Will Big Brother Be Watching?

Intel recently proposed that its next generation Pentium III chipset include a serial number technology that could be used to identify every machine containing one of its chips. Howls of protest went off when Intel suggested that it could be used to identify users on the Internet -- a way to avoid cumbersome username and password combinations. It's alarming that Intel thinks we're that naive.

Software manufacturers have asked for workstation identifiers for years. They envisage a piece of software that queries the motherboard for its unique serial number, attaches it to the serial number of the software and then waits for an Internet connection. Once the Internet connection is available, the software passes a single transaction to the manufacturer's database and voila! Instant software registration. The software would automate this process on behalf of the customer with no user intervention.

There's profound benefit for software manufacturers in this scheme. Considering how few of us -- corporate or individual -- actually register software, it would be a way to improve the information software companies get about their users. It's easy to imagine a database collected by software manufacturers that contained workstation identifier, software serial number and any other information the software could glean from the machine on which it was running. Companies that entered into cooperative arrangements could merge their databases, secure in the knowledge that the workstation identifier was unique.

The idea that software companies could build such databases should come as no surprise to any of us. But the fact that Intel thought the time was right to deliver the technology is nothing less than amazing. Sensitivity to online privacy is at an all-time high. When Intel backtracked and suggested that the identification was meant as a technology to improve upon Internet cookies, it became obvious that Intel officials had messed up their timing.

The original Intel proposal provided a unique identifier for every Pentium III workstation. The difference between workstation identifiers and browser-based cookies is enormous. Cookies, a much-maligned Web technology, allows Web sites to place a small amount of information on the hard disk of those browsing a Web site. Cookies were not designed as tools to identify users or computers. Instead, they were built to extend the functionality of Web sites by making it possible to save information about users' preferences.

The fundamental difference between Intel's initial workstation identifier proposal and browser-based cookies is control. Users can surf the Web without ever using cookies; Intel's first Pentium III announcement would have given workstation users no choice. No wonder there was an immediate firestorm of protest.

Intel immediately backtracked and tried to spin the workstation identifier as an improvement on Internet cookies. The company even promised a switch that would allow users to turn off the workstation identifier. As consumers of Internet-enabled hardware and software we should remain skeptical.

Privacy on the Internet is difficult enough to manage without workstation identifiers. In 1999, we've already seen industry-leading browsers subject to attack on Web caches. This means if you have a browser without the most recent security patches, a rogue site could gain access to pages you've viewed in the past. Worse yet, it might be possible to retrieve information you've entered into forms on previous pages.

If we've learned anything in the past two years it is that the user should control privacy. Schemes attempting to make things more "convenient" for the user always seem to have an alternative agenda or, worse, defects that malcontents can exploit. Even with a way to turn off Intel's workstation identifier, who among us doesn't suspect that someone will find a way to write downloadable code to surreptitiously turn it on, execute a few commands, and then turn it off again without the user ever knowing?

Intel's plan for the Pentium III is bad enough, but to pretend that it's an improvement for people using the Web is an abomination. If there's a silver lining in this cloud it is that people will begin to reflect on the issue of security on the Internet. The success of electronic commerce during the last holiday season obscures the fact that we have yet to deploy tools and policies that ensure everyone is in control of his or her privacy. Perhaps the Intel announcement will help refocus public policy and consumer interest on security: a crucial issue for the success of the Internet. --Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at mcfadden@cix.org.