The Cost of Monoculture
I traveled to South Korea last fall to learn more about the South Korean Internet market and came away disappointed and frankly stunned.
I met with leading businesses in the search market, the music download market and the games market, and all reported the same situation: a monoculture of users using MS Windows. The S. Korean market is in a unique situation where decisions made long ago have created a consumer monoculture which is having unintended repercussions that are affecting anyone with a computer in South Korea. It is a fascinating story because it is true.
The history goes back to 1998, when the 128 bit SSL protocol was still not finalized (it was finalized by the IETF as RFC 2246 in Jan. ’99). South Korean legislation did not allow 40 bit encryption for online transactions (and Bill Clinton did not allow for the export of 128 bit encryption until December 1999) and the demand for 128 bit encryption was so great that the South Korean government funded (via the Korean Information Security Agency) a block cipher called SEED. SEED is, of course, used nowhere else except South Korea, because every other nation waited for the 128 bit SSL protocol to be finalized (and exported from the US) and has standardized on that.
In the early years of SEED, users downloaded the SEED plugin to their IE or Netscape browsers, either an ActiveX control or an NSplugin, which was then tied to a certificate issued by a Korean government certificate authority. (Can you see where this is going?) When Netscape lost the browser war, the NSplugin fell out of use and for years, S. Korean users have only had an ActiveX control with the SEED cipher to do their online banking or commerce or government.
So we end up in 2007, 9 years after SEED was created for Korean users, and one legacy of the fall of Netscape is that Korean computer/Internet users only have an ActiveX control to do any encrypted communication online. So in late 2006, a group of Korean computer/Internet users, Citizens Action Network at Open Web Korea, having documented the problem with accessibility of sites via anything other than Microsoft IE, decided to sue the Korean government.
It gets worse.
Remember how ActiveX controls were and continue to be a significant vector of viruses and malware because Microsoft originally architected ActiveX to run by default instead of with a user action? Maliciously programmed websites would be able to automatically install software on users’ computers just by visiting a web page in IE 6. In IE 7 and in Vista, Microsoft has re-architected ActiveX controls in such a way as to make them “more safe” by requiring a user action for the control to run. This is obviously impacting every web site and company that uses ActiveX controls on their websites, which include just about every website in Korea that handles any kind of secure transaction. Every online bank, every governmental agency, every ecommerce site. Without enough time to re-architect Korean websites, 3 S. Korean governmental ministries, the Ministry of Information and Communication, the Ministry of Government Administration and Home Affairs, and the Financial Supervisory Service, warned S. Korean users that upgrading to Vista would prevent the user from making any secure transaction online. Can you imagine spending thousands of dollars on a new machine (because the requirements of Vista generally require new hardware) and a new OS from Redmond only to be locked out of any secure transaction online? It’s Kafkaesque.
To add insult to injury, the monopolist who absolutely controls the Korean market for computers won’t delay the launch of Vista to allow for Korean websites to re-code their sites. “We’ve been testing Vista with banks and other service providers since September, but we encountered more delays than we expected. We plan to release the product as scheduled.”
A related problem is that KISA and Microsoft announce “plans to work together to improve computer security awareness” or “mark anniversary of cooperation with renewed pledge” when in fact the situation in 2007 is no better than it was in 2003 when KISA decided to “work with Microsoft.” I can’t tell who is the fox and which is the hen house, but either way, the two should not be near each other.
Another part of the Korea story that I cannot comprehend is the articles about Linux in Korea. The Korean Army considering Linux. Kwangju City as “Linux City.” If the Korean Army or Kwangju city cannot do any encrypted communications because their operating system of choice does not work with ActiveX controls, I’m not sure if this is hype or confusion.
To get the most depth and perspective on this topic, from the people in Korea who are suing the government, it’s best to read the documents at Open Web Korea.
This issue with the launch of Vista and IE 7 and the work of thousands and thousands of web programmers in Korea who are feverishly working to reprogram their sites to work with Microsoft’s new standards – do they realize that their efforts only bring them back to square 0 – there’s no more heterogeneity in the Korean Internet market post-Vista than pre. The problem for Korean websites wasn’t competition from MSN Korea, it was their sole dependence on infrastructure from Microsoft.
Korea will only get beyond this problem by 1) applying Korean laws on open standards to the certificate authorities, 2) reassigning new certificates which work with open web standards to all Koreans, and 3) reprogramming all Korean websites to support 128 bit SSL, which will allow for a heterogeneous marketplace of operating systems and web browsers. This is a herculean task and thus Korea stays hostage to Redmond.