1. The Economics of Trusted Computing Ross Anderson Cambridge University and FIPR

2. Outline of Talk l Economics of networks l Economics of information security l Why information security seemed to be awful l What may be changing l Issues for business l Public policy issues

3. Basic Economics Demand Curve D(p) Price p Quantity Supply Curve S(p) p*

4. Cost Curves Price p Quantity Price p Quantity “General Motors” “”Microsoft”

5. Price Competition l If the marginal cost is zero, why doesn’t price competition drive the price down to nothing? – Example: CD Phone books 1986 Nynex $10,000 per disk 1990 Digital Directory Assistance $300/disk Now $19.95 or free on the Web l “Information wants to be free” (FSF) l Monopoly – IPR: Copyright, patent

6. Lock-in l Buying a product often commits you to buying more – Services – Complementary products l Examples: – MS vs Mac (or now Linux) – Phone companies - switchgear l Fundamental theorem of network economics: Net Present Value of your customer base = total cost of switching

7. Lock-in 2 l Example: – Suppose you are an ISP, and it costs £25 to set up a new customer; suppose it costs a customer £50 in hassle to switch – If the NPV of a customer is £100, offer them £60 cash back to switch; they are £10 ahead, you are £40- £25=£15 ahead. l Asymmetric switching costs make things more complex – e.g. switching from cable to satellite is expensive, as it means supplying a set-top box – However, the incumbent can bribe cheaply, for example by supplying free channels

8. Lock-in 3 l Incumbent tries to maximise switching cost; competitor to minimise it – Loyalty programs – Hassle: e.g. email address change – Promote complementary goods and services, and find ways to lock customers into them l Accessory control mechanisms that lock customers into complements – Sony game cartridges – Printer toner cartridges – Phone batteries

9. Network Externalities l The more users, the valuable the network is to each user – Examples: Telephone late 19 th Century – Fax 1985-8 – Email 1995-9 l “Metcalfe’s Law”: The value of a network is proportional to the square of the number of users l An approximation, as the value to each user is non-linear, but good heuristic

10. Network Effects Utility Users Almost nobody uses it Almost everybody uses it who ever will

11. Virtual Networks l Example: PC and Software – Virtuous circle: – People buy PCs because lots of software available – Developers write software because lots of customers l Many other examples – Credit cards and merchants – VCR/DVD standards and media content l `Winner takes all’

12. Network effects and security l “Combination of high fixed costs/low marginal costs, high switching costs and network externalities, leads to a dominant firm model” – One sentence summary of information economics l Huge first-mover advantages l Hence Microsoft’s traditional philosophy of `We ship it Tuesday and get it right by version 3’

13. Network effects and security (continued) l While building and entrenching a monopoly, you need to create a bandwagon effect with makers of complementary products l Hence philosophy of making security easy for developers to ignore or bypass l Hence also attraction of technologies like PKI that dump maintenance costs, complexity, configuration effort on user

14. Economics and security (more) l Controlling the API is valuable – remember value = switching costs. So keep API proprietary, obscure and extensible (i.e., buggy) l Remember the `market for lemons’ – when customers can’t tell the difference, bad products will drive out good ones l Expect lots of scaremongering – most of the people who talk about security talk up the threats

15. Security for whom? l Security tends to benefit the principal who pays for it l Example – GSM security, designed by the phone companies, enabled them to cut phone cloning but at expense of mobiles bought with stolen credit cards or stolen in street robberies l Costs of fraud shifted from phone companies to banks and customers l Phone companies keep half the loot

16. TCPA / Palladium l Intel project started 1996 to build crypto in main processor for DRM l After P3 serial number row, TCPA set up with MS, IBM, Compaq, HP l Bill: `we started with music, then realised that email etc was much more interesting’ l Subsidiary goals: fix the software theft problem, deal with free software, and satisfy NSA/FBI l Economic logic: control compatibility

17. Original TCPA design l `Fritz’ chip secures boot process, ensures a valid operating system, checks hardware control list l Approved operating system them checks that applications are approved (and paid for) l Applications enforce policies such as DRM under control of policy servers l No `break once run anywhere’ attacks (stolen/illegal content can be blacklisted)

18. `Nirvana’ l Sell/rent music/videos/software online l Ensure that company emails evaporate after 30 days, and are not printable l Hunt down and kill pirated movies and leaked emails l Prevent people exporting files to unauthorised applications (e.g., your competitors’ applications) l Various details need attention, e.g. can a secretary who downloads a pirate movie cause your data center to crash?

19. Policy issues l Will the Fishman affidavit go on the Office 2004 blacklist? If so, will this cost us the Gutenberg inheritance? l Will the government of China allow TCPA / Palladium into the country? l What about the GPL – if you need a machine-specific cert to run TCPA/Linux, does it matter if the software itself is free? l Will lockdown of data by incumbent application vendors freeze out innovation and harm small firms?

20. A big question for business l How will application data lockdown affect the business environment? l In the past, software vendors locked in customers using breakable mechanisms such as proprietary file formats l If future mechanisms are unbreakable (due to combination of Palladium and EUCD ), what happens to prices? l If switching costs double, so should prices!

21. Summary – why Bill didn’t care about security l In winner-takes-all markets, security gets in the way – especially when building a monopoly by appealing to complementers l So make it easy to circumvent (let all apps run as administrator) l Use mechanisms that dump support costs on the end users l End users can’t identify good security products anyway so won’t pay for them l Security as built by application vendors will often screw the end users anyway

22. And now … why Bill may be changing his mind l Switching costs are critical to a platform owner – company value should be NPV of future customer revenue = total switching costs l Crypto and tamper resistance can really lock down the application interfaces (experience of Sony, Motorola, … ) l Security is an escape hatch in anti-trust (see US DoJ decree) – laws like DMCA, EUCD help the monopolist l `Hollywood made us do it’

23. Political effects l During the 1990s, Hollywood pushed for tighter controls on the Internet l So did police, spooks l Computer industry plus liberties groups pushed back l Realignment destroys the equilibrium – we find Microsoft too pushing for greater criminalization of copyright offences l Where will the new equilibrium lie, and what will the side-effects be?

24. `Trusted Platform’? Be very glad that your PC is insecure – it means that after you buy it, you can break into it and install whatever software you want. What YOU want, not what Sony or Warner or AOL wants. - John Gilmore

25. Implications for EU (1) l Clash between anti-circumvention rule in EUCD and competition policy l Monopoly granted to copyright extends to trade, e.g. via accessory control l Remedies may vary widely according to national law l More specific tension with software directive l Situation will need close monitoring, review with EUCD in 2004

26. Implications for EU (2) l TCPA / Palladium poses existential threat to EU smartcard industry l Microsoft view: `If a technology’s useful, it eventually finds its way into the platform’ l Fritz chip, trusted apps will take over many of the functions targeted by card vendors l Main card industry players have recently joined TCPA - as a defensive move l Control still vested in four founders

27. Implications for EU (3) l Main threat to personal privacy is now the drive for monopolies and oligopolies to charge differentiated prices l TCPA / Palladium facilitates the creation of monopolies in information goods and services markets l TCPA claim that privacy is protected by pseudonym mechanism is specious on both technical and business grounds l Will create privacy-unfriendly infosphere under largely US jurisdiction

28. Implications for EU (4) l TCPA undermines the General Public Licence (GPL) l If free / open source software can be made into property, the incentive to work on it is cut l GNU/Linux is an essential part of the information ecology, especially for the public sector; Apache is important l Implications not just for software costs but for education

29. Implications for EU (5) l DRM applications will introduce document revocation functions l Idea: `pirate’ content can be blacklisted everywhere l Side-effect: so can documents like the Fishman affidavit (contraband in the USA, legal in the Netherlands) l Whose law will prevail? l And what about the ability to revoke machines, software packages … ?

30. Implications for EU (6) l TCPA / Palladium will increase market entry costs, so it will favour incumbents over market entrants l It will tend to favour big firms over small and hinder employment growth l It will accelerate the process whereby the IT sector becomes a `normal’ industry l But in the process it will favour US firms over European ones, locking in the US lead and setting the scene for US firms to leverage this into other sectors

31. Summary l TCPA / Palladium appears to promise a revolution in security l But: security for whom? l Very wide range of policy issues raised! l More: see the Economics and Security Resource Page and the TCPA / Palladium FAQ http://www.ross-anderson.com