DRM: it's like those zombie movies

No matter how many times the content owners wish it worked, DRM has a fundamental technical flaw: you have to give the key to the person you're trying to lock out! Microsoft gets this, even if the RIAA doesn't.

Matt Rosoff
Matt Rosoff is an analyst with Directions on Microsoft, where he covers Microsoft's consumer products and corporate news. He's written about the technology industry since 1995, and reviewed the first Rio MP3 player for CNET.com in 1998. He is a member of the CNET Blog Network. Disclosure. You can follow Matt on Twitter @mattrosoff.

You know those movies where you think they've killed the last zombie and then the hero turns a corner and here comes a whole new crop of them sprung fresh from the graveyard? That's how it feels with DRM in the last couple of days. First, the New York Times' Bits blog leads with a questionable assertion from an NBC exec that Microsoft is considering building some sort of content-filtering into the Zune which would block transfer of non-approved video. (I know, this isn't quite the same as DRM, but bear with me.) Then RIAA exec David Hughes claims that new forms of music distribution will create a comeback for good ol' DRM.

Want...technical...solution...to...piracy...NOW! Joel Friesen via Wikimedia Commons

Let's start with Hughes. He says he made a list of 22 ways to sell music, and that 20 of them required DRM. OK, but are those 20 plans wishful thinking or actual business models with demonstrated success or at least a fighting chance? I mean, I could sell my last band's CD at $100 a pop and quickly cover my recording costs, but nobody would buy it. Subscription services haven't taken the world by storm, and I can't imagine consumers buying lots of pay-per-play songs or ad-supported songs either. Why not?

Let's go over it one more time.

1. Horse, meet barn door. Free unrestricted downloads are already broadly and easily available. Any time you ask a consumer to buy something, you have to give them more than what they can already get for free--more convenience, more quality, something. iTunes is more convenient than file-sharing networks for what people generally want--to get a particular song or album to play on their iPod. The software comes with the player, the store's built into the player. Boom. That's why iTunes succeeded where other download stores...not so much. Subscription services are convenient only for that subset of music fans who like to listen to lots of different songs a few times, but don't care about long-term ownership (or don't mind paying in perpetuity). Pay-per-play? Advertisements? Those sound even less convenient--inconvenient enough for users to skip them or, if they really want the song, to take the trouble of learning how to use LimeWire.

2. The thieves have the key. Good old-fashioned DRM has a fundamental technical flaw. With computer security systems, data's encrypted with some sort of key. Unless you have the key, you can't access the data. This is all well and good when you're trying to protect the data against a "man in the middle" to whom you'll never give the key. But DRM tries to protect the data against the very people who need to access it. You have to give end-users the key to decrypt the data--the song or movie or TV show--that they have paid for, otherwise you have no business. And if you have to give them that key, somebody's going to figure out how to duplicate it. The race gets more complicated with hardware-based encryption and revocable keys, but the fundamental problem is the same: security by obscurity can't work forever.
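The two threat models in point 2, as an added example that is not part of the original post: the same encrypted file is handled by an outsider who never gets the key and by a customer whose player must hold it. The cipher is a toy built from SHA-256 and HMAC so the block runs with the standard library only, and `LicensedPlayer` and every other name here are hypothetical.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream standing in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

class LicensedPlayer:
    """Hypothetical vendor client: holds the content key, enforces a play limit."""
    def __init__(self, key, max_plays):
        self._key, self._left = key, max_plays
    def play(self, blob):
        if self._left <= 0:
            raise PermissionError("licence exhausted")
        self._left -= 1
        return unseal(self._key, blob)

def compare_threat_models():
    key, song = os.urandom(32), b"constructed sample track bytes"
    blob, out = seal(key, song), {}
    try:   # Model 1: a third party sees the file but is never given the key.
        unseal(os.urandom(32), blob); out["outsider"] = "read"
    except ValueError:
        out["outsider"] = "blocked"
    player = LicensedPlayer(key, max_plays=1)   # Model 2: the paying customer.
    out["first_play_ok"] = player.play(blob) == song
    try:
        player.play(blob); out["second_play"] = "allowed"
    except PermissionError:
        out["second_play"] = "refused"
    # The limit is player logic; the key the customer had to receive has no limit.
    out["key_without_player"] = unseal(key, blob) == song
    return out
```

For threat modeling, the result shows where each control lives: the cryptography only separates key holders from everyone else, while the usage policy is ordinary client code running on the recipient's machine.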

The EFF's Cory Doctorow spoke to Microsoft Research about this four years ago (a transcript is here). That gets me to my second point. Microsoft is well aware of this fundamental security problem thanks to its years of trying to combat software piracy. While the company continues to add technical hurdles against piracy, like product activation, it knows that these are just stumbling blocks. The real progress comes when you convince the national government of a country where piracy is rampant that cracking down on it is in their interest--usually because they've got a fledgling software industry they're trying to support. In talks with analysts, Microsoft has mentioned South Korea and Taiwan as countries where this precise chain of events happened, and I think its investments in China are partly geared toward the same end.

So before building a "copy cop" into the Zune, Microsoft would have to consider the following factors. First, how many potential buyers would they lose? (In this case, many.) Second, is the content they're getting worth alienating that number of users? (In this case, I don't think so.) Finally, what's the ongoing cost of patching the technology whenever the scheme is broken? (Higher than you might think--ask the team that used to work on Windows Media DRM.)

That's why, when Microsoft says it's not planning to build new anti-piracy technology into the Zune, I believe it. More generally, Microsoft's whole digital media business has been moving away from this kind of content protection at a pretty rapid pace--there's not even a Windows Media product group any more, much less a DRM team in that product group, and the Zune Marketplace is adding DRM-less MP3s as fast as the content owners are making them available. Sure, Zune has to offer DRM on a subscription service, and Microsoft doesn't seem to be ready to give up on subscriptions because it's white space where the iPod isn't playing. But overall, I think Microsoft is much more sober and rational about content copy-protection than it was even two or three years ago. (Here's hoping they prove me right.)

And before the angry commenters on my last DRM post get into it again, let me state really clearly that I believe musicians and all their designated agents--managers, producers, manufacturers, distributors, band psychiatrists--have a right to make a living. But DRM's the wrong way to go about it, for the reasons I listed before--it asks consumers to pay more for less, and it doesn't work.