Computerworld

Governments see problems with 'trusted computing'

Don't enable Microsoft rights management, says e-govt unit

Conflict is looming between the legal obligations of government agencies and the emerging “trusted computing” initiative sponsored by international IT firms such as Microsoft.

Late last year the e-government unit issued a warning to government agencies not to enable the Information Rights Management capability in Microsoft Server 2003 and Office 2003. The issue is still unresolved, says the unit's chief, Laurence Millar. IRM, an early form of digital rights management that controls the use of digital material, is one of the earliest implementations of software developed as part of the trusted computing alliance. The Trusted Computing Platform Alliance, or TCPA, was formed by Compaq, HP, IBM, Intel and Microsoft in April of 2003.

“Using IRM may negatively impact on agencies' ability to meet their obligations under legislation such as the Official Information Act, the Archives Act, the Privacy Act, and impede the working of other legislation such as the Protected Disclosures Act and the National Library of New Zealand Act,” the warning says.

It warns of uncertainty about the backwards and cross-product compatibility of IRM. Depending on this technology to increasingly do the work of manual security policies, protocols and practices may create new vulnerabilities, it says. “Individual agency decisions to implement IRM could have longer-run implications for the collective interest of government.”

IRM capability is turned off by default in Server 2003 and Office 2003 and requires some effort to enable, the unit's note points out, so there is no problem in government agencies simply using the two software products.

The unit is still discussing the perceived problems of IRM with Microsoft, Millar says. Some resolution might be expected in the next two months, but the advice not to turn on IRM stays in place.

The Microsoft system, however, is only one facet of a broad and complex problem in the use of trusted computing elements in a government environment, Millar emphasises. Other governments are wrestling with the question, he says, and the New Zealand e-government unit has been in contact with UK, Canadian and Australian government counterparts.

Jay Garden of the GCSB-run Centre for Critical Infrastructure Protection has written a report on the specific IRM issue. While identifying particular drawbacks of that system, such as its reliance on a Microsoft root digital-certificate server rather than a server within the user organisation, the report flags general potential problems with all such technologies. “Before an organisation implements a technology or product that is designed to restrict access to their resources they should assess the risk of them losing access to the resources themselves or being tied into a solution that could restrict their future options to one technology or vendor,” it says.

Furthermore, says Garden's report, “[IRM] documentation suggests Microsoft has moved away from the rights management standards negotiated by the international initiatives in this area, producing proprietary technologies that are unlikely to be compatible with non-Microsoft platforms and applications for some time to come.”

A Microsoft NZ representative said the company was unable to prepare a comment on the question before our deadline.