Trusted Computing: Trusted by Whom?

[originally written 12-Apr-2000]

Last year Intel, Microsoft, and a bunch of other companies quietly formed a new initiative, the Trusted Computing Platform Alliance, to improve "trust" in personal computers.

I was alerted to this by an article in The Register:

Intel, MS, other names face fresh privacy row

TCPA has published a FAQ, several white papers, and some specs.

Of course, what they don't clearly say is that it's not to improve the customer's trust, but the content-providers. In fact, the real point is to make the computer secure against the customer. Just as Intel explicitly stated about the PIII serial number:

"This is a new focus for the security community, [...] The actual user of the PC -- someone who can do anything they want -- is the enemy."
-- David Aucsmith, security architect for Intel, as quoted in an article by Robert Lemos of ZD Network News, Feburary 25, 1999

This makes me shudder every time I hear the Intel jingle in a radio ad. How many other Fortune-500 companies consider the end-user of their product to be the enemy? And do you really want to use products from such a company?

You might think that I don't have to worry about this since I use open-source software. But if this crap is actually successful, eventually a commodity PC will be unable to boot an open-source operating system, because it won't be able to authenticate it. Similarly, Windows would probably refuse to boot on an untrusted PC. Will we get to the point where open-source operating systems and commercial operating systems actually require different hardware platforms?

Intel's been making noises for years about building this sort of BS into their chipsets, but will they actually move it into the processors? Then Microsoft's "Designed for Windows" logo on the chips will actually mean something significant.

I guess if the RIAA and MPAA get their way, eventually I won't buy any more music and movies, because I won't be able to play them.

Update, 14-July-2002

The TCPA claims that verification of code signatures is not part of their current spec. But it's certainly part of Microsoft's Palladium, which carries the TCPA ideas even further. (Note that the Newsweek article by Steven Levy mysteriously disappeared from MSNBC!)

Microsoft offers a Palladium Q&A document.

TCPA and Palladium may not be "mandatory", but how long will it be before you can't use most Internet resources without being "trusted", just as today there are many web sites that only work with Microsoft's Internet Explorer?

Ross Anderson has written a good TCPA/Palladium FAQ.

Richard Stallman has written an article "Can you trust your computer?" detailing the reasons "Trusted Computing" is bad, and could better be termed "Treacherous Computing".

home Back to Eric's home page

Last updated October 22, 2002

Copyright 2000, 2002 Eric Smith

Best Viewed With Any Browser Valid HTML 4.01! check now