DRMs and free software

Background for debating this issue in the context of the French DADVSI law and the GNU GPL version 3 drafting process

DRM stands for Digital Rights Management. Within the free software and open information communities, some have proposed to interpret the acronym as standing for Digital Restrictions Management, so as to better highlight the corresponding functionality. Issues linked to the relation between DRM systems and free software have come up during the debates in France on the DADVSI (Author Rights and Neighbouring Rights in the Information Society) law [transposing into French law the European directive of the same name, which is our variety of DMCA with some differing elements]. They also hit the news with the ongoing process of revising the GNU General Public License, the fundamental constitution of free software. These debates are complex and important. They have a triple dimension: philosophical or political, technical and legal. The present text tries to clarify their nature and stakes. Sorry for its length, but the subject is not fit for approximate shortcuts.

1. A brief history: from technical protection measures (TPM) to digital rights management (DRM) systems

In December 1996, WIPO adopted, after a relatively brief preparation, its Copyright Treaty and its Performances and Phonograms Treaty, which are the first texts to impose a legal “protection” against circumvention of “effective technological protection measures” “used by authors” (and performers and producers for sound recordings) “to restrict acts” “which are not authorized by the authors concerned or permitted by law”. See article 11 of the first treaty and article 18 of the second treaty for the exact texts, which did not define “effective”. The predominant distribution mode for digital information was then its distribution on carriers, even if on-line distribution was common for text-based information, databases, software and photographs. Public debate and NGO watch had not caught up with WIPO at the time, and it was working in a peaceful remoteness to promote and extend property mechanisms in all domains of the intellectual sphere. Though as a UN agency it is governed by the general assembly of its Member States, it had long forgotten the mission statement definition in the agreement it had signed in 1973 with the UN when it became one of its agencies, and focussed on serving its “customers” (such as the International Intellectual Property Alliance) and on implementing a narrowly defined mission. In addition, WIPO was trying to get back to grips with a subject on which it had partially lost control with the signature of the TRIPS agreement at the time of the creation of WTO (1994). The TRIPS agreement contains many disputable and debated provisions, but has nothing regarding the circumvention of technical protection measures. The 1996 treaties are thus the first TRIPS+ texts (going beyond what is required by TRIPS in terms of toughening the execution of property rights).

Few people paid attention to the importance of this transformation at the time. TPMs were mostly seen as access control devices (preventing the unauthorized access to a given work) integrated onto its carrier or possibly running on the server giving access to it. TPMs were not perceived as resting upon the detailed control of what’s happening in a user machine. In the next few years, the reference universe drastically changed. It started with the US Digital Millennium Copyright Act of October 1998, though it remains quite close to the wording of the 1996 treaties regarding the prohibition of circumventing TPMs (Title 1201: No person shall circumvent a technological measure that effectively controls access to a work protected under this title.). One can truly measure the change with this sentence of art. 6.3 of directive 2001/29/CE “Copyright and Related Rights in the Information Society”: Technological measures shall be deemed “effective” where the use of a protected work or other subject-matter is controlled by the right holders through application of an access control or protection process, such as encryption, scrambling or other transformation of the work or other subject-matter or a copy control mechanism, which achieves the protection objective. A fundamental concept appears that will transform TPMs into DRMs: usage control.

Why such a transformation, that will expand to much more than this issue of vocabulary? A whirlwind of panic develops within the large content production / publishing / distribution corporations. The Internet imposes itself as a major channel for the distribution of works, which means that the content industries must move into it or accept a decline of their commerce. But they can develop Internet-based commerce only if they are able to impose upon it what they see as the key characteristics of their business: the concentration of supply and even more of promotion on a limited number of titles whose performances are more or less predictable. “More or less predictable” means here uncertain in terms of individual performance but predictable when averaged on a limited number of titles (around ten for major feature films, hundreds for music recordings, a few tens of thousands for photographs, etc.). This revolution occurs just at the time when, after the success of the CD, the DVD has initiated a strong growth of their revenues, and vertical as well as horizontal concentration develops. However, just as the Internet becomes a compulsory path for them, it evades them radically. First, it appears that distribution can be done by users themselves, and that new prescription mechanisms develop outside the (principally broadcast) non-Internet media. This means a need for ever stronger promotion in order to maintain the concentration of demand on best-selling titles (thus the increasing share of promotion in the expenses of the content corporations). Second, it becomes more and more evident that in a context of possible (re)distribution by users, TPMs in their former meaning are totally ineffective. Incapable or unwilling to reinvent themselves for this new context, the large content corporations, led by the MPA and the IFPI, are going to give flesh to the total usage control model.
For a while the computer, telecom and consumer electronics industry will oppose this idea, knowing that its full realization would be disastrous for the continuation of the extraordinary growth of their industry. However, a number of them start to see the DRM deployment process as an escape path from the hard game of competition (or a way to remain outside of its grasp for Microsoft). Microsoft, Philips, Nokia, Sony and Apple (though in a more subtle manner) all hope to conquer a dominant position - or a participation ticket in an oligopoly - in what they see as the key to control of the markets: usage control systems. IBM and Sun cannot abstain from joining in the dance, though their communication stresses more open approaches.

The driving players quickly realize that usage control cannot be done halfway. As early as 8 January 1999, Microsoft applies for a key patent for implementing a total control on all software that runs on a computer, and in particular the operating system (US 6,327,652 granted on 4 December 2001). Ironically, the main researcher involved, Paul England, who has now applied for more than 15 patents on related techniques, was previously known for some nice research work within Bellcore to assist user access to information. Such a trajectory, which led a number of information access researchers to switch to access restriction research, is not exceptional. From then on, the nature of the debate surrounding the regulation arenas will change. An opposition is staged between a scenario supported by the content industries (Disney, MPA, Vivendi-Universal) that would make totalitarian DRMs (for which TPM is no longer anything but a conventional legal appellation) compulsory in any device, and a scenario supported by the technology suppliers that would leave it to the market to decide which is the best weapon of mass destruction against freedom of use. In reality, the technology suppliers are afraid that a debate on a compulsory DRM legislation would lead to an obligation for DRM to make legal use possible in practice. The few consulted groups that stand for the rights of users or the public (blind union, library and information centres associations, consumers) are marginalized in processes such as the DRM working groups put in place by the European Commission. In this exercise, just as in other co-regulation arenas such as the French Copyright Council (CSPLA), the viewpoints stressing more general cultural or civilization objectives are simply omitted in public reports.

The compulsory DRM model appears in the various bill proposals by Senator Hollings, in particular CBDTPA, and more recently in the Digital Content Transition Security Act and the French Vivendi-Universal / CSPLA proposed amendment to the DADVSI law under discussion. One will note that the CBDTPA (March 2002) planned for compulsory DRMs to be implemented as open source software. This was meant to preempt criticism based on market control risks. At the time, this idea was rejected by both the proprietary technology suppliers and free / open source software advocates.

From 2000, critics perceive the true nature of DRM and denounce it. US copyright specialist Julie Cohen from Georgetown University identified the key reversal associated with DRM protected against circumvention: the judgement on the legitimacy of usage is transferred from judges to usage control devices. She shows that such a transfer breaks with the core tradition of intellectual rights and freedoms. I wrote in 2000: “The public space is endangered not so much by explicit attempts at restricting it, than by the indirect effects of restrictive management of intellectual property. The development of “protection” technology, its embedding in access devices and telecommunication technology are a major risk in that respect. In many cases, the exigence of keeping the public space free is not included in the requirements for the design of these devices and technology. The history of DVD player technology is a good illustration of this point. So the principle stated above is not only of a declarative nature, it must be binding in future decisions on technology implementation, and such decisions must also include the consideration of the limited duration of property exceptions. Finally, the public space is centered around the access of all to the public domain, but also around the access for some usage to all entities. Provision should also be made for this to turn into reality: protection technology must not block the possibility of quotation for the sake of criticism for instance, or access by the disabled” (one will note that I could not give a truly representative example of DRM at the time). More recently, Cory Doctorow wraps up the critical analysis of DRM in his Microsoft Research DRM talk, a true work of art that was translated into 13 languages and many open formats.

The traditional institutional inertia, the security frenzy after September 11, and the successful strategy of a few content multinational corporations depicting non-commercial sharing of information as an advanced form of terrorism will help DRMization to continue. It will even intensify with the generalization of attempts to make it compulsory and criminalize more severely its circumvention … or even publicly stated disagreement.

2. Yes, but what exactly are DRMs and why talk about them and free software?

The detailed Wikipedia article on DRMs provides much useful information, but, in my opinion, does not truly throw light on the strategic issues raised by DRMs. Thus, let’s have a go at it.
A DRM system is a set of software and hardware, some within your personal machine, others running on servers, that does its best to control, as specified by rights owners and the system builders, what you can and can’t do with a digital representation of a work covered by copyright and related rights. A key difficulty of this discussion is that no currently deployed system represents the full model. That’s partly because some promoters of DRMs wait for all the legal locks to be available before deploying more complete systems, partly because of baiting strategies (installing the usage of services that are associated with weak DRM easily circumvented, prior to toughening it), and partly because of the technical absurdity of DRMs whose accomplished model can only function in a totalitarian society. What is this accomplished model?

More than on anything else, it rests upon the detailed control of any piece of software that can be run on the user’s machine and that can interact with the use of a file or an on-line service. That means first and foremost the basic components of the operating system. One of the scenarios for such a control (presently being deployed) uses TCPA (Trusted Computing Platform Alliance) chips to implement cryptographic checks in order to verify that any component, and in particular the operating system boot is associated with keys testifying that it is “safe” for the DRM. See Ross Anderson’s TCPA FAQ for details. Other models will no doubt appear (there are already some using biometric identification of authorized users) but they will all try to transfer to the DRM suppliers and their content industry customers the ability to check and authorize what can be run on the user’s machine. Why? Because without that a DRM is easily circumvented (see Cory Doctorow’s above-referenced talk).
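
An added illustration, not part of the original essay and not TCPA code: a simplified model of the cryptographic check described above, in which each boot component is hashed into a running register and a remote party compares the result with the values it has approved. The component names, the SHA-256 register and the `provider_decision` policy are assumptions made for the example; a real chip would also sign the reported value, which is left out here.

```python
import hashlib

# Register state at power-on (assumption: one SHA-256 sized register).
ZERO_REGISTER = bytes(32)


def extend(register: bytes, component: bytes) -> bytes:
    """Fold one component into the register: new = H(old || H(component))."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(register + measurement).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Measure every component, in load order, starting from the zero register."""
    register = ZERO_REGISTER
    for blob in components:
        register = extend(register, blob)
    return register


def provider_decision(reported: bytes, approved: set[bytes]) -> str:
    """The remote party, not the machine's owner, holds the list of 'safe' values."""
    return "release content key" if reported in approved else "refuse"


# Constructed stand-ins for the binaries loaded at boot.
VENDOR_CHAIN = [
    b"firmware 1.0",
    b"bootloader 1.0",
    b"vendor kernel 1.0",
    b"vendor player 1.0",
]
# Same machine, but the owner has rebuilt the kernel.
USER_CHAIN = [
    b"firmware 1.0",
    b"bootloader 1.0",
    b"kernel rebuilt by the owner",
    b"vendor player 1.0",
]

# The only final register value the content provider accepts.
APPROVED = {measure_boot(VENDOR_CHAIN)}

if __name__ == "__main__":
    for name, chain in (("vendor chain", VENDOR_CHAIN), ("owner-modified chain", USER_CHAIN)):
        reported = measure_boot(chain)
        print(f"{name}: {reported.hex()[:16]}... -> {provider_decision(reported, APPROVED)}")
```

Changing any one component, or the order in which components load, changes the final register, which is why the party holding the approved list ends up deciding what software may run.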

Oh, by the way, even with such a transfer of control, DRM will be in effect massively circumvented, for a reason that surprisingly escapes most commentators. For DRM to be massively circumvented for a given work, there is no need for a great number of users to circumvent it (which of course is not easily done by an ordinary layman). It is enough for one person or group, anywhere in the world, to be capable of such circumvention and to put in circulation a DRM-free version of the corresponding work. DRMs play a billion games against the whole planet, and it is enough for one game to be lost to ensure that all are. Note that those who can later access the work are not directly circumventing (in the legal sense) anything, they are only in possession of an open format representation of a copyrighted work. If the reader believes that watermarking can change this situation in any way, would s/he please read S. Craver, N. Memon, B. L. Yeo, and M. Yeung, “Can Invisible Watermarks resolve Rightful Ownerships?,” IBM Research Report RC 2050, republished in Storage and Retrieval for Image and Video Databases, SPIE, 1997, pp. 310-321.

Does this mean that I am happy for DRM (total or unaccomplished) to be possible to circumvent, and that I am thus making myself guilty (if the 12 July 2005 criminal sanctions plan proposed by the European Commission is adopted as it stands) of the future crime of inciting or encouraging infringements of IP? It depends. I am not particularly keen on seeing a massive sharing of works whose creators and producers have been stupid enough to make them public while at the same time using extreme means to stop them from becoming public. Imagine however a person who needs to practice some legal usage of a work and is stopped from doing so because the law has not made provisions for DRMs to make this usage possible in practice. Then, I am very keen for this person to be able to circumvent the DRM. The legal protection of TPMs, if it is extended to DRMs, results in a paradox: it is ineffective against what it claims to stop (“piracy”) and potentially effective against legal usage. The planet-wide circumvention will of course be quicker for best-sellers than for rare contents and it will be difficult to order it “on demand”, for instance to practice a legal usage. As Cory Doctorow has stressed, there will also be quick dissemination of circumvention means, but their users can be prosecuted if the law creates a legal protection against circumvention even when it is needed for legal usage, contractually authorized usage, or in cases where the user was not properly informed of the limitations of the DRM.

That’s only the beginning. The true price paid for the fiction of a continued scarcity of information lies in the destruction of the freedom of action for non-specialist users. This is of course the true desired benefit of DRM. French readers can see by reading the article by Ulhume on the Mechanical Sheep site that even those DRMs that are presently used (implementing only part of the model) already present a danger for the constitutive freedoms of everyone’s ability to be a contributor to an information society.

A specific point to remember for later discussions of the relation with free software: it is easy for DRM promoters to claim that the obligation to disseminate them as open source software (Fritz Hollings’ proposal) or to provide free / open source software developers who wish to implement them with the necessary information will ease the planet-wide circumvention.

3. Free software in the context of the DADVSI law

One needs to distinguish carefully between 3 questions (they are not thought experiments but refer to existing cases):

  1. Is it relevant to ask for TPMs to no longer be protected against circumvention when interfering with the functioning of the user machine operating system or the freedom of each user to run software of his/her choice?
  2. Is it relevant to ask for information needed to implement TPMs that are legally protected against circumvention to be made accessible to those who wish to implement these TPMs as free software?
  3. Is it relevant to implement free software-based DRMs?

The third question is of a different nature: it is not about demands regarding the law, but about what developers should be incited or advised to do. My answers to these questions are as follows: a clear yes to the first one, a clear no to the last one, a nuanced no to the second one. Let’s see why:

  • The first proposal has the great benefit of forcing a clarification of the definition and perimeter of protection measures that are granted a legal protection regime (further than already done by the 134=136=144 amendment voted last December). Note that it is equally important to obtain a positive vote on amendment 92, which specifies that circumvention of technical measures cannot be prohibited when it is necessary for the sole purpose of a legal usage or a contractually authorized usage, or when information about restrictions was not provided. Two good provisions are better than one.
  • After reading the previous section, the reasons that lead me to reject the idea of implementing free software DRMs should be clear. I consider such an idea to manifest a deep misunderstanding, since DRMs consist precisely in depriving users of the freedom to control software running on their machine, a freedom that is the essence of free software. I know that (Fritz Hollings excepted) those who imagine doing such an implementation have no desire to deprive users of such a freedom. Their intentions are laudable, since they wish, if DRM undergoes a wide deployment, to avoid the situation where free software usage would be marginalized in a small ghetto because its users would be unable to access widely disseminated contents. But they can only believe that it would be a useful move if they are mistaken about what DRMs are. They mistake them for TPMs of the 1996 era, for little isolable and confinable components. Of course it is relevant to implement DeCSS as free software, and to ensure that this implementation remains legal. But not as a TPM, simply as a piece of software needed to practice a legal action. And it is even less relevant to implement free software DRMs.
  • Finally the second question is very tricky. To propose for the specs of TPMs that are legally protected against circumvention to be accessible to free software developers (which means disseminable) would of course have the advantage of forcing proprietary DRM providers to make their refusal explicit. However, it seems to me that in a more significant manner, such a demand would legitimate the DRM model (at least if one does not obtain satisfaction on the first issue) and risks legitimating a compulsory DRM scenario. One would exchange a fiction (availability of what proprietary technology providers consider as their absolute weapon to free software developers) for a very real risk: legitimating the one model that represents the highest risk for an information society in which all can be contributors.

4. DRMs in the context of the GPL revision process

On 16-17 January, MIT hosted the launch event of a revision process for the General Public License, the most used free software license and, in my opinion, a fundamental component of the free information ecosystem. Version 2 of the GPL dates from 1991, and there exists a consensus of most players who adopt a wide vision that a revision is desirable. The aim is to: adapt to new conditions created by the explosive growth of free / open source software development and usage; find solutions to some compatibility problems with other F/OSS software licenses; solve issues connected to the present lack of availability of official linguistic versions in languages other than English; and include provisions that can be made necessary by the evolution of the legal framework such as software patents in countries that are in the unlucky situation of recognizing them or the legal protection of TPM in copyright law. The revision process will last at least a year and is one of the most ambitious global governance exercises for the information commons ever done (though of course some will question the specifics of its organization).
On 16 January a draft proposal for version 3 of the GPL was issued and it has since been open for comments. This draft includes in the preamble and in section 3 a number of provisions regarding DRMs. This is by far the aspect that has triggered most debate. Linus Torvalds reacted against the proposal, which he comments on as if it were the final version, and has declared that he would not apply the GPLv3 to the Linux kernel (everyone will be free to switch to version 3 or keep the present version for one’s software). Some French libre software players have also commented against these DRM provisions on the escape_l discussion list and in comments on the GPLv3 site. Even those who think that it is necessary to include DRM provisions in the GPLv3 are far from enthusiastic about some aspects of the present drafting, judged to be confusing and risking to have undesired side effects on DRM-unrelated cryptography for instance. Can one clarify the present debate by using my analysis in the previous sections? The debate is too recent and heated for me to submit more than a tentative position.

The presently proposed text contains one sentence that seems clear to me: no covered work constitutes part of an effective technological protection measure. When read with some introductory context, this sentence does not limit the nature of systems that can be realized under the GPL, but specifies that these systems are not “effective technical protection measures legally protected against circumvention” in the specific field of copyright and related rights. It does not create any obligation for developers or users of cryptography systems to make their private keys public, nor does it make legal software or practices that can be illegal in some countries. It only guarantees the beneficiary of the license against accusations of having circumvented a technical protection measure when modifying the covered software. This clause of course makes visible for all that the GPL is not a meaningful choice for creating DRMs or TPMs that are protected by law against circumvention. Is it a good idea? For DRMs I claim that yes (see previous section, question 3). For TPMs as conventionally defined by law, the DeCSS software presents us with a concrete example of what happens when one accepts to prohibit circumvention of TPMs without excluding from this prohibition acts that are needed for legal use such as playing a DVD under GNU/Linux. The example demonstrates that the resulting situation is disastrous from a legal viewpoint as well as from a practical perspective, but of course does not stop real usage. There are widely used free software programs that work only when one adds DeCSS or an equivalent, and proprietary software players, of which some have been suspected of including GPL-ed code in a way that would constitute an infringement of the copyright of the licensor. Would things be better if it was possible to write an approved DVD reader under GNU/Linux under the GPL? But it IS possible under GPLv2!
Why doesn’t it happen 8 years after DMCA (four and a half years if one starts from the MPAA vs. 2600 decision)? Because the content multinational corporations do not want it, and because the F/OSS developers are conscious that it is impossible.

The remaining part of the DRM provisions in the GPLv3 draft seems to be confusing at best, including the sentence that is supposed to explain the one that I have just commented on. Some parts of section 3 describe intents, and if they belong somewhere, it can only be in the preamble. Other parts have triggered concerns within the cryptographic community. Let’s say so, let’s argue it, and I don’t see any reason for the committees that are supposed to synthesize comments into issues submitted for decision, and for Richard Stallman, who has the responsibility of making the corresponding decisions, to ignore these comments.

Finally, Rishab Ghosh signalled that the draft’s stated intention of preventing free riding on F/OSS by players whose deployment of DRMs goes against the aims that F/OSS intends to serve could only be met by including in section 7 a DRM-retaliation clause that would withdraw the benefit of the license from any party initiating a legal case based on circumvention of a TPM. Such a clause would be only an option (not included in the basic license but deemed compatible with it). This merits an open debate.
