`Trusted Computing' Frequently Asked Questions

- TC / TCG / LaGrande / NGSCB / Longhorn / Palladium / TCPA

Version 1.1 (August 2003)

Ross Anderson

This document is released under the GNU Free Documentation License. Here are links to translations into German, Spanish, Italian, Dutch, Chinese, Norwegian, Swedish, Finnish, Hungarian, Greek, Hebrew and French. See also the Economics and Security Resource Page which gives a lot of background to the issues raised here.


1. What is TC - this `trusted computing' business?

The Trusted Computing Group (TCG) is an alliance of Microsoft, Intel, IBM, HP and AMD which promotes a standard for a `more secure' PC. Their definition of `security' is controversial; machines built according to their specification will be more trustworthy from the point of view of software vendors and the content industry, but will be less trustworthy from the point of view of their owners. In effect, the TCG specification will transfer the ultimate control of your PC from you to whoever wrote the software it happens to be running. (Yes, even more so than at present.)

The TCG project is known by a number of names. `Trusted computing' was the original one, and is still used by IBM, while Microsoft calls it `trustworthy computing' and the Free Software Foundation calls it `treacherous computing'. Hereafter I'll just call it TC, which you can pronounce according to taste. Other names you may see include TCPA (TCG's name before it incorporated), Palladium (the old Microsoft name for the version due to ship in 2004) and NGSCB (the new Microsoft name). Intel has just started calling it `safer computing'. Many observers believe that this confusion is deliberate - the promoters want to deflect attention from what TC actually does.

2. What does TC do, in ordinary English?

TC provides a computing platform on which you can't tamper with the application software, and where these applications can communicate securely with their authors and with each other. The original motivation was digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a TC platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. All sorts of new marketing possibilities will open up.

TC will also make it much harder for you to run unlicensed software. In the first version of TC, pirate software could be detected and deleted remotely. Since then, Microsoft has sometimes denied that it intended TC to do this, but at WEIS 2003 a senior Microsoft manager refused to deny that fighting piracy was a goal: `Helping people to run stolen software just isn't our aim in life', he said. The mechanisms now proposed are more subtle, though. TC will protect application software registration mechanisms, so that unlicensed software will be locked out of the new ecology. Furthermore, TC apps will work better with other TC apps, so people will get less value from old non-TC apps (including pirate apps). Also, some TC apps may reject data from old apps whose serial numbers have been blacklisted. If Microsoft believes that your copy of Office is a pirate copy, and your local government moves to TC, then the documents you file with them may be unreadable. TC will also make it easier for people to rent software rather than buy it; and if you stop paying the rent, then not only does the software stop working but so may the files it created. So if you stop paying for upgrades to Media Player, you may lose access to all the songs you bought using it.

For years, Bill Gates has dreamed of finding a way to make the Chinese pay for software: TC looks like being the answer to his prayer.

There are many other possibilities. Governments will be able to arrange things so that all Word documents created on civil servants' PCs are `born classified' and can't be leaked electronically to journalists. Auction sites might insist that you use trusted proxy software for bidding, so that you can't bid tactically at the auction. Cheating at computer games could be made more difficult.

There are some gotchas too. For example, TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control. For example, if a protected song is extracted from a hacked TC platform and made available on the web as an MP3 file, then TC-compliant media player software may detect it using a watermark, report it, and be instructed remotely to delete it (as well as all other material that came through that platform). This business model, called traitor tracing, has been researched extensively by Microsoft (and others). In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress everything from pornography to writings that criticise political leaders.

The gotcha for businesses is that your software suppliers can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor. Such blatant lock-in might be prohibited by the competition authorities, but there are subtler lock-in strategies that are much harder to regulate. (I'll explain some of them below.)

3. So I won't be able to play MP3s on my computer any more?

With existing MP3s, you may be all right for some time. Microsoft says that TC won't make anything suddenly stop working. But a recent software update for Windows Media Player has caused controversy by insisting that users agree to future anti-piracy measures, which may include measures that delete pirated content found on your computer. Also, some programs that give people more control over their PCs, such as VMware and Total Recorder, are not going to work properly under TC. So you may have to use a different player - and if your player will play pirate MP3s, then it may not be authorised to play the new, protected, titles.

It is up to an application to set the security policy for its files, using an online policy server. So Media Player will determine what sort of conditions get attached to protected titles. I expect Microsoft will do all sorts of deals with the content providers, who will experiment with all sorts of business models. You might get CDs that are a third of the price but which you can only play three times; if you pay the other two-thirds, you'd get full rights. You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back. More likely, you'll not be able to lend music at all. Creeping digital lockdown will make life inconvenient in many niggling ways; for example, regional coding might stop you watching the Polish version of a movie if your PC was bought outside Europe.

This could all be done today - Microsoft would just have to download a patch into your player - but once TC makes it hard for people to tamper with the player software, and easy for Microsoft and the music industry to control what players will work at all with new releases, it will be harder for you to escape. Control of media player software is so important that the EU antitrust authorities are proposing to penalise Microsoft for its anticompetitive behaviour by compelling it to unbundle Media Player, or include competing players in Windows. TC will greatly increase the depth and scope of media control.

4. How does TC work?

TC provides for a monitoring and reporting component to be mounted in future PCs. The preferred implementation in the first phase of TC emphasised the role of a `Fritz' chip - a smartcard chip or dongle soldered to the motherboard. The current version has five components - the Fritz chip, a `curtained memory' feature in the CPU, a security kernel in the operating system (the `Nexus' in Microsoft language), a security kernel in each TC application (the `NCA' in Microsoft-speak) and a back-end infrastructure of online security servers maintained by hardware and software vendors to tie the whole thing together.

The initial version of TC had Fritz supervising the boot process, so that the PC ended up in a predictable state, with known hardware and software. The current version has Fritz as a passive monitoring component that stores the hash of the machine state on start-up. This hash is computed using details of the hardware (audio card, video card etc) and the software (O/S, drivers, etc). If the machine ends up in the approved state, Fritz will make available to the operating system the cryptographic keys needed to decrypt TC applications and data. If it ends up in the wrong state, the hash will be wrong and Fritz won't release the right key. The machine may still be able to run non-TC apps and access non-TC data, but protected material will be unavailable.

The operating system security kernel (the `Nexus') bridges the gap between the Fritz chip and the application security components (the `NCAs'). It checks that the hardware components are on the TCG approved list, that the software components have been signed, and that none of them has a serial number that has been revoked. If there are significant changes to the PC's configuration, the machine must go online to be re-certified: the operating system manages this. The result is a PC booted into a known state with an approved combination of hardware and software (whose licences have not expired). Finally, the Nexus works together with new `curtained memory' features in the CPU to stop any TC app from reading or writing another TC app's data. These new features are called `Lagrande Technology' (LT) for the Intel CPUs and `TrustZone' for the ARM.

Once the machine is in an approved state, with a TC app loaded and shielded from interference by any other software, Fritz will certify this to third parties. For example, he will do an authentication protocol with Disney to prove that his machine is a suitable recipient of `Snow White'. This will mean certifying that the PC is currently running an authorised application program - MediaPlayer, DisneyPlayer, whatever - with its NCA properly loaded and shielded by curtained memory against debuggers or other tools that could be used to rip the content. The Disney server then sends encrypted data, with a key that Fritz will use to unseal it. Fritz makes the key available only to the authorised application and only so long as the environment remains `trustworthy'. For this purpose, `trustworthy' is defined by the security policy downloaded from a server under the control of the application owner. This means that Disney can decide to release its premium content only to a media player whose author agrees to enforce certain conditions. These might include restrictions on what hardware and software you use, or where in the world you're located. They can involve payment: Disney might insist, for example, that the application collect a dollar every time you view the movie. The application itself can be rented too. The possibilities seem to be limited only by the marketers' imagination.

5. What else can TC be used for?

TC can also be used to implement much stronger access controls on confidential documents. These are already available in a primitive form in Windows Server 2003, under the name of `Enterprise rights management' and people are experimenting with them.

One selling point is automatic document destruction. Following embarrassing email disclosures in the recent anti-trust case, Microsoft implemented a policy that all internal emails are destroyed after 6 months. TC will make this easily available to all corporates that use Microsoft platforms. (Think of how useful that would have been for Arthur Andersen during the Enron case.) It can also be used to ensure that company documents can only be read on company PCs, unless a suitably authorised person clears them for export. TC can also implement fancier controls: for example, if you send an email that causes embarrassment to your boss, he can broadcast a cancellation message that will cause it to be deleted wherever it's got to. You can also work across domains: for example, a company might specify that its legal correspondence only be seen by three named partners in its law firm and their secretaries. (A law firm might resist this because the other partners in the firm are jointly liable; there will be many interesting negotiations as people try to reduce traditional trust relationships to programmed rules.)

TC is also aimed at payment systems. One of the Microsoft visions is that much of the functionality now built on top of bank cards may move into software once the applications can be made tamper-resistant. This leads to a future in which we pay for books that we read, and music we listen to, at the rate of so many pennies per page or per minute. The broadband industry is pushing this vision; meanwhile some far-sighted people in the music industry are starting to get scared at the prospect of Microsoft charging a percentage on all their sales. Even if micropayments don't work out as a business model - and there are some persuasive arguments why they won't - there will be some sea-changes in online payment, with spillover effects for the user. If, in ten years' time, it's inconvenient to shop online with a credit card unless you use a TC platform, that will be tough on Mac and GNU/linux users.

The appeal of TC to government systems people is based on ERM being used to implement `mandatory access control' - making access control decisions independent of user wishes but based simply on their status. For example, an army might arrange that its soldiers can only create Word documents marked at `Confidential' or above, and that only a TC PC with a certificate issued by its own security agency can read such a document. That way, soldiers can't send documents to the press (or email home, either). Such rigidity doesn't work very well in large complex organisations like governments, as the access controls get in the way of people doing their work, but governments say they want it, and so no doubt they will have to learn the hard way. (Mandatory access control can be more useful for smaller organisations with more focused missions: for example, a cocaine smuggling ring can arrange that the spreadsheet with this month's shipment details can be read only by five named PCs, and only until the end of the month. Then the keys used to encrypt it will expire, and the Fritz chips on those five machines will never make them available to anybody at all, ever again.)

6. OK, so there will be winners and losers - Disney might win big, and some smartcard makers might go bust. But surely Microsoft and Intel are not investing nine figures just for charity? How will they make money out of it?

For Intel, which started the whole TC thing going, it was a defensive play. As they make most of their money from PC microprocessors, and have most of the market, they can only grow their company by increasing the size of the market. They were determined that the PC will be the hub of the future home network. If entertainment is the killer application, and DRM is going to be the critical enabling technology, then the PC has to do DRM or risk being displaced in the home market.

Microsoft, who are now driving TC, were also motivated by the desire to bring entertainment within their empire. But they also stand to win big if TC becomes widespread. There are two reasons. The first, and less important, is that they will be able to cut down dramatically on software copying. `Making the Chinese pay for software' has been a big thing for Bill; with TC, he can tie each PC to its individual licenced copy of Office and Windows, and lock bad copies of Office out of the shiny new TC universe.

The second, and most important, benefit for Microsoft is that TC will dramatically increase the costs of switching away from Microsoft products (such as Office) to rival products (such as OpenOffice). For example, a law firm that wants to change from Office to OpenOffice right now merely has to install the software, train the staff and convert their existing files. In five years' time, once they have received TC-protected documents from perhaps a thousand different clients, they would have to get permission (in the form of signed digital certificates) from each of these clients in order to migrate their files to a new platform. The law firm won't in practice want to do this, so they will be much more tightly locked in, which will enable Microsoft to hike its prices.

Economists who have studied the software industry concluded that the value of a software business is about equal to the total costs of its customers switching out to the competition; both are equal to the net present value of future payments from the customers to the software vendor. This means that an incumbent in a maturing market, such as Microsoft with its Office product, can grow faster than the market only if it can find ways to lock in its customers more tightly. There are some ifs and buts that hedge this theory around, but the basic idea is well known to software industry executives. This explains Bill G's comment that `We came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains'.

7. Where did the technical ideas come from?

The TC concept of booting a machine into a known state is implicit in early PCs where the BIOS was in ROM and there was no hard drive in which a virus could hide. The idea of a trusted bootstrap mechanism for modern machines seems to have first appeared in a paper by Bill Arbaugh, Dave Farber and Jonathan Smith, ``A Secure and Reliable Bootstrap Architecture'', in the proceedings of the IEEE Symposium on Security and Privacy (1997) pp 65-71. It led to a US patent: ``Secure and Reliable Bootstrap Architecture'', U.S. Patent No. 6,185,678, February 6th, 2001. Bill's thinking developed from work he did while working for the NSA on code signing in 1994, and originally applied to rebooting ATM switches across a network. The Microsoft folk have also applied for patent protection on the operating system aspects. (The patent texts are here and here.)

There may be quite a lot of prior art. Markus Kuhn wrote about the TrustNo1 Processor years ago, and the basic idea behind a trustworthy operating system - a `reference monitor' that supervises a computer's access control functions - goes back at least to a paper written by James Anderson for the USAF in 1972. It has been a feature of US military secure systems thinking since then.

8. How is this related to the Pentium 3 serial number?

Intel started an earlier program in the mid-1990s that would have put the functionality of the Fritz chip inside the main PC processor, or the cache controller chip, by 2000. The Pentium serial number was a first step on the way. The adverse public reaction seems to have caused them to pause, set up a consortium with Microsoft and others, and seek safety in numbers. The consortium they set up, the Trusted Computer Platform Alliance (TCPA), was eventually incorporated and changed its name to TCG.

9. Why call the monitor chip a `Fritz' chip?

It was named in honour of Senator Fritz Hollings of South Carolina, who worked tirelessly in Congress to make TC a mandatory part of all consumer electronics. (Hollings' bill failed; he lost his chairmanship of the Senate Committee on Commerce, Science and Trasportation, and he's retiring in 2004. But the Empire will be back. For example, Microsoft is spending a fortune in Brussels promoting a draft Directive on IP enforcement which is seriously bad stuff.)

10. OK, so TC stops kids ripping off music and will help companies keep data confidential. It may help the Mafia too, unless the FBI get a back door, which I assume they will. But apart from pirates, industrial spies and activists, who has a problem with it?

A lot of companies stand to lose out directly, such as information security vendors. When it first launched TC as Palladium, Microsoft claimed that Palladium would stop spam, viruses and just about every other bad thing in cyberspace - if so, then the antivirus companies, the spammers, the spam-filter vendors, the firewall firms and the intrusion detection folk could all have their lunch stolen. That's now been toned down, but Bill Gates admits that Microsoft will pursue the computer security market aggressively: "Because it's a growth area, we're not being that coy with them about what we intend to do."

Meanwhile, the concerns about the effects on competition and innovation continue to grow. The problems for innovation are well explained in a recent New York Times column by the distinguished economist Hal Varian.

But there are much deeper problems. The fundamental issue is that whoever controls the TC infrastructure will acquire a huge amount of power. Having this single point of control is like making everyone use the same bank, or the same accountant, or the same lawyer. There are many ways in which this power could be abused.

11. How can TC be abused?

One of the worries is censorship. TC was designed from the start to support the centralised revocation of pirate bits. Pirate software won't run in the TC world as TC will make the registration process tamper-resistant. But what about pirated songs or videos? How do you stop someone recording a track - if necessary by putting microphones next the speakers of a TC machine, and ripping it into an MP3? The proposed solution is that protected content will contain digital watermarks, and lawful media players that detect a watermark won't play that song unless it comes with an appropriate digital certificate for that device. But what if someone hacks a Fritz chip and does a transaction that `lawfully' transfers ownership of the track? In that case, traitor tracing technology will be used to find out which PC the track was ripped from. Then two things will happen. First, the owner of that PC will be prosecuted. (That's the theory, at least; it probably won't work as the pirates will use hacked PCs.) Second, tracks that have been through that machine will be put on a blacklist, which all TC players will download from time to time.

Blacklists have uses beyond music copying. They can be used to screen all files that the application opens - by content, by the serial number of the application that created them, or by any other criteria that you can program. The proposed use for this is that if everyone in China uses the same copy of Office, you do not just stop this copy running on any machine that is TC-compliant; that would just motivate the Chinese to use normal PCs instead of TC PCs. You also cause every TC-compliant PC in the world to refuse to read files that have been created using this pirate program. This will put huge pressure on the Chinese. (The precedent is that when spammers started using Chinese accounts, many US ISPs simply blackholed China, which forced the government to crack down on spam.)

The potential for abuse extends far beyond commercial bullying and economic warfare into political censorship. I expect that it will proceed a step at a time. First, some well-intentioned police force will get an order against a pornographic picture of a child, or a manual on how to sabotage railroad signals. All TC-compliant PCs will delete, or perhaps report, these bad documents. Then a litigant in a libel or copyright case will get a civil court order against an offending document; perhaps the Scientologists will seek to blacklist the famous Fishman Affidavit. A dictator's secret police could punish the author of a dissident leaflet by deleting everything she ever created using that system - her new book, her tax return, even her kids' birthday cards - wherever it had ended up. In the West, a court might use confiscation doctrine to `blackhole' a machine that had been used to make a pornographic picture of a child. Once lawyers, policemen and judges realise the potential, the trickle will become a flood.

The modern age only started when Gutenberg invented movable type printing in Europe, which enabled information to be preserved and disseminated even if princes and bishops wanted to ban it. For example, when Wycliffe translated the Bible into English in 1380-1, the Lollard movement he started was suppressed easily; but when Tyndale translated the New Testament in 1524-5, he was able to print over 50,000 copies before they caught him and burned him at the stake. The old order in Europe collapsed, and the modern age began. Societies that tried to control information became uncompetitive, and with the collapse of the Soviet Union it seemed that democratic liberal capitalism had won. But now, TC has placed at risk the priceless inheritance that Gutenberg left us. Electronic books, once published, will be vulnerable; the courts can order them to be unpublished and the TC infrastructure will do the dirty work.

The Soviet Union attempted to register and control all typewriters and fax machines. TC similarly attempts to register and control all computers. The problem is that everything is becoming computerised. We have absolutely no idea where ubiquitous content control mechanisms will lead us.

12. Scary stuff. But can't you just turn it off?

Sure - unless your system administrator configures your machine in such a way that TC is mandatory, you can always turn it off. You can then run your PC as before, and use insecure applications.

There is one small problem, though. If you turn TC off, Fritz won't hand out the keys you need to decrypt your files and run your bank account. Your TC-enabled apps won't work as well, or maybe at all. It will be like switching from Windows to Linux nowadays; you may have more freedom, but end up having less choice. If the TC apps are more attractive to most people, or are more profitable to the app vendors, you may end up simply having to use them - just as many people have to use Microsoft Word because all their friends and colleagues send them documents in Microsoft Word. By 2008, you may find that the costs of turning TC off are simply intolerable.

This has some interesting implications for national security. At a TCG symposium in Berlin, I put it this way: in 2010 President Clinton may have two red buttons on her desk - one that sends the missiles to China, and another that turns off all the PCs in China - and guess which the Chinese will fear the most? (At this point, a heckler from the audience said, `What about the button that turns off the PCs in Europe?') This may be an exaggeration, but it's only a slight one. Technology policy and power politics have been intertwined since the Roman empire, and prudent rulers cannot disregard the strategic implications of TC. It would be rather inconvenient for a government to have to switch all its systems from Windows to GNU/linux, and at the height of an international crisis.

13. So politics and economics are going to be significant here?

Exactly. The biggest profits in IT goods and services markets tend to go to companies that can establish platforms and control compatibility with them, so as to manage the markets in complementary products. A very topical example comes from computer printers. Since the Xerox N24 appeared in 1996, printer makers have been putting authentication chips in ink cartridges, so that printers can recognise third-party or refilled cartridges and refuse to work with them. Cartridge tying is now leading to trade conflict between the USA and Europe. In the USA, a court has granted Lexmark an injunction preventing the sale of cartridges with chips that interoperate with Lexmark's printers. Meanwhile, the European Commission has adopted a Directive on waste electrical and electronic equipment which will force member states to outlaw, by the end of 2007, the circumvention of EU recycling rules by companies who design products with chips to ensure that they cannot be recycled.

This is not just a printer issue. Some mobile phone vendors use embedded authentication chips to check that the phone battery is a genuine part rather than a clone. The Sony Playstation 2 uses similar authentication to ensure that memory cartridges were made by Sony rather than by a low-price competitor. The Microsoft Xbox is no different. But up until now, everyone who wanted to engage in product tying had to come up with his own hardware technology. This could be cheap for hardware product vendors, but was too expensive for most software companies.

TC will enable application software vendors to engage in product tying and similar business strategies to their hearts' content. As the application vendor will control the security policy server, he can dictate the terms under which anyone else's software will be able to interoperate with his own. In the old days, software innovation was fast and furious because there were millions of PCs out there, with data in formats that were understood. So if you thought up a cool new way to manipulate address books, you could write an app that would deal with the half-dozen formats common in PCs, PDAs and phones, and you were in business: you had millions of potential clients. In the future, the owners of these formats will be very strongly tempted to lock them down using TC (`for your privacy') and charge third parties rental to access them. This will be bad for innovation. It's possible because the app policy server enforces arbitrary rules about which other applications will be allowed to use the files a TC app creates.

So a successful TC application will be worth much more money to the software company that controls it, as they can rent out access to their interfaces for whatever the market will bear. So most software developers will enable their applications for TC; and if Windows is the first operating system to support TC, it in turn will get a further competitive advantage over GNU/Linux and MacOS with the developer community.

14. But hang on, doesn't the law give people a right to reverse engineer interfaces for compatibility?

Yes, and this is very important to the functioning of IT goods and services markets; see Samuelson and Scotchmer, ``The Law and Economics of Reverse Engineering,'' Yale Law Journal, May 2002, 1575-1663. In Europe, the EU Software Directive allows EU companies to reverse engineer their competitors' products in order to produce compatible, competing products. But such laws in most cases just give you the right to try, not to succeed. Back when compatibility meant messing around with file formats, there was a real contest - when Word and Word Perfect were fighting for dominance, each tried to read the other's files and make it hard for the other to read its own. But with TC that game is over; without access to the keys, you've had it.

Locking competitors out of application file formats was one of the motivations for TC: see a post by Lucky Green, and go to his talk at Def Con to hear more. It's a tactic that's spreading beyond the computer world. Congress is getting upset at carmakers using data format lockout to stop their customers getting repairs done at independent dealers. And the Microsoft folk say they want TC everywhere, even in your watch. The economic consequences could be globally significant.

15. Can't TC be broken?

The early versions will be vulnerable to anyone with the tools and patience to crack the hardware (e.g., get clear data on the bus between the CPU and the Fritz chip). However, in a few years, the Fritz chip may disappear inside the main processor - let's call it the `Hexium' - and things will get a lot harder. Really serious, well funded opponents will still be able to crack it. But it's likely to go on getting more difficult and expensive.

Also, in many countries, cracking Fritz will be illegal. In the USA the Digital Millennium Copyright Act already does this, while in the EU we will have to deal with the EU Copyright Directive and (if it passes) the draft enforcement directive. (In some countries, the implementation of the Copyright Directive already makes cryptography research technically illegal.)

Also, in many products, compatibility control is already being mixed quite deliberately with copyright control. The Sony Playstation's authentication chips also contain the encryption algorithm for DVD, so that reverse engineers can be accused of circumventing a copyright protection mechanism and hounded under the Digital Millennium Copyright Act. The situation is likely to be messy - and that will favour large firms with big legal budgets.

16. What's the overall economic effect likely to be?

The content industries may gain a bit from cutting music copying - expect Sir Michael Jagger to get very slightly richer. But I expect the most significant economic effect will be to strengthen the position of incumbents in information goods and services markets at the expense of new entrants. This may mean a rise in the market cap of firms like Intel, Microsoft and IBM - but at the expense of innovation and growth generally. Eric von Hippel documents how most of the innovations that spur economic growth are not anticipated by the manufacturers of the platforms on which they are based; and technological change in the IT goods and services markets is usually cumulative. Giving incumbents new ways to make life harder for people trying to develop novel uses for their products is a bad idea.

By centralising economic power, TC will favour large companies over small ones; and TC apps will enable large companies to capture more of the spillover from their economic activities, as with the car companies forcing car-owners to have their maintenance done at authorised dealerships. As most employment growth occurs in the small to medium business sector, this could have consequences for unemployment.

There may also be distinct regional effects. For example, many years of government sponsorship have made Europe's smartcard industry strong, at the cost of crowding out other technological innovation in the region. Senior industry people to whom I have spoken anticipate that once the second phase of TC puts the Fritz functionality in the main processor, this will hammer smartcard sales. Senior TC company people have admitted to me that displacing smartcards from the authentication token market is one of their business goals. Many of the functions that smartcard makers want you to do with a card will instead be done in the Fritz chips of your laptop, your PDA and your mobile phone. If this industry is killed off by TC, Europe could be a significant net loser. Other large sections of the information security industry may also become casualties.

17. Who else will lose?

There will be many places where existing business processes break down in ways that allow copyright owners to extract new rents. For example, I recently applied for planning permission to turn some agricultural land that we own into garden; to do this, we needed to supply our local government with six copies of a 1:1250 map of the field. In the old days, everyone just got a map from the local library and photocopied it. Now, the maps are on a server in the library, with copyright control, and you can get a maximum of four copies of any one sheet. For an individual, that's easy enough to circumvent: buy four copies today and send a friend along tomorrow for the extra two. But businesses that use a lot of maps will end up paying more money to the map companies. This may be a small problem; mutiply it a thousandfold to get some idea of the effect on the overall economy. The net transfers of income and wealth are likely, once more, to be from small firms to large and from new firms to old.

One well-known UK lawyer said that copyright law is only tolerated because it is not enforced against the vast majority of petty infringers. And there will be some particularly high-profile hard-luck cases. I expect that copyright regulations due out later this year in Britain will deprive the blind of the fair-use right to use their screen scraper software to read e-books. Normally, a bureaucratic stupidity like this might not matter much, as people would just ignore it, and the police would not be idiotic enough to prosecute anybody. But if the copyright regulations are enforced by hardware protection mechanisms that are impractical to break, then the blind may lose out seriously. (There are many other marginal groups under similar threat.)

18. Ugh. What else?

TC will undermine the General Public License (GPL), under which many free and open source software products are distributed. The GPL is designed to prevent the fruits of communal voluntary labour being hijacked by private companies for profit. Anyone can use and modify software distributed under this licence, but if you distribute a modified copy, you must make it available to the world, together with the source code so that other people can make subsequent modifications of their own.

IBM and HP have apparently started work on a TC-enhanced version of GNU/linux. This will involve tidying up the code and removing a number of features. To get an evaluation certificate acceptable to TCG, the sponsor will then have to submit the pruned code to an evaluation lab, together with a mass of documentation showing why various known attacks on the code don't work. (The evaluation is at level EAL3 - expensive enough to keep out the free software community, yet lax enough for most commercial software vendors to have a chance to get their lousy code through.) Although the modified program will be covered by the GPL, and the source code will be free to everyone, it will not work in the TC ecosystem unless you have a certificate for it that is specific to the Fritz chip on your own machine. That is what will cost you money (if not at first, then eventually).

You will still be free to make modifications to the modified code, but you won't be able to get a certificate that gets you into the shiny new TC world. Something similar happens with the linux supplied by Sony for the Playstation 2; the console's copy protection mechanisms prevent you from running an altered binary, and from using a number of the hardware features. Even if a philanthropist does a not-for-profit secure GNU/linux, the resulting product would not really be a GPL version of a TC operating system, but a proprietary operating system that the philanthropist could give away free. (There is still the question of who would pay for the user certificates.)

People believed that the GPL made it impossible for a company to come along and steal code that was the result of community effort. This helped make people willing to give up their spare time to write free software for the communal benefit. But TC changes that. Once the majority of PCs on the market are TC-enabled, the GPL won't work as intended. The benefit for Microsoft is not that this will destroy free software directly. The point is this: once people realise that even GPL'led software can be hijacked for commercial purposes, idealistic young programmers will be much less motivated to write free software.

19. I can see that some people will get upset about this.

And there are many other political issues - the transparency of processing of personal data enshrined in the EU data protection directive; the sovereignty issue of whether copyright regulations will be written by national governments, as at present, or an application developer in Portland or Redmond; whether TC will be used by Microsoft as a means of killing off Apache; and whether people will be comfortable about the idea of having their PCs operated, in effect, under remote control - control that could be usurped by courts or by government agencies without their knowledge.

20. But hang on, isn't TC illegal under antitrust law?

In the USA, maybe not. Intel has honed a `platform leadership' strategy, in which they lead industry efforts to develop technologies that will make the PC more useful, such as the PCI bus and USB. Their modus operandi is described in a book by Gawer and Cusumano. Intel sets up a consortium to share the development of the technology, has the founder members put some patents into the pot, publishes a standard, gets some momentum behind it, then licenses it to the industry on the condition that licensees in turn cross-license any interfering patents of their own, at zero cost, to all consortium members.

The positive view of this strategy was that Intel grew the overall market for PCs; the dark side was that they prevented any competitor achieving a dominant position in any technology that might have threatened their dominance of the PC hardware. Thus, Intel could not afford for IBM's microchannel bus to prevail, not just as a competing nexus of the PC platform but also because IBM had no interest in providing the bandwidth needed for the PC to compete with high-end systems. The effect in strategic terms is somewhat similar to the old Roman practice of demolishing all dwellings and cutting down all trees close to their roads or their castles. No competing structure may be allowed near Intel's platform; it must all be levelled into a commons. But a nice, orderly, well-regulated commons: interfaces should be `open but not free'.

This consortium approach has evolved into a highly effective way of skirting antitrust law. So far, the FTC and the Department of Justice do not seem to have been worried about such consortia - so long as the standards are open and accessible to all companies. They may need to become slightly more sophisticated.

As for Europe, the law does explicitly cover consortia, and is being tightened up. There was a conference on TC in Berlin, organised by the German ministry for economics and labour, which heard speakers from the pro- and anti-TC camps state their cases. If you read German, there is a very thorough analysis of the competition policy aspects by Professor Christian Koenig; the executive summary is that TC appears to break European competition law on a number of grounds. Standards groups are allowed as an exemption to cartel law only if they're non-binding, open and non-discriminatory. TCG isn't. It discriminates against non-members; its high membership fees make it hard for small businesses to join; and its use of paid rather than free licensing discriminates against free software. There are also many issues with market power and market interdependence. The EU is about to find Microsoft guilty of trying to extend its monopoly in PCs to servers by keeping interfaces obscure. If interfaces can be locked down by TC mechanisms, that will be worse. TC may also enable Microsoft to extend its monopoly in operating systems to the provision of online music services, or to mobile phone software.

However, law is one thing, and enforcement another. By the end of 2003, the EU should have convicted Microsoft of anti-competitive behaviour over Netscape and over server interfaces. This judgement will come too late to restore Netscape to life or create competition in the browser market. By the time the EU gets round to convicting Microsoft over TC, it will be 2008. By then our society may be addicted to TC, and it may not be politically possible to do anything effective.

21. When is TC going to hit the streets?

It has. The version 1.0 specification was published in 2000. Atmel is already selling a Fritz chip, and you have been able to buy it installed in the IBM Thinkpad series of laptops since May 2002. Some of the existing features in Windows XP and the X-Box are TC features: for example, if you change your PC configuration more than a little, you have to re-register all your software with Redmond. Also, since Windows 2000, Microsoft has been working on certifying all device drivers: if you try to load an unsigned driver, XP will complain. The Enterprise Rights Management stuff is shipping with Windows Server 2003. There is also growing US government interest in the technical standardisation process. TC developers' kits will be available in October 2003, or so we're told. The train is rolling.

22. What's TORA BORA?

This seems to have been an internal Microsoft joke: see the Palladium announcement. The idea is that `Trusted Operating Root Architecture' (Palladium) will stop the `Break Once Run Anywhere' attack, by which they mean that pirated content, once unprotected, can be posted to the net and used by anyone. It will do so by traitor tracing - the technology of ubiquitous censorship.

They seem to have realised since then that this joke might just be in bad taste. At a talk on traitor tracing I attended on the 10th July 2002 at Microsoft Research, the slogan had changed to `BORE-resistance', where BORE standards for `Break Once Run Everywhere'. (By the way, the speaker there described copyright watermarking as `content screening', a term that used to refer to stopping minors seeing pornography: the PR machine is obviously twitching! He also told us that it would not work unless everyone used a trusted operating system. When I asked him whether this meant getting rid of linux he replied that linux users would have to be made to use content screening.)

23. But isn't PC security a good thing?

The question is: security for whom? You might prefer not to have to worry about viruses, but TC won't fix that: viruses exploit the way software applications (such as Microsoft Office and Outlook) use scripting. You might get annoyed by spam, but that won't get fixed either. (Microsoft claimed that it will be fixed, by filtering out all unsigned messages - but you can already configure mail clients to filter out mail from people you don't know and putting it in a folder you scan briefly once a day.) You might be worried about privacy, but TC won't fix that; almost all privacy violations result from the abuse of authorised access, and TC will increase the incentives for companies to collect and trade personal data on you. The medical insurance company that requires you to consent to your data being shared with your employer and with anyone else they can sell it to, isn't going to stop just because their PCs are now officially `secure'. On the contrary, they are likely to sell it even more widely once computers are called `trusted computers'. Economists call this a `social choice trap'. Making something slightly less dangerous, or making it appear less dangerous, often causes people to use it more, or use it carelessly, so that the overall harm increases. The classic example is that Volvo drivers have more accidents.

A mildly charitable view of TC was put forward by the late Roger Needham who directed Microsoft's research in Europe: there are some applications in which you want to constrain the user's actions. For example, you want to stop people fiddling with the odometer on a car before they sell it. Similarly, if you want to do DRM on a PC then you need to treat the user as the enemy.

Seen in these terms, TC does not so much provide security for the user as for the PC vendor, the software supplier, and the content industry. They do not add value for the user, but destroy it. They constrain what you can do with your PC in order to enable application and service vendors to extract more money from you. This is the classic definition of an exploitative cartel - an industry agreement that changes the terms of trade so as to diminish consumer surplus.

24. So why is this called `Trusted Computing'? I don't see why I should trust it at all!

It's almost an in-joke. In the US Department of Defense, a `trusted system or component' is defined as `one which can break the security policy'. This might seem counter-intuitive at first, but just stop to think about it. The mail guard or firewall that stands between a Secret and a Top Secret system can - if it fails - break the security policy that mail should only ever flow from Secret to Top Secret, but never in the other direction. It is therefore trusted to enforce the information flow policy.

Or take a civilian example: suppose you trust your doctor to keep your medical records private. This means that he has access to your records, so he could leak them to the press if he were careless or malicious. You don't trust me to keep your medical records, because I don't have them; regardless of whether I like you or hate you, I can't do anything to affect your policy that your medical records should be confidential. Your doctor can, though; and the fact that he is in a position to harm you is really what is meant (at a system level) when you say that you trust him. You may have a warm feeling about him, or you may just have to trust him because he is the only doctor on the island where you live; no matter, the DoD definition strips away these fuzzy, emotional aspects of `trust' (that can confuse people).

During the late 1990s, as people debated government control over cryptography, Al Gore proposed a `Trusted Third Party' - a service that would keep a copy of your decryption key safe, just in case you (or the FBI, or the NSA) ever needed it. The name was derided as the sort of marketing exercise that saw the Russian colony of East Germany called the `German Democratic Republic'. But it really does chime with DoD thinking. A Trusted Third Party is a third party that can break your security policy.

25. So a `Trusted Computer' is a computer that can break my security?

That's a polite way of putting it.

Ross Anderson


Further reading (roughly in chronological order from July 2002 onwards)

I spoke in public about TC on the 2nd July in Berlin at the "Trusted Computing Group" Symposium; then in Brussels on the 8th July at an event organised by DG Infosoc; then on the 14th July at PODC; then at the Helsinki IPR workshop in August. I'm sure there will be many more. Meanwhile, a version of my economic study of TC has appeared a special issue of Upgrade that deals with IP and computing issues (June 2003). A longer version of the paper deals in detail with many of the issues raised here about competition policy.

Ross Anderson

Cambridge, England