How Vista Lets Microsoft Lock Users In

Technology called "Information Rights Management," combined with copyright law and Windows Vista, give Microsoft the tools to hold users' data hostage in Office, says Cory Doctorow.
This has been a purely theoretical problem until recently -- but the advent of Vista and Trusted Computing should put it front-and-square on your radar.

Microsoft has an industrial-strength answer to the problem of figuring out whether a remote client is authorized to request keys. Trusted Computing. For years now, most PC manufacturers have been shipping machines with an inactive "Trusted Computing Module" on the motherboard. These modules can be used to sign the BIOS, bootloader, operating system, and application, producing an "attestation" about the precise configuration of a PC. If your PC doesn't pass muster -- because you're running a third-party document reader, or a modified OS, or an OS inside a virtual machine -- then you don't get any keys.

What this means is that Apple can make Pages, Google can make its Doc-converter, and can make its interoperable products, but none of these will be able to get the keys necessary to read "protected" documents unless they're on the white-list of "trusted" clients.

What's more, adding crypto to the mix takes us into another realm: the realm of copyright law. The same copyright law that prohibits competing head on with Apple also prohibits competing head-on with IRM. EDI and other middleware companies built their fortunes on writing software that unlocks your data from Vendor A's format so you can use it with Vendor B's product. But once Vendor A's data-store is encrypted, you run afoul of the law merely by figuring out how to read it without permission.

Vista is the first operating system to begin to use the features of the Trusted Computing Module, though for now, Microsoft is eschewing the use of "Remote Attestation" where software is verified over a network (they've made no promise about doing this forever, of course). No company has spent more time and money on preventing its competitors from reading its documents: remember the fight at the Massachusetts state-house over the proposal to require that government documents be kept in open file-formats?

The deck is stacked against open file formats. Risk-averse enterprises love the idea of revocable documents -- HIPPA compliance, for example, is made infinitely simpler if any health record that leaks out of the hospital can simply have its "read privileges" revoked. This won't keep patients safer. As Don Marti says, "Bill Gates pitch[ed] DRM using the example of an HIV test result, which is literally one bit of information. If you hired someone untrustworthy enough to leak that but unable to remember it, you don't need DRM, you need to fix your hiring process." But it will go a long way towards satisfying picky compliance officers. Look for mail-server advertising that implies that unless you buy some fancy product that auto-converts plain Office documents to "revocable" ones, you're being negligent.

No one ever opts for "less security." Naive users will pull the "security" slider in Office all the way over the right. It's an attractive nuisance, begging to be abused.

The Trusted Computing Module has sat silently on the motherboard for years now. Adding Vista and IRM to it is takes it from egg to larva, and turning on remote attestation in a year or two, once everyone is on next-generation Office, will bring the larva to adulthood, complete with venomous stinger.

Cory Doctorow is co-editor of the Boing Boing blog, as well as a journalist, Internet activist, and science-fiction writer.