Interesting People mailing list archives

"Microsoft's plan to improve computer security could set off fight over use of online materials"


From: Dave Farber <dave () farber net>
Date: Mon, 17 Feb 2003 15:00:49 -0500


 





From the issue dated February 21, 2003


     
Control Issues
Microsoft's plan to improve computer security could set off fight over use
of online materials
By FLORENCE OLSEN
Computing experts in academe often blame Microsoft for producing software
that is vulnerable to viruses and hackers. But, of late, the experts have
been criticizing the company's sweeping plan to correct those very
deficiencies.
Under the plan, announced seven months ago under the name Palladium, new
computers would be equipped with security hardware and a new version of the
Windows operating system.
The goal, Microsoft officials say, is to make servers and desktop PC's that
people can trust. But critics say the technology, which Microsoft recently
renamed "the next-generation secure computing base," could stifle the free
flow of information that has come to characterize the Internet, and could
give Microsoft too much control over colleges' own computerized information.
With the new technology, information-systems officials could use
cryptographic hardware "keys" rather than software controls, like user names
and passwords, to lock up student records and prevent illegal copying of
materials. Registrars would have tamper-proof controls over who could see,
copy, or alter the records. The advances could be used to prevent identity
thieves from invading campus computer networks to steal Social Security
numbers, grades, and other personal data.
Money and Access
Palladium would require colleges to make expenditures on new computers and
software. Existing computers could not be retrofitted.
Colleges would decide whether to buy Palladium-capable software and
hardware, and then whether to activate Palladium's security functions. But
practically speaking, they would face enormous pressures to do so,
especially if publishers of books, journals, software, and other electronic
"content" were to adopt Microsoft's standard to deliver their materials
online. The publishers could dictate that colleges had to use Palladium or
else be denied access to the material. That worries many in academe, who
believe that publishers would use Palladium to bar some uses of digital
materials to which scholars argue that they are entitled under copyright
law. That loss may outweigh the advantages of tighter security over student
records, the critics say.
"If Palladium is adopted, and if other technology vendors exploit it fully
to restrict access to copyrighted works, education and research will
suffer," says Edward W. Felten, an associate professor of computer science
at Princeton University, who was the U.S. Justice Department's chief
computer-science expert in its antitrust case against Microsoft.
Microsoft officials respond that their new technology will simply give all
users -- whether colleges or publishers -- more control over the information
they own. Colleges have been demanding more computer security, says Brian
LaMacchia, a software architect in Microsoft's trusted-platform-technologies
group, which is responsible for Palladium. "It's a two-edged sword," he
says, acknowledging that commercial publishers have demanded greater
protection for their copyrighted works.
Palladium's software components will be part of the next major version of
Windows, which Microsoft has said it may release toward the end of 2004.
Some hardware components that Palladium needs, including a security chip,
are available already in a notebook computer, the IBM ThinkPad T30. Chip
manufacturers and the major computer companies -- Dell, Gateway,
Hewlett-Packard, and IBM, among others -- have begun work to redesign PC's
so that they will work with Palladium software.
A key component of Microsoft's new technology is the "nexus," a minisystem
that runs in a sealed-off area in the computer's memory, where private
transactions can be conducted, and where designated security and copyright
policies would be enforced. In theory, the nexus is immune to many of the
problems that plague Windows machines, like viruses.
Moving away from password-protected security and toward security that is
built into the hardware would make campus networks less vulnerable to hacker
attacks, Microsoft officials and academic experts agree. "Once you move to
hardware security, then you're talking about deterring 98 to 99 percent of
all hackers," says David C. Rice, a security consultant who is an adjunct
faculty member in the graduate program in information security at James
Madison University.
Here's how Palladium works: If a program -- with its nexus -- were running
on a server in, say, a college registrar's office, the server would ask any
computer that tried to gain access to student records on the server to
certify what program it was running. The server would block access to the
records if the computer were running an insecure program. Such questioning
of another computer is not part of most security mechanisms in use today. As
a result, college computer systems are repeatedly victimized by hacker
attacks.
Mr. LaMacchia says that Palladium also would permit personal data and other
files to be kept secret on the computer's hard drive in an area where the
data would be unreadable by any program other than the one on the computer
that created them.
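
The two mechanisms just described (a server asking a client to certify what program it is running, and stored data readable only by the program that created it) can be sketched as below. This is an added illustration, not Microsoft's code or design: the names `RecordsServer`, `quote` and `sealing_key` are hypothetical, and a keyed hash (HMAC) with a constructed key stands in for the security chip's signature.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the security chip's secret. Real hardware would sign
# with a private key that never leaves the chip; HMAC is a simplification.
DEVICE_KEY = b"constructed-demo-device-key"

def measure(program: bytes) -> bytes:
    """Measurement = SHA-256 of the program image the client is running."""
    return hashlib.sha256(program).digest()

def quote(device_key: bytes, nonce: bytes, program: bytes):
    """Client side: report the measurement, bound to the server's nonce."""
    m = measure(program)
    tag = hmac.new(device_key, nonce + m, hashlib.sha256).digest()
    return m, tag

class RecordsServer:
    """Server side: grants access only to approved, freshly attested programs."""

    def __init__(self, device_key: bytes, approved_programs):
        self.device_key = device_key
        self.approved = {measure(p) for p in approved_programs}
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, measurement: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                      # unknown or replayed challenge
        self.outstanding.discard(nonce)       # each nonce is good for one answer
        expected = hmac.new(self.device_key, nonce + measurement,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # quote not made with the device key
        return measurement in self.approved   # block programs not on the list

def sealing_key(device_key: bytes, program: bytes) -> bytes:
    """Sealed-storage key tied to both the device and the program's measurement,
    so a different program on the same machine derives a different key."""
    return hmac.new(device_key, b"seal" + measure(program),
                    hashlib.sha256).digest()
```
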
"It's definitely going to solve a lot of security problems, but it's like
any kind of new technology," says William A. Arbaugh, an assistant professor
of computer science at the University of Maryland at College Park. "It can
do good or evil." 
Fair Use
Whether it is used for "good" or "evil," he says, will depend on who gets to
control the technology -- colleges or the publishers whose "content" the
colleges use.
Most of the early controversy surrounding Palladium in academe has concerned
its impact on "fair use," a gray area in copyright law that gives professors
and researchers limited but free use of copyrighted materials. In the past,
faculty members could decide on their own that "fair use" permitted them to
distribute a journal article to, say, 10 students. But publishers could use
Palladium's controls to unilaterally limit use of their materials, such as
by restricting professors to a read-only view of the article, from which
they could not "cut and paste" the text.
With Palladium, owners of content would gain at the expense of consumers of
content, including professors and students, says Eben Moglen, a professor of
law and legal history at Columbia University. In fact, if Palladium were to
become a widely accepted way of protecting copyrighted material, Mr. Moglen
says, it would create "a closed system, in which each piece of knowledge in
the world is identified with a particular owner, and that owner has a right
to resist its copying, modification, and redistribution."
In such a scenario, he says, "the very concept of fair use has been lost."
Ross Anderson, who holds a faculty post as a reader in security engineering
at the University of Cambridge's Computer Laboratory, says Palladium will
"turn the clock back" to the days before online information was widely
available.
The biggest losers, he says, will be "small colleges, poor schools,
universities in Africa, hospitals in India -- the people who have benefited
hugely from the availability of vast amounts of information that was simply
unavailable to them before."
Publishers generally support the type of copyright-enforcement mechanisms
that would be in Palladium systems, although "there would be some concerns
about bugs in those systems," says Ed McCoyd, director of digital policy for
the Association of American Publishers. For example, he says, even now,
while publishers complain about the inflexibility of technical controls in
electronic-book readers, they do not want to share those controls with
users.
"They certainly want to have sufficient flexibility in the publisher
settings -- one publisher might choose to enable printing, one might not,"
Mr. McCoyd says. But with the new technology, he predicts, publishers will
insist on controlling the software settings for what they "consider to be
fair use." 
Some experts argue that computer and network security are so weak today that
the benefits of Palladium outweigh any risks that Microsoft, or content
providers, would abuse the new controls.
"Microsoft could decide to lock everything up," says David J. Farber, a
professor of telecommunications systems and of business and public policy at
the University of Pennsylvania. "But there is nothing a priori that says
they'll be all bad boys."
Indeed, Microsoft says it is listening to its critics. It has been talking
with academic researchers about the new technology far earlier than usual in
Microsoft's product-development process. "Part of the reason has been to
hear the feedback -- positive and negative -- from the academic community,
analysts, influentials, and others," says Amy Carroll, group manager of
Microsoft's trusted-platform-technologies group.
Palladium's software architects have given several guest lectures at
universities in the United States and Britain, in part, Ms. Carroll says, to
listen to academic concerns "and, hopefully, assuage them."
Many of the concerns are a result of misunderstanding what the new
technology will do and how it will work, Ms. Carroll says. Microsoft plans
to publish the source code for its nexus, she says, so that "people can view
the code and see that it will do what we say it will do," and see that it
will not give the company control over colleges' computerized information.
Even Palladium's critics see good uses for the technology, like maintaining
the privacy of student records. Colleges may want to have Palladium
activated on some servers to keep them from running "pirated software,
MP3's, or anything that is illegal," says Mr. Rice, the security consultant.
More Worries
But Palladium is worrisome to college officials for reasons other than an
erosion in the fair use of copyrighted materials. Jeffrey I. Schiller, a
network manager at the Massachusetts Institute of Technology, says software
companies most likely would use the program to enforce license agreements
that many in academe believe are legally unenforceable. For example, more
and more software licenses forbid users from running tests known as
benchmarks to measure the performance of one company's software against that
of its competitors.
Some critics, like Mr. Schiller, say Palladium might achieve the results
intended by the Uniform Computer Information Transactions Act, a model law
devised by the National Conference of Commissioners on Uniform State Laws,
which has been enacted only in Maryland and Virginia. Ucita is "an attempt
to give these software licenses the force of a signed contract, even though
you didn't sign a contract," Mr. Schiller says. With Palladium, technology
would "enforce" the licenses de facto, he says.
Microsoft insists that its new technology is a neutral platform. "It is
certainly possible that an application vendor could choose to use
[Palladium] to evaluate and enforce some software licensing terms,"
acknowledges Ms. Carroll. But "at the end of the day," she says, "the terms
of the license for an application are strictly an issue between the vendor
and the university."
Others think Palladium would be an anti-competitive tool in the hands of
software publishers, especially Microsoft, which, in 1999, was found guilty
by a federal-district court of monopolistic practices. With Palladium,
software publishers could decide to create programs that refuse to work with
rival programs, a tactic that is difficult for them to get away with now,
says Seth Schoen, a staff technologist at the Electronic Frontier
Foundation, a group that promotes civil liberties in cyberspace.
Critics of Palladium frequently cite a hypothetical situation in which a
company makes a word-processing program that requires Palladium to run and
that encrypts all of the documents that it creates. "Any other Palladium
user who is also using that same word processor will be able to decrypt and
view the documents," Mr. Schoen says, "but nobody without access to
Palladium or who uses a different word processor would be able to derive the
necessary decryption keys."
Microsoft faces an uphill battle to win acceptance for Palladium in academe.
College students, many of whom are used to playing illegal copies of music
and videos on their personal computers, may be resistant.
"They're not going to consciously go out and buy a product that necessarily
limits their ability to do what they want to do," says Mr. Rice, the
security consultant. "They'll definitely buy a product if it means security
for them. I don't know if they're going to buy a product if it means
security for somebody else."
The Business Software Alliance, a trade group representing software
companies, declined to comment on Palladium, citing a policy of not talking
about its members' products. But Robert M. Kruger, vice president for
enforcement, says the group is beginning to tilt more toward technology to
enforce copyrights.
In dealing with software and other copyright piracy on campuses, colleges
"aren't sending the message as aggressively as we would like," he says.
Will MIT, whose researchers have studied Palladium, want to run it? Maybe
not, says Mr. Schiller, the university's network manager. "Personally, I
would never use this technology," he says. As for MIT, though, it's an open
question, he says. "Palladium has to become more real for us to really
decide if we can use it."
"If I had my druthers, I'd love the technology to be available and used for
all the good things we could use it for," Mr. Schiller says. "But I'm enough
of a realist to know that's not how it's going to play out."
------------------------------------------------------------------------
WHAT PALLADIUM WILL AND WON'T DO
Microsoft's Palladium project is designed to make Windows computers more
secure. But computer experts are concerned that the technologies being used
to make computers more secure will block the free flow of information needed
for teaching and research.
Palladium will:

*    Run programs that could prevent illegal copying of or unauthorized
access to information stored in PC's.
*    Permit owners of digital information, whether copyright holders or
registrars responsible for student records, to set tamper-proof controls on
who can see, copy, and alter digital files.
*    Prevent unauthorized access, via a computer network or the Internet, to
Social Security numbers, credit-card information, and other personal data
stored in PC's. 

Palladium will not:

*    Replace the Windows operating system.
*    Search the Internet to detect and delete pirated software, music, and
movies.
*    Eliminate spam and software viruses.
*    Prevent a digital thief from gaining access to a computer in person and
disabling its hardware security features.

SOURCE: Chronicle reporting
------------------------------------------------------------------------
ALSO SEE:
Colloquy Live: Join a live, online discussion with Brian A. LaMacchia, a
software architect at the Microsoft Corporation, about the company's
controversial new Palladium system of protecting the security of computer
information, on Thursday, February 20, at 2 p.m., U.S. Eastern time.
------------------------------------------------------------------------
