[Fsfe-france] TCPA: Microsoft's plan to improve computer security could set off fight over use of online materials

[pplf]

The Chronicle of Higher Education
http://chronicle.com/free/v49/i24/24a02701.htm



Control Issues

Microsoft's plan to improve computer security could set off fight over 
use of online materials

By FLORENCE OLSEN

Computing experts in academe often blame Microsoft for producing 
software that is vulnerable to viruses and hackers. But, of late, the 
experts have been criticizing the company's sweeping plan to correct 
those very deficiencies.

Under the plan, announced seven months ago under the name Palladium, new 
computers would be equipped with security hardware and a new version of 
the Windows operating system.

The goal, Microsoft officials say, is to make servers and desktop PC's 
that people can trust. But critics say the technology, which Microsoft 
recently renamed "the next-generation secure computing base," could 
stifle the free flow of information that has come to characterize the 
Internet, and could give Microsoft too much control over colleges' own 
computerized information.

With the new technology, information-systems officials could use 
cryptographic hardware "keys" rather than software controls, like user 
names and passwords, to lock up student records and prevent illegal 
copying of materials. Registrars would have tamper-proof controls over 
who could see, copy, or alter the records. The advances could be used to 
prevent identity thieves from invading campus computer networks to steal 
Social Security numbers, grades, and other personal data.

Money and Access

Palladium would require colleges to make expenditures on new computers 
and software. Existing computers could not be retrofitted.

Colleges would decide whether to buy Palladium-capable software and 
hardware, and then whether to activate Palladium's security functions. 
But practically speaking, they would face enormous pressures to do so, 
especially if publishers of books, journals, software, and other 
electronic "content" were to adopt Microsoft's standard to deliver their 
materials online. The publishers could dictate that colleges had to use 
Palladium or else be denied access to the material. That worries many in 
academe, who believe that publishers would use Palladium to bar some 
uses of digital materials to which scholars argue that they are entitled 
under copyright law. That loss may outweigh the advantages of tighter 
security over student records, the critics say.

"If Palladium is adopted, and if other technology vendors exploit it 
fully to restrict access to copyrighted works, education and research 
will suffer," says Edward W. Felten, an associate professor of computer 
science at Princeton University, who was the U.S. Justice Department's 
chief computer-science expert in its antitrust case against Microsoft.

Microsoft officials respond that their new technology will simply give 
all users -- whether colleges or publishers -- more control over the 
information they own. Colleges have been demanding more computer 
security, says Brian LaMacchia, a software architect in Microsoft's 
trusted-platform-technologies group, which is responsible for Palladium. 
"It's a two-edged sword," he says, acknowledging that commercial 
publishers have demanded greater protection for their copyrighted works.

Palladium's software components will be part of the next major version 
of Windows, which Microsoft has said it may release toward the end of 
2004. Some hardware components that Palladium needs, including a 
security chip, are available already in a notebook computer, the IBM 
ThinkPad T30. Chip manufacturers and the major computer companies -- 
Dell, Gateway, Hew-lett-Packard, and IBM, among others -- have begun 
work to redesign PC's so that they will work with Palladium software.

A key component of Microsoft's new technology is the "nexus," a 
minisystem that runs in a sealed-off area in the computer's memory, 
where private transactions can be conducted, and where designated 
security and copyright policies would be enforced. In theory, the nexus 
is immune to many of the problems that plague Windows machines, like 
viruses.

Moving away from password-protected security and toward security that is 
built into the hardware would make campus networks less vulnerable to 
hacker attacks, Microsoft officials and academic experts agree. "Once 
you move to hardware security, then you're talking about deterring 98 to 
99 percent of all hackers," says David C. Rice, a security consultant 
who is an adjunct faculty member in the graduate program in information 
security at James Madison University.

Here's how Palladium works: If a program -- with its nexus -- were 
running on a server in, say, a college registrar's office, the server 
would ask any computer that tried to gain access to student records on 
the server to certify what program it was running. The server would 
block access to the records if the computer were running an insecure 
program. Such questioning of another computer is not part of most 
security mechanisms in use today. As a result, college computer systems 
are repeatedly victimized by hacker attacks.

Mr. LaMacchia says that Palladium also would permit personal data and 
other files to be kept secret on the computer's hard drive in an area 
where the data would be unreadable by any program other than the one on 
the computer that created them.

"It's definitely going to solve a lot of security problems, but it's 
like any kind of new technology," says William A. Arbaugh, an assistant 
professor of computer science at the University of Maryland at College 
Park. "It can do good or evil."

Fair Use

Whether it is used for "good" or "evil," he says, will depend on who 
gets to control the technology -- colleges or the publishers whose 
"content" the colleges use.

Most of the early controversy surrounding Palladium in academe has 
concerned its impact on "fair use," a gray area in copyright law that 
gives professors and researchers limited but free use of copyrighted 
materials. In the past, faculty members could decide on their own that 
"fair use" permitted them to distribute a journal article to, say, 10 
students. But publishers could use Palladium's controls to unilaterally 
limit use of their materials, such as by restricting professors to a 
read-only view of the article, from which they could not "cut and paste" 
the text.

With Palladium, owners of content would gain at the expense of consumers 
of content, including professors and students, says Eben Moglen, a 
professor of law and legal history at Columbia University. In fact, if 
Palladium were to become a widely accepted way of protecting copyrighted 
material, Mr. Moglen says, it would create "a closed system, in which 
each piece of knowledge in the world is identified with a particular 
owner, and that owner has a right to resist its copying, modification, 
and redistribution."

In such a scenario, he says, "the very concept of fair use has been lost."

Ross Anderson, who holds a faculty post as a reader in security 
engineering at the University of Cambridge's Computer Laboratory, says 
Palladium will "turn the clock back" to the days before online 
information was widely available.

The biggest losers, he says, will be "small colleges, poor schools, 
universities in Africa, hospitals in India -- the people who have 
benefited hugely from the availability of vast amounts of information 
that was simply unavailable to them before."

Publishers generally support the type of copyright-enforcement 
mechanisms that would be in Palladium systems, although "there would be 
some concerns about bugs in those systems," says Ed McCoyd, director of 
digital policy for the Association of American Publishers. For example, 
he says, even now, while publishers complain about the inflexibility of 
technical controls in electronic-book readers, they do not want to share 
those controls with users.

"They certainly want to have sufficient flexibility in the publisher 
settings -- one publisher might choose to enable printing, one might 
not," Mr. McCoyd says. But with the new technology, he predicts, 
publishers will insist on controlling the software settings for what 
they "consider to be fair use."

Some experts argue that computer and network security are so weak today 
that the benefits of Palladium outweigh any risks that Microsoft, or 
content providers, would abuse the new controls.

"Microsoft could decide to lock everything up," says David J. Farber, a 
professor of telecommunications systems and of business and public 
policy at the University of Pennsylvania. "But there is nothing a priori 
that says they'll be all bad boys."

Indeed, Microsoft says it is listening to its critics. It has been 
talking with academic researchers about the new technology far earlier 
than usual in Microsoft's product-development process. "Part of the 
reason has been to hear the feedback -- positive and negative -- from 
the academic community, analysts, influentials, and others," says Amy 
Carroll, group manager of Microsoft's trusted-platform-technologies group.

Palladium's software architects have given several guest lectures at 
universities in the United States and Britain, in part, Ms. Carroll 
says, to listen to academic concerns "and, hopefully, assuage them."

Many of the concerns are a result of misunderstanding what the new 
technology will do and how it will work, Ms. Carroll says. Microsoft 
plans to publish the source code for its nexus, she says, so that 
"people can view the code and see that it will do what we say it will 
do," and see that it will not give the company control over colleges' 
computerized information.

Even Palladium's critics see good uses for the technology, like 
maintaining the privacy of student records. Colleges may want to have 
Palladium activated on some servers to keep them from running "pirated 
software, MP3's, or anything that is illegal," says Mr. Rice, the 
security consultant.

More Worries

But Palladium is worrisome to college officials for reasons other than 
an erosion in the fair use of copyrighted materials. Jeffrey I. 
Schiller, a network manager at the Massachusetts Institute of 
Technology, says software companies most likely would use the program to 
enforce license agreements that many in academe believe are legally 
unenforceable. For example, more and more software licenses forbid users 
from running tests known as benchmarks to measure the performance of one 
company's software against that of its competitors.

Some critics, like Mr. Schiller, say Palladium might achieve the results 
intended by the Uniform Computer Information Transactions Act, a model 
law devised by the National Conference of Commissioners on Uniform State 
Laws, which has been enacted only in Maryland and Virginia. Ucita is "an 
attempt to give these software licenses the force of a signed contract, 
even though you didn't sign a contract," Mr. Schiller says. With 
Palladium, technology would "enforce" the licenses de facto, he says.

Microsoft insists that its new technology is a neutral platform. "It is 
certainly possible that an application vendor could choose to use 
[Palladium] to evaluate and enforce some software licensing terms," 
acknowledges Ms. Carroll. But "at the end of the day," she says, "the 
terms of the license for an application are strictly an issue between 
the vendor and the university."

Others think Palladium would be an anti-competitive tool in the hands of 
software publishers, especially Microsoft, which, in 1999, was found 
guilty by a federal-district court of monopolistic practices. With 
Palladium, software publishers could decide to create programs that 
refuse to work with rival programs, a tactic that is difficult for them 
to get away with now, says Seth Schoen, a staff technologist at the 
Electronic Frontier Foundation, a group that promotes civil liberties in 
cyberspace.

Critics of Palladium frequently cite a hypothetical situation in which a 
company makes a word-processing program that requires Palladium to run 
and that encrypts all of the documents that it creates. "Any other 
Palladium user who is also using that same word processor will be able 
to decrypt and view the documents," Mr. Schoen says, "but nobody without 
access to Palladium or who uses a different word processor would be able 
to derive the necessary decryption keys."

Microsoft faces an uphill battle to win acceptance for Palladium in 
academe. College students, many of whom are used to playing illegal 
copies of music and videos on their personal computers, may be resistant.

"They're not going to consciously go out and buy a product that 
necessarily limits their ability to do what they want to do," says Mr. 
Rice, the security consultant. "They'll definitely buy a product if it 
means security for them. I don't know if they're going to buy a product 
if it means security for somebody else."

The Business Software Alliance, a trade group representing software 
companies, declined to comment on Palladium, citing a policy of not 
talking about its members' products. But Robert M. Kruger, vice 
president for enforcement, says the group is beginning to tilt more 
toward technology to enforce copyrights.

In dealing with software and other copyright piracy on campuses, 
colleges "aren't sending the message as aggressively as we would like," 
he says.

Will MIT, whose researchers have studied Palladium, want to run it? 
Maybe not, says Mr. Schiller, the university's network manager. 
"Personally, I would never use this technology," he says. As for MIT, 
though, it's an open question, he says. "Palladium has to become more 
real for us to really decide if we can use it."

"If I had my druthers, I'd love the technology to be available and used 
for all the good things we could use it for," Mr. Schiller says. "But 
I'm enough of a realist to know that's not how it's going to play out."

WHAT PALLADIUM WILL AND WON'T DO

Microsoft's Palladium project is designed to make Windows computers more 
secure. But computer experts are concerned that the technologies being 
used to make computers more secure will block the free flow of 
information needed for teaching and research.

Palladium will:

    * Run programs that could prevent illegal copying of or 
unauthorized access to information stored in PC's.

    * Permit owners of digital information, whether copyright holders 
or registrars responsible for student records, to set tamper-proof 
controls on who can see, copy, and alter digital files.

    * Prevent unauthorized access, via a computer network or the 
Internet, to Social Security numbers, credit-card information, and other 
personal data stored in PC's.

Palladium will not:

    * Replace the Windows operating system.

    * Search the Internet to detect and delete pirated software, music, 
and movies.

    * Eliminate spam and software viruses.

    * Prevent a digital thief from gaining access to a computer in 
person and disabling its hardware security features.

SOURCE: Chronicle reporting




--
pplf - French OpenPGP page    <address@hidden>
"OpenPGP en francais"         PGP: 8263 8399 2074 5277 a6d3
http://www.openpgp.fr.st           622d 1b66 ea3d caa0 8c94