Freedom versus safety on the global stage

Rupert Goodwins: Microsoft's Palladium promises ultimate security, but does that mean paying the ultimate price?

By now, you'll probably have read the first round of reaction to Microsoft's proposed Palladium, the system that makes absolutely sure that only authorised data and software can live on your computer. There's not been much technical information published, probably because Microsoft is waiting to see what people make of the idea before it commits itself to anything solid. And the people have been suspicious, verging on paranoid. For some reason, the idea that Microsoft should be trusted as the arbiter of all aspects of computing, with the power of life and death over data and programs, has not been greeted as the dawning of a new golden age.

Such reactions are to be expected, and they will neither surprise nor concern Microsoft. All this doesn't matter. It doesn't matter what you or I think about the idea of a global network of centrally controlled software and data that requires us to be authorised before we can use it. Other opinions do matter and this is where Palladium will either fail or succeed.

Let's say I'm the government of a reasonably prosperous, developed and democratic country. I am aware of the need for IT in my machineries of state and, of course, of the implications for law. There is a balance between the powers of the state and the rights of the people, and IT reflects this.

Suddenly, I have to decide whether to adopt Secure Windows -- or whatever the Palladium product turns out to be called. Do I trust Microsoft with immediate and absolute control of my computing? If it's not going to be Microsoft, then who? Do I want to assume the responsibilities myself, assuming its possible? State control of commercial enterprises is somewhat out of fashion these days, and with good reason. In any case, whoever controls the gates of Palladium controls whoever uses it: without a doubt, this is a disproportionate imbalance of power.

That's assuming that everything that Microsoft says is true. We can safely say, without impugning Microsoft's corporate honour, that this is not the whole truth. Take something like the FBI's Magic Lantern project -- a little piece of software that runs surreptitiously on the computer of a suspect and relays keystrokes, especially password and PGP pass-phrases, to the Feds. A useful tool in the fight against crime and, like phone tapping, is entirely to be desired if used wisely. But how would that work under Palladium, this utterly trustworthy and completely secure system? Would the FBI and its cousins in spookcraft voluntarily give up the ability to tap the bad guys? Would we want them to?

So, Palladium will have to have holes built into it, and they'll have to be secret. And Microsoft will be in control on a day-by-day basis. Now, governments know full well that this sort of thing goes on, because they already do it to each other -- even the best of friends -- but voluntarily handing the keys over to whoever's in the server rooms at Redmond is beyond a joke.

Looking at this from my position of responsibility for the safety of my country and the rights of my people, I might be disinclined to use Secure Windows for my tax gathering, my benefit system, my health and education and military organisations. If I was already thinking of ditching Windows, as are Peru, Mexico, Finland and China among others, Palladium will be doing nothing to make me change my mind.

However, this is a high stakes game. Under the Bush administration, big business has had little trouble in conflating the interests of commerce and the interests of the US. I doubt very much that Enron or Worldcom have changed that -- and the US is even now preparing a list of over 100 major changes in world trade rules that it will be putting on the table at the next major set of international talks. You may hazard a guess at how many of these give US companies more access to other countries markets, and you won't be wrong.

Now, access control to digital content and secure distribution of software can easily be argued to be essential to big business, and you can be sure that this will have a sympathetic hearing in Washington. How far are we away from the bald statement that if you want to conduct business electronically with the US, you must adopt Palladium? Or, if you don't like that, if you want to be friends with the US at all you must run our security software to help detect and prevent terrorism?

"As that noted American patriot, Ben Franklin said: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Palladium isn't about who gets to run some software, it's about who gets to run the world.