TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

Back in November 2007, I hinted at the inherent problems of DRM software in the article Radiohead knows more than Microsoft about security. I didn’t really address DRM itself in any detail, however. I’ll address it now.

Technical problems

As you might have gathered from the Radiohead article, DRM is essentially ineffective. Its only reliable effect is to treat legitimate customers like criminals. A determined (and competent) security cracker can always find a way to circumvent DRM.

In April 2007, Ars Technica reported on statements by one of the people involved in the Xbox-based AACS key crack that circumvented the HD DVD format's DRM. Before that, each AACS crack had been "fixed" by "expiring" the compromised decryption keys and pressing new content with new keys. Already extracted keys could still decrypt older content, but not anything released after the new keys were issued. Such fixes don't address the real problem, though: the new keys can be extracted just as the old ones were, as the Xbox-based crack demonstrated.

Ultimately, there’s no way to really protect content from its users without simply preventing the users from accessing it at all. DRM “protects” content by encrypting it and preventing the user from accessing it in unauthorized ways — including copying it. To be worth selling, though, it has to be accessible in authorized ways — including actually playing the content on an authorized player. This means there must be a way for the player to decrypt the content.

There are at least two different ways to leverage the necessity of decryption to circumvent DRM:

  1. You can access the content after it is decrypted. The AACS specifications require specific characteristics of authorized players to make it difficult to capture content after decryption for unauthorized copies, but ultimately the only reason this circumvention technique is not used more often is that it is usually easier to get the decryption key than to capture the content between decryption and display.
  2. You can access the decryption key, then use it to decrypt the content and capture it at your leisure. For the decryption key to be used in an authorized manner, it has to actually be used — which means it has to be accessible to the decryption software. If it’s available to the decryption software, it’s available for a security cracker to discover.

The entire AACS saga highlights the core weakness of DRM. The point of DRM is to simultaneously prevent the user from accessing content and allow the user to access the content. The way DRM like AACS does this is by encrypting content, providing the decryption keys needed to access it, and then trusting that users are unable to get at those keys in an unauthorized manner.

As long as you want your customers to access the content at all, you have to resign yourself to the harsh reality — that once you give the customers access, you can’t take it back. Any other approach to it just means you’re lying to yourself.
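As an added illustration of the two paths above (example code written for this page, not code from the original article), here is a toy Python model of an AACS-style key hierarchy: a Media Key Block wraps a per-disc media key under each licensed device key, the media key unwraps the title key, and the title key decrypts the content. The cipher (a keyed SHA-256 keystream instead of AES), the flat-dictionary MKB (real AACS uses a subset-difference tree), the player's "memory" bytearray, and the sample content are all assumptions made for the example. The demo walks through a leaked device key, its revocation on a later disc, and the two ways an attacker gets around the revocation: capturing the player's output, and finding the fresh title key in a memory dump by testing every 16-byte window against the known content header.

```python
# Added example (not from the original article): toy AACS-style key hierarchy.
# Assumptions: SHA-256 keystream stands in for AES; the MKB is a plain dict;
# "player memory" is a bytearray; MAGIC and the movie bytes are constructed.
import hashlib
import os

MAGIC = b"DRMV1\x00"  # constructed content header; doubles as known plaintext


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks. Not AES."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_mkb(media_key: bytes, device_keys: dict, revoked: set) -> dict:
    """Media Key Block: the media key wrapped under each non-revoked device key.
    Revoking a device simply means leaving it out of the MKB on new discs."""
    return {dev: keystream_xor(dk, media_key)
            for dev, dk in device_keys.items() if dev not in revoked}


def press_disc(plaintext: bytes, device_keys: dict, revoked: set) -> dict:
    """Encrypt content under a fresh title key; wrap that under a fresh media key."""
    media_key, title_key = os.urandom(16), os.urandom(16)
    return {
        "mkb": build_mkb(media_key, device_keys, revoked),
        "enc_title_key": keystream_xor(media_key, title_key),
        "content": keystream_xor(title_key, MAGIC + plaintext),
    }


def decrypt_with_key(disc: dict, title_key: bytes) -> bytes:
    return keystream_xor(title_key, disc["content"])[len(MAGIC):]


def decrypt_with_device_key(disc: dict, dev: str, dk: bytes) -> bytes:
    """What a leaked device key buys; raises KeyError once the device is revoked."""
    media_key = keystream_xor(dk, disc["mkb"][dev])
    title_key = keystream_xor(media_key, disc["enc_title_key"])
    return decrypt_with_key(disc, title_key)


class Player:
    """Licensed player. Its working keys necessarily live in its memory."""

    def __init__(self, name: str, device_key: bytes):
        self.name, self._dk = name, device_key
        # stand-in for the process heap: unrelated bytes around the key material
        self.memory = bytearray(os.urandom(64) + device_key + os.urandom(32))

    def play(self, disc: dict, render) -> None:
        if self.name not in disc["mkb"]:
            raise PermissionError(f"player {self.name} is revoked for this disc")
        media_key = keystream_xor(self._dk, disc["mkb"][self.name])
        title_key = keystream_xor(media_key, disc["enc_title_key"])
        self.memory += title_key  # the key must exist in memory to be used
        render(decrypt_with_key(disc, title_key))  # path 1: plaintext leaves here


def scan_memory_for_title_key(memory: bytes, disc: dict):
    """Path 2: known-plaintext search. Every 16-byte window of the dump is
    tried as the title key against the encrypted header; returns None if absent."""
    header = disc["content"][:len(MAGIC)]
    for off in range(len(memory) - 15):
        candidate = bytes(memory[off:off + 16])
        if keystream_xor(candidate, header) == MAGIC:
            return candidate
    return None


def demo() -> dict:
    device_keys = {"A": os.urandom(16), "B": os.urandom(16)}
    movie = b"frame 0001: opening titles"  # constructed sample content
    results = {}
    # Disc 1: attacker already holds player A's device key (extracted earlier).
    disc1 = press_disc(movie, device_keys, revoked=set())
    results["disc1_with_leaked_dk"] = decrypt_with_device_key(disc1, "A", device_keys["A"])
    # Disc 2: the licensor "expires" A; the leaked key is useless for new discs...
    disc2 = press_disc(movie, device_keys, revoked={"A"})
    try:
        decrypt_with_device_key(disc2, "A", device_keys["A"])
        results["disc2_with_leaked_dk"] = "decrypted"
    except KeyError:
        results["disc2_with_leaked_dk"] = "revoked"
    # ...but a non-revoked player must still decrypt it, so the attacker
    # captures the output (path 1) or reads the fresh key out of memory (path 2).
    player_b = Player("B", device_keys["B"])
    captured = []
    player_b.play(disc2, render=captured.append)
    results["disc2_captured_at_output"] = captured[0]
    title_key = scan_memory_for_title_key(player_b.memory, disc2)
    results["disc2_via_memory_scan"] = decrypt_with_key(disc2, title_key) if title_key else None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The memory scan is the part worth dwelling on: the attacker never needs to know where the key is stored or how the player is built, only some plaintext that every disc shares (here the constructed header). Every candidate window that decrypts the header correctly is the key, so no amount of key rotation on the disc side changes the attacker's workload against the next player.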

Social problems

Since DRM is ultimately ineffective at stopping the people the purveyors want to stop, it’s not really protection against copyright infringement. That leaves two things that DRM could be:

  1. If you subscribe to the notion that information is and should be the property of the person who first disseminates it, DRM is just an insult to your customers. It restricts the ability of end users to access the content in legitimate ways, treating them like criminals, interfering with fair use, and even preventing customers from doing something as simple as watching a movie without buying a new DVD player just to satisfy your paranoia. This, of course, assumes that your customers won't simply circumvent the DRM.
  2. If you subscribe to the notion that “information wants to be free”, or that the possessor of information should be able to do whatever he or she wants to do with it, or that copyright law is simply wrong, DRM is worse than an insult — it’s a violation of the rights of every single customer.

Either way, it’s just a bad way to do business.

People react negatively to the way content providers are treating their customers. People who would otherwise just buy content and use it the way the content providers would like them to are becoming irate, boycotting the worst offenders among content providers and even infringing copyright themselves in some cases. I’m sure Sony/BMG isn’t even aware of how much damage it has ultimately done to its own business by mistreating its customers.

Some groups are even making concerted efforts to make life difficult for DRM users by preventing them from effectively using resources that are generally accessible to everyone else. The third version of the GPL, for instance, requires (in section 6) that when a covered work is conveyed in a consumer "User Product", any "authorization keys" needed to install and run modified versions of it must be provided along with the source code:

“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source.

In the GNU Quick Guide to GPLv3, it says:

It’s always possible to use GPLed code to write software that implements DRM. However, if someone does that with code protected by GPLv3, section 3 says that the system will not count as an effective technological “protection” measure. This means that if you break the DRM, you’ll be free to distribute your own software that does that, and you won’t be threatened by the DMCA or similar laws.

Unintended consequences

As I’ve already pointed out, there are some negative consequences for saddling your customers with DRM. DRM isn’t the only problem here, though. Anything that attempts to restrict what people can do with what you’ve given them can have similar negative consequences. I need to be perfectly clear here: I’m talking about what you can do — not what you should do. When you try to restrict what people can do by applying rules across the board to anyone and everyone, you sometimes end up stopping people from doing what they should do.

The problem is unintended consequences: in trying to restrict what people can do, you may end up having the opposite of the intended effect. This is the problem with Germany, England, and even parts of the United States trying to outlaw network administration tools that could be used to crack the security of others' networks, because those same tools are used by the people who secure our networks against malicious security crackers. By the same token, it is the problem with trying to prevent people from writing DRM software, since that cannot be done without destroying the effectiveness of the software at the same time.

By mandating in GPL version 3 that any "authorization keys" must be provided with the source code, the GNU Project is effectively saying that certain types of software development using code distributed under the terms of the GPL cannot be allowed to be as effective as their developers could otherwise make them. This discourages certain types of security software research with GPLed code, discourages greater adoption of open source software by commercial entities, and could easily have further unintended negative consequences that are not yet as obvious as these.

April Fools?

This is probably where some of my readers expect me to say “April Fools!” It’s the first of April, after all. I just got done saying, first, that DRM used to “protect” content is bad, and second that we shouldn’t try to prevent anyone from creating DRM systems — which probably seems contradictory.

None of this is a joke, though. I guess I just can’t come up with a good one for April Fools’ Day this year. There’s no contradiction in what I said.

It's all based on ideas like Kerckhoffs' Principle and Shannon's Maxim, "The enemy knows the system," which is a rephrasing of the basic concept behind Kerckhoffs' Principle. Ultimately, it all just means that trying to control how people use what they have by keeping its internal workings secret is doomed to failure. The common thread is that security cannot be bought with attempts to restrict how people might use what you've given them.

Someone who intends to circumvent your security measures will not be stopped by the attempt to convince them to ignore what’s already in plain view.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

DRM and unintended consequences apotheon | 04/01/08