The Economics of The Economics of Trusted ComputingTrusted Computing

Ross Anderson

Cambridge University and FIPR

Outline of TalkOutline of Talk

Economics of networks Economics of information security Why information security seemed to

be awful What may be changing Issues for business Public policy issues

Basic EconomicsBasic Economics

Demand Curve D(p)

Price p

Quantity

Supply Curve S(p)

p*

Cost CurvesCost Curves

Price p

Quantity

Price p

Quantity

“General Motors” “”Microsoft”

Price CompetitionPrice Competition

If the marginal cost is zero, why doesn’t price competition drive the price down to nothing?– Example: CD Phone books

• 1986 Nynex $10,000 per disk• 1990 Digital Directory Assistance $300/disk• Now $19.95 or free on the Web

“Information wants to be free” (FSF) Monopoly

– IPR: Copyright, patent

Lock-inLock-in

Buying a product often commits you to buying more– Services– Complementary products

Examples:– MS vs Mac (or now Linux)– Phone companies - switchgear

Fundamental theorem of network economics: Net Present Value of your customer base = total cost of switching

Lock-in 2Lock-in 2 Example:

– Suppose you are an ISP, and it costs £25 to set up a new customer; suppose it costs a customer £50 in hassle to switch

– If the NPV of a customer is £100, offer them £60 cash back to switch; they are £10 ahead, you are £40-£25=£15 ahead.

Asymmetric switching costs make things more complex– e.g. switching from cable to satellite is

expensive, as it means supplying a set-top box– However, the incumbent can bribe cheaply, for

example by supplying free channels

Lock-in 3Lock-in 3

Incumbent tries to maximise switching cost; competitor to minimise it– Loyalty programs– Hassle: e.g. email address change– Promote complementary goods and services,

and find ways to lock customers into them

Accessory control mechanisms that lock customers into complements – Sony game cartridges– Printer toner cartridges– Phone batteries

Network ExternalitiesNetwork Externalities

The more users, the valuable the network is to each user– Examples: Telephone late 19th Century– Fax 1985-8– Email 1995-9

“Metcalfe’s Law”: The value of a network is proportional to the square of the number of users

An approximation, as the value to each user is non-linear, but good heuristic

Network EffectsNetwork Effects

Utility

Users

Almost nobody uses it

Almost everybody

uses it who ever

will

Virtual NetworksVirtual Networks

Example: PC and Software– Virtuous circle:– People buy PCs because lots of software

available– Developers write software because lots of

customers

Many other examples– Credit cards and merchants– VCR/DVD standards and media content

`Winner takes all’

Network effects and Network effects and securitysecurity

“Combination of high fixed costs/low marginal costs, high switching costs and network externalities, leads to a dominant firm model” – One sentence summary of information

economics

Huge first-mover advantages Hence Microsoft’s traditional

philosophy of `We ship it Tuesday and get it right by version 3’

Network effects and Network effects and security (continued)security (continued)

While building and entrenching a monopoly, you need to create a bandwagon effect with makers of complementary products

Hence philosophy of making security easy for developers to ignore or bypass

Hence also attraction of technologies like PKI that dump maintenance costs, complexity, configuration effort on user

Economics and security Economics and security (more)(more)

Controlling the API is valuable – remember value = switching costs. So keep API proprietary, obscure and extensible (i.e., buggy)

Remember the `market for lemons’ – when customers can’t tell the difference, bad products will drive out good ones

Expect lots of scaremongering – most of the people who talk about security talk up the threats

Security for whom?Security for whom?

Security tends to benefit the principal who pays for it

Example – GSM security, designed by the phone companies, enabled them to cut phone cloning but at expense of mobiles bought with stolen credit cards or stolen in street robberies

Costs of fraud shifted from phone companies to banks and customers

Phone companies keep half the loot

TCPA / PalladiumTCPA / Palladium

Intel project started 1996 to build crypto in main processor for DRM

After P3 serial number row, TCPA set up with MS, IBM, Compaq, HP

Bill: `we started with music, then realised that email etc was much more interesting’

Subsidiary goals: fix the software theft problem, deal with free software, and satisfy NSA/FBI

Economic logic: control compatibility

Original TCPA designOriginal TCPA design

`Fritz’ chip secures boot process, ensures a valid operating system, checks hardware control list

Approved operating system them checks that applications are approved (and paid for)

Applications enforce policies such as DRM under control of policy servers

No `break once run anywhere’ attacks (stolen/illegal content can be blacklisted)

`Nirvana’`Nirvana’

Sell/rent music/videos/software online Ensure that company emails evaporate

after 30 days, and are not printable Hunt down and kill pirated movies and

leaked emails Prevent people exporting files to

unauthorised applications (e.g., your competitors’ applications)

Various details need attention, e.g. can a secretary who downloads a pirate movie cause your data center to crash?

Policy issuesPolicy issues

Will the Fishman affidavit go on the Office 2004 blacklist? If so, will this cost us the Gutenberg inheritance?

Will the government of China allow TCPA / Palladium into the country?

What about the GPL – if you need a machine-specific cert to run TCPA/Linux, does it matter if the software itself is free?

Will lockdown of data by incumbent application vendors freeze out innovation and harm small firms?

A big question for A big question for businessbusiness

How will application data lockdown affect the business environment?

In the past, software vendors locked in customers using breakable mechanisms such as proprietary file formats

If future mechanisms are unbreakable (due to combination of Palladium and EUCD ), what happens to prices?

If switching costs double, so should prices!

Summary – why Bill didn’t Summary – why Bill didn’t care about securitycare about security

In winner-takes-all markets, security gets in the way – especially when building a monopoly by appealing to complementers

So make it easy to circumvent (let all apps run as administrator)

Use mechanisms that dump support costs on the end users

End users can’t identify good security products anyway so won’t pay for them

Security as built by application vendors will often screw the end users anyway

And now … why Bill may And now … why Bill may be changing his mindbe changing his mind

Switching costs are critical to a platform owner – company value should be NPV of future customer revenue = total switching costs

Crypto and tamper resistance can really lock down the application interfaces (experience of Sony, Motorola, … )

Security is an escape hatch in anti-trust (see US DoJ decree) – laws like DMCA, EUCD help the monopolist

`Hollywood made us do it’

Political effectsPolitical effects

During the 1990s, Hollywood pushed for tighter controls on the Internet

So did police, spooks Computer industry plus liberties

groups pushed back Realignment destroys the equilibrium

– we find Microsoft too pushing for greater criminalization of copyright offences

Where will the new equilibrium lie, and what will the side-effects be?

`Trusted Platform’?`Trusted Platform’?

Be very glad that your PC is insecure – it means that after you buy it, you can break into it and install whatever software you want. What YOU want, not what Sony or Warner or AOL wants.

- John Gilmore

Implications for EU (1)Implications for EU (1)

Clash between anti-circumvention rule in EUCD and competition policy

Monopoly granted to copyright extends to trade, e.g. via accessory control

Remedies may vary widely according to national law

More specific tension with software directive

Situation will need close monitoring, review with EUCD in 2004

Implications for EU (2)Implications for EU (2)

TCPA / Palladium poses existential threat to EU smartcard industry

Microsoft view: `If a technology’s useful, it eventually finds its way into the platform’

Fritz chip, trusted apps will take over many of the functions targeted by card vendors

Main card industry players have recently joined TCPA - as a defensive move

Control still vested in four founders

Implications for EU (3)Implications for EU (3)

Main threat to personal privacy is now the drive for monopolies and oligopolies to charge differentiated prices

TCPA / Palladium facilitates the creation of monopolies in information goods and services markets

TCPA claim that privacy is protected by pseudonym mechanism is specious on both technical and business grounds

Will create privacy-unfriendly infosphere under largely US jurisdiction

Implications for EU (4)Implications for EU (4)

TCPA undermines the General Public Licence (GPL)

If free / open source software can be made into property, the incentive to work on it is cut

GNU/Linux is an essential part of the information ecology, especially for the public sector; Apache is important

Implications not just for software costs but for education

Implications for EU (5)Implications for EU (5)

DRM applications will introduce document revocation functions

Idea: `pirate’ content can be blacklisted everywhere

Side-effect: so can documents like the Fishman affidavit (contraband in the USA, legal in the Netherlands)

Whose law will prevail? And what about the ability to revoke

machines, software packages … ?

Implications for EU (6)Implications for EU (6)

TCPA / Palladium will increase market entry costs, so it will favour incumbents over market entrants

It will tend to favour big firms over small and hinder employment growth

It will accelerate the process whereby the IT sector becomes a `normal’ industry

But in the process it will favour US firms over European ones, locking in the US lead and setting the scene for US firms to leverage this into other sectors

SummarySummary

TCPA / Palladium appears to promise a revolution in security

But: security for whom? Very wide range of policy issues

raised! More: see the Economics and Security

Resource Page and the TCPA / Palladium FAQ

http://www.ross-anderson.com