Category Archives: Security

Why Digital Rights Management Is Bad

One issue in current debate about computer software is something called “Digital Rights Management” or DRM. What this is about, is that copyright holders (people who publish books, music, and video), especially if they publish for profit, want people to have computers which don’t enable them to easily copy and play copyrighted files.

And I contend that this is a reasonable impulse, but it is flatly impossible to implement it in a way that allows people to have general purpose computers that they can create software for. Therefore it is a misguided impulse, because any attempt to do it will necessarily be harmful. And the reasons why it is harmful have little to do with copyright itself.

As I said at UCSD last year, “yes you can completely secure a computer for DRM purposes. But then it’s not a computer anymore.”

I don’t care about DRM as such; I’m pretty much uninterested in mass-market entertainment. There’s approximately nothing out there that I’d even bother to steal. I would cheerfully abandon everything I might ever gain by breaking copyright, and would STILL remain a hardcore opponent of anything that could be used to enforce DRM, because copyright has nothing to do with why DRM is unacceptable.

What I care about is non-encrypted data which, nevertheless, can’t be used in a general purpose way. At the bottom level, there is nothing different about playing media and doing any other set of operations on digital data. Provide me the logic and math functions I need to write a decent spreadsheet, and I can use them to modulate digital information for output over a speaker. Provide me the disk drive I need to read and write backups on my computer, and I can use it to read and write media files as well. Binary data is binary data and operations on data are operations on data.

In order to implement DRM, then, somebody has to interfere with my ability to do math and logic I’d need to implement spreadsheets, or my ability to use the disk drive I’d need to read backups. Suddenly I can’t be trusted to write code that uses these facilities anymore, or I might write a media player.

I don’t really give much of a crap about media players, but if someone’s FEAR of them interferes with me using my machine as a general purpose computer, that is an unacceptable outcome.

If you want your media to be opaque to general-purpose computers, then distribute it in encrypted form and put the decryption key in tamper-resistant hardware in your dedicated media players. I’m fine with that. You can even put one of your dedicated media players in the same case with my computer and leave them completely separate so the computer has absolutely no access to the media player or to the data it decrypts. That’s fine too, as long as the media player also has no access to the computer. I really don’t care if you try to prevent people from playing your media on general-purpose computers.

But if you intend to interfere with my ability to use the CPU’s math and logic functionality, or read or write the screen pixels or the audio stream or the disk drive, then you’re talking about banning general purpose computers. That’s a whole different thing, and if that’s what you want then we’re going to have a fight.

Incidentally, DRM no matter how well or completely it’s implemented always fails. Whatever can be played can be recorded. People mod speakers to record the electrical activity of the drivers, and point thirty-megapixel cameras that record sixty-four-bit color at every one-megapixel area of a screen that displays thirty-two-bit color, and rip your protected media then distribute it all over the planet. The so-called “analog hole” is sufficient to recover every last digital bit of current formats, and enough bits that no human will be able to tell the difference of any future format. If something is doomed to failure, it is not worthwhile to make any sacrifice for it, let alone the sacrifice of such a tremendously valuable resource as general purpose computers.

So what it comes down to is that if you depend on copyright for your income, you need a business model that treats the goodwill of your customers as a thing of primary importance. If your fans actually like you, and not just the media you produce, then they decide you’re worthy of payment for the media. It’s already working for a bunch of artists like Jonathan Coulton. Bands are making money by selling CDs at concerts, by crowdfunding album projects, and a million other ways, as long as their customers actually like them. But if they don’t like you, then they won’t feel the least bit guilty about stealing your stuff. The business of copyright is now dependent on the customers’ goodwill.

And did you notice that DRM pisses the customers off?