DRM Talk for Hewlett-Packard Research
Corvalis, Oregon
Cory Doctorow
European Affairs Coordinator, Electronic Frontier Foundation
www.eff.org
[email protected]
9/28/5
—
This text is dedicated to the public domain, using a Creative
Commons public domain dedication:
> Copyright-Only Dedication (based on United States law)
>
> The person or persons who have associated their work with this
> document (the “Dedicator”) hereby dedicate the entire copyright
> in the work of authorship identified below (the “Work”) to the
> public domain.
>
> Dedicator makes this dedication for the benefit of the public at
> large and to the detriment of Dedicator’s heirs and successors.
> Dedicator intends this dedication to be an overt act of
> relinquishment in perpetuity of all present and future rights
> under copyright law, whether vested or contingent, in the Work.
> Dedicator understands that such relinquishment of all rights
> includes the relinquishment of all rights to enforce (by lawsuit
> or otherwise) those copyrights in the Work.
>
> Dedicator recognizes that, once placed in the public domain, the
> Work may be freely reproduced, distributed, transmitted, used,
> modified, built upon, or otherwise exploited by anyone for any
> purpose, commercial or non-commercial, and in any way, including
> by methods that have not yet been invented or conceived.
—
Note: this essay is derived from notes for an invited talk to HP
Research on DRM. The talk was not delivered verbatim, nevertheless,
this is a good feel for what I said that day. For the text of an
earlier talk on this subject delivered to Microsoft Research, see
http://craphound.com/msftdrm.txt .
The canonical version of this talk live at
http://craphound.com/hpdrm.txt .
Alternate html version here (thanks, Branko Collin!):
http://www.xs4all.nl/~collin/test/hpdrm.html
—
I work for the Electronic Frontier Foundation, a member-supported
charitable organization that works to uphold the public interest in
technology law, policy and standards. For nearly four years, I’ve
spent my time attending DRM standards meetings, consortia, and treaty
meetings at the United Nations. In that time, again and again, I’ve
seen tech giants like HP take suicidal measures to voluntarily cripple
their products to make them more palatable to a few entertainment
companies, even though this measure makes them less palatable to
virtually all of your paying customers.
Nothing epitomized this more than Carly Florina’s inaugural CES
address in which she promised to put DRM in every HP product. Reading
that in my office in San Francisco (I live in London now), I thought,
well, hell, I guess I’m not buying any more HP products. I’m pretty
sure I’m not the only one.
I’ve had innumerable conversations with engineers, lawyers and execs
about DRM, but it’s rare that I get the chance to systematically
explain how DRM fails as a technology, as a moral proposition, and as
a commercial initiative. I’m grateful that HP has given me that chance
today. I’m looking forward to your questions after my talk.
Now, onto the talk, in which I will try to address the security, moral
and commercial aspects of DRM.
THREAT MODELS
There is no such thing as “security” in the abstract. You can’t be
made “secure.” You can only be made “secure” *against a specific
attack*. All security discussions must begin with an analysis of a
threat and a proceed to address that threat with countermeasures.
In discussions of DRM, radically different threat-models are usually
conflated to sow confusion and to disguise the implausibility of DRM.
In the paper at hand (as in many other cases), privacy-protection is
conflated with use-restriction. But these have totally different
threat-models:
* Privacy
In privacy scenarios, there is a sender, a receiver and an attacker.
For example, you want to send your credit-card to an online store. An
attacker wants to capture the number. Your security here concerns
itself with protecting the integrity and secrecy of a message in
transit. It makes no attempt to restrict the disposition of your
credit-card number after it is received by the store.
* Use-restriction
In DRM use-restriction scenarios, there is only a sender and an
attacker, *who is also the intended recipient of the message*. I
transmit a song to you so that you can listen to it, but try to stop
you from copying it. This requires that your terminal obey my
commands, even when you want it to obey *your* commands.
Understood this way, use-restriction and privacy are antithetical. As
is often the case in security, increasing the security on one axis
weakens the security on another. A terminal that is capable of being
remotely controlled by a third party who is adversarial to its owner
is a terminal that is capable of betraying its owner’s privacy in
numerous ways without the owner’s consent or knowledge. A terminal
that can *never* be used to override its owner’s wishes is by
definition a terminal that is better at protecting its owner’s
privacy.
THE DRM THREAT MODEL
The threat model for DRM is that an unscrupulous user will be able to
download an asset for free from the Internet instead of going through
a conditional access billing gateway. Additionally, DRM seeks to give
rightsholders the ability to restrict the use of assets after receipt
to enforce restrictions that are not related to copyright (e.g. remote
viewing, region-control).
A service operator can ensure that 100 percent of the assets behind
her conditional access system are wrapped with DRM, which means that
everyone who uses the system will receive media that is locked with
DRM. The system fails not when the DRM is cracked, but when a user
gains access to a non-DRM file, or when a user does not pay for
access.
Every file that is locked with DRM inside a conditional access system
is also available on the public Internet without DRM. In order for DRM
to be effective, a user must first freely choose to acquire the DRM
version over the non-DRM version.
The presence of DRM *cannot* entice a user to make use of the
conditional access system to acquire his media. Indeed, DRM acts as a
disincentive (there is no user who woke up this morning crying out for
a way to do less with her music). Where users buy DRM-locked files, it
is *in spite of* the DRM, or in ignorance of the DRM, but never
*because* of the DRM.
A familiar refrain from rightsholders is that “you can’t compete with
free.” It is certainly true that when your costly product is inferior
(because of use-restrictions) to the free alternative, it will be hard
to compete with free.
In the DRM world, security is breached so long as there is any person
with the wherewithal to make a cleartext copy of an asset and put it
on the Internet. In practice, this happens with amazing swiftness. Big
Champagne, a company that monitors P2P networks, says that iTunes-only
tracks (e.g. assets that are only released within DRM wrappers)
typically appear on P2P networks less than three minutes after they
are released to the iTunes Music Store.
To succeed in an attack against a DRM system, a user need not know how
to break DRM, she only needs to know how to search Google or another
general-purpose search tool for a copy that someone else has already
rendered in the clear.
THE DRM FOR PRIVACY THREAT MODEL
The privacy threat model generally revolves around accidental
disclosure and subsequent publicity. A common example of privacy
breach is an unscrupulous hospital worker who discloses the identities
of HIV-positive patients.
It is suggested that an iTunes Music Store-like model could defend
against this attack: a conditional access system restricts access to a
health record unless a valid credential (e.g. a password or smartcard)
is presented. A DRM system allows for later revocation of access once
it has been granted. However, as Don Marti points out, this is poor
security indeed:
“Deploy DRM and you can keep employees from forwarding
embarrassing email to the media. That sounds like the answer to
network-illiterate managers’ prayers, but if it’s juicy enough to
leak, it’s juicy enough to write down and retype…. Bill Gates
pitch[ed] DRM using the example of an HIV test result, which is
literally one bit of information. If you hired someone
untrustworthy enough to leak that but unable to remember it, you
don’t need DRM, you need to fix your hiring process.”
Don Marti, editor in chief, Linux Journal
Privacy almost always includes an element of personal/political power.
Children want to be private from their parents. Employees want privacy
from their bosses. Political dissidents want privacy from the Chinese
secret police.
For “privacy DRM” to work, the defender needs to be in a position to
dictate to the attacker the terms on which he may receive access to
sensitive information. For example, the IRS is supposed to destroy
your tax-records after seven years. In order for you to use DRM to
accomplish the automatic deletion of your records after seven years,
you need to convince the IRS to accept your tax records inside your
own DRM wrapper.
But the main reason to use technology to auto-erase your tax-records
from the IRS’s files is that you don’t trust them to honor their
promise to delete the records on their own. You are already
adversarial to the IRS, and you are already subject to the IRS’s
authority and in no position to order it to change its practices. The
presence or absence of DRM can’t change that essential fact.
This is a classic “who will bell the cat?” problem. Inventing new and
better-functioning bells doesn’t make getting them attached to the
cat’s collar any easier.
DRM AND NON-COPYRIGHT POLICY ENFORCEMENT
Many of the restrictions that DRM is used to enforce are unrelated to
copyright, and no DRM system can accurately model copyright, which is
highly fact-specific.
Copyright is a limited monopoly over the public copying, performance,
display and adaptation of original works. Copyright governs the
ability of commercial entities and a few noncommercial entities to
make copies, display them, etc.
Copyright does *not* confer the right to control “remote viewing” —
the ability to store a show in one place and watch it in another. It
does *not* confer the right to control timeshifting. It doesn’t confer
the right to control regional playback, as with DVDs that can only be
viewed on a US player or a European players. Copyright does *not*
confer the right to control re-sale or lending of lawfully acquired
works.
Copyright is used to extend the creator’s monopoly into all kinds of
realms, though. Take the so-called “Authorized Domain”, a trendy DRM
concept that confers on rightsholders the right to define valid
familial arrangements, something so far remote from copyright as to be
in an entirely different universe. In venues where the Authorized
Domain is being planned, designers are torn between two different
potential implementation models, both of which are totally
unacceptable:
* Hard limits on domain size
Only so many devices may join the domain (as with Apple’s five-device
authorization limit for iTunes). This has many unacceptable failure
modes, including the inability to deactivate lost, stolen or damaged
devices, as well as arbitrary limits on family size.
* Multi-test limits on domain size
In this model, a series of tests are applied, including tests for
proximity, tests for existing domain size, strategies for
re-accumulating domain credits, and proprietary tests. These tests are
logically represented on flowcharts that no end-user or retailer can
possibly understand (especially given the presence of proprietary
tests). Any customer who asks a retailer, “Will this device be able to
join my domain?” will inevitably get the answer: “maybe.”
Most unacceptable is the presence of “corner cases” like divorced
families with joint custody arrangements among several children, whose
devices may be restricted from belonging to more than one domain, or
blended households created in extremis (your father being sent to an
old folks’ home, your daughter moving into a student house), that are
surely households, even if they are not traditional families, and that
may fail the tests on domain size.
DRM AS A NEGOTIATION
DRM is often characterized as the outcome of a negotiation: “You may
have access to my song if you accept my restrictions.” But DRM always
gives rightsholders the ability to unilaterally renegotiate the terms
of the deal to take away rights you acquired when you got your device
and media.
For example, many updates to iTunes contain new restrictions on the
music you purchase. In the past 18 months, iTunes has instituted the
following new restrictions:
* Music can no longer be streamed to your computers wherever they are
— now they can only be streamed to computers on your LAN (no more
listening to your home music server while you’re at the office)
* Music can no longer be streamed to any number of people on your LAN
— now you can only stream music to a maximum of five people per 24
hours. If your friends tune in for ten seconds of music and then tune
away, that eats up one of your 24-hour slots.
* Playlists can no longer be burned 10 times — now they can only be
burned seven times.
* The iTunes API will no longer respond to all the apps you download
to increase iTunes’ functionality — now iTunes contains a blacklist
of apps whose API calls are silently discarded, as punishment for
adding functionality that Apple doesn’t care for.
You buy a song on day one and can do ten things with it. A few weeks
later, you can only do nine things with it. Then eight. Then seven.
Last week, many TiVo owners discovered that several of the free-to-air
and cable shows they received with their PVRs could not be saved
indefinitely, and would be automatically deleted after a set period.
Last year, Comcast PVR owners discovered that all their stored
episodes of Six Feet Under were deleted a few weeks before the DVD
came out.
The right to store your music and movies, the right to watch your
movies in any country you find yourself in, the right to timeshift and
space-shift, the right to re-sell, the right to loan, the right to
share your media with your family regardless of your familial
arrangements — these rights all belong to the public. Copyright law
reserves these rights from control by rightsholders.
DRM is a mechanism for unbalancing copyright, for betraying the
statutory limitations on copyright, for undermining the law itself. By
granting rightsholders the ability to unilaterally confiscate public
rights under copyright, DRM takes value out of the public’s pocket and
delivers it to rightsholders.
When you acquire a car, you acquire the right to charge your phone off
its cigarette lighter. No car owner has to assign that right to you.
Even if the car manufacturer thinks it can make big bucks by selling
the exclusive right to charge phones in its car to Nokia, nothing
prevents you from charging your Motorola phone from the lighter.
More complex are the rights reserved to the public under the banner of
fair use. Fair use is the copyright doctrine that allows users to make
uses *even if the rightsholder objects*. For example, critics,
parodists, educators, archivists and disabled people all have certain
rights to use copyrighted works without the permission from
rightsholders. In order for a DRM system to permit you to extract some
video for the purposes of making a parody, but stop you from doing
this for the purposes of burning the movie to a CD and selling it on
eBay, the DRM system has to be capable of reading your mind and
determining why you want to make your use.
The gradual tightening of DRM screws will alienate ever-larger groups
of customers. There are some who believe that if you turn the heat up
gradually enough, the customer will never notice that she has been
boiled. History suggests otherwise. The repeated disastrous attempts
to introduce DRMed CDs into the marketplace tells us once a customer
is accustomed to a use, she is unlikely to accept a product that
restricts it.
WHAT HP SHOULD DO
HP is under no obligation to play by the entertainment industry’s
rules in order to gain access to content. Format-shifting,
time-shifting and space-shifting are legal practices with long and
honorable traditions (indeed, Apple’s own iTunes software contains a
mechanism to format- and space-shift your CDs by ripping them to MP3,
as does Microsoft’s Media Player).
However, when tech companies seek a closer relationship with the
entrainment industry, they find themselves in the position of having
to offer means for restricting the use of their products in ways that
the market generally rejects — no end-user buys products because of
their DRM.
The worst-case scenario is to end up in a situation like the
Blu-Ray/DVD-HD wars. The two consortia responsible for these competing
formats are competing to please the entertainment industry by adding
more and more onerous restrictions to their technologies, restrictions
that raise the manufacturing costs while reducing the commercial
viability of their products.
HP need not follow this disastrous strategy. Practically every device
in the field has one or more analog outputs. It is both possible and
legal to connect digital recording devices to these outputs and make
legal near-perfect digital copies that can be played back and
manipulated on devices without Hollywood’s blessing. Devices such as
the Slingbox, the Orb, and Mythtv all do this today.
These devices play perfectly to the core strengths of the tech and
telecoms industry. PC vendors who provide flexible set-top boxes that
ease the pain of recording and librarying AV material will create
markets for ever-more-capable set-top boxes that have larger and
larger storage capacities, as well as backup solutions, service and
troubleshooting, etc.
A WORD ON TRUSTED COMPUTING
Current models for trusted computing conflate many features that are
useful to the user with many that undermine user privacy, investment
in content, and data-integrity.
On the positive side, trusted computing allows for superior
countermeasures against spyware and other malicious software. It
contains crypto accelerators that safeguard communications integrity
and secrecy. It eases the pain of managing end-to-end crypto for
private communications.
On the negative side, trusted computing can enforce policies against a
user’s wishes. Trusted computing can be used to block the use of
interoperable products (e.g., to force a user to use Internet Explorer
instead of Mozilla by allowing remote parties to reliably distinguish
among the two), and to block or complicate the backing up or migration
of user data. Additionally, trusted computing can be used as a
superior enforcement mechanism for DRM restrictions, particularly
those that seek to unilaterally renegotiate the terms under which
content is acquired.
This need not be. “Owner override” is a conceptual model for modifying
trusted computing hardware to retain all of its user benefits while
eliminating the dangers posed by allowing a device to enforce policy
against its owner’s wishes.
For more information on “owner override” please see Electronic
Frontier Foundation Staff Technologist Seth Schoen’s excellent paper
on the subject:
http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
Owner Override works by empowering a computer owner, when
physically present at the computer in question, deliberately to
choose to generate an attestation which does not reflect the
actual state of the software environment — to present the
picture of her choice of her computer’s operating system,
application software or drivers. Since such an attestation can
only be generated by the computer owner’s conscious choice, the
value of attestation for detecting unauthorized changes is
preserved. But the PC owner has regained fine-grained control,
even in a network environment, and the PC can no longer be
expected to enforce policies against its owner. Owner Override
removes the toolbox that allows the trusted computing
architecture to be abused for anti-interoperability and
anti-competitive purposes. It restores the important ability to
reverse engineer computer programs to promote interoperability
between them. Broadly, it fixes trusted computing so that it
protects the computer owner and authorized users against attacks,
without limiting the computer owner’s authority to decide
precisely which policies should be enforced. It does so without
undermining any benefit claimed for the TCG architecture or
showcased in Microsoft’s public NGSCB demonstration. And it is
consistent with TCG’s and most vendors’ statements about the
goals of trusted computing.
CONCLUSIONS
I can hardly fault HP for embracing the received wisdom on DRM.
However, the received wisdom is rarely a path to commercial success.
In the global marketplace, HP has numerous competitors, from giants to
smaller, nimbler firms — and if any company has an appreciation of
the potential of two guys in a garage, it should be this one.
The question isn’t *whether* one of these companies will defect from
the DRM game, but *when*. The first to market with better, more
powerful, more capable devices will emerge the clear winner.
I don’t believe HP can afford to sit tight and hope that the unspoken
agreement not to anger Hollywood will hold.
eof