Digital rights management (original) (raw)
Digital rights management or digital restrictions management, commonly abbreviated DRM, is an umbrella term for any of several arrangements by which the usage of a copyrighted digital work can be restricted by the owner of the rights to the work. The actual arrangements are called technical protection measures (although the distinction between the two terms is not particularly clear).
Although technical protection measures for software have been common since the 1980s, DRM is increasingly being used for creative works too. Some would like to use DRM mechanisms to protect other "proprietary information", particularly trade secrets and uncopyrightable facts in databases (see also database protection laws).
In contrast to existing legal restrictions which copyrighted status imposes on the owner of a copy of any such data, most DRM schemes would enforce additional restrictions to be imposed solely at the discretion of the copyright holder. In the extreme, such control is proposed within other's computers and computerized devices as a 'part' of the operating system. The Trusted Computing Platform Architecture scheme proposed by the Trusted Computing Platform Alliance is an example, as is the Palladium scheme proposed by Microsoft for its future operating systems. (See Professor Ross J Anderson's TCPA / Palladium FAQ for more information on both). This creates the prospect of a computer system which can't be trusted to protect the rights of its owner, because they can be remotely manipulated at any time, regardless of the legal merits of the change. Such concerns are among those which prompted China to make a strategic decision to switch from the Microsoft Windows operating system to something more assuredly trustworthy.
Several laws relating to DRM have been proposed or already enacted in various jurisidictions (State, Federal, non-US). Some of them will require _all_ computer systems to have mechanisms controlling the use of digital media. (See Professor Edward Felten's freedom-to-tinker Web site for information and pointers to the current debate on these matters).
An early example of a DRM system is the Content Scrambling System (CSS) employed by the DVD Consortium on movie DVD disks. It was originally developed by Matsushita in Japan. The data on the DVD is encrypted so that it can only be decoded and viewed using an encryption key, which the DVD Consortium kept secret. In order to gain access to the key, a DVD player manufacturer had to sign a license agreement with the DVD Consortium which restricted them from including certain features in their players such as a digital output which could be used to extract a high-quality digital copy of the movie. Since the only hardware capable of decoding the movie was controlled by the DVD Consortium in this way, they were able to impose whatever restrictions they chose on the playback of such movies. See also DIVX for a more draconian and less commercially successful variation which is no longer marketed. The name is also used (DivX), in ironic tribute to the defunct disk 'protection' scheme, for a video compression protocol, akin to MPEG-4.
To date, all DRM systems have failed to meet the challenge of protecting the rights of the rights holder while also allowing the use of the rights of the purchaser. None have succeeded in preventing criminal copyright infringement by organized, unlicensed commercial sellers. Flaws of some well known systems include:
- DIVX: Required a phone line, inhibiting mobile use. To take a work for which unlimited plays had been purchased (called DIVX Silver) to a friend's home, it was necessary to carry a 30lb DVD player as well as the light and compact disc; or to telephone the DIVX service and have the player of the friend transferred to the account of the purchaser of the work, then call again to have it switched back. Restricted fair use, such as creation of compilations, by the purchaser. Restricted sale or lending of purchased works, which had the account of the original purchaser permanently recorded on the DIVX Silver disk.
- CSS: Restricts the ability to buy in one country of residence and take to another country of residence, because CSS is used to enforce Region Coding. Restricts fair use and first purchaser rights, such as creation of compilations or full quality reproductions for the use of children or in cars. Restricted the ability to play works on any player of choice (notably Linux computers) until the advent of DeCSS and academic analysis of the quality of the encryption found to be flawed. Full quality digital copies can now be easily made, making fair use by normal consumers easier. Didn't prevent the very wide sale of physical and digital copies of works by criminal gangs, even before the system was found to be flawed.
Digital Millennium Copyright Act
The Digital Millennium Copyright Act was passed in the United States in an effort to make the circumvention of such systems illegal. It was passed without debate, and without even token opposition, Congress being apparently under the impression that it was a 'technical' enactment, without significant public policy implication. It has been widely imitated elsewhere by other governments.
Despite this law, which has since received substantial opposition on Constitutional grounds, it is still relatively easy to find DVD players which bypass the limitations the DVD Consortium sought to impose. John Hoy of the DVD Copy Control Association in testimony to the Library of Congress stated "furthermore, if a consumer in the United States desires to view a DVD disc that has been region coded only for Europe, then that consumer is free to purchase a DVD player (either hardware or software) that is coded to play European DVDs. No legal restrictions apply-either through the CSS license or otherwise-to the importation and use of non-U.S. region players in the United States." (reply comments, comment 28, page 4).
There has been a widely publicized arrest and arraignment of a Russian programmer, Dimitri Skylarov, for violation of the DMCA. He did the work cited for his employer, Elcomsoft, while in Russia, where it was and remains entirely legal. The product allowed those who were in possession of a password, presumably lawfully obtained along with the encrypted copy of the work, to make copies without encryption locking them to use on a single computer. Skylyrov was arrested on a criminal warrant during a lecture visit to the US, and spent several months in jail until a compromise was reached. The criminal case against Elcomsoft resulted in acquittal. See Professor Edward Felton's freedom-to-tinker Web site [1] for some observations on the DCMA, its proposed successors, and their consequences, intended and unintended hilarious.
The DMCA is also causing a chill in the activities of fully legitimate computer scientists. Professor Felten, at Princeton, has had difficulty publishing papers he and his students have written; they were related to a contest sponsored by a security software company inviting investigation into a product design (!). (See Internet postings in Felten v RIAA). Alan Cox, the Englishman who was Linus Torvalds chief deputy thoughout almost the entire first decade of the development of Linux, has resigned his position due to his concern that a criminal charge might be laid against him as a result of some code in the Linux kernel. He has even declined to post explanations of some changes made in the kernel (the changelog is fundamental to the project) because of his concern about the DMCA; such explanations might be seen as a DMCA 'disclosure'. And he has declined to attend US software conferences for the same reason. Neils Ferguson, a Dutch cryptography expert and security consultant, discovered a flaw in an Intel security protocol, told Intel about it and was told that Intel had no objection to his publishing a paper about the problem. He has nevertheless decided not to publish. He also is concerned about being arrested under the DMCA.
New DRM initiatives have been proposed in recent years which could prove more difficult to circumvent, including copy-prevention codes embedded in broadcast HDTV signals and the Palladium operating system. A wide variety of DRM systems have also been employed to restrict access to eBooks. See the TCPA/Palladium FAQ [1] maintained by Professor Ross J. Anderson for a clear discussion of two prominent proposals.
Opponents of DRM, as envisioned and as currently implemented, note that by delegating control of computer access (or control of the ability to execute some programs, or to execute programs only with certain data) to anyone except the user and the machine's administrator(s), there is a very considerable risk of problems caused by such third party interference which go well beyond any control of intellectual property rights issues.
For instance, due to a bug (or misdesign, or misadministration of an otherwise 'reasonable' design) the protecting software (eg, in a TCPA computer or in the Palladium DRM portion of an operating system) implementing the local part of a DRM scheme may prevent a computer user from using his computer at all, or from using programs (or using data as an input to a program) when such use is actually completely legitimate and not a violation of any copyright holders' rights. Or, for another instance, a legitimately purchased copy of might be blocked because it is being used on equipment which doesn't include the DRM function permitting access to it. Currently, DVDs legally purchased in some places are not playable in other places for exactly these reasons, although in this case it is marketing considerations and not 'security' which is the reason for the restriction. DRM provisions have already appeared in released versions of some Windows operating system subsystems (eg, Media Player) and are scheduled in more as Palladium is implemented in currently planned, not yet released, versions of Windows.
Security protocols, software implementing security protocols, and cryptography have historically proven extremely difficult to design without vulnerabilities due to bugs or design mistakes. This has been true of designs from experienced and well respected professionals; the record is abysmally poor for those inexperienced in cryptography and security protocols.
DRM advocates
Some DRM advocates have suggested (and some legislation has actually been introduced to authorize) that copyright owners be given the ability to remotely delete information from others' computers when, in the view of the copyright holder (or more accurately the copyright holder's software), it is not being legitimately held. One such suggestor is a senior US Senator, chairman of a committee with jurisdiction in this field.
The prospect of a bug or maldesign in the software implementing any such scheme is more than a little disturbing to many. They point out that we have demonstrated (by frequent and long extant virus infestations, by system software security errors, by misconfiguration of software of all kinds, and by software failure -- both system and application) that we don't currently know how to design software that does something just as intended and nothing else. How much less likely are we likely to get right software which must do something quite dangerous (ie, file or program deletion, interfering with system operation to prevent copyright infringement) in only _somewhat_ foreseeable circumstances? Pattern recognition software is not yet fully capable of even distinguishing the predictable (ie, has this <fingerprint, iris="" pattern,="" retinal="" face,="" ...=""> been seen before? It does not seem likely that any system we can currently design and implement it will be able to reliably distinguish between and others, perhaps including not yet existing documents, parodies, samplings, and so on, especially when the legitimacy of possession or use depends entirely on outside the computer facts such as purchaser identity, terms of purchase, details of license contracts applicable to this particular copy of the and this particular situation, and so on.</fingerprint,>
DRM advocates have taken the position, in essence, that DRM / security / cryptography design goals and operational contexts are sufficiently well understood, and software engineering is also sufficiently well understood and will be so practiced, that it is already possible to achieve the desired ends without causing unrelated problems for users, their computers, or those who depend on either. In essence, they claim that there is no technical, engineering competence, problem foreseeable with such software.
Thus far, neither side has compelled the other to agree, though there has been much heat and little enlightenment. Legislation to impose, by force majure, a DRM 'solution' on all is under consideration in many jurisdictions, including the US Congress. Some has already been enacted. DRM advocates are still having no little difficulty explaining why DRM software is more likely to be done right than software for
- NASA Mars landers (confusion between metric and British units by the programmer of a small part of the software associated with the landers caused their loss),
- Ariane rockets (software for an earlier version was reused without realizing that what had been an error condition would not be one in the new version),
- frequently discovered security flaws in widely distributed software from very large software companies (a relatively recent statement of commitment to bug reduction and to security by the Chairman of one such company has been followed by many more such breaches), and even
- assembly line robots (eg. welders, painters, assemblers) who have killed several persons so far (though in each case so far it has been argued that it was the unanticipated actions of the person, not bad programming, which lead to death. The implied engineering standard is, oddly, that unacceptable behavior (killing people) is unfortunate, but not evidence of bad programming, because the program design neglected to consider all cases, and that's OK).
All of these examples are of systems whose designers and implementors were highly motivated to get right, and had very substantial resources available to do so. Less intensively engineered software is more, rather than less, likely to have problems.
An early example of a DRM scheme is that currently protecting textbooks required in some US Dental Schools. The textbooks are available only on CD, and are readable in a computer only for a limited time, after which the CD 'expires' and the information in the 'CD book' becomes unavailable. Some of these books are not available on paper at all. Those who still have their college or graduate school texts might find this quite surprising. Dental students whose textbooks have evaporated may be expected to be somewhat different as dentists than their predecessors whose instructional materials were less evanescent.
Examples of existing "digital rights management" and "copy protection" systems:
- Serial copy management system (SCMS)
- Macrovision
- iTunes (which incorporates Apple's FairPlay DRM for content downloaded through the iTunes Music Store.
- Windows Media Player (using Windows Media Audio or Windows Media Video, which both support DRM)
DRM and document restriction technology
Opponents of DRM have noted that the proposed use of some DRM schemes to restrict the ability to copy and distribute documents can be used by criminals as a means of preventing enforcement of laws against fraud and other wrongdoing. Since DRM is unlikely to be so used by individual criminals, only organized (ie, corporate) skullduggery is likely to be concealed this way.
See also: copy protection XrML