RealTime IT News

Is Microsoft's Palladium a Trojan Horse?

When a Microsoft Corp. manager talks about the company's new far-reaching computer-security initiative, codenamed Palladium, he takes care to use inclusive words like "stakeholders" and "dialogue." While far from chastened by its continued legal battles, the software giant knows that Palladium faces an uphill battle to convince its many critics to put their trust in Microsoft.

The challenge now facing Microsoft is how to convince the skeptics that Palladium, which the company says will revolutionize computer security and digital rights management (DRM), isn't all a plot to gain ever more control of how technology evolves.

Who Do You Trust?

Although Microsoft has not revealed most of the details, Palladium project manager Mario Juarez describes it as a virtual vault residing within each computer, allowing users to store encrypted information and only authorize certain entities to see it. Palladium would double as a DRM tool, since it could authenticate who is allowed to see a file or use a program. Microsoft even boasts it would help users put a stop to the endless amount of spam hitting their in-boxes.

"This represents a set of new features in the Windows PC architecture," Juarez says. "They are all generally focused on giving people better system integrity, better privacy, and better overall security."

Since Palladium will reside on the hardware level, Microsoft has signed up Intel and Advanced Micro Devices (AMD) to make Palladium chips. Microsoft also has to convince software makers to buy into the Palladium architecture.

"This is something you really need to have in a computer for it to do secure operations," explains Chris Wysopal, the director of R&D at @stake, a computer security firm. "Once you have better security on the hardware platform, you can start to use for a variety of things."

It is that variety of things that has critics already lining up to take shots at the Redmond, Wash., company, with Slashdot users claiming this is another insidious Redmond plot and privacy advocates questioning whether putting Microsoft in charge of computer security is like putting the fox in charge of guarding the hen house.

"The big question from everyone is," says Elias Levy, a computer-security expert and CTO of Security Focus, "who is going to have control - is it going to be in the hands of the user or Microsoft?"

Who Holds the Keys?

When Microsoft talks about Palladium controlling information after it is sent, stopping unauthorized programs from running, and salting away data, many eyebrows are arched.

"It's the ultimate in an Orwellian presentation of the issue," says Chris Hoofnagle, the legislative counsel at the Electronic Privacy Information Center. "You dress up an invasive tool as a helpful one."

Hoofnagle point to two patents Microsoft took out late last year for a DRM system, saying such a system could be the kernel of what Palladium will shape up as, with the potential of putting Microsoft in the position of blocking, or at least steering, users from non-Microsoft-approved applications and software.

Juarez says the user will decide whether or not to turn on Palladium.

"Some would like to seize upon the fact that we don't have all the answers, and some are skeptical," he says. "But we know it doesn't pay to go out to say anyone has all the answers."

The skeptics seize on the lack of detailed information to doubt Microsoft's intentions.

"Many of the desirable elements [of Palladium] can be obtained without a system of authentication and control," Hoofnagle says. "The way Microsoft wants to solve these problems is to be the gatekeeper of identity."

For Jason Catlett, the privacy advocate and head of Junkbusters.com, Palladium appears just as invasive and flawed as Passport, Microsoft's online-authentication scheme that rankled privacy groups.

"Microsoft keeps re-labeling their plans for controlling the world's personal data," he says. "I don't think any number of new names will make it palatable for Microsoft to be in charge of so much information."

Will Microsoft Share?

Juarez argues that Microsoft is short on details because Palladium is so early in development, with it unlikely to be available until at least 2004.

With Intel and AMD signed up, Microsoft has made the first steps toward in the painstaking task of building widespread industry support for Palladium. Ironically, the success of Microsoft's trustworthy computing initiative will hinge on how much trust it can engender in the industry.

"This can't be a Microsoft[-only] initiative," Juarez says. "If it is, it fails."

Yet while needing partners Microsoft has chosen to develop Palladium separately from the Trustworthy Computing Platform Alliance (TCPA), which it founded in 1999 with HP, Compaq, Intel and IBM.

"We view TCPA as a complementary effort," Juarez says. "We think what we're doing here is not designed to be competitive."

But by integrating Palladium with its Windows operating system (OS), Microsoft is taking another strike at Linux users. Juarez won't rule out Palladium ever being available for alternative operating systems, but it won't be initially.

"It's a technology that has a number of different fronts," says Levy, the computer-security expert. "One of which is the push for more secure OS, and the DRM component, and if they can use it to stall the advancement of open source, all the better."

In consulting a variety of government agencies, consumer groups, and industry analysts, Microsoft hopes Palladium does not become a flashpoint for criticism.

"We've put ourselves in an interesting position here because we've invited a variety of people to get involved here," Juarez says. "They're going to hold our feet to the fire."