[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Confinement (even with TPMs) and DRM are not mutually exclusive

From: Bas Wijnen
Subject: Re: Confinement (even with TPMs) and DRM are not mutually exclusive
Date: Wed, 7 Jun 2006 20:44:33 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Wed, Jun 07, 2006 at 01:32:22PM -0400, Jonathan S. Shapiro wrote:
> > > The problem here is liability and lawsuits: if something goes wrong,
> > > there is no evidence to decide later whether the program was executing
> > > legitimately or not. Neither the developer nor the user is adequately
> > > assured that a robust determination of whether liability might exist
> > > under contract is possible.
> > 
> > Liability is a legal subject matter, not a technical.  In this case,
> > it is not the developer who needs the attest that the developers
> > software has been run, but the user.
> Correct. What the developer wants to be able to do is eliminate
> *possibility* that their software was improperly executed. It eliminates
> a very large nuisance factor.

You do agree that this severely limits the user's freedom, right?  Do you
seriously believe that allowing developers to accept liability (which in
practice I'm sure none of the important ones actually will) is worth such a
large sacrifice?

> > Thus, I think you got the benefits backwards.  The developer can only be
> > hurt by an attestation, because it potentially increases the developers
> > liability.
> This is untrue. In the absence of attestation, liability will be based
> on what a jury *believes*. The jury will almost always act in favor of
> an injured plaintiff.

If you have a broken judicial system where people win cases on other bases
than the truth, that is a good reason not to accept liability.  I wouldn't
think it's a reason to take away freedom.

So if you want accountability, according to this statement I'd think you have
to start reforming your courts.

> > However, if TC technology were to be used, a user should desparately try
> > not to have the developer receive the attestation, but a third agent whose
> > interests side with the user.
> But an even better approach -- and the one that I am arguing for -- is that
> the software simply shouldn't run at all in an improper environment. This
> doesn't require disclosing anything to the developer.

So how will the developer transfer the code?  If it's done on a CD or the
like, it will not work.  That can be read by anyone, and thus executed in a
user-friendly (as opposed to user-hostile, which the developer demands in the
contract) environment.  So it must be done over the network, with feedback (in
particular, attestation).  How does this not send the information to the


I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]