sign in sign up
<<
Home , Content Scramble System, Copyright, Fair use, Free software, Public domain

DRM {AND, OR, VS.} THE

By Pamela Samuelson

opyright industries are hoping that management (DRM) technologies will prevent infringement of commercially valu- able digital content, including and movies. These industries have already per- suaded legislatures in the U.S., the European The main purpose Union, and other countries to adopt broad of DRM is not to anti-circumvention rules to protect DRM prevent from being hacked, and have inter- preted these statutes even more broadly than the lawmakers infringement but to intended.C change consumer Some copyright industries now want DRM to be mandated in expectations about all devices, either through standard-setting processes what they are or through . Though mandates for ubiquitous DRM are unlikely to be legislated soon, the threat of DRM mandates should entitled to do with be taken seriously. Computing professionals should be aware that digital content. private standard-setting processes may result in even less protection for consumer and other public interests than legislation that in the past has included at least some consumer-protection rules. U.S. Reps. Rick Boucher (D., VA), Zoe Lofgren (D., CA), and others, recognizing that DRM and overbroad anti-circumvention rules

COMMUNICATIONS OF THE ACM April 2003/Vol. 46, No. 4 41 abjure expressing them unless forced to do so by law THE DMCA IMPEDES THE or competition. DRM is more aptly described as “code as code” PROGRESS OF SCIENCE, is [4]—a private governance system in which economically unjustifiable, program code regulates which acts users are (or are not) authorized to perform—than as a rights man- and lacks the balance the agement regime or as a copyright-enforcement mech- anism. An alternative phrase for DRM is “digital Constitution requires of restrictions management,” given its use by copyright intellectual legislation. industries to restrict rights [3]. Whether users ought to be able to circumvent DRM to exercise their interfere with legitimate interests of consumers, have rights has been the subject of some debate. proposed legislation to safeguard these interests. Computing professionals who want to contribute Anti-Circumvention Rules to more balanced policy should In response to industry concern about the vulnera- do two things: collectively articulate the positive bility of DRM technologies to hacking, the U.S. social benefits of general-purpose technologies to Congress in 1998 passed the Digital Millennium counteract proposed DRM mandates; and strongly (DMCA) in order to outlaw certain support consumer-protection legislation for DRM- acts of circumvention and technologies designed to protected content (such as warning labels) and pro- circumvent technical measures used to protect copy- posed reform of anti-circumvention rules. righted works; other countries have followed suit (see Dusollier’s article in this issue). Section DRM Goes Beyond Copyright 1201(a)(1)(A) forbids circumvention of technical DRM is sometimes said to be a mechanism for measures copyright owners use to protect access to enforcing [9]. While DRM systems can their works. Section 1201(a)(2) forbids manufacture certainly prevent illegal copying and public distribu- or distribution of technologies primarily designed or tion of copyrighted works, they can do far more; produced to circumvent access controls, while paral- they can as easily prevent the copying and distribu- lel provision 1201(b)(1) outlaws other circumven- tion of public-domain works as copyrighted works. tion technologies. Anyone injured by violation of Moreover, even though copyright law confers on these rules can sue for damages, injunctive relief, copyright owners the right to control only public and attorney fees. Violating these rules willfully and performances and displays of these works, DRM for profit is a felony. systems can also be used to control private perfor- Circumvention is permissible for some purposes, mances and displays of digital content. DRM sys- such as achieving program-to-program interoperabil- tems can thwart the exercise of rights and ity and engaging in research and com- other copyright privileges. DRM can be used to puter security testing. However, the statutory compel users to view content they would prefer to exceptions are very drawn narrowly and fail to recog- avoid (such as commercials and FBI warning nize many legitimate reasons for circumventing tech- notices), thus exceeding copyright’s bounds. nical measures, including to engage in research about Given that DRM permits content owners to exer- nonencryption-based watermarking technologies or cise far more control over uses of copyrighted works analyze computer viruses or worms [6]. than copyright law provides, the moniker “DRM” is A careful study of the legislative history of the actually a misnomer. These technologies are not really DMCA and the detailed structure of the anti-circum- about the management of digital “rights” but rather vention rules reveals that Congress intended for cir- about management of certain “permissions” to do X, cumvention of copy- and use-controls to be lawful Y, or Z with digital information. If DRM systems when performed for noninfringing purposes, such as were about digital management of rights, they would to enable fair uses. Circumvention of access controls need to be designed so users could express their rights was treated differently by lawmakers on the theory under copyright, too. Thus far, digital rights expres- that lawful access is a prerequisite for fair use rights. sion languages (RELs) lack semantics to allow the Unfortunately, early decisions interpreting the expression of concepts like fair use [5]. DRM cannot DMCA, such as Universal City Studios v. Corley in accommodate user rights without REL vocabularies 2000, have treated persistent access controls, such as capable of expressing them. Even if RELs developed the Content Scramble System (CSS) used in DVD semantics to express user rights, content owners may players and discs, as access controls. Universal charged

42 April 2003/Vol. 46, No. 4 COMMUNICATIONS OF THE ACM Corley with violating 1201(a)(2) for posting a CSS embed CSS in the licensed DVD players. decryption program known as DeCSS on his 2600 The recording industry hoped to achieve a similar magazine’s Web site as part of its news coverage of the result in negotiations with makers of digital music controversy about DeCSS. By ruling that DeCSS was players through the Secure Digital Music Initiative a 1201(a)(2) tool, not a 1201(b)(1) tool, the (SDMI), a consortium organized by the major labels implicitly ruled that circumventing CSS to make fair who are members of the Recording Industry Associa- use of a DVD movie violates 1201(a)(1)(A). tion of America and that included representatives of In this and other respects, the Corley decision makers of digital music players. These negotiations adopted the copyright industry’s preferred interpreta- were unsuccessful for a number of reasons, including tion of the DMCA as virtually unlimited in its pro- diverse interests of participants and weaknesses in tection of DRM. Subsequent decisions may correct watermarking technologies SDMI proposed as stan- some errors in the Corley decision, but for now it is a dards. Princeton University computer science profes- benchmark interpretation of the DMCA. sor Edward Felten, along with certain colleagues and Constitutional challenges to DMCA anti-circum- some students, quickly discovered these weaknesses vention rules were unsuccessful in Corley, but many when SDMI challenged the hacker community to scholars of intellectual continue to doubt break them (see Felten’s article in this issue). SDMI their constitutionality. Even though the Corley deci- initially tried to suppress of Felten’s paper sion might suggest that Carnegie Mellon University about the weaknesses, claiming it was an illegal cir- researcher David Touretzky’s Gallery of CSS cumvention technology. After Felten sought a court Descramblers violates the law, the First Amendment declaration that he had a First Amendment right to of the U.S. Constitution would almost certainly pro- publish, SDMI withdrew its objection. tect his right to post this educational material on his Though the content industry must surely be pleased Web site, as well as my right to link to this gallery on by recent DRM-friendly developments, such as my course Web site. ’s Palladium initiative and the Trusted Com- Further challenges to the DMCA’s rules may be puting Platform Alliance (TCPA) for embedding DRM fueled by the U.S. Supreme Court’s recent decision in into platform infrastructure, it must also worry about Eldred v. Reno. Even though the Court upheld the three things: Microsoft and TCPA firms cannot control Extension Act (CTEA) of 1998, it every platform for playing, viewing, and copying digital did so because the life of the plus 70 years was content; competition among different DRMs may frag- still a “limited time,” as the Constitution requires, ment the consumer market and suppress consumer whereas the DMCA anti-circumvention protection is demand; and as Johansen, Felten, and others have perpetual in duration. The CTEA added 20 years to proved, no DRM technology is hacker-proof. the terms of existing copyrights, thereby thwarting the Mandating standard DRM technologies in digital plans of Eric Eldred to publish works from the 1920s media devices would address the first two. Sen. Ernest on the Web. Among the whose works are still Hollings (D., SC) introduced the Consumer Broad- in copyright thanks to the CTEA are Bela Bartok, band and Digital Promotion Act of 2002 Kahlil Gibran, Robert Frost, and Maurice Ravel. The (S. 2048), contemplating that representatives of copy- DMCA impedes the progress of science, is economi- right industries, makers of digital media devices, and cally unjustifiable, and lacks the balance the Constitu- consumer groups would have 12 months to reach tion requires of intellectual property legislation. agreement on a DRM standard. Even if no consensus emerged, the Hollings bill would give the Federal DRM Mandates? Communications Commission (FCC) authority to DRM can be mandated in two ways: through stan- require digital media devices to embed whatever dard-setting processes or through public legislation. DRM technology the FCC selected as a standard. Illustrative of the former is the agreement reached in Thereafter, it would be both a civil wrong and a felony 1996 between the motion picture and consumer to make any digital media device without this DRM electronics industries about a standard technical and/or to remove or tamper with it. measure for DVD players and discs—the CSS code The Hollings bill has no immediate prospect of Norwegian teenager Jon Johansen famously reverse- enactment, in part because several prominent mem- engineered in 1999. The motion picture industry bers of Congress oppose it. But it is important to had significant leverage in these negotiations because understand it is what some in the content industry it owned key for DVD players. No firm can really want and can be expected to pursue vigorously build a DVD player without licensing these patents, in Congress. There are already two U.S. precedents and no is granted without agreement to for mandating technical measures: the Audio Home

COMMUNICATIONS OF THE ACM April 2003/Vol. 46, No. 4 43 Recording Act (AHRA) of 1992, which requires innovation, and other social values. This needs to be installation of serial copy management system chips done soon, so Congress realizes that information in all consumer-grade digital audiotape technologies; technologies are useful for more than allowing users and the DMCA, which requires Macrovision’s copy- to engage in “.” control technology be installed in all post-1998 videocassette recording devices. Meanwhile, one or Consumer Protection more “mini-Hollings” bills may soon be proposed to DRM mandates may seem inherently anti-consumer. mandate DRM in particular devices; consider, for However, AHRA allows consumers to make first-gen- example, the proposal to mandate “” eration personal-use copies of digital audiotape technology in digital to mark the programs () recordings, though they also have to pay a tax rights holders do not want users to copy. If Congress on DAT technologies for eventual distribution to mandates standard DRMs through a series of such copyright owners. Though the DMCA may have bills, it may eventually seem logical to adopt a more mandated installation of Macrovision’s copy-control general mandate of DRM in digital media devices. technology in videocassette recorders, it permits some The content industry complains bitterly that the home taping of digital content. The Hollings bill technology industry has been uncooperative with its contemplates that consumer groups would be repre- efforts to control piracy through DRM. The Hollings sented in negotiations about DRM standards and that some personal-use copying would be permissible. Hopefully, consumer discontent Three exceptions to DMCA anti-circumvention rules respond to consumer interests. Nonprofit orga- with highly restrictive DRM MAY nizations can lawfully circumvent access controls to allow them to decide whether to buy DRM-protected FORCE CONTENT OWNERS content. Parents can circumvent DRMs to regulate TO MAKE DRM MORE what their children access. Individuals can also cir- cumvent DRMs to protect against unauthorized col- CONSUMER-FRIENDLY, lection of their personal data. The U.S. in 1999 conducted a rulemaking on the though this remains to be seen. DMCA anti-circumvention rules that recognized the right of lawful users to circumvent broken access con- bill is partly intended to give the content industry trols and assess -filtering programs. leverage in negotiations with the technology industry Thus, the law already provides some consumer on DRM standards. The only way to preclude out- protection, if weakly, for DRM technology. More is siders from developing technologies lacking an agreed- in the works. Rep. Rick Boucher recently introduced upon DRM standard would be legislation to mandate legislation in response to consumer frustration with it. Privately negotiated DRM mandates are unlikely to copy-protected CDs. These CDs typically fail to warn accommodate fair uses, and once industry groups have consumers prior to purchase that: they are copy-pro- agreed on a DRM standard, the public will have little tected; they may not play on their preferred digital leverage for demanding fair use accommodations. media device; and the music may not be recordable The content industry cannot realistically expect on their personal computer. Boucher’s Digital Media DRM mandates to stop “darknet” (such as peer-to- Consumers’ Rights Act of 2002 (HR 107) would out- peer ) distribution of copyrighted content law sale or distribution of digital music products [1]. The main goal of DRM mandates is not, as the without adequate labeling and direct the Federal industry often claims, to stop “piracy” but to change Trade Commission to adopt rules about digital music consumer expectations. In the content industry’s product labeling. view, consumers don’t have rights; they have expecta- The more widely DRM is deployed, the more tions. Consumers may not like DRM systems, but if likely are other consumer-protection rules (such as for “legitimate” content is available only on this basis, user privacy) (see Cohen’s article in this issue). Begin- they’ll get used to it. ning in 2001, the imposed an oblig- The technology industry and computing profes- ation on copyright owners to enable users to exercise sionals can effectively oppose DRM mandates only by certain copyright exceptions (see Dusollier’s article in communicating to policymakers the positive virtues this issue). Even bolder is a proposal [2] to establish a of general-purpose and other technologies “fair use infrastructure” for DRM-protected content with substantial noninfringing uses and the reasons under which content owners would have to deposit DRM mandates would negatively affect competition, keys to DRM locks with an escrow agent, so fair users

44 April 2003/Vol. 46, No. 4 COMMUNICATIONS OF THE ACM could obtain the keys when needed. Rep. Christopher of enabling significant noninfringing uses of copy- Cox (., CA) has endorsed digitalconsumer.org’s righted works. It would further amend the DMCA’s “consumer bill of rights” by proposing a resolution to anti-tool rules to immunize tool making in further- announce as “the sense of Congress” that consumers ance of scientific research about technical measures. who legally acquire copyrighted works should be free to use them in various noncommercial ways, includ- Conclusion ing to time- and space-shift, make backup copies, use This article is entitled “Digital Rights Management the information on the platform of one’s choice, and {and, or, vs.} the Law” because DRM has more than transform copies from one to another. A fairer one potential relationship with the law: it can balancing of the interests of copyright owners and the enforce, displace, and override legal rights, while the public could be attained if DRM technologies had to law can constrain the of DRM. accommodate these and other consumer rights. How DRM and the law interact over the next Broader consumer protection in DRM will not decade depends on decisions made in the near future happen overnight. Unless the technology industry, by individual technologists, firms in the technology computing professionals, and public interest organiza- and content industries, participants in standard- tions define and endorse a common set of principles, setting processes, and legislators and other policymak- it may not happen at all. But the content industry is ers. DRM technology is not policy neutral but highly deluded if it thinks there are no limits on the controls policy charged, in part because of the goals the con- it can exercise over the uses of digital content. Hope- tent industry has for it. fully, consumer discontent with highly restrictive It may seem obvious to computing professionals why DRM may force content owners to make it more con- DRM should not be mandated in digital media devices sumer-friendly, though this remains to be seen. and why consumers, scientists, and other legitimate reverse-engineers ought to be able to continue to engage Reforming the DMCA in fair and other noninfringing uses of copyrighted Consumers, researchers, and other legitimate reverse works. Unfortunately, it is not as obvious to members of engineers would benefit from enactment of the Dig- Congress and other policymakers. Computing profes- ital Choice and Freedom Act of 2002 (HR 5522), sionals can make a positive difference in the policy co-sponsored by Reps. Zoe Lofgren and Mike debates over DRM—if they choose to do so. c Honda (D., CA). It states that “[c]ontrary to the intent of Congress, Section 1201 has been inter- References preted [in Corley] to prohibit all users—even lawful 1. Biddle, P., , P., Peinado, M., and Willman, B. The darknet and the future of content distribution. In Proceedings of the 2002 ACM Work- ones—from circumventing technical restrictions for shop on Digital Rights Management (Washington, DC, Nov. 18, 2002). any reason. As a result, the lawful consumer cannot 2. Burk, D. and Cohen, J. Fair use infrastructure for rights management systems. Harvard J. Law & Tech. 15 (2001), 41–83. legally circumvent technological restrictions, even if 3. Foundation. Some Confusing or Loaded Words and Phrases he or she is simply trying to exercise a fair use or to That Are Worth Avoiding; see www..org/philosophy/words-to- utilize the work on a different media device.” avoid.html. 4. Lessig, L. Code and Other of Cyberspace. Basic , NY, 2000. To restore the balance Congress intended to 5. Mulligan, D. and Burstein, A. Implementing copyright limitations in achieve with the DMCA and repudiate restrictive rights expression languages. In Proceedings of the 2002 ACM Workshop on Digital Rights Management (Washington, DC, Nov. 18, 2002). interpretations (such as Corley), the Digital Choice 6. Samuelson, P. Intellectual property and the digital economy: Why the anti- Act would allow lawful acquirers of copyrighted mate- circumvention rules need to be revised. Berkeley Tech. Law J. 14 (1999). rial to circumvent technical measures if necessary to 7. Stefik, M. Shifting the possible: How trusted systems and digital prop- erty rights challenge us to rethink digital . Berkeley Tech. Law make noninfringing uses of the work if the copyright J. 12 (1997). owner has not made publicly available the necessary means to permit the noninfringing uses without addi- Pamela Samuelson ([email protected]) is a Chancellor’s tional cost or burden to users. Moreover, the Digital Professor of Law and Information Management at the University of Choice Act would permit users to make and distrib- California at Berkeley and Director of the Berkeley Center for Law & ute technologies necessary to enable noninfringing Technology. uses of copyrighted works. This work is supported through National Science Foundation Grant No. SES 9979852. The Digital Media Consumers’ Rights bill dis- Permission to make digital or hard copies of all or part of this work for personal or cussed earlier takes a slightly different approach but classroom use is granted without fee provided that copies are not made or distributed has a similar goal. It would make circumvention law- for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute ful as long as it does not result in copyright infringe- to lists, requires prior specific permission and/or a fee. ment. Like the Lofgren-Honda bill, it would allow the manufacture and distribution of technologies capable © 2003 ACM 0002-0782/03/0400 $5.00

COMMUNICATIONS OF THE ACM April 2003/Vol. 46, No. 4 45