The 2nd annual workshop on "Economics and Information Security" will be held May 29-30 at the University of Maryland. Unfortunately the website at http://www.cpppe.umd.edu/rhsmith3/index.html is woefully out of date. At least two of the papers will focus on Trusted Computing as exemplified in the TCG (formerly TCPA) and NGSCB (former Palladium) proposals. Ross Anderson himself, co-chair and founder of the conference, has a new paper at http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tcpa.pdf. Another one, by Stuart Schechter et al, is discussed at an EWeek article, http://www.eweek.com/article2/0,3959,1053555,00.asp. The Schechter paper is online at http://www.eecs.harvard.edu/~stuart/papers/eis03.pdf. EWeek talks about the role of TC in limiting which applications get access to protected content: "This kind of protection is seen as central to the types of advanced digital rights management systems sought by content owners as a countermeasure against piracy. However, this chain of trust can be turned around and used by the people doing the illegal copying and distribution, according to the paper's authors." The authors are quoted, "Though this technology was envisioned to thwart pirates, it is exactly what a peer-to-peer system needs to ensure that no client application can enter the network unless that application, and the hardware and operating system it is running on, has been certified by an authority trusted by the existing clients..." A similar point was made here last summer during our extensive debate about the potential threat of Trusted Computing. It would be fair to say that it was not well received, however. Perhaps now that the ideas are being aired in an academic environment, people will take a closer look at TC and gain a fuller understanding of the technology. Even Ross Anderson recognizes that TC can help the pirates as well as the protectors: "There is also a significant risk - that if TC machines become pervasive, they can be used by the other side just as easily. Users can create `blacknets' for swapping prohibited material of various kinds, and it will become easier to create peer-to-peer systems like gnutella or mojonation but which are very much more resistant to attack by the music industry - as only genuine clients will be able to participate. The current methods used to attack such systems, involving service denial attacks undertaken by Trojanned clients, will not work any more [23]. So when TC is implemented, the law of unintended consequences could well make the music industry a victim rather than a beneficiary." Anderson's paper is a significant improvement on his bizarrely paranoid and error-filled FAQ. He's had to back down on a number of his claims. For example, Windows Server 2003 implements some DRM and document-locking features which he attributed to Palladium. He also seems to back away from claims that Microsoft will censor your data. He has to squirm to deal with the work on TC Linux and try to explain how this fits into his model of the monopolizing influence of these technologies. Anderson now has to admit that his claims of a software blacklist are mistaken as well: "Among early TCPA developers, there was an assumption that blacklist mechanisms would extend as far as disabling all documents created using a machine whose software licence fees weren't paid. Having strong mechanisms that embedded machine identifiers in all files they had created or modified would create huge leverage. Following the initial public outcry, Microsoft now denies that such blacklist mechanisms will be introduced - at least at the NGSCB level [18]." Notice the claim that Microsoft has perhaps removed this feature based on public outcry - an outcry for which Ross Anderson can no doubt take credit. This fulfils a prediction made here last year, that when their apocalyptic scenarios failed to arrive, the critics would take credit for having prevented them! What a racket - if you're right, you're right, and if you're wrong, you're even more right. While this newer paper is better than the abysmal FAQ (which unfortunately is still spreading its lies and misinformation, even though Anderson now admits that he knows it is wrong), it has significant flaws as well. All the analysis is presented from the perspective that businesses can do whatever they like and consumers have no choice but to go along helplessly. Not once does he consider that the discipline of the marketplace applies to sellers as well as buyers. Any paper claiming to be relevant to the topic of "Economics and Information Security" should not be content with such a one-sided view. All too often the text degenerates into the kind of anti-Microsoft conspiracy theories which can be found in the sleaziest corners of the net. He never really explains why Intel, IBM and HP are going along with these nefarious schemes. Intel, we are told is behaving "strategically". What is the strategy? Why will TC help Intel? Anderson mumbles something about "lock-in" but that doesn't apply to the hardware vendors. He doesn't want to admit the obvious, that Intel thinks this will sell more computers, because people will like their computers better when they can access more content. This is what happens when you ignore the demand side in your analysis. Anderson also presents a number of scenarios of Microsoft dominance in the application demain as if they are new. Why, law firms might feel obligated to buy Microsoft Office in order to communicate with their clients! Imagine that. Who could conceive of such a twisted, backwards, upside down world as one in which companies felt stuck with buying Microsoft for compatibility? If he really thinks this is a new threat, I'd suggest Anderson visit the real world occasionally. I dunno, maybe things are different over there in the Unreal Kingdom. Despite these problems, I do want to emphasize that Anderson's paper is a step forward. And the paper by Schechter is also encouraging in that it is willing to reject the anti-TC paranoia and take a clear-eyed look at the technology. Still, both of these papers express their results in somewhat negative terms: look, you guys at the RIAA and MPAA, you better not push for TC because it might benefit the pirates too. None of these authors has quite been able to take accept the logical conclusion of their analysis, which is that this is a technology which can enable a whole host of powerful new applications, many of which have probably not even been invented yet. Then it should be up to the marketplace to decide which will succeed and which will fail. Everyone wants to short-circuit that messy final step and decide for themselves which are the "good" applications and which are evil. I suggest that we not reject out of hand the principle of allowing people to make decisions for themselves about what they want to do with their computers, and that includes utilizing TC technology.