l4-hurd

Re: DRM vs. Privacy


From: Jonathan S. Shapiro
Subject: Re: DRM vs. Privacy
Date: Tue, 08 Nov 2005 09:54:34 -0500

On Mon, 2005-11-07 at 21:01 +0100, Marcus Brinkmann wrote:

> * What is the impact of not having the privacy requirements you want
>   to have?  One recent case I can think of is viruses that send random
>   files to random people in your address book.  What else is there?

Here is a more pertinent example: A while back there was a virus that
was designed to exploit the check posting function of Quicken. It did
this by writing electronic checks back to the virus author. The author,
if I recall correctly, cleared several million dollars before being
caught.

Note that in the absence of enforceable privacy, this cannot be
prevented, even if the check register is encrypted.

Identity theft would be another example.

> * More specifically: No popular system today provides this amount of
>   privacy.  Why is this currently not widely perceived as a problem?
>   (This is another way of asking: Why are current systems not good
>   enough?)

I believe that there are two reasons:

1. Most people just don't track this stuff at all until it hits them
personally. For example, most people still don't think that identity
theft is a big deal. I remember the Steve Jackson Games case with
personal pain. I've spoken to the then-boss of the two secret service
agents who arranged the raid -- they acted substantially beyond their
authority, and she has nothing but disgust for those two individuals.
Steve was essentially driven out of business in clear violation of US
first amendment protections for publishers. Most people don't even know
about the case at all, and they don't believe that it can happen to
them.

2. Most people do not understand or care about the importance of civil
liberties. The house of a colleague of mine was once the subject of a
search where the warrant was clearly and unambiguously illegally
obtained. The judge in the case *agreed* that the warrant was invalid,
but admitted the evidence on the basis of his view that if the police
wanted to search then there was probably adequate cause.

The problem is that judges like this are very real, and in the face of
such judges we cannot rely on the process of law to guard us. And the
simple fact is that *everyone* has *something* in their house that can
become an argument after the fact that something illegal was going on.
This does not make us criminals, but it does make us subject to
political pressure if we choose to be dissidents.

> * What are the legal consequences of implementing or not implementing
>   this feature?  In a system where the sysadmin can edit the content
>   of the machine, he may be liable.  In a system where every change
>   can be (presumably) traced to me, _I_ am liable.  How can I prove
>   that the machine was compromised if there is a strong scientific
>   argument that the machine is "safe"?

This depends on your country, and in some cases your state. Today, I
think that the answer is that there is no liability, as long as we are
not knowingly and actively colluding in the commission of a crime
(which, of course, we have no intention to do).

>   For completeness: If we build such a system, and it turns out to
>   _not_ be safe, are we programmers liable?  Certainly we can't afford
>   to carry such a liability as free software hackers writing in our
>   spare time.

No more so than Microsoft.

> * How do we know that we really achieve privacy?  If the
>   FBI/NSA/CIA/etc can install a cryptographic backdoor in TPM/TCPA
>   chips, it can probably replace the OS without revealing this
>   modification in the remote attestation protocol.  Isn't it better to
>   openly not have privacy than to believe you have privacy without
>   actually having it?

Of the groups you list, I am least worried about NSA. For FBI and CIA
this is a serious concern, depending on the leadership and politics of
the moment. The only answer here is that the balance of economic
interests would make this very hard to execute, because the banking
community and the computer security community would (and did) scream
very loudly. Finally, the vendors know that even a *rumor* of such a
collusion would destroy them in the marketplace.

I think the real threat is from key escrow schemes rather than built-in
compromise of the form you describe.

And even if this actually occurs, at least it will be the case that the
source of threat becomes known and narrowed.

>   Also, what happens if the FBI/NSA/CIA/etc does this, then uses my
>   account to attack some machines, and then sues me?  (I.e., a
>   combination of the last two points.)

What is to stop them from doing this today?

shap