"Palladium" and TCPA

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Sat, 29 Jun 2002 21:18:01 +0100


I've been in Stanford the last few days for a conference and a number of
people have been giving me more information on TCPA/ Palladium. It is
clear that it was from the start a DRM project (Bill admits this) and
there also appear to have been plans from the start to include the
`document revocation list' idea. However, this does not need TCPA to work.
Now that modern versions of Windows phone home regularly for updates, it
is simple to roll out the ability to look for and disable a specific 
piece of pirate software. Suppose that everyone in China starts using
Office, copy no. 234567; it makes sense (at least from the short-term
viewpoint of Microsoft shareholders) to have a mechanism to revoke this
and cause it to not work.

If you're going to roll out such a mechanism, how do you engineer it? My
sources suggest that files will be revocable by application ID, machine ID,
content and a number of other criteria.

I'm not impressed by arguments that TCPA's mechanisms will be insufficiently
strong, and that some people will defeat them. Even if they work only 25% 
of the time, they will make a huge difference to Microsoft's bottom line,
and the holes can be closed down gradually.

The mere existence of a mechanism that can be used for remote censorship is
sufficiently bad that we should do what we can to stop it. Markus says that
this is a matter for legislators; I fully agree. The EU copyright directive
should mandate continuing access to protected content for legal deposit
libraries, and we should see this reflected in the copyright regulations
due to be published any time now. That's a useful limit on the potential
harm done by TCPA/ Palladium, but is not enough. The temptation for software
vendors to roll out revocation mechanisms, and the potential for these to
be abused for censorship, are such that we will probably need legislative
controls on document revocation. These are going to be messy. For example,
the Fishman affidavit is forbidden in the USA, but published on websites in
Holland and Germany. Will a US court be able to order its removal from PCs
in Germany?

Ross