Harvard team: Let consumers hack abandonware

What if a failing DRM-based media store didn't result in consumers being left high and dry? What if they had a legal right to gain access to content for which they had paid?

Chris Soghoian
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

See my full write-up of all of the other DMCA requests here.

When a digital rights management-based music, video, or software product shuts down, as has happened in the past with Microsoft, Google, Yahoo and Wal-Mart Stores, one thing is guaranteed: customers lose legal access to works for which they paid.

Existing copyright law makes it a crime to attempt to circumvent DRM protections, even on legally purchased music, and so consumers are generally dependent upon the failing media store to provide some remedy--perhaps a refund, or a temporary delay of a few months in the death of the DRM-authenticating servers that are necessary for full use of the music. However, the store instead may simply choose to say "bah humbug," shut down, and leave consumers high and dry.

What if, instead, consumers had a legal right to circumvent the DRM protecting those legally obtained but now useless songs, videos, software, and video games? If this blogger and a legal team from Harvard University are successful, this just might be possible.

The Digital Millennium Copyright Act makes it illegal for users to break or reverse-engineer the DRM that protects music, video, software, and consumer electronics. However, every three years, the Copyright Office asks the public to submit requests for new exemptions to the law.

In years past, consumers were given the right to hack region-locked mobile phones, and security researchers were allowed to circumvent the DRM protecting malware-infected music CDs (such as in the famous Sony rootkit fiasco).

The deadline for this year's requests was Tuesday afternoon.

A team from Harvard's Berkman Center for Internet and Society has requested an exemption that, in the event that a central server-based DRM scheme fails in the future, would permit consumers to circumvent and evade the DRM protecting the music, movies, software, and games that they have previously purchased, in order to maintain their existing lawful right to access those works.

The team is made up of myself, Phil Malone, a clinical professor of law at Harvard Law School and director of the Cyberlaw Clinic, and Arjun Mehra, a law student in the clinic. Our full submission can be downloaded here.

In just the past few years, a number of DRM-based music and video stores have gone kaput, leaving their customers without a lawful way to access works for which they paid good money. These include Microsoft's MSN Music Store, Google's Video store, Yahoo Music, and Wal-Mart.

In some cases, consumers could keep listening to media on the same computer, after the shuttering of the authentication server, but they were unable to transfer the songs and videos to new MP3 players or other computers, or even to reactivate them on their original devices, in cases where they had a hard drive crash or needed to reinstall the operating system.

While we're not aware of examples so far of shutdowns or failures of similar DRM systems protecting software and games, this sort of consumer harm is likely in the next few years. For example, were Electronic Arts to go bankrupt, the millions of customers who had purchased a copy of the game Spore would be unable to reinstall that lawfully purchased copy after a hard-disk crash or virus infection.

Under a plan floated by Electronic Arts this past May, some of its games would need to contact a DRM server every 10 days to continue functioning. Such a regime would lead to the instant orphaning of every installed copy of the game, if the company later shut its doors or shut down its authenticating servers.

Luckily for angry EA fans, the company abandoned the 10-day authentication plan after massive consumer backlash, but the likelihood that other game or software vendors will use similar measures in the near future is high.

A researcher exception too

If researchers have to wait until the central authenticating DRM servers have been switched off before they can begin the reverse-engineering process, they might never be able to learn how the DRM works and how it might be lawfully evaded, if a DMCA exemption permitted it.

To understand how to effectively circumvent a DRM system, researchers need to be able to watch authentication messages flowing back and forth between a legitimate client and the master DRM server. Once the server has been turned off, there are no authentication messages being transmitted that the researchers can observe and study.

As a simplistic example, consider that Ali Baba needed to sit outside the 40 thieves' cave in order to overhear the correct password ("open sesame"). Had the thieves vanished, and Ali Baba been left outside the cave, trying random passwords, it is likely that he never would have been able to get inside.

To solve this problem, we have asked the Copyright Office for a second exemption to the DMCA's anticircumvention provisions. We have asked that technologists and researchers be allowed to circumvent such DRM stores in the course of good-faith research before the death of the server, for the purpose of documenting the inner workings of the DRM system.

This way, for example, researchers would be able to legally circumvent the DRM in iTunes or Spore, even while the services are still functioning, in order to understand and document how the DRM software functions.

This would give legitimate researchers (both professional and amateur) the legal protections necessary in order to safely tinker with and take apart existing DRM systems so that, should the services ever be shut down, it wouldn't be too late to gather vital circumvention information.

Of course, it would still be illegal for the general public to use that information to circumvent a DRM store, until the service was shut down and the DRM servers stopped functioning.

I'd like to thank Phil Malone and Arjun Mehra, who donated their time to work on and draft this request with me. I'd also like to thank Ed Felten, Tim Lee, Nicole Ozer, Chris Riley, Pam Samuelson, Wendy Seltzer, and Fred von Lohmann, all of whom provided us with valuable feedback during the drafting process.