Pentium III: How bad is privacy threat?

(continued from previous page)

Even if the disabling utility is cracked, it would still be extremely difficult to do anything with the serial number, analysts maintain. For instance, if a hacker wanted to get into private accounts, they would likely need more information, they say.

Most Web sites, especially e-commerce sites, which use the Processor Serial Number, require other forms of identity verification, not only to reassure visitors, but also to protect their own interests, Glaskowsky said.

"Any Web site that is intelligent is going to ask you for some kind of password," he said. "It's inevitable that responsible online businesses will have a two-stage verification process. One of those might be the serial number."

Many hacks required
Pulling this off is no small feat either, technologically speaking. A hacker couldn't just issue the PSN to a distant server. The hashed number through which the distant server knows the user would have to be determined, which involves breaking into the distant server's database as well.

Then, even if that number could be determined, the additional layer of encryption would have to be hacked so that the hacker can send a confirming transactional number that the distant server will accept.

"It's extremely difficult to [use the serial number] to impersonate another person--not impossible, but difficult," Glaskowsky explained. "It's far more straightforward for a Web site operator to steal your serial number than for a hacker to trick them."

The pervasiveness of the encryption layer dents the other theory of danger: unscrupulous sharing. Although there may be a financial incentive for Web sites to sell or share this number with other sites, there is no way to connect the encrypted number to an individual user, according to George Alfs, an Intel spokesman.

"It can't be compared to other Web site serial numbers," he said. "If sites are using the tamper-resistant tools, the numbers won't match."

Assurances fall on deaf ears
Many users, though realistic about the risks of using the Internet, are not assuaged by analyst and Intel reassurances. Web sites "knowing who you are...is pretty much available through many sources, so don't sweat the small stuff," wrote reader Randy Dickson, who raised concerns about serial number thieves impersonating PC users in chat rooms and newsgroups.

"While I think Intel had their heart in the right place, they seriously misunderstood how this information could be misused...Some of us don't mind the fact that Big Brother may be watching, as long as he can't be misled," Dickson wrote.

Others, like Norman Thorsen, are more concerned about Web sites gathering yet more personal information about visitors, regardless of whether these sites then sell or share the data. "Given this opportunity, marketers and, quite possibly government agencies, will collect as much information as possible," Thorsen wrote. "No one asked the customer about collecting this information--Intel decided to provide it without prior notification. By definition, that is an invasion of privacy."

Dickson and other readers are concerned about Web sites that will only allow surfers to visit if the personal serial number is enabled.

"Web sites will develop content that requires the PSN, so that personal privacy must be compromised in order to use the Internet," one reader wrote. "Intel's technology is fundamentally un-American. It is equivalent to installing video cameras on every street corner."

Many companies include serial numbers with their products, including software and hard drive manufacturers but do not share or sell that type of customer information. This is not necessarily out of any noble respect for the privacy of its customers, but because it would be against their own strategic interests, said Greg Blatnik, vice president of Zona Research.

"That type of information tends to have more value to the company that provided the product," Blatnik said, adding that many companies use customer lists generated with the help of serial numbers to sell more products. "Companies guard that information fiercely."

Privacy advocates concede many of these points. What has them mostly worried is the future.

Future shock?
"What's the damage that could be done from a hacker grabbing your PSN? Not much right now," said Jason Catlett, president of Junkbusters, an advocacy group supporting a boycott of Intel until the company removes the serial number, in an email interview. "But if Intel's plans of turning the PSN into an e-commerce identifier pan out in the next few years, it will be used for theft of identity."

Catlett predicts it will be several years before the total privacy implications of the serial code are known. And by that time, he fears, such serial codes will likely have become a de facto standard in identity authentication.

"Every time you move forward with technology, this happens," Brookwood said. "Before they created credit cards, there was no credit card fraud."