Derek Slater discusses Fraunhofer’s new Light Weight DRM system. Derek is skeptical but states his opinion cautiously, not being a technologist. In any case, Derek gets it right.
It’s hard to see much that’s new in this proposal. If we ignore the newly coined LWDRM buzzword and the accompanying marketing spin, we’re left with a fairly standard looking DRM scheme, of the type I call mark-and-trace.
Mark-and-trace DRM schemes try to put a unique, indelible mark on each legitimate copy of a work, so that any infringing copies found later can be traced, with the aid of the mark, back to the legitimate copy from which they originated. Such schemes have fallen out of favor recently, because of two problems.
First, the mark must really be indelible. If an adversary can remove the mark, the resulting “scrubbed” copy can be redistributed with impunity. Nobody has figured out how to make marks that can’t be removed from music or video. Past attempts to create indelible marks have failed miserably. A notable example is the SDMI watermarks that my colleagues and I showed were easily removed.
Second, blaming the buyer of an original for all copies (and copies of copies, etc.) made from it just isn’t practical. To see why, suppose Alice has a big collection of music on her laptop. Then her laptop is stolen, or somebody breaks into it electronically, and all of her songs end up on millions of computers all over the Net. What then? Do you take all of Alice’s earthly possessions to compensate for the millions of infringements that occurred? (And if that’s the policy, what sane person will buy music in the first place?) Or do you let Alice off the hook, and allow burglars to defeat your entire DRM scheme? Nobody has a plausible answer to this question; and the Fraunhofer people don’t offer one.
Mark is right about the problems with a CRL, and Cypherpunk is right that the designers are “screwed either way”, whether they choose to have a CRL or not.
Mark – You make good arguments against the CRL. As I posted above, I agree that they add enormous complexity to the system. However, without them the system’s security is incredibly brittle. All it will take is one single certified private key to be leaked, stolen or otherwise published, and from then on everyone will be able to sign with that key and create legal LWDRM files. The security of the system will be totally destroyed.
So they’re screwed either way. If they have CRLs they face all the problems you describe. If they don’t have CRLs their system will lose security as soon as anyone can steal or con their way into a certified key with someone else’s name on it. As we say in these parts, that puts them between a rock and a hard place, and that’s not a promising place for a new technology to be.
I don’t think the lack of CRL is puzzling at all, given how little even non-embedded real-life systems make actual use of revokation. (When was the last time IE updated its CRL from Verisign?) Consider the consequences of trying to support a revocation list:
1) The revocation list must be updated periodically. This must be a mandatory operation, or else an attacker can just configure his or her firewall to block access to the CRL server and continue using compromised keys. But, that means that every user has to give their device access to the CRL, whether they are downloading music or not! (I suppose the constraint could be lowered to require updates during new music downloads only, but the requirement for secure updates still implies a secure time source…)
2) Every device supporting the DRM scheme must support a CRL as well. How big does the CRL have to be? If every key found on a file-sharing network is entered, then it has to be pretty large indeed.
3) Someone has to set up the resources to pass out new versions of the CRL. This isn’t necessarily cheap. You have to maintain it indefinitely or face lawsuits from consumers (point 1) and it forms an attractive target for DoS attacks.
For what this technology is trying to do (provide more information about the source of copied files), I think the engineering tradeoffs strongly favor not supporting CRL.
As far as the signature, my understanding was that it was supposed to remain attached to the music, and that this would be enforced because a LWDRM compliant device would not play music unless it had a signature attached to it. You could strip away the sig but then a LWDRM compliant device wouldn’t play the music. You’d have to convert the music to some other format like MP3, or make a player that would play the LWDRM format even with the signature missing. Then, as you say, the watermark would come into play.
Some responses:
Todd: Good point. I haven’t heard of any legal test on this question.
Karl-Friedrich: It looks like the LWDRM scheme, if it works, does not require anybody but you to know what music you have. Your computer would put your personal stamp on your music, but your ownership of that music would not have to be conveyed to anyone. If your copy leaks to the Net, your stamp will be found on it. But if your copy stays only on your own machine, nobody needs to know that you have it.
zaba: If Alice has a laptop full of infringing music, the DRM scheme has already failed. If the scheme works at all, there will have to be many Alices with laptops full of legitimate music.
The LWDRM scheme doesn’t address the used-CD problem you describe. Presumably it would be used with electronically distributed music, and not with CDs.
Cypherpunk: Yes, they do use signatures as you describe. But the signature is just another kind of mark on the music. As far as I know, all existing digital signature schemes allow the signature to be removed from the content. If they have a new signature scheme that tries to attach signatures irrevocably to the content, they don’t say so. Such a scheme would effectively be a watermark anyway, and would face the two problems I described in the original post.
The lack of a CRL is indeed puzzling. It seems obvious that one would be needed.
Actually the watermarking was described as sort of a backup mechanism. The main idea was that the new data format requires songs to be signed by the person who downloaded them, and compliant devices won’t play songs unless they have these signatures.
One problem I saw with this is that there was no mention of a CRL (certificate revocation list) to be installed into devices (which is understandable since CRLs add enormous complexity). That means that if someone could get a certificate in a fake name, maybe with a stolen credit card, they could publicize the secret key and then everyone could use that one. Everyone could sign their songs with that key, append the bogus cert, and then share them; and the devices would apparently accept them. But this would reveal nothing about the actual person who shared the song.
I don’t think Alice’s example with mass amounts of music on her laptop is gonna play to most people. (That is, I think most “techno-illiterate” people will assume music on her laptop is stolen to begin with).
Bob, on the other hand, might be a better example. He purchases a CD (with a credit card, so we know that he is the one who purchased it). Bob decides he doesn’t like it and sells it to the local used CD store. He gets cash for the transaction. Thus, there is no proof he sold it.
Charles purchases the CD from the used CD store (with cash, of course. It’s less than 10 bucks) and immediately offers it for sharing on a bunch of P2P networks.
Who is the RIAA going to go after? Bob or Charles? If I can come up with an additional scenario to the one Mr. Felten proposes (with nary a thought, mind you), then perhaps the whole DRM scheme needs a lot of improvement before it is implemented.
Both examples show the important relation of DRM to privacy (data protection) standards. In Ed Felten’s example, one might ask why any copyright holder should be entitled to know what songs Alice has on her computer in the first place. Most consumers would not necessarily appreciate having rightholders peeking over their shoulders all the time. In Todd Jonz’s example, there is the question if someone providing Internet access needs to ask for proof of identity first and keep log files later, or if you are allowed to provide anonymous access. Obviously, the latter position will be much more popular with consumers.
Ed writes:
> suppose Alice has a big collection of music on her
> laptop. Then her laptop is stolen, or somebody breaks
> into it electronically, and all of her songs end up on
> millions of computers all over the Net. What then?
There’s similarly gray area involved in tracking piracy by IP address.
We have a wireless ethernet behind a NAT router in our home. Guests are welcome to connect to our net when they visit, and quite a few have done so. One was the son of an old friend, who I know for a fact had a Kazaa client on his laptop. If he had downloaded any copyrighted music during his visit and I subsequently received a love note from the RIAA, what would my recourse be? Would the RIAA consider me complicit for failing to sufficiently police the activity of my guests while they were using my network connection?