Are “Trusted Systems” Useful for Privacy Protection? Joan Feigenbaum http://www.cs.yale.edu/~jf PORTIA Workshop Stanford Univ., July 8-9, 2004 1 General Problem: It is Hard to Exercise “Remote Control” over Sensitive Data Many machine-readable permissions systems – Rights-management languages – Privacy policies – Software licenses None is now technologically enforceable. – All software-only permissions systems can be circumvented. – Once data are transferred, control is lost. 2 Proposed Solution: “Trusted Systems” We need definition(s) of “trusted systems.” Key feature: hardware-based, cryptographic support for proofs that remote machines are running approved software stacks Useful feature – Leads to interesting theory? – Feasible to build and deploy? Solves practical problems? 3 Trusted Systems for the Distribution of Entertainment Content Content providers’ problem is piracy. Approved software stacks would implement “draconian DRM.” – No unauthorized use of content – No unauthorized access to or transfer of content Unclear whether these goals, especially the second, can be achieved. See, e.g., – Biddle et al. 2002: “Darknet” creates unauthorized access and transfer. – Haber et al. 2003: Technological weaknesses If these goals were achieved, the piracy problem would be (at least partly) solved. 4 Dan Geer at YLS: “DRM ≡ Privacy” This claim is made often and disputed often in the trusted-system context. Is it true? What (and whose) privacy problem is being addressed? What is the approved software stack required to do? Are these technical requirements achievable? If they were achieved, would the privacy problem be solved? 5 Example: Privacy of Medical Data Whose problem? Individual data subject – Often, he or she is not the entity that creates the data or the one that must demand proof from a potential data recipient. – Different from DRM for entertainment content. Institution Hospital, drs’ office, insurance co., etc. 6 Privacy of Medical Data, cont. What problem? Example: Compliance with HIPAA rules about when personal medical data may be disclosed. Targeted attack on specific data subject. Trusted systems won’t prevent this disclosure! – Small data objects (some only one bit) abound. Attacker can disclose them without computers. General fact about trusted systems (but not applicable to DRM for entertainment) – Data objects obtainable by other means. General fact (sometimes applicable to DRM for entertainment, as in “Darknet” ) General disregard for or misunderstanding of rules 7 General (Untargeted) HIPAA-Compliant Privacy Medical-privacy logic is incomplete. Complying with it requires good human judgment. – “Life-threatening situation” – “Public-health emergency” – “Poses a threat to himself or others” Trusted systems can’t fully solve this problem! This is a general fact about trusted systems; they can’t solve problems that are inherently unsolvable by computers. – Not necessarily relevant to draconian DRM – Relevant to the more general problem of copyright compliance, which includes fair use 8 Conclusion: Trusted Systems Cannot Ensure Privacy of Personal Medical Data Circumvention of privacy-protection mechanisms is not the most pressing threat to medical-data privacy. More generally, trusted systems will be ineffective when – There are alternative ways to obtain the sensitive data (or accomplish the attacker’s goals). – The relevant policy is not conveniently expressible as a program. When will trusted systems be effective? 9 Policy-Enforcement Mechanisms in MS Products (BAL/cs155/03-25-03) MS DRM for eBooks MS DRM for Windows Media Windows Rights Management Services Office 2003 Information Rights Management License servers for Ultimate TV/eHome (digital Terminal Services, File & Print Services, etc. Xbox (anti-repurposing) storage of video) File system ACLs Enterprise policy management Group policy in domains Partially trusted code policies (.NET Framework) NGSCB 10 Which Attributes are Relevant? Number of data sources? Number of data recipients? Need to retransmit data? Stability of policies? Third-party certifiers? ••• When could trusted systems help? 11 Whenever “The Program is the Policy?” Organizations mandate the use of particular software environments for a variety of reasons, some objectionable. Are there benign reasons to do so? – Absence of particular serious flaws – Mission-critical properties, e.g., • Maintains audit trails • Does not maintain audit trails – Protection against subversion and misrepresentation (analogy with copy-left licenses) What else are trusted systems good for? 12