Other firms evaluating processor IDs

Intel's rivals are likely to follow the giant's lead and put electronically accessible serial numbers on their processors, according to company officials and analysts.
Written by ZDNet Staff, Contributor

"The technology to do it is well known," said Keith Diefendorff, industry analyst with microprocessor technology watcher MicroDesign Resources Inc. "From that point of view, why would AMD be incompatible (with Intel technology) when they didn't need to be?"

The issue arose last Wednesday at the RSA Data Security Conference, when Intel announced it would put several security features in future processors, starting with the Pentium III later this quarter. One feature that has drawn some criticism is a plan to put processor-specific IDs on each chip that can be accessed by software and transmitted over the Internet. While Advanced Micro Devices Inc. says it is still evaluating the technology, competitor National Semiconductor Corp. has decided to follow Intel's lead. "We are finalising our plans, but we just haven't nailed it down yet," said Cyrix spokeswoman Stephanie Foster.

The ID will be a 64-bit number created by fusing wires on the chip together during its manufacturing. Along with the current 32-bit CPUid -- a number that groups CPUs depending on when and where they were manufactured -- the ID will create a 96-bit unique serial number accessible by software. "That's close to the number of particles in the known universe," joked Pat Gelsinger, vice president and general manager at Intel's desktop products group, adding that the company will never run out of numbers. "If we sell that many, I hope I will have retired."

The processor ID can be hidden from Net access by turning off a software "switch," said Gelsinger. Each machine will default to having the ID on, but a Windows control panel will allow users to turn it off.

While Intel hailed the technology as a feature for enhanced security, at least one cryptographer was not so sure. "As a security feature, it is not very interesting and not very useful, because it is so easy to bypass," said Bruce Schneier, author of crypto-bible Applied Cryptography and president of security firm Counterpane Systems Inc. "It is just too easy to hack." Intel remarked that it had submitted the technology for review by encryption and security experts. Schneier would not say whether he had seen the technology.

For the most part, companies seem excited about the new technology. Companies could require remote users to use the technology, while banks may offer more features to their customers who have processor IDs turned on. The ID could also help enable the ultimate in software copy protection, tying applications to a specific machine. "We expect to see our members using this technology," said Lauren Hall, chief technologist for the piracy-busting Software and Information Industry Association, whose members include software makers such as Microsoft Corp., Netscape Communications Corp. and others. "Anytime that you build a new technology for identification, the market is going to find ways to use that to enhance security."

For Schneier, the biggest application is theft and fraud protection. "As soon as you put a processor number on the chip, you won't be able to fence hot chips anymore," he said. Intel said it would not use the ID for this type of application, citing privacy concerns.

Even with the company stepping softly, concerns were raised. Last Wednesday, Barry Steinhardt, associate director and privacy expert at the American Civil Liberties Union, worried over the implications as well. "(This plan) allows for a means of tracking individuals on the Net," said Steinhardt, who was briefed by Intel. "It does have potential problems."

Even with the off switch available, turning off the feature could pose problems. "I don't like the privacy implications," said Schneier. "Being able to turn it off and being able, socially, to turn it off are two different things. It's just like: You could choose not to have a credit card, but try living without one."

With personal information databases commonplace today, the concern is that companies will add processor IDs to the list as well. Whereas not everyone has a unique Internet address, every user will, eventually, have a processor associated with them.

In the end, it would be the ordinary Joe Internet who would lose out. "The normal people are going to have one more piece of anonymity chipped away," said Schneier. "This takes away the anonymity of the innocent while not doing anything to the professionals."
