I've been writing about "digital rights management" (DRM) for years in this column, but here I am, about to write about it again. That's because DRM – sometimes called "copy protection software" or "digital restrictions management" – is one of the most salient, and least understood, facts about technology in the contemporary world.
When you get into a discussion about DRM, you often find yourself arguing about whether and when copying and sharing should be allowed. Forget that for now. It's beside the point, for reasons that will shortly be clear. Instead, let's talk about the cold, hard legal, technical, marketplace and normative realities of DRM. Let's talk about what happens with DRM in the real world.
In the real world, "bare" DRM doesn't really do much. Before governments enacted laws making compromising DRM illegal (even if no copyright infringement took place), DRM didn't survive contact with the market for long. That's because technologically, DRM doesn't make any sense. For DRM to work, you have to send a scrambled message (say, a movie) to your customer, then give your customer a program to unscramble it. Anyone who wants to can become your customer simply by downloading your player or buying your device – "anyone" in this case includes the most skilled technical people in the world. From there, your adversary's job is to figure out where in the player you've hidden the key that is used to unscramble the message (the movie, the ebook, song, etc). Once she does that, she can make her own player that unscrambles your files. And unless it's illegal to do this, she can sell her app or device, which will be better than yours, because it will do a bunch of things you don't want it to do: allow your customers to use the media they buy on whatever devices they own, allow them to share the media with friends, to play it in other countries, to sell it on as a used good, and so on.
The only reason to use DRM is because your customers want to do something and you don't want them to do it. If someone else can offer your customers a player that does the stuff you hate and they love, they'll buy it. So your DRM vanishes.
A good analogue to this is inkjet cartridges. Printer companies make a lot more money when you buy your ink from them, because they can mark it up like crazy (millilitre for millilitre, HP ink costs more than vintage Champagne). So they do a bunch of stuff to stop you from refilling your cartridges and putting them in your printer. Nevertheless, you can easily and legally buy cheap, refilled and third-party cartridges for your printer. Same for phone unlocking: obviously phone companies keep you as a customer longer and make more money if you have to throw away your phone when you change carriers, so they try to lock the phone you buy with your plan to their networks. But phone unlocking is legal in the
The technical and commercial forces that gave us phone unlocking and cartridge refilling are the same forces that would make DRM a total non-starter, except for a pesky law.
Enter the DMCA
Back in 1995,
Lehman submitted his paper to then-Vice President
Lehman's next stop was
The DMCA is a long and complex instrument, but what I'm talking about here is section 1201: the notorious "anti-circumvention" provisions. They make it illegal to circumvent an "effective means of access control" that restricts a copyrighted work. The companies that make DRM and the courts have interpreted this very broadly, enjoining people from publishing information about vulnerabilities in DRM, from publishing the secret keys hidden in the DRM, from publishing instructions for getting around the DRM – basically, anything that could conceivably give aid and comfort to someone who wanted to do something that the manufacturer or the copyright holder forbade.
Significantly, in 2000, a US appeals court found (in
In 1997's Bernstein v
Ever since Reimerdes, it's been clear that DRM isn't the right to prevent piracy: it's the right to make up your own copyright laws. The right to invent things that people aren't allowed to do – even though the law permits it – and to embed these prohibitions in code that is illegal to violate. Reimerdes also showed us that DRM is the right to suppress speech: the right to stop people from uttering code or keys or other expressions if there is some chance that these utterances will interfere with your made-up copyright laws.
The entertainment industry calls DRM "security" software, because it makes them secure from their customers. Security is not a matter of abstract absolutes: it requires a context. You can't be "secure," generally – you can only be secure from some risk. For example, having food makes you secure from hunger, but puts you at risk from obesity-related illness.
DRM is designed on the presumption that users don't want it, and if they could turn it off, they would. You only need DRM to stop users from doing things they're trying to do and want to do. If the thing the DRM restricts is something no one wants to do anyway, you don't need the DRM. You don't need a lock on a door that no one ever wants to open.
DRM assumes that the computer's owner is its adversary. For DRM to work, there has to be no obvious way to remove, interrupt or fool it. For DRM to work, it has to reside in a computer whose operating system is designed to obfuscate some of its files and processes: to deliberately hoodwink the computer's owner about what the computer is doing. If you ask your computer to list all the running programs, it has to hide the DRM program from you. If you ask it to show you the files, it has to hide the DRM files from you. Anything less and you, as the computer's owner, would kill the program and delete its associated files at the first sign of trouble.
An increase in the security of the companies you buy your media from means a decrease in your own security. When your computer is designed to treat you as an untrusted party, you are at serious risk: anyone who can put malicious software on your computer has only to take advantage of your computer's intentional capacity to disguise its operation from you in order to make it much harder for you to know when and how you've been compromised.
DRM in the era of mass surveillance
Here's another thing about security: it's a process, not a product (hat tip to
Every security system relies on reports of newly discovered vulnerabilities as a means of continuously improving. The forces that work against security systems – scripts that automate attacks, theoretical advances, easy-to-follow guides that can be readily googled – are always improving, so any system that does not benefit from its own continuous improvement becomes less effective over time. That is, the pool of adversaries capable of defeating the system goes up over time, and the energy they must expend to do so goes down over time, unless vulnerabilities are continuously reported and repaired.
Here is where DRM and your security work at cross-purposes. The DMCA's injunction against publishing weaknesses in DRM means that its vulnerabilities remain unpatched for longer than in comparable systems that are not covered by the DMCA. That means that any system with DRM will on average be more dangerous for its users than one without DRM.
The DMCA has spread to other territories, thanks to those WIPO treaties. In the
For example, in 2005, Sony-BMG music shipped a DRM called the "Sony Rootkit" on 51m audio CDs. When one of these CDs was inserted into a PC, it automatically and undetectably changed the operating system so that it could no longer see files or programs that started with "$SYS$." The rootkit infected millions of computers, including over 200,000 US military and government networks, before its existence became public. However, various large and respected security organisations say they knew about the Sony Rootkit months before the disclosure, but did not publish because they feared punishment under the DMCA. Meanwhile, virus-writers immediately began renaming their programs to begin with $SYS$, because these files would be invisible to virus-checkers if they landed on a computer that had been compromised by
Snowden, DMCA and the Future of Security
The revelations of the NSA whistleblower
It's hard to overstate how remarkable this is (I devoted an entire column to it in December). For the entire history of the technology industry, there was no appreciable consumer demand for security and privacy. There was no reason to believe that spending money making a product more secure would translate into enough new users to pay for the extra engineering work it entailed.
With the shift in consciousness redounding from the Snowden files, we have, for the first time ever, the potential for commercial success based on claims of security. That's good news indeed – because computer security is never a matter of individual action. It doesn't matter how carefully you handle your email if the people you correspond with are sloppy with their copies of your messages. It's a bit like public health: it's important to make sure you have clean drinking water, but if your neighbours don't pay attention to their water and all get cholera, your own water supply's purity won't keep you safe.
But there can be no real security in a world where it is illegal to tell people when the computers in their lives are putting them in danger. In other words, there can be no real security in a world where the DMCA and its global cousins are still intact.
Party like it's 1997
Which brings us back to Bernstein. In 1997, a panel of American federal appeals court judges in the Ninth Circuit decided that code was expressive speech and that laws prohibiting its publication were unconstitutional. In 2000, the Reimerdes court found that this protection did not extend to code that violated the DMCA.
It's been a long time since anyone asked a judge to reconsider the questions raised in Reimerdes. In 2000, a judge decided that the issue wasn't about free speech, but rather a fight between companies who "invested huge sums" in movies and people who believed that "information should be available without charge to anyone clever enough to break into the computer systems." The judge was wrong then, and the wrongness has only become more glaring since.
No court case is ever a sure thing, but I believe that there's a good chance that a judge in 2014 might answer the DMCA/free speech question very differently. In 14 years, the case for code as expressive speech has only strengthened, and the dangers of censoring code have only become more apparent.
If I was a canny entrepreneur with a high appetite for risk – and a reasonable war-chest for litigation – I would be thinking very seriously about how to build a technology that adds legal features to a DRM-enfeebled system (say, iTunes/
And once anti-circumvention is a dead letter in America, it can't survive long in the rest of the world. For one thing, a product like a notional iTunes/Amazon/Netflix video unlocker would leak across national borders very easily, making non-US bans demonstrably pointless. For another, most countries that have anti-circumvention on the books got there due to pressure from the US Trade Representative; if the US drops anti-circumvention, the trading partners it arm-twisted into the same position won't be far behind.
I've talked to some lawyers who are intimate with all the relevant cases and none of them told me it was a lost cause (on the other hand, none of them said it was a sure thing, either). It's a risky proposition, but something must be done. You see, contrary to what the judge in Reimerdes said in 2000, this has nothing to do with whether information is free or not – it's all about whether people are free.