Let¹s see some ID, please
The end of anonymity on the Internet?
By Michael Rogers
Special to MSNBC
Updated: 7:53 a.m. ET Dec. 13, 2005
URL: http://www.msnbc.msn.com/ID/10441443/

As the joke goes, on the Internet nobody knows you¹re a dog. But although
anonymity has been part of Internet culture since the first browser, it¹s
also a major obstacle to making the Web a safe place to conduct business:
Internet fraud and identity theft cost consumers and merchants several
billion dollars last year. And many of the other more troubling aspects of
the Internet, from spam emails to sexual predators, also have their roots in
the ease of masking one¹s identity in the online world.

Change, however, is on the way. Already over 20 million PCs worldwide are
equipped with a tiny security chip called the Trusted Platform Module,
although it is as yet rarely activated. But once merchants and other online
services begin to use it, the TPM will do something never before seen on the
Internet: provide virtually fool-proof verification that you are who you say
you are.

Some critics say that the chip will change the free-wheeling Web into a
police state, while others argue that it¹s needed to create a safe public
space.  But the train has already left the station: by the end of this
decade, a TPM will almost certainly be part of your desktop, laptop and even
cell phone.

The TPM chip was created by a coalition of over one hundred hardware and
software companies, led by AMD, Hewlett-Packard, IBM, Microsoft and Sun. The
chip permanently assigns a unique and permanent identifier to every computer
before it leaves the factory and that identifier can¹t subsequently be
changed. It also checks the software running on the computer to make sure it
hasn¹t been altered to act malevolently when it connects to other machines:
that it can, in short, be trusted. For now, TPM-equipped computers are
primarily sold to big corporations for securing their networks, but starting
next year TPMs will be installed in many consumer models as well.

With a TPM onboard, each time your computer starts, you prove your identity
to the machine using something as simple as a PIN number or, preferably, a
more secure system such as a fingerprint reader. Then if your bank has TPM
software, when you log into their Web site, the bank¹s site also ³reads² the
TPM chip in your computer to determine that it¹s really you. Thus, even if
someone steals your username and password, they won¹t be able to get into
your account unless they also use your computer and log in with your
fingerprint. (In fact, with TPM, your bank wouldn¹t even need to ask for
your username and password ‹ it would know you simply by the identification
on your machine.)

The same would go for online merchants ‹ once you¹d registered yourself and
your computer with an Amazon or an e-Bay, they¹d simply look for the TPM on
your machine to confirm it¹s you at the other end. (Of course you could
always ³fool² the system by starting your computer with your unique PIN or
fingerprint and then letting another person use it, but that¹s a choice
similar to giving someone else your credit card.)

Another plus for the TPM is that your computer will be able to make sure
that it¹s really a legitimate e-commerce site you¹re connected to, and not
some phishing-style fraud. There would still, of course, be ways that you
could access your bank or e-commerce accounts from other computers when you
were traveling, but the connection wouldn¹t be as secure as using your own
computer. Plans are already underway to put TPMs into smartphones and other
portable devices as well.

The TPM will become even more important as we move toward Web-based
applications, where we may actually store our documents and files on remote
servers. The TPM could automatically encrypt any files as soon as they left
your computer, and only allow decryption privileges to your TPM and any
others you might specify. It could automatically encrypt email as well, so
that only specific recipients are able to read it. And it could more firmly
identify where email originates, taking a big step forward in controlling
spam at the source.

That is the potential good news. But some critics are worried that the TPM
is a step too far.  Their concern particularly revolves around using the TPM
to control ³digital rights management² ‹ that is, what you can and cannot do
with the music, movies and software you run on your computer.

A movie, for example, would be able to look at the TPM and know whether it
was legally licensed to run on that machine, whether it could be copied or
sent to others, or whether it was supposed to self-destruct after three
viewings. If you tried to do something with the movie that wasn¹t allowed in
the license, your computer simply wouldn¹t cooperate.

The same would go for software. Now that Apple is moving to Intel
processors, Mac fans are watching closely to see if the new machines will
incorporate TPMs. That may be the way that Apple makes sure that its
Macintosh operating system only runs on Apple computers ‹ otherwise, hackers
will probably be quick to figure out ways to make the new Intel-based
Macintosh software run on HP or Dell machines as well. Similar concerns
arise around how Microsoft might make use of TPM to insure that its software
is used only on machines with paid-up licenses (as one joke has it: ³TPM is
Bill Gates¹ way of finally getting the Chinese to pay for software.²)

Ultimately the TPM itself isn¹t inherently evil or good.  It will depend
entirely on how it¹s used, and in that sphere, market and political forces
will be more important than technology.  Users will still control how much
of their identity they wish to reveal ‹ in fact, for complex technical
reasons, the TPM will actually also make truly anonymous connections
possible, if that¹s what both ends of the conversation agree on.  And should
a media or software company come up with overly Draconian restrictions on
how its movies or music or programs can be used, consumers will go
elsewhere.  (Or worse: Sony overstepped with the DRM on its music CDs
recently and is now the target of a dozen or so lawsuits, including ones
filed by California and New York.)

To future historians, the anonymity we¹ve experienced in the first decade of
the commercial Internet may in retrospect seem aberrant.  In the real world,
after all, we carry multiple forms of fixed identification, ranging from our
faces and fingerprints to drivers¹ licenses and social security numbers.
Some of these are easier to counterfeit than others, but generally most of
us are more comfortable when we can prove who we are.  In some situations ‹
driving cars, boarding aircraft ‹ we¹re required to have identification.  Of
course, our real world policies on identification ‹ what kind we must have,
when we need to display it ‹ have evolved over centuries of social and
political thought and is still, post 9/11, a national hot-button.  With the
arrival of the Trusted Computing Module, the argument will now extend to
cyberspace as well.

© 2005 MSNBC Interactive

© 2005 MSNBC.com

You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.

Reply via email to