Perspectives on Global Information Ethics

You have free access to this content

The principle of distribution

  1. G.M. Reed,
  2. J.W. Sanders

Article first published online: 15 APR 2008

DOI: 10.1002/asi.20854

Issue

Journal of the American Society for Information Science and Technology

Journal of the American Society for Information Science and Technology

Volume 59, Issue 7, pages 1134–1142, May 2008

Additional Information

How to Cite

Reed, G.M. and Sanders, J.W. (2008), The principle of distribution. J. Am. Soc. Inf. Sci., 59: 1134–1142. doi: 10.1002/asi.20854

Author Information

  1. International Institute for Software Technology, United Nations University, P.O. Box 3058, Macao, SAR China

Publication History

  1. Issue published online: 18 APR 2008
  2. Article first published online: 15 APR 2008

SEARCH

SEARCH BY CITATION

ARTICLE TOOLS

Get PDF (247K)

Abstract

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

This article introduces a normative principle for the behavior of contemporary computing and communication systems and considers some of its consequences. The principle, named the principle of distribution, says that in a distributed multi-agent system, control resides as much as possible with the individuals constituting the system rather than in centralized agents; and when that is unfeasible or becomes inappropriate due to environmental changes, control evolves upwards from the individuals to an appropriate intermediate level rather than being imposed from above. The setting for the work is the dynamically changing global space resulting from ubiquitous communication. Accordingly, the article begins by determining the characteristics of the distributed multi-agent space it spans. It then fleshes out the principle of distribution, with examples from daily life as well as from Computer Science. The case is made for the principle of distribution to work at various levels of abstraction of system behavior: to inform the high-level discussion that ought to precede the more low-level concerns of technology, protocols, and standardization, but also to facilitate those lower levels. Of the more substantial applications given here of the principle of distribution, a technical example concerns the design of secure ad hoc networks of mobile devices, achievable without any form of centralized authentication or identification but in a solely distributed manner. Here, the context is how the principle can be used to provide new and provably secure protocols for genuinely ubiquitous communication. A second, more managerial example concerns the distributed production and management of open-source software, and a third investigates some pertinent questions involving the dynamic restructuring of control in distributed systems, important in times of disaster or malevolence.

Introduction

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

We live in an age in which information and communications technologies span the globe, providing users with mobile and real-time access to information, services, and each other. Increasingly, the services offered are becoming not mere luxury but an established part of our everyday lives; a typical example is provided by the growing importance of e-services such as e-government.11 The resulting structure goes under a multitude of names;22 here, we refer to ubiquitous communication in the comsphere. By using “ubiquitous communication,” we mean to emphasize the importance of both synchronous and asynchronous communications and the growing mobility of the devices; and by using “comsphere” (rather than the more accepted “cyberspace”), we mean to emphasize the difference that ubiquitous communication brings to the Internet: the dynamic reconfigurability not only of communications but also of actions.

The twin features of globality33 and mobility provide distinct opportunities, but also reveal distinct difficulties. The former enables a global distribution of resources, but regardless of boundaries and perhaps therefore of propriety; the latter empowers users in remote or transient locations, but with an increased risk of insecurity. As has been stressed by the International Telecommunication Union at its World Summit on the Information Society (ITU, WSIS Declaration of Principles, 2003; ITU, WSIS Plan of Action, 2003; ITU, WSIS Thematic Meeting on Cybersecurity, 2005), means are needed to increase globality by increasing the penetration of ubiquitous communication in developing nations while making the comsphere more secure. To address those specific points, we introduce a normative, or ethical, principle that extends to the comsphere the style of reasoning by now established in the various fields of applied ethics. But since the principle has application far beyond those specific topics, and for that matter far outside Computer Science, it is introduced from first principles in a general setting.

Important features of any principle like that introduced here are its consistency with the standard normative principles of ethics and the breadth and depth of its applicability. We take care to address both points.

In the next section, we summarize the kind of system that abstracts the important features of the comsphere: a distributed multi-agent system able dynamically to reconfigure its actions in response to external change. Then we introduce the general, but novel, ethical principle—the principle of distribution—in the context of the principles of “standard” ethics and of applied ethics; discussion of the principle is enhanced by examples from everyday life. Finally, we provide a discussion of the principle applied to more dynamic systems and to the two major examples mentioned in the previous paragraph—security in the comsphere and making software more openly available—despite their apparent incompatibility.

Distributed Multi-agent Systems

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

The kind of system facilitated by ubiquitous communication in particular, and by contemporary Information and Communication Technology in general, is composed of (typically many) spatially distributed agents able dynamically to configure their communications and the way actions are performed. Distributed multi-agent systems, and the notions on which they are based, have been studied in some depth in Computer Science44 , although with more emphasis to date on systems whose design (in particular, the way in which actions are executed) remains static. For the purposes of the present article, it suffices to settle on a system composed of agents that interact with each other dynamically, either pairwise or in larger groups. If a system action is performed autonomously by the agents, then it is said to be “fully” distributed; if it requires coordination through one particular agent, then it is said to be “fully” centralized. Evidently, those are extremes in a spectrum of possibilities. If a system supports one primary action (with others being components in its execution), as is the case for the applications in this article, then we say that the system is distributed or centralized according to whether that primary action is.

Such a system is normally subject to environmental (or external) influences, which we model as the setting of system parameters whose values lie, although within determined limits, beyond the influence of the system itself. It is in response to such influences that the system configures itself dynamically. How it does so is not our concern here; we may think of the agents, individually and in groups, as having strategies that enable them to optimize their own private concerns in the face of external adversity and competition from other agents. Instead, we are concerned with the system-wide principles behind such strategies, and in the next section. introduce a normative principle for them. While each agent might be thought of as being guided by the normative principles of “standard” ethics, the new principle acts at the system level, offering a range of behaviors and analyses that would not be possible were the system to be modeled as an individual agent guided by “standard” ethics.

To appreciate the difference between distribution and centralization—the extremes of control in a distributed multi-agent system—consider the games of soccer and baseball. In each case, the system under consideration consists of a side whose players constitute agents. The opponent side forms part of its environment, as do weather and other conditions. In each case, the primary system action is to score, something that is achieved by the agents performing component actions (e.g., delivering the ball—whether by kicking, pitching, or batting, as appropriate—to a certain position on the field with a certain trajectory and speed). Soccer might be said to be more distributed because no central agent is responsible for a team's play from moment to moment: The ball is passed between the distributed players following no centralized “algorithm” but according to decisions made “locally” by individual players despite the “global” aim of scoring goals. Indeed, therein lies much of the interest of the game: How can such local decisions reach a globally desirable event? (Observe that the use of plays-in-a-down in American football imposes partial centralization on such distribution.) By comparison, in baseball there is far less scope for distributed decision making: The game evolves on the basis of centralized decisions (except for double plays, and the routine decision by a fielder where to return the ball, and by a runner on base whether to run for the next base, and if so, how to do so).

Note the effect a malicious team member would have in each style of game. In the centralized game of baseball, were the pitcher or catcher in collusion with the opposition, the result would be disastrous. However in the distributed game of soccer, a malevolent team member would be gradually marginalized (the most difficult case being the goalkeeper, although defenders could to some extent compensate).

We thus see that a major concern with centralized control is its fragility: If a central agent becomes corrupted or fails, then recovery of the entire system may be extremely difficult or even impossible. The inefficiency of centralized systems also is a concern: If each individual in the system has to coordinate his or her activities with the central agent (as is typically the case), then many communications may be required and bottlenecks may cripple the system. Despite those disadvantages, an advantage of centralized systems is that they are often conceptually simpler to design and maintain. Recent examples in which distributed control has played an essential role are (a) from the East: the use of cell phones in responding to the Tsunami disaster and in organizing demonstrations in the face of centralized resistance (Sang-Hun, 2005; Yardley, 2005) and (b) from the West: in Pentagon defense55 (Needleman, 2005).

As seen from the sport example, the centralized—distributed spectrum is important for qualifying forms of control in a multi-agent system. Its use was begun by Wiener (1948) for “control systems” with only a single agent, but it is in the distributed algorithms of Computer Science that it finds its richest expression to date (Attiya & Welch, 1998; Coulouris et al., 2001). We highlight the need for further research into systems able dynamically to reconfigure themselves, a possibility now offered by the comsphere and required of any system that is expected to respond to environmental changes, whether routinely or in adversity. This is the setting in which we present the principle of distribution.

Principle of Distribution

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

We subscribe to the view, promoted by Moor (1985) over 2 decades ago, that problems in Computer Ethics arise from a policy vacuum concerning the use of new technology and, moreover, that the standard normative ethical principles are incomplete for reasoning about such problems. Moor expressed that latter point simply, although without justification (loc. cit.): “Applied ethics is not simply ethics applied” (p. 271).

Although that incompleteness has been affirmed by several authors in the intervening 2 decades and was a decade ago named (slightly “uniquely”) the uniqueness problem by Maner (1996), there remains continued opposition to it, notably by Johnson (1994), and no convincing arguments or accepted examples to substantiate it have been proposed.

In this section, we propose a novel normative principle of applied ethics, here interpreted in the realm of Information Ethics, and argue that since it does not follow from any of the principles of “standard” ethics, it establishes incompleteness. We take the view that the normative principles of “standard” ethics have been proposed and developed with the aim of enlightening the individual in analyzing his or her role in an individual-centered, ethically loaded situation. It is therefore scarcely surprising that for systems in which an individual is merely one of many components bearing ethical responsibility, as in multi-agent systems, such ethical principles are by themselves insufficient. In a “fully” centralized system, the central agent is sometimes able to play the part of the individual and so provide a vehicle for the application of standard ethics. But otherwise, something more than uni-agent ethics is to be expected in expressing classes (or properties) of agent-based strategies that achieve the dynamic execution of the system action. The standard view corresponds to normative behavior of each agent in isolation; the view proposed here is that more coordinated, system-wide views are required.

The ethical principle of distributed multi-agent systems is not a consequence of the normative principles of “standard” ethics for precisely that reason: It is not individual-centered. It is, consequently, more involved than the standard principles. That seems to reflect the fact that distributed systems are comprehensively more complex than are centralized systems, in exactly the same way that societies are comprehensively more complex than are individuals.

Principle of distribution: A multi-agent (distributed) system satisfies the principle of distribution if control for its primary action resides, as much as feasible, with the individual agents constituting the system; and if, in dynamically reconfiguring execution of that action in response to environmental factors, control arises from its individual agents (rather than being imposed centrally). Note that the principle involves two conditions: The first is “static,” pertaining to the system in its steady state and the second is “dynamic,” pertaining to the system as it responds to external influence.

The usual normative principles from Ethics, which until now have been the only tools available for use in Information Ethics, include consequentialism (teleologism); utilitarianism (greatest good; Bentham & Mill); deontologism (duty); virtue ethics (Aristotle); universal law (Kant); contractualism (Plato, Hobbes, Rousseau, Rawls, game theory); and particularism (Crisp, Dancey). The principle of distribution relates most closely to utilitarianism and contractualism; the former insofar as it might be used to support the Marxist–Leninist distribution of wealth and control across the population at large instead of investing it in a minority; the latter because of the dynamic nature of the evolution of control arising—in real time and from the bottom up—as in game theory with each node performing its local strategy and the system as a whole evolving as a result.

It is important to observe that the principle of distribution is entirely free of anthropomorphic association. While the standard normative principles of ethics depend upon the responsible agent having free will, and hence being restricted essentially to humans (in fact, to adults of sound mind), the principle of distribution makes no such assumption. It can thus be applied to systems composed of artificial agents (Floridi & Sanders, 2004b) or of any combination of artificial and sentient agents.

Of course, like any normative principle, the principle of distribution seldom holds unequivocally, and when it does hold, that fact seldom provides the whole answer to the matter under analysis. It is an ideal situation—a guiding principle—to be used in conjunction with others in resolving complex issues. It has, as might be expected and as will be substantiated later in the article, implications for the design of protocols, the management of software development, education, and policy. Let us continue discussion of the principle with the consideration of two brief, but typical, examples.

Discussion and Brief Examples

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

Many families find themselves confronted with the problem of what access to the Web66 to allow their children. A centralized or “top-down” solution would involve system-based control (perhaps at the national level) of undesirable sites (Here, we identify the agents with individual users of the Web, grouped by computers which they use, and we identify the system action as that of accessing the Web.) But one difficulty with that centralized policy is: Who has the right to make a choice for all, particularly in the context of the Web (whose design supports democratic access)? By comparison, the principle of distribution leads us to consider “bottom-up” solutions, empowering individual homes or communities. For instance, each household could filter access to the Web using software chosen and configured by the guardians of the household77 (Ideally, free open-source software would be available online.)

The direct empowerment of each user is not feasible in this case since that would be to ignore the problem. The choice of the family or community as a small group of agents upon which to impose control reflects the natural structure of the system.

It is interesting to compare this example with that of spam. A fully distributed solution results in a system in which each user decides individually what he or she regards as spam by configuring a filter program (typically composed of “black” and “white” lists of sending addresses). A centralized solution results in a system in which e-mail from certain addresses is simply deleted from the system. The former solution now turns out to be naïve (ITU, WSIS Thematic Meeting on Cybersecurity, 2005) as it is in practice not strong enough to deal with the massive quantities of spam while the latter solution suffers the same flaw as that of centralized screening of Web sites. So in practice, an intermediate “bipartite” design is currently adopted: In addition to each user maintaining a filter, certain key servers suppress e-mail from particular addresses.

This example demonstrates how in response to an increase in spam the fully distributed, individual-based design is refined to one that also incorporates partially centralized control. Both the static and the dynamic conditions of the principle are needed.

The dynamic bottom-up imposition of control takes time and is not appropriate in every situation. Indeed, there are some situations in which a distributed solution does not exist. For example, if each agent behaves deterministically and identically and all agents start in the same state, then no matter what communications they exchange and what internal decisions they reach, they will be unable to reach a state in which one of them differs from the others. So, if the primary system action affects such a difference, it is unachievable in a fully distributed manner. This demonstrates the need for the qualification “feasible” in the statement of the principle. As a practical example, it is far from clear what level of control is needed to control malicious minority groups; the obvious solution is highly centralized, but that exhibits the usual problems involving misuse. It may well be that a hybrid design proves most acceptable. It is interesting to compare with current practice for neighborhood security in some Western countries, which combines a centralized police force with partially centralized security services (for businesses) and a distributed neighborhood watch (for individual homes). For such difficult situations, the principle of distribution at least provides a framework and body of concepts to facilitate discussion.

In view of the aforementioned proof that fully distributed symmetrical deterministic systems do not exist, it is important as well as interesting to consider how close we can get to constructing such systems. By weakening the hypothesis “deterministic” in the situation in which an average-case bound on system efficiency is acceptable, it suffices to permit each agent the extra capability of coin tossing (or, equivalently, of random number generation). This is a technique which can be expected to find substantial use in the comsphere; it already is used in computation-intensive simulations. We illustrate with a remarkably successful distributed protocol from Computer Science: Rabin's (1982) distributed algorithm for coordinating choice between two alternatives which, without going into details of the protocol, can be appreciated in our terms like this.

A coach-load of tourists arrives in a new city and is to decide, by the end of the day, at which of two places to meet: inside a certain church or inside a certain hotel. The agents of our system thus consist of the tourists, and the system action consists of their gathering in a single location by the end of the day. There is no central agent (e.g., a tour guide), and so the tourists are unable to communicate “centrally” as a group: The tourists function as members of a “fully” distributed, multi-agent system. Rabin's (1982) algorithm shows that merely with a noticeboard at each location and a coin (to toss) for each tourist, by alternatively visiting each location and following a certain rule, the tourists all end up choosing the same location in, with high probability, a small number of visits. A centralized goal has been reached on the basis of distributed decisions. Thus, the principle of distribution supports the design of realistic, efficient, multi-agent protocols.

In part, the richness of the principle of distribution derives from the fact that it may be applied at many levels of abstraction: one for each level of abstraction at which the system under analysis is considered (Floridi & Sanders, 2004a). If matters of policy are being analyzed, a rarified level of abstraction will be chosen in which much of the system detail is abstracted. If matters of system design are under consideration, a much lower level of abstraction will be chosen, revealing relevant details of exactly how the system behaves. The level of abstraction at which the system is considered and at which the principle is applied are determined by the kind of analysis sought.

Application of the Principle

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

In this section, we return to the context of the Introduction to illustrate the principle of distribution with two more substantial examples followed by a third to emphasize the dynamic nature of the comsphere.

Human-Centric Computing and FORWARD

At present, the multifarious applications of ubiquitous communication remain largely untapped due partly to the increased opportunity that ubiquity in general and mobility in particular offer for malevolence. It appears vital that mobile users be able to spontaneously generate a secure network. So, for our first case study, we consider the important topic of security in the comsphere.

We begin by adapting Kizza's (1998) definition to incorporate Schneier's (2000) point that security is a dynamic process rather than a static product, and interpret security to consist of the process of maintaining:

  • confidentiality: Information is available only to those authorized to have it;

  • integrity: Data may be manipulated only by those authorized to do so;

  • availability: Information is accessible to all those authorized to access it.

The notion of authorized access underpins each requirement: Access is permitted only if authority has been validated. Thus, we concentrate on authorized access: The system under consideration comprises all users of the comsphere, determined in this case by attribute rather than by identity, and the system action consists of authorized access.

Traditionally, it has been identities (of either users or devices) that are authenticated. But in the context of the comsphere, it has been argued by Creese, Goldsmith, Roscoe, and Zakiuddin (2003b, 2004) that attributes, and not identities, must be authorized. Attributes include a device's location, name, manufacturer, internal state, service history, and so on. Attributes appropriate to a given situation must be authenticated and must be chosen to provide assurance not only about which devices are interacting but also about what they can do.

Centralized implementations ensuring authorized access (and hence also the requirements for security) are straightforward and rely on maintaining a central trusted list which is consulted to validate authentication. But in line with the principle of distribution, it is preferable to use instead distributed authorization (if feasible). This provokes the quest for new protocols; we report here the recent work of Creese et al., expressed in our context.

Imagine that a group, not necessarily previously known to each other, meets (perhaps it is parents' night at the local school) and wishes to form—spontaneously and in real time—a network with your wireless personal digital assistants and cell phones. You cannot assume that your devices have unique identifiers or that any such identifiers are known in advance; and, of course, you wish to ensure that the network is established in a distributed manner, that it contains only those devices you want it to contain (those present), and that messages sent within the group are secure to the network. You must assume, naturally, that no one in the group is malevolent. It is perhaps not obvious that those requirements can be met; but Creese et al. (2005; Creese et al., 2003a) provided and verified a protocol which meets them. Its verification is achieved by weakening the accepted (Dolev-Yao) model of security to take account of a second kind of channel. The normal insecure channel with high bandwidth over which it is desired to send data securely is augmented by a second, secure but low bandwidth, channel like that established by empirical engagement (e.g., permitted by physical proximity in the example of the group meeting). The protocol (for whose details, we refer to Creese et al. (2003a), and more recently, Roscoe (2005), for the extension showing that device identifiers are not required) uses the low-bandwidth channel to “bootstrap security” on the high-bandwidth channel. In the case of the group meeting, that would be achieved by comparing the postcommunication values displayed on each others' devices which in particular enables participants to compare the number of devices in communication with the number present in the group (an empirical engagement that is extremely secure) to ensure that only they are included in their network. The formalism used by Creese et al. for verification of the protocol is that of automated Communicating Sequential Processes (Ryan, Schneider, Goldsmith, Lowe, & Roscoe, 2001).

That work forms part of the FORWARD program (http://www.forward-project.org.uk), begun in January 2003 under the United Kingdom's Department of Trade and Industry's initiative into Next Wave Technologies. Part of the thrust of that program has been the use of ubiquitous communication and computation to support human-centric goals, such as providing information in a form and at a time that is appropriate to the human user and exploiting the human user's empirical senses to complement digital bandwidth. We mention this area (of Computer Science) as one in which further work is required.

Open Source

We turn to address the issue of making software available, open source, particularly to developing nations. The productivity and management processes appropriate to such novel modes of production yield unusual consequences for the assurance that open-source software meets its requirements: It appears to be very difficult to certify such software. We are thus left with a divide between (a) freely available, reconfigurable “open-source” software that is potentially of huge benefit in developing countries but for which authentication is difficult and (b) verified authenticated “closed-source” software that is necessary in a growing number of secure applications. Evidently, a balance between both types of software is required. Accordingly, in this section we view software itself in light of the principle of distribution.

Commercial “shrink-wrapped” software may be seen to be the result of a centralized process: The producer retains all rights and, while allowing the user to use the code, does not provide direct access to it. The user is thus completely at a loss to modify the code in any way. By comparison, open-source software may be seen as the result of a distributed process: It is typically available for free over the Web, and the user may take a copy to which he or she then has complete access. The differences between the two processes—the cathedral versus the bazaar—have been graphically documented [for a graphic exposition of the different business models appropriate to commercial software and open source, see Raymond, 2001; in particular, see the chapter after which the book is titled (pp. 19–63) and “The magic cauldron” (pp. 113–166)]. The resulting difference is important because having access to the source enables software to be adapted to its context, for example, so that an interface appears with locally appropriate features (at the very least, linguistic). It also promotes local software productivity and so, eventually, promotes commerce. Perhaps it will one day produce a Third World Bill Gates.

Also of interest to us here is the process underlying open source. In the standard model of software production, software is produced with some (varying, depending on use and style of software) degree of assurance that it meets its requirements. The extreme case is formally specified and verified code (e.g., the protocols reported in the previous section). But regarding open source, what guarantees are there that a module downloaded from the Web meets its requirements? And what protection is there against malevolent contributors to an open-source project? At stake here is the kind of management that is appropriate as open source moves into a more widely promoted forum. What are the appropriate partially centralized management structures?

Part of the resolution to those problems requires an appreciation that a different model of software conformity is involved. The production of open source, typical of an example of distributed control, is managed dynamically by feedback with some degree of conformance, but also with attrition. Important, kernel code is checked before release by one of a small number of agreed individuals. For less critical software, poor code suffers an ‘evolutionary disadvantage’ and is gradually superseded. This may seem strange from the traditional viewpoint based on the concern that even a single bug may lead to program malfunction. The conclusion, however, is simple. Open-source and fully authenticated code lie at opposite ends of a spectrum, the whole range of which has a place in the comsphere. Fly-by-wire software, for example, with a huge cost of error, would traditionally be produced by a more centralized process; uncritical applications software could be open source and thus produced by a more distributed process. There remains the difficult issue of how much trust to place in any copy of a piece of software, whether downloaded or on disk, regardless of the claims that are made of it; but that is a topic of current research. We highlight the case of open source, including its conformity and the management of its expansion, as being particularly important.

At the United Nations University's International Institute for Software Technology (UNU-IIST) in Macau, an Open Computing Initiative has recently been launched. The idea is to train representatives from Third World nations in the development of open source, thereby at once expanding the applications available in open source and empowering Third World programmers. Together with the fact that Negroponte88 is set to make a huge impact on the underdeveloped nations and will contain only open-source software, we can expect a swing in the accepted style of software, from almost entirely centralized, commercial software to a more balanced hybrid of the two styles.

But the principle of distribution may be used for a deeper analysis of what privacy measures the $100 laptop should exhibit. It is quite conceivable that with ill-chosen software allowing centralized control, the laptop could become a powerful weapon in the hands of an oppressive regime or militant splinter group. In line with the principle of distribution, one might reason that the laptop should have (ignoring economic feasibility) robust encryption built in, perhaps at the hardware level, to ensure secure communication and data storage. It otherwise would be difficult to avoid misuse and the usual resulting insecurities such as eavesdropping, intrusion, impersonation, and so on.

It is to be appreciated that many of the existing structures on which ubiquitous communication is based already are partially centralized. An extreme case is U.S. control of encryption,99 which is not easily reconciled with the principle of distribution. It has been argued by many that precisely that conflict is a flaw in U.S. policy. One response is that without national U.S. control, no realistic control is possible. Perhaps, guided by the principle of distribution, other alternatives can be considered in other countries because it does seem that misuse of the centralized platforms implementing ubiquitous communication can be even more iniquitous, in the presence of the novel functionality of ubiquitous communication, than the more “time-honored” misuse of centralized agencies.

Response to Adversity

Most examples considered so far function in their “steady state:” They continue to behave as they were originally conceived to do. But the principle of distribution provides important insight into systems that respond to duress by reconfiguring their “primary” system action. To return to less technical examples, we reconsider team sports—this time the Tour de France.

The agents are the cyclists and the action in which each agent repeatedly engages is that of cycling, with the aim of achieving the system action of a win (for the team, or individual, depending on the agent; thus while Lance Armstrong and a novice rider both perform the same actions, their strategies are vastly different).

Before a race begins, each agent performs an entirely autonomous warm-up action (ignoring warm-up by team). At this point, the system is behaving in a fully distributed manner, with almost no coordination between agents as they cycle to warm up for the event.

For the bulk of each daily race, the cyclists typically act in teams within the peloton. The mechanics of cycling are such that wind resistance (an external influence on the agents) is of paramount concern, with the result that riders help each other to overcome it. Thus, within a team, cyclists take turns to lead, dropping back to benefit from “slip streaming” after having expended energy in the lead. At this stage, much (but not all) of the control for an agent's cycling action resides with the team. It is complicated, in fact, by extra-team individual behavior and by the teams or individuals jockeying for position within the peloton or even beyond it. At this point, the system is behaving in a slightly more centralized manner.

The final interesting agent behavior concerns pursuit, when one or more agents leave the peloton to catch the leaders. At this point, the cyclist's action takes account of the state of the leaders and of his immediate neighbors in pursuit: The action returns to being less centralized, being controlled by fewer other agents.

Thus, the different phases in the Tour de France are helpfully expressed in terms of the degree of distribution of control with which each agent performs its action. The principle of distribution expresses the autonomy of each cyclist while recognizing the unfeasibility of each continuing to remain autonomous in the face of external conditions. Consistent with it is the practice of team behavior, which provides an intermediate level of control to manage the inherent decentralization of the system.

More technical examples of systems that respond to duress, and to which the principle of distribution applies, come from Computer Science, Economics, Sociology, and Ecology. From the world around us, any community with ubiquitous communication has the capability to organize, in real time, events that would be impossible to organize without a form of centralized control (which may simply be impractical for geographic, economic, or political reasons). The design and study of systems that reconfigure themselves dynamically is of pressing current interest.

Conclusions and Future Research

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

The main purpose of this article has been to introduce the principle of distribution and indicate its use in the resolution of issues ranging from high-level matters of policy, through standards down to implementation concerns of protocol design. It has been presented as a novel principle of IE (though its application is much broader) and the case made that it is not a consequence of standard ethics.

The major examples presented here indicate the principle's flexibility and promise. They have been motivated by the characteristics of ubiquitous communication, which we have emphasized by introducing the comsphere for the resulting space because the features of that space must be exploited if progress is to be made. The principle of distribution may be applied at any level of abstraction. In the protocol example, we have considered it at the level of system design. In the example of open source, we have considered it at the level of software management and production.

Of course, we have here merely scratched the surface; much work remains. The principle of distribution promises a great deal for the work of the Information Ethics Group (see http://web.comlab.ox.ac.uk/oucl/research/areas/ieg/), one of whose main interests lies in the investigation of the ethics of information and the extent to which it is dissociated from homocentric values, and hence applies to contemporary information systems.

Important technical work remains in designing security protocols that take into account the various characteristics of the comsphere; we have mentioned but one kind of example. It will be interesting to investigate the specification and implementation of “ethical protocols” that enable ethical priorities to be expressed and enforced (e.g., one may wish not to view certain kinds of Web sites but be content to be a member of a network that includes their access).

Overcoming the digital divide is of global importance. The promotion, particularly in developing countries, of software safeguarded against misuse by militant minorities is key. Here, the $100 laptop of Negroponte and its open-source code are expected to make a huge contribution. More generally, the promulgation of open source is important, including the management of its production, until now largely fully distributed (e.g., What are the appropriate partially centralized management structures?), and some measures and guarantees of its authenticity and conformity.

Perhaps the most exciting topic demanding further work concerns the concepts underpinning systems that reconfigure the way they execute actions in response to external influence. Such studies should include a rigorous development of the theory (Turilli, 2006) and discovery of appropriate algorithms.

It will be interesting to see the extent to which the principle of distribution will be useful in this work, ranging from the discussion of policy to specific matters of system design.

Acknowledgments

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References

The principle of distribution was introduced by the present authors as “the principle of distributed ethics” (Reed & Sanders, 2005), written in response to the proposal “Ethical strategies for human security,” by Elisabeth Porter (Research Director for INCORE, the Centre for International Conflict Resolution, a joint initiative between the United Nations University and the University of Ulster), circulated following CONDIR 29, April 4–5, 2005, Bonn, Germany. The authors are grateful to her for the chance to provide an early draft of their views.

We also thank colleagues Sadie Creese (Systems Assurance Group, QinetiQ, Malvern Technology Centre, United Kingdom) and Scott McNeil (UNU-IIST, Macau) for suggestions made in the writing of this article, which extends the presentation (Creese, Reed, Roscoe, & Sanders, 2005) to the International Telecommunication Union's World Summit Thematic Meeting on Cybersecurity in Geneva.

  • 1

    See for example the international survey by Ojo, Janowski, and Estevez (2005). To quote a specific instance, the aim of the recent u-Japan project is to make 80% of citizens feel comfortable with ICTand to appreciate its role in resolving issues, by the Year 2010 (see http://www.nri.co.jp/english/opin ion/papers/2003/np200366.html).

  • 2

    By comparison with comsphere, cyberspace is usually interpreted as comprising networked, static users. It is vital for progress that mobility be acknowledged and catered for, particularly in the context of security. Cell phones provide point-to-point synchronous communication either by voice, text, or image. Computers and personal digital assistants, increasingly by wireless link, provide asynchronous access to vast repositories of data as well as to e-mail. Interactive (digital) televisions (with memory) increasingly resemble networked computers. Embedded chips (e.g., with radio-frequency identification), screens (Weiser, 1993), surveillance systems, global-positioning systems, and “smart” communicating devices (Gershenfeld, 2000) are changing our work, domestic, and even communal environments. Communications are “anytime, anywhere, by anything and anyone.” Just a few alternative terms for the activity of computing on the comsphere are:

    • Mobile Computing: IEEE Transactions on Mobile Computing, founded 2002; pervasive computing: IEEE Pervasive Computing: Mobile and Ubiquitous Systems, founded 2002;

    • Ubiquitous Computing: Weiser (1993); Personal Computing: a term apparently coined by IBM and now interpreted more generally to mean individual local access to information facilities;

    • Ubiquitous Network Societies: for the International Telecommunication Union's Workshop on Ubiquitous Network Societies (e.g., see http://www.itu.int/ubiquitous);

    • Ubiquitous Communication: itself, interpreted to describe wearable systems: The UbiCom Project, the Faculty of Information Technology and Systems at the University of Delft, led by R.L. Lagendijk.

  • 3

    The comsphere is not restricted to just developed countries. In China, the largest cell phone market in the world, more than one quarter of the population owns a cell phone and about 100-million text messages are sent daily, although just under a 10th of the population uses the Internet (Yardley, 2005). In Singapore, 80% of the population has a cell phone; in Malaysia, just under half the population does. For comparison, in Australia, for example, more than half the population uses the Internet, and about three quarters use cell phones (see https://www.cia.gov/library/publications/the-world-factbook/index.html); and Japan has moved from its e-Japan project to u-Japan to re-flect developments in ubiquitous communication (see http://www.nri.co.jp/english/opinion/papers/2003/np200366.html). The ease of achieving mobile point-to-point connection is matched only by the empowerment it provides by the applications it finds. Evidently, ubiquitous communication and the com-sphere constitute a global phenomenon.

  • 4

    The field is so young that many of the important textbooks study the topic using their own notation, which unfortunately makes them relatively inaccessible (for a quite-general textbook, see Coulouris, Dollimore, & Kindberg, 2001; for a slightly more representative text, see Attiya & Welch, 1998).

  • 5

    For an account of how a genuinely distributed system (investing as much control as possible in its distributed components) averted disaster when American Airlines Flight 77 hit the Pentagon on September 11, 2001, see the article by Needleman (2005), which concludes:

    …the system also remained functional even though a large part of it had been destroyed . . . . In addition to playing well in large complex systems, they are able to autonomously perform actions that previously required a connection to a central control system.

  • 6

    From McGraw (1995): “Two-point-five million use [America Online]. That's like a city. Parents wouldn't let their kids go wandering in a city of 2.5 million people without them, or without knowing what they're going to be doing.”

  • 7

    This is an established commercial enterprise. Off-the-shelf programs include CyberSitter, SurfWatch, and NetNanny.

  • 8

    See http://laptop.media.mit.edu Asimilar, but established and successful, project is the Jhai Foundation's PC used in particular to provide Inter-net access to villages in Laos without electricity (see http://www.jhai.org/jhai_remoteIT.htm).

  • 9

    See the Communications Assistance for Law Enforcement Act, CALEA, 1994 (http://www.askcalea.net). In summary, the U.S. government, with appropriate authority, should be able to:

    • intercept all wire and electronic communications originating from or coming to a particular subscriber;

    • intercept communications to and from mobile users, for example people using portable phones or portable computers;

    • obtain call-identifying information, including the phone number from which a call originates and the phone number of the destination;

    • have the intercepted communications and call-identifying information transmitted to a location specified by the government.

References

  1. Top of page
  2. Abstract
  3. Introduction
  4. Distributed Multi-agent Systems
  5. Principle of Distribution
  6. Discussion and Brief Examples
  7. Application of the Principle
  8. Conclusions and Future Research
  9. Acknowledgments
  10. References
  • Attiya, H., & Welch, J. (1998). Distributed computing: Fundamentals, simulations and advanced topics. New York: McGraw-Hill.
  • Coulouris, G., Dollimore, J., & Kindberg, T. (2001). Distributed systems: Concepts and design (3rd ed.). Reading, MA: Addison-Wesley.
  • Creese, S.J., Goldsmith, M.H., Roscoe, A.W., & Zakiuddin, I. (2003a). The attacker in ubiquitous computing environments: Formalizing the threat model. In T. Dimitrakos & F. Martinelli (Eds.), Formal aspects of security and trust. IIT-CNR Technical Report.
  • Creese, S.J., Goldsmith, M.H., Harrison, R., Roscoe, A.W., Whittaker, P., & Zakiuddin, I. (2005). Exploiting empirical engagement in authentication protocol design. In D.Hutter & M.Ullmann (Eds.), Proceedings of the 2nd International Conference on Security in Pervasive Computing (pp. 119133). Springer LNCS. Berlin, Heidelberg.
  • Creese, S.J., Goldsmith, M.H., Roscoe, A.W., & Zakiuddin, I. (2003b). Authentication in pervasive computing. In D.Hutter & M.Ullmann (Eds.), First International Conference on Security in Pervasive Computing, Boppard, Germany. Springer LNCS.
  • Creese, S.J., Goldsmith, M.H., Roscoe, A.W., & Zakiuddin, I. (2004). Security properties and mechanisms in human-centric computing. In P. Robinson, H. Vogt, & W. Wagealla (Eds.), Privacy, security and trust within the context of pervasive computing. Kluwer International Series in Engineering and Computer Science. Proceedings of the Workshop on Security and Privacy in Pervasive Computing, Wien, Austria.
  • Creese, S.J., Reed, G.M., Roscoe, A.W., & Sanders, J.W. (2005). Security and trust for ubiquitous communication. ITU WSIS Thematic Meeting on Cybersecurity, Geneva. Available at: http://www.itu.int/osg/spu/cybersecurity/contributions/UNU-IIST_contribution.pdf
  • Floridi, L., & Sanders, J.W. (2004a). The method of abstraction. In M.Negrotti (Ed.), Yearbook of the artificial nature, culture and technology: Models in contemporary sciences (pp. 177220). Bern, Switzerland: Peter Lang.
  • Floridi, L., & Sanders, J.W. (2004b). On the morality of artificial agents. Minds and Machines, 14(3), 349379.
  • The FORWARD Project. (2003). Available at: http://www.forward-project.org.uk
  • Gershenfeld, N. (2000). When things start to think. Owl Books, NY
  • International Telecommunication Union. (2003, December). Declaration of principles. World Summit on the Information Society (Document No. WSIS-03/GENEVA/DOC/4-E).
  • International Telecommunication Union. (2003, December). Plan of action. World Summit on the Information Society (Document No. WSIS-03/GENEVA/DOC/5-E). ITU, Geneva.
  • International Telecommunication Union. (2005). Thematic meeting on cybersecurity. World Summit on the Information Society. Available at: http://www.itu.int/osg/spu/cybersecurity/index.phtml
  • Johnson, D.G. (1994). Computer ethics (2nd ed.). Upper Saddle River, NJ: Prentice-Hall.
  • Kizza, J.M. (1998). Ethical and social issues in the information age. New York: Springer-Verlag.
  • Maner, W. (1996, April). Unique ethical problems in information technology. In T.W.Bynum & S.Rogerson (Eds.), Global information ethics (pp. 137152). Science and Engineering Ethics. Guildford: Opragen.
  • McGraw, P. (1995). On-line runaways safe. Available at: http://www.cybertoday.com/v1n4/runaway.html
  • Moor, J.H. (1985). What is computer ethics? In T.W.Bynum (Ed.), Computers & ethics (pp. 266275). Oxford: Basil Blackwell.
  • Needleman, R. (2005). Disaster response: Distributed building management proves itself under critical circumstances. Available at: http://www.microsoft.com/business/executivecircle/content/page.aspx?cID=979&subcatID=1
  • Ojo, A., Janowski, T., & Estevez, E. (2005, March). Global survey of e-government. e-Macau Task 2 Report.
  • Rabin, M.O. (1982). The choice-coordination problem. Acta Informatica, 17(2), 121134.
  • Raymond, E.S. (2001). The cathedral and the bazaar. O'Reilly. Sebastopol, CA.
  • Reed, G.M., & Sanders, J.W. (2005, May 25). Ethical principles for secure ubiquitous communication (Draft). UNU/IIST.
  • Roscoe, A.W. (2005, November 15). Human-centered computer security. Available at: http://web/comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/113.pdf
  • Ryan, P.Y.A., Schneider, S.A., Goldsmith, M.H., Lowe, G., & Roscoe, A.W. (2001). The modelling and analysis of security protocols: The CSP approach. Reading, MA: Addison-Wesley.
  • Sang-Hun, C. (2005, May 9). In South Korea, Students push back. Article. International Herald Tribune.
  • Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: Wiley.
  • Turilli, M. (2007). Ethical protocols design. Ethics and Information Technology, 9(1): 4962.
  • Weiser, M. (1993). Hot topics: Ubiquitous computing. IEEE Computer. 7172, October
  • Wiener, N. (1948). Cybernetics: Or control and communication in the animal and the machine. Technology Press. Cambridge, MA.
  • Yardley, J. (2005, April 25). A hundred cellphones bloom, and Chinese take to the streets. Available at: http://www.nytimes.com/2005/04/25/international/asia/25china.html?pagewanted=1
Get PDF (247K)