A look at the digital world's newest bitter truth-DRM
Digital Rights Management is a good thing. That's what They keep telling us. It "protects the creators," fights piracy, and most importantly, gets Them the money They've been crying about while the world wantonly shares Their content over the P2P networks. The debate over DRM-specifically for music and movies-now rivals in proportion such favourites as Paid versus Open Source software and "Does No really mean No?" As the war against piracy gets more frustrating, content creators get fiercer in the measures they take to protect their work, and it seems that whether we like it or not, DRM is going to be one of those inconvenient realities we have to deal with.
The definition, of course, is as harmless as can be-defining limitations to media to ensure the artists' / creators' intellectual property isn't misused. In theory, then, DRM is basically an implementation of the Copyright Act of the country
-instead of telling people they can't do something and then hoping they won't breach the law, why not ensure that the media prevents its own misuse? All this makes complete sense, too-at least while companies aren't thinking up newer and more boneheaded schemes to implement it (remember the Sony rootkit incident?). Before we jump to any conclusions about the goods, bads and uglies, let's spend a while understanding how this whole system works.
At the heart of every DRM technology is cryptography. The media (music, videos, software, even documents) is encrypted until unlocked with a "key"-a string of data that enables reversing the encryption (for more on cryptography, see box Cryptography). You should find this familiar-we've all used software that asked us for a serial key to run it. If you find that familiar, you'll also recall how easy it was to crack those systems. The Request Code-Authorisation Code system came soon, where the software would "phone home" with a request code, which would then be verified by their servers, and return you a final authorisation code that would unlock the software. This works better, but it's been bypassed too-just like every system that involved actually giving the key to the user.
When Windows XP was launched, it not only activated itself over the Internet, it also locked itself to your hardware-so your hardware ID numbers now became the key to use it. The scheme was dropped soon, because a simple hardware upgrade could put your XP out of commission. Still, the concept of using a key that users couldn't control (and therefore couldn't alter) remained, and is still evolving in the DRM techniques we see today. Windows Vista, for example, will allow you five upgrades before it recognises your PC as invalid.
While it started out as simple copy-protection, DRM has now evolved into a much more complex beast, not only defining what you can do with software and media-in an End User License Agreement, for example-but making sure that those guidelines are followed as well.
The DRM Model
Designing a DRM scheme where both users and content creators are happy, has, and will continue to, give companies sleepless nights in coming years. At the highest level, they have three aspects to consider (the jargon refers to all content-software, media, etc.-as assets, so we'll do the same for convenience):
1. Creation: This deals with creating protected assets and defining the rights users have over them. This is basically defining the aspects of the law under which the content is protected. Once this is done, assets are ready to be sold.
2. Management: This deals with managing asset sales-assigning licenses to users, making sure that royalties get to the creators, and so on.
3. Usage: Once you've got a DRM-ed asset, it needs to verify a lot of things. Most importantly, it needs to check whether you're authorised to use it. This aspect also involves keeping tabs on how the asset is being used-if there's a three-copy restriction, for example, this is validated every time the file is copied.
All this, of course, is a very high-level look at things. Managing protected content involves a whole bucketful of e-business models, for example, and as we'll see next, creating protected content isn't exactly a piece of cake, either.
The DRM Trinity
In the creation of protected content, we need to consider three entities-users, their rights, and the content itself. All three entities, their attributes and the relationships between them need to be expressed in terms that can eventually be translated into software. Some legal jargon follows, you have been warned.
Content is modelled as a hierarchy, starting at Work, which is the creation. The Idea for this article, while it evolved in the writer's head, is an example. The Work is then translated to Expression-the manner in which the idea takes form-in this case, the text of this article. The Expression is then dished out to the world as one or more Manifestations, which is a physical (or digital) realisation of the content.
Taking the example of the article, the original Word document, the print version you're reading now, and the PDF version you'll get in our Special Issue are all Manifestations. Finally, the Item is an actual copy of the Manifestation.
Next up, the rights-there are four aspects to consider. Firstly, the Permissions-what you're allowed to do with the content. For example, you're allowed to read this article, but not copy any content from it. Closely tied to Permissions are Constraints, which put limits on your Permissions. In similar vein-you may use some content from the article (permission), but you must quote the source of this content (constraint). Then there are Obligations, which you must fulfil before getting access to your Permissions. You've paid for this magazine, so your most important Obligation is out of the way. Finally, all these are mapped to a Rights Holder. Different persons have different rights over media-while you don't have the permission to reproduce this article, Jasubhai Digital Media is free to do so.
All right, so we've made the pretty diagrams-time to turn it into reality. Note that all the information we talked about in the models is metadata-it isn't actual content, just information to supplement it. The job of the DRM implementation (effectively just code embedded into the file) has the following things to do:
1. Verify that all the Obligations have been fulfilled-that the content has been paid for and being used by the buyer,
2. Decrypt the content for use, and
3. Track the use and see that it conforms to the Permissions.
In real terms, metadata is expressed inside a special XML document, which conforms to a specific structure called a Rights Expression Language (REL). The structure of XML permits the easy realisation of the models we discussed earlier; moreover, its plain-text nature makes it light and compressible to miniscule degrees.
One REL that hopes to become a universal open standard is the W3C's Open Digital Rights Language (ODRL)-read about it at http://odrl. net. An open DRM standard will enable protected content to run on any system without problems-something we don't see in the crowd of DRM technologies we have to deal with today.
Fair Use And Other Stories
To understand what the DRM fuss is all about, you need to understand one aspect of copyright law in particular-fair use. It's one of those vague, infinitely exploitable loopholes that every Copyright Act is plagued with.
To dumb it down considerably, every restriction specified in the act is forgiven, as long as it constitutes a "fair use" of the content. In the early days of the videocassette, courts in the US ruled that taping a TV programme for later viewing constituted fair use-the consumer has paid his subscription amount and is thus entitled to the content. Copyright law, on the other hand, expressly states that the content may not be reproduced at all. What makes fair use even more of a mess is that every country has a different definition of it. Ripping music off a CD has widely been accepted as fair use, but giving that ripped music to your friend is a no-no. Letting your friend borrow the original CD is fine, however. Go figure! And yet, some countries won't even accept the act of ripping as legal.
Still, fair use clauses are essential-imagine being charged a "performance royalty" for whistling your favourite tune in public. Even more complications arise because the definition of fair use is constantly evolving: in 1980, for example, nobody would have imagined that you could record live TV to your PC, so the definition had to be expanded to include that.
If you're worried about whether your usage counts as "fair", fear not. Here are questions you need to ask yourself:
1. What is the purpose of this use? Personal use is often counted as fair, but the second you enter the realm of distribution and commercial gain, you're breaching copyright law. For example, you can use a song from your music collection to make a remix, but you can't sell it.
2. What is the nature of the work you're using? Creative work-movies, music, articles, etc.-are more fiercely protected than factual work like chemical equations or statistics.
3. How much of the work are you using? Taking the example of point 1, using an entire song or movie is likely to get you into more trouble than using a couple of snippets.
4. Finally, what effect will this have on the market? In the early days, even P2P passed off as fair use-what's a couple of songs between friends, right?-and look at what happened. If you're depriving people of money they should be getting (or think they should be getting), you're in for trouble.
The Trouble With DRM
One of the things that fair use allows you to do is make as many copies of media as you want, as long as it's for personal use. DRM-ed content today, however, puts restrictions on the number of copies you can make, so if you go through one hard disk upgrade too many, the song will expire, and you'll have to buy it again. So much for fair use...
We've been talking about how DRM is the implementation of a copyright act-what we failed to mention is that that is how DRM should work. In reality, all DRM technology you see today is geared towards one thing-money. We have it, They want it, and They'll go to any length to ensure that we can't get content without paying for it, even if we're within our fair use rights to do so-Hollywood even admits this internally!
Does this mean that we don't have our rights any more? Of course not-unless the laws are changed. What it does mean is that DRM, depending on the way it's implemented, may well prevent you from exercising those rights. In the long term, DRM will also hinder the evolution of your fair use rights-if TV serials aired with a "do not tape" flag that prevented your VCR from recording it back in the 80s, the question of it becoming a fair use doesn't even arise. Ditto the ability to rip CDs to your hard drive. Effectively, DRM and copyright acts are in stark contrast-copyright law says that if it's not restricted, it's permissible, but DRM says that if it isn't explicitly permitted, it's off limits. Now you know why it's also been called Digital Restrictions Management.
DRM And You
It's an obscure fact, but did you know that music cassettes and blank tapes you bought so many years ago came with their own "piracy tax"? Record companies assumed that these cassettes would be copied and shared with friends, so they added a little bit to the prices to compensate for any losses they might face. There is talk that this may stage a comeback, and we might even be rid of DRM in the next three years. If you haven't already, flip back to page 29 and read the talk about the "Collective License" under Opposing Forces in Power 2 The People. The fee you'll pay for the freedom to download all music is basically the cost of content plus a little piracy tax-and no DRM!
Peter Jenner, Pink Floyd's first manager, sums up the situation quite eloquently: "Big record labels are f***ed", he says, and "digital music pricing has been a scam where the consumer pays for manufacturing, distribution, and does all the work-and still has to pay more. The DRM era is nearly over-and within two or three years, most countries in the world will have a blanket licensing regime where
we exchange music freely, for a couple of quid a month."
It's a tad idealistic to pessimists like us, but optimism is healthy. In the meanwhile, brace yourself for an inconvenient couple of years-at least.
Our Top 5 DRM Boo-boo List
- RealNetworks' Harmony vs. Apple: They made their Harmony DRM system work with the iPod; Apple disabled it in the next firmware update. They made it work again, and Apple disabled it again. Then they gave up.
- 4. Owner Exclusive e-Books in Microsoft Reader: They even put restrictions on text-to-speech!
- 3. StarForce deemed malware: It installed without warning, didn't uninstall, and took a toll on IDE performance.
- 2. The Sony rootkit incident: Shame if you haven't heard of this before, do a quick Google or visit http://snipurl.com/17uk1
- 1. The Zune dumbness: Music bought from the Zune marketplace doesn't work on PlaysForSure devices, and PlaysForSure doesn't play on the Zune, despite both technologies being from Microsoft! Talk about shooting yourself in the foot.
Suppose you wanted to send the number 50 to your friend, but want to ensure that nobody who intercepts the message on the way knows what number you're sending. You could multiply it by 6, add 4, divide by 3 and subtract 9. Anyone who sees the message now will think you sent 92.33333. The process is called encryption, and performs a whole host of mathematical operations on data to make it unrecognisable. In decryption, these mathematical operations are just reversed to recover the original data. Of course, the system fails if anyone figures out the encryption algorithm. The next secure way for encryption is the use of a "key"-a number that is used for these mathematical operations. Without the key, decryption isn't possible, so as long as nobody has the key, your message remains secure.
The most popular method for secure encryption is the Public Key-Private Key system. Think of it as a box with two keys-anyone with the public key can lock it, but only the person with the private key can unlock it. When you register yourself at an online music store, for example, it gives your media player a public and private key-unique to you. When you request a song, your media player sends over the public key, which is then used to encrypt the song you requested. Only your private key can decrypt this song, so unauthorised media players (ones without your private key) can't decrypt it.
Names We Love And Hate
DRM technologies that we encounter most often:
The Perpetrator: Apple
The Terms: Works on five "authorised" copies of iTunes, unlimited iPods, can be burned to an unlimited number of audio CDs.
Find it on: Music bought from the iTunes Music Store
Works with: Any player with the QuickTime plugin (PC), iPod (portable)
Windows Media DRM
The Perpetrator: Microsoft
The Terms: Licenses and media are distributed separately, and locked to a computer and portable player
Find it on: Music bought on Napster, URGE and Wal-Mart, to name a few
Works with: Windows Media Player 10 (PC), any portable player with the PlaysForSure logo
Zune DRM (not the official name)
The Culprit: Microsoft
The Terms: Incompatible with PlaysForSure devices, expires after three days or three plays if "beamed" from another Zune
Find it on: Music bought on the Zune marketplace
Works with: Windows Media Player 10 (PC), Zune (portable)
And there's game DRM to tangle with, too: StarForce
The Perpetrator: Protection Technologies
The Terms: Wraps around DLLs and allows access only through its own virtual machine
Find it on: Games published by CDV (pre-May 2006), Ubisoft (except North American releases), Digital Jesters, JoWooD (except North American releases), Egosoft, and Codemasters. Also the free game TrackMania Nations-to ensure that nobody tampers with ESWC ranking system
The Perpetrator: Sony DADC
The Terms: Resists copy attempts by optical drives
Find it on: Newer games published by Ubisoft, Sony
The Perpetrator: Macrovision
The Terms: Resists copy attempts by optical drives, blacklists all SCSI drives (mass replicators use SCSI drives)
Find it on: Games published by EA, Activision, id Software