September 10, 2007 5:01 AM PDT

The future of DRM

by Peter Glaskowsky

If ever a technology was introduced prematurely, it was digital rights management (DRM). From the DVD Content Scramble System (CSS) to the Advanced Access Content System (AACS) in HD DVD and Blu-ray systems, millions of dollars have been invested in failed attempts to prevent piracy of digital content.

Security is difficult to do right. CSS failed because virtually every element of the system was poorly designed. It used weak 40-bit encryption and was vulnerable to break-once, break-everywhere attacks. CSS continues to be used because it's better than nothing, but it isn't much better than nothing.

AACS solved many of the problems of CSS, but was quickly compromised because the AACS administrators allowed AACS to be implemented in purely software-based systems for PCs. Without hardware security, there was no way to stop ordinary software-debugging tools from extracting the cryptographic key values used to decrypt AACS-protected movies.

But the weaknesses of these systems shouldn't be taken to mean that effective DRM is impossible, as some have claimed.

There's a closely related claim that I can agree with: perfect DRM is impossible. It's inherently impossible to plug the "analog hole," for example. Anything a person can hear or see, a microphone or camera can record.

Nevertheless, DRM can be effective in the commercial sense--protecting the commercial distribution of copyrighted works against unfair and illegal competition from pirates. The full details of an effective DRM solution are beyond the scope of a single blog post, but making DRM work requires at least four factors that aren't present in current systems--and probably aren't even practical right now.

1. The DRM system must use secure hardware components integrated into the playback devices (e.g., displays and speakers) so there is no accessible digital pathway carrying decrypted data. Playback devices must be able to communicate with an authentication server the first time they see each protected work.

2. Playback devices must not be able to play full-quality unprotected content.

3. All copies of a given work must not be identical. When practical--with downloaded content, especially--each copy should be separately encrypted. When this can't be done--as with pre-recorded optical media--critical portions of the content should be distributed separately at the time of authentication. Even then, the number of copies sharing the same decryption keys should be limited as much as possible.

4. The authentication process must use a secure communication channel between the DRM hardware and the authentication server, and transfer only the information necessary to play that specific copy of the work on that specific presentation device.

With all of these requirements in place, even the most sophisticated pirate attack can only compromise one copy at a time. That's plenty bad, but without access to the authentication servers, the pirates can't create a new version that can be played on the protected players.
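A minimal sketch of requirements 3 and 4, added here as an illustration and not part of the original post: each copy gets its own content key, and the server releases that key only in a form bound to one device and one copy. The `AuthServer` class, device names and copy IDs are hypothetical, and the HMAC-based XOR wrap is a standard-library stand-in for the authenticated key wrap that real secure hardware would use.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed parts, so distinct inputs never collide
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class AuthServer:
    """Hypothetical authentication server holding the title master key."""
    def __init__(self):
        self.master = secrets.token_bytes(32)
        self.devices = {}  # device_id -> secret provisioned into secure hardware

    def enroll(self, device_id: bytes) -> bytes:
        self.devices[device_id] = secrets.token_bytes(32)
        return self.devices[device_id]

    def content_key(self, copy_id: bytes) -> bytes:
        # Requirement 3: every copy is encrypted under its own key
        return prf(self.master, b"content", copy_id)

    def issue_license(self, device_id: bytes, copy_id: bytes):
        # Requirement 4: send only what this device needs for this copy
        kek = prf(self.devices[device_id], b"kek", copy_id)
        nonce = secrets.token_bytes(16)
        pad = prf(kek, b"pad", nonce)
        wrapped = bytes(a ^ b for a, b in zip(self.content_key(copy_id), pad))
        tag = prf(kek, b"tag", nonce, wrapped)
        return nonce, wrapped, tag

def device_unwrap(device_secret: bytes, copy_id: bytes, license_):
    nonce, wrapped, tag = license_
    kek = prf(device_secret, b"kek", copy_id)
    if not hmac.compare_digest(tag, prf(kek, b"tag", nonce, wrapped)):
        return None  # wrong device, wrong copy, or tampered license
    pad = prf(kek, b"pad", nonce)
    return bytes(a ^ b for a, b in zip(wrapped, pad))

def demo():
    server = AuthServer()
    dev_a, dev_b = server.enroll(b"display-A"), server.enroll(b"display-B")
    lic = server.issue_license(b"display-A", b"copy-0001")
    return (
        device_unwrap(dev_a, b"copy-0001", lic) == server.content_key(b"copy-0001"),
        device_unwrap(dev_b, b"copy-0001", lic) is None,   # other device rejects it
        device_unwrap(dev_a, b"copy-0002", lic) is None,   # not valid for another copy
    )
```

Extracting the key for `copy-0001` from one device yields nothing usable for `copy-0002` or for a second device, which is the "one copy at a time" property the paragraph above describes.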

This point brings us to the key difference between perfect DRM and commercially practical DRM--a commercial solution merely requires that pirated content is clearly distinguishable from authorized content by ordinary users. Although many people are willing to play pirated content, most aren't.

But none of these technical requirements address the social drawbacks of DRM. No matter how well implemented, DRM will always annoy some people, and will always present one more potential source of problems. I think we'll find that some--and perhaps most--kinds of digital content can be profitable even without effective DRM. Just because something's possible doesn't mean it's necessary...but if DRM is necessary, at least it's possible.

Originally posted at Speeds and feeds
Peter N. Glaskowsky is a technology analyst for The Envisioneering Group. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
I love this line....
by R.Jefferson September 10, 2007 6:05 AM PDT
"Although many people are willing to play pirated content, most aren't."

Maybe I'm chillin in my own reality but I think you should reverse the use of many and most in that statement. Since both statements would be generalizations.
You may be right
by Peter N. Glaskowsky September 10, 2007 10:32 AM PDT
That's just my opinion, and I can't point to surveys or any other source of factual support.

. png
Two Words: Air Gap
by p40tomahawk September 10, 2007 9:25 AM PDT
OK, this only applies to music, but that's a significant part of what DRM has attempted to build for up until now. Equipment required: a Line Out cable, $2.99. And once it's been re-digitized, all those copies are in the open and the DRM is gone. It's possible that platforms could be designed which have hardware to guarantee that ONLY licensed files are playable; how successful do you think a non-MP3 hardware player would be in the open market???
Reasonable points...
by Peter N. Glaskowsky September 10, 2007 10:31 AM PDT
As I said, the analog hole can't be closed. If there's no Line Out jack, a pirate just puts a microphone up next to the speaker.

But as long as ordinary users can't make full-quality copies, I think that's sufficient to protect the work in the ordinary course of commerce. As I said, I think most people will pay for legitimate content.

. png
DRM=I will not buy the product
by Axiomatic13 September 10, 2007 11:23 AM PDT
I think people are going to vote with their wallets. The cat is already out of the bag. PEOPLE HATE DRM. Little old ladies are being made aware of DRM by their kids (or someone else) and since it provides no use/benefit to the consumer it will always be pointed out as crippleware and appropriately shunned.

I won't buy it, and when I find out I have, I return the product.

It boils down to this. Nobody wants software loaded on their PCs which they did not intend to put there. If there is a Windows service, or resident application, or system tray applet... IT'S EATING UP RESOURCES!

DO NOT WANT DRM!!!
You live a sheltered life
by Peter N. Glaskowsky September 11, 2007 12:48 AM PDT
Sheltered from Windows, Macs, iPods, DVD, HDTV, HD-DVD, Blu-Ray, cable and satellite TV. Basically your entertainment is provided entirely by Linux and CDs.

Hey, that's a perfectly moral choice. I can't criticize it at all. It just isn't MY choice. I like a lot of that stuff.

. png
by growldrm March 29, 2009 2:32 PM PDT
I took the bait and got bit. Spiralfrog has left me with 12 Gig of stuff I cannot use in 2 months. I should have read your blog over a year ago. Is this the future of DRM - a company goes under and leaves its subscribers high and dry? At least they could have told us where we could "purchase" the music they allowed us to have. They even had a "broken link" to where you could not have to re-register "for life". hee hee hee, fooled the hell out of 1,000,000 subscribers....Can there be a system to fight DRM???? no, then what would be the purpose of DRM???? Thanks spiralfrog. You just freed up 12G of hard drive space for me

growldrm
DRM=Unnecessary and Counterproductive
by Leria September 10, 2007 8:16 PM PDT
DRM is something that was never necessary and never will be necessary, ever. The only thing that it does is aggravate people who legitimately buy the product in question, and makes those who absolutely DESPISE it avoid the product like the plague and look for ways to remove the DRM from their purchased product.