Digital Rights Management (DRM)




Introduction to DRM
In 2005, Sony sold millions of "special" music CDs to consumers who thought they were getting regular old compact discs. When people played these CDs on their computer, what happened in many cases was the equivalent of a spyware nightmare: Programs froze up, applications slowed and a series of hidden files that were the source of the problem proved to be nearly impossible to uninstall. Why would Sony do this to its customers?
The answer is "to protect its copyright." The digital revolution that has empowered consumers to use digital content in new and innovative ways has also made it nearly impossible for copyright holders to control the distribution of their property. Enter "digital rights management," or DRM. In this article, we'll find out what DRM is, how copyright holders are implementing the concept and what the future holds for digital content control.
DRM Basics
Digital rights management is a far-reaching term. It encompasses any scheme to control access to copyrighted material using technological means. In essence, DRM removes usage control from the person in possession of digital content and puts it in the hands of a computer program. The applications and methods are endless -- here are just a few examples of digital rights management:
• A company sets its servers to block the forwarding of sensitive e-mail.
• An e-book server restricts access to, copying and printing of material based on constraints set by the copyright holder of the content.
• A movie studio includes software on its DVDs that limits the number of copies a user can make to two.
• A music label releases titles on a type of CD that includes bits of information intended to confuse ripping software.
While many consumers see DRM methods as overly restrictive -- especially those methods employed by the movie and music industries -- digital rights management is nonetheless trying to solve a legitimate problem. The distribution of digital content over the Internet via file-sharing networks has made traditional copyright law obsolete in practice. Every time someone downloads an MP3 file of a copyrighted song from a free file-sharing network instead of buying the CD, the music label that owns the copyright and the artist who created the song lose money. In the case of the movie industry, some estimates place revenue losses from illegal distribution of DVD content at around $5 billion a year. The nature of the Internet makes it impractical to try to sue every person who breaks the law in this way, so companies are trying to regain control of distribution by making it technologically impossible for consumers to make digital copies.
The problem is that when you buy a DVD, it's perfectly legal for you to make a copy of it for your own use. This is the gist of the fair use doctrine in copyright law -- there are certain situations that negate copyright protection in favor of the content user, including copying protected material for personal use and copying anything in the public domain for any use. Most digital rights management schemes cannot take fair use into account, because a computer program cannot make subjective decisions. In 2005, a French court ruled that DRM-encoded DVDs that make copying impossible violate fair use laws because the rightful owner of that DVD cannot make a copy for his own use.
Before we get further into the DRM controversy, let's take a step back and find out what a DRM scheme entails from a programming standpoint.

DRM Framework
The ideal DRM system is flexible, entirely transparent to the user and pretty complex stuff for a computer program to handle. First-generation DRM software sought merely to control copying. Second-generation DRM schemes are in their infancy right now and seek to control viewing, copying, printing, altering and everything else you can possibly do with digital content.
A digital rights management scheme operates on three levels: establishing a copyright for a piece of content, managing the distribution of that copyrighted content and controlling what a consumer can do with that content once it has been distributed. To accomplish this level of control, a DRM program has to effectively define and describe three entities -- the user, the content and the usage rights -- and the relationship between them.
Let's take the example of a simple DRM scheme for an MP3-download site. Rani logs on to a site she subscribes to in order to download EBIZ.com’s "Everything is Everything." Rani's subscription level entitles her to five downloads per month. In this case, the user is Rani, and the content is EBIZ.com’s "Everything is Everything." Identifying the user and the content are fairly simple tasks. Rani probably has a customer ID number, and each MP3 file on the site probably has a product number associated with it. The harder part is identifying the rights -- the ways in which Rani is and is not allowed to use "Everything is Everything." Can she download it, or has she already downloaded her five files for the month? Can she copy it, or is she downloading an encrypted file and a corresponding key? Can she excerpt a piece of the song to use in her own audio-mixing software, or is the file locked? Usage rights include not only permissions and constraints, but also any obligations related to the transaction -- for example, does Rani need to pay extra for this download? Has Rani been promised a savings pass if she downloads this song? This would be included in the relationship between Rani, the song and the rights.
Let's say Rani has only downloaded three files so far this month, so this download is within her subscription rights. And let's say she received a promotional offer for Rs. 1 off next month's subscription fee if she downloads this song. Rani should be able to copy the file under fair use, but maybe she can only make three copies. And let's say the copyright holder denies anyone the right to excerpt its digital content. The DRM structure for this download might look something like this:
DRM Protection
Keep in mind that while the user entity stays the same each time Rani logs on to the site, the relationship between the user, the content and the rights can change. The DRM scheme must be able to adapt to changing conditions. If Rani increases her subscription level to one that allows unlimited downloads instead of only five downloads per month, the DRM software has to adjust to that new relationship. The DRM scheme has to be tied in to the Web site's back-end infrastructure so it can adjust the relationship on the fly. This is one reason why seamless DRM setups are difficult to implement: With no standards to go on and a set of commands not found in any other type of computer program (see "Rights Expression Language" sidebar), digital rights management software doesn't easily blend in with existing e-commerce architecture. Still, arguably the easiest transaction to control is a download from a Web site. The hard part is controlling what a user does with digital content once it's in her possession. How is the download site going to enforce Rani's usage rights? How do they know she's only going to make two copies of the file? This is where DRM can get sticky.
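The user, content and rights relationship described for Rani's download, including the subscription change, can be sketched in code. This is an added example, not code from the original article; the IDs CUST-0001 and MP3-0042 and the names License, authorize and upgrade_to_unlimited are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    customer_id: str                 # constructed ID, not from the article
    monthly_quota: Optional[int]     # None means unlimited downloads
    downloads_this_month: int = 0
    credits: list = field(default_factory=list)

@dataclass
class License:
    """Relationship between one user, one piece of content and its rights."""
    user: User
    product_id: str                  # constructed product number
    copy_limit: int                  # constraint: maximum number of copies
    denied: frozenset                # actions the copyright holder forbids
    download_credit: Optional[str]   # obligation owed to the user on download
    copies_made: int = 0
    downloaded: bool = False

def authorize(lic: License, action: str):
    """Decide one request against the current state; returns (allowed, reason)."""
    u = lic.user
    if action in lic.denied:
        return False, "denied by copyright holder"
    if action == "download":
        if u.monthly_quota is not None and u.downloads_this_month >= u.monthly_quota:
            return False, "monthly download quota reached"
        u.downloads_this_month += 1
        if not lic.downloaded and lic.download_credit:
            u.credits.append(lic.download_credit)   # obligation recorded once
        lic.downloaded = True
        return True, "ok"
    if action == "copy":
        if not lic.downloaded:
            return False, "content not downloaded"
        if lic.copies_made >= lic.copy_limit:
            return False, "copy limit reached"
        lic.copies_made += 1
        return True, "ok"
    return False, "unknown action"                  # default deny

def upgrade_to_unlimited(user: User):
    """Back-end change: the same user entity, a new relationship."""
    user.monthly_quota = None

def rani_scenario():
    """Three downloads used so far, three copies allowed, excerpting denied."""
    rani = User("CUST-0001", monthly_quota=5, downloads_this_month=3)
    lic = License(rani, "MP3-0042", copy_limit=3, denied=frozenset({"excerpt"}),
                  download_credit="Rs. 1 off next month's subscription fee")
    requests = ["download", "copy", "copy", "copy", "copy", "excerpt"]
    return [authorize(lic, a)[0] for a in requests], rani
```

Every decision is made against state held on the server side, which is why the download is the easy part to control; nothing in this model can observe what happens to the file afterwards.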

DRM Reality
It's a pretty simple thing to allow Ravish to copy "Everything is Everything" only twice. Computers understand "2." What they don't understand is, "I've already copied it to my MP3 player and my laptop, but I got a new desktop computer and I need to transfer it again!"
"Fair use" is not something that's easily digitized. Many companies have taken desperate measures to "plug the hole" of digital content flowing over the Internet, eliminating any right on the part of the consumer to make decisions regarding the content he's purchased. DRM is not a new thing -- many of those old floppy disks were copy-protected. Manufacturers wrote them using special drives that a typical consumer drive couldn't mimic. Some required that a piece of hardware be connected to an I/O port on the computer for the software to run at all. But to many, more recent DRM schemes have crossed the line from copy protection to hog-tying the user.
The limited-use encryption method used in Intuit's Quicken TurboTax 2002 caused a consumer brouhaha. When the user installed the encrypted software, the process installed a key on the user's computer. That's a standard practice. But this particular key would only unencrypt the software once. To use the software more than once, the user had to call Intuit and get the company to supply additional access rights. When users installed the software on a second machine after they'd already used the key, they found that they could prepare a tax return but could neither print the return nor file it electronically with the IRS.
A more common DRM encryption scheme provides a key that works forever. In this case, the key must be tied to the ID number of the user's machine. The key will only decode the file when it's accessed from the computer it was originally installed on. Otherwise, the user could simply forward the key along with the encrypted software to everyone he knows.
Some products, like those protected by Macrovision SafeCast or Microsoft Product Activation, use a Web-based permission scheme to prevent illegal use of the content. When a user installs the software, his computer contacts a license-verification server to get permission (the access key) to install and run a program. If the user's computer is the first to request permission to install this particular piece of software, the server returns the key. If the user gives the software to his friend and the friend tries to install it, the server will deny access. In this type of scheme, a user typically has to contact the content provider to get permission to install the software on another machine.
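The machine-bound key and the license-verification server described in the two paragraphs above can be combined in one sketch. This is an added example, not the code of any product named here; the serial and machine ID strings are constructed, and the key wrap is a toy built from HMAC-SHA256 standing in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets

def _kek(serial: str, machine_id: str) -> bytes:
    # Key-encryption key derived from the machine ID, salted with the serial.
    return hashlib.pbkdf2_hmac("sha256", machine_id.encode(), serial.encode(), 10_000)

def wrap_key(content_key: bytes, serial: str, machine_id: str) -> bytes:
    """Bind a 32-byte content key to one machine (toy construction)."""
    kek = _kek(serial, machine_id)
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(content_key, pad))
    tag = hmac.new(kek, b"tag" + body, hashlib.sha256).digest()
    return body + tag

def unwrap_key(blob: bytes, serial: str, machine_id: str):
    """Return the content key, or None when called with another machine's ID."""
    kek = _kek(serial, machine_id)
    body, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

class ActivationServer:
    """Toy license-verification server: one serial, one machine."""
    def __init__(self):
        self._keys = {}    # serial -> content key
        self._bound = {}   # serial -> machine ID that activated first

    def register(self, serial: str) -> bytes:
        self._keys[serial] = secrets.token_bytes(32)
        return self._keys[serial]

    def activate(self, serial: str, machine_id: str):
        if serial not in self._keys:
            return None
        owner = self._bound.setdefault(serial, machine_id)
        if owner != machine_id:
            return None                     # a second machine is refused
        return wrap_key(self._keys[serial], serial, machine_id)

    def release(self, serial: str):
        """Provider-side step after the user asks to move to another machine."""
        self._bound.pop(serial, None)
```

The release method models the support call: the binding is state on the provider's server, so only the provider can move a license to a new machine.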
A less common DRM method is the digital watermark. If you've heard about the FCC's proposed broadcast flag and Philips' corresponding Video Content Protection System (VCPS) encoding, you've been introduced to the digital watermark setup. The FCC is trying to require a "broadcast flag" that lets a digital video recorder know if it's allowed to record a program or not. The flag is a piece of code sent out with a digital video signal. If the broadcast flag says a program is protected, a DVR or DVD recorder won't be able to record it. This DRM proposal is one of the more disruptive ones out there, because it requires media and equipment that can read the broadcast flag. This is where Philips' VCPS format comes in. The Video Content Protection System reads the FCC broadcast flag and determines whether or not a device can record a program. With the broadcast flag in effect, only VCPS-capable recorders will record digital TV data, only VCPS-capable DVD-RWs will accept digital TV data and only VCPS-capable players will play VCPS-capable DVDs. The system would render current DVD systems obsolete for any consumer who wants to record DTV. The flag/VCPS setup has been on hold since May 2005, when a U.S. court ruled that the FCC doesn't have the right to determine what a consumer device can do with a digital signal once it has reached its destination.
The DRM provider Macrovision used an interesting approach in one of its recent DVD-protection products. Instead of making a DVD uncopyable, Macrovision RipGuard exploits glitches in DVD ripping software to prevent copying. It's a piece of code in the software on a DVD, and its purpose is to confuse the DeCSS code that most ripping software is based on. Macrovision programmers studied DeCSS to discover its flaws and then built RipGuard to trigger those flaws and shut down the copying process. DVD consumers have already found ways around RipGuard, though, mostly by using ripping software that doesn't employ DeCSS or by tweaking the code in DeCSS-based rippers. The Digital Millennium Copyright Act of 1998 makes disabling a DRM system illegal in the United States, but tons of people actively seek and publish methods to bypass DRM restrictions.
Recent DRM schemes have set up an adversarial relationship between digital-content providers and digital-content consumers, and it's not only the consumers who are employing sneaky techniques to get the upper hand. The reason most of us are suddenly aware of DRM systems is because Sony-BMG released millions of CDs containing DRM software that crossed the line from managing rights to spying on consumers and harming their equipment.

DRM Controversy
The Sony-BMG Debacle
In 2005, Sony-BMG distributed select CDs (one estimate puts the number of titles at 20) that led to lawsuits, backtracking and a public-relations nightmare. The problem stemmed from two pieces of software on the CDs: SunnComm's MediaMax and First4Internet's Extended Copy Protection (XCP). The incident has raised questions regarding just how far copyright holders are allowed to go to protect their content. In this case, copy protection was the least of people's concerns.
In the first place, the MediaMax software doesn't protect a copyright at all. It tracks users' activities. Every time someone plays the "special" CD on his PC, MediaMax sends a message to the SunnComm server. Sony-BMG can find out who's listening to the CD and how often they listen to it. And this is all happening behind the scenes -- there are no obvious signs of the activity or disclaimers on the CD. To make matters worse, there's no easy way to uninstall it.
The other problem is a bigger one. First4Internet's Extended Copy Protection limits the number of copies a person can make of the CD to three -- this might be annoying, but it's arguably within the "copyright protection" realm. The XCP uproar is primarily about the software's other activities. First, it hides in the user's machine so the user doesn't know it's there and probably can't find it if she looks. It creates a hidden area (sometimes called a rootkit) in the Windows operating system that could potentially pose a security risk once virus writers find out it's there. A virus could live there undetected indefinitely. Virus scanners typically can't see the files in a rootkit. XCP also slows computing processes and automatically connects to the Sony-BMG server to install copy-protection updates. And there's no easy way to uninstall it. Some users had to reformat their hard drive to get rid of the files and their negative effects.
Sony recalled the millions of discs with this DRM software combination built in and has agreed to issue tools that make the hidden files visible. Lawyers have filed several class-action lawsuits on the basis that the CDs invade users' privacy and violate anti-spyware legislation. The Sony-BMG mistake is easily the most visible example of DRM gone awry, but digital rights management in general -- even the kind that doesn't invade a user's privacy and cripple her computer -- poses some serious conflicts.
DRM Standards
There are no industry-wide standards for DRM. At this point, many companies in the digital entertainment sector are opting for the crude, "because I said so" approach in which users can't copy, print, alter or transfer material, period. The area of most concern to activists regarding DRM has to do with the fact that current DRM trends surpass the protections afforded under traditional copyright law. For example, when you play a DVD that won't let you skip the trailers, that has nothing to do with protecting a copyright. Even more than consumers, though, libraries and educational institutions that archive and lend digital content have a lot to lose if highly restrictive DRM software becomes the norm. A library can't archive a piece of software with a time-limited encryption key, and it can't lend out a machine-specific license for viewing content using its traditional lending structure.
The arguments against digital rights management discuss issues like user privacy, technological innovation and fair use. Under copyright law, the fair use doctrine gives a consumer the right to make copies of copyrighted content for their own use. Other doctrines like "first sale," the right of a content purchaser to resell or give away the content he's purchased, and "limited term," the expiration of a copyright after a certain period of time, also afford consumers rights that fall by the wayside in DRM implementation. As we saw in the Sony-BMG error in judgement, secretly tracking consumer activities and hiding files on a user's computer invade user privacy -- they're the methods of a spyware application, not a legitimate rights management scheme. DRM systems can also affect technological innovation, as they limit the use and form of digital content. Third-party vendors can't develop software-specific products and plug-ins if the computer code in that software is indefinitely protected by DRM, and consumers can't legally tinker with their own hardware if it's protected by a DRM scheme that prohibits alteration.
As Princeton University professor Ed Felten discovered, DRM affects not only technological freedom of development, but also freedom of speech. When Felten tried to publish an article on a faulty DRM system in 2001, members of the music industry threatened him with lawsuits. Several companies said that his research would assist people in bypassing DRM schemes, which is illegal in the United States. The Digital Millennium Copyright Act of 1998 ensures the protection of a DRM scheme regardless of whether or not it respects the fair use doctrine. It's not only illegal to get around DRM, but it's also illegal to create, purchase or download any product that enables you to bypass DRM restrictions. Consumer rights groups are lobbying Congress to amend the section of the Digital Millennium Copyright Act that makes disabling a DRM system against the law, claiming that it gives an improper advantage to copyright holders by not placing limits on the type of DRM schemes they can employ.
In the increasingly embattled realm of digital content, we're left to wonder whether any DRM system can satisfy both copyright holders and consumers. As DRM becomes standardized across industries, the result will be what experts call "trusted computing." In this setup, DRM methods will ensure the protection of copyrighted content along each step of the way, from the production or upload process to the purchase or download to the use of the digital content once it's in the user's hands. Computers will know automatically what a user is legally allowed to do with a piece of content and will act accordingly. With the adoption of standards, consumers will be better off at least in part, because DRM-encoded media will play on all types of equipment. As far as user rights go, however, it doesn't look good for consumers. Their best bet is the chance that programmers will somehow quantify "fair use" so that computers can understand the concept.