There’s a lot going on in the world of Digital Rights Management (DRM) these days and I realized not everyone understands exactly what DRM is, how it works, and what the implications are. This has popped up a few times recently among friends and family as (being the alpha geek) I’ve been asked to explain why certain music or movie files don’t work on various players. Before digging into some of the security issues around DRM I thought it would be good to post a (relatively) brief overview.

I’ll be honest – as objective as I try to be, the title of this post alone should indicate that I have some serious concerns with the current direction of consumer DRM. While one of the better parts of having a personal blog is being able to throw objectivity off a very tall bridge to a very messy landing, tossing all objectivity to the wind often seriously undermines core arguments. Thus I’ll try and keep this a relatively (but not perfectly) impartial overview of the technology. In future posts I’ll dig into the security issues of DRM and make specific recommendations on security requirements for any consumer DRM system.

If you’ve ever wondered why you can’t just copy a DVD, why a song you downloaded from iTunes only plays on an iPod, why a song downloaded from Napster won’t play on an iPod, or why you can print some .pdf files but not others… keep reading. If you wonder why it’s so hard to get HDTV on a TiVo or computer… keep reading. If you want to know what that new expensive HDMI cable for your XBox 360 or flat panel really is… keep reading.

(and if you know all this stuff you might want to skip this post and wait for the big DRM security analysis in the coming weeks)

DRM Defined

Digital Rights Management (DRM) is a collection of technologies used to control the use of digital media like music, movies, television, and text. DRM decides and controls who is allowed to read or play a file, copy it, print it, email it, download it to a portable player, burn it to CD, and so on. We broadly divide the market into two halves- the consumer world, and the enterprise world (businesses). While some of the technologies overlap, this is pretty much a hard split and the use and implications of enterprise DRM are very different than consumer DRM.

I’m going to simplify a bit here, but DRM essentially works by encrypting a file and tagging it with rules on how that file is allowed to be used (the rules are also protected). Whatever reads that file must be able to both decrypt it and understand (and be able to enforce) those rules. A DRM system has two technical goals:

  1. Control/protect content by restricting what software and devices can read it.
  2. Control/protect content by restricting what that software/device (and thus the user) can do with it.

On the user side, this leads to two major implications:

  1. Users are restricted in how they can use content (copying, saving, etc.).
  2. Content (and thus users) are locked into using specific players/readers.

Thus content publishers and technology companies use DRM as a tool to protect their content (mostly from copying, but there are other implications), and to force you to use their devices. There’s also no single standard technology for DRM, creating a bit of confusion among us consumers. Consumer DRM is actually really hard, since we’re talking about an environment where the user can hack away at both the protected content and the players (devices and software) privately, which tends to give them an advantage over time.

Rather than boring you with all sorts of technical jargon I’ll explain a little bit of how this works by comparing two kinds of shiny plastic disks- CDs and DVDs.

Compact Discs- Living a Life of Freedom

CDs were one of the first (maybe the first, we skipped that in my college history classes) formats for digital distribution. Before music CDs all music distributed to consumers was analog, and one of the characteristics of analog is it tends to degrade over time, and as we make copies, noise sneaks into the signal. CDs changed all that by distributing music in digital form. Not that anyone was playing these things on computers in the 80s, but CDs barged into our lives with the promise of crystal-pure digital music- no scratchy records or stretchy tape. Back then all most of us knew was “it’s digital”, and beyond that we really didn’t think about it. Until CD drives started turning up in computers, that is.

Most anyone who has ripped a CD into iTunes now knows that a CD is really just a collection of bits. CDs are totally unprotected unless the music label adds some sort of DRM (which rarely works, since it’s not part of the Compact Disk Digital Audio standard, and our players don’t understand it). As soon as we started putting CD drives in computers we were able to pull perfect copies off CDs onto our computers. Once CD writers and discs became cheap enough we could make perfect copies of these commercial CDs. Then we learned about file compression (to squeeze those big music files into something easier to store and trade) and combined that with the Internet and broadband and all of a sudden anyone, anywhere, could trade nearly-perfect digital music with anyone else in the world without a cent going to the music labels (or artists).

They really didn’t like this. It really pissed them off.

Their response? Sue the hell out of everyone and write some laws.

You see, there’s a huge disparity in perception between content companies and consumers when we buy those CDs. Historically we think of it as “buying music”. We paid money, we own the CD, thus don’t we own the music? Not really- the copyright holder always owns the music, we’re just allowed to use it. When we buy a CD the music companies think we’ve only bought a license to use that music on particular devices, in a particular format, under specific conditions (e.g. no commercial use). The CD is just their convenient way to loan us that music. In other words- no copies (for personal use or friends). No mixes, No trading. No playing in public. And so on. While the law may give us some rights (like making backups, or mixes for personal use) the Recording Industry Association of America keeps muddling the waters and very few users, including your Congressional representatives and judges, know exactly what we’re allowed to do and not do with our digital content. Why? Copyright laws written initially in the 1700s never could have predicted the implications of technology. And technology moves like the Starship Enterprise while the laws move like… lichen in the Antarctic.

Thus public perceptions, legal reality, and industry desire all shoot off in different directions like tattered limbs of the careless consumer being drawn and quartered by four horses named R, I, A, and his other brother A.

But without DRM it’s really hard to enforce.

The Life and Death of DVDs

In the 90s we saw the emergence of a new digital standard- this time for movies (managed by the Motion Picture Association of America). DVDs are very different than CDs. Not just because they store more (a LOT more) but because the MPAA and the movie studios learned from the pain of the RIAA and decided to include some DRM on DVDs. Now all this happened long before Napster, but what a lot of us didn’t know before the Internet was that copying has a long and cherished international history. There are entire countries that culturally don’t really recognize much of a concept of intellectual property.

Thus DVDs include a rudimentary DRM known as CSS.

Movies on DVD are encrypted using CSS and every DVD player out there has to pay a license fee to include the software to read commercial DVDs. CSS only enforces a couple of rules:

  1. You can’t copy protected DVDs
  2. Embedding a region code so a DVD only plays on players authorized for that region (e.g. North America vs. Asia).

The region code is supposed to reduce bulk pirating of DVDs- if bad guys make a perfect copy of the DVD it should include the region code, and thus the big pirates of Asia can’t pass off these copies in the US. It also restricts films to certain regions to address differences in copyright laws and non-global distribution rights (a studio typically produces a film or TV show, then licenses separate distribution companies to release them in various regions). Most important to the studios, region codes support theatrical and DVD release schedules, and differential pricing. They can release a DVD in the US while Europeans and Asians must still go to the theater to see ‘new’ movies, and sell DVDs cheaper in certain parts of the world, without worrying that US consumers will buy them at the reduced price.

CSS is a clear case of using DRM to enforce a business policy, not only hamper copying. The irony, of course, is that CSS really has nothing to do with copying – a duplicate of a DVD has exactly the same CSS status as the original. It’s really about extracting digital content from DVDs, and restricing players (to support region codes).

Some of you might remember having to buy separate DVD player software (or a codec) to watch a movie on your PC- that’s because somewhere, someone, has to pay the license fee to read commercial DVDs and this cost isn’t always included in your new system (it’s not included in Windows by default).

Of course no good DRM goes unpunished, and eventually someone released software to crack CSS (called DeCSS) and strip the protections. The MPAA wasn’t overly thrilled with this development and went to, you guessed it, their lawyers. They didn’t only attack the software, they attacked anyone on the web that even linked to it. This lead to amusing developments such as the printing of the source code onto t-shirts (it was only a few lines). It also lead to less amusing developments due to violating the Digital Millennium Copyright Act (DMCA).

The DMCA is an ugly law far beyond what we’re here to talk about today. The important element for our discussion is that the DMCA, for the first time ever, criminalized circumvention of copy protection technology (and the creation and distribution of circumvention technology). It’s a law to protect DRM.

The implications are complex. Although, per fair use, consumers have the right to make backups, the creation of the tools to make those backups is illegal. Yeah, I think it’s weird too. And no law really covers ripping movies to play on your iPod or PSP, but it’s probably okay under fair use, even though the tools are probably illegal. Maybe. Probably. You can find out if you can pay the lawyers- well, Bill could.

So back to our story of the shiny plastic discs. On one side we have CDs- a totally unprotected format. Consumers can easily backup, copy, and transfer music for both illegal and totally legal activities. iTunes, Windows Media Player, and other software can easily and (legally, in most places) rip music onto our hard drives and transfer files to our iPods and other music players. And yes- pirates can make and distribute illegal copies just as easily.

On the other side we have DVDs- technically legal to copy, but all the software to do it is illegal thanks to DRM. None of the major media programs support ripping of DVDs to backup or store on our video iPods and Sony PSPs. Consumers have to turn to technically illegal software to support their legal use rights. The effect on piracy? None. Nada. Zip. Why?

The essential problem of consumer DRM (one I outlined years ago in a conference presentation on consumer security) is that if you can see something or hear it, you can copy it. If you can crack the DRM just once, you can make and distribute an infinite number of copies. We’ll get back to these problems a little later.

DRM Examples Today- iTunes and Windows Media Player

Most consumer DRM today focuses (for obvious reasons) on audio and video files. In the computer world we have two main formats- iTunes (a DRM scheme called FairPlay) and Windows Media Player (Microsoft DRM). Yes, there are lot of other formats, but when it comes to DRM these are, by far, the most widely used.

Apple was one of the first to offer legal music downloads (actually I think they were the first) from major music labels via the iTunes Music Store. Music distributed through the store is protected with FairPlay, and comes with certain limitations. You can’t just copy a FairPlay protected song- when you download the song you also download a license that lets you play it on up to 5 computers at the same time, and an unlimited number of iPods (and only iPods) attached to those 5 authorized computers. You can burn songs to CD in an unprotected format, but any particular playlist can only be burned a total of 7 times. What are the implications? Well, when you download a song from Apple you can’t use any device other than an iPod to play it. Own a non-Apple MP3 player? You’re out of luck unless you want to burn it to CD and re-rip it (dropping the quality somewhat). You can’t stream protected songs from your computer to your stereo or TV unless you use a specific Apple device. That nice Sonos whole-home music system can’t play Apple files, because Apple doesn’t license FairPlay.

FairPlay not only protects the content, it locks you into using only Apple equipment. It protects both the content and Apple’s business model.

Microsoft follows a different business model with a DRM scheme it licenses more widely. Other companies can license the Windows DRM to include in their software as long as they meet certain requirements. Napster, Rhapsody, and numerous other audio and video download services use Microsoft DRM. Many companies make compatible players, all under a logo called “PlaysForSure”.

But each content partner can set different rights. Some allow limited CD burning, but most don’t. Some limit the number of players. Some let you subscribe to downloaded content for a monthly rate, but the content disappears if you stop paying your bill. Lot’s of rights. Lot’s of different enforcement. Lot’s of players and software. Lot’s of confusion.

So Microsoft recently announced “Zune”, their end to end player and distribution system, like iPods and iTunes, to simplify the process for consumers and offer a more seamless experience. Of course rumor is it won’t be compatible with PlaysForSure. Of course. This has to be confusing and worrying all those partners who licensed Windows Media / PlaysForSure for their devices.

And the upcoming update of Windows Media Player may apply rights restrictions to content ripped from CDs without asking you, and you might not be able to transfer content between computers. Heck, it may even violate copyright licenses that allow digital distribution (DRM that violates copyright? Wow.)

As with Apple content is restricted far more than if you bought the CD- there are limits on transferring it, what devices you can play it on, backing it up, and any of this can change at any time without notice with just a software update. And when your computer crashes or hard drive dies you might lose it all. And with all these options your fair use is restricted, and none of this seems to stop the content pirates.

Your rights are definitely managed.

Safe Computing: Protected Paths and Analog Holes

As I mentioned earlier one of the vulnerabilities of any DRM scheme is we have to eventually see or hear the content. If the quality is good enough, this lets the bad guy copy the content. The copy might not be perfect, but many of us don’t demand perfect quality (I personally rip all my music as 192k MP3 files- definitely not as good as the original CD, but good enough for my tone deaf ears).

Back a few years ago when I presented on consumer security I had a slide showing how easy it was to take the analog output and make near perfect digital copies. I stated, “the only way to prevent this is if we get rid of analog and force every TV, DVR, stereo, and other playback device to include a computer chip to digitally enforce rights from start to finish”.

I thought I was joking. I was wrong.

The high-quality-analog-to-digital copy path I mentioned above is called the “analog hole”; and as we move into a world of high definition video the content owners are doing their darndest to plug it up.

To plug the analog hole the media companies have a concept known as the “protected path”. Content is encrypted from start to display, with no analog hole, and no way to intercept an unencrypted digital signal. If you’ve bought a high-definition TV lately it probably included an HDMI cable. HDMI provides a digital signal and enforces this protected path. If you have an older TV without HDMI it probably uses high definition component input- 3 cables for video, and the standard 2 for audio. But component can’t enforce DRM, so media companies are pushing manufacturers to only use HDMI for high definition. These days there’s almost no DRM enforcement on high def content sent over satellite or cable, but after everyone is running HDMI they can start enforcing rights restrictions.

Examples include blocking recording with your TiVo, or only allowing you to watch a recorded show once. Or making you watch that recorded show without fast forwarding through commercials. Or maybe automatically erasing the show after 24 hours. And definitely stopping you from recording a show and downloading it to your laptop or iPod to watch on that long international flight.

Copying is limited, at least until the bad guys crack it, and your legal rights are managed, unless you want to break the law.

Don’t think you can avoid the protected path by using your PC as a media player- no PC will be authorized to play either of the new high definition DVD formats (HD-DVD and Blu-ray) without a completely protected path. This means you’ll have to upgrade everything, including your monitor to play downloaded, recorded, or DVD high definition content.

Today we still have a lot of freedom with this content and the analog hole exists in most devices. But once everyone has HDMI there’s nothing to stop content companies from placing use restrictions on all video content.


DRM is a complicated technology and a complicated issue due to the legal implications. Consumer DRM protects content from illegal copying and copyright infringement, but also limits consumer choice and consumers’ legal content use rights.

I’m not against DRM; it’s a valid tool for the protection of intellectual property. But current DRM systems are more effective at restricting consumers’ rights than they are at preventing illegal distribution and copyright infringement. I’m also worried about the security implications for consumers, which I’ll cover in an upcoming post.

Personally I’m reducing my use of any protected content until I know my rights as a consumer are protected. While I do sometimes acquire restricted content (legally), I also convert that content to a format that protects my rights.

We’re probably only in round 2 or 3 of a 15 round super heavyweight battle for content control, copyright enforcement, and consumer rights. The next few years will be interesting legally and culturally as we work through these issues. But as citizens it’s our duty to make smart decisions, and know and demand our rights. Or we’ll lose them.