February 2, 1999

INTEL FLAP RAISES CHALLENGES CONCERNING PRIVACY AND AUTHENTICATION

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Intel hasn’t had such trouble on the Internet since late 1994, when a mathematician found that the Pentium’s floating-point division instruction returned wrong answers for certain operands, with the error showing up as early as the fifth significant digit. This time the issue is serial numbers on chips. I haven’t decided whether Intel is guilty of Big Brotherism or just mushy marketing, but the lesson I draw is that society needs a new attitude toward communication and the sanctity of the individual.

The funny thing about the Internet is that it offers neither true privacy nor true verification. It’s almost impossible to be completely anonymous; there are too many surreptitious ways to find out what you’re doing and combine data about you from different sources. But under the current infrastructure it’s also hard to prove who you are to the extent that you can confidently carry out a large purchase or other sensitive transaction.

Appropriately enough, the February 1999 issue of the Communications of the ACM (the journal of the leading professional organization in computing) focuses on Internet privacy. It describes a few of the many clever systems that have been designed to hide who you are and what you do by passing your traffic through proxy computer systems that strip off identifying information.

These systems are comparable to everybody putting hoods over their heads in order to attend a political demonstration. Attaining privacy shouldn’t be so hard or add so much overhead to an already burdened Internet routing system.

But while commercial or government sites can make a good guess as to who carried out a transaction, they can’t produce iron-clad proof. This is the problem of verification or authentication (distinct from authorization, the decision about what an authenticated party is allowed to do, which is what a bank must settle before honoring your online funds transfer), and it is very hard to solve.

You can witness these difficulties personally in all the email messages you’ve received from addresses like lotsacash@win.big. The name on your own email is just as easy to forge, and even the address a packet claims to come from can be faked.

To achieve reliable authentication, both you and your correspondent have to establish relationships with some independent party known as a certificate authority. Each of you generates a pair of keys, one kept secret and one made public; the authority checks who you are and then signs a certificate that binds your name to your public key, and that certificate identifies you to all the world. Anyone who trusts the certificate authority can check its signature on the certificate and then ask you to prove, by signing a fresh challenge, that you hold the matching secret key.

A number of companies, the best known of which is VeriSign, are maneuvering to occupy the crossroads of commerce as certificate authorities. The ones who succeed will enjoy the same name recognition and respect (as well as the same return on investment) as a major bank like Barclay’s.

Underlying both privacy and verification lies the technology of cryptography, which is churning in a political grinder I’ve examined in many earlier columns.

So what did Intel accomplish in their January 20 announcement? Will either problem be solved by their Processor Serial Number innovation? Or will it make them worse?

The new Intel feature is a bit complex, but it is a typical example of computer verification. Intel will burn a unique code into each of its new Pentium III chips. The processor’s existing CPUID instruction, which programs already use to ask what kind of chip they are running on, gains a function that returns this code to a program running on the computer (presumably compiler manufacturers will wrap it in the libraries they distribute to programmers).

A program like a Web browser can then send the code to a remote correspondent, such as an e-commerce site where you want to make a purchase. The e-commerce site will either have a pre-established relationship with you or use a certificate authority to verify you.

On the surface, the chip manufacturer has provided the Open Sesame that exposes the riches of electronic commerce to all. But any approval of Intel’s move on the part of software or Web commerce companies has been drowned out instantly by condemnation from many of the leading experts on privacy.

A boycott of Intel has been organized by the Electronic Privacy Information Center, JunkBusters, and Privacy International. These are not fringe groups. Their representatives are routinely quoted in the world’s major press and have testified before national bodies; last Thursday they brought the Intel controversy to the Federal Trade Commission.

The boycott leaders claim that the Intel serial number will allow detailed tracking of Internet users. Databases will bulge with information on our purchases and surfing habits, fodder for the relatively harmless activity of direct mail or for decisions that deeply affect our lives.

The serial number, according to the boycotting organizations, does more than let companies easily identify a consumer. As a universal identifier, it practically begs organizations to aggregate information from different places and facilitates the kind of malicious impersonation we’ve seen with Social Security numbers.

A very different but equally damning criticism comes from Bruce Schneier, one of the gurus in the field of cryptography. Writing in ZDNetNews, he claims that the serial number provides absolutely no reliability in authentication. His argument is very persuasive.

Imagine that some Web site collects your serial number in order to finish a transaction. A malicious administrator at that site can turn around and do business with a third party, presenting your serial number and claiming to be you. Each serial number is supposed to be retrieved from the processor by the Intel instruction, but how can the third party tell whether it really was? The number arrives from a program on the impersonator’s computer, which is totally under his control, and nothing stops that program from sending any number it likes.

As a result, Schneier warns, “Those who are engaged in illicit activities will subvert the system, while those who don’t know any better will find their privacy violated.”
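To make the contrast between the certificate-authority model described earlier and Schneier’s impersonation argument concrete, here are the two protocols side by side. This is an added example, not code from the column, from Intel or from Schneier. The site names, the account name, and the serial-number value are constructed for the illustration; the RSA is the bare textbook operation with small keys and no padding, so the block runs on the standard library alone and shows the shape of the protocols, not a scheme to deploy.

```python
"""Added example: a static client-sent identifier (the serial-number model) versus a
certificate plus a challenge signed with a private key only the user holds. The RSA
is bare textbook RSA (small keys, no padding) so the block needs only the standard
library; it illustrates the protocol shape, not a scheme to deploy."""
import hashlib
import secrets

# ---- Protocol 1: a static identifier, as a Pentium III serial number would be ----
USER_SERIAL_NUMBER = "0000-0672-0000-1234-5678-9ABC"   # constructed stand-in value

class SerialNumberSite:
    """Identifies a visitor by whatever serial number the visitor's software sends."""
    def __init__(self, accounts):
        self.accounts = accounts   # serial number -> account name
        self.seen = []             # every number presented; the administrator can read it
    def login(self, serial):
        self.seen.append(serial)
        return self.accounts.get(serial)

def demo_serial_replay():
    """True if the shop's administrator can pass as the user at the bank."""
    shop = SerialNumberSite({USER_SERIAL_NUMBER: "alice"})
    bank = SerialNumberSite({USER_SERIAL_NUMBER: "alice"})
    shop.login(USER_SERIAL_NUMBER)               # Alice buys something at the shop
    return bank.login(shop.seen[-1]) == "alice"  # the administrator replays her number

# ---- Protocol 2: certificate authority plus challenge-response ----
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for an illustrative key (n is always a large odd number here)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd and full length
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the public half and the private half."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private_key, message):
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def issue_certificate(ca_private_key, name, public_key):
    """The authority vouches for name <-> key by signing the pair (real certs carry more)."""
    cert = f"{name}|{public_key[0]}|{public_key[1]}".encode()
    return cert, sign(ca_private_key, cert)

class ChallengeSite:
    """Trusts one authority; makes each visitor prove possession of the certified key."""
    def __init__(self, site_name, ca_public_key):
        self.site_name, self.ca_public_key = site_name, ca_public_key
        self.seen = []   # (cert, challenge, response): all the administrator ever gets
    def login(self, cert, ca_sig, respond):
        if not verify(self.ca_public_key, cert, ca_sig):   # unmodified, issued by our CA?
            return None
        name, n, e = cert.decode().split("|")
        # Fresh and bound to this site, so a response captured here is useless elsewhere.
        challenge = f"{self.site_name}|{secrets.token_hex(16)}".encode()
        response = respond(challenge)       # the other end of the connection answers
        self.seen.append((cert, challenge, response))
        return name if verify((int(n), int(e)), challenge, response) else None

def demo_challenge_response():
    """Return (honest_login_ok, administrator_replay_ok)."""
    ca_public, ca_private = generate_keypair()
    alice_public, alice_private = generate_keypair()
    cert, ca_sig = issue_certificate(ca_private, "alice", alice_public)
    shop = ChallengeSite("shop.example", ca_public)
    bank = ChallengeSite("bank.example", ca_public)
    honest = shop.login(cert, ca_sig, lambda ch: sign(alice_private, ch)) == "alice"
    # The shop's administrator holds the certificate and one valid response, but not
    # Alice's private key; replaying the response is all he can do.
    _, _, captured = shop.seen[-1]
    replay = bank.login(cert, ca_sig, lambda ch: captured) == "alice"
    return honest, replay
```

In the first protocol the bank accepts the replayed number, which is exactly Schneier’s point: the identifier is just data the client sends, and anyone who has seen it once can send it again. In the second, the shop’s administrator ends up holding the certificate and a signature, but the certificate is public by design and the signature covers a challenge the bank never issued, so it fails verification there; only Alice’s private key can answer the bank’s fresh challenge, and the administrator never sees it.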

The Intel scheme suffers from many other conceptual problems pointed out by numerous commentators. For instance, people throw out their computers and buy new ones. (At least, Intel hopes they do.) Some computers contain multiple processors. And people move around a lot: the modern computing environment is replete with domains and directories and user profiles and protocols that make it easy to switch from one computer to another.

Multiple people also use a single computer. Would you like to make it easy for your roommate or a repair person in your home to impersonate you? (Actually, they can do so now under the common practice of storing your personal information as a cookie on your computer, which is probably running a non-secure operating system.)

The first component of trust on the Internet is for individual users to be sure the site they’ve surfed to is what it claims to be, and that it will honor its promises. A verification system based on hardware identifiers would not be very useful because large sites keep changing servers—and the problems are more social than technical in any case.

I believe that the serial number will prove most useful for companies, including Microsoft, that are trying to impose tighter product licensing. And this is a terrible application.

Given hardware serial numbers, a software company (or movie studio, or any other content provider eager to exploit the new digital economy) can restrict you to installing your new software on only one system. You would have to register your software with them (submitting your serial number) before using it, and be forced to buy a new copy if you buy a new computer system.

You might not even know about these restrictions till you opened your product, if “shrinkwrap licenses” are codified in the new proposals for the Uniform Commercial Code. But don’t get worked up yet. I don’t think most companies will adopt the licensing practice—even softened by some method of disabling one number and transferring your software to another system, as Microsoft is offering—because the public just won’t stand for it.

Intel is not totally deaf to complaints. It has agreed to make the serial number less attractive by shipping the feature turned off by default and giving the user a way to turn it on. But the capability remains in the silicon, and so does the boycott.

Since no person feels like being tied to a machine, the Intel approach is philosophically wrong. It is time to return to basic principles and establish the requirements for public trust on the Internet.

What we want is reliable anonymity and reliable verification. When we’re peeking at erotic pictures of naked people we’d like to be sure that nobody knows. When we change hats and buy a copy of “The Full Monty” online, we need more of an infrastructure for verification, but only enough so that we can pay with digital cash and (if we choose) remain anonymous. When we sign a contract, we want to verify the identity of both sides beyond reasonable doubt.

What we don’t want is soft surveillance, a foggy sense of being tracked and monitored, the shock of confronting an earlier instantiation of ourselves in a compromising situation. Data collection has to be explicit and tied to a purpose (which is the goal of the well-known European Community Directive on Data Protection).

As the research results in the Communications of the ACM suggest, these goals are mutually achievable. They take a commitment on the part of software companies to create the technology, of Internet servers to install it, of governments to punish infractions, and of the general public not to be hornswoggled.

Yes, I know the goals raise problems. The field of computer security is a continuous wrestling match. New leaks pop up in communication pipes as old ones are patched.

There are people who exploit anonymity to organize illegal and dangerous activities. Yet the negative results of these activities usually take place in the real world, through crimes and transactions of physical products, and can be caught there.

I think the most serious misuse of electronic networks will turn out not to involve drugs, pornography, or weapons of mass destruction. It will involve money-laundering and other illicit transfers of funds to avoid taxation or the discovery of illegality. These reprobate activities will always be hard to prosecute, because they are so lucrative that they are accompanied almost automatically by sophisticated evasive techniques and corruption.

Certificate authorities for verification also present risks. Having control over commerce and contracts, these authorities will start to set standards and turn into de facto administrators of key Internet functions. Many have criticized the new body tasked with control over Internet names and numbers for overreaching its authority; the same problems will come up in spades with certificate authorities.

But we can’t reverse course 180 degrees. We have to face the challenges openly. And we can do so only if we embrace anonymity as well as verification for all.


Editor, O’Reilly Media