I was yesterday at the Guardian's Changing Media conference, at which our very own Dr Ian Brown spoke on DRM. These are my notes, cross-posted from my own blog, Strange Attractor.
Can digital rights management achieve its security goals?
Chair: Nick Higham
Dr Ian Brown, UCL (and also ORG)
ONe of the things that alarms content owners is what this new technology means for their copyright, their intellectual property, their security. Dr Ian Brown is a computer security researcher at UCL.
Ian Brown, UCL
I want to limit myself today to "will DRM do everything that they are sold as doing?". There are much wider issues to do with DRM, but I want to focus on this specific area.
DRM is an umbrella term for quite a wide range of technologies that give content owners some control over their content. Some control, not full control - you certainly can't expect to put your new Britney Spears CD out and not see it online within five minutes.
DRM is also not about copyright, because it goes further than copyright law. Copyright law also varies from area to area, for example there is no right to private copy in the UK, but yet people do it anyway. DRM goes further than trying to prevent this, but can control the way people access, print, and copy ebooks, for example.
DRM is present in Windows Media Player, Adobe e-books, RealPlayer, iTunes, etc.
French law which is saying that DRM has to be interoperable between platforms, e.g. can't put iTunes music on a third party media player.
The basic tech behind DRM is simple - you encrypt the data in a way that is impossible to unscramble directly, even people with the computing power of major western governments. You give the encryption keys to the user via the medium of the media player, e.g. your DVD player has decryption keys so that it can decrypt DVDs. This controls access to the data of the files.
The other type of tech is digital watermarking, which allows people to embed information in audio and video files in a way that is invisible to the user, and hard to remove. Can embed information that controls when the media can be used, e.g. can only be played on computer with xyz ID. Also allows the media owners to track who copies stuff.
DRM is actually very difficult to do. Making it work overall as a system in the way that content owners would like, is a very difficult problem. Some of the underlying reasons for that:
- data is encrypted, but has to be decrypted at some point so you can use it. So at some point your tech has to decrypt it and create an unprotected version of that content.
- watermarks can be removed. All of the watermarks that have been created are fairly primitive and have been a failure. People trying to break these technologies find it easy, and there are fundamental reasons why this is easy - if you distribute a file which is on the one hand the same - all Britney Spears CDs that are the same - but have individual bits that are different, can compare and find the watermark.
- DRM tries to reduce the functionality of your computer as regards specific streams of data, but old equipment doesn't have the DRM on it, so legacy computers are going to be more functional than new ones.
Previous DRM solutions:
- secure digital music initiative: was tested against world's hackers, and the hackers won. One research team in Princeton broke all of the proposed technologies. Most sensible companies would have rethought it, but instead STMI tried to sue the academics that had done this work, the conference organisers, etc. The researchers gave a press conference saying that they weren't going to publish the research because their houses are at risk. STMI said they had broken the DMCA. Researchers got support and published the research anyway.
- CD protection: several record labels have released CDs that play on your hifi but not your computer. Most of these techs are trivially circumvented - one you hold down the shift key as you put the CD in, or draw a black line round your CD. Would have been illegal to tell you this 2 years ago - now it's only illegal to tell you how to break software DRM.
- CSS: broken by a Norwegian teenager who was arrested under trespass law, so the courts threw it out.
- Sony BMG (XCP and MediaMax): big news over last few months. Sony BMG installed two DRM technologies, XCP from a UK company and used virus-like technology to embed itself deep in Windows. Very difficult to remove. After a lot of consumer protest, they released an uninstaller, which made things worse, and eventually they released something that did allow you to remove it. MediaMax installed even if you said no you didn't want to install it, and reported back to MediaMax what audio files you use. Sony have had to settle a number of class action cases already. The US govt's said don't install it. Lots of gov't computers infected, so the US gov't not impressed.
So DRM is crap. But supposedly it will improve soon. Intel, IBM, HP etc. want to put this stuff into hardware. Trusted Computing.
Thinking about all sort of problems of getting round. MS want it everywhere - your computer, phone, PDA, even your watch.
- The analog hole is a big problem: No way not to turn digital bits into an analogue version for human consumption. Lots of 'anti-piracy' ads in cinemas because they can't do anything about it.
- Break One Play Anywhere: Even if only one person in the world can break it, they'll share it and you really can't stop P2P. Napster originally weren't designed with lawsuits in mind, but now they are and they are very difficult to shut down. Lots of networking technology that will stop this.
Some business models that DRM could support:
- Live events: you don't care if it's shared the next day, it's live that counts.
- Highly select, time-sensitivie audiences, customised information provided to individual recipients, e.g. Oscar judges. Last year for the first time it was found that an Oscar screener was leaked, and the judge who leaked it was fined. Customised data that only needs protecting for a short time.
- Highly interactive systems, such as games. Even if someone breaks it, it doesn't matter, because they can't keep breaking it.
Very polarised debate.
Nick: So DRM is not workable?
Ian: Content companies have been mis-sold on this. Software companies have sold DRM as solving problems it can't solve. As people come to understand the technology they see that it's the business models that need to change.
Q: I agree that DRM is not unbreakable. But we don't need it to be unbreakable. Can DRM be useful? I would say yes.
Ian: Yes, I think your good point is moot, because no one has produced a system that prevents low-quality copies. But it's an anti-consumer technology. There aren't many consumers who have an understanding of UK copyright law.
Nick: Consumers are happy to buy low quality. It's not a disincentive.
Ian: Early Napster files were very low quality but they didn't put people off.
Q: An observations, it's a bit like the war against drugs. Entrenched position. What is stopping people exploring the possibility of radically new business models, and what might thos be?
Ian: The problem is that the big rights holders have expended a lot of energy in lobbying to get the law changed, global copyright law has changed, treaties have changed. They got the DMCA passed. The EUCD. US didn't need to pass those laws to fit the treaties, but the copyright holders lobbied for it.
There are alternatives, there are indie labels that use non-DRM materials, and the market should be able to decide.
Nick: But the trouble is that sometimes the market can't decide.
Ian: Well, that's
Q: Consumer associations have expressed concerns about the rights of the citizens. Do you think their concerns are misplaced?
Ian: No. It doesn't stop at deterring copyright infringers, it also makes life difficult for say, visually impaired people. RNIB gave evidence at APIG and said they have problems with ebooks.
Q (me): DRM lobbiests more into supporting vertical niche markets than protecting copyright.
Ian: Damaging to copyright law and public's respect for it, this 'newspeak' that goes on around DRM. Industry make blood-curdling pronouncements, conflating opening up standards with protecting copyright which is very damaging.
I believe in copyright, but I don't think DRM is the way to enforce it.
Q: What about revenue sharing?
Ian: I can't talk about it in detail, but it's a positive move. If you have legitimate P2P services, then yes, that might work.
This has always been the flip side to DRM - how do you make a business model not from scarce goods, but from abundance. Grateful Dead, for e.g., or U2 find their music is a loss-leader, and they make their money from merchandise.