most companies would just comply with the order, but Apple is not most companies.</p>
<p>That’s not just because they have <a href="https://www.apple.com/privacy/">marketed themselves as privacy and security conscious</a>, although that presumably factors into their decision. From what I’ve seen from interacting with their engineers and observing how they behave (both in technical standards bodies and in their products), this is a commitment that goes much deeper than just marketing.</p>
<p>More significantly, Apple will be considering the secondary and tertiary consequences of compliance. So far, every democratic country around the world has refrained from making such an order; for example, Australia’s <a href="https://www.mnot.net/blog/2018/11/15/trust_australia">widely debated</a> legislation that mirrors the UK “Snooper’s Charter” has an explicit provision to disallow “systemic weakening” of encryption like we see here.</p>
<p>If the UK successfully forces Apple’s hand, every other government in the world is likely to take notice and consider making similar (or even more extreme) demands. <a href="https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/">CSAM scanning</a> will just be the start: once access to that much data is available, it’s open season for everything from <a href="https://en.wikipedia.org/wiki/Lèse-majesté_in_Thailand">Lèse-majesté</a> to punishing activists and protesters to policing sexual orientation, abortion, and other socially motivated laws. Even if a particular country doesn’t make the same demand of Apple, arrangements like Five Eyes will allow one agency to peer over another’s shoulders.</p>
<p>As I’ve written before, <a href="https://www.mnot.net/blog/2024/04/29/power">no one should have that much power</a>.</p>
<p>In the tinderbox that politics has become in many parts of the world, this is gasoline. I’d pay good money to be a fly on the wall in the meetings taking place with the <a href="https://www.gov.uk/government/organisations/foreign-commonwealth-development-office">Foreign Service</a>, because they of all people should understand the potential global impact of a move like this. Of course, in a world where USAID is shut down by Elon Musk and some teenagers, nothing is off the table – and that’s why we should be so concerned about this outcome.</p>
<h3 id="option-2-leave">Option 2: Leave</h3>
<p>Apple’s second option is to leave the UK. Full stop.</p>
<p>Close the Apple stores, online and retail. Stop providing iCloud, stop selling iPhones and all the other various i-gear. Close the <a href="https://www.businessinsider.com/apple-uk-headquarters-14-billion-redevelopment-battersea-power-station-2016-10">beautiful new UK HQ at Battersea</a>, and lay off (or transfer overseas) around 8,000 employees (reportedly).</p>
<p>This is (obviously) the nuclear option. It puts Apple outside the jurisdiction of the UK,<sup id="fnref:1"><a href="#fn:1" class="footnote" rel="footnote" role="doc-noteref">1</a></sup> and at the same time orphans every UK Apple user – their phones and computers don’t quite become bricks, but they will definitely have limited utility and lifetime.</p>
<p>Given that, along with Apple’s claim to <a href="https://www.standard.co.uk/business/apple-s-spectacular-offices-at-battersea-power-station-b1110130.html">support 550,000 UK jobs</a>, it’s likely to be effective – these consequences would make the government extremely unpopular overnight.</p>
<p>However, this option is also massively expensive: reportedly, total Apple revenue in the UK is <a href="https://www.retailgazette.co.uk/blog/2023/07/apple-uk-sales/">something like £1.5bn</a>. Add on top the one-time shutting down costs, and even Apple’s balance sheet will notice.</p>
<p>Perhaps more importantly, this is also a strategically worrisome direction to go in, because it plays into the narrative that Big Tech is more powerful than sovereign nations. Other countries will take notice, and may coordinate to overcome Apple’s reticence. Apple will now have to choose the markets that it operates in based on how it feels about those countries’ commitments to human rights on an ongoing basis – hardly a situation that any CEO wants to be in.</p>
<p>Finally, this option simply won’t work if one of those countries is the United States, Apple’s home. I’ll leave it to you, dear reader, to decide how much you trust your predictions of its actions.</p>
<h3 id="option-3-open-up">Option 3: Open Up</h3>
<p>Apple’s third option is to remove itself as a target in a more subtle way than option two.</p>
<p>The UK is presumably interested in Apple providing this functionality because iCloud’s design makes a massive amount of data convenient to access in one location: Apple’s servers. If that data is instead spread across servers operated by many different parties, it becomes less available.</p>
<p>In effect, this is the <strong>decentralize iCloud</strong> option. Apple would open up its implementation of iCloud so that third-party and self-hosted providers could be used for the same functions. They would need to create interfaces to allow switching, publish some specifications and maybe some test suites, and make sure that there weren’t any intellectual property impediments to implementation.</p>
<p>There could be some impact on Apple revenue here, but I suspect it’s not huge; many people would continue to buy iCloud for convenience, and for non-storage features that Apple bundles in <a href="https://www.apple.com/icloud/">iCloud+</a>.</p>
<p>Think of it this way: Apple provides e-mail service with iCloud, but doesn’t require you to use it: you can use your own or a third party provider without any drama, because they use common protocols and formats. Why should file sync be any different? Why can’t Apple make using a third-party service as seamless and functional as iCloud?</p>
<p>This isn’t a perfect option. Orders could still force weakened encryption, but now they’d have to target many different parties (depending on the details of implementation and deployment), and they’d have to get access to the stored data. If you choose a provider in another jurisdiction, that makes doing so more difficult, depending on what legal arrangements are in place between those jurisdictions; if you self-host, they’ll need to get physical access to your disks.</p>
<h3 id="what-will-and-should-apple-do">What Will (and Should) Apple Do?</h3>
<p>Computer operating systems are fundamental to security: once we lose trust in them, it’s pretty much game over. The UK has chosen a risky and brash path forward, and Apple will need to think carefully about how to navigate it.</p>
<p>It should be no surprise that I favour option three. While Apple is notoriously a closed company, it’s not completely averse to collaborating and working in the open when doing so is in its interests – and, given its other options, that’s arguably the case here.</p>
<p>Conceivably, Apple might even be forced into taking the “decentralize iCloud” option if regulators like those implementing the Digital Markets Act in the EU decide that doing so is necessary for competition. Apple has been <a href="https://ec.europa.eu/competition/digital_markets_act/cases/202344/DMA_100025_228.pdf">designated as a gatekeeper</a> for the ‘core platform service’ provided by iOS, and while that designation currently doesn’t include file synchronisation services, that might change.</p>
<p>Of course, the UK government may back down. However, the barrier to some other government taking similar steps is now smaller, and Apple would do well to consider its longer term options even if action turns out to be unnecessary right now.</p>
<p><em>Thanks to <a href="https://eupolicy.social/@1br0wn">Ian Brown</a> for his input to this article.</em></p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1">
<p>Presumably. Both inter-jurisdictional coordination and extraterritorial application of the law may complicate that. IANAL. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>]]></content>
</entry>
</feed>
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>mark nottingham</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/" />
<link rel="self" type="application/atom+xml" href="https://www.mnot.net/blog/index.atom" />
<id>tag:www.mnot.net,2010-11-11:/blog//1</id>
<updated>2026-01-21T01:53:01Z</updated>
<subtitle></subtitle>
<entry>
<title>Some Thoughts on the Open Web</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2026/01/20/open_web" />
<id>https://www.mnot.net/blog/2026/01/20/open_web</id>
<updated>2026-01-20T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>The Open Web means several things to different people, depending on context, but recently discussions have focused on the Web's Openness in terms of access to information -- how easy it is to publish and obtain information without barriers there.</summary>
<category term="Web and Internet" />
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2026/01/20/open_web">
<![CDATA[<p class="intro">“The Open Web” means several things to different people, depending on context, but recently discussions have focused on the Web’s Openness in terms of <strong>access to information</strong> -- how easy it is to publish and obtain information without barriers there.</p>
<p>David Schinazi and I hosted a pair of ad hoc sessions on this topic at the last IETF meeting in Montreal and the subsequent W3C Technical Plenary in Kobe; you can see the <a href="https://docs.google.com/document/d/1WaXDfwPP6olY-UVQxDZKNkUyqvmHt-u4kREJW4ys6ms/edit?usp=sharing">notes and summaries from those sessions</a>. This post contains my thoughts on the topic so far, after some simmering.</p>
<h3 id="the-open-web-is-amazing">The Open Web is Amazing</h3>
<p>For most of human history, it’s been difficult to access information. As an average citizen, you had to work pretty hard to access academic texts, historical writings, literature, news, public information, and so on. Libraries were an amazing innovation, but locating and working with the information there was still a formidable challenge.</p>
<p>Likewise, publishing information for broad consumption required resources and relationships that were unavailable to most people. Gutenberg famously broke down some of those barriers, but many still remained: publishing and distributing books (or articles, music, art, films) required navigating extensive industries of gatekeepers, and often insurmountable costs and delays.</p>
<p>Tim Berners-Lee’s invention cut through all of that; it was now possible to communicate with the whole world at very low cost and almost instantaneously. Various media industries were disrupted (but not completely displaced) by this innovation, and reinterpreted roles for intermediaries (e.g., search engines for librarians, online marketplaces for ‘brick and mortar’ shops) were created.</p>
<p>Critically, a norm was also created; an expectation that content was easy to access, didn’t require paying or logging in. This was not enforced, and it was not always honoured: there were still subscription sites, and that’s OK, but they didn’t see the massive network effects that hyperlinks and browsers brought.</p>
<p>It is hard to overstate the benefits of this norm. Farmers in developing countries now have easy access to guidelines and data that help their crops succeed. Students around the world have access to resources that were unimaginable even a few decades ago. They can also contribute to that global commons of content, benefiting others as they build a reputation for themselves.</p>
<p>The Open Web is an amazing public good, both for those who consume information and those who produce it. By reducing costs and friction on both sides, it allows people all over the world to access and create information in a way -- and with an ease -- that would have been unimaginable to our predecessors. It’s worth fighting for.</p>
<h3 id="people-have-different-motivations-for-opening-content">People Have Different Motivations for Opening Content</h3>
<p>We talk about “The Open Web” in the singular, but in fact there are many motivations for making content available freely online.</p>
<p>Some people consciously make their content freely available on the Web because they want to contribute to the global commons, to help realise all of the benefits described above.</p>
<p>Many don’t, however.</p>
<p>Others do it because they want to be discovered and build a reputation. Or because they want to build human connections. Or because they want revenue from putting ads next to the content. Or because they want people to try their content out and then subscribe to it on the less-than-open Web.</p>
<p>Most commonly, it’s a blend of many (or even all) of these motivations.</p>
<p>Discussions of the Open Web need to consider all of them distinctly -- what about their environments is changing, and what might encourage or discourage different kinds of Open Web publishers. Only focusing on some motivations or creating “purity tests” for content isn’t helpful.</p>
<h3 id="there-are-many-degrees-of-open">There are Many Degrees of “Open”</h3>
<p>Likewise, there are many degrees of “open.” While some Open Web content doesn’t come with any strings, much of it does. You might have to allow tracking for ads. While an article might be available to search engines (to drive traffic), you might have to register for an account to view the content as an individual.</p>
<p>There are serious privacy considerations associated with both of these, but those concerns should be considered as distinct from those regarding open access to information. People sometimes need to get a library card to access information at their local library (in person or online), but that doesn’t make the information less open.</p>
<p class="callout">One of the most interesting assertions at the meetings we held was about advertising-supported content: that it was <em>more</em> equitable than “micro-transactions” and similar pay-to-view approaches, because it makes content available to those who would otherwise not be able to afford it.</p>
<p>At the same time, these ‘small’ barriers – for example, requirements to log in after reading three articles – add up, reducing the openness of the content. If the new norm is that everyone has to log in everywhere to get Web content (and we may be well on our way to that), the Open Web suffers.</p>
<p>Similarly, some open content is free to all comers and can be reused at will, where other examples have technical barriers (such as bot blockers or other selective access schemes) and/or legal barriers (namely, copyright restrictions).</p>
<h3 id="it-has-to-be-voluntary">It Has to be Voluntary</h3>
<p>Everyone who publishes on the Open Web does so because they want to – because the benefits they realise (see above) outweigh any downsides.</p>
<p>Conversely, any content not on the Open Web is not there because the owner has made the judgement that it is not worthwhile for them to do so. They cannot be forced to “open up” that content -- they can only be encouraged.</p>
<p>Affordances and changes in infrastructure, platforms, and other aspects of the ecosystem -- sometimes realised in technical standards, sometimes not -- might change that incentive structure and create the conditions for more or less content on the Open Web. They cannot, however, be forced or mandated.</p>
<p>To me, this means that attempts to coerce different parties into desired behaviors are unlikely to succeed – they have to <em>want</em> to provide their content. That includes strategies like withholding capabilities from them; they’ll just go elsewhere to obtain them, or put their content beyond a paywall.</p>
<h3 id="its-changing-rapidly">It’s Changing Rapidly</h3>
<p>We’re talking about the Open Web now because of the introduction of AI -- a massive disruption to the incentives of many content creators and publishers, because AI both leverages their content (through scraping for training) and competes with it (because it is generative).</p>
<p>For those who opened up their content because they wanted to establish reputation and build connectivity, this feels exploitative. They made their content available to benefit people, and it turns out that it’s benefiting large corporations who claim to be helping humanity but have failed to convince many.</p>
<p>For those who want to sell ads next to their content or entice people to subscribe, this feels like betrayal. Search engines built an ecosystem that benefited publishers and the platforms, but publishers see those same platforms as continually taking more value from the relationship -- as seen in efforts to force intermediation like AMP, and now AI, where sites get drastically reduced traffic in exchange for nothing at all.</p>
<p>And so people are blocking bots, putting up paywalls, changing business models, and yanking their content off the Open Web. The commons is suffering because technology (which always makes <em>something</em> easier) now makes content creation <em>and</em> consumption easier, so long as you trust your local AI vendor.</p>
<p>This change is unevenly distributed. There are still people happily publishing open content in formats like RSS, which doesn’t facilitate tracking or targeting, and is wide open to scraping and reuse. That said, there are large swathes of content that are disappearing from the Open Web because it’s no longer viable for the publisher; the balance of incentives for them has changed.</p>
<h3 id="open-is-not-free-to-provide">Open is Not Free to Provide</h3>
<p>Information may be a non-rivalrous good, but that doesn’t mean it’s free to provide. The people who produce it need to support themselves.</p>
<p>That doesn’t mean that their interests dominate all others, nor that the structures that have evolved are the best (or even a good) way to assure that they can do so; these are topics better suited for copyright discussions (where there is a very long history of such considerations being debated).</p>
<p>Furthermore, on a technical level serving content to anyone who asks for it on a global scale might be a commodity service now -- and so very inexpensive to do, in some cases -- but it’s not free, and the costs add up at scale. These costs -- again, alongside the perceived extractive nature of the relationship -- are causing some to <a href="https://social.kernel.org/notice/B2JlhcxNTfI8oDVoyO">block or otherwise try to frustrate</a> these uses.</p>
<p>Underlying this factor is an argument about whether it’s legitimate to say you’re on ‘the Open Web’ while selectively blocking clients you don’t like – either because they’re abusive technically (over-crawling), or because you don’t like what they do with the data. My observation here is that however you feel about it, that practice is now very, very widespread – evidence of great demand on the publisher side. If that capability were taken away, I strongly suspect the net result would be very negative for the Open Web.</p>
<h3 id="its-about-control">It’s About Control</h3>
<p>Lurking beneath all of these arguments is a tension between the interests of those who produce and use content. Forgive me for resorting to hyperbole: some content people want pixel-perfect control not only over how their information is presented but how it is used and who uses it, and some open access advocates want all information to be usable for any purpose any time and anywhere.</p>
<p>Either of these outcomes (hyperbole as they are) would be bad for the Open Web.</p>
<p>The challenge, then, is finding the right balance – a Web where content producers have incentives to make their content available in a way that can be reused as much as is reasonable. That balance needs to be stable and sustainable, and take into account shocks like the introduction of AI.</p>
<h3 id="a-way-forward">A Way Forward</h3>
<p>Having an Open Web available for humanity is not a guaranteed outcome; we may end up in a future where easily available information is greatly diminished or even absent.</p>
<p>With that and all of the observations above in mind, what’s most apparent to me is that we should focus on finding ways to create and strengthen incentives to publish content that’s open (for some definition of open) -- understanding that people might have a variety of motivations for doing so. If environmental factors like AI change their incentives, we need to understand why and address the underlying concerns if possible.</p>
<p>In other words, we have to create an Internet where people <em>want</em> to publish content openly – for some definition of “open.” Doing that may challenge the assumptions we’ve made about the Web as well as what we want “open” to be. What’s worked before may no longer create the incentive structure that leads to the greatest amount of content available to the greatest number of people for the greatest number of purposes.</p>]]>
</content>
</entry>
<entry>
<title>Principles for Global Online Meetings</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/10/26/equitable-meetings" />
<id>https://www.mnot.net/blog/2025/10/26/equitable-meetings</id>
<updated>2025-10-26T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>Some thoughts about how to schedule online meetings for a global organisation in an equitable way.</summary>
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/10/26/equitable-meetings">
<![CDATA[<p class="intro">One of the trickier problems for organisations that aspire to be global is scheduling a series of meetings. While the Internet has brought the ability to meet with colleagues and stakeholders all over the world, it hasn’t been able to get everyone on the same daily tempo – the earth is still not flat.</p>
<p>As someone who has participated in such organisations from Australia for nearly two decades, I’ve formed some fairly strong opinions about how their meetings should be arranged. What follows is an attempt to distill those thoughts into a set of principles that’s flexible enough to apply to a variety of situations.</p>
<p>Keep in mind the intended application is to a series of global meetings, not a single one-off event. Also, if the set of people who need to attend a given meeting are in timezones that lead to an agreed-to “good” time, you should use that time – but then I question if your organisation is really global. For the rest, read on.</p>
<h3 id="0-its-about-equity">0. It’s About Equity</h3>
<p>For global organisations, meeting scheduling is an equity issue. Arranging a meeting where some people can attend from the convenience of their office in normal business hours while others have to stay up into the middle of the night is not equitable – the former have very low friction for attending, while the latter have to disrupt their lives, families, relationships, and sleep cycles to attend.</p>
<p>When a person does make the extra effort to attend at a less-than-ideal hour, they will not be at their best. Being awake outside your normal hours means that you aren’t thinking as clearly and might react more emotionally than otherwise. Interrupting an evening after a long day can impact your focus. Effective participation is difficult under these conditions.</p>
<p>I cast this as an equity issue because I’ve observed that many don’t perceive it that way. This is often the case if someone’s experience is that most meetings are scheduled at reasonable hours, they don’t have to think about it, and people in other parts of the world staying up late or getting up early to talk to them is normal. It’s only when people realise this privilege and challenge what’s normal that progress can be made. If you want a truly global organisation, people need to be able to participate on equal footing, and that means that some people will need to make what looks like – to them – sacrifices, because they’re used to things being a certain way.</p>
<h3 id="1-share-pain-with-rotation">1. Share Pain with Rotation</h3>
<p>With that framing as an equity issue in mind, it becomes clear what must be done: the ‘pain’ of participating needs to be shared in a way that’s equitable. The focus then becomes characterising what pain is, and how to dole it out in a fair way while still holding functional meetings.</p>
<p>The most common method for scheduling a meeting that involves people from all over the globe involves picking “winners” and “losers”. Mary and Joe in North America get a meeting in their daytime; the Europeans have something in their evening, and Asia/Pacific folks have to get up early. Australians get the hardest service – they’re usually up past midnight, but sometimes get roused at 5am or so, depending on the fluctuations of daylight savings. Often, this will be justified with a poll or survey asking for preferences, but one where all options are reasonable for a privileged set of participants, and most are unreasonable for others.</p>
<p>This is all wrapped up in very logical explanations: it’s the constraints we work within, the locations of the participants narrow down the options, it doesn’t make sense to inconvenience a large number of people for the benefit of a few. Or the kicker: if we scheduled the meeting at that time, the folks who are used to having meetings at good times for them wouldn’t come.</p>
<p>All of those are poor excuses that should be challenged, but often aren’t because this privilege is so deeply embedded.</p>
<p>What can be done? The primary tool for pain-sharing is <strong>rotation</strong>. Schedule meetings in rotating time slots so that everyone has approximately the same number of “good”, “ok”, and “bad” time slots. This is how you put people on even footing.</p>
<p>It may even mean intentionally scheduling in a way that people will miss a slot – e.g., two out of three. In this case, you’ll need to build tools to make sure that information is shared between meetings (you should be keeping minutes, tracking action items, and creating summaries anyway!), that decisions don’t happen in any one meeting, and that people have a chance to see a variety of people, not just the same subset every time.</p>
<p>For example, imagine an organisation that needs to meet weekly, and has three members in different parts of Europe, five across North America, two in China, and one each in Australia and India. If they rotate between three time slots for their meetings, they might end up with:</p>
<ul>
<li>UTC: 02:00 / 11:00 / 17:00</li>
<li>Australia/Eastern: 12:00 / 21:00 / 03:00 (+1d)</li>
<li>China/Shanghai: 10:00 / 19:00 / 01:00 (+1d)</li>
<li>US/Eastern: 22:00 (-1d) / 07:00 / 14:00</li>
<li>Europe/Central: 04:00 / 13:00 / 19:00</li>
<li>India/Mumbai: 07:30 / 16:30 / 22:30</li>
</ul>
<p>Notice that everyone has approximately one “good” slot, one “ok” slot, and one “bad” slot – depending on each individual’s preferences, of course.</p>
<p>One objection I’ve heard to this approach is that it would lead to a state where most of the people go to just one or two of the meetings, and the others are poorly attended. That kind of fragmentation is certainly possible, but in my opinion it says more about the diversity of your organisation and the commitment of the people attending the meeting – both factors that should be separately addressed, not loaded onto some of the participants as meeting pain. Doing so is saying that some people won’t attend if they’re exposed to the conditions that they ask of others.</p>
<h3 id="2-pain-is-individual">2. Pain is Individual</h3>
<p>A common approach to scheduling weighs decisions by how many people are in each timezone. For example, if you’ve got ten people in North America, three in Europe, and one in Asia, you should obviously arrange things to inconvenience the fewest number of people, right?</p>
<p>The problem is, each of those people experiences the pain individually – it is not a collective phenomenon. The person in Asia doesn’t experience 1/14th of the pain if they need to get up at 4:30am for a call. Making things slightly inconvenient for the North Americans doesn’t magnify the pain they experience times ten.</p>
<p>So, don’t weigh your decisions by how many people are in a particular timezone or region. Of course there are limits to this principle – if it’s 100:1 you need to be able to function as a group (e.g., be quorate). But again, I’m questioning whether you’re really a global organisation here; you’re effectively gaslighting the people who are trying to participate from elsewhere by calling yourself one.</p>
<h3 id="3-pain-is-specific">3. Pain is Specific</h3>
<p>It’s easy to fall into the trap of assuming that everyone’s circumstances are the same – that if a 7am meeting is painful for you, it’s equally painful for someone else.</p>
<p>In reality, some people are morning people, while others don’t mind staying up until 2am. Some people might have a family dinner every Thursday night that would be disrupted by your meeting, while others are happy to use that time because that’s when they have the house to themselves.</p>
<p>This means you need to ask what people’s preferences and conflicts are, rather than (for example) assume that 7am-9am is ok, 9am-5pm is good, 5pm-10pm is ok, and everything else is bad. The mechanics of how that information is gathered depend upon the nature of your group, but it needs to be sensitive to privacy and resistant to gaming.</p>
<h3 id="4-pain-is-relative">4. Pain is Relative</h3>
<p>One of the complications of scheduling meetings across timezones is balancing the various kinds of conflicts and inconveniences that they bring up for a proposed time slot. John has to pick up the kids in that timeslot; Hiro is eating breakfast. Marissa needs to have dinner with her family. And Mark just wants a good night’s sleep for once.</p>
<p>I propose a hierarchy of inconvenience and pain, from most to least impactful:</p>
<ol>
<li>Rearranging your life - changing your sleep schedule, working on weekends (remember, Friday in North America is Saturday in other parts of the world)</li>
<li>Rearranging family life - shifting meals, changing child or elderly care arrangements</li>
<li>Moving other meetings - managing conflicts with other professional commitments</li>
</ol>
<p>When asking for conflicts for a given time slot, the higher items should always override the lower forms of pain. I’m sure this could be elaborated upon and extended, but it’s a good starting point.</p>
<p>I sometimes also hear about another kind of pain: that rotating meetings makes it hard for some people to keep their calendars. To me, this isn’t #4; it’s #100.</p>
<h3 id="5-circumstances-change">5. Circumstances Change</h3>
<p>People aren’t static. Their lives change, their families change, their health changes. If your meetings are scheduled over long periods of time, that means you need to be responsive to these changes, periodically checking to see if their preferences need updating.</p>
<p>I used to be a night person. I’d be up until at least midnight, sometimes two or three, and mornings would be a real struggle. However, as I’ve gotten older, I’m finding that many mornings I wake naturally at five or so, and I’m ready to sleep at around 10pm unless I’m out of the house. That change has fundamentally affected how I attend meetings.</p>
<p>And, of course, if you have participants in the Southern hemisphere (and you should!), you have to account for the differences in daylight savings, due to the differences in seasons. It’s not just a one-hour shift – it’s two, and that can make a big difference to someone’s quality of life.</p>
<h3 id="6-respect-peoples-time">6. Respect People’s Time</h3>
<p>Appreciate that what’s just another meeting in the middle of your workday is a huge effort in the middle of the night for someone else; don’t fritter away a substantial portion on chitchat. Have an agenda and be prepared to make the meeting valuable. Use offline, asynchronous tools when they’re more appropriate.</p>
<p>Likewise, don’t cancel or re-schedule a meeting at the last minute (or even last day). Setting an alarm for an early meeting and struggling through getting presentable and caffeinated only to find it’s been axed is distinctly unpleasant.</p>]]>
</content>
</entry>
<entry>
<title>Bridging the Gap Between Standards and Policy</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/09/20/configuration" />
<id>https://www.mnot.net/blog/2025/09/20/configuration</id>
<updated>2025-09-20T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>Achieving policymakers' goals in coordination with Internet standards activity can be difficult. This post explores some of the options and considerations involved.</summary>
<category term="Tech Regulation" />
<category term="Standards" />
<category term="Web and Internet" />
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/09/20/configuration">
<![CDATA[<p>Internet standards bodies like the IETF and W3C are places where experts can come to agreement about the details of how technology should work. These communities have the deep experience that allows them to guide the evolution of the Internet towards common goals.</p>
<p>Policymakers have none of that technical expertise, but are the legitimate source of policy decisions in any functioning society. They don’t have the means to develop new technical proposals: while most countries have a national standard body, their products are a poor fit for a global Internet, and those bodies generally lack specific expertise.</p>
<p>So, it might seem logical for policymakers to turn to Internet standards bodies to develop the technical solutions for their policy goals, trusting the open process and community involvement to produce a good solution. Unfortunately, doing so can create problems that will cause such efforts to fail.</p>
<h3 id="whats-the-problem">What’s the Problem?</h3>
<p>A few different issues often become apparent when policymakers pre-emptively specify a standard.</p>
<p>First, as discussed previously, the <a href="https://www.mnot.net/blog/2024/03/13/voluntary">voluntary nature of Internet standards</a> acts as a proving function for them: if implementers don’t implement or users don’t use, the standard doesn’t matter. If a legal mandate to use a particular standard precedes that proof of viability, it distorts the incentives for participation in the process, because the power relationships between participants have changed – it’s no longer voluntary for the targets of the regulation, and the tone of the effort shifts from being <a href="https://www.mnot.net/blog/2024/07/16/collaborative_standards">collaborative</a> to competitive.</p>
<p>Second, Internet standards are created by <a href="https://www.mnot.net/blog/2024/05/24/consensus">consensus</a>. That approach to decision making is productive when there is reasonable alignment between participants’ motives, but it’s not well suited to handling fundamental conflicts about societal values. That’s because while technical experts might be good at weighing technical arguments and generally adhering to widely agreed-to principles (whether they be regarding Internet architecture or human rights), it’s much more difficult for them to adjudicate direct conflict between values outside their areas of expertise. In these circumstances, the outcome is often simply a lack of consensus.</p>
<p>Third, jurisdictions often have differences in their policy goals, but the Internet is global, and so are its standards bodies, who want the Internet to be interoperable regardless of borders. If policy goals aren’t widely shared and aligned between countries, it becomes even more difficult to come to consensus.</p>
<p>Fourth, making decisions with societal impact in a technical expert body raises fundamental legitimacy issues. That’s not to say that Internet standards can’t or shouldn’t (or don’t) change society in significant ways, but that’s done from the position of private actors coordinating to achieve a common goal through well-understood processes, within the practical boundaries of the commonalities of the applicable legal frameworks. It’s entirely different for a contentious policy decision to be delegated by policymakers to a non-representative technical body.</p>
<p>So, what’s a policymaker to do?</p>
<h3 id="patience-is-a-virtue">Patience is a Virtue</h3>
<p>One widely repeated recommendation for policymakers is to avoid specifying the work or even a venue for it in regulation or legislation until <em>after</em> it’s been created and its viability is proven by some amount of market adoption. Instead, the policymaker should just hint that an industry standard that serves a particular policy goal would be useful.</p>
<p>However, this approach comes with a few caveats:</p>
<ul>
<li>A set of proponents that drives the standards work has to emerge, and they need to be at least somewhat aligned with the policy goal</li>
<li>Consensus-based technical standards are slow, so policymakers have to have realistic expectations about the timeline</li>
<li>If the targets of the regulation don’t participate in the standards process, they may be able to reasonably claim that what results can’t be implemented by them</li>
</ul>
<p>These issues aren’t impossible to address: they just require good communication, alignment of incentives, management of expectations, and careful diligence.</p>
<h3 id="add-a-configuration-layer">Add a Configuration Layer</h3>
<p>Even if the policymaker waits for the outcome of the standards process, it’s rare for the policy decisions to be cleanly separable from the technology that needed to be created. Choices need to be made about how the technology is used and how it maps to the policy goals of a specific jurisdiction.</p>
<p>One intriguing way to manage that gap is to span it with a new entity – one that creates neither technical specifications nor policy goals, but instead is explicitly constituted to define how to meet the stated policy goals using already available technology. That leaves policy formation in the hands of policymakers and technical design in the hands of technologists.</p>
<p>In technology terms, this is a configuration layer: clearly and cleanly separating the concerns of how the technology is designed from how it is used. It still requires the technology to exist and have the appropriate configuration “interfaces”, but promises to take a large part of the policy pressure off of the standards process.</p>
<p>An example of this approach is just being started by the European Commission now. At IETF 123, they explained a proposal for a <a href="https://www.iepg.org/2025-07-20-ietf123/slides-123-iepg-sessa-multi-stakeholder-forum-on-internet-standards-deployment-00.pdf">Multi-stakeholder Forum on Internet Standards Deployment</a> that fills the gap between the definition of Internet security mechanisms and the policy intent of making European networks more secure. Policymakers have no desire to refer to specific RFCs in legislation, and Internet technologists don’t want to define regulatory requirements for Europe, so the idea is that this third entity will make those decisions without defining new technology <em>or</em> policy intent.</p>
<p>Getting this right requires the new forum to be constituted in a particular way. It has to be constrained by the policymaker’s intent, and can’t define new technology. That means that the technology has to be amenable to configuration – the relevant options need to be available. The logical host for the discussion is a venue controlled by the policymaker, but it needs to be open to broad participation (including online and asynchronous participation) so that the relevant experts can participate. Transparency will be key, and I suspect that the decision making policy will be critical to get right – ideally something close to a consensus model, but the policymaker may need to reserve the right to overrule objections or handle appeals.</p>
<p>Needless to say, I’m excited to see how this forum will work out. If successful, it’s a pattern that could be useful elsewhere.</p>]]>
</content>
</entry>
<entry>
<title>Using AI to Evaluate Internet Standards</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/06/04/using_ai" />
<id>https://www.mnot.net/blog/2025/06/04/using_ai</id>
<updated>2025-06-04T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>Is AI a useful option for policymakers who want to evaluate open standards? Let's take a look.</summary>
<category term="Standards" />
<category term="Web and Internet" />
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/06/04/using_ai">
<![CDATA[<p class="intro">One of the reasons I’m writing the <a href="/blog/series/internet-standards/">Nature of Internet Standards</a> series is to give policymakers tools that help them to understand and evaluate open standards efforts. A big part of that is understanding whether a specification (and the effort that led to it) is really a reflection of open deliberation, consensus processes, appropriate governance, and various other hallmarks of open standards.</p>
<p>Evaluating these factors requires a fair amount of context and nuance. What’s the most 2025 way to avoid that work? Using AI, of course.</p>
<p>Some colleagues were using AI to ask similar questions, and that inspired me to wonder whether it would be a useful option for policymakers who want to evaluate the openness of Internet standards. Let’s find out.</p>
<h2 id="the-privacy-sandbox">The Privacy Sandbox</h2>
<p>Our first experiment is an effort that I’m fairly familiar with, having engaged with it both professionally and <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3891335">academically</a> – Google’s Privacy Sandbox. How will AI portray this longstanding and very politicised effort?</p>
<h3 id="prompt">Prompt</h3>
<p>I started by asking ChatGPT’s “deep research” mode:</p>
<blockquote>
<p>Is the Privacy Sandbox developed in an open standards process? Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>
</blockquote>
<p>It asked for a few clarifications:</p>
<blockquote>
<p>To give you the most accurate and up-to-date analysis, could you clarify a few things:</p>
<ol>
<li>Are you primarily interested in the Privacy Sandbox on the web (i.e., as developed by Chrome and the W3C), or are you also considering the Android Privacy Sandbox?</li>
<li>Do you want a comparison to established open standards processes (e.g., W3C, IETF), or just an evaluation of the Privacy Sandbox initiatives on their own merits?</li>
<li>Are you looking for an overview of industry support (browsers, advertisers, publishers, etc.) and real-world implementation as part of your evaluation of adoption?</li>
</ol>
<p>This will help me tailor the research more precisely.</p>
</blockquote>
<p>To which I replied:</p>
<blockquote>
<p>Just on the Web. A comparison to open standards processes would be good. I don’t need an overview of support and implementation, but the results should take these factors into account.</p>
</blockquote>
<h3 id="response">Response</h3>
<p>After churning through data (and pushing the boundaries of copyright) for a couple of minutes, ChatGPT came up with <a href="https://chatgpt.com/s/dr_68252c4763a08191b9339f52d244060e">this voluminous report</a>. However, the heart of its response is concise and fairly damning:</p>
<blockquote>
<p>In summary, the Privacy Sandbox has been developed in semi-open forums (W3C community groups, public repos, Google blogs) and invites outside input, but it is not a widely supported multi-vendor standard yet. Only Google’s Chrome (and related browsers) implements the APIs, and other browser vendors have developed their own approaches. The process resembles an open-source Google project more than a classic consensus-driven SDO. As Mozilla and others have noted, standards bodies like the W3C and IETF are the “ideal forum” to vet such proposals with full stakeholder oversight. At present, Privacy Sandbox’s governance does not fully align with those open standards processes – it provides considerable transparency and documentation, but its development and adoption remain largely controlled by Google.</p>
</blockquote>
<p>That’s not far off. W3C Community Groups aren’t standards processes; in fact, they’re little more than mailing lists where the proponents get to set almost all of the rules. ChatGPT could have made this more clear, but instead uses lots of hedging phrases like “more than” and “fully align”.</p>
<p>Since the full report mentioned the chair of the Business Group that also discussed the Privacy Sandbox, <a href="http://wendy.seltzer.org">Wendy Seltzer</a>, I asked what she thought. Her response:</p>
<blockquote>
<p>It’s fascinating to follow the sources here, because the Wikipedia article appears to have gotten its last substantive updates in 2024, and is mostly focused on older material ([which is] sometimes wrong). A human researcher would recognize that as not the best authority for recent news. A better human researcher would also ask “is this the question you want to ask, since the non-deprecation of third party cookies has changed the landscape around all these initiatives?”</p>
<p>That illuminates a broader issue of missing context. The answer starts from the premise that “Privacy Sandbox” is something that could be developed in an open standards process, rather than parsing the question, is PS more than the set of APIs and proposals that might fit into standards processes? How do open standards fit into the overall strategy? The GPT report can work for you, an expert in the field who can fill in those aspects, but it could be misleading to someone without the same background.</p>
<p>Some of the sentences quoted from other sources seem off without the context of those sources, e.g. “In January 2020 Google invited ad-tech companies to join the W3C’s Improving Web Advertising Business Group (IWABG) to discuss and give feedback on Privacy Sandbox ideas” reads as implying that Google was the only one doing the inviting.</p>
</blockquote>
<h2 id="quic">QUIC</h2>
<p>Next, let’s try another effort that I’m familiar with: QUIC, the effort to define a new, performance and security-focused transport protocol. I chaired the <a href="https://quicwg.org/">QUIC Working Group</a> (along with Lars Eggert) from its inception until it shipped its core deliverables.</p>
<h3 id="prompt-1">Prompt</h3>
<p>I asked ChatGPT’s “deep research” mode a similar question for QUIC:</p>
<blockquote>
<p>Is QUIC developed in an open standards process? Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>
</blockquote>
<p>and once again, it asked for a similar clarification:</p>
<blockquote>
<p>To best address your question about QUIC, could you please clarify what aspect you’re most interested in?</p>
<ul>
<li>Are you focused more on the technical development and governance process (e.g., how open the standardization process is)?</li>
<li>Or are you more interested in its current implementation and adoption across the industry?</li>
<li>Should I compare it to other protocols or standards in terms of openness and adoption?</li>
</ul>
<p>Let me know so I can tailor the research accordingly.</p>
</blockquote>
<p>I responded:</p>
<blockquote>
<p>Focus on how open the standardisation process was, but consider implementation and adoption in your answer. A comparison with other relevant standards would be helpful.</p>
</blockquote>
<h3 id="response-1">Response</h3>
<p>Here’s the <a href="https://chatgpt.com/share/68253995-9f5c-8009-9dae-405a071aed61">full report</a>. The summary is positively glowing:</p>
<blockquote>
<p>In conclusion, QUIC’s standardization has been as open and transparent as any recent IETF protocol. It was developed in the open IETF process, adhering to OpenStand and WTO/TBT ideals of consensus, transparency, and voluntary adoption. Its final RFCs affirm community consensus, and the IETF infrastructure provided public visibility into every stage. This openness is mirrored by QUIC’s broad support: independent implementers from Google, Mozilla, Apple, Cloudflare, Facebook, and beyond have all deployed QUIC. The resulting ecosystem – with multiple browsers, CDNs, servers and apps supporting QUIC – reinforces that it is a truly open standard, not controlled by any single vendor. By contrast, older protocols like HTTP/2 and TCP underwent similar open processes (IETF consensus, public RFCs) and likewise enjoy ubiquitous implementation. Together, the history and adoption of QUIC demonstrate an effective, open standardization process in line with global best practices.</p>
</blockquote>
<p>First of all, I love the reference to the “WTO/TBT ideals of consensus, transparency, and voluntary adoption.”</p>
<p>But is it accurate? Sort of. The facts here are correct: those companies did participate in the effort, implemented it, and deployed it. The process was open (as can be seen in the minutes and other materials).</p>
<p>I don’t know, however, how it justifies its statements about the quality of consensus – as I’ve written before, <a href="/blog/2024/05/24/consensus">consensus can go wrong in a variety of ways</a>. Others have <a href="https://journals.sagepub.com/doi/full/10.1177/14614448251336438">characterised</a> QUIC’s development as having Google firmly in the “driving seat.” Having been there for the whole standards process, I disagree with that assessment, but I’d at least expect academic work like that to be acknowledged.</p>
<h2 id="is-ai-useful-for-assessing-open-standards">Is AI Useful for Assessing Open Standards?</h2>
<p>I can’t count the number of times that I’ve seen policymakers, journalists, and community members refer to the Privacy Sandbox as “at the W3C” or “being standardised at the W3C.” Given that extremely low bar, ChatGPT’s summary is an improvement. Likewise, I largely agree with its assessment of QUIC, at a high level.</p>
<p>What’s lacking here, however, is any kind of nuance. I can’t escape the feeling that it latches onto a few narratives that appear in source materials and augments them into well-worn clichés, like we see for QUIC. The IETF has a great reputation in many sources, so that gets amplified, but there’s a lack of any critical thought.</p>
<p>That’s not surprising: AI can’t think. If it could, it might wonder about the criteria we’re using for “open standards” here – are those WTO/TBT ideals still relevant, and are they adequately described? Are the processes actually used in working groups lining up with the rhetoric of openness – and how would you find out if they didn’t? And, how much should all of that count if the result isn’t <a href="https://www.mnot.net/blog/2024/03/13/voluntary">proven by market adoption</a>?</p>
<p>In a nutshell: if you must use AI to assess the openness of a standard, only use it for the first pass, check all of the references, and then roll up your sleeves and start talking to people to get the real story.</p>]]>
</content>
</entry>
<entry>
<title>Apple’s Best Option: Decentralize iCloud</title>
<link rel="alternate" type="text/html" href="https://www.mnot.net/blog/2025/02/09/decentralize-icloud" />
<id>https://www.mnot.net/blog/2025/02/09/decentralize-icloud</id>
<updated>2025-02-09T00:00:00Z</updated>
<author>
<name>Mark Nottingham</name>
<uri>https://www.mnot.net/personal/</uri>
</author>
<summary>What can Apple do in the face of a UK order to weaken encryption worldwide? Decentralize iCloud, to start.</summary>
<category term="Tech Regulation" />
<category term="Web and Internet" />
<content type="html" xml:lang="en" xml:base="https://www.mnot.net/blog/2025/02/09/decentralize-icloud">
<![CDATA[<p class="intro">As has been <a href="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/">widely reported</a>, the government of the United Kingdom has secretly ordered Apple to build a back door into iCloud to allow ‘blanket capability to view fully encrypted material.’</p>
<p>Assuming the UK doesn’t back down, what are Apple’s options? This is my personal take: if I’ve missed something, I’d love to hear about it.</p>
<h3 id="option-1-comply">Option 1: Comply</h3>
<p>Most companies would just comply with the order, but Apple is not most companies.</p>
<p>That’s not just because they have <a href="https://www.apple.com/privacy/">marketed themselves as privacy and security conscious</a>, although that presumably factors into their decision. From what I’ve seen from interacting with their engineers and observing how they behave (both in technical standards bodies and in their products), this is a commitment that goes much deeper than just marketing.</p>
<p>More significantly, Apple will be considering the secondary and tertiary consequences of compliance. So far, every democratic country around the world has refrained from making such an order; for example, Australia’s <a href="https://www.mnot.net/blog/2018/11/15/trust_australia">widely debated</a> legislation that mirrors the UK “Snooper’s Charter” has an explicit provision to disallow “systemic weakening” of encryption like we see here.</p>
<p>If the UK successfully forces Apple’s hand, every other government in the world is likely to take notice and consider making similar (or even more extreme) demands. <a href="https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/">CSAM scanning</a> will just be the start: once access to that much data is available, it’s open season for everything from <a href="https://en.wikipedia.org/wiki/Lèse-majesté_in_Thailand">Lèse-majesté</a> to punishing activists and protesters to policing sexual orientation, abortion, and other socially motivated laws. Even if a particular country doesn’t make the same demand of Apple, arrangements like Five Eyes will allow one agency to peer over another’s shoulders.</p>
<p>As I’ve written before, <a href="https://www.mnot.net/blog/2024/04/29/power">no one should have that much power</a>.</p>
<p>In the tinderbox that politics has become in many parts of the world, this is gasoline. I’d pay good money to be a fly on the wall in the meetings taking place with the <a href="https://www.gov.uk/government/organisations/foreign-commonwealth-development-office">Foreign Service</a>, because they of all people should understand the potential global impact of a move like this. Of course, in a world where USAID is shut down by Elon Musk and some teenagers, nothing is off the table – and that’s why we should be so concerned about this outcome.</p>
<h3 id="option-2-leave">Option 2: Leave</h3>
<p>Apple’s second option is to leave the UK. Full stop.</p>
<p>Close the Apple stores, online and retail. Stop providing iCloud, stop selling iPhones and all the other various i-gear. Close the <a href="https://www.businessinsider.com/apple-uk-headquarters-14-billion-redevelopment-battersea-power-station-2016-10">beautiful new UK HQ at Battersea</a>, and lay off (or transfer overseas) around 8,000 employees (reportedly).</p>
<p>This is (obviously) the nuclear option. It puts Apple outside the jurisdiction of the UK,<sup id="fnref:1"><a href="#fn:1" class="footnote" rel="footnote" role="doc-noteref">1</a></sup> and at the same time orphans every UK Apple user – their phones and computers don’t quite become bricks, but they will definitely have limited utility and lifetime.</p>
<p>Given that along with Apple’s claim to <a href="https://www.standard.co.uk/business/apple-s-spectacular-offices-at-battersea-power-station-b1110130.html">support 550,000 UK jobs</a>, it’s likely to be effective – these consequences would make the government extremely unpopular overnight.</p>
<p>However, this option is also massively expensive: reportedly, total Apple revenue in the UK is <a href="https://www.retailgazette.co.uk/blog/2023/07/apple-uk-sales/">something like £1.5bn</a>. Add on top the one-time shutting down costs, and even Apple’s balance sheet will notice.</p>
<p>Perhaps more importantly, this is also a strategically worrisome direction to go in, because it plays into the narrative that Big Tech is more powerful than sovereign nations. Other countries will take notice, and may coordinate to overcome Apple’s reticence. Apple will now have to choose the markets that it operates in based on how it feels about those countries’ commitments to human rights on an ongoing basis – hardly a situation that any CEO wants to be in.</p>
<p>Finally, this option simply won’t work if one of those countries is the United States, Apple’s home. I’ll leave it to you, dear reader, to decide how much you trust your predictions of its actions.</p>
<h3 id="option-3-open-up">Option 3: Open Up</h3>
<p>Apple’s third option is to remove itself as a target in a more subtle way than option two.</p>
<p>The UK is presumably interested in Apple providing this functionality because iCloud’s design makes a massive amount of data convenient to access in one location: Apple’s servers. If that data is instead spread across servers operated by many different parties, it becomes less available.</p>
<p>In effect, this is the <strong>decentralize iCloud</strong> option. Apple would open up its implementation of iCloud so that third-party and self-hosted providers could be used for the same functions. They would need to create interfaces to allow switching, publish some specifications and maybe some test suites, and make sure that there weren’t any intellectual property impediments to implementation.</p>
<p>There could be some impact on Apple revenue here, but I suspect it’s not huge; many people would continue to buy iCloud for convenience, and for non-storage features that Apple bundles in <a href="https://www.apple.com/icloud/">iCloud+</a>.</p>
<p>Think of it this way: Apple provides e-mail service with iCloud, but doesn’t require you to use it: you can use your own or a third party provider without any drama, because they use common protocols and formats. Why should file sync be any different? Why can’t Apple make using a third-party service as seamless and functional as iCloud?</p>
<p>This isn’t a perfect option. Orders could still force weakened encryption, but now they’d have to target many different parties (depending on the details of implementation and deployment), and they’d have to get access to the stored data. If you choose a provider in another jurisdiction, that makes doing so more difficult, depending on what legal arrangements are in place between those jurisdictions; if you self-host, they’ll need to get physical access to your disks.</p>
<h3 id="what-will-and-should-apple-do">What Will (and Should) Apple Do?</h3>
<p>Computer operating systems are fundamental to security: once we lose trust in them, it’s pretty much game over. The UK has chosen a risky and brash path forward, and Apple will need to think carefully about how to navigate it.</p>
<p>It should be no surprise that I favour option three. While Apple is notoriously a closed company, it’s not completely averse to collaborating and working in the open when doing so is in its interests – and, given its other options, that’s arguably the case here.</p>
<p>Conceivably, Apple might even be forced into taking the “decentralize iCloud” option if regulators like those implementing the Digital Markets Act in the EU decide that doing so is necessary for competition. Apple has been <a href="https://ec.europa.eu/competition/digital_markets_act/cases/202344/DMA_100025_228.pdf">designated as a gatekeeper</a> for the ‘core platform service’ provided by iOS, and while that designation currently doesn’t include file synchronisation services, that might change.</p>
<p>Of course, the UK government may back down. However, the barrier to some other government taking similar steps is now smaller, and Apple would do well to consider its longer term options even if action turns out to be unnecessary right now.</p>
<p><em>Thanks to <a href="https://eupolicy.social/@1br0wn">Ian Brown</a> for his input to this article.</em></p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1">
<p>Presumably. Both inter-jurisdictional coordination and extraterritorial application of the law may complicate that. IANAL. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>]]>
</content>
</entry>
</feed>
{
"cache-control": "max-age=43200",
"cf-cache-status": "DYNAMIC",
"cf-ray": "9c508b4a803b724e-CMH",
"connection": "keep-alive",
"content-language": "en",
"content-length": "54501",
"content-type": "application/atom+xml",
"date": "Wed, 28 Jan 2026 12:37:57 GMT",
"etag": "\"d4e5-648dc2f7c3ba1\"",
"last-modified": "Wed, 21 Jan 2026 01:53:06 GMT",
"server": "cloudflare",
"strict-transport-security": "max-age=15552000"
}
{
"meta": {
"type": "atom",
"version": "1.0"
},
"language": null,
"title": "mark nottingham",
"description": null,
"copyright": null,
"url": "https://www.mnot.net/blog/",
"self": "https://www.mnot.net/blog/index.atom",
"published": null,
"updated": "2026-01-21T01:53:01.000Z",
"generator": null,
"image": null,
"authors": [],
"categories": [],
"items": [
{
"id": "https://www.mnot.net/blog/2026/01/20/open_web",
"title": "Some Thoughts on the Open Web",
"description": "The Open Web means several things to different people, depending on context, but recently discussions have focused on the Web's Openness in terms of access to information -- how easy it is to publish and obtain information without barriers there.",
"url": "https://www.mnot.net/blog/2026/01/20/open_web",
"published": null,
"updated": "2026-01-20T00:00:00.000Z",
"content": "<p class=\"intro\">“The Open Web” means several things to different people, depending on context, but recently discussions have focused on the Web’s Openness in terms of <strong>access to information</strong> -- how easy it is to publish and obtain information without barriers there.</p>\n\n<p>David Schinazi and I hosted a pair of ad hoc sessions on this topic at the last IETF meeting in Montreal and the subsequent W3C Technical Plenary in Kobe; you can see the <a href=\"https://docs.google.com/document/d/1WaXDfwPP6olY-UVQxDZKNkUyqvmHt-u4kREJW4ys6ms/edit?usp=sharing\">notes and summaries from those sessions</a>. This post contains my thoughts on the topic so far, after some simmering.</p>\n\n<h3 id=\"the-open-web-is-amazing\">The Open Web is Amazing</h3>\n\n<p>For most of human history, it’s been difficult to access information. As an average citizen, you had to work pretty hard to access academic texts, historical writings, literature, news, public information, and so on. Libraries were an amazing innovation, but locating and working with the information there was still a formidable challenge.</p>\n\n<p>Likewise, publishing information for broad consumption required resources and relationships that were unavailable to most people. Gutenberg famously broke down some of those barriers, but many still remained: publishing and distributing books (or articles, music, art, films) required navigating extensive industries of gatekeepers, and often insurmountable costs and delays.</p>\n\n<p>Tim Berners-Lee’s invention cut through all of that; it was now possible to communicate with the whole world at very low cost and almost instantaneously. 
Various media industries were disrupted (but not completely displaced) by this innovation, and reinterpreted roles for intermediaries (e.g., search engines for librarians, online marketplaces for ‘brick and mortar’ shops) were created.</p>\n\n<p>Critically, a norm was also created; an expectation that content was easy to access, didn’t require paying or logging in. This was not enforced, and it was not always honoured: there were still subscription sites, and that’s OK, but they didn’t see the massive network effects that hyperlinks and browsers brought.</p>\n\n<p>It is hard to overstate the benefits of this norm. Farmers in developing countries now have easy access to guidelines and data that help their crops succeed. Students around the world have access to resources that were unimaginable even a few decades ago. They can also contribute to that global commons of content, benefiting others as they build a reputation for themselves.</p>\n\n<p>The Open Web is an amazing public good, both for those who consume information and those who produce it. By reducing costs and friction on both sides, it allows people all over the world to access and create information in a way -- and with an ease -- that would have been unimaginable to our predecessors. It’s worth fighting for.</p>\n\n<h3 id=\"people-have-different-motivations-for-opening-content\">People Have Different Motivations for Opening Content</h3>\n\n<p>We talk about “The Open Web” in the singular, but in fact there are many motivations for making content available freely online.</p>\n\n<p>Some people consciously make their content freely available on the Web because they want to contribute to the global commons, to help realise all of the benefits described above.</p>\n\n<p>Many don’t, however.</p>\n\n<p>Others do it because they want to be discovered and build a reputation. Or because they want to build human connections. Or because they want revenue from putting ads next to the content. 
Or because they want people to try their content out and then subscribe to it on the less-than-open Web.</p>\n\n<p>Most commonly, it’s a blend of many (or even all) of these motivations.</p>\n\n<p>Discussions of the Open Web need to consider all of them distinctly -- what about their environments are changing, and what might encourage or discourage different kinds of Open Web publishers. Only focusing on some motivations or creating “purity tests” for content isn’t helpful.</p>\n\n<h3 id=\"there-are-many-degrees-of-open\">There are Many Degrees of “Open”</h3>\n\n<p>Likewise, there are many degrees of “open.” While some Open Web content doesn’t come with any strings, much of it does. You might have to allow tracking for ads. While an article might be available to search engines (to drive traffic), you might have to register for an account to view the content as an individual.</p>\n\n<p>There are serious privacy considerations associated with both of these, but those concerns should be considered as distinct from those regarding open access to information. People sometimes need to get a library card to access information at their local library (in person or online), but that doesn’t make the information less open.</p>\n\n<p class=\"callout\">One of the most interesting assertions at the meetings we held was about advertising-supported content: that it was <em>more</em> equitable than “micro-transactions” and similar pay-to-view approaches, because it makes content available to those who would otherwise not be able to afford it.</p>\n\n<p>At the same time, these ‘small’ barriers – for example, requirements to log in after reading three articles – add up, reducing the openness of the content. 
If the new norm is that everyone has to log in everywhere to get Web content (and we may be well on our way to that), the Open Web suffers.</p>\n\n<p>Similarly, some open content is free to all comers and can be reused at will, where other examples have technical barriers (such as bot blockers or other selective access schemes) and/or legal barriers (namely, copyright restrictions).</p>\n\n<h3 id=\"it-has-to-be-voluntary\">It Has to be Voluntary</h3>\n\n<p>Everyone who publishes on the Open Web does so because they want to – because the benefits they realise (see above) outweigh any downsides.</p>\n\n<p>Conversely, any content not on the Open Web is not there because the owner has made the judgement that it is not worthwhile for them to do so. They cannot be forced to “open up” that content -- they can only be encouraged.</p>\n\n<p>Affordances and changes in infrastructure, platforms, and other aspects of the ecosystem -- sometimes realised in technical standards, sometimes not -- might change that incentive structure and create the conditions for more or less content on the Open Web. They cannot, however, be forced or mandated.</p>\n\n<p>To me, this means that attempts to coerce different parties into desired behaviors are unlikely to succeed – they have to <em>want</em> to provide their content. That includes strategies like withholding capabilities from them; they’ll just go elsewhere to obtain them, or put their content beyond a paywall.</p>\n\n<h3 id=\"its-changing-rapidly\">It’s Changing Rapidly</h3>\n\n<p>We’re talking about the Open Web now because of the introduction of AI -- a massive disruption to the incentives of many content creators and publishers, because AI both leverages their content (through scraping for training) and competes with it (because it is generative).</p>\n\n<p>For those who opened up their content because they wanted to establish reputation and build connectivity, this feels exploitative. 
They made their content available to benefit people, and it turns out that it’s benefiting large corporations who claim to be helping humanity but have failed to convince many.</p>\n\n<p>For those who want to sell ads next to their content or entice people to subscribe, this feels like betrayal. Search engines built an ecosystem that benefited publishers and the platforms,but publishers see those same platforms as continually taking more value from the relationship -- as seen in efforts to force intermediation like AMP, and now AI, where sites get drastically reduced traffic in exchange for nothing at all.</p>\n\n<p>And so people are blocking bots, putting up paywalls, changing business models, and yanking their content off the Open Web. The commons is suffering because technology (which always makes <em>something</em> easier) now makes content creation <em>and</em> consumption easier, so long as you trust your local AI vendor.</p>\n\n<p>This change is unevenly distributed. There are still people happily publishing open content in formats like RSS, which doesn’t facilitate tracking or targeting, and is wide open to scraping and reuse. That said, there are large swathes of content that are disappearing from the Open Web because it’s no longer viable for the publisher; the balance of incentives for them has changed.</p>\n\n<h3 id=\"open-is-not-free-to-provide\">Open is Not Free to Provide</h3>\n\n<p>Information may be a non-rivalrous good, but that doesn’t mean it’s free to provide. 
The people who produce it need to support themselves.</p>\n\n<p>That doesn’t mean that their interests dominate all others, nor that the structures that have evolved are the best (or even a good) way to assure that they can do so; these are topics better suited for copyright discussions (where there is a very long history of such considerations being debated).</p>\n\n<p>Furthermore, on a technical level serving content to anyone who asks for it on a global scale might be a commodity service now -- and so very inexpensive to do, in some cases -- but it’s not free, and the costs add up at scale. These costs -- again, alongside the perceived extractive nature of the relationship -- are causing some to <a href=\"https://social.kernel.org/notice/B2JlhcxNTfI8oDVoyO\">block or otherwise try to frustrate</a> these uses.</p>\n\n<p>Underlying this factor is an argument about whether it’s legitimate to say you’re on ‘the Open Web’ while selectively blocking clients you don’t like – either because they’re abusive technically (over-crawling), or because you don’t like what they do with the data. My observation here is that however you feel about it, that practice is now very, very widespread – evidence of great demand on the publisher side. If that capability were taken away, I strongly suspect the net result would be very negative for the Open Web.</p>\n\n<h3 id=\"its-about-control\">It’s About Control</h3>\n\n<p>Lurking beneath all of these arguments is a tension between the interests of those who produce and use content. 
Forgive me for resorting to hyperbole: some content people want pixel-perfect control not only over how their information is presented but how it is used and who uses it, and some open access advocates want all information to be usable for any purpose any time and anywhere.</p>\n\n<p>Either of these outcomes (hyperbole as they are) would be bad for the Open Web.</p>\n\n<p>The challenge, then, is finding the right balance – a Web where content producers have incentives to make their content available in a way that can be reused as much as is reasonable. That balance needs to be stable and sustainable, and take into account shocks like the introduction of AI.</p>\n\n<h3 id=\"a-way-forward\">A Way Forward</h3>\n\n<p>Having an Open Web available for humanity is not a guaranteed outcome; we may end up in a future where easily available information is greatly diminished or even absent.</p>\n\n<p>With that and all of the observations above in mind, what’s most apparent to me is that we should focus on finding ways to create and strengthen incentives to publish content that’s open (for some definition of open) -- understanding that people might have a variety of motivations for doing so. If environmental factors like AI change their incentives, we need to understand why and address the underlying concerns if possible.</p>\n\n<p>In other words, we have to create an Internet where people <em>want</em> to publish content openly – for some definition of “open.” Doing that may challenge the assumptions we’ve made about the Web as well as what we want “open” to be. What’s worked before may no longer create the incentive structure that leads to the greatest amount of content available to the greatest number of people for the greatest number of purposes.</p>",
"image": null,
"media": [],
"authors": [
{
"name": "Mark Nottingham",
"email": null,
"url": "https://www.mnot.net/personal/"
}
],
"categories": [
{
"label": "Web and Internet",
"term": "Web and Internet",
"url": null
}
]
},
{
"id": "https://www.mnot.net/blog/2025/10/26/equitable-meetings",
"title": "Principles for Global Online Meetings",
"description": "Some thoughts about how to schedule online meetings for a global organisation in an equitable way.",
"url": "https://www.mnot.net/blog/2025/10/26/equitable-meetings",
"published": null,
"updated": "2025-10-26T00:00:00.000Z",
"content": "<p class=\"intro\">One of the tricker problems for organisations that aspire to be global is scheduling a series of meetings. While the Internet has brought the ability to meet with colleagues and stakeholders all over the world, it hasn’t been able to get everyone on the same daily tempo – the earth is still not flat.</p>\n\n<p>As someone who has participated in such organisations from Australia for nearly two decades, I’ve formed some fairly strong opinions about how their meetings should be arranged. What follows is an attempt to distill those thoughts into a set of principles that’s flexible enough to apply to a variety of situations.</p>\n\n<p>Keep in mind the intended application is to a series of global meetings, not a single one-off event. Also, if the set of people who need to attend a given meeting are in timezones that lead to an agreed-to “good” time, you should use that time – but then I question if your organisation is really global. For the rest, read on.</p>\n\n<h3 id=\"0-its-about-equity\">0. It’s About Equity</h3>\n<p>For global organisations, meeting scheduling is an equity issue. Arranging a meeting where some people can attend from the convenience of their office in normal business hours while others have to stay up into the middle of the night is not equitable – the former have very low friction for attending, while the latter have to disrupt their lives, families, relationships, and sleep cycles to attend.</p>\n\n<p>When a person does make the extra effort to attend at a less-than-ideal hour, they will not be at their best. Being awake outside your normal hours means that you aren’t thinking as clearly and might react more emotionally than otherwise. Interrupting an evening after a long day can impact your focus. Effective participation is difficult under these conditions.</p>\n\n<p>I cast this as an equity issue because I’ve observed that many don’t perceive it that way. 
This is often the case if someone’s experience is that most meetings are scheduled at reasonable hours, they don’t have to think about it, and people in other parts of the world staying up late or getting up early to talk to them is normal. It’s only when people realise this privilege and challenge what’s normal that progress can be made. If you want a truly global organisation, people need to be able to participate on equal footing, and that means that some people will need to make what looks like – to them – sacrifices, because they’re used to things being a certain way.</p>\n\n<h3 id=\"1-share-pain-with-rotation\">1. Share Pain with Rotation</h3>\n<p>With that framing as an equity issue in mind, it becomes clear what must be done: the ‘pain’ of participating needs to be shared in a way that’s equitable. The focus then becomes characterising what pain is, and how to dole it out in a fair way while still holding functional meetings.</p>\n\n<p>The most common method for scheduling a meeting that involves people from all over the globe involves picking “winners” and “losers”. Mary and Joe in North America get a meeting in their daytime; the Europeans have something in their evening, and Asia/Pacific folks have to get up early. Australians get the hardest service – they’re usually up past midnight, but sometimes get roused at 5am or so, depending on the fluctuations of daylight savings. Often, this will be justified with a poll or survey asking for preferences, but one where all options are reasonable for a priviledged set of participants, and most are unreasonable for others.</p>\n\n<p>This is all wrapped up in very logical explanations: it’s the constraints we work within, the locations of the participants narrow down the options, it doesn’t make sense to inconvenience a large number of people for the benefit of a few. 
Or the kicker: if we scheduled the meeting at that time, the folks who are used to having meetings at good times for them wouldn’t come.</p>\n\n<p>All of those are poor excuses that should be challenged, but often aren’t because this privilege is so deeply embedded.</p>\n\n<p>What can be done? The primary tool for pain-sharing is <strong>rotation</strong>. Schedule meetings in rotating time slots so that everyone has approximately the same number of “good”, “ok”, and “bad” time slots. This is how you put people on even footing.</p>\n\n<p>It may even mean intentionally scheduling in a way that people will miss a slot – e.g., two out of three. In this case, you’ll need to build tools to make sure that information is shared between meetings (you should be keeping minutes and, tracking action items, and creating summaries anyway!), that decisions don’t happen in any one meeting, and that people have a chance to see a variety of people, not just the same subset every time.</p>\n\n<p>For example, imagine an organisation that needs to meet weekly, and has three members in different parts of Europe, five across North America, two in China, and one each in Australia and India. If they rotate between three time slots for their meetings, they might end up with:</p>\n\n<ul>\n <li>UTC: 02:00 / 11:00 / 17:00</li>\n <li>Australia/Eastern: 12:00 / 21:00 / 03:00 (+1d)</li>\n <li>China/Shanghai: 10:00 / 19:00 / 01:00 (+1d)</li>\n <li>US/Eastern: 22:00 (-1d) / 07:00 / 14:00</li>\n <li>Europe/Central: 04:00 / 13:00 / 19:00</li>\n <li>India/Mumbai: 07:30 / 16:30 / 22:30</li>\n</ul>\n\n<p>Notice that everyone has approximately one “good” slot, one “ok” slot, and one “bad” slot – depending on each individual’s preferences, of course.</p>\n\n<p>One objection I’ve heard to this approach is that it would lead to a state where most of the people go to just one or two of the meetings, and the others are poorly attended. 
That kind of fragmentation is certainly possible, but in my opinion it says more about the diversity of your organisation and the commitment of the people attending the meeting – both factors that should be separately addressed, not loaded onto some of the participants as meeting pain. Doing so is saying that some people won’t attend if they’re exposed to the conditions that they ask of others.</p>\n\n<h3 id=\"2-pain-is-individual\">2. Pain is Individual</h3>\n<p>A common approach to scheduling weighs decisions by how many people are in each timezone. For example, if you’ve got ten people in North America, three in Europe, and one in Asia, you should obviously arrange things to inconvenience the fewest number of people, right?</p>\n\n<p>The problem is, each of those people experiences the pain individually – it is not a collective phenomenon. The person in Asia doesn’t experience 1/14th of the pain if they need to get up at 4:30am for a call. Making things slightly inconvenient for the North Americans doesn’t magnify the pain they experience times ten.</p>\n\n<p>So, don’t weigh your decisions by how many people are in a particular timezone or region. Of course there are limits to this principle – if it’s 100:1 you need to be able to function as a group (e.g., be quorate). But again, I’m questioning whether you’re really a global organisation here; you’re effectively gaslighting the people who are trying to participate from elsewhere by calling yourself one.</p>\n\n<h3 id=\"3-pain-is-specific\">3. Pain is Specific</h3>\n<p>It’s easy to fall into the trap of assuming that everyone’s circumstances are the same – that if a 7am meeting is painful for you, it’s equally painful for someone else.</p>\n\n<p>In reality, some people are morning people, while others don’t mind staying up until 2am. 
Some people might have a family dinner every Thursday night that would be disrupted by your meeting, while others are happy to use that time because that’s when they have the house to themselves.</p>\n\n<p>This means you need to ask what people’s preferences and conflicts are, rather than (for example) assume that 7am-9am is ok, 9am-5pm is good, 5pm-10pm is ok, and everything else is bad. The mechanics of how that information is gathered depends upon the nature of your group, but it needs to be sensitive to privacy and resistant to gaming.</p>\n\n<h3 id=\"4-pain-is-relative\">4. Pain is Relative</h3>\n<p>One of the complications of scheduling meetings across timezones is balancing the various kinds of conflicts and inconveniences that they bring up for a proposed time slot. John has to pick up the kids in that timeslot; Hiro is eating breakfast. Marissa needs to have dinner with her family. And Mark just wants a good night’s sleep for once.</p>\n\n<p>I propose a hierarchy of inconvenience and pain, from most to least impactful:</p>\n\n<ol>\n <li>Rearranging your life - changing your sleep schedule, working on weekends (remember, Friday in North America is Saturday in other parts of the world)</li>\n <li>Rearranging family life - shifting meals, changing child or elderly care arrangements</li>\n <li>Moving other meetings - managing conflicts with other professional commitments</li>\n</ol>\n\n<p>When asking for conflicts for a given time slot, the higher items should always override the lower forms of pain. I’m sure this could be elaborated upon and extended, but it’s a good starting point.</p>\n\n<p>I sometimes also hear about another kind of pain: that rotating meetings makes it hard for some people to keep their calendars. To me, this isn’t #4; it’s #100.</p>\n\n<h3 id=\"5-circumstances-change\">5. Circumstances Change</h3>\n<p>People aren’t static. Their lives change, their families change, their health changes. 
If your meetings are scheduled over long periods of time, that means you need to be responsive to these changes, periodically checking to see if their preferences need updating.</p>\n\n<p>I used to be a night person. I’d be up until at least midnight, sometimes two or three, and mornings would be a real struggle. However, as I’ve gotten older, I’m finding that many mornings I wake naturally at five or so, and I’m ready to sleep at around 10pm unless I’m out of the house. That change has fundamentally affected how I attend meetings.</p>\n\n<p>And, of course, if you have participants in the Southern hemisphere (and you should!), you have to account for the differences in daylight savings, due to the differences in seasons. It’s not just a one-hour shift – it’s two, and that can make a big difference to someone’s quality of life.</p>\n\n<h3 id=\"6-respect-peoples-time\">6. Respect People’s Time</h3>\n<p>Appreciate that what’s just another meeting in the middle of your workday is a huge effort in the middle of the night for someone else; don’t fritter away a substantial portion on chitchat. Have an agenda and be prepared to make the meeting valuable. Use offline, asynchronous tools when they’re more appropriate.</p>\n\n<p>Likewise, don’t cancel or re-schedule a meeting at the last minute (or even last day). Setting an alarm for an early meeting and struggling through getting presentable and caffeinated only to find it’s been axed is distinctly unpleasant.</p>",
"image": null,
"media": [],
"authors": [
{
"name": "Mark Nottingham",
"email": null,
"url": "https://www.mnot.net/personal/"
}
],
"categories": []
},
{
"id": "https://www.mnot.net/blog/2025/09/20/configuration",
"title": "Bridging the Gap Between Standards and Policy",
"description": "Achieving policymakers' goals in coordination with Internet standards activity can be difficult. This post explores some of the options and considerations involved.",
"url": "https://www.mnot.net/blog/2025/09/20/configuration",
"published": null,
"updated": "2025-09-20T00:00:00.000Z",
"content": "<p>Internet standards bodies like the IETF and W3C are places where experts can come to agreement about the details of how technology should work. These communities have the deep experience that allows them to guide the evolution of the Internet towards common goals.</p>\n\n<p>Policymakers have none of that technical expertise, but are the legitimate source of policy decisions in any functioning society. They don’t have the means to develop new technical proposals: while most countries have a national standard body, their products are a poor fit for a global Internet, and those bodies generally lack specific expertise.</p>\n\n<p>So, it might seem logical for policymakers to turn to Internet standards bodies to develop the technical solutions for their policy goals, trusting the open process and community involvement to produce a good solution. Unfortunately, doing so can create problems that will cause such efforts to fail.</p>\n\n<h3 id=\"whats-the-problem\">What’s the Problem?</h3>\n\n<p>A few different issues often become apparent when policymakers pre-emptively specify a standard.</p>\n\n<p>First, as discussed previously the <a href=\"https://www.mnot.net/blog/2024/03/13/voluntary\">voluntary nature of Internet standards</a> acts as a proving function for them: if implementers don’t implement or users don’t use, the standard doesn’t matter. If a legal mandate to use a particular standard precedes that proof of viability, it distorts the incentives for participation in the process, because the power relationships between participants have changed – it’s no longer voluntary for the targets of the regulation, and the tone of the effort shifts from being <a href=\"https://www.mnot.net/blog/2024/07/16/collaborative_standards\">collaborative</a> to competitive.</p>\n\n<p>Second, Internet standards are created by <a href=\"https://www.mnot.net/blog/2024/05/24/consensus\">consensus</a>. 
That approach to decision making is productive when there is reasonable alignment between participants’ motives, but it’s not well suited to handling fundamental conflicts about societal values. That’s because while technical experts might be good at weighing technical arguments and generally adhering to widely agreed-to principles (whether they be regarding Internet architecture or human rights), it’s much more difficult for them to adjudicate direct conflict between values outside their areas of expertise. In these circumstances, the outcome is often simply a lack of consensus.</p>\n\n<p>Third, jurisdictions often have differences in their policy goals, but the Internet is global, and so are its standards bodies, who want the Internet to be interoperable regardless of borders. If policy goals aren’t widely shared and aligned between countries, it becomes even more difficult to come to consensus.</p>\n\n<p>Fourth, making decisions with societal impact in a technical expert body raises fundamental legitimacy issues. That’s not to say that Internet standards can’t or shouldn’t (or don’t) change society in significant ways, but that’s done from the position of private actors coordinating to achieve a common goal through well-understood processes, within the practical boundaries of the commonalities of the applicable legal frameworks. It’s entirely different for a contentious policy decision to be delegated by policymakers to a non-representative technical body.</p>\n\n<p>So, what’s a policymaker to do?</p>\n\n<h3 id=\"patience-is-a-virtue\">Patience is a Virtue</h3>\n\n<p>One widely repeated recommendation for policymakers is to avoid specifying the work or even a venue for it in regulation or legislation until <em>after</em> it’s been created and its viability is proven by some amount of market adoption. 
Instead, the policymaker should just hint that an industry standard that serves a particular policy goal would be useful.</p>\n\n<p>However, this approach comes with a few caveats:</p>\n<ul>\n <li>A set of proponents that drives the standards work has to emerge, and they need to be at least somewhat aligned with the policy goal</li>\n <li>Consensus-based technical standards are slow, so policymakers have to have realistic expectations about the timeline</li>\n <li>If the targets of the regulation don’t participate in the standards process, they may be able to reasonably claim that what results can’t be implemented by them</li>\n</ul>\n\n<p>These issues aren’t impossible to address: they just require good communication, alignment of incentives, management of expectations, and careful diligence.</p>\n\n<h3 id=\"add-a-configuration-layer\">Add a Configuration Layer</h3>\n\n<p>Even if the policymaker waits for the outcome of the standards process, it’s rare for the policy decisions to be cleanly separable from the technology that needed to be created. Choices need to be made about how the technology is used and how it maps to the policy goals of a specific jurisdiction.</p>\n\n<p>One intriguing way to manage that gap is to span it with a new entity – one that creates neither technical specifications nor policy goals, but instead is explicitly constituted to define how to meet the stated policy goals using already available technology. That leaves policy formation in the hands of policymakers and technical design in the hands of technologists.</p>\n\n<p>In technology terms, this is a configuration layer: clearly and cleanly separating the concerns of how the technology is designed from how it is used. It still requires the technology to exist and have the appropriate configuration “interfaces”, but promises to take a large part of the policy pressure off of the standards process.</p>\n\n<p>An example of this approach is just being started by the European Commission now. 
At IETF 123, they explained a proposal for a <a href=\"https://www.iepg.org/2025-07-20-ietf123/slides-123-iepg-sessa-multi-stakeholder-forum-on-internet-standards-deployment-00.pdf\">Multi-stakeholder Forum on Internet Standards Deployment</a> that fills the gap between the definition of Internet security mechanisms and the policy intent of making European networks more secure. Policymakers have no desire to refer to specific RFCs in legislation, and Internet technologists don’t want to define regulatory requirements for Europe, so the idea is that this third entity will make those decisions without defining new technology <em>or</em> policy intent.</p>\n\n<p>Getting this right requires the new forum to be constituted in a particular way. It has to be constrained by the policymaker’s intent, and can’t define new technology. That means that the technology has to be amenable to configuration – the relevant options need to be available. The logical host for the discussion is a venue controlled by the policymaker, but it needs to be open to broad participation (including online and asynchronous participation) so that the relevant experts can participate. Transparency will be key, and I suspect that the decision making policy will be critical to get right – ideally something close to a consensus model, but the policymaker may need to reserve the right to overrule objections or handle appeals.</p>\n\n<p>Needless to say, I’m excited to see how this forum will work out. If successful, it’s a pattern that could be useful elsewhere.</p>",
"image": null,
"media": [],
"authors": [
{
"name": "Mark Nottingham",
"email": null,
"url": "https://www.mnot.net/personal/"
}
],
"categories": [
{
"label": "Tech Regulation",
"term": "Tech Regulation",
"url": null
},
{
"label": "Standards",
"term": "Standards",
"url": null
},
{
"label": "Web and Internet",
"term": "Web and Internet",
"url": null
}
]
},
{
"id": "https://www.mnot.net/blog/2025/06/04/using_ai",
"title": "Using AI to Evaluate Internet Standards",
"description": "Is AI a useful option for policymakers who want to evaluate open standards? Let's take a look.",
"url": "https://www.mnot.net/blog/2025/06/04/using_ai",
"published": null,
"updated": "2025-06-04T00:00:00.000Z",
"content": "<p class=\"intro\">One of the reasons I’m writing the <a href=\"/blog/series/internet-standards/\">Nature of Internet Standards</a> series is to give policymakers tools that help them to understand and evaluate open standards efforts. A big part of that is understanding whether a specification (and the effort that led to it) is really a reflection of open deliberation, consensus processes, appropriate governance, and various other hallmarks of open standards.</p>\n\n<p>Evaluating these factors requires a fair amount of context and nuance. What’s the most 2025 way to avoid that work? Using AI, of course.</p>\n\n<p>Some colleagues were using AI to ask similar questions, and that inspired me to wonder whether it would be a useful option for policymakers who want to evaluate the openness of Internet standards. Let’s find out.</p>\n\n<h2 id=\"the-privacy-sandbox\">The Privacy Sandbox</h2>\n\n<p>Our first experiment is an effort that I’m fairly familiar with, having engaged with it both professionally and <a href=\"https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3891335\">academically</a> – Google’s Privacy Sandbox. How will AI portray this longstanding and very politicised effort?</p>\n\n<h3 id=\"prompt\">Prompt</h3>\n\n<p>I started by asking ChatGPT’s “deep research” mode:</p>\n\n<blockquote>\n <p>Is the Privacy Sandbox developed in an open standards process? 
Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>\n</blockquote>\n\n<p>It asked for a few clarifications:</p>\n\n<blockquote>\n <p>To give you the most accurate and up-to-date analysis, could you clarify a few things:</p>\n\n <ol>\n <li>Are you primarily interested in the Privacy Sandbox on the web (i.e., as developed by Chrome and the W3C), or are you also considering the Android Privacy Sandbox?</li>\n <li>Do you want a comparison to established open standards processes (e.g., W3C, IETF), or just an evaluation of the Privacy Sandbox initiatives on their own merits?</li>\n <li>Are you looking for an overview of industry support (browsers, advertisers, publishers, etc.) and real-world implementation as part of your evaluation of adoption?</li>\n </ol>\n\n <p>This will help me tailor the research more precisely.</p>\n</blockquote>\n\n<p>To which I replied:</p>\n\n<blockquote>\n <p>Just on the Web. A comparison to open standards processes would be good. I don’t need an overview of support and implementation, but the results should take these factors into account.</p>\n</blockquote>\n\n<h3 id=\"response\">Response</h3>\n\n<p>After churning through data (and pushing the boundaries of copyright) for a couple of minutes, ChatGPT came up with <a href=\"https://chatgpt.com/s/dr_68252c4763a08191b9339f52d244060e\">this voluminous report</a>. However, the heart of its response is concise and fairly damning:</p>\n\n<blockquote>\n <p>In summary, the Privacy Sandbox has been developed in semi-open forums (W3C community groups, public repos, Google blogs) and invites outside input, but it is not a widely supported multi-vendor standard yet. Only Google’s Chrome (and related browsers) implements the APIs, and other browser vendors have developed their own approaches. 
The process resembles an open-source Google project more than a classic consensus-driven SDO. As Mozilla and others have noted, standards bodies like the W3C and IETF are the “ideal forum” to vet such proposals with full stakeholder oversight. At present, Privacy Sandbox’s governance does not fully align with those open standards processes – it provides considerable transparency and documentation, but its development and adoption remain largely controlled by Google.</p>\n</blockquote>\n\n<p>That’s not far off. W3C Community Groups aren’t standards processes; in fact, they’re little more than mailing lists where the proponents get to set almost all of the rules. ChatGPT could have made this more clear, but instead uses lots of hedging phrases like “more than” and “fully align”.</p>\n\n<p>Since the full report mentioned the chair of the Business Group that also discussed the Privacy Sandbox, <a href=\"http://wendy.seltzer.org\">Wendy Seltzer</a>, I asked what she thought. Her response:</p>\n\n<blockquote>\n <p>It’s fascinating to follow the sources here, because the Wikipedia article appears to have gotten its last substantive updates in 2024, and is mostly focused on older material ([which is] sometimes wrong). A human researcher would recognize that as not the best authority for recent news. A better human researcher would also ask “is this the question you want to ask, since the non-deprecation of third party cookies has changed the landscape around all these initiatives?”</p>\n\n <p>That illuminates a broader issue of missing context. The answer starts from the premise that “Privacy Sandbox” is something that could be developed in an open standards process, rather than parsing the question, is PS more than the set of APIs and proposals that might fit into standards processes? How do open standards fit into the overall strategy? 
The GPT report can work for you, an expert in the field who can fill in those aspects, but it could be misleading to someone without the same background.</p>\n\n <p>Some of the sentences quoted from other sources seem off without the context of those sources, e.g. “In January 2020 Google invited ad-tech companies to join the W3C’s Improving Web Advertising Business Group (IWABG) to discuss and give feedback on Privacy Sandbox ideas” reads as implying that Google was the only one doing the inviting.</p>\n</blockquote>\n\n<h2 id=\"quic\">QUIC</h2>\n\n<p>Next, let’s try another effort that I’m familiar with: QUIC, the effort to define a new, performance and security-focused transport protocol. I chaired the <a href=\"https://quicwg.org/\">QUIC Working Group</a> (along with Lars Eggert) from its inception until it shipped its core deliverables.</p>\n\n<h3 id=\"prompt-1\">Prompt</h3>\n\n<p>I asked ChatGPT’s “deep research” mode a similar question for QUIC:</p>\n\n<blockquote>\n <p>Is QUIC developed in an open standards process? 
Consider the venue(s) it’s developed in, their governance, openness, and conformance to other widely recognised signifiers of open standards processes, breadth of implementation, and adoption.</p>\n</blockquote>\n\n<p>and once again, it asked for a similar clarification:</p>\n\n<blockquote>\n <p>To best address your question about QUIC, could you please clarify what aspect you’re most interested in?</p>\n\n <ul>\n <li>Are you focused more on the technical development and governance process (e.g., how open the standardization process is)?</li>\n <li>Or are you more interested in its current implementation and adoption across the industry?</li>\n <li>Should I compare it to other protocols or standards in terms of openness and adoption?</li>\n </ul>\n\n <p>Let me know so I can tailor the research accordingly.</p>\n</blockquote>\n\n<p>I responded:</p>\n\n<blockquote>\n <p>Focus on how open the standardisation process was, but consider implementation and adoption in your answer. A comparison with other relevant standards would be helpful.</p>\n</blockquote>\n\n<h3 id=\"response-1\">Response</h3>\n\n<p>Here’s the <a href=\"https://chatgpt.com/share/68253995-9f5c-8009-9dae-405a071aed61\">full report</a>. The summary is positively glowing:</p>\n\n<blockquote>\n <p>In conclusion, QUIC’s standardization has been as open and transparent as any recent IETF protocol. It was developed in the open IETF process, adhering to OpenStand and WTO/TBT ideals of consensus, transparency, and voluntary adoption. Its final RFCs affirm community consensus, and the IETF infrastructure provided public visibility into every stage. This openness is mirrored by QUIC’s broad support: independent implementers from Google, Mozilla, Apple, Cloudflare, Facebook, and beyond have all deployed QUIC. The resulting ecosystem – with multiple browsers, CDNs, servers and apps supporting QUIC – reinforces that it is a truly open standard, not controlled by any single vendor. 
By contrast, older protocols like HTTP/2 and TCP underwent similar open processes (IETF consensus, public RFCs) and likewise enjoy ubiquitous implementation. Together, the history and adoption of QUIC demonstrate an effective, open standardization process in line with global best practices.</p>\n</blockquote>\n\n<p>First of all, I love the reference to the “WTO/TBT ideals of consensus, transparency, and voluntary adoption.”</p>\n\n<p>But is it accurate? Sort of. The facts here are correct: those companies did participate in the effort, implemented it, and deployed it. The process was open (as can be seen in the minutes and other materials).</p>\n\n<p>I don’t know, however, how it justifies its statements about the quality of consensus – as I’ve written before, <a href=\"/blog/2024/05/24/consensus\">consensus can go wrong in a variety of ways</a>. Others have <a href=\"https://journals.sagepub.com/doi/full/10.1177/14614448251336438\">characterised</a> QUIC’s development as having Google firmly in the “driving seat.” Having been there for the whole standards process, I disagree with that assessment, but I’d at least expect academic work like that to be acknowledged.</p>\n\n<h2 id=\"is-ai-useful-for-assessing-open-standards\">Is AI Useful for Assessing Open Standards?</h2>\n\n<p>I can’t count the number of times that I’ve seen policymakers, journalists, and community members refer to the Privacy Sandbox as “at the W3C” or “being standardised at the W3C.” Given that extremely low bar, ChatGPT’s summary is an improvement. Likewise, I largely agree with its assessment of QUIC, at a high level.</p>\n\n<p>What’s lacking here, however, is any kind of nuance. I can’t escape the feeling that it latches onto a few narratives that appear in source materials and augments them into well-worn clichés, like we see for QUIC. 
The IETF has a great reputation in many sources, so that gets amplified, but there’s a lack of any critical thought.</p>\n\n<p>That’s not surprising: AI can’t think. If it could, it might wonder about the criteria we’re using for “open standards” here – are those WTO/TBT ideals still relevant, and are they adequately described? Are the processes actually used in working groups lining up with the rhetoric of openness – and how would you find out if they didn’t? And, how much should all of that count if the result isn’t <a href=\"https://www.mnot.net/blog/2024/03/13/voluntary\">proven by market adoption</a>?</p>\n\n<p>In a nutshell: if you must use AI to assess the openness of a standard, only use it for the first pass, check all of the references, and then roll up your sleeves and start talking to people to get the real story.</p>",
"image": null,
"media": [],
"authors": [
{
"name": "Mark Nottingham",
"email": null,
"url": "https://www.mnot.net/personal/"
}
],
"categories": [
{
"label": "Standards",
"term": "Standards",
"url": null
},
{
"label": "Web and Internet",
"term": "Web and Internet",
"url": null
}
]
},
{
"id": "https://www.mnot.net/blog/2025/02/09/decentralize-icloud",
"title": "Apple’s Best Option: Decentralize iCloud",
"description": "What can Apple do in the face of a UK order to weaken encryption worldwide? Decentralize iCloud, to start.",
"url": "https://www.mnot.net/blog/2025/02/09/decentralize-icloud",
"published": null,
"updated": "2025-02-09T00:00:00.000Z",
"content": "<p class=\"intro\">As has been <a href=\"https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/\">widely reported</a>, the government of the United Kingdom has secretly ordered Apple to build a back door into iCloud to allow ‘blanket capability to view fully encrypted material.’</p>\n\n<p>Assuming the UK doesn’t back down, what are Apple’s options? This is my personal take: if I’ve missed something, I’d love to hear about it.</p>\n\n<h3 id=\"option-1-comply\">Option 1: Comply</h3>\n\n<p>Most companies would just comply with the order, but Apple is not most companies.</p>\n\n<p>That’s not just because they have <a href=\"https://www.apple.com/privacy/\">marketed themselves as privacy and security conscious</a>, although that presumably factors into their decision. From what I’ve seen from interacting with their engineers and observing how they behave (both in technical standards bodies and in their products), this is a commitment that goes much deeper than just marketing.</p>\n\n<p>More significantly, Apple will be considering the secondary and tertiary consequences of compliance. So far, every democratic country around the world has refrained from making such an order; for example, Australia’s <a href=\"https://www.mnot.net/blog/2018/11/15/trust_australia\">widely debated</a> legislation that mirrors the UK “Snooper’s Charter” has an explicit provision to disallow “systemic weakening” of encryption like we see here.</p>\n\n<p>If the UK successfully forces Apple’s hand, every other government in the world is likely to take notice and consider making similar (or even more extreme) demands. 
<a href=\"https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/\">CSAM scanning</a> will just be the start: once access to that much data is available, it’s open season for everything from <a href=\"https://en.wikipedia.org/wiki/Lèse-majesté_in_Thailand\">Lèse-majesté</a> to punishing activists and protesters to policing sexual orientation, abortion, and other socially motivated laws. Even if a particular country doesn’t make the same demand of Apple, arrangements like Five Eyes will allow one agency to peer over another’s shoulders.</p>\n\n<p>As I’ve written before, <a href=\"https://www.mnot.net/blog/2024/04/29/power\">no one should have that much power</a>.</p>\n\n<p>In the tinderbox that politics has become in many parts of the world, this is gasoline. I’d pay good money to be a fly on the wall in the meetings taking place with the <a href=\"https://www.gov.uk/government/organisations/foreign-commonwealth-development-office\">Foreign Service</a>, because they of all people should understand the potential global impact of a move like this. Of course, in a world where USAID is shut down by Elon Musk and some teenagers, nothing is off the table – and that’s why we should be so concerned about this outcome.</p>\n\n<h3 id=\"option-2-leave\">Option 2: Leave</h3>\n\n<p>Apple’s second option is to leave the UK. Full stop.</p>\n\n<p>Close the Apple stores, online and retail. Stop providing iCloud, stop selling iPhones and all the other various i-gear. Close the <a href=\"https://www.businessinsider.com/apple-uk-headquarters-14-billion-redevelopment-battersea-power-station-2016-10\">beautiful new UK HQ at Battersea</a>, and lay off (or transfer overseas) around 8,000 employees (reportedly).</p>\n\n<p>This is (obviously) the nuclear option. 
It puts Apple outside the jurisdiction of the UK,<sup id=\"fnref:1\"><a href=\"#fn:1\" class=\"footnote\" rel=\"footnote\" role=\"doc-noteref\">1</a></sup> and at the same time orphans every UK Apple user – their phones and computers don’t quite become bricks, but they will definitely have limited utility and lifetime.</p>\n\n<p>Given that along with Apple’s claim to <a href=\"https://www.standard.co.uk/business/apple-s-spectacular-offices-at-battersea-power-station-b1110130.html\">support 550,000 UK jobs</a>, it’s likely to be effective – these consequences would make the government extremely unpopular overnight.</p>\n\n<p>However, this option is also massively expensive: reportedly, total Apple revenue in the UK is <a href=\"https://www.retailgazette.co.uk/blog/2023/07/apple-uk-sales/\">something like £1.5bn</a>. Add on top the one-time shutting down costs, and even Apple’s balance sheet will notice.</p>\n\n<p>Perhaps more importantly, this is also a strategically worrisome direction to go in, because it plays into the narrative that Big Tech is more powerful than sovereign nations. Other countries will take notice, and may coordinate to overcome Apple’s reticence. Apple will now have to choose the markets that it operates in based on how it feels about those countries’ commitments to human rights on an ongoing basis – hardly a situation that any CEO wants to be in.</p>\n\n<p>Finally, this option simply won’t work if one of those countries is the United States, Apple’s home. I’ll leave it to you, dear reader, to decide how much you trust your predictions of its actions.</p>\n\n<h3 id=\"option-3-open-up\">Option 3: Open Up</h3>\n\n<p>Apple’s third option is to remove itself as a target in a more subtle way than option two.</p>\n\n<p>The UK is presumably interested in Apple providing this functionality because iCloud’s design makes a massive amount of data convenient to access in one location: Apple’s servers. 
If that data is instead spread across servers operated by many different parties, it becomes less available.</p>\n\n<p>In effect, this is the <strong>decentralize iCloud</strong> option. Apple would open up its implementation of iCloud so that third-party and self-hosted providers could be used for the same functions. They would need to create interfaces to allow switching, publish some specifications and maybe some test suites, and make sure that there weren’t any intellectual property impediments to implementation.</p>\n\n<p>There could be some impact on Apple revenue here, but I suspect it’s not huge; many people would continue to buy iCloud for convenience, and for non-storage features that Apple bundles in <a href=\"https://www.apple.com/icloud/\">iCloud+</a>.</p>\n\n<p>Think of it this way: Apple provides e-mail service with iCloud, but doesn’t require you to use it: you can use your own or a third party provider without any drama, because they use common protocols and formats. Why should file sync be any different? Why can’t Apple make using a third-party service as seamless and functional as iCloud?</p>\n\n<p>This isn’t a perfect option. Orders could still force weakened encryption, but now they’d have to target many different parties (depending on the details of implementation and deployment), and they’d have to get access to the stored data. If you choose a provider in another jurisdiction, that makes doing so more difficult, depending on what legal arrangements are in place between those jurisdictions; if you self-host, they’ll need to get physical access to your disks.</p>\n\n<h3 id=\"what-will-and-should-apple-do\">What Will (and Should) Apple Do?</h3>\n\n<p>Computer operating systems are fundamental to security: once we lose trust in them, it’s pretty much game over. The UK has chosen a risky and brash path forward, and Apple will need to think carefully about how to navigate it.</p>\n\n<p>It should be no surprise that I favour option three. 
While Apple is notoriously a closed company, it’s not completely averse to collaborating and working in the open when doing so is in its interests – and, given its other options, that’s arguably the case here.</p>\n\n<p>Conceivably, Apple might even be forced into taking the “decentralize iCloud” option if regulators like those implementing the Digital Markets Act in the EU decide that doing so is necessary for competition. Apple has been <a href=\"https://ec.europa.eu/competition/digital_markets_act/cases/202344/DMA_100025_228.pdf\">designated as a gatekeeper</a> for the ‘core platform service’ provided by iOS, and while that designation currently doesn’t include file synchronisation services, that might change.</p>\n\n<p>Of course, the UK government may back down. However, the barrier to some other government taking similar steps is now smaller, and Apple would do well to consider its longer term options even if action turns out to be unnecessary right now.</p>\n\n<p><em>Thanks to <a href=\"https://eupolicy.social/@1br0wn\">Ian Brown</a> for his input to this article.</em></p>\n\n<div class=\"footnotes\" role=\"doc-endnotes\">\n <ol>\n <li id=\"fn:1\">\n <p>Presumably. Both inter-jurisdictional coordination and extraterritorial application of the law may complicate that. IANAL. <a href=\"#fnref:1\" class=\"reversefootnote\" role=\"doc-backlink\">↩</a></p>\n </li>\n </ol>\n</div>",
"image": null,
"media": [],
"authors": [
{
"name": "Mark Nottingham",
"email": null,
"url": "https://www.mnot.net/personal/"
}
],
"categories": [
{
"label": "Tech Regulation",
"term": "Tech Regulation",
"url": null
},
{
"label": "Web and Internet",
"term": "Web and Internet",
"url": null
}
]
}
]
}