
Vernor Vinge has written what sounds like a very interesting new novel called Rainbows End; I haven't gotten ahold of it yet. One of the conceits of the novel is that all sorts of entities with an interest in various sorts of regulation and surveillance have gotten together and produced a common technological platform built into hardware to assist in surveillance and remote control of devices.

Reviewers have noticed that Vinge's idea must have been inspired by trusted computing (and some regulatory proposals, and some dystopian suggestions about trusted computing applications, perhaps including Lucky Green's and John Walker's).

In a review in the Guardian, Wendy Grossman picks up on this parallel:

As novelist Doris Lessing has observed, barons on opposite sides of the river don't need to be in cahoots if their interests coincide. In our case, defence, homeland security, financial crime enforcement, police, tax collectors and intellectual property rights holders offer reasons to want to control the hardware we use. Then there are geeks, who can be tempted to forget the consequences if the technology is cool enough. Vinge quotes the most famous line from the comic strip Pogo: "We have met the enemy, and he is us."

Vinge's technology to satisfy these groups' dreams is the Secure Hardware Environment (She), which dedicates some bandwidth and a small portion of every semiconductor for regulatory use. Deployment is progressive, as standards are implemented. Built into new chips, She will spread inevitably through its predecessors' obsolescence.

This part is terribly plausible. It sounds much like the Trusted Computing Platform, implemented in Intel chips and built into machines from Dell, Fujitsu-Siemens and others. Most people don't realise their new computer contains a chip designed to block the operation of any software not certified by the group. Now enhance that and build it into RFID chips, networked embedded systems, shrink and distribute as "smart dust". All are current trends or works in progress.

I just wrote the following response to this description of TCG's trusted computing work:

I agree that there are some trends pointing in the direction that Vernor Vinge outlines, but this description of TCG is not quite right.

What the TPM does do is support remote attestation so that a computer user can tell the computer to prove to a remote party what software it is running (if the software that's running also supports being proven in a way that the remote party understands). Then the remote party can make its own decision about whether the software is good or bad, and what it wants to do about that.

This sounds innocuous in a certain sense. We have learned to mistrust the notion of a single centralized entity that decides what we can and can't do. TCG is not that entity, and TCG is not chartering that entity; instead, we have an unlimited number of entities that potentially make their own decisions, on various scales, about what we can and can't do in particular contexts, small and large. (We don't know yet which of those entities will turn out to have enough power to set which kinds of policies, or how the network externalities will shake out. Some entities with a lot of power, like Microsoft, can try to delegate some of their power, but there are plenty of technical and business obstacles to be worked out on both sides of that sort of delegation.)

The user could also choose not to offer any proof at all; however, although the user has the right to remain silent, the user's silence can and will be used against her. Not offering proof is, of necessity, the functional equivalent of offering proof of the most unacceptable and contrary-to-policy facts imaginable.

That does offer an avenue for a lot of control over you via your computer -- if someone else controls a resource that you need, there is a prospect of conditioning your access to that resource upon the provision of proof that you're running software that the resource controller considers "good". Not TCG, but the individual entities that you deal with: a bank, an entertainment company, an employer, an ISP. Furthermore, each of them could have its own independent definition of what "good" means, because there is no central signing or certifying authority. It is logically quite possible that one entity might refuse to talk to you if you're running configuration A instead of B, whereas another entity would refuse to talk to you if you're running B instead of A. (This is trivially true if each entity gave you a bootable CD and said "you can only communicate with us while you're running from our CD" -- with a TPM and the appropriate software, they can actually tell, and you probably can't fool them.)

The ISP scenario is the point at which the most pervasive possible control could be exercised. TCG has already developed a specification called Trusted Network Connect which is based on the idea that you can be forbidden to connect to a network unless you're running a software configuration that the network operator approves. This is designed for use in corporations, most of which are accustomed to having a high (but imperfect) degree of control over the software running on their employees' PCs. Of course, the technology is more general, and, as TCG told me, there is nothing to stop it from being used by the People's Republic of China, or by a commercial ISP.

Imposing this requirement on a general population has a very high cost; for one thing, it means forbidding them to use (on the network) any computer without a TPM chip. For another, TNC (like all current-generation attestation applications) doesn't deal well with heterogeneity of hardware or software platforms; each supported platform and configuration will require the network operator to do a lot of research to figure out exactly what it ought to look like. Therefore, a commercial ISP that implemented a TNC restriction today would effectively be banning almost all of its users from its network -- which would certainly lead those users to decamp to rival ISPs.
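To make the structure of the preceding paragraphs concrete, here is an added Python sketch (not from the original post, and not TCG's or any vendor's code) of attestation as a verifier-side policy decision. The measurement side is modelled as a TPM 1.2-style PCR extend chain (SHA-1 hash chaining over the boot components); each relying party keeps its own allowlist of expected final PCR values and decides independently. The component names, the two relying parties ("bank" and "employer") and their contradictory policies are constructed for the example. A real attestation also needs the TPM's signature over the PCR values under an attestation identity key and a verifier-supplied nonce against replay, which this model omits.

```python
"""Toy model of remote attestation as a verifier-side policy decision.

Added example, not code from the original post or from TCG. Measurement is a
TPM-1.2-style PCR extend chain (SHA-1); each relying party holds an allowlist
of expected final PCR values. Omitted: the TPM's signature over the PCR values
under an attestation identity key, and the verifier's anti-replay nonce.
"""
import hashlib
from typing import Dict, Optional, Sequence

PCR_INIT = b"\x00" * 20  # a PCR starts as all zeros at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA1(old || SHA1(component)).

    Order-sensitive, and there is no operation that sets a PCR back to an
    arbitrary value, so software cannot forge a measurement it did not run.
    """
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: Sequence[bytes]) -> bytes:
    """Measure each component of a boot chain, in order, into one PCR."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


# Constructed stand-ins for firmware, bootloader, OS and media-player images.
CONFIG_A = (b"firmware-1.0", b"bootloader-1.0", b"os-vendor-5.1", b"player-approved-2.0")
CONFIG_B = (b"firmware-1.0", b"bootloader-1.0", b"os-libre-3.2", b"player-free-0.9")
# A benign point release that no operator has measured yet (heterogeneity).
CONFIG_C = (b"firmware-1.0", b"bootloader-1.0", b"os-libre-3.3", b"player-free-0.9")
# Config A with a locally patched player: one changed component changes the PCR.
CONFIG_A_PATCHED = CONFIG_A[:3] + (b"player-approved-2.0-patched",)


class RelyingParty:
    """One entity that controls a resource and sets its own policy.

    There is no central certifying authority: each party keeps its own
    allowlist, and must precompute an expected value for every configuration
    it is willing to accept.
    """

    def __init__(self, name: str, accepted: Sequence[Sequence[bytes]]) -> None:
        self.name = name
        self.allowlist = {measure_boot(cfg) for cfg in accepted}

    def decide(self, attested_pcr: Optional[bytes]) -> bool:
        # Declining to attest is treated exactly like an unacceptable config.
        if attested_pcr is None:
            return False
        return attested_pcr in self.allowlist


# Two relying parties with contradictory policies (the A-versus-B case).
BANK = RelyingParty("bank", [CONFIG_A])
EMPLOYER = RelyingParty("employer", [CONFIG_B])
PARTIES = (BANK, EMPLOYER)


def access(components: Optional[Sequence[bytes]]) -> Dict[str, bool]:
    """Which parties will talk to a machine booted into `components`.

    None means the user declines to attest at all.
    """
    pcr = None if components is None else measure_boot(components)
    return {party.name: party.decide(pcr) for party in PARTIES}


if __name__ == "__main__":
    cases = [("A", CONFIG_A), ("B", CONFIG_B), ("C", CONFIG_C),
             ("A-patched", CONFIG_A_PATCHED), ("silent", None)]
    for label, cfg in cases:
        print(f"{label:10} {access(cfg)}")
```

Running it shows the three points of the text in one table: configuration A is accepted by the bank and refused by the employer, B the reverse, and the unmeasured point release C, the patched player, and the silent user are all refused by both. Nothing in the model stops the machine from booting any of these configurations; the only thing that changes is which resource controllers will deal with it afterwards.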

It's possible to imagine scenarios under which the use of TNC or some equivalent on commercial ISP networks would become widespread, but they aren't imminent. Nonetheless, the technology does support in principle the idea of banning users from a particular network or set of networks for running unapproved software (as defined by the network operator). It does not support the idea of banning them from running such software at all. TCG offers, in effect, a starting point for a language (and inspection mechanism) for enforcing policy in interactions with a particular set of power relationships, but not for enforcing policy globally in the abstract. (I don't think the computer manufacturers would have signed on in the latter case; they don't want to put all their eggs in one basket by eliminating the general-purpose nature of the PC. So we now have to think not just of whether a PC is general-purpose -- sure it is -- but whether it's general-purpose in a particular context of a particular application, and who gets to decide and in how much detail what purpose it will be put to. Users, for instance, might want the ability to run "arbitrary code", but they don't want to run arbitrary code; if they have a sufficiently sophisticated mental model of the computer, they want to be the arbiters!)

(The DRM application would come in if you had to prove that you had a particular OS, version, and set of media software in order to be permitted to download or "stream" a movie, for example. There is nothing preventing you from altering them or using different software instead, but, if you do, your access to download could be restricted until you reverse the modifications.)


Contact: Seth David Schoen