Digital rights management

Digital rights management (DRM) refers to the laws and technologies which provide intellectual property owners control over the distribution and use of their material by controlling consumers' use of it. The claimed goals are to prevent copying of digital media and to restrict access and content use to what is allowed by copyright law. . Critics claim that the "rights" enforced by DRM routinely go beyond those granted by law.

Legal Background
The copyright since its formal creation in 1710 by the British Statute of Anne and its inclusion in the U.S. Constitution has been the main protection scheme for intellectual property rights for creative information goods and services.

Article I, Section 8, Clause 8 of the U.S. Constitution: "To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries."

Copyright law grants exclusive legal ownership of information under specific conditions and terms. Through two major revisions of U.S. copyright law in 1909 and 1976, the range of content and media forms covered by legislation were expanded.

During the pre-digital era, large-scale copying was expensive and usually resulted in degraded content. The development of electronic and digital media transformed the production and distribution of information goods and services. In digital form, the content could be copied perfectly or easily converted to another form or format, and thus lifted the physical constraints of copying. The rise of digital media and networks made sharing and copying not only easier for traditional information "pirates", but also made it easier for individuals. Unlike the "pirates" whose unauthorized copies were for commercial gain, individual copying stems from behavioral norms from traditions of fair use and first-sale rights.

The rise of unlicensed and illegal copying and distribution of intellectual property cast doubts on whether a copyright provided enough protection in the wake of continued digital innovations. Copyright owners responded by developing technological copyright protection mechanisms (CPM) in order to make copying more costly and difficult. For CPM to succeed, legal enforcement was needed to ensure the uniform adoption of technologies and that any attempt to circumvent them would be criminalized. The U.S. 1998 Digital Millennium Copyright Act (DMCA) provided for enforcement of copyright protection mechanisms. The development of schemes that were capable of not only preventing or limiting copying, but also controlling the distribution and uses of digital media eventually became collectively known as digital rights management.

Music: The first to be hit
Initially, writing and written works were the primary focus of this legislation: technology, or lack of it, protected other art forms, such as film and music, from being easily copied or distributed in a way that required heavy enforcement.

The Conditions
However, as technology improved exponentially in the past half century, the copying of these art forms became more and more an issue. Eventually, a tipping point was reached, and music was the form of media that was hit head on with the problem of copying becoming so easy, that copyright violation became an unenforceable law. Although there are many theories as to why music was first, several factors are credited:


 * Digitized Format: The digital Compact Disc format, first published in 1988 by Philips and Sony, was the primary medium for music storage and sale by the early 1990's. As music was already distributed mainly via this digital medium, it made it easy to make digital copies with minimal effort and a home computer.  This is in stark contrast to other media, such as books, which were still widely sold on a physical, non digital medium, and would take more then a computer and quite a bit of effort to fully copy digitally.


 * The format of Albums: For decades the common format of music sale has been the Album, a collection of music tracks typically related in some way and produced by the same artist. A album typically has between 10 and 20 tracks on it, and each track is typically 3 to 5 minutes long. Although the album itself is considered extremely important to the format of music, each track is easily enjoyed by most of the general public outside the context of the album as a whole. Therefore, sharing a single track off an album is extremely common, and a single track is small and easy to share. An album's segmentation therefore makes sharing it easier. This is in contrast to a film, where no such segmentation exists; Most people get very little utility out of just part of a film, rather than the film as a whole.


 * The consumer base: Although people of all ages enjoy music, most music is marketed (and sold) to adolescents and people in their 20's. As it so happens, these young people are the people most adapt to new technology, and the quickest to adapt it to save them money and time.


 * Previously Unenforced Conditions: Some copying of music via tapes was technically illegal before, but rarely enforced. Other copying, such as making a cassette to play in the car, was not; the record companies had argued that all the way to the US Supreme court and lost. As a result, the average consumer did not perceive copying music to be illegal.


 * The MP3 format: The MPEG Audio Layer 3 format, released in the early 1990's, is considered one of the leading reasons as to why music was so quickly hit with the copyright problems leading to DRM. As the Cotton Gin is often blamed for the boom in the institution of slavery, so is the miracle of the MP3 format often blamed for blindsiding the music industry.  Music and sound formats, such as Microsoft's WAVE format, were available long before the MP3 format.  However, the compression of a high quality music track into a media file with an average length of 4 megabytes, allowed for the ease of transmission needed for widespread copying.


 * Wide Internet Adoption: The exponential adoption of internet access into the average American household in the early 1990's allowed for a ubiquitous, cheap, and quickly growing medium to transmit data distances that were previously unheard of. Without the internet, music would only be able to be shared as far as you could walk it.


 * Limited Record Company Adoption: With previous improved formats, such as cassette tapes and CD's, the music industry has been fast to adapt, develop, and switch to these new forms of media to satisfy the demand. However for digital music this was not the case. Although computers with CD burners and MP3 player sales were skyrocketing in the early 90's, from 1999 (the release of Napster) to 2003 (the opening of the Itunes Store), there was no digital music service offering any of the music produced by the big 4 record companies (Warner, Sony BMG, EMI, Universal). As a result, the lack of service drove people to acquire their music via illegal copying.

The Reaction
As a result of these conditions, starting with the release of the Napster sharing service in 1999, the music industry began to react to the growing amount of file sharing that was occurring via various services. The music industry, through the RIAA, decided on three primary avenues of advance to thwart this growing problem:


 * Shut down the services: Napster was the first to be sued by the RIAA, and shut down (as a free service) in July 2001 .  Subsequent services, such as Kazaa have been sued but have reacted by moving offshore, outside the jurisdiction of the RIAA.


 * Offer services to consumers: The record companies began to give licenses to digital distributers, allowing them to sell their music. Under almost every circumstance, some sort of DRM clause was in the contract initially.  In recent months however, record companies have begun to bow to demand and allow DRM free services to start.


 * Make Examples of Sharers: In order to drive up the perceived "cost" of sharing music illegally, the RIAA began to sue people who were sharing large libraries of music online . Although most of these cases were settled out of court, the settlements stretched into tens of thousands of dollars and cost much more due to legal fees.

Consumer Backlash to the RIAA
In purely economic terms, the record companies were executing textbook strategy: Lower the cost of purchasing a track online, raise the cost of sharing or downloading one, and eventually your consumer base will switch to the cheaper option.

However, the RIAA failed to consider the nightmare they could produce by suing their consumers, many of whom were children. As a result, there was a backlash towards the RIAA and big music in general, and although sales of digital music rose quickly, the PR of the music industry took a heavy hit.

Additionally, the introduction of DRM was not as well received as the industry would have liked. The fact that DRM soiled a product that consumers were used to purchasing without strings drove many away from the services offered by the record companies.

Recovery: The movement away from DRM
Responding to consumer demand and the practicality of the changing industry, a host of music services have recently begun to sell music that is DRM free. Although the record companies are slow to accept this reality, it is beginning to become an industry trend.

Some services to recently offer DRM-Free services are:


 * Apple iTunes music store
 * Rhapsody
 * Amazon
 * Sky

Film: Learning from Music's Mistakes
Trying to not make the same mistakes as their music counterparts, the film and TV industry is attempting to be faster in the adaptation of digital distribution.

Forms of DRM were introduced in both the DVD and Blu-Ray formats. The DVD format was cracked in the 90's, and weaknesses in Blu-Ray were found within months of release.

However, the industry as a whole is beginning to accept the idea that fewer and fewer consumers are accessing their content via physical media, and more and more are switching to digital or streaming services.

Rather then fighting the tide of digitization as the music industry did, the film and TV industry is trying to move faster to offer reasonable services to consumers that match the demand:


 * In order to have immediate access to shows and movies, most cable services are now offering On-Demand services via digital cable. These services differ from traditional pay-per-view services in that they typically have a much wider selection, and often have a wide selection of free films and TV shows that come with the package.


 * In order to counter services such as DailyMotion and YouTube, distribution networks are beginning to offer TV shows and Movies streaming online with commercials and / or banner advertisements. Such services include
 * ABC.com
 * Hulu
 * SouthParkStudios.com

Encryption
Early DRM relied on encryption, using a content encoding system and then limiting access to the decoding technology. All control over future use was lost once the content was decoded, and any protection against illegal copying still relied on copyright law.

CSS
An example is the DVD Forum's Contents Scrambling System (CSS) which provided a common means of encoding for all movies on DVD. Any firm producing players or software to view the encoded movies was supposed to license the decoding system from the forum. Despite industry claims, this scheme was not designed to prevent copying &mdash; a bit-for-bit copy of a DVD would play on any player that the original would.

What it did attempt was to control usage of the DVDs. CSS includes a system of region codes such that, for example, a DVD sold in North America (region 1) will not play on a player sold in Europe (region 2).This allows the movie companies more control over their markets, for example charging higher prices in some regions or holding back DVD release for a region until after the cinema release there. There are other controls as well; for example the fast-forward control is locked out during the opening section of the disk so that a user cannot bypass the advertising or movie previews there.

Not all vendors follow the Forum's rules; there are many "region-free" DVD players on the market; see for example, this site. Also, some players that normally implement region codes can be set to ignore them, either in software or by replacing a chip; there are guides on the net for that as well. In some markets, such as China, nearly all players are region-free. In others, such as Europe, buyers tend to prefer them. One of Britain's largest retailers, Tesco found massive demand for such players and asked the movie industry to drop region codes altogether . NASA sent Sony players, modified to be region-free, to the International Space Station ; Sony were not entirely happy about this.

There is a later variant called RCE or "regional coding enhancement" intended to block play of new discs on region-free players.

DeCSS
For playing DVDs on a computer, the CSS scheme is easily bypassed using the open source decoder known as DeCSS. There was a great deal of controversy on the net and in the courts over this. There are archives of documents from both cases at Harvard and EFF. Harvard also has a FAQ document covering both legal and technical issues.
 * The Motion Picture Association of America (MPAA) took the position that DeCSS was a "circumvention device" under the US Digital Millennium Copyright Act and sued many people, including web sites who only linked to the code. These suits succeeded and court orders were issued to take down some copies of the code and links. Of course, copies are still readily available from places outside US jurisdiction.
 * The DVD Content Control Association (DVD-CCA) argued that breaking CSS involved misuse of trade secrets and sued on those grounds. These suits failed.

One issue was whether the DeCSS code qualifies as protected speech under the First Amendment of the U.S. Constitution. A earlier court ruling in the Bernstein case over export restrictions on cryptography had set a precedent that those protections sometimes apply to code. However, in the MPAA case, the judge ruled that they did not apply to DeCSS. So some code is protected, other code is not. Computer science professor David Touretzky has a Gallery of CSS Descramblers exploring where the border might lie.

CSS analysis
CSS is obviously a flawed cryptosystem. It is weak in theory &mdash; David Wagner testified in one case that he asks his Berkeley students to break it as a homework assignment &mdash; and weak in practice since DeCSS (a reasonably short, simple and fast program) defeats it completely. What went wrong?

First, CSS was designed to be weak; it used a stream cipher for the bulk data encryption, and some additional things for key management The system as a whole used only a 40-bit key, to comply with cryptography export laws of the time (mid-90s). For why a short key makes any cipher inherently weak see brute force attack. For discussion of debate about those laws see politics of cryptography. In this case, it may not have been US law that imposed bad cryptography. CSS was designed by Mitsubishi engineers and at the time, Japan also had strict export laws.

Second, CSS was designed and even standardized in secret, without a public review that might have caught various design weaknesses. In some court cases DVD-CCA even claimed its inner workings were trade secrets. This violates Kerckhoffs'_Principle; no cipher should be trusted until it is published and reviewed. See cryptography is difficult for discussion of this common problem.

For a full paper cryptanalysing CSS, see Cryptanalysis of Contents Scrambling System. It indicates that CSS did not even achieve 40-bit security, more like 25; this is so weak it can conveniently be broken on demand.

Later DVD encryption
Later DVD products such as DVD audio use a block cipher called Cryptomeria or C2. It is a Feistel cipher which uses S-boxes. It has ten rounds, 64-bit blocks, and a 56-bit key.

C2 is used in Content Protection for Recordable Media and Content Protection for Pre-Recorded Media, collectively known as CPRM/CPPM. The cipher itself has been published, but the S-boxes are secret and different for each application.

There has been some published crpytanalysis of the cipher.

Marking
This DRM approach entails the encoding of markers into the digital content that can be used for description, identification, protection, monitoring, tracking, and limiting uses of that content. Combining this approach with the technology to read the markers and abide by the markers allows for even greater control over management of digital content than the encryption approach.

It may also provide ways of tracking down copiers. For example, if a "pirate" DVD version of a film appears when the movie has only been legally released in theaters or as video-on-demand over cable, it maybe possible to find markings in the DVD version that show which theater or which cable customer provided the material.

Examples of the marking approach to DRM can be found in downloaded music from content providers such as Apple, Microsoft, RealNetworks, and Sony. A future example is the broadcast flag system which is being proposed for U.S. digital television which would allow cable networks to limit the copying or distribution of their programming.

Some marking methods hide the markings using techniques from steganography. In other cases, the markings are quite visible; for example photographs on the web often have the photographer's name or the website URL printed across them to discourage copying.

NEC have announced an advanced marking system, to be included in the MPEG 7 standard, that puts a mark on every frame of a video.

Rights Locker
The "rights locker" approach drastically changes the way in which digital content can be used. Instead of owning copies of the digital media, the consumer owns a set of rights to access the content from a central digital network using a specified range of devices. Examples of this approach include On-demand TV content and Netflix's watch instantly service where users are allowed temporary local copies while viewing the programming.

Consumer attitudes
Many people find DRM systems to be a hindrance to the use of the media they have purchased, and some consumers actively boycott companies and products that use DRM. Many consumers express a preference for material that is not 'hindered' with DRM protections. The attitude of companies that use DRM is widely perceived as "the customer is always wrong".

DRM also seems to be doing very little to stop copyright infringement: "today, infringement is more widespread than ever".

Access and Usage Concerns
Consumers have many concerns in regards to access and usage of various content due to DRM systems/restrictions. Consumer opinions are to keep the rights of the consumer from the analogue realm to be the same in the digital realm. Some rights that users are concerned about losing are their abilities to create private backup copies, excerpt, transition data from one device to another, record for future use, and editing content for personal use.

More explicitly, consumers worry about the loss of data because of restrictions on transferring from one format to another. This may force consumer into repurchasing digital data in another format, when they can easily have the capability of transitioning the format themselves. Another outside concern consumers ask is how do DRM Systems handle the expiration of copyright terms. Do DRM systems release their restrictions when the copyright term expires?

Privacy Concerns
The main user concern in regards to privacy is the ability for the DRM systems to record and transmit consumer usage of particular products and digital data. This becomes a double edged sword. Some users enjoy this feature; for instance, recommended music/videos/books appeals to some users when trying to find something new to experience. Other users complain about this claiming they are being targeted more easily by data/media providers. There are also concerns in passing private information over the internet such as credit card information to make purchases. These are difficult concerns to balance for DRM systems.

Consumers recommend the following: DRM Systems should store "no more data than necessary" and store data for "no longer than necessary". These systems should also be complex enough to inform consumers of all data that is shared about them. Consumers should have the opportunity to regulate how much the DRM system can/can't report or share.

Interoperability Concerns
Interoperability is a difficult concern to deal with because it tries to balance users being able to use their media on many machines/programs without any problems, but the industry must also worry about how to protect against the distribution to unauthorized users. Some recommendations are to allow for portability and compatibility with multiple devices, an open standard for the various devices, and no platform restrictions for consumers. Consumers should not have to re-purchase media for use on another device.

Security Concerns
There is a concern that some DRM systems will require an internet connection and opening up vulnerabilities to the consumers' computers or limit the ability of current software on their computers. This concern falls mostly with "trusted computing" which in order to work, according to consumers, "trusted computing" providers must be a certified provider and must allow the consumer to set the level of security.

Business Concerns
Consumers do not like where some of the business concepts are going such as all post purchase control, inability to share across multiple devices used by the consumer, usage tracking, and file expiration. Some other concerns are the advantages bigger companies have over smaller/medium sized companies in regards to DRM licensing costs, the price control of online products versus conventional counterparts, and technology advances that will be held back by embedded players/devices.

Legal problems
There are a number of legal issues around DRM.

Fair use
There is a basic principle of copyright law, called fair use in US law. Other legal systems have the same principle, but may use a different name. For example, copyright does not prevent quoting a work in a review or analysis, or using it in education. Nor does it prohibit a blind user from using software that will read an e-book aloud for him. However, some DRM systems block those. The principle is clear, but the border is by no means sharply delineated. Between the black of copyright infringement and the white of perfectly legal fair use, there is a large grey area. This is being narrowed down by various court rulings and sometimes altered by new legislation, but will likely never go away entirely.

That principle greatly complicates the design of DRM systems. Copyright law has exceptions for fair use; can you build those into DRM software? What do you do about the grey areas? If you ignore fair use, or just misjudge some grey areas, you will infringe on the users' legal rights; what are the market or legal consequences of that? How will your DRM system adapt to changes in the law?

Fair use arguably includes the right to time shifting, for example using a VCR to record a TV program to watch later. In one case that was fought all the way to the US Supreme Court, the court ruled that recording TV programs for home use did not violate copyright, so Sony could not be held to be contributing to copyright infringement by selling VCRs. A similar issue is space shifting, for example copying music from a record or CD to cassette tape for listening in the car or copying a DVD to videotape to watch in another room. In another case, the court ruled that the Rio, "a portable digital audio device which allows a user to download MP3 audio files from a computer and to listen to them elsewhere.", is also legal fair use. Those decisions appear to mean that it is legal fair use for users to copy music from their CDs, or movies from DVD, onto their hard drives and/or into a portable player.

However, if the DRM allows those applications, how can it prevent the users from sharing the files? If it does not allow such things, can users legally break the DRM to enforce their rights? Will they just avoid DRM-protected products?

Other issues
All copyrights expire; they are only created "for limited Times", to quote the US law. Both legal and technical questions come up when copyright on a DRM-protected work expires.

Another issue is the legal doctrine of first sale, essentially that once a company sells a product they no longer control it. Critics of DRM argue that, for example, movie companies simply do not have the right to prevent a user from fast-forwarding past advertising or buying a DVD in the US and playing it in Europe. It would be illegal to copy the DVD and give someone else the copy, but once you have bought it you have the right to use it as you please. The legal argument on the other side is basically that their copyright on the content plus the license agreements for the equipment and content give them those rights.

To the critics, DRM systems that restrict users in ways that have nothing to do with copyright law &mdash; such as not playing a region 1 disk in Europe or blocking fast-forwarding past a commercial &mdash; are best described as BAD, for Broken As Designed. There is no technical reason for such "features"; a system without them would actually be simpler. Therefore there is no reason to imagine that users ought to put up with them.

Privacy laws may be an issue if a system with DRM "phones home" to provide usage information to a vendor. What information is provided? How is it used? How is it protected? Is the user informed, or asked for permission? This becomes more complex if the information crosses international boundaries in the process.

Illegal DRM?
Some DRM may itself violate laws. For example, the "region codes" on DVDs are intended to segment the market, preventing for example a European (region 2) or Australian (region 4) customer from buying cheaper DVDs from US (region 1) vendors. Film companies insist that this is necessary, but nothing in copyright law grants them that sort of control over their market. Arguably, the whole business of region codes is a conspiracy by a cartel of film companies, violating the competition and price-fixing laws of many countries and the WTO restrictions on Technical Barriers to Trade. Such arguments appear to carry little weight; no media company has ever been prosecuted for such actions.

Similar arguments apply to DRM on video games. In at least one case the Australian Competition Commission intervened on the side of someone being sued by Sony for "chipping" a game console, arguing that region codes exist not to prevent copying but to make certain games unplayable.

The Sony rootkit
Then there was Sony's DRM "rootkit", of which the chairman of the US Federal Trade Commission said "Installations of secret software that create security risks are intrusive and unlawful". This was software on music CDs that secretly, and without asking permission, installed various things on any Windows computer that played the CD, and hid them from the user with "cloaking" techniques that are commonly used by trojan horse programs to hide their activites. The person who discovered it was testing a tool for finding rootkits; the things an attacker leaves behind after acquiring root (administrator) privileges on a system. Imagine his surprise when he found one, installed by Sony!

Sony took a great deal of media flak BBC, CNET USA Today over that. There was also a consumer class action suit, settled out of court. Bruce Schneier's analysis is interesting: "While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be." and "What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? ... This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home."

DRM that violates copyright
Media companies may be quite interested in protecting their own "intellectual property", but in some cases they may not have much respect for other people's.

Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library's license agreement.

In 2010, a German firm sued Warner Brothers, accusing them of using pirated anti-piracy technology.

"We disclosed our anti-piracy technology to Warner Bros. in 2003 at their request, under strict confidentiality, expecting to be treated fairly," the company said in a statement. "Instead, they started using our technology extensively without our permission and without any accounting to us."

Technical problems
DRM is attempting a fundamentally difficult task. Security author Bruce Schneier states of DRM: "Trying to make digital files uncopyable is like trying to make water not wet."

In particular cases, the costs may be quite high. Another well-known security expert, Peter Gutmann, wrote of Microsoft DRM efforts: "The Vista Content Protection specification could very well constitute the longest suicide note in history".

Why is this so difficult? Assume you are a totally legal user of the material protected by DRM, and all the security tests for your music, or your software, are successful. To hear the music, it has to be put into a form the speakers will reproduce. At some point between the DRM-protected recording and the speaker, the signal has to be put into a useful form. Once it is in that form, how does the DRM enforcer prevent it from being copied?

One of the great problems with encryption is hiding decrypted content. In order to hide it from user applications, DRM-enabled players decrypt content in kernel mode and check for unsigned drivers. Some DRM developers suggest using a TPM chip to ensure that the operating system is genuine and only signed drivers can be loaded. In such systems DRM drivers can control computer completely and perfectly hide the decryption process.

The problem of protecting material on a DVD or other physical storage device are simple when compared to delivering content across the Internet. Think of pay-per-view television. Even in encrypted form, it has to pass through intermediate distribution points on the Internet; the general distribution problem here is part of inter-domain multicast routing (IDMR). How do the legal users get the decryption key for the program for which they have paid, and only for that program? Can anyone along the path from content user to content buyer intercept that key and use it? If so, will the legitimate user still be able to use it? Alternatively, can the stolen key be distributed?

The ACM run an annual workshop on DRM.

DRM Implementations
Several music sellers and distributors over the years have tried a number of DRM implementations:

Apple iTunes
Apple was the first company to capitalize on the digital music market by being the first acquire music selling licenses from the big 4 record companies. Apple's Music Service, iTunes Store, has infamously used DRM since it's inception. Although their DRM is easily cracked, recently iTunes has introduced a new iTunes Plus service which offers DRM-free music, and Apple is toying with the idea of removing DRM from it's services altogether.

Rhapsody
Rhapsody, the digital music service started by RealNetworks, is one of the most popular online music services with 2.25 million paid subscribers. Rhapsody offers streaming music and DRM music downloads for a monthly subscription fee

Napster 2.0
Napster 2.0 or the Napster Pay Service, is a DRM-enabled (specically Microsoft's Playsforsure-protected) music licensing service offering unlimited licensed MP3's for a monthly fee. As of April 2007, Napster 2.0 is reported to have 830,000 subscribers. Napster also has a DRM free version of it's music store, which was opened in mid-2008

imeem
imeem is a streaming music social network. Until recently, imeem only offered music via DRM, but has recently removed DRM from it's services, reflecting an industry trend