Slashdot Mirror


Should We Be Afraid of TPM Chips?

AcidArrow asks: "I was looking to buy a new laptop and since I wanted to be on the bleeding edge, I thought one with the new Core Duo chips would be just what I need. Among the features on the laptops I was looking at was 'Trusted Platform Module chip for the safety of your data'. Now, I don't know of any real uses for a TPM chip yet, but is this something that should worry me, or keep me from buying a laptop with said 'feature'? I don't intend to use it and I would like to disable it, if possible, but I don't want to make it easier for anyone to track down what I'm doing on my laptop."

3 of 112 comments

  1. Be afraid only if you can't use it .. by torpor · · Score: 5, Insightful

    .. yourself, personally, for your own uses. If the TPM 'feature' is only something that a mfr, or software vendor, can exploit to protect data, then it's something that you definitely don't want to use.

    But if there were uses for TPM which directly translated into a user feature - like being able to save .DOC files to your USB stick, encrypted to your own TPM serial, for example - then I would say yeah, it's something that can be used.

    But frankly, TPM isn't there for you. It's there for software vendors and 'media suppliers' to use in branding content to your machine. Whether that's good or not, is entirely up to whether or not the end user wants less control over where the data can travel .. so far, the only use for it appears to be in keeping MP3 and other Media files, which you did not author, local to your own machine.

    I'd be interested to hear cases where TPM-stamps can be used to actually protect user-authored data, though. Would be handy for studio-type people .. like, if I could get my Cubase/Protools session files stamped specifically to my machine, and they can't be used anywhere else, under certain circumstances that could be very handy ..

    But that sort of protection is just as easily provided by tools like GPG and such, and still would depend on the software vendor exploiting that feature, so .. yeah .. it just goes round and round.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  2. Nothing to fear by dotslash · · Score: 5, Informative

    Firstly, you can disable the chip from BIOS or driver software.

    Secondly there are some good uses for it: I use it to store web site passwords, keys and certificates. On my laptop (Thinkpad T43) it is connected to the fingerprint scanner so I can enforce two-factor auth. (finger swipe AND passphrase). I also store the keys for encrypted disk volumes in the TPM (also part of the software IBM/Lenovo offers for the TPM).

    No software can access the TPM without my consent, because it requires finger and password.

  3. Just about every new laptop by linguae · · Score: 5, Informative

    ...seems to have a TPM chip. Thinkpads, MacBook Pros, some Gateway machines, just about every major new laptop manufacturer that I know of has already installed TPM chips in their laptops.

    The important thing to remember, though, is that a TPM chip means nothing if you don't use an OS or software that utilizes the chip for nefarious purposes. If you stick to Windows XP, current versions of OS X (they only use the TPM chip to see if it is a genuine Macintosh), or a free OS (like Linux or BSD), then they won't utilize the TPM chip to restrict your moves. However, you might want to check out any upgrades to the proprietary OSes or proprietary software before you upgrade. You might also want to avoid DRM'd media as well and find alternatives before it is too late.

    Now, if you really don't want a TPM chip in your machine, just buy the last model of the machine that you want that doesn't have a TPM chip. Apple, for example, still sells their G4 line of PowerBooks and iBooks. You'll have to weigh the advantages/disadvantages; do you want to sacrifice performance over a trusted computing chip that has little control depending on your software choices?