Last modified: March 26, 1999 11:45 AM PST
Pentium III: How bad is privacy threat?
Technology experts say recent reports of software programs capable of "grabbing" PC users' Pentium III serial numbers without their knowledge or consent shouldn't alarm PC users. On the other hand, those on all sides of the debate agree that no one should be overly confident about the level of security these microprocessors can ensure.
Nathan Brookwood, an analyst at Insight 64, reflects that conflict. "I'm not a good person at anticipating all the evil things people can do. But in my view, the whole role of the PSN [processor serial number] has been somewhat overstated," he said.
Yet he was quick to add: "When you have a transaction and a user at one end of the network and a machine where the transaction is being handled at the other end, and a big network in between, there are lots of ways to compromise a machine or break into a site."
Even privacy advocates concede that it is technically difficult for a hacker to do much harm if armed only with a purloined processor serial number. But these groups are concerned that future technologies and uses of the Internet could allow grave abuse of this information in ways not envisioned today.
Regardless of the actual risk, the debate has become something of a battle royal between privacy advocates and corporate interests. The emotions arising from the issue seem to transcend the mundane machinations of digital technology, introducing Orwellian rhetoric often reserved for such constitutional powder kegs as gun control.
"Individuals should be able to control their identity and other forms of authentication," said Ari Schwartz, senior policy analyst for the Center for Democracy and Technology, which has filed a complaint with the Federal Trade Commission, requesting that Intel be precluded from manufacturing the Pentium III with the serial code.
Intel's recently released Pentium III processor contains a 96-bit serial number hardwired into the chip. The number was designed to add another layer of protection for e-commerce transactions and to aid organizations in tracking assets.
Independent chip analysts say the framework in which the serial number will be exchanged makes it difficult for any third party to use a nabbed number nefariously. These experts acknowledge that hackers or marketers will be able to steal it--but a number is likely all they will get, they say, not the key to your life.
"All they have at that point is a serial number, and that doesn't really help a lot," said Peter Glaskowsky, an analyst at MicroDesign Resources. To take advantage of someone, he added, "you need a combination of an unethical Web site developer and a stupid Web site developer."
At the same time, Glaskowsky said, the serial number offers little in the way of added security. And companies looking for better ways to manage technology across large networks are not sold on the Pentium III either.
"Asset management now is not done easily--it's either done physically or through personnel," said Pete Jackson, president of Intraware, a systems integration firm. "It's a major problem throughout the enterprise, but I don't think a lot of people are going to switch to the Pentium III to solve the problem."
Security concerns have dogged the high-tech industry relentlessly, particularly with the wild proliferation of Internet use. On the software side, Microsoft has faced its own share of privacy issues, acknowledging earlier this month that Windows 98 collects information on users' PCs through the operating system's registration process and that documents created with Office 97 applications include information related to document authors. Microsoft halted the practice and issued patches for the security holes.
Against this backdrop, it comes as no surprise that the Pentium III serial number has enjoyed a short but tortured life. Intel revealed the serial number system in February, stating that the number was a third form of identification.
In Intel's view, those who want to gain access to number-protected sites will provide their user names and passwords, as well as let distant Web servers send down an applet to confirm the processor serial numbers, said Pat Gelsinger, corporate vice president at Intel.
Although the serial number never changes, the confirming applet "hashes" it so that sites only get a placebo of the real number--and no two Web sites get the same placebo.
In other words, if your processor serial number is X, one Web site will know you as Y, while another might know you as Z. Another layer of encryption disguises Y or Z for the confirming transaction. During the exchange, processor numbers are further disguised to minimize the possibility that the true serial number will be intercepted.
Therein lies the problem for privacy advocates, who note that this encryption technology is an option for Web sites but that there is no guarantee that all of them will use it. "We're not confident about [widespread encryption], no," Schwartz said, understatedly.
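The per-site disguise described above, and the gap privacy advocates point to, can be shown in a few lines. This is an added example, not code from the article or from Intel: HMAC-SHA-256 stands in for the applet's unnamed hash, and the site names, account names and 96-bit serials are constructed for illustration.

```python
import hashlib
import hmac

# Constructed 96-bit (12-byte) sample serials, not real processor serial numbers.
PSN_A = bytes.fromhex("0123456789abcdef00112233")
PSN_B = bytes.fromhex("fedcba987654321099887766")


def site_pseudonym(psn, site_id):
    """Derive the per-site value ("Y" or "Z") from the fixed serial ("X").

    Assumption: HMAC-SHA-256 keyed with the serial stands in for the
    applet's hash, which the article does not name.
    """
    if len(psn) != 12:
        raise ValueError("serial must be 96 bits (12 bytes)")
    return hmac.new(psn, site_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_db(site_id, accounts, hashed):
    """Return {stored machine identifier: account name} for one site.

    hashed=True  -> the site keeps only its own per-site pseudonym.
    hashed=False -> the site skips the hashing step and keeps the raw serial.
    """
    db = {}
    for name, psn in accounts.items():
        key = site_pseudonym(psn, site_id) if hashed else psn.hex()
        db[key] = name
    return db


def shared_users(db_a, db_b):
    """Join two sites' tables on the stored identifier (cross-site linking)."""
    return sorted((db_a[k], db_b[k]) for k in db_a.keys() & db_b.keys())


def demo():
    """Compare what two sites can correlate with and without hashing."""
    shop = {"alice@shop": PSN_A, "bob@shop": PSN_B}
    bank = {"a.smith@bank": PSN_A}  # same machine as alice@shop
    with_hash = shared_users(build_db("shop.example", shop, True),
                             build_db("bank.example", bank, True))
    without_hash = shared_users(build_db("shop.example", shop, False),
                                build_db("bank.example", bank, False))
    return with_hash, without_hash


if __name__ == "__main__":
    print(demo())
```

With hashing on both sides the join comes back empty; once both sites store the raw serial, the same machine's two accounts line up immediately.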
Turning it back "on"
The plan was to have computer makers leave the serial number "on," or accessible and open to confirming software agents. After privacy groups protested, Intel changed the software utility so that the PSN would be disabled by default shortly after a PC boots up.
Even before the chip was available in computers, a German technology magazine claimed that it had developed a method of circumventing the Intel-developed software utility. A Canadian software firm, Zero-Knowledge Systems, then followed with an ActiveX control that tricks a user into restarting their system and then grabs the serial number before the software utility is activated.
But while these groups may have succeeded if their intent was to embarrass the world's largest chipmaker, analysts say that a stolen serial code does not present much of an actual threat to a typical Pentium III user.