March 3, 1999

A Growing Compatibility Issue in the Digital Age:
Computers and Their Users' Privacy

By JOHN MARKOFF

AN FRANCISCO -- The Intel Corporation recently blinked in a confrontation with privacy advocates protesting the company's plans to ship its newest generation of microprocessors with an embedded serial number that could be used to identify a computer -- and by extension, its user.

But those on each side of the dispute acknowledge that it was only an initial skirmish in a wider struggle. From computers to cellular phones to digital video players, everyday devices and software programs increasingly embed telltale identifying numbers that let them interact.

Related Articles Exploiting -- and Protecting -- Personal Information (March 1, 1999) Consumer Groups Ask U.S. to Investigate Intel Chip (February 26, 1999) Privacy Concerns Aside, Consumers and Schools Rush to Get Free PCs (February 25, 1999) Forum Join a Discussion on Online Privacy

Whether such digital fingerprints constitute an imminent privacy threat or are simply part of the foundation of advanced computer systems and networks is the subject of a growing debate between the computer industry and privacy groups.

At its heart is a fundamental disagreement over the role of electronic anonymity in a democratic society.

Privacy groups argue fiercely that the merger of computers and the Internet has brought the specter of a new surveillance society in which it will be difficult to find any device that cannot be traced to the user when it is used. But a growing alliance of computer industry executives, engineers, law enforcement officials and scholars contend that absolute anonymity is not only increasingly difficult to obtain technically, but is also a potential threat to democratic order because of the possibility of electronic crime and terrorism.

"You already have zero privacy -- get over it," Scott McNealy, chairman and chief executive of Sun Microsystems, said at a recent news conference held to introduce the company's newest software, known as Jini, intended to interconnect virtually all types of electronic devices from computers to cameras.

Privacy advocates contend that software like Jini, which assigns an identification number to each device each time it connects to a network, could be misused as networks envelop almost everyone in society in a dense web of devices that see, hear, and monitor behavior and location.

"Once information becomes available for one purpose there is always pressure from other organizations to use it for their purposes," said Lauren Weinstein, editor of Privacy Forum, an online journal.

This week, a programmer in Massachusetts found that identifying numbers can easily be found in word processing and spreadsheet files created with Microsoft's popular Word and Excel programs and in the Windows 95 and 98 operating systems.

Moreover, unlike the Intel serial number, which the computer user can conceal, the numbers used by the Microsoft programs -- found in millions of personal computers -- cannot be controlled by the user.

The programmer, Richard M. Smith, president of Phar Lap Software, a developer of computer programming tools in Cambridge, Mass., noticed that the Windows operating system contains a unique registration number stored on each personal computer in a small data base known as the Windows registry.

His curiosity aroused, Smith investigated further and found that the number that uniquely identifies his computer to the network used in most office computing systems, known as the Ethernet, was routinely copied to each Microsoft Word or Excel document he created.

The number is used to create a longer number, known as a globally unique identifier. It is there, he said, to enable computer users to create sophisticated documents comprising word processing, spreadsheet, presentation and data base information.

Each of those components in a document needs a separate identity, and computer designers have found the Ethernet number a convenient and widely available identifier, he said. But such universal identifiers are of particular concern to privacy advocates because they could be used to compile information on individuals from many data bases.

"The infrastructure relies a lot on serial numbers," Smith said. "We've let the genie out of the bottle."

Jeff Ressler, a Microsoft product manager, said that if a computer did not have an Ethernet adaptor then another identifying number was generated that was likely to be unique. "We need a big number which is a unique identifier," he said. "If we didn't have, it would be impossible to make our software programs work together across networks."

Indeed, an increasing range of technologies have provisions for identifying their users for either technical reasons (such as connecting to a network) or commercial ones (such as determining which ads to show to Web surfers). But engineers and network designers argue that identity information is a vital aspect of modern security design because it is necessary to authenticate an individual in a network, thereby preventing fraud or intrusion.

Last month at the introduction of Intel's powerful Pentium III chip, Intel executives showed more than a dozen data security uses for the serial number contained electronically in each of the chips, ranging from limiting access to protecting documents or software against piracy.

Intel, the largest chip maker, had recently backed down somewhat after it was challenged by privacy advocates over the identity feature, agreeing that at least some processors for the consumer market would be made in a way that requires the user to activate the feature.

Far from scaling back its vision, however, Intel said it was planning an even wider range of features in its chips to help companies protect copyrighted materials. It also pointed to software applications that would use the embedded number to identify participants in electronic chat rooms on the Internet and thereby, for example, protect children from Internet stalkers.

The trade-off: Advanced systems require a profusion of ID numbers.

But in achieving those goals, it would also create a universal identifier, which could be used by software applications to track computer users wherever they surfed on the World Wide Web. And that, despite the chip maker's assertions that it is working to enhance security and privacy, has led some privacy advocates to taunt Intel and accuse it of a "Big Brother Inside" strategy.

They contend that by uniquely identifying each computer it will make it possible for marketers or Government and law enforcement officials to track the activities of anyone connected to a computer network more closely. They also say that such a permanent identifier could be used in a similar fashion to the data, known as "cookies," that are placed on a computer's hard drive by Web sites to track the comings and goings of Internet users.

Putting Privacy on the Defensive

Intel's decision to forge ahead with identity features in its chip technology may signal a turning point in the battle over privacy in the electronic age.

Until now, privacy concerns have generally put industry executives on the defensive.

Now questions are being raised about whether there should be limits to privacy in an Internet era.

"Judge Brandeis's definition of privacy was 'the right to be left alone,' not the right to operate in absolute secrecy," said Paul Saffo, a researcher at the Institute for the Future in Menlo Park, Calif.

Some Silicon Valley engineers and executives say that the Intel critics are being naïve and have failed to understand that all devices connected to computer networks require identification features simply to function correctly.

Moreover, they note that identifying numbers have for more than two decades been a requirement for any computer connected to an Ethernet network.

(Although still found most widely in office settings, Ethernet connections are increasingly being used for high-speed Internet service in the home via digital telephone lines and cable modems.)

All of Apple Computer's popular iMac machines come with an Ethernet connection that has a unique permanent number installed in the factory. The number is used to identify the computer to the local network.

While the Ethernet number is not broadcast over the Internet at large, it could easily be discovered by a software application like a Web browser and transmitted to a remote Web site tracking the identities of its users, a number of computer engineers said.

Moreover, they say that other kinds of networks require identity numbers to protect against fraud. Each cellular telephone currently has two numbers: the telephone number, which can easily be changed, and an electronic serial number, which is permanently put in place at the factory to protect against theft or fraud.

The serial number is accessible to the cellular telephone network, and as cellular telephones add Internet browsing and E-mail capabilities, it will potentially have the same identity capability as the Intel processor serial number.

Other examples include DIVX DVD disks, which come with a serial number that permits tracking the use of each movie by a centralized network-recording system managed by the companies that sell the disks.

Fearing the Misuse of All Those Numbers

Industry executives say that as the line between communications and computing becomes increasingly blurred, every electronic device will require some kind of identification to attach to the network.

Making those numbers available to networks that need to pass information or to find a mobile user while at the same time denying the information to those who wish to gather information into vast data bases may be an impossible task.

Privacy advocates argue that even if isolated numbers look harmless, they are actually harbingers of a trend toward ever more invasive surveillance networks.

"Whatever we can do to actually minimize the collection of personal data is good," said Marc Rotenberg, director of the Electronic Privacy Information Center, one of three groups trying to organize a boycott of Intel's chips.

The groups are concerned that the Government will require ever more invasive hardware modifications to keep track of individuals.

Already they point to the 1994 Communications Assistance for Law Enforcement Act, which requires that telephone companies modify their network switches to make it easier for Government wiretappers.

Also, the Federal Communications Commission is developing regulations that will require every cellular telephone to be able to report its precise location for "911" emergency calls.

Privacy groups are worried that this feature will be used as a tracking technology by law enforcement officials.

"The ultimate danger is that the Government will mandate that each chip have special logic added" to track identities in cyberspace, said Vernor Vinge, a computer scientist at San Diego State University. "We're on a slide in that direction."

Vinge is the author of "True Names" (Tor Books, 1984), a widely cited science fiction novel in the early 1980's, that forecast a world in which anonymity in computer networks is illegal.

Intel executives insist that their chip is being misconstrued by privacy groups.

"We're going to start building security architecture into our chips, and this is the first step," said Pat Gelsinger, Intel vice president and general manager of desktop products. "The discouraging part of this is our objective is to accomplish privacy."

That quandary -- that it is almost impossible to compartmentalize information for one purpose so that it cannot be misused -- lies at the heart of the argument.

Moreover, providing security while at the same time offering anonymity has long been a technical and a political challenge.

"We need to find ways to distinguish between security and identity," said James X. Dempsey, a privacy expert at the Center for Democracy and Technology, a Washington lobbying organization.

So far the prospects are not encouraging. One technical solution developed by a cryptographer, David Chaum, made it possible for individuals to make electronic cash payments anonymously in a network.

In the system Chaum designed, a user employs a different number with each organization, thereby insuring that there is no universal tracking capability.

But while Chaum's solution has been widely considered ingenious, it has failed in the marketplace. Last year, his company, Digicash Inc., based in Palo Alto, Calif., filed for bankruptcy protection.

"Privacy never seems to sell," said Bruce Schneier, a cryptographer and a computer industry consultant. "Those who are interested in privacy don't want to pay for it."