Is the National Security Agency using Microsoft's Trusted Computing initiative to spy on PC users?
That's what an article posted Tuesday (Aug. 20) on the website of the respected German newspaper Die Zeit seemed to say. But closer analysis reveals some holes in the story.
"Federal government warns about Windows 8" is the translation of the article's headline. The story goes on to say that an internal advisory memo, published by a German government standards board, suggests that the NSA may soon have access to all PCs running the latest version of Windows.
For that reason, Die Zeit states, the German federal government considers Windows 8 an "unacceptable security risk."
However, neither the newspaper, nor the memo it purports to have, offer any proof that the NSA is, or will be, spying on Windows users.
Wo ist der Beef?
Instead, Die Zeit simply uses speculation to connect the dots between the Microsoft-led Trusted Computing initiative and NSA spying.
The piece says the NSA could be using Trusted Platform Modules (TPMs) — stand-alone encryption chips plugged into motherboards and built into many modern PCs — to spy on PC users. But it doesn't know for certain.
Why is Windows 8 a concern, but not Windows 7? Because Trusted Computing and the use of TPMs have been optional until now, and many PC makers don't include the chips.
But proposed new specifications for Trusted Computing would mandate the use of Trusted Platform Modules on every PC designed to run Windows. The idea is that the TPMs will control which executables run, greatly cutting down on malware and other security issues.
From a security perspective, that sounds great. Yet Die Zeit noted that the NSA has been quietly involved in the Trusted Computing initiative — and that the surveillance agency does not seem to have raised any objections to any part of it.
To some Germans with memories of intrusive surveillance by Nazi and socialist secret police, that might imply that the NSA is putting "backdoors" — secret entryways — into every TPM, and that in a few years all new machines running Windows could be controlled by the NSA.
Something to it
Would such a view be paranoid? Perhaps. But if Edward Snowden's leaks of NSA documents have taught us anything, it's that nearly everything that we thought the NSA could possibly be doing has turned out to be true.
The NSA's silent acceptance of Trusted Computing does suggest an agreement with Microsoft and the other companies — Intel, AMD, Cisco, IBM, Hewlett-Packard and others — may exist.
The surveillance agency's acquiescence stands in sharp contrast to the "crypto wars" of the 1990s, when the U.S. government tried to stop strong encryption from being used by the general public, and to the Justice Department's current request for new rules mandating law-enforcement backdoors in instant-messaging software and other forms of encrypted Internet communications.
Spying on computer users isn't what Trusted Computing was meant to enable when it began in the middle of the last decade. Instead, it was a Microsoft-led industry effort to build standardized verification hardware into PCs.
The Trusted Platform Modules serve as gatekeepers for software, letting "trusted" programs run and while denying untrusted ones.
Microsoft touts Trusted Computing as an essential security measure. Skeptics have seen it as a sneaky form of digital rights management that could bar pirated movies and music, not to mention pirated copies of Windows, from running.
Out of control
Other critics of Trusted Computing decry the amount of control the user cedes to Microsoft.
For years, you've been able to run anything you want on a Windows machine. But with Trusted Computing and the related Secure Boot initiative, which lets only Microsoft-approved operating systems boot up a PC, Microsoft is moving toward an Apple-like "walled garden" model, in which the hardware and software makers, not the users, decide what runs.
That loss of control seems to have been what truly irked the German government. In a polite but firm rebuttal to the Die Zeit story, the German Federal Office for Security in Information Technology (BSI in its German acronym), stressed that lack of control, not NSA spying, was the internal memo's main concern.
"For certain groups of users," the rebuttal states, "the use of Windows 8 in combination with a TPM can mean an increase in safety."
But, the rebuttal goes on to say, such a combination results in "a loss of control over the operating system and hardware," which in turn leads to greater risk of software and hardware errors.
For that reason, the BSI says, its office would like to see an opt-out built into Trusted Computing, and is in contact with operating-system and hardware manufacturers "to find appropriate solutions."