Digital Rights Management

Back in the late 1980’s, I worked as a volunteer on a running race. Because I had a background in computer science, one of my tasks was to set up a database of all the race entrants and then to enter their finishing positions after the race so that we could publish the results in the local paper. A friend of mine had an Apple II computer with a database management program on it. I think the database program was AppleWorks. In any case, the database management program had a primitive copy protection mechanism, a scheme for ensuring that users of the software did not give copies of it to their friends. Each time I started the program, I had to answer a question from the user manual. The question might be something like: On page 37 of the manual, what is the fourth word in the third paragraph? This was in the days before copy machines were widely available so the thinking was that the software would not be very useful if you didn’t also have a copy of the user manual. It was a very primitive way of trying to prevent users from giving the software to all of their friends, of trying to protect what the software developers felt was their right to limit the copying of their software. Of course, this mechanism would not work today since it’s extremely easy to copy user manuals. But even back then, the critique of this protection mechanism was that it was easy to circumvent if you were determined to do so but it was simply an inconvenience for legitimate users. What if you lost your user manual, for example?

Since that time, digital rights management has come of age. DRM is a hot topic with owners of digital content claiming that their rights cover all sorts of things, allowing them to do all sorts of things to our computers without our consent. And yet, it is virtually impossible to use technology to prevent the copying of software and other digital content. So DRM is typically criticized for not actually protecting against illegitimate copying while making the lives of legitimate users very difficult. A number of stories about DRM have been in the news recently.

What is digital rights management? According to Wikipedia, it is a generic term that refers to any scheme that a hardware manufacturer or copyright holder implements to prevent illegimate use of their hardware or copyrighted materials. In 1998, the United States passed the Digital Millenium Copyright Act (DMCA) which among other things, made the circumvention of any digital right management mechanism a crime. In other words, if a company used the DRM mechanism that I described above (asking users to answer questions from a user manual), then copying the manual and giving it to a friend would violate the DMCA. But the situation for users of digital content is even more dire than that. DRM mechanisms today are wide-ranging, claiming all kinds of rights for the owners of digital copyrights, at the expense of your right to control what happens on your own computer.

I have been thinking about the DMCA since its passage because of its immediate impact on the research of computer scientists. Soon after the passage of the DMCA, the Secure Digital Music Initiative (SDMI) ran a contest that challenged researchers to break their latest digital watermarking scheme. Edward Felten, a computer scientist at Princeton, chose not to sign any of the confidentiality agreements that would qualify him for the monetary prize of the contest. Within three weeks, he and his team had broken the watermarking scheme and wrote a scientific paper that described the techniques they used. When the SDMI and the Recording Industry Association of America (RIAA) found out that the team was planning to present this paper at a conference, they threatened to sue, citing violation of the DMCA, specifically the portion of the act that makes it illegal to circumvent DRM schemes (of which the digital watermarking scheme was one). Felten withdrew the paper but also sued the SDMI and the RIAA and sought a ruling that presenting the original paper should actually have been allowed. Because Felten had not actually been sued and therefore had not been harmed, his case against the SDMI and the RIAA was dismissed on the grounds that he lacked standing to sue. Since then, the Justice Department has said that any threatened legal action against researchers such as Felten under the DMCA is invalid. But this judgment has not yet been tested in a court of law. And in the meantime, content providers have gotten bolder in their uses of DRM technologies.

In early 2007, Sony BMG Music Entertainment agreed to settle with the Federal Trade Commission after it was discovered that music CDs from the company contained software that was secretly installed on any computer on which the CDs were played. This software “limited the devices on which the music could be played, restricted the number of copies that could be made, and contained technology that monitored their listening habits to send them marketing messages.” Because the software gave access to users’ computers to Sony BMG, it also opened up holes on those computers to any intruder who knew about them. In addition, the software, once discovered, was unreasonably difficult to remove. The Federal Trade Commission said that this secret installation of software violated federal law. The settlement was a financial and public relations disaster for Sony BMG and should have put that kind of DRM technology out of business forever.

But the long-awaited release of Will Wright’s new game, Spore, from Electronic Arts earlier this month shows that DRM is alive and kicking. The reviews on Amazon are overwhelmingly negative due to the existence of SecuROM, a particularly nasty implementation of DRM. This software was developed by Sony DADC, does not announce that it is installing itself, limits the user to 3 installations of the game (even if it has been uninstalled), and is very difficult to uninstall, even if the game is uninstalled. It remains to be seen what kinds of security risks are opened up on the computers that have SecuROM on them. The biggest complaint seems to be about the limit of three installations because of how strict this limit is. Apparently, changes in hardware make the software believe that a new installation has occurred. So if a user upgrades her video card, she may use up one of her Spore installations. This software sounds very similar to the software that Sony BMG got slapped down for using so I can only imagine what is going to happen as these thousands of disgruntled gamers make their dissatisfaction known. Of course, the developers of Spore claim they are just trying to stop piracy. The problem with this argument is that the DRM scheme was broken before the game was released so anyone intent on pirating the game will be able to do so. Only legitimate users of the game will be harmed by SecuROM.

Legitimate users of Yahoo Music recently learned the lesson that purchasing DRM-protected content is actually like renting, rather than purchasing, that content. Yahoo Music Store will close its virtual doors at the end of this month. If you are one of the unlucky legitimate customers who bought your music through this store, you will no longer have access to your music because of Yahoo’s DRM scheme. When the store closes, the DRM license key servers will shut down. If you can’t get a DRM license key, you can no longer listen to music that you legitimately purchased. Meanwhile, those who pirated that same music will continue to enjoy what they pirated.

Content providers need to stop creating roadblocks for their legitimate users. These roadblocks do nothing to protect content.