WAP Flap Zaps Spec Credibility.
The market for wireless Web phones is hot, but heated patent battles and uncertainty about security services are threatening to confuse consumers and delay product rollouts. Over the past several months, issues surrounding the intellectual property rights to pieces of the WAP specification and flaws in the spec itself have thrown this heady market into turmoil. Now, members of the WAP Forum--the consortium that promotes the specification--are squabbling, problems with transport layer security have arisen, and HDML, which was superseded by WAP two years ago, is still being promoted by some Forum members.
First, a bit of background on the standards involved. Recall that WAP (Wireless Access Protocol) is designed to allow Web content to be delivered to small footprint/small display devices--especially phones. Phones with WAP-enabled browsers (sometimes called microbrowsers) access the Web through gateway servers, which are responsible for connecting the cellular and wired networks, as well as for security and other relevant technologies like caching. (See the September 1999 issue of CTR for a complete discussion of WAP, available at www.wwpi.com.)
WAP devices do not use standard HTML, because it is not suited to small devices with small screens. Rather, WAP uses a subset of HTML called WML (Wireless Markup Language), which was specifically designed to allow developers to code Web content that can be interpreted by phones. Some of today's confusion can be traced to WAP's use of WML. This is because before there was WML (actually, even before there was WAP), there was HDML (Handheld Device Markup Language), which was developed by Unwired Planet and is closer to standard HMTL than WML. An HDML developers kit was first published by Unwired Planet (now Phone.com), which was also a founding member of the WAP Forum.
HDML was originally intended for various types of mobile computing devices, including phones. However, it was not optimized for phones, and it was intended to be used with IP, since there was no WAP (essentially a wireless-optimized version of IP) at the time. The problem today is a result of that HDML toolkit published in 1997. Thousands of Web developers have used HDML for three years, and several of the largest cellcos provide information services based on it, including AT&T, Bell Atlantic, GTE, and Sprint PCS. Kathy Simpson, Phone.com's director of developer marketing, says that 50 of Phone.com's customers deployed HDML services and are still supporting it while they explore WML and WAP. She expects to see WAP phones shipping in bulk in the U.S. by the end of the year.
Today, HDML is well entrenched and, Simpson says, because of the lag time between new phone designs and the actual shipping of the phones (18 months), WAP implementation itself has been slow this year. While phone makers Nokia and Ericsson are firmly behind WAP (no surprise there; they founded the WAP Forum), cellco service providers have been slow to embrace WAP at the expense of HDML. The other problem has been vendor interoperability. Because of problems in spec interpretations, early products based on WAP 1.0 did not interoperate, and WAP 1.1, which was introduced in June of 1999, is still in the early stages of adoption.
To address some of these issues, the WAP Forum recently instituted a certification program for WAP 1.1 devices, which is being administered by The Open Group. The program will test devices for standards compliance and only products that are certified will be able to display the WAP 1.1 and WAP Forum logo. Version 1.3 is expected to be released shortly after you read this.
But WAP, which includes a vast alphabet soup of protocols and numerous standards within its overall framework, has come up against some intellectual property issues that may make certification a bit more complex. Last year, Geoworks Corporation claimed that WAP includes a patented user interface element that Geoworks created in 1994, called Flex UI. Geoworks holds the patent for Flex UI on wireless devices, including mobile phones, which are based on WAP and which were already in circulation at the time of the claim.
After a contentious February WAP Forum meeting in Rome, the group acknowledged the patent, and Geoworks is now in full pursuit of the "licensing of its patented technology on fair, reasonable and non-discriminatory terms and conditions," according to a company statement. In the same statement, Geoworks president and CEO Dave Grannan said that there are already "a number of industry participants who have recognized both our good intentions and the validity of our IPR claims, and have entered into licensing discussions with us. The WAP Forum reiterated their desire to have member companies pursue licensing IPR claims between the member companies with no direct involvement of the WAP Forum."
In other words, companies that want to use WAP must license Flex UI from Geoworks directly; certification by the WAP Forum is not sufficient. Unlike other wireless specs (such as Bluetooth, for example), WAP does not include an Open IP contract, in which members donate their intellectual property in exchange for the use of other members' IP. "Lots of companies in the WAP Forum have intellectual property in WAP," says Phone.com's Simpson. "IP is a complex issue, and it's going to be up to the legal teams to figure it all out," she says.
According to patent and licensing documents examined by CTR, the lawyers may be the ones profiting from WAP; Geoworks has no plans to make its technology freely available. In fact, the company is charging $20,000 per annum plus royalty fees and/or seat license fees, depending on the WAP application. At press time, Geoworks had agreed to release companies from liability owing to past infringement provided licensing agreements are in place by July of this year. Companies licensing the technology after that time may be subject to higher licensing fees; those fees were unannounced as this issue went to press.
Don Ezzell, general counsel for Geoworks, says that the company's belief is that the licensing program will not have an impact on the viability of WAP. "We believe this is a modest royalty arrangement, and we have an obligation to recover our substantial research and development expenses." Ezzell notes. "There has been no challenge to the validity of Geoworks patent from a WAP Forum member," he declares flatly. "Lots of other companies, including Nokia, NEC, and Phone.com have declared that their IP is part of WAP."
While no one can blame Geoworks for attempting to recoup its research and development costs for Flex UI, the fact remains that the company has thrown a wrench into the WAP works. What was once freely available, open technology is now linked to the goals--financial and otherwise--of Geoworks. While other companies may have announced their IP, no one besides Geoworks has yet to demand licensing fees; Ezzell believes they probably will.
Much of the contentiousness may be due to the WAP Forum's charter, which Ezzell says has strict rules regarding anti-trust behavior: the membership cannot take collective action, and companies cannot act in concert if they feel another member company is acting unfairly. According to Ezzell, one of the most important seminars at WAP Forum meetings is run not by engineers but by WAP Forum lawyers: the anti-trust workshop. "It's pretty unusual for what are generally technical conferences," Ezzell admits.
Security At Risk?
WAP is also being assailed on a different front due to a possible security hole in the specification. Published reports indicate that when a WML-based document is transferred from the wireline (IP) to the wireless (WAP) network at the gateway (WAP proxy) server, the data must change encryption schemes--SSL to WTLS (Wireless Transport Layer Security) in this direction and WTLS to SSL in the reverse. In the moment before data is re-encrypted, it is left vulnerable to a hack. Alastair Angwin of IBM's UK Laboratories (and of the WAP Forum) acknowledges that there is a problem here, and notes that IBM raised the issue as early as 1998. "It is a small problem for transactions where security is paramount, [but] even here the risks are very low."
Ericsson's Espen Kristensen, the WAP Forum's security expert, adds that because the WAP gateway translates between SSL and WTLS for the fixed and the mobile sides, data is "in the clear" inside the gateway. "The security implication is that the gateway should be within the same security domain as the application server, or you will need to trust the gateway operator." He notes, however, that the algorithms involved in WTLS are as strong as those of SSL (most of them are the same). IBM's Angwin says we can expect to see this hole plugged in the near future. (On the advice of IBM lawyers, he too declined to comment on the significance of Geoworks' patent claim.)
Still, WTLS only works if both sides of a WAP conversation (proxy server and WAP phone) have it installed. At press time, only a few proxy servers and almost no phones in the U.S. did; most are using SSL to talk to origin servers on the Web and have not yet adopted WTLS.
And that isn't the only problem for WAP. WTLS is being besieged on another front by a predominantly European consortium called Radicchio. Radicchio member companies (including Gemplus, Vodafone AirTouch, Ericsson, Sonera, and Siemans, plus Geoworks, TI, and VeriSign in the U.S.) are pushing for standardization of PKI-based encryption schemes that are more secure than those provided for in the WAP spec. "E-services like Internet banking and online [stock trading] are already possible on mobile phones, but one of the main things holding organizations back from offering them is concern about the security of their data and their customers' data," Harri Vatanen, of Sonera SmartTrust, said last year at the organization's founding.
The problem is that PKI security schemes require third party certificate authorities, who guarantee the identity of transaction participants. PKI adoption in the U.S. has been stagnant to slow at best because of this added layer of complexity. WAP 1.3 may include some provisions for PKI, though in what form is an open question.
As if all this were not enough, Ericsson, Nokia, and Motorola have taken security one step further: the three companies have announced an initiative to combine WAP with WIM (Wireless Identification Module) to create a standard that not only guarantees security but also identity, via digital signature technology. The companies note that without proof of identity, all the security technology in the world won't make a difference if a phone is lost or stolen.
But all of these technologies are indicative of the larger problem facing wireless hardware makers and service providers: creating international, wireless Internet standards is difficult business. With so many different companies pushing so many different wireless networks, coming up with a unifying Web standard for all those phones is no easy task. At this point, picking a winner is a difficult call.
WAP Goes Open Source
It had to happen. It was just a matter of time. WAP has now gone open source. Kannel (www.kannel.org), an open source WAP gateway, provides the essential parts of the WAP infrastructure freely to those interested in developing both products and services based on WAP and WML/WMLScript. (Kannel also serves as an SMS--Short Messaging Service--gateway for GSM networks.)
Kannel is being developed on Linux (Red Hat 6.1 and Debian), and is expected to be ported to other versions on Unix, although at press time it did not support any other platforms. Kannel uses a BSD-style license. Visit www.kannel.org/overviews.html for detailed system requirements.
Kannel was founded by Helsinki-based WapIT (www.wapit.com), which develops mobile services and is a member of the WAP Forum. The site is run by Lars Wirzenius, who works at WapIt. But what does Kannel actually mean? According to Mato Valtonen, WapIT's marketing director, Kannel is a romantic name for a traditional Finnish musical instrument.
Worried About Cellular Privacy? Worry About NYML
The widespread implementation of digital cellular with strong encryption algorithms has reduced fears of phone cloning and service theft But a specification formed by IBM and Fujitsu now being considered by the W3C raises a whole host of privacy issues that may not be so easy to address.
The specification, called NaVigation Markup Language (NVML), is intended to allow service providers to pinpoint, with near precision, the geographic location of users of mobile devices. Global positioning services are currently confined to cars (OnStar) and GPS devices, which use them for mapping and for emergency assistance. NVML wants to bring positioning and navigation to any and all devices, including PDAs and cell phones. According to the specification's authors, NVML is a markup language for describing the location of points and route information. NVML enables a device to use a navigation service at any time and anywhere, and has the potential to be used as a guide service for sightseeing, as a travel planning service, and as a publishing service for tourists.
The authors of NVML foresee the spec used not just by service providers (say, the maker of trip planning or sightseeing software), but by individuals, who can "mail NVML data to their friends", presumably allowing individuals to be tracked wherever they go. A similar specification, called POIX (Point Of Interest eXchange Language Specification) is also currently under review by the W3C.
The W3C acknowledges that both specifications are controversial, in that they can be used for "significant violations of the users [sic] privacy. While privacy protection for cases where the position information is used as an entity in itself are foreseen in the standards for mobile systems privacy protection for cases where the position is used to retrieve customized information is not." (Current technology allows the location of devices to be pinpointed to within 1.5 meters.)
While no one is crying Big Brother yet the technology seems ripe for abuse It could -- and most probably will--be used legally by marketers for some frighteningly precise targeted advertising. If you think cookies say a lot bout your travels on the Web imagine your cell phone broadcasting the fact that you're about to walk into the Gap. Yikes.
|Printer friendly Cite/link Email Feedback|
|Publication:||Computer Technology Review|
|Date:||May 1, 2000|
|Previous Article:||Serial ATA Will Implement Next Generation Performance By 2002--Transparently.|
|Next Article:||Microsoft Fought The Law And The Law Won. Does Anybody Still Care?|
|Present documents via technology.|