May 30, 2024

Archives for December 2005

DRM, Incompatibility, and Market Power: A Visit to the Sausage Factory

Yesterday Alex wrote about how SonyBMG’s XCP CD copy protection software includes a feature – apparently built on illegally copied open-source code – to translate music files into the FairPlay format used by Apple’s iTunes and iPod, but the feature was not exposed to users. The details are interesting. But equally interesting, I think, is the question of how this situation came about. Why would Apple make compatibility so difficult? Why would First4Internet go to the trouble to make its software compatible? Why would First4Internet and/or SonyBMG then turn off this already-working feature? And why would SonyBMG then blame Apple for the difficulty of moving XCP files into iTunes and iPods?

Today I’ll try to answer these questions. My answers will be speculative, as I’m not privy to any special information about the companies’ plans. But the story I’ll tell should be plausible, at least, and it will shed some light on how companies use DRM (copy protection) as a weapon in struggling for market supremacy.

Let’s start by reviewing why Apple makes it hard for others to encode files in the Apple FairPlay format that is used by iTunes and the iPod. Apple could easily facilitate such encoding if it wanted to; but it doesn’t. Instead, Apple seems to be trying to ensure that customers are locked in to a particular DRM scheme. This is the strategy we would expect from a company with high market share – customers try to avoid lock-in, but if they must be locked in they typically choose to be locked in to the dominant vendor. So the dominant vendor – Apple in this market – often tries to foster market structures with lock-in.

Recall that when RealNetworks, an Apple rival, created its Harmony software, which could translate Real-format files into FairPlay, Apple cried foul. Apple hung the dreaded “hacker” label on RealNetworks and threatened to sue on some vague DMCA theory. When Real didn’t back down, Apple just changed the FairPlay format, rendering Real’s software incompatible once again. Apple was willing to use both legal threats and technical changes to frustrate compatibility.

First4Internet (F4I), in developing its XCP copy protection software, started out with no market share. F4I knew that customers wouldn’t want its software, because the main effect of the software is to stop customers from doing things they want to do. F4I wanted to reduce the unpleasantness of using its software, and one way to do that was to give customers a way to transfer XCP music files into iTunes or an iPod. And that meant translating the files into FairPlay format. To do this, F4I could have reverse-engineered iTunes and written code to do the translation. Instead, it apparently just swiped some open-source code called DRMS (written by Sam Hocevar and DVD-Jon), in violation of the DRMS license. Using this code, F4I built a working translate-to-FairPlay function as part of its software.

At some point, F4I licensed its software to SonyBMG. F4I would surely have told SonyBMG about the FairPlay compatibility feature. But when SonyBMG CDs shipped with F4I’s XCP software on them, the compatibility feature was disabled and hidden from users. Somebody must have decided to disable the feature, and it’s hard to believe it was anybody but SonyBMG. SonyBMG was F4I’s first major customer. SonyBMG was putting its name on the CDs. And SonyBMG would have been the main target for hacking accusations and/or lawsuits from Apple. So we have to conclude that SonyBMG chose not to make the software on its CDs FairPlay-compatible.

Why would SonyBMG do this? It would have been easier to retain compatibility, and SonyBMG’s customers would have benefited. So SonyBMG must have thought compatibility would hurt it, somehow. How might that happen? Perhaps SonyBMG was afraid Apple could bring a successful lawsuit against it; but that seems unlikely given the apparent weakness of Apple’s legal claims. Two other theories seem more likely.

The first theory is that SonyBMG wanted to avoid the public spectacle of two DRM companies fighting with each other. DRM advocates like to argue (against the evidence) that the only impact of DRM is to prevent infringement. When DRM companies fight over compatibility, this just emphasizes the role of DRM as a strategic tool companies use to lock other companies out of markets, and that sets back the cause of DRM. Much better from SonyBMG’s viewpoint, perhaps, to maintain the fiction of one big happy DRM family, even if customers suffer.

The second theory is that SonyBMG was trying to fragment the world of music-file formats, in order to reduce Apple’s negotiating power. Record companies have been complaining lately that Apple, as the biggest seller of Internet-delivered music, has too much market power. Apple’s market power helps it drive a hard bargain with record companies in negotiating the price and terms of Apple’s online music sales. SonyBMG, as a record company, would like to see Apple’s market power shrink.

Whichever explanation is right, it certainly appears that SonyBMG decided that XCP shouldn’t be compatible with FairPlay.

What SonyBMG did next showed a particular sort of genius. It blamed Apple for the incompatibility. Indeed, SonyBMG went so far as to ask its customers to petition Apple to solve the problem. Here’s SonyBMG’s web site:

Sony BMG wants music to be easily transferable to any device that supports secure music. Currently, music from our protected CDs may be transferred to hundreds of such devices, as both Microsoft and Sony have assisted to make the user experience on our discs as seamless as possible with their secure formats.
Unfortunately, in order to directly and smoothly rip content into iTunes it requires the assistance of Apple. To date, Apple has not been willing to cooperate with our protection vendors to make ripping to iTunes and to the iPod a simple experience.
If you believe that you should be able to easily move tracks from your protected CD to your iPod then we encourage you to use the following link to contact Apple directly and tell them so.

If you were SonyBMG, and you were clever but not overly concerned with telling the truth in public, this is exactly what you would say in this situation. Why pass up a chance to paint Apple as the bad guys?

Running through this whole convoluted tale are two consistent threads. DRM is used as a weapon not against infringers but against market rivals. And when companies use DRM to undermine compatibility, law-abiding customers lose.

Hidden Feature in Sony DRM Uses Open Source Code to Add Apple DRM

For weeks, the blogosphere has been abuzz with tales of intrigue about Sony’s XCP copy protection system. Among the strangest revelations was that XCP itself infringes on the copyrights to several open source software projects. In one case, Sam Hocevar found conclusive evidence that part of XCP’s code was copied from a program called DRMS, which he co-authored with DVD Jon and released under the terms of the GPL open source license. What made this finding particularly curious is that the purpose of DRMS is to break the copy protection on songs sold in Apple’s iTunes Music Store. Why would XCP rip off code intended to defeat another vendor’s DRM?

The answer is that XCP utilizes the DRMS code not to remove Apple DRM but to add it. I’ve discovered that XCP uses code from DRMS as part of a hidden XCP feature that provides iTunes and iPod compatibility. This functionality has shipped on nearly every XCP CD, but it has never been enabled or made visible in the XCP user interface. Despite being inactive, the code appears to be fully functional and was compatible with the current version of iTunes when the first XCP CDs were released. This strongly suggests that the infringing DRMS code was deliberately copied by XCP’s creator, First4Internet, rather than accidentally included as part of a more general purpose media library used for other functions in the copy protection system.

This isn’t the first time another vendor has tried to make its DRM compatible with Apple’s. Apple’s DRM, a system called FairPlay, places restrictions on songs purchased through the iTunes Music Store. FairPlay is the only DRM compatible with the immensely popular iPod, and Apple has declined to license it to rival music distributors, effectively locking rivals out from the iPod platform (at least as long as the rivals insist on using DRM). In 2004, RealNetworks attempted to work around Apple and reverse engineered FairPlay so that Real Player could create FairPlay files for use with the iPod. Apple responded by making vague legal threats and updating iTunes to break this compatibility. It looks like the people at First4Internet wanted to create their own iPod compatibility system, but rather than take the time to reverse engineer FairPlay themselves, they copied critical pieces of code from DRMS in violation of the GPL license.

Intriguingly, the FairPlay compatibility code in XCP is not limited to converting files from XCP CDs. The code appears to support conversion into FairPlay of files in a wide variety of input formats – MP3s, WAV files, raw audio files, and standard unprotected audio CDs – in addition to XCP-protected discs. It’s also strange that the FairPlay compatibility code is shipped but not made available for use by applications, not even XCP’s own player software. (Technically, the code is not exported from the shared library where it is stored.) This might indicate that First4Internet decided to remove the feature at the very last minute, shortly before XCP CDs started to ship.

In any case, the code is present and still works. It’s possible to execute it by jumping to the right memory location after performing some basic setup. I’ve used this method to test various aspects of the software. Here is a screenshot of iTunes playing a protected file that I made from a regular MP3 file using the hidden XCP functionality:

It seems these findings raise more questions than they answer. Where did the code come from? Since it supports audio sources other than XCP CDs, did First4Internet license it from another vendor? Why did Sony disable the code but continue to ship it? How does iTunes compatibility fit in with Sony’s overall copy protection strategy? Which is the greater evil – incompatible DRM platforms or GPL violations? Tune in again tomorrow when Ed will weigh in on these and other conundrums.

* * *

[This rest of this post contains technical information about how XCP uses the DRMS code. Feel free to stop reading now if you aren’t interested in the details.]

Understanding how XCP uses code from DRMS requires some basic knowledge about FairPlay. When you buy a song from the iTunes Music Store, you receive a FairPlay encrypted audio file that can only be played with knowledge of a secret key assigned to you by Apple. iTunes retrieves this key from an Apple server, which prompts you to log in with your Apple ID and password. Your user key is stored on your hard drive in an encrypted key database (a file called SC Info.sidb). When you play the song again, or if you try to copy it to an iPod, iTunes reads your key from the database instead of reconnecting to the server.

FairPlay’s security depends on the encrypted key database being difficult for anyone but Apple to decipher, so it is protected using a proprietary encryption method and a system-dependent secret key. (As security experts predicted, this protection was quickly broken; today DRMS is able to defeat FairPlay because DVD Jon painstakingly reverse engineered the database decryption code in iTunes.) iTunes encrypts the key database using a two step process. First, it XORs the plaintext database with the output from a proprietary pseudorandom number generator (PRNG) using a system-dependent seed; then it applies AES encryption with a system-dependent key. As a consequence of this design, the code for the PRNG is exactly the same whether the file is being encrypted or decrypted. To decrypt, iTunes applies AES decryption, then XORs the same PRNG output again. This explains why parts of the DRMS code – in particular, a function called DoShuffle, which computes the PRNG’s output – are useful for encryption as well as their original purpose, decryption.

The complex, proprietary PRNG must have been especially difficult to reverse engineer. Rather than expend this effort themselves, XCP’s authors appear to have lifted the DoShuffle code verbatim from DRMS. XCP uses this code to manipulate the iTunes key database in the process of adding FairPlay protection. Starting with an unencrypted audio file, such as a track from a protected CD, XCP compresses the audio in memory, then encrypts it using the same algorithm as FairPlay. Instead of using an Apple-assigned user key, XCP creates a new random user key and, with the help of the DRMS code, adds it to the iTunes key database. This ensures that the song file can only be used on the computer where it was created.

The XCP FairPlay compatibility code is contained in a file named ECDPlayerControl.ocx that is installed the first time an XCP CD is played. Here is how the DRMS code ties in with the rest of the library. (I’ve provided a debugger offset for each function as an aid to other investigators.) The DRMS DoShuffle subroutine (0x10089E00) is called from only two places, a function that encrypts the iTunes key database (0x1008A0C0) and a function that decrypts it (0x1008A300). Both these functions are called from only one other routine, which serves to read the key database, decrypt it, and, if necessary, to add the XCP user key to the database and write it out again in encrypted form (0x1008A470). This routine is called by a higher level function that converts an audio file into a FairPlay-protected AAC file (0x10027D20). You can test these functions by jumping into an earlier routine (0x10010380, apparently the start of a thread for transferring music to iTunes) after some simple initialization. I’ll happily provide serious investigators with rough sample code and instructions.

My tests indicate that XCP’s FairPlay-compatibility code works with iTunes up to iTunes version 4.8. iTunes 4.9, released June 28, 2005, included changes unrelated to FairPlay that cause the XCP code to fail. XCP CDs released after this date do not appear to contain an updated version of the code.

The DMCA Should Not Protect Spyware

Yesterday was the deadline to submit requests for limited exemptions from the DMCA’s ban on circumvention of access control technologies. This happens every three years. Alex Halderman and I submitted a request, asking for an exemption that would allow the circumvention of compact disk copy protection technologies that have certain spyware-ish features or create security holes. We’d like to thank Aaron Perzanowski and Deirdre Mulligan of the Samuelson Clinic at UC Berkeley, whose great work made this possible.

Many people decided not to submit exemption requests in this round, because of the way previous rounds have been handled. For example, the EFF argues that the process is so strongly tilted against exemptions, and the Copyright Office tries so hard to find excuses not to grant exemptions, that there is no point in asking for one. Even Seth Finkelstein, the only person who has had any real record of success in the process, decided to sit out this round. I submitted requests for research-related exemptions in 2000 and 2003; and having seen how those requests were handled, I sympathize with the skeptics’ position.

Nevertheless, I think it’s worth asking for this exemption, if only to see whether the Copyright Office will acknowledge that copy protection technologies that install spyware or otherwise endanger the security or privacy of citizens are harmful. Is that too much to ask?

To most readers here, the most interesting paragraph of our exemption request is this one:

Researchers like Professor Edward Felten and Alex Halderman waste valuable research time consulting attorneys due to concerns about liability under the DMCA. They must consult not only with their own attorneys but with the general counsel of their academic institutions as well. Unavoidably, the legal uncertainty surrounding their research leads to delays and lost opportunities. In the case of the CDs at issue, Halderman and Felten were aware of problems with the XCP software almost a month before the news became public, but they delayed publication in order to consult with counsel about legal concerns. This delay left millions of consumers at risk for weeks longer than necessary.

The DMCA exemption process continues, with reply comments due February 2.