`Trusted Computing' Frequently Asked Questions 1.1

Source: http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html

`Trusted Computing' Frequently Asked Questions

Version 1.1 (August 2003)

- TC / TCG / LaGrande / NGSCB / Longhorn / Palladium / TCPA
Ross Anderson


1. What is TC - this `trusted computing' business?

The Trusted Computing Group (TCG) is an alliance of Microsoft, Intel, IBM,
HP and AMD which promotes a standard for a `more secure' PC. Their
definition of `security' is controversial; machines built according to
their specification will be more trustworthy from the point of view of
software vendors and the content industry, but will be less trustworthy
from the point of view of their owners. In effect, the TCG specification
will transfer the ultimate control of your PC from you to whoever wrote the
software it happens to be running. (Yes, even more so than at present.)

The TCG project is known by a number of names. `Trusted computing' was the
original one, and is still used by IBM, while Microsoft calls it
`trustworthy computing' and the Free Software Foundation calls it
`treacherous computing'. Hereafter I'll just call it TC, which you can
pronounce according to taste. Other names you may see include TCPA (TCG's
name before it incorporated), Palladium (the old Microsoft name for the
version due to ship in 2004) and NGSCB (the new Microsoft name). Intel has
just started calling it `safer computing'. Many observers believe that this
confusion is deliberate - the promoters want to deflect attention from what
TC actually does.

2. What does TC do, in ordinary English?

TC provides a computing platform on which you can't tamper with the
application software, and where these applications can communicate securely
with their authors and with each other. The original motivation was digital
rights management (DRM): Disney will be able to sell you DVDs that will
decrypt and run on a TC platform, but which you won't be able to copy. The
music industry will be able to sell you music downloads that you won't be
able to swap. They will be able to sell you CDs that you'll only be able to
play three times, or only on your birthday. All sorts of new marketing
possibilities will open up.

TC will also make it much harder for you to run unlicensed software. In the
first version of TC, pirate software could be detected and deleted
remotely. Since then, Microsoft has sometimes denied that it intended TC to
do this, but at WEIS 2003 a senior Microsoft manager refused to deny that
fighting piracy was a goal: `Helping people to run stolen software just
isn't our aim in life', he said. The mechanisms now proposed are more
subtle, though. TC will protect application software registration
mechanisms, so that unlicensed software will be locked out of the new
ecology. Furthermore, TC apps will work better with other TC apps, so
people will get less value from old non-TC apps (including pirate apps).
Also, some TC apps may reject data from old apps whose serial numbers have
been blacklisted. If Microsoft believes that your copy of Office is a
pirate copy, and your local government moves to TC, then the documents you
file with them may be unreadable. TC will also make it easier for people to
rent software rather than buy it; and if you stop paying the rent, then not
only does the software stop working but so may the files it created. So if
you stop paying for upgrades to Media Player, you may lose access to all
the songs you bought using it.

For years, Bill Gates has dreamed of finding a way to make the Chinese pay
for software: TC looks like being the answer to his prayer.

There are many other possibilities. Governments will be able to arrange
things so that all Word documents created on civil servants' PCs are `born
classified' and can't be leaked electronically to journalists. Auction
sites might insist that you use trusted proxy software for bidding, so that
you can't bid tactically at the auction. Cheating at computer games could
be made more difficult.

There are some gotchas too. For example, TC can support remote censorship.
In its simplest form, applications may be designed to delete pirated music
under remote control. For example, if a protected song is extracted from a
hacked TC platform and made available on the web as an MP3 file, then
TC-compliant media player software may detect it using a watermark, report
it, and be instructed remotely to delete it (as well as all other material
that came through that platform). This business model, called traitor
tracing, has been researched extensively by Microsoft (and others). In
general, digital objects created using TC systems remain under the control
of their creators, rather than under the control of the person who owns the
machine on which they happen to be stored (as at present). So someone who
writes a paper that a court decides is defamatory can be compelled to
censor it - and the software company that wrote the word processor could be
ordered to do the deletion if she refuses. Given such possibilities, we can
expect TC to be used to suppress everything from pornography to writings
that criticise political leaders.

The gotcha for businesses is that your software suppliers can make it much
harder for you to switch to their competitors' products. At a simple level,
Word could encrypt all your documents using keys that only Microsoft
products have access to; this would mean that you could only read them
using Microsoft products, not with any competing word processor. Such
blatant lock-in might be prohibited by the competition authorities, but
there are subtler lock-in strategies that are much harder to regulate.
(I'll explain some of them below.)

3. So I won't be able to play MP3s on my computer any more?

With existing MP3s, you may be all right for some time. Microsoft says that
TC won't make anything suddenly stop working. But a recent software update
for Windows Media Player has caused controversy by insisting that users
agree to future anti-piracy measures, which may include measures that
delete pirated content found on your computer. Also, some programs that
give people more control over their PCs, such as VMware and Total Recorder,
are not going to work properly under TC. So you may have to use a different
player - and if your player will play pirate MP3s, then it may not be
authorised to play the new, protected, titles.

It is up to an application to set the security policy for its files, using
an online policy server. So Media Player will determine what sort of
conditions get attached to protected titles. I expect Microsoft will do all
sorts of deals with the content providers, who will experiment with all
sorts of business models. You might get CDs that are a third of the price
but which you can only play three times; if you pay the other two-thirds,
you'd get full rights. You might be allowed to lend your copy of some
digital music to a friend, but then your own backup copy won't be playable
until your friend gives you the main copy back. More likely, you'll not be
able to lend music at all. Creeping digital lockdown will make life
inconvenient in many niggling ways; for example, regional coding might stop
you watching the Polish version of a movie if your PC was bought outside
Europe.

This could all be done today - Microsoft would just have to download a
patch into your player - but once TC makes it hard for people to tamper
with the player software, and easy for Microsoft and the music industry to
control what players will work at all with new releases, it will be harder
for you to escape. Control of media player software is so important that
the EU antitrust authorities are proposing to penalise Microsoft for its
anticompetitive behaviour by compelling it to unbundle Media Player, or
include competing players in Windows. TC will greatly increase the depth
and scope of media control.

4. How does TC work?

TC provides for a monitoring and reporting component to be mounted in
future PCs. The preferred implementation in the first phase of TC
emphasised the role of a `Fritz' chip - a smartcard chip or dongle soldered
to the motherboard. The current version has five components - the Fritz
chip, a `curtained memory' feature in the CPU, a security kernel in the
operating system (the `Nexus' in Microsoft language), a security kernel in
each TC application (the `NCA' in Microsoft-speak) and a back-end
infrastructure of online security servers maintained by hardware and
software vendors to tie the whole thing together.

The initial version of TC had Fritz supervising the boot process, so that
the PC ended up in a predictable state, with known hardware and software.
The current version has Fritz as a passive monitoring component that stores
the hash of the machine state on start-up. This hash is computed using
details of the hardware (audio card, video card etc) and the software (O/S,
drivers, etc). If the machine ends up in the approved state, Fritz will
make available to the operating system the cryptographic keys needed to
decrypt TC applications and data. If it ends up in the wrong state, the
hash will be wrong and Fritz won't release the right key. The machine may
still be able to run non-TC apps and access non-TC data, but protected
material will be unavailable.
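
The measure-then-release behaviour described above can be modelled in a few lines. This is an added example, not code from this FAQ or from the TCG specification. It generalises the single `hash of the machine state' to the chained register used by TPM-style chips; the class `FritzModel`, the component names, the choice of SHA-256 and the HMAC-based toy sealing scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample boot chain (not real firmware or driver images).
APPROVED_BOOT = [b"bios-1.0", b"video-card-rom", b"audio-driver-2.1", b"os-kernel-5"]


class FritzModel:
    """Toy model of the passive monitor chip: one hash register plus sealed storage."""

    def __init__(self):
        self._root = os.urandom(32)   # secret that never leaves the chip
        self.register = bytes(32)     # all zeros at power-on

    def reset(self):
        """Simulate a reboot: the register returns to zeros, the root secret stays."""
        self.register = bytes(32)

    def extend(self, component):
        # register = H(register || H(component)): order-sensitive and one-way,
        # so software cannot steer the register back to an approved value.
        measurement = hashlib.sha256(component).digest()
        self.register = hashlib.sha256(self.register + measurement).digest()

    def _keystream(self, state, nonce, n):
        # Toy stream cipher keyed by the chip secret and bound to the approved state.
        out, counter = b"", 0
        while len(out) < n:
            block = b"enc" + state + nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._root, block, hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def seal(self, secret, approved_state):
        """Encrypt `secret` so that only this chip, in `approved_state`, releases it."""
        nonce = os.urandom(16)
        stream = self._keystream(approved_state, nonce, len(secret))
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        body = approved_state + nonce + ciphertext
        tag = hmac.new(self._root, b"mac" + body, hashlib.sha256).digest()
        return body + tag

    def unseal(self, blob):
        """Return the secret, or None if the blob or the machine state is wrong."""
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._root, b"mac" + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None               # tampered blob, or sealed by another chip
        approved_state, nonce, ciphertext = body[:32], body[32:48], body[48:]
        if not hmac.compare_digest(approved_state, self.register):
            return None               # machine booted into a different state
        stream = self._keystream(approved_state, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def boot(chip, components):
    """Reset the chip and measure each component in load order."""
    chip.reset()
    for component in components:
        chip.extend(component)
    return chip.register


def demo():
    """Seal a content key to the approved boot state, then try to unseal it."""
    chip = FritzModel()
    blob = chip.seal(b"content-key-0123", boot(chip, APPROVED_BOOT))
    results = {"approved": chip.unseal(blob)}

    patched = list(APPROVED_BOOT)
    patched[2] = b"audio-driver-2.1-patched"      # one driver changed
    boot(chip, patched)
    results["modified"] = chip.unseal(blob)

    boot(chip, list(reversed(APPROVED_BOOT)))     # same parts, different order
    results["reordered"] = chip.unseal(blob)

    boot(chip, APPROVED_BOOT)                     # clean reboot restores access
    results["rebooted_clean"] = chip.unseal(blob)

    other = FritzModel()                          # same software, different chip
    boot(other, APPROVED_BOOT)
    results["other_chip"] = other.unseal(blob)
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, value)
```

The key is released only on the same chip after the same components were measured in the same order; any change to the boot chain leaves non-TC use of the machine untouched but makes the sealed material unavailable.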

The operating system security kernel (the `Nexus') bridges the gap between
the Fritz chip and the application security components (the `NCAs'). It
checks that the hardware components are on the TCG approved list, that the
software components have been signed, and that none of them has a serial
number that has been revoked. If there are significant changes to the PC's
configuration, the machine must go online to be re-certified: the operating
system manages this. The result is a PC booted into a known state with an
approved combination of hardware and software (whose licences have not
expired). Finally, the Nexus works together with new `curtained memory'
features in the CPU to stop any TC app from reading or writing another TC
app's data. These new features are called `LaGrande Technology' (LT) for
the Intel CPUs and `TrustZone' for the ARM.

Once the machine is in an approved state, with a TC app loaded and shielded
from interference by any other software, Fritz will certify this to third
parties. For example, he will do an authentication protocol with Disney to
prove that his machine is a suitable recipient of `Snow White'. This will
mean certifying that the PC is currently running an authorised application
program - MediaPlayer, DisneyPlayer, whatever - with its NCA properly
loaded and shielded by curtained memory against debuggers or other tools
that could be used to rip the content. The Disney server then sends
encrypted data, with a key that Fritz will use to unseal it. Fritz makes
the key available only to the authorised application and only so long as
the environment remains `trustworthy'. For this purpose, `trustworthy' is
defined by the security policy downloaded from a server under the control
of the application owner. This means that Disney can decide to release its
premium content only to a media player whose author agrees to enforce
certain conditions. These might include restrictions on what hardware and
software you use, or where in the world you're located. They can involve
payment: Disney might insist, for example, that the application collect a
dollar every time you view the movie. The application itself can be rented
too. The possibilities seem to be limited only by the marketers' imagination.

5. What else can TC be used for?

TC can also be used to implement much stronger access controls on
confidential documents. These are already available in a primitive form in
Windows Server 2003, under the name of `Enterprise rights management' and
people are experimenting with them.

One selling point is automatic document destruction. Following embarrassing
email disclosures in the recent anti-trust case, Microsoft implemented a
policy that all internal emails are destroyed after 6 months. TC will make
this easily available to all corporates that use Microsoft platforms.
(Think of how useful that would have been for Arthur Andersen during the
Enron case.) It can also be used to ensure that company documents can only
be read on company PCs, unless a suitably authorised person clears them for
export. TC can also implement fancier controls: for example, if you send an
email that causes embarrassment to your boss, he can broadcast a
cancellation message that will cause it to be deleted wherever it's got to.
You can also work across domains: for example, a company might specify that
its legal correspondence only be seen by three named partners in its law
firm and their secretaries. (A law firm might resist this because the other
partners in the firm are jointly liable; there will be many interesting
negotiations as people try to reduce traditional trust relationships to
programmed rules.)

TC is also aimed at payment systems. One of the Microsoft visions is that
much of the functionality now built on top of bank cards may move into
software once the applications can be made tamper-resistant. This leads to
a future in which we pay for books that we read, and music we listen to, at
the rate of so many pennies per page or per minute. The broadband industry
is pushing this vision; meanwhile some far-sighted people in the music
industry are starting to get scared at the prospect of Microsoft charging a
percentage on all their sales. Even if micropayments don't work out as a
business model - and there are some persuasive arguments why they won't -
there will be some sea-changes in online payment, with spillover effects
for the user. If, in ten years' time, it's inconvenient to shop online with
a credit card unless you use a TC platform, that will be tough on Mac and
GNU/Linux users.

The appeal of TC to government systems people is based on ERM being used to
implement `mandatory access control' - making access control decisions
independent of user wishes but based simply on their status. For example,
an army might arrange that its soldiers can only create Word documents
marked at `Confidential' or above, and that only a TC PC with a certificate
issued by its own security agency can read such a document. That way,
soldiers can't send documents to the press (or email home, either). Such
rigidity doesn't work very well in large complex organisations like
governments, as the access controls get in the way of people doing their
work, but governments say they want it, and so no doubt they will have to
learn the hard way. (Mandatory access control can be more useful for
smaller organisations with more focused missions: for example, a cocaine
smuggling ring can arrange that the spreadsheet with this month's shipment
details can be read only by five named PCs, and only until the end of the
month. Then the keys used to encrypt it will expire, and the Fritz chips on
those five machines will never make them available to anybody at all, ever
again.)

6. OK, so there will be winners and losers - Disney might win big, and some
smartcard makers might go bust. But surely Microsoft and Intel are not
investing nine figures just for charity? How will they make money out of it?

For Intel, which started the whole TC thing going, it was a defensive play.
As they make most of their money from PC microprocessors, and have most of
the market, they can only grow their company by increasing the size of the
market. They were determined that the PC would be the hub of the future home
network. If entertainment is the killer application, and DRM is going to be
the critical enabling technology, then the PC has to do DRM or risk being
displaced in the home market.

Microsoft, who are now driving TC, were also motivated by the desire to
bring entertainment within their empire. But they also stand to win big if
TC becomes widespread. There are two reasons. The first, and less
important, is that they will be able to cut down dramatically on software
copying. `Making the Chinese pay for software' has been a big thing for
Bill; with TC, he can tie each PC to its individual licensed copy of Office
and Windows, and lock bad copies of Office out of the shiny new TC universe.

The second, and most important, benefit for Microsoft is that TC will
dramatically increase the costs of switching away from Microsoft products
(such as Office) to rival products (such as OpenOffice). For example, a law
firm that wants to change from Office to OpenOffice right now merely has to
install the software, train the staff and convert their existing files. In
five years' time, once they have received TC-protected documents from
perhaps a thousand different clients, they would have to get permission (in
the form of signed digital certificates) from each of these clients in
order to migrate their files to a new platform. The law firm won't in
practice want to do this, so they will be much more tightly locked in,
which will enable Microsoft to hike its prices.

Economists who have studied the software industry concluded that the value
of a software business is about equal to the total costs of its customers
switching out to the competition; both are equal to the net present value
of future payments from the customers to the software vendor. This means
that an incumbent in a maturing market, such as Microsoft with its Office
product, can grow faster than the market only if it can find ways to lock
in its customers more tightly. There are some ifs and buts that hedge this
theory around, but the basic idea is well known to software industry
executives. This explains Bill G's comment that `We came at this thinking
about music, but then we realized that e-mail and documents were far more
interesting domains'.

7. Where did the technical ideas come from?

The TC concept of booting a machine into a known state is implicit in early
PCs where the BIOS was in ROM and there was no hard drive in which a virus
could hide. The idea of a trusted bootstrap mechanism for modern machines
seems to have first appeared in a paper by Bill Arbaugh, Dave Farber and
Jonathan Smith, ``A Secure and Reliable Bootstrap Architecture'', in the
proceedings of the IEEE Symposium on Security and Privacy (1997) pp 65-71.
It led to a US patent: ``Secure and Reliable Bootstrap Architecture'', U.S.
Patent No. 6,185,678, February 6th, 2001. Bill's thinking developed from
work he did while working for the NSA on code signing in 1994, and
originally applied to rebooting ATM switches across a network. The
Microsoft folk have also applied for patent protection on the operating
system aspects. (The patent texts are here and here.)

There may be quite a lot of prior art. Markus Kuhn wrote about the TrustNo1
Processor years ago, and the basic idea behind a trustworthy operating
system - a `reference monitor' that supervises a computer's access control
functions - goes back at least to a paper written by James Anderson for the
USAF in 1972. It has been a feature of US military secure systems thinking
since then.

8. How is this related to the Pentium 3 serial number?

Intel started an earlier program in the mid-1990s that would have put the
functionality of the Fritz chip inside the main PC processor, or the cache
controller chip, by 2000. The Pentium serial number was a first step on the
way. The adverse public reaction seems to have caused them to pause, set up
a consortium with Microsoft and others, and seek safety in numbers. The
consortium they set up, the Trusted Computer Platform Alliance (TCPA), was
eventually incorporated and changed its name to TCG.

9. Why call the monitor chip a `Fritz' chip?

It was named in honour of Senator Fritz Hollings of South Carolina, who
worked tirelessly in Congress to make TC a mandatory part of all consumer
electronics. (Hollings' bill failed; he lost his chairmanship of the Senate
Committee on Commerce, Science and Transportation, and he's retiring in
2004. But the Empire will be back. For example, Microsoft is spending a
fortune in Brussels promoting a draft Directive on IP enforcement which is
seriously bad stuff.)

10. OK, so TC stops kids ripping off music and will help companies keep
data confidential. It may help the Mafia too, unless the FBI get a back
door, which I assume they will. But apart from pirates, industrial spies
and activists, who has a problem with it?

A lot of companies stand to lose out directly, such as information security
vendors. When it first launched TC as Palladium, Microsoft claimed that
Palladium would stop spam, viruses and just about every other bad thing in
cyberspace - if so, then the antivirus companies, the spammers, the
spam-filter vendors, the firewall firms and the intrusion detection folk
could all have their lunch stolen. That's now been toned down, but Bill
Gates admits that Microsoft will pursue the computer security market
aggressively: "Because it's a growth area, we're not being that coy with
them about what we intend to do."

Meanwhile, the concerns about the effects on competition and innovation
continue to grow. The problems for innovation are well explained in a
recent New York Times column by the distinguished economist Hal Varian.

But there are much deeper problems. The fundamental issue is that whoever
controls the TC infrastructure will acquire a huge amount of power. Having
this single point of control is like making everyone use the same bank, or
the same accountant, or the same lawyer. There are many ways in which this
power could be abused.

11. How can TC be abused?

One of the worries is censorship. TC was designed from the start to support
the centralised revocation of pirate bits. Pirate software won't run in the
TC world as TC will make the registration process tamper-resistant. But
what about pirated songs or videos? How do you stop someone recording a
track - if necessary by putting microphones next to the speakers of a TC
machine, and ripping it into an MP3? The proposed solution is that
protected content will contain digital watermarks, and lawful media players
that detect a watermark won't play that song unless it comes with an
appropriate digital certificate for that device. But what if someone hacks
a Fritz chip and does a transaction that `lawfully' transfers ownership of
the track? In that case, traitor tracing technology will be used to find
out which PC the track was ripped from. Then two things will happen. First,
the owner of that PC will be prosecuted. (That's the theory, at least; it
probably won't work as the pirates will use hacked PCs.) Second, tracks
that have been through that machine will be put on a blacklist, which all
TC players will download from time to time.

Blacklists have uses beyond music copying. They can be used to screen all
files that the application opens - by content, by the serial number of the
application that created them, or by any other criteria that you can
program. The proposed use for this is that if everyone in China uses the
same copy of Office, you do not just stop this copy running on any machine
that is TC-compliant; that would just motivate the Chinese to use normal
PCs instead of TC PCs. You also cause every TC-compliant PC in the world to
refuse to read files that have been created using this pirate program. This
will put huge pressure on the Chinese. (The precedent is that when spammers
started using Chinese accounts, many US ISPs simply blackholed China, which
forced the government to crack down on spam.)

The potential for abuse extends far beyond commercial bullying and economic
warfare into political censorship. I expect that it will proceed a step at
a time. First, some well-intentioned police force will get an order against
a pornographic picture of a child, or a manual on how to sabotage railroad
signals. All TC-compliant PCs will delete, or perhaps report, these bad
documents. Then a litigant in a libel or copyright case will get a civil
court order against an offending document; perhaps the Scientologists will
seek to blacklist the famous Fishman Affidavit. A dictator's secret police
could punish the author of a dissident leaflet by deleting everything she
ever created using that system - her new book, her tax return, even her
kids' birthday cards - wherever it had ended up. In the West, a court might
use confiscation doctrine to `blackhole' a machine that had been used to
make a pornographic picture of a child. Once lawyers, policemen and judges
realise the potential, the trickle will become a flood.

The modern age only started when Gutenberg invented movable type printing
in Europe, which enabled information to be preserved and disseminated even
if princes and bishops wanted to ban it. For example, when Wycliffe
translated the Bible into English in 1380-1, the Lollard movement he
started was suppressed easily; but when Tyndale translated the New
Testament in 1524-5, he was able to print over 50,000 copies before they
caught him and burned him at the stake. The old order in Europe collapsed,
and the modern age began. Societies that tried to control information
became uncompetitive, and with the collapse of the Soviet Union it seemed
that democratic liberal capitalism had won. But now, TC has placed at risk
the priceless inheritance that Gutenberg left us. Electronic books, once
published, will be vulnerable; the courts can order them to be unpublished
and the TC infrastructure will do the dirty work.

The Soviet Union attempted to register and control all typewriters and fax
machines. TC similarly attempts to register and control all computers. The
problem is that everything is becoming computerised. We have absolutely no
idea where ubiquitous content control mechanisms will lead us.

12. Scary stuff. But can't you just turn it off?

Sure - unless your system administrator configures your machine in such a
way that TC is mandatory, you can always turn it off. You can then run your
PC as before, and use insecure applications.

There is one small problem, though. If you turn TC off, Fritz won't hand
out the keys you need to decrypt your files and run your bank account. Your
TC-enabled apps won't work as well, or maybe at all. It will be like
switching from Windows to Linux nowadays; you may have more freedom, but
end up having less choice. If the TC apps are more attractive to most
people, or are more profitable to the app vendors, you may end up simply
having to use them - just as many people have to use Microsoft Word because
all their friends and colleagues send them documents in Microsoft Word. By
2008, you may find that the costs of turning TC off are simply intolerable.

This has some interesting implications for national security. At a TCG
symposium in Berlin, I put it this way: in 2010 President Clinton may have
two red buttons on her desk - one that sends the missiles to China, and
another that turns off all the PCs in China - and guess which the Chinese
will fear the most? (At this point, a heckler from the audience said, `What
about the button that turns off the PCs in Europe?') This may be an
exaggeration, but it's only a slight one. Technology policy and power
politics have been intertwined since the Roman empire, and prudent rulers
cannot disregard the strategic implications of TC. It would be rather
inconvenient for a government to have to switch all its systems from
Windows to GNU/Linux, and at the height of an international crisis.

13. So politics and economics are going to be significant here?

Exactly. The biggest profits in IT goods and services markets tend to go to
companies that can establish platforms and control compatibility with them,
so as to manage the markets in complementary products. A very topical
example comes from computer printers. Since the Xerox N24 appeared in 1996,
printer makers have been putting authentication chips in ink cartridges, so
that printers can recognise third-party or refilled cartridges and refuse
to work with them. Cartridge tying is now leading to trade conflict between
the USA and Europe. In the USA, a court has granted Lexmark an injunction
preventing the sale of cartridges with chips that interoperate with
Lexmark's printers. Meanwhile, the European Commission has adopted a
Directive on waste electrical and electronic equipment which will force
member states to outlaw, by the end of 2007, the circumvention of EU
recycling rules by companies who design products with chips to ensure that
they cannot be recycled.

This is not just a printer issue. Some mobile phone vendors use embedded
authentication chips to check that the phone battery is a genuine part
rather than a clone. The Sony Playstation 2 uses similar authentication to
ensure that memory cartridges were made by Sony rather than by a low-price
competitor. The Microsoft Xbox is no different. But up until now, everyone
who wanted to engage in product tying had to come up with his own hardware
technology. This could be cheap for hardware product vendors, but was too
expensive for most software companies.

TC will enable application software vendors to engage in product tying and
similar business strategies to their hearts' content. As the application
vendor will control the security policy server, he can dictate the terms
under which anyone else's software will be able to interoperate with his
own. In the old days, software innovation was fast and furious because
there were millions of PCs out there, with data in formats that were
understood. So if you thought up a cool new way to manipulate address
books, you could write an app that would deal with the half-dozen formats
common in PCs, PDAs and phones, and you were in business: you had millions
of potential clients. In the future, the owners of these formats will be
very strongly tempted to lock them down using TC (`for your privacy') and
charge third parties rental to access them. This will be bad for
innovation. It's possible because the app policy server enforces arbitrary
rules about which other applications will be allowed to use the files a TC
app creates.

So a successful TC application will be worth much more money to the
software company that controls it, as they can rent out access to their
interfaces for whatever the market will bear. So most software developers
will enable their applications for TC; and if Windows is the first
operating system to support TC, it in turn will get a further competitive
advantage over GNU/Linux and MacOS with the developer community.

14. But hang on, doesn't the law give people a right to reverse engineer
interfaces for compatibility?

Yes, and this is very important to the functioning of IT goods and services
markets; see Samuelson and Scotchmer, ``The Law and Economics of Reverse
Engineering,'' Yale Law Journal, May 2002, 1575-1663. In Europe, the EU
Software Directive allows EU companies to reverse engineer their
competitors' products in order to produce compatible, competing products.
But such laws in most cases just give you the right to try, not to succeed.
Back when compatibility meant messing around with file formats, there was a
real contest - when Word and Word Perfect were fighting for dominance, each
tried to read the other's files and make it hard for the other to read its
own. But with TC that game is over; without access to the keys, you've had it.

Locking competitors out of application file formats was one of the
motivations for TC: see a post by Lucky Green, and go to his talk at Def
Con to hear more. It's a tactic that's spreading beyond the computer world.
Congress is getting upset at carmakers using data format lockout to stop
their customers getting repairs done at independent dealers. And the
Microsoft folk say they want TC everywhere, even in your watch. The
economic consequences could be globally significant.

15. Can't TC be broken?

The early versions will be vulnerable to anyone with the tools and patience
to crack the hardware (e.g., get clear data on the bus between the CPU and
the Fritz chip). However, in a few years, the Fritz chip may disappear
inside the main processor - let's call it the `Hexium' - and things will
get a lot harder. Really serious, well funded opponents will still be able
to crack it. But it's likely to go on getting more difficult and expensive.

Also, in many countries, cracking Fritz will be illegal. In the USA the
Digital Millennium Copyright Act already does this, while in the EU we will
have to deal with the EU Copyright Directive and (if it passes) the draft
enforcement directive. (In some countries, the implementation of the
Copyright Directive already makes cryptography research technically illegal.)

Also, in many products, compatibility control is already being mixed quite
deliberately with copyright control. The Sony Playstation's authentication
chips also contain the encryption algorithm for DVD, so that reverse
engineers can be accused of circumventing a copyright protection mechanism
and hounded under the Digital Millennium Copyright Act. The situation is
likely to be messy - and that will favour large firms with big legal budgets.

16. What's the overall economic effect likely to be?

The content industries may gain a bit from cutting music copying - expect
Sir Michael Jagger to get very slightly richer. But I expect the most
significant economic effect will be to strengthen the position of
incumbents in information goods and services markets at the expense of new
entrants. This may mean a rise in the market cap of firms like Intel,
Microsoft and IBM - but at the expense of innovation and growth generally.
Eric von Hippel documents how most of the innovations that spur economic
growth are not anticipated by the manufacturers of the platforms on which
they are based; and technological change in the IT goods and services
markets is usually cumulative. Giving incumbents new ways to make life
harder for people trying to develop novel uses for their products is a bad
idea.

By centralising economic power, TC will favour large companies over small
ones; and TC apps will enable large companies to capture more of the
spillover from their economic activities, as with the car companies forcing
car-owners to have their maintenance done at authorised dealerships. As
most employment growth occurs in the small to medium business sector, this
could have consequences for unemployment.

There may also be distinct regional effects. For example, many years of
government sponsorship have made Europe's smartcard industry strong, at the
cost of crowding out other technological innovation in the region. Senior
industry people to whom I have spoken anticipate that once the second phase
of TC puts the Fritz functionality in the main processor, this will hammer
smartcard sales. Senior TC company people have admitted to me that
displacing smartcards from the authentication token market is one of their
business goals. Many of the functions that smartcard makers want you to do
with a card will instead be done in the Fritz chips of your laptop, your
PDA and your mobile phone. If this industry is killed off by TC, Europe
could be a significant net loser. Other large sections of the information
security industry may also become casualties.

17. Who else will lose?

There will be many places where existing business processes break down in
ways that allow copyright owners to extract new rents. For example, I
recently applied for planning permission to turn some agricultural land
that we own into garden; to do this, we needed to supply our local
government with six copies of a 1:1250 map of the field. In the old days,
everyone just got a map from the local library and photocopied it. Now, the
maps are on a server in the library, with copyright control, and you can
get a maximum of four copies of any one sheet. For an individual, that's
easy enough to circumvent: buy four copies today and send a friend along
tomorrow for the extra two. But businesses that use a lot of maps will end
up paying more money to the map companies. This may be a small problem;
multiply it a thousandfold to get some idea of the effect on the overall
economy. The net transfers of income and wealth are likely, once more, to
be from small firms to large and from new firms to old.

One well-known UK lawyer said that copyright law is only tolerated because
it is not enforced against the vast majority of petty infringers. And there
will be some particularly high-profile hard-luck cases. I expect that
copyright regulations due out later this year in Britain will deprive the
blind of the fair-use right to use their screen scraper software to read
e-books. Normally, a bureaucratic stupidity like this might not matter
much, as people would just ignore it, and the police would not be idiotic
enough to prosecute anybody. But if the copyright regulations are enforced
by hardware protection mechanisms that are impractical to break, then the
blind may lose out seriously. (There are many other marginal groups under
similar threat.)

18. Ugh. What else?

TC will undermine the General Public License (GPL), under which many free
and open source software products are distributed. The GPL is designed to
prevent the fruits of communal voluntary labour being hijacked by private
companies for profit. Anyone can use and modify software distributed under
this licence, but if you distribute a modified copy, you must make it
available to the world, together with the source code so that other people
can make subsequent modifications of their own.

IBM and HP have apparently started work on a TC-enhanced version of
GNU/Linux. This will involve tidying up the code and removing a number of
features. To get an evaluation certificate acceptable to TCG, the sponsor
will then have to submit the pruned code to an evaluation lab, together
with a mass of documentation showing why various known attacks on the code
don't work. (The evaluation is at level EAL3 - expensive enough to keep out
the free software community, yet lax enough for most commercial software
vendors to have a chance to get their lousy code through.) Although the
modified program will be covered by the GPL, and the source code will be
free to everyone, it will not work in the TC ecosystem unless you have a
certificate for it that is specific to the Fritz chip on your own machine.
That is what will cost you money (if not at first, then eventually).

You will still be free to make modifications to the modified code, but you
won't be able to get a certificate that gets you into the shiny new TC
world. Something similar happens with the Linux supplied by Sony for the
Playstation 2; the console's copy protection mechanisms prevent you from
running an altered binary, and from using a number of the hardware
features. Even if a philanthropist does a not-for-profit secure GNU/Linux,
the resulting product would not really be a GPL version of a TC operating
system, but a proprietary operating system that the philanthropist could
give away free. (There is still the question of who would pay for the user
certificates.)

People believed that the GPL made it impossible for a company to come along
and steal code that was the result of community effort. This helped make
people willing to give up their spare time to write free software for the
communal benefit. But TC changes that. Once the majority of PCs on the
market are TC-enabled, the GPL won't work as intended. The benefit for
Microsoft is not that this will destroy free software directly. The point
is this: once people realise that even GPL'ed software can be hijacked for
commercial purposes, idealistic young programmers will be much less
motivated to write free software.

19. I can see that some people will get upset about this.

And there are many other political issues - the transparency of processing
of personal data enshrined in the EU data protection directive; the
sovereignty issue of whether copyright regulations will be written by
national governments, as at present, or an application developer in
Portland or Redmond; whether TC will be used by Microsoft as a means of
killing off Apache; and whether people will be comfortable about the idea
of having their PCs operated, in effect, under remote control - control
that could be usurped by courts or by government agencies without their
knowledge.

20. But hang on, isn't TC illegal under antitrust law?

In the USA, maybe not. Intel has honed a `platform leadership' strategy, in
which they lead industry efforts to develop technologies that will make the
PC more useful, such as the PCI bus and USB. Their modus operandi is
described in a book by Gawer and Cusumano. Intel sets up a consortium to
share the development of the technology, has the founder members put some
patents into the pot, publishes a standard, gets some momentum behind it,
then licenses it to the industry on the condition that licensees in turn
cross-license any interfering patents of their own, at zero cost, to all
consortium members.

The positive view of this strategy was that Intel grew the overall market
for PCs; the dark side was that they prevented any competitor achieving a
dominant position in any technology that might have threatened their
dominance of the PC hardware. Thus, Intel could not afford for IBM's
microchannel bus to prevail, not just as a competing nexus of the PC
platform but also because IBM had no interest in providing the bandwidth
needed for the PC to compete with high-end systems. The effect in strategic
terms is somewhat similar to the old Roman practice of demolishing all
dwellings and cutting down all trees close to their roads or their castles.
No competing structure may be allowed near Intel's platform; it must all be
levelled into a commons. But a nice, orderly, well-regulated commons:
interfaces should be `open but not free'.

This consortium approach has evolved into a highly effective way of
skirting antitrust law. So far, the FTC and the Department of Justice do
not seem to have been worried about such consortia - so long as the
standards are open and accessible to all companies. They may need to become
slightly more sophisticated.

As for Europe, the law does explicitly cover consortia, and is being
tightened up. There was a conference on TC in Berlin, organised by the
German ministry for economics and labour, which heard speakers from the
pro- and anti-TC camps state their cases. If you read German, there is a
very thorough analysis of the competition policy aspects by Professor
Christian Koenig; the executive summary is that TC appears to break
European competition law on a number of grounds. Standards groups are
allowed as an exemption to cartel law only if they're non-binding, open and
non-discriminatory. TCG isn't. It discriminates against non-members; its
high membership fees make it hard for small businesses to join; and its use
of paid rather than free licensing discriminates against free software.
There are also many issues with market power and market interdependence.
The EU is about to find Microsoft guilty of trying to extend its monopoly
in PCs to servers by keeping interfaces obscure. If interfaces can be
locked down by TC mechanisms, that will be worse. TC may also enable
Microsoft to extend its monopoly in operating systems to the provision of
online music services, or to mobile phone software.

However, law is one thing, and enforcement another. By the end of 2003, the
EU should have convicted Microsoft of anti-competitive behaviour over
Netscape and over server interfaces. This judgement will come too late to
restore Netscape to life or create competition in the browser market. By
the time the EU gets round to convicting Microsoft over TC, it will be
2008. By then our society may be addicted to TC, and it may not be
politically possible to do anything effective.

21. When is TC going to hit the streets?

It has. The version 1.0 specification was published in 2000. Atmel is
already selling a Fritz chip, and you have been able to buy it installed in
the IBM Thinkpad series of laptops since May 2002. Some of the existing
features in Windows XP and the X-Box are TC features: for example, if you
change your PC configuration more than a little, you have to re-register
all your software with Redmond. Also, since Windows 2000, Microsoft has
been working on certifying all device drivers: if you try to load an
unsigned driver, XP will complain. The Enterprise Rights Management stuff
is shipping with Windows Server 2003. There is also growing US government
interest in the technical standardisation process. TC developers' kits will
be available in October 2003, or so we're told. The train is rolling.

22. What's TORA BORA?

This seems to have been an internal Microsoft joke: see the Palladium
announcement. The idea is that `Trusted Operating Root Architecture'
(Palladium) will stop the `Break Once Run Anywhere' attack, by which they
mean that pirated content, once unprotected, can be posted to the net and
used by anyone. It will do so by traitor tracing - the technology of
ubiquitous censorship.

They seem to have realised since then that this joke might just be in bad
taste. At a talk on traitor tracing I attended on the 10th July 2002 at
Microsoft Research, the slogan had changed to `BORE-resistance', where BORE
stands for `Break Once Run Everywhere'. (By the way, the speaker there
described copyright watermarking as `content screening', a term that used
to refer to stopping minors seeing pornography: the PR machine is obviously
twitching! He also told us that it would not work unless everyone used a
trusted operating system. When I asked him whether this meant getting rid
of Linux he replied that Linux users would have to be made to use content
screening.)

23. But isn't PC security a good thing?

The question is: security for whom? You might prefer not to have to worry
about viruses, but TC won't fix that: viruses exploit the way software
applications (such as Microsoft Office and Outlook) use scripting. You
might get annoyed by spam, but that won't get fixed either. (Microsoft
claimed that it will be fixed, by filtering out all unsigned messages - but
you can already configure mail clients to filter out mail from people you
don't know and put it in a folder you scan briefly once a day.) You
might be worried about privacy, but TC won't fix that; almost all privacy
violations result from the abuse of authorised access, and TC will increase
the incentives for companies to collect and trade personal data on you. The
medical insurance company that requires you to consent to your data being
shared with your employer and with anyone else they can sell it to, isn't
going to stop just because their PCs are now officially `secure'. On the
contrary, they are likely to sell it even more widely once computers are
called `trusted computers'. Economists call this a `social choice trap'.
Making something slightly less dangerous, or making it appear less
dangerous, often causes people to use it more, or use it carelessly, so
that the overall harm increases. The classic example is that Volvo drivers
have more accidents.

A mildly charitable view of TC was put forward by the late Roger Needham
who directed Microsoft's research in Europe: there are some applications in
which you want to constrain the user's actions. For example, you want to
stop people fiddling with the odometer on a car before they sell it.
Similarly, if you want to do DRM on a PC then you need to treat the user as
the enemy.

Seen in these terms, TC does not so much provide security for the user as
for the PC vendor, the software supplier, and the content industry. They do
not add value for the user, but destroy it. They constrain what you can do
with your PC in order to enable application and service vendors to extract
more money from you. This is the classic definition of an exploitative
cartel - an industry agreement that changes the terms of trade so as to
diminish consumer surplus.

24. So why is this called `Trusted Computing'? I don't see why I should
trust it at all!

It's almost an in-joke. In the US Department of Defense, a `trusted system
or component' is defined as `one which can break the security policy'. This
might seem counter-intuitive at first, but just stop to think about it. The
mail guard or firewall that stands between a Secret and a Top Secret system
can - if it fails - break the security policy that mail should only ever
flow from Secret to Top Secret, but never in the other direction. It is
therefore trusted to enforce the information flow policy.

Or take a civilian example: suppose you trust your doctor to keep your
medical records private. This means that he has access to your records, so
he could leak them to the press if he were careless or malicious. You don't
trust me to keep your medical records, because I don't have them;
regardless of whether I like you or hate you, I can't do anything to affect
your policy that your medical records should be confidential. Your doctor
can, though; and the fact that he is in a position to harm you is really
what is meant (at a system level) when you say that you trust him. You may
have a warm feeling about him, or you may just have to trust him because he
is the only doctor on the island where you live; no matter, the DoD
definition strips away these fuzzy, emotional aspects of `trust' (that can
confuse people).

During the late 1990s, as people debated government control over
cryptography, Al Gore proposed a `Trusted Third Party' - a service that
would keep a copy of your decryption key safe, just in case you (or the
FBI, or the NSA) ever needed it. The name was derided as the sort of
marketing exercise that saw the Russian colony of East Germany called the
`German Democratic Republic'. But it really does chime with DoD thinking. A
Trusted Third Party is a third party that can break your security policy.
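
The DoD definition above can be made mechanical. The following is an added example, not part of the original FAQ: it models a system as components joined by channels, lets one component at a time fail, and reports which failures let the policy be broken. The component names, data labels and the `outsider` node are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    holds: set = field(default_factory=set)      # data it originates or stores
    # destination -> labels a *correctly working* component passes on
    forwards: dict = field(default_factory=dict)

def reachable(components, failed=None):
    """Propagate data along channels to a fixpoint; return {name: labels seen}.
    The failed component ignores its rules and sends everything it has seen
    down every channel it is wired to."""
    seen = {c.name: set(c.holds) for c in components}
    changed = True
    while changed:
        changed = False
        for c in components:
            for dest, allowed in c.forwards.items():
                out = seen[c.name] if c.name == failed else seen[c.name] & allowed
                if not out <= seen[dest]:
                    seen[dest] |= out
                    changed = True
    return seen

def violations(components, policy, failed=None):
    """Policy is a set of (label, recipient) pairs that must never occur."""
    seen = reachable(components, failed)
    return sorted((label, who) for label, who in policy if label in seen[who])

def trusted_components(components, policy):
    """'Trusted' in the DoD sense: failure of this one component breaks policy."""
    if violations(components, policy):
        raise ValueError("policy is broken even with every component working")
    return sorted(c.name for c in components
                  if violations(components, policy, failed=c.name))

def mail_guard_system():
    # Mail may flow Secret -> Top Secret, never the other way (constructed model).
    comps = [
        Component("secret_net", {"secret_mail"}, {"guard": {"secret_mail"}}),
        Component("guard", set(),
                  {"top_secret_net": {"secret_mail"}, "secret_net": set()}),
        Component("top_secret_net", {"top_secret_mail"},
                  {"guard": {"top_secret_mail", "secret_mail"}}),
    ]
    return comps, {("top_secret_mail", "secret_net")}

def medical_records_system():
    # The doctor has the records; the author has a channel to the press but no data.
    comps = [
        Component("doctor", {"medical_records"}, {"press": set()}),
        Component("author", set(), {"press": set()}),
        Component("press"),
    ]
    return comps, {("medical_records", "press")}

def key_escrow_system():
    # A Trusted Third Party keeps a copy of the owner's decryption key.
    comps = [
        Component("key_owner", {"decryption_key"},
                  {"escrow_agent": {"decryption_key"}, "outsider": set()}),
        Component("escrow_agent", set(), {"outsider": set()}),
        Component("outsider"),
    ]
    return comps, {("decryption_key", "outsider")}

if __name__ == "__main__":
    for build in (mail_guard_system, medical_records_system, key_escrow_system):
        print(build.__name__, "->", trusted_components(*build()))
```

The author and the Top Secret network never show up as trusted: neither holds both the data and an open path to the forbidden recipient, whatever their intentions.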

25. So a `Trusted Computer' is a computer that can break my security?

That's a polite way of putting it.

Ross Anderson

      * See also the Economics and Security Resource Page which gives a lot
of background to the issues raised here.
      * Here are translations into German, Spanish, Italian, Dutch, Chinese,
Norwegian, Swedish, Finnish, Hungarian, Hebrew and French.

Further reading (roughly in chronological order from July 2002 onwards)

      * Here is a link to the first online version of this FAQ, version 0.2,
and a link to version 1.0, which was online from July 2002 to August 2003.
      * Initial publicity, from late 2002, included articles on ZDNet, the
BBC, Internetnews, PBS, O'Reilly, Salon.com, and Extremetech. Larry
Lessig's comments in a seminar at Harvard are also relevant. There was a
story allegedly by a former Microsoft employee about how Palladium was
launched, and two blog entries (here and here) by Seth Schoen on a
Palladium briefing by MS to EFF. The European Union started to take note,
and the fuss we managed to stir up depressed PC market analysts in
Australia. There was a speech by Bush's CyberCzar Richard Clarke praising
TCPA (see p 12); at the same conference, Intel CEO Craig Barrett said that
government should let industry do DRM rather than mandating a solution (p
58). That may make some sense out of this story about Intel opposing
the Hollings bill, at the same time as they were pushing TCPA. There is
also an email from Bill.
      * Many TC issues had already been anticipated by Richard Stallman in
his famous article The Right to Read.
      * TC inventor Bill Arbaugh had second thoughts, and made some
proposals about how TC could be changed to mitigate its worst effects, for
example by letting users load their own trusted root certificates or turn
the Fritz chip off entirely.
      * Lucky Green was also an early TC insider, who later repented. The
slides from his Def Con talk are now available at his site.
      * In this exchange from the cryptography list, Peter Biddle, technical
director of TC within Microsoft, explains some of the changes between TC
version 1.0 and 1.2. (Executive summary: in TC 1.0, a machine that was
running a trusted process and that started an untrusted process was
supposed to close down the trusted process and clear memory. This would
have made TC unusable in practice with modern ways of working. It was
therefore necessary to expand the spec and get Intel to bring in curtained
memory, so that trusted and untrusted apps could run simultaneously on the
same PC.)
      * A post from John Gilmore to the cypherpunks list, and further
commentary by Adam Back, Seth Schoen and others.
      * An opinion from Bruce Schneier; some controversy stirred up by Bill
Thompson, who really does appear to believe that the world of trusted
computing will be spam- and virus-free, and allow you to exercise your fair
use rights; and some reaction ...
      * Microsoft released a Palladium FAQ in August 2002 in which they
backed off from their initial claims that Palladium will stop spam and viruses.
      * In September 2002, Intel announced LaGrande. This chip will be the
successor to the Pentium 4 and will support the `curtained memory' mode
needed for TC version 1.2 et seq. It was named after a town in Eastern
Oregon. The initial reaction was hostile. Civil liberties groups started to
wake up; there appeared a web page at EPIC, for example.
      * October 2002 saw an article in Linux devices on the problems TCPA
may cause for embedded systems, and an article in German in c't magazine.
But the highlight of the month was that Richard Stallman denounced TC. Two
French translations appeared overnight, here and here. France started to
pay attention.
      * On the 7th November, there was a public debate on TCPA between the
suits (Microsoft, HP, Infineon) and the geeks (Alan Cox and me). We got TV
coverage (now unfortunately pulled from the web by Channel 4), and a
shorter debate in Cambridge the following day as one of our regular
security group meetings.
      * In November, TC also made its way into science fiction - in the
latest short story by Cory Doctorow.
      * French interest continued to grow through January 2003, with this
article in Le Monde.
      * The main event in January, though, was that Microsoft's TC offering,
Palladium, got renamed. The first rule of spin-doctoring is that when you
have a problem on your hands, rename it! So Palladium is now officially
known as NGSCB - for `Next Generation Secure Computing Base'.
      * In February 2003, Microsoft announced that it would ship many of the
application-level TC features with Windows Server 2003 later in the year,
including Rights Management mechanisms that will allow you to make an email
evaporate on the recipient's machine after 30 days. This is still
software-based; it won't work unless the recipient also has a compatible
client or server from Microsoft, and can be defeated by patching the
software (though this may be illegal in the USA). However, it will start
getting this lock-in functionality out into the marketplace and pave the
way for full TC later. Comment in places like Geek News, VNUnet and Zdnet
has been mixed but is still muted.
      * In April, distinguished cryptographers Whit Diffie and Ron Rivest
denounced TC at the RSA conference.
      * In May, TCPA was relaunched as TCG (the Trusted Computing Group),
which announced that it's working on version 1.2 of the Fritz chip, with
systems shipping late 2004 or early 2005, and that the scope of TC is to be
extended from PCs to PDAs and mobile phones. See the story in EE Times, and
the followup; and read about how Chairman Bill struck back at the Windows
Hardware Engineering Conference when NGSCB was finally unveiled.
      * In July 2003, The Times reported various abuses by printer
manufacturers, including setting their toner cartridges to show `empty'
when only about two-thirds of the ink has been used up. This is the sort of
business model that will become pervasive throughout the IT world if TC
succeeds, and the devices that you can use to unlock printer cartridges
that still have ink in them will be outlawed in Europe by the enforcement
directive - as will technical workarounds for TC mechanisms that undermine
competition and exploit consumers.
      * Also in July, Bill Gates admitted to the New York Times that
Microsoft would pursue the computer security market aggressively: "Because
it's a growth area, we're not being that coy with them about what we intend
to do." He stressed that the company's biggest bet is on the next version
of Windows - code name Longhorn - in other words, the technology formerly
known as Palladium and now known as NGSCB. You have been warned.

I spoke in public about TC on the 2nd July in Berlin at the "Trusted
Computing Group" Symposium; then in Brussels on the 8th July at an event
organised by DG Infosoc, then on the 14th July at PODC. I next expect to
speak at the Helsinki IPR workshop in August. I'm sure there will be many
more. Meanwhile, a version of my economic study of TC has appeared in a
special issue of Upgrade that deals with IP and computing issues (June
2003). A longer version of the paper deals in detail with many of the
issues raised here about competition policy.

Ross Anderson

Cambridge, England, August 2003
______________________________________________________________
Related Links:

http://www.againsttcpa.com/

http://www.notcpa.org/

http://www.google.com/search/node/sourceid=mozclient&ie=utf-8&oe=utf-8&q=tcpa

http://freewarearena.org/PHPNuke/modules.php?name=Content&pa=showpage&pid=14
