Is The Browser Part of the Operating System?

An exercise in misdirection

In 1998, the United States Federal Government charged Microsoft with anti-trust violations. One of the the complaints was that Microsoft had "bundled" its Internet Explorer (IE) web browser with its Windows operating system (OS). From the customer's point of view, IE came free with the OS. Since Windows had, at the time, a market share in excess of 95%, this meant that virtually everyone who bought a computer also got IE. This severely undercut use of the only competing commercial browser, Netscape, and Netscape Communications Corporation subsequently declined.

In its defense, Microsoft asserted that the web browser was, in fact, part of the operating system. Therefore, it made no sense to talk of bundling the browser; it was in the natural order of things that an OS vendor would include a browser in their product.

Facially, this is a valid argument. All products have parts, and we don't fault manufacturers for including the parts of their own products. When you buy a car, it comes with an engine. This makes it very difficult for independent engine manufacturers to sell automobile engines to the general public. But we don't accuse car companies of bundling engines with their cars in order to drive engine manufacturers out of business: we accept the fact that the engine is part of the car.

So the charge against Microsoft came down to a question of fact: is the web browser part of the operating system? Needless to say, there was a great deal of testimony and argument about this during the trial. I followed the trial casually; to me, the question seemed opaque, and I could hear little more in the arguments than "is so"— "is not".

In the end, Microsoft was found to be a monopoly, but received only minimal sanctions. Microsoft still ships IE with Windows, yet stand-alone browsers, like FireFox, are now regaining market share. Arguably, the question still stands: is the browser part of the OS?

Well, is it???

There are (at least) four different questions wound up together here, and Microsoft has worked hard for many years to confuse and confound them. They don't want people to have a clear understanding of this issue, because a clear understanding of it does not at all serve their case. Let's take the questions one at a time and see if we can sort out the issues. Here are the questions:
  1. Does the customer expect the computer to come with a web browser?
  2. Who should select the browser and integrate it with the computer?
  3. Is the browser part of the broad collection of software referred to as the "operating system"?
  4. Should the code that implements the browser be integrated with the operating system kernel?

Does the customer expect the computer to come with a web browser ?

This is a question about consumer behavior and expectations. When Joe Consumer—or Joe Businessman—buys a computer, takes it out of the box, and turns it on, do they expect to find a web browser already installed on it? To find out the answer, we simply talk to consumers and watch their behavior. The answer turns out to be yes.

In pre-trail discussions with the government, a Microsoft lawyer said of the Windows operating system

We could put in a ham sandwich, but nobody would buy it.
The part about the ham sandwich was taken out of context and held up as an example of Microsoft's arrogance; however, the point that the lawyer was making is that Microsoft is responsive to consumer expectations—and consumers expect their computers to come with web browsers.

The answer to this question supports Microsoft's position.

Who should select the browser and integrate it with the computer?

This is a question about industrial organization: how should the manufacture and distribution of computers be organized? In the United States, we let the markets decide most questions like this.

The personal computer (PC) industry is about 25 years old. There have been some changes during that time, but the basic outlines are clear and stable. Computers are built by original equipment manufacturers (OEMs)—companies like Dell, Gateway and Hewlett-Packard. The OEM

The OEM takes responsibility for selecting and integrating all the software that comes on the computer—with one exception. Microsoft dictates that OEMs who install Windows also install IE on all computers. Microsoft enforces this through terms in the Windows license.

Absent Microsoft's exercise of monopoly power, there is every reason to believe that OEMs would select the web browser, just as they select all the other components of their products.

The answer to this question does not support Microsoft's position.

Is the browser part of the broad collection of software referred to as the "operating system"?

This question is either a matter of opinion, or simply unanswerable. The reason is that the term "operating system", as used here, has no specific technical meaning. It is more like the term "city".

Cities are big and sprawling, and their boundaries can be fuzzy. True, the city has a geographic boundary, defined by statute and recorded in the registry of deeds, but how many people know exactly where it is—or care?

Asking whether the browser is part of the operating system is like asking whether the bus line is part of the city. In the end, it depends on what you mean by "city".

The answer to this question is irrelevant to Microsoft's case.

Should the code that implements the browser be integrated with the operating system kernel?

This is an engineering question. Unlike the broad term "operating system", the term "operating system kernel" has a specific technical meaning, and this question has a definite answer. On very strong engineering grounds, the answer is no.

Operating systems are organized, either actually or notionally, in layers, like an onion. The innermost layer is commonly called the kernel.

The kernel is the first part of the OS that runs after the computer starts up, and the first thing the kernel does is take control of all the hardware on the computer

All other programs run under control of the kernel. The kernel Importantly—crucially—the computer hardware guarantees that the kernel regains control if a program hangs, crashes, or otherwise misbehaves. When this happens, the kernel stops the program, cleans up the mess, and goes on.

As long as the kernel is functioning properly, the OS can recover from any error in any other program. Conversely, if the kernel is compromised, by

then errant programs may Usually, the only way to recover from a problem with the kernel is to reboot the machine. If data corruption extends to the hard drive, it may be necessary to reinstall the OS.

In view of all this, good engineering practice is to keep the kernel as small and simple as possible. Over time, kernels tend to become large and complicated, because they do many complicated things. However, the principle stands: nothing should be put in the kernel without a good reason.

Good reasons

Good reasons to put things in the kernel include

Necessity

Some programs simply can't be made to work unless they are inside the kernel. The web browser isn't one of them. There are web browsers—widely used, full-featured web browsers—that run on Microsoft Windows and are not part of the kernel. These include The existence of these browsers demonstrates that it is not necessary for the browser to be part of the kernel.

Performance

There are some programs that run faster—much faster—if they are part of the kernel. The browser isn't one of them. Microsoft's Internet Explorer doesn't run any faster inside the kernel than other browsers run outside the kernel. Besides, under current technology and typical usage patterns, web browsers spend more time waiting for network I/O than CPU execution.

Security

Some programs run inside the kernel because they need to be inside its security boundary. The file system is a good example of this. The web browser is not. The browsers cited above that run outside the kernel are secure—by many accounts, more secure than Internet Explorer, which runs inside the kernel. Security is not a good reason to put a web browser inside the kernel.

Integration

Another reason sometimes given for making the browser part of the kernel is integration. "Integrated" is just a fancy word for "part of", so this argument is ultimately circular. Upon inspection, the benefits of integration usually turn out to be claims for greater performance, security, or convenience. We've already seen that performance and security considerations don't justify making the browser part of the kernel. We'll discuss convenience below.

Keeping it out

Since there aren't any good reasons to put the browser inside the kernel, good engineering practice is to keep it outside. But it isn't just a matter of good practice: there are positive reasons why the browser should be kept out of the kernel. The two most important are

Stability

People have been writing operating system kernels for half a century. We know how to People have been writing web browsers for just over a decade. Design, implementation, and basic requirements are still in flux. Dragging a web browser into the kernel destabilizes it.

Security

The kernel enforces a security boundary at its interfaces. Every datum that crosses these interfaces must be checked to see that it does not violate the kernel's security requirements. The kernel may be complex, but its interfaces are These properties are crucial to making the kernel secure. If the kernel interfaces are ill defined, poorly understood, or just too complicated, then ensuring the security of the kernel becomes an impossible task.

If the kernel includes a web browser, then its security boundary must extend out to the interface between the browser and the World Wide Web. This interface includes

The phrase "World Wide Web" aptly describes the size, complexity, and fuzziness of the data that the browser must handle. Validating this data is impossible, and dragging a browser into the kernel hopelessly compromises its security.

Recap

For reference, here are the answers that we got to our four questions
  1. Does the customer expect the computer to come with a web browser?

    Yes.

  2. Who should select and integrate the browser with the computer?

    The OEM.

  3. Is the browser part of the broad collection of software referred to as the operating system?

    depends what you mean by "operating system"

  4. Should the code that implements the browser be integrated with the operating system kernel?

    Absolutely not.

Now let's look at what Microsoft actually does with Internet Explorer
  1. Microsoft ships Internet Explorer with the Windows operating system

    Fair enough; customers expect to get a web browser with their computer

  2. Microsoft coerces OEMs into shipping IE, and no other browser, on computers that have Windows

    Dirty pool, and illegal, besides. Unfortunately, the OEMs are too dependent on Microsoft to complain, and the U.S. government refuses to impose meaningful sanctions on Microsoft, apparently for political reasons.

  3. Microsoft says the browser is part of the operating system

    They're entitled to their opinion.

  4. Microsoft integrates the code that implements Internet Explorer into the Windows kernel

    AAAAAAArrrrggggghhhhh!!!!!!!

Is it really that bad?

It's really that bad.

The discussion above is technical and somewhat abstract, but the problems it describes are not. Putting the browser into the kernel causes real problems for ordinary users.

All browsers have bugs; all browsers crash. When a browser like FireFox crashes, you lose the web page you were viewing. If you want to see it again, you have to reopen the browser and reenter the URL. When Internet Explorer crashes, it takes the kernel, the OS, and the computer with it. Recovery generally requires a reboot, and data loss in other programs is not uncommon.

All browsers have security holes; all browsers are subject to attacks from hostile web sites. When a browser like FireFox is compromised, the attacker gains control of the browser. When Internet Explorer is compromised, the attacker gains control of the kernel, and through it, the entire computer.

Why do they do it?

If integrating the browser with the kernel is such a bad idea, we have to ask why Microsoft does it. The answer comes in two parts

Why they say they do it

Microsoft's first answer, of course, is simply that the browser is part of the operating system. However, this answer rests on a confusion of the more detailed questions discussed above. No one is disputing the assertion that the general term "operating system" can be construed broadly enough to include a web browser. The question is what possessed Microsoft to drag the browser into the kernel.

Microsoft doesn't like to say much more about the issue; however, if you read their marketing literature and their advertising copy, you can see some other claims coming out around the edges.

Microsoft touts the conveniences and features that they can offer on account of IE being integrated with the kernel. It's always there; it's always on. Content from any source on the web can be seamlessly passed into any application on the computer. Data from any application can be displayed as a web page. The bothersome distinction between your computer and the internet fades into the background: Windows takes care of it all for you.

Ironically, it is just this kind of integration that makes Internet Explorer such an effective vector for malware. The "convenience" that Microsoft offers comes at a crushing cost in security and stability.

Why they really do it

In its early days, Microsoft sold products on their features, performance, and convenience, and it still gives lip service to these customer benefits. Today, however, Microsoft's primary strategy for selling its products is to deny the customer any other choices.

One way they do this is by driving competitors out of business—for example, through bundling. But merely shipping IE in the same box with Windows isn't enough: if all Microsoft did was put it in the box, someone else could as easily take it out of the box.

There is also an historical reason for integrating IE with Windows. Up until the early 1990's, the internet was essentially a research project, funded by the government, and restricted to universities and large corporations. Then, a confluence of developments made it practical for consumers to use the internet. These included When this happened, the internet, and—especially—the web were suddenly propelled into public awareness. For a brief period of time, there was serious speculation that the web browser would supplant the operating system as the user's primary interface to the computer.

The prospect of this doubtless terrified Microsoft. If users spend all their time inside the web browser, then they don't care what operating system runs underneath it. OEMs are then free to sell computers with competing operating systems, and Microsoft's monopoly evaporates.

Microsoft was famously unprepared for the commercialization of the internet. Their first response was to write their own web browser, but they also made sure that that browser was wired right into the OS. That way, even if the browser somehow became the OS, the user would still be running Windows, and Microsoft would still control the desktop.

It didn't turn out that way. Consumers have been on the Internet for 10 years now, they don't spend all their time inside the web browser, and they still care what OS they run. But Microsoft has never backed down from their original decision to integrate the browser with the OS—if anything, they have worked to make them inseparable, scattering code for the browser across the system in multiple files, and blurring the distinction between the web and the desktop at the user interface.

Notes

Netscape Communications Corporation
Wikipedia gives a short history of Netscape Communications Corporation. The name Netscape survives as a trademark of AOL.
operating system kernel
This discussion applies most specifically to operating systems with monolithic kernels, such as GNU/Linux and Windows 95/98/ME. For operating systems with a micro-kernel architecture, such as GNU/Hurd and Windows NT/2000/XP, terminology and details are somewhat different; however, the underlying issues are the same.
features, performance, and convenience
I used Microsoft's excellent C compiler throughout much of the 1980s.
backed down
Joel Spolsky argues that Microsoft has deliberately neglected development of IE, for fear that a more capable browser—even their own—could still threaten their monopoly on the desktop.

Translations

Romanian courtesy of The Word Point
Russian completed by Edubirdie
Spanish courtesy of Susan Brown
Ukrainian courtesy of Diane Sherron at PickWriters
Uzbek courtesy of Sherali Niyazova
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Steven W. McDougall / resume / swmcd@theworld.com / 2005 Feb 26