There\u2019s a fundamental architectural flaw in how the internet works that most people have never heard of, but it explains nearly every frustration you have with modern technology. Why your photos are trapped in Apple\u2019s ecosystem. Why you can\u2019t easily move data between apps. Why every promising new service starts from scratch, knowing nothing about you. And most importantly, why AI\u2014for all its revolutionary potential\u2014risks making Big Tech even bigger instead of putting powerful tools in your hands.<\/p>\n
Former Google and Stripe executive Alex Komoroske (who recently wrote for us about why the future of AI\u00a0need not be centralized<\/a>) has written\u00a0an equally brilliant analysis<\/u><\/a>\u00a0that traces all of these problems back to something called the \u201csame origin paradigm\u201d\u2014a quick security fix that Netscape\u2019s browser team implemented one night in the 1990s that somehow became the invisible physics governing all modern software.<\/p>\n The same origin paradigm is simple but devastating: Every website and app exists in its own completely isolated universe. Amazon and Google might as well be on different planets as far as your browser is concerned. The Instagram app and the Uber app on your phone can never directly share information. This isolation was meant to keep you safe, but it created something Komoroske calls \u201cthe aggregation ratchet\u201d\u2014a system where data naturally flows toward whoever can accumulate the most of it.<\/p>\n This is a much clearer explanation of a problem\u00a0I identified almost two decades ago<\/a>\u2014the fundamental absurdity of having to keep uploading the same data to new services, rather than being able to tell a service to access our data at a specific location on the internet. Back then, I argued that the entire point of the open internet shouldn\u2019t be locking up data in private silos, but enabling users to control their data and grant services access to it on their own terms, for their own benefit.<\/p>\n What Komoroske\u2019s analysis reveals is the architectural root cause of why that vision failed. The \u201cpromise\u201d of what we optimistically called \u201cthe cloud\u201d was that you could more easily connect data and services. The reality became a land grab by internet giants to collect and hold all the data they could. Now we understand why: the same origin paradigm made the centralized approach the path of least resistance.<\/p>\n As Komoroske explains, this architectural choice creates an impossible constraint for system designers.<\/p>\n This creates what I call the iron triangle of modern software. It\u2019s a constraint that binds the hands of system designers\u2014the architects of operating systems and browsers we all depend on. These designers face an impossible choice. They can build systems that support:<\/em><\/p>\n But they can only enable two at once\u2014never all three. If untrusted code can both access your sensitive data and communicate over the network, it could steal everything and send it anywhere.<\/em><\/p>\n So system designers picked safety through isolation. Each app becomes a fortress\u2014secure but solitary. Want to use a cool new photo organization tool? The browser or operating system forces a stark choice: Either trust it completely with your data (sacrificing the \u201cuntrusted\u201d part), or keep your data out of it entirely (sacrificing functionality).<\/em><\/p>\n Even when you grant an app or website permission only to look at your photos, you\u2019re not really saying, \u201cYou can use my photos for this specific purpose.\u201d You\u2019re saying, \u201cI trust whoever controls this origin, now and forever, to do anything they want with my photos, including sending them anywhere.\u201d It\u2019s an all-or-nothing proposition.<\/em><\/p>\n<\/blockquote>\n This creates massive friction every time data needs to move between services. But that friction doesn\u2019t just slow things down\u2014it fundamentally reshapes where data accumulates. The service with the most data can provide the most value, which attracts more users, which generates more data. Each click of the ratchet makes it harder for new entrants to compete.<\/p>\n Consider how you might plan a trip: You\u2019ve got flights in your email, hotel confirmations in another app, restaurant recommendations in a Google document, your calendar in yet another tool. Every time you need to connect these pieces you have to manually copy, paste, reformat, repeat. So you grant one service (like Google) access to all of this. Suddenly there\u2019s no friction. Everything just works. Later, when it comes time to share your trip details with your fellow travelers, you follow the path of least resistance. It\u2019s simply easier to use the service that already knows your preferences, history, and context.<\/em><\/p>\n The service with the most data can provide the most value, which attracts more users, which generates more data. Each click of the ratchet makes it harder for new entrants to compete. The big get bigger not because they\u2019re necessarily better, but because the physics of the system tilts the playing field in their favor.<\/em><\/p>\n This isn\u2019t conspiracy or malice. It\u2019s emergent behavior from architectural choices. Water flows downhill. Software with the same origin paradigm aggregates around a few dominant platforms.<\/em><\/p>\n<\/blockquote>\n Enter artificial intelligence. As Komoroske notes, AI represents something genuinely new: it makes software creation effectively free. We\u2019re entering an era of \u201cinfinite software\u201d\u2014endless custom tools tailored to every conceivable need.<\/p>\n AI needs context to be useful. An AI that can see your calendar, email, and documents together might actually help you plan your day. One that only sees fragments is just another chatbot spouting generic advice. But our current security model\u2014with policies attached at the app level\u2014makes sharing context an all-or-nothing gamble.<\/em><\/p>\n So what happens? What always happens: The path of least resistance is to put all the data in one place.<\/em><\/p>\n Think about what we\u2019re trading away: Instead of the malleable, personal tools that Litt envisions, we get one-size-fits-all assistants that require us to trust megacorporations with our most intimate data. The same physics that turned social media into a few giant platforms is about to do the same thing to AI.<\/em><\/p>\n We only accept this bad trade because it\u2019s all we know. It\u2019s an architectural choice made before many of us were born. But it doesn\u2019t have to be this way\u2014not anymore.<\/em><\/p>\n<\/blockquote>\n But here\u2019s the hopeful part: the technical pieces for a fundamentally different approach are finally emerging. The hopes I had two decades ago about the cloud being able to separate us from having to let services collect and control all our data may finally be possible.<\/p>\n Perhaps most interestingly, Komoroske argues that the technological element that makes this possible is the secure enclaves now found in chips. This is actually a tech that many of us\u00a0were concerned<\/a>\u00a0would lead to the death of general purpose computers, and give more power to the large companies. Cory Doctorow has warned about how these systems can be abused\u2014he calls them Demon-haunted computers<\/a>\u2014but could we also use that same tech to regain control?<\/p>\n That\u2019s part of Komoroske\u2019s argument:<\/p>\n These secure enclaves can also do something called remote attestation. They can provide cryptographic proof\u2014not just a promise, but mathematical proof\u2014of exactly what software is running inside them. It\u2019s like having a tamper-proof seal that proves the code handling your data is exactly what it claims to be, unmodified and uncompromised.<\/em><\/p>\n If you combine these ingredients in just the right way, what this enables, for the first time, are policies attached not to apps but to data itself. Every piece of data could carry its own rules about how it can be used. Your photos might say, \u201cAnalyze me locally but never transmit me.\u201d Your calendar might allow, \u201cExtract patterns but only share aggregated insights in a way that is provably anonymous.\u201d Your emails could permit reading but forbid forwarding. This breaks the iron triangle: Untrusted code can now work with sensitive data and have network access, because the policies themselves\u2014not the app\u2019s origin\u2014control what can be done with the data.<\/em><\/p>\n<\/blockquote>\n Years of recognizing that Cory\u2019s warnings are usually dead-on accurate has me approaching this embrace of secure enclaves with some amount of caution. The same underlying technologies that could liberate users from platform silos could also be used to create more sophisticated forms of control. But Komoroske\u2019s vision represents a genuinely different deployment\u2014using these tools to give users direct control over their own data and to cryptographically limit what systems can do with that data, rather than giving platforms more power to lock things down. The key difference is who controls the policies. (And I\u2019m genuinely curious to hear what Cory thinks of this approach!)<\/p>\n The vision Komoroske paints is compelling: imagine tools that feel like extensions of your will, private by default, adapting to your every need\u2014software that works\u00a0for<\/em>\u00a0you, not\u00a0on<\/em>\u00a0you. A personal research assistant that understands your note-taking system. A financial tracker designed around your specific approach to budgeting. A task manager that reshapes itself around your changing work style.<\/p>\n To the extent that any of this was possible before, it required you simply handing over all your data to a big tech firm. The possibility of being able to separate those things\u2026 is exciting.<\/p>\n This isn\u2019t just about better apps. It\u2019s about a fundamental shift in the power dynamics of the internet. Instead of being forced to choose between security and functionality, between privacy and convenience, we could have systems where those aren\u2019t trade-offs at all.<\/p>\n The same origin paradigm got us here, creating the conditions for data monopolies and restricting user agency. But as Komoroske argues in both the piece he wrote for us and this new piece, we built these systems\u2014we can build better ones. We might finally deliver on its promises of user empowerment rather than further concentration.<\/p>\n As we\u2019ve argued at Techdirt for years, the internet works best when it empowers users rather than platforms. The same-origin paradigm was an understandable choice given the constraints of the 1990s. But we\u2019re no longer bound by those constraints. The tools now exist to put users back in control of their data and their digital experiences.<\/p>\n We can move past\u00a0the learned helplessness<\/a>\u00a0that has characterized the last decade of internet discourse. We can reject the false choice that says the only way to access powerful new technologies is to surrender our freedoms to tech giants. We can actually build toward a world where end users themselves have\u00a0both the power and control<\/a>.<\/p>\n We just need to embrace that opportunity, rather than assuming that the way the internet has worked for the past 30 years is the way it has to run going forward.<\/p>\n How One 1990s Browser Decision Created Big Tech\u2019s Data Monopolies (And How We Might Finally Fix It)<\/a><\/p>\n More Law-Related Stories From Techdirt:<\/strong><\/p>\n The IRS Is Building A Vast System To Share Millions Of Taxpayers\u2019 Data With ICE<\/a> The post How One 1990s Browser Decision Created Big Tech\u2019s Data Monopolies (And How We Might Finally Fix It)<\/a> appeared first on Above the Law<\/a>.<\/p>\n There\u2019s a fundamental architectural flaw in how the internet works that most people have never heard of, but it explains nearly every frustration you have with modern technology. Why your photos are trapped in Apple\u2019s ecosystem. Why you can\u2019t easily move data between apps. Why every promising new service starts from scratch, knowing nothing about you. And most importantly, why AI\u2014for all its revolutionary potential\u2014risks making Big Tech even bigger instead of putting powerful tools in your hands.<\/p>\n Former Google and Stripe executive Alex Komoroske (who recently wrote for us about why the future of AI\u00a0need not be centralized<\/a>) has written\u00a0an equally brilliant analysis<\/u><\/a>\u00a0that traces all of these problems back to something called the \u201csame origin paradigm\u201d\u2014a quick security fix that Netscape\u2019s browser team implemented one night in the 1990s that somehow became the invisible physics governing all modern software.<\/p>\n The same origin paradigm is simple but devastating: Every website and app exists in its own completely isolated universe. Amazon and Google might as well be on different planets as far as your browser is concerned. The Instagram app and the Uber app on your phone can never directly share information. This isolation was meant to keep you safe, but it created something Komoroske calls \u201cthe aggregation ratchet\u201d\u2014a system where data naturally flows toward whoever can accumulate the most of it.<\/p>\n This is a much clearer explanation of a problem\u00a0I identified almost two decades ago<\/a>\u2014the fundamental absurdity of having to keep uploading the same data to new services, rather than being able to tell a service to access our data at a specific location on the internet. Back then, I argued that the entire point of the open internet shouldn\u2019t be locking up data in private silos, but enabling users to control their data and grant services access to it on their own terms, for their own benefit.<\/p>\n What Komoroske\u2019s analysis reveals is the architectural root cause of why that vision failed. The \u201cpromise\u201d of what we optimistically called \u201cthe cloud\u201d was that you could more easily connect data and services. The reality became a land grab by internet giants to collect and hold all the data they could. Now we understand why: the same origin paradigm made the centralized approach the path of least resistance.<\/p>\n As Komoroske explains, this architectural choice creates an impossible constraint for system designers.<\/p>\n This creates what I call the iron triangle of modern software. It\u2019s a constraint that binds the hands of system designers\u2014the architects of operating systems and browsers we all depend on. These designers face an impossible choice. They can build systems that support:<\/em><\/p>\n But they can only enable two at once\u2014never all three. If untrusted code can both access your sensitive data and communicate over the network, it could steal everything and send it anywhere.<\/em><\/p>\n So system designers picked safety through isolation. Each app becomes a fortress\u2014secure but solitary. Want to use a cool new photo organization tool? The browser or operating system forces a stark choice: Either trust it completely with your data (sacrificing the \u201cuntrusted\u201d part), or keep your data out of it entirely (sacrificing functionality).<\/em><\/p>\n Even when you grant an app or website permission only to look at your photos, you\u2019re not really saying, \u201cYou can use my photos for this specific purpose.\u201d You\u2019re saying, \u201cI trust whoever controls this origin, now and forever, to do anything they want with my photos, including sending them anywhere.\u201d It\u2019s an all-or-nothing proposition.<\/em><\/p>\n<\/blockquote>\n This creates massive friction every time data needs to move between services. But that friction doesn\u2019t just slow things down\u2014it fundamentally reshapes where data accumulates. The service with the most data can provide the most value, which attracts more users, which generates more data. Each click of the ratchet makes it harder for new entrants to compete.<\/p>\n Consider how you might plan a trip: You\u2019ve got flights in your email, hotel confirmations in another app, restaurant recommendations in a Google document, your calendar in yet another tool. Every time you need to connect these pieces you have to manually copy, paste, reformat, repeat. So you grant one service (like Google) access to all of this. Suddenly there\u2019s no friction. Everything just works. Later, when it comes time to share your trip details with your fellow travelers, you follow the path of least resistance. It\u2019s simply easier to use the service that already knows your preferences, history, and context.<\/em><\/p>\n The service with the most data can provide the most value, which attracts more users, which generates more data. Each click of the ratchet makes it harder for new entrants to compete. The big get bigger not because they\u2019re necessarily better, but because the physics of the system tilts the playing field in their favor.<\/em><\/p>\n This isn\u2019t conspiracy or malice. It\u2019s emergent behavior from architectural choices. Water flows downhill. Software with the same origin paradigm aggregates around a few dominant platforms.<\/em><\/p>\n<\/blockquote>\n Enter artificial intelligence. As Komoroske notes, AI represents something genuinely new: it makes software creation effectively free. We\u2019re entering an era of \u201cinfinite software\u201d\u2014endless custom tools tailored to every conceivable need.<\/p>\n AI needs context to be useful. An AI that can see your calendar, email, and documents together might actually help you plan your day. One that only sees fragments is just another chatbot spouting generic advice. But our current security model\u2014with policies attached at the app level\u2014makes sharing context an all-or-nothing gamble.<\/em><\/p>\n So what happens? What always happens: The path of least resistance is to put all the data in one place.<\/em><\/p>\n Think about what we\u2019re trading away: Instead of the malleable, personal tools that Litt envisions, we get one-size-fits-all assistants that require us to trust megacorporations with our most intimate data. The same physics that turned social media into a few giant platforms is about to do the same thing to AI.<\/em><\/p>\n We only accept this bad trade because it\u2019s all we know. It\u2019s an architectural choice made before many of us were born. But it doesn\u2019t have to be this way\u2014not anymore.<\/em><\/p>\n<\/blockquote>\n But here\u2019s the hopeful part: the technical pieces for a fundamentally different approach are finally emerging. The hopes I had two decades ago about the cloud being able to separate us from having to let services collect and control all our data may finally be possible.<\/p>\n Perhaps most interestingly, Komoroske argues that the technological element that makes this possible is the secure enclaves now found in chips. This is actually a tech that many of us\u00a0were concerned<\/a>\u00a0would lead to the death of general purpose computers, and give more power to the large companies. Cory Doctorow has warned about how these systems can be abused\u2014he calls them Demon-haunted computers<\/a>\u2014but could we also use that same tech to regain control?<\/p>\n That\u2019s part of Komoroske\u2019s argument:<\/p>\n These secure enclaves can also do something called remote attestation. They can provide cryptographic proof\u2014not just a promise, but mathematical proof\u2014of exactly what software is running inside them. It\u2019s like having a tamper-proof seal that proves the code handling your data is exactly what it claims to be, unmodified and uncompromised.<\/em><\/p>\n If you combine these ingredients in just the right way, what this enables, for the first time, are policies attached not to apps but to data itself. Every piece of data could carry its own rules about how it can be used. Your photos might say, \u201cAnalyze me locally but never transmit me.\u201d Your calendar might allow, \u201cExtract patterns but only share aggregated insights in a way that is provably anonymous.\u201d Your emails could permit reading but forbid forwarding. This breaks the iron triangle: Untrusted code can now work with sensitive data and have network access, because the policies themselves\u2014not the app\u2019s origin\u2014control what can be done with the data.<\/em><\/p>\n<\/blockquote>\n Years of recognizing that Cory\u2019s warnings are usually dead-on accurate has me approaching this embrace of secure enclaves with some amount of caution. The same underlying technologies that could liberate users from platform silos could also be used to create more sophisticated forms of control. But Komoroske\u2019s vision represents a genuinely different deployment\u2014using these tools to give users direct control over their own data and to cryptographically limit what systems can do with that data, rather than giving platforms more power to lock things down. The key difference is who controls the policies. (And I\u2019m genuinely curious to hear what Cory thinks of this approach!)<\/p>\n The vision Komoroske paints is compelling: imagine tools that feel like extensions of your will, private by default, adapting to your every need\u2014software that works\u00a0for<\/em>\u00a0you, not\u00a0on<\/em>\u00a0you. A personal research assistant that understands your note-taking system. A financial tracker designed around your specific approach to budgeting. A task manager that reshapes itself around your changing work style.<\/p>\n To the extent that any of this was possible before, it required you simply handing over all your data to a big tech firm. The possibility of being able to separate those things\u2026 is exciting.<\/p>\n This isn\u2019t just about better apps. It\u2019s about a fundamental shift in the power dynamics of the internet. Instead of being forced to choose between security and functionality, between privacy and convenience, we could have systems where those aren\u2019t trade-offs at all.<\/p>\n The same origin paradigm got us here, creating the conditions for data monopolies and restricting user agency. But as Komoroske argues in both the piece he wrote for us and this new piece, we built these systems\u2014we can build better ones. We might finally deliver on its promises of user empowerment rather than further concentration.<\/p>\n As we\u2019ve argued at Techdirt for years, the internet works best when it empowers users rather than platforms. The same-origin paradigm was an understandable choice given the constraints of the 1990s. But we\u2019re no longer bound by those constraints. The tools now exist to put users back in control of their data and their digital experiences.<\/p>\n We can move past\u00a0the learned helplessness<\/a>\u00a0that has characterized the last decade of internet discourse. We can reject the false choice that says the only way to access powerful new technologies is to surrender our freedoms to tech giants. We can actually build toward a world where end users themselves have\u00a0both the power and control<\/a>.<\/p>\n We just need to embrace that opportunity, rather than assuming that the way the internet has worked for the past 30 years is the way it has to run going forward.<\/p>\n How One 1990s Browser Decision Created Big Tech\u2019s Data Monopolies (And How We Might Finally Fix It)<\/a><\/p>\n More Law-Related Stories From Techdirt:<\/strong><\/p>\n The IRS Is Building A Vast System To Share Millions Of Taxpayers\u2019 Data With ICE<\/a> There\u2019s a fundamental architectural flaw in how the internet works that most people have never heard of, but it explains nearly every frustration you have with modern technology. Why your photos are trapped in Apple\u2019s ecosystem. Why you can\u2019t easily move data between apps. Why every promising new service starts from scratch, knowing nothing about […]<\/p>\n","protected":false},"author":3,"featured_media":127150,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-127149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-above_the_law"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/xira.com\/p\/wp-content\/uploads\/2025\/07\/GettyImages-499689350-gc1pxv.jpeg?fit=456%2C377&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/127149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=127149"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/127149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media\/127150"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=127149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=127149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=127149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n
\n
\n
DHS Abandons Fighting Actual Crime To Focus All Of Its Attention On Undocumented Migrants<\/a>
UnitedHealth\u2019s Response To People Cheering Their CEO\u2019s Murder: Silence The Critics<\/a><\/p>\n\n
\n
\n
\n
\n
DHS Abandons Fighting Actual Crime To Focus All Of Its Attention On Undocumented Migrants<\/a>
UnitedHealth\u2019s Response To People Cheering Their CEO\u2019s Murder: Silence The Critics<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"