Jump on the serialized bandwagon

How about that? Intel Corp. on Jan. 20 announced that it will put readable serial numbers in all of its forthcoming Pentium III processors. Each chip will have a serial number “burned in” that can be read by applications. Not surprisingly, a furor has blown up over the plan.

What’s all the angst about? Privacy. I talked to Barry Steinhardt, associate director of the American Civil Liberties Union, who believes serial numbers might become “the computer equivalent of Social Security numbers” and could be used to track people’s on-line activities. But Steinhardt also says: “The point I’ve been trying to make is that this isn’t a privacy Armageddon.”

Steinhardt sees the Intel serial numbers as a potential problem rather than a de facto threat, and he’s right. Without a lot more engineering aimed at taking advantage of the serial numbers, their mere existence is not particularly relevant. Steinhardt’s concern is that the issue be addressed before it becomes a threat.

Aha! The voice of reason. Steinhardt obviously understands that we have a long way to go to make the feature truly equivalent to a Social Security number.

But Intel’s initiative has aroused the ire of many and, unfortunately, the shrill voices of the pop pundits know no bounds. The Electronic Privacy Information Center (www.epic.org), Junkbusters Inc. (www.junkbusters.com), and Privacy International (www.privacyinternational.org) have banded together to boycott Intel products under the sobriquet of “Big Brother Inside” (www.privacy.org/bigbrotherinside).

While I applaud their enthusiasm in protecting our interests, I think these organizations are so premature in their desire to jump on a bandwagon that they look rather like rank publicity seekers. Frankly, I’m surprised that microprocessor vendors haven’t implemented serialization sooner. In the mainframe, minicomputer and workstation worlds this is an old idea.

Lots of vendors have offered processor serial-number detection, and many application vendors have used it for software copy control.

But before we discuss the good, the bad and the self-serving, let’s just take a quick look at how the system apparently works. As I said, the serial number is written into the chip during manufacturing so it can’t be changed. It appears that to get the number, you’ll access some kind of input/output port and read the 64-bit serial number value.

According to Chuck Mulloy, an Intel spokesperson I interrogated recently, whether the port can be read depends on a “sticky bit.” This sticky bit is a device on board the processor that, when set, disables access. Once set, the bit can be cleared only by resetting the processor itself. On reboot, an Intel software utility has to be run to switch the feature off.

My concern has nothing to do with privacy. Rather, there are a lot of very clever engineers and programmers out there who like nothing more than the opportunity to hack systems. If you don’t think they’ll come up with a piece of hardware or software that will allow your computer to lie about its serial number, then you really haven’t been around the industry for long.

And then there’s the fun to be had when a virus randomly switches off the feature. Then when some application tied to the serial number can’t find it…

I haven’t had time to think through all the pitfalls, but I bet that you, gentle reader, have an even more devious mind than I.

I think the serial number is a feature that is as dangerous as, say, the embedded and easily read Ethernet address on your PC. And who worries about that as a way of tracking people?