No Safe Harbor: The DRM Sausage Factory

From United States Pirate Party
Revision as of 02:19, 31 October 2012 by Sacha (talk | contribs) (Created page with "CORY DOCTOROW Otto von Bismarck quipped, "Laws are like sausages, it is better not to see them being made." I've seen sausages made. I've seen laws made. Both pale in compar...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

CORY DOCTOROW


Otto von Bismarck quipped, "Laws are like sausages, it is better not to see them being made." I've seen sausages made. I've seen laws made. Both pale in comparison to the process by which anti-copying technology agreements are made.

This technology, usually called "Digital Rights Management" (DRM) proposes to make your computer worse at copying some of the files on its hard-drive or on other media. Since all computer operations involve copying, this is a daunting task -- as security expert Bruce Schneier has said, "Making bits harder to copy is like making water that's less wet."

At root, DRMs are technologies that treat the owner of a computer or other device as an attacker, someone against whom the system must be armored. Like the electrical meter on the side of your house, a DRM is a technology that you possess, but that you are never supposed to be able to manipulate or modify. Unlike your meter, though, a DRM that is defeated in one place is defeated in all places, nearly simultaneously. That is to say, once someone takes the DRM off a song or movie or ebook, that freed collection of bits can be sent to anyone else, anywhere the network reaches, in an eyeblink. DRM crackers need cunning: those who receive the fruits of their labor need only know how to download files from the Internet.

Why manufacture a device that attacks its owner? A priori, one would assume that such a device would cost more to make than a friendlier one, and that customers would prefer not to buy devices that treat them as presumptive criminals. DRM technologies limit more than copying: they limit ranges of uses, such as viewing a movie in a different country, copying a song to a different manufacturer's player, or even pausing a movie for too long. Surely, this stuff hurts sales: who goes into a store and asks, "Do you have any music that's locked to just one company's player? I'm in the market for some lock-in."

So why do manufacturers do it? As with many strange behaviors, there's a carrot at play here, and a stick.

The carrot is the entertainment industries' promise of access to their copyrighted works. Add DRM to your iPhone and we'll supply music for it. Add DRM to your TiVo and we'll let you plug it into our satellite receivers. Add DRM to your Zune and we'll let you retail our music in your Zune store.

The stick is the entertainment industries' threat of lawsuits for companies that don't comply. In the last century, entertainment companies fought over the creation of records, radios, jukeboxes, cable TV, VCRs, MP3 players and other technologies that made it possible to experience a copyrighted work in a new way without permission. There's one battle that serves as the archetype for the rest: the fight over the VCR.

The film studios were outraged by Sony's creation of the VCR. They had found a DRM supplier they preferred, a company called Discovision that made non-recordable optical discs. Discovision was the only company authorized to play back movies in your living room. The only way to get a copyrighted work onto a VCR cassette was to record it off the TV, without permission. The studios argued that Sony -- whose Betamax was the canary in this legal coalmine -- was breaking the law by unjustly endangering their revenue from Discovision royalties. Sure, they could just sell pre-recorded Betamax tapes, but Betamax was a read-write medium: they could be copied. Moreover, your personal library of Betamax recordings of the Sunday night movie would eat into the market for Discovision discs: why would anyone buy a pre-recorded video cassette when they could amass all the video they needed with a home recorder and a set of rabbit-ears?

The Supreme Court threw out these arguments in a 1984 5-4 decision, the "Betamax Decision." This decision held that the VCR was legal because it was "capable of sustaining a substantially non-infringing use." That means that if you make a technology that your customers can use legally, you're not on the hook for the illegal stuff they do.

This principle guided the creation of virtually every piece of IT invented since: the Web, search engines, YouTube, Blogger, Skype, ICQ, AOL, MySpace... You name it, if it's possible to violate copyright with it, the thing that made it possible is the Betamax principle.

Unfortunately, the Supremes shot the Betamax principle in the gut two years ago [ed: 2005], with the Grokster decision. This decision says that a company can be found liable for its customers' bad acts if they can be shown to have "induced" copyright infringement. So, if your company advertises your product for an infringing use, or if it can be shown that you had infringement in mind at the design stage, you can be found liable for your customers' copying. The studios and record labels and broadcasters love this ruling, and they like to think that it's even broader than what the courts set out. For example, Viacom is suing Google for inducing copyright infringement by allowing YouTube users to flag some of their videos as private. Private videos can't be found by Viacom's copyright-enforcement bots, so Viacom says that privacy should be illegal, and that companies that give you the option of privacy should be sued for anything you do behind closed doors.

The gutshot Betamax doctrine will bleed out all over the industry for decades (or until the courts or Congress restore it to health), providing a grisly reminder of what happens to companies that try to pour the entertainment companies' old wine into new digital bottles without permission. The tape-recorder was legal, but the digital tape-recorder is an inducement to infringement, and must be stopped.

The promise of access to content and the threat of legal execution for non-compliance is enough to lure technology's biggest players to the DRM table.

I started attending DRM meetings in March, 2002, on behalf of my former employers, the Electronic Frontier Foundation. My first meeting was the one where Broadcast Flag was born. The Broadcast Flag was weird even by DRM standards. Broadcasters are required, by law, to deliver TV and radio without DRM, so that any standards-compliant receiver can receive them. The airwaves belong to the public, and are loaned to broadcasters who have to promise to serve the public interest in exchange. But the MPAA and the broadcasters wanted to add DRM to digital TV, and so they proposed that a law should be passed that would make all manufacturers promise to pretend that there was DRM on broadcast signals, receiving them and immediately squirreling them away in encrypted form.

The Broadcast Flag was hammered out in a group called the Broadcast Protection Discussion Group (BPDG) a sub-group from the MPAA's "Content Protection Technology Working Group," which also included reps from all the big IT companies (Microsoft, Apple, Intel, and so on), consumer electronics companies (Panasonic, Philips, Zenith), cable companies, satellite companies, and anyone else who wanted to pay $100 to attend the "public" meetings, held every six weeks or so (you can attend these meetings yourself if you find yourself near LAX on one of the upcoming dates).

CPTWG (pronounced Cee-Pee-Twig) is a venerable presence in the DRM world. It was at CPTWG that the DRM for DVDs was hammered out. CPTWG meetings open with a "benediction," delivered by a lawyer, who reminds everyone there that what they say might be quoted "on the front page of the New York Times," (though journalists are barred from attending CPTWG meetings and no minutes are published by the organization) and reminding all present not to do anything that would raise eyebrows at the FTC's anti-trust division (I could swear I've seen the Microsoft people giggling during this part, though that may have been my imagination).

The first part of the meeting is usually taken up with administrative business and presentations from DRM vendors, who come out to promise that this time they've really, really figured out how to make computers worse at copying. The real meat comes after the lunch, when the group splits into a series of smaller meetings, many of them closed-door and private (the representatives of the organizations responsible for managing DRM on DVDs splinter off at this point).

Then comes the working group meetings, like the BPDG. The BPDG was nominally set up to set up the rules for the Broadcast Flag. Under the Flag, manufacturers would be required to limit their "outputs and recording methods" to a set of "approved technologies." Naturally, every manufacturer in the room showed up with a technology to add to the list of approved technologies -- and the sneakier ones showed up with reasons why their competitors' technologies shouldn't be approved. If the Broadcast Flag became law, a spot on the "approved technologies" list would be a license to print money: everyone who built a next-gen digital TV would be required, by law, to buy only approved technologies for their gear.

The CPTWG determined that there would be three "chairmen" of the meetings: A representative from the broadcasters, a representative from the studios, and a representative from the IT industry (note that no "consumer rights" chair was contemplated -- we proposed one and got laughed off the agenda). The IT chair was filled by an Intel representative, who seemed pleased that the MPAA chair, Fox Studios' Andy Setos, began the process by proposing that the approved technologies should include only two technologies, both of which Intel partially owned.

Intel's presence on the committee was both reassurance and threat: reassurance because Intel signaled the fundamental reasonableness of the MPAA's requirements -- why would a company with a bigger turnover than the whole movie industry show up if the negotiations weren't worth having? Threat because Intel was poised to gain an advantage that might be denied to its competitors.

We settled in for a long negotiation. The discussions were drawn out and heated. At regular intervals, the MPAA reps told us that we were wasting time -- if we didn't hurry things along, the world would move on and consumers would grow accustomed to un-crippled digital TVs. Moreover, Rep Billy Tauzin, the lawmaker who'd evidently promised to enact the Broadcast Flag into law, was growing impatient. The warnings were delivered in quackspeak, urgent and crackling, whenever the discussions dragged, like the crack of the commissars' pistols, urging us forward.

You'd think that a "technology working group" would concern itself with technology, but there was precious little discussion of bits and bytes, ciphers and keys. Instead, we focused on what amounted to contractual terms: If your technology got approved as a DTV "output," what obligations would you have to assume? If a TiVo could serve as an "output" for a receiver, what outputs would the TiVo be allowed to have?

The longer we sat there, the more snarled these contractual terms became: Winning a coveted spot on the "approved technology" list would be quite a burden! Once you were in the club, there were all sorts of rules about whom you could associate with, how you had to comport yourself and so on.

One of these rules of conduct was "robustness." As a condition of approval, manufacturers would have to harden their technologies so that their customers wouldn't be able to modify, improve upon, or even understand their workings. As you might imagine, the people who made open source TV tuners were not thrilled about this, as "open source" and "non-user-modifiable" are polar opposites.

Another was "renewability:" the ability of the studios to revoke outputs that had been compromised in the field. The studios expected the manufacturers to make products with remote "kill switches" that could be used to shut down part or all of their device if someone, somewhere had figured out how to do something naughty with it. They promised that we'd establish criteria for renewability later, and that it would all be "fair."

But we soldiered on. The MPAA had a gift for resolving the worst snarls: When shouting failed, they'd lead any recalcitrant player out of the room and negotiate in secret with them, leaving the rest of us to cool our heels. Once, they took the Microsoft team out of the room for six hours, then came back and announced that digital video would be allowed to output on non-DRM monitors at a greatly reduced resolution (this "feature" appears in Vista as "fuzzing").

The further we went, the more nervous everyone became. We were headed for the real meat of the negotiations: The criteria by which approved technology would be evaluated: How many bits of crypto would you need? Which ciphers would be permissible? Which features would and wouldn't be allowed?

Then the MPAA dropped the other shoe: The sole criteria for inclusion on the list would be the approval of one of its member-companies, or a quorum of broadcasters. In other words, the Broadcast Flag wouldn't be an "objective standard," describing the technical means by which video would be locked away -- it would be purely subjective, up to the whim of the studios. You could have the best product in the world, and they wouldn't approve it if your business-development guys hadn't bought enough drinks for their business-development guys at a CES party.

To add insult to injury, the only technologies that the MPAA were willing to consider for initial inclusion as "approved" were the two that Intel was involved with. The Intel co-chairman had a hard time hiding his grin. He'd acted as Judas goat, luring in Apple, Microsoft, and the rest, to legitimize a process that would force them to license Intel's patents for every TV technology they shipped until the end of time.

Why did the MPAA give Intel such a sweetheart deal? At the time, I figured that this was just straight quid pro quo, like Hannibal said to Clarice. But over the years, I started to see a larger pattern: Hollywood likes DRM consortia, and they hate individual DRM vendors. (I've written an entire article about this, but here's the gist: A single vendor who succeeds can name their price and terms -- think of Apple or Macrovision -- while a consortium is a more easily divided rabble, susceptible to co-option in order to produce ever-worsening technologies -- think of Blu-Ray and HD-DVD). Intel's technologies were held through two consortia, the 5C and 4C groups.

The single-vendor manufacturers were livid at being locked out of the digital TV market. The final report of the consortium reflected this -- a few sheets written by the chairmen describing the "consensus" and hundreds of pages of angry invective from manufacturers and consumer groups decrying it as a sham.

Tauzin washed his hands of the process: A canny, sleazy Hill operator, he had the political instincts to get his name off any proposal that could be shown to be a plot to break voters' televisions (Tauzin found a better industry to shill for, the pharmaceutical firms, who rewarded him with a $2,000,000/year job as chief of PHARMA, the pharmaceutical lobby).

Even Representative Ernest "Fritz" Hollings (“The Senator from Disney,” who once proposed a bill requiring entertainment industry oversight of all technologies capable of copying) backed away from proposing a bill that would turn the Broadcast Flag into law. Instead, Hollings sent a memo to Michael Powell, then-head of the FCC, telling him that the FCC already had jurisdiction to enact a Broadcast Flag regulation, without Congressional oversight.

Powell's staff put Hollings' letter online, as they are required to do by federal sunshine laws. The memo arrived as a Microsoft Word file -- which EFF then downloaded and analyzed. Word stashes the identity of a document's author in the file metadata, which is how EFF discovered that the document had been written by a staffer at the MPAA.

This was truly remarkable. Hollings was a powerful committee chairman, one who had taken immense sums of money from the industries he was supposed to be regulating. It's easy to be cynical about this kind of thing, but it's genuinely unforgivable: Politicians draw a public salary to sit in public office and work for the public good. They're supposed to be working for us, not their donors.

But we all know that this isn't true. Politicians are happy to give special favors to their pals in industry. However, the Hollings memo was beyond the pale. Staffers for the MPAA were writing Hollings' memos, memos that Hollings then signed and mailed off to the heads of major governmental agencies.

The best part was that the legal eagles at the MPAA were wrong. The FCC took "Hollings'" advice and enacted a Broadcast Flag regulation that was almost identical to the proposal from the BPDG, turning themselves into America's "device czars," able to burden any digital technology with "robustness," "compliance," and "revocation rules." The rule lasted just long enough for the DC Circuit Court of Appeals to strike it down and slap the FCC for grabbing unprecedented jurisdiction over the devices in our living rooms.

So ended the saga of the Broadcast Flag. More or less. In the years since the Flag was proposed, there have been several attempts to reintroduce it through legislation, all failed. And as more and more innovative, open devices like the Neuros OSD enter the market, it gets harder and harder to imagine that Americans will accept a mandate that takes away all that functionality.

But the spirit of the Broadcast Flag lives on. DRM consortia are all the rage now -- outfits like AACS LA, the folks who control the DRM in Blu-Ray and HD-DVD, are thriving and making headlines by issuing fatwas against people who publish their secret integers. In Europe, a DRM consortium working under the auspices of the Digital Video Broadcasters Forum (DVB) has just shipped a proposed standard for digital TV DRM that makes the Broadcast Flag look like the work of patchouli-scented infohippies. The DVB proposal would give DRM consortium the ability to define what is and isn't a valid "household" for the purposes of sharing your video within your "household's devices." It limits how long you're allowed to pause a video for, and allows for restrictions to be put in place for hundreds of years, longer than any copyright system in the world would protect any work for.

If all this stuff seems a little sneaky, underhanded, and even illegal to you, you're not alone. When representatives of nearly all the world's entertainment, technology, broadcast, satellite, and cable companies gather in a room to collude to cripple their offerings, limit their innovation, and restrict the market, regulators take notice.

That's why the EU is taking a hard look at HD-DVD and Blu-Ray. These systems aren't designed: They're governed, and the governors are shadowy group of offshore giants who answer to no one -- not even their own members! I once called the DVD-Copy Control Association (DVD-CCA) on behalf of a Time-Warner magazine, Popular Science, for a comment about their DRM. Not only wouldn't they allow me to speak to a spokesman, the person who denied my request also refused to be identified.

The sausage factory grinds away, but today, more activists than ever are finding ways to participate in the negotiations, slowing them up, making them account for themselves to the public. And so long as you, the technology-buying public, pay attention to what's going on, the activists will continue to hold back the tide. $$$$ ORIGINALLY PUBLISHED AS "A BEHIND-THE-SCENES LOOK AT HOW DRM BECOMES LAW," INFORMATIONWEEK, JULY 11, 2007