The security codes to be embedded in Intel's Pentium III processor can potentially be misused to identify and collect data on Web surfers, some privacy advocates warn. But Intel argues that the technology will actually make the Net a safer place.
The controversy has emerged as 30 Web sites prepare to conduct trials of the processor, to be released in February. Critics claim that the number
scheme can be used to monitor the Internet habits of virtually anyone with
a modern, Intel-based computer.
Intel countered that the serial number will actually
improve security. The Web sites in the trials, for instance, will use the
serial number as a third form of identification, complementing the user
name and password schemes currently in place, said Pat Gelsinger,
corporate vice president of the Desktop Products Group at Intel. Ideally,
hackers couldn't just assume your identity by swiping your user name and
cracking a password; they would have to steal your computer as well.
In any event, Intel won't be stepping into the shoes of Big Brother any
time soon, Gelsinger added. "We are not keeping those processor numbers in any
form at all," he said, which means Intel shipping records won't be turned
into a police log. Users can also disable and re-enable the serial number
scheme at will.
The plan was developed as a way to provide greater security for
PC transactions and communications, said Gelsinger. Intel will
imprint a 96-bit identification number on Pentium III chips and their
successors. The number cannot be erased, but users will be able to choose whether to
disable the feature or to keep the number active to be "read"
for identification by outsiders.
Web sites, for example, may require user name, password, and
processor serial number before giving access to certain pages. An agent from
the Web site reads the processor number to ensure authenticity.
The number will therefore foil common hacking techniques because hackers
will have access to the PC so that the agent can read the identification
number. The numbers can also be used to lock out users who have been
kicked out of chat rooms and re-registered under a new name.
Identification, Gelsinger said, is also a voluntary process. A blue number sign
will appear in the Windows control shelf [the series of icons at the bottom right corner of the screen]
whenever the serial number is enabled. By clicking the icon, users can pull up
a control panel to disable it so outside agents can't read the serial
number. Turning it off may prevent access for certain transactions, he
said, but it returns anonymity. Users can then re-enable the number by
Most computers, however, will likely be using the enabled setting as their
default. "Our customers have been asking for this for years," Gelsinger said.
Will the system give Intel or its partners the power to monitor PC users?
No, Gelsinger said. The company is not keeping a record of the serial
numbers, so records cannot be used to trace Internet use. In
addition, the numbers are technically serial numbers anyway. A program
generates them randomly and they do not fall into a simple ordering sequence.
Privacy advocates, however, see a high potential for misuse in the system,
although they admit that the specific negative implications of the scheme
are difficult to pin down because it hasn't rolled out yet. Many also seem
to fear retribution from the company. Few are willing to go on the record so far.
"Intel's product has some serious security and privacy implications. It is
really incumbent on the folks who are developing technology, folks in the
policy community, and folks in advocacy community to look at code as having
serious social implications," said
Deirdre Mulligan, staff counsel at the Center for
Democracy and Technology, a nonprofit civil liberties organization
focusing on the Internet
"The hard part is figuring out the implications. Until it's put out into
the marketplace, it is difficult to tell," she added. "Like law, software
code has great social implications for privacy and speech."
Gelsinger, in fact, acknowledged that Intel's decision to not keep a database on
these numbers is strictly voluntary. There is technically nothing stopping
the company from keeping a registry. Computer companies could do the same,
he allowed, although he said he believes business considerations weighed
against tracking these numbers, as they did with Intel.