Digital Rights Management and Privacy

Digital Rights Management (DRM) systems restrict the use of digital files in order to protect the interests of copyright holders. DRM technologies can control file access (number of views, length of views), altering, sharing, copying, printing, and saving. These technologies may be contained within the operating system, program software, or in the actual hardware of a device.

DRM systems take two approaches to securing content. The first is "containment," an approach where the content is encrypted in a shell so that it can only be accessed by authorized users. The second is "marking," the practice of placing a watermark, flag, or an XrML tag on content as a signal to a device that the media is copy protected. According to Professor Ed Felten, both approaches are vulnerable to cracking by individuals with "moderate" programming skills.

DRM technology and legislation requiring the inclusion of copy control systems pose serious threats to privacy, open source software development, and the fair use of copyrighted content.

Some DRM technologies have been developed with little regard for privacy protection. The systems usually require the user to reveal his or her identity and rights to access protected content. Upon authentication of identity and rights to the content, the user can access the content.

DRM systems can prevent the anonymous consumption of content. DRM systems could lead to a standard practice where content owners require all purchasers of media to identify themselves. In other areas where individuals can borrow or purchase media, such as video rental stores or libraries, statutory and ethical protections prevent the transfer of personal information linked to the content acquired. Such protections do not exist in the music and growing electronic book markets. In these unregulated areas, artists and authors may have more difficulty in finding an audience for their work because of the privacy risks associated with linking identity to content consumption.

In addition to preventing anonymity in access to digital information, DRM can be used to facilitate profiling of users' preferences or to limit access to certain content. This is done by assigning an identifier to content or to the content player, and attaching personal information to the identifier. For instance, Microsoft's Windows Media Player has an embedded globally-unique identifier (GUID) to track users. Similarly, Microsoft's eBook Reader requires the user to "activate" the software and link it to a Passport account. From there, Microsoft captures a unique hardware identifier of the user's computer. There is also an activation limit that can stop a user from transferring an eBook to other computers. This enables Microsoft to prevent users from sharing books or from reading a book on a different machine.

Also, Windows Media Player creates a log file of the content a user views, and "phones home" to a central server to obtain content titles. These technologies mark an important development in the use of copyright law: copyright can regulate duplication of works to protect content owners. Now, copyright is being used as a justification to both protect content and to profile the consumers of content.

Linking personally-identifiable information to content may result in "price discrimination." Price discrimination is the practice of selling an item at different costs to different consumers. It can be facilitated where the seller knows the consumer's identity, and can associate the identity with a profile that includes financial information on the consumer. DRM systems may enable content owners to control access to content, but also to adjust the price of content based on the consumer's identity.

Alternatives exist that would provide copy protection and at the same time protect privacy. For instance, token and password systems could be used to authorize a download of digital content. Alternative, non-privacy invasive solutions have not been explored adequately.

DRM systems that have been designed impinge on users' control and use of content. Many DRM systems will not allow a user to transfer content to portable devices, such as MP3 players. In addition, many DRM systems work only with Windows operating systems to the exclusion of Linux and Macintosh users.

DRM systems may also be designed to actually harm a user's system. One product in particular, InTether Point-to-Point, can impose "penalties" for "illegal" uses of files. The program can force a reboot of the user's computer or destroy the file that the user was attempting to access. A Celine Dion album released in 2002 by EPIC and Sony records can crash a user's computer if the disc is inserted in a CD-ROM drive.

DRM may also be referred to as "Content Management Systems" (CMS), "Content/Copy Protection for Removable Media" (CPRM) or sometimes as "technological measures."

The Digital Millennium Copyright Act (DMCA) can interfere with a user's ability to access content. The DMCA is a 1998 law designed to increase copyright holders' rights. The DMCA created civil and criminal penalties for the creation or distribution of DRM circumvention tools. As a result, a user attempting to circumvent copyright protection, even for legitimate reasons, may violate federal law. The DMCA was the American version of implementing legislation for a World Intellectual Property Organization treaty.

DRM is a Threat to Open Source Software

DRM schemes and laws that require embedding copy protection into devices endanger the development of open-source software. Open-source software developers rely on reverse engineering to write programs that can interact with hardware. This practice is illegal under the DMCA. Additionally, some industry standards must be "tamper-resistant." "Tamper-resistant" is defined in such a way that it makes open source implementations noncompliant.

DRM Systems Cannot Recognize Fair Use Rights

Statutory and Common Law interpretations of copyright law afford individuals "Fair Use" rights. Fair Use provides a defense to individuals who engage in an unauthorized use of protected content. It is impossible for DRM systems to incorporate Fair Use principles because they are difficult to define, and evolve over time. Fred von Lohmann of the Electronic Frontier Foundation has argued that for DRM to recognize Fair Use, engineers must be able to program a federal judge onto a computer chip.

Fair Use allows individuals to interact with content to promote cultural production, learning, innovation, and equity between content owners and consumers. Fair Use includes libraries' and educators' rights to provide content to users, the right to sell physical copies of certain content that one acquires lawfully (the "First Sale" doctrine), and the ability to make a backup copy of software and music. No DRM scheme developed affords users these rights.

A Media Consumption Culture Shift: Pay-Per-Use and the Marginalization of Content Sharing

DRM systems have been presented as a solution to unauthorized copying of digital content. However, the content industry may have other objectives with DRM technology. The technology can limit users' interaction with media. Through limiting interaction, over time, DRM technologies can change users' expectations about control and use of digital content.

Professor Peter Jaszi has argued that DRM developers may be attempting to acclimate consumers to a pay-per-use business model. Under such a system, a fee would be assessed each time digital media is accessed. This business model could be more lucrative for content controllers.

DRM could also acclimate users to a system where sharing of content is not permitted. In 1996, Richard Stallman, President of the Free Software Foundation, painted a picture of a society with stringent copy controls and a societal rejection of content sharing. In The Right to Read, Stallman envisioned a world where copy protection prevented the anonymous reading of books, lending books to others, or the mere possession of software tools that could be used to bypass copyright law:

This put Dan in a dilemma. He had to help her--but if he lent her his computer, she might read his books. Aside from the fact that you could go to prison for many years for letting someone else read your books, the very idea shocked him at first. Like everyone, he had been taught since elementary school that sharing books was nasty and wrong--something that only pirates would do.
--The Right to Read, Richard Stallman, 1996.

Major DRM Developments

The FCC Broadcast Flag

In August 2002, the FCC issued a notice of proposed rulemaking (NPRM) to consider whether digital television signals should incorporate a digital broadcast flag. Such a flag would mark digital content as "protected" and direct devices to limit individuals' use of the content.

Comments were due December 6, 2002. The Electronic Frontier Foundation runs a "blog" to share detailed information about the flag. You can view comments by visiting the FCC E-Filing Page and entering proceeding 02-230 in the first box.

H.R. 5211, Rep. Berman's P2P Anti-Piracy Bill

Representative Howard Berman (D-CA) introduced H.R. 5211 in July 2002. The bill would allow cybervigilantism in order to stem P2P piracy. The measure would actually permit copyright owners or their agents to engage in behavior currently illegal under a computer fraud act in order to interdict filetrading.

The bill authorizes copyright agents to block or otherwise disable file transfers where there is a reasonable basis to believe that the file traders are engaging in piracy. Copyright agents' techniques would be shielded from public view--they will have to notify the Department of Justice of their file blocking plans, but the techniques would be exempt from open government laws. Individuals whose file transfers are wrongly blocked would have almost no recourse. A wronged individual would first have to complain to the Department of Justice before bringing suit, and in order to prevail in court, the individual would have to show over $250 in monetary damages and that the copyright agent knowingly and intentionally blocked a legal file transfer.

The bill is extremely broad, and although it is written to target Napster or Kazaa-like systems, it could be read as authorization to interfere with e-mail and instant messaging systems.

Microsoft Palladium

In June 2002, Microsoft announced its Palladium project, a project that would embed DRM into software and hardware. For more information, see the EPIC Palladium Page.

The SSSCA and the CBDTPA

In September 2001, Senator Fritz Hollings (D-SC) announced plans to introduce the Security Systems Standards and Certification Act (SSSCA). The SSSCA would require equipment manufacturers to embed government-approved copy protection systems into all computer equipment.

In February 2002, Sen. Hollings scheduled hearings to examine the need for government imposition of standards for digital content protection. During the hearing, legislators declared that they would introduce legislation to mandate control requirements if the industry did not develop them. All of the hearing panelists represented large corporations and there was no testimony taken from consumer advocates.

In March 2002, Sen. Hollings introduced the Consumer Broadband and Digital Television Promotion Act (CBDTPA). This copyright control would force manufacturers to embed copy protection in all devices that can receive digital media. The Senate Judiciary Committee also held hearings, and is now accepting comments from the public on the implications of the CBDTPA. Opposition to the CBDTPA has been vigorous both from individual users and from business interests.

Dmitry Sklyarov and Adobe eBook Copy "Protection"

In June 2001, a Russian programmer named Dmitry Sklyarov published a program that can defeat a DRM technology used to secure Adobe eBooks. In July, at the behest of Adobe, the Department of Justice arrested Sklyarov for violating the Digital Millennium Copyright Act (DMCA) shortly after he presented a paper on cracking Adobe ROT-13 copy protection. Sklyarov remained in jail for several weeks and has been released on $50,000 bail. The Electronic Frontier Foundation (EFF) assisted in his defense and in December 2001, federal authorities dropped charges against him.

Federal authorities have now pursued ElcomSoft, Dmitry Sklyarov's employer. The case is being litigated in Federal District Court in California.

Ed Felten and Suppression of Academic Inquiry into DRM Systems

In April 2001, a team of researchers headed by Princeton Professor Ed Felten announced that they could defeat a DRM system developed by the Secure Digital Media Initiative (SDMI). Before the team could present their paper, SDMI and the Recording Industry Artists of America (RIAA) threatened Felten and his team with a lawsuit under the Digital Millennium Copyright Act (DMCA). Felten's team decided not to publish the paper. Ultimately, SDMI and RIAA retreated from the threat of lawsuit, fearing that the DMCA may have been stricken as constitutionally overbroad when applied against a group of professors presenting an academic paper. In June 2001, the Electronic Frontier Foundation (EFF) brought suit against RIAA to obtain a declaratory judgment that Felten could present the SDMI research. Additionally, EFF sought the invalidation of the DMCA as an unconstitutional restriction on free expression. In August 2001, Felten presented the SDMI paper at the USENIX conference. In November 2001, a Federal District Court dismissed EFF's case. In February 2002, Felten decided not to appeal the dismissal.

4C Attempt to Embed DRM in Computer Hardware

In Fall 2000, the 4C Entity, which is comprised of IBM, Intel, Matsushita, and Toshiba, attempted to include Content Protection for Removable Media (CPRM) in the standard for all ATA devices. The ATA standard encompasses hard drives, CD-ROM and CD-RW drives, flash memory, and other media storage devices. With CPRM embedded in users' hardware, content producers would have the option of enabling copy protection and hindering "unauthorized" use of files. In February 2001, IBM decided to withdraw its call for CPRM in hard drives and to limit the application of CPRM to only removable media, which includes flash memory and other storage devices associated with digital cameras and MP3 players.



DRM Defeating Technology

DRM Developers

The following is a partial list of DRM systems that are available or under development:

Last Updated: March 29, 2004
Page URL: http://www.epic.org/privacy/drm/index.html