Standards and specs: Digital rights management: When a standard isn't

    
http://www-128.ibm.com/developerworks/power/library/pa-spec11/?ca=dgr-lnxw06
StandardDRM

01 Nov 2005

    Whether you're a buyer or a seller of a product, the essential goal of
standardization is to make interoperability possible, allowing communication
with anyone else using the same protocol and media. In some cases though,
vendors have specific reasons for not being compatible -- and those vendors
have developed a standard for incompatibility, digital rights management
(DRM). The goal of DRM is to limit compatibility because things which are
compatible can be copied and distributed freely. In this installment, Peter
Seebach looks at a potential oxymoron -- standards designed to subvert and
prevent interoperability.

The essential goal of standardization is to make interoperability possible.
Whether you're buying or selling a product, standardization makes your life
easier -- a standard for media allows you the freedom to buy whatever media
reader you like, confident that you can use the broad variety of compatible
media. A standard protocol allows communication with anyone else using the
same protocol.

In some cases, vendors have specific reasons why they don't want to be
"quite" compatible. The umbrella term is digital rights management (DRM).
The goal of DRM technology is to simply limit compatibility because things
that are compatible can be copied and distributed freely. The majority of
DRM technology is aimed at ensuring that people pay for products they might
otherwise just make copies of.

However, some DRM technology has other goals. DVD region coding affects the
playback of media rather than the copying of it; even the original media is
restricted.

Ironically, a number of standards have to do with DRM -- these standards
exist to subvert and prevent interoperability. The tension between the
inherent nature of standards and this particular usage of standards produces
a variety of interesting counter-examples, technical curiosities, and other
things worth closer examination.

What is interoperability?

Interoperability is one of the things people talk about when promoting
standardization. The idea is that things which comply with a standard can be
used together. If I have two devices with IEEE 1394 ports, they should be
able to talk to each other. If I have two devices which advertise
compatibility with the USB 2.0 spec, they should be able to communicate. Any
drive which reads Compact Disc media should be able to read any Compact
Disc. A device sold as an MP3 player should play MP3 files.

Once for about six hours, I owned an RCA "Lyra" device, sold as an MP3
player, which could play only files in a special format that a proprietary
program created; actual MP3 files came out as static. The company advertised
the device as an MP3 player, but in fact, it wasn't compatible with the MP3
standard. The DRM technology they used to restrict playback to files
generated by an "approved" program had the side-effect of making the device
incompatible with my computer.

Interoperability is such a benefit to everyone that it almost seems too
obvious to mention the fact. Would you buy a CD containing music which you
could listen to at home but not in the car? No. Would you buy a CD player
which could play only some of the available music on CDs? No.
Interoperability allows vendors to sell their products to a wider audience,
making those products more desirable. It makes them more useful.

On its face then, the notion of intentionally limiting interoperability
seems crazy. However, the DVD standard has been carefully designed to do
just that, by a mechanism called region coding. The idea is that the world
is divided into regions. A DVD that will play in one region will not play in
another. This contradicts the very idea of having a standard to begin with.
Why even bother calling the incompatible devices by the same name?

To be fair, a DVD need not be coded for a specific region. Interoperability
is not outright forbidden by the specification. The specification merely
allows for attempts to prevent interoperability.


    Back to top


Reasons for control

The idea of limiting interoperability like this did not appear out of thin
air. People want to constrain interoperability for a number of reasons. This
concept represents a battle between hardware vendors who generally like
maximal interoperability and data dealers who have some reasons to limit it.
DVD region coding is, as the name suggests, largely about controlling where
movies are released.

Another variety of DRM, copy protection, is based on the desire to keep more
than a limited number of entities from interoperating with a given product
at once. A program for an established platform can interoperate with -- run
on -- millions of computers. Some vendors, however, prefer to get paid
millions of times (once for each of those millions of copies) rather than
getting paid once and having millions of copies made.

Similarly, music vendors have expressed grave concerns about the potential
for many users to interoperate with a single CD. The elaborate rules on DAT
machines for keeping track of "allowed" copies and such were a great example
of a feature which had the primary effect of adding substantial cost to a
platform to no one's actual benefit.

For an example (which isn't quite DRM, but is an excellent example of vendor
control), look at the way cheaper inkjet printers control print cartridges.
Some printers out there are physically identical but won't take each others'
cartridges, or a cheaper printer takes only the more expensive cartridges. A
large portion of the cost of building such print cartridges is the elaborate
techniques used to keep you from using cheap generic ink, keep you from
refilling cartridges, and so on. This is especially common on unusually
cheap inkjet printers which might be sold at a loss in order to generate the
more lucrative sales of ink cartridges -- in other words, give away the
razor and sell the blades. (See Resources.)

The fundamental justification for standardization is economic. Standards are
driven by the economic goals of communities that realize that shared
interoperability improves return on investment. DRM is driven by the
economic goals of vendors who believe that limiting interoperability will in
some way improve their return on investment, generally at the expense of
everyone else's ROI.


    Back to top


Making other companies cooperate

A mystery remains. It is obvious why people selling movies might like to
restrict access to those movies so they can control sales, engage in
marketing campaigns, and do all the other things vendors love to do. What is
not obvious is why the seller of a DVD player would want to provide for such
limitations.

Actually, the answer is simple -- there is licensing for the technology; a
player that won't enforce these restrictions can't get licensed.

Friction exists between DRM efforts and the work vendors often do on
compatibility. High-end CD-ROM drives which do their best to accommodate
defective media might not work with some copy-protection schemes which
depend on the drives failing in predictable ways; the copy protection scheme
might falsely identify an original disc as a copy. Ink and toner vendors,
who want to sell cartridges for popular printers, fight fiercely against the
efforts of printer vendors to monopolize sales of supplies for their
printers.


    Back to top


When to use DRM and similar technologies

If you can avoid DRM and like technologies, do. DRM technologies are very
inconvenient to regular users. The chance of a technique withstanding
serious efforts at bypassing it is miniscule (Resources); the chance of it
inconveniencing legitimate users is high. A famous example is a company
selling music on CD-shaped things (Philips, it is said, denied them the use
of the Compact Disc logo) which caused the firmware in some CD-ROM drives to
crash, resulting in a drive that could only be opened by physical force. No
one was impressed. (Actually, the editor of this article was impressed: She
didn't realize that it was possible to create a piece of aluminum-in-plastic
that could keep a CD-ROM drive from ejecting. Such a piece of sabotage is
impressive!)

Jim Baen of Baen Books explained his company's choice to distribute many
books in completely unprotected formats:

    Because not only are our readers, in the main, not thieves, but because
there is nothing there that is stealable.

Baen's experience (and he has several years of experience, complete with
records showing the results) has been that making an electronic copy of a
book available for free does not hurt sales of that book (Resources). Lest
people think this has been tried only with old titles that aren't selling,
the company has at least twice put out hardcover, first-edition books with
the entire book text on CD-ROM and blanket permission to copy and distribute
that text non-commercially. (I bought both of them within a week or so of
their release.)

Curiously, many DRM advocates (and groups such as the RIAA) are quick to
claim that unrestricted copying has deleterious effects, but supporting data
is very slim. The people who have actually tried the experiment and made
something easy to copy have, thus far, reported consistently positive
outcomes.

Don't think for a moment that DRM will have any real effect on organized
attacks. The folks that send all that spam about complete suites of Adobe
software for US$20 are not going to be deterred by any DRM system you ever
see.


    Back to top


What to do when you have to use DRM

In some cases, economic considerations or licensing might require the use of
DRM technologies. A number of considerations can minimize the harm this does
to interoperability and the essential goals of standardization.

The first and most important is full disclosure. If you are selling round
silvery plastic things which do not fully conform to the Compact Disc
standard, you have an ethical obligation to warn people (and for those of
you who might be morally challenged, you might also have a more concrete
legal obligation -- so you might as well be safe). Make sure that all retail
packaging clearly warns potential users about known incompatibilities,
whether they are intentional or not. (You know, like those
application-software bugs that the company likes to call "features.") If you
sell a thing which is intended to play in CD players but not to be readable
on a computer, be sure to warn the consumer. Some consumers (myself
included) haven't used an actual CD player to play an actual CD in years.

Try to find ways to work within standards as much as possible. In some
cases, a technological solution is not the best one at all. For instance,
tying customer support to licensing may provide sufficient incentive for
people to buy a product without any need for elaborate copy protection and
hardware dongles.

Restrictions on number of uses are a bad choice. Apple has gotten some
fairly strongly worded negative feedback from a few early adopters whose
habit of buying each slightly faster PowerBook ran them out of
"authorizations" for some iTunes songs.

Following are some other concerns to keep in mind if you just have to use
DRM technology.

Explore standard options

Silly as a standard designed to limit interoperability might be, it's a lot
better than no standard at all. For instance, though many users dislike
region coding, at least you can generally predict it. (Not always, though. I
once had some backups I burned to DVD that refused to mount because they
allegedly had the wrong region code.)

Investigate the existing options -- if there are any -- and see what people
think about them. Check bulletin boards for complaints. A copy-protection
scheme which causes a substantial number of legitimate users to learn to
bypass it is not helping the vendor or the emptor.

Be very careful to consider the impact of a DRM scheme on your standards
compliance. The Compact Disc format is a real standard, designed to allow
interoperability. Many attempts to subvert this with DRM have resulted in
failure to comply with the CD standard -- and thus have disqualified the
resulting media from being considered Compact Discs. (And if you think a few
extra copies is damaging to your sales numbers, see what being branded
"non-compatible" can do to your product campaign!)

Failure to comply with a standard can hurt you badly since consumers quickly
learn which round silvery things aren't really Compact Discs and might not
work in their standard hardware.

Cut your losses

Whatever you are hoping to accomplish by adopting DRM, remember that it will
only work some of the time (as in "you can only fool some of the people. . .
"). Do not try to eliminate every possible hole in your system. It's
impossible, and the marginal cost is huge. Worse yet, the marginal harm done
to the legitimate users who are trying to use your product within the
intended boundaries is even larger. I have been tasked to find workarounds
for the copy-protection scheme of dozens of games (and even once of an
operating system) when the copy-protection scheme didn't work correctly. I
have determined that it's not worth it. Lots of your potential customers
will come to the same conclusion.

The fact is, a few DVD players out there shipped with a "factory testing"
mode can play DVDs from any region. There are people out there who have
bought a US$70 program with the sole intent of being able to burn copies of
your copy-protected CD or just bypass the copy protection entirely.

Don't sweat it. You can't beat everyone all the time. Trying to do so will
just make things worse.

Do not, under any circumstances, file silly lawsuits over this. Most of what
the publicity will do is only end up hurting you -- as an effective
deterrent, individual lawsuits are a bust. Everyone has heard the story of a
student who realized that a company's elaborately researched scheme to
prevent a CD from being ripped into MP3s could be defeated by holding down
the shift key, and was promptly sued for US$10 million in damages (the suit
was withdrawn the same day). This kind of behavior does not endear one to
users.

Legitimate users

Don't forget that legitimate users are out there. If you try to keep them
from doing something perfectly reasonable, your best hope is that they will
simply bypass your copy protection. Your worst fear is that they find a
competing technology (after all, if you weren't in competition with someone
else, you wouldn't be worried about DRM now would you?), adopt it, and
entice their friends to adopt it, too.

My laptop has 17GB of CD-ROM and DVD-ROM image files on it, carefully
constructed to allow me to run programs that think they need the original
program CD to run. I travel a lot and I play a lot of video games -- I have
no intention of carrying an extra twenty CDs around with me, many of which
it would be impossible for me to buy replacements of today. So instead, I
use CD image files mounted in virtual drives. For most games, that works.
For the remainder, well, let's just say I have been known to chew up many
hours of your technical support time getting a game debugged. And if you
spend more money paying for the support than I paid you for the game, you
lose.

It might be that I am in some way offending the sensibilities of the
developers whose games I bought (and which I now run using drive emulation).
Remember, though: They got their money. They have no grounds for complaints.
The copy protection is still inconveniencing me, but it's inconveniencing me
a little less than it used to. If a program's copy protection is too
annoying, I will generally find a workaround.

And an important point to consider -- I'm still a legitimate user. I'm
buying software retail (I even tend to buy things for full price when
they're new). Likewise, I have four crates full of CDs, all carefully stored
away in case I ever want to re-convert them into MP3s.

If your poorly-designed DRM forces legitimate users to break your copy
protection, consider it too intrusive and back off. In fact, one developer
did disable the SecuROM copy protection because a new version of the
protection algorithm prevented the game from running on many computers. This
was a smart move, designed to ensure that they didn't lose a potential
market for their product. Once again, when the people who pay you US$50 for
your product have to download cracks from the Internet to avoid problems (in
some cases, actual physical damage to machines!), it's a clear sign that you
have taken things too far.

Even DRM advocates run afoul of this. Michael Gartenberg, a DRM proponent,
said in a personal blog entry:

    I finally took matters into my own hands. With a little help from a
lovely free program, I was able to take all my MSFT .lit files and convert
them to unprotected .PDF files for Tablet viewing and Word files that
converted easily to eReader format.

Feel no shame, Michael; that's just the reality of the situation. DRM which
doesn't work perfectly for a legitimate user will be bypassed.


    Back to top


Why it doesn't work

Science fiction writer (and giver-awayer of many books) Cory Doctorow, in
his presentation to Microsoft®, explained it very simply. Any DRM technology
has to make it possible for the user to use your material. If it's based on
encryption, you have to give them some way to decrypt the material to see
it. And any system based on handing people the cipher algorithm and the key
along with the ciphertext is not going to stay secure for long.

That's why it doesn't work. The next question is whether we should try to
make it work -- the answer is no. The fact is, this is all about trying to
undo the economic benefits of standardization, and it's not worth it, even
for those who support it with the most vigor.

Every experiment has consistently shown that DRM technology is not achieving
its users' goals. Publishers and authors who give away free books make more
money; according to Baen Books, putting up a book for free on its Web site
increased sales of that book, not just other books by the same author.
Musicians who give away free music make more money (Janis Ian has talked
about this a lot; see Resources).

Work on DRM consumes a lot of time and a lot of money, trying to develop a
technology that by its very definition can't actually sustain or achieve the
goals for which it is designed. The more elaborate our attempts to enforce
DRM by law or by technology, the more resources we're wasting trying to undo
all the progress we've made towards interoperability and efficiency.


    Back to top


Resources

    * Brad Wardell, who has made a living selling games without copy
protection, argues that copy protection is useless or worse. (From
JoeUser.com)

    * In this most excellent talk to the suits at Microsoft, Cory Doctorow,
a published author who gives his books away online, discusses DRM
technologies (more specifically, he concludes that they don't work, they're
bad for business, bad for artists, bad for users, and to drive the point
home, bad for Microsoft).

    * Of course, it could be worse; some DRM systems install a rootkit on
your machine, permanently interfering with system maintenance and creating
new security holes.

    * In FiringSquad (home of the hardcore gamer), Jakub Wojnarowicz points
out that Brad Wardell's (see the first Resource) most famous and successful
game, Galactic Civilizations, doesn't use any copy protection.

    * Welcome to the Baen Books Free Library -- Baen just gives books away,
no copy protection, at all. It works great.

    * Speaking of which, many science fiction writers post complete stories
online, for free. They don't seem to be the worse for wear.

    * Janis Ian writes about the ballyhoo over DRM raised by the music
industry, how little she fears having people "steal" her music online, and
how much sales of CDs increase every time they post new free downloads on
her site.

    * After an amazing response to previous article, Janis Ian tells us some
of the things she learned -- my favorite quotes Steven Levy in Newsweek:
"Why are the record labels taking such a hard line? My guess is that it's
all about protecting their internet-challenged business model."

    * Tim O'Reilly alerts us to Authors Guild plans to sue Google over its
online library search technology -- it claims the search will hurt authors'
rights. (From the New York Times)

    * Company uses lawsuit to outlaw "SHIFT" key. As the Daily Princetonian
points out, this lawsuit disappeared as quickly as it was proposed. And,
SunnComm's abrupt reversal of plans to sue for circumventing their copy
protection scheme is a fascinating read.

    * A DRM advocate explains why he had to bypass some DRM.

    * Luckily for nearly everyone, courts have not upheld attempts to use
copy-protection law to protect print cartridges from being replaced with
functional equivalents.

    * If you can sell cartridges in one country for more than in another,
why not use region coding (like HP in this example) to keep people from
importing the cheaper cartridges?

    * Richard Stallman takes us to a terrifying future where they've
outlawed book-sharing, making book-lenders outlaws.

    * Seems lots of different approaches exist to circumvent Apple's DRM
FairPlay, including hymn and JHymn, Real Harmony, and PyMusique.

    * This BBC article notes that DRM efforts seem poised to have two
effects: No guarantee that they'll prevent piracy and could mean more
confusion for consumers with further fragmentation of file formats.

    * Of course, there's been plenty of talk about open source digital
rights management delivery systems -- the EFF still thinks that no DRM is a
good DRM.

    * Ken Kutaragi, president of Sony Computer Entertainment, said recently
that Sony's earlier insistence on being overly proprietary about content
caused the company to lose out on sales. In fact, according to this story,
the company is now showing consumers how to get around its DRM.



    Back to top


About the author

Peter Seebach
    

Peter Seebach is a perfect example of DRM -- he is usable in your system,
but just try to replicate him!



You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.

Reply via email to