[linux-elitists] IP: Fears of Misuse of Encryption System Are Voiced (fwd)

Eugen Leitl eugen@leitl.org
Sat Jun 22 03:40:09 PDT 2002

-- Eugen* Leitl <a href="http://leitl.org">leitl</a>
ICBMTO: N48 04'14.8'' E11 36'41.2'' http://www.leitl.org
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3

---------- Forwarded message ----------
Date: Sat, 22 Jun 2002 06:30:26 -0400
From: Dave Farber <dave@farber.net>
Reply-To: farber@cis.upenn.edu
To: ip <ip-sub-1@majordomo.pobox.com>
Subject: IP: Fears of Misuse of Encryption System Are Voiced

I have attached to the end of this article the email I sent John (on
request) with my opinions, which were quotable. djf

June 20, 2002

Fears of Misuse of Encryption System Are Voiced

SAN FRANCISCO, June 19 -- A leading European computer security and privacy
advocate is challenging an effort by the American computer industry to
create a standard to protect software and digital content, calling the plan
a smoke screen by established companies to protect their existing markets.

In a paper to be presented at a technical conference in Toulouse, France, on
Thursday, Ross Anderson, a University of Cambridge computer scientist,
attacks the Trusted Computing Platform Alliance, an organization formed in
October 1999 by Compaq Computer, Hewlett-Packard, I.B.M., Intel and
Microsoft. The companies say their intent is to provide a cryptographic
system that would ensure privacy and protect intellectual property.

The technology that the alliance has developed uses an encryption method
intended to identify computer hardware and operating system software and
determine that their configuration has not been altered. The companies say
it will help detect virus invasions and provide security for commercial
transactions like online purchases and banking.

But Dr. Anderson argues that the potential exists for the technology to be
used in a more sinister fashion: to create a new form of censorship based on
the ability to track and identify electronic information.

He compares the technology to a proposal by Intel in January 1999 to insert
a distinct serial number into each of its Pentium processors, an effort that
drew widespread consumer opposition after privacy advocates warned that the
technology could be used for surveillance purposes. The plan was withdrawn.

Dr. Anderson also warns that widespread adoption of the standard from the
alliance, known as T.C.P.A., could put large United States computer
companies in a position to thwart competition by controlling who gets to use
the standard and on what computer platforms.

"The T.C.P.A. appears likely to change the ecology of information goods and
services markets so as to favor incumbents, penalize challengers and slow
down the pace of innovation and entrepreneurship," he wrote.

Spokesmen for Intel and for Microsoft said their companies had not been able
to review the paper and would not comment.

Dr. Anderson is a Cambridge computer scientist who is also chairman of the
Foundation for Information Policy Research, a British Internet policy
research group. In a telephone interview today from France, he said there
was growing concern within the European Union that the T.C.P.A. standard
could emerge into a competitor for so-called smart cards, used for
authentication, which are now the basis of a significant European industry.

"This is something that has potential macroeconomic effects, and it will
become the big new controversy over the next six months," he said.

Although encryption technologies have not been used widely in the personal
computer industry to protect intellectual property, they have become
standard in the video game market, where companies like Sony, Nintendo and
Microsoft use built-in encryption to protect against piracy and to force
software developers to pay royalties to write software for the game

The T.C.P.A. standard would not directly control what software a user could
run on a personal computer. But according to several people who have
examined the specification, it could be used to make a catalog of software
on a machine available for action by a third party -- barring, for example,
someone with decryption software from playing a copy-protected DVD.

That capability has touched off an internal debate within at least one
privacy rights group in the United States. The Electronic Frontier
Foundation has been discussing the implications of the technology this week
and is divided on the consequences.

"On the one hand some of our board members have argued that it might
effectively protect you from viruses," said Seth Schoen, the foundation's
staff technologist. "On the other hand some of our board members believe
that if any information is made available automatically to a third party
that is a privacy issue."

Among the board members who are potential defenders of the technology is
David Farber, a longtime computer industry technologist and a computer
scientist at the University of Pennsylvania. Dr. Farber said that he had
been on the alliance's advisory board for the last three years and more
recently had consulted with Intel and others about technical and social
issues related to the proposed standard.

"I was attracted to the T.C.P.A. effort due to its focus on providing
security and privacy in a dynamic, flexible way," he said. "It should be
capable of supporting a digital rights management regime that can be used to
both protect intellectual property and individual privacy and the
individual's fair use of the intellectual property."

The initiative, which would encrypt information while it was being processed
inside the computer, would also violate European Union directives governing
the transparency of computer data, Dr. Anderson said.

He said he was concerned as well that the advent of the standard would
permit the pursuit of previously impossible electronic censorship campaigns,
because the technology could make it possible to locate and delete specific
documents on any computer connected to the Internet.

"We could have a huge swing from the current situation where the Internet
can be used to distribute information to something at the other extreme," he

In May, with a fellow researcher, Dr. Anderson reported on a vulnerability
in the current generation of smart cards, which are used for identity and
financial transactions.

From: David Farber <dave@farber.net>
Date: Wed, 19 Jun 2002 17:02:25 -0400
To: markoff@nyt.com
Cc: farber@cis.upenn.edu
Subject: Comments on TPCA Quotable slight change

I have been associated with the TCPA effort for about three years as an
Advisory Board member of TCPA and recently advising Intel and others on
both the technical and societal issues raised by TCPA.

It is worth noting that an extraordinary amount of my time with them was
spent understanding and dealing with the impacts on individual privacy and
fair use doctrines.

In the past there have been a large number of attempts, often through the
Hill, to impose access rights to IP by the use of hardware with serious
problems -- both technical and in the usage models they allowed. Often they
required "cops to enforce" them in the long run.

I was attracted to the TCPA effort due to its focus on providing security
and privacy in a dynamic flexible way. It should be capable, among a lot of
other uses, of supporting a Digital Rights Management (DRM) regime that can
be used to both protect intellectual property and individual privacy and
the individual's fair use of the IP.

As in any such technology it could be misused in the market place by
devious suppliers of hardware and software. But for what it is worth I
found a remarkable sensitivity and caution to the societal issues at all
levels of the TCPA leading companies and the willingness to "do things
right." Only time will tell but I, for one, would like to take the
decisions out of the hands of the Congress and into the hands of
intelligently motivated industry.

Finally note that if things end up going wrong, I and others who have
helped the activity as Advisors will be among the first to bring it into
the light no matter who likes or dislikes that.
