Every so often I come across a paper that actually deserves the adjective "seminal" in the sense of "Highly influential in an original way; constituting or providing a basis for further development" (The American Heritage® Dictionary of the English Language). Such is the case with Lessons from the Sony CD DRM Episode, by Princeton Computer Scientists J. Alex Halderman and Edward W. Felten.
The paper has an extensive analysis of the technologies used by two Sony-BMG copy protection systems, XCP (from First4Internet) and MediaMax (from SunnComm), including ways to defeat these and other (iTunes) copy protection technologies. This paper should be required reading for anyone interested in the technical details and in some related policy issues as well.
Halderman and Felton also address important policy and security issues as well.
- As others have pointed out, these technologies often incorporate techniques that make the consumer's computer more open to attack from third parties and do so without warning. As noted here previously, informed consent should be required and the Sony-BMG violations of this fundamental principal are out of bounds, indeed, some would say illegal.
- Halderman and Felton also point out that the copy protection technologies seem more directed towards preventing local reproduction--burning duplicate CDs--then in inhibiting online redistribution through P2P networks.
Their summary discussion includes the following important points:
First, the design of DRM systems is driven strongly by the incentives of the content distributor and the DRM vendor, but these incentives are not always aligned. Where they differ, the DRM design will not necessarily serve the interests of copyright owners, not to mention artists.
Second, DRM, even if backed by a major content distributor, can expose users to significant security and privacy risks. Incentives for aggressive platform building drive vendors toward spyware tactics that exacerbate these risks.
Third, there can be an inverse relation between the efficacy of DRM and the user’s ability to defend the computer from unrelated security and privacy risks. The user’s best defense is rooted in understanding and controlling which software is installed on the computer, but many DRM systems rely on undermining the user’s understanding and control.
Fourth, CD DRM systems are mostly ineffective at controlling uses of content. Major increases in complexity have not increased their effectiveness over that of early schemes, and may in fact have made things worse by creating more avenues for attack. We think it unlikely that future CD DRM systems will do better.
Fifth, the design of DRM systems is only weakly connected to the contours of copyright law. The systems make no pretense of enforcing copyright law as written, but instead seek to enforce rules dictated by the label’s and vendor’s business models. These rules, and the technologies that try to enforce them, implicate other public policy concerns, such as privacy and security.
Finally, the stakes are high. Bad DRM design choices can seriously harm users, create major liability for copyright owners and DRM vendors, and ultimately reduce artists’ incentive to create.