Networking government in New Zealand.

Annex 1

Examples that Illustrate Risks to the Integrity of Government Information from Trusted Computing

Note: These examples are presented only to illustrate the scale and range of potential risks from implementation of trusted computing technologies. They reflect worst-case, but legitimate, scenarios. The extent to which they eventuate will depend on how the behaviour of individuals, businesses and governments changes as a result of the technology.

These risks may be mitigated through development of appropriate government policies and practices, combined with some (limited) opportunity to influence the way these technologies may be designed and deployed by software and hardware companies.

Access to Data

If DRM were to be permitted in emails or other documents without adoption of appropriate policies and practices, the myriad interactions and vulnerabilities may result in a loss of certainty as to what content can be accessed, through what software, on what terms, by whom, and for how long.

The complexity of these issues can be illustrated by the following example:

  • An agency receives an email from an outside party. It has two attachments. The first is a Word document from an outside party and the second is a PDF document from yet another party
  • The email and the documents were all created with DRM enabled but with open permissions for guests
  • Continuing access is limited, with each document carrying different controls: by time, by the number of accesses, and by the number of times copies are made from the document
  • Recipients are unaware of the permissions, as the guest access and the limitations are 'silent'
  • The email is forwarded on to many. Additional comments are provided. The email and its attachments become evidentially important
  • The guest permissions expire with varying effect (some users have saved one or more of the attachments). The originator of the email dies. The PDF was authored outside the jurisdiction and the author cannot be contacted. The author of the Word document is not co-operative
  • The DRM permissions mean that it is not possible for anyone to obtain access to the email or either of the attachments.
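The scenario above can be replayed as a small model. The following is an added example, not code from the original page and not a model of any real DRM product: the item names, issuers, limits and dates are constructed, and the three controls (time, number of accesses, number of copies) are implemented as plain counters. The point it makes concrete is that copies inherit the same controls, so saving or forwarding never extends access, and that once the controls bite the only party who can restore access is the issuer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class GuestLicence:
    """'Silent' guest permissions attached to one item. A limit of None means no limit."""
    item: str
    issuer: str                            # the only party able to grant fresh permissions
    expires_at: Optional[datetime] = None  # control by time
    opens_left: Optional[int] = None       # control by number of accesses
    copies_left: Optional[int] = None      # control by number of copies made

    def _expired(self, now: datetime) -> bool:
        return self.expires_at is not None and now >= self.expires_at

    def open(self, now: datetime) -> bool:
        """Display the item, consuming one access; False once any control bites."""
        if self._expired(now) or self.opens_left == 0:
            return False
        if self.opens_left is not None:
            self.opens_left -= 1
        return True

    def copy(self, now: datetime) -> Optional["GuestLicence"]:
        """Save or forward a copy. The copy inherits the current controls, so
        copying never extends access; it only spreads the same limits around."""
        if self._expired(now) or self.copies_left == 0:
            return None
        if self.copies_left is not None:
            self.copies_left -= 1
        return GuestLicence(self.item, self.issuer, self.expires_at,
                            self.opens_left, self.copies_left)


def can_restore_access(lic: GuestLicence, reachable_issuers: set) -> bool:
    """Only the issuer can re-grant access; recipients and the agency cannot."""
    return lic.issuer in reachable_issuers


def run_scenario() -> dict:
    t0 = datetime(2004, 3, 1, 9, 0)  # constructed dates and limits
    email = GuestLicence("email", "originator", expires_at=t0 + timedelta(days=30))
    word = GuestLicence("word.doc", "word author", opens_left=4, copies_left=1)
    pdf = GuestLicence("report.pdf", "pdf author",
                       expires_at=t0 + timedelta(days=14), copies_left=2)
    # Day 1: forwarded widely, comments added, attachments saved. Everything opens.
    day1 = t0 + timedelta(hours=3)
    email_copies = [email.copy(day1) for _ in range(10)]                 # no copy limit
    word_copies = [c for c in (word.copy(day1) for _ in range(3)) if c]  # only 1 allowed
    pdf_copies = [c for c in (pdf.copy(day1) for _ in range(3)) if c]    # only 2 allowed
    day1_ok = all(c.open(day1) for c in email_copies + word_copies + pdf_copies)
    # Over the following week the Word document is read until its opens are used up.
    week = t0 + timedelta(days=7)
    for lic in [word] + word_copies:
        while lic.open(week):
            pass
    # Day 60: the material is now evidence. Who can still read it, and who could fix it?
    day60 = t0 + timedelta(days=60)
    reachable = set()  # originator deceased, PDF author abroad, Word author uncooperative
    report = {"day1_all_readable": day1_ok}
    for name, lics in (("email", [email] + email_copies),
                       ("word.doc", [word] + word_copies),
                       ("report.pdf", [pdf] + pdf_copies)):
        readable = any(l.open(day60) for l in lics)
        restorable = any(can_restore_access(l, reachable) for l in lics)
        report[name] = ("accessible" if readable
                        else "restorable" if restorable else "locked out")
    return report


if __name__ == "__main__":
    for item, status in run_scenario().items():
        print(f"{item}: {status}")
```

Running it reports every item as locked out at day 60, even though every saved copy was readable on day 1; changing `reachable` to include an issuer turns that item to "restorable", which is the policy lever the text is pointing at.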

Privacy

Trusted computing works by giving each computer a unique cryptographic identity and having it report its software configuration to a remote system in a way that system can verify. However, this also creates the potential for breaches of user privacy. Concerns have been expressed that information about the configuration of a user's computer, and about the work being done on it, may be communicated to a software owner (or others) without the user's permission or knowledge.

Examples of these concerns include:

  • externally held registers of information about a user's machine or software, with potential for abuse (data matching)
  • external monitoring of a user's computer to determine what software and data is held there.

Software developers may be encouraged to build applications that use personally identifiable information in ways that tell users what is being shared and how it will be used, but there is no guarantee that this will happen. These aspects of the technology therefore increase the significance (for the end user) of:

  • the risk that a user may grant such permission (to enable disclosure of personal identity and information) without realising that they have done so (e.g., by clicking on "I agree" to a complex end user licence agreement), or without understanding the implications of doing so
  • the future potential for software companies to collect and report on a user's personal information without even seeking permission from the user, and without the user's knowledge.

In response to concerns about privacy, "trusted third parties" may be established to vouch for a computer's identity, so that the party it communicates with need not learn which specific computer it is dealing with. Reliance on a trusted third party, however, introduces its own privacy risk, because that party is able to associate communications with a specific computer and could disclose its knowledge of a user's identity and communications. Thus the independence, reliability and integrity of any trusted third parties that may be established would become critically important to the integrity of government-held information.

Long term management

Software enabled to work with trusted computing may have its security policy administered remotely by a server. Such remote policy enforcement could amount to "remote control" of software running on a user's trusted computing system.

For example, a program could be written to receive a "revocation list" of documents it is no longer permitted to display. The list would be downloaded from time to time and used to screen every file the application opens. Files could be revoked by content, by the serial number of the application that created them, or by a number of other criteria, and the user would have no way to override the list.

In that case, a remote authority could revoke documents already resident on computers around the world; those computers would, despite the wishes of their owners, comply with the revocation policy.

A foreign organisation (or government) that held the TC certification master keys could, by issuing such a policy, prevent the New Zealand government from accessing its own information wherever that information is held electronically.
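The revocation mechanism described in the preceding paragraphs, and the dependence on whoever holds the signing key, can be shown in a few lines. The following is an added example, not code from the page or from any trusted computing product: the document viewer, the document metadata, the `AUTHORITY_KEY` constant and the sample documents are all constructed. An HMAC stands in for the authority's signature over the revocation list (a real platform would verify an asymmetric signature against a key baked into the hardware); the behaviour that matters is the same, because the viewer accepts only lists that verify under that key and the machine's owner has no override.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Stand-in for the "TC certification master key" (constructed for illustration).
# Whoever holds this key decides what every viewer in the field will display.
AUTHORITY_KEY = b"authority-master-key-illustrative"


@dataclass
class Document:
    name: str
    content: bytes
    creator_serial: str  # serial number of the application that created the file


def content_id(data: bytes) -> str:
    """Revocation by content: files are identified by a hash of their bytes."""
    return hashlib.sha256(data).hexdigest()


def sign_revocation_list(entries: dict, key: bytes) -> dict:
    """The authority signs the list; the viewer checks the signature before use."""
    body = json.dumps(entries, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


class TrustedViewer:
    """A viewer that enforces a remotely supplied revocation policy. The current
    policy is only ever replaced by another list that verifies under the
    authority's key, so the machine's owner cannot relax it."""

    def __init__(self, authority_key: bytes):
        self._key = authority_key
        self._policy = {"content": [], "creator_serial": [], "keywords": []}

    def install_policy(self, signed: dict) -> bool:
        expected = hmac.new(self._key, signed["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            return False  # tampered or owner-supplied list: ignored, old policy stays
        self._policy = json.loads(signed["body"])
        return True

    def reason_revoked(self, doc: Document) -> Optional[str]:
        """Screen a file against every criterion on the list."""
        if content_id(doc.content) in self._policy["content"]:
            return "content"
        if doc.creator_serial in self._policy["creator_serial"]:
            return "creator_serial"
        for kw in self._policy["keywords"]:
            if kw.encode() in doc.content:
                return f"keyword:{kw}"
        return None

    def open(self, doc: Document) -> Optional[bytes]:
        return None if self.reason_revoked(doc) else doc.content


def run_demo() -> dict:
    viewer = TrustedViewer(AUTHORITY_KEY)
    # Constructed sample documents already resident on the agency's machine.
    minute = Document("cabinet-minute.doc", b"Cabinet minute: agree to option B.", "WP-1234")
    briefing = Document("briefing.pdf", b"Briefing on water reform.", "PDF-9")
    out = {"before": [viewer.open(minute) is not None, viewer.open(briefing) is not None]}
    # The remote authority issues a new list: the minute by content hash, every file
    # ever created by application serial WP-1234, and anything mentioning a topic.
    revocation = {"content": [content_id(minute.content)],
                  "creator_serial": ["WP-1234"],
                  "keywords": ["water reform"]}
    out["policy_installed"] = viewer.install_policy(
        sign_revocation_list(revocation, AUTHORITY_KEY))
    out["after"] = [viewer.reason_revoked(minute), viewer.reason_revoked(briefing)]
    # The machine's owner tries to restore access with an empty list of their own.
    forged = sign_revocation_list({"content": [], "creator_serial": [], "keywords": []},
                                  b"owner-key")
    out["owner_override_accepted"] = viewer.install_policy(forged)
    out["still_locked"] = viewer.open(minute) is None and viewer.open(briefing) is None
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Both files open before the list arrives and neither opens afterwards, and the owner's attempt to install a blank list is rejected because it does not verify under `AUTHORITY_KEY`. Nothing about the documents changed; only the authority's list did, which is exactly the exposure the text describes for information the government holds on such platforms.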

