March 19, 2024

DRM Wars: The Next Generation

Last week at the Usenix Security Symposium, I gave an invited talk, with the same title as this post. The gist of the talk was that the debate about DRM (copy protection) technologies, which has been stalemated for years now, will soon enter a new phase. I’ll spend this post, and one or two more, explaining this.

Public policy about DRM offers a spectrum of choices. On one end of the spectrum are policies that bolster DRM, by requiring or subsidizing it, or by giving legal advantages to companies that use it. On the other end of the spectrum are policies that hinder DRM, by banning or regulating it. In the middle is the hands-off policy, where the law doesn’t mention DRM, companies are free to develop DRM if they want, and other companies and individuals are free to work around the DRM for lawful purposes. In the U.S. and most other developed countries, the move has been toward DRM-bolstering laws, such as the U.S. DMCA.

The usual argument in favor of bolstering DRM is that DRM retards peer-to-peer copyright infringement. This argument has always been bunk – every worthwhile song, movie, and TV show is available via P2P, and there is no convincing practical or theoretical evidence that DRM can stop P2P infringement. Policymakers have either believed naively that the next generation of DRM would be different, or accepted vague talk about speedbumps and keeping honest people honest.

At last, this is starting to change. Policymakers, and music and movie companies, are starting to realize that DRM won’t solve their P2P infringement problems. And so the usual argument for DRM-bolstering laws is losing its force.

You might expect the response to be a move away from DRM-bolstering laws. Instead, advocates of DRM-bolstering laws have switched to two new arguments. First, they argue that DRM enables price discrimination – business models that charge different customers different prices for a product – and that price discrimination benefits society, at least sometimes. Second, they argue that DRM helps platform developers lock in their customers, as Apple has done with its iPod/iTunes products, and that lock-in increases the incentive to develop platforms. I won’t address the merits or limitations of these arguments here – I’m just observing that they’re replacing the P2P piracy bogeyman in the rhetoric of DMCA boosters.

Interestingly, these new arguments have little or nothing to do with copyright. The maker of almost any product would like to price discriminate, or to lock customers in to its product. Accordingly, we can expect the debate over DRM policy to come unmoored from copyright, with people on both sides making arguments unrelated to copyright and its goals. The implications of this change are pretty interesting. They’ll be the topic of my next post.

Comments

  1. I need help. I would like to sell my DVD that I have made copies of at a flea market. Can I do this, or do I need some kind of license to do it? If so, where would I get one?

  2. Excuse consumers for not wanting to be locked in. Freedom is such an unnatural desire, isn’t it?

  3. In English, please; it’s the de facto lingua franca on this blog.

  4. I’ll not sit and debate either side.

    I’m an actual consumer. I don’t like having my movies on recordable DVD’s. I much prefer originals. But – since the technology exists, why should I not be able to make a copy of a DVD I like, so I can watch the copy and leave the original untouched.

    I buy original DVD’s for a reason – and that reason is so I have a copy of the movie long-term. I like the original cases, they look nice on my entertainment center. Movies I watch rarely aren’t a big issue, but there’s a few I like to watch more often. Those, I’d prefer to play a copy of, rather than scratch up the original. Plus, I have kids – and it takes them very little time to scratch up DVD’s.

    So – for me, DRM on DVD’s kills the ‘value’ of the DVD for me. I buy one for the kids – a few weeks later it’s scratched and not usable – sometimes. So what logic was there in ever buying the DVD at all?

    In my opinion – none.

    I don’t care to download and burn DVDs, I think the copies are cheap and just not what I want. I do like the originals. But I feel like I’m not really ‘buying’ the DVD, I’m more or less using their crap on paid loan. So why bother? I’ll just use on-demand and not mess around with it. Downloading is a hassle, finding cracks to copy DVD’s is a hassle, putting files up for download by others is a hassle and uses hard disk space I’d rather keep free. On-demand is not a hassle. I got enough hassles in life, until I can simply copy a DVD, I’ll not bother to buy it.

    Even if I don’t want to copy the DVD, I don’t like people selling me a product and then trying to tell me what I can and cannot do with it. They say, “Here, buy our DVD!” – but it’s more expensive and LESS value to me than just paying for starz on demand.

    They can add all the DRM they want, I’ll buy movies without DRM. If it’s got DRM, I just won’t buy it – sorry, I don’t tell the movie industry what to do with the cash I give them after trading it for the DVD, until they are fair about it on my side as a paying consumer, I’ll keep my cash and they can keep their ‘product’.

    So go hang the pirates – just remember, many of us paying consumers are ‘collateral damage’. Don’t matter how you spin it or what you say about ‘their rights’ – my right as a consumer is to buy what I think is a good value and DRM = Hassle and Hassle = No value for me.

    Long as the industry tried to tell me what to do with the product, I’ll not buy it.

  5. Gray Ghost says

    DRM is total bull. The only thing it does is plug up people’s computers and increase the cost of equipment. Anyone, with or without DRM, can copy and share music and videos. Unless the copyright cops make everybody have their eyes and ears cut out, that is. All music and video has to come out as analog for us lowly consumers to see and hear; at that point there is no D#$M# DRM. Then all you need is a good video camera and stereo mics.

  6. Hal,

    Congress is currently debating at least 3 bills that would further enshrine DRM into law: the Perform Act, “broadcast flag” mandates, and plugging the “analog hole.” It remains to be seen whether any of those will pass, but they certainly have more momentum than HR1201, the leading bill that would relax legal restrictions on technological devices.

  7. Ned Ulbricht says

    > DMCA-like laws have been adopted more recently in other countries, often at the behest of U.S. trade negotiators.

    For an Australian perspective on this, just take a look at Kim Weatherall’s post from last Wednesday, OzDMCA – update.

  8. Hal,

    DMCA-like laws have been adopted more recently in other countries, often at the behest of U.S. trade negotiators.

    The DMCA is DRM-bolstering because it gives companies additional legal rights (e.g. the right to sue the developers of interoperable products) if their products have DRM. If copyright protection went to novels only if they were written in French, that would be a French-bolstering law.

  9. “In the U.S. and most other developed countries, the move has been toward DRM-bolstering laws, such as the U.S. DMCA.”

    You kind of lost me here. The DMCA was passed in 1998. If that is the best example you can come up with, an 8 year old law, you are hardly identifying a present day trend. I think the truth is that in the U.S. at least there has not been much legislative action on this issue. DRM is neither being mandated nor forbidden. For the most part, recent DRM trends have been market driven.

  10. Alexander Wehr says

    to Neo.

    At least in Canada they have yet to outlaw circumvention devices, which means people are free to form companies to provide solutions to individual’s DRM woes.

    I’m not saying it’s a perfect system or what they’re doing is right, but it is allowing the free market to correct the worst and most unpopular of injustices, if not all of them.

  11. It could be a brave, new world.
    How about GRM (Gasoline Rights Management)?:

    Your new car will only accept Chevron gasoline–the filler cap of your new car can only be opened by an authorized Chevron dealer, and only an authorized Chevron dealer’s nozzle will fit the tank.

    An adapter to get around this system is considered a burglary tool. It has no legal use. Possession of such a device is fraught with criminal penalties. Likewise modifying a vehicle to avoid GRM.

    ADM already has promising efforts in Food Rights Management.

  12. DRM is enabling this business model in Canada, too.

  13. Frank:
    “DirecTv’s first few generations of conditional access smart cards were miserable security failures. Their newest generations have been secure for more than two years.”

    Several weeks ago I was in a Latin American country where I witnessed hacked satellite TV boxes used in residential settings. Typically, a customer buys ‘service’ from a local entrepreneur who provides receivers and hacked smartcards. Periodically (approximately monthly) the encryption is changed – when that happens, the entrepreneur hand-delivers a new card to the customer within a day or so.

    Not an ideal situation, but it works for them. DRM is clearly enabling innovative business models in the developing world. Unfortunately, these businesses probably aren’t providing incremental revenue for the content owners and network operators.

  14. In my attempt to think of any effective DRM technology, I was drawing a blank. Then I thought of DirecTv. DirecTv’s service and conditional access system is not entirely analogous to DVD/PC content and their respective DRM technologies, but some comparisons can be made:

    DirecTv employs encryption and key obscurification as does DVD DRM and PC DRM.

    DirecTv’s hardware and software is a closed system, like DVD DRM, but unlike PC DRM.

    DirecTv’s conditional access system has renewable security features as does some PC DRM. DVD DRM does not have any renewable DRM features but HD-DVD DRM does.

    DirecTv’s content is continually broadcast. Some streaming PC content employing DRM is somewhat similar. DVD is not.

    DirecTv’s first few generations of conditional access smart cards were miserable security failures. Their newest generations have been secure for more than two years.

    There are probably a few more similarities and many more differences.

  15. > Perhaps they believe that DRM customer lock-in and price discrimination business models etc. give them a significant boost in revenues.

    Possibly, but I think the content industry cartels are at least as interested in maintaining their relative position of social and economic power as they are in maximizing revenues.

  16. If we accept that DRM doesn’t work in the sense of preventing ripping and distribution of content, and if we accept this is obvious (e.g. all the references given by Ed) then perhaps we should consider why the entertainment industry keeps on with this theme – after all they are not really stupid.

    Perhaps they believe that DRM customer lock-in and price discrimination business models etc. give them a significant boost in revenues. Intuitively I’d say they are probably correct since I see a lot of not ignorant people using things like iTunes and other severely DRM-controlled content even though they are familiar with all the consequences of DRM.
    I would also imagine that these businesses have a lot of careful market research to back up this position but I guess they are unlikely to put it in the public domain.

    I think if we could quantify what the business benefits really are we would be a lot wiser.

  17. Alexander Wehr says

    “That is why I tried to be careful in hypothesizing that there may be an impact on the file consuming side “by reducing the ability to participate in distributing infringing copies” ”

    the problem is most people distribute copies which are already free of DRM, so releasing products with trivial DRM does not impact the ability to participate in distribution, it just impacts legitimate use by the non-tech-savvy.

    Personally I consider this offensive, like taking advantage of a mentally challenged individual or trading some “primitive” natives a few beads or guns for their land.

    You also ignored the most modern example I offered, the xbox360 platform which has every dirty trusted computing trick MSFT could put into it, but which not 6 months out has been hacked enough to rip and propagate games. (but which still prevents legitimate use running homebrew apps)

    That particular example is the most perfect one I can think of in demonstrating the travesty that is DRM. (both consumer and MSFT have lost so far)

  18. Bruce Boyden says

    Alexander, good point, I remember those games too. I discounted them subconsciously because while several developers tried a variety of methods, the technology was relatively primitive and no single technique was put into widespread use. CSS was one of the first attempts at sophisticated (although flawed, and not even as sophisticated as technology permitted in 1996) DRM put into widespread use on media sold at retail to consumers. But if you want to count the attempts of the early 80s, that’s fine. BTW, I’d take Steam over looking up words in the manual (e.g., Elite) any day.

    Tim, you’re right that DRM has its only direct impact on someone attempting to copy and/or widely distribute the content from a legitimate source; that’s an important distinction that is easy to lose sight of. That is why I tried to be careful in hypothesizing that there may be an impact on the file consuming side “by reducing the ability to participate in distributing infringing copies” — i.e., DRM may have social significance in the same way easily pickable locks do. Since locks do in fact have social significance, in addition to their physical locking function (think of the difference between claiming someone opened a door to someone else’s room, and that they opened a *locked* door), I think that hypothesis is plausible. However, there’s a further step, which is that the social significance attaches to the content that is behind the locked door. Perhaps that’s true and perhaps it isn’t; but it doesn’t seem like a non-starter. The locked house analogy begins to break down at that point and I need to think of a different one.

    Also, on propagation, what you are saying is certainly true for very popular files. But it is not infinitely fast, so a reduction in the number of source files available may have some impact in some circumstances, e.g., older or less popular files where the rate of spread falls below some threshold, or if some new enforcement means is invented thus raising the threshold necessary to propagate fully. Of course, popular files are where the money is.

    BTW, I’ve found this discussion very helpful, so thank you all and especially Ed for starting it.

    > On the file consuming side, I am not sure we can say that even CSS is having no impact — although the Grokster decision may over-determine this issue. Circumvention devices may have a greater taint than infringing files, or at least circumvention may be easier to identify as wrongful behavior. If so, then DRM schemes may serve as a deterrent to downloading by reducing the ability to participate in distributing infringing copies.

    I think you’re missing the point of the Darknet critique. The people who download a file from a peer-to-peer network almost always get the file with the DRM already stripped out. Hence, they have no use for circumvention tools, and laws like the DMCA have absolutely no impact on their ability to re-distribute the content to other users. DRM and the DMCA can only act on the initial uploader, who is the only one who might have gotten the file via circumvention. Once a single unencrypted copy of the file has been uploaded, DRM has precisely zero impact on the subsequent propagation of the file.

    It’s also important to keep in mind that a file on a peer-to-peer network spreads exponentially, and the doubling rate is on the order of hours, if not minutes. Hence, it tends to take a few days, at most, for a new file to spread across the network until everyone who wants a copy has one.

    So I think your distinction between file-contributing and file-consuming is an important one. The point you seem to be missing is that DRM only works on the file-contributing side. DRM has absolutely no effect on the file-consuming side, since those people get the file sans DRM in the first place.

  20. Alexander Wehr says

    I don’t want to wade too deeply into this, but to bruce:

    DRM has been around much much longer than a decade.

    The early pc software industry went through countless iterations of DRM, one particular example my friend had was a mac game which would not allow you to go forward without the manual mapping images to words.

    There were dongles, visual cues, encryption, serial numbers… and on and on, and they all failed.

    The most recent iteration of drm in the most ideal conditions (where the vendor completely controls the hardware/software configuration) was the xbox 360. Already enough of the many overlapping systems there have been cracked to allow people to rip, share, and play xbox 360 games. All but the most pessimistic hackers predict full circumvention of its many systems, which include cpu-embedded trusted computing style cryptographic signing, within the next year or two.

    Either way it’s irrelevant, the main concern of people ripping and sharing games was the first security measure circumvented, which means it’s already failed, the only uses of the 360 it prevents now are legitimate use of third party software.

  21. Bruce:

    Do you really believe your admitted speculations rise anywhere near the level of credible practical or theoretical evidence? The lock analogy is especially sad – completely ignoring the non-rivalrous nature of digital information goods. Do you really believe there is any meaningful correlation between the number of legitimate digital copies of a digital good that are cracked, and how easily illegit copies of said good are available on the darknets? Think of how quickly leaked copies of prereleased movies and albums – all almost certainly created from a SINGLE legit copy – permeate the darknets. As Bruce Schneier says, making digital information not copyable is like making water not wet.

    You appear to be unwilling to accept the repeated (and, to me, virtually unassailable) logical arguments of experts like Felten, Schneier and the darknet paper authors. Probably this is because you know that the policies you espouse are specifically designed to screw technical experts over, to promote the interests of the media oligarchs that paid your fat salary at Proskauer (have you left that practice for good? I doubt it.), and hence you suspect bias in their work, just as I suspect bias in yours. Some of the speculations you make MIGHT be testable through well-designed experiments, though, and I wonder whether you would be willing to wager your faith a bit on the outcome of such experiments?

  22. Bruce Boyden says

    Thanks Ed. I’ve read the Darknet paper, and I’m not persuaded by it because it ignores how the perceived illegitimacy of the Darknet may lessen its capacity to undermine content protection. I’ll check out the other papers.

  23. Bruce Boyden says

    > Do you accept at least that current DRM systems are failing utterly to prevent P2P infringement?

    Well, no, and that goes back to the discussion you, me, and Tim were having above. But I think there’s a couple of different issues that need separating here. One is whether DRM can effectively (however we define that — put a pin in it for now) prevent content from being obtained and distributed in the clear. You might think of that as the “file contributing” side of infringement. Another is whether DRM can effectively prevent infringing content from reaching a sufficiently (more mushy words — insert another pin) large number of consumers. You might think of that as the “file consuming” side of infringement. Laws protecting circumvention devices may help prevent the collapse of file consumers onto file contributors, so that every file consumer is capable of being a file contributor without any trips to a black market.

    On the file contributing side, I suspect DRM schemes such as CSS are having an impact in reducing the number of files available, but that it may not be enough to create any meaningful level of scarcity or difficulty in finding any particular file. (That raises another issue, by the way, which is the fact that any given file is available somewhere at some time does not necessarily mean that it is always easy to obtain; that’s going to depend on the rate of uploads vs. removal and the power of the relevant search engines or indexes. But I assume that, e.g., recent DVD releases are a simple matter to find and download, and many or most of those copies were made by decrypting the DVD and copying the files in the clear, rather than by a non-circumventing method such as capturing and compressing copies made through unprotected analog outputs.) The question to be answered with respect to file contribution, however, is whether we can necessarily expect future protection methods will suffer from a permanent, easily implementable, and widely distributed crack in a similarly short period of time after release. That was the question I had about what the literature says.

    On the file consuming side, I am not sure we can say that even CSS is having no impact — although the Grokster decision may over-determine this issue. Circumvention devices may have a greater taint than infringing files, or at least circumvention may be easier to identify as wrongful behavior. If so, then DRM schemes may serve as a deterrent to downloading by reducing the ability to participate in distributing infringing copies.

    To go back to the locks analogy, CSS is like an ordinary house lock that, as the Dutch video I linked to shows, may be easily circumvented. However, locks do keep unskilled and/or unequipped burglars, as well as simply nosy people, out of my house. And anti-lockpick-device laws reduce the percentage of well equipped burglars. This should reduce the rate of burglaries, although perhaps not by itself enough to be worth the expense of the lock. But locks also strengthen the clarity of the signal that entry has legal consequences. Sure, all it takes is one thief, and then my goods are on the black market. But that market may gain added taint if it is comprised of objects that not merely “fell off the back of a truck,” but can with certainty have been said to have been taken from a locked house.

    All this is speculation of course; but I think it’s reasonable, given the way that laws and norms typically operate. And in any event, I don’t believe it can be dismissed out of hand as incorrect.

  24. Here are some references that I could dig up in a few minutes. I’m excluding all of my own papers, and all of the papers that explain the failures of specific DRM systems.

    Peter Biddle, Paul England, Marcus Peinado, and Bryan Willman. The Darknet and the Future of Content Protection. 2002 ACM Workshop on DRM. link (Word format)

    Stuart Haber, Bill Horne, Joe Pato, Tomas Sander, and Robert E. Tarjan. If Piracy is the Problem, Is DRM the Answer? HP Labs Report, 2003. link

    Bruce Schneier. The Futility of Digital Copy Protection. link

    Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. On the (Im)possibility of Obfuscating Programs. CRYPTO 2001. link

  25. > For example, the claim in your blog post seems to depend on the assertion that “the client software can *always* be modified or reverse-engineered to produce a cracking method.” (Emphasis mine.) The “always” there seems a little strong.

    If the client software is running on a general-purpose computer (i.e. every Mac and PC currently in existence), this is an indisputable fact. Software is just a string of 1s and 0s, and in a general purpose computer, it’s always possible to access that string of 1s and 0s. Once you’ve accessed it, you can make a copy and (if you have the necessary skills) reverse-engineer it to figure out how the locking mechanism works.

    Now, it’s conceivable you could build a closed, special-purpose device like a DVD player that would prevent anyone from getting access to the software. But even if you could do that (and that’s extremely difficult, given the constraints of mass manufacturing), that would mean that the media could only be played on those special-purpose devices. No playing the media on your desktop or laptop PC, and probably not even on semi-open gaming platforms like XBox and PlayStation.

  26. Bruce,

    Do you accept at least that current DRM systems are failing utterly to prevent P2P infringement?

  27. Bruce Boyden says

    Obviously I meant “what an odd question to ask in this context,” not generally.

  28. Bruce Boyden says

    “One of the first rules of security analysis is that the burden of proof is on those who claim security…. So where’s your evidence?”

    Ed, what an odd question to ask. I am curious about the basis for the (implied) statement you made above that the belief that “the next generation of DRM would be different” is naive, that not one respected computer security expert believes otherwise, and Tim’s statement that the security community is “unanimous” that DRM cannot achieve what I described as “bank-vault-like” security. I am curious what claims actually have a good body of support in the literature. I am also curious whether what’s been demonstrated in the literature is that such schemes inherently have no value in securing content, or whether it’s just that they are not foolproof. To respond to my question that the burden of proof is on me to come up with some articles in response to my own question seems kind of weird. If that’s the only way I can get an answer, I guess I’ll have to go looking for it myself, but I was hoping someone around here could save me a little time in the library.

    As for the appeal to authority, I assumed we could put you in the “no it’s not feasible” column. But one researcher does not a consensus make. I’m curious what others think, and have published.

  29. Bruce,

    One of the first rules of security analysis is that the burden of proof is on those who claim security. (Here, “secure” means effective in reducing P2P infringement.) So where’s your evidence?

    Keeping circumvention devices out of the hands of most users doesn’t stop P2P piracy. Illegal P2P users don’t want circumvention devices. What they want is the result of circumvention: content with the DRM removed. Even though circumvention devices are illegal today, every worthwhile song, movie, and TV show is available on the P2P nets.

    Regarding the appeal-to-authority argument, I think it’s fair to say that I am one of the leading authorities on this topic. I have published extensively in the computer security research literature, and I just gave an invited talk on DRM policy at one of the leading computer security research symposia. I’m co-author of (arguably) two of the three best-known technical research papers on DRM. I know the security research community well, and I can’t think of anybody respected in that community who thinks DRM can stop P2P infringement. Nor can I think of any respected paper that makes that argument. Can you point to any counterexamples?

  30. Bruce:

    If you’ve given up representing content owners in DRM-related cases for good, I salute you.

    My comment about your insistence on maintaining faith in DRM in the face of a complete lack of evidence for its ability to prevent P2P piracy is not ad hominem, though it may constitute baiting.

  31. Bruce Boyden says

    Doug, you are correct that I believe there are competing interests that need to be balanced. As for the rest of your comment, it seems to be comprised of an ad hominem argument (Bruce used to represent content owners therefore Bruce’s arguments are false), followed by a string of colorful adjectives designed to bait me.

    John, good point, but of course the proof is in the pudding and we haven’t had any of that kind of pudding yet.

  32. john s erickson says

    A minor correction in an otherwise excellent discussion: the “break once” notion of DRM is pretty old-skool, although it still may be a fair criticism for some or even most deployed DRM, because most still implement ancient techniques…

    To combat the “break once” vulnerability — “letting the cow out of the barn” — most new DRM are fortified by some kind of individualization, whereby certain critical components in the decryption stack are crypto-customized and generated for the individual client machine, AND the media streams are encrypted on-demand, in part based on this customization.

    This concept of individualization is the basis for Microsoft’s “Black Box” DRM patent (issued May 23, 2006), and has also been discussed throughout the Microsoft DRM web and elsewhere consistently for several years.

    Disclaimer: I make no assertions as to the validity of the above-mentioned patent and only cite it as an apparently-applicable published example!

  33. Nice attempt at a climbdown, Boyden. I don’t even know where to start. You only want to point out that “there is a plausible argument” to be made for anti-circumvention laws? Come on – we all know your attachment runs just a little deeper than that:

    “Bruce’s practice is primarily focused on Internet law and copyright issues arising from digital media. He has represented entertainment industry clients in developing and enforcing content protection technologies…”

    http://www.nyls.edu/pages/1775.asp

    Somewhat glad to see you think DRM-protective laws are “a difficult issue.” Solveig Singleton at PFF has favored the d-word for some time when defending the DMCA. I’ve always interpreted it to mean “yes, we know some folks (technologists and consumers) are getting screwed, but the interests we’re defending are just more important.” Am I wrong?

    Finally, your latest feeble attempt to counter Ed’s original claim. Ed pointed out that: “there is no convincing practical or theoretical evidence that DRM can stop P2P infringement.” Your response, rather than directly countering this claim (because you can’t) is to state, essentially:

    “If I choose, purely on faith and without any evidence whatsoever, to believe that a DRM system will be developed that CAN stop P2P infringement, can you PROVE me wrong?”

    What do you think of creationism, Bruce? Your faith-based views on DRM remind me somewhat of the creationists.

  34. Bruce Boyden says

    Uh, OK Doug, I’ll see your use of cut and paste and raise you by repeating what I said. We haven’t moved the ball very much, have we? In any event it’s not that I think anticircumvention laws are things of beauty — for now, my point is only that there is a plausible argument to be made for them. Also, I think you took offense at my reference to the “whole debate,” but I didn’t mean *this* debate, I meant the debate over the legality of peer-to-peer filesharing services — which I think is accurately described as concerning the amount of taint that should adhere to services where the vast majority of traffic is infringing. I take everyone here at their word as to what they are concerned about, and for the record, I think it’s a difficult issue.

    Tim, good point re: infringement laws. You are correct that it’s not that anticircumvention laws make black markets *for content* black — or if they do, it’s just that they’re adding to an existing stigma. But they do make the market for circumvention devices black. That in turn means that most individuals are unlikely to circumvent themselves, but will have to rely on content ripped by others. I.e., they cannot create their own source for such content, but rather must visit the black market for content. This is still analogous to bump keys. Sure, I could get my own bump key if I knew someone with a key-cutter. But (let’s assume) making and using a bump key is illegal, so I can’t just buy one at the store. If it wasn’t illegal, I could buy one anywhere, and I wouldn’t need to depend on the shady pawnshop in order to buy stolen goods, I could go get them myself, particularly if burglary wasn’t illegal either.

    Finally, you and others have appealed in a general way to authority in claiming that not only have DRM schemes not been successful in creating a high level of security, but that they’ll *never* be successful. I don’t doubt that such claims have been made by experts, but if you or others could provide citations to reviews of the literature published in reputable journals, that would be helpful. Frankly, I suspect this is an “everyone knows” type of argument, but I’m willing to be convinced otherwise. For example, the claim in your blog post seems to depend on the assertion that “the client software can *always* be modified or reverse-engineered to produce a cracking method.” (Emphasis mine.) The “always” there seems a little strong. And, given that media formats change every couple of decades or so, a DRM scheme that held off cracking methods for 10 or 20 years would achieve all the success it needs to. So really, the claim that needs to be proved is that no protection scheme will be able to resist cracking for more than 10 years, no matter how it is designed or implemented, as long as it is widely distributed in media and devices distributed to consumers. Has the literature conclusively demonstrated that proposition?

  35. Bruce Boyden said:

    “Of course, if the black market gets re-defined so that ordinary people feel it’s not so bad, then that effect might dissipate, but then, that’s what the whole debate is about, really.”

    Utter hogwash. Look at the name of this site to see what the debate is about. Your beloved “DRM-protective laws” deny independent technologists the right to innovate and create across a widening swath of the technology landscape. Laws like the DMCA anti-circumvention provision and the Broadcast Flag enforce a centrally-planned model of technological development, where advancements must be pre-approved by the incumbent content cartels that pay Bruce Boyden’s salary. Geez, central planning has such a great economic track record, compared to decentralized innovation in a free market.

    Oh, you have also utterly failed to credibly challenge the quote by Ed Felten that you called out in the first place. I’ll repeat it:

    “This argument has always been bunk — every worthwhile song, movie, and TV show is available via P2P, and there is no convincing practical or theoretical evidence that DRM can stop P2P infringement.”

    Damn right.

  36. Bruce, you don’t need the DMCA to stigmatize black markets in copyrighted materials. Trading copyrighted files was already illegal before the DMCA was put on the books, and it would continue to be illegal if you repealed the DMCA.

    And I don’t think any computer security expert considers it an open question whether DRM will be able to achieve “bank vault like” security. They’re unanimous that it won’t. I explain why here:

    http://www.techliberation.com/archives/037844.php

    DRM is “security through obscurity,” which by definition is only secure until someone with programming skills examines it in enough detail to figure out how it works. Prof. Felten has done this with a couple of DRM schemes himself, and someone has done it to every commercially important DRM scheme on the market within a few months of release.

  37. “DRM helps platform developers lock in their customers”

    This should be almost illegal IMHO. Certainly is anti-competitive.

    Hi to Alex Wehr (haven’t seen you in a while!)

    Ed, we posted this article at DMusic and Boycott Riaa for ya! Feel free to add a link to Boycott Riaa somewhere on your blog. We already have Freedom to Tinker in our Friends and Partners list.

  38. There’s nothing wrong with DRM.

    If it is mathematically possible to control someone’s access to digital information whilst providing access to the highest quality analogue information, well, that’s brilliant. Anyone who can achieve this deserves everything they can get.

    Anyone who purchases a product so ‘protected’ (clearly labelled as grievously fettered compared to normal digital media) gets what they deserve.

    The wrong is in the law passing the DMCA to make it a crime to remove or bypass such ‘technical protection measures’.

  39. enigma_foundry says

    Second, they argue that DRM helps platform developers lock in their customers, as Apple has done with its iPod/iTunes products, and that lock-in increases the incentive to develop platforms.

    Setting aside the anti-trust issues here, this actually makes the argument against giving DRM the special legal protections it now has.

    Furthermore, the enabling of tiered service argument is interesting, because it shows how much consumers do not want DRM. And despite what all the apologists for the consolidated huge media companies may say, we still live in a consumer-driven economy and short of implementing some kind of a fascist locked-down internet control scheme, consumers will get what they want.

    Now, for a real world example. The website http://www.allofmp3.com has every song you could possibly want, available for download, for a cost of about 9 or 10 cents per song (OK some really good stuff tops out at about 20 or 21 cents.) The website appears to be based in Russia. The competition from gray markets like this will eventually force the white markets to adjust their price structure.

    The owners of the IP that is being sold can wail and gnash their teeth as they will, but the market will no longer support their business model because: the public’s perception of the value of pre-recorded music has been altered.

    Now, if the MPAA takes note of the failure of the RIAA to implement a regime of controlled prices (which are much higher than the marginal cost of production BTW) for IP, it should try a new price structure (called get there the firstist with the mostest). That is get to the price point the public will accept with the most IP. I would say this should be at about 5 or 6 dollars for a movie download (that would be a usable file, without any DRM scheme imposed), and the additional market share would make up for the lower price.

    They will probably be too stupid to see this in their own best interest, but hey I am giving this advice free.

  40. Before DRM actually existed the problem of piracy was usually described as the need to stop organisations which systematically rip content and run a business by selling the results at a low price. I’ve not seen this “need” voiced recently, DRM is now all focussed on extracting more money from end-users who buy through approved commercial channels – I guess there’s much more money to be gained from this than money lost due to ripped content.

  41. Bruce Boyden says

    Well, it’s true that every burglar must circumvent locks themselves — although that video makes it look pretty easy (kind of like a downloadable utility, almost). But it’s not true that every recipient of stolen property must pick locks themselves. All it takes is one burglar and all of my stuff has been removed from my house. You can then head on down to your local shady pawnshop or black market and buy my stuff. I still lock my doors.

    There’s two levels here at which DRM might be effective. It might be effective, bank-vault-like, in keeping out even professional thieves with sophisticated tools. The evidence so far doesn’t support the notion that DRM will be able to achieve that level of security, but the evidence so far is thin; DRM schemes on media widely distributed to consumers have only been around a decade or so. Most stuff available right now was released either completely unprotected, or with a cracked encryption scheme, CSS.

    But there’s another level at which DRM and DRM-protective laws might be effective, the level at which door locks and burglary laws operate — they make theft somewhat harder, forcing stolen goods onto the black market. People generally don’t like black markets and stay away from them. That doesn’t make the locks any harder to pick, but it does allow room for legitimate sales to continue, since if I want a new couch, I’m not going to risk getting it from the back of a truck, I’m going to go to a local retail store to get it. Of course, if the black market gets re-defined so that ordinary people feel it’s not so bad, then that effect might dissipate, but then, that’s what the whole debate is about, really.

  42. Bruce:

    There’s plenty of evidence that locks prevent burglaries. What is different about door locks is that every burglar has to pick a lock himself. With DRM, all it takes is one person to pick that digital lock, and the door swings open for everybody.

    If DRM stopped P2P piracy, wouldn’t there be at least one popular movie, song, or TV show that wasn’t available in DRM-free form on the P2P systems? Wouldn’t there be at least one respected computer security expert claiming that DRM can stop P2P piracy?

  43. You neglect to point out that locks protect your physical goods, privacy, and safety. DRM doesn’t protect anything but customer-hostile business models.

  44. Bryan Feir says

    @Bruce, regarding the DRM/lock analogy…

    There’s one fundamental difference, though. With DRM files, it only takes one person breaking the protection and the file can be available to everybody on the peer-to-peer networks. So the file will be broken by the best programmer who is willing to take the risk. And worse, once a DRM method is broken, a tool can be written that will break it automatically on any file with little further effort.

    Unlike houses, where the chances that the best thieves won’t be anywhere near your house; and your neighbour’s house being broken into doesn’t make everybody else in the city have to re-key their locks to be safe again.

    Besides, breaking DRM can be done in the safety of your own home, and with very little in the way of fingerprints left behind.

  45. Bruce Boyden says

    “This argument has always been bunk — every worthwhile song, movie, and TV show is available via P2P, and there is no convincing practical or theoretical evidence that DRM can stop P2P infringement.” I’m not convinced by this counter-argument. Is there convincing practical or theoretical evidence that locks on houses stop burglaries? Take a look at this video, showing how easy it is to make and use a key that will unlock many locks. Yet house locks perform a function, and stuff in houses is safer because of them. I’m guessing Ed that you lock your house every day when you go to work, or at least when you go on vacation.

  46. Ed, along the same lines as Alexander’s comment, can you point to a source where a vendor has made this lock-in argument publicly? I’d be pretty surprised to see it considering the potential anti-trust problems. I’m envisioning Eliot Spitzer warming up his subpoena mill.

  47. Alexander Wehr says

    I’m interested in how exactly in the EU and US companies and lobbying firms could possibly gain any traction by making the case that it is used for platform lockin.

    While simply implementing DRM is not a violation of antitrust law, the end result of doing so under regimes such as the DMCA provides the exact same results.

    I can’t see how any congresscritter would not see this. Many demonstrate a complete lack of technical knowledge, but this particular point is fairly clear cut and transparent to anyone with backgrounds commonly seen on Capitol Hill.

  48. Ed,

    Could you comment on the increasing desire of large enterprises to use DRM internally as internal data protection? The arguments are parallel to the publishing space, but subtly different and, I should think from your vantage, interesting. [Disclaimer — my day job is in the data protection space, but is not DRM in any sense.]

    –dan