banner
toolbar
Click Here for Microsoft News
January 30, 1999

Debate on Intel Chip Misses Piracy Issue
By PETER WAYNER
When Patrick Gelsinger, a vice president at Intel, gave one of the first public presentations of the company's new security enhancements before an audience at the RSA Data Security conference in San Francisco this month, he must have realized that the idea of tagging each computer chip with a unique identification number would be controversial.


News Analysis
He was careful to mention that the user could disable the feature at any time. But he, and the rest of the engineering staff at Intel, probably did not expect that the new feature in the Pentium III chip would enrage people enough to generate calls for a boycott from groups like the Electronic Privacy Information Center.

If the engineers didn't expect a great deal of trouble, it may be because they didn't see the feature as a tool for tracking people. They promoted it as a feature for corporate users and the major content industries of Hollywood, both of whom want to track individual machines in order to monitor the flow of information and control the piracy of software and multimedia content.

The movie and record industry are clearly responsible for some of the demand for hardwired ID numbers in computers. They see the personal computer as a tool that makes it easy to make copies without paying for them. A well-equipped modern computer can duplicate most of the features of the average VCR, stereo and videocamera.

"New users is really the mantra around here," Chuck Mulloy, a spokesman for Intel, said Friday in an interview. "We're enabling a more secure environment. People will develop more uses and therefore the PC and Intel will grow."

If Intel does not provide many of the technical foundations for the copy-protection schemes being developed by Hollywood, then it could face the possibility that Hollywood will not release the latest movies and music in a format that will play on PCs.
But such a solution will hurt the honest people as well as the dishonest ones.

A unique chip ID like the one in the Pentium III could be used to help track subscriptions to digital content. When someone bought a subscription, they would provide the ID number for the computer on which it would be used. This solution could help control the distribution of all electronic data. For instance, before an Internet browser could download a copy of pay-per-view movie, the central office could check the unique ID number to make sure it was on an approved list.

"It's a great tool for businesses to manage their computers," Mulloy said. "They have many site licenses for their software. They can maintain lists of PCs and upgrade them remotely."

Intel also imagines that it will be used as another piece of information for adding security to Web sites and data centers. Andrew Barker, the marketing director of platform security at Intel, said: "Ordinarily, you give your account number or name and a password. That's two factors for getting into [a database]. What we're suggesting is that this [processor ID] could become another factor when you go to access a Web site or some information."

The technique may also be attractive for companies controlling access to files. " If you require that they have not only a password, but they also must have a particular machine then it is much harder for them to break in," he said.

But such a solution will hurt the honest people as well as the dishonest ones. People who subscribed to a magazine at home might not be able to read it at work anymore. Nor would it be possible for people to access their subscriptions or restricted Web sites from the road or while visiting friends.

The technology also promises to be salt in the wounds of anyone with a computer that breaks down and must be replaced. Even if the data and software are recovered successfully from the broken machine, they won't work on a new machine until the subscriptions and licenses are recalibrated to use the ID number of the new machine.

This hassle of changing software may also discourage people from upgrading their computer, a development that would not help Intel.

"When you move, you change your address, Barker said. "When you get married, people often change their name. All of these things [indicate] that there are already models for changing." He suggested that the industry would be able to make the change relatively simple.

Still, these debates about access control and the solutions in use are not particularly new. Software piracy has always been a problem for the computer industry, and many companies have experimented with many different copy-protection schemes. Most companies, however, stopped using them because the systems were easy to circumvent. In the end, only the honest users were inconvenienced.


Related Article
Privacy Groups Seek Recall of Intel Chip
(January 29, 1999)

Bruce Schneier, a well-known cryptographer who has designed many similar systems, expresses his doubts about the Intel plan. "We are asked to build these systems all the time and the thing you learn is to attack the weak link," he said. "I'm not worried about the hardware. My problem is that the hardware is only accessed from the software and that's the weak link."

Rob Rivest, another well-known cryptographer, agreed, saying: "It's a small fence, but I think small fences are useful as long as you realize what you're getting."

Mulloy agrees with this characterization. "Nobody's said it has said it's the be all and end all," he said.

A thief could easily edit the copy-protection part of the software and either remove or disable the instructions that check the user ID. A clever user might simply replace them with new instructions that provide the user ID of someone with a legitimate subscription. This easy attack is one of the reasons that many computer software companies don't attempt to build in copy protection.

Still, the new chip ID number is part of an industry effort to create a set of standard features known as the Common Data Security Architecture. Intel is widely believed to be studying more sophisticated solutions that will preclude these simple attacks. Mulloy says that the ID number is " a single piece, in an overall security umbrella" and the other features will begin appearing later.

The Intel engineers may not have anticipated a furor over the Pentium III because computer IDs are already in wide use in the industry. Many high-end computers and workstations from companies like Sun Microsystems already come with a unique number, called the "hostid." Also, one of the most popular technologies for creating local networksn known as an ethernetn is based on giving each computer a unique ID. This assures that two computers can be hooked up to the same network and the information sent to each will not be misrouted.

Intel is implementing the new feature by extending an older feature that provides the model number of a processor chip. In the past, this feature would return a 32-bit number that was calibrated to the model of the chip, so software could assess its power. Now, the feature returns 96 bits and the last 64 bits are a random number that is unique to each chip.

The electronics industry already has a fair amount of experience dealing with the limits of unique ID numbers. The cellular phone industry used to guard against fraud by relying on the security of giving each new cell phone a unique number. Thieves quickly discovered they could capture people's numbers with radios and use them to create new cloned phones. Any calls made with these clones would be billed to the legitimate owner of the phone.

In recent years, the cellular phone industry has adopted more sophisticated encryption technology that helps minimize fraud. Intel is widely believed to be studying such solutions. Still, any such features face major opposition from the Clinton Administration, which continues to heavily regulate the export of computer hardware with encryption capabilities.

Still, while Intel has tried to promote the chip ID as an effort to combat piracy, the debate continues to center on privacy. In response to the criticism, Intel engineers altered the chip's software so that the ID feature arrives disabled. In order to turn it on, the user must access the software that enables the ID then shut down the power of the computer and restart it. This procedure insures that other software will not secretly enable the feature without a user knowing it has happened.

Although privacy experts recognize Intel's effort, they do not feel it is a successful solution. Marc Rotenberg, the director of the Electronic Privacy Information Center, said that once a user visits one Web site that requires the ID, they will have to turn it on and leave it on permanently to continue to visit that site. Reactivating the ID feature just to visit a few demanding Web sites would be too cumbersome.

"This is not like a light switch that you can turn on and off easily. This is more like a switch that's buried deep inside and that not something that will be very easy for end users to take advantage of," he said. "We've got enough experience with Social Security numbers to know that this will become like information flypaper. Everything will stick to this number."

Related Sites
These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability.

Peter Wayner at pwayner@nytimes.com welcomes your comments and suggestions.



Click Here for Microsoft News

Home | Site Index | Site Search | Forums | Archives | Marketplace

Quick News | Page One Plus | International | National/N.Y. | Business | Technology | Science | Sports | Weather | Editorial | Op-Ed | Arts | Automobiles | Books | Diversions | Job Market | Real Estate | Travel

Help/Feedback | Classifieds | Services | New York Today

Copyright 1999 The New York Times Company