Is Microsoft’s Palladium a Trojan Horse?

When a Microsoft Corp. manager talks about the company’s
new far-reaching computer-security initiative, codenamed Palladium, he
takes care to use inclusive words like “stakeholders” and
“dialogue.” While far from chastened by its continued legal battles, the
software giant knows that Palladium faces an uphill battle to convince its
many critics to put their trust in Microsoft.

The challenge now facing Microsoft is how to convince the skeptics that
Palladium, which the company says will revolutionize computer security and
digital rights management (DRM), isn’t all a plot to gain ever more control
of how technology evolves.

Who Do You Trust?

Although Microsoft has not revealed most of the details, Palladium project
manager Mario Juarez describes it as a virtual vault residing within each
computer, allowing users to store encrypted information and only authorize
certain entities to see it. Palladium would double as a DRM tool, since it
could authenticate who is allowed to see a file or use a program. Microsoft
even boasts it would help users put a stop to the endless amount of spam
hitting their in-boxes.

“This represents a set of new features in the Windows PC architecture,”
Juarez says. “They are all generally focused on giving people better system
integrity, better privacy, and better overall security.”

Since Palladium will reside on the hardware level, Microsoft has signed up
Intel and Advanced Micro Devices (AMD) to make Palladium chips. Microsoft
also has to convince software makers to buy into the Palladium architecture.

“This is something you really need to have in a computer for it to do secure
operations,” explains Chris Wysopal, the director of R&D at @stake, a
computer security firm. “Once you have better security on the hardware
platform, you can start to use for a variety of things.”

It is that variety of things that has critics already lining up to take
shots at the Redmond, Wash., company, with Slashdot users claiming this is
another insidious Redmond plot and privacy advocates questioning whether
putting Microsoft in charge of computer security is like putting the fox in
charge of guarding the hen house.

“The big question from everyone is,” says Elias Levy, a computer-security
expert and CTO of Security Focus, “who is going to have control – is it
going to be in the hands of the user or Microsoft?”

Who Holds the Keys?

When Microsoft talks about Palladium controlling information after it is
sent, stopping unauthorized programs from running, and salting away data,
many eyebrows are arched.

“It’s the ultimate in an Orwellian presentation of the issue,” says Chris
Hoofnagle, the legislative counsel at the Electronic Privacy Information
Center. “You dress up an invasive tool as a helpful one.”

Hoofnagle point to two patents Microsoft took out late last year for a DRM
system, saying such a system could be the kernel of what Palladium will
shape up as, with the potential of putting Microsoft in the position of
blocking, or at least steering, users from non-Microsoft-approved
applications and software.

Juarez says the user will decide whether or not to turn on Palladium.

“Some would like to seize upon the fact that we don’t have all the answers,
and some are skeptical,” he says. “But we know it doesn’t pay to go out to
say anyone has all the answers.”

The skeptics seize on the lack of detailed information to doubt Microsoft’s
intentions.

“Many of the desirable elements [of Palladium] can be obtained without a
system of authentication and control,” Hoofnagle says. “The way Microsoft
wants to solve these problems is to be the gatekeeper of identity.”

For Jason Catlett, the privacy advocate and head of Junkbusters.com,
Palladium appears just as invasive and flawed as Passport, Microsoft’s
online-authentication scheme that rankled privacy groups.

“Microsoft keeps re-labeling their plans for controlling the world’s
personal data,” he says. “I don’t think any number of new names will make it
palatable for Microsoft to be in charge of so much information.”

Will Microsoft Share?

Juarez argues that Microsoft is short on details because Palladium is so
early in development, with it unlikely to be available until at least 2004.

With Intel and AMD signed up, Microsoft has made the first steps toward in
the painstaking task of building widespread industry support for Palladium.
Ironically, the success of Microsoft’s trustworthy computing initiative will
hinge on how much trust it can engender in the industry.

“This can’t be a Microsoft[-only] initiative,” Juarez says. “If it is, it fails.”

Yet while needing partners Microsoft has chosen to develop Palladium
separately from the Trustworthy Computing Platform Alliance (TCPA), which it
founded in 1999 with HP, Compaq, Intel and IBM.

“We view TCPA as a complementary effort,” Juarez says. “We think what we’re
doing here is not designed to be competitive.”

But by integrating Palladium with its Windows operating system (OS),
Microsoft is taking another strike at Linux users. Juarez won’t rule out
Palladium ever being available for alternative operating systems, but it
won’t be initially.

“It’s a technology that has a number of different fronts,” says Levy, the
computer-security expert. “One of which is the push for more secure OS, and
the DRM component, and if they can use it to stall the advancement of open
source, all the better.”

In consulting a variety of government agencies, consumer groups, and
industry analysts, Microsoft hopes Palladium does not become a flashpoint
for criticism.

“We’ve put ourselves in an interesting position here because we’ve invited a
variety of people to get involved here,” Juarez says. “They’re going to hold
our feet to the fire.”

News Around the Web