Microsoft unveils "Information Rights Management" in Office 2003

EVER SINCE MICROSOFT integrated product activation into OfficeXP the company has been slowly creeping towards an increasingly-draconion—excuse me, secure, operating environment.

From the bugged product activation in OfficeXP we hopped over to product activation in WindowsXP, which at least doesn't seem to randomly deactivate itself, and, from there, to some interesting rights-management controls in Windows Media Player.

Now, with the upcoming release of Office 11 (note—this is the first time the number of Office releases has surpassed the number of Star Trek movies—with arguably the same dips in quality), Microsoft is preparing to gift the consumer market with their most wonderful invention yet—Information Rights Management.

Although details are limited, we're told that IRM will be a persistent, file-level control system which will allow the administrator / authorized user in question to set detailed permissions about who can and can't view information. These permissions will then remain in effect regardless of where the files are sent. MS is planning to implement this technology in a variety of products, including Internet Explorer, Office, and throughout its server releases.

While we could spend all day discussing the problems such a technology raises over privacy, freedom of information, and just plain day-to-day work, there's an even bigger question that needs to be considered—namely, can Microsoft possibly make this work?

Even if we disregard the company's decidedly checkered past when it comes to security, there's a basic problem with Microsoft's IRM. IRM is obviously intended to protect important, sensitive, or private data from the eyes of those who aren't supposed to see it. That's all well and good, save for one little fact— the more important, sensitive, or private the data, the more interested other groups are going to be in gaining access to it through any means necessary.

The reason Microsoft's original .NET initiative was such a colossally bad idea is because it would've focused a huge amount of personal data in one place—Microsoft's servers. All .NET users would've handed a certain amount of personal information over to one company, who then would've been responsible for safeguarding it.

Did Microsoft want to steal credit card numbers or commit financial fraud against its customers? Of course not. But concentrating such a gold mine of information all in one place is like putting a giant sign above one's house that reads: "WELCOME THIEVES AND HACKERS!"

For all the fuss that was raised over Microsoft's copy protection systems in OfficeXP and WindowsXP, the number of users that found ways around the situation is staggering. How many of you out there have an OfficeXP activation code that starts with "FM9FY"? Do the letters "FCKGW" mean anything to any of you? The fact is there were tools available to crack Microsoft's copy protection schemes before the products themselves had even hit the shelves. The products themselves weren't even considered all that important. To many people, WindowsXP is nothing but Windows 2000 + stupid eye candy, and what exactly was OfficeXP supposed to improve anyway?

How much more valuable, how much more lucrative would technology be that can slip past Microsoft's IRM system and allow users to open data they aren't meant to see? Just as there are corporate CD-keys that shut down WindowsXP's product activation, there will be codes and combinations hard-wired into IRM systems to allow the data to be unlocked. A system without such codes would be crippled by simple human error and misunderstanding.

Even if such a system can be implemented in theory, is Microsoft the company to do it?

A security system must balance the need to offer effective protection while interfering with as little of a user's day-to-day work as possible. Operating paradigms that force users to jump through hoop after hoop just to gain access to minimal functionality are unacceptable from a productivity standpoint. Microsoft's history of producing software that gets out of the user's way and lets them do their work is hardly the best. MS software may be functional, but its design is hardly a model of elegance and simplicity.

Even if we trust Microsoft to make such a system functional, can they secure it? Even accepting the need for security-compromising features in the name of usability, once again, Microsoft's record isn't so great in the security arena. True, Bill's "Trusted Computing" initiative is now a full year old, but I'm not sure anyone trusts Microsoft any more than they did 12 months ago.

When Office Unnecessary launches a few months from now, Microsoft's work will just be beginning. First you've got to get people to buy it, then they've got to trust it—and finally, of course, you've got to keep the thing hack proof and secure. Undoubtedly Redmond will have some success with #1 and #2—but #3?

Don't hold your breath. µ