Standards and specs: Digital rights management: When a standard isn't
http://www-128.ibm.com/developerworks/power/library/pa-spec11/?ca=dgr-lnxw06 StandardDRM 01 Nov 2005 Whether you're a buyer or a seller of a product, the essential goal of standardization is to make interoperability possible, allowing communication with anyone else using the same protocol and media. In some cases though, vendors have specific reasons for not being compatible -- and those vendors have developed a standard for incompatibility, digital rights management (DRM). The goal of DRM is to limit compatibility because things which are compatible can be copied and distributed freely. In this installment, Peter Seebach looks at a potential oxymoron -- standards designed to subvert and prevent interoperability. The essential goal of standardization is to make interoperability possible. Whether you're buying or selling a product, standardization makes your life easier -- a standard for media allows you the freedom to buy whatever media reader you like, confident that you can use the broad variety of compatible media. A standard protocol allows communication with anyone else using the same protocol. In some cases, vendors have specific reasons why they don't want to be "quite" compatible. The umbrella term is digital rights management (DRM). The goal of DRM technology is to simply limit compatibility because things that are compatible can be copied and distributed freely. The majority of DRM technology is aimed at ensuring that people pay for products they might otherwise just make copies of. However, some DRM technology has other goals. DVD region coding affects the playback of media rather than the copying of it; even the original media is restricted. Ironically, a number of standards have to do with DRM -- these standards exist to subvert and prevent interoperability. The tension between the inherent nature of standards and this particular usage of standards produces a variety of interesting counter-examples, technical curiosities, and other things worth closer examination. What is interoperability? Interoperability is one of the things people talk about when promoting standardization. The idea is that things which comply with a standard can be used together. If I have two devices with IEEE 1394 ports, they should be able to talk to each other. If I have two devices which advertise compatibility with the USB 2.0 spec, they should be able to communicate. Any drive which reads Compact Disc media should be able to read any Compact Disc. A device sold as an MP3 player should play MP3 files. Once for about six hours, I owned an RCA "Lyra" device, sold as an MP3 player, which could play only files in a special format that a proprietary program created; actual MP3 files came out as static. The company advertised the device as an MP3 player, but in fact, it wasn't compatible with the MP3 standard. The DRM technology they used to restrict playback to files generated by an "approved" program had the side-effect of making the device incompatible with my computer. Interoperability is such a benefit to everyone that it almost seems too obvious to mention the fact. Would you buy a CD containing music which you could listen to at home but not in the car? No. Would you buy a CD player which could play only some of the available music on CDs? No. Interoperability allows vendors to sell their products to a wider audience, making those products more desirable. It makes them more useful. On its face then, the notion of intentionally limiting interoperability seems crazy. However, the DVD standard has been carefully designed to do just that, by a mechanism called region coding. The idea is that the world is divided into regions. A DVD that will play in one region will not play in another. This contradicts the very idea of having a standard to begin with. Why even bother calling the incompatible devices by the same name? To be fair, a DVD need not be coded for a specific region. Interoperability is not outright forbidden by the specification. The specification merely allows for attempts to prevent interoperability. Back to top Reasons for control The idea of limiting interoperability like this did not appear out of thin air. People want to constrain interoperability for a number of reasons. This concept represents a battle between hardware vendors who generally like maximal interoperability and data dealers who have some reasons to limit it. DVD region coding is, as the name suggests, largely about controlling where movies are released. Another variety of DRM, copy protection, is based on the desire to keep more than a limited number of entities from interoperating with a given product at once. A program for an established platform can interoperate with -- run on -- millions of computers. Some vendors, however, prefer to get paid millions of times (once for each of those millions of copies) rather than getting paid once and having millions of copies made. Similarly, music vendors have expressed grave concerns about the potential for many users to interoperate with a single CD. The elaborate rules on DAT machines for keeping track of "allowed" copies and such were a great example of a feature which had the primary effect of adding substantial cost to a platform to no one's actual benefit. For an example (which isn't quite DRM, but is an excellent example of vendor control), look at the way cheaper inkjet printers control print cartridges. Some printers out there are physically identical but won't take each others' cartridges, or a cheaper printer takes only the more expensive cartridges. A large portion of the cost of building such print cartridges is the elaborate techniques used to keep you from using cheap generic ink, keep you from refilling cartridges, and so on. This is especially common on unusually cheap inkjet printers which might be sold at a loss in order to generate the more lucrative sales of ink cartridges -- in other words, give away the razor and sell the blades. (See Resources.) The fundamental justification for standardization is economic. Standards are driven by the economic goals of communities that realize that shared interoperability improves return on investment. DRM is driven by the economic goals of vendors who believe that limiting interoperability will in some way improve their return on investment, generally at the expense of everyone else's ROI. Back to top Making other companies cooperate A mystery remains. It is obvious why people selling movies might like to restrict access to those movies so they can control sales, engage in marketing campaigns, and do all the other things vendors love to do. What is not obvious is why the seller of a DVD player would want to provide for such limitations. Actually, the answer is simple -- there is licensing for the technology; a player that won't enforce these restrictions can't get licensed. Friction exists between DRM efforts and the work vendors often do on compatibility. High-end CD-ROM drives which do their best to accommodate defective media might not work with some copy-protection schemes which depend on the drives failing in predictable ways; the copy protection scheme might falsely identify an original disc as a copy. Ink and toner vendors, who want to sell cartridges for popular printers, fight fiercely against the efforts of printer vendors to monopolize sales of supplies for their printers. Back to top When to use DRM and similar technologies If you can avoid DRM and like technologies, do. DRM technologies are very inconvenient to regular users. The chance of a technique withstanding serious efforts at bypassing it is miniscule (Resources); the chance of it inconveniencing legitimate users is high. A famous example is a company selling music on CD-shaped things (Philips, it is said, denied them the use of the Compact Disc logo) which caused the firmware in some CD-ROM drives to crash, resulting in a drive that could only be opened by physical force. No one was impressed. (Actually, the editor of this article was impressed: She didn't realize that it was possible to create a piece of aluminum-in-plastic that could keep a CD-ROM drive from ejecting. Such a piece of sabotage is impressive!) Jim Baen of Baen Books explained his company's choice to distribute many books in completely unprotected formats: Because not only are our readers, in the main, not thieves, but because there is nothing there that is stealable. Baen's experience (and he has several years of experience, complete with records showing the results) has been that making an electronic copy of a book available for free does not hurt sales of that book (Resources). Lest people think this has been tried only with old titles that aren't selling, the company has at least twice put out hardcover, first-edition books with the entire book text on CD-ROM and blanket permission to copy and distribute that text non-commercially. (I bought both of them within a week or so of their release.) Curiously, many DRM advocates (and groups such as the RIAA) are quick to claim that unrestricted copying has deleterious effects, but supporting data is very slim. The people who have actually tried the experiment and made something easy to copy have, thus far, reported consistently positive outcomes. Don't think for a moment that DRM will have any real effect on organized attacks. The folks that send all that spam about complete suites of Adobe software for US$20 are not going to be deterred by any DRM system you ever see. Back to top What to do when you have to use DRM In some cases, economic considerations or licensing might require the use of DRM technologies. A number of considerations can minimize the harm this does to interoperability and the essential goals of standardization. The first and most important is full disclosure. If you are selling round silvery plastic things which do not fully conform to the Compact Disc standard, you have an ethical obligation to warn people (and for those of you who might be morally challenged, you might also have a more concrete legal obligation -- so you might as well be safe). Make sure that all retail packaging clearly warns potential users about known incompatibilities, whether they are intentional or not. (You know, like those application-software bugs that the company likes to call "features.") If you sell a thing which is intended to play in CD players but not to be readable on a computer, be sure to warn the consumer. Some consumers (myself included) haven't used an actual CD player to play an actual CD in years. Try to find ways to work within standards as much as possible. In some cases, a technological solution is not the best one at all. For instance, tying customer support to licensing may provide sufficient incentive for people to buy a product without any need for elaborate copy protection and hardware dongles. Restrictions on number of uses are a bad choice. Apple has gotten some fairly strongly worded negative feedback from a few early adopters whose habit of buying each slightly faster PowerBook ran them out of "authorizations" for some iTunes songs. Following are some other concerns to keep in mind if you just have to use DRM technology. Explore standard options Silly as a standard designed to limit interoperability might be, it's a lot better than no standard at all. For instance, though many users dislike region coding, at least you can generally predict it. (Not always, though. I once had some backups I burned to DVD that refused to mount because they allegedly had the wrong region code.) Investigate the existing options -- if there are any -- and see what people think about them. Check bulletin boards for complaints. A copy-protection scheme which causes a substantial number of legitimate users to learn to bypass it is not helping the vendor or the emptor. Be very careful to consider the impact of a DRM scheme on your standards compliance. The Compact Disc format is a real standard, designed to allow interoperability. Many attempts to subvert this with DRM have resulted in failure to comply with the CD standard -- and thus have disqualified the resulting media from being considered Compact Discs. (And if you think a few extra copies is damaging to your sales numbers, see what being branded "non-compatible" can do to your product campaign!) Failure to comply with a standard can hurt you badly since consumers quickly learn which round silvery things aren't really Compact Discs and might not work in their standard hardware. Cut your losses Whatever you are hoping to accomplish by adopting DRM, remember that it will only work some of the time (as in "you can only fool some of the people. . . "). Do not try to eliminate every possible hole in your system. It's impossible, and the marginal cost is huge. Worse yet, the marginal harm done to the legitimate users who are trying to use your product within the intended boundaries is even larger. I have been tasked to find workarounds for the copy-protection scheme of dozens of games (and even once of an operating system) when the copy-protection scheme didn't work correctly. I have determined that it's not worth it. Lots of your potential customers will come to the same conclusion. The fact is, a few DVD players out there shipped with a "factory testing" mode can play DVDs from any region. There are people out there who have bought a US$70 program with the sole intent of being able to burn copies of your copy-protected CD or just bypass the copy protection entirely. Don't sweat it. You can't beat everyone all the time. Trying to do so will just make things worse. Do not, under any circumstances, file silly lawsuits over this. Most of what the publicity will do is only end up hurting you -- as an effective deterrent, individual lawsuits are a bust. Everyone has heard the story of a student who realized that a company's elaborately researched scheme to prevent a CD from being ripped into MP3s could be defeated by holding down the shift key, and was promptly sued for US$10 million in damages (the suit was withdrawn the same day). This kind of behavior does not endear one to users. Legitimate users Don't forget that legitimate users are out there. If you try to keep them from doing something perfectly reasonable, your best hope is that they will simply bypass your copy protection. Your worst fear is that they find a competing technology (after all, if you weren't in competition with someone else, you wouldn't be worried about DRM now would you?), adopt it, and entice their friends to adopt it, too. My laptop has 17GB of CD-ROM and DVD-ROM image files on it, carefully constructed to allow me to run programs that think they need the original program CD to run. I travel a lot and I play a lot of video games -- I have no intention of carrying an extra twenty CDs around with me, many of which it would be impossible for me to buy replacements of today. So instead, I use CD image files mounted in virtual drives. For most games, that works. For the remainder, well, let's just say I have been known to chew up many hours of your technical support time getting a game debugged. And if you spend more money paying for the support than I paid you for the game, you lose. It might be that I am in some way offending the sensibilities of the developers whose games I bought (and which I now run using drive emulation). Remember, though: They got their money. They have no grounds for complaints. The copy protection is still inconveniencing me, but it's inconveniencing me a little less than it used to. If a program's copy protection is too annoying, I will generally find a workaround. And an important point to consider -- I'm still a legitimate user. I'm buying software retail (I even tend to buy things for full price when they're new). Likewise, I have four crates full of CDs, all carefully stored away in case I ever want to re-convert them into MP3s. If your poorly-designed DRM forces legitimate users to break your copy protection, consider it too intrusive and back off. In fact, one developer did disable the SecuROM copy protection because a new version of the protection algorithm prevented the game from running on many computers. This was a smart move, designed to ensure that they didn't lose a potential market for their product. Once again, when the people who pay you US$50 for your product have to download cracks from the Internet to avoid problems (in some cases, actual physical damage to machines!), it's a clear sign that you have taken things too far. Even DRM advocates run afoul of this. Michael Gartenberg, a DRM proponent, said in a personal blog entry: I finally took matters into my own hands. With a little help from a lovely free program, I was able to take all my MSFT .lit files and convert them to unprotected .PDF files for Tablet viewing and Word files that converted easily to eReader format. Feel no shame, Michael; that's just the reality of the situation. DRM which doesn't work perfectly for a legitimate user will be bypassed. Back to top Why it doesn't work Science fiction writer (and giver-awayer of many books) Cory Doctorow, in his presentation to Microsoft®, explained it very simply. Any DRM technology has to make it possible for the user to use your material. If it's based on encryption, you have to give them some way to decrypt the material to see it. And any system based on handing people the cipher algorithm and the key along with the ciphertext is not going to stay secure for long. That's why it doesn't work. The next question is whether we should try to make it work -- the answer is no. The fact is, this is all about trying to undo the economic benefits of standardization, and it's not worth it, even for those who support it with the most vigor. Every experiment has consistently shown that DRM technology is not achieving its users' goals. Publishers and authors who give away free books make more money; according to Baen Books, putting up a book for free on its Web site increased sales of that book, not just other books by the same author. Musicians who give away free music make more money (Janis Ian has talked about this a lot; see Resources). Work on DRM consumes a lot of time and a lot of money, trying to develop a technology that by its very definition can't actually sustain or achieve the goals for which it is designed. The more elaborate our attempts to enforce DRM by law or by technology, the more resources we're wasting trying to undo all the progress we've made towards interoperability and efficiency. Back to top Resources * Brad Wardell, who has made a living selling games without copy protection, argues that copy protection is useless or worse. (From JoeUser.com) * In this most excellent talk to the suits at Microsoft, Cory Doctorow, a published author who gives his books away online, discusses DRM technologies (more specifically, he concludes that they don't work, they're bad for business, bad for artists, bad for users, and to drive the point home, bad for Microsoft). * Of course, it could be worse; some DRM systems install a rootkit on your machine, permanently interfering with system maintenance and creating new security holes. * In FiringSquad (home of the hardcore gamer), Jakub Wojnarowicz points out that Brad Wardell's (see the first Resource) most famous and successful game, Galactic Civilizations, doesn't use any copy protection. * Welcome to the Baen Books Free Library -- Baen just gives books away, no copy protection, at all. It works great. * Speaking of which, many science fiction writers post complete stories online, for free. They don't seem to be the worse for wear. * Janis Ian writes about the ballyhoo over DRM raised by the music industry, how little she fears having people "steal" her music online, and how much sales of CDs increase every time they post new free downloads on her site. * After an amazing response to previous article, Janis Ian tells us some of the things she learned -- my favorite quotes Steven Levy in Newsweek: "Why are the record labels taking such a hard line? My guess is that it's all about protecting their internet-challenged business model." * Tim O'Reilly alerts us to Authors Guild plans to sue Google over its online library search technology -- it claims the search will hurt authors' rights. (From the New York Times) * Company uses lawsuit to outlaw "SHIFT" key. As the Daily Princetonian points out, this lawsuit disappeared as quickly as it was proposed. And, SunnComm's abrupt reversal of plans to sue for circumventing their copy protection scheme is a fascinating read. * A DRM advocate explains why he had to bypass some DRM. * Luckily for nearly everyone, courts have not upheld attempts to use copy-protection law to protect print cartridges from being replaced with functional equivalents. * If you can sell cartridges in one country for more than in another, why not use region coding (like HP in this example) to keep people from importing the cheaper cartridges? * Richard Stallman takes us to a terrifying future where they've outlawed book-sharing, making book-lenders outlaws. * Seems lots of different approaches exist to circumvent Apple's DRM FairPlay, including hymn and JHymn, Real Harmony, and PyMusique. * This BBC article notes that DRM efforts seem poised to have two effects: No guarantee that they'll prevent piracy and could mean more confusion for consumers with further fragmentation of file formats. * Of course, there's been plenty of talk about open source digital rights management delivery systems -- the EFF still thinks that no DRM is a good DRM. * Ken Kutaragi, president of Sony Computer Entertainment, said recently that Sony's earlier insistence on being overly proprietary about content caused the company to lose out on sales. In fact, according to this story, the company is now showing consumers how to get around its DRM. Back to top About the author Peter Seebach Peter Seebach is a perfect example of DRM -- he is usable in your system, but just try to replicate him! You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.