Posts tagged with: DRM

A New DMCA Exemption for Security Research

By now, most readers have probably heard about the six newly minted exemptions to the anti-circumvention measures of the Digital Millennium Copyright Act (DMCA), announced last week by the Librarian of Congress. For the uninitiated, Ars Technica has an excellent overview of the exemptions, which provide much-needed legal cover for a variety of activities including jailbreaking and unlocking cell phones, decrypting DVDs for non-commercial remixes, and several others.

Of particular interest to folks in the security community is the exemption granted for security research on video game digital rights management (DRM) systems, stemming from both realized and potential security holes in systems like Safedisc and SecuROM.


Will they ever learn? Hollywood still pursuing DRM

In today's New York Times, we read that Hollywood is working on a grand unified video DRM scheme intended to allow for video portability: when you visit a hotel room, for example, you'd like to have your videos with you.

What's sad, of course, is that you can have all of this today with very little fuss. I use iTiVo to extract videos from my TiVo, transcoding them to an iPhone-compatible format. I similarly use Fairmount to rip DVDs to my hard drive, making them easy to play later without worrying about the physical media getting damaged or lost. But if I want to download video, I have no easy mechanism to download non-DRM content. BitTorrent gives access to many things, including my favorite Top Gear, which I cannot get through any other channel, but many things I'd like aren't available, and of course, there's the whole legality issue.

I recently bought a copy of Disney/Pixar's Up (Blu-ray), which includes a "Digital Copy" of some sort that's rippable, but the other ones are rippable as well (even the Blu-ray), so I haven't bothered to sort out how the "Digital Copy" works.

(UPDATE: the disc contains Windows and Mac executables which will ask the user for an "activation code" which is then sent to a Disney server which responds with some sort of decryption key. The resulting file is then installed in iTunes or Windows Media Player with their native DRM restrictions. The Disney server, of course, wants you to set up an account, and they're working up some sort of YouTube-ish streaming experiences for movies where you've entered an activation code.)

So what exactly are the Hollywood types cooking up? There are no technical details in the article, but the broad idea seems to be that you authenticate as yourself from any device, anywhere, and then the central server will let you at "your" content. It's unclear the extent to which they have an offline viewing story, such as you might want to do on your computer on an airplane. One would imagine they would download an encrypted file, perhaps customized for you, along with a dedicated video player that keeps the key material hidden away through easily broken, poorly conceived mechanisms.

It's not like we haven't been here before. I just wonder if we'll have a repeat of the ill-fated SDMI challenge.


DRM by any other name: The latest from Hollywood

Sunday's New York Times had an article, Studios' Quest for Life After DVDs. To nobody's surprise, consumers want to have convenient access to "their" media, wherever they happen to be, without all the annoying restrictions that come into play when you add DRM to the picture. To many people's surprise, sales of DVDs (much less Blu-ray) are in trouble.

In the third quarter, studios’ home entertainment divisions generated about $4 billion, down 3.2 percent from a year ago, according to the Digital Entertainment Group, a trade consortium. But digital distribution contributed just $420 million, an increase of 18 percent.

Given that DVDs are really a luxury good (versus, say, food or electricity), the 3.2 percent drop seems like Hollywood is getting off easy. The growth in digital distribution is clearly getting attention, though. What's going on here? I imagine several things. People sometimes miss their shows. Maybe the cable went out. Maybe the TiVo crashed. Maybe they're on the road. Drop $2 at the iTunes Store and you're good to go. That's attractive and it's real money.

Still, the article goes on to talk about... yet more DRM.

Standing in the way are technology hurdles — how to let consumers play a video on various devices without letting them share it with 10,000 close friends on a pirate site — and the reluctance of studios to cooperate too closely with rivals for reasons of antitrust scrutiny and sheer competitiveness.
...
And piracy, at least conceptually, would be less of a worry. The technology [Disney's Keychest] rests on cloud computing, in which huge troves of data are stored on remote servers so users have access from anywhere. Movies would be streamed from the cloud and never downloaded, making them harder to pirate.

Of course, this is baloney. If it's going to work on my iPhone while I'm sitting in an airplane, the entire video needs to be stored there in advance. Furthermore, if the video is supposed to be "high definition," that's a bare minimum of 5 megabits/sec. (Broadcast HD is 20 megabits/sec and Blu-ray is 48 megabits/sec.) Most home DSL or cable modem connections either will never go that fast, or certainly cannot maintain those speeds without hiccups, particularly when sharing the line with other users. To do high quality video, you either have to have a real broadcast medium (cable, over-the-air, or satellite) or you have to download in advance and store on a hard drive.

And, of course, once you've stored the video, it's just not that hard to extract it. And it always will be. The challenge for Hollywood is to change the incentives of the game. Maybe sell me a flat-rate subscription. Maybe bundle it with my DSL provider. But make the experience compelling enough and cheap enough, and I'll do it. I regularly extract video from my TiVo and copy it to my iPhone via third-party software. It's practically painless and it happens to yield files that I could share with the world, but I don't. Why? Because there's real downside (I'd rather not get sued, thanks), and no particular upside.

So, dearest Hollywood executive, consider that selling your content for a reduced price, with no DRM, is not the same thing as "giving it away." If you allow third-parties to license your content and distribute it without DRM, you can still go after the "pirates", yet you'll allow normal people to enjoy your work without making them suffer for it. Yes, you may have kids copying content from one to the next, just like we used to do dubbing cassette tapes, but those incremental losses can and will be offset by the incremental gains of people enjoying your work and hitting the "buy" button.


AP's DRM Announcement: Much Ado About Nothing

Last week the Associated Press announced it would be developing some kind of online news registry to control use of news content. From AP's press release:

The registry will employ a microformat for news developed by AP and which was endorsed two weeks ago by the Media Standards Trust, a London-based nonprofit research and development organization that has called on news organizations to adopt consistent news formats for online content. The microformat will essentially encapsulate AP and member content in an informational “wrapper” that includes a digital permissions framework that lets publishers specify how their content is to be used online and which also supplies the critical information needed to track and monitor its usage.

The registry also will enable content owners and publishers to more effectively manage and control digital use of their content, by providing detailed metrics on content consumption, payment services and enforcement support. It will support a variety of payment models, including pay walls.

It was hard to make sense of this, so I went looking for more information. AP posted a diagram of the system, which only adds to the confusion -- your satisfaction with the diagram will be inversely proportional to your knowledge of the technology.

As far as I can tell, the underlying technology is based on hNews, a microformat for news, shown in the AP diagram, that was announced by AP and the Media Standards Trust two weeks before the recent AP announcement.

Unfortunately for AP, the hNews spec bears little resemblance to AP's claims about it. hNews is a handy way of annotating news stories with information about the author, dateline, and so on. But it doesn't "encapsulate" anything in a "wrapper", nor does it do much of anything to facilitate metering, monitoring, or paywalls.

AP also says that hNews "includes a digital permissions framework that lets publishers specify how their content is to be used online". This may sound like a restrictive DRM scheme, aimed at clawing back the rights copyright grants to users. But read the fine print. hNews does include a "rights" field that can be attached to an article, but the rights field uses ccREL, the Creative Commons Rights Expression Language, whose definition states unequivocally that it does not limit users' rights already granted by copyright and can only convey further rights to the user. Here's the ccREL definition, page 9:

Here are the License properties defined as part of ccREL:

  • cc:permits -- permits a particular use of the Work above and beyond what default copyright law allows.
  • cc:prohibits -- prohibits a particular use of the Work, specifically affecting the scope of the permissions provided by cc:permits (but not reducing rights granted under copyright).
  • ...

It seems that there is much less to the AP's announcement than meets the eye. If there's a story here, it's in the mismatch between the modest and reasonable underlying technology, and AP's grandiose claims for it.


Lessons from Amazon's 1984 Moment

Amazon got some well-deserved criticism for yanking copies of Orwell's 1984 from customers' Kindles last week. Let me spare you the copycat criticism of Amazon -- and the obvious 1984-themed jokes -- and jump right to the most interesting question: What does this incident teach us?

Human error was clearly part of the problem. Somebody at Amazon decided that repossessing purchased copies of 1984 would be a good idea. They were wrong about this, as both the public reaction and the company's later backtracking confirm. But the fault lies not just with the decision-maker, but also with the factors that made the decision more likely, including some aspects of the technology itself.

Some put the blame on DRM, but that's not the problem here. Even if the Kindle used open formats and let you export and back up your books, Amazon could still have made 1984 disappear from your Kindle. Yes, some users might have had backups of 1984 stored elsewhere, but most users would have lost their only copy.

Some blame cloud computing, but that's not precisely right either. The Kindle isn't really a cloud device -- the primary storage, computing and user interface for your purchased books are provided by your own local Kindle device, not by some server at Amazon. You can disconnect your Kindle from the network forever (by flipping off the wireless network switch on the back), and it will work just fine.

Some blame the fact that Amazon controls everything about the Kindle's software, which is a better argument but still not quite right. Most PCs are controlled by a single company, in the sense that that company (Microsoft or Apple) can make arbitrary changes to the software on the PC, including (in principle) deleting files or forcibly removing software programs.

The problem, more than anything else, is a lack of transparency. If customers had known that this sort of thing were possible, they would have spoken up against it -- but Amazon had not disclosed it and generally does not offer clear descriptions of how the product works or what kinds of control the company retains over users' devices.

Why has Amazon been less transparent than other vendors? I'm not sure, but let me offer two conjectures. It might be because Amazon controls the whole system. Systems that can run third-party software have to be more open, in the sense that they have to tell the third-party developers how the system works, and they face some pressure to avoid gratuitous changes that might conflict with third-party applications. Alternatively, the lack of transparency might be because the Kindle offers less functionality than (say) a PC. Less functionality means fewer security risks, so customers don't need as much information to protect themselves.

Going forward, Amazon will face more pressure to be transparent about the Kindle technology and the company's relationship with Kindle buyers. It seems that e-books really are more complicated than dead-tree books.

DRM is Dead / Long Live DRM: A Call for Transparency in the Emerald City

Obligatory disclaimer: I'm a student clinician in the Glushko-Samuelson Technology Law and Policy Clinic at the University of Colorado School of Law, and am, under the supervision of several law professors, representing Alex Halderman in the ongoing DMCA Anti-Circumvention Triennial Review. My opinions here are my own and not related to our representation of Alex, and don't necessarily reflect the opinions of the TLPC, CU, my professors, Alex, or anyone else. Finally, as Prof. Ohm likes to point out, I'm not a lawyer, and this isn't legal advice.

--

Reading Prof. Felten's post on "DRM in Retreat" earlier this year might have led one to believe that DRM was getting ready to take a long walk off a short pier wearing concrete shoes. However, the DRM town hall meeting hosted by the Federal Trade Commission this week in Seattle quickly disabused all in attendance of such a notion. While the anti-DRM pitchfork-and-torch set certainly made their voices heard, the repeated characterization by content providers of DRM as a necessary business model-enabler echoed through the courtroom nigh unchallenged.

Regardless of whether that characterization rings true, it's clear that some content providers are dead-set on encumbering their products with DRM, at least within the context of time- or functionality-limited models such as digital rentals, subscriptions, and streams. Furthermore, one need only look to the line-drawing problems faced by would-be software patent reformers to see that wholesale proscription or heavy-handed regulation of DRM might be impossible without causing undesirable side effects for applications such as document security, e-mail encryption, or even something as simple as file system permissions. Whether one views the continued presence of DRM as a survival instinct for content providers, the occupation of regulatory no-man's-land, or some combination of both, it seems that DRM is here to stay, at least for the foreseeable future.

DRM Harms

However, acquiescence to the potential presence of DRM in the digital ecosystem doesn't obviate the need for close scrutiny of DRM and its providers. DRM may expose consumers to surreptitious (and perhaps malicious) security, privacy, and technological risks. Further, content providers may combine DRM with impenetrably long EULAs and Terms of Service forms to hide key details of transactions, rendering seemingly unhindered and unlimited access to content revocable on a whim - or more frighteningly and irreparably, on the heels of provider bankruptcy.

Of course, the most serious cases may trigger legal action, such as a false advertising investigation by the FTC. Mary Engle, the Acting Deputy Director of the FTC's Bureau of Consumer Protection, succinctly put it this way:

If your advertising giveth and your EULA taketh away, expect the FTC to come calling.

Novel legal theories suggested by panelists at the town hall, such as digital fraud and an implied warranty of code safety, may come to supplement traditional class action remedies in other egregious cases. However, these remedies are likely to remain out of reach for most consumers. What, then, is the solution?

"Transparency" vs. Transparency

I argue that the key is technological and transactional transparency. Of course, I don't mean transparency in the Orwellian sense put forth by many of the content providers at the town hall, who consistently touted "transparency" as DRM not alerting a user to its presence (or perhaps more insidiously, as a bargain not alerting a user to undesirable terms). Indeed, the problems caused by many DRM security and privacy flaws are exacerbated by the fact that the flaws are hidden and thus fail to provide any warning until the consequences have become dire; similarly, hidden terms may create false expectations for the consumer, expectations that will shatter the moment the terms come out of hiding. Of course, it's positive when DRM stays out of a user's way, but that's not really transparency; it might more accurately be termed "seamlessness," as a lunch companion suggested today - a complement to, not a substitute for, real transparency.

Real transparency in this context is knowledge about how DRM works and all the terms of the corresponding bargain. Of course, transparency needs to happen on two levels to be effective: one for average consumers, and one for advanced consumers and consumer advocates that can act as effective proxies for average consumers (such as media outlets, security researchers, and so on). Thus, transparency maps onto the following quadrants:

| | Consumer Needs | Advocate Needs |
|---|---|---|
| Technological | Basic system requirements, internet connection, presence of DRM / copy protection, etc. | Advanced DRM operational details: phoning home, personal information disclosure, kernel level access, surreptitious software installation, self-modifying code, known security vulnerabilities, etc. |
| Transactional | Basic Terms: Time limitations (e.g., 24-hour rental period), high level device compatibility info, functionality limitations (e.g., 3-copy limit), etc. | In-Depth Terms: Disclaimers of fair use and first sale rights, mandatory arbitration provisions, damage limitations, arbitrary server deactivation waivers, etc. |

Of course, some high-level disclosures may be appropriate for consumers, but lack the necessary detail to be of use to sophisticated advocates; conversely, extensive disclosures may give advocates the information they need to know, but be overwhelming for consumers. The answer is not to use one or the other, but rather to use both. Conspicuous, standardized labeling and icons placed on packaging and online storefronts can alert consumers to the presence of DRM, key time and functionality restrictions, and high-level terms of the bargain, while extensive disclosures and operational details can be reviewed by consumer advocates to look for serious, unusual problems.

Transparency Sources

The primary source of disclosures, for better or for worse, is likely to be content providers themselves. Though it's naive to assume that providers will be able and willing to provide complete disclosure, existing examples such as the ESRB and the MPAA rating system show that the industry will be willing to play ball, at least to some extent, given the "raised eyebrow" of the FTC illustrated through proceedings such as the DRM town hall.

However, there are many disclosures that providers may simply remain unwilling or unable to make, particularly in the realm of security, where vulnerabilities may continue to come to light throughout the lifecycle of DRM technology. Except in limited circumstances, regulatory bodies like the FTC lack the ability to mandate disclosure, and Congress may be disinterested in weighing in on a debate with minimal political payoff.

Accordingly, consumer advocates must be able to engage in self-help to find the information in the disclosures themselves. While lawyers may be able to review EULAs for hidden terms, computer security experts may be unable to research the operation of DRM for security-related flaws for fear of liability under the DMCA. Accordingly, legal cover for security researchers (such as the DMCA exemption proposed by Alex) may be necessary to fill in gaps in DRM transparency.

(edited 3/28/09 at 2:25pm MT)

DRM In Retreat

Last week's agreement between Apple and the major record companies to eliminate DRM (copy protection) in iTunes songs marks the effective end of DRM for recorded music. The major online music stores are now all DRM-free, and CDs still lack DRM, so consumers who acquire music will now expect it without DRM. That's a sensible result, given the incompatibility and other problems caused by DRM, and it's a good sign that the record companies are ready to retreat from DRM and get on with the job of reinventing themselves for the digital world.

In the movie world, DRM for stored content may also be in trouble. On DVDs, the CSS DRM scheme has long been a dead letter, technologically speaking. The Blu-ray scheme is better, but if Blu-ray doesn't catch on, this doesn't matter.

Interestingly, DRM is not retreating as quickly in systems that stream content on demand. This makes sense because the drawbacks of DRM are less salient in a streaming context: there is no need to maintain compatibility with old content; users can be assumed to be online so software can be updated whenever necessary; and users worry less about preserving access when they know they can stream the content again later. I'm not saying that DRM causes no problems with streaming, but I do think the problems are less serious than in a stored-content setting.

In some cases, streaming uses good old fashioned incompatibility in place of DRM. For example, a stream might use a proprietary format and the most convenient software for watching streams might lack a "save this video" button.

It remains to be seen how far DRM will retreat. Will it wither away entirely, or will it hang on in some applications?

Meanwhile, it's interesting to see traditional DRM supporters back away from it. RIAA chief Mitch Bainwol now says that the RIAA is agnostic on DRM. And DRM cheerleader Bill Rosenblatt has relaunched his "DRM Watch" blog under the new title "Copyright and Technology". The new blog's first entry: iTunes going DRM-free.


Plenty of Blame to Go Around in Yahoo Music Shutdown

People have been heaping blame on Yahoo after it announced plans to shut down its Yahoo Music Store DRM servers on September 30. The practical effect of the shutdown is to make music purchased at the store unusable after a while.

Though savvy customers tended to avoid buying music in forms like this, where a company had to keep some distant servers running to keep the purchased music alive, those customers who did buy – taking reassurances from Yahoo and the music industry at face value – are rightly angry. In the face of similar anger, Microsoft backtracked on plans to shutter its DRM servers. It looks like Yahoo will stay the course.

Yahoo deserves blame here, but let's not forget who else contributed to this mess. Start with the record companies for pushing this kind of DRM, and the DRM agenda generally, despite the ample evidence that it would inconvenience paying customers without stopping infringement.

Even leaving aside past mistakes, copyright owners could step in now to help users, either by enticing Yahoo to keep its servers running, or by helping Yahoo create and distribute software that translates the music into a usable form. If I were a Yahoo Music customer, I would be complaining to the copyright owners now, and asking them to step in and stand behind their product.

Finally, let's not forget the role of Congress. The knowledge of how to jailbreak Yahoo Music tracks and transform them into a stable, usable form exists and could easily be packaged in software form. But Congress made it illegal to circumvent Yahoo's DRM, even to enable noninfringing use of a legitimately purchased song. And they made it illegal to distribute certain software tools to enable those uses. If Congress had paid more attention to consumer interests in drafting the Digital Millennium Copyright Act, or if it had passed any of the remedial legislation offered since the DMCA took effect, then the market could solve this Yahoo problem all on its own. If I were a Yahoo Music customer, I would be complaining to Congress now, and asking them to stop blocking consumer-friendly technologies.

And needless to say, I wouldn't be buying DRM-encumbered songs any more.

UPDATE (July 29, 2008): Yahoo has now done the right thing, offering to give refunds or unencumbered MP3s to the stranded customers. I wonder how much this is costing Yahoo.


DRM Not Dead, Just Temporarily Indisposed, Says RIAA Tech Head

The RIAA's head technology guy says that the move away from DRM (anti-copying) technology by record labels is just a phase, according to a Greg Sandoval story at News.com:

"(Recently) I made a list of the 22 ways to sell music, and 20 of them still require DRM," said David Hughes, who heads up the RIAA's technology unit, during a panel discussion at the Digital Hollywood conference. "Any form of subscription service or limited play-per-view or advertising offer still requires DRM. So DRM is not dead."

...

Last January, when Sony BMG became the last major recording company to sell DRM-free tracks at Amazon, plenty of observers considered the technology buried. Since then, a growing number of online stores have begun offering at least some open MP3s, including Walmart.com, Zune's Marketplace, Amazon, as well as iTunes.

Not so fast, said Hughes, who predicted that DRM would reemerge in a big way. "I think there is going to be a shift," he told the audience. "I think there will be a movement towards subscription services, and (that) will eventually mean the return of DRM."

The imminent success of subscription services with DRM is more or less what the record industry was predicting several years ago. It didn't happen, mostly because customers found the services clunky and inflexible – DRM at its worst. Nothing has changed to make DRMed subscription services more attractive. If anything, these services look even worse in light of the trend toward selling DRM-free tracks.

I can see the argument for selling large bundles of music rather than selling one track at a time. Bundling makes economic sense, given the huge storage capacity of today's devices. The iPod of the future won't be filled one track at a time.

But clunky DRM-based subscription services aren't the only way to sell bundles of songs, and there are probably good ways to sell subscriptions without DRM. If you're worried that a customer will subscribe for one month, download a zillion songs, cancel the subscription and keep the songs, then you can limit the number of downloads per month, or require a longer subscription period. If you can sell songs without DRM – and we know now that you can – there ought to be a way to sell a friendly subscription service too.

On this issue, the RIAA's members may be ahead of the RIAA itself. There are encouraging signs that some of the major record companies are recognizing the need to rebuild their business strategy for the Internet era.


Three Down, One to Go: Warner Music to Sell MP3s

Warner Music will sell music through Amazon's online store without DRM (copy protection) technology, according to a New York Times story by Jeff Leeds. This is a big step for Warner, given that earlier this year Warner CEO Edgar Bronfman said that selling MP3s would be "completely without logic or merit."

The next question is whether Warner will make a deal with Apple to sell MP3s on iTunes too. The NYT article says Warner plans to do so, but the LA Times implies the opposite. The two other majors that sell MP3s are split on this point, with EMI selling MP3s through multiple stores including iTunes, and Universal Music selling MP3s through other online stores but refusing to do so through iTunes. Is Warner willing to inconvenience its customers in order to undercut Apple?

By the way, the Times article makes a simple but common mistake, in saying that "the industry faces increasing pressure to bolster digital music sales as its traditional business — selling CDs — suffers a sharp decline." CDs are digital too, and they lack DRM (attempts to add DRM to CDs failed disastrously), but news stories and commentary often ignore these facts. I guess "Warner to adopt another DRM-free digital format" wouldn't seem quite so newsworthy.

Three of the four majors (all but SonyBMG) now sell MP3s. It's only a matter of time before the last domino falls, and the industry can move on to the next stage in its evolution.
