Who should know what's happening in your computer? Who should control it?

My latest Locus column is "What’s Inside the Box," a discussion of whether owners, users or third parties should be able to know and/or control what their computers are doing:

The answer to this that most of the experts I speak to come up with is this:

The owner (or user) of a device should be able to know (or control) which software is running on her devices.

This is really four answers, and I’ll go over them in turn, using three different scenarios: a computer in an Internet cafe, a car, and a cochlear implant. That is, a computer you sit in front of, a computer you put your body into, and a computer you put in your body.

Cory Doctorow: What's Inside the Box

Insurer offers discounts to customers running in-car GPS telemetry

Writing in PC Pro, Stewart Mitchell describes a partnership between GPS vendor TomTom and Fair Pay insurance, an auto insurer, to offer discounts to people whose GPS devices report low incidences of sudden stops and unsafe turns. I rather like this idea, the idea that your device could offer testimony on your behalf, but a lot depends on how it is implemented.

On the one hand, TomTom could generate trustworthy readings by completely locking its device so that users can't inspect or modify their operations, which would open up the possibility that your device was recording and transmitting information about your location and movements without your knowledge or permission. On the other hand, TomTom could produce a stats-gathering app whose workings were publicly disclosed, but which used a TPM-style module to verify that it hadn't been modified for the purposes of gathering and signing information that you can pass on to the insurer.

This would give TomTom owners the choice of booting their device into a known, publicly verifiable state that respected their privacy, but also produced statistics that third parties could trust. It would also give TomTom owners the choice of booting into alternative environments that did different things.
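An added illustration of the second design above (constructed for this post, not code from TomTom, Fair Pay or the column): a publicly disclosed stats app, a TPM-style module that measures it at boot, and an insurer that accepts only reports made from the known-good measurement. The module, its single PCR and the HMAC that stands in for a real TPM's asymmetric quote signature are simplifications assumed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the TPM-style module described above. HMAC with a
# key that never leaves the module replaces a real TPM's asymmetric quote
# signature (a simplification, not how a real TPM exposes its attestation key).
PUBLISHED_APP = b"count hard stops and sharp turns; report totals"  # constructed app code


class AttestationModule:
    """Toy TPM: a single PCR plus an attestation key that never leaves the module."""
    def __init__(self) -> None:
        self._key = os.urandom(32)
        self.pcr = hashlib.sha256(b"").digest()  # reset at power-on

    def extend(self, measurement: bytes) -> None:
        # PCRs can only be extended, never set: pcr' = H(pcr || H(measurement))
        digest = hashlib.sha256(measurement).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def quote(self, report: bytes) -> dict:
        # Bind the report to the PCR value that was current when it was made.
        tag = hmac.new(self._key, self.pcr + report, hashlib.sha256).digest()
        return {"pcr": self.pcr, "report": report, "tag": tag}

    def verification_key(self) -> bytes:
        return self._key  # stands in for the public half of the attestation key


def expected_pcr(app_code: bytes) -> bytes:
    """The insurer computes this from the published app, with no device involved."""
    reference = AttestationModule()
    reference.extend(app_code)
    return reference.pcr


def boot_and_report(module: AttestationModule, app_code: bytes, report: bytes) -> dict:
    """Boot path: measure whatever app is about to run, run it, then quote its report."""
    module.extend(app_code)  # an alternative environment still boots; it just measures differently
    return module.quote(report)


def insurer_accepts(key: bytes, known_good_pcr: bytes, q: dict) -> bool:
    """Accept only a report that is both unmodified and made by the published app."""
    expected_tag = hmac.new(key, q["pcr"] + q["report"], hashlib.sha256).digest()
    signature_ok = hmac.compare_digest(expected_tag, q["tag"])
    app_ok = hmac.compare_digest(q["pcr"], known_good_pcr)
    return signature_ok and app_ok
```

A device booted into a modified or alternative environment still runs; its reports are simply not accepted by the insurer, which is the owner's choice the post describes.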

"We've dispensed with generalisations and said to our customers, if you believe you're a good driver, we'll believe you and we'll even give you the benefit up front," said Nigel Lombard of Fair Pay Insurance.

"If you think of your insurance as your car's MPG - the better you drive, the longer your fuel will last.


Anti-malware hardware has the potential to make it illegal and impossible to choose to run Linux

It's been years since the idea of "trusted computing" was first mooted -- a hardware layer for PCs that can verify that your OS matches the version the vendor created. At the time, TC advocates proposed that this would be most useful for thwarting malicious software, like rootkits, that compromise user privacy and security.

But from the start, civil liberties people have worried that there was a danger that TC could be used to lock hardware to specific vendors' operating systems, and prevent you from, for example, tossing out Windows and installing GNU/Linux on your PC.

The latest iteration of Trusted Computing is called "UEFI," and boards are starting to ship with UEFI hardware that can prevent the machine from loading altered operating systems. This would be a great boon to users -- if the PC vendors supplied the keys necessary to unlock the UEFI module and load your own OS. That way, UEFI could verify the integrity of any OS you chose to run.

But PC vendors -- either out of laziness or some more sinister motive -- may choose not to release those keys, and as a result, PC hardware could enter the market that is technically capable of running GNU/Linux, but which will not allow you to run any OS other than Windows.

What's more, UEFI may fall into the category of "effective access control for a copyrighted work," which means that breaking it would be illegal under the DMCA -- in other words, it could be illegal to choose to run any OS other than the one that the hardware vendor supplied.