GPLv3 Myth #3: GPL forbids DRM
Summary: In our continuing series on the world's most popular (and least understood) free/open source license, today we look at a controversial subject: Digital Rights Management (DRM). There are two sides to DRM that often get mushed together in discussions: restrictions on content and restrictions on code. We take a look at each one separately and discuss where GPLv3 stands on each issue.
In our continuing series on the latest version of the world's most popular (and least understood) free/open source license, today we look at a controversial subject: Digital Rights Management (DRM). My colleague David Berlind has another name for DRM: Content, Restriction, Annulment, and Protection (CRAP).
Disclaimer: This information was culled from a variety of sources, including the GPLv3 web site, interviews with experts involved in the process, and analysis from various industry watchers. However this isn’t intended as legal advice.
Myth 3: GPL forbids DRM.
False. GPLv2 was created in 1991, before the time of RIAA lawsuits and electronic voting booth debacles. Early drafts of GPLv3 took an activist, anti-DRM stance, prompting an outcry from the open source community. It wasn't because people like DRM technologies such as copy protection, anti-tampering cryptography, and time bombs -- quite the opposite is true -- the issue was whether or not anti-DRM agendas had any place in a software license.
There are two sides to DRM that often get mushed together in discussions, which tends to confuse things. They are:
- Restrictions on content (audio, video, PDF documents, etc.)
- Restrictions on code (C++, Java, C##, whatever)
Let's take a look at each one separately. People who follow this full time will probably cringe at my over-simplifications, but I'm just trying to get across the general idea.
Restrictions on content When most people think of "DRM" they're thinking of restrictions on content. For example, when you buy a song at a music site and then find out you're not allowed to copy it to your other computer. Typically this is accomplished from some form of cryptography - content is stored in an encrypted format which can only be decoded if the licensing terms are met. Crackers (sometimes called hackers but I don't like to use the word that way) take great delight in breaking these protection schemes to allow content to be use freely (including, maybe, uploading it to the network so anyone can use it without paying anything).
One of the ways that media companies discourage cracking is the infamous DCMA (Digital Millennium Copyright Act) and related WIPO treaties. It criminalizes production and dissemination of technology used to circumvent these restrictions.
GPLv3 does not tackle DRM directly but it does tackle DCMA. In section 3 it says:
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
In non-legal-speak, when you distribute GPL code you're giving permission to do the things that DCMA forbids. So DRM isn't disallowed per se, but you make it easier for people to work around your DRM. Dedicated crackers are going to work around it anyway, but now they can be more open about it.
Restrictions on code The whole purpose of GPL (any version) is to ensure access to the source code that is covered by the GPL. And the purpose of that is ostensibly to allow a knowledgeable user to modify that code. The only reason you'd want to modify code is so you can run it, so GPLv2 had an implication that users should be able to run modified code. Well, that seems obvious but what about an embedded device like a voting machine, a phone, or (you knew I would mention it) a TiVo?
Early drafts of GPLv3 said that people distributing programs with GPL code in them absolutely had to allow anybody to modify and replace and run that code. Many people including device manufacturers worried this might open the door to service disruptions and other shenanigans, especially on networked devices. Linux creator Linus Torvalds summarized the problem nicely when he wrote:
I literally feel that we do not--as software developers--have the moral right to enforce our rules on hardware manufacturers. We are not crusaders, trying to force people to bow to our superior God. We are trying to show others that co-operation and openness works better.
In light of such comments, the final release of GPLv3 removed all mention of "digital rights" and "technical restrictions". However it does say that for "user products", like TiVos and alarm clocks, users have to be provided with information that would allow them to install modified software into the products.
There are two big exceptions. First, there's the non-user products, like voting machines and airplanes. They are exempt from this rule. Second, there are devices that because of hardware design (such as unflashable-ROM) don't allow anyone to modify the software, even the manufacturer. These devices are also exempt.
Conclusion GPLv3 does not forbid DRM protections on content or code outright. However the usefulness of any protections on content is limited a bit because you're giving permission for anyone to circumvent them. Restrictions on code are weakened by GPLv3, especially in user/consumer products, by the requirement to provide installation information (i.e., if you can install a new version, you need to let others install a new version).
The result is a compromise between the desires of content and code creators, and the freedoms of the ultimate consumers of all this technology. When you're deciding what license to use for your own code, only you can determine whether GPLv3 goes too far in one direction or another.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Actually, it is the business ecosystem that forbids DRM
The argument that DRM is more or less crackable on other platforms as opposed to Linux is another urban legend. Linux DRM would be cracked as easily and probably almost as quickly as Windows DRM.
TripleII
What about cars?
Quote from the license, a car seems to be a "doubtful case": [i]A ?User Product? is either (1) a ?consumer product?, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage.[/i]
Bizarre Comment.
In your struggle to come up with a reason why allowing software modification can be a bad thing, all you have done is restate the obvious, a bad modification to anything is not a good thing, and who wants that. GPL software is at no more of a serious risk for such an outcome then most other consumer products so your point has no real significance.
Distinction without a difference.
Here's your argument:
DRM is protected by provisions of the DMCA.
GPLv3 prevents the provisions of the DMCA from coming into effect.
Therefore, GPLv3 is not opposed to DRM.
Turning something into a dead letter is not a favorable action. It's not even neutral. It's forbidding DRM indirectly.
DRM can be used. But the license will assure that there will be no difference between using DRM and not using DRM.
Quoting:
One of the ways that media companies discourage cracking is the infamous DCMA (Digital Millennium Copyright Act) and related WIPO treaties. It criminalizes production and dissemination of technology used to circumvent these restrictions.
...
In non-legal-speak, when you distribute GPL code you?re giving permission to do the things that DCMA forbids. So DRM isn?t disallowed per [se], but you make it easier for people to work around your DRM.
Also, how does this apply to the notorious Must be able to change embedded code permission?
That's not just hardware-embedded DRM, it's every other embedded code as well.
DCMA and DRM
I'm not sure what you're referring to wrt embedded code.
Danger! danger! Will Smith
permission to do the things that DCMA
forbids" (it's DMCA, by the way, not DCMA)
Must automobile dealers now issue licenses
forbidding the use of the vehicles they sell
(distribute) for criminal activities?
Sounds like you have a short in your tin
foil hat (unless the problem runs deeper
than that).
A bit?
I'd say that limits the usefulness more than a bit. It essentially renders such protections non-existent. Content providers are effectively relinquishing any protection by releasing copyrighted material under GPLv3.
And yet, those supporting the GPL would not hesitate to call for lawsuits against anyone who tried to circumvent the provisions of the GPL. Ironic, isn't it?
Carl Rapson
You are right, however, irrelevant
This is different from people privately using their machines in any way they see fit and basically telling those who try to limit their freedoms to...um, go away. :D
You argument seems to imply that DRM is useful and effective. If it were, your argument would be a huge factor.
Same end result, so does it matter?
TripleII
P.S. Living in a DRM free world (on owned content, not subscription, or cable TV, etc) is quite easy, and doesn't support a broken business model.
A bit.
I'm not sure whether you're referring to copyrighted content (like music) or copyrighted code (like a music player).
I think of DRM like a lock on your front door. If somebody wants to rob your house that's unlikely to stop them. But it's darned inconvenient if you lock yourself out with your keys inside.
Making the specs to the lock freely available isn't going to help thieves as much as you might think because they either already have the specs or can figure it out just by looking at it. And it's not going to help you get back in the house either if you don't know the first thing about locksmithing and you don't have the right tools.
What does it matter...
And further, the tougher and tougher DRM gets the more and more it ends up binding up the common honest user. DRM is one of the most pointless and annoying things ever invented and the only reason the media and software producers keep pushing it is that there are DRM developers out there trying to sell their ideas and they work hard at trying to convince an already receptive audience in the aforementioned producers that they have a product that will actually work.
Well said..