Digital Rights Management: For Better Or For Worse?

Former National Security Agency cryptanalyst Mark Stamp offers his opinions on the current state of digital rights management (DRM).

Editor's Note: Mark Stamp has spent well over a decade working in computer security. He can neither confirm nor deny that for seven years he was a cryptanalyst at the National Security Agency. However, he can confirm that he recently spent two years designing and developing a DRM product at MediaSnap, Inc., a small Silicon Valley startup company. Currently, Dr. Stamp is enjoying life as a college professor and occasional security consultant. His current research interests are security, networks, algorithms and DRM.

Digital rights management, or DRM, is an attempt to maintain "remote control" over digital content. For example, Stephen King might like to sell a new book online (though this is doubtful given his previous online publishing experience). But he might only make one sale, since any purchaser can, with the click of a button, redistribute a perfect digital copy to a large percentage of the population of the earth. To prevent this, Mr. King might like to retain some control--remote control--over what a purchaser can do with his digital book after purchasing it.

Standard cryptographic techniques enable secure delivery of the bits, but provide no restriction on their use after delivery. The additional DRM requirements beyond secure delivery are collectively known as "persistent protection", that is, protection that stays with the digital content wherever it goes. In contrast to cryptography, the primary purpose of persistent protection is to protect the content from the intended recipient.

What can it do for (or to) me?

If the remote control/persistent protection problem can be solved effectively, the implications are enormous. Of course, copyright holders would be ecstatic since they might be able to stem the tide of online piracy--see RIAA or MPAA for the Hollywood viewpoint. However, it's difficult to conceive of any computerized system that could distinguish "fair use" from "security hole" and, consequently, many fear that DRM could tilt the scales in favor of copyright holders at the expense of consumers.

There are, however, other less-well-known applications of DRM technology. For example, armed with strong DRM, I could put my personal information online and yet retain my privacy by limiting who can access the information and, more to the DRM point, by restricting what people can do with my information after accessing it.

A privacy example of considerable current interest is medical records. This highly sensitive information is rapidly moving online in order to satisfy the need for quick and reliable access. It is clearly necessary to protect such information from intentional or accidental disclosure. In fact, the legal penalties for unauthorized disclosure (see HIPAA) are draconian, which has led to much DRM interest in certain corporate circles.

DRM is, therefore, (at least) a two-headed beast. On the one head, the technology can be privacy-enhancing, while on the other it can be copyright-enforcing.