Companion by Fred von Lohmann

Meditations on Trusted Computing

Trusted computing, however, does more than allow you to trust your own computer; it also aims to enable *others* to trust your computer. The key to this capability is in a feature called “remote attestation.” This allows another person to ask the software running on the trusted side of your computer to identify itself. Because the answer comes from the tamper-resistant hardware on the motherboard of your computer, the “attestation” is relatively reliable. This feature certainly has some desirable uses (for employees logging into corporate networks from offsite locations, for example).

But there is a dark side. If others are able to verify that particular software is running on the trusted side of your computer, then some may refuse to communicate with you at all *unless* you are running their software. In other words, companies may begin demanding that you install and run the software *of their choice* on the trusted side of your computer. This would effectively give them control over a portion of your computer. You would be free to refuse, but then you would not be able to do business with them.

In a competitive market, this might not be a problem, as vendors would avoid anything that might alienate customers. In a market where competition is compromised, however, trusted computing can dramatically increase the power of a monopolist or cartel to impose “take it or leave it” terms on the public, by giving them the capability to insist on a relatively unassailable beachhead inside your computer.

TCPA Discussion

Donna points to others pointing to Seth Schoen’s discussion of TCPA: Trusted Computing: Promise and Risk

One important similarity between the NGSCB [Next Generation Secure Computing Base] design and the existing TCG [Trusted Computing Group] specification is that both contain a “remote attestation” feature, which we will criticize extensively below. Even though there are differences between Microsoft’s and TCG’s technical descriptions of remote attestation, both can, given proper operating system support, be used in functionally equivalent ways. Whether or not the NGSCB and TCG projects converge on a single hardware design, the general criticisms of attestation here will properly apply to either.

[…] Remote attestation is the most significant and the most revolutionary of the four major feature groups described by Microsoft. Broadly, it aims to allow “unauthorized” changes to software to be detected. If an attacker has replaced one of your applications, or a part of your operating system with a maliciously altered version, you should be able to tell. Because the attestation is “remote”, others with whom you interact should be able to tell, too. Thus, they can avoid sending sensitive data to a compromised system. If your computer should be broken into, other computers can refrain from sending private information to it, at least until it has been fixed.

While remote attestation is obviously useful, the current TCG approach to attestation is flawed. TCG attestation conspicuously fails to distinguish between applications that protect computer owners against attack and applications that protect a computer against its owner. In effect, the computer’s owner is sometimes treated as just another attacker or adversary who must be prevented from breaking in and altering the computer’s software.
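As an added illustration, not code from von Lohmann’s or Schoen’s pieces, here is a small simulation of the mechanism both describe: a measured boot extends a PCR, the hardware signs it together with the verifier’s nonce, and a remote party’s allowlist decides whether to talk to the machine. Assumptions: an HMAC key stands in for the TPM signing key, and the software images and nonce are constructed. It shows Schoen’s point in running code: the verifier cannot distinguish a rootkit from a replacement the owner chose on purpose, because both land on the same rejection.

```python
import hashlib
import hmac

# Constructed stand-in for the key inside the tamper-resistant hardware. Assumption:
# an HMAC key shared with the verifier models the TPM signing key (a real TPM uses
# an asymmetric key, but the verifier's policy logic is the same).
ATTESTATION_KEY = b"constructed-demo-attestation-key"
# Constructed software images; only their hashes reach the verifier.
BOOTLOADER, OS_KERNEL, VENDOR_CLIENT = b"bootloader v1", b"kernel v1", b"vendor client v1"

def extend_pcr(pcr: bytes, image: bytes) -> bytes:
    """TCG-style extend: PCR = H(PCR || H(image)). A PCR can only be extended,
    never set, so the final value commits to every image loaded and its order."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measured_boot(images: list[bytes]) -> bytes:
    pcr = bytes(32)  # PCRs start at zero on reset
    for image in images:
        pcr = extend_pcr(pcr, image)
    return pcr

def quote(pcr: bytes, nonce: bytes, key: bytes = ATTESTATION_KEY) -> bytes:
    """Hardware signs the PCR plus the verifier's fresh nonce, so a quote recorded
    from an earlier clean boot cannot be replayed."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()

def verify(pcr: bytes, sig: bytes, nonce: bytes, allowlist: set[bytes]) -> str:
    """Remote party's policy: a genuine quote AND a PCR value it has approved."""
    expected = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "reject: forged quote"
    if pcr not in allowlist:
        return "reject: unapproved software"
    return "accept"

def run_scenarios() -> dict[str, str]:
    nonce = b"constructed-nonce-001"
    approved = {measured_boot([BOOTLOADER, OS_KERNEL, VENDOR_CLIENT])}
    boots = {
        "genuine": [BOOTLOADER, OS_KERNEL, VENDOR_CLIENT],
        "rootkit in kernel": [BOOTLOADER, b"kernel v1 + rootkit", VENDOR_CLIENT],
        "owner swapped client": [BOOTLOADER, OS_KERNEL, b"owner-chosen client"],
    }
    results = {}
    for name, images in boots.items():
        pcr = measured_boot(images)
        results[name] = verify(pcr, quote(pcr, nonce), nonce, approved)
    # A forged quote is caught regardless of the PCR value claimed.
    pcr = next(iter(approved))
    results["forged quote"] = verify(pcr, quote(pcr, nonce, b"wrong key"), nonce, approved)
    return results
```

The two “reject: unapproved software” outcomes are the whole dispute: the same check that protects the owner from a tampered kernel also lets the remote party refuse an owner who installed software of their own choosing.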

Fallout from the MPAA Oscar Changes

Filmmakers Criticize Move to Curb Piracy [pdf]

Independent filmmakers strongly criticized on Wednesday a decision by the Motion Picture Association of America to stop sending out copies of new movies in advance of the awards season in an effort to halt piracy.

[…] In recent years, studios and independent companies have distributed copies of new movies on DVD and videotape before the Academy Awards season, to enable voters to watch the films at home instead of going to a theater or screening room. The so-called screeners have been especially beneficial to smaller independent companies, which cannot compete financially with the big studios but have earned numerous Academy Award nominations because many voters saw their films at home.

On Tuesday, the motion picture association halted distribution of the screeners in an effort to curb piracy, a growing concern among studios.

“It’s just a stupid assumption that this will stop piracy,” [director Robert Altman] added.

A Lesson in the Legalities of Data Collection

A fascinating story in the Times about the law of data disclosure when you’re a cable company: Your Own Affair, More (VCR) or Less (MP3) [pdf]

It turns out that consumers’ cable-television records enjoy more legal protection than just about any other sort of electronic media or communications records: more than satellite-television records, more than Internet logs, more than telephone records. The Cable Communications Policy Act of 1984 said that before the government could obtain cable television records, it had to go to court to show “clear and convincing evidence” that the subject of the request was reasonably suspected of criminal activity. Moreover, the customer was entitled to a hearing to contest the disclosure.

[…] This year, the recording industry has had things a lot easier than the I.R.S. Since July, the music industry’s lobbying wing, the Recording Industry Association of America, has obtained the names, addresses, telephone numbers and e-mail addresses of more than 1,000 people around the nation whom the group suspects of Internet music piracy. The group has sued 261 of them so far, and promises that more suits are to come.

The Digital Millennium Copyright Act of 1998 says that copyright holders may issue subpoenas signed only by a court clerk – not a judge – that require Internet providers to turn over personal information about their subscribers. The law does not require the subscribers to be notified. Every major Internet provider except SBC has complied with the record industry’s requests.

Between the stringent provisions of the cable law and the relatively wide-open provisions of the digital copyright act, a crazy quilt of laws – a product of decades of ad hoc legislation – governs what your phone company, cable company, Internet service provider or video store may be compelled to tell about you.

[…] For all the inconsistencies among these various laws, one of the more significant shifts in privacy protection came in 1998 with the Digital Millennium Copyright Act.

To many legal experts, the right that the digital copyright act granted to copyright holders to subpoena personal information about Internet users goes far beyond earlier legal frameworks. Verizon, the big phone company and Internet provider, challenged the subpoena provisions of the law but lost in court. That case is being appealed, and Verizon and other Internet providers are pushing Congress to change the law.

NYTimes on Campuses and Music Sharing

This NYTimes article, Campuses Move to Block Music Sharing [pdf], does all it can to scare colleges, while promoting system changes that break the end-to-end design of the network. Moreover, we get the now obligatory plug for Graham Spanier’s plan to make MP3s a part of student fees (note that the membership of Penn State’s Board of Trustees includes one Barry K. Robinson, Senior Counsel for Corporate Affairs, Recording Industry Association of America.)

Jeff Karp, a partner at Swidler, Berlin, Shereff, Friedman in Washington who specializes in copyright protection law and has counseled several institutions on file-sharing issues, said colleges were feeling the heat. “If they’re the ones operating the system and they’re aware of infringement activities occurring and they fail to take steps to stop it, they could be facing a lawsuit for contributory or vicarious copyright infringement,” he said.

[…] Traffic shaping, probably the most popular form of music-sharing prevention, is the management of network traffic and bandwidth use to limit bottlenecks. The number of clients using Packeteer, an appliance that helps campus officials manage Internet traffic, has increased from around 200 three years ago to more than 700 universities, including Stanford, Florida State and U.C.L.A., the program’s maker said.

Packeteer relies on hardware next to a server’s router to monitor Internet use and to help limit bandwidth for certain types of downloads, like MP3’s. Jeff Barker, Packeteer’s marketing director, said that Packeteer cannot be circumvented by file-sharing programmers who disguise Internet protocol addresses.

Watching for more on Charlie Nesson’s proposal

Donna Wentworth’s “Nesson discussion circle” has a few contributions:

  • Derek Slater’s – More on Nesson’s Technodefense

  • Donna’s response to Derek – Let the Music Pay V

  • My own addition – Some thoughts on Charlie’s “copyright by DoS” (rereading it this AM suggests that I can easily be accused of fuzzy idealism, but I remain convinced that vigilante behavior carries with it too many destructive consequences to make it worthwhile. Not to mention the widespread investment in a new kind of non-productive capital — we need policies that promote investment in innovation, not in digital weaponry.)

Donna’s e-mail included a few others, including Ernest Miller at LawMeme (who has commented in e-mail followups) (sorry, wrong topic — I’m not getting enough sleep, clearly!), Mary Hodder at bIPlog and Lawrence Solum at Legal Theory Blog. I have a class this AM, so I’ll be checking in there this afternoon.

Update: Ed Felten’s jumped in: “Hacktivism” by Artists

P2P “Attackers”

Mary Hodder of bIPlog has pointed to a New Scientist article, Innocent file-sharers could appear guilty, which itself refers to an anonymously posted paper that appears to show how a malicious actor on a P2P network can act, through subversion of the P2P protocols, to make “innocent” users appear to be engaging in activity that is being probed by a third party. (Entrapment — Incriminating Peer to Peer Network Users, local copy)

This paper describes something that can be used to challenge a subpoena, or to introduce doubt in a court of law, albeit there is a question of just how much doubt it will engender, particularly in a civil case (see Slashdot link below). Whether this is something that actually goes on at the moment is a little harder to establish. It looks credible, but the motivation factor is a little hard to penetrate, and I don’t know enough about how the RIAA is collecting their data to know its vulnerability to these attacks. Note that the paper identifies this actor pretty well at the outset of the paper:

Attacker – a P2P user who turns an innocent P2P user into an apparent offender. The attacker could be someone with a vested interest or merely someone with too much spare time.

The Slashdot commentary: Innocent File-Sharers Could Appear Guilty? includes this summary statement: Flaws in the paper, suggesting that the RIAA’s methods are generally immune to most of these attacks.