Comment Articles

The two-edged sword of trust

Rupert Goodwins ZDNet.co.uk

Published: 27 Nov 2002 18:03 GMT

Remember Palladium? That was Microsoft's summer fun announcement this year -- security add-ins for Windows that turn it into a 'trusted system'. In other words, both data and software running on your computer will be able to guarantee that it -- and you -- are what they claim to be, and deny access to anything that hasn't been approved. Not in itself a bad thing even if Microsoft insist on selling it as some sort of super antivirus package, entirely intended to make the lives of the users better.

Predictably, there's been a lot of fuss about Palladium. For some reason, people find the thought of Microsoft setting itself up as the creator and arbiter of trusted systems risible. Perhaps it's the idea of trusting a company that piously intones "we're doing what's right for the users" while religiously making 85 percent profit from those users. And it's true that Palladium could easily be used for very heavy-handed rights management, with the creator of a program or data being able to restrict or destroy your access even after you've bought and registered it. Microsoft says that what people do with it is up to the users and the applications writers and not the company itself -- a tad disingenuous, given the company's history of writing most of the important Windows applications.

Microsoft is right on one point: we need security in our computing. That's long been recognised, with an industry consortium called the Trusted Computing Platform Alliance beavering away to sort out the hardware and software necessary to provide core trusted services. A hundred and seventy companies are in the club with the Gang of Four presiding -- HP, Intel, IBM and Microsoft -- and so far they've produced a specification called TCPA 1.1. Until recently, it wasn't too inaccurate to think of TCPA as being like the hardware and BIOS specification of a PC, with Palladium being the operating system component. The two work together along open standards: there may be a near-monopoly on the OS, but lots of people can do the hardware.

But earlier today, that all changed. In a TV interview for the BBC, Microsoft's UK chief security officer, Stuart Okin, told me that Microsoft is proposing Palladium as the whole of the next version of TCPA, v 1.2. What the other members of the consortium have to say, I cannot tell -- they're unable to talk about it by dint of non-disclosure agreement. That's scary in its own right. But if this goes through, then the single most important standard in e-commerce, digital rights management and program licensing will be controlled by Microsoft, who will own the key intellectual property and will licence it. How much that will cost and what happens if Microsoft takes a dislike to a company isn't clear, but if Microsoft chooses to exercise those rights to maximise its profits it'll make the Windows monopoly seem like a pleasant dream of childhood innocence.