Ditching DRM

Pile it on, Microsoft, but history's not on your side

You've got to feel a little sorry for the Zune team over at Microsoft. The notion of an "iPod killer" may be as tough to sell as a "Windows killer." They came late to a music player scene that's already shaken out the weak competitors. They're pushing Windows Media formats, but people demand MP3 über alles. With Apple's iPhone mobile media wunderkind announced just before the expected uptick in Zune sales, the timing couldn't have been worse. To top it all off, reviews of the Zune have mercilessly flogged the almost-cool features crippled by digital rights management (DRM).

DRM has been grabbing headlines of late, not only because of its hindrance to new products and technology such as the Zune -- with its three-day self-destruct for wirelessly transmitted music and the slow smothering of the PlaysForSure program -- but for DRM's increasingly apparent general futility. To wit: like every scheme before it, the AACS DRM built into the new Blu-ray DVD format was cracked a few days ago. This, only a month after its sibling HD-DVD fell to a similar technique that extracts encryption keys from the media. As one headline put it, "Blu-ray joins HD-DVD in pile marked 'owned.'"

The latest bit of DRM novelty, in the case of HD-DVD and Blu-ray, is that the manufacturers have the option of issuing new decoding keys and effectively disabling individual models of playback devices that have been compromised. This might work if the compromised player is hardware with little market penetration, or noncompliant software the studios don't like. However, there's real potential for market turmoil if a hacker cracks or emulates the keys used on a popular hardware device such as LG's spendy BH100 combination HD-DVD + Blu-ray player. Will the consortium revoke the keys used on a widely sold player? Will LG somehow provide every owner with a firmware update for the player? Will they do it every time a key is compromised, leaving consumers with an essentially "bricked" device between updates? 

The model for HDTV follows the same trend, like digital cable and satellite TV before it. When I purchased a combination HDTV tuner and DVD player, I quickly discovered that it wouldn't play DVDs unless it was connected to a display compliant with the High-bandwidth Digital Content Protection (HDCP) scheme. Were I a more obedient consumer, I'd replace my new monitor with an "HD-Ready" model. For a few hundred dollars, I could purchase a small box that emulates -- ahem -- "switches," HDCP signals to display, but I would run the risk of the encryption keys in the emulator being invalidated in the same manner as encryption keys in home set-top boxes. (I replaced the tuner with a MythTV box instead.)

Key updates for set-top boxes involve physical shipment of smart cards at industry expense, but the new HD media model just invalidates compromised devices and puts the update burden on the consumer. An updatable key scheme provides theoretically functional DRM, but I'm not sure anyone without severe foresight-deficit-disorder would fork over a cool thousand for a media player that's good for only one step in a viciously paced arms race without being sent in for service or receiving a firmware update disk in the mail.

It's a Sisyphean undertaking. DRM has been and always will be on the losing side of the battle for one simple reason: It only takes one flaw in the system, and the content becomes malleable. One copy, and a song shows up as a download. One rip, and a movie shows up as a torrent. One cracked player or reverse-engineered device and some Internet-based sharing, and DRM-defeating software tools begin to show up online.

While a particular flavor of DRM might shore up business for a while, eventually someone gets bored with cracking keys and just cracks the whole key-rotation and management scheme, sending Sisyphus' rock tumbling back down the hill and DRM wonks back to the drawing board. Even a good analog copy of a song or movie can inspire panic about an unknown 0day in DRM software. Either scenario may inspire media companies to pull the trigger on key invalidation or take some other equally ill-advised action, which in turn inconveniences consumers and keeps prices high.

Therein lies the rub: The only possible consumer value of DRM -- the idea of reduced prices for media if and when other people pay their fair share -- is a fallacy. It will never happen. The music industry has been faced with decreasing returns for many years, a statistic often blamed on digital piracy. Others blithely attribute the slump in commercial sales of music to a supposed dearth of good songwriters and performers.

Neither is correct. When the band Koopa's "Blag, Steal & Borrow" single hit the middle of the U.K. Top 40 a week ago without any major media company backing, it's obvious what's happening. It's not the music or other media that's slumping -- it's the media companies.  With a business model obsessively fixated on copy protection and media control, the DRM itself has come to be recognized as a reason for flagging consumer appeal and sales. So much so that many smaller music and media companies are considering ditching the idea of DRM altogether.

Even my textile-obsessed octogenarian family members know this business model is dying. Grandma's fancy Pfaff embroidery-capable sewing machine has a slot for uploading designs on proprietary memory cards. Only they're not so proprietary, and their DRM is easily circumvented. Tools for reformatting standard PC cards are available online, Pfaff and Bernina embroidery card copiers can be found on eBay, and a quick look at the biggest torrent search site shows almost a dozen bootleg collections of designs from Brother. When cow-country grandmothers are circumventing copy protection to bootleg intellectual property through AOL, the war is lost.

This begs the question: What sort of nonsense fills the heads of people promoting this uphill rock-pushing DRM morass? Protectionism is a reaction to fear of the end -- when a supply of something is determined to be finite, and suddenly the urge to hoard and control takes over. But no one's going to run out of music, video or other content. 

What's running out is the supply of time for the content control business model, and the supply of content producers -- writers, music and film artists, designers and other creative agents --  willing to be limited by content aggregation and promotion companies whose skill and value have been superseded by technology. With their value diminished or gone, content middlemen are also running out of uninformed consumers willing to pay inflated prices to support them.  

Of course, content aggregation and promotion companies don't see it this way. They see a diminished supply of quantifiable items to sell. Digital music and video can no longer be reliably equated with a CD or other SKU-bearing inventory-able item. The reaction has been to try vainly to turn electronic content back into an emulated physical object through DRM.

The ever-upbeat Eric Schmidt, now CEO of Google, writes in the current yearly issue of The Economist: "The Internet['s]...success is built on technological superiority: protocols and standards that are ingenious in their simplicity. Time after time they have trounced rival telecommunications standards that made perfect commercial sense to companies but no practical sense to consumers. [...] But what's surprising is that so many companies are still betting against the Net. [B]usiness models based on controlling consumers or content don't work. Betting against the Net is foolish because you're betting against human ingenuity and creativity."  

One sharp-tongued commenter in a DRM discussion noted that there are always "those who will stand their armies before an irresistible force." With Blu-ray and HD-DVD, those companies based on controlling consumers and content have pushed Sisyphus' DRM key-revocation rock up a very big hill.  Here's hoping they get flattened next time it rolls down.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.

Copyright © 2007 IDG Communications, Inc.
