Microsoft Palladium: Access denied!

Microsoft has radical plans to install a 'gatekeeper' on personal computers, all in the name of security. But, asks Andy Goldberg, does this have grave implications for consumers?

Monday 15 July 2002 00:00 BST

A new plan by Microsoft to redesign personal computers in the name of improved security may clamp a virtual lock on every new PC, and hand media companies a key to allow them to track and limit how media files are played. The initiative is named after the Greek goddess Palladium, who guarded the gates of Troy. Microsoft casts its Palladium as the digital gatekeeper of the computer world, protecting consumers by checking what can get in and out of PCs. It's touting consumer security, such as an ability to block spam by quarantining e-mails whose senders are not verifiable, and encrypting data in real time, so that only the people and companies you authorise can access it.

But, since details of Palladium leaked out in an unquestioning "exclusive" granted to Newsweek last month, industry analysts, security experts and privacy advocates have unleashed a torrent of criticism. Palladium will give Hollywood studios and record companies the virtually uncrackable digital rights management (DRM) system they dream of. Media files will be embedded with secret codes, programmed by the copyright owners, to play only on machines with verified encryption chips. They will include instructions specifying how many times the files could be copied, how long they could be accessed and to whom they could be sent.

The Palladium virtual vault that will be at the heart of future computers will be dominated by Microsoft and other large software companies, and allow only authorised code to run. This might hobble pirated software and malicious worms, but also block programs that have not gained the Microsoft stamp of approval. Its potential to block open-source software has earned Palladium the reputation of a "Linux killer" on internet message boards. "One word: We're doomed," said Slashdot regular Fuzzup.

Yet Palladium can count on support from the industry, which sees it as Microsoft's contribution to the Trusted Computing Platform Alliance (TCPA), a consortium founded by HP, IBM, Microsoft and Intel that now includes some 180 prominent companies.

The alliance aims to devise a cryptographic computer system to ensure privacy and protect intellectual property. Giant chipmakers, such as Intel and AMD, are working on security chips with unique identification numbers, which will authenticate identities and encrypt information at the heart of the system. All this could happen as early as 2004, when Palladium is expected to be bundled into a major Windows upgrade.

Yet improving consumer security, and blocking spam and viruses, seem to be only a small portion of the package, according to Dr Ross Anderson, the Cambridge computer scientist who chairs the Foundation for Information Policy Research. "TCPA and Palladium do not so much provide security for the user, but for the PC vendor, the software supplier, and the content industry," Anderson says. "They do not add value for the user. Rather, they destroy it, by constraining what you can do with your PC – in order to enable application and service vendors to extract more money from you."

You're not meant to notice that, though. "No doubt Palladium will be bundled with new features so that the package appears to add value in the short term. But the long-term economic, social and legal implications require serious thought," Anderson warns.

But will Palladium work? Steph Marr, a well-known security consultant, sees it as "dangerous and misguided", because it will limit consumers' choice of software to that authorised by Microsoft and its allies. "A lack of cyber-diversity is always dangerous," says Marr. "It increases the effectiveness of any program that can find a flaw in the system."

Bruce Schneier, a cryptography expert and author of Secrets & Lies: Digital Security in a Networked World, says: "If this works, it will be the first time in the history of computing that it works. Lots of encryption is broken all the time because it's done wrong. The odds that this will be secure are actually zero."

Michael Cherry, an ex-Microsoft programmer who now writes about security for the industry newsletter Directions on Microsoft, also has misgivings. But he believes that Microsoft is determined to press on. The initiative stems from Bill Gates's "trustworthy computing" memo: in January, he called on the company to undertake a security jihad. Cherry says that Microsoft may be committed to improving consumer security, but its goals are far from altruistic.

Without trustworthy computing, Microsoft can wave goodbye to its long-term strategy, which envisages web services where you and I store sensitive personal and financial information online, to browse from any computing platform.

But winning corporate trust may trump consumers' interests. "If there is one thing Gates doesn't want, it's for the PC to be prohibited from running protected content. He wants the PC to be the hub of home entertainment, and doesn't want companies such as Sony or Disney to come up with digital-content players that box it out of the marketplace," says Cherry. "He wants to put in enough safeguards so that digital-content owners are comfortable with PCs. It may not be censorship. But it's censorchip."

Consumer-rights advocates have fought such schemes. But with the US Congress signalling its willingness to mandate copy-protection technology into every consumer electronics device, "such a system seems inevitable," says Stephen Keating, executive director of the Privacy Foundation. "The question is whether Microsoft's scheme is the best one. That's hard to know right now. But who else is in a position to do it?"

Even with these drawbacks, Microsoft's vision could be attractive to segments of the market. It would likely be built, as part of Windows, into most of the 120 to 150 million computers sold each year. Most computer users would probably be glad to trade some rights to be free of spam and viruses.

Palladium-enabled computers with built-in DRM would also be attractive to media companies, which could feel emboldened to roll out services such as downloadable video-on-demand. Companies buying computers with Palladium could limit what software their staff install, to stop them downloading music or videos. (Not that they can't already; but it would make it easier.)

Palladium will also apply DRM technology to company documents. Incriminating e-mails from the CEO down would expire long before they could reach investigators. Sensitive information would be better protected against intruders and disgruntled employees wishing to unmask the company secrets. Though in the light of WorldCom and Enron, some might say that the present recording system has its attractions.

"It's a comprehensive change to the security of personal computing," says Rob Enderle, the Microsoft expert at research firm Giga Information Group. "Microsoft wants to make the house secure at the core, rather than just locking the windows."

Enderle, however, believes that leaving the project under the wing of Microsoft and other American companies will doom it to failure, arguing that Microsoft's tainted past will prevent it gaining trust. Without European involvement, he adds, the EU would likely balk at yet another extension of Microsoft and American computer hegemony.

Microsoft, though, is consulting with privacy groups, to contend with some of Palladium's implications for consumer rights. It has promised to make Palladium open-source, though it is too early to tell who will be allowed what access to the code. So Microsoft may yet delight its critics, though its track record suggests not. If it fails, the version of Windows it releases in 2004 has a Slashdot nickname already: Windows 1984.
