'Open DRM' Is Snake-oil

from the oxymoron dept

A Pioneer spin-off called SyncTV has launched. Consumers will apparently be able to subscribe to "channels" of content, and eventually you'll be able to play those channels on a variety of devices around the home, as well as portable devices. So far, it looks like little more than vaporware, as their public website doesn't have any real details about pricing, supported devices, etc.

What really irritates me about the coverage of the launch is the description of Marlin as an "open-source DRM system." This phrase is a contradiction in terms, and anyone who claims their DRM scheme is open source, or based on open standards, is either confused or trying to mislead. For a product to be considered open source, not only must the source code be publicly available, but there can't be any legal restrictions on the modification and re-distribution of the product. On the other hand, DRM works by ensuring that approved devices won't perform certain operations, such as converting content to an unencrypted format. The two sets of requirements obviously can't be reconciled.

SyncTV's site phrases things slightly differently, describing its platform as "completely based on open standards." But this, too, is deceptive. An open standard is one that anyone is free to implement without asking for permission. HTML is an open standard: you don't need a license from the W3C to create a new web browser. On the other hand, a DRM scheme requires a licensing authority to verify that each new device complies with the rules of the DRM scheme. And we've seen incumbents use this approval process (and the DMCA, which gives it the force of law) to squash innovative competitors that threaten their business models.

Marlin could turn out to be marginally better than some existing DRM schemes if it employs less restrictive licensing terms. But it's still a DRM scheme, and that means there's nothing "open" about it.

Companies: pioneer, synctv

Comments on “'Open DRM' Is Snake-oil”

15 Comments
Chris Maresca (user link) says:

Open Source DRM

… is in fact possible, although possibly not advisable.

“For a product to be considered open source, not only must the source code be publicly available, but there can’t be any legal restrictions on the modification and re-distribution of the product”

That is actually wrong. There are a large number of open source licenses that prohibit certain types of modifications (such as the CPAL license). And if the code is owned by one copyright holder, there is the possibility of dual licensing.

Also, from a technology standpoint, it’s perfectly possible to use open source to protect content. If that were not the case, SSL, SSH, encrypted filesystems, encrypted archives and other content protection would be basically impossible. In fact, it’s a basic tenet of cryptography that the best encryption schemes are open.

Now, whether open source DRM is in keeping with open source principles is another story. There are, however, a number of instances where DRM is actually useful, like limiting the distribution of contracts, for example, or making sure that electronic tests are not tampered with. So whether or not open source DRM is a contradiction of open source principles largely depends on how it’s applied, not the actual technology implementation.

Chris.

Tim Lee (user link) says:

Re: Open Source DRM

If a license doesn’t give people the freedom to modify and redistribute a product, then in my view it’s not an open source license. Otherwise, “open source” becomes a meaningless term.

“Also, from a technology standpoint, it’s perfectly possible to use open source to protect content. If that were not the case, SSL, SSH, encrypted filesystems, encrypted archives and other content protection would be basically impossible. In fact, it’s a basic tenet of cryptography that the best encryption schemes are open.”

This is an apples-to-oranges comparison. While most DRM schemes include some crypto, DRM and crypto are different technologies with different purposes. The fact that secure crypto is often open doesn’t mean that DRM can be open.

Chris Maresca (user link) says:

Re: Re: Open Source DRM

Crypto is the core of DRM. There is no DRM without it.

It’s very, very easy to make content which can only be viewed with the correct key or certificate with things like OpenSSL. There is no magic here, all the technologies already exist, in open source. Just because the rights management engine is open source doesn’t mean you have the correct certificate to view the content. GnuPG and Enigmail are examples of this in action, both implement a form of DRM.

That was my point. Perhaps a bit technical, but it can (and has) been done entirely with open source technologies without violating any license clauses.

Chris.

Tim Lee (user link) says:

Re: Re: Re: Open Source DRM

I discuss the difference between DRM and crypto in considerably more detail here. In a nutshell, the distinction is this: With traditional crypto, you’re trying to stop third parties from intercepting your message. This can be done with standard crypto techniques. With DRM, you’re effectively trying to stop the recipient from intercepting the message. That’s not a problem that’s solved by crypto. It’s a problem that’s solved by obfuscation and “security by obscurity.” This is also why every important DRM scheme in history has been cracked in a matter of months.

GnuPG and Enigmail are traditional crypto programs, not DRM programs. They focus on protecting your emails from third parties, whereas DRM schemes focus on “protecting” content from the legitimate recipient.

Kent Yoder says:

Re: Re: Re:2 Open Source DRM

OSS can certainly implement DRM.

DRM is effective when the correct subset of users has access to the keys used to provide confidentiality for the data. This is completely independent of whether the source code of the programs implementing the DRM is OSS, is modifiable or redistributable by the terms of the license, etc.

This is what people were so up in arms about with the introduction of the GPLv3. Originally the GPLv3 mandated that in addition to the software being distributed with the source, the *encryption keys* had to be distributed too, to prevent DRM from being implemented using a GPLv3 program.

This was also one of the first misconceptions that came around when trusted computing support for Linux was being implemented.

Kent

Kent Yoder says:

Re: Re: Re:4 Open Source DRM

“If DRM software is open source, and the software has access to the encryption keys, then what’s to stop the end user from modifying the software to reveal the encryption key?”

There’s nothing that would require keeping the user from doing what you describe. The DRM might be broken, but it’s both a DRM system and OSS, and being OSS isn’t what broke this system. Being OSS only makes the hacker’s job easier in this case.

If you want effective DRM with any software, closed source or open source, you’ll need secure hardware such as a TPM or in the case of Tivo, hardware that checks the signature of the binary before it runs. In the Tivo case the binary that’s run is GPL and is modifiable by the end user, but the system won’t run it if its signature doesn’t match one embedded in the Tivo firmware.

BTW I’ve got no real experience with Tivo, I’m just working off my understanding based on reading the internets.

Kent
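Added example, not part of the comment thread and not any vendor's code: a sketch of the signed-boot check described in the comment above, where the device holds only a public key and refuses a binary whose signature does not verify. The key (built from two Mersenne primes), the image strings and the function names are constructed for illustration, and textbook RSA without padding stands in for a real signature scheme.

```python
import hashlib

# Constructed toy key: two Mersenne primes so the example is reproducible offline.
# Textbook RSA without padding; illustration only, not a secure signature scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public half, embedded in the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private half, held only by the vendor


def digest_int(image: bytes) -> int:
    """SHA-256 of the image as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def vendor_sign(image: bytes) -> int:
    """Vendor side: sign the image digest with the private exponent."""
    return pow(digest_int(image), D, N)


def boot(image: bytes, signature: int) -> str:
    """Device side: only N and E are available; refuse altered or unsigned images."""
    if not 0 < signature < N:
        return "refused: malformed signature"
    if pow(signature, E, N) != digest_int(image):
        return "refused: signature does not match image"
    return "booted"


# Constructed sample images standing in for the shipped binary and a user rebuild.
OFFICIAL = b"player v1: decrypt stream, render to screen only"
MODIFIED = b"player v1: decrypt stream, render to screen, local patch"
OFFICIAL_SIG = vendor_sign(OFFICIAL)

if __name__ == "__main__":
    print(boot(OFFICIAL, OFFICIAL_SIG))   # shipped binary with its signature
    print(boot(MODIFIED, OFFICIAL_SIG))   # rebuilt from source, old signature
    print(boot(MODIFIED, 12345))          # rebuilt from source, made-up signature
```

The source of the image can be fully public and modifiable; what the user lacks is `D`, so a rebuilt image never carries a signature the device accepts.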

Anonymous Coward says:

Not so fast.

“For a product to be considered open source, not only must the source code be publicly available, but there can’t be any legal restrictions on the modification and re-distribution of the product.”

That statement isn’t correct. That might be true for the OSI but plenty of others have different ideas about what “open source” means.

Tim Lee (user link) says:

Re: Not so fast.

I agree with the OSI that any license that doesn’t include the freedom to modify and redistribute the product can’t be considered an open source license, and I think that’s what most people expect when they hear the term “open source.” Obviously, “open source” is now a trendy enough concept that various people want to label more-restrictive licenses “open source,” but that doesn’t mean they are, in fact, open source in the sense the term is normally used.

Anonymous Coward says:

Re: Re: Not so fast.

“I agree with the OSI that any license that doesn’t include the freedom to modify and redistribute the product can’t be considered an open source license, and I think that’s what most people expect when they hear the term ‘open source.’”

What then would be the difference between “open source” and “free software”?

Chris Maresca (user link) says:

Re: Re: Not so fast.

Open source doesn’t preclude the generation of non-open source content. I think you are making a fundamental mistake in understanding this.

You can use Open Office to write a novel you sell, or you can use gcc to generate a proprietary binary. Just because the tools are open doesn’t mean that the content generated or managed by it is as well. If that were true, then open source PDF encryption projects like Apache FOP would be a waste of time as you’d have to give anyone who asked the key to decrypt your encrypted PDF….

The FSF’s position on DRM, while admirable, is a political position against the entire concept. It’s been discussed at length in the community and not all open source leaders (Linus Torvalds most notably) agree with FSF’s position. See http://lwn.net/Articles/30048/

Chris.

bummer Han (user link) says:

as claimed

to me the term open source (at face value) just means source available and modifiable.

but an ‘open source’ claimed and published, it must be assumed it is one that meets the OSI-approved mark.

It must be transparent and not craftily put to mislead, esp by proprietary vendors trying to associate their products with the ‘open-source’ term.

also, generally OS licencing addresses the binaries/programs, not the content or cryptos themselves.
qed.bummer.
