The following text is copyright 1999 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Identify the user not the processor

by Scott Bradner

Intel claimed they were just trying to enable e-commerce. But what they did was only marginally useful for e-commerce, scared the begesus out of privacy advocates, and got Intel headlined dead center on the top of the front page of the New York Times.

Intel thought it would be a good thing to be able to tell one computer from another so they added a unique serial number to each of its new Pentium III processors. There are a number of reasons that this might be useful. Intel suggested that the serial number could be used to tell e-commerce users apart on the Internet. It also could be used to track down stolen processor chips and stolen computers. In a throwback to some mainframe software it could let vendors tie software licenses to individual machines. Since these seem like reasonable goals Intel must have been shocked by the reaction to its announcement.

Privacy groups reacted quickly and very negatively to the news. Here was something that could become the Internet equivalent of a Social Security number that could be used to identify a user wandering around the web. At the minimum this could spawn unwanted sales email and calls; at worst it could be used to build dossiers of Internet users. The vehement denunciation was quickly picked up by the press and it was not long before Intel announced that the serial number feature would be disabled by default and the user would have to actively turn it on. This did not satisfy the privacy groups since browsers and other software could surreptitiously re-enable the feature at any time. The privacy groups have now asked the Federal Trade Commission to force Intel to recall any Pentium III chips that have already been shipped and prohibit Intel from shipping any more with the feature.

Ironically while a serial number is a legitimate worry to people who would like to preserve what little privacy we have left it is not reliable enough to be used in electronic commerce. E-commerce requires the identification of an individual but a processor serial number identififies the wrong thing for e-commerce.

It would have been far more useful if Intel had worked instead on a cheap reliable smart card and reader. If PCs came equipped with such readers users could plug in a card to identify themselves when they were engaging in e-commerce and not at other times. Users could anonymously buy packs of these smart cards to use in different activities or with different vendors.

disclaimer: Education via e-commerce is a new topic at Harvard and it has expressed no opinion on the above.