07 September 2006

DRM Revocation List

DRM is inherently user-hostile, acting against user interests under a cover of stealth and mystery. As such, I'd classify it as commercial malware. It's politically significant as by design, it facilitates control over users' digital resources to be exercised by global agencies. So there are problems at the top of the "trust stack" - but this post isn't about that.

One of the features of DRM is the revocation list concept. This is a list of applications approved to work with DRM-protected material, and the EUL"A" will typically allow this list to be updated in real time as the list's originators see fit.

The idea is that if media playing device X was cracked to subvert DRM protection of content Y, then the ability to use device X would be revoked.

For now, I'll leave aside the obvious questions, such as:
  • Who controls the list?
  • Who else controls the list, i.e. as associates or legally-mandated?
  • Who else controls the list, by hacking into the list updates?
  • How well-bounded is the list mechanism to what it is supposed to do?
  • Who is accepted as a DRM content provider, and on what basis?
Instead, let's consider a possible obverse of DRM revocation - as a way to disarm media providers found guilty of exploiting users.

For example, if a media provider was caught dropping open-use rootkits from "audio CDs" (hey, that would never happen, right?) one possible remedy would be to revoke all of that provider's rights over all of their material. In essence, such a provider would be found unfit to exert any sort of control over any users, and be swept off the DRM playing field.

Obviously, this would materially reduce the value of that media provider to the artists who are contracted to it - in effect, the penalty undermines the contract with the artist, because the provider can no longer protect the artist's content. So for a certain period (say, a year) the artist has the right to drop their obligations to the provider and seek a new contract elsewhere. The reverse right does not apply, i.e. the provider cannot drop the artist if the artist chooses to stay.

Further, it has to be accepted that all existing protected material from that provider is now unprotected - so for a similar period, artists can sue the provider for damages, either as a class group or outside of any class action.

If this would seem to tip the scales to the extent that the media provider's business would be smashed, then fine. After all, were the provider to be an individual caught "hacking", they'd likely lose their livelyhood and do jail time - why should larger-scale criminals get off more leniently? Do we really want to leave known exploiters in the provider pool?

I'll bet there's no plans in place to use DRM revocation lists to defend users' rights in this manner, even though it's technically feasable. That speaks volumes on why one should IMO reject this level of real-time DRM intrusion. On the other hand, once you open up DRM revocation for broader use, why not use it to apply global government censorship, etc.? After all, there's nothing to limit it within the borders of any particular jurisdiction.

1 comment:

Chris Quirke said...

I haven't started to look at either yet ;-)

So it's too early for me to tell, but let's Google up...

http://www.blu-ray.com/faq/

http://en.wikipedia.org/wiki/Blu-ray_Disc

Sony, DRM, close head-to-disk implications for durability (or lack thereof), but faster and big.

Also, Sun's Java might be compulsory, and we know how clueful Sun is about disabling old exploitable JREs, and how long the average JRE lasts before patching.

The DRM could be vicious; one rogue disk can revoke capabilities. As usual, a dangerous amount of power for such untrustworthy hands as Sony et al.

In contrast...

http://en.wikipedia.org/wiki/HD-DVD

...HD-DVD appears to have more finesse on DRM (watermarking), and reduces Media Apartheid (regions)from Blue-Ray's 3 to zero (i.e. anyone can read any region)

In practice, the media corporations will take whichever gives them the most power, and we will be pressurised to use that.