Douglas Crockford






May 2007

Cyst and Decease

AACS, the DRM system used by HD-DVD and BluRay, is failing shortly after launch. It was claimed to be secure and robust, and to "keep honest people honest" while protecting Hollywood from the terrifying onslaught of progress.

Now that AACS's design errors have resulted in its failure, it is no longer able to fulfill its mission of protecting content. So the AACSLA is taking the next inevitable step: Using legal remedies to protect AACS. The idea is that if they can use legal intimidation to force the hackers to stop distributing the results of their hacking, then the failure of AACS can be more easily ignored. So AACS has been issuing FU letters to the operators of popular websites, demanding that they censor postings exposing the AACS encryption codes. Given the highly distributed nature of the net, this is ultimately an impossible task. AACSLA's legal attack on the net will fail, but they will cause a lot of harm before they are done.

Before AACS was tarnished by exposure to reality, its developers were very confident of its robustness because it was based on strong cryptography, and because they learned the lessons from the failure of CSS, the copy protection system in DVD. But they got both things wrong.

Ideally, cryptography allows two parties to exchange messages without fear that a third party could learn the contents of the messages. DRM uses cryptography, but perverts the underlying assumptions in a way which, as the hackers have clearly demonstrated, has no strength. In natural cryptography, the sender trusts the receiver to have the shared secret code and the cleartext of the message. In DRM, the receiver is not trusted. Only the DRM device is trusted. But it is obviously true that you should not trust devices that are not under your absolute control. In this case, the DRM devices are the property of the hackers who bought them at retail and who are now convincing the devices to give up their secrets.

So AACSLA is trying to use legal remedies so that it can continue to trust devices not under its control.

In the meantime, the format war continues. My advice: Don't buy either until the manufacturers are allowed to remove the AACS feature. This will reduce the cost and the failure modes of the players.


DRM is sometimes called an enabling technology, in that it is supposed to enable new business models. But it is really a disabling technology. As DRM fails, there have been suggestions that the name be changed to something that includes the word enabling; give it a better image; something more right than rights.

DRM isn't just a disabling technology, it is also a disabling contractual framework. To sell a DVD device, you must make a deal with the DVD Copy Control Association in order to use the CSS copy protection system that was broken nine years ago.

Kaleidescape is a startup that makes a media server. It is like an MP3 player for movies. You transfer your DVDs onto it. You can even transfer rentals. Kaleidescape encrypts the content, so the system cannot be used to make multiple copies.

DVD-CCA sued Kaleidescape, claiming that they breached the CSS license agreement. Kaleidescape's product, while legal, did not match MPAA's criteria for new business models. So they took legal action to shut them down.

I am happy to report that Judge Leslie C. Nichols found in favor of Kaleidescape last month. It is common in IP law to assert nonexistent rights. On this occasion, DVD-CCA didn't get away with it.

The time of suing John Doe is over.

As DRM fails, we can expect to continue to see bizarre legal behavior from the DRM organizations as diminishing options lead to desperation.

Here is an example: Media Rights Technologies has sent a cease and desist letter to Microsoft, Adobe, Real Networks and Apple demanding that they stop distributing media players that do not include MRT's don't-need-it DRM system. Now, here in America, a man is free to have his attorney send a cease and desist letter to anyone he pleases. But if you want people to respond to the letter, you need to be ready to make a convincing legal argument.

MRT's argument is that the DMCA outlaws copyright circumvention technology. A device that does not include MRT's DRM, according to MRT, will fail to protect content, and therefore is a circumvention device. They also include this threat:

Failure to comply with this demand could result in a federal court injunction to any of the above named parties to cease production or sale of their products and/or the imposition of statutory damages of at least $200 to $2500 for each product distributed or sold.

I don't think this is an act that a healthy company would commit. The hit to a company's reputation from a stunt like this could be fatal, so to risk it, they must already be close to dead. So with their last breath they fire an FU letter and a press release in the hope that someone with deep pockets might not be paying enough attention and offer some go-away money.