The underlying point you should be calling out if you want to present this argument is that "User freedom should prevail over companies' freedom". The only thing attestation enables is companies enacting their own policies along the lines of "I only want users who are willing to let their device attest x level of security". The user is not required to use that service, they're not required to run W11 or to enable the fTPM in their BIOS.
Asking for widespread change and the death of TPM attestation is like saying that companies should be forced to serve all customers even if it degrades the services they provide, if it requires x orders of magnitude more personnel for fraud/risk/etc management, or if it degrades the experience of other users on the service willing to perform attestation. Maybe this is the right approach, maybe we just need some good regulation that won't deepen the moat of existing players, but this is the crux of the argument being made.
> We are here to remind you that the TPM requirement of Windows 11 furthers the agenda to protect the PC against you, its owner.
No. It's to protect third party services that your PC makes network requests to. Your PC in itself doesn't need any protection from you.
Ok, so instead of Microsoft turning my PC into an Xbox, it's banks asking Microsoft to turn my PC into a credit card reader. This is not materially different.
We already know how this works on Android. Attestation requirements and DRM tend to creep beyond their initial scope if implementing them is easy. And those requirements will include not having owner-level control over your machine[0]. If you root Android, you basically forfeit access to all banking apps, most gaming apps, and a whole bunch of things that you wouldn't even think should require secure attestation.
On the web, we all thought that EME DRM was going to lock down web video and cascade into audio and text. This didn't come to pass primarily because DRM vendors charge money that free web video platforms don't have. If EME had made DRM ubiquitous, the best case would have been one distro vendor offering "blessed" kernel builds that can still "go online", and anyone wanting to be online with their own Linux kernel potentially violating DMCA 1201 or being limited to an increasingly shrinking "clearweb".
There are three types of companies here:
- People that absolutely need user-hostile attestation: banks, competitive multiplayer games, and streaming services
- People that would never demand attestation on principle: normal websites, blogs, web forums, the Fediverse, and YouTube[1]
- People who would implement attestation if it were available regardless of the impact on their user base: Facebook/Meta, Twitter, basically any social media network.
That third group is arguably the largest. They will tolerate unattested users, but they wish they didn't have to. Making attestation easier makes it way more likely for them to demand it.
[0] This could be made less onerous with per-partition boot policies, but only Apple Macs do this AFAIK.
[1] YouTube's stance on DRM is very very weird. Google has the capability to DRM all their content, but they don't. And they've used YouTube as a trojan horse to push open standards like VP8/9 and AV1. On the other hand, they do try to obfuscate video download in ways that the RIAA thinks is DRM.
As a truly absurd example of "if you give developers the option, they will abuse it": I am not allowed to check the train schedules for the Slovenian national rail service on a phone with a custom ROM (not even rooted).
Turns out, the company that got the tender to build it encrypted all traffic to the API with a custom encryption scheme and added three layers of obfuscation/anti-tampering (presumably) in order to make it basically impossible for another company to take over the app, guaranteeing all subsequent tenders go to them. The only even remotely sensitive thing - buying a ticket - happens in a WebView anyways, 90% of the app is just timetable data.
I don't really understand why I can't also force my device to _lie_ to any app that demands that. Is it somehow checking the exact combination of my firmware against a database of allowed root certs?
More or less, yes. The exact details vary from system to system: TPMs were built for PCs where firmware and OSes are diverse, so TPM works off boot measurements and hash functions. On phones all the attestation stuff runs on a separate processor with only one kind of firmware and it gets told by the main processor whether or not the user installed a custom ROM (in which case, no attestation for you).
This is because the people in the "need attestation yesterday" camp specifically do not want a system in which device owners can lie about their attestation status, because:
- For streaming video platforms, the whole point of trusting attestation is to prevent owner tampering, because they want to ensure that you aren't retaining any video past your subscription end date
- For banks, they want to protect you from hackers, rather than themselves from you, so an owner override "should" be tolerable. However, banks also work entirely off of risk assessments and probabilities. And the number of owners genuinely overriding their own attestations so they can run custom ROMs is lower than the number of hackers who would attack the override so they can steal credit card numbers. So in practice the attestation is a fraud signal[0], and allowing overrides at all is like allowing hackers to falsify your fraud data.
[0] Specifically a signal that something is NOT fraudulent, since all the correct, unmodified software was run
To lie you need to have control of the TPM or trick it somehow - otherwise the remote service will know you are a liar.
This is still possible on Android for instance but it gets more and more difficult - I have a health tracking app that complains daily about the fact that my device is rooted - I will have to see what setting I have to block from it so it stops doing that.
My understanding is that there is something like a system call that a program can use to query the TPM for the current system state. The TPM will then reply with some sort of hash representing the state and also a signature for that hash using a private key stored inside the TPM.
The program (i.e. the netflix app or a browser) can then pass on that data structure to netflix's servers, which will then decide if they permit 4K content or not.
To circumvent this, you'd have to know two things:
1) what kind of hash for a "non-rooted" system netflix is expecting in the first place.
2) the private key to sign the hash with.
To get the former, you'd have to eavesdrop on a connection on a non-rooted device. To get the latter you'd have to extract the key from a TPM, which is likely specifically built to make this hard.
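The mechanism the two comments above describe (boot measurements folded into a PCR by hashing, a quote signed with a key that never leaves the TPM, and a server that compares the result against a known-good value) can be modelled end to end in a few dozen lines. The Go program below is an added illustration, not code from the thread or from any TPM vendor or Netflix; the boot chains, the "golden" value and the nonce are constructed sample data, and an ECDSA P-256 key stands in for a real TPM attestation key (whose private half the verifier never sees, only its public key). It shows the verifier's three checks in order: freshness (nonce), authenticity (signature), and policy (PCR digest equals the approved configuration), and why a device that booted a different image, or a quote signed by a key the server does not trust, is rejected without the server needing to know anything else about the device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample boot chains (not real firmware hashes): each stage is
// measured into the PCR before it runs. The custom ROM chain differs only in
// the last stage, which is enough to change the final PCR value.
var StockBootChain = []string{"bootrom-v1", "bootloader-stock", "kernel-stock", "system-stock"}
var CustomROMBootChain = []string{"bootrom-v1", "bootloader-unlocked", "kernel-stock", "system-customrom"}

// ExtendPCR models a TPM PCR extend: new = SHA-256(old || SHA-256(measurement)).
// Extends are one-way and order-dependent, so a PCR cannot be "set" to a value.
func ExtendPCR(pcr [32]byte, measurement []byte) [32]byte {
	m := sha256.Sum256(measurement)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// MeasureBoot replays a boot chain through a single PCR that starts at zero,
// as firmware would do during measured boot.
func MeasureBoot(chain []string) [32]byte {
	var pcr [32]byte
	for _, stage := range chain {
		pcr = ExtendPCR(pcr, []byte(stage))
	}
	return pcr
}

// Quote is the data structure the app forwards to the remote service.
type Quote struct {
	Nonce []byte   // challenge supplied by the server, binds the quote to this session
	PCR   [32]byte // current PCR value reported by the TPM
	Sig   []byte   // signature over (nonce || PCR) by the attestation key
}

func quoteDigest(nonce []byte, pcr [32]byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(pcr[:])
	return h.Sum(nil)
}

// MakeQuote is the TPM-side operation: sign the PCR value together with the
// server's nonce using the attestation key (here an ECDSA key as a stand-in).
func MakeQuote(ak *ecdsa.PrivateKey, nonce []byte, pcr [32]byte) (Quote, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, ak, quoteDigest(nonce, pcr))
	if err != nil {
		return Quote{}, err
	}
	return Quote{Nonce: nonce, PCR: pcr, Sig: sig}, nil
}

// VerifyQuote is the server side. It needs only the attestation public key and
// the approved ("golden") PCR value; it never learns the private key.
func VerifyQuote(akPub *ecdsa.PublicKey, expectedNonce []byte, golden [32]byte, q Quote) error {
	if subtle.ConstantTimeCompare(q.Nonce, expectedNonce) != 1 {
		return errors.New("stale or replayed quote")
	}
	if !ecdsa.VerifyASN1(akPub, quoteDigest(q.Nonce, q.PCR), q.Sig) {
		return errors.New("signature not from a trusted attestation key")
	}
	if subtle.ConstantTimeCompare(q.PCR[:], golden[:]) != 1 {
		return errors.New("boot measurements do not match the approved configuration")
	}
	return nil
}

func main() {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives "inside the TPM"
	golden := MeasureBoot(StockBootChain)                    // value the server expects
	nonce := []byte("constructed-server-nonce")

	stock, _ := MakeQuote(ak, nonce, MeasureBoot(StockBootChain))
	fmt.Println("stock device:     ", VerifyQuote(&ak.PublicKey, nonce, golden, stock))

	custom, _ := MakeQuote(ak, nonce, MeasureBoot(CustomROMBootChain))
	fmt.Println("custom ROM device:", VerifyQuote(&ak.PublicKey, nonce, golden, custom))

	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key the server does not trust
	untrusted, _ := MakeQuote(other, nonce, golden)
	fmt.Println("untrusted key:    ", VerifyQuote(&ak.PublicKey, nonce, golden, untrusted))
}
```

The ordering of the checks is deliberate: the nonce comparison rejects replays before any signature work, and the signature check must pass before the PCR value is consulted, because an unsigned PCR value carries no information about what actually booted. Real deployments add a layer this example omits: the attestation public key itself is certified by the TPM or device manufacturer, which is how the server decides which keys to trust in the first place.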
> The underlying point you should be calling out if you want to present this argument is that "User freedom should prevail over companies' freedom".
I'm still baffled by the DMCA's anti-circumvention clause in that regard. While users are given some rights in the DMCA, companies seem to be perfectly free to trample over those rights using technological restrictions. If users then try to circumvent those restrictions, suddenly they are in violation of the law.