Interesting People mailing list archives

IP: Ross Anderson -- TCPA / Palladium Frequently Asked Questions

From: Dave Farber <dave () farber net>
Date: Thu, 27 Jun 2002 03:33:00 -0400

Please note these are from one side of the coin. I invite someone from the
TCPA group to answer this if they disagree   djf

------ Forwarded Message
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
Reply-To: Ross Anderson <Ross.Anderson () cl cam ac uk>
Date: Wed, 26 Jun 2002 23:39:44 +0100
To: open-source () csl sri com
Subject: [open-source] TCPA

I have gathered a few thoughts on TCPA together into a first draft of a FAQ:


------ End of Forwarded Message

TCPA / Palladium Frequently Asked Questions

Version 0.1 26 June 2002

1. What are TCPA and Palladium?

TCPA stands for the Trusted Computing Platform Alliance (TCPA), an
initiative led by Intel. Their website is here. Their stated goal is `a new
computing platform for the next century that will provide for improved trust
in the PC platform.' Palladium appears to be a Microsoft version which will
be rolled out in future versions of Windows, will build on TCPA hardware,
and will add some extra features. The Palladium announcement appears to have
been provoked by a paper I presented on the security issues relating to open
source and free software at a conference on Open Source Software Economics in
Toulouse on the 20th June. This paper criticised TCPA as anticompetitive.

2. What does TCPA / Palladium do, in ordinary English?

Its obvious application is to embed digital rights management (DRM)
technology in the PC. The less obvious implications include making it easier
for application software vendors to lock in their users.

3. So I won't be able to play MP3s on my PC any more?

With existing MP3s, you may be all right for some time. But in future, TCPA
/ Palladium will make it easier to sell music, movies, books and other
content packaged so that people can play them on their PCs but not copy
them. You might be allowed to lend your copy of some digital music to a
friend, but then your own backup copy won't be playable until your friend
gives you the main copy back. Quite possibly you will not be able to lend
music at all. (It looks likely that the music publisher will be able to make
the rules - and to change them at will by remote control.)

4. How does it work?

TCPA provides for a monitoring component to be mounted in future PCs. The
likely implementation in the first phase of TCPA is a `Fritz' chip - a
smartcard chip or dongle soldered to the motherboard.

When you boot up your PC, Fritz takes charge. He checks that the boot ROM is
as expected, executes it, measures the state of the machine; then checks the
first part of the operating system, loads and executes it, checks the state
of the machine; and so on. The trust boundary, of hardware and software
considered to be known and verified, is steadily expanded. A table is
maintained of the hardware (audio card, video card etc) and the software
(O/S, drivers, etc); if there are significant changes, the machine must be
re-certified. The result is a PC booted into a known state with an approved
combination of hardware and software. Control is then handed over to
enforcement software in the operating system - this is presumably Palladium
if your operating system is Windows.

Once the machine is in this state, Fritz can certify it to third parties:
for example, he will do an authentication protocol with Disney to prove that
his machine is a suitable recipient of `Snow White'. The Disney server then
sends encrypted data, with a key that Fritz will use to unseal it. Fritz
makes the key available only so long as the environment remains
`trustworthy'. For this purpose, `trustworthy' means that the media player
application won't make any unauthorised copies of content.

5. What else can TCPA and Palladium be used for?

TCPA can be used to implement much stronger access controls on confidential
documents. For example, you might arrange that your soldiers can only create
word processing documents marked at `confidential' or above, and that only a
TCPA PC with a certificate issued by your own armed forces can read such a
document. This is called `mandatory access control', and governments are
keen on it. The Palladium announcement implies that the Microsoft product
will support this. Once TCPA is widespread, corporations can do this too -
and so, for that matter, can the Mafia. This can make life harder for spies,
corporate whistleblowers, and FBI agents alike (though it is always possible
that the FBI will get some kind of access to master keys). A whistleblower
who emails a document to a journalist will achieve little, as the
journalist's Fritz chip won't give him the key to decipher it.

6. This all seems on balance fairly worthwhile. But surely Intel are not
investing all this money just for charity? How do they propose to make money
out of it? 

My spies at Intel tell me that it was a defensive play. As they make most of
their money from PC microprocessors, and have most of the market, they can
only grow their company by increasing the size of the market. They are
determined that the PC will be the hub of the future home network. If
entertainment is the killer application, and DRM is going to be the critical
enabling technology, then the PC has to do DRM or risk being displaced in
the home market. 

7. Where did the idea come from?

It first appeared in a paper by Bill Arbaugh, Dave Farber and Jonathan
Smith, ``A Secure and Reliable Bootstrap Architecture'', in the proceedings
of the IEEE Symposium on Security and Privacy (1997) pp 65-71. It led to a
US patent: ``Secure and Reliable Bootstrap Architecture'', U.S. Patent No.
6,185,678, February 6th, 2001. The basic idea, of a specially trusted
`reference monitor' that supervises a computer's access control functions,
goes back to the early 1970s and has been a feature of US military secure
systems thinking since then.

8. How is this related to the Pentium 3 serial number?

Intel started an earlier program in about 1997 that would have put the
functionality of the Fritz chip inside the main PC processor, or the cache
controller chip, by 2000. The Pentium serial number was a first step on the
way. The adverse public reaction seems to have caused them to pause, set up
a consortium with Microsoft and others, and seek safety in numbers.

9. Why call the monitor chip a `Fritz' chip?

In honour of Senator Fritz Hollings of North Carolina, who is working
tirelessly in Congress to make TCPA a mandatory part of all consumer

10. OK, so TCPA stops kids ripping off music and will help companies keep
data confidential. It may help the Mafia too, but apart from the pirates,
the industrial spies and the FBI, who has a problem with it?

A lot of companies stand to lose out. For example, the European smartcard
industry may be hurt, as the functions now provided by their products
migrate into the Fritz chips in people's laptops, PDAs and third generation
mobile phones. In fact, much of the information security industry may be
upset if TCPA takes off.

But there are much deeper problems. The fundamental issue is that whoever
controls the Fritz chips will acquire a huge amount of power. There are many
ways in which this power could be abused, and Intel has refused to answer
questions on the governance of the TCPA consortium.

11. How can TCPA be abused?

One of the worries is censorship. An application enabled for TCPA, such as a
media player or word processor, will typically have its security policy
administered remotely by a server. This is so that content owners can react
to new piracy techniques. However, the mechanisms might also be used for

For example, the police could get an order against a specific pornographic
picture of a child, and cause the policy servers to instruct all PCs under
their control to search for it and notify them if it were found. As another
example, the scientologists have a record of getting courts to give them
injunctions against their critics. In future, if they can convince a court
that a certain document should be banned, they might also get an order
against a policy server.

12. Scary stuff. But can't you just turn it off?

Sure - one feature of TCPA is that the user can always turn it off. But then
your TCPA-enabled applications won't work, or won't work as well. It will be
like switching from Windows to Linux nowadays; you may have more freedom,
but end up having less choice. If the applications that use TCPA / Palladium
are more attractive to the majority of people, you may end up simply having
to use them - just as many people have to use Microsoft Word because all
their friends and colleagues send them documents in Microsoft Word.

13. So economics are going to be significant here?

Exactly. The biggest profits in IT goods and services markets tend to go to
companies that can establish platforms (such as Windows, or Word) and
control compatibility with them, so as to manage the markets in
complementary products. For example, some mobile phone vendors use
challenge-response authentication to check that the phone battery is a
genuine part rather than a clone - in which case, the phone will refuse to
recharge it, and may even drain it as quickly as possible. Some printers
authenticate their toner cartridges electronically; if you use a cheap
substitute, the printer silently downgrades from 1200 dpi to 300 dpi. The
Sony Playstation 2 uses similar authentication to ensure that memory
cartridges were made by Sony rather than by a low-price competitor.

TCPA appears designed to maximise the effect, and thus the economic power,
of such plays. Given Microsoft's record of competitive strategic plays, I
expect that Palladium will support them. So if you control a TCPA-enabled
application, then your policy server can enforce your choice of rules about
which other applications will be allowed to use the files your code creates.
These files can be protected using strong cryptography, with keys controlled
by the Fritz chips on everybody's machines. What this means is that a
successful TCPA-enabled application will be worth much more money to the
software company that controls it, as they can rent out access to their
interfaces for whatever the market will bear. So there will be huge
pressures on software developers to enable their applications for TCPA; and
if Palladium is the first operating system to support TCPA, this will give
it a competitive advantage over GNU/Linux and MacOS with the developer

14. But hang on, doesn't the law give people a right to reverse engineer
interfaces for compatibility?

Yes, and this is very important to the functioning of IT goods and services
markets; see Samuelson and Scotchmer, ``The Law and Economics of Reverse
Engineering'', Yale Law Journal, May 2002, 1575-1663. But the law in most
cases just gives you the right to try, not to succeed. Back when
compatibility meant messing around with file formats, there was a real
contest - when Word and Word Perfect were fighting for dominance, each tried
to read the other's files and make it hard for the other to read its own.
However, with TCPA that game is over; without access to the keys, or some
means of breaking into the chips, you've had it.

15. So can't TCPA be broken?

The early versions will be vulnerable to anyone with the tools and patience
to crack the hardware (e.g., get clear data on the bus between the CPU and
the Fritz chip). However, from phase 2, the Fritz chip will disappear inside
the main processor - let's call it the `Hexium' - and things will get a lot
harder. Really serious, well funded opponents will still be able to crack
it. However, it's likely to go on getting more difficult and expensive.

Also, in many countries, cracking Fritz will be illegal. In the USA the
Digital Millennium Copyright Act already does this, while in the EU the
situation may vary from one country to another, depending on the way
national regulations implement the EU Copyright Directive.

Also, in many products, compatibility control is already being mixed quite
deliberately with copyright control. The Sony Playstation's authentication
chips also contain the encryption algorithm for DVD, so that reverse
engineers can be accused of circumventing a copyright protection mechanism
and hounded under the Digital Millennium Copyright Act. The situation is
likely to be messy - and that will favour large firms with big legal

16. What's the overall economic effect likely to be?

The content industries may gain a bit from cutting music copying - expect
Sir Michael Jagger to get very slightly richer. But I expect the most
significant economic effect will be to strengthen the position of incumbents
in information goods and services markets at the expense of new entrants.
This may mean a rise in the market cap of firms like Intel, Microsoft and
IBM - but at the expense of innovation and growth generally. The majority of
the innovations that spur economic growth are not anticipated by the
manufacturers of the platforms on which they are based; and technological
change in the IT goods and services markets is usually cumulative. Giving
incumbents new ways to make life harder for people trying to develop novel
uses for their products will create all sorts of traps and perverse

There may also be distinct regional effects. For example, many years of
government sponsorship have made Europe's smartcard industry strong, at the
cost of crowding out other innovation. Senior industry people to whom I have
spoken anticipate that once the second phase of TCPA puts the Fritz
functionality in the main processor, this will hammer smartcard sales. Many
of the functions that smartcard makers want you to do with a card will
instead be done in the Fritz chips of your laptop, your PDA and your mobile
phone. If this industry becomes a casualty of TCPA, Europe could be a
significant net loser. Other large sections of the information security
industry may also become casualties.

17. Who else will lose?

We expect that copyright regulations due out later this year in Britain will
deprive the blind of the fair-use right to use their screen scraper software
to read e-books. Normally, a bureaucratic stupidity like this might not
matter much, as people would just ignore it, and the police would not be
idiotic enough to prosecute anybody. But if the copyright regulations are
enforced by hardware protection mechanisms that are impractical to break,
then the blind may lose out seriously. (There are many other marginal groups
under similar threat.)

18. Ugh. What else?

TCPA may undermine the General Public License (GPL), the license under which
many free and open source software products are distributed. The GPL is
designed to prevent the fruits of communal voluntary labour being hijacked
by private companies for profit. Anyone can use and modify software
distributed under this licence, but if you distribute a modified copy, you
must make it available to the world for free.

At least one company has started a development program to produce a
TCPA-enhanced version of GNU/linux. How could they make money out of this?
Well, making a TCPA version of the product will involve tidying up the code
and removing a number of features. The sponsor will then submit the pruned
code to an evaluation lab, together with a mass of documentation for the
work that's been done, including a whole lot of analyses showing why various
known attacks on the code don't work.

The trick is this. Although the modified program will be covered by the GPL,
and will be free to everyone, it will not make full use of the TCPA features
unless you have it signed, and have a certificate that enables you to use
the TCPA Public Key Infrastructure (PKI). That is what will cost you money
(if not at first, then eventually).

You will still be free to make modifications to the modified code, but you
won't be able to sign the resulting code (at least, not with a key that will
make third parties trust the code). Something similar happens with the linux
supplied by Sony for the Playstation 2; the console's copy protection
mechanisms prevent you from running an altered binary, and from using a
number of the hardware features. Even if a philanthropist does a
not-for-profit secure linux, the resulting product would not really be a GPL
version of a TCPA operating system, but a proprietary operating system that
the philanthropist could give away free. (There are still issues about who
would pay for use of the PKI that hands out user certs.)

People believed that the GPL made it impossible for a company to come along
and steal code that was the result of community effort. That may have been
the case so long as the processor was open, and anyone could access
supervisor mode. But TCPA changes that. Once the majority of PCs on the
market are TCPA-enabled, the GPL won't work as intended.

19. I can see that some people will get upset about this.

And there are many other political issues -- the transparency of processing
of personal data enshrined in the EU data protection directive; the
sovereignty issue, of whether copyright regulations will be written by
national governments, as at present, or an application developer in Portland
or Redmond; whether TCPA will be used by Microsoft as a means of killing off
competitors such as Apache; and whether people will be comfortable about the
idea of having their PCs operated, in effect, under remote control --
control that could be usurped by courts or government agencies without their

20. But hang on, isn't TCPA illegal under antitrust law?

Intel have honed a `platform leadership' strategy, in which they lead
industry efforts to develop technologies that will make the PC more useful,
such as the PCI bus and USB. Their modus operandi is to set up a consortium
to share the development of the technology, have the founder members of the
consortium put some IP into the pot, publish a standard, get some momentum
behind it, then license it to the industry on the condition that licensees
in turn cross-license any interfering IP of their own, at zero cost, to all
consortium members.

The positive view of this strategy was that Intel grew the overall market
for PCs; the dark side was that they prevented any competitor achieving a
dominant position in any technology that might have threatened Intel's
dominance of the PC hardware. Thus, Intel could not afford for IBM's
microchannel bus to prevail, not just as a competing nexus of the PC
platform but also because IBM had no interest in providing the bandwidth
needed for the PC to compete with high-end systems. The effect in strategic
terms is somewhat similar to the old Roman practice of demolishing all
dwellings and cutting down all trees close to their roads or their castles.
No competing structure may be allowed near Intel's platform; it must all be
levelled into a commons. But a nice, orderly, well-regulated commons:
interfaces should be `open but not free'.

The consortium approach has evolved into a highly effective way of skirting
antitrust law. So far, the authorities do not seem to have been worried about
such consortia - so long as the standards are open and accessible to all
companies. They may need to become slightly more sophisticated.

21. When is this going to hit the streets?

It has. The first specification was published in 2000. In May, IBM launched
the T-30 version of the Thinkpad which can be bought with a TCPA-compliant
security subsystem. Some of the features in Windows XP and the X-Box are
TCPA features: for example, if you change your PC configuration more than a
little, you have to reregister all your software with Redmond. The train is

22. But isn't PC security a good thing?

The question is: security for whom? The average user might prefer not to
have to worry about viruses, but TCPA won't fix that: viruses exploit the
way software applications (such as Microsoft Office) use scripting. He might
be worried about privacy, but TCPA won't fix that; almost all privacy
violations result from the abuse of authorised access, often obtained by
coercing consent. If anything, by entrenching and expanding monopolies, TCPA
will increase the incentives to price discriminate and thus to harvest
personal data for profiling.

The most charitable view of TCPA is put forward by a Microsoft researcher:
there are some applications in which you want to constrain the user's
actions. For example, you want to stop people fiddling with the odometer on
a car before they sell it. Similarly, if you want to do DRM on a PC then you
need to treat the user as the enemy.

Seen in these terms, TCPA and Palladium do not so much provide security for
the user, but for the PC vendor, the software supplier, and the content
industry. They do not add value for the user. Rather, they destroy it, by
constraining what you can do with your PC - in order to enable application
and service vendors to extract more money from you.

No doubt Palladium will be bundled with new features so that the package as
a whole appears to add value in the short term, but the long-term economic,
social and legal implications require serious thought.

Ross Anderson 
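
Added example (not part of Ross Anderson's FAQ and not code from the TCPA specification): a small Python simulation of the measured boot and key release described in question 4. It assumes the TCPA 1.1 extend rule PCR_new = SHA1(PCR_old || SHA1(component)); the class FritzSim, the HMAC-based seal/unseal and the sample boot chain are hypothetical stand-ins constructed for illustration.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 digest length used by TCPA 1.1 platform configuration registers


class FritzSim:
    """Toy monitor chip (hypothetical name): one PCR and a secret that stays on-chip."""

    def __init__(self, chip_secret):
        self._secret = chip_secret
        self.pcr = bytes(PCR_SIZE)  # register is zeroed at power-on
        self.log = []               # (component name, digest) in load order

    def extend(self, name, image):
        # Measure the next component before it runs, then fold the digest in:
        # PCR_new = SHA1(PCR_old || SHA1(image)). The register cannot be set directly.
        digest = hashlib.sha1(image).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
        self.log.append((name, digest))

    def _keys(self, pcr, nonce):
        # Simplified stand-in for TCPA sealing: keys depend on chip secret AND PCR.
        enc = hmac.new(self._secret, b"enc" + pcr + nonce, hashlib.sha256).digest()
        mac = hmac.new(self._secret, b"mac" + pcr + nonce, hashlib.sha256).digest()
        return enc, mac

    def seal(self, key, approved_pcr):
        if len(key) > 32:
            raise ValueError("toy wrap handles keys up to 32 bytes")
        nonce = os.urandom(16)
        enc, mac = self._keys(approved_pcr, nonce)
        body = bytes(a ^ b for a, b in zip(key, enc))
        return nonce + body + hmac.new(mac, body, hashlib.sha256).digest()

    def unseal(self, blob):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        enc, mac = self._keys(self.pcr, nonce)  # uses the CURRENT measured state
        expected = hmac.new(mac, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # platform is not in the state the key was sealed to
        return bytes(a ^ b for a, b in zip(body, enc))


def boot(chip_secret, chain):
    """Power on a fresh chip and measure each (name, image) stage in order."""
    chip = FritzSim(chip_secret)
    for name, image in chain:
        chip.extend(name, image)
    return chip


def replay(log):
    """What a remote verifier does: recompute the PCR from the reported event log."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr


# Constructed sample boot chain; the byte strings stand in for real images.
APPROVED = [("boot ROM", b"rom-v1"), ("OS loader", b"loader-v1"),
            ("OS kernel", b"kernel-v1"), ("media player", b"player-v1")]
PATCHED = APPROVED[:3] + [("media player", b"player-v1-with-copy-patch")]
```

Sealing a content key to the PCR of the APPROVED chain and then booting PATCHED shows the property the FAQ describes: any change to a measured stage yields a different register value, so unseal returns None and the key stays unavailable.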

