D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management
Legal aspects in TC in general
The legal aspects related to TC can be categorized into three parts:
- The legal implications of content control and the possible abuse of TC by software vendors by means of technologies such as Digital Rights Management.
- The privacy issues stemming from the TC protocols and specifications defined by the TCG, such as the protocol for certifying the AIK by a Privacy CA.
- The legal liability for failure of TC.
TC, digital content control and privacy issues
The ability of TC to enforce some control on digital content has been widely discussed and researched [106], and this has given rise to a number of controversial opinions regarding the legal implications of TC. In particular, DRM technologies which are heavily based on TC seem to be of great concern to IT lawyers and also to computer scientists.
DRM includes a number of technological mechanisms that together allow a content provider to define rights over his distributed content. The main aim is to reduce unauthorized access, copying and distribution of digital content. One important application of this technology is to control the illegal distribution of media files, since enforcement of legal rules and intellectual property legislation such as the Copyright Act seems to have failed so far due to effective piracy.
DRM starts to appear dangerous for consumers when considering the ability of a content provider to “abuse” this technology to impose restrictions on the access to and use of the content by consumers, consequently increasing the costs. While content providers have rights to limit illegal distribution of their content, consumers also currently have rights to use certain digital content, and these should still be preserved. Such a “fair” DRM can only be achieved if the use of the technology is subject to specific legislation addressing technical aspects of DRM, drawing the line between the rights to control and the rights to consume the digital content.
On the other hand, some other TC functionalities such as “Remote Attestation” might be abused by software vendors to force consumers to run their particular software and to perform regular updates in order to be able to open certain files or have access to a certain service. This would limit the compatibility of software from different vendors, and can be abused by making the consumer pay much more for the software and upgrades he was forced to commit to. This means that TC might be incompatible with the Competition Act, which regulates “anticompetitive acts” and “abuse of dominant position” in a market by a supplier or group of suppliers. In fact, strong software vendors in the market would be able to force the consumer to run a certain kind of software in order for his platform to be considered “trusted” and to be able to access the digital content. The software is then said to be “locked-in”.
TC raises some privacy issues related to some specifications of the TCG, namely the Privacy CA (cf. 8.6.2). The Privacy CA has to be fully trusted in order for a platform to grant it private identification information. In fact, as will be explained later, the Privacy CA, which is responsible for pseudonym management, would have to obtain credentials from the “attesting” platform that reveal some identifiers of the platform. This would enable the Privacy CA to link pseudonyms to the common, identifying machine credential. The DAA protocol has been introduced in TPM version 1.2.
TC and liability of failure
The issue of legal liability for failure of TC infrastructures is still not thoroughly researched. In [122] the author stresses the point that this particular legal aspect of TC has so far not been addressed in the way that the content control and privacy issues have. However, both academic and commercial researchers seem to agree on its importance. One problem with addressing this perspective is the lack of consensus among academic and industrial partners around the meaning of a “Trusted System”.