Schneier on Security
A blog covering security and security technology.
February 12, 2014
DRM and the Law
Cory Doctorow gives a good history of the intersection of Digital Rights Management (DRM) software and the law, describes how DRM software is antithetical to end-user security, and speculates how we might convince the law to recognize that.
Every security system relies on reports of newly discovered vulnerabilities as a means of continuously improving. The forces that work against security systems -- scripts that automate attacks, theoretical advances, easy-to-follow guides that can be readily googled -- are always improving so any system that does not benefit from its own continuous improvement becomes less effective over time. That is, the pool of adversaries capable of defeating the system goes up over time, and the energy they must expend to do so goes down over time, unless vulnerabilities are continuously reported and repaired.
Here is where DRM and your security work at cross-purposes. The DMCA's injunction against publishing weaknesses in DRM means that its vulnerabilities remain unpatched for longer than in comparable systems that are not covered by the DMCA. That means that any system with DRM will on average be more dangerous for its users than one without DRM.
Posted on February 12, 2014 at 7:15 AM
DRM may be a backward step but Bitcoin demonstrates that private ownership can usefully exist alongside an open system.
That in my opinion is a much more interesting discussion.
The problem with DRM and user security is that the two are not compatible at any level.
DRM implicitly distrusts the user, and thus to work has to set the system the user owns against them and remove all other choice.
User Security is based on giving the user choice on how they protect themselves.
Worse, as has been seen, DRM-using organisations believe and try to enforce the right to change terms and conditions of the contract of sale post sale without compensation to those who have purchased a good or service.
Amongst other things the DRM-using organisations want to deny certain basic rights (doctrine of first sale etc.) that have existed for hundreds of years. One consequence of this is that history will no longer work the way it has in the past, because in effect it blocks inheritance, thus when you die any works you have die with you. The only thing that will have permanence is misappropriated rights to others' work by which those misappropriating obtain benefit.
You're quite right to point out the implications of DRM for inheritance, but the implications go much farther than that.
Also blocked are resale (threatening an entire class of businesses), legitimate fair-use exceptions to copyright law (criticism, commentary, education, remix), and even creating a new class of "illegal numbers" since a piece of DRM-circumventing code represented in binary can also be expressed as a very large integer.
This is eerily reminiscent of the Greek junta which, in the 1960's made the letter "Z" illegal, since, when pronounced, it echoed the slogan of a protest movement.
Also untested in a legal sense (under the Digital Millennium Copyright Act) is whether it is "fair game" to disable DRM suspected of harming a user's computer. Case in point would be the rootkit Sony implanted on audio CDs as a form of DRM:
This is eerily reminiscent of the Greek junta which, in the 1960's made the letter "Z" illegal, since, when pronounced, it echoed the slogan of a protest movement.
That junta is, by the way, a good example of what information gathered about individuals can be used for. Gathering information about individuals is now what NSA has been doing for probably a decade.
"The coup leaders placed tanks in strategic positions in Athens, effectively gaining complete control of the city. At the same time, a large number of small mobile units were dispatched to arrest leading politicians, authority figures, and ordinary citizens suspected of left-wing sympathies, according to lists prepared in advance."
It would only be fair if the companies that ask you to put their DRM software on your devices were legally obligated to pay for harm or damage, including false negatives. Let's put the risk solely on the DRM software creators. If a company was legally obligated to pay me US$100,000 each and every time I report that their DRM came up with a false negative, or every time _in_my_opinion_ their DRM system interfered with normal operating of my system (even after it was removed, until they were able to prove that no trace of it remained on my particular system, and such an inspection would of course be a case of interference), then I'd let a company place DRM on one of my systems. Such payments would have to be through a neutral third party, with the company having to prove in court that I was not entitled to them, after the payments were made, in order to get them back.
Sounds reasonable to me.
I agree DRM is pointless. Authenticated SaaS or having authenticated online based functionality actually works better than something like a binary obfuscator.
Even if it's cracked by patching in stolen credentials, you just revoke licenses when you see fluctuations in your management system. If they hack the system and bypass authentication, then server load exposes the threat and an audit and mandatory updates are done.
With embedded systems you might still need something like a chain of trust and encryption, but mostly for security and protection of carrier users. Android handled this well I think as far as a model goes, it's still working out software design issues though.
Indeed. The Greek junta received backing from the US, albeit indirectly. The fascist LOK Mountain Divisions were incorporated into NATO's clandestine, anti-communist "stay-behind" force, called GLADIO in Italy.
This would have been part of the Truman Doctrine.
Keep in mind in this connection that the Greek opposition candidate Grigoris Lambrakis was assassinated within just a few years of JFK, RFK, MLK, and Malcolm X. At that time, right-wing elements were murdering their opposition all over the planet.
The GLADIO network operated without the knowledge of the European Parliaments, and has been implicated in a series of right-wing terror attacks in Europe, including the assassination of Aldo Moro, the Prime Minister of Italy
The tactics used by GLADIO are quite similar to the tactics uncovered by the Church Committee
Incidentally, the Church Committee investigated CIA involvement in GLADIO, though this was done in closed session. GLADIO didn't become public knowledge in Europe until the 90's. It would seem that a conspiracy can very much be kept secret, if enough is at stake.
The European Parliament's resolution on GLADIO is telling:
A. having regard to the revelation by several European governments of the existence for 40 years of a clandestine parallel intelligence and armed operations organization in several Member States of the Community,
B. whereas for over 40 years this organization has escaped all democratic controls and has been run by the secret services of the states concerned in collaboration with NATO,
C. fearing the danger that such clandestine network may have interfered illegally in the internal political affairs of Member States or may still do so,
D. whereas in certain Member States military secret services (or uncontrolled branches thereof) were involved in serious cases of terrorism and crime as evidenced by, various judicial inquiries,
E. whereas these organizations operated and continue to operate completely outside the law since they are not subject to any parliamentary control and frequently those holding the highest government and constitutional posts are kept in the dark as to these matters,
F. whereas the various 'Gladio' organizations have at their disposal independent arsenals and military ressources which give them an unknown strike potential, thereby jeopardizing the democratic structures of the countries in which they are operating or have been operating,
The best argument against DRM is the one that has been made continuously by the founders over at GOG.com: that DRM is pointless because DRM has no impact on the average consumer's decision to get a copy illegally or legally. To phrase it differently, unless the price point is completely out of whack with market demand, what motivates piracy is not dollars but ethics. DRM is not "keeping honest people honest"; it is annoying and a waste of resources for everyone except the hackers who get a kick out of breaking it.
I've posted this link here in the past but I'll post it again. It is a must read for those who take the issue of DRM seriously because GOG.com has hard data to back up their assertions, not conceptual arguments.
Is there a DRM system (excluding SaaS) that hasn't been cracked? It accomplishes nothing, and it hurts user experience, and it persists only because of a misplaced desire for control companies have over their customers. As it stands, you can make simple, unintrusive DRM that secures against anyone who isn't willing to download cracking tools and it will be about as effective for a fraction of the cost.
The only thing you can do is work to give users less and less control over their software, which is the model that phone and tablet manufacturers are taking; I suspect before too long, you will see phones with hardware that prevents unsigned software from running, and making it even harder to jailbreak. I also suspect that a niche market will form where people who are interested in jailbreaking just buy phones that aren't locked down, making the whole effort a net loss.
For the legal standpoint, the DMCA was the solution; the solution to what, I don't know. It might work if US law applied to everyone, but it doesn't. It hasn't stopped cracking tools from being created, it hasn't stopped people from stripping DRM from DVDs and BluRays, it hasn't stopped people from pirating, it hasn't stopped people from being able to find pirated software, music, movies, or even books online. It's been completely ineffective.
The most effective tool at reducing the pirating of music has not been DRM, it's been making individual songs available online for a low cost. Netflix is a great tool for stopping pirating of movies and TV shows, but the film industry is fighting the change; they still haven't figured out that downloadable content is incompatible with the movie theater model, and pirating will still be widespread.
The reason the music industry has been able to make money off of the cheap download model is twofold: they aren't trying to make a profit off of every single song, and music is significantly less expensive to produce than films have become.
If the film industry wants to succeed in a digital marketplace, it won't be through DRM, instead it needs to treat the markets differently and it needs to stop focusing on the hundred-million dollar blockbuster to make money at the box office, and start focusing on the smaller budget, original films with character actors instead of big names. They need to look to make profit on the whole portfolio of films, not necessarily each individual film. Put out ten, $10 million films for $0.99-$1.99 to buy online at release instead of one $100 million dollar film for $10-$15 to see it once, and it can be just as successful, if not more successful. Then they can sell their portfolio to Netflix once sales slow.
DRM is mostly about trying to sell the same thing to the same person over and over.
I buy quite a lot of CDs and DVDs - mostly for my children, recently. The quality of the disks being sold is rapidly deteriorating - often after a handful of views the movie starts freezing, skipping, showing random noise or simply stops playing, dropping to the main menu. Disney ones are most irritating - sometimes a fresh disk just out of the case has problems. Several Disney disks stopped playing at all (having only a few light scratches, which is inevitable), and I had to buy the same disk again to stop children moaning...
I started copying my whole collection to a home NAS box (disks are cheap today), so I could serve them directly over Ethernet to the new TV (which is firewalled, of course!). CDs are a piece of cake, but ripping those DVDs is an endless frustration. Damn, I have paid for these movies and music to watch and listen to them whenever I want and how much I want! At least over here copying for my own purpose is legal.
@Peter A. Are you familiar with a program named DVDShrink (widely available for download)? Its purpose is to allow backup copies to be made of copy-protected DVD content. It has worked for me in the past. It would be interesting to find out if it fixed that out-of-the-box corruption you mentioned.
DRM is shorthand for: easily bypassed by anyone with a computer and a web browser. I've only had one commercial DVD I couldn't copy with free tools. If I were a Windows user, I probably could have copied that one. DRMs for downloaded music are a joke. Those are bypassed easily. The same with electronic books. Breaking MOBI DRM is a snap.
The film industry may or may not "succeed in a digital marketplace", but they're all in.
Read the business pages and you constantly read about small theaters or small theater chains (including a lot of the surviving drive-ins) shutting down because they can't afford to buy the equipment for digital projection.
There has been a lot of money sunk into film reproduction and distribution over the years, and Hollywood is well on its way to saving a bundle by going to an all-digital environment.
Here's one short version:
Worth reading the links, for anyone interested in this business.
Right now the studios are probably shipping DVDs (hopefully higher quality ones than some of the commenters have bought) to the theaters. They'd eventually like to distribute their wares over the web.
In that model, they're almost trolling for pirates. So the motivation for DRM technology and laws is clear.
On an unrelated note, the White House announced a new Cybersecurity Framework today:
A solution to unemployment, perhaps.
@ Milo M.
While I've yet to read the entirety of the "Improving Critical Infrastructure Cybersecurity" executive order, the first sentence of the first section was found to be quite intriguing by me.
Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.
This seems to suggest that the executive branch is now willing to accept their abject failure in securing American 'cyberspace'...
In combination with justice Scalia's subtle suggestion that the judicial branch has been thoroughly compromised:
Well of course Korematsu was wrong. And I think we have repudiated in a later case. But you are kidding yourself if you think the same thing will not happen again
It would now appear that the legislative will be the latest to arrive at the same scene...
OT but on a related note, has anyone noticed how the anti-spam filter/s can be tuned to stifle speech? Some time a few years ago I was making a comment on Tor.com, about L. Frank Baum's book The Wonderful Wizard of Oz. I had seen a connection between its tone and an American folk song, The Big Rock Candy Mountain, and Tor.com's anti-spam filter killed my comment dead. Last year I was attempting to comment on an article at Tor.com and since the discussion mentioned codpieces of all things amongst what people imagined was a discussion on fiction covering cultural differences, I thought I'd reference a culture I know where they do wear codpieces. The West Papuan koteko.
Too much reality for Tor.com. Much too much too much too much too much ... The filter software deleted half the post and made me look stupid; then it deleted a correction I posted; then when I complained to the web people at Tor.com, I was effectively locked out for I don't know how long. That's when I stopped taking them seriously.
SF in the US taking risky stances on cultural differences and developments? Nah! It's distinctly Tea Partyish, with any number of people fancying themselves the Mad Hatter.
I'm not really talking about theaters; ticket sales are on the decline, and they are what the film industry needs to forget about in the coming decades. Theaters are great and all, but making that the primary focus is what is resulting in so many generic films, with remakes and sequels being so common. You have a limited number of films that can be shown, making the risk so high that the industry focuses on safe bets.
The marketplace is beginning to shift from people going to the theaters to people watching at home on their bigscreen TV, for significantly lower costs (except for the cost of the bigscreen). The future is going to be for people to download and stream movies at home, and the film industry is worried about people copying their films for digital distribution, which is where the DRM comes in. Their goal is going to be to try and prevent people from downloading films, they want to make you stream everything because they (naively) think that this will help them stop piracy. They are even trying to put DRM in HTML5. The thing is that the reason people are pirating so much is because the film industry isn't giving consumers what they want.
The film industry is unwilling to adapt to a new market, they instead want the market to adapt to them, and they see DRM as the key to doing this. I wouldn't be surprised if they made every movie pay per view. The problem is that if you don't give consumers what they want, movies they can download and watch on any device they own, without hassle, even when their internet connection is down (because watching movies is something people do when they lose their internet connection), then piracy will be much more widespread, and it will end up costing both the film industry and the consumers.
Digital distribution could be a huge opportunity for the film industry to go beyond the limits of the theater, but only if they focus on the consumers. Make movies that are risky, that might not make it in theaters, because if people can download films for a small cost, many many more people will be able to watch them. You have a much larger opportunity to profit by focusing on smaller-budget films that have a smaller fan base, because you don't have to get all of those fans in the theaters while directly competing with other titles.
I don't know that theater grosses are down. See the 2012 statistics in the MPAA link below. Granted, higher prices may be the reason, while seats occupied may have decreased.
It's clear that the movie studios or distributors need to protect their content in some way. A more user-friendly way would definitely be preferable. I avoided buying an HDMI cable for years due to the Intel-proprietary HDCP embedded in the devices on either end. Accepted more cables instead. Finally bought a few HDMI cables, and haven't experienced any dropouts due to authentication failures, so may have been overly influenced by some bad press.
Still find it annoying to sit through the WARNING at the start of each DVD. Then to repeat it in other languages is even more annoying. It's like TSA was running your home theater. Short of an organized pushback by the majority of customers who aren't pirates and resent the idiot treatment, it will continue. Of course, that's part of what you imply by "focus on the consumers". If only they, and so many other businesses, would.
More on digital film distribution:
" . . . (as of July 2013) 35,712 screens (out of a total of 39,838 screens) in the United States have been converted to digital (14,430 of which are 3D capable) . . . 'It appears that a perfect storm of events may bring about the end film around the end of 2014 due to either a worldwide lack of film stock and/or the closing of processing labs. Studios are weighing carefully the cost to make and distribute film vs. the revenue from those limited prints,' reports NATO."
[ National Association of Theater Owners, not the military alliance. http://natoonline.org/ ]
"Theaters large and small have converted with and without the virtual print fee (VPF) assisting in their theater new equipment purchase. The VPF was the studios kicking back a portion of the enormous savings they realize between the cost of providing a digital print on a reusable hard drive for +/- 100.00 compared to the immediately declining quality and value of a 35 mm print for +/- 1500.00. With all that money they saved, they chipped in with a VPF to help pay a portion of the digital equipment costs for theaters. "
Screen numbers are corroborated by MPAA:
"In 2012, the number of digital screens in the U.S. increased by 31%, accounting for 84% of all U.S. screens. More than 6,500 non-3D digital screens were added in the U.S. in 2012, increasing by 54% from 2011. These screens [non-3D digital] now account for 50% of all screens."
Totals: Digital 3D - 13,559
Digital non-3D - 19,972
Analog - 6,387
Total screens - 39,918
" . . . over two-thirds of the world’s screens are now digital. 2012 marked the first year that digital screens surpassed analog screens in international market share."
Another source that agrees on the per-print costs:
"It costs about $1,500 to print one copy of a movie on 35 mm film and ship it to theaters in its heavy metal canister. Multiply that by 4,000 copies — one for each movie on each screen in each multiplex around the country — and the numbers start to get ugly. By comparison, putting out a digital copy costs a mere $150.
'Distributing movies digitally into theaters has been the holy grail of the studios,' former Universal Pictures chairman Tom Pollock told Variety back in 2010. 'They stand to eliminate billions of dollars in costs in coming years without spending very much.' "
Speaking of the law and royalty payments (which is what DRM is about) it appears there is a war brewing in the law courts between the Internet Radio Station Pandora and the various royalty agencies.
As I understand it the royalty agencies keep over 50% payments received thus are starving the artists etc. Sony, apparently wholeheartedly sick of this, withdrew "digital rights" from the agencies and approached Pandora directly and struck a mutually beneficial arrangement.
Further Pandora has launched suit against recent rises the agencies lobbied for and got. Basically claiming that it is discriminatory against digital broadcasters as terrestrial and satellite broadcasters have significantly better deals.
Pandora then went and purchased a terrestrial radio station and on Pandora announcing this one of the rights agencies has taken legal action against Pandora.
This series of lawsuits may well overturn quite dramatically the century old royalties system in the US etc. Many would say it was not soon enough. Whichever way it goes I can not see either the consumers or artists gaining out of it unless the rights agencies are thoroughly emasculated which with their current lobbying power is very unlikely to happen.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.