
Pentium III: How bad is privacy threat?

Does the widely reported Pentium III serial number controversy really present a major threat to privacy?

Do the serial numbers on Intel's computer chips really present a major threat to consumer privacy?

Technology experts say recent reports of software programs capable of "grabbing" PC users' Pentium III serial numbers without their knowledge or consent shouldn't alarm PC users. On the other hand, those on all sides of the debate agree that no one should be overly confident about the level of security these microprocessors can ensure.

Nathan Brookwood, an analyst at Insight 64, reflects that conflict. "I'm not a good person at anticipating all the evil things people can do. But in my view, the whole role of the PSN [processor serial number] has been somewhat overstated," he said.

Yet he was quick to add: "When you have a transaction and a user at one end of the network and a machine where the transaction is being handled at the other end, and a big network in between, there are lots of ways to compromise a machine or break into a site."

Even privacy advocates concede that it is technically difficult for a hacker to do much harm if armed only with a purloined processor serial number. But these groups are concerned that future technologies and uses of the Internet could allow grave abuse of this information in ways not envisioned today.

Regardless of the actual risk, the debate has become something of a battle royal between privacy advocates and corporate interests. The emotions arising from the issue seem to transcend the mundane machinations of digital technology, introducing Orwellian rhetoric often reserved for such constitutional powder kegs as gun control.

"Individuals should be able to control their identity and other forms of authentication," said Ari Schwartz, senior policy analyst for the Center for Democracy and Technology, which has filed a complaint with the Federal Trade Commission, requesting that Intel be precluded from manufacturing the Pentium III with the serial code.

Intel's recently released Pentium III processor contains a 96-bit serial number hardwired into the chip. The number was designed to add another layer of protection for e-commerce transactions and to aid organizations in tracking assets.

Independent chip analysts say the framework in which the serial number will be exchanged makes it difficult for any third party to use a nabbed number nefariously. These experts acknowledge that hackers or marketers will be able to steal it--but a number is likely all they will get, they say, not the key to your life.

"All they have at that point is a serial number, and that doesn't really help a lot," said Peter Glaskowsky, an analyst at MicroDesign Resources. To take advantage of someone, he added, "you need a combination of an unethical Web site developer and a stupid Web site developer."

At the same time, Glaskowsky said, the serial number offers little in the way of added security. And companies looking for better ways to manage technology across large networks are not sold on the Pentium III either.

"Asset management now is not done easily--it's either done physically or through personnel," said Pete Jackson, president of Intraware, a systems integration firm. "It's a major problem throughout the enterprise, but I don't think a lot of people are going to switch to the Pentium III to solve the problem."

Security concerns have dogged the high-tech industry relentlessly, particularly with the wild proliferation of Internet use. On the software side, Microsoft has faced its own share of privacy issues, acknowledging earlier this month that Windows 98 collects information on users' PCs through the operating system's registration process and that documents created with Office 97 applications include information related to document authors. Microsoft halted the practice and issued patches for the security holes.

Against this backdrop, it comes as no surprise that the Pentium III serial number has enjoyed a short but tortured life. Intel revealed the serial number system in February, stating that the number was a third form of identification.

In Intel's view, those who want to gain access to number-protected sites will provide their user names and passwords, as well as let distant Web servers send down an applet to confirm the processor serial numbers, said Pat Gelsinger, corporate vice president at Intel.

Although the serial number never changes, the confirming applet "hashes" it so that sites only get a placebo of the real number--and no two Web sites get the same placebo.

In other words, if your processor serial number is X, one Web site will know you as Y, while another might know you as Z. Another layer of encryption disguises Y or Z for the confirming transaction. During the exchange, processor numbers are further disguised to minimize the possibility that the true serial number will be intercepted.

Therein lies the problem for privacy advocates, who note that this encryption technology is an option for Web sites but that there is no guarantee that all of them will use it. "We're not confident about [widespread encryption], no," Schwartz said, understatedly.

Turning it back "on"
The plan was to have computer makers leave the serial number "on," or accessible and open to confirming software agents. After privacy groups protested, Intel changed the software utility so that the PSN would be disabled by default shortly after a PC boots up.

Even before the chip was available in computers, a German technology magazine claimed that it had developed a method of circumventing the Intel-developed software utility. A Canadian software firm, Zero-Knowledge Systems, then followed with an ActiveX control that grabs the serial number before the software utility is activated, after tricking a user into restarting their system.

But while these groups may have succeeded if their intent was embarrassing the world's largest chipmaker, analysts say that a stolen serial code does not present much of an actual threat to a typical Pentium III user.

Even if the disabling utility is cracked, it would still be extremely difficult to do anything with the serial number, analysts maintain. For instance, if a hacker wanted to get into private accounts, they would likely need more information, they say.

Most Web sites that use the processor serial number, especially e-commerce sites, require other forms of identity verification, not only to reassure visitors but also to protect their own interests, Glaskowsky said.

"Any Web site that is intelligent is going to ask you for some kind of password," he said. "It's inevitable that responsible online businesses will have a two-stage verification process. One of those might be the serial number."

Many hacks required
Pulling this off is no small feat either, technologically speaking. A hacker couldn't just issue the PSN to a distant server. The hashed number through which the distant server knows the user would have to be determined, which involves breaking into the distant server's database as well.

Then, even if that number could be determined, the additional layer of encryption would have to be hacked so that the hacker can send a confirming transactional number that the distant server will accept.

"It's extremely difficult to [use the serial number] to impersonate another person--not impossible, but difficult," Glaskowsky explained. "It's far more straightforward for a Web site operator to steal your serial number than for a hacker to trick them."

The pervasiveness of the encryption layer dents the other theory of danger: unscrupulous sharing. Although there may be a financial incentive for Web sites to sell or share this number with other sites, there is no way to connect the encrypted number to an individual user, according to George Alfs, an Intel spokesman.

"It can't be compared to other Web site serial numbers," he said. "If sites are using the tamper-resistant tools, the numbers won't match."
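An added illustration of the per-site hashing described earlier and of the "numbers won't match" claim (not code from Intel or from this article): it assumes HMAC-SHA256 keyed by a site ID as a stand-in for the unspecified hash, with constructed serial numbers and hypothetical site and function names. It shows that two sites pooling hashed identifiers find no matches, while sites that skip the hashing and store the raw number can link every account.

```python
import hashlib
import hmac

# Constructed sample values; not real processor serial numbers.
PSN_ALICE = bytes.fromhex("0000068300000000deadbeef")  # 96 bits = 12 bytes
PSN_BOB = bytes.fromhex("00000683000000000badf00d")
VISITORS = {"alice": PSN_ALICE, "bob": PSN_BOB}


def site_identifier(psn: bytes, site_id: str) -> str:
    """Per-site value: keyed hash of the PSN, keyed by the site ID.

    HMAC-SHA256 is an assumption for illustration, not Intel's algorithm.
    """
    if len(psn) != 12:
        raise ValueError("PSN must be 96 bits (12 bytes)")
    return hmac.new(site_id.encode(), psn, hashlib.sha256).hexdigest()


def collect(site_id: str, visitors: dict, hashed: bool) -> dict:
    """What one site stores: identifier -> local account name."""
    return {
        (site_identifier(psn, site_id) if hashed else psn.hex()): f"{name}@{site_id}"
        for name, psn in visitors.items()
    }


def linked_accounts(db_a: dict, db_b: dict) -> list:
    """Account pairs two sites could link by pooling their identifier columns."""
    return sorted((db_a[k], db_b[k]) for k in db_a.keys() & db_b.keys())


if __name__ == "__main__":
    hashed = linked_accounts(collect("shop.example", VISITORS, True),
                             collect("news.example", VISITORS, True))
    raw = linked_accounts(collect("shop.example", VISITORS, False),
                          collect("news.example", VISITORS, False))
    print("linked with per-site hashing:", hashed)
    print("linked with raw PSN:", raw)
```

The unlinkability holds only when every participating site uses the hashed value; one site storing the raw number alongside another that does the same is enough to restore the join.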

Assurances fall on deaf ears
Many users, though realistic about the risks of using the Internet, are not assuaged by analyst and Intel reassurances. Web sites "knowing who you are...is pretty much available through many sources, so don't sweat the small stuff," wrote reader Randy Dickson, who raised concerns about serial number thieves impersonating PC users in chat rooms and newsgroups.

"While I think Intel had their heart in the right place, they seriously misunderstood how this information could be misused...Some of us don't mind the fact that Big Brother may be watching, as long as he can't be misled," Dickson wrote.

Others, like Norman Thorsen, are more concerned about Web sites gathering yet more personal information about visitors, regardless of whether these sites then sell or share the data. "Given this opportunity, marketers and, quite possibly government agencies, will collect as much information as possible," Thorsen wrote. "No one asked the customer about collecting this information--Intel decided to provide it without prior notification. By definition, that is an invasion of privacy."

Dickson and other readers are concerned about Web sites that will only allow surfers to visit if the personal serial number is enabled.

"Web sites will develop content that requires the PSN, so that personal privacy must be compromised in order to use the Internet," one reader wrote. "Intel's technology is fundamentally un-American. It is equivalent to installing video cameras on every street corner."

Many companies, including software and hard drive manufacturers, include serial numbers with their products but do not share or sell that type of customer information. This is not necessarily out of any noble respect for the privacy of their customers, but because it would be against their own strategic interests, said Greg Blatnik, vice president of Zona Research.

"That type of information tends to have more value to the company that provided the product," Blatnik said, adding that many companies use customer lists generated with the help of serial numbers to sell more products. "Companies guard that information fiercely."

Privacy advocates concede many of these points. What has them mostly worried is the future.

Future shock?
"What's the damage that could be done from a hacker grabbing your PSN? Not much right now," said Jason Catlett, president of Junkbusters, an advocacy group supporting a boycott of Intel until the company removes the serial number, in an email interview. "But if Intel's plans of turning the PSN into an e-commerce identifier pan out in the next few years, it will be used for theft of identity."

Catlett predicts it will be several years before the total privacy implications of the serial code are known. And by that time, he fears, such serial codes will likely have become a de facto standard in identity authentication.

"Every time you move forward with technology, this happens," Brookwood said. "Before they created credit cards, there was no credit card fraud."