TCPA / Palladium Frequently Asked Questions

Version 0.1 26 June 2002

Please revisit this page shortly - I'm working on version 1.0 which should be ready during the week of the 8th July. There is also a Spanish version.

1. What are TCPA and Palladium?

TCPA stands for the Trusted Computing Platform Alliance (TCPA), an initiative led by Intel. Their website is here. Their stated goal is `a new computing platform for the next century that will provide for improved trust in the PC platform.' Palladium appears to be a Microsoft version which will be rolled out in future versions of Windows, will build on TCPA hardware, and will add some extra features. The Palladium announcement appears to have been provoked by a paper I presented on the security issues relating to open source and free software at a conference on Open Source Software Economics in Toulouse on the 20th June. This paper criticised TCPA as anticompetitive. This has been amply confirmed by new revelations over the past few days.

2. What does TCPA / Palladium do, in ordinary English?

Its obvious application is to embed digital rights management (DRM) technology in the PC. The less obvious implications include making it easier for application software vendors to lock in their users.

3. So I won't be able to play MP3s on my PC any more?

With existing MP3s, you may be all right for some time. But in future, TCPA / Palladium will make it easier to sell music, movies, books and other content packaged so that people can play them on their PCs but not copy them. You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back. Quite possibly you will not be able to lend music at all. (It looks likely that the music publisher will be able to make the rules - and to change them at will by remote control.)

4. How does it work?

TCPA provides for a monitoring component to be mounted in future PCs. The likely implementation in the first phase of TCPA is a `Fritz' chip - a smartcard chip or dongle soldered to the motherboard.

When you boot up your PC, Fritz takes charge. He checks that the boot ROM is as expected, executes it, measures the state of the machine; then checks the first part of the operating system, loads and executes it, checks the state of the machine; and so on. The trust boundary, of hardware and software considered to be known and verified, is steadily expanded. A table is maintained of the hardware (audio card, video card etc) and the software (O/S, drivers, etc); if there are significant changes, the machine must be re-certified. The result is a PC booted into a known state with an approved combination of hardware and software. Control is then handed over to enforcement software in the operating system - this is presumably Palladium if your operating system in Windows.

Once the machine is in this state, Fritz can certify it to third parties: for example, he will do an authentication protocol with Disney to prove that his machine is a suitable recipient of `Snow White'. The Disney server then sends encrypted data, with a key that Fritz will use to unseal it. Fritz makes the key available only so long as the environment remains `trustworthy'. For this purpose, `trustworthy' means that the media player application won't make any unauthorised copies of content.

5. What else can TCPA and Palladium be used for?

TCPA can be used to implement much stronger access controls on confidential documents. For example, you might arrange that your soldiers can only create word processing documents marked at `confidential' or above, and that only a TCPA PC with a certificate issued by your own armed forces can read such a document. This is called `mandatory access control', and governments are keen on it. The Palladium announcement implies that the Microsoft product will support this. Once TCPA is widespread, corporations can do this too - and so, for that matter, can the Mafia. This can make life harder for spies, corporate whistleblowers, and FBI agents alike (though it is always possible that the FBI will get some kind of access to master keys). A whistleblower who emails a document to a journalist will achieve little, as the journalist's Fritz chip won't give him the key to decipher it.

6. This all seems on balance fairly worthwhile. But surely Intel are not investing all this money just for charity? How do they propose to make money out of it?

My spies at Intel tell me that it was a defensive play. As they make most of their money from PC microprocessors, and have most of the market, they can only grow their company by increasing the size of the market. They are determined that the PC will be the hub of the future home network. If entertainment is the killer application, and DRM is going to be the critical enabling technology, then the PC has to do DRM or risk being displaced in the home market.

7. Where did the idea come from?

It first appeared in a paper by Bill Arbaugh, Dave Farber and Jonathan Smith, ``A Secure and Reliable Bootstrap Architecture'', in the proceedings of the IEEE Symposium on Security and Privacy (1997) pp 65-71. It led to a US patent: ``Secure and Reliable Bootstrap Architecture'', U.S. Patent No. 6,185,678, February 6th, 2001. Jonathan's thinking came from work done at Cambridge while he was here on sabbatical in 1996(ish): see here for the most relevant published work.

The basic idea, of a specially trusted `reference monitor' that supervises a computer's access control functions, goes back to the early 1970s and has been a feature of US military secure systems thinking since then.

8. How is this related to the Pentium 3 serial number?

Intel started an earlier program in about 1997 that would have put the functionality of the Fritz chip inside the main PC processor, or the cache controller chip, by 2000. The Pentium serial number was a first step on the way. The adverse public reaction seems to have caused them to pause, set up a consortium with Microsoft and others, and seek safety in numbers.

9. Why call the monitor chip a `Fritz' chip?

In honour of Senator Fritz Hollings of South Carolina, who is working tirelessly in Congress to make TCPA a mandatory part of all consumer electronics.

10. OK, so TCPA stops kids ripping off music and will help companies keep data confidential. It may help the Mafia too, but apart from the pirates, the industrial spies and the FBI, who has a problem with it?

A lot of companies stand to lose out. For example, the European smartcard industry may be hurt, as the functions now provided by their products migrate into the Fritz chips in peoples' laptops, PDAs and third generation mobile phones. In fact, much of the information security industry may be upset if TCPA takes off.

But there are much deeper problems. The fundamental issue is that whoever controls the Fritz chips will acquire a huge amount of power. There are many ways in which this power could be abused, and Intel has refused to answer questions on the governance of the TCPA consortium.

11. How can TCPA be abused?

One of the worries is censorship. An application enabled for TCPA, such as a media player or word processor, will typically have its security policy administered remotely by a server. This is so that content owners can react to new piracy techniques. However, the mechanisms might also be used for censorship.

For example, the police could get an order against a specific pornographic picture of a child, and cause the policy servers to instruct all PCs under their control to search for it and notify them if it were found. As another example, the scientologists have a record of getting courts to give them injunctions against their critics. In future, if they can convince a court that a certain document should be banned, they might also get an order against a policy server.

12. Scary stuff. But can't you just turn it off?

Sure - one feature of TCPA is that the user can always turn it off. But then your TCPA-enabled applications won't work, or won't work as well. It will be like switching from Windows to Linux nowadays; you may have more freedom, but end up having less choice. If the applications that use TCPA / Palladium are more attractive to the majority of people, you may end up simply having to use them - just as many people have to use Microsoft Word because all their friends and colleagues send them documents in Microsoft Word.

13. So economics are going to be significant here?

Exactly. The biggest profits in IT goods and services markets tend to go to companies that can establish platforms (such as Windows, or Word) and control compatibility with them, so as to manage the markets in complementary products. For example, some mobile phone vendors use challenge-response authentication to check that the phone battery is a genuine part rather than a clone - in which case, the phone will refuse to recharge it, and may even drain it as quickly as possible. Some printers authenticate their toner cartridges electronically; if you use a cheap substitute, the printer silently downgrades from 1200 dpi to 300 dpi. The Sony Playstation 2 uses similar authentication to ensure that memory cartridges were made by Sony rather than by a low-price competitor.

TCPA appears designed to maximise the effect, and thus the economic power, of such plays. Given Microsoft's record of competitive strategic plays, I expect that Palladium will support them. So if you control a TCPA-enabled application, then your policy server can enforce your choice of rules about which other applications will be allowed to use the files your code creates. These files can be protected using strong cryptography, with keys controlled by the Fritz chips on everybody's machines. What this means is that a successful TCPA-enabled application will be worth much more money to the software company that controls it, as they can rent out access to their interfaces for whatever the market will bear. So there will be huge pressures on software developers to enable their applications for TCPA; and if Palladium is the first operating system to support TCPA, this will give it a competitive advantage over GNU/Linux and MacOS with the developer community.

14. But hang on, doesn't the law give people a right to reverse engineer interfaces for compatibility?

Yes, and this is very important to the functioning of IT goods and services markets; see Samuelson and Scotchmer, ``The Law and Economics of Reverse Engineering'', Yale Law Journal, May 2002, 1575-1663. But the law in most cases just gives you the right to try, not to succeed. Back when compatibility meant messing around with file formats, there was a real contest - when Word and Word Perfect were fighting for dominance, each tried to read the other's files and make it hard for the other to read its own. However, with TCPA that game is over; without access to the keys, or some means of breaking into the chips, you've had it. (Locking competitors out of application file formats was one of the motivations for TCPA: see a post by Lucky Green.)

15. So can't TCPA be broken?

The early versions will be vulnerable to anyone with the tools and patience to crack the hardware (e.g., get clear data on the bus between the CPU and the Fritz chip). However, from phase 2, the Fritz chip will disappear inside the main processor - let's call it the `Hexium' - and things will get a lot harder. Really serious, well funded opponents will still be able to crack it. However, it's likely to go on getting more difficult and expensive.

Also, in many countries, cracking Fritz will be illegal. In the USA the Digital Millennium Copyright Act already does this, while in the EU the situation may vary from one country to another, depending on the way national regulations implement the EU Copyright Directive.

Also, in many products, compatibility control is already being mixed quite deliberately with copyright control. The Sony Playstation's authentication chips also contain the encryption algorithm for DVD, so that reverse engineers can be accused of circumventing a copyright protection mechanism and hounded under the Digital Millennium Copyright Act. The situation is likely to be messy - and that will favour large firms with big legal budgets.

16. What's the overall economic effect likely to be?

The content industries may gain a bit from cutting music copying - expect Sir Michael Jagger to get very slightly richer. But I expect the most significant economic effect will be to strengthen the position of incumbents in information goods and services markets at the expense of new entrants. This may mean a rise in the market cap of firms like Intel, Microsoft and IBM - but at the expense of innovation and growth generally. The majority of the innovations that spur economic growth are not anticipated by the manufacturers of the platforms on which they are based; and technological change in the IT goods and services markets is usually cumulative. Giving incumbents new ways to make life harder for people trying to develop novel uses for their products will create all sorts of traps and perverse incentives.

There may also be distinct regional effects. For example, many years of government sponsorship have made Europe's smartcard industry strong, at the cost of crowding out other innovation. Senior industry people to whom I have spoken anticipate that once the second phase of TCPA puts the Fritz functionality in the main processor, this will hammer smartcard sales. Many of the functions that smartcard makers want you to do with a card will instead be done in the Fritz chips of your laptop, your PDA and your mobile phone. If this industry becomes a casualty of TCPA, Europe could be a significant net loser. Other large sections of the information security industry may also become casualties.

17. Who else will lose?

We expect that copyright regulations due out later this year in Britain will deprive the blind of the fair-use right to use their screen scraper software to read e-books. Normally, a bureaucratic stupidity like this might not matter much, as people would just ignore it, and the police would not be idiotic enough to prosecute anybody. But if the copyright regulations are enforced by hardware protection mechanisms that are impractical to break, then the blind may lose out seriously. (There are many other marginal groups under similar threat.)

18. Ugh. What else?

TCPA may undermine the General Public License (GPL), the license under which many free and open source software products are distributed. The GPL is designed to prevent the fruits of communal voluntary labour being hijacked by private companies for profit. Anyone can use and modify software distributed under this licence, but if you distribute a modified copy, you must make it available to the world for free.

At least one company has started a development program to produce a TCPA-enhanced version of GNU/linux. How could they make money out of this? Well, making a TCPA version of the product will involve tidying up the code and removing a number of features. The sponsor will then submit the pruned code to an evaluation lab, together with a mass of documentation for the work that's been done, including a whole lot of analyses showing why various known attacks on the code don't work.

The trick is this. Although the modified program will be covered by the GPL, and will be free to everyone, it will not make full use of the TCPA features unless you have it signed, and have a certificate that enables you to use the TCPA Public Key Infrastructure (PKI). That is what will cost you money (if not at first, then eventually).

You will still be free to make modifications to the modified code, but you won't be able to sign the resulting code (at least, not with a key that will make third parties trust the code). Something similar happens with the linux supplied by Sony for the Playstation 2; the console's copy protection mechanisms prevent you from running an altered binary, and from using a number of the hardware features. Even if a philanthropist does a not-for-profit secure linux, the resulting product would not really be a GPL version of a TCPA operating system, but a proprietary operating system that the philanthropist could give away free. (There are still issues about who would pay for use of the PKI that hands out user certs.)

People believed that the GPL made it impossible for a company to come along and steal code that was the result of community effort. That may have been the case so long as the processor was open, and anyone could access supervisor mode. But TCPA changes that. Once the majority of PCs on the market are TCPA-enabled, the GPL won't work as intended.

19. I can see that some people will get upset about this.

And there are many other political issues -- the transparency of processing of personal data enshrined in the EU data protection directive; the sovereignty issue, of whether copyright regulations will be written by national governments, as at present, or an application developer in Portland or Redmond; whether TCPA will be used by Microsoft as a means of killing off competitors such as Apache; and whether people will be comfortable about the idea of having their PCs operated, in effect, under remote control -- control that could be usurped by courts or government agencies without their knowledge.

20. But hang on, isn't TCPA illegal under antitrust law?

Intel has honed a `platform leadership' strategy, in which they lead industry efforts to develop technologies that will make the PC more useful, such as the PCI bus and USB. Their modus operandi is to set up a consortium to share the development of the technology, have the founder members of the consortium put some IP into the pot, publish a standard, get some momentum behind it, then license it to the industry on the condition that licensees in turn cross-license any interfering IP of their own, at zero cost, to all corsortium members.

The positive view of this strategy was that Intel grew the overall market for PCs; the dark side was that they prevented any competitor achieving a dominant position in any technology that might have threatened Intel's dominance of the PC hardware. Thus, Intel could not afford for IBM's microchannel bus to prevail, not just as a competing nexus of the PC platform but also because IBM had no interest in providing the bandwidth needed for the PC to compete with high-end systems. The effect in strategic terms is somewhat similar to the old Roman practice of demolishing all dwellings and cutting down all trees close to their roads or their castles. No competing structure may be allowed near Intel's platform; it must all be levelled into a commons. But a nice, orderly, well-regulated commons: interfaces should be `open but not free'.

The consortium approach has evolved into a highly effective way of skirting antitrust law. So far, the authories do not seem to have been worried about such consortia - so long as the standards are open and accessible to all companies. They may need to become slightly more sophisticated.

21. When is this going to hit the streets?

It has. The first specification was published in 2000. In May, IBM launched the T-30 version of the Thinkpad which can be bought with a TCPA-compliant security subsystem. Some of the features in Windows XP and the X-Box are TCPA features: for example, if you change your PC configuration more than a little, you have to reregister all your software with Redmond. The train is rolling.

22. But isn't PC security a good thing?

The question is: security for whom? The average user might prefer not to have to worry about viruses, but TCPA won't fix that: viruses exploit the way software applications (such as Microsoft Office) use scripting. He might be worried about privacy, but TCPA won't fix that; almost all privacy violations result from the abuse of authorised access, often obtained by coercing consent. If anything, by entrenching and expanding monopolies, TCPA will increase the incentives to price discriminate and thus to harvest personal data for profiling.

The most charitable view of TCPA is put forward by a Microsoft researcher: there are some applications in which you want to constrain the user's actions. For example, you want to stop people fiddling with the odometer on a car before they sell it. Similarly, if you want to do DRM on a PC then you need to treat the user as the enemy.

Seen in these terms, TCPA and Palladium do not so much provide security for the user, but for the PC vendor, the software supplier, and the content industry. They do not add value for the user. Rather, they destroy it, by constraining what you can do with your PC - in order to enable application and service vendors to extract more money from you.

No doubt Palladium will be bundled with new features so that the package as a whole appears to add value in the short term, but the long-term economic, social and legal implications require serious thought.

Ross Anderson