How DRM Makes Us All Less Safe
from the you're-in-danger-thanks-to-bad-copyright-laws dept
May 6th is the official Day Against DRM. I’m a bit late writing anything about it, but I wanted to highlight this great post by Parker Higgins about an aspect of DRM that is rarely discussed: how DRM makes us less safe. We’ve talked a lot lately about how the NSA and its surveillance efforts have made us all less safe, but that’s also true for DRM.
DRM on its own is bad, but DRM backed by the force of law is even worse. Legitimate, useful, and otherwise lawful speech falls by the wayside in the name of enforcing DRM—and one area hit the hardest is security research.
Section 1201 of the Digital Millennium Copyright Act (DMCA) is the U.S. law that prohibits circumventing “technical measures,” even if the purpose of that circumvention is otherwise lawful. The law contains exceptions for encryption research and security testing, but the exceptions are narrow and don’t help researchers and testers in most real-world circumstances. It’s risky and expensive to find the limits of those safe harbors.
As a result, we’ve seen chilling effects on research about media and devices that contain DRM. Over the years, we’ve collected dozens of examples of the DMCA chilling free expression and scientific research. That makes the community less likely to identify and fix threats to our infrastructure and devices before they can be exploited.
That post also reminds us of Cory Doctorow’s powerful speech about how DRM is the first battle in the war on general computing. The point there is that, effectively, DRM is based on the faulty belief that we can take a key aspect of computing out of computing, and that, inherently weakens security as well. Part of this is the nature of DRM, in that it’s a form of weak security — in that it’s intended purpose is to stop you from doing something you might want to do. But that only serves to open up vulnerabilities (sometimes lots of them), by forcing your computer to (1) do something in secret (otherwise it wouldn’t be able to stop you) and (2) to try to stop a computer from doing basic computing. And that combination makes it quite dangerous — as we’ve seen a few times in the past.
DRM serves a business purpose for the companies who insist on it, but it does nothing valuable for the end user and, worse, it makes their computers less safe.
Comments on “How DRM Makes Us All Less Safe”
So that’s why we haven’t made any real progress since the 1990s. If only the people in charge didn’t hate any technology that isn’t a military weapon or spy device.
Re: Re:
A large chunk of that is due to the parasitic ‘patent trolls’, and the ever-so-accommodating legal system that supports them.
When start-up companies have to deal with a swarm of parasites at the first sign of success, then the number that can make it out intact and grow is going to be pretty slim.
A piece of malicious code by any other name...
The first step I’d think is to change how it’s seen and treated. DRM is completely and utterly useless at it’s stated purpose of ‘stopping piracy’, so treating it as useful(for anyone not involved in selling it anyway) is out the window. However, it can, as noted, cause problems, sometimes very serious ones(Sony rootkit anyone?).
As such, with essentially no upsides, and plenty of downsides, DRM should be seen, and treated, as what it is: malware. Crap that, if you’re lucky, ‘only’ takes up some system resources, and if you’re not so lucky, can cause you no end of headaches.
If people start treating DRM as what it is, and change their purchasing habits to reflect that(Would you intentionally buy a program infested with malware? No? Then why buy one infested with DRM?), then I imagine companies would start paying attention pretty quick, though I suppose they’d have to fight their urge to maintain as much control as possible, which is the reason they added DRM in the first place. Still, if the impact in sales were big enough, I imagine greed would win out.
Re: A piece of malicious code by any other name...
Let’s go one better – make any attempt to install intrusive Digital Restriction Mmanagement software as a violation of the laws governing hacking.
Or give any person affected by DRM the right to demand that DRM be removed from their copy of software, or their device that they own. Refusal allows the owner to sue the developer with damages equivalent to DMCA violations.
Exceptions can be put in place for commercial softwares like Photoshop etc.
Add in DMCA exceptions for non-commerical infringement/DRM stripping and call it the “Digital Millennium Consumer Rights Act”.
It’s well beyond time that the maximalists get a well-deserved taste of what they claim is medicine.
Re: Re: A piece of malicious code by any other name...
Why an exception for “commercial softwares like Photoshop etc.”?
I assume that by “commercial software” you mean business software because I’m sure EA considered there games as commercial software. Still, if DRM is bad (and it is) then it is bad on commercial software as well.
Re: Re: Re: A piece of malicious code by any other name...
Yes I know the difference between there and their. Apparently my fingers don’t.
Re: Re: A piece of malicious code by any other name...
Yes, thank you. It’s good to see someone other than me finally saying this. Though I can’t help but wonder, what “exceptions … for commercial softwares like Photoshop etc.” are you referring to, and why would they be desirable?
Re: Re: Re: A piece of malicious code by any other name...
Replying to you and WDS – I meant business software. No real reason, just thought it could still fall under “commercial” infringement.
Good point though – I shouldn’t have made the distinction. Though to be fair, would any of the maximalists on Techdirt support such a sensible law?
Re: A piece of malicious code by any other name...
http://www.consumer.ftc.gov/articles/0011-malware
From the Federal Trade Commission, the definition of malware:
“Malware is short for ?malicious software.” It includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control your online activity. Criminals use malware to steal personal information, send spam, and commit fraud.”
DRM ticks a lot of those boxes.
Re: A piece of malicious code by any other name...
You mean that people don’t already recognize that most modern forms of DRM is malware? Bizarre.
In fairness, not all forms of DRM are malware. Those old code lookups in the earlier days of gaming, dongles, damaged disks & CDs, and the like are not malware by any means. Most modern forms, however, 100% qualify.
Re: Re: A piece of malicious code by any other name...
Why not? They operate by the same principle: you are assumed to be illegitimate until you prove otherwise, to the satisfaction of the program, and if the program is mistaken, tough luck for you, you’re still locked out. IMO that’s as mal as it gets. The standard of proof should always be “innocent until proven guilty in a court of law,” and putting the decision-making in the hands of (potentially buggy) software is never legitimate. Period.
Re: Re: Re: A piece of malicious code by any other name...
Because “malware” is malicious software — meaning software that is intended to interfere with the normal operation of the computer. None of those things are that.
Re: Re: Re:2 A piece of malicious code by any other name...
The normal operation of the computer, by default, is “program/file is on the computer, because I chose to put it there. I run/open it, and it runs/opens, just like I told it to.” Anything that is designed to interfere with that normal operation, in any way, is interfering with the normal operation of my computer.
And yes, I say “because I chose to put it there” for a good reason. Sometimes you have to be pedantic so no smart-aleck comes along and says you want to have antivirus software declared as illegal malware.
Re: Re: Re:3 A piece of malicious code by any other name...
“Anything that is designed to interfere with that normal operation, in any way, is interfering with the normal operation of my computer.”
Yes, I believe that is what I said. So we agree. This is also why things like code lookups are not malware, since they aren’t software at all, let alone software designed to interfere with the operation of your computer.
Malware must be software that executes. It’s an essential part of the definition. Other forms of DRM are bad — sometimes just as bad — but are not malware.
Re: Re: Re:4 A piece of malicious code by any other name...
You must be thinking of something other than what I’m thinking of, then. What do you mean when you say “code lookups”? Because what I have in mind is the thing that certain old games used to do where, when you launch them, you have to look up the key word printed on page XYZ of the manual and input it at some sort of prompt or the program won’t start. And that is definitely software that executes, even if the code word is located somewhere other than inside the software. If it wasn’t software executing, it couldn’t lock you out of the rest of the program.
Re: A piece of malicious code by any other name...
this is why I switched to Linux and FLOSS. the lack of arbitrary install limits, activation annoyances and the like more than made up for the downsides of the move.
There’s other reasons I stuck with it, but that started me down the path
consumer protection from DRM - how much longer?
I’m still waiting for the DRM Consumer Protection Act. The law that would greatly restrict how companies can apply DRM. So rootkits and other devious hacks would be outlawed. All installations of DRM-infected software would be 100% uninstallable, and technical details provided in full. No backdoors and no forced upgrades. And of course, banning companies from ever pulling the plug on their DRM authorization servers unless they give all customers full refunds.
Of course I hate DRM as much as anyone, I actively boycott DRM-containing products whenever possible, and would like to someday see its eventual and complete demise, but I try to be realistic about it. As the continued existence of DRM is in all probability going to remain as certain as death and taxes, why not at least have legal protections against DRM’s worst abuses?
If our lawmakers had looked after the welfare of the people even a tiny fraction as much as the interests their copyright-cartel paymasters, we would have had consumer protections like that many years ago.
Re: consumer protection from DRM - how much longer?
“banning companies from ever pulling the plug on their DRM authorization servers unless they give all customers full refunds. “
Alternatively, requiring software manufacturers to issue a patch that removes the DRM when they retire a product would be acceptable.
Re: Re: consumer protection from DRM - how much longer?
No it wouldn’t, because that means it’s acceptable to put DRM on in the first place is acceptable. It isn’t, and it never will be. It has exactly the same moral status as installing a virus on my computer, and ought to have exactly the same legal status.
Re: Re: Re: consumer protection from DRM - how much longer?
Well, I agree with you in the big picture. What I meant was if we have to have DRM foisted on us, then this would mitigate some of the problems with it.
Re: Re: consumer protection from DRM - how much longer?
That doesn’t help if the company goes bankrupt (or if they’re doing the same shell games as hollywood), leaving no-one to implement or release the patch.
If you want to go down that route, they should be required to demonstrate that the patch works (and still works after each update) and then place it in some kind of third-party escrow in which, if they stop paying without establishing a new escrow, then holder is required to openly publish the patch.
Legislation is needed to properly place DRM as a tool for publishers. DRM should be an opt out from copyright as it’s use seeks to grab rights that are not part of copyright, so let’s legislate it to be an either/or scenario. Rely on copyright and have the remedies available under that legislation or use drm and give up that protection in favour of the DRM protection. I know it would be hilariously funny watching them drop DRM faster than a lighting strike because when faced with the choice; the fact that DRM doesn’t work would have to be acknowledged.
Indeed. Even if you don’t want to use it there is the framework implemented to allow it (except maybe if you are using Linux). So even if I want to opt-out I’m still vulnerable because the goddamn industry makes developers install such backdoors to their systems. See html5.
DRM has never been properly implemented or understood. No business I know understands it or even how to use, consumers are also largely ignorant when it comes to implications around DRM and content they download.
Re: Re:
“consumers are also largely ignorant when it comes to implications around DRM and content they download”
Until they want to load the movie they purchased on the kids tablet to keep them quiet on the long trip to Grandmas, but it need a special player that needs a constant connection to a sever to authorize every 15 frames.
Or their hard drive fails and like most people they don’t have a backup and oh sorry you’ve installed the game to many times.
Consumers know about DRM, they just think they can’t make it stop.
Re: Re: Re:
consumers are addicted to the commercial crap, all we need is for consumers to not buy any entertainment crap for 1 month and the industry would change
More and more companies will no doubt move towards hosting everything on their own servers and therefore can make users believe they are not using DRM and charge for the liberty of using their servers.
A lot of applications and games don’t actually need to be on a server, it just gives companies more control and users less control over products they are using.
Hardware
DRM has become a technique to create a cartel/monopoly in the hardware market. It doesn’t prevent copyright infringement (except the technical/casual kind which probably shouldn’t be stopped anyway). Witness the availability of Torrents of just about anything.
However by mandating its use in hardware devices – and creating private standards bodies with a high cost of entry the incumbent players have locked out future competiton from start ups – especially software based ones where the cost of entry would otherwise have been low.
“It doesn’t prevent copyright infringement (except the technical/casual kind which probably shouldn’t be stopped anyway)”
But doesn’t it by the casual user? I am not a computer guy by any means but as much as a pain it is I would love to hear the alternative. What are the options to protect investment? If company (A) has invested $$ into creating a program/product and wants to sell it to make back its investment, to say they shouldn’t use some form of DRM seems unrealistic.
Re: Re:
“to say they shouldn’t use some form of DRM seems unrealistic.”
I disagree 100%. I’ve produced a lot of software over the decades, most of which has been widely pirated, and I’ve never used DRM. I’ve also made a lot of money doing so — well beyond simply recouping my investment.
DRM is not an attempt to protect an investment, it’s an attempt to squeeze every possible nickel out of something at the cost of reducing the usefulness of the software and with the side affect of abusing your customers.
It’s a weak move for a whole ton of reason beyond that. Not only does it make a product worse, but it is well up on the curve of diminished returns. People who pirate, casually or otherwise, are unlikely to fork over cash regardless of whether or not DRM is effective. The people who casually pirate but are willing to pay you will end up paying you anyway if they find your product useful.
DRM is idiotic and expresses contempt for the very people who want to pay you money.
Re: Re:
When your DRM goes wrong, it will only affect those who paid you for your product. They will not be sympathetic, they will feel ripped off and declare your entire product a failure, not just the part that failed.
You are adding a vector for problems for paying customers as well as yourself and your company, a problem that will affect your reputation and bottom line far worse than any pirate.
Re: Re: Re:
Hell, this is all true even if the DRM never goes wrong.