How DRM Makes Us All Less Safe

from the you're-in-danger-thanks-to-bad-copyright-laws dept

May 6th is the official Day Against DRM. I'm a bit late writing anything about it, but I wanted to highlight this great post by Parker Higgins about an aspect of DRM that is rarely discussed: how DRM makes us less safe. We've talked a lot lately about how the NSA and its surveillance efforts have made us all less safe, but that's also true for DRM.

DRM on its own is bad, but DRM backed by the force of law is even worse. Legitimate, useful, and otherwise lawful speech falls by the wayside in the name of enforcing DRM—and one area hit the hardest is security research.

Section 1201 of the Digital Millennium Copyright Act (DMCA) is the U.S. law that prohibits circumventing "technical measures," even if the purpose of that circumvention is otherwise lawful. The law contains exceptions for encryption research and security testing, but the exceptions are narrow and don’t help researchers and testers in most real-world circumstances. It's risky and expensive to find the limits of those safe harbors.

As a result, we've seen chilling effects on research about media and devices that contain DRM. Over the years, we've collected dozens of examples of the DMCA chilling free expression and scientific research. That makes the community less likely to identify and fix threats to our infrastructure and devices before they can be exploited.

That post also reminds us of Cory Doctorow's powerful speech about how DRM is the first battle in the war on general computing. The point there is that, effectively, DRM is based on the faulty belief that we can take a key aspect of computing out of computing, and that, inherently weakens security as well. Part of this is the nature of DRM, in that it's a form of weak security -- in that it's intended purpose is to stop you from doing something you might want to do. But that only serves to open up vulnerabilities (sometimes lots of them), by forcing your computer to (1) do something in secret (otherwise it wouldn't be able to stop you) and (2) to try to stop a computer from doing basic computing. And that combination makes it quite dangerous -- as we've seen a few times in the past.

DRM serves a business purpose for the companies who insist on it, but it does nothing valuable for the end user and, worse, it makes their computers less safe.

Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Anonymous Coward, May 6th, 2014 @ 8:57pm

    So that's why we haven't made any real progress since the 1990s. If only the people in charge didn't hate any technology that isn't a military weapon or spy device.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      That One Guy (profile), May 6th, 2014 @ 9:05pm

      Re:

      A large chunk of that is due to the parasitic 'patent trolls', and the ever-so-accommodating legal system that supports them.

      When start-up companies have to deal with a swarm of parasites at the first sign of success, then the number that can make it out intact and grow is going to be pretty slim.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    That One Guy (profile), May 6th, 2014 @ 9:02pm

    A piece of malicious code by any other name...

    The first step I'd think is to change how it's seen and treated. DRM is completely and utterly useless at it's stated purpose of 'stopping piracy', so treating it as useful(for anyone not involved in selling it anyway) is out the window. However, it can, as noted, cause problems, sometimes very serious ones(Sony rootkit anyone?).

    As such, with essentially no upsides, and plenty of downsides, DRM should be seen, and treated, as what it is: malware. Crap that, if you're lucky, 'only' takes up some system resources, and if you're not so lucky, can cause you no end of headaches.

    If people start treating DRM as what it is, and change their purchasing habits to reflect that(Would you intentionally buy a program infested with malware? No? Then why buy one infested with DRM?), then I imagine companies would start paying attention pretty quick, though I suppose they'd have to fight their urge to maintain as much control as possible, which is the reason they added DRM in the first place. Still, if the impact in sales were big enough, I imagine greed would win out.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, May 7th, 2014 @ 2:05am

      Re: A piece of malicious code by any other name...

      Let's go one better - make any attempt to install intrusive Digital Restriction Mmanagement software as a violation of the laws governing hacking.

      Or give any person affected by DRM the right to demand that DRM be removed from their copy of software, or their device that they own. Refusal allows the owner to sue the developer with damages equivalent to DMCA violations.

      Exceptions can be put in place for commercial softwares like Photoshop etc.

      Add in DMCA exceptions for non-commerical infringement/DRM stripping and call it the "Digital Millennium Consumer Rights Act".

      It's well beyond time that the maximalists get a well-deserved taste of what they claim is medicine.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        WDS (profile), May 7th, 2014 @ 7:33am

        Re: Re: A piece of malicious code by any other name...

        Why an exception for "commercial softwares like Photoshop etc."?

        I assume that by "commercial software" you mean business software because I'm sure EA considered there games as commercial software. Still, if DRM is bad (and it is) then it is bad on commercial software as well.

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        Mason Wheeler (profile), May 7th, 2014 @ 12:14pm

        Re: Re: A piece of malicious code by any other name...

        Yes, thank you. It's good to see someone other than me finally saying this. Though I can't help but wonder, what "exceptions ... for commercial softwares like Photoshop etc." are you referring to, and why would they be desirable?

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, May 7th, 2014 @ 1:15pm

          Re: Re: Re: A piece of malicious code by any other name...

          Replying to you and WDS - I meant business software. No real reason, just thought it could still fall under "commercial" infringement.

          Good point though - I shouldn't have made the distinction. Though to be fair, would any of the maximalists on Techdirt support such a sensible law?

           

          reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, May 7th, 2014 @ 8:16am

      Re: A piece of malicious code by any other name...

      http://www.consumer.ftc.gov/articles/0011-malware

      From the Federal Trade Commission, the definition of malware:

      "Malware is short for “malicious software." It includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control your online activity. Criminals use malware to steal personal information, send spam, and commit fraud."

      DRM ticks a lot of those boxes.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), May 7th, 2014 @ 8:29am

      Re: A piece of malicious code by any other name...

      You mean that people don't already recognize that most modern forms of DRM is malware? Bizarre.

      In fairness, not all forms of DRM are malware. Those old code lookups in the earlier days of gaming, dongles, damaged disks & CDs, and the like are not malware by any means. Most modern forms, however, 100% qualify.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Mason Wheeler (profile), May 7th, 2014 @ 12:17pm

        Re: Re: A piece of malicious code by any other name...

        Those old code lookups in the earlier days of gaming, dongles, damaged disks & CDs, and the like are not malware by any means.

        Why not? They operate by the same principle: you are assumed to be illegitimate until you prove otherwise, to the satisfaction of the program, and if the program is mistaken, tough luck for you, you're still locked out. IMO that's as mal as it gets. The standard of proof should always be "innocent until proven guilty in a court of law," and putting the decision-making in the hands of (potentially buggy) software is never legitimate. Period.

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          John Fenderson (profile), May 7th, 2014 @ 1:12pm

          Re: Re: Re: A piece of malicious code by any other name...

          Because "malware" is malicious software -- meaning software that is intended to interfere with the normal operation of the computer. None of those things are that.

           

          reply to this | link to this | view in chronology ]

          •  
            icon
            Mason Wheeler (profile), May 7th, 2014 @ 1:45pm

            Re: Re: Re: Re: A piece of malicious code by any other name...

            The normal operation of the computer, by default, is "program/file is on the computer, because I chose to put it there. I run/open it, and it runs/opens, just like I told it to." Anything that is designed to interfere with that normal operation, in any way, is interfering with the normal operation of my computer.

            And yes, I say "because I chose to put it there" for a good reason. Sometimes you have to be pedantic so no smart-aleck comes along and says you want to have antivirus software declared as illegal malware.

             

            reply to this | link to this | view in chronology ]

            •  
              icon
              John Fenderson (profile), May 7th, 2014 @ 3:24pm

              Re: Re: Re: Re: Re: A piece of malicious code by any other name...

              "Anything that is designed to interfere with that normal operation, in any way, is interfering with the normal operation of my computer."

              Yes, I believe that is what I said. So we agree. This is also why things like code lookups are not malware, since they aren't software at all, let alone software designed to interfere with the operation of your computer.

              Malware must be software that executes. It's an essential part of the definition. Other forms of DRM are bad -- sometimes just as bad -- but are not malware.

               

              reply to this | link to this | view in chronology ]

              •  
                icon
                Mason Wheeler (profile), May 7th, 2014 @ 4:19pm

                Re: Re: Re: Re: Re: Re: A piece of malicious code by any other name...

                You must be thinking of something other than what I'm thinking of, then. What do you mean when you say "code lookups"? Because what I have in mind is the thing that certain old games used to do where, when you launch them, you have to look up the key word printed on page XYZ of the manual and input it at some sort of prompt or the program won't start. And that is definitely software that executes, even if the code word is located somewhere other than inside the software. If it wasn't software executing, it couldn't lock you out of the rest of the program.

                 

                reply to this | link to this | view in chronology ]

    •  
      identicon
      gnudist, May 7th, 2014 @ 9:53am

      Re: A piece of malicious code by any other name...

      this is why I switched to Linux and FLOSS. the lack of arbitrary install limits, activation annoyances and the like more than made up for the downsides of the move.

      There's other reasons I stuck with it, but that started me down the path

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    zip, May 6th, 2014 @ 9:41pm

    consumer protection from DRM - how much longer?

    I'm still waiting for the DRM Consumer Protection Act. The law that would greatly restrict how companies can apply DRM. So rootkits and other devious hacks would be outlawed. All installations of DRM-infected software would be 100% uninstallable, and technical details provided in full. No backdoors and no forced upgrades. And of course, banning companies from ever pulling the plug on their DRM authorization servers unless they give all customers full refunds.

    Of course I hate DRM as much as anyone, I actively boycott DRM-containing products whenever possible, and would like to someday see its eventual and complete demise, but I try to be realistic about it. As the continued existence of DRM is in all probability going to remain as certain as death and taxes, why not at least have legal protections against DRM's worst abuses?

    If our lawmakers had looked after the welfare of the people even a tiny fraction as much as the interests their copyright-cartel paymasters, we would have had consumer protections like that many years ago.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), May 7th, 2014 @ 8:31am

      Re: consumer protection from DRM - how much longer?

      "banning companies from ever pulling the plug on their DRM authorization servers unless they give all customers full refunds. "

      Alternatively, requiring software manufacturers to issue a patch that removes the DRM when they retire a product would be acceptable.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Mason Wheeler (profile), May 7th, 2014 @ 12:19pm

        Re: Re: consumer protection from DRM - how much longer?

        No it wouldn't, because that means it's acceptable to put DRM on in the first place is acceptable. It isn't, and it never will be. It has exactly the same moral status as installing a virus on my computer, and ought to have exactly the same legal status.

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          John Fenderson (profile), May 7th, 2014 @ 1:14pm

          Re: Re: Re: consumer protection from DRM - how much longer?

          Well, I agree with you in the big picture. What I meant was if we have to have DRM foisted on us, then this would mitigate some of the problems with it.

           

          reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, May 8th, 2014 @ 5:42am

        Re: Re: consumer protection from DRM - how much longer?

        That doesn't help if the company goes bankrupt (or if they're doing the same shell games as hollywood), leaving no-one to implement or release the patch.

        If you want to go down that route, they should be required to demonstrate that the patch works (and still works after each update) and then place it in some kind of third-party escrow in which, if they stop paying without establishing a new escrow, then holder is required to openly publish the patch.

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, May 7th, 2014 @ 4:10am

    Legislation is needed to properly place DRM as a tool for publishers. DRM should be an opt out from copyright as it's use seeks to grab rights that are not part of copyright, so let's legislate it to be an either/or scenario. Rely on copyright and have the remedies available under that legislation or use drm and give up that protection in favour of the DRM protection. I know it would be hilariously funny watching them drop DRM faster than a lighting strike because when faced with the choice; the fact that DRM doesn't work would have to be acknowledged.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Ninja (profile), May 7th, 2014 @ 4:20am

    Indeed. Even if you don't want to use it there is the framework implemented to allow it (except maybe if you are using Linux). So even if I want to opt-out I'm still vulnerable because the goddamn industry makes developers install such backdoors to their systems. See html5.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    stock-footage (profile), May 7th, 2014 @ 4:33am

    DRM has never been properly implemented or understood. No business I know understands it or even how to use, consumers are also largely ignorant when it comes to implications around DRM and content they download.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      That Anonymous Coward (profile), May 7th, 2014 @ 8:11am

      Re:

      "consumers are also largely ignorant when it comes to implications around DRM and content they download"

      Until they want to load the movie they purchased on the kids tablet to keep them quiet on the long trip to Grandmas, but it need a special player that needs a constant connection to a sever to authorize every 15 frames.

      Or their hard drive fails and like most people they don't have a backup and oh sorry you've installed the game to many times.

      Consumers know about DRM, they just think they can't make it stop.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        thomas, May 7th, 2014 @ 9:21am

        Re: Re:

        consumers are addicted to the commercial crap, all we need is for consumers to not buy any entertainment crap for 1 month and the industry would change

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    Rob, May 7th, 2014 @ 5:05am

    More and more companies will no doubt move towards hosting everything on their own servers and therefore can make users believe they are not using DRM and charge for the liberty of using their servers.

    A lot of applications and games don't actually need to be on a server, it just gives companies more control and users less control over products they are using.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Richard (profile), May 7th, 2014 @ 5:17am

    Hardware

    DRM has become a technique to create a cartel/monopoly in the hardware market. It doesn't prevent copyright infringement (except the technical/casual kind which probably shouldn't be stopped anyway). Witness the availability of Torrents of just about anything.

    However by mandating its use in hardware devices - and creating private standards bodies with a high cost of entry the incumbent players have locked out future competiton from start ups - especially software based ones where the cost of entry would otherwise have been low.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    LAB (profile), May 7th, 2014 @ 10:29am

    "It doesn't prevent copyright infringement (except the technical/casual kind which probably shouldn't be stopped anyway)"

    But doesn't it by the casual user? I am not a computer guy by any means but as much as a pain it is I would love to hear the alternative. What are the options to protect investment? If company (A) has invested $$ into creating a program/product and wants to sell it to make back its investment, to say they shouldn't use some form of DRM seems unrealistic.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), May 7th, 2014 @ 10:52am

      Re:

      "to say they shouldn't use some form of DRM seems unrealistic."

      I disagree 100%. I've produced a lot of software over the decades, most of which has been widely pirated, and I've never used DRM. I've also made a lot of money doing so -- well beyond simply recouping my investment.

      DRM is not an attempt to protect an investment, it's an attempt to squeeze every possible nickel out of something at the cost of reducing the usefulness of the software and with the side affect of abusing your customers.

      It's a weak move for a whole ton of reason beyond that. Not only does it make a product worse, but it is well up on the curve of diminished returns. People who pirate, casually or otherwise, are unlikely to fork over cash regardless of whether or not DRM is effective. The people who casually pirate but are willing to pay you will end up paying you anyway if they find your product useful.

      DRM is idiotic and expresses contempt for the very people who want to pay you money.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, May 7th, 2014 @ 12:10pm

      Re:

      When your DRM goes wrong, it will only affect those who paid you for your product. They will not be sympathetic, they will feel ripped off and declare your *entire* product a failure, not just the part that failed.

      You are adding a vector for problems for paying customers as well as yourself and your company, a problem that will affect your reputation and bottom line far worse than any pirate.

       

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Advertisement
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
Advertisement
Recent Stories
Advertisement
Support Techdirt - Get Great Stuff!

Close

Email This

This feature is only available to registered users. Register or sign in to use it.