Apps? No root? Your device serves others: Berners-Lee

Summary: Sir Tim Berners-Lee has warned that if you don't have administrator access on your device and it's full of proprietary apps, it really serves masters other than you.

TOPICS: Mobility, Privacy

"The right to have root on your machine," that is, full administrator access to your computing devices including smartphones, is a "key issue," Sir Tim Berners-Lee told a geek-heavy audience at the 2013 conference in Canberra this morning.

"The right to have root on your machine is the right to store things which operate on your behalf," he said.

Berners-Lee recognised that when ordinary users have administrator rights on their devices, it introduces a security risk: The applications they install might inherit those rights and use them to perform malicious actions.

"In the situation that we have apps working on someone else's behalf, then we need to work on the security models. The JavaScript security models, the containment of cross-site access, are the best we can do at the moment ... If you've got ideas about how we can make it more manageable and more powerful ... I'd like to hear."

Berners-Lee also spoke out against the trend of writing a native application for every platform — that is, an iPhone and iPad app for Apple's iOS devices, another for Android, and so on. It's a duplication of effort, and it's "boring for developers" to write and test similar code for each device, he said.

More importantly, each app becomes an isolated island of information, rather than being connected to the living web. "There's no URL in the top bar, so I can't bookmark it. I can't tweet it. I can't like it. I can't dislike it. It's not part of the discourse," Berners-Lee said.

Businesses should instead use open standards such as HTML5.

While the HTML5 specification is now an "embarrassingly large" document, the web's markup language now includes tags that allow video and other motion graphics to be embedded. Once JavaScript and all of its application programming interfaces (APIs) are added, HTML5 can do pretty much anything that Adobe's Flash or other proprietary web front ends can do.

Berners-Lee pointed to the Financial Times' award-winning mobile site at as an example of what can be achieved. "Once you load the page, it pulls in all the pages of today's paper and sticks them on your device ... just as though you're running an app," he said.

"Use the fact that, more and more, you can do [in HTML5] the things that a native app can do."

One of the key challenges, though, is building adaptable sites and the associated authentication systems that can allow a transaction begun "on my wristwatch" to be continued seamlessly on a wall-sized device with vastly more pixels.


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

  • Simple Solution and a Silly Spammer

    I think mobile devices are getting to the point where they will be able to handle a sandboxed environment for new app installs. When the app has proved itself then it can come and live on the bare metal. Ha ha, spammer, you couldn't have chosen a less likely site for your malware-infested rubbish.
    roger andre
  • Bzzzt... chuck, CHUCK

    Welcome, my friend, to the machine. Where have you been? ... Microsoft Singularity and its continual research has been contemplating this for years. App contracts, app-specific minimized driver models, and user mode to kernel mode tiers are nothing new in the lab space. Device root is no advancement; it is an inherent security vulnerability. One quick example: place a user-rooted device within the grasp of any savvy user. Leaving devices in debut mode is like begging for negative attention. Yet many do it to their devices daily, by simply not following up on the instructions or an instructional website to accomplish root. Most never continue on to actually lock their device back down, leaving their device with open doors and windows.
    • Couldn't agree more...

      I couldn't agree more, with both points: the point of the speaker in this article, and your point, FBS. Folks just need to face it: if you want root, use Android. If you want security, peace of mind, a better experience, and higher ease of use, stick to iOS or WP8. Easy enough.
    • Rooted Android Has Protection

      Anyone researching rooting Android systems knows that the SuperUser app is axiomatically fundamental to the process, in all the literature available.
      Anything seeking root access has to request my permission, as a major function of SuperUser installed. That's a first line of defense, mandatory on all rooted Android systems. After that, one applies the normal layers of defense available.
  • Need an edit...

    *debut = debug
  • Sounds like a rather self-contradictory guy

    So first he points out that if you don't have root access to a device, the device serves others.

    Then he goes on to support the web, which is 100% your device serving others.

    Sounds like a rather self-contradictory guy.
    • Re: Then he goes on to support the web, which is 100% your device serving o

      No, it isn't. I am the one who has complete control over my web browser; it is the entire rest of the web that is confined in my sandbox.
  • Trust will disrupt Openness

    There are a couple of factors that will disrupt the Web architecture.

    The Web has trained us to build dumb clients and centralize anything of value on the server, at a huge cost and never with enough trust. We can safely predict today that lightweight protocols, mediated by the mobile OS (and its Platform), will directly challenge the Web architecture, precisely because we can leverage the platform trust model. That evolution is extremely profound.

    For instance, apps running on your device can securely and privately share information without requiring a complex temporal integration involving a 3rd party service (such as Google AdSense). The information is produced and consumed on the device or the device of a related end-user. What happens on your device can now stay on your device.

    Just to be clear, and to show how disruptive that architecture is, the primary key of your private data becomes your phone, not your identity. Merchants no longer need to identify you. They couldn't care less about YOU; they just care to know some information about you. The problem with the Web architecture was that the only way to do that was to associate PII with a primary key on a server, and hence merchants needed to identify you to track your every move (and they shamelessly did).

    The second factor is just as profound: the very open nature of the Web is driving scale over scope. The Web has successfully nurtured the largest Catalog, the largest Search engine, the largest Auction site, the largest Social Network, but I see this as a negative side effect of the Web architecture because it limits the scope of what people can do. In other words, the scope of what Amazon, Google or Facebook offer is limited by the scale (and hence the revenue) they can achieve.

    I actually argue that a trust-based neutral Platform will support a more vibrant and diverse ecosystem than a truly open model, because in essence a Web business couples the level of trust it can achieve with the functionality it can deliver. The Platform decouples the trust from the functionality, and it enables much smaller actors to deliver a lot more scenarios while relying on the trust established by the Platform.

    I would be surprised if the Web can resist being disrupted by the Platform. Actually, I think it already is.
    • Like sheriffs and judges

      Is that sort of like, in the wild west frontier, when professional gunslinging criminals started showing up in serious numbers and the average citizens with their amateur gun skills decided it would be prudent to go with a formal legal platform, like sheriffs and judges, despite the platform's costs and other trade-offs?

      Maybe those frontier citizens should have spent more time perfecting their gunslinging skills in order to protect themselves. On the other hand, most of those average citizens had other affairs and skills to focus on?
    • What difference ?

      If you really think there is a large difference between what apps built with web technologies can do and what apps built natively can do, then you are mistaken. Most of the apps you install on your smartphone or tablet are already built with web technologies. Also, a large number of apps you install already send information to a server somewhere. Apps built with web technologies can exchange information between them without involving a server just fine.

      Really, have a good look at the details and you'll see there isn't a difference.
  • The web is islands of information already.

    He comments on the problem of not being able to root your device, which really doesn't concern most users, and the problem of apps becoming islands of information, something that he says would be improved by using HTML5. But that's just packaging and delivery of information; native or web-based really doesn't matter.

    The fact is that the web has already become islands of information long before it ever gets to a mobile device. Every service we use, be it Google, Facebook, Twitter, Instagram, Dropbox, or whatever else is already an island of information. This information is controlled by these companies, used for their purposes, and shared only when it benefits them. It is no longer part of the "open web" - witness the latest kerfuffle between Twitter and Instagram.

    Will Mr. Berners-Lee be demanding full root administrator access to Facebook? How far does he think he would get? And if not, why the double standard? If I rooted my phone and ran the Facebook HTML5 app, I would have the exact same access to my data as if I was on the web. And it sure wouldn't be root access.
    • How about Big-Data-Silos with open API standards funded as public utilities

      and data access controlled by end users and/or their professional/algorithmic agents, with end users able to establish unique identities either public or anonymous for different purposes.
  • Mandatory Access Control (MAC) - remember?

    Somehow the ICT industry has total amnesia every 20 years!

    We knew by 1983 that the old "discretionary access control (DAC)" framework of the mainframe days could not be sufficient for the new commodity hardware and software world - as per Sir Tim's WWW. The philosophy behind the USA's Orange Book (TCSEC) "B" level structure is as relevant today as ever - OK, the details need to be updated, but the underlying thinking is there and still appropriate. BUT - outside SELinux and its equivalents (that really only a very few use) - the solution is there. The idea that a program from the WWW "inherits" all your permissions is ridiculous, BUT it is reality today because manufacturers have not been compelled to do any better by users - keep it cheap - or by government - by legislation.

    The bit about incompatibilities, as reported, is also intriguing! Remember OSI - Open Systems Interconnection with POSIX and attempts to standardise those parameters for exactly the reasons Sir Tim outlines ... what happened? NOTHING - even though, for example, the Australian Federal Government, as was done overseas, issued a "Government OSI Profile (GOSIP)" that clearly required such compatibilities and interoperabilities.

    BUT what happened? Governments just took the easy way out and gave up on enforcing that compatibility requirement, and the rest - as they say - is history! (Remember that Microsoft's Windows NT first came out with a POSIX shell for compatibility in software development - not just the OS/2 "Presentation Manager" API and the Win32 API.)