Microsoft stirs up another security storm

It's all about Palladium (but you won't find Jimmy Tarbuck making any jokes)...

Software giant Microsoft is coming under fire for its latest security initiative, called Palladium. Yet again Microsoft has roused the ire of the privacy lobby with a proposal that is already being described as 'Big Brother-ish'.

Palladium is the name of a new system, part-hardware, part-software, which the company (in partnership with the likes of Intel) proposes be installed on every PC. It will provide high-level authentication of users, and will use encryption to control who can access content - be it Word documents or audio files. It would also provide built-in support for the kind of digital rights management technology being promoted by the music industry to fight back against the increasingly popular P2P networks.

However, details on what exactly Microsoft is doing are scarce, as the venture was not announced with any press conference or official explanation from Microsoft. The story was given as an exclusive to US magazine Newsweek, and Microsoft still hasn't told European journalists about the technology.

But according to the article, Microsoft is supported in the venture by chip giants Intel and AMD, who will together provide the hardware component of the system. Microsoft told Newsweek the system has the potential to block viruses and spam from getting into computers. Microsoft product manager Mario Juarez is quoted as saying: "This isn't just about solving problems, but expanding new realms of possibilities in the way people live and work with computers."

The impact upon digital rights management is the most obvious implication of the new system. It will allow music companies to distribute content digitally and then control how it is subsequently used. The Palladium component in a computer will decide whether or not a music file can legally be played on a certain computer. If the file is forwarded on to someone else who doesn't have the "permission" to use it, the file will simply not play.

Intel is refusing to talk specifically about Palladium.
However, the idea does seem to have evolved out of its Trusted Computing Platform Alliance (TCPA), which has also been plagued by gripes over civil liberties.

Ross Anderson, a computer privacy guru and chair of the Foundation for Information Policy Research, has written a critical FAQ on the new system on his personal website. He said: "A lot of companies stand to lose out. For example, the European smartcard industry may be hurt, as the functions now provided by their products migrate into the... chips in people's laptops, PDAs and third generation mobile phones. In fact, much of the information security industry may be upset if TCPA takes off.

"But there are much deeper problems. The fundamental issue is that whoever controls the... chips will acquire a huge amount of power. There are many ways in which this power could be abused, and Intel has refused to answer questions on the governance of the TCPA consortium."

Microsoft will also be able to use the technology to step up its crackdown on software piracy by linking the PC, its software and the identity of the PC owner and embedding the information in the hardware.

Chris Wysopal, director of research and development for security experts @Stake, said: "This is undoubtedly a way to make an unbreakable licensing system. What's going to be controversial here is not the technology per se, but the policy Microsoft adopts. Suddenly the user is not in full control of his or her PC and there are some real concerns here."

Another area of concern is the initiative's potential to limit the ability of 'whistleblowers' within organisations to pass on documents to the press or regulators. A forwarded document will not be accessible to a recipient without the required level of permission.

For more information see Ross Anderson's Palladium FAQ at: http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html