Douglas Crockford






Digital Rights Management Strategies 2004

I attended Digital Rights Management Strategies Fall 2004, October 25-27, at the Sheraton Universal Hotel in Los Angeles, California. The conference chairman was Bill Rosenblatt, the managing editor of DRMWatch. The conference had two tracks: Media and Enterprise. I focussed on the Media track.


This may be the first conference to discuss Enterprise DRM. Enterprise DRM is a variation of DRM that is intended to solve information leakage problems in companies. I have heard claims that it can prevent valuable information (such as customer lists or design specifications) or sensitive information (such as embarrassing memos) from escaping from a company.

Obviously, DRM cannot prevent that. So they have been discussing conformance issues. For example, in an accounting company, consultants are not supposed to interact with auditors. An Enterprise DRM could be used to restrict the flow of documents between such people. I think this will have very bad consequences. It will make it very easy to hide bad news, so that failing projects and businesses will not get the attention that they need. It may also increase the amount of communication friction in the enterprise, slowing its responsiveness. It may increase fraud, rather than prevent it.

Enterprise DRM, or "Persistent Protection", is intended to solve some of the insolvable security problems with Microsoft's network architecture. The largest vendor in Enterprise DRM is Microsoft.

I counted 30 people attending the Enterprise track, which I think was a disappointment to the conference staff. I talked to a guy from Wells Fargo Bank who said that this was not relevant to his bank.

First Sale

There was talk at this conference about balancing the interests of consumers and the content owners, and finding a compromise that can be expressed in DRM technology. It was often said that the best DRM would never be noticed by consumers, because it would not prevent consumers from doing reasonable things.

There may be two issues where a compromise cannot be achieved. These are First Sale and Fair Use.

First Sale means that a publisher only makes money on the first sale of a work such as a book or music recording. Once it has been purchased, the buyer is free to dispose of it any way he likes. For example, he can keep it, or present it as a gift, or give it away, or sell it, or rent it, or loan it, or destroy it. The publisher's permission is not required to do any of these things. The only thing he cannot do is publish copies, because that would be a copyright infringement.

The Content Industry does not like First Sale. They want to be able to prohibit loaning and get paid for resales and rentals. So when they package digital products, they want to sell the buyer a license to use the content. They claim they are not selling a copy of the content.

This is a legal distinction which is not understood by consumers. This issue may get settled in the marketplace, or it may get settled in the courts.

Fair Use

The second issue is Fair Use. The Doctrine of Fair Use gives people rights to reasonable uses of a work. For example, it is allowed to copy part of a work for educational purposes even if the work is copyrighted.

DRM is incompatible with Fair Use in two ways. First, the rules of Fair Use are vague. A system of rules enforced by computers must be very precise. A DRM may restrict actions that a court would allow. Second, Fair Use rights are not granted by the copyright holder. In a DRM system, all rights are granted by the copyright holder. Fair Use is intended to allow new uses that have not yet been discovered. A DRM system cannot anticipate and allow new uses. A DRM system would stop innovation in the use of media by consumers.

It is not clear how the struggle between DRM and First Sale and Fair Use will be resolved. Also, Fair Use is a US concept. In the UK they have Fair Dealing, which is different. DRM must also work there, and everywhere else in the world.

There was mention of these problems at the conference, but not much importance was given to them, except by Bill Rose, a consultant, who said that Fair Use is defined by consumers. They don't willingly give back rights and capabilities they already have (or believe they have). If they think they've been wronged, they won't think twice about wronging you back.


In my view, DRM is needed to protect the Studios from change. The Studios currently structure their business around Windows of Exclusivity. This system of Windows has evolved to maximize the money that can be made from movies with analog distribution. The studios are unwilling to develop a new business model, and so need DRM to allow the old model to continue.

Typically, a movie opens in theatres. Months later it is released on home video, and then on PPV, then premium cable, then network television, and then syndication. At each step in the release cycle is an exclusive Window of Time. Also, because of the way that international rights are sold, a movie might first open in the US, and a few months later begin opening in other countries.

The problem the Studios are having is that because of piracy, the content is leaking too quickly from one Window to another. For example, there is a guy on a sidewalk in Madrid who lays down a blanket covered with illegal DVDs for movies that have not opened yet in theatres in Spain.

In this case, the guy with the blanket benefits from the Window model. Customers in Spain are aware of the movie because of the Internet, but do not want to wait for the Official Spanish theatrical and DVD releases. The Studios have created a Window for the blanket guy.

Eventually, the studios will figure out that the Window model does not work in the digital world. They must come up with a new model. But a new model requires creativity and courage. These are things the Studios do not have.

If the Studio released the movie worldwide on the same day in all media and formats (which it can do with digital distribution), then the guy with the blanket would be out of business.

I doubt that the guy with the blanket can sell enough DVDs to hurt the Studios, but I hear about him at every conference, so someone must think he is important.

The War for the Center of the Universe

There are many people who believe that DRM will be the new Center of the Universe. All digital information will go through it, will be filtered by it, and controlled by it. Money will be charged and perhaps even collected by it. The company that controls DRM can control the Universe. So Microsoft is very aggressive in DRM, because Microsoft wants to control the Universe. But many other companies are in it as well, some large and some small. There are now many DRM systems in place, and they do not work together. This is recognized as a Bad Thing. At the conference there were many calls for interoperability, so that a consumer can buy some content once, and have it managed by each of the DRM systems that the consumer may interact with.

The guy from RSA Security said: Traditionally, we developed specific solutions to specific problems. There is no general solution.

An analyst said that interoperability is crucial—and missing. The Media Content owners have poor systems infrastructure. Standards Development takes time. There has been a "land grab" (seizing of territory) by proprietary DRM vendors.

The guy from Microsoft said that interoperability between standards is the key challenge.

There is a DRM system in the phone, and in the computer, and in the DVD player, and in the music player, and they are all different and they are all incompatible. The problem isn't just technological. It is mostly a conflict of incompatible business models.

It will take time for all of the DRM vendors and their client industries to learn to work together. The prevailing advice at the conference was: Do not wait. Get into the market now with whatever works.

That means that the integration of DRM systems, if it ever happens, will happen in the consumer marketplace. Consumers do not like to see that kind of conflict, confusion, change.

The OMA (Open Mobile Alliance) has a DRM framework for selling ringtones. They want to adapt it to work with other media. So the phone industry will be competing with the computer industry and the consumer electronics industry and the content industry over the control of DRM.

There was frequent mention of Coral Consortium, but no information on what they are doing. It seems that they are very secretive. Coral comes from Intertrust, which is owned by Sony and Philips. Neither Intel nor Microsoft is listed as a member.


The meaning of the term DRM is getting muddy. There are arguments about whether a particular product was a DRM system, or just a Copy Protection Scheme. Every DRM system has a different set of capabilities, and so every DRM vendor is attempting to redefine the term to mean what their product does, and to not mean what their product does not do.

Nearly everyone talked about DRM and its variations as an enabling technology. But that is wrong. It is a disabling technology.

IBM has stepped away from the term DRM. Instead, they are calling their stuff Content Protection. They gave a presentation on Broadcast Encryption (or xCP (Extensible Content Protection)), which they developed with Intel, and which is the basis of 4C's CPRM/CPPM and AACS-LA's stuff. It was designed for applications in which content is sent on a one-way channel to many receivers, with the ability to disable selected receivers. It was designed in particular to resist the attack that defeated DVD's CSS.

The concern is that if a device is cracked, its keys can be extracted and put into clone devices. If that occurs, the Studios can modify the key block at the beginning of new content products to reject access from the clones. They think that they can do this 1000 times. I see two problems with this: First, suppose the device that is cracked is a popular Sony Blu-Ray player. Clones will be produced that look to the DRM system like a Sony player. In order to deactivate the clones, they will also have to deactivate all of the honest players, too. Will Sony have to replace them? Will Sony have to deal with the very angry customers?

Second, the attackers will look for exploits that will break the whole system, not just individual devices. IBM's hope is that the attackers will focus on the individual device attacks. (In cryptanalysis, you cannot depend on them attacking you where you are strongest.) If such a vulnerability is found (and an Intel guy at IBC said it will), then the whole system fails.
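
The key-block revocation described above, as an added example (not code from the original page, from IBM, or from 4C/AACS): a simplified complete-subtree broadcast encryption scheme with a toy XOR wrap and constructed keys. It assumes, as the scenario above does, that clones carry the same key set as the honest players the keys were extracted from; all function names are hypothetical.

```python
import hashlib
import hmac

DEPTH = 3  # binary tree with 8 device slots; nodes numbered heap-style, root = 1

def node_key(master, node):
    # Assumption: the licensing authority derives each node key from one master secret.
    return hmac.new(master, b"node%d" % node, hashlib.sha256).digest()

def path(slot):
    # Nodes from a device's leaf up to the root.
    node, nodes = (1 << DEPTH) + slot, []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes

def device_keys(master, slot):
    # A device is provisioned with the key of every node on its path.
    return {n: node_key(master, n) for n in path(slot)}

def cover(revoked_slots):
    # Largest subtrees containing no revoked leaf (complete-subtree method).
    bad = {n for s in revoked_slots for n in path(s)}
    if not bad:
        return [1]
    inner = [n for n in bad if n < (1 << DEPTH)]
    return sorted(c for n in inner for c in (2 * n, 2 * n + 1) if c not in bad)

def wrap(key, data):
    # Toy XOR wrap for a 32-byte value (its own inverse); not a production cipher.
    pad = hashlib.sha256(b"wrap" + key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def make_key_block(master, media_key, revoked_slots):
    # Key block shipped at the start of the content: media key wrapped per cover node.
    return {n: wrap(node_key(master, n), media_key) for n in cover(revoked_slots)}

def read_key_block(keys, block):
    # A receiver unwraps with the first cover-node key it holds; None means revoked.
    for node, blob in block.items():
        if node in keys:
            return wrap(keys[node], blob)
    return None

def demo():
    master = b"constructed master secret"          # constructed sample values
    media_key = hashlib.sha256(b"constructed media key").digest()
    honest = device_keys(master, 5)                 # the cracked player model
    clone = dict(honest)                            # extracted keys copied into a clone
    other = device_keys(master, 2)                  # an unrelated player
    new_block = make_key_block(master, media_key, [5])
    return {name: read_key_block(keys, new_block) == media_key
            for name, keys in (("honest", honest), ("clone", clone), ("other", other))}
```

With slot 5 revoked, the new key block locks out the honest player and the clone together, while the unrelated player in slot 2 still recovers the media key.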

The interesting thing about DRM is that it isn't important that it actually works anymore. Section 1201 of the Digital Millennium Copyright Act (DMCA 1201) attempts to criminalize these attacks (or circumventions). There are varying opinions of the effectiveness of such laws. The kid who broke CSS was found not guilty by the Supreme Court of Norway. He is now a National Hero.

The vendors at the conference were reducing expectations about how well their DRM systems will actually work. One vendor said that DRM systems are like "speed bumps" (bumps in the road to make cars slow down). They are not claiming that they can stop pirates, only that they can slow them down. The guy from Microsoft said that "Bullet-proof protection of media is cost prohibitive." Microsoft does not have enough cash to make DRM work.


Peter Lee, VP Business Development, New Technology, of the Walt Disney Company gave a surprisingly reasonable presentation.

He talked about their MovieBeam service, which distributes movies by terrestrial datacast to a DVR-like STB.

He went through a set of scenarios of consumer usage of media that raised many difficult questions. If content is locked to a device, what happens if the device is lost or stolen or damaged? Can the owner recover the content? Can the thief use the content? What happens if the owner sells the device? What happens if the owner buys a new device? Can he transfer his content to the new device? He also brought up the Divorce Problem: How can a couple divide their digital rights?

These are hard problems, and they currently are not addressed adequately by any DRM system. His conclusion was that DRM is Good. I think he meant that an Ideal DRM would be good because it would be good for his business and consumers would tolerate it.

This was a very different attitude than the one I heard at CPTWG from someone at Disney who did not want to see a Mobile Device Transfer discussion subgroup because such an action would be a redistribution, requiring an additional purchase. The use of words has softened. No one at this conference was calling consumers bad names like pirate or thief (with the exception of a guy from Activated Content). They have stopped saying that we need to keep people honest (with the exception of a guy from Microsoft). They have stopped talking like Jack Valenti.

I suspect that the Studios have started listening to their customers, and they are now thinking more reasonably about how they can act as businesses. I think they are starting to learn the correct lesson from the Recording Industry: If you are bad to your customers, they will stop giving you their money.

Or maybe Peter Lee sounds reasonable because he has only been at Disney for a short time and does not work at the Studio.


The biggest battleground for the Content Industry is the Peer-to-Peer network. This is where the most active segment of the music market has escaped from the retail channels and set up its own distribution network for MP3s. RIAA has attempted to shut this down by suing ISPs, suing Networking Companies, suing Software Companies, suing Universities, and suing Kids. Recently, Grokster won its trial and appeal, but there might be another appeal before the Supreme Court. A startup company cannot afford such legal assaults. Another company, 321 Studios, was forced into bankruptcy because it could no longer afford to defend itself. RIAA's tactics will not be successful. They are simply driving music trading underground, into secret Dark Nets.

There were many suggestions for how to recover money from P2P music trading.

The worst idea of the whole conference was from Wendy Seltzer of EFF. The Electronic Frontier Foundation is a Watchdog Group. They have done important work in presenting legal challenges to things like the Induce Act. Seltzer proposed VCL, a Voluntary Collective License. In this scheme, people would pay a monthly fee which would be collected and distributed to the Recording Companies. There was a lot of discussion of why such a system could only work if it was compulsory, and why a compulsory system would have very bad unintended consequences.

Another approach relied on digital fingerprinting. This assumes that music can be identified by a fingerprint (a metric derived from the content itself) and that the fingerprint associates the content with metadata (including licensing and rights information). The P2P operators will then be required to prohibit unrecognized uploads and collect royalties on the downloads. Audible Magic is an example. I don't think this will work. The market value of music has already been set to $0. They will have to add significant value if they want to collect money.

There were also silly ideas about "locking down" P2P with tamper-resistant software that is hardened to the sub-BIOS level.

A better idea was from a superdistribution company called Weed Share. They let you download a song for free. You can listen to it three times. After that, if you want to hear it again you have to buy it. If you send it to a friend and they buy it, you get 20% of the purchase. If they send it to someone who buys it, you get 10%. And if they send it to someone else who buys it, you get another 5%. This is a multilevel marketing plan. They are hoping that the possibility of making a little money is enough to encourage people to join the service and not attempt to break the copy protection.

A company called Burn-a-Song has a kiosk that makes custom CDs. It is intended to replace an entire music store with an electronic song catalog and just-in-time automatic custom manufacturing. Another company, Personics, attempted a similar kiosk 15 years ago. Personics failed because the Recording Industry refused to license their most popular songs. At that time, people would buy a CD album which contained only one good song. They made more money selling the album than Personics did selling the song. Burn-a-Song today is able to make a better deal with the Recording Industry because of fears of P2P.


There was a very interesting report on Consumer Attitudes by Todd Chanko of Jupiter Research. He reported that people want to watch TV on the TV and do computer stuff on the computer. They are comfortable with that specialization, and are not eager to compute with their TV or watch movies on the computer. He described movie download sites like CinemaNow and Movielink as "an experiment, not a business". The actual volume of movie downloads is very small.

People want control. They will pay a premium for the right to make a copy. This suggests to me that a pirate copy has more value than a legal copy because the pirate copy has no DRM restrictions.


There was a panel on Identity. The two big players in Identity are Microsoft's Passport and Sun's Liberty Alliance. An Identity is tied to an entity that can be sued. There is talk about using these Identity systems with DRM systems, so that rights are bound to a person and not to the device. The legal and privacy issues are extremely complex.

There was a panel on Digital Watermarking. The most common source for piracy is from prerelease review copies. Hollywood is now watermarking them. A watermark from last year's Oscar screenings led to an arrest. The Watermark vendors want to make watermarks a part of DRM systems as an Analog Hole remedy.

There was a panel on Home Entertainment Networks. This has two major problems: First, it requires the solution to the interoperability problem. Second, there is no consumer demand yet for a Home Entertainment Network.