
    Digital Rights Management: For Better Or For Worse?

    By
    Mark Stamp
    -
    May 1, 2003

      Editor's Note: Mark Stamp has spent well over a decade working in computer security. He can neither confirm nor deny that for seven years he was a cryptanalyst at the National Security Agency. However, he can confirm that he recently spent two years designing and developing a DRM product at MediaSnap, Inc., a small Silicon Valley startup company. Currently, Dr. Stamp is enjoying life as a college professor and occasional security consultant. His current research interests are security, networks, algorithms and DRM.

      Digital rights management, or DRM, is an attempt to maintain “remote control” over digital content. For example, Stephen King might like to sell a new book online (though this is doubtful given his previous online publishing experience). But he might only make one sale, since any purchaser can, with the click of a button, redistribute a perfect digital copy to a large percentage of the population of the earth. To prevent this, Mr. King might like to retain some control–remote control–over what a purchaser can do with his digital book after purchasing it.

      Standard cryptographic techniques enable secure delivery of the bits, but provide no restriction on their use after delivery. The additional DRM requirements beyond secure delivery are collectively known as “persistent protection”, that is, protection that stays with the digital content wherever it goes. In contrast to cryptography, the primary purpose of persistent protection is to protect the content from the intended recipient.

      What can it do for (or to) me?

      If the remote control/persistent protection problem can be solved effectively, the implications are enormous. Of course, copyright holders would be ecstatic since they might be able to stem the tide of online piracy—see RIAA or MPAA for the Hollywood viewpoint. However, it's difficult to conceive of any computerized system that could distinguish “fair use” from “security hole” and consequently, many fear that DRM could tilt the scales in favor of copyright holders at the expense of consumers.

      There are, however, other less-well-known applications of DRM technology. For example, armed with strong DRM, I could put my personal information online and yet retain my privacy by limiting who can access the information and, more to the DRM point, by restricting what people can do with my information after accessing it.

      A privacy example of considerable current interest is medical records. This highly sensitive information is rapidly moving online in order to satisfy the need for quick and reliable access. It is clearly necessary to protect such information from intentional or accidental disclosure. In fact, the legal penalties for unauthorized disclosure (see HIPAA) are draconian, which has led to much DRM interest in certain corporate circles.

      DRM is, therefore, (at least) a two-headed beast. On the one head, the technology can be privacy-enhancing, while on the other it can be copyright-enforcing.

      Technical State of the Art of DRM

      Unfortunately—or fortunately, depending on your perspective—the level of persistent protection provided by most DRM systems appears to lie somewhere between incredibly weak and really pathetic. DRM offerings from such high-tech luminaries as Microsoft (MS-DRM) and Adobe (eBooks) easily fell to attackers. In fact, there is a widely held belief that robust DRM cannot be achieved via any software product. Ironically, this belief may have become a self-fulfilling prophecy.

      Based on the available evidence (i.e., broken DRM systems), the persistent protection methods employed to date have been extremely lame. It's difficult to know exactly what protection mechanisms are being employed by most unbroken DRM products, since companies are extremely tight-lipped when it comes to technical details. This secrecy is itself disturbing since one of the fundamental principles of security engineering (Kerckhoffs' Principle) states that a system must be open to public scrutiny before it can be trusted. This basic principle is grossly violated by virtually all DRM purveyors today. As far as I am aware, MediaSnap, Inc., is the only DRM company that provides a reasonable technical overview of the security features in their product.

      This dearth of technical information should be viewed with considerable suspicion. The likely explanation is that DRM products rely on “security by obscurity”, which, in the eyes of most security experts, is equated with “no security at all.”

      Today, I would not entrust my valuable digital content (if I had any) to any well-known DRM product. Content providers obviously feel the same way, otherwise there would be far more non-pirated digital content available online. However, the current state of the DRM art is capable of providing useful protection in certain circumstances. One such example is proprietary corporate documents. In this scenario, a moderate level of persistent protection suffices since there are severe legal consequences for violators. But even here I see no reason to use a weak DRM system when it is possible to build a more robust—though not unbreakable—software-based system.

      The hardware solution

      The wildcard in the DRM game is the Trusted Computing Group (formerly, the Trusted Computing Platform Alliance, or TCPA), which includes the likes of Intel and Microsoft, and aims to build DRM protection into future generations of hardware. Though not unbreakable, a DRM approach based on tamper-resistant hardware is likely to offer a level of protection far beyond anything possible from software-only systems. Of course, this is appealing to copyright holders in about the same measure that it is unpalatable to those with a passion for fair use (or free use). To learn more about the potential consequences of this approach, see Ross Anderson's excellent TCPA/Palladium FAQ.

      In any event, the Trusted Computing Group solution is not an option today. And even if it comes to fruition, it's not clear that consumers will accept it—recall the Pentium III serial number. But the progress of hardware-based DRM bears watching.

      The Titanic principle

      In 1912, a first-class one-way (part-way, as it turned out) passage on the Titanic cost the modern equivalent of more than $50,000. While it lasts, a round-trip flight across the Atlantic on the Concorde costs less than $6,000 and cheaper first-class rates are available on less prestigious aircraft. Whereas a flight across the Atlantic takes a few hours, the Titanic would have taken about a week. If the Titanic were around today, it would obviously need to set its first-class charge to a small fraction of its 1912 rate in order to compete.

      Today, record companies expect consumers to pay $14.95 for a CD that can be had for free online. The online version is of high quality and often more convenient to obtain—particularly for less popular items. Is it reasonable for record companies to demand Titanic rates for music in a technological era that includes the internet, peer-to-peer (P2P) networks and broadband? The record labels (and their lawyers) seem to think so.

      If the Titanic were around today and charged $50,000 for a ticket, I doubt that many people would mourn its inevitable financial demise. Of course, if the Titanic were to drastically cut its rates and offer something that the airlines could not (a relaxing week at sea, say), it might survive, or even thrive.

      Business Model Matters

      The record companies lack strong, watertight DRM. But it's not even clear that such DRM would help all that much. No matter how good the DRM technology, The Beatles' The White Album will never be DRM-ized—the bits have escaped into the wild, never to be domesticated again.

      One potential solution to this dilemma can be summed up as “if you can't beat 'em, join 'em.” This concept has been championed by, for example, Exploit Systems. Exploit Systems does not try to eliminate P2P file sharing. Instead, they attempt to gently coerce users to pay a small fee in order to receive a legal version of the content. The legal content is distributed over the same P2P network that distributes the pirated content. In return for paying protection money, a user has fewer hassles to deal with and also obtains extras that are not (yet) available with the free download. However, the freebies still exist, and a user with sufficient tolerance for hassles can obtain his music for free.

      Even a relatively weak form of DRM will suffice in the Exploit Systems model. The content obviously must be priced so that a significant fraction of users will deem it worthwhile to pay, even though free copies are available. It's doubtful that this business model supports $14.95 CDs. But assuming the price is right, the DRM system only needs to be more of a hassle to break than the hassle required to find the content for free. This level of DRM protection is clearly possible today.

      To date, the record companies don't see things this way. Apparently, they would rather dig in their heels and hope that they can bludgeon the world into accepting strong hardware-based DRM. Via this technical fix, they might hope to effectively roll back the clock to a pre-P2P era. Personally, I'll believe this is possible when I see the Titanic steaming across the Atlantic carrying passengers willing to pay $50,000 for a ticket.
