Microsoft's AI-Powered Bing Google's ChatGPT Rival Hogwarts Legacy Review Ozempic vs. Obesity Best Super Bowl Ads 2023 Honda Accord Hybrid Review OnePlus 11 Phone Review Super Bowl: How to Watch
Want CNET to notify you of price drops and the latest stories?
No, thank you

Trust or treachery?

"Trusted computing" may secure the PCs of the masses, but it also threatens to turn people's computers into spies for software makers and Hollywood.

Trust or treachery?
Security technologies could backfire against consumers

By Robert Lemos
Staff Writer, CNET
November 7, 2002, 4:00 a.m. PT

SAN FRANCISCO--At the USENIX Security Conference held here recently, Microsoft developers touted the company's upcoming Palladium architecture as technology that would enhance privacy, stymie piracy and increase a corporation's control over its computers.

Others, however, see a more nefarious role for the security software.

Instead of just keeping hackers out, critics say programs like Palladium could also block computer users from certain data. For example, the technology could be used as a policing mechanism that bars people from material stored on their own computers if they have not met licensing and other requirements.

"The perception is that the security protects content on the user's PC from third parties," said a security consultant who goes by the moniker of Lucky Green. "That's wrong."

The conflict highlights a growing debate over "trusted computers"--machines equipped with the technology to wall off data, secure communications and verify the characteristics of their system. Although military and intelligence agencies have used such systems, the concept has been met with opposition in mainstream consumer markets.

The reason: The masses don't necessarily trust the companies developing "trusted computing" technology.

Richard Stallman, founder of the Free Software Foundation and of the GNU project for creating free versions of key Unix programs, lampooned the technology in a recent column as "treacherous computing."

"Large media corporations, together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you," he wrote. "Proprietary programs have included malicious features before, but this plan would make it universal."

He and others, such as Cambridge University professor Ross Anderson, argue that the intention of so-called trusted computing is to block data from consumers and other PC users, not from attackers. The main goal of such technology, they say, is "digital-rights management," or the control of copyrighted content. Under today's laws, copyright owners maintain control over content even when it resides on someone else's PC--but many activists are challenging that authority.

Special report

Hollywood sets the stage for a
piracy battle with the PC industry

Microsoft denies that Palladium is designed as a mechanism to police consumers' use content. The company plans to release the technology in 2005, as part of a major update to Windows. "We get very strong feedback from our customers about the freedom for data migration," said Peter Biddle, a Microsoft product manager pushing the initiative. "We are not going to use Palladium to make our customers--our favorite people--angry at us."

In fact, Microsoft sees the initial markets for the Palladium technology to be in the business realm. The new software and hardware could secure VPNs (virtual private networks) by allowing administrators to positively identify computers on the network. Corporate executives, concerned that embarrassing e-mail messages might end up appearing in court and in the news, could require employees to use trusted computing technologies that could throw away the digital keys to any message more than one month old. Such considerations could make Palladium and other trusted technologies a fairly easy sell to businesses.

It's consumers that could be the hitch.

Concerns about trusted computing initiatives have been fueled by policies and legislation such as the Digital Millennium Copyright Act (DMCA), which has been used repeatedly by the music industry, movie studios and even the software industry to attack programmers and consumers who break the copyright protections. While several challenges are being waged in court, opponents worry that "trusted" technologies will preempt these cases.

Moreover, lawmakers have introduced controversial bills this year that could strengthen copyright controls over computers and the data they store. A measure proposed by Sen. Ernest "Fritz" Hollings, D-S.C., would require hardware makers to include anti-copying mechanisms in all new consumer electronic devices. Another bill promoted by Rep. Howard Berman, D-Calif., would allow copyright owners to use technical measures, including unauthorized access and attacks on file-sharing networks, to prevent copyright infringement.

Such pro-security measures have gained momentum in the post-Sept. 11 political climate, which has focused attention on Internet threats of terrorism.

"I think we need a trusted environment. Things are too insecure," said David Farber, a telecommunications law professor at the University of Pennsylvania and one of four advisers to the Trusted Platform Computing Alliance (TPCA), a hardware-based security initiative. "They were insecure before 9/11, and they are needed more now."

Advertising their trust
With TPCA or Palladium technology, a computer can advertise its trustworthiness to other systems, such as Web sites. Trojan horses and applications for pirating software, meanwhile, won't be able to change data processed in the trusted parts of the PC.

"A trusted platform can attest to its configuration, and I, a merchant, can decide if I want to deal with that PC," Marcus Varady, marketing manager for Intel's safer computing initiative and the chair of the TCPA steering committee, said in a recent interview. "I can then drop my wall of protection within that environment to collaborate with them on a trusted level."

A Web site selling music, for example, could determine if a customer has a PC outfitted with such copyright protections before allowing any songs to be downloaded from the Internet. However, opponents maintain that the price of such protection would be a reversal of the Information Age, in that it would impose more restrictions on people's use of information than any previous technology.

William Arbaugh, an associate professor of computer science at the University of Maryland, acknowledged that the TPCA could improve security but said hardware and software modifications could do even more harm if abused by companies.

"The TCPA as it stands now is unacceptable," Arbaugh concluded.

In addition, even proponents of the technology concede that it is not foolproof in preventing piracy. Palladium, for instance, could not stop a hardware attack, which might cause some information to leak out. The technology's security disappears when data is outside the Palladium infrastructure, Microsoft's Biddle said.

"Once Elvis has left the building, Elvis can't get back in the building," he added.

Small changes, big results
The modifications to PC hardware are fairly mild for technology that could completely change how data is dealt with in the future.

The TCPA and Microsoft's Palladium rely on additions to the hardware of normal PCs. While Palladium calls for more extensive changes, the modifications are remarkably similar.

Both call for a new chip to be placed on the motherboard of all future computers. The chip would include new encryption functions as well as a small amount of memory that would act as a digital vault to store important keys to decrypt protected data. The TCPA refers to the chip as the "trusted platform module," a successor to Intel's processor ID--an idea the chipmaker abandoned in 1999 after a public outcry over privacy. Microsoft refers to the hardware component of Palladium as the "security support component."

Special report

For the first time in years,
Microsoft may be vulnerable.

Microsoft and the TCPA envision that operating-system makers will add code to take advantage of the new hardware features. The software side of Palladium is Microsoft's vision of where such features can lead: Called the nexus or nub--or, more formally, the "trusted operating root"--the core software will handle all access to the new security. Microsoft will release the code for its nexus so that security-concerned developers can vet the software for flaws.

Opponents criticize any process or technology controlled by a single company that may have ulterior motives--especially when that company is Microsoft. Eben Moglen, a noted Free Software Foundation attorney and professor of law at Columbia University, has argued that such proprietary initiatives could stunt the growth of open-source technologies like Linux, which is gathering strength as a challenger to the Windows operating system.

More empire-building?
Lucky Green warns that Palladium-like technologies could end up giving too much power to manufacturers of operating systems, such as Microsoft, at the expense of applications makers.

"Since operating systems that restrict data can determine which applications can run, it changes the software landscape into first-citizen applications that have access to the content and second-citizen applications that don't have access," he said. "That puts the software makers at the mercy of the hardware vendors."

Green suspects that Microsoft wants to use Palladium to enforce software licenses. He claims the day after attending the USENIX Security Conference, he contacted an attorney and filed two patents on ways that Palladium-like systems could be used for such enforcement. While Green won't discuss his intentions, many believe he is trying to preempt companies from using the technology for this purpose.

"The objective and capabilities are to secure the applications and data against the end user to the benefit of third parties," he said of trusted computing initiatives in general.

Proponents scoff at such notions as conspiracy theory. "I have seen no signs that Microsoft and Intel are out to screw the world; and if they do screw the world, I think Congress will stop them," said the University of Pennsylvania's Farber.

Nevertheless, all parties involved acknowledge the confounding complexity of the issue, and even Microsoft doesn't know where it will end up.

"We can speak to what we intend to have happen," said Mario Juarez, another product manager for Palladium, but "there are so many unanswered questions at this point." 

New features take control
Computers that incorporate Palladium or the TCPA design should have a range of new functions, from preventing piracy to protecting corporate information. Several steps are involved, which are outlined below.

Prevent piracy

• Jeff wants to download the latest music CD.
• When Jeff tries to retrieve the music from a legitimate music site, the server checks to make sure his PC is trusted.
• Once his PC is OK'd, Jeff downloads the music, key parts of which are coded to his computer.
• Jeff can listen to the music, but if he tries to send it to someone else's PC, it won't play.

Protect corporate info

• Jeff wants to send the latest marketing plan to his employees, but wants to ensure the information isn't leaked.
• His e-mail software codes the message so it can only be opened on a trusted PC and restricts the message so it can't be forwarded or printed.
• The message is sent to employees.
• Employees can read the message, but their own trusted e-mail client won't let them forward or print it.

Limit Internet attacks

• An attacker who wants to take over Jeff's system may send Jeff a Trojan horse, a malicious program that appears to be benign.
• Thinking the program is a fun utility, Jeff runs the Trojan horse.
• The Trojan horse runs and perhaps accesses some unprotected data.
• As long as Jeff doesn't run the program in the PC's trusted environment, any protected data is still restricted.

Restrict applications

• Jeff writes a letter using a particular application, say Microsoft Word.
• Word could use the trusted PC's functions to encrypt the letter, blocking other applications from accessing it.
• Jeff decides to switch to another application, say Corel's WordPerfect.
• While WordPerfect can understand the format in which the letter is saved, it can't open the letter, because it is protected.

Related news

Challenges remain for Microsoft

Net movies: Ready for prime time?

Microsoft's multiple personalities

Software piracy dips in some states

Microsoft, Real featured on Movielink

Mexico summit urges anti-piracy action

Perspective: Honest talk about downloads

A mortal Microsoft

All XML, all the time

Microsoft's security challenges

Pirate this, go to jail

Gates: Slow going for .Net

Microsoft to reveal Palladium source code

Windows security gain or privacy pain?

Study: Equal security in all software

Editors: Mike Yamamoto, Lara Wright
Copy editor: Karen Said
Design: Ellen Ng
Production: Mike Markovich