San Francisco (CA) – In a public session of a mobile communications industry trade show, a group of leading engineers led by representatives of Nokia and VeriSign announced an initiative to produce standards for digital rights management and secure platform for mobile devices, such as cell phones.
The new initiative will build on the work of the Trusted Computing Group (TCG), to create a specification for a mobile version of its Trusted Platform Module (TPM) for publication in the first half of 2006. Implementations of the TPM chip in brand-name PC hardware is expected to be rolled out that same year. TPM technology essentially provides cryptography functions in hardware, which can be used for both system and user authentication, as well as to store licensing keys and other information for installed software. Besides aiding in the protection of systems against unauthorized use, one of TPM’s stated goals is to ensure that applications are only used for their intended purposes.
One corollary of this principle is that documents stored in specific formats may not be interpreted by applications other than those which originated them. Although Microsoft was the principal architect, and the current patent holder, for technologies currently managed by the TCG, many of that company’s current software strategies – most prominently, its embrace of XML throughout Office 12 and Windows Vista – appear to contradict the notion that it would secure its applications’ formats through hardware-based encryption. But for mobile platforms, the idea that some content being exchanged over a public communications system may be secured through unbreakable, hardware-based crypto keys, has begun to raise some red flags.
In material presented at the CTIA Wireless I.T. and Entertainment conference, and presented by the TCG to Tom’s Hardware Guide, representatives of TCG’s Mobile Phone Work Group introduced a concept called SIMLock/Device Personalization, which is described as a way to use TCG’s application security features to “ensure that a mobile device remains locked to a particular network until it is unlocked in an authorized manner.”
Today, cell phone customers worldwide are accustomed to using phones that are exclusively locked to particular service providers, so the concept sounds like nothing new on the surface. The technology to which the name refers, Subscriber Information Module (SIM), is a small card which, naturally, became popular first in Europe, before moving to Asia and then, finally, North America. It enables a user to store personal information, including her address book but also her service provider information, on a small card that slips into a supporting cell phone, generally beneath the battery case. The purpose of this technology was originally to encode the cell phone user’s service data on a portable card that can be transferred between phones. SIMLock technology, however, would place limits on how such a device is used. According to the MPWG’s presentation, “Subsidizing entities need to be assured that end users cannot move their device to another network provider or service provider without authorization.”
In a statement released last Thursday, Seth Schoen, staff technologist with the Electronic Frontier Foundation, said that the MPWG’s proposals, including specifically SIMLock, “aim to help your cell phone company decide who can publish software or media for your phone, whether you can load your own documents, and even whether you can switch carriers or resell your phone. These are not innovations that consumers will applaud.”
The statement goes on to say that TCG’s security initiatives aren’t necessarily aimed at the end user, adding, “The cell phone industry hasn’t yet realized that cell phones are little computers, and that users expect the same amount of choice about how to use their phones as they enjoy with their PCs and PDAs.”
However, glancing at the initial technical specifications for TCG’s newest set of mobile proposals, one might get the opposite impression. Mobile devices are described therein as platforms with operating systems and boot devices. The actual problem facing the TCG currently, it seems, is that their understanding of both usage models and technology implementations is so rooted in the PC that they’re having a difficult time finding a form factor in which to launch this very specific mobile platform. Many mobile devices are single-chip entities, using embedded architectures; meanwhile, TPM is generally a chip that might not find its way into a mobile device, simply because there’s no room. For a TPM implementation to be possible on such a small scale, ironically, it would find itself asking to be trusted by cellular system architects.
Tacitly acknowledging their predicament, a TCG document includes this statement: “Trusted platforms are sometimes based on Trusted Platform Modules (TPM), a security chip specified by TCG which functions as the basis of trust within a device. However, due to the small size of mobile devices, TPM technology needs to be adapted for use in hand-held products. TCG’s mobile specification will build on TPM security and the TCG trust model, and is subject to the TCG security specification requirements.”
So while the EFF begins extending its public battle against the TCG on the grounds that it doesn’t understand the role of communications devices as little PCs, the TCG begins the first stage of its own battle for recognition amid a field of communications interests that may perceive it as too PC-oriented to apply to phones. Meanwhile, the very real possibility looms that, in the not-too-distant future, certain kinds of content and services necessary to achieve communication between parties, may require direct authorization from not only service providers, but also content providers. The same issues that face us with regard to the future of digital video discs, will face us in our everyday communications as well.