A look at the digital world’s newest bitter truth - DRM
Nimish Chandiramani
Digital Rights Management is a good thing. That’s what They keep telling us. It “protects the creators,” fights piracy, and most importantly, gets Them the money They’ve been crying about while the world wantonly shares Their content over the P2P networks. The debate over DRM - specifically for music and movies - now rivals in proportion such favourites as Paid versus Open Source software and “Does No really mean No?” As the war against piracy gets more frustrating, content creators get fiercer in the measures they take to protect their work, and it seems that whether we like it or not, DRM is going to be one of those inconvenient realities we have to deal with.
The definition, of course, is as harmless as can be - defining limitations to media to ensure the artists’ / creators’ intellectual property isn’t misused. In theory, then, DRM is basically an implementation of the Copyright Act of the country - instead of telling people they can’t do something and then hoping they won’t breach the law, why not ensure that the media prevents its own misuse? All this makes complete sense, too - at least while companies aren’t thinking up newer and more boneheaded schemes to implement it (remember the Sony rootkit incident?). Before we jump to any conclusions about the goods, bads and uglies, let’s spend a while understanding how this whole system works.
Brass Tacks
At the heart of every DRM technology is cryptography. The media (music, videos, software, even documents) is encrypted until unlocked with a “key” - a string of data that enables reversing the encryption (for more on cryptography, see box Cryptography). You should find this familiar - we’ve all used software that asked us for a serial key to run it. If you find that familiar, you’ll also recall how easy it was to crack those systems. The Request Code-Authorisation Code system came soon, where the software would “phone home” with a request code, which would then be verified by their servers, and return you a final authorisation code that would unlock the software. This works better, but it’s been bypassed too - just like every system that involved actually giving the key to the user.
When Windows XP was launched, it not only activated itself over the Internet, it also locked itself to your hardware - so your hardware ID numbers now became the key to use it. The scheme was dropped soon, because a simple hardware upgrade could put your XP out of commission. Still, the concept of using a key that users couldn’t control (and therefore couldn’t alter) remained, and is still evolving in the DRM techniques we see today. Windows Vista, for example, will allow you five upgrades before it recognises your PC as invalid.
While it started out as simple copy-protection, DRM has now evolved into a much more complex beast, not only defining what you can do with software and media - in an End User License Agreement, for example - but making sure that those guidelines are followed as well.
Designing a DRM scheme where both users and content creators are happy has given, and will continue to give, companies sleepless nights in coming years. At the highest level, they have three aspects to consider (the jargon refers to all content - software, media, etc. - as assets, so we’ll do the same for convenience):
1. Creation: This deals with creating protected assets and defining the rights users have over them. This is basically defining the aspects of the law under which the content is protected. Once this is done, assets are ready to be sold.
2. Management: This deals with managing asset sales - assigning licenses to users, making sure that royalties get to the creators, and so on.
3. Usage: Once you’ve got a DRM-ed asset, it needs to verify a lot of things. Most importantly, it needs to check whether you’re authorised to use it. This aspect also involves keeping tabs on how the asset is being used - if there’s a three-copy restriction, for example, this is validated every time the file is copied.
All this, of course, is a very high-level look at things. Managing protected content involves a whole bucketful of e-business models, for example, and as we’ll see next, creating protected content isn’t exactly a piece of cake, either.
In the creation of protected content, we need to consider three entities - users, their rights, and the content itself. All three entities, their attributes and the relationships between them need to be expressed in terms that can eventually be translated into software. Some legal jargon follows, you have been warned.
Content is modelled as a hierarchy, starting at Work, which is the creation. The Idea for this article, while it evolved in the writer’s head, is an example. The Work is then translated to Expression - the manner in which the idea takes form - in this case, the text of this article. The Expression is then dished out to the world as one or more Manifestations, which is a physical (or digital) realisation of the content.
Taking the example of the article, the original Word document, the print version you’re reading now, and the PDF version you’ll get in our Special Issue are all Manifestations. Finally, the Item is an actual copy of the Manifestation.
Next up, the rights - there are four aspects to consider. Firstly, the Permissions - what you’re allowed to do with the content. For example, you’re allowed to read this article, but not copy any content from it. Closely tied to Permissions are Constraints, which put limits on your Permissions. In similar vein - you may use some content from the article (permission), but you must quote the source of this content (constraint). Then there are Obligations, which you must fulfil before getting access to your Permissions. You’ve paid for this magazine, so your most important Obligation is out of the way. Finally, all these are mapped to a Rights Holder. Different persons have different rights over media - while you don’t have the permission to reproduce this article, Jasubhai Digital Media is free to do so.
All right, so we’ve made the pretty diagrams - time to turn it into reality. Note that all the information we talked about in the models is metadata - it isn’t actual content, just information to supplement it. The DRM implementation (effectively just code embedded into the file) has the following things to do:
1. Verify that all the Obligations have been fulfilled - that the content has been paid for and is being used by the buyer,
2. Decrypt the content for use, and
3. Track the use and see that it conforms to the Permissions.
In real terms, metadata is expressed inside a special XML document, which conforms to a specific structure called a Rights Expression Language (REL). The structure of XML permits the easy realisation of the models we discussed earlier; moreover, its plain-text nature makes it light and compressible to minuscule degrees.
One REL that hopes to become a universal open standard is the W3C’s Open Digital Rights Language (ODRL) - read about it at http://odrl.net. An open DRM standard will enable protected content to run on any system without problems - something we don’t see in the crowd of DRM technologies we have to deal with today.
To understand what the DRM fuss is all about, you need to understand one aspect of copyright law in particular - fair use. It’s one of those vague, infinitely exploitable loopholes that every Copyright Act is plagued with.
To dumb it down considerably, every restriction specified in the act is forgiven, as long as it constitutes a “fair use” of the content. In the early days of the videocassette, courts in the US ruled that taping a TV programme for later viewing constituted fair use - the consumer has paid his subscription amount and is thus entitled to the content. Copyright law, on the other hand, expressly states that the content may not be reproduced at all. What makes fair use even more of a mess is that every country has a different definition of it. Ripping music off a CD has widely been accepted as fair use, but giving that ripped music to your friend is a no-no. Letting your friend borrow the original CD is fine, however. Go figure! And yet, some countries won’t even accept the act of ripping as legal.
Still, fair use clauses are essential - imagine being charged a “performance royalty” for whistling your favourite tune in public. Even more complications arise because the definition of fair use is constantly evolving: in 1980, for example, nobody would have imagined that you could record live TV to your PC, so the definition had to be expanded to include that.
If you’re worried about whether your usage counts as “fair”, fear not. Here are questions you need to ask yourself:
1. What is the purpose of this use? Personal use is often counted as fair, but the second you enter the realm of distribution and commercial gain, you’re breaching copyright law. For example, you can use a song from your music collection to make a remix, but you can’t sell it.
2. What is the nature of the work you’re using? Creative work - movies, music, articles, etc. - is more fiercely protected than factual work like chemical equations or statistics.
3. How much of the work are you using? Taking the example of point 1, using an entire song or movie is likely to get you into more trouble than using a couple of snippets.
4. Finally, what effect will this have on the market? In the early days, even P2P passed off as fair use - what’s a couple of songs between friends, right? - and look at what happened. If you’re depriving people of money they should be getting (or think they should be getting), you’re in for trouble.
One of the things that fair use allows you to do is make as many copies of media as you want, as long as it’s for personal use. DRM-ed content today, however, puts restrictions on the number of copies you can make, so if you go through one hard disk upgrade too many, the song will expire, and you’ll have to buy it again. So much for fair use…
We’ve been talking about how DRM is the implementation of a copyright act - what we failed to mention is that that is how DRM should work. In reality, all DRM technology you see today is geared towards one thing - money. We have it, They want it, and They’ll go to any length to ensure that we can’t get content without paying for it, even if we’re within our fair use rights to do so - Hollywood even admits this internally!
Does this mean that we don’t have our rights any more? Of course not - unless the laws are changed. What it does mean is that DRM, depending on the way it’s implemented, may well prevent you from exercising those rights. In the long term, DRM will also hinder the evolution of your fair use rights - if TV serials aired with a “do not tape” flag that prevented your VCR from recording it back in the 80s, the question of it becoming a fair use doesn’t even arise. Ditto the ability to rip CDs to your hard drive. Effectively, DRM and copyright acts are in stark contrast - copyright law says that if it’s not restricted, it’s permissible, but DRM says that if it isn’t explicitly permitted, it’s off limits. Now you know why it’s also been called Digital Restrictions Management.
It’s an obscure fact, but did you know that music cassettes and blank tapes you bought so many years ago came with their own “piracy tax”? Record companies assumed that these cassettes would be copied and shared with friends, so they added a little bit to the prices to compensate for any losses they might face. There is talk that this may stage a comeback, and we might even be rid of DRM in the next three years. If you haven’t already, flip back to page 29 and read the talk about the “Collective License” under Opposing Forces in Power 2 The People. The fee you’ll pay for the freedom to download all music is basically the cost of content plus a little piracy tax - and no DRM!
Peter Jenner, Pink Floyd’s first manager, sums up the situation quite eloquently: “Big record labels are f***ed”, he says, and “digital music pricing has been a scam where the consumer pays for manufacturing, distribution, and does all the work - and still has to pay more. The DRM era is nearly over - and within two or three years, most countries in the world will have a blanket licensing regime where we exchange music freely, for a couple of quid a month.”
It’s a tad idealistic to pessimists like us, but optimism is healthy. In the meanwhile, brace yourself for an inconvenient couple of years - at least.
nimish_chandramani@thinkdigit.com
Suppose you wanted to send the number 50 to your friend, but want to ensure that nobody who intercepts the message on the way knows what number you’re sending. You could multiply it by 6, add 4, divide by 3 and subtract 9. Anyone who sees the message now will think you sent 92.33333. The process is called encryption, and performs a whole host of mathematical operations on data to make it unrecognisable. In decryption, these mathematical operations are just reversed to recover the original data. Of course, the system fails if anyone figures out the encryption algorithm. The next, more secure way to encrypt is the use of a “key” - a number that is used for these mathematical operations. Without the key, decryption isn’t possible, so as long as nobody has the key, your message remains secure.
The most popular method for secure encryption is the Public Key-Private Key system. Think of it as a box with two keys - anyone with the public key can lock it, but only the person with the private key can unlock it. When you register yourself at an online music store, for example, it gives your media player a public and private key - unique to you. When you request a song, your media player sends over the public key, which is then used to encrypt the song you requested. Only your private key can decrypt this song, so unauthorised media players (ones without your private key) can’t decrypt it.
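The store-and-player exchange described in the box above, as an added example that is not part of the original article. It goes one step beyond the text: the public key wraps a small per-song content key and that key encrypts the song, which is how public-key encryption is normally applied to bulk data. The tiny primes, the keystream cipher and all names are toy assumptions that give no real protection.

```python
import hashlib

def make_keypair(p, q, e=17):
    """Textbook RSA from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # d = e^-1 mod phi

def keystream_xor(data, content_key):
    """XOR data with a SHA-256 counter keystream (toy symmetric cipher).
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{content_key}:{i}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def store_package(song, content_key, player_public):
    """Store side: lock the content key with the player's public key."""
    n, e = player_public
    wrapped = pow(content_key, e, n)
    return wrapped, keystream_xor(song, content_key)

def player_unlock(package, player_private):
    """Player side: recover the content key, then decrypt the song."""
    wrapped, ciphertext = package
    n, d = player_private
    return keystream_xor(ciphertext, pow(wrapped, d, n))

# Constructed sample data: two players with their own key pairs.
BUYER_PUB, BUYER_PRIV = make_keypair(61, 53)
OTHER_PUB, OTHER_PRIV = make_keypair(89, 97)
SONG = b"constructed sample audio bytes"
PACKAGE = store_package(SONG, 1234, BUYER_PUB)

if __name__ == "__main__":
    print(player_unlock(PACKAGE, BUYER_PRIV))  # the original song
    print(player_unlock(PACKAGE, OTHER_PRIV))  # unreadable bytes
```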
DRM technologies that we encounter most often:
The Perpetrator: Apple
The Terms: Works on five “authorised” copies of iTunes, unlimited iPods, can be burned to an unlimited number of audio CDs.
Find it on: Music bought from the iTunes Music Store
Works with: Any player with the QuickTime plugin (PC), iPod (portable)
The Perpetrator: Microsoft
The Terms: Licenses and media are distributed separately, and locked to a computer and portable player
Find it on: Music bought on Napster, URGE and Wal-Mart, to name a few
Works with: Windows Media Player 10 (PC), any portable player with the PlaysForSure logo
Zune DRM (not the official name)
The Culprit: Microsoft
The Terms: Incompatible with PlaysForSure devices, expires after three days or three plays if “beamed” from another Zune
Find it on: Music bought on the Zune marketplace
Works with: Windows Media Player 10 (PC), Zune (portable)
The Perpetrator: Protection Technologies
The Terms: Wraps around DLLs and allows access only through its own virtual machine
Find it on: Games published by CDV (pre-May 2006), Ubisoft (except North American releases), Digital Jesters, JoWooD (except North American releases), Egosoft, and Codemasters. Also the free game TrackMania Nations - to ensure that nobody tampers with ESWC ranking system
The Perpetrator: Sony DADC
The Terms: Resists copy attempts by optical drives
Find it on: Newer games published by Ubisoft, Sony
The Perpetrator: Macrovision
The Terms: Resists copy attempts by optical drives, blacklists all SCSI drives (mass replicators use SCSI drives)
Find it on: Games published by EA, Activision, id Software