« Property Destruction and Kelo : Further Thoughts | Main | Tomorrow's Law »

February 17, 2006


TrackBack URL for this entry:

Listed below are links to weblogs that reference Adding Mistrust to Digital Rights Management:

» Suspicious DRM from Novus Diem
I am slightly amazed by Randy Pickers recent post on DRM points out some possible changes made to DRM schemes to make them more effective, such as watermarking or embedding your account info into the content. The mistake here (which he partial... [Read More]

» The University of Chicago Law School Faculty Blog: Adding Mistrust to Digital Rights Management from brachiator
Randy Picker at the U of C law school has an intriguing and maddening proposal about Adding Mistrust to Digital Rights Management. In embedding identity into content, we may also need to embed access to something valuable, a hostage or mi... [Read More]

» DRM & Mistrust from IPcentral Weblog
Ray Gifford was impressed by a talk given by Chicago Prof. Randy Picker at a recent Silicon Flatirons program on The Digital Broadband Migration. His major point: Meaningful DRM may need to be identity-based, meaning that we can glean the... [Read More]


Feed You can follow this conversation by subscribing to the comment feed for this post.


"[W]e can deal with that problem by simply eliminating the ability of content players from using content not protected by the DRM scheme."

You're trolling, aren't you, Cory?


I realize that one can argue that this won't work if people can just convert the content from digital to analog and back again.

Isn't the whole point of a watermark to be robust to straightforward format conversions? If you can remove a watermark by simply converting it to an MP3 file, then it's not going to be very useful for tracking down the source of P2P files, which are often converted to MP3 format before trading.

Cory Hojka

For the benefit of other readers, the definition of "troll" or "trolling" according to wikipedia is as follows:

"[A] troll is a person who posts rude or offensive messages on the Internet, such as on online discussion forums, to disrupt discussion or to upset its participants. 'Troll' can also mean the message itself or be a verb meaning to post such messages. 'Trolling' is also commonly used to describe the activity."

So to answer a question posed by nedu, I'm not trolling in so far as I can tell.

Of course, that doesn't mean that something I might say is not without controversy. I can see why you might feel the ability of content players to use only DRM-protected content is a controversial position. However, it's pretty clear that content providers, hardware manufacturers, and lawmakers are already considering such a position with the next generation of HDTV content (see http://www.eff.org/IP/DRM/). Regardless of whether these approaches are morally right or wrong to one's choice of perspective, we should nonetheless be willing to consider such approaches in our analyses of Picker's proposal.

Also, I'd emphasize that the consumer use of digital content is not the only market for DRM tools. There are other systems, such as secure networks for corporate, military, or intelligence use, where the ability to manipulate and use DRM-free content in their systems may serve no beneficial purpose, but simply pose a security threat to the integrity of such a closed network.

Cory Hojka

Tim wrote, "Isn't the whole point of a watermark to be robust to straightforward format conversions?"

In reply, I'd say that the proposal I offered is robust to straightforward format conversions if the content being manipulated is the digital form of the content. That it doesn't bear that characteristic in the analog representation is deliberate. The point is that the watermark remains in the digital content and is undetectable to the user (and unremovable) unless the entire DRM scheme has been broken.

Further, in DRM-only systems, cracking the DRM scheme doesn't entirely solve the problem. If I want to share the content with you via p2p, we need to also know how to remove and replace the watermark with a new valid one (after which I'd reconstruct the DRM wrapper). Otherwise, if it's shared over an open network, the detection of that watermark could lead to the content's de-authorization in the DRM-only system.

As for the mp3 problem, there are approaches to eliminating or reducing that as a concern. One is to use DRM-only content players. Another is to take a statistical image of the mp3 content, compare it against a database of copyrighted songs, and then if it appears too similar to an item in that database we can choose any number of actions (such as refusing playback or notifying the content holder of the event).



So when you say we should "use DRM-only content players," are you proposing that iPods be outlawed? Will the police be conducting house-to-house searches to make sure everyone gives their iPods up?


"Will the police be conducting house-to-house searches to make sure everyone gives their iPods up?"


The University of Chicago Press publishes a model statute just for that. Some people might think the language just a little bit archaic, and in need of an update. Otoh, I've always rather like the poetry in this passage:

"And for the better discovering of printing in Corners without License Be it further enacted by the Authority aforesaid That one or more of the Messengers of his Majesties Chamber by Warrant under His Majesties Sign Manual or under the Hand of one or both of His Majesties principal Secretares of State or the Master and Wardens of the said Company of Stationers or any one of them shall have power and authority with a constable to take unto them such assistance as they shall thinke needfull and att what time they shall thinke fitt to search all Houses and Shops where they shall knowe or upon some probable reason suspect any Books or Papers to be printed bound or stitched especially Printing Houses Booksellers Shops and Warehouses and Bookbinders Houses and Shops and to view there what is imprinting binding or stitching and to examine whether the same be licensed and to demand a sight of the said License and if the said Booke soe imprinting binding or stitching shall not be licensed then to seize upon so much thereof as shall be found imprinted togeather with the several Offenders and to bring them before one or more Justices of the Peace whoe are hereby authorized and required to commit such Offenders to Prison there to remaine untill they shall be tried and acquitted or convicted and punished for the said Offences [...]"

14 Car.II, c.33

Cory Hojka


There is no need to outlaw ipods as they are. Nor is there any need for jack-booted thugs to kick in your doors and grab them out of your hands. All that need occur is for Congress to pass a law that requires content players (whether manufactured in the US or imported) to only play content according to a DRM industry standard. For an example of such a possible legal mandate of this nature, take a look at the Digital Content Protection Act of 2006, which would impose DRM compliance on appliances that convert analog video to digital content.

Regardless, even legal mandates may not be necessary, as we've seen in the cellular industry how wireless providers use closed networks and controlled access to cell phones in order to protect revenues from ringtone services. If people one day stop buying ipods in favor of iTunes-enabled phones, do we need Congress pass laws imposing DRM to achieve DRM-only systems? Perhaps not.

Now, on a separate point, I'd like to note that people will often have strong reactions about how and whether DRM should control our access to digital content (as I think is indicated by some of the comments exhibited above). That's perhaps not a bad thing in itself, but I don't think our pro-DRM, anti-DRM, or totally ambivalent feelings about DRM should negate our consideration of the many ways that DRM can be implemented from a technical or legal perspective.

In other words, where a proposal is made about sowing distrust in P2P networks, why shouldn't we consider how such approaches can be made in various different situations, such as: 1) where a legal mandate requires DRM-only systems, 2) where the network and network appliance are stringently controlled by the provider and thereby establish through private means a DRM-only system, 3) where DRM-only systems are prohibitied all together, but where DRM is still tolerated, or 4) any other reasonable and feasible applications of DRM within a network environment?

Ed Felten


In this DRM-only world you're talking about, are programmable, general-purpose computers allowed? If so, how can the kind of watermark you propose possibly be robust? Is there any evidence at all, either theoretical or practical, that such a watermark can exist?



I'm still not understanding your position. Right now, I've got an iPod that plays MP3 songs. Unless the police come and take it away from me, I plan to continue using it until it dies, which might take decades, given that it's a solid-state device. So even if you could design a totally hack-proof watermark, your DRM-only mandate would merely discourage me from purchasing future generations of iPods. I'd still be able to listen to all the bootleg music I wanted.

As Prof. Felten suggests, the challenge with general-purpose computers is even greater. There are several hundred million of them in the wild today, the vast majority of them capable of playing MP3 files. So unless you're going to confiscatethose as well and mandate that everyone computer on XBoxes 360s and PS3s, it's not clear to me how you're going to prevent people from writing MP3 players for their computers, the law be damned.

Cory Hojka


Since May 19, 1986, the manufacture of machine guns to individuals has been prohibited in the United States. In essence, this means that the only legal market in machine guns for public consumption are those that were made and registered prior to May 19, 1986. As a result, while there is a limited, small, and legal market for machine guns in the United States for individuals, for the most part we could entirely ignore it as non-existent when considering the general market in firearms that exists in the United States today. This isn't to say that ipods should be treated as machine guns, but I feel perhaps this analogy might help to demonstrate why your possession of an mp3-enabled ipod of today could be totally irrelevant to the market of tomorrow (and without us ever having to bother to confiscate it).

I think a more serious criticism one could ask though is how permeable an attempted ban could be. In other words, even if Congress mandated DRM-only portable music players, would people be able to get around the laws by illegal importation of portable music players from other countries?

Here, unlike machine guns, there is not going to be stringent enforcement of the import ban. Nonetheless, even without federal laws, we can see an example of DRM restrictive use in the marketplace, which people could avoid by some savvy buying or importation, but generally where they do not attempt to do so. What I'm referring to here is the region-encoding of DVD players. While some people do go out of their way to purchase region-free/programmable DVD players, we generally can assume that the vast market of such products in the US generally consists of voluntarily purchased Region 1 DVD players.

Thus, if we have general compliace today with a DRM restriction in the market, even where a small black market exists to the contrary, I don't see why a legal or market ban on non-DRM-only could not also be effective. True, such a ban is going to have to take into account the individual incentives to violate the ban and what the transactional costs to do so will be, but that is true of any ban.

(Ed, as for your question, I think I'd have to live in magical land to believe that such computers will not exist in the future. Perhaps there will be some countries that don't allow them for public consumption (i.e., China), but as a whole it's reasonable to assume that they will continue to exist. That doesn't mean, though, that they will always have equivalent access to a communication network. This can have important consequences where the availability of content is determined by accessibility to certain networks (such as if music is only distributed though controlled-access cellular networks).)

Ed Felten


You're really suggesting that the *only* distribution channel for music will be through controlled-access networks? No CDs? No iTunes Music Store? No Pandora? No new-Napster? No radio? In short, no music distribution technology that has ever been successful? This doesn't seem like a good plan for saving the music business.

P.S. I'm writing this on a general-purpose computer that is connected to a controlled-access cellular network.

Cory Hojka


A word without CDs isn't all that shocking to comprehend. Last that I checked, the market for new eight-track tapes is very small (Sidenote: You may also want to read up on why it is that consumers were forced to switch to CDs from records. It's a classic example of how consumer preferences aren't always what drive the market).

As for radio, we have XM and new digital broadcast standards moving into the market. After all, why stay with old analog methods when new digital methods shall become available that enhance reuse and offer additional features? If so, why can't radio become a controlled network? To my knowledge, no one out there is hacking XM radio, but even if there is, it doesn't seem like it's much of an issue for the XM market as a whole.

And yes, your computer is allowed access to the Internet via the cellular network, but you don't have any access beyond that to the cellular network. If your cellular provider disables certain bluetooth features on your new nifty phone, the only way to get content on your phone is through their services. Your computer's limited and controlled access to the network will have bear no consequence on that situation.

(In addition, cell phones are subsidized to the point of being free, yet to my knowledge no cell phone company has ever subsidized the purchase of a laptop. I think this is a good indication that music-enabled ipod-killing phones might also be distributed in such a fashion, in which case consumers might be very happy to get a "free" product that is strongly controlled by DRM when subscribing to their cellular services provider.)

Finally, I think that it's pretty apparent that arguing "what works today is a restriction on what happens tomorrow" is an argument that becomes quite tenuous the further we look ahead in terms of technology. Ten years ago, commercial distribution of music via the Internet was next to non-existent. Twenty years ago, cell phones were little more than sophisticated walkie-talkies. Fifty years ago, computers were still made with vacumn tubes. That's only in technical terms, we could also look at the sophistication of commercial practices to see that they too have evolved quite a bit each decade. Thus, where we are talking about certain commercial industries (DRM, commercial networks, etc) that are only in their infancy compared to other mature technologies, I think it's a bit extreme to only consider what is currently commercially viable as the only basis for determining what technically feasible approaches may shape the future markets of tomorrow.

Randy Picker

Ed Felten has a post on this at http://www.freedom-to-tinker.com/?p=980

Worth reading and he promises to post generally on watermarking tomorrow.


Intriguing proposal, but troublesome (granted, I loathe the RIAA and MPAA as a starting point).

The policy and economic problem I see here, beyond that this proposal would further threaten my traditional use rights, is that what creates the risk and negative incentive to share for the purchaser also creates opportunity and positive incentive to steal legitimately purchased music including by engaging in "illicit" downloading of tracks that have made it into "the wild." I elaborate on this a bit more on my blog-like scratchpad at http://www.brachiator.net/?p=159, but the upshot is that I see the individual music track being transformed from an item of commerce and art into an item of currency, with each track potentially worth more to a thief in redemption value than in musical value. The negative incentive is a supply-side solution, which may be more appropriate in this context that in any other, but I see the increased demand as worrisome.

On the other hand, I have largely abandoned all but absolutely necessary downloads from the DRM'd iTunes Music Store, in favor of bands, labels and distributors (e.g., eMusic.com) who not only trust me but recognize the positive value of me sharing my music with my close friends. So there will probably always be a market alternative... and these may become more attractive anyway, as purchasers realize their major label downloads and CDs could cost them $50 or $500 a pop.


I always find these sorts of discussions by politicians and lawyers fascinating, because they are inevitably so divorced from what is feasible technically. One of the posts in this discussion (nedu's) made it sound that there could be a law that only DRM controlled devices could exist. Congress could try to repeal the law of gravity too, and it would do just about as well.

The problem is that the heart of an audio player is what's known as a Digital-Analog Converter, and in a recorder is an Analog-Digital converter. Closing the "analog hole" legally requires outlawing A/D converters. I spoke to an engineer friend of mine recently about outlawing A/D converters and he chuckled - they are really quite simple to make even from transistors or other readily available components. In fact, making them is one of the projects in an introductory electrical engineering class. Of course you don't have to go that far: there are literally billions of A/D and D/A converters in existence today - in every computer sound card, for instance. There are millions of people around the world who can use them to build "illegal" unrestricted digital recorders.

So if you can't close the analog hole, you have to allow people to re-record sound files digitally. The presence of a imperceptible-to-humans water mark would have to survive the re-recording process. Assuming this is even possible, to top it off, what and where in the file it is has to be kept secret - forever. Once it gets out, as it inevitably will, it will be trivial for anyone to write software that scrambles or invalidates the mark.

Time to stop thinking about this - it really is game over as far as DRM in audio is concerned.


Well that's one way to create work for the anti-fraud enforcement groups! You can't seriously be arguing in favor of exposing people's accounts this way. Programs like LimeWire routinely search through the user's hard drive and share all media files. All it takes is one bad user on a computer to install a P2P app that does that and... that's all she wrote for a few users' identities.

Randy Picker


As I say in the current draft of the paper, this proposal flips around the current Darknet critique of DRM. That says it only takes one: one person to break the DRM scheme and then the content is out in the clear.

As your comment makes clear, it may take only one bad user to sow distrust in the p2p system and that may reduce considerably the extent to which consumers are willing to share files.



I think your solution causes far more problems than it solves, based on the summary you provide. If I get a chance, I'll read your full paper soon, but no promises right now ;)

Anyway, consider DVDs. The DRM is weak, but effective. The main reason that DVDs have been difficult to pirate has been technical, not legal. It's common practice for bad data to be put into disks to make DVD copying programs choke. Believe it or not, but DVD rippers have what amount to shelf lives. They get a little bad data sometimes and BOOM (to put it in layman's terms).

Bandwidth throttling of P2P networks is the best way to squeeze the life out of them. The studios should be paying ISPs all around the country to throttle their networks. Imagine paying $1-$3/user for throttled bandwidth for P2P apps. I've seen it work very well at my alma mater, JMU. It can be very practically applied, and Gnutella-based stuff is almost worthless there now because it gets 5mpbs for the entire 15,000+ student body. That's not even 2 cable connections shared between 15,000 potential P2P users. As you can imagine, that's killed a lot of it.

If DVDs had been designed to use 128bit encryption, we'd probably only now be finally seeing useful ripping software. 48bit encryption can be broken easily on a Pentium II. Today's dual core multi-gigahertz processors would annihilate it.

I think your solution is going to be quite dangerous from a technical point of view. Just me, but I think that exposing that much control over user accounts via a media file is the height of bad design. That's my view as a software developer, anyway. There are a lot of major technical issues that make it extremely difficult to have an open, competitive DRM market. This proposal sounds like it would end up being a ticking time bomb of liability on many fronts for the companies that use it.


And one more thing before I forget. You want to make it a mind-numbing experience. Cause random timeouts on their connection and make it peak at about 4-5kb/second. That download rate will keep some doing it overnight, but the timeouts will cause them to have to sit around searching for it over and over again unless the software does automatic search/reconnect EVERYTIME that it gets cut off.

Cory Hojka


If they have the right motivation and tools to do so, people can build a lot of things, such as machine guns, aircraft, log cabins, and even D/A and A/D converters. That people can and may even do such things does not mean that laws cannot have a significant impact.

For example, back in the days of the Reagan administration, Congress passed the Electronic Communications Privacy Act of 1986 (see http://floridalawfirm.com/privacy.html). As a result of this law, technical constraints were imposed on radio scanners sold or imported in the United States (primarily to restrain people from listening to cellular/cordless phone conversations).

Now, it's true that someone with enough skills and effort can modify or build a radio scanner that gets around these limitations. However, one can't just walk into a store and buy one. As a result, the number of people with the ability to listen to these prohibited RF bands has significantly decreased. Thus, even though there are still people engaged in the activity , the law has been effective in reducing the specific undesirable activity targeted.

In terms of the "analog hole," a law restraining the sale and import of sophisticated A/D equipment may be enough to severely limit the number of people engaged in bypassing DRM measures through D/A to A/D techniques. Thus, we could see a reduction in piracy with regards to this specific reconversion activity.

Of course, this success could simply lead to people deciding to share the content more broadly when someone else does the reconversion, instead of doing the reconversion themselves. So to reduce piracy overall, we would also need to reduce the incentives for sharing pirated material, which is what Picker is discussing in his proposal above.

Ugly American

In terms of the "analog hole," a law restraining the sale and import of sophisticated A/D equipment may be enough to severely limit the number of people engaged in bypassing DRM measures through D/A to A/D techniques. Thus, we could see a reduction in piracy with regards to this specific reconversion activity.


So you're anti-independent and pro monopoly? This is the same equipment used by independent filmmakers (and we have had the same issue in the music business wrt digial media for a long time).

Such laws disadvantage the independent content producer and cement the exploitative position of the record companies and major movie studios.

AFAICS, the only ones with "digital rights" are the studios. What about my rights? I purchased half a dozen Disney DVD's when living in Europe and upon returning home learn all about region coding. I've purchased the rights to the content, but I'm not allowed to see it unless I'm Europe? Disney won't exchange them (although they will exchange scratched disks for a reasonable media fee of $7).

We're gettin screwed and I'm not playing anymore. I'm not purchasing any media without a clearly written rights license that separates the rights from the media and allows me to make media transfers for personal use.

Otherwise, what did my money buy? Apparently, there is no clear answer to this question and it needs to be settled in the courts.

Cory Hojka

"Ugly American,"

Please let me revise my statement:

In terms of the "analog hole," a law restraining the sale and import of sophisticated A/D equipment, which is designed to bypass or not respond to DRM measures, may be enough to severely limit the number of people engaged in bypassing DRM measures through D/A to A/D techniques.

I apologize that I was not as clear as I should have been, but that was the original intent of my statement there.

In addition, considerable care should be taken when trying to infer someone's actual policy positions from discussions he has made about what is legally or technically feasible. What the law or market "can be" and "should be" are two separate issues, and I've seen many commentators who can spend all day talking about what the law and economics can be on some matter, even when they hold views hostile to such possibilities. Honestly, flexibility between these two areas of consideration is necessary; for example, if a lawyer is going to be able to adequately represent the best interests of his or her clients. Consequently, I feel that assertions or questions about whether I am “anti-independent” or “pro-monopoly” are neither relevant nor fair assumptions given the contributions I have made to this discussion.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.