Former National Security Agency cryptanalyst Mark Stamp offers his opinions on the current state of digital rights management (DRM).
Editor's Note: Mark Stamp has spent well over a decade working in computer security. He can neither confirm nor deny that for seven years he was a cryptanalyst at the National Security Agency. However, he can confirm that he recently spent two years designing and developing a DRM product at MediaSnap, Inc., a small Silicon Valley startup company. Currently, Dr. Stamp is enjoying life as a college professor and occasional security consultant. His current research interests are security, networks, algorithms and DRM.
Digital rights management, or DRM, is an attempt to
maintain "remote control" over digital content.
For example, Stephen King might
like to sell a new book online
(though this is doubtful given his previous
But he might only make one sale,
since any purchaser can, with the
click of a button, redistribute
a perfect digital copy to a large percentage
of the population of the earth.
To prevent this, Mr. King might like to retain
some control--remote control--over
what a purchaser can do with his
digital book after
Standard cryptographic techniques enable
secure delivery of the bits, but provide no
restriction on their use after delivery.
DRM requirements beyond secure delivery are
collectively known as "persistent protection",
that is, protection that stays with the digital
content wherever it goes. In contrast to
cryptography, the primary purpose of
persistent protection is to protect the
the intended recipient.
What can it do for (or to) me?
If the remote control/persistent protection
problem can be solved effectively,
the implications are enormous. Of course,
copyright holders would be ecstatic since they
might be able to stem the tide of online
for the Hollywood viewpoint. However, it's
difficult to conceive of any computerized
system that could distinguish
from "security hole" and consequently, many fear
that DRM could tilt the scales in favor
of copyright holders at the expense
There are, however, other less-well-known
applications of DRM technology. For example,
armed with strong DRM, I could put my personal
information online and yet retain my privacy
by limiting who can access the information
and, more to the DRM point, by restricting
what people can do with my information after
A privacy example of considerable
current interest is medical records.
This highly sensitive information is rapidly
moving online in order to satisfy the need
for quick and reliable access. It is clearly
necessary to protect such information from
intentional or accidental disclosure. In fact,
the legal penalties for unauthorized disclosure
are draconian, which has led to much DRM interest
in certain corporate circles.
DRM is, therefore, (at least) a two-headed beast.
On the one head, the technology can be
privacy-enhancing, while on the other
it can be copyright-enforcing.