[Ecommerce] Philippe Aigrain on DRM and Free Software debate

Manon Ress manon.ress@cptech.org
Wed Feb 1 15:36:01 2006


Philippe Aigrain on DRM and Free Software debate

Philippe Aigrain examines the issue of compatibility between DRM and
free software, a hot issue that has emerged in the news in France in
the context of intense debates on the new copyright and related
rights law (DADVSI) and globally because of the review of the GNU GPL
license.  These debates are complex and important and for Philippe
there are several dimensions:  philosophical or political, technical
and legal.  So, what is at stake here?  The author apologizes for the
length of his analysis but writes "this is not a topic that can be
treated lightly".

After providing a useful history of TPM and DRM systems, he examines
what are exactly DRMs and why talk about them and free software? He
then examines free software in the context of the DADVSI law and in
the context of the GPL revision process.

You can post comments on his blog.  The debate is far from over.

Manon

http://www.debatpublic.net/Members/paigrain/blogue/DRMS#english

DRM stands for Digital Rights Management. Within the free software
and open information communities, some have proposed to interpret the
acronym as standing for Digital Restrictions Management, so as to better
highlight the corresponding functionality.  Issues linked to the
relation between DRM systems and free software have popped up at the
occasion of debates in France on the DADVSI (Author Rights and
Neighbouring Rights in the Information Society) law [transposing in
French law the European homonym directive, which is our variety of
DMCA with some elements differing]. It also hit the news at the
occasion of the ongoing process of revising the GNU General Public
License, the fundamental constitution of free software. These debates
are complex and important. They have a triple dimension:
philosophical or political, technical and legal. The present text
tries to clarify their nature and stakes. Sorry for its length, but
the subject is not fit for approximative shortcuts.

1. A brief history: from technical protection measures (TPM) to
digital rights management (DRM) systems

In December 1996, WIPO adopted after a relatively brief preparation
its Copyright treaty and its Performances and Phonograms Treaty, that
are the first texts to impose a legal "protection" against
circumvention of "effective technological protection measures" "used
by authors" (and performers and producers for sound recordings) "to
restrict acts" "which are not authorized by the authors concerned or
permitted by law". See article 11 of the first treaty and article 18
of the second treaty for the exact texts, that did not define
"effective". The predominant distribution mode for digital
information was then its distribution on carriers, even if on-line
distribution was common for text-based information, databases,
software and photographs. Public debate and NGO watch had not caught
up with WIPO at the time, and it was working in a peaceful remoteness
to promote and extend property mechanisms in all domains of the
intellectual sphere. Though as a UN agency it is governed by the
general assembly of its Member States, it had long forgotten the
mission statement definition in the agreement it had signed in 1973
with the UN when it became one of its agencies, and focussed on
serving its "customers" (such as the International Intellectual
Property Alliance) and on implementing a narrowly defined mission. In
addition, WIPO was trying to come back to grips with a subject on
which she had partially lost control with the signature of the TRIPS
agreement at the time of the creation of WTO (1994). The TRIPS
agreement contains many disputable and debated provisions, but has
nothing regarding the circumvention of technical protection measures.
The 1996 treaties are thus the first TRIPS+ texts (going beyond what
is required by TRIPS in terms of toughening the execution of property
rights).

Few people paid attention to the importance of this transformation at
the time. TPM were mostly seen as access control devices (preventing
the unauthorized access to a given work) integrated onto its carrier
or possibly running on the server giving access to it. TPM were not
perceived as resting upon the detailed control of what's happening in
a user machine. In the next few years, the reference universe
drastically changed. It started with the US Digital Millennium
Copyright Act of October 1998, though it remains quite close to the
wording of the 1996 treaties regarding the prohibition of
circumventing TPMs (Title 1201 : No person shall circumvent a
technological measure that effectively controls access to a work
protected under this title.). One can truly measure the change with
this sentence of art. 6.3 of directive 2001/29/CE "Copyright and
Related Rights in the Information Society" : Technological measures
shall be deemed "effective" where the use of a protected work or
other subject-matter is controlled by the right holders through
application of an access control or protection process, such as
encryption, scrambling or other transformation of the work or other
subject-matter or a copy control mechanism, which achieves the
protection objective. A fundamental concept appears that will
transform TPMs in DRMs : usage control.

Why such a transformation, that will expand to much more than this
issue of vocabulary? A whirlwind of panic develops within the large
content production / publishing / distribution corporations. The
Internet imposes itself as a major channel for the distribution of
works, which means that the content industries must invest it or
accept a decline of their commerce. But they can develop Internet-
based commerce only if they are able to impose upon it what they see
as the key characteristics of their business : the concentration of
supply and even more of promotion on a limited number of titles whose
performances are more or less predictable. "More or less predictable"
means here uncertain in terms of individual performance but
predictable when averaged on a limited number of titles (around ten
for major feature films, hundreds for music recordings, a few tens of
thousands for photographs, etc.). This revolution occurs just at the
time when after the success of the CD, the DVD has initiated a strong
growth of their revenues, and vertical as well as horizontal
concentration develops. However, just as the Internet becomes a
compulsory path for them, it evades them radically. First, it appears
that distribution can be done by users themselves, and that new
prescription mechanisms develop outside the (principally broadcast)
non-Internet media. This means a need for ever stronger promotion in
order to maintain the concentration of demand on best-selling titles
(thus the increasing share of promotion in the expenses of the
content corporations). Second, it becomes more and more evident that
in a context of possible (re)distribution by users, TPMs in their
former meaning are totally inefficient. Incapable or unwilling to
reinvent themselves for this new context, the large content
corporations, led by the MPA and the IFPI are going to give flesh to
the total usage control model. For a while the computer, telecom and
consumer electronics industry will oppose this idea, knowing that its
full realization would be disastrous for the continuation of the
extraordinary growth of their industry. However, a number of them
start to see the DRM deployment process as an escape path from the
hard game of competition (or a way to remain outside of its grasp for
Microsoft). Microsoft, Philips, Nokia, Sony and Apple (though in a
more subtle manner) all hope to conquer a dominant position -or a
participation ticket in an oligopoly- in what they see as the key to
control of the markets: usage control systems. IBM and Sun cannot
abstain from joining in the dance, though their communication
stresses more open approaches.

The driving players quickly realize that usage control cannot be done
halfway. As early as 8 January 1999, Microsoft applies for a key
patent for implementing a total control on all software that runs on
a computer, and in particular the operating system (US 6,327,652
granted on 4 December 2001). Ironically, the main researcher
involved, Paul England, who has now applied for more than 15 patents
on related techniques, was previously known for some nice research
work within Bellcore to assist user access to information. Such a
trajectory that led a number of information access researchers to
switch to access restriction research is not exceptional. From then
on, the nature of the debate surrounding the regulation arenas will
change. An opposition is staged between a scenario supported by the
content industries (Disney, MPA, Vivendi-Universal) that would make
totalitarian DRMs (for which TPM are no longer but a conventional
legal appellation) compulsory in any device, and a scenario supported
by the technology suppliers that would leave it to the market to
decide which is the best massive destruction weapon against freedom
of use. In reality, the technology suppliers are afraid for a debate
on a compulsory DRM legislation to lead to an obligation for DRM to
make legal use possible in practice. The few consulted groups that
stand for the rights of users or the public (blind union, library and
information centres associations, consumers) are marginalized in
processes such as the DRM working groups put in place by the European
Commission. In this exercise just as in other co-regulation arenas
such as the French Copyright Council (CSPLA), the view points
stressing more general cultural or civilization objectives are simply
omitted in public reports.


The compulsory DRM model appears in the various bill proposals by
Senator Hollings in particular CBDTPA, and more recently in the
Digital Content Transition Security Act and the French Vivendi-
Universal / CSPLA proposed amendment to the DADVSI law under
discussion. One will note that the CBDTPA (March 2002) planned for
compulsory DRMs to be implemented as open source software. This was
meant to preempt critics based on market control risks. At the time,
this idea was rejected by both the proprietary technology suppliers
and free / open source software advocates.

From 2000, critics perceive the true nature of DRM and denounce it.
US copyright specialist Julie Cohen from Georgetown University
identifies the key reversal associated with DRM protected against
circumvention : the judgement on the legitimacy of usage is
transferred from judges to usage control devices. She shows that such
a transfer breaks with the core tradition of intellectual rights and
freedoms.  I write in 2000 : "The public space is endangered not so
much by explicit attempts at restricting it, than by the indirect
effects of restrictive management of intellectual property. The
development of "protection" technology, its embedding in access
devices and telecommunication technology are a major risk in that
respect. In many cases, the exigence of keeping the public space free
is not included in the requirements for the design of these devices
and technology. The history of DVD player technology is a good
illustration of this point. So the principle stated above is not only
of a declarative nature, it must be binding in future decisions on
technology implementation, and such decisions must also include the
consideration of the limited duration of property exceptions.
Finally, the public space is centered around the access of all to the
public domain, but also around the access for some usage to all
entities. Provision should also be made for this to turn into
reality: protection technology must not block the possibility of
quotation for the sake of criticism for instance, or access by the
disabled" (one will note that I could not give a truly representative
example of DRM at the time).  More recently, Cory Doctorow wraps up
the critical analysis of DRM in his Microsoft Research DRM talk, a
true work of art that was translated into 13 languages and many open
formats.

The traditional institutional inertia, the security frenzy after
September 11, and the successful strategy of a few content
multinational corporations depicting non-commercial sharing of
information as an advanced form of terrorism will help DRMization to
continue. It will even intensify with the generalization of attempts
to make it compulsory and criminalize more severely its
circumvention ... or even publicly stated disagreement.

2. Yes but what are exactly DRMs and why talk about them and free
software?

The detailed Wikipedia article on DRMs provides much useful
information, but, in my opinion, does not truly throw light on the
strategic issues raised by DRMs. Thus, let's have a go at it.

A DRM system is a set of software and hardware, some within your
personal machine, other running on servers, that does its best to
control as specified by rights owners and the system builders what
you can and can't do with a digital representation of a work
submitted to copyright and related rights. A key difficulty of this
discussion is that no currently deployed system represents the full
model. That's partly because some promoters of DRMs wait for all the
legal locks to be available before deploying more complete systems,
partly because of baiting strategies (installing the usage of
services that are associated with weak DRM easily circumvented, prior
to toughening it), and partly because of the technical absurdity of
DRMs whose accomplished model can only function in a totalitarian
society. What is this accomplished model?

More than on anything else, it rests upon  the detailed control of
any piece of software that can be run on the user's machine and that
can interact with the use of a file or an on-line service. That means
first and foremost the basic components of the operating system. One
of the scenarios for such a control (presently being deployed) uses
TCPA (Trusted Computing Platform Alliance) chips to implement
cryptographic checks in order to verify that any component, and in
particular the operating system boot is associated with keys
testifying that it is "safe" for the DRM. See Ross Anderson's TCPA
FAQ for details. Other models will no doubt appear (there are already
some using biometric identification of authorized users) but they
will all try to transfer to the DRM suppliers and their content
industry customers the ability to check and authorize what can be run
on the user's machine. Why? Because without that a DRM is easily
circumvented (see Cory Doctorow's above-referenced talk).

Oh, by the way, even with such a transfer of control, DRM will be in
effect massively circumvented, for a reason that surprisingly
escapes most commentators. For DRM to be massively circumvented for a
given work, there is no need for a great number of users to
circumvent it (which of course is not easily done by an ordinary
layman). It is enough for one person or group, anywhere in the world,
to be capable of such circumvention and to put in circulation a DRM-free
version of the corresponding work. DRMs play a billion games against
the whole planet, and it is enough for one game to be lost to ensure
that all are. Note that those who can later access the work are not
directly circumventing (in the legal sense) anything, they are only
in possession of an open format representation of a copyrighted work.
If the reader believes that watermarking can change this situation in
any way, would s/he please read S. Craver, N. Memon, B. L. Yeo, and
M. Yeung, "Can Invisible Watermarks resolve Rightful Ownerships?,"
IBM Research Report RC 2050, republished in Storage and Retrieval for
Image and Video Databases, SPIE, 1997, pp. 310-321.

Does this mean that I am happy for DRM (total or inaccomplished) to
be possible to circumvent, and that I am thus making myself guilty
(if the 12 July 2005 criminal sanctions plan proposed by the European
Commission is adopted as it stands) of the future crime of inciting
or encouraging infringements of IP? It depends. I am not particularly
keen on seeing a massive sharing of works whose creators and
producers have been stupid enough to make them public while at the
same time using extreme means to stop them from becoming public.
Imagine however a person who needs to practice some legal usage on a
work and is stopped from doing so because the law has not made
provisions for DRMs to make this usage possible in practice. Then, I
am very keen for this person to be able to circumvent the DRM. The
legal protection of TPMs -if it is extended to DRMs- results in a
paradox: it is inefficient against what it claims to stop ("piracy")
and potentially efficient against legal usage. The planet-wide
circumvention will of course be quicker for best-sellers than for
rare contents and it will be difficult to order it "on demand", for
instance to practice a legal usage. As Cory Doctorow has stressed,
there will also be quick dissemination of circumvention means, but
their users can be prosecuted if the law creates a legal protection
against circumvention even when it is needed for legal usage,
contractually authorized usage, or in cases where the user was not
properly informed of the limitations of the DRM.


That's only the beginning. The true price paid for the fiction of a
continued scarcity of information lies in the destruction of the
freedom of action for non-specialist users. This is of course the
true desired benefit of DRM. French readers can see by reading the
article by Ulhume on the Mechanical Sheep site that even those DRMs
that are presently used (implementing only part of the model) already
present a danger for the constitutive freedoms of everyone's ability
to be a contributor to an information society.

A specific point to remember for later discussions of the relation with
free software: it is easy for DRM promoters to claim that the
obligation to disseminate them as open source software (Fritz
Hollings' proposal) or to provide free / open source software
developers who wish to implement them with the necessary information
will ease the planet-wide circumvention.

3. Free software in the context of the DADVSI law

One needs to distinguish carefully between 3 questions (they are not
thought experiments but refer to existing cases):

Is it relevant to ask for TPMs to no longer be protected against
circumvention when interfering with the functioning of the user
machine operating system or the freedom of each user to run software
of his/her choice?

Is it relevant to ask for information needed to implement TPMs that
are legally protected against circumvention to be made accessible for
those who wish to implement these TPMs as free software?

Is it relevant to implement free software-based DRMs?

The third question is of a different nature: it is not about demands
regarding the law, but about what developers should be incited or
advised to do. My answers to these questions are as follows: a clear
yes to the first one, a clear no to the last one, a nuanced no to the
second one.  Let's see why:

The first proposal has the great benefit to force to clarify the
definition and perimeter of protection measures that are granted a
legal protection regime (further than already done by the 134=136=144
amendment voted last December). Note that it is equally important to
obtain a positive vote on amendment 92 that specifies that
circumvention of technical measures can not be prohibited when it is
necessary for the sole purpose of a legal usage or a contractually
authorized usage, or when information about restrictions was not
provided. 2 good provisions are better than one.

After reading the previous section, the reasons that lead me to
reject the idea of implementing free software DRMs should be clear. I
consider such an idea to manifest a deep misunderstanding, since DRMs
consist precisely in depriving users from the freedom to control
software running on their machine, freedom that is the essence of
free software.  I know that -Fritz Hollings excepted- those who
imagine doing such an implementation have no desire to deprive users
from such a freedom. Their intentions are laudable, since they wish -
if DRM undergo a wide deployment- to avoid the situation where free
software usage would be marginalized in a small ghetto because its
users would be incapable to access widely disseminated contents. But
they can only believe that it would be a useful move if they are
mistaken on what DRMs are. They mistake them for TPMs of the 1996
era, for little isolable and confinable components. Of course it is
relevant to implement DeCSS as free software, and to obtain for this
implementation to remain legal. But not as a TPM, simply as a piece
of software needed to practice a legal action. And it is even less
relevant to implement free software DRMs.

Finally the second question is very tricky. To propose for the specs
of TPMs that are legally protected against circumvention to be
accessible to free software developers (which means disseminable)
would of course have the advantage of forcing proprietary DRM
providers to make their refusal explicit. However, it seems to me
that in a more significant manner, such a demand would legitimate the
DRM model (at least if one does not obtain satisfaction on the first
issue) and risks legitimating a compulsory DRM scenario. One would
exchange a fiction (availability of what proprietary technology
providers consider as their absolute weapon to free software
developers) for a very real risk: legitimating the one model that
represents the highest risk for an information society in which all
can be contributors.


4. DRMs in the context of the GPL revision process

This past 16-17 January, MIT hosted the launch event of a revision
process for the General Public License, the most used free software
license and, in my opinion, a fundamental component of the free
information ecosystem. Version 2 of the GPL dates from 1991, and
there exists a consensus of most players who adopt a wide vision that
a revision is desirable. The aim is to: adapt to new conditions
created by the explosive growth of free / open source software
development and usage ; find solutions to some compatibility problems
with other F/OSS software licenses; solve issues connected to the
present lack of availability of official linguistic versions in
languages other than English; and include provisions that can be made
necessary by the evolution of the legal framework such as software
patents in countries that are in the unlucky situation of recognizing
them or the legal protection of TPM in copyright law. The revision
process will last at least a year and is one of the most ambitious
global governance exercises for the information commons ever done
(though of course some will question the specifics of its organization).

On 16 January a draft proposal for version 3 of the GPL was issued
and it is since open for comments. This draft includes in the preamble
and in section 3 a number of provisions regarding DRMs. This is by
far the aspect that has triggered most debate. Linus Torvalds reacted
against the proposal that he comments as if it was the final version
and has declared that he would not apply the GPLv3 to the Linux
kernel (everyone will be free to switch to the version 3 or keep the
present version for one's software). Some French libre software
players have also commented against these DRM provisions on the
escape_l discussion list and in comments on the GPLv3 site. Even
those who think that it is necessary to include DRM provisions in the
GPLv3 are far from enthusiastic about some aspects of the present
drafting, judged to be confusing and risking to have undesired side
effects on DRM-unrelated cryptography for instance. Can one clarify
the present debate by using my analysis in the previous sections? The
debate is too recent and heated for me to submit more than a
tentative position.

The presently proposed text contains one sentence that seems clear to
me: no covered work constitutes part of an effective technological
protection measure. When read with some introductory context, this
sentence does not limit the nature of systems that can be realized
under the GPL, but specifies that these systems are not "effective
technical protection measures legally protected against
circumvention" in the specific field of copyright and related rights.
It does not create any obligation for developers or users of
cryptography systems to make their private keys public, nor does it
make legal software or practices that can be illegal in some
countries. It only guarantees the beneficiary of the license against
accusations of having circumvented a technical protection measure
when modifying the covered software. This clause of course makes
visible for all that the GPL is not a meaningful choice for creating
DRMs or TPMs that are protected by law against circumvention. Is it a
good idea? For DRMs I claim that yes (see previous section, question
3). For TPMs as conventionally defined by law, the DeCSS software
presents us with a concrete example of what happens when one accepts
to prohibit circumvention of TPMs without excluding from this
prohibition acts that are needed for legal use such as playing a DVD
under GNU/Linux. The example demonstrates that the resulting
situation is disastrous from a legal view point as well as from a
practical perspective, but of course does not stop real usage. There
are widely used free software that work only when one adds DeCSS or
an equivalent, and proprietary software players, of which some have
been suspected of including GPL-ed code in a way that would
constitute an infringement of the copyright of the licensor. Would
things be better if it was possible to write an approved DVD reader
under GNU/Linux under the GPL? But it IS possible under GPLv2! Why
doesn't it happen 8 years after DMCA (four and a half years if one
starts from the MPAA vs. 2600 decision)? Because the content
multinational corporations do not want it, and because the F/OSS
developers are conscious that it is impossible.

The remaining part of the DRM provisions in the GPLv3 draft seems to
be confusing at best, including the sentence that is supposed to
explain the one that I have just commented. Some parts of section 3
describe intents, and if they belong somewhere, it can only be in the
preamble. Other parts have triggered concerns within the
cryptographic community. Let's say so, let's argue it, and I don't
see any reason for the committees that are supposed to synthesize
comments into issues submitted for decision and for Richard Stallman
who has the responsibility of making the corresponding decisions to
ignore these comments.

Finally, Rishab Ghosh signalled that the draft stated intention of
preventing free riding on F/OSS by players whose deployment of DRMs
goes against the aims that F/OSS intends to serve could only be met
by including in section 7 a DRM-retaliation clause that would
withdraw the benefit of the license to any party initiating a legal
case based on circumvention of a TPM. Such a clause would be only an
option (not included in the basic license but deemed compatible with
it). This merits an open debate.

************************************************
Manon Anne Ress
manon.ress@cptech.org,
www.cptech.org

Consumer Project on Technology
1621 Connecticut Ave, NW, Washington, DC 20009 USA
Tel.:  +1.202.332.2670, Ext 16 Fax: +1.202.332.2673

Consumer Project on Technology
1 Route des  Morillons, CP 2100, 1211 Geneva 2, Switzerland
Tel: +41 22 791 6727

Consumer Project on Technology
24 Highbury Crescent, London, N5 1RX, UK
Tel: +44(0)207 226 6663 ex 252 Fax: +44(0)207 354 0607