Digital rights management: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
mNo edit summary
 
(65 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{subpages}}
{{PropDel}}<br><br>{{subpages}}
{{TOC|right}}
{{TOC|right}}
'''Digital rights management (DRM)''' refers to the laws and technologies which provide intellectual property owners control over the distribution and use of their material by controlling consumers' use of it. The claimed goals are to prevent copying of digital media and to restrict access and content use to what is allowed by [[copyright]] law.<ref name=Bates>Bates, BJ. (2008) 'Commentary: Value and Digital Rights Management-A Social Economics Approach', Journal of Media Economics, 21:1, 53-77</ref>. Critics claim that the "rights" enforced by DRM routinely go beyond those granted by law.
'''Digital rights management (DRM)''' refers to the laws and technologies which provide intellectual property owners control over the distribution and use of their material by controlling consumers' use of it. The claimed goals are to prevent copying of digital media and to restrict access and content use to what is allowed by [[copyright]] law.<ref name=Bates>Bates, BJ. (2008) 'Commentary: Value and Digital Rights Management-A Social Economics Approach', Journal of Media Economics, 21:1, 53-77</ref>
 
Critics refer to it as "Digital ''Restrictions'' Management", and argue that many of the restrictions it enforces go well beyond the rights granted by law.


==History==
==History==
Copyright law is the earliest form of [[intellectual property]] protection.  This area of law developed for print media, long before copying machines and digital media, and has not necessarily kept pace with technology.
=== Legal Background ===
=== Legal Background ===
The [[Copyright|copyright]] since its formal creation in 1710 by the British [[Statute of Anne]] and its inclusion in the [[U.S. Constitution]]<ref name=Bennett>Bennett, S. (1999) 'Authors' Rights', Journal of Electronic Publishing, vol. 5, no. 2, Dec., 1999</ref> has been the main protection scheme for intellectual property rights for creative information goods and services.
The [[Copyright|copyright]] since its formal creation in 1710 by the British [[Statute of Anne]] and its inclusion in the [[U.S. Constitution]]<ref name=Bennett>Bennett, S. (1999) 'Authors' Rights', Journal of Electronic Publishing, vol. 5, no. 2, Dec., 1999</ref> has been the main protection scheme for intellectual property rights for creative information goods and services.
Line 42: Line 45:
* <b>Limited Record Company Adoption</b>: With previous improved formats, such as cassette tapes and CD's, the music industry has been fast to adapt, develop, and switch to these new forms of media to satisfy the demand. However for digital music this was not the case. Although computers with CD burners and MP3 player sales were skyrocketing in the early 90's, from 1999 (the release of Napster) to 2003 (the opening of the Itunes Store), there was no digital music service offering any of the music produced by the big 4 record companies (Warner, Sony BMG, EMI, Universal). As a result, the lack of service drove people to acquire their music via illegal copying.
* <b>Limited Record Company Adoption</b>: With previous improved formats, such as cassette tapes and CD's, the music industry has been fast to adapt, develop, and switch to these new forms of media to satisfy the demand. However for digital music this was not the case. Although computers with CD burners and MP3 player sales were skyrocketing in the early 90's, from 1999 (the release of Napster) to 2003 (the opening of the Itunes Store), there was no digital music service offering any of the music produced by the big 4 record companies (Warner, Sony BMG, EMI, Universal). As a result, the lack of service drove people to acquire their music via illegal copying.


* <b>Development of [[Content delivery and distributed file sharing networks|distributed file sharing]]</b>: Internet-based technologies grew to encompass distributed file sharing, with no central distribution point at which unauthorized distribution could be stopped.
==== The Reaction ====
==== The Reaction ====


Line 98: Line 102:
What it did attempt was to control usage of the DVDs. CSS includes a system of region codes such that, for example, a DVD sold in North America (region 1) will not play on a player sold in Europe (region 2).This allows the movie companies more control over their markets, for example charging higher prices in some regions or holding back DVD release for a region until after the cinema release there. There are other controls as well; for example the fast-forward control is locked out during the opening section of the disk so that a user cannot bypass the advertising or movie previews there.
What it did attempt was to control usage of the DVDs. CSS includes a system of region codes such that, for example, a DVD sold in North America (region 1) will not play on a player sold in Europe (region 2).This allows the movie companies more control over their markets, for example charging higher prices in some regions or holding back DVD release for a region until after the cinema release there. There are other controls as well; for example the fast-forward control is locked out during the opening section of the disk so that a user cannot bypass the advertising or movie previews there.


Not all vendors follow the Forum's rules; there are many "region-free" DVD players on the market; see for example, this [http://www.dvdbuyingguide.com/ review site].  Also, some players that normally implement region codes can be set to ignore them, either in software or by replacing a chip; there are guides on the net for that as well. In some markets, such as China, nearly all players are region-free. In others, such as Europe, buyers tend to prefer them. One of Britain's largest retailers, [[Tesco]] found massive demand for such players and asked the movie industry to drop region codes altogether [http://www.theregister.co.uk/2000/02/21/tesco_slams_unnecessary_dvd_zoning/]. [[NASA]] sent [[Sony]] players, modified to be region-free, to the [[International Space Station]] [http://www.faqs.org/abstracts/Telecommunications-industry/NASA-USING-REGION-FREE-DVD-ZENITH-LOSS-GROWS.html]; Sony were not entirely happy about this.
Not all vendors follow the Forum's rules; there are many "region-free" DVD players on the market; see for example, this [http://www.dvdexploder.com/ site].  Also, some players that normally implement region codes can be set to ignore them, either in software or by replacing a chip; there are guides on the net for that as well. In some markets, such as China, nearly all players are region-free. In others, such as Europe, buyers tend to prefer them. One of Britain's largest retailers, [[Tesco]] found massive demand for such players and asked the movie industry to drop region codes altogether
<ref>{{citation
| author = Linda Harrison & Tony Smith
| url = http://www.theregister.co.uk/2000/02/21/tesco_slams_unnecessary_dvd_zoning/
| title = Tesco slams ‘unnecessary’ DVD zoning
| date = February 2000
}}</ref>. [[NASA]] sent [[Sony]] players, modified to be region-free, to the [[International Space Station]] [http://www.faqs.org/abstracts/Telecommunications-industry/NASA-USING-REGION-FREE-DVD-ZENITH-LOSS-GROWS.html]; Sony were not entirely happy about this.


There is a later variant called RCE or "regional coding enhancement" [http://www.dvdtalk.com/rce.html] intended to block play of new discs on region-free players.
There is a later variant called RCE or "regional coding enhancement" [http://www.dvdtalk.com/rce.html] intended to block play of new discs on region-free players.


==== DeCSS ====
==== DeCSS ====
For playing DVDs on a computer, the CSS scheme is easily bypassed using the open source decoder known as DeCSS.<ref name=Bates /> There was a great deal of controversy on the net and in the courts over this.
For playing DVDs on a computer, the CSS scheme is easily bypassed; there are a number of programs which do this. The first one to become widespread was a decoder for Windows known as DeCSS.<ref name=Bates /> There was a great deal of controversy on the net and in the courts over this.
* The [[Motion Picture Association of America]] (MPAA) took the position that DeCSS was a "circumvention device" under the US [[Digital Millennium Copyright Act]] and sued many people, including web sites who only linked to the code. These suits succeeded and court orders were issued to take down some copies of the code and links. Of course, copies are still readily available from places outside US jurisdiction.
* The [[Motion Picture Association of America]] (MPAA) took the position that DeCSS was a "circumvention device" under the US [[Digital Millennium Copyright Act]] and sued many people, including web sites who only linked to the code. These suits succeeded and court orders were issued to take down some copies of the code and links. Of course, copies are still readily available from places outside US jurisdiction.
* The [[DVD Content Control Association]] (DVD-CCA) argued that breaking CSS involved misuse of trade secrets and sued on those grounds. These suits failed.
* The [[DVD Content Control Association]] (DVD-CCA) argued that breaking CSS involved misuse of trade secrets and sued on those grounds. These suits failed.
There are archives of documents from both cases at [http://cyber.law.harvard.edu/openlaw/DVD/DeCSS/ Harvard] and [http://w2.eff.org/IP/Video/ EFF]. Harvard also has a [http://cyber.law.harvard.edu/openlaw/DVD/dvd-discuss-faq.html FAQ] document covering both legal and technical issues.
There are archives of documents from both cases at [http://cyber.law.harvard.edu/openlaw/DVD/DeCSS/ Harvard] and [http://w2.eff.org/IP/Video/ EFF]. Harvard also has a [http://cyber.law.harvard.edu/openlaw/DVD/dvd-discuss-faq.html FAQ] document covering both legal and technical issues.


One issue was whether the DeCSS code qualifies as protected speech under the [[First Amendment of the U.S. Constitution]]. A earlier court ruling in the [[Cryptography_controversy#Bernstein_case|Bernstein case]] over export restrictions on cryptography had set a precedent that those protections sometimes apply to code. However, in the MPAA case, the judge ruled that they did not apply to DeCSS. So some code is protected, other code is not. Computer science professor [[David Touretzky]] has a [http://www.cs.cmu.edu/~dst/DeCSS/Gallery/ Gallery of CSS Descramblers] exploring where the border might lie.
One issue was whether the DeCSS code qualifies as protected speech under the First Amendment of the [[U.S. Constitution]]. A earlier court ruling in the [[Cryptography_controversy#Bernstein_case|Bernstein case]] over export restrictions on cryptography had set a precedent that those protections sometimes apply to code. However, in the MPAA case, the judge ruled that they did not apply to DeCSS. So some code is protected, other code is not. Computer science professor [[David Touretzky]] has a [http://www.cs.cmu.edu/~dst/DeCSS/Gallery/ Gallery of CSS Descramblers] exploring where the border might lie.


==== CSS analysis ====
==== CSS analysis ====
CSS is obviously a flawed cryptosystem. It is weak in theory &mdash; [[David Wagner]] testified in one case that he asks his Berkeley students to break it as a homework assignment &mdash; and weak in practice since DeCSS (a reasonably short, simple and fast program) defeats it completely. What went wrong?
CSS is obviously a flawed cryptosystem. It is weak in theory &mdash; [[David Wagner]] testified in one case that he asks his Berkeley students to break it as a homework assignment &mdash; and weak in practice since DeCSS (a reasonably short, simple and fast program) defeats it completely. What went wrong?


First, CSS was designed to be weak; it used a [[stream cipher]] for the bulk data encryption, and some additional things for [[key management]] The system as a whole used only a 40-bit key, to comply with cryptography export laws of the time (mid-90s). For why a short key makes any cipher inherently weak see [[Brute_force#Choosing_key_sizes|brute force attack]]. For discussion of debate about those laws see [[Cryptography_controversy#Export_Controls|cryptography controversy]]. In this case, it may not have been US law that imposed bad crypto. CSS was designed by [[Mitsubishi]] engineers and at the time, Japan also had strict export laws.
First, CSS was designed to be weak; it used a [[stream cipher]] for the bulk data encryption, and some additional things for [[key management]] The system as a whole used only a 40-bit key, to comply with cryptography export laws of the time (mid-90s). For why a short key makes any cipher inherently weak see [[Brute_force#Choosing_key_sizes|brute force attack]]. For discussion of debate about those laws see [[politics of cryptography]]. In this case, it may not have been US law that imposed bad cryptography. CSS was designed by [[Mitsubishi]] engineers and at the time, Japan also had strict export laws.


Second, CSS was designed ''and even standardized'' in secret, without a public review that might have caught various design weaknesses. In some court cases DVD-CCA even claimed its inner workings were trade secrets. This violates [[Kerckhoffs'_Principle]]; no cipher should be trusted until it is published and reviewed. See [[Cryptography#Cryptography_is_difficult|cryptography is difficult]] for discussion of this common problem.
Second, CSS was designed ''and even standardized'' in secret, without a public review that might have caught various design weaknesses. In some court cases DVD-CCA even claimed its inner workings were trade secrets. This violates [[Kerckhoffs'_Principle]]; no cipher should be trusted until it is published and reviewed. See [[Cryptography#Cryptography_is_difficult|cryptography is difficult]] for discussion of this common problem.
Line 125: Line 135:
C2 is used in [[Content Protection for Recordable Media]] and [[Content Protection for Pre-Recorded Media]], collectively known as CPRM/CPPM. The cipher itself has been published, but the S-boxes are secret and different for each application.  
C2 is used in [[Content Protection for Recordable Media]] and [[Content Protection for Pre-Recorded Media]], collectively known as CPRM/CPPM. The cipher itself has been published, but the S-boxes are secret and different for each application.  


There has been some published [[crpytanalysis]] of the cipher <ref name=borghoff-et-al>{{cite paper |date= |author=Julia Borghoff, [[Lars Knudsen]], Gregor Leander, Krystian Matusiewicz |title=Cryptanalysis of C2 |work=Extended Abstract |publisher=[[Technical University of Denmark]] |url=http://events.iaik.tugraz.at/weworc09/9aa510c7c7aab1/abstracts/04.pdf }}</ref> <ref name=algebraic-attacks>{{cite paper |author=Ralf-Philipp Weimann |date=2008-03-01 |title=Algebraic Methods in Block Cipher Cryptanalysis |publisher=[[Darmstadt University of Technology]] |url=http://tuprints.ulb.tu-darmstadt.de/1362/1/rpwphd.pdf }} (Abstract is in German, paper itself is in English)</ref>.
There has been some published [[cryptanalysis]] of the cipher <ref name=borghoff-et-al>{{cite paper |date= |author=Julia Borghoff, [[Lars Knudsen]], Gregor Leander, Krystian Matusiewicz |title=Cryptanalysis of C2 |work=Extended Abstract |publisher=[[Technical University of Denmark]] |url=http://events.iaik.tugraz.at/weworc09/9aa510c7c7aab1/abstracts/04.pdf }}</ref> <ref name=algebraic-attacks>{{cite paper |author=Ralf-Philipp Weimann |date=2008-03-01 |title=Algebraic Methods in Block Cipher Cryptanalysis |publisher=[[Darmstadt University of Technology]] |url=http://tuprints.ulb.tu-darmstadt.de/1362/1/rpwphd.pdf }} (Abstract is in German, paper itself is in English)</ref>.
 
==== Blu-ray disks ====
 
For the new higher-density [[Blu-ray]] disks, [[Intel]] designed a new DRM system called [[High Definition Content Protection]]; this is administered by [[Digital Content Protection LLP]]. It has been [http://www.pcmag.com/article2/0,2817,2369280,00.asp broken].
 
<blockquote>AACS took years to develop, and it has been broken in weeks. The developers spent billions, the hackers spent pennies.</blockquote>
 
<blockquote> There is no future in which bits will get harder to copy. Instead of spending billions on technologies that attack paying customers, the studios should be confronting that reality and figuring out how to make a living in a world where copying will get easier and easier. They're like blacksmiths meeting to figure out how to protect the horseshoe racket by sabotaging railroads.
 
The railroad is coming. The tracks have been laid right through the studio gates. It's time to get out of the horseshoe business.[http://boingboing.net/2007/02/13/bluray-and-hddvd-bro.html]</blockquote>
 
Some have argued that DRM is a major reason Blu-ray is not doing as well as expected in the market<ref>{{citation
| author = Ganesh T S
| url = http://www.anandtech.com/show/5693/cinavia-drm-how-i-learned-to-stop-worrying-and-love-blurays-selfdestruction
| title = Cinavia DRM: How I Learned to Stop Worrying and Love Blu-ray’s Self-Destruction
| date = Mar 2012
}}</ref>.


===Marking===
===Marking===
Line 142: Line 169:


== Difficulties of DRM ==
== Difficulties of DRM ==
{{quotation|Digital rights management, or DRM, is based on the idea that we should design computers that consult an internal policy document written by a third party to check if anything the owner might want to do is a permitted task. If you hit control S or control C to save the work or copy the work, your computer would be able to stop you. I think your computer should never say no, it should always obey you.<ref>{{citation
| author = Jessica Griggs
| date = June 2010
| title = Cory Doctorow: My computer says no
| journal = New Scientist
| url = http://www.newscientist.com/article/mg20627635.700-cory-doctorow-my-computer-says-no.html?full=true&print=true
}}</ref>}}


=== Consumer attitudes ===
=== Consumer attitudes ===
Line 148: Line 183:


DRM also seems to be doing very little to stop copyright infringement: "today, infringement is more widespread than ever"<ref>[[Cory Doctorow]], [http://craphound.com/complexecosystems.txt All Complex Ecosystems Have Parasites], [[O'Reilly Emerging Technology Conference]], 16 March 2005.</ref>.
DRM also seems to be doing very little to stop copyright infringement: "today, infringement is more widespread than ever"<ref>[[Cory Doctorow]], [http://craphound.com/complexecosystems.txt All Complex Ecosystems Have Parasites], [[O'Reilly Emerging Technology Conference]], 16 March 2005.</ref>.
One online joke collection includes "Copy Protection: A clever method of preventing incompetent pirates from stealing software and legitimate customers from using it."[http://ftp3.ie.freebsd.org/pub/www.gnu.org/fun/jokes/software.terms.html]


==== Access and Usage Concerns ====
==== Access and Usage Concerns ====
Line 153: Line 190:


More explicitly, consumers worry about the loss of data because of restrictions on transferring from one format to another. This may force consumer into repurchasing digital data in another format, when they can easily have the capability of transitioning the format themselves. Another outside concern consumers ask is how do DRM Systems handle the expiration of copyright terms. Do DRM systems release their restrictions when the copyright term expires?<ref name=Helberger>Helberger, Natali. (2004) ‘ Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations’, MPRA Paper No. 6641, posted 08. January 2008 </ref>
More explicitly, consumers worry about the loss of data because of restrictions on transferring from one format to another. This may force consumer into repurchasing digital data in another format, when they can easily have the capability of transitioning the format themselves. Another outside concern consumers ask is how do DRM Systems handle the expiration of copyright terms. Do DRM systems release their restrictions when the copyright term expires?<ref name=Helberger>Helberger, Natali. (2004) ‘ Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations’, MPRA Paper No. 6641, posted 08. January 2008 </ref>
In an interesting development, one company removed DRM from their product about a week after releasing it:
<blockquote>
Our approach to countering piracy is to incorporate superior value in the legal version, This means it has to be superior in every respect: less troublesome to use and install, with full support, and with access to additional content and services. So, we felt keeping the DRM would mainly hurt our legitimate users. This is completely in line with what we said before the release .... We felt DRM was necessary to prevent the game being pirated and leaked before release. This purpose has been served, so we are pleased to let our users enjoy the full freedom of game usage they deserve.[http://arstechnica.com/gaming/news/2011/05/the-witcher-2-patch-removes-drm-improves-framerate.ars]</blockquote>


==== Privacy Concerns ====
==== Privacy Concerns ====
Line 169: Line 211:


=== Legal problems ===
=== Legal problems ===
There are a number of legal issues around DRM.
There are a number of legal issues around DRM. Similar issues turn up in all jurisdictions, but any of them may play out differently in different legal systems. This makes dealing with them immensely complex, especially in designing a DRM system to be used in many countries.


==== Fair use ====
==== Fair use ====
There is a basic principle of [[copyright]] law, called '''fair use''' <ref>Electronic Frontier Foundation 'Fair Use Frequently Asked Questions (and Answers)', 2002 [http://w2.eff.org/IP/eff_fair_use_faq.php]</ref> in US law. For example, copyright does not prevent quoting a work in a review or analysis, or using it in education. Nor does it prohibit a blind user from using software that will read an e-book aloud for him. However, some DRM systems block those. The principle is clear, but the border is by no means sharply delineated. Between the black of copyright infringement and the white of perfectly legal fair use, there is a large grey area. This is being narrowed down by various court rulings and sometimes altered by new legislation, but will likely never go away entirely.
There is a basic principle of [[copyright]] law, called '''fair use''' <ref>Electronic Frontier Foundation 'Fair Use Frequently Asked Questions (and Answers)', 2002 [http://w2.eff.org/IP/eff_fair_use_faq.php]</ref> in US law. For example, copyright does not prevent quoting a work in a review or analysis, or using it in education. Nor does it prohibit a blind user from using software that will read an e-book aloud for him. Other legal systems have the same principle, but the name and the details vary from country to country. British and Canadian law call it "fair dealing".


That principle greatly complicates the design of DRM systems. Copyright law has exceptions for fair use; can you build those into DRM software? What do you do about the grey areas? If you ignore fair use, or just misjudge some grey areas, you will  infringe on the users' legal rights; what are the market or legal consequences of that? How will your DRM system adapt to changes in the law?
The principle is clear, but the border is by no means sharply delineated. Between the black of copyright infringement and the white of perfectly legal fair use, there is a large grey area. This is being narrowed down by various court rulings and sometimes altered by new legislation, but will likely never go away entirely.
 
That principle greatly complicates the design of DRM systems. Copyright law allows fair use; how can DRM software manage that? What do you do about the grey areas? If you ignore fair use, or just misjudge some grey areas, you will  infringe on the users' legal rights; what are the market or legal consequences of that? Some current DRM software blocks legitimate fair use; for example some DRM systems will prevent a blind use from having software read a book aloud and, if it worked as designed, CSS on DVDs would prevent a reviewer from using an excerpt in a review. Beyond that, how can a DRM system adapt to changes in the law?


Fair use arguably includes the right to '''time shifting''', for example using a VCR to record a TV program to watch later. In [http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=CASE&court=US&vol=464&page=417 one case] that was fought all the way to the US Supreme Court, the court ruled that recording TV programs for home use did not violate copyright, so Sony could not be held to be contributing to copyright infringement by selling [[VCR]]s. A similar issue is '''space shifting''', for example copying music from a record or CD to cassette tape for listening in the car or copying a DVD to videotape to watch in another room. In [http://cyber.law.harvard.edu/property00/MP3/rio.html another case,] the court ruled that the Rio, "a portable digital audio device which allows a user to download MP3 audio files from a computer and to listen to them elsewhere.", is also legal fair use. Those decisions appear to mean that it is legal fair use for users to copy music from their CDs, or movies from DVD, onto their hard drives and/or into a portable player.
Fair use arguably includes the right to '''time shifting''', for example using a VCR to record a TV program to watch later. In [http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=CASE&court=US&vol=464&page=417 one case] that was fought all the way to the US Supreme Court, the court ruled that recording TV programs for home use did not violate copyright, so Sony could not be held to be contributing to copyright infringement by selling [[VCR]]s. A similar issue is '''space shifting''', for example copying music from a record or CD to cassette tape for listening in the car or copying a DVD to videotape to watch in another room. In [http://cyber.law.harvard.edu/property00/MP3/rio.html another case,] the court ruled that the Rio, "a portable digital audio device which allows a user to download MP3 audio files from a computer and to listen to them elsewhere.", is also legal fair use. Those decisions appear to mean that it is legal fair use for users to copy music from their CDs, or movies from DVD, onto their hard drives and/or into a portable player.


However, if the DRM allows those applications, how can it prevent the users from sharing the files? If it does not allow such things, can users legally break the DRM to enforce their rights? Will they just avoid DRM-protected products?
However, if the DRM allows those applications, how can it prevent the users from sharing the files? If it does not allow such things, can users legally break the DRM to enforce their rights? Will they just avoid DRM-protected products?
See also our article on [[Fair use]].
====First sale doctrine====
Another issue is the legal doctrine of '''first sale''', essentially that once a company sells a product they no longer control it.
The doctrine applies when a company sells to a distributor; the contract may restrict what the distributor then does with the product, but copyright law imposes no restrictions.
The law on this is somewhat complex. In the US, it goes back to a 1908 Supreme Court decision that a publisher (Bobbs-Merrill) could not prevent a department store (Macy's) from offering books at a discount, even though they had printed right on the flyleaf a statement that no-one was authorised to sell the book below their set price. Later, the first sale principle was explicitly written into the 1976 revision of the Copyright Act [http://www.copyright.gov/title17/92chap1.html#109]. Since then, there have been rulings both ways. In a 1998 case [http://www.law.cornell.edu/supct/html/96-1470.ZO.html] involving American-made hair care products that in the US were marketed at premium prices through salons but were sold more cheaply in Europe, the Court made a unanimous decision that the manufacturer had no right to prevent a New york discounter from buying the products from a European distributor and selling them cheaply in the US. However, in a more recent case [http://www.wired.com/threatlevel/2010/12/scotus-first-sale/] the Court upheld a lower court ruling that a retailer (Costco) violated copyright in importing watches made abroad and selling them without authorisation from the manufacturer (Omega). In yet another case, the court ruled that a Thai student who was importing cheap editions of university textbooks from Thailand to the US and selling them on Ebay was not violating the publisher's copyright [http://www.salon.com/2013/03/19/court_sides_with_student_in_case_over_textbooks/singleton/].
The first sale idea also applies to the consumer. For example, it would be illegal to copy the DVD and give someone else the copy, but once you have bought it you have the right to use it as you please.
Critics of DRM argue that, for example, movie companies simply do not have the right to prevent a user from fast-forwarding past advertising or buying a DVD in the US and playing it in Europe. To the critics, DRM systems that restrict users in such ways are best described as '''BAD''', for '''Broken As Designed'''. There is no technical reason for such "features"; a system without them would actually be simpler; therefore there is no reason to imagine that users ought to put up with them. One anti-DRM website is called [http://www.defectivebydesign.org/ Defective by Design].
The argument on the other side is basically that the copyright on the content plus the license agreements for the equipment and content give the companies those rights. Some sort of licensing restrictions (or perhaps some other legal mechanism) seem obviously essential &mdash; for example, buying a ticket to a concert should not give the right to record it and sell CDs, and movie companies definitely do not want to give anyone who buys a DVD the right to show it in a theater. The movie and record companies believe that various other restrictions are important as well, and that their licenses give them the right to impose those; this notion is quite controversial.


====Other issues====
====Other issues====
Line 184: Line 244:
All '''copyrights expire'''; they are only created "for limited Times", to quote the US law. Both legal and technical questions come up when copyright on a DRM-protected work expires.
All '''copyrights expire'''; they are only created "for limited Times", to quote the US law. Both legal and technical questions come up when copyright on a DRM-protected work expires.


Another issue is the legal doctrine of '''first sale''', essentially that once a company sells a product they no longer control it. Critics of DRM argue that, for example, movie companies simply do not have the right to prevent a user from fast-forwarding past advertising or buying a DVD in the US and playing it in Europe. It would be illegal to copy the DVD and give someone else the copy, but once you have bought it you have the right to use it as you please. The legal argument on the other side is basically that their copyright on the content plus the license agreements for the equipment and content give them those rights.
'''Privacy laws''' may be an issue if a system with DRM "phones home" to provide usage information to a vendor. What information is provided? How is it used? How is it protected? Is the user informed, or asked for permission? This becomes more complex if the information crosses international boundaries in the process.


'''Privacy laws''' may be an issue if a system with DRM "phones home" to provide usage information to a vendor. What information is provided? How is it used? How is it protected? This becomes more complex if the information crosses international boundaries in the process.
==== Illegal DRM? ====


==== Illegal DRM? ====
Some DRM may itself violate laws. For example, the "region codes" on DVDs are intended to segment the market, preventing for example a European (region 2) or Australian (region 4) customer from buying cheaper DVDs from US (region 1) vendors. Film companies insist that this is necessary, but nothing in copyright law grants them that sort of control over their market. Critics argue that the whole business of region codes is a conspiracy by a cartel of film companies, violating the competition and price-fixing laws of many countries and the [[WTO]] restrictions on [http://www.adb.org/Documents/Others/OGC-Toolkits/WTO/wto0400c2.asp Technical Barriers to Trade].


Some DRM may itself violate laws. For example, the "region codes" on DVDs are intended to segment the market, preventing for example a European (region 2) or Australian (region 4) customer from buying cheaper DVDs from US (region 1) vendors. Film companies insist that this is necessary, but nothing in copyright law grants them that sort of control over their market. Arguably, the whole business of region codes is a conspiracy by a cartel of film companies, violating the competition and price-fixing laws of many countries and the [[WTO]] restrictions on [http://www.adb.org/Documents/Others/OGC-Toolkits/WTO/wto0400c2.asp Technical Barriers to Trade]. Such arguments appear to carry little weight; no media company has ever been prosecuted for such actions.
Such arguments appear to carry little weight with governments; no media company has ever been prosecuted for such actions. However, Australia and New Zealand have banned the sale of DVD players unless they are either region-free or come with instructions for disabling region code enforcement. The US government, on the other hand, has passed the [[DMCA]] making it illegal to provide a "circumvention device" which bypasses "technological protection measures". That is, in the US it may be illegal to defeat region codes, while in Australia it may be illegal to implement them.


Similar arguments apply to DRM on video games. In at least one case
Similar arguments apply to DRM on video games. In at least one case
Line 201: Line 261:


==== The Sony rootkit ====
==== The Sony rootkit ====
Then there was Sony's DRM "rootkit", of which the chairman of the US [[Federal Trade Commission]] said "Installations of secret software that create security risks are intrusive and unlawful" [http://news.cnet.com/2100-1027_3-6154655.html]. This was software on music CDs that secretly, and without asking permission, installed various things on any Windows computer that played the CD, and hid them from the user with "cloaking" techniques that are commonly used by [[Trojan_(computers)|trojan horse]] programs to hide their activites. The person who discovered it [http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx] was testing a tool for finding [[Rootkit_(computers)|rootkits]]; the things an attacker leaves behind after acquiring root (administrator) privileges on a system. Imagine his surprise when he found one, installed by Sony!
Then there was Sony's DRM "rootkit", of which the chairman of the US [[Federal Trade Commission]] said "Installations of secret software that create security risks are intrusive and unlawful" [http://news.cnet.com/2100-1027_3-6154655.html]. This was software on music CDs that secretly, and without asking permission, installed various things on any Windows computer that played the CD, and hid them from the user with "cloaking" techniques that are commonly used by [[Trojan_(computers)|trojan horse]] programs to hide their activites.
 
Mark Russinovich discovered it
<ref>{{citation
| url = http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
| title = Sony, Rootkits and Digital Rights Management Gone Too Far
| author = Mark Russinovich
| date = October 2005
}}</ref>
while testing a tool designed to find [[Rootkit_(computers)|rootkits]]; the things an attacker leaves behind after breaking into a computer and acquiring root (administrator) privileges. Imagine his surprise when he found one, installed by Sony!
 
Sony took a great deal of media flak [http://news.bbc.co.uk/2/hi/technology/4456970.stm BBC], [http://news.cnet.com/FAQ-Sonys-rootkit-CDs/2100-1029_3-5946760.html CNET] [http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm USA Today] over that. There was also a consumer class action suit, [http://www.eff.org/cases/sony-bmg-litigation-info settled] out of court.  [[Bruce Schneier]]'s analysis is interesting: "While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be." and "What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? ... This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home."
<ref name=schneierblog>{{citation
| author = Bruce Schneier
| url = http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
| title = Sony's DRM Rootkit: The Real Story
| date = November 2005
}}</ref>
 
==== Ubisoft DRM rootkit ====
 
In 2012, the DRM system for one edition of the game [[Assasin's Creed]] was found to install a backdoor that allowed remote control of the victim PC. [http://www.geek.com/articles/games/ubisoft-uplay-drm-found-to-include-a-rootkit-20120730/]
 
==== DRM that violates copyright ====
 
Media companies may be quite interested in protecting their own "intellectual property", but in some cases they may not have much respect for other people's.
 
{{cquote|Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation  of that library's license agreement. <ref name=schneierblog/>}}
 
In 2010, a German firm sued Warner Brothers, accusing them of using pirated anti-piracy technology.


Sony took a great deal of media flak [http://news.bbc.co.uk/2/hi/technology/4456970.stm BBC], [http://news.cnet.com/FAQ-Sonys-rootkit-CDs/2100-1029_3-5946760.html CNET] [http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm USA Today] over that. There was also a consumer class action suit, [http://www.eff.org/cases/sony-bmg-litigation-info settled] out of court.  [[Bruce Schneier]]'s [http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html analysis] is interesting: "While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be." and "What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? ... This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home."
{{cquote|"We disclosed our anti-piracy technology to Warner Bros. in 2003 at their request, under strict confidentiality, expecting to be treated fairly," the company said in a statement. "Instead, they started using our technology extensively without our permission and without any accounting to us." <ref name=escapist>{{citation
| author = Andy Chalk
| title = Warner Bros. Sued for Pirating Anti-Piracy Technology
| url = http://www.escapistmagazine.com/news/view/100937-Warner-Bros-Sued-for-Pirating-Anti-Piracy-Technology
|date = May 2010
}}</ref>}}


=== Technical problems ===
=== Technical problems ===
DRM is attempting a fundamentally difficult task. Security author [[Bruce Schneier]] states of DRM: "Trying to make digital files uncopyable is like trying to make water not wet."<ref>Bruce Schneier 'Quickest Patch Ever' [http://www.schneier.com/essay-126.html]</ref>
DRM is attempting a fundamentally difficult task. Security author [[Bruce Schneier]] states of DRM: "Trying to make digital files uncopyable is like trying to make water not wet."
<ref>{{citation
| author =Bruce Schneier
| title = Quickest Patch Ever
| url = http://www.schneier.com/essay-126.html
| date = September 2006
}}</ref>


In particular cases, the costs may be quite high. Another well-known security expert, Peter Gutmann, wrote of Microsoft DRM efforts: "The Vista Content Protection specification could very well constitute the longest suicide note in history"<ref>Peter Gutmann 'A Cost Analysis of Windows Vista Content Protection' [http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html]</ref>.
In particular cases, the costs may be quite high. Another well-known security expert, [[Peter Gutmann]], wrote of Microsoft DRM efforts: "The Vista Content Protection specification could very well constitute the longest suicide note in history"<ref>Peter Gutmann 'A Cost Analysis of Windows Vista Content Protection' [http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html]</ref>.


Why is this so difficult? Assume you are a totally legal user of the material protected by DRM, and all the security tests for your music, or your software, are successful. To hear the music, it has to be put into a form the speakers will reproduce. At some point between the DRM-protected recording and the speaker, the signal has to be put into a useful form. Once it is in that form, how does the DRM enforcer prevent it from being copied?
Why is this so difficult? Assume you are a totally legal user of the material protected by DRM, and all the security tests for your music, or your software, are successful. To hear the music, it has to be put into a form the speakers will reproduce. At some point between the DRM-protected recording and the speaker, the signal has to be put into a useful form. Once it is in that form, how does the DRM enforcer prevent it from being copied?


One of the great problems with encryption is hiding decrypted content. In order to hide it from user applications, DRM-enabled players decrypt content in kernel mode and check for unsigned drivers. Some DRM developers suggest using TPM chip to insure that operation system is genuine and only signed drivers can be loaded. In such systems DRM drivers can control computer completely and perfectly hide the decryption process.
One of the great problems with encryption is hiding decrypted content. In order to hide it from user applications, DRM-enabled players decrypt content in kernel mode and check for unsigned drivers. Some DRM developers suggest using a [[TPM]] chip to ensure that the operating system is genuine and only signed drivers can be loaded. In such systems DRM drivers can control computer completely and perfectly hide the decryption process.


The problem of protecting material on a DVD or other physical storage device are simple when compared to delivering content across the Internet. Think of pay-per-view television. Even in [[encryption|encrypted]] form, it has to pass through intermediate distribution points on the Internet; the general distribution problem here is part of [[inter-domain multicast routing]] (IDMR). How do the legal users get the [[cryptographic key|decryption key]] for the program for which they have paid, and only for that program? Can anyone along the path from content user to content buyer intercept that key and use it? If so, will the legitimate user still be able to use it? Alternatively, can the stolen key be distributed?
The problem of protecting material on a DVD or other physical storage device are simple when compared to delivering content across the Internet. Think of pay-per-view television. Even in [[encryption|encrypted]] form, it has to pass through intermediate distribution points on the Internet; the general distribution problem here is part of [[inter-domain multicast routing]] (IDMR). How do the legal users get the [[cryptographic key|decryption key]] for the program for which they have paid, and only for that program? Can anyone along the path from content user to content buyer intercept that key and use it? If so, will the legitimate user still be able to use it? Alternatively, can the stolen key be distributed?
Line 240: Line 340:


==References==
==References==
{{reflist|2}}
{{reflist|2}}[[Category:Suggestion Bot Tag]]

Latest revision as of 12:00, 7 August 2024

This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see
Category:Articles for deletion.


This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

Digital rights management (DRM) refers to the laws and technologies which provide intellectual property owners control over the distribution and use of their material by controlling consumers' use of it. The claimed goals are to prevent copying of digital media and to restrict access and content use to what is allowed by copyright law.[1]

Critics refer to it as "Digital Restrictions Management", and argue that many of the restrictions it enforces go well beyond the rights granted by law.

History

Copyright law is the earliest form of intellectual property protection. This area of law developed for print media, long before copying machines and digital media, and has not necessarily kept pace with technology.

Legal Background

The copyright since its formal creation in 1710 by the British Statute of Anne and its inclusion in the U.S. Constitution[2] has been the main protection scheme for intellectual property rights for creative information goods and services.

Article I, Section 8, Clause 8 of the U.S. Constitution: "To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries."

Copyright law grants exclusive legal ownership of information under specific conditions and terms. Through two major revisions of U.S. copyright law in 1909 and 1976,[3] the range of content and media forms covered by legislation were expanded.

During the pre-digital era, large-scale copying was expensive and usually resulted in degraded content. The development of electronic and digital media transformed the production and distribution of information goods and services. In digital form, the content could be copied perfectly or easily converted to another form or format, and thus lifted the physical constraints of copying. The rise of digital media and networks made sharing and copying not only easier for traditional information "pirates", but also made it easier for individuals. Unlike the "pirates" whose unauthorized copies were for commercial gain, individual copying stems from behavioral norms from traditions of fair use and first-sale rights.

The rise of unlicensed and illegal copying and distribution of intellectual property cast doubts on whether a copyright provided enough protection in the wake of continued digital innovations. Copyright owners responded by developing technological copyright protection mechanisms (CPM) in order to make copying more costly and difficult. For CPM to succeed, legal enforcement was needed to ensure the uniform adoption of technologies and that any attempt to circumvent them would be criminalized. The U.S. 1998 Digital Millennium Copyright Act (DMCA) provided for enforcement of copyright protection mechanisms. The development of schemes that were capable of not only preventing or limiting copying, but also controlling the distribution and uses of digital media eventually became collectively known as digital rights management[1].

Music: The first to be hit

Initially, writing and written works were the primary focus of this legislation: technology, or lack of it, protected other art forms, such as film and music, from being easily copied or distributed in a way that required heavy enforcement.

The Conditions

However, as technology improved exponentially in the past half century, the copying of these art forms became more and more an issue. Eventually, a tipping point was reached, and music was the form of media that was hit head on with the problem of copying becoming so easy, that copyright violation became an unenforceable law. Although there are many theories as to why music was first, several factors are credited:

  • Digitized Format: The digital Compact Disc format, first published in 1988 by Philips and Sony, was the primary medium for music storage and sale by the early 1990's. As music was already distributed mainly via this digital medium, it made it easy to make digital copies with minimal effort and a home computer. This is in stark contrast to other media, such as books, which were still widely sold on a physical, non digital medium, and would take more then a computer and quite a bit of effort to fully copy digitally.
  • The format of Albums: For decades the common format of music sale has been the Album, a collection of music tracks typically related in some way and produced by the same artist. A album typically has between 10 and 20 tracks on it, and each track is typically 3 to 5 minutes long. Although the album itself is considered extremely important to the format of music, each track is easily enjoyed by most of the general public outside the context of the album as a whole. Therefore, sharing a single track off an album is extremely common, and a single track is small and easy to share. An album's segmentation therefore makes sharing it easier. This is in contrast to a film, where no such segmentation exists; Most people get very little utility out of just part of a film, rather than the film as a whole.
  • The consumer base: Although people of all ages enjoy music, most music is marketed (and sold) to adolescents and people in their 20's. As it so happens, these young people are the people most adapt to new technology, and the quickest to adapt it to save them money and time.
  • Previously Unenforced Conditions: Some copying of music via tapes was technically illegal before, but rarely enforced. Other copying, such as making a cassette to play in the car, was not; the record companies had argued that all the way to the US Supreme court and lost. As a result, the average consumer did not perceive copying music to be illegal.
  • The MP3 format: The MPEG Audio Layer 3 format, released in the early 1990's, is considered one of the leading reasons as to why music was so quickly hit with the copyright problems leading to DRM. As the Cotton Gin is often blamed for the boom in the institution of slavery[4], so is the miracle of the MP3 format often blamed for blindsiding the music industry. Music and sound formats, such as Microsoft's WAVE format, were available long before the MP3 format. However, the compression of a high quality music track into a media file with an average length of 4 megabytes, allowed for the ease of transmission needed for widespread copying.
  • Wide Internet Adoption: The exponential adoption of internet access into the average American household in the early 1990's allowed for a ubiquitous, cheap, and quickly growing medium to transmit data distances that were previously unheard of. Without the internet, music would only be able to be shared as far as you could walk it[5].
  • Limited Record Company Adoption: With previous improved formats, such as cassette tapes and CD's, the music industry has been fast to adapt, develop, and switch to these new forms of media to satisfy the demand. However for digital music this was not the case. Although computers with CD burners and MP3 player sales were skyrocketing in the early 90's, from 1999 (the release of Napster) to 2003 (the opening of the Itunes Store), there was no digital music service offering any of the music produced by the big 4 record companies (Warner, Sony BMG, EMI, Universal). As a result, the lack of service drove people to acquire their music via illegal copying.
  • Development of distributed file sharing: Internet-based technologies grew to encompass distributed file sharing, with no central distribution point at which unauthorized distribution could be stopped.

The Reaction

As a result of these conditions, starting with the release of the Napster sharing service in 1999, the music industry began to react to the growing amount of file sharing that was occurring via various services. The music industry, through the RIAA, decided on three primary avenues of advance to thwart this growing problem:

  • Shut down the services: Napster was the first to be sued by the RIAA, and shut down (as a free service) in July 2001[6]. Subsequent services, such as Kazaa have been sued but have reacted by moving offshore, outside the jurisdiction of the RIAA.
  • Offer services to consumers: The record companies began to give licenses to digital distributers, allowing them to sell their music. Under almost every circumstance, some sort of DRM clause was in the contract initially. In recent months however, record companies have begun to bow to demand and allow DRM free services to start.
  • Make Examples of Sharers: In order to drive up the perceived "cost" of sharing music illegally, the RIAA began to sue people who were sharing large libraries of music online[7]. Although most of these cases were settled out of court, the settlements stretched into tens of thousands of dollars and cost much more due to legal fees.

Consumer Backlash to the RIAA

In purely economic terms, the record companies were executing textbook strategy: Lower the cost of purchasing a track online, raise the cost of sharing or downloading one, and eventually your consumer base will switch to the cheaper option.

However, the RIAA failed to consider the nightmare they could produce by suing their consumers, many of whom were children[8]. As a result, there was a backlash towards the RIAA and big music in general[9], and although sales of digital music rose quickly, the PR of the music industry took a heavy hit.

Additionally, the introduction of DRM was not as well received as the industry would have liked. The fact that DRM soiled a product that consumers were used to purchasing without strings drove many away from the services offered by the record companies.

Recovery: The movement away from DRM

Responding to consumer demand and the practicality of the changing industry, a host of music services have recently begun to sell music that is DRM free. Although the record companies are slow to accept this reality, it is beginning to become an industry trend. [10]

Some services to recently offer DRM-Free services are:

Film: Learning from Music's Mistakes

Trying to not make the same mistakes as their music counterparts, the film and TV industry is attempting to be faster in the adaptation of digital distribution.

Forms of DRM were introduced in both the DVD and Blu-Ray formats. The DVD format was cracked in the 90's, and weaknesses in Blu-Ray were found within months of release. [13] [14]

However, the industry as a whole is beginning to accept the idea that fewer and fewer consumers are accessing their content via physical media, and more and more are switching to digital or streaming services.

Rather then fighting the tide of digitization as the music industry did, the film and TV industry is trying to move faster to offer reasonable services to consumers that match the demand:

  • In order to have immediate access to shows and movies, most cable services are now offering On-Demand services via digital cable. These services differ from traditional pay-per-view services in that they typically have a much wider selection, and often have a wide selection of free films and TV shows that come with the package.[15]
  • In order to counter services such as DailyMotion and YouTube, distribution networks are beginning to offer TV shows and Movies streaming online with commercials and / or banner advertisements. Such services include
    • ABC.com
    • Hulu [16]
    • SouthParkStudios.com [17]

DRM Approaches

Encryption

Early DRM relied on encryption, using a content encoding system and then limiting access to the decoding technology. All control over future use was lost once the content was decoded, and any protection against illegal copying still relied on copyright law.

CSS

An example is the DVD Forum's Contents Scrambling System (CSS) which provided a common means of encoding for all movies on DVD. Any firm producing players or software to view the encoded movies was supposed to license the decoding system from the forum. Despite industry claims, this scheme was not designed to prevent copying — a bit-for-bit copy of a DVD would play on any player that the original would.

What it did attempt was to control usage of the DVDs. CSS includes a system of region codes such that, for example, a DVD sold in North America (region 1) will not play on a player sold in Europe (region 2).This allows the movie companies more control over their markets, for example charging higher prices in some regions or holding back DVD release for a region until after the cinema release there. There are other controls as well; for example the fast-forward control is locked out during the opening section of the disk so that a user cannot bypass the advertising or movie previews there.

Not all vendors follow the Forum's rules; there are many "region-free" DVD players on the market; see for example, this site. Also, some players that normally implement region codes can be set to ignore them, either in software or by replacing a chip; there are guides on the net for that as well. In some markets, such as China, nearly all players are region-free. In others, such as Europe, buyers tend to prefer them. One of Britain's largest retailers, Tesco found massive demand for such players and asked the movie industry to drop region codes altogether [18]. NASA sent Sony players, modified to be region-free, to the International Space Station [23]; Sony were not entirely happy about this.

There is a later variant called RCE or "regional coding enhancement" [24] intended to block play of new discs on region-free players.

DeCSS

For playing DVDs on a computer, the CSS scheme is easily bypassed; there are a number of programs which do this. The first one to become widespread was a decoder for Windows known as DeCSS.[1] There was a great deal of controversy on the net and in the courts over this.

  • The Motion Picture Association of America (MPAA) took the position that DeCSS was a "circumvention device" under the US Digital Millennium Copyright Act and sued many people, including web sites who only linked to the code. These suits succeeded and court orders were issued to take down some copies of the code and links. Of course, copies are still readily available from places outside US jurisdiction.
  • The DVD Content Control Association (DVD-CCA) argued that breaking CSS involved misuse of trade secrets and sued on those grounds. These suits failed.

There are archives of documents from both cases at Harvard and EFF. Harvard also has a FAQ document covering both legal and technical issues.

One issue was whether the DeCSS code qualifies as protected speech under the First Amendment of the U.S. Constitution. A earlier court ruling in the Bernstein case over export restrictions on cryptography had set a precedent that those protections sometimes apply to code. However, in the MPAA case, the judge ruled that they did not apply to DeCSS. So some code is protected, other code is not. Computer science professor David Touretzky has a Gallery of CSS Descramblers exploring where the border might lie.

CSS analysis

CSS is obviously a flawed cryptosystem. It is weak in theory — David Wagner testified in one case that he asks his Berkeley students to break it as a homework assignment — and weak in practice since DeCSS (a reasonably short, simple and fast program) defeats it completely. What went wrong?

First, CSS was designed to be weak; it used a stream cipher for the bulk data encryption, and some additional things for key management The system as a whole used only a 40-bit key, to comply with cryptography export laws of the time (mid-90s). For why a short key makes any cipher inherently weak see brute force attack. For discussion of debate about those laws see politics of cryptography. In this case, it may not have been US law that imposed bad cryptography. CSS was designed by Mitsubishi engineers and at the time, Japan also had strict export laws.

Second, CSS was designed and even standardized in secret, without a public review that might have caught various design weaknesses. In some court cases DVD-CCA even claimed its inner workings were trade secrets. This violates Kerckhoffs'_Principle; no cipher should be trusted until it is published and reviewed. See cryptography is difficult for discussion of this common problem.

For a full paper cryptanalysing CSS, see Cryptanalysis of Contents Scrambling System. It indicates that CSS did not even achieve 40-bit security, more like 25; this is so weak it can conveniently be broken on demand.

Later DVD encryption

Later DVD products such as DVD audio use a block cipher called Cryptomeria or C2. It is a Feistel cipher which uses S-boxes. It has ten rounds, 64-bit blocks, and a 56-bit key.

C2 is used in Content Protection for Recordable Media and Content Protection for Pre-Recorded Media, collectively known as CPRM/CPPM. The cipher itself has been published, but the S-boxes are secret and different for each application.

There has been some published cryptanalysis of the cipher [19] [20].

Blu-ray disks

For the new higher-density Blu-ray disks, Intel designed a new DRM system called High Definition Content Protection; this is administered by Digital Content Protection LLP. It has been broken.

AACS took years to develop, and it has been broken in weeks. The developers spent billions, the hackers spent pennies.

There is no future in which bits will get harder to copy. Instead of spending billions on technologies that attack paying customers, the studios should be confronting that reality and figuring out how to make a living in a world where copying will get easier and easier. They're like blacksmiths meeting to figure out how to protect the horseshoe racket by sabotaging railroads. The railroad is coming. The tracks have been laid right through the studio gates. It's time to get out of the horseshoe business.[25]

Some have argued that DRM is a major reason Blu-ray is not doing as well as expected in the market[21].

Marking

This DRM approach entails the encoding of markers into the digital content that can be used for description, identification, protection, monitoring, tracking, and limiting uses of that content. Combining this approach with the technology to read the markers and abide by the markers allows for even greater control over management of digital content than the encryption approach.

It may also provide ways of tracking down copiers. For example, if a "pirate" DVD version of a film appears when the movie has only been legally released in theaters or as video-on-demand over cable, it maybe possible to find markings in the DVD version that show which theater or which cable customer provided the material.

Examples of the marking approach to DRM can be found in downloaded music from content providers such as Apple, Microsoft, RealNetworks, and Sony. A future example is the broadcast flag system which is being proposed for U.S. digital television which would allow cable networks to limit the copying or distribution of their programming.[1]

Some marking methods hide the markings using techniques from steganography. In other cases, the markings are quite visible; for example photographs on the web often have the photographer's name or the website URL printed across them to discourage copying.

NEC have announced [26] an advanced marking system, to be included in the MPEG 7 standard, that puts a mark on every frame of a video.

Rights Locker

The "rights locker" approach drastically changes the way in which digital content can be used. Instead of owning copies of the digital media, the consumer owns a set of rights to access the content from a central digital network using a specified range of devices.[1] Examples of this approach include On-demand TV content and Netflix's watch instantly service where users are allowed temporary local copies while viewing the programming.

Difficulties of DRM

Digital rights management, or DRM, is based on the idea that we should design computers that consult an internal policy document written by a third party to check if anything the owner might want to do is a permitted task. If you hit control S or control C to save the work or copy the work, your computer would be able to stop you. I think your computer should never say no, it should always obey you.[22]

Consumer attitudes

Many people find DRM systems to be a hindrance to the use of the media they have purchased, and some consumers actively boycott companies and products that use DRM. Many consumers express a preference for material that is not 'hindered' with DRM protections. The attitude of companies that use DRM is widely perceived as "the customer is always wrong".

DRM also seems to be doing very little to stop copyright infringement: "today, infringement is more widespread than ever"[23].

One online joke collection includes "Copy Protection: A clever method of preventing incompetent pirates from stealing software and legitimate customers from using it."[27]

Access and Usage Concerns

Consumers have many concerns in regards to access and usage of various content due to DRM systems/restrictions. Consumer opinions are to keep the rights of the consumer from the analogue realm to be the same in the digital realm. Some rights that users are concerned about losing are their abilities to create private backup copies, excerpt, transition data from one device to another, record for future use, and editing content for personal use.

More explicitly, consumers worry about the loss of data because of restrictions on transferring from one format to another. This may force consumer into repurchasing digital data in another format, when they can easily have the capability of transitioning the format themselves. Another outside concern consumers ask is how do DRM Systems handle the expiration of copyright terms. Do DRM systems release their restrictions when the copyright term expires?[24]

In an interesting development, one company removed DRM from their product about a week after releasing it:

Our approach to countering piracy is to incorporate superior value in the legal version, This means it has to be superior in every respect: less troublesome to use and install, with full support, and with access to additional content and services. So, we felt keeping the DRM would mainly hurt our legitimate users. This is completely in line with what we said before the release .... We felt DRM was necessary to prevent the game being pirated and leaked before release. This purpose has been served, so we are pleased to let our users enjoy the full freedom of game usage they deserve.[28]

Privacy Concerns

The main user concern in regards to privacy is the ability for the DRM systems to record and transmit consumer usage of particular products and digital data. This becomes a double edged sword. Some users enjoy this feature; for instance, recommended music/videos/books appeals to some users when trying to find something new to experience. Other users complain about this claiming they are being targeted more easily by data/media providers. There are also concerns in passing private information over the internet such as credit card information to make purchases. These are difficult concerns to balance for DRM systems.

Consumers recommend the following: DRM Systems should store "no more data than necessary" and store data for "no longer than necessary". These systems should also be complex enough to inform consumers of all data that is shared about them. Consumers should have the opportunity to regulate how much the DRM system can/can't report or share.[24]

Interoperability Concerns

Interoperability is a difficult concern to deal with because it tries to balance users being able to use their media on many machines/programs without any problems, but the industry must also worry about how to protect against the distribution to unauthorized users. Some recommendations are to allow for portability and compatibility with multiple devices, an open standard for the various devices, and no platform restrictions for consumers. Consumers should not have to re-purchase media for use on another device.[24]

Security Concerns

There is a concern that some DRM systems will require an internet connection and opening up vulnerabilities to the consumers' computers or limit the ability of current software on their computers. This concern falls mostly with "trusted computing" which in order to work, according to consumers, "trusted computing" providers must be a certified provider and must allow the consumer to set the level of security.[24]

Business Concerns

Consumers do not like where some of the business concepts are going such as all post purchase control, inability to share across multiple devices used by the consumer, usage tracking, and file expiration. Some other concerns are the advantages bigger companies have over smaller/medium sized companies in regards to DRM licensing costs, the price control of online products versus conventional counterparts, and technology advances that will be held back by embedded players/devices. [24]

Legal problems

There are a number of legal issues around DRM. Similar issues turn up in all jurisdictions, but any of them may play out differently in different legal systems. This makes dealing with them immensely complex, especially in designing a DRM system to be used in many countries.

Fair use

There is a basic principle of copyright law, called fair use [25] in US law. For example, copyright does not prevent quoting a work in a review or analysis, or using it in education. Nor does it prohibit a blind user from using software that will read an e-book aloud for him. Other legal systems have the same principle, but the name and the details vary from country to country. British and Canadian law call it "fair dealing".

The principle is clear, but the border is by no means sharply delineated. Between the black of copyright infringement and the white of perfectly legal fair use, there is a large grey area. This is being narrowed down by various court rulings and sometimes altered by new legislation, but will likely never go away entirely.

That principle greatly complicates the design of DRM systems. Copyright law allows fair use; how can DRM software manage that? What do you do about the grey areas? If you ignore fair use, or just misjudge some grey areas, you will infringe on the users' legal rights; what are the market or legal consequences of that? Some current DRM software blocks legitimate fair use; for example some DRM systems will prevent a blind use from having software read a book aloud and, if it worked as designed, CSS on DVDs would prevent a reviewer from using an excerpt in a review. Beyond that, how can a DRM system adapt to changes in the law?

Fair use arguably includes the right to time shifting, for example using a VCR to record a TV program to watch later. In one case that was fought all the way to the US Supreme Court, the court ruled that recording TV programs for home use did not violate copyright, so Sony could not be held to be contributing to copyright infringement by selling VCRs. A similar issue is space shifting, for example copying music from a record or CD to cassette tape for listening in the car or copying a DVD to videotape to watch in another room. In another case, the court ruled that the Rio, "a portable digital audio device which allows a user to download MP3 audio files from a computer and to listen to them elsewhere.", is also legal fair use. Those decisions appear to mean that it is legal fair use for users to copy music from their CDs, or movies from DVD, onto their hard drives and/or into a portable player.

However, if the DRM allows those applications, how can it prevent the users from sharing the files? If it does not allow such things, can users legally break the DRM to enforce their rights? Will they just avoid DRM-protected products?

See also our article on Fair use.

First sale doctrine

Another issue is the legal doctrine of first sale, essentially that once a company sells a product they no longer control it.

The doctrine applies when a company sells to a distributor; the contract may restrict what the distributor then does with the product, but copyright law imposes no restrictions.

The law on this is somewhat complex. In the US, it goes back to a 1908 Supreme Court decision that a publisher (Bobbs-Merrill) could not prevent a department store (Macy's) from offering books at a discount, even though they had printed right on the flyleaf a statement that no-one was authorised to sell the book below their set price. Later, the first sale principle was explicitly written into the 1976 revision of the Copyright Act [29]. Since then, there have been rulings both ways. In a 1998 case [30] involving American-made hair care products that in the US were marketed at premium prices through salons but were sold more cheaply in Europe, the Court made a unanimous decision that the manufacturer had no right to prevent a New york discounter from buying the products from a European distributor and selling them cheaply in the US. However, in a more recent case [31] the Court upheld a lower court ruling that a retailer (Costco) violated copyright in importing watches made abroad and selling them without authorisation from the manufacturer (Omega). In yet another case, the court ruled that a Thai student who was importing cheap editions of university textbooks from Thailand to the US and selling them on Ebay was not violating the publisher's copyright [32].

The first sale idea also applies to the consumer. For example, it would be illegal to copy the DVD and give someone else the copy, but once you have bought it you have the right to use it as you please.

Critics of DRM argue that, for example, movie companies simply do not have the right to prevent a user from fast-forwarding past advertising or buying a DVD in the US and playing it in Europe. To the critics, DRM systems that restrict users in such ways are best described as BAD, for Broken As Designed. There is no technical reason for such "features"; a system without them would actually be simpler; therefore there is no reason to imagine that users ought to put up with them. One anti-DRM website is called Defective by Design.

The argument on the other side is basically that the copyright on the content plus the license agreements for the equipment and content give the companies those rights. Some sort of licensing restrictions (or perhaps some other legal mechanism) seem obviously essential — for example, buying a ticket to a concert should not give the right to record it and sell CDs, and movie companies definitely do not want to give anyone who buys a DVD the right to show it in a theater. The movie and record companies believe that various other restrictions are important as well, and that their licenses give them the right to impose those; this notion is quite controversial.

Other issues

All copyrights expire; they are only created "for limited Times", to quote the US law. Both legal and technical questions come up when copyright on a DRM-protected work expires.

Privacy laws may be an issue if a system with DRM "phones home" to provide usage information to a vendor. What information is provided? How is it used? How is it protected? Is the user informed, or asked for permission? This becomes more complex if the information crosses international boundaries in the process.

Illegal DRM?

Some DRM may itself violate laws. For example, the "region codes" on DVDs are intended to segment the market, preventing for example a European (region 2) or Australian (region 4) customer from buying cheaper DVDs from US (region 1) vendors. Film companies insist that this is necessary, but nothing in copyright law grants them that sort of control over their market. Critics argue that the whole business of region codes is a conspiracy by a cartel of film companies, violating the competition and price-fixing laws of many countries and the WTO restrictions on Technical Barriers to Trade.

Such arguments appear to carry little weight with governments; no media company has ever been prosecuted for such actions. However, Australia and New Zealand have banned the sale of DVD players unless they are either region-free or come with instructions for disabling region code enforcement. The US government, on the other hand, has passed the DMCA making it illegal to provide a "circumvention device" which bypasses "technological protection measures". That is, in the US it may be illegal to defeat region codes, while in Australia it may be illegal to implement them.

Similar arguments apply to DRM on video games. In at least one case [26] the Australian Competition Commission intervened on the side of someone being sued by Sony for "chipping" a game console, arguing that region codes exist not to prevent copying but to make certain games unplayable.

The Sony rootkit

Then there was Sony's DRM "rootkit", of which the chairman of the US Federal Trade Commission said "Installations of secret software that create security risks are intrusive and unlawful" [33]. This was software on music CDs that secretly, and without asking permission, installed various things on any Windows computer that played the CD, and hid them from the user with "cloaking" techniques that are commonly used by trojan horse programs to hide their activites.

Mark Russinovich discovered it [27] while testing a tool designed to find rootkits; the things an attacker leaves behind after breaking into a computer and acquiring root (administrator) privileges. Imagine his surprise when he found one, installed by Sony!

Sony took a great deal of media flak BBC, CNET USA Today over that. There was also a consumer class action suit, settled out of court. Bruce Schneier's analysis is interesting: "While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be." and "What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? ... This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home." [28]

Ubisoft DRM rootkit

In 2012, the DRM system for one edition of the game Assasin's Creed was found to install a backdoor that allowed remote control of the victim PC. [34]

DRM that violates copyright

Media companies may be quite interested in protecting their own "intellectual property", but in some cases they may not have much respect for other people's.

Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library's license agreement. [28]

In 2010, a German firm sued Warner Brothers, accusing them of using pirated anti-piracy technology.

"We disclosed our anti-piracy technology to Warner Bros. in 2003 at their request, under strict confidentiality, expecting to be treated fairly," the company said in a statement. "Instead, they started using our technology extensively without our permission and without any accounting to us." [29]

Technical problems

DRM is attempting a fundamentally difficult task. Security author Bruce Schneier states of DRM: "Trying to make digital files uncopyable is like trying to make water not wet." [30]

In particular cases, the costs may be quite high. Another well-known security expert, Peter Gutmann, wrote of Microsoft DRM efforts: "The Vista Content Protection specification could very well constitute the longest suicide note in history"[31].

Why is this so difficult? Assume you are a totally legal user of the material protected by DRM, and all the security tests for your music, or your software, are successful. To hear the music, it has to be put into a form the speakers will reproduce. At some point between the DRM-protected recording and the speaker, the signal has to be put into a useful form. Once it is in that form, how does the DRM enforcer prevent it from being copied?

One of the great problems with encryption is hiding decrypted content. In order to hide it from user applications, DRM-enabled players decrypt content in kernel mode and check for unsigned drivers. Some DRM developers suggest using a TPM chip to ensure that the operating system is genuine and only signed drivers can be loaded. In such systems DRM drivers can control computer completely and perfectly hide the decryption process.

The problem of protecting material on a DVD or other physical storage device are simple when compared to delivering content across the Internet. Think of pay-per-view television. Even in encrypted form, it has to pass through intermediate distribution points on the Internet; the general distribution problem here is part of inter-domain multicast routing (IDMR). How do the legal users get the decryption key for the program for which they have paid, and only for that program? Can anyone along the path from content user to content buyer intercept that key and use it? If so, will the legitimate user still be able to use it? Alternatively, can the stolen key be distributed?

The ACM run an annual workshop on DRM.

DRM Implementations

Several music sellers and distributors over the years have tried a number of DRM implementations:

Apple iTunes

Apple was the first company to capitalize on the digital music market by being the first acquire music selling licenses from the big 4 record companies. Apple's Music Service, iTunes Store, has infamously used DRM since it's inception. Although their DRM is easily cracked[32], recently iTunes has introduced a new iTunes Plus service which offers DRM-free music, and Apple is toying with the idea of removing DRM from it's services altogether[33].

Rhapsody

Rhapsody, the digital music service started by RealNetworks, is one of the most popular online music services with 2.25 million paid subscribers[34]. Rhapsody offers streaming music and DRM music downloads for a monthly subscription fee[35]

Napster 2.0

Napster 2.0 or the Napster Pay Service, is a DRM-enabled (specically Microsoft's Playsforsure-protected) music licensing service offering unlimited licensed MP3's for a monthly fee. As of April 2007, Napster 2.0 is reported to have 830,000 subscribers[36]. Napster also has a DRM free version of it's music store, which was opened in mid-2008 [37]

imeem

imeem is a streaming music social network. Until recently, imeem only offered music via DRM, but has recently removed DRM from it's services, reflecting an industry trend[38]

References

  1. 1.0 1.1 1.2 1.3 1.4 Bates, BJ. (2008) 'Commentary: Value and Digital Rights Management-A Social Economics Approach', Journal of Media Economics, 21:1, 53-77
  2. Bennett, S. (1999) 'Authors' Rights', Journal of Electronic Publishing, vol. 5, no. 2, Dec., 1999
  3. Tysver, Daniel A., Copyright Act (17 U.S.C.) Index
  4. The Eli Whitney Museum 'Cotton Gin: A History' [1]
  5. John Hannafin 'How the world is adopting technology' [2]
  6. 'Napster Shut Down'[3]
  7. David Kravets 'RIAAs Lawsuit Strategy in the Balance at Jammie Thomas Hearing Monday'[4]
  8. Eliot Van Buskirk 'Victim of Dropped RIAA Lawsuit Sues RIAA, Alleges Illegal Investigation of US Citizens' [5]
  9. Raymond Hoffman 'RIAA Lawsuit Backlash Continues' [6]
  10. Thomas Ricker 'Sony BMG launching (DRM-free?) Service'[7]
  11. Jon C. Ogg 'Amazon.com DRM-Free Service Won't Kill Apple (AMZN, AAPL)' [8]
  12. Techradar.com 'Sky launches DRM-free music download service: More cracks appear in music DRM' [9]
  13. Cory Doctorow 'Blu-Ray AND HD-DVD broken - processing keys extracted'[10]
  14. Gerry Block (Jan 2007) HD-DVD, Blu-ray AACS Copy Protection Broken
  15. Scott M. Fulton, III 'Comcast to announce all-on-demand service this morning' [11]
  16. 'NBC/Fox Video Site Hulu Open to Public'[12]
  17. Stan Schroeder 'Watch All South Park Episodes Online for Free' [13]
  18. Linda Harrison & Tony Smith (February 2000), Tesco slams ‘unnecessary’ DVD zoning
  19. Julia Borghoff, Lars Knudsen, Gregor Leander, Krystian Matusiewicz. Cryptanalysis of C2. Technical University of Denmark.
  20. Ralf-Philipp Weimann (2008-03-01). Algebraic Methods in Block Cipher Cryptanalysis. Darmstadt University of Technology. (Abstract is in German, paper itself is in English)
  21. Ganesh T S (Mar 2012), Cinavia DRM: How I Learned to Stop Worrying and Love Blu-ray’s Self-Destruction
  22. Jessica Griggs (June 2010), "Cory Doctorow: My computer says no", New Scientist
  23. Cory Doctorow, All Complex Ecosystems Have Parasites, O'Reilly Emerging Technology Conference, 16 March 2005.
  24. 24.0 24.1 24.2 24.3 24.4 Helberger, Natali. (2004) ‘ Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations’, MPRA Paper No. 6641, posted 08. January 2008
  25. Electronic Frontier Foundation 'Fair Use Frequently Asked Questions (and Answers)', 2002 [14]
  26. (July 2002). ACCC chips away at region coding. Australian Competition & Consumer Commission.
  27. Mark Russinovich (October 2005), Sony, Rootkits and Digital Rights Management Gone Too Far
  28. 28.0 28.1 Bruce Schneier (November 2005), Sony's DRM Rootkit: The Real Story
  29. Andy Chalk (May 2010), Warner Bros. Sued for Pirating Anti-Piracy Technology
  30. Bruce Schneier (September 2006), Quickest Patch Ever
  31. Peter Gutmann 'A Cost Analysis of Windows Vista Content Protection' [15]
  32. Mostly Saving Money 'How To Break iTunes DRM'[16]
  33. Steve Jobs 'Thoughts on Music'[17]
  34. RealNetworks 'Press Release'[18]
  35. Rhapsody 'Rhapsody: About'[19]
  36. Napster 'Napster Press Release'[20]
  37. Eliot Van Buskirk 'Napster Launches DRM-Free Music Store: Over 6 Million MP3s'[21]
  38. Fred von Lohmann 'DRM for Streaming Music Dies a Quiet Death' [22]