Originally created 06/26/02

Microsoft discloses ambitious new security effort



WASHINGTON -- Microsoft Corp. has disclosed an ambitious new project to improve security by creating within its Windows software a virtual "vault" where customers would conduct electronic transactions and store sensitive information.

The effort, called "Palladium," would require consumers to buy new computers and other devices equipped with ultra-secure computer chips from Intel Corp. and Advanced Micro Devices Inc., which already are involved in the project, or other companies.

The project's success also depends on broad consumer adoption of such devices, since these highly secure computers could safely exchange information only among themselves.

Microsoft said the technology, which stemmed from early work by its engineers to deliver digital movies that couldn't be pirated, won't be available for at least 18 months. Company officials have told other executives in private briefings they do not expect to see mainstream products for at least five years.

"We're so early in the process, we're really just drawing the road map," said Mario Juarez, who is running the project for Microsoft. "This won't happen tomorrow or next year."

The project was first reported by Newsweek, although Microsoft officials have discussed their efforts privately for months in meetings with technology and civil liberties groups in Washington and elsewhere.

Some industry experts were skeptical of Microsoft's chance for success.

"If this works, it will be the first time in the history of computing that it works," said Bruce Schneier, a cryptography expert and author of "Secrets & Lies, Digital Security in a Networked World."

"Lots and lots of encryption is broken all the time because it's done wrong," Schneier said. "The odds are actually zero this will be secure."

David Farber, the Federal Communications Commission's former chief technologist, said he was "somewhat satisfied" with Microsoft's plans, but he will watch closely to ensure the company doesn't try to use Palladium to control the world's software markets.

"One has to keep their feet to the fire on how they use it," said Farber, who testified against Microsoft during its antitrust trial. "Right now, I don't see any signs there's any devious plot."

Supporters said the technology, to be offered as an option in an upcoming version of Windows, would be able to distinguish safe software from data containing viruses or other malicious computer code. The technology could be turned on and turned off. Customers could store within this part of Windows personal details, such as financial or medical records, that is encrypted and otherwise inaccessible even from other software running on the computer.

"Users can be assured that your intentions are properly carried out," Juarez said. "No one can masquerade as you. They're not on your computer."

Microsoft's efforts are similar to those of the Trusted Computing Platform Alliance, an industry group also working on new hardware technology to let computers distinguish "trustworthy" software. IBM has already shipped new laptop computers featuring such security chips.

Under Palladium, Intel and AMD, the world's largest chipmakers, will redesign computer processors to include cryptography features. Palladium also will require changes to video and keyboard technologies to ensure that a customer's typed information is displayed without changes on the screen. That would require billions of dollars in new equipment upgrades by consumers, corporations and governments.

Further, since a consumer's personal information will be scrambled within a vault and tied to a specific computer chip, that information could not readily be stored elsewhere in case of disaster or if the computer fails.

Microsoft also acknowledged that it hasn't resolved sensitive issues of permitting access by government with a court order to a person's encrypted data. The FBI has indicated it rarely encounters scrambled information during investigations, but making such technology as ubiquitous as Windows could invite use by criminals or terrorists.

"We recognize that something like this needs to be done responsibly," Juarez said.

Microsoft's name for its efforts, Palladium, comes from the statue of Pallas Athena, which was believed to protect the ancient city of Troy from invaders. In modern parlance, a palladium is considered a guarantee of integrity.