Possible EU Embargo on Pentium III
A reader writes "The brand new and yet unreleased STOA report (European Union Technical Committee) recommends an inquiry of the possible roles of the NSA and the FBI in the creation of Pentium III serial number. Possible consequences could be a European Union-wide embargo against Pentium III-powered equipment. Read the scoop here. The article is in German, use our beloved BabelFish." Just a note: this potential embargo is not in place - it's just a possibility. But given recent Echelon fears, this is interesting news.
If there's to be an embargo on the Pentium III, it should not cover systems preloaded with operating systems which disable the serial number on start up, and make it difficult for new software installations to arrange for it to be re-enabled on boot.
Now, that's not Windows, but another operating system close to all our hearts...
(Seriously, this is of course a silly suggestion. I'd sooner see a lot more attention paid to big databases than this sort of nonsense.)
--
Xenu loves you!
The serial number in processors is presented to us in several different ways. Intel promotes it as a more secure way to do e-business. Privacy advocates label it as a tool for the devil.
The truth is that your computer is filled with unique numbers on hardware (HDD, BIOS, MAC-address on your network card, some graphics cards), all of which are much easier to check (they cannot be disabled), and much easier to use for privacy invasion or to secure e-business.
I think it's sad to hear that high officials now want to use the fear for another serial in hardware as an excuse to boycott a company, their decisions based on pure FUD. Which is what it is.
----------------------------------------------
the pun is mightier than the sword
[European countries pay] lip service to free trade, but are unwilling to let their people make decisions for themselves?
This is not a matter of free trade. If a device has privacy-fouling features which were inserted by the intelligence organizations of a foreign government, you probably don't want your country standardizing on its use no matter how popular it might be. This is truly a matter of national security. I don't know anything about the Intel/NSA/FBI connection, but if there were one, I would applaud the EU taking these steps. It's sort of scary just how hard our (US) government works to quash any shred of patriotism that we citizens might have once felt.
I don't mind being considered an intelligent consumer. I do mind you claiming that any of the people I've done consulting for in the last two years can think for themselves when it comes to processor choices. You do realize, of course, that most of them don't even know what a Pentium is ... as opposed to just being some chip thingy in a computer thingy that does Word faster, right? Anyway, I think maybe it's a good idea for a government who feels that another is being bad to inform its consumers this way. You can't buy house paint with lead in it. Why not? Why not let consumers decide if they want lead in their paint? Why not let the market decide if mercury in your water is bad for you or not? Why not let people decide if they want to buy irradiated food or apples washed with deadly chemicals? Because consumers want experts to protect them against potentially dangerous practices of unscrupulous persons and corporations who are capable of anything given their mass wealth. Consider the US constitution; why does it allow for personal use of firearms? Specifically, there is provision for a rogue government and the need to protect one's self ... but there is encouragement to have militias so that this can be done by those trained to do so properly. If it comes down to it, I won't buy Pentiums with serial numbers, but I'd rather have my government (Canada) decide that the NSA or CIA involvement is a bad thing and protect consumers from those issues. I don't personally feel that processor serial numbers are anywhere near as serious as mercury in water -- the point is that a generalistic statement like yours needs to be considered in context!
- Michael T. Babcock <homepage>
- Michael T. Babcock (Yes, I blog)
The P3 serial number clearly violates European Law on privacy. Never mind the "free trade" argument someone else gave, if someone breaks the law, they don't deserve absolute freedom of trade.
Also, the P3 serial number disabling software doesn't always work, from what I've heard. And who's to say that Intel don't have some kind of "back door", which would let the NSA or FBI get the serial number anyway? Back doors are easy!
No, this calls for a total ban, though the British will probably take it to the European Courts to try and get any ban overturned. (After all, the British are involved in the SIGINT project, and any loss of intelligence, which could be profitable to them, would not be good.)
The Germans, though, are a force to be reckoned with. They have the most influential bank, one of the strongest economies, and most of the top industries, without which Europe would not survive. And most of those will be people all too happy to deprive US competitors of vital intelligence, such as contracts under negotiation, trade secrets, confidential reports, etc.
I think it's great if Europe can collectively stand up and tell Intel where to stick the P3, and the US intelligence community what it can do with its unlawful spy network.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
With your Orwellian sig, I'd think you'd be more worried...
Say you plug said computer in, and sign up to an ISP. You probably need to pay via credit card, so there goes your complete anonymity. Then, though you'd have a different IP address every time you dial in, if there were a function enabled in your browser to send the serial number back up stream, websites could collect a LOT of information on you, because they'd all have the SN as a key to link it all back together.
It's not like you need so much to worry about Slashdot or anything. But companies like, my personal favorite, DoubleClick.net, whose ads appear across slews of websites, could learn for instance, what sites you like, what articles you read, when you sign on, when you sign off, etc...
Problem is, laws aren't in place that prevent the sharing of this information. Some information is protected, but other information isn't. And if one company abuses its newfound power, well then... I don't know about you, but I'd rather not have my complete psychological profile stored in many computers across the internet.
Puhleeze.. no one has ever proved that. There are a hell of a lot better ways than putting a CPU ID on a chip to track someone down.
Does this mean that the EU will be considering an embargo on Sun workstations as well, since they contain a similar feature? How about Ethernet cards? IPv6?
DrLunch.com The site that tells you what's for lunch!
There are serious differences in how Americans view privacy versus how Europeans view it.
For example, the credit rating agencies that collect financial information in the US on individuals are absolutely illegal in Belgium.
Except for a well-regulated database maintained by the National Bank on individuals who are behind more than 3 consecutive instalments on a personal loan, there is not one single publicly available, or against payment, financial database on individuals, because that's against the law.
It's also against the law to share or sell databases with information on individuals.
I don't understand how you can justify the buying and selling of information on private individuals, without their explicit consent. As far as I am concerned, I strongly believe that my private information is my personal property, and no one is allowed to trade in it, or disclose it otherwise, without asking me first for permission. I alone hold the copyright on my personal information, and I can assure you that I will prosecute any company that dares to disclose personal information on me to the maximum extent possible under the law, and I am sure that the amount in fines and punitive damages would drive this kind of company out of business right away.
If Intel manages to associate its serial number to my name, and then this serial number to any other personal information or transactions I do online, they will very soon have to say goodbye to doing business in Europe.
No such right exists under US law, although a right to privacy has been inferred on the basis of, for example, the fourth amendment. One consequence of this is that Americans take for granted a degree of corporate -- as opposed to governmental -- intrusion in their private affairs that would cause outrage in most of Europe. (And the European position is that at least the government is democratically accountable ...)
A lot of US companies act in a manner that would be flat-out illegal in other parts of the world, in much the same way that it would be illegal for a European company to try to do business in the US in a manner that, for example, was calculated to blow away the first amendment rights of their customers.
Over the past year, the EU member states have been trying to tighten up on the observation of the right to privacy, making it illegal to export personal data to countries with weaker protection (among other things). This would appear to be a rather dumb attempt to clamp down on what are seen as technologies of privacy invasion. (I say "rather dumb" because of course no equivalent attempt is being made to clamp down on sales of eeevil ethernet boards with embedded 48-bit ID's!)
While I think this action is misdirected, I happen (as a European) to think that privacy is valuable. In particular, there should be no invasion of privacy without accountability. Intel is just the latest company (remember RealNetworks, last week?) to get their fingers burned by dismissing privacy as an issue. It isn't a matter of personal preference; it's a fundamental right.
If the NSA/Intel connection does in fact exist, or there is sufficient circumstantial evidence to suggest that it does, then the European Union is only acting to protect their own (inter)national security and economic interests in banning the product. Their concern isn't necessarily that the numbers exist, but the reason they were put there. Remember, they have already had industrial secrets stolen from their companies and given to their US competitors by the NSA, costing them real money and real jobs. With no sign that the NSA is at all repentant about what they've done, but rather that to all appearances they are pushing forward with even more intrusive and draconian approaches to gathering information, their concern is entirely warranted and their reaction very reasonable, even (one might argue) quite muted.
Why would Intel serialize the CPU, with all these other "unique numbers on hardware" already present in every computer sold? Why on earth create yet another number for no (apparent) reason? The answer is obvious: serializing the CPU makes not just the computer, but the work that has ever been done on it, easily traceable in ways MMAC addresses and HD serial numbers cannot. A word document written five years in the past can, on a serialized PII/PIII, be traced to a particular computer. It was this misfeature that led to the identification and arrest of the author of Melissa Virus. While I'm glad he was arrested, I must confess I am much more concerned about my own loss of privacy than I am in offsetting the terrible threat the Melissa idiot ever posed to me.
An MMAC address, BIOS or HD serial number, is at most only traceable while the machine is on-line. They do not get embedded into the aforementioned word document the way the Intel CPU serialization did. This demonstrates that the "big brother" ramifications of CPU serialization are quite different (and apparently more significant) than those associated with unique MMAC or IP addresses, or BIOS serial numbers. And who is to say future generations of PIII hardware will even allow the OS to disable their serialization functions?
The Europeans are rightly concerned with respect to their privacy and attempts by our secret organizations to subvert it. They are also very lucky, in that, unlike us, they have governments which actively work to protect their rights and liberties.
The Future of Human Evolution: Autonomy
>>"You can't buy house paint with lead in it. Why not? Why not let consumers decide if they want lead in their paint?"
>Why not? I mean, who would buy it in the first place? Can you see the advertising campaign? Try our new foo paint, now with extra lead! Guaranteed to cause cancer or double your money back!
For the youngsters out there, lead was put in paint for any number of good reasons. Some colours are easier to achieve with it, and more importantly it results in a smoother finish on the coat of paint, with drips and brushstrokes less of a problem. I'm sure technology has moved on since lead was banned, but when it was first banned it represented something of a step back from the painter's point of view.
Of course it's a bit on the poisonous side, too.
-----
This is a matter of individual vs national consequences though.
Individually, if you are worried about your privacy and the implications of the P3, go buy an Athlon or install an OS you can be sure isn't fucking with you. But the European governments ARE mandated in worrying that while individual loss is minimal, there is a national risk about having a feature that caters to foreign intelligence running the IT of the country.
From that perspective there is ample reason for the governments to act accordingly and on a national level.
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Well, first off, if your encryption uses any built-in random number generator, toss it, it's crap.
Any good encryption program generates its own random numbers from a random input source. PGP did this (still does, AFAIK) by getting keystrokes from the user, and using timings between them to generate a randomized sequence.
If a program uses the clock as the seed, it's probably not using a second, BTW, but the tick timer. There's a lot of ticks in a second.
Still, it's not an infinite number, and a good way to crack any encryption is to attack the random number generator. If you know the seed, you can generate the same key, and decrypt the message.
I recall that back on the C64, whenever I needed a good random number (the built in one was crap), I turned on one of the sound channels, set it to generate a lot of static, turned the volume off, and grabbed a number from the static. Worked pretty well, and didn't need a seed value. Still not truly random, but good enough.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
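The seed-guessing point in the comment above, shown as an added example that is not part of the original thread: a key drawn from a general-purpose PRNG seeded with a tick count can be regenerated by anyone who can bound when it was created, while a key from the operating system's CSPRNG cannot. The 1000 ticks-per-second resolution, the function names and the sample tick value are assumptions made for illustration.

```python
import math
import random
import secrets

TICKS_PER_SECOND = 1000  # assumed timer resolution, for illustration only


def weak_key(seed_ticks: int, nbytes: int = 16) -> bytes:
    """Key from a general-purpose PRNG seeded with a tick count (the weak pattern)."""
    rng = random.Random(seed_ticks)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_key(nbytes: int = 16) -> bytes:
    """Key drawn from the operating system's CSPRNG (the corrected pattern)."""
    return secrets.token_bytes(nbytes)


def effective_bits(window_seconds: int, ticks_per_second: int = TICKS_PER_SECOND) -> float:
    """Entropy of a tick seed when the creation time is known to within a window."""
    return math.log2(window_seconds * ticks_per_second)


def seed_reproduces_key(key: bytes, start_ticks: int, window_ticks: int):
    """Audit check: return the tick value in the window that regenerates `key`, else None."""
    for ticks in range(start_ticks, start_ticks + window_ticks):
        if weak_key(ticks, len(key)) == key:
            return ticks
    return None


if __name__ == "__main__":
    created_at = 946_684_800_123  # constructed sample tick count
    window = 5 * TICKS_PER_SECOND
    key = weak_key(created_at)
    print(f"128-bit key, but only {effective_bits(5):.1f} bits of seed entropy in a 5 s window")
    print("tick-seeded key regenerated from seed:",
          seed_reproduces_key(key, created_at - 2000, window))
    print("CSPRNG key regenerated from the same window:",
          seed_reproduces_key(strong_key(), created_at - 2000, window))
```

The key length is irrelevant here: the security of the tick-seeded key is bounded by the size of the seed window, which is why key generation belongs on `secrets` or `os.urandom` rather than `random`.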
This is a clear symptom of technocracy & bureaucracy. Both America and Europe are changing from democracies into technocracies. The difference being that in the latter form you can still vote but it does not really matter what you vote. I'm very worried about this trend, since it will ultimately limit our freedom.
This decision (or attempt to do so) is late, Intel launched the PIII months ago, by the time the decision will be taken (if ever) Intel will be busy producing its next generation of CPUs.
It's also a technocratic decision since nobody (as far as I know) is asking for this decision. The EU people decided on its own (most likely with the help of some lobbying, AMD?) that it might be a good idea to do this.
BTW. I think the trend of both the EU and the US changing into technocracies is caused by free market. So I don't think it would be a good idea to just let the market decide.
The free market serves only one interest: making as much money as you can. Free speech, privacy and human right are not a free market concern. Early this century we had free market, the results were horrible: big companies stressing their employers to the limit. Then we got labour movements, socialism and communism. After communism collapsed, capitalism became a little more socialistic (at least where I live).
Pure communism and pure capitalism are both a bad thing since they both suffer from the same problem: people are greedy and will try to abuse the system to suit their own needs. In the case of communism this leads to a repressive regime. In the case of capitalism it also leads to a repressive regime (Taiwan, Singapore, South Korea).
"If people are really in a tizzy about this, they won't buy the chips"
One problem: most people lack the technical skills to make a well founded technical judgement of what this chip has to offer. Most users are not aware of the differences between a PII, a PII and a K7.
Personally I'm not so worried about this ID thing, there are other, easier ways to identify somebody. So, I think the EU is overreacting a little.
I think it is very well possible that the NSA made a deal about this ID with Intel. At least I can't think of a good technical reason to introduce it and I refuse to believe that those Intel guys are that clueless. So seen in this light, the European reaction is not so stupid.
Jilles
Good time to buy some AMD stock? I'm sure the folks over at AMD would love it if an embargo actually went into place...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Credit agencies perform a valuable function in the economy, in that, they serve as a clearing house of information. Before you are extended credit, the creditor must have some idea as to how LIKELY you are to pay. How would you propose they do this, magic? They do it based on the 5 C's of credit: Conditions, Capacity, Collateral, Capital, Character. Your credit HISTORY goes a long way towards illuminating many of these. Would you rather be judged on your ACTIONS, or on some artificial criterion (e.g., how you act, talk, dress, etc)? I don't know about you, but I'd rather have them judge me on WHAT I've done.
Though I concede that they make some mistakes, many which are harsh on the individual, it works on the aggregate. The mere fact that you and others have been burnt, does not mean you or creditors would be better off without it. Nor does it even necessarily mean that the system could be further optimized.
One thing you must remember, is that creditors are in the business of making money. This means that they want to lend as much money as they can, and get paid back at the highest rates possible. They worry about the aggregate. If there are enough individuals such as yourself, with only few minor "cosmetic" blemishes (if you are to be believed), the odds are high that someone will look past it, as you represent potential profits. Though I readily concede that the system occasionally hurts the individual, it works on the aggregate. Lacking mindreading devices, you should know that banning of credit reporting in its entirety would cause immeasurable damage on the aggregate.