Designing a More User-Friendly DRM

onethumb writes: "As one of the core engineers on MightyWords' (now-defunct) DRM for digital documents, I was impressed by Dmitry Skylarov's great analysis of our work the other day. Planet eBook is now running my reply as their feature article explaining our design goals and decisions for our decidedly user-friendly DRM solution."

Naive or DMCA dependant?

[autopr0n]

An analogy we used often during development was that of car door locks. A determined thief would be able to get into any car door through numerous means. All car door locks really do is prevent your average everyday person from violating your car's security and stealing your sunglasses. But it doesn't get in the way of your use of the car.

I'm not exactly sure what you were going for here. I mean sure, a determined car thief might be able to steal the car in the real world, but they can't create a simple, easy to use tool to do so and distribute it to every single person in the world (who could possibly be interested in cars).

They also can't distribute the stolen car to every single person who could want a car on earth either.

But they can do those things with e-books. Were you guys just a victim of your own analogy, or were you hoping on the DMCA to keep people from distributing cracking tools?

Security is never free

[Russ+Nelson]

The whole point behind DRM is to restrict copying. That is, the specific intention is to make some uses of the information completely impossible. There is No Way to make this completely transparent. Security is never free. So, really, it's an oxymoron to call any DRM "user-friendly". DRM is inherently user-unfriendly, because it exists to prevent the user from doing some things.
-russ

Great but broken analogy

[MarkusQ]

An analogy we used often during development was that of car door locks. A determined thief would be able to get into any car door through numerous means. All car door locks really do is prevent your average everyday person from violating your car's security and stealing your sunglasses. But it doesn't get in the way of your use of the car.

I love the analogy he uses, but there's a major flaw in it. On the car-door-lock side you have the owner, the car, the lock, and the thief. On the digital rights management side you have the copyright holder, the document, the DRM, and the consumer. It's easy to see that the car owner maps to the copyright holder, the document maps to the car, and the DRM maps to the lock.

So, who's the thief? When selling this technology to their customers (the copyright holders) the thief doubtlessly maps to the consumers, or at least some subset of them.

But when describing it to consumers, there is a tendency for the consumer to project themselves onto the car-owner (making, I suppose, the copyright holder map to the manufacturer), especially since it is their ease-of-use that's being considered. "After all," most consumers would think "I'm not a thief." This leaves them with the totaly false impression that they are somehow the ones being protected.

So it may not be perfect as an analogy, but it is fantastic> as a sales pitch.

-- MarkusQ

Re:Great but broken analogy

[Stiletto]

A better analogie is: People don't normally steal a pack of gum, since it is pretty cheap and easy to just walk into the store and buy one.

Today's DRM gum would make you have to sign license documents when buying the gum, agree to pay royalties on the gum if you resell it, and a device physically attached to the gum that reports back to the store every time a piece is removed to chew.

It's a pain in the butt, thwarts customers, and in the end it's easier to steal than buy.

Sklyarov has a point

[JanneM]

One way to handle this better would be to not restrict copying at all; instead, embed the identity of the original buyer into the content. Note that that does _not_ require the company or anybody else to register who bought the book, movie or whatever, just that the buyer can be identified from the content itself.

As long as you only do whatever you are allowed to do with your content anyway (quote it, show excerpts, give copies to friends), nobody will care - and are not _able_ to care. If it finds its way out on file-sharing places, it can be picked up, and the original buyer can be contacted.

Now the original buyer might well not be the one streading the content, but he or she could give information about who else had access to it, and thus the content holders could track down whoever did the deed. Even if there is no legal way to force the buyer to reveal anything (and I don't think there is), the possibility of being implicated in a mess like this is enough for the majority of people to stay away from spreading stuff beyond what they're allowed to.

And that's exactly what this _should be about (and what the car analogy is about as well): people determined to break the law by selling counterfeit copies (or that have an overriding political urge to spread others' content far and wide) will find ways to do so, just like no 'real' car thief is stopped by locks and alarms (even alarms only work because not every car has them; it's easier to steal a car without it).

What you want to stop is incidental spreading, by people that should know better. By having onerous protection systems that force people to break them just to use the content in ways they have a right to do - and expect to be able to - the barrier is gone to then just spread it as far and wide as they want. By locking down too tight, the providers actually increase the amount of copyright violations. It's like warning lights for seatbelts. Some people got so tired of hearing that buzzer whenever they put their briefcase on the passenger seat, they clicked the seatbelt permanently in place - and prevented it from being used when there _was _ a passenger in the car.

/Janne

Most telling statement.

[Rogerborg]

• Legitimate users were able to get authorization as many times as necessary (before company closure on January 12, 2002). Now MightyWords does not perform authorization anymore, so it would seem that legitimate users of MightyWords eMatter are now out of luck, unless they have access to a "backdoor" to restore access to the purchased titles.

MightyWords is due kudos for implementing a system that was easier to use then to crack, but their withdrawal from the market highlights the fundamental flaw in any DRM system.

The best analogy I've come up with for DRM content (any DRM including DVD) is that the content is in a safe with a little window in the side. Both the safe and the window have combination locks on them. If you have the right window code, you (personally) can peer through the window and view the content in a limited way. eMatter has a pretty big window, but you still have to go to them to get the combination. When the copyright on the content expires, or if you want to make fair use copies of parts of it, you are allowed to open the safe, take out the content, and manipulate it directly.

Only, you aren't. When the inevitable happens and the code holder goes titsup, you are boned. Specifically, if you want to make use of the content in any way - even perfectly legal uses - you are absolutely required to break the law.

As we've seen in the DeCSS case, the DMCA trumps fair use. You're still allowed to use fair use as a post facto defence for the act of copying the content, but not as a pre facto justification for obtaining the tools that let you do it. In other words, obtaining or possessing a safe cracking kit is illegal regardless of the use you put it to. Cracking the safe is actually legal, but obtaining (or creating) the tool to do it is not. Astonishing, but that's exactly what the DMCA says.

The SSSCA will just make this worse, as it will mandate hardware that will only look through the little window. Even if you break the law to obtain tools to open the safe and get at the content (quite legally if the copyright is expired), you won't (legally) be able to obtain hardware that will touch that content.

Again, eMatter is one of the best attempts at DRM I've seen, but it still demonstrates how fundamentally flawed DRM is, because it requires you to prove your innocence while giving no guarantees that you will be able to continue to do so. It illustrates the vital distinction that you are not buying content, you are licensing a limited and revokable right to access content. There's a big difference, both in theory, and as the collapse of MightyWords now shows, in practice.

DRM A Broken Approach to An Already Solved Problem

[FreeUser]

The software industry confronted the unpleasant reality that their product could be perfectly copied, against their will and in violation of their copyright, without limit. Naturally, the software industry feared the potential loss of revinues.

The industry tried copy protection, and even before the recent mathematical proof proving that secure copy protection, or DRM, was impossible the industry learned from its own experience that copy restrictive technologies were both ineffective in stopping copyright violation, and harmful to their legitimate customers and, therefor, to their product.

The industry learned, however, that even a modicum of personal accountability suffices to stop most forms of copyright violation, and that nothing short of a depopulated world will ever stop it all. The solution was quite simple: serialize the product and/or stamp the user's identity onto each piece of software sold. We don't know if there is a mechanism in place to trace serial number N of product P to the credit card number used to purchase it, and hence to the purchaser, but we as consumers do know it is certainly possible, and that alone makes the vast majority of people reluctant to share software illegally, even with their close friends.

Not everyone, mind you, as warez sites obviously demonstrate, but the vast majority. So much so that the software industry thrives, despite a complete lack of copy restriction technologies, or DRM, whatsoever, and despite a much greater vulnerability to such copying than eBooks, music, or film will ever be. Software has no equivelent alternative revinue streams like live concerts or cinemas, yet it has learned to thrive and prosper in an environment that copyright-obsessed yet technology-naive control freaks, like the sort currently lobbying congress to gut, even outlaw, technologies fundamental to the internet and personal computing, would assume to be inimical.

The problem of copyright violation and the "threat" the ability to make unlimited, perfect copies of a product has already been confronted, addressed, and successfully solved by the software industry, without DRM, without laws like the SSSCA, and finally without, and prior to, the DMCA.

eBook authors, musicians, and movie producers need to learn this, and need to seriously look at the motives their publishers, recording companies, and studios have for persuing technological restrictions on a problem for which an elegant social and legal solution stressing personal accountability have already solved. That motive, of course, is to secure their parasitical place as dominant middleman, with power over both the artists and their fans, at the expense of both and at the expense of the art they have usurped "ownership" over.