How Vista Lets Microsoft Lock Users In - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

How Vista Lets Microsoft Lock Users In

Technology called "Information Rights Management," combined with copyright law and Windows Vista, give Microsoft the tools to hold users' data hostage in Office, says Cory Doctorow.

What if you could rig it so that competing with your flagship product was against the law? Under 1998's Digital Millennium Copyright Act, breaking an anti-copying system is illegal, even if you're breaking it for a legal reason. For example, it's against the law to compete head-on with the iPod by making a device that plays Apple's proprietary music, or by making an iPod add-on that plays your own proprietary music. Nice deal for Apple.

Microsoft gets the same deal, courtesy of something called "Information Rights Management," a use-restriction system for Office files, such as Word documents, PowerPoint presentations, and Excel spreadsheets.

We've had access control for documents for years, through traditional cryptography. Using PGP or a similar product, you can encrypt your files so that only people who have the keys can read them.

But Information Rights Management (IRM), first introduced in Office 2003, goes further -- it doesn't just control who can open the document, it also controls what they can do with it afterwards. Crypto is like an ATM that only lets you get money after you authenticate yourself with your card and PIN. IRM is like some kind of nefarious goon hired by the bank to follow you around after you get your money out, controlling how you spend it.

With IRM, an Office user can specify whether her documents can be printed, saved, edited, forwarded -- she can even revoke access to the documents after sending them out, blocking leaks after they occur. Documents travel with XML expressions explaining how they can and can't be used.

Now, if anyone was allowed to make a document reader, it would be simple to make a reader that ignores the rules. This is a perennial problem for Adobe's password-restricted PDFs -- the only thing that distinguishes them from normal PDFs is a bit that says, "I am a restricted PDF." Just make a PDF reader that ignores the bit and you've defeated the "security." It's about as secure as one of those bogus "Confidentiality notices" that your mail-server pastes in at the bottom of every email you send.

There are plenty of readers for Microsoft's Office formats these days. Apple makes at least two -- Pages and TextEditor. Google and RIM both have Office readers they use to convert Office documents to other formats. And there's also free readers like OpenOffice.org, which are open source and so can be modified by anyone with the interest to write or commission new code for them.

But now that the format is well understood, Microsoft needs another way to ensure that it only hands keys out to readers that can be trusted to follow the rules that accompany them. Pages or OpenOffice.org can request a set of document keys just as readily as Office can. Microsoft can try to create secret handshakes to make sure it only gives out the keys to authorized parties, but just as the document format can be cracked, so can the handshaking.

IRM has an answer. Unlike a crippled PDF, a restricted Word file is encrypted. Only authorized readers will get the keys. This technology will return Office users to the days before the file format had been reverse-engineered by competing products like WordPerfect, where reading an Office file meant licensing the file-format from Microsoft.

If anyone makes a client that listens to its owner instead of Microsoft, then the system collapses. No-print, no-forward, revoke and other flags for the document can simply be ignored. Once Microsoft sends a decryption key to an untrusted party, all bets are off -- Microsoft loses its lock-in and you lose any notional security benefits from IRM.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Slideshows
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Commentary
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
Register for InformationWeek Newsletters
Video
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll