20 June 2002. Ross Anderson's Toulouse paper:


20 June 2002
Source: http://www.nytimes.com/2002/06/20/technology/20CODE.html

Ross Anderson website: http://www.cl.cam.ac.uk/users/rja14/

The New York Times, June 20, 2002

Fears of Misuse of Encryption System Are Voiced


SAN FRANCISCO, June 19 — A leading European computer security and privacy advocate is challenging an effort by the American computer industry to create a standard to protect software and digital content, calling the plan a smoke screen by established companies to protect their existing markets.

In a paper to be presented at a technical conference in Toulouse, France, on Thursday, Ross Anderson, a University of Cambridge computer scientist, attacks the Trusted Computing Platform Alliance, an organization formed in October 1999 by Compaq Computer, Hewlett-Packard, I.B.M., Intel and Microsoft. The companies say their intent is to provide a cryptographic system that would ensure privacy and protect intellectual property.

The technology that the alliance has developed uses an encryption method intended to identify computer hardware and operating system software and determine that their configuration has not been altered. The companies say it will help detect virus invasions and provide security for commercial transactions like online purchases and banking.

But Dr. Anderson argues that the potential exists for the technology to be used in a more sinister fashion: to create a new form of censorship based on the ability to track and identify electronic information.

He compares the technology to a proposal by Intel in January 1999 to insert a distinct serial number into each of its Pentium processors, an effort that drew widespread consumer opposition after privacy advocates warned that the technology could be used for surveillance purposes. The plan was withdrawn.

Dr. Anderson also warns that widespread adoption of the standard from the alliance, known as T.C.P.A., could put large United States computer companies in a position to thwart competition by controlling who gets to use the standard and on what computer platforms.

"The T.C.P.A. appears likely to change the ecology of information goods and services markets so as to favor incumbents, penalize challengers and slow down the pace of innovation and entrepreneurship," he wrote.

Spokesmen for Intel and for Microsoft said their companies had not been able to review the paper and would not comment.

Dr. Anderson is a Cambridge computer scientist who is also chairman of the Foundation for Information Policy Research, a British Internet policy research group. In a telephone interview today from France, he said there was growing concern within the European Union that the T.C.P.A. standard could emerge into a competitor for so-called smart cards, used for authentication, which are now the basis of a significant European industry.

"This is something that has potential macroeconomic effects, and it will become the big new controversy over the next six months," he said.

Although encryption technologies have not been used widely in the personal computer industry to protect intellectual property, they have become standard in the video game market, where companies like Sony, Nintendo and Microsoft use built-in encryption to protect against piracy and to force software developers to pay royalties to write software for the game machines.

The T.C.P.A. standard would not directly control what software a user could run on a personal computer. But according to several people who have examined the specification, it could be used to make a catalog of software on a machine available for action by a third party — barring, for example, someone with decryption software from playing a copy-protected DVD.

That capability has touched off an internal debate within at least one privacy rights group in the United States. The Electronic Frontier Foundation has been discussing the implications of the technology this week and is divided on the consequences.

"On the one hand some of our board members have argued that it might effectively protect you from viruses," said Seth Schoen, the foundation's staff technologist. "On the other hand some of our board members believe that if any information is made available automatically to a third party that is a privacy issue."

Among the board members who are potential defenders of the technology is David Farber, a longtime computer industry technologist and a computer scientist at the University of Pennsylvania. Dr. Farber said that he had been on the alliance's advisory board for the last three years and more recently had consulted with Intel and others about technical and social issues related to the proposed standard.

"I was attracted to the T.C.P.A. effort due to its focus on providing security and privacy in a dynamic, flexible way," he said. "It should be capable of supporting a digital rights management regime that can be used to both protect intellectual property and individual privacy and the individual's fair use of the intellectual property."

The initiative, which would encrypt information while it was being processed inside the computer, would also violate European Union directives governing the transparency of computer data, Dr. Anderson said.

He said he was concerned as well that the advent of the standard would permit the pursuit of previously impossible electronic censorship campaigns, because the technology could make it possible to locate and delete specific documents on any computer connected to the Internet.

"We could have a huge swing from the current situation where the Internet can be used to distribute information to something at the other extreme," he said.

In May, with a fellow researcher, Dr. Anderson reported on a vulnerability in the current generation of smart cards, which are used for identity and financial transactions.