[DMCA-Activists] Palladiation is Here

[Seth Johnson]

> http://www.msnbc.msn.com/ID/10441443/


Let’s see some ID, please

The end of anonymity on the Internet?


By Michael Rogers

Updated: 7:53 a.m. ET Dec. 13, 2005


As the joke goes, on the Internet nobody knows you’re a dog. But
although anonymity has been part of Internet culture since the
first browser, it’s also a major obstacle to making the Web a
safe place to conduct business: Internet fraud and identity theft
cost consumers and merchants several billion dollars last year.
And many of the other more troubling aspects of the Internet,
from spam emails to sexual predators, also have their roots in
the ease of masking one’s identity in the online world.

Change, however, is on the way. Already over 20 million PCs
worldwide are equipped with a tiny security chip called the
Trusted Platform Module, although it is as yet rarely activated.
But once merchants and other online services begin to use it, the
TPM will do something never before seen on the Internet: provide
virtually fool-proof verification that you are who you say you
are.

Some critics say that the chip will change the free-wheeling Web
into a police state, while others argue that it’s needed to
create a safe public space.  But the train has already left the
station: by the end of this decade, a TPM will almost certainly
be part of your desktop, laptop and even cell phone.

The TPM chip was created by a coalition of over one hundred
hardware and software companies, led by AMD, Hewlett-Packard,
IBM, Microsoft and Sun. The chip permanently assigns a unique and
permanent identifier to every computer before it leaves the
factory and that identifier can’t subsequently be changed. It
also checks the software running on the computer to make sure it
hasn’t been altered to act malevolently when it connects to other
machines: that it can, in short, be trusted. For now,
TPM-equipped computers are primarily sold to big corporations for
securing their networks, but starting next year TPMs will be
installed in many consumer models as well.

With a TPM onboard, each time your computer starts, you prove
your identity to the machine using something as simple as a PIN
number or, preferably, a more secure system such as a fingerprint
reader. Then if your bank has TPM software, when you log into
their Web site, the bank’s site also “reads” the TPM chip in your
computer to determine that it’s really you. Thus, even if someone
steals your username and password, they won’t be able to get into
your account unless they also use your computer and log in with
your fingerprint. (In fact, with TPM, your bank wouldn’t even
need to ask for your username and password — it would know you
simply by the identification on your machine.)

The same would go for online merchants — once you’d registered
yourself and your computer with an Amazon or an e-Bay, they’d
simply look for the TPM on your machine to confirm it’s you at
the other end. (Of course you could always “fool” the system by
starting your computer with your unique PIN or fingerprint and
then letting another person use it, but that’s a choice similar
to giving someone else your credit card.)

Another plus for the TPM is that your computer will be able to
make sure that it’s really a legitimate e-commerce site you’re
connected to, and not some phishing-style fraud. There would
still, of course, be ways that you could access your bank or
e-commerce accounts from other computers when you were traveling,
but the connection wouldn’t be as secure as using your own
computer. Plans are already underway to put TPMs into smartphones
and other portable devices as well.

The TPM will become even more important as we move toward
Web-based applications, where we may actually store our documents
and files on remote servers. The TPM could automatically encrypt
any files as soon as they left your computer, and only allow
decryption privileges to your TPM and any others you might
specify. It could automatically encrypt email as well, so that
only specific recipients are able to read it. And it could more
firmly identify where email originates, taking a big step forward
in controlling spam at the source.

That is the potential good news. But some critics are worried
that the TPM is a step too far.  Their concern particularly
revolves around using the TPM to control “digital rights
management” — that is, what you can and cannot do with the music,
movies and software you run on your computer.

A movie, for example, would be able to look at the TPM and know
whether it was legally licensed to run on that machine, whether
it could be copied or sent to others, or whether it was supposed
to self-destruct after three viewings. If you tried to do
something with the movie that wasn’t allowed in the license, your
computer simply wouldn’t cooperate.

The same would go for software. Now that Apple is moving to Intel
processors, Mac fans are watching closely to see if the new
machines will incorporate TPMs. That may be the way that Apple
makes sure that its Macintosh operating system only runs on Apple
computers — otherwise, hackers will probably be quick to figure
out ways to make the new Intel-based Macintosh software run on HP
or Dell machines as well. Similar concerns arise around how
Microsoft might make use of TPM to insure that its software is
used only on machines with paid-up licenses (as one joke has it:
“TPM is Bill Gates’ way of finally getting the Chinese to pay for
software.”)

(MSNBC is a Microsoft - NBC joint venture.)

Ultimately the TPM itself isn’t inherently evil or good.  It will
depend entirely on how it’s used, and in that sphere, market and
political forces will be more important than technology.  Users
will still control how much of their identity they wish to reveal
— in fact, for complex technical reasons, the TPM will actually
also make truly anonymous connections possible, if that’s what
both ends of the conversation agree on.  And should a media or
software company come up with overly Draconian restrictions on
how its movies or music or programs can be used, consumers will
go elsewhere.  (Or worse: Sony overstepped with the DRM on its
music CDs recently and is now the target of a dozen or so
lawsuits, including ones filed by California and New York.) 

To future historians, the anonymity we’ve experienced in the
first decade of the commercial Internet may in retrospect seem
aberrant.  In the real world, after all, we carry multiple forms
of fixed identification, ranging from our faces and fingerprints
to drivers’ licenses and social security numbers.  Some of these
are easier to counterfeit than others, but generally most of us
are more comfortable when we can prove who we are.  In some
situations — driving cars, boarding aircraft — we’re required to
have identification.  Of course, our real world policies on
identification — what kind we must have, when we need to display
it — have evolved over centuries of social and political thought
and is still, post 9/11, a national hot-button.  With the arrival
of the Trusted Computing Module, the argument will now extend to
cyberspace as well.