Yes, Trusted Computing Is Used For DRMDo you trust Microsoft and the TCG more than your own employees and business partners?
Ever since the Trusted Computing Group went public about its plan
to put a security chip inside every PC, its members have been denying
that the group is really a thinly disguised conspiracy to embed DRM
everywhere. IBM and Microsoft have instead stressed genuinely useful
applications, like signing programs to be certain they don’t
contain a rootkit. But at this week’s RSA show, Lenovo showed
off a system that does use the chips for DRM after all.
The system is particularly frightening because it looks so simple.
There’s no 20-digit software key to type in, no dongle to
attach to the printer port, no XP-style activation. (Is this what
Bill Gates was thinking of when he said
in his keynote that security needs to be easier to use?) The user
interface is just a Thinkpad, albeit one of the new models with an
integrated fingerprint sensor.
When someone tries to open a DRM-restricted document (in this
case, a PDF file: break that DRM and go
to jail), Lenovo software asks the user to swipe a finger across
the sensor. My finger results in an access denied message; the Lenovo
security guy’s finger opens the document.
If you’ve ever had a laptop stolen, this might sound useful.
It is. In fact, encrypting
hard disks or individual files is the main use that most vendors
are promoting for the chip. Thinkpads have been able to do that since
their IBM days, and now most other laptops can too. You can probably
try it out by downloading software from your laptop manufacturer’s
site, and Microsoft is building similar functionality into Vista as
Palladium NGSCB Secure Startup BitLocker.
The fingerprint sensor is also a good thing, if it’s just
used for encryption. It’s even good
for privacy: It means that network servers can authenticate you
based on your fingerprint, without sending any fingerprint data over
the network. (How? You authenticate
to the chip in your laptop with your fingerprint, then the chip
authenticates to the server with a digital certificate.)
But DRM goes beyond encryption. In the system that Lenovo
demonstrated, the decision about who can do what with the file is
made by whoever generates the PDF, not by the person or
organization that owns the laptop. According to Lenovo, the system is
also aimed at tracking who reads a document and when, because the
chip can report back every access attempt. If you access the file,
your fingerprint is recorded.
That might also sound useful, provided of course that you’re
the one doing the recording and restricting. (I’d love to be
Big Brother! Wouldn’t we all?) The problem is that you won’t
be. Even if we forget about media companies for the moment, and
assume that DRM is just for businesses that need to protect their
sensitive documents from disclosure by employees or outsourcing
partners, it’s still a bad tradeoff.
A DRM system may seem to empower whoever is setting the
restrictions (in this case, the PDF creator), but that’s just
power by proxy. The real control lies with the hardware and software
companies. They’re the ones who actually enforce the DRM and
have the encryption keys, so they can hold your
data to ransom.
DRM customers are already locked into a single vendor: A
DRM-restricted Word document can only be read by Word (not OO.org,
or Writely), just as a
DRM-restricted iTunes download can only be played on an iPod. Present
versions of Word and iTunes still let customers escape by using the
Windows clipboard or a CD burner, but that capability can be removed
at any time.
Relying on DRM means trusting all the vendors involved (in this
case, Microsoft, Adobe, Lenovo and its component suppliers) more than
you trust the users of the system. You need to trust the vendors both
morally and practically: Can Microsoft be trusted not to abuse its
power? And can Microsoft be trusted to develop a system that isn’t
full of security holes?
If you’re a movie studio or a record label, the users are
your customers. You probably do trust Microsoft and the TCG more than
your customers, so DRM might make sense. But if you’re an
organization seeking to protect sensitive data, the users are your
own employees and business partners. Are they really less trustworthy
than Microsoft, its employees and its business partners?
Do you trust Microsoft and the TCG more than your own employees and business partners?