Fears of Misuse of Encryption System Are Voiced

[R. A. Hettinga]

http://www.nytimes.com/2002/06/20/technology/20CODE.html?pagewanted=print&position=top


June 20, 2002

Fears of Misuse of Encryption System Are Voiced
By JOHN MARKOFF

AN FRANCISCO, June 19 - A leading European computer security and privacy
advocate is challenging an effort by the American computer industry to
create a standard to protect software and digital content, calling the plan
a smoke screen by established companies to protect their existing markets.

In a paper to be presented at a technical conference in Toulouse, France,
on Thursday, Ross Anderson, a University of Cambridge computer scientist,
attacks the Trusted Computing Platform Alliance, an organization formed in
October 1999 by Compaq Computer, Hewlett-Packard, I.B.M., Intel and
Microsoft. The companies say their intent is to provide a cryptographic
system that would ensure privacy and protect intellectual property.

The technology that the alliance has developed uses an encryption method
intended to identify computer hardware and operating system software and
determine that their configuration has not been altered. The companies say
it will help detect virus invasions and provide security for commercial
transactions like online purchases and banking.

But Dr. Anderson argues that the potential exists for the technology to be
used in a more sinister fashion: to create a new form of censorship based
on the ability to track and identify electronic information.

He compares the technology to a proposal by Intel in January 1999 to insert
a distinct serial number into each of its Pentium processors, an effort
that drew widespread consumer opposition after privacy advocates warned
that the technology could be used for surveillance purposes. The plan was
withdrawn.

Dr. Anderson also warns that widespread adoption of the standard from the
alliance, known as T.C.P.A., could put large United States computer
companies in a position to thwart competition by controlling who gets to
use the standard and on what computer platforms.

"The T.C.P.A. appears likely to change the ecology of information goods and
services markets so as to favor incumbents, penalize challengers and slow
down the pace of innovation and entrepreneurship," he wrote.

Spokesmen for Intel and for Microsoft said their companies had not been
able to review the paper and would not comment.

Dr. Anderson is a Cambridge computer scientist who is also chairman of the
Foundation for Information Policy Research, a British Internet policy
research group. In a telephone interview today from France, he said there
was growing concern within the European Union that the T.C.P.A. standard
could emerge into a competitor for so-called smart cards, used for
authentication, which are now the basis of a significant European industry.

"This is something that has potential macroeconomic effects, and it will
become the big new controversy over the next six months," he said.

Although encryption technologies have not been used widely in the personal
computer industry to protect intellectual property, they have become
standard in the video game market, where companies like Sony, Nintendo and
Microsoft use built-in encryption to protect against piracy and to force
software developers to pay royalties to write software for the game
machines.

The T.C.P.A. standard would not directly control what software a user could
run on a personal computer. But according to several people who have
examined the specification, it could be used to make a catalog of software
on a machine available for action by a third party - barring, for example,
someone with decryption software from playing a copy-protected DVD.

That capability has touched off an internal debate within at least one
privacy rights group in the United States. The Electronic Frontier
Foundation has been discussing the implications of the technology this week
and is divided on the consequences.

"On the one hand some of our board members have argued that it might
effectively protect you from viruses," said Seth Schoen, the foundation's
staff technologist. "On the other hand some of our board members believe
that if any information is made available automatically to a third party
that is a privacy issue."

Among the board members who are potential defenders of the technology is
David Farber, a longtime computer industry technologist and a computer
scientist at the University of Pennsylvania. Dr. Farber said that he had
been on the alliance's advisory board for the last three years and more
recently had consulted with Intel and others about technical and social
issues related to the proposed standard.

"I was attracted to the T.C.P.A. effort due to its focus on providing
security and privacy in a dynamic, flexible way," he said. "It should be
capable of supporting a digital rights management regime that can be used
to both protect intellectual property and individual privacy and the
individual's fair use of the intellectual property."

The initiative, which would encrypt information while it was being
processed inside the computer, would also violate European Union directives
governing the transparency of computer data, Dr. Anderson said.

He said he was concerned as well that the advent of the standard would
permit the pursuit of previously impossible electronic censorship
campaigns, because the technology could make it possible to locate and
delete specific documents on any computer connected to the Internet.

"We could have a huge swing from the current situation where the Internet
can be used to distribute information to something at the other extreme,"
he said.

In May, with a fellow researcher, Dr. Anderson reported on a vulnerability
in the current generation of smart cards, which are used for identity and
financial transactions.

Copyright 2002 The New York Times Company | Permissions | Privacy Policy
-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com