January 4, 2011 Revisit Old Thoughts - Intel's PSN 1999

    I was going through old backups and came across a composition I wrote a little over 11 years ago. 1999, the real start of the Dot Com explosion and the onset of laptops in every person's home and office. Intel's new chip at the time introduced the Processor Serial Numbers. I remember the uproar and privacy violation discussions that were going on that this feature would have.

    It's scary that in today's world, time has changed challenges into conformity. It's now accepted that you have no privacy anymore. Our cell phones spill our more personally identifiable information every day than a PSN on your PC's chip did. 

   Take slow swipes at Liberties and Rights and pretty soon you have changed the foundation... you just have to be patient enough for the transition.  

    As I re-read this for the first time in a decade, I don't think we as an IT world or as a country followed through with my last paragraph.

================================

Written - December, 1999.

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. “ 

      As Article IV from the United States Bill of Rights says, we are protected from illegal search and seizure.  As with everything in the law, this can be taken in several ways depending on how one looks at it.  The basic interpretation is that the Constitution clearly defines physical searches, physical presence, and face to face confrontations.  What about searches that can be done miles away without ever seeing the individual suspect or victim?  As the world dives headfirst in the Information Age, there is a new theoretical presence in a place known as cyberspace.

     Cyberspace as computer gurus and the media know it is nothing more than a theoretical idea.  One can not enter a door and be in cyberspace.  No one can see it, but more than 35% of Americans are browsing through it everyday.  Two hundred twenty-five years ago when the framers were creating the law for the land of the free had no way to imagine freeing the slaves let alone the creation of computers. 

     As our society grows, changes, and becomes more dependent on technology to guide us through life, we need to change the interpretation of our laws to accommodate.  Freedom of personal integrity, privacy, and anonymity is a right that must be protected and ensured at everything we do and everywhere we do it, whether in the physical or digital world.  Today someone can walk down the street and listen to any conversation he/she wants to, it would be considered impolite, that’s all.  The same person can be arrested for theft if he/she takes a wallet from an unsuspecting person’s pocket. 

     In the online world there are no rules that protects us from predators like that.  With technological development becoming cheaper, smaller, faster, and more efficient corporations have marketing pushes for great new products.  Behind the scenes these new innovations have great potentials for hidden agendas.

       New technologies currently allow massive invasions of privacy that were never possible in the days of the framers, sealed envelopes, and locked file cabinets.  Government, businesses, and the everyday computer user take advantage of this new easy way to collect and maintain data, and neither are doing anything to guarantee the privacy rights of the public.  A new commitment to providing protection is sadly needed among software developers and information providers.  The government also must play the biggest role by guaranteeing the rights of individuals and organizations to communicate and use computers without the risk of unwittingly disclosing information to unknown parties.

      Protection of privacy is best achieved through cooperation between businesses, software developers, and governments.  Anonymity is a critical goal, every user should be able to move freely through cyberspace without the knowledge of uninvolved parties and without the risk of having these activities logged for unrelated purposes and future use.

            Accomplishing this goal, however, is a very complex technical and social matter.  It will require an industry-wide effort that the government should help coordinate but not interfere.  With the risks that are involved is slowly becoming apparent, at the present the steps are being taken to prevent them.  Yet large dominating corporations still push for products that can destroy individuality through online computing.

             “Big Brother is watching you.”  That phrase is well known in the world of computers.  In 1949 an author by the name of George Orwell released a book titled 1984.  Fifteen years ago the story line in that book was fiction.  Who is Big Brother?  As Orwell describes it, the government is Big Brother.

            Big Brother is the breakdown of all privacy by the government secretly watching everything you do, say, and trying controlling the way you think.  That anything illegal would be defined as what ever the government doesn’t like.  In the documentation, the media, web reports, you will hear the phrase “Big Brother”.  Intel’s PSN is making the fiction of the post WWII era a reality. 

            In the United States the government is for the people and by the people. We run the government not the other way around.  We are supposed to control how much power the government has.  We are the one who says what the government can and can not do.  That is what the framers had in mind.  Presently that idea is not so.  American society is a victim.  A unsuspecting group of numbers to the government.  Constantly watched with more detailed information begin discovered and archived for reasons unknown. 

            On January 20, 1999 Intel Corporation announced at the RSA Data Security Conference and Expo ’99 that they will be adding a unique Processor Serial Number (PSN) to all their new Pentium® III chips.  According to Intel, the PSN will be used to identify users in electronic commerce and other net-based applications.  Intel’s VP Patrick Gelsinger told the RSA Conference, “unless you’re able to deliver the processor serial number, you’re not able to enter the protected chat room.”  Also, Intel stated that the technology would be used for authentication in e-commerce, which will attach the PSN to a person’s real-world identity.   

            The PSN would likely be collected by many web sites, indexed, and accumulated in databases.  Unlike cookies, which are usually different for each web site, the PSN will remain the same and cannot be deleted or easily changed.  With corporate cooperation, the PSN records could be sold and shared between companies without the user’s knowledge or consent.  The only solution to this is to change the processor or the computer. 

           Intel currently dominates 75 percent of the microprocessor market.  The PSN will be placed in nearly every consumer’s computer.  Other identifiers such as IP addresses, Ethernet IDs, software registration codes that can change at each online session never raised a concern for breach of privacy because of the random and hard to track characteristics.  Now the PSN, which is a permanent installment to the processor, can not be changed and will always be the same every time you turn on the computer.  The aspect that makes the PSN a risk to privacy is that a company that sells computers with the Pentium ® PIII chip installed, you give all your personal information to the vendor.  That vendor can then sell to Intel all the information of who bought what and what PSN they have.  Intel now has all your information and can track everywhere a person goes and does from their accumulated database.

            Slowly mainstream society is becoming aware of the risks that can come with the new Intel PSN and the breach of personal privacy.  Junkbusters Corp. of Green Brook, NJ and the Washington D.C.-based Electronic Privacy Information Center, sent letters to privacy groups and consumer groups, encouraging them to get the Federal Trade Commission (FTC) involved.

       In a letter to the FTC from eight national privacy groups the stated,

“ The Processor Serial Number (PSN) is likely to cause substantial harm to consumer privacy and consequently reduce consumer’s participation in ecommerce.  The PSN will become a de facto standard Global User Identifier (GUID).  The GUID will be used by companies in information practices that are unfair.  Such practices will become known to consumers, some of whom will avoid participation in ecommerce because they apprehend that their privacy is at risk by doing so.”

      A hasty response to this, Intel announced that they would ship all new Pentium® III chips with the PSN disabled and defaulted to the off position.  The consumer will use Intel’s control software to turn this function on at his/her discretion each time the computer is turned on or rebooted.  Intel also released detailed information about the PSN on how it is hardwired to the chip and that using the control software designed for the processor is the only way to access the PSN.

     That was until C’T Magazine announced in the May ’99 issue, their technical experts were able to bypass Intel’s security mechanism and turn the PSN function on without needing to reboot the system, known as soft switchable.  This would walk around the Intel security patch and secretly obtain the user’s PSN.  A security breach like this can get the users information, what they are doing, where they have been, and turn the PSN back to the off position when the unknown party obtains the information.  All this can be done without the user noticing that anything has happened.

     After this public announcement that Intel’s PSN was not secure, Intel came out and stated that there is no way to make the PSN secure, but the possibility of unauthorized accessing the PSN is only theoretical.  Zero-Knowledge Systems (ZDK) later proved that the PSN still could be accessed remotely without a user’s knowledge showing it is more than theoretical.  The program can be accessed at http://www.zeroknowledge.com/p3/home.asp. 

      What the web site does is has the user click on a button which launches an ActiveX application.  The user’s system will freeze forcing a system reboot.  At that time whether the PSN is on or off, when the reboot is completed the PSN will be displayed on the screen.  Simple, easy, and done in one click of the mouse.

      The PSN is a computer’s social security number.  Every number is unique and can be identified, traced, and monitored.  Every email sent, web page visited, every step made online could be getting this PSN and stored for several uses.  This is very similar to the scenario of walking through a mall and leaving your driver’s license at every store you go into.

            You personal information can then be stored, sold, and/or used maliciously.  This scenario is exactly what Intel is proposing and beginning to implement.  Corporations, governments, and information collectors are slowly beginning to support and implement PSN grabbing software.  However, the groups and individuals against the feature are out numbering the ones who support and currently us the feature.  The PSN is the best way to track to see where people go and what they do online.  Even though a user my never leave the sanctity of his/her home, everything about that person can be found out.  The aspect that is making privacy groups very concerned is that the PSN can be taken and now activated without the user’s knowledge or consent.  You have your computer’s pocket picked, information removed, and a user will never know what happened.  All because of a unique, almost permanent, identifier.

            Almost permanent is a loose term in itself.  A noted and respected cryptographer Bruce Schneier, author of Applied Cryptography, recently wrote in his ZDNet column:

“ The software that queries the processor is not trusted.  If a remote Web site queries a processor ID, it has no way of knowing whether the number it gets back is a real ID or a forged ID.  Likewise, if a piece of software queries its processor’s ID, it has no way of knowing whether the number it gets back is the real ID or whether a patch in the operating system trapped the call and responded with a fake ID.  Because Intel didn’t bother creating a secure way to query the ID, it will be easy to break the security.”

            This hole in the design of the PSN can defeat the whole purpose behind it if forged ID numbers can be generated and transmitted.  If a software package or a web site requires that a PSN be sent before the user can access it, who would send the real one if they could send a generated one?  Someone who cherishes his or her privacy and does not any more personal information sent through cyberspace than has to be would definitely send the forged ID. 

 Kim Schmitz, CEO, Data Protect GmbH stated,

“Intel’s latest innovation is little more than a marketing gimmick.  The only real-world value the PSN might possibly have is a hardware-based, OS-independent way of creating profiles of and tracking unsuspecting users."

     The majority feelings toward Intel’s idea of secure e-commerce and Internet security are not in favor of it at all.  As noted earlier, Intel’s new technology prompted privacy groups to initiate an Intel boycott.

            Organized by the Electronic Privacy Information Center, JunkBusters and Privacy International, they believe that an Intel boycott is a plausible means of stopping the harm to Internet privacy that would be caused by the inclusion of the PSN in the next generation of Pentium® III microprocessor chips. 

            These groups are urging organizations, individuals, and the media to raise awareness of the risks of the feature, and why it is worth persuading Intel to disable it.  The boycott will end when Intel disables the PSN in one of two ways:

-          Intel can ship chips with no PSN at all.

-          Intel can ship chips with the PSN set to all zeros.

      Presently Intel is the only company the boycott is directed act because they are the only company that is implementing a processor serial number.  If any other companies decide to implement a similar feature, the boycott will expand to include those companies. 

     The boycott plan that the Electronic Privacy Information Center is distributing is as follows:

-          Do not buy Intel products until Intel removes the PSN function from their hardware. Instead buy from AMD, National Semiconductor, Apple, or other manufacturers.

-          Contact Intel and tell them you are not buying any Intel products until the PSN feature is removed.

-          Contact your local politician and tell them your concern. 

     Individuality is what sets humans apart from the rest of the animal world.  Everyone has a unique look, personality, attitude, likes, and dislikes all that are personal and makes us who we are.  The more society becomes dependent on technology and we integrate it more and more into out daily lives we lose a part of our individuality.  Instead of begin Bob, Frank, and Sally we turn ourselves in 1’s and 0’s.  Instead of knowing what we like, there are companies and now governments that are finding out and telling us what we like and how much to have.  That is not individualism that is slowly becoming totalitarian.  The change is so subtle that is goes unnoticed to the majority.  The voices against it, trying to alert of the dangers, are drowned out of the dependents of technology. 

     10 years ago, there was interoffice mail, telephone calls, memos.  Now there are emails, online meetings, and pagers.  Take those luxuries away and people won’t know what to do.  The same people who 10 years ago did not have the technology in the first place. 

As uneducated people scramble to embrace the new ideas and products that make life easier and lazier, the more personal information is getting released.  Corporations prey off the unknowing and uneducated to take advantage of the situation to benefit themselves and make profit.  There is nothing that anyone can do at this time.  If there was spam and web cookies would be non-existent or cut down considerably.

     In order to keep intact everyone privacy and personal information the word has to be sent out on exactly what is going on and what can happen.  The FTC, Federal Bureau of Investigation, National Security Agency, and other government agencies needs to become actively involved to make sure that these companies who are using the PSN technology are not violating the 4^th Amendment.  Being illegally searched is wrong no matter if it is a licensed law enforcement agency or a private company.  When you have your information stolen and used against your knowledge and you permission that is wrong.  The person may not be losing anything physical or tangible, but they are still having something personal and private stolen from them. 

     We control our government.  The threat is fairly new and as technology grows so does the threat of privacy infringement.  Encourage others to be aware and avoid products that have the possibility to give away your identity.  Communicate to the lawmakers and congressmen to push for more of a regulation on privacy risks.  Regulate the technology.

===========================

The beginning of the end started in 1999.

End of Line.

Posted in: Internet,Technology