'Open DRM' Is Snake-oil

from the oxymoron dept

A Pioneer spin-off called SyncTV has launched. Consumers will apparently be able to subscribe to "channels" of content, and eventually you'll be able to play those channels on a variety of devices around the home, as well as portable devices. So far, it looks like little more than vaporware, as their public website doesn't have any real details about pricing, supported devices, etc. What really irritates me about the coverage of the launch is the description of Marlin as an "open-source DRM system." This phrase is a contradiction in terms, and anyone who claims their DRM scheme is open source, or based on open standards, is either confused or trying to mislead. For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product. On the other hand, DRM works by ensuring that approved devices won't perform certain operations, such as converting content to an unencrypted format. The two sets of requirements obviously can't be reconciled. SyncTV's site phrases things slightly differently, describing its platform as "completely based on open standards." But this, too, is deceptive. An open standard is one that anyone is free to implement without asking for permission. HTML is an open standard: you don't need a license from the W3C to create a new web browser. On the other hand, a DRM scheme requires a licensing authority to verify that each new device to verify that it complies with the rules of the DRM scheme. And we've seen incumbents use this approval process (and the DMCA, which gives it the force of law) to squash innovative competitors that threaten their business models. Marlin could turn out to be marginally better than some existing DRM schemes if it employs less restrictive licensing terms. But it's still a DRM scheme, and that means there's nothing "open" about it.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: drm, open drm
Companies: pioneer, synctv


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Chris Maresca, 19 Nov 2007 @ 3:39pm

    Open Source DRM

    ... is in fact possible, although possibly not advisable.

    "For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product"

    That is actually wrong. There are a large number of open source licenses that prohibit certain types of modifications (such as the CPAL license). And if the code is owned by one copyright holder, there is the possibility of dual licensing.

    Also, from a technology standpoint, it's perfectly possible to use open source to protect content. If that were not the case, SSL, SSH, encrypted filesystems, encrypted archives and other content protection would be basically impossible. In fact, it's a basic tenet of cryptography that the best encryption schemes are open.

    Now, whether open source DRM is in keeping with open source principles is another story. There are, however, a number of instances where DRM is actually useful, like limiting the distribution of contracts, for example, or making sure that electronic tests are not tampered with. So whether or not open source DRM is a contradiction of open source principles largely depends on how it's applied, not the actually technology implementation.

    Chris.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 19 Nov 2007 @ 3:45pm

    Not so fast.

    For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product.
    That statement isn't correct. That might be true for the OSI but plenty of others have different ideas about what "open source" means.

    link to this | view in thread ]

  3. identicon
    Tim Lee, 19 Nov 2007 @ 3:54pm

    Re: Open Source DRM

    If a license doesn't give people the freedom to modify and redistribute a product, then in my view it's not an open source license. Otherwise, "open source" becomes a meaningless term.

    Also, from a technology standpoint, it's perfectly possible to use open source to protect content. If that were not the case, SSL, SSH, encrypted filesystems, encrypted archives and other content protection would be basically impossible. In fact, it's a basic tenet of cryptography that the best encryption schemes are open.

    This is an apples-to-oranges comparison. While most DRM schemes include some crypto, DRM and crypto are different technologies with different purposes. The fact that secure crypto is often open doesn't mean that DRM can be open.

    link to this | view in thread ]

  4. identicon
    Tim Lee, 19 Nov 2007 @ 3:56pm

    Re: Not so fast.

    I agree with the OSI that any license that doesn't include the freedom to modify and redistribute the product can't be considered an open source license, and I think that's what most people expect when they hear the term "open source." Obviously, "open source" is now a trendy enough concept that various people want to label more-restrictive licenses "open source," but that doesn't mean they are, in fact, open source in the sense the term is normally used.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 19 Nov 2007 @ 4:51pm

    Re: Re: Not so fast.

    I agree with the OSI that any license that doesn't include the freedom to modify and redistribute the product can't be considered an open source license, and I think that's what most people expect when they hear the term "open source."
    What then would be the difference between "open source" and "free software"?

    link to this | view in thread ]

  6. identicon
    Kyros, 19 Nov 2007 @ 5:00pm

    You spelled to as ot... but good point otherwise.

    link to this | view in thread ]

  7. identicon
    Chris Maresca, 19 Nov 2007 @ 7:41pm

    Re: Re: Open Source DRM

    Crypto is the core of DRM. There is no DRM without it.

    It's very, very easy to make content which can only be viewed with the correct key or certificate with things like OpenSSL. There is no magic here, all the technologies already exist, in open source. Just because the rights management engine is open source doesn't mean you have a the correct certificate to view the content. GNUpg and Enigmail are example of this in action, both implement a form of DRM.

    That was my point. Perhaps a bit technical, but it can (and has) been done entirely with open source technologies without violating any license clauses.

    Chris.

    link to this | view in thread ]

  8. identicon
    Chris Maresca, 19 Nov 2007 @ 7:49pm

    Re: Re: Not so fast.

    Open source doesn't preclude the generation of non-open source content. I think you are making a fundamental mistake in understanding this.

    You can use Open Office to write a novel you sell, or you can use gcc to generate a proprietary binary. Just because the tools are open doesn't mean that the content generated or managed by it is as well. If that were true, then open source PDF encryption projects like Apache FOP would a waste of time as you'd have to give anyone who asked the key to decrypt your encrypted PDF....

    The FSF's position on DRM, while admirable, is a political position against the entire concept. It's been discussed at length in the community and not all open source leaders (Linus Torvalds most notably) agree with FSF's position. See http://lwn.net/Articles/30048/

    Chris.

    link to this | view in thread ]

  9. identicon
    Tim Lee, 19 Nov 2007 @ 8:42pm

    Re: Re: Re: Open Source DRM

    I discuss the difference between DRM and crypto in considerably more detail here. In a nutshell, the distinction is this: With traditional crypto, you're trying to stop third parties from intercepting your message. This can be done with standard crypto techniques. With DRM, you're effectively trying to stop the recipient from intercepting the message. That's not a problem that's solved by crypto. It's a problem that's solved by obfuscation and "security by obscurity." This is also why every important DRM scheme in history has been cracked in a matter of months.

    GNUpg and Enigmail are traditional crypto programs, not DRM programs. They focus on protecting your emails from third parties, whereas DRM schemes focus on "protecting" content from the legitimate recipient.

    link to this | view in thread ]

  10. identicon
    bummer Han, 20 Nov 2007 @ 6:25am

    as claimed

    to me the term open source (at face value) just means source available and modifiable.

    but an 'open source' claimed and published, it must be assumed it is one that meets the OSI-approved mark.

    It must be transparent and not craftily put to mislead, esp by proprietary vendors trying to associate their products with the 'open-source' term.

    also, generally OS licencing address the binaries/programs not the content or cryptos themselves.
    qed.bummer.

    link to this | view in thread ]

  11. identicon
    Kent Yoder, 20 Nov 2007 @ 11:46am

    Re: Re: Re: Re: Open Source DRM

    OSS can certainly implement DRM.

    DRM is effective when the correct subset of users has access to the keys used to provide confidentiality for the data. This is completely independent of whether the source code of the programs implementing the DRM is OSS, is modifiable or redistributable by the terms of the license, etc.

    This is what people were so up in arms about with the introduction of the GPLv3. Originally the GPLv3 mandated that in addition to the software being distributed with the source, the *encryption keys* had to be distributed too, to prevent DRM from being implemented using a GPLv3 program.

    This was also one of the first misconceptions that came around when trusted computing support for Linux was being implemented.

    Kent

    link to this | view in thread ]

  12. identicon
    Tim Lee, 20 Nov 2007 @ 12:18pm

    Re: Re: Re: Re: Re: Open Source DRM

    If DRM software is open source, and the software has access to the encryption keys, then what's to stop the end user from modifying the software to reveal the encryption key? And if the user isn't allowed to modify the software, then in what sense is it open source?

    link to this | view in thread ]

  13. identicon
    Kent Yoder, 20 Nov 2007 @ 12:54pm

    Re: Re: Re: Re: Re: Re: Open Source DRM

    If DRM software is open source, and the software has access to the encryption keys, then what's to stop the end user from modifying the software to reveal the encryption key?

    There's nothing that would require keeping the user from doing what you describe. The DRM might be broken, but its both a DRM system and OSS, and being OSS isn't what broke this system. Being OSS only makes the hacker's job easier in this case.

    If you want effective DRM with any software, closed source or open source, you'll need secure hardware such as a TPM or in the case of Tivo, hardware that checks the signature of the binary before it runs. In the Tivo case the binary that's run is GPL and is modifiable by the end user, but the system won't run it if its signature doesn't match one embedded in the Tivo firmware.

    BTW I've got no real experience with Tivo, I'm just working off my understanding based on reading the internets.

    Kent

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 20 Nov 2007 @ 10:03pm

    Re: Re: Re: Re: Re: Re: Re: Open Source DRM

    In the Tivo case the binary that's run is GPL and is modifiable by the end user, but the system won't run it if its signature doesn't match one embedded in the Tivo firmware.
    Notice that the firmware that does this bit of "security" checking isn't open source.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.