Does Trusted Computing provide security for users or from them?


Mountain View (CA) - Throughout the past two decades, Bruce Schneier has provided one of the most well-reasoned, clear, and unbiased perspectives regarding the broad and complex topic of implementing security and trust in computer systems and networks. Schneier co-developed the widely used Twofish encryption algorithm, authored 1995's ground-breaking Applied Cryptography - which defined how crypto could be used reliably for authentication and communication - and founded network security provider Counterpane, where he currently serves as CTO. But his life's mission of late has been to cast a skeptical eye upon any and every measure that purports to solve the overall problem of security, even from a personal vantage point.

Counterpane CTO Bruce Schneier

So when Schneier proclaims there's something he actually fears, alarm bells should sound. Three years ago, for his Crypto-Gram Newsletter, he wrote the following about the Trusted Computing Platform, which was then championed by Microsoft, and was then referred to by its code-name, "Palladium," or "Pd" for short:

My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet. To the extent that Pd facilitates that reality, it's bad for society. I don't mind companies selling, renting, or licensing things to me, but the loss of the power, reach, and flexibility of the computer is too great a price to pay.

Last week, the Trusted Computing Group, which currently leads the development of the platform, announced its extension into the realm of cell phones and mobile devices, where broadband content will eventually be delivered. In the wake of this development, I called Bruce to discuss the current state of his fear, and whether individuals have open to them the kind of sensible, practical solutions that he generally advocates. I didn't hear what I wanted to hear, but it was a fruitful conversation, nonetheless. Be advised: The opinions you'll read in this transcript - of which there are many - are not necessarily those of our respective benefactors.

TG Daily: It's easy to say that the basis of Mobile Trusted Computing is to serve the interests of users, essentially by putting security features on a secure base, getting them off of something that can be overwritten. I think that's something you've advocated, going back years and years. But whenever we pry more deeply into who's behind this movement...

Bruce Schneier: That's the problem with Trusted Computing. Is it security for the users, or security from the users? Unfortunately, the spec works both ways. It depends on how it's implemented. So my big fear of Trusted Computing is that it's being sold as security for the users, but will turn into security from the users.

TG Daily: Who would be most responsible for turning it into security from the users, if that were to happen?

Schneier: Software companies, media companies. This isn't a hard question. Those who care. Those who feel like they have something to fear from the users.

TG Daily: Well, what are they fearing besides piracy?

Schneier: What else is there besides piracy?

TG Daily: Is that the only thing?

Schneier: Yeah. Piracy, and maybe any of the pay-to-use models that they might want to implement.

It's very much a baby/bathwater thing going on: In their zeal to stamp out piracy, the media companies might actually stamp out computing. They don't want you to have computers; they want you to have Internet entertainment platforms. To the extent that you have a fully programmable computer, that's a danger, because you could do things that are unauthorized by whoever wants to start giving out authorization... It's not like a television, where you do what we tell you to do. So there's very much a clash of philosophies going on.

TG Daily: I'm not exactly a Luddite here, but I don't particularly want my computer to become an entertainment platform.

Schneier: I don't, either.

TG Daily: So what's wrong with me and you being able to tell 20th Century-Fox, in essence, "Hands off, guys?"

Schneier: Nothing's wrong with it; question is, will it work? I told the Republicans, "Hands off, guys;" that didn't work. We live in a capitalist democratic society. I tell my cell phone company I want better reception all the time; it doesn't work. Telling someone only has value if you can actually back it up. If you're dealing with a monopoly or oligopoly situation, you don't have the choice. The way we tell companies is with our buying dollars. But if the cell phone companies are all alike, and nobody's competing on quality of service, then it doesn't matter that I don't like the service.