Trials set for Intel's embedded security

Civil-liberties advocates warn that the identification codes to be embedded in the forthcoming Pentium III could pose a threat to privacy. But Intel says there's not a problem.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
Michael Kanellos
3 min read
The security codes to be embedded in Intel's Pentium III processor can potentially be misused to identify and collect data on Web surfers, some privacy advocates warn. But Intel argues that the technology will actually make the Net a safer place.

The controversy has emerged as 30 Web sites prepare to conduct trials of the processor, to be released in February. Critics claim that the number scheme can be used to monitor the Internet habits of virtually anyone with a modern, Intel-based computer.

Intel countered that the serial number will actually improve security. The Web sites in the trials, for instance, will use the serial number as a third form of identification, complementing the user name and password schemes currently in place, said Pat Gelsinger, corporate vice president of the Desktop Products Group at Intel. Ideally, hackers couldn't just assume your identity by swiping your user name and cracking a password; they would have to steal your computer as well.

In any event, Intel won't be stepping into the shoes of Big Brother any time soon, Gelsinger added. "We are not keeping those processor numbers in any form at all," he said, which means Intel shipping records won't be turned into a police log. Users can also disable and re-enable the serial number scheme at will.

The plan was developed as a way to provide greater security for PC transactions and communications, said Gelsinger. Intel will imprint a 96-bit identification number on Pentium III chips and their successors. The number cannot be erased, but users will be able to choose whether to disable the feature or to keep the number active to be "read" for identification by outsiders.

Web sites, for example, may require user name, password, and processor serial number before giving access to certain pages. An agent from the Web site reads the processor number to ensure authenticity.

The number will therefore foil common hacking techniques because hackers will have access to the PC so that the agent can read the identification number. The numbers can also be used to lock out users who have been kicked out of chat rooms and re-registered under a new name.

Identification, Gelsinger said, is also a voluntary process. A blue number sign will appear in the Windows control shelf [the series of icons at the bottom right corner of the screen] whenever the serial number is enabled. By clicking the icon, users can pull up a control panel to disable it so outside agents can't read the serial number. Turning it off may prevent access for certain transactions, he said, but it returns anonymity. Users can then re-enable the number by re-booting.

Most computers, however, will likely be using the enabled setting as their default. "Our customers have been asking for this for years," Gelsinger said.

Will the system give Intel or its partners the power to monitor PC users? No, Gelsinger said. The company is not keeping a record of the serial numbers, so records cannot be used to trace Internet use. In addition, the numbers are technically serial numbers anyway. A program generates them randomly and they do not fall into a simple ordering sequence.

Privacy advocates, however, see a high potential for misuse in the system, although they admit that the specific negative implications of the scheme are difficult to pin down because it hasn't rolled out yet. Many also seem to fear retribution from the company. Few are willing to go on the record so far.

"Intel's product has some serious security and privacy implications. It is really incumbent on the folks who are developing technology, folks in the policy community, and folks in advocacy community to look at code as having serious social implications," said Deirdre Mulligan, staff counsel at the Center for Democracy and Technology, a nonprofit civil liberties organization focusing on the Internet

"The hard part is figuring out the implications. Until it's put out into the marketplace, it is difficult to tell," she added. "Like law, software code has great social implications for privacy and speech."

Gelsinger, in fact, acknowledged that Intel's decision to not keep a database on these numbers is strictly voluntary. There is technically nothing stopping the company from keeping a registry. Computer companies could do the same, he allowed, although he said he believes business considerations weighed against tracking these numbers, as they did with Intel.