
D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management



Legal aspects in TC in general

The legal aspects related to TC can be categorized in three parts: 

  1. The legal implications of content control and the possible abuse of TC by software vendors by means of technologies such as Digital Rights Management. 

  2. The privacy issues stemming from the TC protocols and specifications defined by the TCG, such as the protocol for certifying the AIK by a Privacy CA. 

  3. The legal liability of failure of TC. 

TC, digital content control and privacy issues

The ability of TC to enforce some control over digital content has been widely discussed and researched [106], and has given rise to a number of controversial opinions regarding the legal implications of TC. In particular, DRM technologies, which are heavily based on TC, are of great concern to IT lawyers and also to computer scientists. 

DRM comprises a number of technological mechanisms that together allow a content provider to define rights over his distributed content. The main aim is to reduce unauthorized access, copying and distribution of digital content. One important application of this technology is to control the illegal distribution of media files, since enforcement of legal rules and intellectual property legislation such as the Copyright Act seems to have failed so far due to effective piracy. 

DRM starts to appear dangerous for consumers when one considers the ability of a content provider to “abuse” this technology to impose restrictions on consumers’ access to and use of the content, and consequently to increase costs. While content providers have the right to limit illegal distribution of their content, consumers also currently have rights to use certain digital content, and these should be preserved. Such a “fair” DRM can only be achieved if the use of the technology is subject to specific legislation addressing the technical aspects of DRM and drawing the line between the right to control and the right to consume digital content. 

On the other hand, other TC functionalities such as “Remote Attestation” might be abused by software vendors to force consumers to run their particular software and to perform regular updates in order to open certain files or access a certain service. This would limit the compatibility of software from different vendors, and could be abused to make the consumer pay much more for the software and upgrades he was forced to commit to. This means that TC might be incompatible with the Competition Act, which regulates “anticompetitive acts” and “abuse of dominant position” in a market by a supplier or group of suppliers. In fact, strong software vendors in the market would be able to require the consumer to run a certain kind of software in order for his platform to be considered “trusted” and thus able to access the digital content. The software is said to be “locked-in”. 

TC raises some privacy issues related to certain specifications of the TCG, namely the Privacy CA (cf. 8.6.2). The Privacy CA has to be fully trusted in order for a platform to grant it private identification information. In fact, as will be explained later, the Privacy CA, which is responsible for pseudonym management, would have to obtain credentials from the “attesting” platform that reveal some identifiers of the platform. This would enable the Privacy CA to link pseudonyms to the common, identifying machine credential. The DAA protocol was introduced in TPM version 1.2.

TC and liability of failure

The issue of legal liability for the failure of TC infrastructures has still not been thoroughly researched. In [122] the author stresses that this particular legal aspect of TC has not yet been addressed to the extent that the content control and privacy issues have. However, both academic and commercial researchers seem to agree on its importance. One problem in addressing this perspective is the lack of consensus among academic and industrial partners on the meaning of a “Trusted System”. 



fidis-wp3-del3.9_Study_on_the_Impact_of_Trusted_Computing_on_Identity_and_Identity_Management_v1.1.sxw