Home

Program

Registration
Directions/Venue
Committee
 
Trusted Platforms -- Whom Do They Protect?

Panel Proposal

 

Interdisciplinary Research in Platform Security

Early information systems only provided assurances to their owners and users. Other parties had no basis for trust in these early platforms. Every aspect of the behavior of the system was under the control of the owner. Gradually, systems appeared that provided assurances of one sort or another to parties other than their owner. The odometer in an automobile is an example. It provides some level of assurance to parties other than the owner of the automobile. The car dealership trusts the odometer to indicate whether the car is still under warranty. Prospective buyers of a used car trust the odometer as an indication of the amount of wear on the car. Cars do not include controls for interfering with the faithful operation of the odometer. It can be circumvented technically, but for the average user it is out of their control. The odometer is faithful to the truth, the dealership, and the prospective buyer more than it is loyal to the wishes of the owner.

The loyalty of a platform to one party cannot be increased without decreasing its loyalty to another party. A platform that assigns a significant amount of loyalty to an external entity and has mechanisms in place that prevent circumvention can be trusted by the external entity, and is therefore called a trusted platform. We saw a steady increase in the sophistication of assurances that can be provided by trusted platforms to external entities, and an increase in the strength of the assurances with regard to resisting circumvention. The typical application is digital rights management (DRM), where the platform provides assurance to the content owner that the content owner's use policies will be honored by the platform, even if those policies conflict with the wishes of the owner of the platform.

DRM systems have been criticized for disregarding copyright exceptions such as the fair use doctrine, for violating privacy rights and hampering security research. Trusted computing platforms have been criticized due to their implications for privacy protection. Increasingly, platform security systems are being used in anti-competitive ways. The move towards closed platforms may have broad implications for innovation on the Internet and in mobile networks. The policy and legal communities have identified and debated some of these issues in depth. Today, we find ourselves in the position of trying to determine the best direction for trusted platforms research. The question is no longer whether we can provide assurance, but rather what kinds of assurance should be provided. Time seems ripe to reflect on future research strategies that must take into account the nuances of the interaction between information systems and privacy, law, public policy and economics among other things. The panel will focus on some of the following issues:
  1. How can policy and legal discussions be better integrated into platform security research? Are there ways to include them at the design stage by, e.g., designing security protocols and languages in close cooperation between computer scientists and social scientists?
  2. To what extent current social science research methods should be applied to security questions. What role should “economics of security” and “behavioral economics of security” play on platform security research?
  3. To what extent is a research approach towards platform security, which integrates technology, economics, psychology and law, feasible?
  4. What are other applications of trusted platforms beyond DRM?

By focusing on these issues, the panel will explore the possibilities and limitations of interdisciplinary IT security research.