Panic spreads over Windows Vista 'back door' that never was
MS caught not evildoing again...
Who'd be a Microsoft? There you are, strolling along minding your own business and the next thing you know you're in a top level conspiracy with the UK security forces to put a back door into Windows Vista. Or so, anyway, the web bush telegraph would have us believe. But disorientating as we find it to be leaping to Microsoft's defence twice in one day, we at The Register feel compelled to point out that the story is somewhat exaggerated, going on entirely untrue.
The Vista back door story originated at (tut) the BBC, with a report claiming that Professor Ross Anderson was urging the government "to look at establishing 'back door' ways of getting around encryptions", and quoting a Home Office spokesman as saying: "The Home Office has already been in touch with Microsoft concerning this matter and is working closely with them." Which we do accept sounds a bit suspicious - particularly if you haven't checked what it was that Prof Anderson originally said, and why.
Anderson was giving evidence to the Home Affairs Committee's enquiry on terrorism detention powers earlier this week, and was covering the challenge posed to police forensic investigations by hard disk encryption. He pointed out that "from later this year the encryption landscape is going to change with the release of Microsoft Vista, the next generation of Windows operating system which will support the use of a chip called a TPM which manufacturers are putting on PC motherboards. What this means is that by default your hard disc will be encrypted using a key that you cannot physically get at... An unfortunate side effect of this from the point of view of law enforcement is that it is going to be technically fairly seriously difficult to dig encrypted material out of systems if people have set it up competently. One issue that was in fact discussed at IPEC here a couple of weeks ago is whether there might in the medium term be some kind of obligation placed on computer vendors, hardware vendors like Intel or software vendors like Microsoft, to see to it that 'back door' keys be made available. Certainly if I were running the appropriate department in the Home Office I would be getting into conversations with Microsoft about this issue now rather than in November when the product is shipped."
The notion of Ross Anderson, more commonly found on the other side of the barricades, running a Home Office department is pleasantly surreal, but it's fairly clear that he was talking about a general issue here, and it becomes clearer within the context of the rest of his evidence. Essentially Anderson is pointing out that encryption poses a growing challenge to law enforcement, that the arrival of widespread hardware-based encryption will make the problem far greater, and that under the circumstances sensible governments should be talking to the industry about what to do about it. Which you might reckon is possibly not big news, given that governments have been talking to industry about issues of this kind for decades - key escrow, anyone?
Anderson, incidentally, seems to view the problem for law enforcement as being considerably broader than just encryption. In the future, he says, encryption will be pretty much an either/or in the sense that if you've got the key, you get in, and if you haven't, you give up. Most effort is therefore likely to go into analysing the vast amount of data within which evidence might be found: "I would think that in ten years' time when the police raid someone's home they might find dozens or perhaps hundreds of computing gadgets on which data can be stored. It is common nowadays, for example, for people to back up their data on devices like an iPod and so in future when you raid somebody's house you will seize their iPod and see if there are data files on it" ('Police to seize iPods' stories are imminent, we predict).
What, then, might Microsoft have been talking to the Home Office about? Most assuredly not about putting back doors in Vista: "We are committed to working with law enforcement to help them understand Vista security features and will continue to partner with governments, law enforcement and industry to help make the Internet a safer place", a spokeswoman told The Register. "Windows Vista is engineered to be the most secure version of Windows yet. It is our goal to ensure enterprise users have full control over information on their PCs. Microsoft has not and will not put 'backdoors' into Windows, its BitLocker feature, or any other Microsoft Products."
She declined, as one might expect, to be specific about the security-related discussions Microsoft may or may not have had with the Home Office, but the areas Microsoft (and other major IT companies) are likely to be covering are fairly obvious, and in some senses (obviously not all) we can perhaps consider Microsoft as being on the side of the forces of light here. Consider, for example, hardware encryption that is intended to be beyond the control of the user, in order to stop the user stealing videos and music - the notion of this being legislated at the behest of the entertainment industry is by no means incredible, and it's clearly something the IT industry will want to have an input on. Or, consider how legislators react when (as so often happens) they discover that encryption that is controlled by the user effectively cannot be cracked by the security services. So they consider placing legal limits on the strength of encryption, and their thoughts turn, yes, to back doors, to whether "some kind of obligation placed on computer vendors" could allow the security forces to read encrypted data.
To some extent Microsoft and TPM face both ways here. TPM will certainly be used as a mechanism for restricting users' rights, to some extent by the music industry in order to protect its content, and by businesses (the "enterprise users" Microsoft refers to) wishing to protect their data from both intruders and employee abuse. It will be generally available in Vista and in future generations of hardware, but legislation aside people will not be compelled to use it. It's in Microsoft's interests for it to be available for people to use, but it's most certainly not in Microsoft's interests for Vista to either be or to be seen as the OS that restricts your rights. Nor is it in Microsoft's interests for legislators to restrict the strength of encryption, or for legislators to require back doors. It wouldn't work anyway, because lawbreakers and terrorists by definition do not obey the law, so whenever legislators start talking about such things, one of the things Microsoft will be doing is quietly trying to talk them out of it. Not because it's a nice company or anything, but because commercial suicide lies along this road. What, Microsoft is going to sell an OS as 'slightly weakened by design' or 'rock-solid security for your stuff... up to a point'? Yeah, right... ®