Lala Invents Network DRM

An anonymous reader writes in with a CNet story about the record label-backed music company Lala, which claims to have invented "Network DRM." Lala has filed for a patent on moving DRM from a file wrapper, like Windows Media and FairPlay, to the server. Digital music veteran Michael Robertson has quotes from the patent application on his blog. (Here is the application.) Lala describes an invention that monitors every access, allows only authorized devices (so far there are none), blocks downloads, and can revoke content at the labels' request.

I've thought about this at length.

[Rene+S.+Hollan]

The basic idea is that content is encrypted with a per-user public key, where the private key is held ("securely", for some definition of "securely") in display and playback devices that the user owns. When a private key is issued to a user, it is delivered in a secure (again, for some definition of "secure" key store, from which a limited number of copies can be imported to "authorized" (using some PKI mechanism) display and playback devices.

This has the benefit that content can (a) be copied for backup and archival purposes, (b) played on a "reasonable" number of devices a user owns, (c) played on other devices via temporary "secure" key export and import functions (so you can watch your movies at your friend's house, but not on your TV at the same time, unless on an "extra" TV -- within the limits of key copies), (d) lent to a small number of friends to access your library, and (e) allow anyone to make content for your display and playback devices (remember, the encryption key is public).

This is not rocket science, and to "someone practiced in the art" of PKI, strikes me as sufficiently obvious as to invalidate any patent claims.

It suffers from two problems:

First, the concept of someone having possession of a decryption key and not access to it are at odds. Like I said, "for some definition of 'secure'" Tamper-proof crypto chips are not cheap. Of course, the cost of extracting a key to allow access to one person's licensed media probably makes it sufficiently impractical: if media are watermarked as well as encrypted on a per-licencee basis, tracking back to who's key was used to crack some content would be easy, as well as an individual who licenses excessive amounts of content (to crack, and illegally redistribute in plain form, or encrypted with others' public keys).

Second, and more troubling, is that it does not allow for arguably fair uses: mashup videos, for example, because one can't extract some of the content, and how much could be extracted as a fair use would depend on the use. Some arguably legal fair uses could be prevented, and others abused by a group of indivuduals to reproduce the whole from the sum of arbitrarily small parts.

The issue of what happens when one loses a device holding private keys to one's media also deserves consideration. Of course, content providers could form a consortium that provide key escrow services so that lost keys could be recovered.

Re:Revoke content?

[orclevegam]

It's annoying to do so, but with iTunes you can burn to CDs which removes any DRM imposed by the store. As for Steam, you can make a backup copy on a DVD (or other media), but I'm not sure if you still need Steam running in order to install/play the games. I know you can mark a game for offline play after it's been installed and authenticated, but I still think you have to have Steam itself running and perform the initial authentication on a new machine, so your point on Steam still stands.

Re:Claim 7 Has Your Number

[theworldgoesaway]

This really isn't at all accurate. It doesn't do *anything* to your local content. It uploads a list/files for your music to a central server, which you can then stream (but not download) through their (quite nice) web-based media player. It's basically a way to access your music away from home. I use it all day long at the office to listen to music - and I can get my whole collection (not just what fits on my iPhone) and I don't need to set up Orb or something like that. Again, it does NOTHING to your local music.

In addition to that, they will sell you streaming-only songs (available through the same web player) for 10c a pop. No, you can't download them, etc, but they're 10c. So I can check out an album I like for $1, and if I decide to get the mp3 version (no DRM), they sell that for a standard price and apply the 10c you already paid to the price.

Really, there's NOTHING sinister going on here. It's actually a really great service. I have no affiliation with them, but I'm a very pleased customer. I listen to music via Lala all day at work, and I buy a lot of music for streaming through them. It's an excellent, well-designed store and media platform. I lose no control over my own media, and I'm happy to pay an extremely discounted rate for *access* to other music, with the option to pay for DRM-free MP3s. It's a valuable service, and I lose no control whatsoever. I do wish they'd give me the option to re-download music I'd uploaded (so it could serve as a backup, not just an alternative form of access), but I imagine that's as much a bandwidth issue as anything else.

In short, this is a highly misleading and biased article. There's nothing sneaky or underhanded going on here, this is Michael Robertson bashing a competitor who has a far superior and really quite excellent product.

Safety, published late 1990s, can do this

The program "Safety" published by Glenn Everhart back in the mid to late 1990s (first implementation was done by 1993), published with full source code, supports access controls based on what software is used to access files, who is accessing, where they access from, and a variety of other things. If the file protected is some video and the access is a streaming-sending program, access can be different from access granted to some player and so on. This all runs on VMS, but does the kind of access control described if you want it to. Since it was published long ago, with complete sources and documents, the code to do this and the notion of discriminating in access control this way can hardly be called novel. Also the Safety program allowed a non-permitted access to be given access to something else; in this kind of case the something else might be an advertising video or trailer. But the technology has been in the public domain now for over a dozen years.

Re:Finally!

[zenslug]

As a Lala employee, I recommend you try the site out. Michael Robertson likes to mischaracterize our product because his competing product isn't doing too well. This network DRM thing is what it is, but basically it means that we don't make it easy to just download the mp3 that gets streamed. If it weren't called DRM you wouldn't thing of it that way. You'd probably just think of it as trying to prevent leechers. We sell mp3s, and those are just plain mp3s, nothing special, no DRM. It's just the streaming part of it where we put in some safeguards. We know (and the labels, too) that people who don't want to pay for music won't pay. But it's a snap to build a tool that will let you grab any stream. The point, again, is to make it annoying enough to try to grab the stream that it isn't worth trying to get it from us.

Re:Finally!

[hob42]

Uh... The service creates an index of all your music files and lets you stream that list of music for free. Then, you can pay $0.10/song to add songs you don't own into the playlist. That's the DRM part - you are restricted from saving the streaming-only songs to your PC or PMP.

Or you can "buy" and download DRM-free MP3s for a couple bucks, like an ordinary music store.

Where's the cumbersome and painful part again?

Re:Claim 7 Has Your Number

[Binestar]

The parent poster has a lower UID than you do.

Re:Lala - Hilarious Clowns

[zenslug]

As an employee of Lala I can tell you that we're definitely not evil. At least I don't think so.

Yes, we have a scanner. Downloading it and running it is completely optional. The only thing we do with it is to grant access to allow you to stream the music you already own. It's not a conspiracy, seriously. It ties in directly to the concept of putting your music collection online. If we can get people to use Lala like some people use iTunes (which requires all your music to have people use it regularly), then we'll have more opportunities to sell them DRM-free mp3s.

But we also have a 10-cent price-point for unlimited streaming of a song. You pay 10 cents and you can then stream that song on the website as much as you want. It goes into your online collection. That is there to help us cover our licensing costs that we pay to the labels. Will it work? Some people like it. Are they fools to buy it? Depends on your perspective, but there is always the risk that Lala goes out of business, sure.

So you combine the 10-cent "web song" which lives in your online collection with the music you already own (we don't care where you got the files), and now there is only one place to go to access your music, and that is Lala. That's the concept, at least.

Yeah, we got investment from a music label. They are not a controlling interest, and they have never approached us with any evil demand for info on what people upload. They agreed to this feature (after having sued others over the same concept years earlier) because they have learned lessons of the past. They have a long way to go, though. They're slowing learning.