Emerging Technologies of Ownership
posted by:Spike Gronim // 11:59 PM // June 20, 2006 // ID TRAIL MIX
The social concept of ownership as applied to physical objects is broadly accepted and easily enforced. Whoever controls an object and has the right to transfer this control to others owns the object. In principle this definition applies to digital content as well. Difficulties arise, though, when abstract legal principles meet common social practice and technological realities. People typically describe the (legally purchased) music on their computers as "my music" In fact, as the Apple iTunes® terms of service state, this music remains the property of the content producers and their affiliates. A group of companies called the Trusted Computing Platform Alliance (TCPA) are working hard to enforce ownership of digital content using new technologies. These new technologies extend the current software-only content control systems with hardware components. What can these technologies do, what are they being used for, and what does all this mean for consumers' autonomy?
The Trusted Platform Module (TPM)  is a representative example of a digital ownership enforcement technology. The TPM is a microprocessor attached to the motherboard of a notebook or desktop computer. Its purpose is to provide a "platform root of trust"  that allows a computer to prove things about itself to other computers across a network. For example a TPM allows the computer to prove that it was manufactured by a certain company and has an authentic TPM chip. In order to accomplish this the TPM has cryptographic capabilities built in, such as RSA encryption and signatures. Before a computer leaves the factory the TPM generates an RSA public/private key pair that serves as its "Endorsement Key". The TPM holds the private key in its own memory. Ideally, nobody (including the manufacturer) knows this private key. The manufacturer then uses their RSA key pair to sign the TPM's public key, creating a certificate of authenticity endorsing the TPM. All the various manufacturers' RSA key pairs are in turn endorsed with certificates from the TCPA organization. This forms a chain of trust from the TCPA to the TPM, allowing any Internet-connected computer to verify the authenticity of a given TPM.
Remotely authenticating a TPM might seem like an obtuse and technical procedure, but without hardware support content control will always be imperfect. A non-TPM computer can do anything the user programs it to do. Apple iTunes® uses software tools to prevent unauthorized use of downloaded content . The content is encrypted, and the software will only decrypt the content for use on authorized computers for authorized purposes. Software-only content control is fundamentally weak. The root of this weakness is the user's complete control over the computer. In order to play the music it must be decrypted, if only temporarily, and the decrypted form must appear somewhere in the computer's memory. A skilled user can access any portion of their computer's memory at any time. Accessing the correct parts of memory in an efficient manner is of real practical complexity, leading to practical security benefits for the content producer. Regardless of practical challenges it is theoretically possible to circumvent any such software-only content control system.
Fully incorporating the TPM into a computer's software "stack" could enable strong content control. The term stack refers the layered nature of computer software: applications depend on operating systems that in turn depend on hardware. The remote authentication feature of the TPM allows remote computers to establish a secure channel with the TPM. This means that a content producer can send messages to a consumer's computer addressed to the computer's TPM. Using basic cryptography tools and the Endorsement Key, the TPM and the content producer can each determine whether the consumer programmed their computer to alter the messages in transit. The content producer now knows that the TPM is authentic and therefore not under the consumer's control. The TPM can then examine the operating system and tell the content producer whether or not it is identical to the version released by the vendor. At this point the content producer has authenticated the bottom layers of the stack - the hardware and the operating system. Proceeding similarly, the content producer can move up the stack until they are confident that everything is in order - that is, not under the consumer's control.
Before going any further we must address some of the hype and fear surrounding TPM. The members of the TCPA hype TPM as a broad solution to many security and privacy problems. Without going into the details I have reservations about the technical and business arguments for the benefits of TPM. I am not convinced that some of the problems allegedly solved by TPM require it, nor am I convinced that the TPM architecture is sound and secure. As TPM matures, the market and the security community will answer these questions. For now I take vendors' technical statements at face value in order to evaluate how TPM affects ownership of digital content. Some security researchers and open source software advocates fear that TPM will be blatantly abused by its creators. Content, including the operating system itself, will be remotely disabled by vendors without cause. Linux won't run on TPM-enabled computers. Governments will compel vendors to use TPM to ban certain documents. In reality these fears are overblown. Intel recommends that TPM units should be shipped disabled by default and with certain potentially invasive features disabled permanently. There are serious backwards-compatibility issues involved in implementing full-stack TPM that have so far kept proposed uses in niche areas, such as digital music ownership.
The striking thing about TPM is that it takes on the role of the owner. Using the techniques outlined above, control of content is transferred from the producer to the TPM itself. Returning to our initial definition of ownership we see that the TPM, not the consumer, ends up owning TPM-protected content. The user cannot control the content; the encryption key held only by the TPM prevents this. Nor can the user transfer control without the TPM's consent. In the case of digital music this new technical reality seems to be in line with existing copyright principles. Problems arise when the technical implications of TPM content ownership are worked through. From the content producer's point of view it is meaningless to attempt TPM control of only the application layer. The application's entire memory is accessible to the operating system. In general, control of any lower layer of the stack implies theoretical control of higher layers. Thus TPM ownership of music requires TPM ownership of the operating system.
At this point we have deviated from the established principles of ownership. Of course operating system vendors' copyrights imply ownership of their software. The requirements of TPM controlled music go beyond the rights granted copyright holders. Non-TPM operating systems grant their users full autonomy except in narrowly defined situations (such as unauthorized copying of the operating system itself). A full-stack TPM-enabled operating system introduces an extensible system by which consumers' activities can be directly controlled by a network of third parties. Regardless of the legal and ethical validity of such controls' end purposes, TPM implies a transition from general autonomy and specific controls to general controls.
William "Spike" Gronim (firstname.lastname@example.org) is a software developer and alumnus of the Carnegie Mellon University Data Privacy Lab.
 http://www.apple.com/support/itunes/legal/terms.html §13 (a)
 Bajika, Sundeep. Trusted Platform Module (TPM) based Security on Notebook PCs - White Paper. June 20, 2002. Accessed at http://developer.intel.com/design/mobile/platform/downloads/Trusted_Platform_Module_White_Paper.pdf on June 18, 2006.
 Ibid. p. 7.
 RSA can be used to encrypt/decrypt and sign messages. Suppose Alice wishes to send Bob a confidential message. Bob generates two long numbers with certain mathematical properties, a public key and a private key. The public key is made available to everyone, while only Bob knows his private key. Alice can use Bob's public key to transform her message such that it is only meaningful to someone in possession of Bob's private key. If Bob wants to prove his identity he can sign his message by creating a short number (the signature) based on his private key and the message. Alice can use the signature, the message, and Bob's public key to determine whether someone with knowledge of Bob's private key created the signature. See http://en.wikipedia.org/wiki/RSA for a more complete description.
 Bajika 2002, p. 8.
 This software is called FairPlay. See http://en.wikipedia.org/wiki/FairPlay.
 Bajika 2002, p. 19.
Thanks for the thoughtful post, Spike. I wonder: If you're right, could we say that there's a danger of consumers being defrauded through TPM use? Consumers pay for ownership of content, but, thanks to the TPM, they never really get it.
Posted by: David Matheson at June 22, 2006 05:42 PM