
My Digital Identity

Sharp Perspectives on Identity, Security, and Privacy

Security and feudalism: Own or be pwned

Cory Doctorow explains how the Electronic Frontier Foundation (EFF) is battling the perfect storm of bad security, abusive business practices, and threats to the very nature of property itself. In the emerging Internet of Things (IoT) there is a need to take action to avoid a dystopian future. Cory identifies the disastrous consequences of DRM being left unchecked and how we need to be fighting for a future where our devices can be configured to do our bidding and where security researchers are always free to tell us what they’ve learned. Find out what you can do to fight for what is right.

Who Owns your PC?

The answer may seem obvious, but when you really think about it, it is less clear.

You bought the personal computer and presumably installed the software that runs on it, but are you really in control of what it is used for?

If your PC isn’t secured, it can fall prey to malware that takes control of your computer and turns it into a zombie that is remotely controlled, at least in part, by some criminal. This takeover is sometimes referred to as the criminal owning your computer, since they are using the asset you purchased for their own purposes.

But, you protest, this is the exception to the rule, a special case that with proper precautions won’t happen to you.

However, this question of ownership becomes murky even without a bad guy taking over your computer with some trickery.

What about software that has hidden features to “phone home” and report information about you to the mothership? Sometimes this is advertised as a customization feature, but is it a feature you control and have a choice about? If not, its human counterpart with these characteristics might be called a traitor or informant. Your computer is at least partly owned by the software supplier to do its bidding, whether you like it or not. There are many examples of software companies that have been caught including these types of features. Their claims that this was just to provide better services seem suspicious without open disclosure. This is where software that catches software-initiated outbound requests and lets you decide whether to allow them can be important.

Many decisions about the use of “your” computer resources, such as memory, disk space, and CPU cycles, are made on your behalf by the operating system and other software. What seems to be missing is what in privacy circles is called informed consent. Granted, it is a challenge to make computers simpler to use, and not every computer user wants to tune their computer for optimum performance, but have we gone too far in the direction of uncontrollable software defaults and not done enough to inform and empower the computer owner to control how it is used? Even with the tremendous advances in disk, memory, and CPU technology, these can still be considered scarce resources that computer owners might not want used up by services that they aren’t aware of and probably don’t need.

Web sites do exist that provide information on which operating system options can be turned off, but at present this can be considered a black art, to be done at your own risk without the support of the suppliers. What is needed are capabilities that allow owners to decide intelligently what they want to run on their computers, and maybe even some artificial intelligence that lets them, from a user perspective, provide input on the desired performance tradeoffs between programs. Improved owner consent and control could have big benefits for both computer performance and security, since systems could move more towards default off rather than default on.

A common example is software vendors including features that reserve memory even when the software isn’t being used, so that it will load faster. Are computer owners informed about the tradeoffs of these features and their impact on the system? While operating systems generally include a task manager or activity monitor, just how informative and useful are these capabilities for the average computer owner? Most don’t even identify the resource hogs with names that relate back to the software name an owner would recognize. Processes can be killed, but owners must beware of the consequences of trying to control how much of their computer is used by various nefarious unrecognized programs or program components.

Things get even more complicated when Digital Rights Management (DRM) is introduced, since this software puts restrictions on computer use to benefit content suppliers, not necessarily computer owners and content purchasers. Do computer owners have enough options for there to be competition over which restrictions are acceptable? Could this also be considered another example of an outside party owning your computer for its own purposes?

Trusted computing technology also has the capability to control what software can run on “your” computer. Will computer owners have informed consent on how these capabilities will be implemented to their benefit? Who will decide how these technologies will be used to control “your” computer?