GPLv3 Myth #3: GPL forbids DRM

Summary: In our continuing series on the world's most popular (and least understood) free/open source license, today we look at a controversial subject: Digital Rights Management (DRM). There are two sides to DRM that often get mushed together in discussions: restrictions on content and restrictions on code. We take a look at each one separately and discuss where GPLv3 stands on each issue.

In our continuing series on the latest version of the world's most popular (and least understood) free/open source license, today we look at a controversial subject: Digital Rights Management (DRM). My colleague David Berlind has another name for DRM: Content, Restriction, Annulment, and Protection (CRAP).

Disclaimer: This information was culled from a variety of sources, including the GPLv3 web site, interviews with experts involved in the process, and analysis from various industry watchers. However, this isn’t intended as legal advice.

Myth 3: GPL forbids DRM.

False. GPLv2 was created in 1991, before the time of RIAA lawsuits and electronic voting booth debacles. Early drafts of GPLv3 took an activist, anti-DRM stance, prompting an outcry from the open source community. It wasn't because people like DRM technologies such as copy protection, anti-tampering cryptography, and time bombs -- quite the opposite is true -- the issue was whether or not anti-DRM agendas had any place in a software license.

There are two sides to DRM that often get mushed together in discussions, which tends to confuse things. They are:

  • Restrictions on content (audio, video, PDF documents, etc.)
  • Restrictions on code (C++, Java, C#, whatever)

Let's take a look at each one separately. People who follow this full time will probably cringe at my over-simplifications, but I'm just trying to get across the general idea.

Restrictions on content

When most people think of "DRM" they're thinking of restrictions on content. For example, when you buy a song at a music site and then find out you're not allowed to copy it to your other computer. Typically this is accomplished through some form of cryptography: content is stored in an encrypted format which can only be decoded if the licensing terms are met. Crackers (sometimes called hackers but I don't like to use the word that way) take great delight in breaking these protection schemes to allow content to be used freely (including, maybe, uploading it to the network so anyone can use it without paying anything).

One of the ways that media companies discourage cracking is the infamous DMCA (Digital Millennium Copyright Act) and related WIPO treaties. It criminalizes production and dissemination of technology used to circumvent these restrictions.

GPLv3 does not tackle DRM directly but it does tackle the DMCA. In section 3 it says:

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

In non-legal-speak, when you distribute GPL code you're giving permission to do the things that the DMCA forbids. So DRM isn't disallowed per se, but you make it easier for people to work around your DRM. Dedicated crackers are going to work around it anyway, but now they can be more open about it.

Restrictions on code

The whole purpose of GPL (any version) is to ensure access to the source code that is covered by the GPL. And the purpose of that is ostensibly to allow a knowledgeable user to modify that code. The only reason you'd want to modify code is so you can run it, so GPLv2 had an implication that users should be able to run modified code. Well, that seems obvious but what about an embedded device like a voting machine, a phone, or (you knew I would mention it) a TiVo?

Early drafts of GPLv3 said that people distributing programs with GPL code in them absolutely had to allow anybody to modify and replace and run that code. Many people including device manufacturers worried this might open the door to service disruptions and other shenanigans, especially on networked devices. Linux creator Linus Torvalds summarized the problem nicely when he wrote:

I literally feel that we do not--as software developers--have the moral right to enforce our rules on hardware manufacturers. We are not crusaders, trying to force people to bow to our superior God. We are trying to show others that co-operation and openness works better.

In light of such comments, the final release of GPLv3 removed all mention of "digital rights" and "technical restrictions". However it does say that for "user products", like TiVos and alarm clocks, users have to be provided with information that would allow them to install modified software into the products.

There are two big exceptions. First, there are the non-user products, like voting machines and airplanes. They are exempt from this rule. Second, there are devices that because of hardware design (such as unflashable ROM) don't allow anyone to modify the software, even the manufacturer. These devices are also exempt.

Conclusion

GPLv3 does not forbid DRM protections on content or code outright. However the usefulness of any protections on content is limited a bit because you're giving permission for anyone to circumvent them. Restrictions on code are weakened by GPLv3, especially in user/consumer products, by the requirement to provide installation information (i.e., if you can install a new version, you need to let others install a new version).

The result is a compromise between the desires of content and code creators, and the freedoms of the ultimate consumers of all this technology. When you're deciding what license to use for your own code, only you can determine whether GPLv3 goes too far in one direction or another.

Topics: Open Source, Security

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

Talkback

11 comments
  • Actually, it is the business ecosystem that forbids DRM

    MS doesn't want DRM on Linux. They allowed it on BSD (Apple), so obviously coding to Linux is trivial. MS keeps bending over backward to be the platform of choice for all DRMed content and is it not true that they are currently the only platform that can (if you jump through enough hoops, buy enough hardware and then get really lucky) watch HD-DVD movies on a PC?

    The argument that DRM is more or less crackable on other platforms as opposed to Linux is another urban legend. Linux DRM would be cracked as easily and probably almost as quickly as Windows DRM.

    TripleII
  • What about cars?

    Are cars (and other vehicles) user products? I wouldn't want to purchase a used car that could potentially have modified software running on it. Not that I know if any GPL software is used in cars.

    Quote from the license, a car seems to be a "doubtful case": A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage.
    Villane
    • Bizarre Comment.

      If the software modifications in a car somehow made it better of course you would want to purchase it. Your comment is based on the notion that for some odd reason someone might purposely alter the software in a bad way for some odd reason. The fact of the matter is if that was a likelihood then they might just as likely alter the software in a bad way if it was under any licence. In fact there are a lot more common mechanical things that are prone to being altered in a negative way than the software in a car. And who wants any product that has been altered in a negative way, software or otherwise.

      In your struggle to come up with a reason why allowing software modification can be a bad thing, all you have done is restate the obvious, a bad modification to anything is not a good thing, and who wants that. GPL software is at no more of a serious risk for such an outcome than most other consumer products so your point has no real significance.
      Cayble
  • Distinction without a difference.

    You may have interviewed too many people who earn their livings comparing the striations on split hairs. Lawyers in other words.

    Here's your argument:

    DRM is protected by provisions of the DMCA.
    GPLv3 prevents the provisions of the DMCA from coming into effect.

    Therefore, GPLv3 is not opposed to DRM.

    Turning something into a dead letter is not a favorable action. It's not even neutral. It's forbidding DRM indirectly.

    DRM can be used. But the license will assure that there will be no difference between using DRM and not using DRM.


    Quoting:

    One of the ways that media companies discourage cracking is the infamous DCMA (Digital Millennium Copyright Act) and related WIPO treaties. It criminalizes production and dissemination of technology used to circumvent these restrictions.
    ...
    In non-legal-speak, when you distribute GPL code you're giving permission to do the things that DCMA forbids. So DRM isn't disallowed per [se], but you make it easier for people to work around your DRM.


    Also, how does this apply to the notorious Must be able to change embedded code permission?

    That's not just hardware-embedded DRM, it's every other embedded code as well.
    Anton Philidor
    • DCMA and DRM

      I would argue that the DCMA hasn't been terribly useful in preventing DRM cracking. After all, shrink wrap EULAs have forbidden reverse engineering for years yet software was still cracked. WMA DRM was cracked, AAC encryption was cracked, HD-DVD and Blu-ray were cracked, etc... There are people who seem to be able to read machine code just as easily as source code, and it only takes one.

      I'm not sure what you're referring to wrt embedded code.
      Ed Burnette
    • Danger! danger! Will Smith

      "when you distribute GPL code you’re giving
      permission to do the things that DCMA
      forbids" (it's DMCA, by the way, not DCMA)

      Must automobile dealers now issue licenses
      forbidding the use of the vehicles they sell
      (distribute) for criminal activities?

      Sounds like you have a short in your tin
      foil hat (unless the problem runs deeper
      than that).
      Ole Man
  • A bit?

    "However the usefulness of any protections on content is limited a bit because you're giving permission for anyone to circumvent them."

    I'd say that limits the usefulness more than a bit. It essentially renders such protections non-existent. Content providers are effectively relinquishing any protection by releasing copyrighted material under GPLv3.

    And yet, those supporting the GPL would not hesitate to call for lawsuits against anyone who tried to circumvent the provisions of the GPL. Ironic, isn't it?

    Carl Rapson
    rapson
    • You are right, however, irrelevant

      The GPL publicly states, basically, that you own the machine, you are free to use it any way you see fit and anyone writing GPLed software has to either suck it up or not.

      This is different from people privately using their machines in any way they see fit and basically telling those who try to limit their freedoms to...um, go away. :D

      Your argument seems to imply that DRM is useful and effective. If it were, your argument would be a huge factor.

      Same end result, so does it matter?

      TripleII

      P.S. Living in a DRM free world (on owned content, not subscription, or cable TV, etc) is quite easy, and doesn't support a broken business model.
      TripleII
    • A bit.

      You write: "Content providers are effectively relinquishing any protection by releasing copyrighted material under GPLv3"

      I'm not sure whether you're referring to copyrighted content (like music) or copyrighted code (like a music player).

      I think of DRM like a lock on your front door. If somebody wants to rob your house that's unlikely to stop them. But it's darned inconvenient if you lock yourself out with your keys inside.

      Making the specs to the lock freely available isn't going to help thieves as much as you might think because they either already have the specs or can figure it out just by looking at it. And it's not going to help you get back in the house either if you don't know the first thing about locksmithing and you don't have the right tools.
      Ed Burnette
    • What does it matter...

      Aside from the fact that all DRM has largely accomplished is to give honest consumers frequent headaches, what has DRM accomplished? In all seriousness absolutely nothing? When was the last time you read an article or heard on the news that someone finally has created an unbeatable form of DRM? Never, that's when. Will you ever hear of that? Not by way of software based DRM, that's for sure. It's not physically possible to build programs or make music or video based software that can run on any common player yet cannot be reverse engineered to remove DRM.

      And further, the tougher and tougher DRM gets the more and more it ends up binding up the common honest user. DRM is one of the most pointless and annoying things ever invented and the only reason the media and software producers keep pushing it is that there are DRM developers out there trying to sell their ideas and they work hard at trying to convince an already receptive audience in the aforementioned producers that they have a product that will actually work.
      Cayble
  • Well said..

    and I don't think there is anything I could add.... Well done :)
    johnson12