How DRM Makes Us All Less Safe
from the you're-in-danger-thanks-to-bad-copyright-laws dept
May 6th is the official Day Against DRM. I'm a bit late writing anything about it, but I wanted to highlight this great post by Parker Higgins about an aspect of DRM that is rarely discussed: how DRM makes us less safe. We've talked a lot lately about how the NSA and its surveillance efforts have made us all less safe, but that's also true for DRM.
That post also reminds us of Cory Doctorow's powerful speech about how DRM is the first battle in the war on general computing. The point there is that, effectively, DRM is based on the faulty belief that we can take a key aspect of computing out of computing, and that inherently weakens security as well. Part of this is the nature of DRM, in that it's a form of weak security -- in that its intended purpose is to stop you from doing something you might want to do. But that only serves to open up vulnerabilities (sometimes lots of them), by forcing your computer to (1) do something in secret (otherwise it wouldn't be able to stop you) and (2) try to stop a computer from doing basic computing. And that combination makes it quite dangerous -- as we've seen a few times in the past.
DRM on its own is bad, but DRM backed by the force of law is even worse. Legitimate, useful, and otherwise lawful speech falls by the wayside in the name of enforcing DRM—and one area hit the hardest is security research.
Section 1201 of the Digital Millennium Copyright Act (DMCA) is the U.S. law that prohibits circumventing "technical measures," even if the purpose of that circumvention is otherwise lawful. The law contains exceptions for encryption research and security testing, but the exceptions are narrow and don’t help researchers and testers in most real-world circumstances. It's risky and expensive to find the limits of those safe harbors.
As a result, we've seen chilling effects on research about media and devices that contain DRM. Over the years, we've collected dozens of examples of the DMCA chilling free expression and scientific research. That makes the community less likely to identify and fix threats to our infrastructure and devices before they can be exploited.
DRM serves a business purpose for the companies who insist on it, but it does nothing valuable for the end user and, worse, it makes their computers less safe.
Reader Comments
A piece of malicious code by any other name...
The first step I'd think is to change how it's seen and treated. DRM is completely and utterly useless at its stated purpose of 'stopping piracy', so treating it as useful (for anyone not involved in selling it anyway) is out the window. However, it can, as noted, cause problems, sometimes very serious ones (Sony rootkit anyone?).
As such, with essentially no upsides, and plenty of downsides, DRM should be seen, and treated, as what it is: malware. Crap that, if you're lucky, 'only' takes up some system resources, and if you're not so lucky, can cause you no end of headaches.
If people start treating DRM as what it is, and change their purchasing habits to reflect that (Would you intentionally buy a program infested with malware? No? Then why buy one infested with DRM?), then I imagine companies would start paying attention pretty quick, though I suppose they'd have to fight their urge to maintain as much control as possible, which is the reason they added DRM in the first place. Still, if the impact in sales were big enough, I imagine greed would win out.
[ link to this | view in chronology ]
Re:
When start-up companies have to deal with a swarm of parasites at the first sign of success, then the number that can make it out intact and grow is going to be pretty slim.
[ link to this | view in chronology ]
Re: A piece of malicious code by any other name...
Or give any person affected by DRM the right to demand that DRM be removed from their copy of software, or their device that they own. Refusal allows the owner to sue the developer with damages equivalent to DMCA violations.
Exceptions can be put in place for commercial software like Photoshop etc.
Add in DMCA exceptions for non-commercial infringement/DRM stripping and call it the "Digital Millennium Consumer Rights Act".
It's well beyond time that the maximalists get a well-deserved taste of what they claim is medicine.
[ link to this | view in chronology ]
Re: Re: A piece of malicious code by any other name...
I assume that by "commercial software" you mean business software because I'm sure EA considered their games as commercial software. Still, if DRM is bad (and it is) then it is bad on commercial software as well.
[ link to this | view in chronology ]
Re: Re: Re: A piece of malicious code by any other name...
Good point though - I shouldn't have made the distinction. Though to be fair, would any of the maximalists on Techdirt support such a sensible law?
[ link to this | view in chronology ]
Re: A piece of malicious code by any other name...
From the Federal Trade Commission, the definition of malware:
"Malware is short for “malicious software.” It includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control your online activity. Criminals use malware to steal personal information, send spam, and commit fraud."
DRM ticks a lot of those boxes.
[ link to this | view in chronology ]
Re: A piece of malicious code by any other name...
In fairness, not all forms of DRM are malware. Those old code lookups in the earlier days of gaming, dongles, damaged disks & CDs, and the like are not malware by any means. Most modern forms, however, 100% qualify.
[ link to this | view in chronology ]
Re: Re: A piece of malicious code by any other name...
Why not? They operate by the same principle: you are assumed to be illegitimate until you prove otherwise, to the satisfaction of the program, and if the program is mistaken, tough luck for you, you're still locked out. IMO that's as mal as it gets. The standard of proof should always be "innocent until proven guilty in a court of law," and putting the decision-making in the hands of (potentially buggy) software is never legitimate. Period.
[ link to this | view in chronology ]
Re: Re: Re: Re: A piece of malicious code by any other name...
And yes, I say "because I chose to put it there" for a good reason. Sometimes you have to be pedantic so no smart-aleck comes along and says you want to have antivirus software declared as illegal malware.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: A piece of malicious code by any other name...
Yes, I believe that is what I said. So we agree. This is also why things like code lookups are not malware, since they aren't software at all, let alone software designed to interfere with the operation of your computer.
Malware must be software that executes. It's an essential part of the definition. Other forms of DRM are bad -- sometimes just as bad -- but are not malware.
[ link to this | view in chronology ]
Re: A piece of malicious code by any other name...
There's other reasons I stuck with it, but that started me down the path
[ link to this | view in chronology ]
consumer protection from DRM - how much longer?
Of course I hate DRM as much as anyone, I actively boycott DRM-containing products whenever possible, and would like to someday see its eventual and complete demise, but I try to be realistic about it. As the continued existence of DRM is in all probability going to remain as certain as death and taxes, why not at least have legal protections against DRM's worst abuses?
If our lawmakers had looked after the welfare of the people even a tiny fraction as much as the interests of their copyright-cartel paymasters, we would have had consumer protections like that many years ago.
[ link to this | view in chronology ]
Re: consumer protection from DRM - how much longer?
Alternatively, requiring software manufacturers to issue a patch that removes the DRM when they retire a product would be acceptable.
[ link to this | view in chronology ]
Re: Re: consumer protection from DRM - how much longer?
If you want to go down that route, they should be required to demonstrate that the patch works (and still works after each update) and then place it in some kind of third-party escrow in which, if they stop paying without establishing a new escrow, then the holder is required to openly publish the patch.
[ link to this | view in chronology ]
Re:
Until they want to load the movie they purchased on the kids' tablet to keep them quiet on the long trip to Grandma's, but it needs a special player that needs a constant connection to a server to authorize every 15 frames.
Or their hard drive fails and like most people they don't have a backup and oh sorry you've installed the game too many times.
Consumers know about DRM, they just think they can't make it stop.
[ link to this | view in chronology ]
A lot of applications and games don't actually need to be on a server, it just gives companies more control and users less control over products they are using.
[ link to this | view in chronology ]
Hardware
However, by mandating its use in hardware devices - and creating private standards bodies with a high cost of entry - the incumbent players have locked out future competition from start-ups - especially software-based ones where the cost of entry would otherwise have been low.
[ link to this | view in chronology ]
But doesn't it by the casual user? I am not a computer guy by any means but as much as a pain it is I would love to hear the alternative. What are the options to protect investment? If company (A) has invested $$ into creating a program/product and wants to sell it to make back its investment, to say they shouldn't use some form of DRM seems unrealistic.
[ link to this | view in chronology ]
Re:
I disagree 100%. I've produced a lot of software over the decades, most of which has been widely pirated, and I've never used DRM. I've also made a lot of money doing so -- well beyond simply recouping my investment.
DRM is not an attempt to protect an investment, it's an attempt to squeeze every possible nickel out of something at the cost of reducing the usefulness of the software and with the side effect of abusing your customers.
It's a weak move for a whole ton of reasons beyond that. Not only does it make a product worse, but it is well up on the curve of diminished returns. People who pirate, casually or otherwise, are unlikely to fork over cash regardless of whether or not DRM is effective. The people who casually pirate but are willing to pay you will end up paying you anyway if they find your product useful.
DRM is idiotic and expresses contempt for the very people who want to pay you money.
[ link to this | view in chronology ]
Re:
You are adding a vector for problems for paying customers as well as yourself and your company, a problem that will affect your reputation and bottom line far worse than any pirate.
[ link to this | view in chronology ]