There’s a disturbing little press release floating around where the Sun-backed Open Media Commons announces its release of a new DRM specification to be implemented using free software. That people are creating DRM systems under open source and free software licenses is not surprising; much of the encryption technology on which DRM is based has been free and open for a long time. What is disturbing is that it contains what appears to be an endorsement by Lawrence Lessig:
Lawrence Lessig, Chairman of the Board of Directors of Creative Commons and Professor of Law at Stanford Law School: "In a world where DRM has become ubiquitous, we need to ensure that the ecology for creativity is bolstered, not stifled, by technology. We applaud Sun’s efforts to rally the community around the development of open-source, royalty-free DRM standards that support "fair use" and that don’t block the development of Creative Commons ideals."
Lessig’s position seems to be that DRM is bad and should not exist. But in a world where it does exist, he thinks that not-quite-so-bad DRM is better than the alternatives. Is that the sort of message we want to be sending?
The fact that the software is "open source" is hardly good enough if the purpose of the software is to take away users’ freedom — in precisely the way that DRM does.
It doesn’t help that EFF has already spoken out against this project.
Lessig is on the board of directors of both EFF and FSF. I think it is smart for members of either organization who are opposed to DRM, even when it’s sweetened up, to contact those organizations and let them know how you feel.
On the OMC website, there is a photo of two young attractive people listening to a single pair of headphones. Apparently, the people in the picture need to share a single pair of headphones because the Open Media Commons rights management system won’t allow them to share the digital media itself.
Oh God, that pic says it all.
For that matter, I seriously doubt this DRM system will have any more success remaining enforceable than any previous system did. Quite a bit less, actually, since you can just recompile the DRM system sans the part that says you can’t do something, rather than having to patch a binary for the same purpose. DRM has always had this fundamental flaw: you expect to give a client access to data without letting them do whatever they want with it. Either they have the data or they don’t; no middle ground exists.
Could two people listening to the same music not constitute a public broadcast?
A closed source DRM is of course based on a secret, and any “security” that’s based on a secret isn’t real security. If the security works, however, then it’s ok to tell everyone how it works because it works. With DRM, this is very difficult.
The secret might be a key, not a process or a chunk of code. GPG is free software but can be used to keep things secret. It is based on secrets of course but those secrets are encryption keys. There’s no reason that free software DRM couldn’t work in the same way. The reason it would not be free is that it is designed to take away users’ freedom which is precisely what free software is trying to prevent. It’s a philosophical crisis that open source DRM introduces — not a technical one.
For argument’s sake it seems to be that F/OSS is about freedom of expression. Now of course if an artist wanted to express themselves they could easily make a bunch of MP3s and put up a torrent. For practical purposes though this doesn’t work especially if they’re serious about this. Well it can for a few but I’m willing to bet not for most people who need to generate an income.
Anyway without getting too off-topic, maybe SUN’s new open DRM is about satisfying both the consumer and the label so that the artist can express themselves freely and without being limited to say just an iPod.
I’d recommend to anyone on the point of expressing an opinion about Open Media Commons, to come to grips with what the project really entails.
To begin with it is not first an open source software project. It is an architectural specification that defines the interface contract of about a dozen separate components, only two of which end up in the hands of the user. The whole point of interface contracts is that any developer with “a better idea” can offer a pin-for-pin compatible replacement of an existing component. All but two of the OMC components are on the server side, so if a cracker gains access it is the fault of the server owner, not the DRM framework specification.
Of the two client side components, the viewer and the disintermediation agent, only the former needs to be cryptographic. The latter merely serves the role of directing the viewer to the correct licensing back end services. The software of the viewer may or may not be a closed source property. The actual coding may be a subclass of the reference model component, or something developed from scratch. The role of the viewer is to present to the licensee those parts of the proprietary content that the license allows to be decrypted. If the content is encrypted (with TEA for example) for once-only viewing, then delivery of the TEA decryption key is coordinated by the disintermediation component but ultimately supplied by the backend license manager and the content delivery service.
As for objections such as “The reason it would not be free is that it is designed to take away users’ freedom which is precisely what free software is trying to prevent. It’s a philosophical crisis that open source DRM introduces — not a technical one.”, you should think about the following. How much freedom do you want your competitors to have with the information in your tax returns? Somewhere within the IRS there are electronic versions of your tax data. Do you want that stuff to be copied, printed, emailed, or otherwise published willy-nilly, by your competitor’s wife who happens to be a typist in the IRS? We hope and expect that authentication, authorization and access controls are strong in the IRS, but once a document is beyond the reach of those controls, it is completely naked. With a DRM system, access control to content travels with the content and permissions can be sufficiently fine-grained that only IRS officials in very specific roles can gain access even if the data is already on their memory stick.
DRM has much broader implications than spoiling the fun of those who want to cheat the artists they love out of the benefits of their talent.
I have no interest in supporting, “the fun of those who want to cheat the artists they love out of the benefits of their talent.” Your example and tone are patronizing and disingenuous.
The effect of this software is to fundamentally change the power relationship between users and their software. The effect is to disempower users and to turn their computer against them. The effect is to give the keys to users’ computers, quite literally, to Sun and other powerful companies.
That may be a good deal for Sun and for their customers but it’s not a good deal for users and their freedom, even if it makes our tax returns a little bit safer.
Physical and network security systems have stood up to attacks much better than DRM systems.
“Your example and tone are patronizing and disingenuous.” My apologies. I was referring not so much to your original text and attached comments, as to pages and pages of ill-informed opinion in other blogs I’d read at the same time.
“The effect of this software is to fundamentally change the power relationship between users and their software.” This is not the case. It changes the relationship between users and content. The client side software permits the existence of a wide variety of different viewers for different purposes while otherwise leaving the rest of the user’s machine completely unaltered. What it DOES do is solve some serious infrastructural problems with PKI. The ordinary user can’t be expected to learn PKI, and phishing has shown up the “browser and certificate authority” model of PKI usage as a fraud that addressed the wrong threat model. In effect DRM is a PKI delivery vector.
“The effect is to give the keys to users’ computers, quite literally, to Sun and other powerful companies.” Also wrong for the same reasons. It delivers keys to content only, not the machine at all, and the content keys are not of powerful companies alone, but of anyone with digital value they need to protect.
“That may be a good deal for Sun and for their customers but it’s not a good deal for users and their freedom, even if it makes our tax returns a little bit safer.” As I say, DReaM serves a far wider audience than Sun and its customers, it offers the possibility of users becoming content creators. I suggest you read “Four Arguments for the Elimination of Television” by Jerry Mander, to see the issue from a different angle. There IS a serious problem with corporate monopolization of content, as the book shows, but there are also very solid reasons for some content needing to be placed under limited access.
“Physical and network security systems have stood up to attacks much better than DRM systems.” I think you ought to read up on the growth of kiddie-kits for phishing and for what I think is called the “browser script DNS attack” to be sure you are so comfy with existing security. Also, you have ignored the point about content, especially privacy issue content, being stark naked outside the supposedly secure perimeter. Finally, it is deceptive to line up existing security beside “DRM systems” without specifying whether those DRM systems are based on symmetric or asymmetric encryption.