Δαφνη Ευτυχια Αρθουρος

"Let's enforce the consumer's rights and make DRM that gets in the way illegal. When that's clear we can address the piracy issue." -- "Latesigner", 2006-01-11

I woke too soon after falling asleep, and decided to read while waiting to see whether I'd get sleepy again. This resulted in my finding a handful of DRM-related quotes to add to my quote-of-the-day queue. It also got me thinking about different aspects of DRM, and how most of what I read only addressed one side of it.

"DRM" covers a fair bit of ground, and some aspects of it are positive or neutral; it's not all about shortsighted greed and long-range monopoly planning or control-freak attitudes toward customers. Those are the bits most of the quotes are about, of course, but I wanted to speak a bit about what those quotes (scattered across the next couple of months in the schedule) don't address. I'll describe three broad categories of DRM systems; there may be additional categories I haven't thought of, and for different types of discussions of DRM a different taxonomy may be more useful, but these categories will work to illustrate that DRM is more than the kind of thing Sony tried to do.

The label "Digital Rights Management" applies to merely-advisory solutions, which attempt to keep rights/licensing/ownership documentation attached to the data it covers and easy for users to remember to look at. This can include making it easy to look up where an image used in a back issue of the magazine you publish came from and whom to contact to license it again for that best-of coffee table book you're now working on. It can also include information about what licenses you've already paid for on that image. Just making it easier to keep track of the ownership and licenses for works you've got copies of constitutes a DRM system.

It also applies to systems that attempt to enforce policies on the distribution of proprietary and/or sensitive business information. Again, this is DRM software that is paid for and intentionally installed by the folks who own the machines it runs on, so solve their problems. If it's poorly implemented it causes more problems, of course, and some individual users may find it annoying regardless, but there's no inherent evil to the idea. When you consider that such systems may be in place to prevent the accidental release of confidential medical information by a hospital or an insurer, it's easy to see that good can come from it.

And then there's what most of us think of first when we hear the phrase "Digital Rights Management" these days: the Digital Rights Enforcement (or Digital Rights Restriction or Digital Restrictions Management -- pick a name; I just made up two and saw the other suggested by someone elsewhere) systems that have been the subject of discussion recently. Even these don't have to be evil, though the folks most inclined to propogate them are the folks with the greatest temptation to use them in rather unfortunate ways ... and the greatest incentive to enforce the use of their enforcers, which itself is part of the problems we're seeing with them. In this last category are copy protection schemes and modern rights-crippling systems. These amount to, "We're going to attempt to make it impossible for you to do anything illegal with the copy we sold you (and by the way, make it impossible to do many otherwise legal things with it at the same time)." In theory, these could be designed with the intent to only enforce the ordinary legal restrictions of copyright. In practice, there are reasons that doesn't quite work. And in recent real-world examples, they've been used to enforce greater control over uses of content than makes sense in any "sell a copy" type of transaction. (I'd say the restrictions make little sense even in a "rent a license" transaction, from the point of view of the consumer, but at least I can see the contract-nature of licensing making such control meaningful.) It is at this point that the evil comes in.

It is very important to note that in the first two categories I've described, the DRM software is installed willingly by the consumer to solve a problem for the consumer. (I'd say "user", but there's some muddiness there -- here the users may be the consumer's employees or contractors or even other businesses they trade with, rather than the software purchaser himself/herself/itself. And in the third category it's not clear whether "user" is the right word for the consumer, or "victim" would be more appropriate.) Even if the DRM software a magazine publisher installs has enforcement features, it's still installed to solve their problem. And in these first two categories, unless you treat your employees as thieves^[1], enforcement of use of the enforcing software needn't be strongly implemented within the software itself -- in the first case it makes everyone's job easier (assuming they give a damn about not causing their employer to be liable for infringement penalties), and in both cases it can be mandated as corporate policy and violations dealt with accordingly. If the DRM system is implemented sanely and doesn't make everything four times as difficult as it ought to be, and if everyone understands why it should be there, most employees will have little incentive to find a way to disable it.

But in the third category, where it solves the content seller's problem and not the consumer's, where it was not asked for, and where it may (in recent real-world examples, read that as "will") interfere with uses that would be legal if the DRM system were not there, the system itself must somehow enforce its own installation and use! And here's where the evil brings in the dirty tricks.

For simple software copy protection, dirty tricks aren't needed, only some clever (or even not-so-clever) hacks: on a floppy disk, intentionally throw in a sector with bad formatting that most copy programs can't duplicate; periodically query the serial port to see whether a "dongle" is plugged in; things like that. Note that just as with all other third-category DRM systems, these will not deter the determined violator (and if the policies they enforce are too onerous^[2], they'll make more folks determined who wouldn't have cared enough to defeat the copy protection otherwise). But there's very little that can be done about determined violators other than sue them when you catch them after the fact. All of these systems are aimed at stopping casual (or in some cases, accidental) violations. Anyhow, the dirty tricks come in when you try to lock down "content" instead of code, or when you try to control how something (code or data) is used instead of merely whether it can be easily copied.

With simple copy protection on a software package, enforcing use of the copy protection is straightforward: the software simply fails to run otherwise. But if you want to say, "You can only run this program on Tuesdays," or, "You can only watch this movie in Asia," or, "You can only listen to this music on an approved player," how do you convince folks to install the system that enforces these rules? These rules which almost certainly seem arbitrary, silly, unfair, or all three, to the consumer? The DRM system is very much Not For The Consumer's Benefit; the problem it solves is the publisher's problem (and the problem it "solves" may be paranoia or greed). The answer is that you lock down the content with a proprietary format or encryption that only your devices will read, you trick the consumer into installing your DRM software and make it difficult to find and remove (which means you're solving the same problem worm and virus writers have to solve, so it's no surprise that systems such as the ones Sony was caught using resemble virus code), you legislate (okay, okay, lobby legislators or bribe them) restrictions against non-DRM-compliant systems (and even make reverse-engineering the DRM system a criminal offense), or you convince manufacturers and the publishers of operating sytems to get into bed with you and build DRM features into enough computers that consumers have little choice but to buy systems that already have DRM incorporated.

The first of those is merely annoying (and isn't suitable for a mass-market music CD). The other three are dirty tricks. Again, the point is that the aim is to use deception or coercion to make the consumer install something he or she doesn't want. And once you've got that kind of control, why not also make it impossible (again -- for the casual user but not, of course, the determined crackers) to exercise their fair-use rights, if you think you can squeeze another few bucks out of them or if you're opposed to those rights in the first place and suddenly noticed you don't need to get the law changed if you can make them impossible to exercise?

So. There's the evil. Well, part of the evil. There's a lot more to be said. Many people are saying it, and I'll get around to saying more of it later. For now, I'll just point out where the evil is -- in DRM software that the consumer doesn't want (and even then, it doesn't have to be but it winds up creeping in in practice) -- and that DRM as a whole encompasses a lot more than just that one category. Go ahead and say, "DRM is evil," as a shorthand if you like, but remember to think, "imposed DRM that the consumer doesn't want is evil." Consider calling it "Digital Restrictions Enforcement" or something to distinguish it from helpful DRM, or even from (perhaps hypothetical) enforcement-DRM that only enforces the same restrictions that copyright law already imposes, without preventing or limiting actions that the law would consider allowable if the DRM were not present^[3].

And keep that distinction in mind when the quotes from this mornings reading start popping up in my quote of the day.

[1] Admittedly, "insider" computer crime is a big issue, and some degree of security to protect you from your own employees is a good idea for most companies of significant size, but "treat them like they're all crooks" tends to have negative consequences. There's a balance to be struck that is beyond the scope of this essay, and probably beyond the scope of my expertise as well. But I can tell a pathological case when I run into it.

[2] For certain types of software, a price that is not merely high but perceived as absurdly out of line with the products (perceived) value (either because the price is outrageous or because the product is perceived by consumers as trivial regardless of the actual economics of producing it), that too will convert some number of otherwise casual violators into determined ones ... especially once the "cracks" are well enough known that the major effort involved is typing the right phrase into Google.

[3] The DMCA, as I understand it, makes it illegal to circumvent DRM if present, even if one is doing so only to be able to make copies that would be legal if there were no DRM in place. There is much to be disgusted by in the DMCA.

(And as long as I'm on this subject, I'll suggest yet again that y'all take the time to read Free Culture: How Big Media Uses Technology and the Law to Lock Down Culture and Control Creativity, by Lawrence Lessig.)

Earworm after earworm after earworm, mostly inexplicable.

Last night: "Who Put The Bop In The Bop-She-Bop-She-Bop" (or whatever the title of that song is), followed by what I think is one of the various reels to bear the title "Tam Lin", then as I was falling asleep, the early 19th C. dance tune "The Waterloo".

Today: there were three or four earlier that I noted at the time, but at the moment they've all been chased out by "Vanhaa Valssia". That one is kinda ... "loud in the brain", if that makes any sense. I'm pretty sure one of this afternoon's melodies was by Jeff Beck, but I can't remember what it was.

Briefly overnight I had "Rolling Down To Old Maui" in my head, but I understand why that one was there ... and it didn't stick around anywhere near as long as it usually does.

Here, y'all can have 'em for awhile. There are enough to go around. Enjoy.

Whoops! Mentioning Beck, for some reason I don't quite get, somehow triggered a Focus tune ("Hocus Pocus", of course) to replace "Vanhaa Valssia". I wonder how long this one will hang around. (Same general part of the world more or less, eh?)

There's nearly always music in my head if there's none actually in my ears; I only grant tunes 'earworm' status when they get distracting, or are so "loud" that any verbal thought comes out in that melody, or when the same tune sticks around for a long time.

Edit: Okay, "Hocus Pocus" didn't last long enough to count. Now I'm hearing The Eurythmics...