The "Fritz" chip and TCPA standards
August 21, 2005
The article that follows, by Ross Anderson (boxed), is thoroughly documented but quite long. What do all these obscure terms mean, in a few words, for someone unfamiliar with the subject?
- Machines will be equipped with a "resident Trojan horse," a chip nicknamed "Fritz," capable of continuously scanning your entire machine and reporting back without your knowledge as soon as you connect to the Internet. This will constitute a "legal Trojan horse," justified under the guise of security concerns and software and content ownership issues.
- This chip already exists on current modern machines, but it is not "active." It will become active once TCPA standards are adopted by various countries. Fritz will then be able to, legally, explore the contents of your machine. If it detects pirated software, it will erase it. If it finds on your hard drive files you've received that at some point used software components not properly licensed, it will erase them without even notifying you.
- This system is designed to increase monopolistic power and combat free software movements. Microsoft dreams of a world where users are charged even a tiny fee every time they use software. In practice, the system could control all exchanges between individuals. If Big Brother ever moves into your home, his first residence will be... your computer. The term used by the system's designers is "trusted computer." One argument advanced will be the elimination of spam and viruses. But this is false, because spammers and virus creators will also adopt TCPA platforms.
- Beyond this, a philosophical question emerges: Who owns computing? It seems as if the computer industry's trusts are trying to completely monopolize and profit from every single use of the tool, like Gutenberg claiming royalties every time you read a book or the Lumière brothers demanding fees every time you go to see a movie. Microsoft is immensely wealthy. But it appears its global appetites are fundamentally insatiable—Bill Gates dreams of "making the Chinese pay." In the coming years, two radically opposed positions will clash: those who believe everything must be paid for, and those who believe talented individuals should contribute part of their knowledge and skill to society selflessly.
- How will people react? The trusts count on complete user submission, on their passive and unconditional acceptance of the system "because of the benefits it will bring." But it's possible that resistance movements, already active, will grow stronger—users may prefer to stay "at home," using less powerful tools, rather than feel constantly watched and controlled in every action.
To be continued.
- What is TCPA and Palladium?
TCPA stands for "Trusted Computing Platform Alliance"; it is a project developed by Intel. "A new computing platform for the next century that will improve trust in the PC world," is Intel's stated goal. Palladium is a software Microsoft claims it will incorporate into future versions of Windows; it will be installed on TCPA machines and add some extra functionalities.
- In concrete terms, what are TCPA and Palladium for?
They provide a computing platform where you cannot tamper with software, and where software can securely communicate with its publisher. The most obvious application is "digital rights management" (DRM): Disney could sell DVDs that are decrypted and played only on a Palladium platform, but which you cannot copy. Record companies could sell online music you cannot exchange. They could sell CDs you can only listen to three times, or only on your birthday. All sorts of new marketing variants become possible.
It will be much harder with TCPA/Palladium to use unlicensed software.
Pirated software could be detected and erased remotely.
In addition to sales, software rental will be facilitated; and in case of payment default, not only will the software stop working, but perhaps also the files it created.
For years, Bill Gates dreamed of finding a way to make the Chinese pay for software: Palladium could be the answer to his prayer.
There are many other applications.
Governments could ensure that Word documents created by civil servants are automatically classified "Defense Secret" and that electronic leaks to journalists become impossible.
Auction sites could force you to use accredited intermediary software for bidding, so you cannot engage in tactical bidding. It could become harder to cheat in computer games.
There is also a downside: online censorship. The mechanisms designed to remotely erase pirated music could be used to erase documents deemed defamatory by a court (or a software company); this could apply to pornography as well as critical articles about political leaders.
Software publishers could also make it harder to switch to competitors' products; for example, Word could lock all your documents using keys accessible only to Microsoft products; meaning you could only read them using Microsoft products, and not with any competing word processor.
- So I won't be able to play MP3s on my computer anymore?
With current MP3s, you might still be able to do so for some time. Microsoft claims nothing will suddenly stop working with Palladium. Yet a recent update to Windows Media Player sparked controversy because it asked users to accept future anti-piracy measures, which could go as far as erasing pirated content found on your computer.
Moreover, it's likely that some software offering users better control over their PCs—like VMware and Total Recorder—won't work with TCPA. You'll probably be forced to use a different player. And although your player might play pirated MP3s, it's unlikely you'll be allowed to play new tracks, which will be protected.
It will be up to the software to define the security rules for its files, using an online dedicated server. Media Player will thus determine what kinds of restrictions are attached to protected tracks, and I expect Microsoft to strike various deals with content providers, who will experiment with all sorts of commercial practices. You might receive CDs at a third of the normal price but only be able to play them three times; if you pay the remaining two-thirds, you get full rights. You might be allowed to lend a digital copy of a music track to a friend, but you couldn't listen to your own copy until your friend returns the copy. In fact, you probably won't be able to lend music at all anymore. These rules will make life difficult for some people; a zoning policy could prevent you from watching the Polish version of a movie if your PC was bought outside Europe.
All of this could already be done today; Microsoft would only need to download a patch for your media player! But once TCPA/Palladium prevents users from altering the playback software and facilitates Microsoft's control over updates and patches, it will be much harder to avoid, and it will be a much more pleasant way to do business!
- How does it work?
TCPA provides a monitoring and alert component to be embedded in future PCs.
The preferred implementation in the first phase of TCPA is a "Fritz" chip: a chip similar to a smart card or a dongle soldered onto the motherboard.
When you boot your PC, Fritz takes control. It checks that the boot ROM is compliant, executes it, checks the machine's state; then it checks the first part of the operating system, loads and executes it, checks the machine's state, and so on.
The trusted perimeter, encompassing hardware and software considered known and verified, is regularly expanded. A table of hardware (audio card, video card, etc.) and software (operating system, drivers, etc.) is kept updated; Fritz checks that hardware components are on the "TCPA-approved" list, that software components have been signed, and that none of them has a serial number that has been revoked. If the PC's configuration has undergone significant changes, the machine must reconnect online to be certified. In the end, the PC boots in a well-defined state, with a combination of hardware and software (whose licenses have not expired) duly approved. Authority is then transferred to a system monitoring software; this will be Palladium if you're using Windows.
Once the machine is in this state, Fritz can certify it to third parties: for example, it will run an authentication protocol with Disney to demonstrate that this machine is fit to receive "Snow White." That is, it certifies that the PC is currently running authorized software: MediaPlayer, DisneyPlayer, or another. Disney's server then sends encrypted data and a key that Fritz will use to decrypt it. Fritz only provides the key to authorized software and only as long as the environment remains "trusted." This notion of "trust" is determined by the security policy downloaded from a server where the software publisher has full authority. This means Disney can decide to provide its latest releases for a multimedia player in exchange for a contract stipulating that the software won't make unauthorized copies, and that certain conditions must be met (including the definition of the TCPA security level). These could also be financial conditions: Disney could, for example, require that the software charge a dollar every time you watch the movie.
In fact, the software itself could be rented, and this is a particularly interesting aspect for software publishers. The possibilities seem limited only by marketers' imagination.
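As an added illustration (not code from the original article), here is a toy model of the measurement chain and attestation exchange described above: each boot stage is hashed into a running register, the chip quotes that register to a content server, and the server replays the event log against its approved list and revoked serial numbers before releasing a key. All component names, serial numbers and the HMAC-based quote are constructed assumptions; a real chip signs the register with an asymmetric key.

```python
import hashlib
import hmac
import secrets

# --- Platform side: the "Fritz" chip measures each boot stage ------------------
ZERO = b"\x00" * 32

def extend(register: bytes, measurement: bytes) -> bytes:
    """Fold one measurement into the running register. Order matters, so a
    stage that is skipped, swapped or altered changes the final value."""
    return hashlib.sha256(register + measurement).digest()

def measure_boot(stages):
    """stages: list of (component name, code bytes). Returns (register, event log)."""
    register, log = ZERO, []
    for name, blob in stages:
        digest = hashlib.sha256(blob).hexdigest()
        register = extend(register, bytes.fromhex(digest))
        log.append((name, digest))
    return register, log

def quote(chip_key: bytes, register: bytes, nonce: bytes) -> bytes:
    """The chip attests the register to a third party. A real TPM signs with an
    asymmetric key; HMAC over a per-chip secret is a simplification (assumption)."""
    return hmac.new(chip_key, nonce + register, hashlib.sha256).digest()

# --- Verifier side: the content server decides whether to release a key -------
def attest(chip_key, nonce, register, sig, log, serials, policy):
    """policy: {"approved": {name: digest}, "revoked": {serial, ...}}.
    Returns (ok, reason) after replaying the log and checking it against policy."""
    if not hmac.compare_digest(quote(chip_key, register, nonce), sig):
        return False, "quote signature invalid"
    replay = ZERO
    for _, digest in log:
        replay = extend(replay, bytes.fromhex(digest))
    if replay != register:
        return False, "event log does not replay to the attested register"
    for name, digest in log:
        if policy["approved"].get(name) != digest:
            return False, f"{name}: not on the approved list"
        if serials.get(name) in policy["revoked"]:
            return False, f"{name}: serial number revoked"
    return True, "trusted: release content key"

# --- Constructed sample data (not real firmware images or license numbers) -----
CHIP_KEY = b"per-chip-secret-demo"
BOOT_ROM, OS_LOADER, PLAYER = b"rom v1", b"loader v1", b"player v1"
SERIALS = {"boot_rom": "ROM-001", "os_loader": "OS-123", "player": "PLY-777"}
APPROVED = {name: hashlib.sha256(blob).hexdigest() for name, blob in
            [("boot_rom", BOOT_ROM), ("os_loader", OS_LOADER), ("player", PLAYER)]}
POLICY = {"approved": APPROVED, "revoked": set()}

def run(stages, serials=SERIALS, policy=POLICY):
    """Full exchange: boot, quote with a server-chosen nonce, then verify."""
    nonce = secrets.token_bytes(16)
    register, log = measure_boot(stages)
    sig = quote(CHIP_KEY, register, nonce)
    return attest(CHIP_KEY, nonce, register, sig, log, serials, policy)

if __name__ == "__main__":
    good = [("boot_rom", BOOT_ROM), ("os_loader", OS_LOADER), ("player", PLAYER)]
    print(run(good))                                                 # trusted
    print(run([("boot_rom", BOOT_ROM), ("os_loader", b"patched"), ("player", PLAYER)]))
    print(run(good, policy={"approved": APPROVED, "revoked": {"OS-123"}}))
```

The third call shows the point made later on this page: a component whose serial number has been revoked is refused even though its code is unchanged and approved.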
- What else can TCPA and Palladium be used for?
TCPA can also be used to impose stricter access conditions on confidential documents.
For example, an army might decide that its soldiers create only Word documents labeled "confidential" or higher, and that only a TCPA PC with a certificate issued by its intelligence agency can read them. This is called "mandatory access control," and governments are particularly interested in it. The announcement of Palladium suggests this will be a feature of Microsoft products: you could configure Word to encrypt all documents produced in a specific compartment of your machine, and share them only with users in a defined group.
Large companies could have the same capabilities, making it difficult to report illegal practices. They could ensure that all company documents are readable only on their own PCs, unless a duly authorized person lifts the restriction.
They could also create expiration dates: they could ensure, for example, that all emails disappear after 90 days, unless explicitly decided otherwise. (Think how useful this would have been for Enron, or Arthur Andersen, or even Microsoft during their antitrust trial.) The mafia could use the same facilities: they could ensure that spreadsheets detailing the latest drug deliveries can only be read by mafia-accredited PCs, and disappear at the end of the month. This could make the FBI's job harder; although Microsoft is discussing with governments whether police and spies will have access to the master keys.
In any case, an employee who emails a document to a journalist will achieve little, since the journalist's Fritz chip won't provide the key needed to decrypt it.
TCPA/Palladium also seems intended for use in electronic payment systems. One of Microsoft's visions is that most features currently developed around bank cards could migrate into software once those are made tamper-proof.
This is necessary if we are to live in a future where we pay for the books we read and the music we listen to, by the cent per page or minute.
Even if these business models cannot work—and there are strong arguments against it—this is clearly a major issue for online payment systems, and it could have repercussions for users. If in ten years, online shopping with a bank card becomes unpleasant unless you use a TCPA or Palladium platform, this will push a large number of people toward this system.
- Okay, so there will be winners and losers; Disney could gain a lot and smart card manufacturers might go bankrupt. But it's certain that Microsoft and Intel aren't investing billions out of pure generosity! How do they expect to make money?
My spies at Intel say it's purely a defensive posture. Since they make most of their money selling PC microprocessors, and their market share is nearly maximal, they can only grow their business by expanding the market size. They are determined that the PC become the center of the future home electronic network. If electronic entertainment is the golden goose, and digital rights management (DRM) becomes the technology enabling it, then the PC must adopt DRM or risk being replaced in the consumer market.
Microsoft was also motivated by the desire to annex the entire entertainment industry into its empire. But they stand to gain big if TCPA or Palladium becomes widespread, since they could use it to drastically reduce software copying. "Making the Chinese pay for software" is a very important matter for Bill; with Palladium, he can link each PC to its individual, legal copy of Office, and with TCPA he can link each motherboard to its individual, legal copy of Windows. TCPA will also maintain a global blacklist of serial numbers of all pirated Office copies.
Finally, Microsoft would like to make it more costly to abandon its products (like Office) and switch to competitors' products (like OpenOffice). It could increase update prices without causing user flight.
- Where did this idea come from?
It first appeared in an article by Bill Arbaugh, Dave Farber, and Jonathan Smith, "A Secure and Reliable Bootstrap Architecture," in the proceedings of the "IEEE Symposium on Security and Privacy" (1997), pages 65-71. A patent was filed in the USA: "Secure and Reliable Bootstrap Architecture," U.S. Patent No. 6,185,678, filed on February 6, 2001. Bill developed his ideas during a project he worked on for the NSA in 1994 on code signing. Microsoft people also filed a patent application on the operating system part. (The patent texts are available here and there.)
There are certainly many earlier works. Markus Kuhn wrote the TrustNo1 Processor years ago, and the basic ideas—“a specialized trusted controller for security functions”—date back at least to an article written by James Anderson for the USAF in 1972. Since then, it has been a subject of reflection for secure systems in the U.S. military.
- How is it connected to the Pentium 3's serial number?
Intel started in the mid-1990s a program that could have installed the Fritz chip functionality within the PC's main processor, or in 2000 within the cache control chip. The Pentium's serial number was an initial step in this direction. Public backlash apparently forced them to pause, then form a consortium with Microsoft and others to gain safety in numbers.
- Why is the monitoring chip called "Fritz"?
In honor of Senator Fritz Hollings of South Carolina, who has been tirelessly working in the U.S. Congress to make TCPA a mandatory component in all consumer electronics.
- Okay, so TCPA prevents kids from burning music and helps companies keep confidential data secure. It could also help the mafia, unless the FBI gets a secret backdoor—which I consider inevitable. But besides pirates, industrial spies, and activists, who else does this bother?
Many companies could lose out. The European smart card industry, for example, would be hit, since functions currently provided by their products would move into the Fritz chips in laptops, PDAs, and third-generation mobile phones. In fact, most of the computer security technology industry could be affected if TCPA takes off. Microsoft claims Palladium will eliminate spam, viruses, and all other defects of cyberspace; if this were true, then antivirus companies, spammers, spam filter sellers, firewall vendors, and intrusion detection system providers would lose their livelihood.
There are serious concerns about the effects on intangible assets and the service economy, particularly on innovation, the number of new startups, and the likelihood that successful companies will maintain their monopoly. These effects on innovation are very well explained in a recent New York Times column by eminent economist Hal Varian.
But there are deeper problems.
The main issue is that whoever controls the Fritz chips gains immense power. This singular point of control is like forcing everyone to have the same bank, the same accountant, and the same lawyer. This power can be misused in multiple ways.
- How can TCPA be misused?
Censorship is one concern. TCPA was designed from the start to allow centralized removal of pirated content. Pirated software will be detected and disabled by Fritz during loading attempts, but what about songs and videos? And how will you transfer a song or video you own from one PC to another, unless you can erase it from the first machine? The proposed solution is that a remote server administers the security policy for software using TCPA, like a media player or word processor, and maintains an updated list of bad files. This list will be downloaded periodically and used to check all files the software opens. Files can be erased based on content, the serial number of the application that created them, and other criteria. The intended use of this technique is that if everyone in China uses the same copy of Office, you don't just prevent that copy from running on all TCPA-compatible machines; that alone would simply encourage the Chinese to use standard PCs instead of TCPA PCs to avoid the checks. You also prevent all TCPA-compatible PCs worldwide from reading files created by that pirated copy.
This is already bad enough, but the potential for misuse extends to political censorship, far beyond commercial intimidation or economic guerrilla warfare. I think this will happen gradually. First, well-meaning police forces will receive orders to fight child pornography or a sabotage manual for railway signals. All TCPA-compatible PCs will erase these bad documents, and perhaps report them. Then, a plaintiff in a copyright or defamation lawsuit will obtain a court order against an injurious document; perhaps the Scientologists will try to suppress the famous Fishman Affidavit. Once lawyers and government censors understand all the possibilities, we'll soon be overwhelmed by a myriad of consequences.
The modern world began only when Gutenberg invented printing in Europe, enabling ideas to be preserved and spread even when princes and bishops wanted to suppress them. When Wycliffe translated the Bible into English in 1380-1381, the Lollard movement he founded was easily dismantled; but when Tyndale translated the New Testament in 1524-1525, he managed to print over 50,000 copies before being caught and burned alive.
The old regime in Europe collapsed, and the modern world began. Societies that tried to control information became less competitive, and with the collapse of the Soviet Union, it seems liberal capitalism and democracy have won. But today, TCPA and Palladium threaten the priceless legacy Gutenberg left us. E-books, once published, will be vulnerable; courts could order them banned, and the TCPA infrastructure will do the dirty work.
After the Soviet Union's attempts to register and control all typewriters and fax machines, TCPA tries to register and control all computers. The implications for freedom, democracy, and justice are alarming.
- A frightening prospect. But can't you just disable it?
Of course, unless your system administrator configures your machine so that TCPA is mandatory, you can still disable it. You can then run your PC with administrator privileges and use non-secure software.
However, there is one area where you cannot disable Fritz. You cannot force it to ignore pirated software. Even if it's informed that the PC isn't booting in "trusted mode," it still checks whether the operating system is on the list of revoked serial numbers. This has implications for national sovereignty. If Saddam is foolish enough to equip his PCs with TCPA, then the U.S. government will be able to compile a list of his Windows licenses, and thus shut down his PCs the next time there's a war. Booting while disabling Fritz won't help. He'll have to resort to old copies of Windows 2000, switch to GNU/Linux, or find a way to isolate the Fritz chips without damaging the motherboards.
If you're not someone the U.S. president personally dislikes, it might not be a problem.
But if you disable TCPA, then software designed for TCPA won't work, or won't work as well.
It will be comparable to switching from Windows to Linux today—you might have more freedom, but you'll end up with fewer choices. If software using TCPA/Palladium is more attractive to the majority of people, you might eventually be forced to use it; just as many people are forced to use Microsoft Word because their friends and colleagues send them Microsoft Word documents.
Microsoft claims that Palladium, unlike TCPA alone, will be able to run trusted software and other software simultaneously in different windows; this will likely make its adoption easier.
- So the economic aspect is important?
Exactly. In the market for computer goods and services, the biggest profits come from companies that can establish platforms (like Windows or Word) and control their interoperability, thereby locking in the market for complementary products. For example, some mobile phone vendors use a challenge-response authentication method to verify that the phone's battery is original, not a clone; if it's a clone, the phone refuses to charge, or drains it as fast as possible.
Some printers electronically verify their ink cartridges; if you use a cheap substitute, the printer silently drops its resolution from 1200 DPI to 300 DPI. Sony's PlayStation 2 console uses a similar identification system to ensure that memory cards were made by Sony, not by a low-cost competitor.
TCPA appears designed to maximize the effect, and thus the economic weight, of such behaviors. And I believe Palladium will fit perfectly into Microsoft's well-known pattern of unfair competition.
If you're a TCPA software publisher, your security server can enforce your policy on how other software uses files created by your application. These files can be protected using strong cryptography, with keys managed by the Fritz chips on all machines. This means a successful TCPA-designed software will bring the publisher much more money, since access to its interfaces can be rented for whatever the market invents. There will thus be strong pressure on software developers to add TCPA compatibility to their software; and if Palladium is the first operating system to use TCPA, it will give it a competitive advantage over developers on GNU/Linux and MacOS.
- But wait, isn't the right to reverse-engineer for interoperability purposes protected by law?
Yes, and this is very important for the proper functioning of the computer goods and services market; see Samuelson and Scotchmer, "The Law and Economics of Reverse Engineering," Yale Law Journal, May 2002, 1575-1663. But in most cases, the law only gives you the right to try, not to succeed. When interoperability meant tinkering with file formats—when Word and WordPerfect were battling for dominance, each trying to read the other's files and working to make their own incomprehensible—this was a real issue. But with TCPA, these games are over; without access to the keys, or without a way to break the chip's protection, the case is closed.
Preventing competitors from accessing software file formats was one of TCPA's motivations: see Lucky Green's intervention, or his talk at the Def Con conference for more details.
This tactic is spreading beyond the computer world. The U.S. Congress has been irritated by car manufacturers blocking access to their data formats to prevent consumers from getting repairs from independent garages.
Yet Microsoft people say they want to install Palladium everywhere—even in your watch!
The economic consequences for all independent commerce could be significant.
- Can TCPA be broken?
The first versions will be vulnerable to anyone with the tools and patience to break the hardware (i.e., to read the data in the clear on the bus between the processor and the Fritz chip). However, starting from phase 2, the Fritz chip will disappear inside the main processor, let's call it "Hexium," and things will become much harder. Highly motivated and very wealthy opponents will still be able to break it. Nevertheless, it's likely to become increasingly difficult and expensive.
Moreover, in many countries, breaking Fritz will be illegal. This is already the case in the United States under the "Digital Millennium Copyright Act," while in the European Union the situation varies from country to country, depending on how national laws implement the EU copyright directive.
Furthermore, for