Research forms a large part of my job and I have to be honest and say I love it. That being said, some of the things that come past my desk have nothing to do with the systems I build but more to do with people's perspective on how the systems are being implemented.

One such article which came to my attention recently is a short rant about Digital Rights Management (DRM).

Before I begin, let me take a moment to explain. DRM offers an avenue for production companies to protect the content they have to offer from piracy. It does this by tying a data stream to a fingerprint generated from the computer's hardware configuration. This recently caught me out after a fashion when the MacBook I was using died. The hard drive has been moved into a spare whilst my MacBook is out for repair, but for now I can no longer access Netflix via the MacBook because the fingerprint no longer matches the one Netflix expects.

After reading the article on DRM I have to say I am left feeling slightly riled. In all fairness, I am no fan of proprietary software, but the author's perspective is completely skewed.

The author had made a connection between DRM and George Orwell’s 1984 which quite frankly shows a complete lack of understanding of exactly what George Orwell portrayed.

1984 is all about a dystopian society where everything we do and every move we make is monitored by the state in order to control the output and meet a ‘perfect world’. DRM on the other hand is about protection of content and the rights of artists and the companies that represent them.

What the author tries to tell us is that DRM is delivered in such a way that it makes it illegal to report vulnerabilities within the system. If a flaw is found then the person (or persons) who discovered the flaw will disappear into the system never to be seen or heard from again.

“because reporting a security flaw in DRM exposes you to risk of prosecution for making a circumvention device”

Why is this statement wrong?

Many companies put large amounts of money into bug bounties. They know there are likely to be problems with the systems they develop. For years, yes, the author may have been right in stating that you may get prosecuted, but today? I am afraid not. Many of the world's largest companies openly encourage the average Joe to find bugs in their software and pay big money for every bug found. If you doubt what I am saying, just pop over to Bugcrowd and take a look at the list of companies on there. Netflix, Yahoo, Microsoft, Google, PayPal, Etsy: the list is pretty long and contains some major players.

As an example of the kind of reward being offered for vulnerabilities, Yahoo recently offered up to $15,000 for valid exploits against the websites they develop. How much do you think they would be likely to offer for a flaw in something such as DRM?

As I previously mentioned, DRM works by generating a fingerprint of the hardware configuration of the machine being used to access a data stream. Because every machine is different, these fingerprints are almost certainly completely unique in every way. Swap out a stick of RAM and the fingerprint changes. Move the hard drive to a new PC and the fingerprint changes. The only way to truly break DRM is then by cracking one of the hardest mathematical problems known to man, that being the factorisation of large primes. Seriously, if you break this, governments will be crying out for you to go work for them. You would become one of the most important mathematicians in history, your name written in the annals of time.
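The fingerprint binding described above, sketched as an added example (it is not code from any real DRM system or from the article under discussion). The hardware inventories, the server key and the HMAC-based licence format are assumptions made for illustration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the licence server

# Constructed hardware inventories (hypothetical values, not real device data).
LAPTOP = {"board": "board-A", "cpu": "cpu-A", "ram": ["8GB-x", "8GB-y"], "disk": "disk-1"}
RAM_SWAPPED = {**LAPTOP, "ram": ["8GB-x", "16GB-z"]}
SPARE = {"board": "board-B", "cpu": "cpu-B", "ram": ["4GB-q"], "disk": "disk-1"}  # same disk moved over


def fingerprint(hardware):
    """SHA-256 over a canonical serialisation, so any component change alters the result."""
    canonical = json.dumps(hardware, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _tag(fp, content_id):
    return hmac.new(SERVER_KEY, f"{fp}|{content_id}".encode(), hashlib.sha256).hexdigest()


def issue_licence(hardware, content_id):
    """Server side: bind the licence to one machine's fingerprint and authenticate it."""
    fp = fingerprint(hardware)
    return {"content_id": content_id, "fingerprint": fp, "tag": _tag(fp, content_id)}


def licence_valid(licence, hardware):
    """Server side: the tag must be genuine and the fingerprint must match the presenting machine."""
    genuine = hmac.compare_digest(_tag(licence["fingerprint"], licence["content_id"]), licence["tag"])
    same_machine = hmac.compare_digest(licence["fingerprint"], fingerprint(hardware))
    return genuine and same_machine


def scenarios():
    licence = issue_licence(LAPTOP, "film-001")
    edited = {**licence, "fingerprint": fingerprint(SPARE)}  # fingerprint rewritten, tag left stale
    return {
        "original machine": licence_valid(licence, LAPTOP),
        "RAM swapped": licence_valid(licence, RAM_SWAPPED),
        "disk moved to spare": licence_valid(licence, SPARE),
        "edited licence on spare": licence_valid(edited, SPARE),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the original machine is accepted; the disk-moved case mirrors the MacBook situation described earlier, and the edited licence fails because its authentication tag no longer matches.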

To put this in perspective, up until 2007 there was a cash prize of $200,000 on offer for the factorisation of RSA-2048. According to Wikipedia the reward has since been withdrawn. The reward was withdrawn because we have a better understanding of just how complex it is and just how many areas it offers benefits within.

Now whilst the author's perspective is skewed, there is a point buried deep within his rant. The proposed standard does have a flaw, but it is a flaw which affects all encryption algorithms. Once the encrypted data has been deciphered, you can read it. If it falls into the wrong hands in its deciphered form then it’s game over.

What I find interesting about this article is that the author makes no mention of the issue he reported on back in 2012, when he previously discussed the DRM standard in “Microsoft, Google and Netflix want to add DRM-hooks to W3C HTML5 standard”. There the author discusses Mozilla's rightful concern that DRM can never be fully secure within an open-source browser, as it wouldn’t take much to patch a build of the browser to write decrypted frames and samples to disk.

Going back to the article for a moment, I can’t help but be reminded of the level of anger that was felt when Metallica and the record companies shut down Napster. To me this still feels like it happened only yesterday. I still remember the feeling of betrayal I felt when a band I loved actively and openly supported the takedown of a service I had come to rely on.

What I didn’t realise until much later was that the anger I felt wasn’t at the band or even at the record companies, after all, artists have a right to be paid for their work and this is something I believe in very strongly. Rather the anger was at the fact they took from us the only way we had of sharing digital content without offering us a viable alternative.

This was at a time when the world was changing. We were waking up to the fact that the internet was here. For most, it was still a novelty and the fact of the matter was, no ground had been broken on how the rights of artists were to be reflected within this new technology.

It wasn’t until much later that the likes of iTunes and Spotify came along, but when they did, the uptake was enormous. Their advent showed that there was another way. We don’t have to pirate music; it can be made available on all your devices relatively cheaply. Unfortunately there is still no common standard and content is often tied to specific applications, in some cases restricting quite heavily the list of devices you are able to access that content on.

As the author quite rightly points out, Google, Apple and Microsoft have all built individual DRM systems. The author uses the word silo here, which shows another lack of understanding. A silo is a store of material whilst DRM is a system. If silo really is the right word to use in this context then it would be more accurate to say “Silos of DRM protected material”.

What DRM offers is a way for production companies to protect the rights of themselves and the artists they represent without infringing on your right to access the data. This isn’t an Orwellian dystopia; if that were the case we would be dictated to. On the contrary, the advent of a standardised DRM would be like opening the door.

At present, DRM for the services Netflix supplies is restricted to the use of Microsoft Silverlight. If you don’t use Silverlight, you can’t use their system. This makes it tricky at best to get Netflix to work on Linux because Silverlight isn’t available on this platform. That's not to say you can’t use Netflix on Linux, it just isn’t officially supported.

The proposal made by Google, Microsoft and Netflix is to set a standard for DRM and put it directly into HTML5. This would negate the requirement for third-party applications such as Silverlight for the protection of digital media and open the door for everybody to protect their content relatively cheaply. By setting it as a standard it becomes available on all platforms and all devices: Microsoft, Apple, Windows, Android, Linux. Why? Because it is a standard and it is the browser manufacturers' responsibility to implement it.

Personally I think it is quite fitting that the standard should be proposed independently of the studios. After all, the companies that are involved in this proposition all offer a streaming service supplying content from multiple different sources. I think there would be a much different argument to be had if the standard was being proposed by Disney. That being said, if it is to be a standard, every platform must be able to implement and use it. This does continue to make it tricky for Linux to implement, after all Linux is built fully on open-source principles and open is, by its very nature, open. You can do what you want with it and if that includes capturing the decrypted stream, people will do exactly that.

The author makes a point of stating that this standard is primarily being driven by Netflix. If that is the case then who better? Not only are they independent of the studios but they have no ties to any platform. There are no allegiances to a specific system. They don’t build an operating system and they represent many studios the world over. The money they make from subscriptions they pour straight back into developing new shows of the highest quality and promoting new artists in a plethora of fields.

The world is changing and we must change with it. The rights of artists need to be protected but we have rights too. We have to have the right to watch what we want, when we want and how we want. Services such as Netflix supply this capability and they are well within their rights to define how we access the streams they provide.

I said earlier that standardised DRM is opening a door and I believe it is. It’s not a door into an Orwellian dystopia, it’s a door into freedom. It’s a door into being able to access what we want, where we want, how we want, whilst at the same time recognising legitimate streams. The door gives artists and production companies the freedom to protect their content and you the freedom to use it but they also have to protect our right to choose what platform we access the content from.

There is no denying that there will continue to be problems implementing DRM on a fully open-source platform, but let us not make wild allegations of this forcing us into Orwell's 1984. This is nothing to do with dystopia; this is about overcoming a complex technical challenge and overcoming the last hurdle left in place for an open platform. How do we access protected content whilst keeping the underlying system completely free and open?

There are no easy answers. If there were then we wouldn’t still be looking. We all know and appreciate that any DRM system needs to work on all hardware both old and new. It must work on all platforms and devices. It must respect our freedoms whilst protecting the rights and property of all parties. If that doesn’t happen then it isn’t a viable system and we will continue looking for one that does work. This has to be an area where “one size truly does fit all”.

No matter which way you look at it, Netflix has gone to great lengths to support and promote some amazing works of art (and some absolutely terrible ones). It has given us an ad-free way of accessing great and plentiful content at a very reasonable price. We can watch what we want, when we want and to some extent how we want. Contrary to dystopia, they are trying their damnedest to overcome the last hurdle and whilst it may not yet be perfect, let’s give them some freedom to try and iron out the kinks rather than accusing them of marching us blindfolded to the gallows.

The original article was written by Cory Doctorow (@doctorow) and is entitled “We are Huxleying ourselves into the full Orwell”.

