Latest news

best drug lawyer laredo

What are the privacy
problems with the
security systems west palm beach

What about the benefits
for Internet security?

What about using the PSN to prevent chip theft and overclocking?

cbd

tattoo removal in nyc

What about other software fixes?

What are other chip
companies doing?

micro surgical instruments

Why a boycott?

robo call service

Who is behind the
boycott?

How can individuals
and groups participate in the boycott?

700r4 transmission

Questions?

Editorials

photo contest

 

 

 

 

 

 

Latest News (April 28, 2000)

Intel to Drop PSN in New Chips! Intel has decided not to include the PSN in its forthcoming 1.5 GHz Willamette chip. Wired quotes an anonymous Intel engineer as saying "The gains that it could give us for the proposed line of security features were not sufficient to overcome the bad rep it would give us."



Older News

Chinese Government Restricts Sale of Pentium III because of Security Concerns. Chinese government officials have restricted the sale and distribution of Pentium III microprocessors out of concern for national security. The Chinese government has ordered domestic manufacturers to turn off the PSN, and has ordered government agencies not to connect Pentium IIIs to the Internet.

Zero-Knowledge Systems Finds Another Hole in Intel PSN Patch. After Intel asked Symantec to create software that dealt with the ZKS hack, ZKS claims that the PSN can still be exposed without resetting the computer.

Some of Intel's Pentium II and Celeron processors have Processor Serial Number switched on. Intel admitted March 10 that some Pentium II chips contain the Pentium Serial Number, not just Pentium IIIs as previously announced. Certain mobile Pentium IIs with on-board cache are also badged under Intel's Celeron label.

Zero-Knowledge Systems Finds Intel Fix Lacking. Even after Intel declared that it fixed the security hole pointed out by C'T magazine, ZKS proved that the PSN can still be accessed remotely without a user's knowledge. Intel admits that there is no way to make the PSN secure, but has said that the possibility of unauthorized accessing the PSN is only theoretical. ZKS's program shows that possibility is more than theoretical.

Privacy Groups Call on PC Manufacturers to Suspend Shipment of Pentium III Systems. Following the C'T Magazine PIII hack, privacy groups wrote to PC manufacturers asking them "to order an immediate suspension of all your company's products that contain the Intel Pentium III. We believe that OEMs have a duty to properly inform their customers about the privacy risks of a PC containing a PSN. Shipping the Pentium with an assurance that the end user can control the functionality of the PSN would seem premature in light of recent reports to the contrary, such as the article published by the German computer magazine C'T on February 22. We believe that such a claim made under current circumstances could constitute a material misrepresentation of the sort prohibited by federal consumer protection laws and regulations."

PIII Security Cracked. C'T Magazine is reporting that their technical experts were able to bypass the Pentium III security mechanism and turn on the PSN without needing to reboot after it was turned off with the Intel control program. This would undermine the Intel privacy patch and make it possible to secretly obtain users PSNs.

Groups Ask FTC to Investigate. Privacy and consumer groups have asked the Federal Trade Commission to investigate the Pentium III and Intel's claims that it had resolved the privacy problems with the software program it is now offering.

Groups Ask Manufacturers for Plans on Pentium III. Privacy and consumer groups have written to all the major PC manufacturers asking for the plans on putting the Pentium III in their machines.


Take Action!  

  • Print out the "No Way Out" flyer (PDF version) and put it where people will see it.
  • Put a line like this one in the signature block of your emails and Usenet postings

    • Protect privacy, boycott Intel: http://www.bigbrotherinside.org
  • Write PC makers saying you're not buying a PC with Big Brother Inside [Draft letters for Compaq, Dell, Gateway, HP, and IBM].
  • Put copies of the banner ad above and graphics from the flyer on your web site
  • Learn why software copyright protection mechanisms that will demand the PSN mean that you will be forced to have the number turned on whether you like it or not


Previous News

EPIC Asks US Government Agencies For Information on Their Role in PSN. The Electronic Privacy Information Center has submitted Freedom of Information Act requests to 15 federal agencies including the National Security Agency and the FBI asking for information on their role in the creation of the PSN.

Intel Begins Announcements, Consumers ask FTC to Investigate. As Intel begins its $300 million advertising campaign to promote the PIII chip, consumer groups have drafted a letter to the Federal Trade Commission asking the FTC to investigate Intel and the PSN.

38 Percent of CIOs Oppose Intel PSN. A poll conducted by IDG's CIO magazine found that 38 percent of Chief Information Officers side with privacy advocates on the problems of the Intel PSN. 12 percent support the boycott.

  


What are the privacy problems with the proposal?

Intel announced on January 20 that it was planning to include a unique Processor Serial Number (PSN) in every one of its new Pentium III chips. According to Intel, the PSN will be used to identify users in electronic commerce and other net-based applications.

We believe that providing a unique PSN which can be read remotely by web sites and other programs in mass-market computers would significantly damage consumer privacy. This number is designed to be used to link users' activities on the Internet for marketing and other purposes.

According to Intel VP Patrick Gelsinger, the PSN will be used to identify users who access Internet web sites or chat rooms. He told the RSA conference, "unless you're able to deliver the processor serial number, you're not able to enter that protected chat room." According to Intel, the technology will also be used for authentication in e-commerce, which will attach the PSN to a person's real-world identity.

The PSN would likely be collected by many sites, indexed and accumulated in databases. Unlike cookies, which are usually different for each web site, the PSN will remain the same and cannot be deleted or easily changed. The advertising and marketing industries have been strongly advancing technical means of synchronizing cookies so that information about individual consumer behavior in cyberspace can be shared between companies. We believe that a hardware PSN used in the majority of computers would quickly be put to this purpose. The records of many different companies could be merged without the user's knowledge or consent to provide an intrusive profile of activity on the computer. The only solution would be to change the processor or computer. Because the US has few legal protections for online privacy, there are no practical limits on what can be collected or used. According to the San Jose Mercury News, Intel will rely on "the high-tech industry policing itself, upholding a voluntary code that restricts the amount of information computer companies, Internet service providers, Web sites and telecommunications companies can collect, and how they use it" to protect privacy.

With PSNs, any software running on a person's PC can obtain the PSN, and if the application is Internet-enabled, can transmit it anywhere. The user may be unaware this has happened. Given the widespread practice of downloading shareware, and the lack of legal protection over personal data and the economic incentives to collect and sell it, widespread abuse seems more than likely. Gelsinger also told the RSA conference that over 30 companies had already committed to Intel that they were planning to use the PSN.

We conclude that it is contrary to the public interest in privacy for chips with a PSN to proliferate widely into the consumer computer market. Given Intel's dominance of the processor market, this would happen within a few months unless sufficient pressure were applied to Intel to disable the feature in the Pentium III. Intel stated that it plans to start shipping the chips within a matter of weeks, so it was essential to begin a campaign as early as possible after assessing the risk based on Intel's own statements.


What About the Benefits to Internet Security?

According to Internet security experts, the PSN will not provide real security because it is poorly designed. Hackers will be able to forge PSNs, thus undercutting potential authentication uses. Noted cryptographer Bruce Schneier, author of Applied Cryptography, recently wrote in his ZDNet column:

The software that queries the processor is not trusted. If a remote Web site queries a processor ID, it has no way of knowing whether the number it gets back is a real ID or a forged ID. Likewise, if a piece of software queries its processor's ID, it has no way of knowing whether the number it gets back is the real ID or whether a patch in the operating system trapped the call and responded with a fake ID. Because Intel didn't bother creating a secure way to query the ID, it will be easy to break the security.

Comments from other security experts:

From Kim Schmitz, CEO, Data Protect GmbH [source]


Conclusion: It looks like Intel's latest innovation is little more than a marketing gimmick. The only real-world value that it might possibly have is a hardware-based, OS-independent way of creating profiles of and tracking unsuspecting users.

From Tom Pabst, Hardware Guru [source]


If we want to avoid that hackers abuse our information, then we should not jump on Intel's new bandwagon, we should give them a strong signal of disparagement instead.
 

From Austin Hill, President, Zero-Knowledge Systems [Red Herring]

I hear claims that it will wipe out computer theft. But if someone turns that identifier off because they want privacy, are all of our customers going to be assumed to be criminals?

 

What about using using the PSN to prevent chip theft and overclocking?

Chip theft is an important issue and thefts cost the industry and Intel millions of dollars each year. However, Intel states that the PSN is not designed to be used for either preventing chip theft or limiting overclocking.



Why is a PSN such a big problem, since there are other identifiers?

The Intel PSN is a unique identifier that will be placed in nearly every consumer's computer. Intel currently dominates the microprocessor market with over 75 percent of the market. Intel has stated that it plans for the PSN to be widely adopted for electronic commerce and authentication purposes on the Internet. Because of the possible wide adoption and Intel's plans for broad uses for the PSN, it raises privacy concerns may not arise with other identifiers.

Some expensive business computers, such as workstations sold by Sun Microsystems, do include a form of a PSN but they are not widely used by consumers. This small market share has prevented the adoption of their PSN as an identifier, except for limited software registration.

Internet Protocol (IP) addresses are not as permanent as the PSN. When users of the Internet visit a web page, their IP address may be revealed to the web page machine. Many users do not have a permanent (static) IP address that can be used to trace their movements. Users of America Online and many corporate networks use proxy servers which mask the identity of the users. Most Internet Service Providers (ISPs) provide a different IP number for each user session. Users can also change their IP addresses by asking their system administrators or changing ISPs. In addition, there are web-based services such as The Anonymizer that prevent the disclosure of their IP address.

Ethernet IDs are not widely available and are not intended for identification. Ethernet identities are used for routing computers connected to networks via Ethernet and are not collected or used for identification purposes. Currently, most users connect to the Internet via modems and serial ports so Ethernet IDs are not used or disclosed. Many computers simply do not include Ethernet cards. For those that do, users can also buy inexpensive new Ethernet cards without changing the processor or buying a new computer.

Other identifiers are not widespread. Other identifiers available include other hardware items, and software registration codes. But none of the hardware items are likely to be available on a majority of consumers' computers, and browser manufacturers are unlikely to transmit license numbers with every web page request, so these are not likely candidates to become the "social security number'' of a PC. The PSN was designed to be widely used as an identifier.




Why is the Intel announcement on disabling the PSN not sufficient?

Intel announced on January 25 that they were planning to release a software program that would turn the PSN function "off". This program will run automatically each time a computer is booted and turn the PSN off for that session. However, the PSN function will remain in the Pentium III chip and will be available if the program is disabled for any reason. Some of the problems are as follows:

  • This program does not exist yet. According to the Washington Post, the program will not become available until months after the first PIII-enabled machines are shipped and even then will only work for Windows users. Users will be required to access the Intel web page to obtain a copy of the program and install it themselves.

  • This approach relies on other companies to install the program for Intel. When the program does become available, Intel will have to ask every computer manufacturer and other computer companies, including Microsoft, to adopt this into their systems. Some of these companies, such as Microsoft, which have an interest in using the PSN for software verification, may refuse to install the program.

  • Users will be required to provide the PSN. It is likely that users will be required to disable the PSN privacy protections by many software programs and web sites as a condition for access. According to Intel VP Patrick Gelsinger, many software developers are already planning to use the PSN and would be likely to require that the patch be removed: "We're very happy and actually rather surprised by the amount of enthusiasm we've gotten from application developers for the processor serial number capability. We have some 30-plus applications today that have committed to take advantage of this. And that number is rising very rapidly." For web-based applications, many web sites already prohibit access if the user will not accept cookies. If the PSN becomes an industry standard, users will be required to provide their PSN as a condition for access. Gelsinger has already suggested that it be used for chat rooms "where unless you're able to deliver the processor serial number, you're not able to enter that protected chat room."

  • The software program can be tampered with or disabled. Because the privacy protection scheme relies on a software patch that must run each and every time that a user turns on the computer, it is susceptible to tampering by other software programs. Programs such as word processors or web browsers which must be installed onto systems could easily disable the patch in the installation process. Web-based Java applets could also be used for this purpose. A hardware solution is the only permanent option to this problem.


What about other software fixes?

Several companies such as Rainbow Technologies (the manufacturers of the origional Clipper Chip) have suggested that there are no privacy problems with the PSN because a software program can be written that would scramble the PSN, creating a unique ID for each web site visited. However, these approaches have the same problem as the proposed Intel patch (see above) because the PSN will still be physically located in hardware and can still be accessed by other programs. Additionally, the access software is not protected, and can be surreptitiously modified.


What are other chip companies doing?

Other major companies such as National Semiconductor and Advanced Micro Devices have called the plan "inflexible" and said that they do not plan to put serial numbers in their chips.


What is the Government Doing?

Privacy advocates met with staff members of the Federal Trade Commission on January 28, 1999 to discuss the privacy problems of the PSN. We are currently working on a formal request to the FTC asking them to investigate. We are also discussing the problem with state Attorney General's offices.

Vice President Gore was asked about the Intel controversy spoke to the San Jose Mercury News on January 25, 1999. He said:

We need to do more to protect privacy. When you have individuals filling a prescription at the drugstore, and the information is immediately downloaded into a computer network, and then sold to the marketers of other medicines, that patient's privacy has been ravaged. And it's not fair and it's not right.

 

Congressman Edward Markey (D-Mass) wrote a letter to Intel CEO Craig Barrett on January 22 saying

In my opinion, Intel's new product improves technology for online commerce in a way that compromises personal privacy. I believe that technology should be able to improve authentication and security functions without simultaneously undermining personal privacy. I hope that Intel will seek to design its products to improve the security of electronic commerce transactions without putting consumer privacy at risk. I encourage you to examine the privacy implications of the Pentium III and ascertain whether further improvements can be made to better balance both commercial and privacy objectives.

 

Arizona State Legislator Steve May is proposing a new law that would ban the production of the Pentium III in Arizona.


Why a boycott?

Intel's proposal to put a unique ID code inside of every computer it sells will significantly reduce the level of privacy available to computer users around the world. The unique code will make possible far more extensive tracking and profiling of individual activity, without either the knowledge or consent of the user. Intel's proposal to allow users to turn off the code each time they start their computers is unreasonable and impractical.

We see no other plausible means of stopping the irreparable harm to Internet privacy that would be caused by Intel's inclusion of a PSN in its next major chip.

When will the boycott end?

We plan to announce the boycott is over after Intel announces that it will disable the feature in the Pentium III hardware and other chips that it plans to ship. This can be done several ways:

  • Intel can ship chips with no PSN at all.
  • Intel can ship chips with the PSN set to all zeros.


Who is organizing this boycott?

This boycott is being organized by the Electronic Privacy Information Center, JunkBusters and Privacy International.


How is the boycott organized?

We and other interested parties are working with organizations, individuals and the media to raise awareness of the risks of the feature, and why it is worth persuading Intel to disable it. More details will be posted as this work progresses.


Is this boycott directed only at Intel?

At the moment the boycott is directed toward Intel because Intel is the only company that has announced plans to release a chip for mass-market computers with a Processor Serial Number. If any other companies that sell mass market systems announce a similar plan, we will expand the boycott to include those companies.


How can individuals and organizations participate in the boycott?

There are many ways.

  • Do not buy Intel products until Intel removes this function from their hardware. Instead buy from AMD, National Semiconductor, Apple Computer or other manufacturers.

  • Tell Intel you're not buying until they remove the feature. You can email the founder Andy Grove at andy_grove@intel.com. Other ways to contact Intel are listed on their Web site. Their headquarters are located at 2200 Mission College Blvd. Santa Clara, California, 95052-8119. The main phone number is 408-765-8080, and the fax number is 408-765-9904.

  • Contact your political representative and tell them your concern. Congressman Markey has already written to Intel CEO Craig Barrett asking him to reconsider the move.

  • Talk to people who are in the communications chain with Intel. For example you could tell a salesperson in a computer store that you're interested in a PC without an Intel chip because you have heard that they are hurting privacy. Information technology staff who are responsible for buying decisions at institutions have especially strong leverage.


How can organizations also help the boycott?

Any organization (and even some individuals) can post statements detailing their own positions on the boycott, and tell us the URL. It might also help to submit it to search engines or include it in newsletters and communications you normally send to people. Copy this small logo and use it to link to this page.


What if my question isn't on this list?

Please send us your unanswered questions.

 

What are the editorials saying?

USA Today " Anti-privacy virus", January 29, 1999.

Consumers crave the convenience technology offers, but compromising their privacy without their knowledge is a practice few would accept. Somehow, that message never penetrates, despite the occasional public relations snafu. Until these technological wizards are made to pay for their indifference, privacy will play second fiddle to their profits.

 

San Jose Mercury News - Intel: Big Brother's keeper?, January 27, 1999.

The furor over Intel's new chip shows why the interests of privacy and security on the Internet must be treated as one, not pitted against each other. Otherwise, privacy will lose.

 

Pittsburgh Post-Gazette - Intel Inside - Too Inside, January 28, 1999.

The issue, which won't just melt away, is one of many confronting and perplexing policy-makers in the brave, new, high-tech world in which we have come to live. Unlike most other questions legislators deal with, past experience is little guide on these. Caution is advisable, as is erring on the side of respect for individual liberty

 

The Seattle Times - Intel's Snooper Chip, January 28, 1999.

There was something creepy about the chip, which, when enabled, sent out a unique electronic "fingerprint" over the Internet based on a serial number embedded in the chip."

 

Sacramento Bee - Cyberspace Fingerprints, January 27, 1999.

The rules of the road in cyberspace are still being sorted out. It's not surprising that controversies such as the Intel chip identification are arising. Users will need to be vigilant in making their wishes known as the technology matures.

 

San Jose Mercury News - Dan Gillmor, Pentium III Threatens Privacy, January 27, 1999.

Intel's action doesn't end the debate. The Federal Trade Commission, which has been looking into online consumer privacy, should sink its teeth into what looks like a juicy new issue. If the tech industry insists on building Big Brother into its products, people with regulatory power need to keep looking over the industry's shoulder.



News Reports