Schneier on Security
A blog covering security and security technology.
March 7, 2007
Understanding Apple's DRM
Very interesting article about Apple's DRM system, which they call "FairPlay."
Posted on March 7, 2007 at 7:57 AM
• 28 Comments
I can see an interesting outcome here. The EU orders Apple to open up FairPlay, or be barred from doing business in Europe. The labels then get an injunction in US courts barring Apple from opening up FairPlay.
The discussion of the technology is interesting. The resulting conclusions are Apple-apologist nonsense. It features logic like suggesting that if download sales cratered it would hurt labels but not hurt Apple, but if they go up it will help Apple. They buy into Jobs' unsupportable claim that there is no lock in.
My full complaint on Jobs' unsupportable claim that he's against DRM, with a bit of ranting about Roughly Drafted's take: http://alan-de-smet.livejournal.com/62381.html
They just need to change the sales paradigm and throw out DRM. Sell five tunes at twenty cents each, rather than one for a dollar. Most all illegitimate copying goes away. We musicians at the tail end don't make anything off music sales anyway (so don't let them lay that guilt trip on you.)
What this guy missed is that, while Apple really doesn't make much money directly from iTunes, it makes tons of money from iPods. Without the iTunes monopoly, there's nothing special about iPods. With it, iPods are the only music players that work with iTunes, which is by far the largest seller of online music.
Correct me if I'm wrong.
Since the content is scrambled on the user's computer, wouldn't we be able to get the raw data by intercepting it when it's downloading from the website?
It seems likely that the "raw data" is encrypted as it's transmitted to the user's computer -- or at least already contains the DRM tech.
Of course, you can always burn it to a CD, then rip the CD and get a DRM-free version of the music.
This is precisely why DRM is so pointless. The music is only protected in the narrowest of senses. I mean, if your encrypted data could be broken simply by making a copy, and then another copy, you'd not even think it was encrypted.
You're mistaking the stick for the carrot. The reason the iTunes store got so popular to begin with was thanks to the success of the iPod.
If each iPod sold really has less than 3% of its music from the iTunes store, as Jobs claims, that's hardly a reason to make iPods "special".
The iPod is successful because even techno-phobes like my mom can figure them out. Not because of purported lock-in that MIGHT happen after the fact.
That said, in spite of there being 1.3 iPods per person in my immediate family, not a single one of them has any Fairplay-protected music on them.
Nothing special about iPods, without iTunes?
They're easy to use (particularly for novices). They're cool. They've got brand recognition. Far more people want to have "an iPod" than want to have "an MP3 player". They've got shelf space everywhere. If there wasn't a way to get music on one other than to load it from CDs (where most of the music on most of the world's iPods comes from), it would still sell very, very well.
This means that Apple is best off making the iPod experience as good as it possibly can, without worrying about possible loss of market share. If MP3 players in general become more useful, that's increased business, and Apple picks up most of it. Even if they lose a bit of market share, they make it up in overall sales. (There isn't much lock-in anyway. There isn't that much iTunes-sold music out there compared to the storage on the iPods out there, and it's always possible to copy the music to a CD. There's doubtless a loss of quality, but I assure you that my iPod already doesn't deliver concert-quality sound.)
I do suspect that there's another reason why the iTunes store doesn't sell DRM-free music: the labels don't want to invite the close-up comparison. If you were selling something limited, would you want it on the shelf next to what looks like essentially the same thing, but without the limitations?
"Without the iTunes monopoly, there's nothing special about iPods."
Remember that the iPod predates the iTunes music store. The music store launched with the third generation iPod.
I don't want to get into a flame war about this, but it is my opinion that the UI on the iPod is much better than most competing devices. I've worked professionally doing UI design, and I think that Apple did a very good job. I also think that many of their competitors do very bad jobs.
There are also other issues that come into play. Apple got mindshare very early on. People still often seem to consider the iPod to be the original and others to be copies.
At least in my experience, many iPods are gifts. If the iPod is perceived as the original, and the others are considered copies - inexpensive, with more features, but perhaps not of the same quality - you can't really buy a gift and explain that you didn't get what the person wanted because this other one is more cost-effective.
The bottom line, IMHO, is that there are many factors beyond the iTunes music store, and I don't think people see the store as all that important.
"Without the iTunes monopoly, there's nothing special about iPods. With it, iPods are the only music players that work with iTunes, which is by far the largest seller of online music."
That might be true, of course iPods came out way before iTunes Music Store opened, and they dominated the market then. iTunes the program is not the iTunes Music Store. Based on Jobs' letter, < 5% of the music on iPods is from iTunes Music Store now. So I don't really think what you are implying is true. I do think if Apple's agreement with the labels is so fragile that the labels would revoke Apple's license because they could not stop other companies' problems with FairPlay, then Apple is in trouble there anyway, and they might as well license. In fact if the labels want to put pressure on Apple they should just publicly relax this and say they wouldn't hold Apple responsible if they licensed FairPlay.
I thought that Jobs' tirade against DRM was because he wanted to make it easier to transfer content between the iPod and the upcoming Apple TV, without having to worry about key management.
I repeat what I said: the tying of iPods to iTunes is a key part of Apple's advantage. Yes, iPods are well-designed, but they aren't perfect, and any technical lead can be surpassed by others. The combination package of iTunes and iPod is a key part of what keeps Apple ahead.
Very nice explanation. My only problem is with his conclusions concerning the option to add non-DRM music to iTunes.
1. He is wrong and misleading in the fact that it would require an update to iPods and the sync mechanism, simply since non-DRM music is currently being synced, when it is introduced to iTunes in any way other than the iTunes Store.
2. He is wrong in the fact it implies changes in the DRM, since they can just add the logic side by side with the current one. It isn't that hard.
Furthermore, as mentioned before, Jobs is the largest single shareholder in Disney, so he does have a say on the side of the labels.
In Israel there is no iTunes Store; The local agent is horrible, never advertises, and sells the iPods for twice the price in the US; The Hebrew support varies from none to bad (after applying the agent supported patch, which was created by some hackers).
Nevertheless, iPod is extremely popular, though it is mostly either privately imported or bought through importers other than the official agent.
So you give far too much credit to the iTunes Store.
There is always new music coming out. The music industry will just start tagging files with ads, like Google does with other content. More downloads, more ad revenues and more selection. The problem then becomes ad scraping as opposed to DRM scraping. Enough people will take the ads in exchange for free music to make it an easy money maker. DRM is DUMB.
In previous versions of iTunes, the encryption was done on the user's computer. Jon Lech Johansen wrote an alternative client ('PyMusique') which didn't do this. Apple then changed the protocol (and again, and again...)
From the article:
"Apple would have to update the iTunes software so it could download songs and skip encryption and key storage for non-DRM tracks."
I call "bogus".
All Apple would have to do is use a well-known constant public key to encrypt "non-DRM" tracks. Anything would work, as long as it was constant, well-known, and "registered" for every ITS user.
If this key were commonly known and shared by all users, or even if it were known to AAC-playing software on other platforms, then the "encrypted" content would play just fine.
In other words, content would be encrypted, but it wouldn't be a secret, because everyone and anyone who wanted the key would be able to use it. After all, it's just a constant, like pi.
There's another thing the article fails to mention as a possible reason why Apple isn't interested in selling mixed DRM and non-DRM tracks.
They may have agreed not to.
The labels may have demanded that the iTunes store only sell DRM'ed tracks. They could have been fearful that if the servers could be hacked AT ALL, it might be easier to hack them by tricking them into selling a restricted track as non-DRM'ed.
I'm not saying this IS the reason, just that it's as plausible a reason as any of the others the article discusses.
Apple are the only company who cared enough about music consumers to knock the record companies on the head and say "look, downloads are here to stay; we can make it simple for consumers to buy by the song so at least you get some cash out of this new distribution model." Before this, the record companies were either coming up with their own individual DRM flavours and crappy on-line services or doing nothing at all but whining "nobody buys our crappy CDs anymore."
DRM was forced by the record companies, not by Apple. This is the way it was in the DVD consortium too: it is ALWAYS the content owners that want content protection, not the technologists. That Apple managed to get by with an implementation of DRM so lax that it allows you to burn to a completely unprotected medium like CD is clear indication whose side they play for.
I can understand that Apple have no interest in licensing FairPlay. They don't like it: it's the crap the record companies forced down THEIR throats, and it just fills up their support lines with consumers bitching about "activations" and such. They DO want to get rid of it, and they have said as much. Take it on FACE VALUE. This ain't Microsoft folks!
The whole smokescreen about "why can't some songs be FairPlay and others not." Well technically you can do this, but Apple would have to ENGINEER it and SUPPORT it. That would cost Apple $$$, but in the end it doesn't help Apple sell any more Pods. And this all assumes that their contract with the big bad record companies even allows DRM-free songs from iTMS. Face it- it's a losing proposition on all counts.
However, getting rid of FairPlay altogether: you'd have to ENGINEER that, but it's a darn sight easier to engineer a DRM system away entirely than it is to selectively impose it. And then you could say "hey ma, no DRM," and that would sell more Pods!
You know it makes sense. Unfortunately it is the record companies (i.e. content owners) holding us all up, as usual. Kicking Apple to the curb ain't gonna help anyone.
I think you're putting way too much importance on the iTunes Music Store. I bought my first iPod within a month of the product announcement. There was _no_ iTMS then. It was funny reading online comments in the first days: "You can put your entire music collection on a 5 GB iPod". My thought at the time was "no, I can only put on one song from each of my CDs before I fill the drive". I saw several similar comments after a week or two as people who liked to buy lots of music started hearing about iPods.
I'm on my second iPod now, having worn out the first after replacing the battery. I have never bought anything from iTMS and don't plan to. Until today, my iPod has only had MP3s ripped from CDs or vinyl I own or downloads from artists who give their stuff away. When I find someone I like, I then buy their music, even if I already downloaded it. Most of the time I can find CDs for sale at the same price or even less than on iTMS.
I wrote "until today" because finally a European site I've been watching that sells DRM free MP3s opened up their system to those outside the EU. I bought my first 5 Euros worth of music that I haven't been able to find in the US or anywhere else online.
"Of course, you can always burn it to a CD, then rip the CD and get a DRM-free version of the music."
This is true. When using this technique, it should be noted that converting audio between lossy compression formats can cause a loss of quality. See http://digitalmedia.oreilly.com/2006/02/08/...
On another issue, instances of the Sony XCP DRM software were found to include a mechanism for converting digital audio data into DRM-encumbered iTunes songs. This feature was not enabled, and there were issues about the reuse of certain third-party code that was licensed as free (as in "freedom") software. See http://www.freedom-to-tinker.com/?p=940
Apple can get away with selling 'protected' music only because 99% of iPod users would rather pay than take 10 minutes to learn how to 'steal' music.
Yep. That's why the biggest online music store is run by a *hardware* company. Because the labels haven't worked it out yet.
In fact most people would get legal music if it was easier. And most do. Piracy is much smaller than the RIAA claims.
Example: One country that was accused of having lax laws concerning copyright claimed they were losing $1000 per person: yeah right.
Yep. I know guys with degrees in computing that have barely even heard of BitTorrent.
It may "seem likely" that the content is already scrambled when it's downloaded, but it's not the case. PyMusique was one FairPlay workaround, which was just an iTMS client that didn't bother applying DRM to purchased songs.
They've since changed the iTMS interface a number of times to make PyMusique incompatible with it, but the fundamental design - files are downloaded in the clear, and then individually encrypted at the receiving end - is the same.
If they did it the other way around, they'd have to transmit the key along with the scrambled data, so it would come out the same anyway. This way they move some processing onto the user's computer, and save on their server budget.
It's the fundamental problem with DRM - the person who's meant to receive the encrypted message, is simultaneously the person you're trying to prevent from receiving the encrypted message. You can't win for losing...
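Added example, not part of the original comments and not Apple's code: a minimal Python sketch of the two design points raised in this thread, the "well-known constant key" proposal for non-DRM tracks and the observation that an authorised client necessarily ends up with the cleartext. The container layout, the key ids, the names `WELL_KNOWN_KEY`, `package_track` and `Player`, and the SHA-256 counter-mode toy cipher are all assumptions made for illustration.

```python
import hashlib
import os

# Assumption: a published constant standing in for the "well-known" key.
WELL_KNOWN_KEY = bytes(16)
OPEN_KEY_ID = 0

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not a vetted cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def package_track(audio, key, key_id):
    """Store side: every track goes through the same encrypt step."""
    nonce = os.urandom(12)
    return {"key_id": key_id, "nonce": nonce, "body": keystream_xor(key, nonce, audio)}

class Player:
    """Client side: one decrypt path; only the key lookup differs per track."""
    def __init__(self, account_keys=None):
        self.keys = {OPEN_KEY_ID: WELL_KNOWN_KEY, **(account_keys or {})}

    def play(self, track):
        key = self.keys.get(track["key_id"])
        if key is None:
            raise PermissionError("no key registered for key_id %d" % track["key_id"])
        # An authorised player necessarily ends up holding the cleartext.
        return keystream_xor(key, track["nonce"], track["body"])

def demo():
    audio = b"constructed sample audio frames " * 4   # constructed input
    account_key = os.urandom(16)                       # per-account key, id 7
    locked = package_track(audio, account_key, 7)
    open_ = package_track(audio, WELL_KNOWN_KEY, OPEN_KEY_ID)
    owner, stranger = Player({7: account_key}), Player()
    try:
        stranger.play(locked)
        stranger_blocked = False
    except PermissionError:
        stranger_blocked = True
    return {"owner_locked": owner.play(locked) == audio,
            "owner_open": owner.play(open_) == audio,
            "stranger_open": stranger.play(open_) == audio,
            "stranger_blocked": stranger_blocked,
            "body_differs": locked["body"] != audio}

if __name__ == "__main__":
    print(demo())
```

The threat-modelling point is that the per-account key only gates players that lack it; it gives no confidentiality against the account holder, whose player returns the same bytes the store started with.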
"In other words, content would be encrypted, but it wouldn't be a secret, because everyone and anyone who wanted the key would be able to use it. After all, it's just a constant, like pi."
Not the best analogy - Pi would be a *really* bad encryption key :)
Interesting explanation of how FairPlay works. It's strange that Steve Jobs would say they're willing to give up DRM at the same time Apple is being more restrictive about Apple hardware/software products. All the new computers need 10.4, and 10.4 makes you agree to let Apple take any info they want at any time off your computer and attached equipment. Sounds like even music is included. Eulascan has info and links: http://www.eulascan.com/product.aspx?pid=22
hah hah! Remember the difference between the original 1984 Macintosh commercial and the remake? See the little iPod at her waist? Give you free music and you'll bow down to Apple's little screens instead of to Big Brother's big ones. OS 10.4 is just the start. Today their ears and eyes....tomorrow the world!!! You'll all be too busy twitching to your toons to think about Apple=BB coming to take your other stuff and put you away.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.