TPM and Positive ID


There's an article at MSNBC about how Trusted Computing Platform (TCP) chips, already installed in many computers, could be used to provide "positive ID" on the Internet and end anonymity. I find articles dealing with Internet identity in the mainstream media usually scare me--and this one is no exception.

What scares me is the willingness people have to sweep aside technical hurdles, privacy concerns, and practicality in wide-eyed optimism about how technology will eventually solve all our Identity problems.

With a TPM onboard, each time your computer starts, you prove your identity to the machine using something as simple as a PIN number or, preferably, a more secure system such as a fingerprint reader. Then if your bank has TPM software, when you log into their Web site, the bank's site also "reads" the TPM chip in your computer to determine that it's really you. Thus, even if someone steals your username and password, they won't be able to get into your account unless they also use your computer and log in with your fingerprint. (In fact, with TPM, your bank wouldn't even need to ask for your username and password -- it would know you simply by the identification on your machine.)

The same would go for online merchants -- once you'd registered yourself and your computer with an Amazon or an e-Bay, they'd simply look for the TPM on your machine to confirm it's you at the other end. (Of course you could always "fool" the system by starting your computer with your unique PIN or fingerprint and then letting another person use it, but that's a choice similar to giving someone else your credit card.)

Another plus for the TPM is that your computer will be able to make sure that it's really a legitimate e-commerce site you're connected to, and not some phishing-style fraud. There would still, of course, be ways that you could access your bank or e-commerce accounts from other computers when you were traveling, but the connection wouldn't be as secure as using your own computer. Plans are already underway to put TPMs into smartphones and other portable devices as well.
From Let's see some ID, please - The Practical Futurist - MSNBC.com
Referenced Thu Dec 15 2005 09:51:22 GMT-0700 (MST)
MasterCard paypass advertisement
MasterCard paypass advertisement

The first question that comes to mind is why do I want to use a 30lb desktop as a security fob. Wouldn't it make more sense to just use security fobs if that's the problem we're trying to solve. Oh, I remember why: people don't like them.

Ironically, as I read the article an ad for MasterCard's paypass token based payment system was shown to me (see right). So while the industry is trying to sneak heavyweight DRM into our living rooms under the guide of "making us safer," MasterCard is giving us RFID based payment solutions with, as far as I can tell, single factor authenticate (if you have it, you can use it). I believe people will almost always opt for convenience over security and privacy. This is an example of that.

The article gives a nod to fears that TPM could be used in draconian ways, but then blithely states:

And should a media or software company come up with overly Draconian restrictions on how its movies or music or programs can be used, consumers will go elsewhere. (Or worse: Sony overstepped with the DRM on its music CDs recently and is now the target of a dozen or so lawsuits, including ones filed by California and New York.)
From Let's see some ID, please - The Practical Futurist - MSNBC.com
Referenced Thu Dec 15 2005 09:56:08 GMT-0700 (MST)

I'm not sure it's that easy. With TPM as part of the landscape, there may not be much recourse. TPM is like the Sony rootkit installed in the hardware. When you buy it and the OS that activates it, you'll be implicitly stating that you accept the controls it places on you.

I think we're in great danger of changing the nature of not only the Internet, but computing itself. With only a few mainstream processor manufacturers, we're at their mercy. We could easily see a world where only the applications Microsoft or Apple has "approved" would run on your machine. That scares me.