'Open DRM' Is Snake-oil

from the oxymoron dept

A Pioneer spin-off called SyncTV has launched. Consumers will apparently be able to subscribe to "channels" of content, and eventually you'll be able to play those channels on a variety of devices around the home, as well as portable devices. So far, it looks like little more than vaporware, as their public website doesn't have any real details about pricing, supported devices, etc.

What really irritates me about the coverage of the launch is the description of Marlin as an "open-source DRM system." This phrase is a contradiction in terms, and anyone who claims their DRM scheme is open source, or based on open standards, is either confused or trying to mislead. For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product. On the other hand, DRM works by ensuring that approved devices won't perform certain operations, such as converting content to an unencrypted format. The two sets of requirements obviously can't be reconciled.

SyncTV's site phrases things slightly differently, describing its platform as "completely based on open standards." But this, too, is deceptive. An open standard is one that anyone is free to implement without asking for permission. HTML is an open standard: you don't need a license from the W3C to create a new web browser. On the other hand, a DRM scheme requires a licensing authority to verify that each new device complies with the rules of the DRM scheme. And we've seen incumbents use this approval process (and the DMCA, which gives it the force of law) to squash innovative competitors that threaten their business models.

Marlin could turn out to be marginally better than some existing DRM schemes if it employs less restrictive licensing terms. But it's still a DRM scheme, and that means there's nothing "open" about it.

Filed Under: drm, open drm
Companies: pioneer, synctv


Reader Comments

    Chris Maresca, 19 Nov 2007 @ 3:39pm

    Open Source DRM

    ... is in fact possible, although possibly not advisable.

    "For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product"

    That is actually wrong. There are a large number of open source licenses that prohibit certain types of modifications (such as the CPAL license). And if the code is owned by one copyright holder, there is the possibility of dual licensing.

    Also, from a technology standpoint, it's perfectly possible to use open source to protect content. If that were not the case, SSL, SSH, encrypted filesystems, encrypted archives and other content protection would be basically impossible. In fact, it's a basic tenet of cryptography that the best encryption schemes are open.

    Now, whether open source DRM is in keeping with open source principles is another story. There are, however, a number of instances where DRM is actually useful, like limiting the distribution of contracts, for example, or making sure that electronic tests are not tampered with. So whether or not open source DRM is a contradiction of open source principles largely depends on how it's applied, not the actual technology implementation.

    Chris.

      Tim Lee, 19 Nov 2007 @ 3:54pm

      Re: Open Source DRM

      If a license doesn't give people the freedom to modify and redistribute a product, then in my view it's not an open source license. Otherwise, "open source" becomes a meaningless term.

      Also, from a technology standpoint, it's perfectly possible to use open source to protect content. If that were not the case, SSL, SSH, encrypted filesystems, encrypted archives and other content protection would be basically impossible. In fact, it's a basic tenet of cryptography that the best encryption schemes are open.

      This is an apples-to-oranges comparison. While most DRM schemes include some crypto, DRM and crypto are different technologies with different purposes. The fact that secure crypto is often open doesn't mean that DRM can be open.

        Chris Maresca, 19 Nov 2007 @ 7:41pm

        Re: Re: Open Source DRM

        Crypto is the core of DRM. There is no DRM without it.

        It's very, very easy to make content which can only be viewed with the correct key or certificate with things like OpenSSL. There is no magic here, all the technologies already exist, in open source. Just because the rights management engine is open source doesn't mean you have the correct certificate to view the content. GNUpg and Enigmail are examples of this in action, both implement a form of DRM.

        That was my point. Perhaps a bit technical, but it can (and has) been done entirely with open source technologies without violating any license clauses.

        Chris.

          Tim Lee, 19 Nov 2007 @ 8:42pm

          Re: Re: Re: Open Source DRM

          I discuss the difference between DRM and crypto in considerably more detail here. In a nutshell, the distinction is this: With traditional crypto, you're trying to stop third parties from intercepting your message. This can be done with standard crypto techniques. With DRM, you're effectively trying to stop the recipient from intercepting the message. That's not a problem that's solved by crypto. It's a problem that's solved by obfuscation and "security by obscurity." This is also why every important DRM scheme in history has been cracked in a matter of months.

          GNUpg and Enigmail are traditional crypto programs, not DRM programs. They focus on protecting your emails from third parties, whereas DRM schemes focus on "protecting" content from the legitimate recipient.

            Kent Yoder, 20 Nov 2007 @ 11:46am

            Re: Re: Re: Re: Open Source DRM

            OSS can certainly implement DRM.

            DRM is effective when the correct subset of users has access to the keys used to provide confidentiality for the data. This is completely independent of whether the source code of the programs implementing the DRM is OSS, is modifiable or redistributable by the terms of the license, etc.

            This is what people were so up in arms about with the introduction of the GPLv3. Originally the GPLv3 mandated that in addition to the software being distributed with the source, the *encryption keys* had to be distributed too, to prevent DRM from being implemented using a GPLv3 program.

            This was also one of the first misconceptions that came around when trusted computing support for Linux was being implemented.

            Kent

              Tim Lee, 20 Nov 2007 @ 12:18pm

              Re: Re: Re: Re: Re: Open Source DRM

              If DRM software is open source, and the software has access to the encryption keys, then what's to stop the end user from modifying the software to reveal the encryption key? And if the user isn't allowed to modify the software, then in what sense is it open source?

                Kent Yoder, 20 Nov 2007 @ 12:54pm

                Re: Re: Re: Re: Re: Re: Open Source DRM

                If DRM software is open source, and the software has access to the encryption keys, then what's to stop the end user from modifying the software to reveal the encryption key?

                There's nothing that would require keeping the user from doing what you describe. The DRM might be broken, but it's both a DRM system and OSS, and being OSS isn't what broke this system. Being OSS only makes the hacker's job easier in this case.

                If you want effective DRM with any software, closed source or open source, you'll need secure hardware such as a TPM or in the case of Tivo, hardware that checks the signature of the binary before it runs. In the Tivo case the binary that's run is GPL and is modifiable by the end user, but the system won't run it if its signature doesn't match one embedded in the Tivo firmware.

                BTW I've got no real experience with Tivo, I'm just working off my understanding based on reading the internets.

                Kent

                  Anonymous Coward, 20 Nov 2007 @ 10:03pm

                  Re: Re: Re: Re: Re: Re: Re: Open Source DRM

                  In the Tivo case the binary that's run is GPL and is modifiable by the end user, but the system won't run it if its signature doesn't match one embedded in the Tivo firmware.
                  Notice that the firmware that does this bit of "security" checking isn't open source.

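The signed-binary gate Kent Yoder describes for the Tivo, sketched as an added example (not from the post, any commenter, or Tivo's code): the verifier and the binary can both be public, yet a modified build is refused because only the holder of the vendor's private key can produce a matching signature. A Lamport one-time signature over SHA-256 stands in for whatever scheme a real device uses so that the block runs on the Python standard library alone; `boot`, the key names and the sample images are hypothetical.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    """Yield the 256 bits of a SHA-256 digest, most significant first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def keygen():
    """Vendor side: Lamport key pair, valid for signing ONE image only."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public

def sign(private, image: bytes):
    """Vendor side: reveal one secret preimage per bit of the image digest."""
    return [private[i][bit] for i, bit in enumerate(_bits(_h(image)))]

def verify(public, image: bytes, signature) -> bool:
    """Device side: uses only the public key, so this code can be published."""
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(_h(image))):
        ok &= secrets.compare_digest(_h(signature[i]), public[i][bit])
    return ok

def boot(public, image: bytes, signature) -> str:
    """Hypothetical boot gate: run the image only if the vendor signed it."""
    return "run" if verify(public, image, signature) else "refuse"

# Constructed sample data: a vendor build and a user-modified build.
VENDOR_PRIVATE, FIRMWARE_PUBLIC = keygen()   # only the public half ships in firmware
vendor_image = b"#!/bin/sh\nexec /usr/bin/player\n"
vendor_sig = sign(VENDOR_PRIVATE, vendor_image)
modified_image = vendor_image + b"# user patch\n"

if __name__ == "__main__":
    print("vendor build  :", boot(FIRMWARE_PUBLIC, vendor_image, vendor_sig))
    print("modified build:", boot(FIRMWARE_PUBLIC, modified_image, vendor_sig))
```

The restriction lives in the pinned public key and in whoever controls the private key, not in any secrecy of the source.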

    Anonymous Coward, 19 Nov 2007 @ 3:45pm

    Not so fast.

    For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product.
    That statement isn't correct. That might be true for the OSI but plenty of others have different ideas about what "open source" means.

      Tim Lee, 19 Nov 2007 @ 3:56pm

      Re: Not so fast.

      I agree with the OSI that any license that doesn't include the freedom to modify and redistribute the product can't be considered an open source license, and I think that's what most people expect when they hear the term "open source." Obviously, "open source" is now a trendy enough concept that various people want to label more-restrictive licenses "open source," but that doesn't mean they are, in fact, open source in the sense the term is normally used.

        Anonymous Coward, 19 Nov 2007 @ 4:51pm

        Re: Re: Not so fast.

        I agree with the OSI that any license that doesn't include the freedom to modify and redistribute the product can't be considered an open source license, and I think that's what most people expect when they hear the term "open source."
        What then would be the difference between "open source" and "free software"?

        Chris Maresca, 19 Nov 2007 @ 7:49pm

        Re: Re: Not so fast.

        Open source doesn't preclude the generation of non-open source content. I think you are making a fundamental mistake in understanding this.

        You can use Open Office to write a novel you sell, or you can use gcc to generate a proprietary binary. Just because the tools are open doesn't mean that the content generated or managed by it is as well. If that were true, then open source PDF encryption projects like Apache FOP would be a waste of time as you'd have to give anyone who asked the key to decrypt your encrypted PDF....

        The FSF's position on DRM, while admirable, is a political position against the entire concept. It's been discussed at length in the community and not all open source leaders (Linus Torvalds most notably) agree with FSF's position. See http://lwn.net/Articles/30048/

        Chris.

    Kyros, 19 Nov 2007 @ 5:00pm

    You spelled to as ot... but good point otherwise.

    bummer Han, 20 Nov 2007 @ 6:25am

    as claimed

    to me the term open source (at face value) just means source available and modifiable.

    but an 'open source' claimed and published, it must be assumed it is one that meets the OSI-approved mark.

    It must be transparent and not craftily put to mislead, esp by proprietary vendors trying to associate their products with the 'open-source' term.

    also, generally OS licencing addresses the binaries/programs, not the content or cryptos themselves.
    qed.bummer.
