Trusted Computing Frequently Asked Questions

- TCPA / Palladium / NGSCB / Longhorn / TCG

Version 1.0

Ross Anderson

Translations into German, Spanish, Italian, Dutch, Chinese, Norwegian, Swedish, Finnish, Hungarian, Greek, Hebrew and French. This document is released under the GNU Free Documentation License.

Additions since July 2002 are at the foot of this document. See also the Economics and Security Resource Page which gives a lot of background to the issues raised here.

Microsoft has renamed Palladium NGSCB - for `Next Generation Secure Computing Base' and pronounced `enscub', while TCPA has been renamed (somewhat brusquely) as TCG - for the Trusted Computing Group. Meanwhile, opposition is mounting. Expect further twists and turns as the battle develops. And read on ...


1. What are TCPA and Palladium?

TCPA stands for the Trusted Computing Platform Alliance, an initiative led by Intel. Their stated goal is `a new computing platform for the next century that will provide for improved trust in the PC platform.' Palladium is software that Microsoft says it plans to incorporate in future versions of Windows; it will build on the TCPA hardware, and will add some extra features. Palladium has recently been renamed NGSCB while TCPA has been renamed TCG; however I'll continue to refer to them here by their original names as they are still more widely used.

2. What does TCPA / Palladium do, in ordinary English?

It provides a computing platform on which you can't tamper with the applications, and where these applications can communicate securely with the vendor. The obvious application is digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a Palladium platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. All sorts of new marketing possibilities will open up.

TCPA / Palladium will also make it much harder for you to run unlicensed software. Pirate software can be detected and deleted remotely. It will also make it easier for people to rent software rather than buying it; and if you stop paying the rent, then not only does the software stop working but so may the files it created. For years, Bill Gates has dreamed of finding a way to make the Chinese pay for software: Palladium could be the answer to his prayer.

There are many other possibilities. Governments will be able to arrange things so that all Word documents created on civil servants' PCs are `born classified' and can't be leaked electronically to journalists. Auction sites might insist that you use trusted proxy software for bidding, so that you can't bid tactically at the auction. Cheating at computer games could be made more difficult.

There is a downside too. There will be remote censorship: the mechanisms designed to delete pirated music under remote control may be used to delete documents that a court (or a software company) has decided are offensive - this could be anything from pornography to writings that criticise political leaders. Software companies can also make it harder for you to switch to their competitors' products; for example, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor.

3. So I won't be able to play MP3s on my PC any more?

With existing MP3s, you may be all right for some time. Microsoft says that Palladium won't make anything suddenly stop working. But a recent software update for Windows Media Player has caused controversy by insisting that users agree to future anti-piracy measures, which may include measures that delete pirated content found on your computer. Also, some programs that give people more control over their PCs, such as VMware and Total Recorder, are unlikely to work under TCPA. So you may have to use a different player - and if your player will play pirate MP3s, then it seems unlikely to be authorised to play the new, protected, titles.

It is up to an application to set the security policy for its files, using an online policy server. So Media Player will determine what sort of conditions get attached to protected titles, and I expect Microsoft will do all sorts of deals with the content providers, who will experiment with all sorts of business models. You might get CDs that are a third of the price but which you can only play three times; if you pay the other two-thirds, you'd get full rights. You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back. More likely, you will not be able to lend music at all. These policies will make life inconvenient for some people; for example, regional coding might stop you watching the Polish version of a movie if your PC was bought outside Europe.

This could all be done today - Microsoft would just have to download a patch into your player - but once TCPA / Palladium makes it hard for people to tamper with the player software, and easier for Microsoft to control upgrades and patches, it will be harder for you to escape, and will therefore be a more attractive way of doing business.

4. How does it work?

TCPA provides for a monitoring and reporting component to be mounted in future PCs. The preferred implementation in the first phase of TCPA is a `Fritz' chip - a smartcard chip or dongle soldered to the motherboard.

When you boot up your PC, Fritz takes charge. He checks that the boot ROM is as expected, executes it, measures the state of the machine; then checks the first part of the operating system, loads and executes it, checks the state of the machine; and so on. The trust boundary, of hardware and software considered to be known and verified, is steadily expanded. A table is maintained of the hardware (audio card, video card etc) and the software (O/S, drivers, etc); Fritz checks that the hardware components are on the TCPA approved list, that the software components have been signed, and that none of them has a serial number that has been revoked. If there are significant changes to the PC's configuration, the machine must go online to be re-certified. The result is a PC booted into a known state with an approved combination of hardware and software (whose licences have not expired). Control is then handed over to enforcement software in the operating system - this will be Palladium if your operating system is Windows.

Once the machine is in this state, Fritz can certify it to third parties: for example, he will do an authentication protocol with Disney to prove that his machine is a suitable recipient of `Snow White'. This will mean certifying that the PC is currently running an authorised application program - MediaPlayer, DisneyPlayer, whatever. The Disney server then sends encrypted data, with a key that Fritz will use to unseal it. Fritz makes the key available only to the authorised application and only so long as the environment remains `trustworthy'. For this purpose, `trustworthy' is defined by the security policy downloaded from a server under the control of the application owner. This means that Disney can decide to release its premium content to a given media player application in return for a contract that the application will not make any unauthorised copies of content, will impose a certain set of conditions (including what level of security has to be set in TCPA). This can involve payment: Disney might insist, for example, that the application collect a dollar every time you view the movie. In fact, the application itself can be rented too, and this is of great interest to software companies. The possibilities seem to be limited only by the marketers' imagination.

5. What else can TCPA and Palladium be used for?

TCPA can also be used to implement much stronger access controls on confidential documents. For example, an army might arrange that its soldiers can only create Word documents marked at `Confidential' or above, and that only a TCPA PC with a certificate issued by its own security agency can read such a document. This is called `mandatory access control', and governments are keen on it. The Palladium announcement implies that the Microsoft product will support this: you will be able to configure Word so that it will encrypt all documents generated in a given compartment on your machine, and share it only with other users in a defined group.

Corporations will be able to do this too, to make life harder for whistleblowers. They can arrange that company documents can only be read on company PCs, unless a suitably authorised person clears them for export. They can also implement timelocks: they can arrange, for example, that all emails evaporate after 90 days unless someone makes a positive effort to preserve them. (Think of how useful that would have been for Enron, or Arthur Andersen, or for Microsoft itself during the antitrust case.) The Mafia might use the same facilities: they could arrange that the spreadhseet with the latest drug shipments can only be read on accredited Mafia PCs, and will vanish at the end of the month. This might make life harder for the FBI - though Microsoft is in discussions with governments about whether policemen and spies will get some kind of access to master keys. But, in any case, a whistleblower who emails a document to a journalist will achieve little, as the journalist's Fritz chip won't give him the key to decipher it.

TCPA / Palladium also seems destined for use in electronic payment systems. One of the Microsoft visions appears to be that much of the functionality now built on top of bank cards may move into software once the applications can be made tamper-resistant. This is needed if we are to have a future in which we pay for books that we read, and music we listen to, at the rate of so many pennies per page or per minute. Even if this doesn't work out as a business model - and there are good arguments why it won't - there is clearly a competitive issue for a number of online payment systems, and there may be spillover effects for the user. If, in ten years' time, it's inconvenient to shop online with a credit card unless you use a TCPA or Palladium platform, then this could move a lot of people over to the system.

6. OK, so there will be winners and losers - Disney might win big, and smartcard makers might go bust. But surely Microsoft and Intel are not investing nine figures just for charity? How do they propose to make money out of it?

My spies at Intel tell me that it was a defensive play. As they make most of their money from PC microprocessors, and have most of the market, they can only grow their company by increasing the size of the market. They are determined that the PC will be the hub of the future home network. If entertainment is the killer application, and DRM is going to be the critical enabling technology, then the PC has to do DRM or risk being displaced in the home market.

Microsoft were also motivated by the desire to bring all of entertainment within their empire. But they also stand to win big if either TCPA or Palladium becomes widespread, as they will be able to use it to cut down dramatically on software copying. `Making the Chinese pay for software' has been a big thing for Bill; with Palladium, he can tie each PC to its individual licenced copy of Office, and with TCPA he can tie each motherboard to its individual licenced copy of Windows. TCPA will also have a worldwide blacklist for the serial numbers of any copies of Office that get pirated.

Finally, Microsoft would like to make it more expensive for people to switch away from their products (such as Office) to rival products (such as OpenOffice). This will enable them to charge more for upgrades without making their users jump ship.

7. Where did the idea come from?

It first appeared in a paper by Bill Arbaugh, Dave Farber and Jonathan Smith, ``A Secure and Reliable Bootstrap Architecture'', in the proceedings of the IEEE Symposium on Security and Privacy (1997) pp 65-71. It led to a US patent: ``Secure and Reliable Bootstrap Architecture'', U.S. Patent No. 6,185,678, February 6th, 2001. Bill's thinking developed from work he did while working for the NSA on code signing in 1994. The Microsoft folk have also applied for patent protection on the operating system aspects. (The patent texts are here andhere.)

There may be quite a lot of prior art. Markus Kuhn wrote about the TrustNo1 Processor years ago, and the basic idea - a specially trusted `reference monitor' that supervises a computer's access control functions - goes back at least to a paper written by James Anderson for the USAF in 1972. It has been a feature of US military secure systems thinking since then.

8. How is this related to the Pentium 3 serial number?

Intel started an earlier program in the mid-1990s that would have put the functionality of the Fritz chip inside the main PC processor, or the cache controller chip, by 2000. The Pentium serial number was a first step on the way. The adverse public reaction seems to have caused them to pause, set up a consortium with Microsoft and others, and seek safety in numbers.

9. Why call the monitor chip a `Fritz' chip?

In honour of Senator Fritz Hollings of South Carolina, who is working tirelessly in Congress to make TCPA a mandatory part of all consumer electronics.

10. OK, so TCPA stops kids ripping off music and will help companies keep data confidential. It may help the Mafia too, unless the FBI get a back door, which I assume they will. But apart from pirates, industrial spies and activists, who has a problem with it?

A lot of companies stand to lose out. For example, the European smartcard industry looks likely to be hurt, as the functions now provided by their products migrate into the Fritz chips in peoples' laptops, PDAs and third generation mobile phones. In fact, much of the information security industry may be upset if TCPA takes off. Microsoft claims that Palladium will stop spam, viruses and just about every other bad thing in cyberspace - if so, then the antivirus companies, the spammers, the spam-filter vendors, the firewall firms and the intrusion detection folk could all have their lunch stolen.

There are serious concerns about the effects on the information goods and services industries, and in particular on innovation, on the rate at which new businesses are formed and on the likelihood that incumbent companies will be able to hang on to their monopolies. The problems for innovation are well explained in a recent New York Times column by the distinguished economist Hal Varian.

But there are much deeper problems. The fundamental issue is that whoever controls the Fritz chips will acquire a huge amount of power. Having this single point of control is like making everyone use the same bank, or the same accountant, or the same lawyer. There are many ways in which this power could be abused.

11. How can TCPA be abused?

One of the worries is censorship. TCPA was designed from the start to support the centralised revocation of pirate bits. Pirate software will be spotted and disabled by Fritz when you try to load it, but what about pirated songs or videos? And how could you transfer a song or video that you own from one PC to another, unless you can revoke it on the first machine? The proposed solution is that an application enabled for TCPA, such as a media player or word processor, will have its security policy administered remotely by a server, which will maintain a hot list of bad files. This will be downloaded from time to time and used to screen all files that the application opens. Files can be revoked by content, by the serial number of the application that created them, and by a number of other criteria. The proposed use for this is that if everyone in China uses the same copy of Office, you do not just stop this copy running on any machine that is TCPA-compliant; that would just motivate the Chinese to use normal PCs instead of TCPA PCs in order to escape revocation. So you also cause every TCPA-compliant PC in the world to refuse to read files that have been created using this pirate program.

This is bad enough, but the potential for abuse extends far beyond commercial bullying and economic warfare into political censorship. I expect that it will proceed a step at a time. First, some well-intentioned police force will get an order against a pornographic picture of a child, or a manual on how to sabotage railroad signals. All TCPA-compliant PCs will delete, or perhaps report, these bad documents. Then a litigant in a libel or copyright case will get a civil court order against an offending document; perhaps the Scientologists will seek to blacklist the famous Fishman Affidavit. Once lawyers and government censors realise the potential, the trickle will become a flood.

Now the modern age only started when Gutenberg invented movable type printing in Europe, which enabled information to be preserved and disseminated even if princes and bishops wanted to ban it. For example, when Wycliffe translated the Bible into English in 1380-1, the Lollard movement he started was suppressed easily; but when Tyndale translated the New Testament in 1524-5, he was able to print over 50,000 copies before they caught him and burned him at the stake. The old order in Europe collapsed, and the modern age began. Societies that tried to control information became uncompetitive, and with the collapse of the Soviet Union it seemed that democratic liberal capitalism had won. But now, TCPA and Palladium have placed at risk the priceless inheritance that Gutenberg left us. Electronic books, once published, will be vulnerable; the courts can order them to be unpublished and the TCPA infrastructure will do the dirty work.

So after the Soviet Union's attempts to register and control all typewriters and fax machines, TCPA attempts to register and control all computers. The implications for liberty, democracy and justice are worrying.

12. Scary stuff. But can't you just turn it off?

Sure - unless your system administrator configures your machine in such a way that TCPA is mandatory, you can always turn it off. You can then run your PC with administrator privileges, and use insecure applications.

There is one respect, though, in which you can't turn Fritz off. You can't make him ignore pirated software. Even if he's been informed that the PC is booting in untrusted mode, he still checks that the operating system isn't on the serial number revocation list. This has implications for national sovereignty. If Saddam is stupid enough to upgrade his PCs to use TCPA, then the American government will be able to hot-list his Windows licences, and thus shut down his PCs, next time there's a war. Booting in untrusted mode won't help. He'd have to dig out old copies of Windows 2000, change to GNU/linux, or find a way to isolate the Fritz chips from his motherboards without breaking them.

If you aren't someone the US President hates personally, this may not be an issue. But if you turn TCPA off, then your TCPA-enabled applications won't work, or won't work as well. It will be like switching from Windows to Linux nowadays; you may have more freedom, but end up having less choice. If the applications that use TCPA / Palladium are more attractive to the majority of people, you may end up simply having to use them - just as many people have to use Microsoft Word because all their friends and colleagues send them documents in Microsoft Word. Microsoft says that Palladium, unlike vanilla TCPA, will be able to run trusted and untrusted applications at the same time in different windows; this will presumably make it easier for people to start using it.

13. So economics are going to be significant here?

Exactly. The biggest profits in IT goods and services markets tend to go to companies that can establish platforms (such as Windows, or Word) and control compatibility with them, so as to manage the markets in complementary products. For example, some mobile phone vendors use challenge-response authentication to check that the phone battery is a genuine part rather than a clone - in which case, the phone will refuse to recharge it, and may even drain it as quickly as possible. Some printers authenticate their toner cartridges electronically; if you use a cheap substitute, the printer silently downgrades from 1200 dpi to 300 dpi. The Sony Playstation 2 uses similar authentication to ensure that memory cartridges were made by Sony rather than by a low-price competitor.

TCPA appears designed to maximise the effect, and thus the economic power, of such behaviour. Given Microsoft's record of competitive strategic plays, I expect that Palladium will support them. So if you control a TCPA-enabled application, then your policy server can enforce your choice of rules about which other applications will be allowed to use the files your code creates. These files can be protected using strong cryptography, with keys controlled by the Fritz chips on everybody's machines. What this means is that a successful TCPA-enabled application will be worth much more money to the software company that controls it, as they can rent out access to their interfaces for whatever the market will bear. So there will be huge pressures on software developers to enable their applications for TCPA; and if Palladium is the first operating system to support TCPA, this will give it a competitive advantage over GNU/Linux and MacOS with the developer community.

14. But hang on, doesn't the law give people a right to reverse engineer interfaces for compatibility?

Yes, and this is very important to the functioning of IT goods and services markets; see Samuelson and Scotchmer, ``The Law and Economics of Reverse Engineering'', Yale Law Journal, May 2002, 1575-1663. But the law in most cases just gives you the right to try, not to succeed. Back when compatibility meant messing around with file formats, there was a real contest - when Word and Word Perfect were fighting for dominance, each tried to read the other's files and make it hard for the other to read its own. However, with TCPA that game is over; without access to the keys, or some means of breaking into the chips, you've had it.

Locking competitors out of application file formats was one of the motivations for TCPA: see a post by Lucky Green, and go to his talk at Def Con to hear more. It's a tactic that's spreading beyond the computer world. Congress is getting upset at carmakers using data format lockout to stop their customers getting repairs done at independent dealers. And the Microsoft folk say they want Palladium everywhere, even in your watch. The economic consequences for independent businesses everywhere could be significant.

15. Can't TCPA be broken?

The early versions will be vulnerable to anyone with the tools and patience to crack the hardware (e.g., get clear data on the bus between the CPU and the Fritz chip). However, from phase 2, the Fritz chip will disappear inside the main processor - let's call it the `Hexium' - and things will get a lot harder. Really serious, well funded opponents will still be able to crack it. However, it's likely to go on getting more difficult and expensive.

Also, in many countries, cracking Fritz will be illegal. In the USA the Digital Millennium Copyright Act already does this, while in the EU the situation may vary from one country to another, depending on the way national regulations implement the EU Copyright Directive.

Also, in many products, compatibility control is already being mixed quite deliberately with copyright control. The Sony Playstation's authentication chips also contain the encryption algorithm for DVD, so that reverse engineers can be accused of circumventing a copyright protection mechanism and hounded under the Digital Millennium Copyright Act. The situation is likely to be messy - and that will favour large firms with big legal budgets.

16. What's the overall economic effect likely to be?

The content industries may gain a bit from cutting music copying - expect Sir Michael Jagger to get very slightly richer. But I expect the most significant economic effect will be to strengthen the position of incumbents in information goods and services markets at the expense of new entrants. This may mean a rise in the market cap of firms like Intel, Microsoft and IBM - but at the expense of innovation and growth generally. Eric von Hippel documents how most of the innovations that spur economic growth are not anticipated by the manufacturers of the platforms on which they are based; and technological change in the IT goods and services markets is usually cumulative. Giving incumbents new ways to make life harder for people trying to develop novel uses for their products will create all sorts of traps and perverse incentives.

The huge centralisation of economic power that TCPA / Palladium represents will favour large companies over small ones; there will be similar effects as Palladium applications enable large companies to capture more of the spillover from their economic activities, as with the car companies forcing car-owners to have their maintenance done at authorised dealerships. As most employment growth occurs in the small to medium business sector, this could have consequences for jobs.

There may also be distinct regional effects. For example, many years of government sponsorship have made Europe's smartcard industry strong, at the cost of crowding out other technological innovation in the region. Senior industry people to whom I have spoken anticipate that once the second phase of TCPA puts the Fritz functionality in the main processor, this will hammer smartcard sales. A number of TCPA company insiders have admitted to me that displacing smartcards from the authentication token market is one of their business goals. Many of the functions that smartcard makers want you to do with a card will instead be done in the Fritz chips of your laptop, your PDA and your mobile phone. If this industry is killed off by TCPA, Europe could be a significant net loser. Other large sections of the information security industry may also become casualties.

17. Who else will lose?

There will be many places where existing business processes break down in ways that allow copyright owners to extract new rents. For example, I recently applied for planning permission to turn some agricultural land that we own into garden; to do this, we needed to supply our local government with six copies of a 1:1250 map of the field. In the old days, everyone just got a map from the local library and photocopied it. Now, the maps are on a server in the library, with copyright control, and you can get a maximum of four copies of any one sheet. For an individual, that's easy enough to circumvent: buy four copies today and send a friend along tomorrow for the extra two. But businesses that use a lot of maps will end up paying more money to the map companies. This may be a small problem; mutiply it a thousandfold to get some idea of the effect on the overall economy. The net transfers of income and wealth are likely, once more, to be from small firms to large and from new firms to old.

This may hopefully cause political resistance. One well-known UK lawyer said that copyright law is only tolerated because it is not enforced against the vast majority of petty infringers. And there will be some particularly high-profile hard-luck cases. I understand that copyright regulations due out later this year in Britain will deprive the blind of the fair-use right to use their screen scraper software to read e-books. Normally, a bureaucratic stupidity like this might not matter much, as people would just ignore it, and the police would not be idiotic enough to prosecute anybody. But if the copyright regulations are enforced by hardware protection mechanisms that are impractical to break, then the blind may lose out seriously. (There are many other marginal groups under similar threat.)

18. Ugh. What else?

TCPA will undermine the General Public License (GPL), under which many free and open source software products are distributed. The GPL is designed to prevent the fruits of communal voluntary labour being hijacked by private companies for profit. Anyone can use and modify software distributed under this licence, but if you distribute a modified copy, you must make it available to the world, together with the source code so that other people can make subsequent modifications of their own.

At least two companies have started work on a TCPA-enhanced version of GNU/linux. This will involve tidying up the code and removing a number of features. To get a certificate from the TCPA corsortium, the sponsor will then have to submit the pruned code to an evaluation lab, together with a mass of documentation showing why various known attacks on the code don't work. (The evaluation is at level E3 - expensive enough to keep out the free software community, yet lax enough for most commercial software vendors to have a chance to get their lousy code through.) Although the modified program will be covered by the GPL, and the source code will be free to everyone, it will not make full use of the TCPA features unless you have a certificate for it that is specific to the Fritz chip on your own machine. That is what will cost you money (if not at first, then eventually).

You will still be free to make modifications to the modified code, but you won't be able to get a certificate that gets you into the TCPA system. Something similar happens with the linux supplied by Sony for the Playstation 2; the console's copy protection mechanisms prevent you from running an altered binary, and from using a number of the hardware features. Even if a philanthropist does a not-for-profit secure GNU/linux, the resulting product would not really be a GPL version of a TCPA operating system, but a proprietary operating system that the philanthropist could give away free. (There is still the question of who would pay for the user certificates.)

People believed that the GPL made it impossible for a company to come along and steal code that was the result of community effort. This helped make people willing to give up their spare time to write free software for the communal benefit. But TCPA changes that. Once the majority of PCs on the market are TCPA-enabled, the GPL won't work as intended. The benefit for Microsoft is not that this will destroy free software directly. The point is this: once people realise that even GPL'led software can be hijacked for commercial purposes, idealistic young programmers will be much less motivated to write free software.

19. I can see that some people will get upset about this.

And there are many other political issues - the transparency of processing of personal data enshrined in the EU data protection directive; the sovereignty issue, of whether copyright regulations will be written by national governments, as at present, or an application developer in Portland or Redmond; whether TCPA will be used by Microsoft as a means of killing off Apache; and whether people will be comfortable about the idea of having their PCs operated, in effect, under remote control -- control that could be usurped by courts or government agencies without their knowledge.

20. But hang on, isn't TCPA illegal under antitrust law?

Intel has honed a `platform leadership' strategy, in which they lead industry efforts to develop technologies that will make the PC more useful, such as the PCI bus and USB. Their modus operandi is described in a book by Gawer and Cusumano. Intel sets up a consortium to share the development of the technology, has the founder members put some patents into the pot, publishes a standard, gets some momentum behind it, then licenses it to the industry on the condition that licensees in turn cross-license any interfering patents of their own, at zero cost, to all consortium members.

The positive view of this strategy was that Intel grew the overall market for PCs; the dark side was that they prevented any competitor achieving a dominant position in any technology that might have threatened their dominance of the PC hardware. Thus, Intel could not afford for IBM's microchannel bus to prevail, not just as a competing nexus of the PC platform but also because IBM had no interest in providing the bandwidth needed for the PC to compete with high-end systems. The effect in strategic terms is somewhat similar to the old Roman practice of demolishing all dwellings and cutting down all trees close to their roads or their castles. No competing structure may be allowed near Intel's platform; it must all be levelled into a commons. But a nice, orderly, well-regulated commons: interfaces should be `open but not free'.

The consortium approach has evolved into a highly effective way of skirting antitrust law. So far, the authories do not seem to have been worried about such consortia - so long as the standards are open and accessible to all companies. They may need to become slightly more sophisticated.

Of course, if Fritz Hollings manages to get his bill through Congress, then TCPA will become compulsory and the antitrust issue will fall away, at least in America. One may hope that European regulators will have more backbone.

21. When is this going to hit the streets?

It has. The specification was published in 2000. Atmel is already selling a Fritz chip, and although you need to sign a non-disclosure agreement to get a data sheet, you have been able to buy it installed in the IBM Thinkpad series of laptops since May 2002. Some of the existing features in Windows XP and the X-Box are TCPA features: for example, if you change your PC configuration more than a little, you have to reregister all your software with Redmond. Also, since Windows 2000, Microsoft has been working on certifying all device drivers: if you try to load an unsigned driver, XP will complain. There is also growing US government interest in the technical standardisation process. The train is rolling.

The timing of Palladium is less certain. There appears to be a power struggle going on between Microsoft and Intel; Palladium will also run on competing hardware from suppliers such as Wave Systems, and applications written to run on top of vanilla TCPA will need to be rewritten to run on Palladium. This seems a play to ensure that the secure computing platform of the future is controlled by Microsoft alone. It might also be a tactic to deter other companies from trying to develop software platforms based on TCPA. Intel and AMD appear to plan for the second generation of TCPA functionality to be provided in the main processor for free. This might provide higher security, but would enable them to control developments rather than Microsoft.

I do know that the Palladium announcement was brought forward by over a month after I presented a paper at a conference on Open Source Software Economics on the 20th June. This paper criticised TCPA as anticompetitive, as amply confirmed by new revelations since.

22. What's TORA BORA?

This seems to have been an internal Microsoft joke: see the Palladium announcement. The idea is that `Trusted Operating Root Architecture' (Palladium) will stop the `Break Once Run Anywhere' attack, by which they mean that pirated content, once unprotected, can be posted to the net and used by anyone.

They seem to have realised since that this joke might be thought to be in bad taste. At a talk I attended on the 10th July at Microsoft Research, the slogan had changed to `BORE-resistance', where BORE standards for `Break Once Run Everywhere'. (By the way, the speaker there described copyright watermarking as `content screening', a term that used to refer to stopping minors seeing pornography: the PR machine is obviously twitching! He also told us that it would not work unless everyone used a trusted operating system. When I asked him whether this meant getting rid of linux he replied that linux users would have to be made to use content screening.)

23. But isn't PC security a good thing?

The question is: security for whom? You might prefer not to have to worry about viruses, but neither TCPA nor Palladium will fix that: viruses exploit the way software applications (such as Microsoft Office and Outlook) use scripting. You might get annoyed by spam, but that won't get fixed either. (Microsoft implies that it will be fixed, by filtering out all unsigned messages - but the spammers will just buy TCPA PCs. You'd be better off using your existing mail client to filter out mail from people you don't know and putting it in a folder you scan briefly once a day.) You might be worried about privacy, but neither TCPA nor Palladium will fix that; almost all privacy violations result from the abuse of authorised access, often obtained by coercing consent. The medical insurance company that requires you to consent to your data being shared with your employer and with anyone else they can sell it to, isn't going to stop just because their PCs are now officially `secure'. On the contrary, they are likely to sell it even more widely, because computers are now `trusted'.

Economists have noted that when a manufacturer makes a `green' product available, it often increases pollution, as people buy green rather than buying less; we may see a security equivalent of this `social choice trap', as it's called. In addition, by entrenching and expanding monopolies, TCPA will increase the incentives to price discriminate and thus to harvest personal data for profiling.

The most charitable view of TCPA is put forward by a Microsoft researcher: there are some applications in which you want to constrain the user's actions. For example, you want to stop people fiddling with the odometer on a car before they sell it. Similarly, if you want to do DRM on a PC then you need to treat the user as the enemy.

Seen in these terms, TCPA and Palladium do not so much provide security for the user as for the PC vendor, the software supplier, and the content industry. They do not add value for the user, but destroy it. They constrain what you can do with your PC in order to enable application and service vendors to extract more money from you. This is the classic definition of an exploitative cartel - an industry agreement that changes the terms of trade so as to diminish consumer surplus.

No doubt Palladium will be bundled with new features so that the package as a whole appears to add value in the short term, but the long-term economic, social and legal implications require serious thought.

24. So why is this called `Trusted Computing'? I don't see why I should trust it at all!

It's almost an in-joke. In the US Department of Defense, a `trusted system or component' is defined as `one which can break the security policy'. This might seem counter-intuitive at first, but just stop to think about it. The mail guard or firewall that stands between a Secret and a Top Secret system can - if it fails - break the security policy that mail should only ever flow from Secret to Top Secret, but never in the other direction. It is therefore trusted to enforce the information flow policy.

Or take a civilian example: suppose you trust your doctor to keep your medical records private. This means that he has access to your records, so he could leak them to the press if he were careless or malicious. You don't trust me to keep your medical records, because I don't have them; regardless of whether I like you or hate you, I can't do anything to affect your policy that your medical records should be confidential. Your doctor can, though; and the fact that he is in a position to harm you is really what is meant (at a system level) when you say that you trust him. You may have a warm feeling about him, or you may just have to trust him because he is the only doctor on the island where you live; no matter, the DoD definition strips away these fuzzy, emotional aspects of `trust' (that can confuse people).

Remember during the late 1990s, as people debated government control over cryptography, Al Gore proposed a `Trusted Third Party' - a service that would keep a copy of your decryption key safe, just in case you (or the FBI, or the NSA) ever needed it. The name was derided as the sort of marketing exercise that saw the Russian colony of East Germany called a `Democratic Republic'. But it really does chime with DoD thinking. A Trusted Third Party is a third party that can break your security policy.

25. So a `Trusted Computer' is one that can break my security?

Now you've got it.

Ross Anderson


Additions since July 2002:

See also the Economics and Security Resource Page which gives a lot of background to the issues raised here.

Here are translations into German, Spanish, Italian, Dutch, Chinese, Norwegian, Swedish, Finnish, Hungarian, Greek, Hebrew and French.

Here is a link to the first online version of this FAQ, version 0.2.

Here are further comments on TCPA / Palladium from ZDNet, the BBC, Internetnews, PBS, O'Reilly, , Salon.com, and Extremetech. Larry Lessig's comments in a seminar at Harvard are relevant. There is a story allegedly by a former Microsoft employee about how Palladium was launched, and two blog entries (here and here) by Seth Schoen on a Palladium briefing my MS to EFF. The European Union is starting to take note. The fuss we've managed to stir up has now depressed PC market analysts in Australia. There is a speech by Bush's CyberCzar Richard Clark praising TCPA (see p 12); at the same conference, Intel CEO Craig Barrett says that government should let industry do DRM rather than mandating a solution (p 58). That may make some sense out of this story story about Intel opposing the Hollings bill, at the same time as they were pushing TCPA. There is also a White Paper from Microsoft, backed up by an email from Bill. Of course, many of the issues had already been anticipated by Richard Stallman.

TCPA inventor Bill Arbaugh has second thoughts. Here he makes some proposals about how TCPA could be changed to mitigate its worst effects, for example by letting users load their own trusted root certificates or turn the Fritz chip off entirely.

Atmel have released the data sheet for their Fritz chip.

The slides of Lucky Green's Def Con talk are now available online.

An exchange with Peter Biddle, technical director of Palladium, from the cryptography list.

A post from John Gilmore to the cypherpunks list, and further commentary by Adam Back, Seth Schoen and others.

An opinion from Bruce Schneier; some controversy stirred up by Bill Thompson, who really does appear to believe that the world of trusted computing will be spam- and virus-free, and allow you to exercise your fair use rights; and some reaction ...

In an act of blatant intellectual property infringement :-), Microsoft have released a competing Palladium FAQ. They've backed off from the initial media claims that Palladium will stop spam and viruses. Nice spin doctoring; but on a careful, literal reading, it's remarkable how little of what I said above is effectively denied.

Intel have announced that from the second half of 2003, the Pentium 4's successor will support Palladium. This chip, to which I referred above as the `Hexium', has now been officially named `LaGrande' after a town in Eastern Oregon - a break from the previous policy of naming chips after rivers (I must say I prefer `Hexium'). The initial reaction was hostile, and the later reaction too. Civil liberties groups are starting to wake up; there's a web page at EPIC, for example.

An article in Linux devices on the problems TCPA may cause for embedded systems.

An article in German in c't magazine.

On the 7th November, there was a public debate on TCPA between the suits and the geeks. There was a related item on Channel 4 News, and a shorter debate free of charge in Cambridge the following day as one of our regular security group meetings. I also expect that the Foundation for Information Policy Research will organise an event early in the new year.

At last - Stallman speaks! (there's also two French translations, here and here)

Trusted computing has now made its way into science fiction - see the latest short story by Cory Doctorow (15/11/02).

France starts to wake up - see article in Le Monde (Jan 2003).

Microsoft has renamed Palladium NGSCB - for `Next Generation Secure Computing Base'. This is the acronym under which new articles are starting to appear on the search engines. (Feb 2003)

Microsoft has announced that it will ship many of the application-level TC features with Windows Server 2003 later this year, including Rights Management mechanisms that will allow you, for example, to specify that a particular email must evaporate on the recipient's machine after 30 days. This is still software-based; it won't work unless the recipient also has a compatible client or server from Microsoft, and can be defeated by patching the software (though this may be illegal in the USA). However, it will start getting this lock-in functionality out into the marketplace and pave the way for full TC implementations next year. Comment in places like Geek News, VNUnet and Zdnet has been mixed but is still muted. (March 2003)

TCPA has been relaunched as TCG (the Trusted Computing Group and announced that it's working on version 1.2 of the Fritz chip, with systems shipping late 2004 or early 2005: they want to extend the scope of TC from PCs to PDAs and mobile phones. See the story in EE Times, and the followup; read a denunciation by the great and the good at the RSA conference; and read about how Chairman Bill struck back at the Windows Hardware Engineering Conference when NGSCB was finally unveiled. (May 2003)

I'm next talking in public about TC on the 2nd July in Berlin at the "Trusted Computing Group" Symposium; then on the 14th July at PODC. I may also be speaking in Brussels on the 8th July (to be confirmed), and I expect to speak at the Helsinki IPR workshop in August. I'm sure there will be many more. Meanwhile, a version of my economic study of TC has appeared a special issue of Upgrade that deals with IP and computing issues (June 2003).

The Times reports various abuses by printer manufacturers, including setting their toner cartridges to show `empty' when only about two-thirds of the ink has been used up. This is the sort of business model that will become pervasive throughout the IT world if TC succeeds, and the devices that you can use to unlock printer cartridges that still have ink in them will be outlawed - as will technical workarounds for TC mechanisms that undermine competition and exploit consumers (July 2003).

Bill Gates admits that Microsoft would pursue the computer security market aggressively: "Because it's a growth area, we're not being that coy with them about what we intend to do." He stressed that the company's biggest bet is on the next version of Windows - code name Longhorn - in other words, the technology formerly known as Palladium and now known as NGSCB. You have been warned (August 2003).