Why an open standard for DRM won't prevent the DRM trainwreck

If you've been following my various rantings on this blog, particularly the ones about file formats (OpenDocument Format vs. Microsoft's Office XML-based formats) or digital restrictions management (DRM) [sic], or a lot of what I've written over the last five years about open standards and intellectual property, then you'll know that for the benefit of technology buyers (ZDNet's audience), I'm a strong advocate of open standards.  Although I think its important to stick to open standards as much as possible in as many technologies as possible, I'm more sensitive to the areas in technology where proprietary choices can lead to or help maintain very large technology monocultures that restrict choice and, by virtue of that, often result in artificially propped up pricing for technology. 

When technology buyers opt for a proprietary foundational technology (be it a file format, a security technology like DRM, or something else like them), they're handing control of almost everything about that part of their technology -- the budget for it, the security of it, the performance of it, the choices for things that work with it, etc -- to the owner of that proprietary technology (ownership is usually afforded to the owners by way of a patent). 

As an example, whether they know it or not, users of Apple's iTunes Software, iPods, and Apple's iTunes Music Store (iTMS) are, by virtue of Apple's FairPlay DRM -- a security technology that lives at the core of all three offerings -- leaving the long term value of their investment up to Apple.  Today, iPod buyers may be happy with their purchase and many are buying tons of music on iTMS.  But somewhere down the line (1) after they've amassed a few thousand 99-cent songs (and now $1.99 videos) in their private content collections and (2) when they decide they like the features of some software other than iTunes or a device other than Apple's iPods, they may be disappointed to learn that their content won't work in that software or on those devices.  The choices at that point will be difficult; Throw away the content collection and start over, or buy one of the devices on the market that Apple says you can buy, if you want to continue to enjoying the content you've purchased through the iTMS at whatever price Apple dictates. 

The technology world refers to this as a "lock-in" or a "walled-garden."  As the cliche's imply, once you're in a walled-garden, you're pretty much at the mercy of the local horticulturist to get out.  And, getting out isn't just an issue for those looking to switch to new playback technologies (for whatever reasons; features, cost, performance, security, etc.).  It's also an issue for those looking to interoperate.  For example, if you buy content from the iTMS, wouldn't it be nice to know that it will playback on your home theatre system as easily as it plays back on your iPod? In other words, the content should easily interoperate across all of your playback technologies.  But it doesn't and the situation, on its present course,  is only going to get worse.  99 cents is a seductive price when it comes to amassing a collection of a la carte audio.  $1.99 is a great price for video as well.   Those are the proprietary razor blades.  The more of these sold into the market, the better the prospects are for the Apple's razors in five or ten years and the more control Apple is given over the market for razors.

In explaining the interoperability conundrum to a less technical audience than ZDNet's, BusinessWeek's Stephen Wildstrom does a masterful job (far more eloquently than I have in any of my posts) of describing how the proprietary DRM schemes from Microsoft and Apple are leading us to a trainwreck (free registration may be required):

Let's say you have a Windows Media Center PC linked to your TV, with some episodes of Desperate Housewives stored on the hard drive. Because iTunes won't work through the Media Center software, you'll have to switch the Media Center to regular Windows mode and trade your remote for a mouse to see the shows. Even so, you're better off than a Mac owner who wants to download a show from Movielink: The service's DRM software works only on Windows PCs.

I've been writing extensively about the trainwreck and how, until the public responds to the purveyors of these technologies the way it responded to Sony for the recent rootkit fiasco (the threat of economic punishment), the situation is likely to spiral to a point of no return that will leave many of us wishing we acted when we had the chance.  Until last night, when I met Brad Templeton, chairman of the board at the Electronic Frontier Foundation, my position has basically been that DRM as an idea is a bad idea (especially the way it is being implemented) but that if we must have it, then at least let's have one that's based on an open standard so that the content you buy can flow frictionlessly from one of your devices to the other without running into a playback gotcha.  But, based on what Templeton told me, I now realize that even an open standard won't do much to solve the problem.  This for me -- a huge proponent of open standards -- was such devastating news that Templeton will tell you that at first, I refused to believe it.  But it's true and perhaps just as troubling is how open source software is one of the reasons why.

Templeton taught me something about how DRM works that I had never stopped to consider.  As it turns out, a proprietary DRM scheme relies on the proprietary closed source software that works with it to form the one-two punch of what makes DRM function.   The great thing about open standards is that they make it possible for anybody including open source developers to implement them in their software.   But if there was an open standard for DRM, the resulting open source implementations would very likely defeat the purpose of the DRM in the first place.  The reason proprietary DRM works is that the vendor is in control of both the DRM technology that secures the content and the playback technology that knows how to unlock it and play it back.  So, by virtue of what the proprietary playback software is capable of, that vendor is completely in charge of what happens to the content once it's unlocked.  For example, through their software, the vendor is in charge of whether music can be played back, whether a CD can be ripped from it, and even how many CDs can be ripped.  The one thing they don't let you do with their software is create unauthorized copies that can be distributed en masse via the Internet.  At least not without some difficulty (what I call friction).

But when the vendor doesn't control both parts of the one-two punch, as would be the case if the DRM scheme was based on an open standard that anybody including open source developers could support in their software, the DRM is essentially rendered in effective because the minute someone else like an open source developer can develop the playback technology, that someone else also gets to decide what can be done with the content after it's unlocked.  For example, the software can make unauthorized digital copies -- the very thing DRM is supposed to prevent in the first place.

Of course, the loophole exists with or without open source developers.  Nothing for example prevents IBM from going off and developing a playback technology that supports the open standard and that can make digital copies too.  But the likelihood that some open source software that makes copies would turn up a day or two after the open standard is published is about 100 percent. 

So, is all hope lost? In other words, is getting rid of DRM altogether (something that the entertainment industry will never consider) the only other option in order to avoid the trainwreck or are there are other options.  For example, if there was a single standard (not an open one, but a single one that was overseen by a single DRM authority that everyone agreed to support), then the licensing of that standard could be conditional on what the licencees do with it. For example, if your software makes unprotected digital copies of music -- something DRM was designed to prevent -- then you won't get a license to the DRM standard and you won't be able to incorporate support for it into your software.  The central authority would also be responsible for the compliance testing to make sure developers are toeing the line.  This is very much like the way the Java ecosystem works  -- where there's a compliance test that stands between software developers and (1) certification and subsequently (2) the ability to license the Java trademark.

Right off the bat, one problem with this sort of proviso is that it's probably incompatible with open source licensing since it prevents sublicensing (a key tenant of open source development).  Any time developers must answer to a central licensing authority in order to develop an implementation of some specification like a DRM scheme, the specification is inherently not sub-licensable.  There are other "incompatibilities" with the open source gestalt noted Templeton in an e-mail to me:

All the DRM systems that have relied on standards (such as DVDs, CableCard etc.) have had a certification body that would not let your hardware or software have the keys unless it went through a certification process (usually very expensive) to test if it met their rules and was robust enough.   No open source system could meet any of these rules, even if the developers could afford the large fees to be told they don't meet them....The newer systems include the ability to revoke keys, too, so if a key is compromised from some player, they can cancel it out, and the compromised player will stop working, either entirely, or with any new media issued.

In general, anytime such control points become part of an important ecosystem, the other nasty little side effect is the stifling of the same innovation that the open source source community is known for.  Wrote Templeton:

Because DRM can't be implemented solely in an open source system, we're left with two choices -- either barring open source tools from the media playing arena, or doing all media playing in secured hardware which blocks the end user's ability to change the system or innovate....Since everybody wants their computer to play media these days, barring open source systems from participating in the media playing arena is untenable, and will deny the world the very thing that's driving much of the innovation in the space.

So, for the record, I stand corrected thanks to Mr. Templeton.  At this point, avoiding the DRM trainwreck apparently means avoiding DRM altogether which means we're in for a helluva bumpy ride since DRM ain't about to go away anytime soon.