Wednesday, December 07, 2005

The DRM Pandemic

Unless you’ve spent the last few weeks housesitting Saddam Hussein’s “spider hole,” you’ve heard about Sony’s software that silently installed itself on listeners’ PCs in an attempt to keep its CDs from being ripped. Instead, the listeners got ripped, thanks to a just plain ugly job of programming that opened a massive security hole in their computers.

I bring up this issue because last night, I tried to play some music stored on my PC that’s protected with Microsoft’s Windows Media Digital Rights Management (DRM) system. I purchased the songs months ago from Napster’s (legal) music store. I’ve got one copy on my PC and one on my music player, so I’m not even close to the limit on the number of copies of each song that I’m allowed to make by the DRM.

When I tried to play one of the Napster-sourced songs on my PC, instead of music I got a dialog box that said “License Acquisition Project page to upgrade to Premium.” After being unable to translate that message with my Captain Midnight Decoder Ring, I thought that the problem might be with Napster, so I launched it only to be told that I had to upgrade to a new version. After downloading and installing the upgrade, I tried to play a couple of the songs through Napster, only to learn that I no longer had a valid license for the music, Napster no longer had the right to sell the song, or both.

This is the second time in the last two months that I’ve had a similar problem. The first time, I got an error message from Microsoft’s Windows Media Player that said that my licenses were corrupt and had to be replaced with a backup (which of course I didn’t have). Napster walked me through getting around that problem, and I’m now waiting for them to reply to my customer service email and help me fix the latest problem.

I’m a fairly sophisticated user, yet I’ve lost control of content that I purchased months ago and I need help from tech support. If this is a problem for me, it’s going to be at least an order of magnitude bigger problem for most consumers. The only reason why the DRM piñata hasn’t spewed over the entire media and consumer electronics landscape is that there still aren’t a lot of actual DRM consumer users…but that’s about to change.

Today’s DVD players use a security system called CSS (Content Scrambling System), which encrypts the content on manufactured DVDs. The problem is that once an enterprising programmer named Jon Lech Johansen figured out how to derive the encryption keys for each movie, anyone with a personal computer and DVD drive could remove the encryption and make their own perfect copies. Because CSS is hard-wired into all DVD players, and because every new disc has to play on the entire installed base of hundreds of millions of DVD players, the movie studios are stuck.

Enter Blu-Ray. This almost-here, super-duper high definition replacement for DVDs uses three security systems: Advanced Access Content System (AACS), which is the next-generation version of CSS; BD+, which enables content providers to update DRM on already-installed Blu-Ray players; and ROM-Mark, which is a defense against bootlegging. AACS allows content providers to limit access to their content through an Internet connection to the viewer’s player. For example, a vendor could specify that a disc can only be watched for a maximum of 72 hours following the first time that it’s played. BD+ enables content providers to completely disable the ability of a Blu-Ray player to play discs, in the event that the current DRM system is compromised. Consumers would be required to install a DRM upgrade before they could play any more discs. Sounds great! What could go wrong?

Well, let’s see…you get a disc from Netflix in the mail, and when you put it into the player, the disc tries to “call home” over the Internet. What if your Internet connection is down or the content provider’s server has crapped out—will the disc play or not? What if a BD+ “upgrade” that’s hidden on the Blu-Ray disc you just bought manages to trash your player’s ability to play anything? How will that get fixed? Or what if someone who’s less than scrupulous manages to distribute a BD+ upgrade that will only allow certain movies to play?

According to the Digital Entertainment Group (DEG), more than 147 million DVD players and more than 5 billion DVDs have been sold to customers in the U.S. since 1997. A hot DVD can sell several million copies in its first week. If something goes wrong with the AACS or BD+ code for an equivalent Blu-Ray disc, the carnage will be massive. If the disc won’t play, are video retailers and rentailers going to be willing (or able) to support customers? If the players themselves are damaged, who’s responsible for fixing the problem—the content provider or the player manufacturer?

DRM, by its very nature, is an accident waiting to happen. DRM systems create a game of cat & mouse between DRM developers and hackers: A new DRM system is released, hackers figure out how to break it, the DRM vendor works around the hack, the hackers work around the fix, and so on. Sooner or later, something is going to go wrong with either a hack or a fix, and when it does, lots of people are going to hear about it. One guy who got ripped off by an Internet camera store posted the story on digg and turned the name PriceRitePhoto into a synonym for sleaze. Imagine what will happen when a few million people find out they can’t play that shiny new Blu-Ray disc they just bought.

Content providers, consumer electronics and computer companies have to start looking beyond DRM to come up with better market-based ways to limit piracy. If version 1 of a DRM system doesn’t stop piracy, release a more powerful (and onerous) version 2; repeat indefinitely. However, there’s always a point past which it doesn’t make sense to protect content. We could have bank vault doors on our homes and apartments to make them burglar-proof, but they’d be massive overkill. Instead, we live with wood or metal doors with cylinder locks and deadbolts, even though we know that they won’t stop a determined burglar.

There is no practical DRM system that will stop a determined pirate. Sooner or later, someone will find a way around the DRM. Rather than engineering DRM systems for “worst-case scenarios,” we need legal, pricing, packaging and distribution strategies, along with content protection, that discourage pirating and encourage purchase of legitimate copies. The sooner we focus on the carrot rather than the stick, the better.