Music Industry Security Sings the Blues

Opinion: The industry must plan for the long term by listening to customer demands and removing the incentives for piracy.

Why cant the music industry get security right? Why cant the industry that whimpers about billions of dollars in losses via peer-to-peer services find an effective security mechanism to protect its intellectual property from piracy? With its deep pockets and the abundance of security products, the industry should be able to protect itself.

The reason every effort made to fight piracy has failed miserably is that the music industry, embodied in the Recording Industry Association of America, has applied short-term countermeasures instead of a long-term vision.

The industry, in which an artists career may be measured in months, tends to think only of the short term. If you were to tell music industry officials that you have developed a cryptographic algorithm to protect digital assets that will theoretically remain strong for the next thousand years, they would be greatly impressed. But a cryptographer who lives in the world of Moores Law knows that a thousand years is not as long as it seems.

/zimages/4/28571.gifThe EU warns of a DRM privacy threat. Click here to read more.

Prosecuting college students for piracy will do no more to solve the problem than buy-and-bust operations have done to stop illegal drugs. Attacking the symptom rather than the problem, as the U.S. Drug Enforcement Administration has done, will succeed no better in the music industry than in the world of narcotics trafficking.

Carter Laren, senior security architect at Cryptography Research, a San Francisco-based company that specializes in solving complex data security problems, told me that "from a pure cryptographic perspective, piracy is an unsolvable problem."

"To have any hope of combating it long term, the content industry needs to spend less time worrying about how to lock the front door. Instead, the industry should assume that the front door will be kicked open some day, and behind it they will need a dynamic infrastructure that lets them recover and respond to attacks," Laren said.

One way to accomplish this is to place security codes on disks along with music. This would allow studios to respond to attacks by updating security for new titles. It would not stop piracy, but it would give content owners a fighting chance.

/zimages/4/28571.gifClick here to read about the lawsuit against Apple and Sony over European music stores.

The way any industry succeeds against problems such as piracy is to align economic risk with control. Parties that suffer from piracy must control the security of anti-piracy systems. The music industry must also attack the incentives for piracy by answering user demand for alternative distribution and consumption channels.

The music industry seems stuck in a trap that often ensnares the military: preparing to fight the last war. Security in any field—particularly in music—is worthless unless it is designed to address tomorrows needs, not yesterdays.

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint Inc. and the author of "Computer Security: 20 Things Every Employee Should Know." He can be reached at Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.