The terms "security" and "trust" are commonly used in the advertising of manufacturers and service providers in the IT industry. Despite their highly positive tone, these expressions, unless precisely defined, have little tangible content and this rather impairs their effect.
For years, a large number of the most important manufacturers of hardware and operating system software for PCs, under the name TCPA, have been pushing ahead with a project whose precise goal does not appear entirely clear, at least at first sight. The various aspects of the project, and the fact that in addition to the aforementioned manufacturers in the first place, the music and film branches of the entertainment industry are also interested in TCPA leads to the conclusion that a primary aim of the plan is to increase the technical means for protecting copyrighted works against unauthorised reproduction. At first sight, there is no major data protection element involved in the project, but a closer look reveals that data protection could be seriously affected by these developments. We cannot go into the potentially enormous consequences for monitoring that would be created by the so-called Digital Rights Management that is crucial to TCPA. We must however point out that, according to all the information made available so far on TCPA, users should in future be sold an infrastructure whose security functions they will neither be able to control nor to understand in any detail. This will not only create a situation that lacks transparency, but will ultimately make it impossible for users to determine their own informational needs. Accordingly, the German data protection commissioners at federal and regional levels, in a resolution passed at their 57th Conference, have called for the managers of information and communications technology to develop and produce their hardware and software in such a way that users and independent third parties can check on the effectiveness of security precautions at any time. We would very much echo this demand.
In one of the earliest and most detailed of the analyses so far of TCPA / Palladium (the TCPA version from Microsoft), Ross Anderson - a world-renowned expert on security technology - struck at the heart of one of the key issues: he posed the rhetorical question of whether increased security for PC is indeed a good thing. As an "answer", he then asked the real central question "Security for whom?". Some elements of Anderson's reply can be explained as follows: neither virus problems nor an inundation with unsolicited advertising by mail (Spam) will be solved by TCPA. And nor does the technology limit violations of rights of privacy or of data protection. The security interests that are first and foremost protected by TCPA are not those of PC users, but those of PC manufacturers and sellers, software providers and the so-called content industry (music, films, games).
[July 2003]