[cap-talk] Palladium, er, NGSCB
Ka-Ping Yee
cap-talk@mail.eros-os.org
Sat, 1 Mar 2003 15:09:06 -0600 (CST)
Hi, David.
On Sat, 1 Mar 2003, David Chizmadia wrote:
[...]
> disrespect that isn't backed up by evidence brings
> one to the same level of arrogance as Microsoft.
I admit I neglected to explain our conversation as well
as I might have. I wrote down what I could remember clearly.
I couldn't really understand how John was backing up his
position, so I couldn't explain it to you in my message.
My explanation was necessarily subjective.
> You wrote:
> > John Manferdelli disagreed with me; he felt that Palladium
> > did not shift any power balances at all, and stated that my
> > arguments were simply wrong.
>
> In this message you have laid out a well reasoned argument
> with reasonably defined axioms and a logical progression from
> the axioms to the conclusions. First, I presume you made the
> same argument to John. Second, I'm wondering if John's
> disagreement has been misconveyed and that he actually meant
> that "your *conclusions* were simply wrong".
In our conversation, I found it very difficult to complete the
statement of my argument to John. I think I can say with some
objectivity that he interrupted me frequently, stating things
that I didn't consider relevant, and that made it hard for me
to finish stating my case. By the time I got to the end of it,
all I could really see was that we were in tremendous disagreement.
Here are some of the other things I remember him saying:

  - NGSCB is like a lawyer. You can hire it to work for
    you if you want. It simply makes it very hard to lie.
  - NGSCB gives Microsoft no special control. Anybody
    can use its features. It has no policy settings
    for which Microsoft will set defaults.
  - NGSCB will not change your access to any content or
    programs you already have. You will still be able to
    use them.
  - You can always turn NGSCB off.

He did state that I was "simply wrong", but I am sorry that I
can't really explain why he thought that, or whether he was
referring to the arguments or the conclusions.
However -- I had the opportunity to talk to John Manferdelli
again today, to try to better understand his position.
This time I presented him the following summary (on paper):

    In order for a music distributor to send me a
    song while preventing me from sharing it:

        1. the distributor must select music players
           that are assured to enforce copy restriction
        2. the distributor must request an attestation
           that I am running an approved music player
        3. I must install and run an approved
           music player.

    In order for me to send my personal information
    to an online store while preventing them from
    distributing it:

        1. I must select a set of database systems
           that are assured to enforce copy protection
        2. I must request an attestation that the
           online store is using an approved database
        3. the online store must install and use
           an approved database.

He looked at this and agreed that the statements were
correct. So our disagreement is not here: we agree
that the two scenarios are technically in parallel.
Our disagreement is that I believe there is a big
difference in *practice*: I think the first three steps
are quite likely to be achievable, while the last three
are likely to be very difficult. John disagrees.
To argue my case, I pointed out that it's relatively easy
for Real or Microsoft to get large numbers of customers
to upgrade to a new version of RealPlayer or Windows
Media Player, yet very hard for customers to get companies
to change the software they are using.
John said that NGSCB will actually make it more difficult
for Microsoft to push an upgrade of Media Player on its
customers, since the new version would have to be approved
and new attestations would have to become acceptable to
content distributors before the new version would work.
John believes that customers really can use NGSCB to exert
market pressure on companies to use privacy-respecting
software. He described a scenario enabled by NGSCB in
which certifying bodies can place their stamp of approval
on certain brands of software and customers can then use
NGSCB to exert their preference for approved software
upon the companies they deal with.
He said he had actually the opposite worry: that this
force exerted by the customers would be too great, thus
reducing the market for acceptable privacy-respecting
software to a small number of brands (because typical
users tend to stick with brands they know), making it
hard for new competitors to enter that market.
I argued that the market doesn't really let the customer
exert any useful pressure on privacy policies: for example,
Amazon can say "take it or leave it" and customers don't
have the option of forcing Amazon to improve their privacy
policy. John agreed: today customers have no such influence.
But he held to his position that there is no shift in the
balance of power. He just thinks it will make things
"more muddled".
* * *
Prior to talking to John, I also got to talk to Brian again.
He told me that both he and John believe that the second,
privacy-enhancing, scenario is realistic. (I do not.)
As other examples of ways NGSCB could be used to benefit
the PC user, he suggested fair online gaming and auctions.
The end user could use NGSCB to establish that other
participants in the transaction were running well-behaved
software.
He also suggested that NGSCB could be used to protect
privacy by enabling transactions without giving away
personal information in the first place: in his scenario,
a customer could buy a book from Amazon without giving to
Amazon any credit card or address information. The
customer could run a bank-approved NCA to engage in a
transaction with his bank to obtain a credit token,
similarly transact with UPS to obtain a shipping token,
and give these things to Amazon to fulfill the order.
(I objected that this wasn't relevant because you could
build this scheme without NGSCB.)
When I made the force-multiplier argument, Brian also
acknowledged that there could be a temporary increase in
the disparity of power. But he thinks that consumers would
soon catch up in their ability to wield power to compel
companies to use privacy-respecting software, and that the
problem would be mitigated by the long time it might take
to deploy all the NGSCB hardware.
* * *
In a brief chat with Ed Felten, I clarified his opinions
on a few things. He believes that NGSCB is no worse than
any other DRM scheme one might think of. This leads one
to the interesting question of whether DRM *in general*
has an overall positive or negative effect. (Imagine the
most benign possible DRM system, within the constraint
that it must actually perform DRM. What is the effect
on society?)
He tends to believe that it would make us worse off, and
I agree.
-- ?!ng