• On MP3.com: Free music videos
advertisementAT&T Tech Support 360
September 10, 2007 5:01 AM PDT

The future of DRM

Posted by Peter Glaskowsky

If ever a technology was introduced prematurely, it was digital rights management (DRM). From the DVD Content Scramble System (CSS) to the Advanced Access Content System (AACS) in HD DVD and Blu-ray systems, millions of dollars have been invested in failed attempts to prevent piracy of digital content.

Security is difficult to do right. CSS failed because virtually every element of the system was poorly designed. It used weak 40-bit encryption and was vulnerable to break-once, break-everywhere attacks. CSS continues to be used because it's better than nothing, but it isn't much better than nothing.

AACS solved many of the problems of CSS, but was quickly compromised because the AACS administrators allowed AACS to be implemented in purely software-based systems for PCs. Without hardware security, there was no way to stop ordinary software-debugging tools from extracting the cryptographic key values used to decrypt AACS-protected movies.

But the weaknesses of these systems shouldn't be taken to mean that effective DRM is impossible, as some have claimed.

There's a closely related claim that I can agree with: perfect DRM is impossible. It's inherently impossible to plug the "analog hole," for example. Anything a person can hear or see, a microphone or camera can record.

Nevertheless, DRM can be effective in the commercial sense--protecting the commercial distribution of copyrighted works against unfair and illegal competition from pirates. The full details of an effective DRM solution are beyond the scope of a single blog post, but making DRM work requires at least four factors that aren't present in current systems--and probably aren't even practical right now.

1. The DRM system must use secure hardware components integrated into the playback devices (e.g., displays and speakers) so there is no accessible digital pathway carrying decrypted data. Playback devices must be able to communicate with an authentication server the first time it sees each protected work.

2. Playback devices must not be able to play full-quality unprotected content.

3. All copies of a given work must not be identical. When practical--with downloaded content, especially--each copy should be separately encrypted. When this can't be done--as with pre-recorded optical media--critical portions of the content should be distributed separately at the time of authentication. Even then, the number of copies sharing the same decryption keys should be limited as much as possible.

4. The authentication process must use a secure communication channel between the DRM hardware and the authentication server, and transfer only the information necessary to play that specific copy of the work on that specific presentation device.

With all of these requirements in place, even the most sophisticated pirate attack can only compromise one copy at a time. That's plenty bad, but without access to the authentication servers, the pirates can't create a new version that can be played on the protected players.

This point brings us to the key difference between perfect DRM and commercially practical DRM--a commercial solution merely requires that pirated content is clearly distinguishable from authorized content by ordinary users. Although many people are willing to play pirated content, most aren't.

But none of these technical requirements address the social drawbacks of DRM. No matter how well implemented, DRM will always annoy some people, and will always present one more potential source of problems. I think we'll find that some--and perhaps most--kinds of digital content can be profitable even without effective DRM. Just because something's possible doesn't mean it's necessary...but if DRM is necessary, at least it's possible.

Originally posted at Speeds and feeds
Peter N. Glaskowsky is a technology analyst for The Envisioneering Group. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Topics:

Security

Tags:

DRM,

CSS,

AACS,

HD DVD,

Blu-Ray,

copyright

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from News Blog
EA Mobile, Eidos Interactive sign agreement
Sprint first to offer HTC Touch Pro
Flipping out: RIM BlackBerry Pearl Flip 8220 debuts
Sprint HTC Touch Diamond outed early
Woman to virtual ex: 'I won't be ignored!'
Add a Comment (Log in or register) 35 comments (Showing first 20 comments)
DRM is practically worthless.
by Penguinisto September 10, 2007 7:11 AM PDT
Nor is it "premature" in a time sense.

Cable and Satellite companies have been hashing through this
for years. Even with full control of hardware and software,
anyone who wants unfettered access to TV channels w/o paying
through the nose usually can find 'that guy' who modifies boxes
and/or smart cards to allow you to take in as many channels as
you desire, all w/o paying for it.

DRM in computer tech fares little better... for every new
algorithm, there is a swift crack for it if there is any consumer
demand (which works a lot like illicit drugs, come to think of
it...) You just have to know where to look.

Even full-control setups like the XBox are routinely cracked (or
"modded").

IMHO, I see DRM as a failure. It fails to even slow down the ones
who want the content illicitly, while at the same time becoming
an inconvenience and a bother to those of us who get their
content legitimately.

Perhaps it's time to look for a more holistic means of protecting
content?

/P
Reply to this comment View reply
Re: The Future of DRM
by vvvlad81 September 10, 2007 11:33 AM PDT
I like this part 1:
"Playback devices must be able to communicate with an authentication server the first time it sees each protected work."

It scares me and sounds a bit big brother-ish. Why should a commercial entity receive a callback when I use their product for the first time, or anytime for that matter? If I buy anything, including protected work I'd like the relationship with the entity I am buying it from to be restricted to the purchase. I gave them money, they gave me a product we both should be happy. Why should their product call home when I used it and from where I use it?

Next thing you're going to tell me is that all companies are trustworthy angels and all that stored information will not be tracked, leaked and won't come back biting me in the rear...
Reply to this comment
So in other words...
by kingskippus September 10, 2007 11:35 AM PDT
So in other words, in order to make DRM practical, we'll need to get past all of the following hurdles:

1. Consumers will have to buy all new equipment that has the hardware-locking capability built-in. You can't just buy a new television, a new tuner, a new set of speakers, etc., EVERYTHING must be new.

2. Worse, EVERYTHING must be proprietary. As we've seen with the Blu-ray vs. HD-DVD war, Apple vs. everyone else war, and so on, getting companies to agree on a standard for something as simple as a format is impossible. Trying to get companies to agree on some hardware device to use for DRM would be even harder than impossible.

3. Even worse, consumers would have to operate under the assumption that if they buy some media content such as a television show, it will ONLY be viewable in one place. No more transferring shows to your iPod without paying for it again. No more taking it on a trip to watch on the player in your car without paying for it again.

4. For all this money, consumers are getting absolutely nothing in return. In fact, it's less than nothing that they're getting, they're actually LOSING functionality that they would and should otherwise have. That makes it a very, very tough sell.

5. Consumers MUST have a connection to an authentication server--i.e. access to the Internet--for what you're talking about. While market penetration is high, believe it or not, it's not ubiquitous yet. And, of course, this totally neglects portable devices such as players in minivans and such. If a consumer buys a movie while on vacation, would they really be willing to wait until they get back home and can register it before being able to watch it?

6. You say, "With all of these requirements in place, even the most sophisticated pirate attack can only compromise one copy at a time." I know this may be shocking, but one copy is all that a sophisticated pirate needs. Once it's ripped, it will be unencrypted and converted into a format that is playable on any device. I know you're proposing that basically all devices being locked so that they won't play unencrypted media, but that's not really practical. It totally ignores that there are things out there that people will WANT to be unencrypted, such as little Timmy's soccer game or cousin Bob's wedding video.

7. Every media that is even remotely popular, without exception, has been cracked by pirates. Seriously. You say, "millions of dollars have been invested in failed attempts to prevent piracy of digital content," and you're right. The fact that the industries have tried so hard for so many years to lock media down and failed so utterly miserably says to me that it's not a technology that's premature, and it's not a technology that's broken. It's a technology that has something fundamentally wrong with it on a level that transcends mere hardware and software and that strikes right at the core of the whole idea of DRM. We are an ownership society. We want to watch our movies how, where, and when we want to. We don't like the idea of someone else having control over our stuff after we pay the cashier and carry it out of the store. Until that changes, I don't see DRM going very far.

8. Speaking of millions of dollars, the real shame in it is that after all that money and all these years, the ONLY thing DRM has accomplished is keeping legitimate customers from enjoying the media they paid for in legitimate ways. The pirates have not been slowed down one iota. Zip. Zilch. Imagine how much better the media industries' relationship with its customers would be if they had spent all of that time and money on researching new, better, and innovative ways to provide a better customer experience instead of ways to prevent pirates, who again, have not been slowed down one iota by its efforts, from having some freebie copies of movies? In other words, imagine where we would be today if media companies had invested money into making consumers WANT to buy their stuff instead of making everyone so frustrated and mad?

I could go on. Believe me, I could. There is no reason whatsoever I shouldn't be able to buy a copy of (insert your favorite movie title here), transfer it to my iPod, burn a copy to watch in my minivan, (gasp!) share a copy with a friend, who might want to go buy his own copy for the stuff that comes with it and to support the movie with sales revenue, extract a clip for a school assignment video report, copy it to my hard drive so that if my disc gets lost I'm not SOL, copy it to my media server so that I can watch it with a few button pushes and keep the disc in storage, etc. Technologically, its easy, and THAT is what media companies need to be working on instead of yet another future DRM implementation failure.
Reply to this comment View reply
the perfect solution already exists
by jac10l September 10, 2007 11:38 AM PDT
Mr. Glaskowsky,
what you describe already exists for the entertainment industry.
It's called a movie theater.
think about it, the patrons pay for the one time experience only
and the theater controls all of the media presentation
technology.

The problem is the industry is trying to compete for marketshare
in a end user driven economy, which, like myself, revolts at the
prospect of the clamped down media experience you describe.

I want the creative souls responsible for the content I enjoy to
be well paid, but I balk at what I see as the overlord mentality
of the middle men and distributors infecting my technology and
reducing my choices.

One company seems to be doing a very good job of balancing
the responsibility to the artist and to the audience. Apple and
the ITMS seem to actually have a clue to how real people enjoy
entertainment. I pay for what I play, and I don't generally feel
any 'big Brotherish' hands on my shoulder as I do.
No, it's not perfect, but it beats the hell out of your DMR infused
crippled technology/server solution.
Remember the point:
If you want us to buy your wares outside of the theater,

you'd better make the experience damned attractive.



jrl
Reply to this comment View reply
DRM is Draconian - and forever?
by TomPhilo September 10, 2007 11:54 AM PDT
Everything you wrote about is for the "now" - what happens when the COPYRIGHT EXPIRES?
If DRM is built INTO everything - that means you could NEVER play it at all - since your premise is that ALL hardware cannot play non DRM controlled media! That means you have to THEN buy a 'NON' DRM enbabled version to show that the version is non DRM'd!
Do you think manufactures will send to everyone who had bought a DRM enbabled version a DRM free one at THEIR cost when the copyright expires?
When "Steamboat Willie" becomes public domain in 2016 will Disney send everyone a copy at their expense who has a version now on DVD?
Trying to force a technological solution onto a SOCIAL problem - stealing - will NEVER work.
Tom Philo
www.taphilo.com
Reply to this comment View reply
It is old as time itself
by bjwhaw September 10, 2007 12:17 PM PDT
I remember back when copy protection was being used to stem the tide of software piracy, using dongles and what not. The old adage still applies. Whatever can be done in hardware can be done/undone in software. Whatever can be done in software can be done/undone in hardware. Perfect DRM? Never! DRM that uncle joe won't mess with, AACS is pretty much it.
Reply to this comment
regarding point number 2
by herkamur September 10, 2007 1:47 PM PDT
> 2. Playback devices must not be able to play full-quality unprotected content.

This point alone makes such a DRM system commercially useless. Such an implementation would disallow all user created "full-quality" content (eg. home videos of the kids). People aren't about to waste their money on a "full-quality" video camera if they can't play it back at "full-quality". Likewise, people won't buy a separate kit just to play their home video and another for crippled video.

DRM just hurts the honest folk.
Reply to this comment View all 2 replies
Wrong premise: DRM does not have a future
by ajaquith September 10, 2007 4:41 PM PDT
Peter --

Your post on DRM advances the wrong premise: that somehow, DRM technologies can be
made to work in spite of the overwhelming evidence that curious minds and determined
reverse engineers will do whatever it takes to break them. Perfect DRM isn't possible, mostly
because it assumes that miracles will happen. Those miracles include making sure that every
hardware and software technology that produces, processes, or emits what movie studios and
record labels blithely call "content" use some hypothetical, unbreakable system that is
simultaneously waterproof yet not so noxious that consumers and businesses refuse to use it.
Even the ultimate DRM would be bypassed soon enough. (A modest proposal: why not forcibly
implant crypto chips in every infant's retinas and eardrums at birth, and combine it with a
micropayment system that remits money to Disney whenever some toddler thinks "Mickey
Mouse"?)

That's not to say that all aspects of content control are impractical. For example, the satellite
TV industry has shown that by using appropriate hardware, good security design and lots of
crypto you can make gaining free access to movies or satellite channels hard enough that
most people won't try. Solving the "conditional access problem" -- making it very hard to
obtain content unless you pay for it -- is feasible but not cheap, especially on systems where
one vendor controls the whole stack from top to bottom. But controlling what consumers can
do with that content AFTER they get it -- that is the part that is impossible. It is "impossible"
in the sense that it is totally incompatible with media portability. It is guaranteed to **** off
customers who want to take their entertainment with them, on whatever device and in
whatever format they choose.

At Yankee Group, two colleagues (Mike Goodman and Josh Martin) and I wrote a research
report called "Kill DRM, Vol. I: EMI's Move Underscores the Power of the Anywhere Consumer."
In it, we talk about why DRM is fatally flawed, and how it alienates customers. We suggest
ways of re-thinking business models so that they don't assume watertight control over
content. I highly recommend that you read it. Naturally, the report is available for free and
without DRM restrictions of any kind.
(http://yankeegroup.com/research/downloads/KillDRMVol1.pdf)

Let's stop pretending that DRM can ever work; not even the "commercially effective" kind you
propose. Consumers don't want it, and any victories will be Pyrrhic and short-lived.

Andrew Jaquith
Senior Analyst
Yankee Group
Reply to this comment View reply
DRM is unfair
by weavercs September 10, 2007 5:31 PM PDT
No matter how well designed it is, DRM is unfair because eventually people lose their rights to the music they buy and can no longer make use of what they paid far. The poor little companies that make their livings off the unsuspecting consumer don't ever talk about that but just try to get them to restore your digital rights if you lost them. I have bough my last protected file.
Reply to this comment
content cartel's dream is consumer's nightmare
by dklay September 11, 2007 6:02 AM PDT
So for DRM to work, you admit that (1) all playback devices will have to be crippled so they cannot play unprotected content (presumably this would be enforced by some broadcast-flag-type law) and (2) every viewing of content will require approval from an online authentication server.

Requirement (1) is completely incompatible with any sort of open-source development model and I would argue is an unconstiutional abridgement of free speech. Requirement (2) sounds like a recipe for turning expensive equipment into a paperweight whenever any sort of glitch occurs in the network.

An effective DRM regime is a pipe dream, and a poisonous one at that. You'd be well-advised to drop it.
Reply to this comment View reply
DRM should not exsist
by Bojeebees September 11, 2007 12:46 PM PDT
Once I purchase a copy of a CD or movie, I should be allowed to make back-up copies, play the material anywhere I want (excluding public places of course) without the worry that the system may not be authorized/capable of playing the source material. This is the right of every consumer. Once we purchase that item, we own it and the industry that sold it to us should not have any right to dictate any aspect of its use. DRM is also the reason why I will never purchase DRM music from iTunes (I'd rather buy the CD and rip it).
Reply to this comment View reply
DRM is dead
by wizardb September 12, 2007 6:06 AM PDT
and no longer a real issue the record RIAA has realized it and the movie industry soon will,you can't lock down content in this day and age also people even my 70+ year old parents will not stand having their personal equipment monitored in case they try to play an encrypted movie!
Reply to this comment
This Guy just Doesn't get it
by Jordon Berkove September 12, 2007 7:19 AM PDT
If these companies reasonably priced their music and Videos, there wouldn't be much of a problem. Most people think cracking or hacking is a bit of a hassle and would pay givin a fair deal. That would be the ability to make a copy for backup or the road, something not permited in DVDs, Blue Rays use of flags is in flagrant disreguard of precedents set by VCR users as far as copying shows off of cable. The whole thing arose because of 9-11 and paranoia let the people be blindsided by the ******** that the government and their business cronies wanted to spoon feed us.....
Reply to this comment View reply
DRM Is Pointless
by johnb6597 September 15, 2007 8:19 AM PDT
If I buy a CD or DVD and decide to burn 10 copies of it for my own use or my family's use, then that's my business. If I make 10 copies and start selling them on the street corner, then that's the copyright holder's business and they should prosecute me for my infringement. Incorporating technology into the product that denies me the ability to protect my investment against defect or damage is not the moral choice for a consumer-reliant industry. Go after the wrongdoers, by all means...but don't cast your suspicious net so far and wide that you snare good, hard-working people who aren't ripping you off. We're the ones paying your outrageous prices! Oh, and for the record...I enter into no covenant with anyone whereby I agree not to copy purchased material for my own personal use when I buy an original CD or DVD...my signature is on no such agreement.
Reply to this comment
Keeping up appearances
by midfingr September 15, 2007 11:12 AM PDT
I think it's a 'where money is involved situation'. What I mean is that if a particular DRM is no longer feasible, then a company will drop the encryption and leave the end users to fend for themselves. That appears to be the trend--the investors don't care how you sell a product, they just want to see a profit.

As a consumer, I feel like a test lab rat in that DRM is beta tested on me, be it from Microsoft's WGA or Sony's implementation of XCP software. To have a universal DRM would involve so many factors, that it would surely fall apart. There's different countries, government at multiple levels, consumer activist groups, stockmarkets, investors, insurance companies, litigation considerations, and so on.

I remember when TV was free, and by some accounts at it's best. Yes, we had lawyers back then, but the difference was that movie houses, recording, and TV studios were owned by the originating companies. Now, they've all been bought out by soda, sportsware, and other maximum profit corporations. In other words, whatever they can sell for a quick profit/turnover is in their best interests, not the audience or consumer. There's no investment in the actual art of entertainment anymore, just companies out to make a quick buck.

Protect what? The garbage being turned out by today's media? If so, then help yourself to happiness. I could careless about reality TV shows, or some whinny brat's movie/music/dance production.
Reply to this comment
 See all 35 Comments >>
Powered by Jive Software
advertisement

About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

News Blog topics

Featured blogs

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET