Jesper’s recent frustration with a bug in the DRM support on his Windows Media Center Edition (MCE) system demonstrates a couple of basic truths in system reliability:
- Complexity negatively impacts reliability.
- DRM contributes to complexity.
Clearly, this means that DRM makes systems less reliable than they would be without DRM.
So, why can’t Jesper simply kill the DRM component in his MCE system and have a more reliable system, without the worry of DRM? Because there’s two kinds of DRM, and this is the bad kind.
First of all, let’s review a basic tenet of client-server security. If the server is owned by someone who wants to secure data, all security decisions must be made at the server – client-side security is no security for the server’s owner, unless the server can guarantee that the client is owned by the same individual.
So, with DRM, the content provider wishes to protect his material, and make it available to content consumers – this means that either the content provider needs to not rely on the client for security, or must expect that his security will be broken.
As I’ve mentioned time and again before, this means that DRM is broken in the consumer marketplace – although it works very well for business, because there is an ownership of the client environment. To those willing to break contract with the content provider, or to alter the client or the content, DRM is a barrier to overcome.
Now to the two kinds of DRM.
I haven’t found any documentation that talks about the two kinds of DRM, so I’ll give them names here – Passive DRM and Active DRM. Please accept my apologies if there are other terms for these that I should be using – and correct me, if you can.
Passive DRM protects its content from onlookers who do not have a DRM-enabled client. Encryption is generally used for Passive DRM, so that the content is meaningless garbage unless you have the right bits in your client. I consider this "passive" protection, because the data is inaccessible by default, and only becomes accessible if you have the right kind of client, with the right key.
Active DRM, then, would be a scheme where protection is only provided if the client in use is one that is correctly coded to block access where it has not been specifically granted. This is a scheme in which the data is readily accessible to most normal viewers / players, but has a special code that tells a DRM-enabled viewer/player to hide the content from people who haven’t been approved.
Passive DRM offers a choice to consumers between these two options:
- Drop all DRM features and support, so that you can’t view the protected content, but you also don’t have the added complexity.
- Include DRM features and support, so that you can view the protected content, at the cost of increased complexity.
An example of Passive DRM is that of a DVD’s protection, where the content is encrypted, and can be decrypted by any device that has an appropriate CSS key.
Active DRM, by comparison offers the following non-choice:
- Install the DRM client, adding to complexity, and be blocked from seeing some ‘protected’ content.
- Don’t install the DRM client, keeping complexity low, and allowing you to see all content, including that which is protected.
Sony’s DRM for CDs is an example of Active DRM, and a great example of why Active DRM is bad. Put the CD in an ordinary player, and there’s no DRM, because the CD player can’t load the attached software. Put the CD into a PC, and you’re blocked from making copies of the CD, plus you’ve installed an extra root-kit that makes your computer more vulnerable to attack.
Both of these DRM examples have, of course, been cracked. In the first case, that of DVDs, the CSS keys are provided on DVDs, and can be decrypted if you can get just one key by attacking a DVD player. In the second case, of course, you simply play dumb and say "I don’t run non-music content from music CDs" (or you disable AutoPlay).
But there’s a difference to the consumer. Because Active DRM requires all clients to be made compliant, or its ‘protected’ content has no protection, there is an imperative on the content providers to force compliance from all clients.
You see this in Jesper’s MCE example, in that he is unable to use his MCE system to view content that he could happily have viewed with a cheap TV. That’s right – a high-priced personal video recorder is beaten in capabilities by a cheap TV. All because his MCE system was forced to have the Active DRM client software installed – and cannot have it uninstalled even when it is shown to be the cause of a catastrophic failure in the system.
If Passive DRM had been in place – if the output of the Comcast OnDemand signal had been encrypted, then it would not have displayed on an ordinary TV, and maybe Jesper’s MCE would still have crashed when it tried to display it, but Jesper could have removed the DRM component, abandoned his ability to watch Comcast OnDemand, but gained a reliable system from his MCE box by doing so.
For a system like MCE, that’s marketed as an appliance, reliability is of paramount importance.
Only Passive DRM gives the consumer the choice to improve their own reliability. Only Passive DRM is appropriate and ethical; Active DRM requires that content producers assert that they have some form of ownership or control over devices that, by rights, belong entirely to the content consumers.
To paraphrase an old sore, if you think that DRM will solve your problem, you now have two problems. If you think that Active DRM is the solution, you have three.