Re: awareness + flexibility + security

[Jonathan S. Shapiro]

On Mon, 2005-11-14 at 10:28 +0900, Andre Caldas wrote:

> I don't think this should be a matter of: 'Is there any good uses?'
> Probably people can come up with good uses for it easily. The problem 
> here is:
>       Is it possible to separate the good and bad uses?
> 
> Is it a trade? Do I have to agree with the 'bad uses' in order to have 
> the 'good uses'? 

Yes. This is a generic condition of living.


I want to suggest an analogy that may be thought provoking.

Prior to the invention of the printing press, duplication of documents
was incredibly expensive. As a practical matter, it was available only
to governments and members of the aristocracy. If you look at the
documents that were widely duplicated, many of them can be seen as tools
of social control.

The printing press changed this. Later, the web changed it further. But
if you had evaluated the social benefit of duplication prior to the
printing press, you would have concluded that it was basically an
anti-freedom technology.

I want to suggest that TPM is now in the stage comparable to
"duplication before the printing press". Just as we would have been
wrong to discourage scribes, we would now be wrong to discourage TPM.

Consider, for example, that effective DRM would essentially destroy
centralization of content ownership. The basic job of RIAA is license
management, but in a connected world with widely available TPM hardware,
any musician can now do this for themselves directly and cheaply. This
is certainly not the type of freedom that FSF is trying to advance, but
decentralization of this form is definitely a change in the direction of
freedom.

I also want to suggest another historical parallel:

Nobody worried much about copyright prior to the printing press. It was
the newfound low cost of bits that prompted the introduction of
copyright. This has now happened again in computing, and a new
technology is emerging to enforce property rights for bits. This
technology isn't going to go away, and it doesn't defeat open source.

In the end, open source will not succeed or fail with the masses on the
strength of its moral position. The masses mostly don't care. Open
source will succeed or fail because it is better, more agile, more
responsive, and more robust. GPL is a very effective tool for building
collaborations, which is why it sits underneath so much good code. If
you go out and say to people "give bits away because it is right", they
will mostly laugh at you. If you go out and say "give bits away because
it serves to accomplish something you care about" you stand a chance of
success.

In my personal opinion, the technical battle over TPM hardware and the
unrestricted ability to copy bits is already lost. Content protection is
feasible, and it is only a matter of time before it is ubiquitous.
Ironically, this is WONDERFUL for open source. The first time some
vendor tries to lock down their user's content seriously, there will be
a thundering hurd (sorry) of people switching to OpenOffice. We, on the
other hand, can use attestation as a marketing tool in the opposite
direction: we'll attest that the software *won't* do that.

The real danger in TPM doesn't lie in DRM. It lies in the difficulty of
configuration management. In the end, the party who successfully tracks
all of those cryptographic checksums is the real source of trust in the
system. It's too big a job for any one company to do, so a small number
of tracking companies will emerge, and they will have very powerful
roles in the determination of which systems are trusted to do what.
There is a significant opportunity here for an open-minded, open source
friendly company to be first, and to have major impact on the behavior
of the industry merely by structuring the attestation interaction
properly.

shap