April 23, 2024

CD DRM: Threat Models and Business Models

Alex and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here next Friday. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s excerpt is from a section early in the paper, where we are still setting the scene before the main technical discussion begins:

Threat Models and Business Models

Before analyzing the security of any system, we need to ask what the system is trying to accomplish: what its threat model is. In the case of CD DRM, the system’s goals are purely economic, and the technical goals of the system exist only to protect or enable the business models of the record label and the DRM vendor. Accordingly, any discussion of threat models must begin and end by talking about business models.

It is important to note that the record label and the DRM vendor are separate entities whose goals and incentives are not always aligned. Indeed, we will see that incentive differences between the label and the DRM vendor can be an important factor in understanding the design and deployment of CD DRM systems.

Record Label Goals

The record label would like to prevent music from the CD from becoming generally available on peer-to-peer file sharing networks, but this goal is clearly infeasible. If even one user succeeds in ripping an unprotected copy of the music and putting that copy onto P2P networks, then the music will be generally available. Clearly no CD DRM system can be nearly strong enough to stop this from happening; and as we will see below, real systems do not even try to achieve the kind of comprehensive coverage of all major computing platforms that would be needed as a prerequisite for stopping P2P sharing of protected music. We conclude that the goal of CD DRM systems cannot be to prevent P2P file sharing.

The record label’s goal must therefore be to stop many users from making disc-to-disc copies or from engaging in other forms of local copying or use of the music. By preventing local copying, the record company might be able to sell more copies of the music. For example, if Alice cannot make a copy of a CD to give to Bob, Bob might buy another copy from the record label.

By controlling other local uses, the record company might be able to charge an extra fee for those uses. For example, if the record label can stop Alice from downloading music from a CD into her iPod, the label might be able to charge Alice an extra fee for iPod downloads. Charging extra for iPod downloads creates a new revenue stream for the label, but it also reduces the value to users of the original CD and therefore reduces the revenue that the label can extract from CD sales. Whether the new revenue stream outweighs the loss of CD revenue depends on detailed assumptions about customer preferences, which may not be easy for the label to determine in practice. For our purposes, it suffices to say that the label wants to establish control over the uses made by at least some users, because that control will tend generally to increase the label’s profit.

We note also that the record company’s profit-maximizing strategy in this regard is largely independent of the contours of copyright law. Whether the label would find it more profitable to control a use, as opposed to bundling it with the CD purchase, is a separate question from whether the law gives the label the right to file lawsuits relating to that use. Attempting to enforce copyright law exactly as written is almost certainly not the record label’s profit-maximizing strategy.

Monetizing the Platform

Even beyond its effect on controlling copying and use of content, CD DRM can generate revenue for the record label because it installs and runs software on users’ computers. The label can monetize this installed platform in various ways. For example, the DRM software comes with a special music-player application which is used to listen to the protected disc. This application can display advertisements or other promotional material that creates value for the label. Alternatively, the platform can gather information about the user’s music listening habits, and that information can be exploited for some business purpose. If these tactics are taken too far, the DRM software can become spyware. Even if these tactics are pursued more moderately, users may still object; but the record company may use these tactics anyway if it believes the benefits to it outweigh the costs.

DRM Vendor Goals

The DRM vendor’s primary goal, obviously, is to provide value to the record label, in order to maximize the price that the vendor can charge the label for using the DRM technology. If this were the only factor, then the incentives of the vendor and the label would be perfectly aligned and there would be no need to consider the vendor’s incentives separately.

However, there are at least two ways in which the DRM vendor’s incentives diverge from the record label’s. First, the vendor has a much larger tolerance for risk than the label does. The label is a large, established business with a valuable brand name. The vendor (at least in the cases at issue here) is a start-up company struggling to establish itself. The label has much more to lose than the vendor does if something goes horribly wrong. Accordingly, we can expect the vendor to be much more willing to accept security risks than the label is.

The second incentive difference is that the vendor can monetize the installed platform in ways that are not available to the record label. For example, once the vendor’s software is installed on a user’s system, the software can control copying and use of other labels’ CDs. Having a larger installed base makes the vendor’s product more attractive to other labels. Because the vendor gets this extra benefit from installing the software, the vendor has an incentive to be more aggressive about pushing the software onto users’ computers than the label would be.

In short, the vendor’s incentives diverge from the label’s incentives in ways that make the vendor more likely to (a) cut corners and accept security and reliability risks, and (b) push its software onto more users’ computers, even in some cases where the label would prefer to do otherwise. If the label knew everything about how the vendor’s technology worked, then this would not be an issue – the label would simply insist that the vendor protect its interests. But if some aspects of the vendor’s design are withheld from the label as proprietary, or if the label is not extremely diligent in monitoring the vendor’s design choices – both of which are likely in practice – then the vendor will sometimes act against the label’s interests.


  1. White Patriotic American says

    Consumer rights simply don’t make sense. If you want to listen to the songs on a portable device, then you are morally obliged to buy the same songs again in MP3/WMA format. Ripping your legally-purchased CD equals thievery, because by doing so, you infringe record labels’ profit by not buying the same songs again in a different format.

    What is more ridiculous is the right to backup your legally-purchased Audio CD. Making backups equals thievery, because it denies record labels potential profit from selling the same CD again. As Hilary Rosen has said, “Even if CDs do become damaged, replacements are readily available at affordable prices.” You hear that? “Affordable prices”. If record labels are kind enough to provide affordable prices, then it is our moral obligation to NOT back up the CD and buy the same CD again in case the CD gets damaged.

    As you understand, We The People have moral obligations to protect the interests of the Atlas. As a consumer, it is our duty to maximize the profit of big corporations. Monopoly is good for America. Unnecessary spending is good for America. High prices are good for America. Internet advertising is good for America. Making backups is communist. Saving is communist. AMERICAAAAAAAAA!!!!

  2. J. E. Schmidt says

    The “Joe Sixpack” Analogy

    I believe that everyone here has forgotten about “Joe Sixpack.” Who’s he? He’s the end-user — the guy that goes to the store and buys something and takes it home, such as a music system or a digital video recorder.

    Joe Sixpack has no representation in Congress any more, as neither do any of the rest of us in this era of “The New Corporate Government of America.” However…..

    He’s not going to read the manual, he’s just going to plug in the speakers, connect to the AC-power wall outlet and then stick in his CD, and then discover this product he’s paid $300 for won’t play his CD [due to some variant of DRM.] Joe Sixpack’s going to take it back to the store and say “This thing doesn’t work, I WANT MY MONEY BACK!”

    When he finds out his new DVR won’t record the TV show he wants to keep for a while and watch later, he’s going to take the DVR back. If he buys a VCR (and yes, they are still being made) and it won’t work for what he wants, like the older ones do, he’s going to take the VCR back.

    We’ve already seen the Sony rootkit fiasco, which will cost Sony many millions of $$ in settlements, plus the cost of reissuing CDs without DRM to all their customers, plus future losses from all the consumers who are so mad they say “I’ll never buy another Sony product again.” This incident has already cost Sony many times more than it could ever gain in profits from DRM. Regardless… will the executives give up on DRM? Not likely, they are too stupid.

    And many of Joe Sixpack’s cousins may already have wisely decided not to buy any CD containing DRM, all of which adds up to more lost sales.

    Thusly, for whatever reason, it is the marketplace which may finally settle the DRM issue. When the Joe Sixpacks nation-wide begin taking the stuff back to the store and demanding their money back, it will not be economically feasible for manufacturers to produce this crippled merchandise, even though Hollywood has paid off Congress to buy the laws it wants.

    As to music, there are alternative sources other than buying CDs from the labels. And I will never part with my two Otari reel-to-reel analog recorders nor any of my other analog equipment. I still run on Windows-98SE and carefully archive all the “legacy software,” knowing full well that “upgrades” these days may lead to “unhappiness.”

  3. From hearing the discussion, it seems like an argument could be made that corporate shields and other trickery can in fact make the small company less risk-averse. In some ways this is saying that having a smaller “brand” means that your ethical standards can be lower, which I find distasteful, but concede may be true of some players. In any case, the discussion here seems to support my basic contention that the point regarding risk-aversion is non-obvious and debatable.

  4. Anon,

    Apple’s not the only major OS that’s unprotected, Linux also falls into that category. But both Apple and Linux users together are a smaller share, naturally. I would suggest that the reason for the published work-around probably had more to do with a deluge of user requests to SunnComm rather than an impetus on Sony’s side to make it convenient for users to use the competing hardware. And, of course, this is just SunnComm, which is one out of the two Sony DRM schemes. But of course, we can’t guess at motives, and so perhaps it is not as good of an example of using DRM to make hardware sales as well.

    However, I still maintain that DRM can be monetized by locking people in to hardware, and even in other ways. You have pointed out some issues with Sony’s, so let’s try another example: Let’s look at Apple, rather than Sony.

    Apple is of course also using DRM, the FairPlay technology. As you mentioned, Apple refuses to license FairPlay to other players, and even other companies that just want their music to be played on an iPod. The short story is that if you want your content to be covered by a DRM, you have to do it through Apple’s technology. Therefore, you must sell it through Apple’s iTunes store, and play it on Apple’s iPod hardware. Without the DRM, these kinds of market games cannot be played. With it, suddenly, Apple is driving sales through at least two different channels. And if they wish to license it to other hardware players, get a guaranteed piece of that market if it develops.

    I see this as no different than when Gillette patented their connection mechanism for their razor blades to the razors themselves. When other competing companies made generic versions of the blades, they sued and kept their monopoly.

    This part of Professor Felten’s paper is rightfully shedding light on the fact that this software is not just about protecting copyrighted content. DRM is clearly also about monetization of the side effects of the software (and other added indiscretions like spyware and such). I believe that it is also part of the gamesmanship in the hardware and content sales markets. Somehow, Apple gained enough popularity to dictate the rules of the game in this short term.

  5. Randall

    “Apple’s lockdown of their iTunes music precipitated this move by Sony, to make it so that, at least with their own content, you can’t use the iPod.”

    But you are persisting with the incorrect belief that Sony didn’t want their CDs ripped to an iPod. Their implementation (V5 of MediaMax) allowed Windows Media versions of the tracks to be created on the fly and they have been begging Apple to allow them to produce Fairplay versions on the fly that could be loaded on an iPod. Apple refused to license Fairplay. So as not to disadvantage users, Sony-BMG / SunnComm provided a work around for Windows users to produce files off the CD for the iPod (the instructions are on SunnComm’s website). Additionally, Apple PCs could always rip the CD to iPods as MediaMax offered no protection on a Mac (unless the user specifically invoked it).

    I am not a SunnComm shill and believe the company is utterly corrupt (at least the management). But fair is fair.

  6. Ed,

    Great work!

    Regarding monetization, I think that you might want to drop in something more explicit about monetization based on selling hardware. When I consider what Sony was trying to do with this DRM, I see them competing in the MP3 player market and getting beaten by the iPod. They can’t play anything sold on iTunes, but the iPod can easily play ripped CD’s from their array of content.

    Since the iPod can’t play WMV’s, suddenly, the lockdown of the Sony content CD’s makes sense. You can’t play it with the iPod, but you CAN play it with Sony’s own players, giving them a similar advantage at least with their own artists. It seems that very little of the DRM out there is purely about protecting the content, as you say here. It’s about market positioning, and is just another move in a game of market share. Apple’s lockdown of their iTunes music precipitated this move by Sony, to make it so that, at least with their own content, you can’t use the iPod. Basically, using one part of their business in order to help another part of their business. Something that Sony has done well in the past. It’s really just them trying to leverage parts of their business.

    This is complicated, but I think that it’s an important part of this discussion.

    By the way, I’m from an independent band, and find that the DRM discussion actually even affects independent bands, as well. This is not just about the labels, and I would request that you take care to also include indies in your discussion, as it comes in to play. It affects us quite directly when we sell our music on these digital music stores, as most of them have DRM. My band personally had someone lose access to our music that he bought from the new Napster when he cancelled his service. (We gave him DRM-free copies ourselves).

    We talk about it on our website, and actually, we quote you as one of the major sources. You (and the others reading this board) might find some useful material below.

    File Sharing, an Independent Band’s Perspective:


    A section in the above work on DRM, discussing how it affects indie bands:


    And we’ve been a big fan of your work for quite a long time, and you are quoted here, in a section called “File Sharing Can’t be Stopped”


    Hope this is useful to you!

    -Randy (rc-btg at beatnikturtle.com)

  7. Dave,

    Regarding the revenue decrease: Revenue can decrease even if the price stays the same, if the number of units sold goes down.

    Your control issue is a good point that we should probably discuss, though milder language is appropriate in an academic paper.

  8. “Charging extra for iPod downloads creates a new revenue stream for the label, but it also reduces the value to users of the original CD and therefore reduces the revenue that the label can extract from CD sales.”

    Theoretically yes, but the XCP and SunnComm CDs were not priced lower. Either consumers weren’t aware their CDs were devalued, or the protection was so ineffective that most consumers just considered it an annoyance to be circumvented with the shift key. The only way the price is going down is if consumers perceive they are getting less and demand drops in a way that can be attributed to DRM-protected music. That should happen in theory, but it hasn’t happened yet.

    Regarding the platform, the record labels perfected the racket of being a controlling middleman with a stranglehold on both sides of the transaction. Surely they aren’t blind to the value of controlling the DRM platform. They’ve seen the problem with Apple refusing to license FairPlay, and can’t be all that excited about jumping into the Microsoft PlaysForSure camp. What stops Apple or Microsoft from eventually squeezing out the labels and signing groups to direct contracts? Nope, there’s only room for one dictatorial middleman.

  9. Too bad Allan Friedman’s paper about the threat analysis of the broadcast flag costs $30 to either get the PDF or “text with links”. I guess I won’t be reading that one.

    This Coral group sounds suspiciously like “everyone but Apple and Microsoft”, which is interesting but destined to fail.

    Do you think anyone will “follow the money” to see exactly what went on between Sony and the two DRM vendors?

  10. What is the role of the Coral Consortium in this DRM mess?

    ED-I wonder if they will let you evaluate Coral ….

    The Coral Consortium is a group of companies, including consumer electronics, DRM and media companies, working towards an interoperable cross-platform DRM framework.

    The Coral technology is based on Intertrust’s technology that is owned by Coral Members Sony and Philips.

    Here’s a list of the current Coral Consortium Members.

    Promoter Members

    * Hewlett-Packard Corporation
    * IFPI
    * Intertrust Technologies Corporation
    * Koninklijke Philips Electronics N.V.
    * Matsushita Electric Industrial Co., Ltd.
    * NBC Universal, Inc.
    * Samsung Electronics Co., Ltd
    * Sony Corporation
    * Twentieth Century Fox Film Corp.

    Contributor Members

    * Ardtully Technologies
    * AOL
    * Cisco Systems
    * Cloakware Corporation
    * Comcast New Media Development, Inc.
    * EMI Music
    * Enikos Pty. Ltd.
    * Gibson Guitar Corporation
    * Irdeto Access B.V.
    * Kenwood Corporation
    * LG Electronics
    * Motion Picture Association of America
    * Motorola
    * NDS Americas, Inc.
    * Pioneer Corporation
    * Recording Industry Association of America (RIAA)
    * Seagate Technology, LLC.
    * SecureMedia Inc.
    * Sony BMG
    * Starz Entertainment Group LLC
    * STMicroelectronics, N.V.
    * Sun Microsystems
    * Time Warner Cable
    * Universal Music Group
    * Verimatrix, Inc.
    * ViDeOnline, Inc.
    * Warner Bros. Technical Operations Inc.
    * Warner Music Group
    * Widevine Technologies

  11. V., you are correct, but I was economizing on my verbiage. The CD or DVD that is bought today, as you correctly point out, will probably expire of old age by the time the copyright expires. Nevertheless the question of DRM and copyright extension remains and should be explored. What happens in the case of a CD or DVD manufactured one year before the copyright entitlement expires???????

    Partial summary below: http://supct.law.cornell.edu/supct/search/display.html?terms=copyright&url=/supct/html/01-618.ZS.html
    No. 01—618. Argued October 9, 2002–Decided January 15, 2003

    The Copyright and Patent Clause, U.S. Const., Art. I, §8, cl. 8, provides as to copyrights: “Congress shall have Power … [t]o promote the Progress of Science … by securing [to Authors] for limited Times … the exclusive Right to their … Writings.” In the 1998 Copyright Term Extension Act (CTEA), Congress enlarged the duration of copyrights by 20 years: Under the 1976 Copyright Act (1976 Act), copyright protection generally lasted from a work’s creation until 50 years after the author’s death; under the CTEA, most copyrights now run from creation until 70 years after the author’s death, 17 U.S.C. § 302(a). As in the case of prior copyright extensions, principally in 1831, 1909, and 1976, Congress provided for application of the enlarged terms to existing and future copyrights alike.

  12. Steve R., you’re talking about the traditional copyright system which was written for the promotion of the arts by rational people. I don’t remember numbers off the top of my head but copyrights ran fairly short at the time. Today’s are so long that they’ll without doubt outlive the format they’re put on.

    On what SammyJankis said, regardless of the “need” to make a backup, the courts say we have a right to do it. I have a friend who makes a copy of every DVD he buys, and what he found was the ripped copies (without DRM) actually work much better.

    Which makes me wonder, what kind of programmers go into the copy protection business? Seeing from F4I and SunnComm, not good ones, and definitely not ones who give a damn about the customers. I’m starting to wonder why if for all the ingenuity there is in the computer industry, none of it seems to find its way to DRM, unless of course they see it for what it really is. Then again, how can any programmer avoid understanding that what they’re working on is a war against consumers, unless they really don’t care so long as they make money?

  13. Edward Kuns says

    Steve R, good point! Let’s say I purchase a CD of content whose copyright has expired or even whose content is in the public domain. It’s to the interest of the company selling the CD to prevent me from making other uses of that CD — to prevent me from copying the CD — even though they have no legal way to sue me if I make unlimited copies.

    Once something is in the public domain, there should be no restrictions placed on it.

    This brings up the issues of the many private companies being the sole outlet of public information (weather, Congressional reports, building codes, and so on). Those companies historically have tried to block other avenues of access to that content even when that content is clearly in the public domain. They don’t care about the information being public. They care only about their revenue stream.

  14. Because the vendor gets this extra benefit from installing the software, the vendor has an incentive to be more aggressive about pushing the software onto users’ computers than the label would be.

    I have to disagree. The software pushed onto computers almost always is a software that tries to establish itself as “this is the player software to play your CD’s from.”
    Also this software is always branded by the record company, heightening trademark awareness. There is an extra benefit to both DRM vendor and record company.
    If customers get accustomed to this software it is a formidable way to monopolize attention and mindshare, which in turn is a huge benefit for the deploying label. Even more so if the software “happens” to “accidentally” disable key functionality of competing software like F4I’s driver did with Apple iTunes.

    If the competitor’s software starts “acting funky” (which is not unusual with Windows applications I’m told) due to a driver that “unintendedly” misbehaves in conjunction with a competitor’s software, the competitor’s software is badmouthed since it is not clear to the user this misbehaviour is triggered by software installed by the record company.

    So I have to disagree deploying this application on the computer is also a big boon for the record company since it’s a milestone to lock out competitors.

    That is not to say a record company would be stupid enough to actively support this desperate installing behaviour or request it, just that the incentives on turning a blind eye if the DRM software has these “features” are big.

  15. A concept that we appear to be overlooking is that the copyright entitlement is supposed to be of limited duration, it isn’t forever. Once the copyright privilege expires, the product enters the public domain. In posts that I have been reading, I have not detected any discussion of how DRM would be turned OFF once the copyright expires and the product enters the public domain. In theory, all DRM technology should be time aware. (Of course we wouldn’t change the system clock.) Since this issue is “silent”, I will make the assumption that DRM technology has been designed to make the copyright entitlement virtually permanent by locking the content in a proprietary technology. This would further support the concept that DRM is really being designed to “Monetize the Platform”.

  16. Dan asks about F4I.

    Their web site has been reduced to three pages with rudimentary contact details at http://www.first4internet.co.uk. The xcp site they had has been taken down except for a page at http://www.xcp-aurora.com which appears to be the work of a professional excuse-author.

    F4I are also world leaders in image content filtering (I know that’s true because I read it on their web site) and there have been reports in various forums that their programmers were seeking help from internet communities with that a few years ago.

    There are reports that according to UK public records, they have been losing over half a million pounds a year since they were founded in 1999. (I wonder where that has come from?). I’d be surprised if the company isn’t put into liquidation shortly.

    Incidentally, Sony BMG are in the news in the UK. Apparently, London Underground are investigating reports that Sony have been paying buskers (who have permits) to play specified music in tube stations. That gives a new meaning to the term “payola”.

  17. Edward Kuns says

    It seems that many in business have no fear of going out of business. Just form a corporation to get the corporate shield and take the risk. The worst that happens is that you go bankrupt and have a shell corporation purchase the assets and continue with almost no interruption. Obviously this depends on the business, but SunnComm (for example) has shown a willingness to play this sort of game (at least from what others report). It depends on what the goal of the corporate owners is: A quick buck, or a long term business plan.

    I would say that the DRM vendors — in practice — have shown different motivations from the people who distribute the copyrighted works. I don’t know where Macrovision fits into all of this, because their business plan seems different from F4I and SunnComm. Macrovision has been around for quite a long time and seems to have a business plan that depends on that. Like Sony. Like BMG. But then again, Macrovision is not a small startup. They have other products that do not depend on the music CD market.

    A small startup that solely depends on the music CD market can easily have a motivation to cut corners, misrepresent their product, and get the most money as rapidly as possible. And if something goes wrong, let the corporation go bankrupt because the officers of the corporation still made their money.

    Once you are established in one market, you are not going to risk your corporation’s existence by taking overt risks in another market. Until that point, however, what is your motivation to avoid risk?

  18. Dan,

    “Seriously, who is F4I and what were their qualifications to get that DRM contract?”

    Whether the contracts were won by fraud or not will probably be never known. But I believe one of F4I’s top execs is from the Sony side of Sony-BMG and MediaMax Technology’s (SunnComm’s sham marketing arm) new CEO, Kevin Clement, has come from the BMG side of Sony BMG. Clement was the one who pushed SunnComm’s case at BMG according to SunnComm shills.

    In the case of Kevin Clement, he must have known about all the shonky acts that SunnComm got up to in the past (fictitious deals etc.). I can’t remember which one, but in an article from a few years ago, SunnComm’s CEO Peter Jacobs said that the BMG team came to a meeting with a document that had been sent to them by a “basher” that contained a list of all the allegations against SunnComm that have been raised here and on other message boards.

  19. Larry-

    I didn’t say that, anonymous did. I said that Sony was in an unusual position (compared to the other labels) as a platform vendor as well as a content provider- and that they had incentive to push DRM even further because of it.

  20. Larry Rosenstein says

    Tim Howland says “The labels would like to be Apple compatible, but Apple won’t budge.”

    In addition to Ted Mielczarek’s comments about MP3s, at least some of the songs on the protected CDs are available on the iTunes Music Store. iTMS is another way record companies can make their music “Apple compatible”.

  21. I think it’s fantastic that this excerpt addresses the incentives of the DRM vendor. Finally someone considers this aspect of the issue as well!

    I’ve started 2 relatively successful software companies, and in both instances I had the opportunity to make more money if I bent the rules (slipped in code from another project or source, put in a back door in the case of non-paying customer, etc…) but that’s not who I am & that’s not how I operate.

    I never over-sold my company or its abilities. I never stole code. I never promised the world & underdelivered. I slept well at night, had happy customers and happy employees.

    What really frosts my **ts is that everyone is targeting Sony, when really my (admittedly narrow) interest is in First4Internet and SunnComm.

    As I understand it, there is a pretty clear trail of someone named “Ceri” at First4Internet basically admitting she didn’t know what the hell she was doing and asking the internet community for help writing her scum code. Also I understand that there are fingerprints of (GPL’ed???) code from another source in F4I’s XCP.

    Seriously, who is F4I and what were their qualifications to get that DRM contract? I will bet anyone who reads this the balance of his/her bank account that some money was exchanged under the table between a Sony exec or developer, and someone @ F4I. C’mon, there are 100 companies who could have done a better job (maybe none of them would have touched this contract w/ a 10-foot pole though) – but why was F4I chosen?

    BTW, I am retired and don’t (didn’t) have a dog in this race… no sour grapes here, although maybe I am projecting a bit from when I had companies & lost contracts to over-promising bottom-feeders & charlatans… but regardless, the point is that F4I had very little to lose, and LOTS to gain, because they can just fold up & say “sorry, take our $50k in assets, we’re going belly up” while Sony has MUCH more to lose.

    Sorry for the rant, I am just wondering why no one seems to be looking into F4I. If someone supplied firmware for Mercedes ABS systems that failed / caused harm, I guarantee you that the name of the supplier would be heard as much or more as Mercedes. Why do we let snake-oil DRM vendors get off any easier?

  22. SammyJankis says

    The point “about controlling what users can do after the purchase.” rings quite true. Big media and consumers often have a quite different definition of what constitutes “fair use”.

    Check out this Q&A from copyprotected.com, a “copy protection awareness” site created by the movie and music industries:

    Q: Can I create a back-up copy?
    A: No. DVDs were manufactured to stand the test of time and remain of high quality no matter how many times they are viewed. As long as reasonable care is taken, there should never be a need to back-up the data on a DVD.

    As the father of two young children, I can attest that DVDs do not in fact “stand the test of time and remain of high quality no matter how many times they are viewed.”

  23. Thanks for your comments so far. This is very helpful — exactly what we hoped would happen when we decided to post parts of the paper.

    One thing to bear in mind in your comments is that we’re facing a hard limit on the overall length of the paper, so we can’t afford to make this section much longer. This draft has some fat that can be squeezed out, but we can’t say everything we would like to say.

    Still, I do expect that we’ll incorporate several of your suggestions. Keep ’em coming!

  24. BoingBoing linked to a DRM free video site over the weekend, http://www.4Flix.Net

    To quote Cory Doctorow: “If you amass a video collection of DRM video from Microsoft, Apple, Google, Yahoo or other restrictive suppliers, you’re dooming yourself to either throwing out all your movies when you want to change platforms, or keeping multiple players and libraries from these competing companies that are attempting to woo the entertainment companies to licensing content for their locked-down platforms by promising ever-tighter restrictions in their players.

    With 4Flix, you get great movies and a great investment — because the movies arrive without DRM, you can be sure that you’ll be able to play them back on devices and players from lots of companies for the rest of time. You can give them to your kids in your will or donate them to a school library. They’re yours, and you can use them as you see fit.”

  25. Anonymous:
    “Both you and Ed have missed a very important point in the suggestion that CD-DRM is intended to make the CD incompatible with iPod. It is Apple that refuses to licence its DRM to the labels. The labels would like to be Apple compatible, but Apple won’t budge.”

    You’re making the same false argument here that plenty of other people have. The iPod plays *MP3s* as well as Apple’s DRM-protected content. To be iPod compatible, all you have to do is provide MP3s or CD audio, which iTunes is quite capable of converting to MP3. If the record labels’ insistence on DRM keeps them from providing unencumbered CD audio, then it is their own fault that their CDs are not iPod compatible.

  26. Scott Karlin: You are quite correct. In Ed’s previous post “Analog Hole Bill Would Impose A Secret Law” he mentions the upfront fee (barrier-to-entry) needed to license DRM technology. I missed the implication, at that time.

  27. Mr. Felten, you wrote:

    “For example, if the record label can stop Alice from downloading music from a CD into her iPod, the label might be able to charge Alice an extra fee for iPod downloads.”

    This statement is incorrect for obvious reasons.

    1) Apple’s FairPlay DRM isn’t available for licensing so your argument is completely wrong. If it were available and iPod tracks were not on the CD this could be true, but this is simply not the case.

    2) The record labels are allowing Windows DRM-protected WMA files to be encoded from the CDs; if your argument had any chance of being true they would not allow any WMA file to be encoded off the CD. There are music download sites now that only provide WMA versions of the music when you purchase the music. The difference is simple: Windows licenses their DRM, Apple does not.

    By the way, have you or Halderman looked into Macrovision’s method of installing software in your pc with the CDS300 system?

  28. Steve R.

    I do agree that the recent ability of content creators to reach the public directly via the Internet represents a threat to the record labels. While it’s probably a second-order effect, record labels would benefit if all CDs used DRM and there was a high barrier-to-entry for individual content creators to use that same DRM.

  29. Unlike several other commenters, I agree with your assessment of vendors’ risk acceptance. Having been in a few startup companies, I can tell you that *everything* is about risk. A company like First4Internet has to balance the risk that they will die because no one buys their products against the risk that they will be sued out of existence. From their point of view, each of these outcomes is the same: they’re dead. It simply doesn’t matter to them that they enter bankruptcy with $1000 in liabilities in one case, and with $100 billion in liabilities in the other case.

  30. C Scott Ananian

    I agree. The risk to the small DRM vendor is greater than that to the label. First4Internet are now relying solely on their other products to survive and SunnComm, with no other products to fall back on (and hot air doesn’t constitute products), is in serious trouble. They will have received a check for their December sales (sales ceased December 18th) and now have nothing coming in. The revenues they were receiving were already minuscule as Sony-BMG roll out was behind schedule (25M CDs at 1 cent per CD is just $250K and that was over the last 2 years).

  31. There’s another aspect of “enabling new business models” that you may want to call out explicitly: decreasing the utility of today’s media may be necessary to enable acceptance of tomorrow’s media.

    In the past, the labels have been successful at getting many people to purchase their entire libraries over again every decade or so, by creating new media formats that were compelling. These include the shifts from LPs to cassettes and from cassettes to CDs. While the industry points to sound quality as the driver behind these shifts, I believe it was really convenience. However, the next generation of media (SACD, Blu-ray, et al) will be less convenient than the current generation, albeit at higher quality. Therefore, the labels want to reduce the convenience of today’s media to be less than the convenience of tomorrow’s.

    (Yes, I’m aware that the inconvenience of the next generation of media is itself caused by DRM. But I suspect that that irony is lost on the entertainment executives.)

  32. Tim Howland

    “With regard to the idea of monetizing the platform, isn’t it also interesting that this is SONY-BMG; they manufacture a competing hardware platform to the Apple IPOD- a portion of their DRM strategy is probably related to ways that they can handicap a competitor by making their music incompatible and unavailable to that platform? In other words, DRM is used by mixed hardware and content companies to lock out competition and augment sales.”

    Both you and Ed have missed a very important point in the suggestion that CD-DRM is intended to make the CD incompatible with iPod. It is Apple that refuses to licence its DRM to the labels. The labels would like to be Apple compatible, but Apple won’t budge.

  33. You might be interested in a paper I published a few years ago in Telecommunications Policy on “Understanding the broadcast flag: a threat analysis model”. (Initially presented at the 2003 Telecom Policy Research Conference)

    The abstract and citation info are available here: http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VCC-4CXT8F4-3&_user=768479&_handle=V-WA-A-W-AA-MsSAYWA-UUW-U-AAVUZAYEDA-AABYAEEDDA-ZUZVVEYUZ-AA-U&_fmt=summary&_coverDate=09%2F30%2F2004&_rdoc=4&_orig=browse&_srch=%23toc%235951%232004%23999719992%23512094!&_cdi=5951&view=c&_acct=C000042510&_version=1&_urlVersion=0&_userid=768479&md5=a41301608b998ef273f765bf2ca244b1

    The full paper can be found on my website.

  34. Please address two scenarios:
    (1) The effect on users of installing, say, six different DRM systems on their computers. I doubt computers with so much DRM would be at all stable; certainly they could be extremely inconvenient.

    (2) The effect on media vendors of trying to live with Microsoft’s Vista solution inside the OS. Would inevitable security leaks make it difficult to keep, say, SONY music from being copied into iTunes? Would it really be economically feasible to lock the Mac and Unix and Linux out of the media market because they lacked Vista DRM?

  35. Yay! Nice to see others do get it!

    I’ve been trying to convince people that DRM isn’t about preventing piracy via P2P networks, even the RIAA and MPAA know it doesn’t work. It’s about controlling what users can do after the purchase.

    The example I always use is the disabling of the “Stop” button on my DVD player. There’s no anti-piracy argument I can think of for not allowing a user to stop the playing of a DVD at any time they want, whether it’s during a preview or even during the anti-piracy warnings. The only reason I get an “Operation Not Permitted” when pushing the stop button at times is because someone wants to control what they otherwise couldn’t - what I lawfully do in my own living room.

    Use that familiar, real-world example and even my parents suddenly understand why they don’t want things like the broadcast flag. DRM is not about preventing piracy, it’s about exerting control.

  36. I found the argument regarding the vendor’s larger tolerance for risk less than convincing. Certainly not as well-thought-out as the “Record Label Goals” and the “vendor can monetize the platform” discussions. Couldn’t you equally well say that the vendor is *more* risk-averse, *because* it is a small company? After all, if Sony has to refund $100 million, it continues to survive very well. If the small company’s technology gets a public black eye, the labels may shun it forcing the company to fold. Sony may stand to lose $100 million, but the vendor may lose *everything* (even though “everything” is valued at less than $100 million).

    A stronger argument may be via desperation and time pressure: the startup is in a much tighter place financially, and may not be able to afford the time and effort needed to properly secure their software. They are interested in cutting corners and leaving the customer vulnerable only because they “must” and/or their economic incentives do not make it profitable for them to spend more of their scarce resources on something which is not immediately visible to their clients, the record labels. How many labels are qualified to properly evaluate security claims?

    It’s a hard argument to make, because the disclosure of the MediaMax, etc. problems has in some ways already changed the landscape here. In the future, it’s hard to imagine security not entering explicitly into the negotiations between vendor and label, whereas before we imagine it may never have been addressed (and thus security decisions were not conscious ones).

    Finally (a minor point): “The record label would like to prevent music from the CD from becoming generally available on peer-to-peer file sharing networks, but this goal is clearly infeasible.” This paragraph strikes me as a little glib. Just because reason and “science” shows the goal to be infeasible doesn’t mean that the (irrational) goal processes of the label will class it as such. P2P networks aren’t perfect, copies placed on them eventually expire when sharers lose interest, and one may argue that latency is important (the more technical skill/obscure OS needed to rip the content, the longer the delay between the labels’ publication and availability on a P2P network of some title). If there’s a study showing these factors to be irrelevant, you should cite it. Otherwise, they merit consideration among the label’s goals. I’m sure an economist could put a hard monetary value on (say) delaying the introduction of a title onto P2P by one day.

  37. Attempting to enforce copyright law exactly as written is almost certainly not the record label’s profit-maximizing strategy.

    One might note that quite the reverse is true: that is, the recording industry wishes to make copyright law conform to their profit-maximizing strategy.

  38. Dear prof. Felten,

    I noticed a small typo: s/that we would needed/that we would need/ (or …/that would be needed/, of course).

    (I wouldn’t post this just to nitpick on your blog, but since you explicitly said your intention was to improve the paper…)



  39. With regard to the idea of monetizing the platform, isn’t it also interesting that this is SONY-BMG; they manufacture a competing hardware platform to the Apple IPOD- a portion of their DRM strategy is probably related to ways that they can handicap a competitor by making their music incompatible and unavailable to that platform? In other words, DRM is used by mixed hardware and content companies to lock out competition and augment sales.

  40. Thank you for the opportunity to critique sections of your proposed paper.

    Threat Models: The Internet has changed the landscape for how information is disseminated. We are in a transition stage from an “old” distribution system to a “new” distribution system. In cultural process terms, the “old” players (record labels) are failing to adapt and are using whatever draconian measures they can dream up to “freeze” the economic landscape to their benefit (self preservation). The “new” threat model, which you may want to include in your paper, is the ability of the content creators (authors, musicians, etc.) to reach the public directly. This ability is further enhanced by the ability of the content creators to easily buy technology that allows them to directly develop and market their content. The very relevance of the distribution companies (music labels) can now be questioned.

    Record Label Goals: I think the term “Monetizing the Platform” is terrific. It summarizes magnificently the trend. To bring in my points above, DRM can be used as a means of keeping the content creators “on the leash”. Since traditional business models take a while to fade into oblivion, I don’t know how long it would take for the content creators to realize that they have the capability to go independent. It’s always a helpful feeling to have an agent (“a large, established business with a valuable brand name”) promoting your cause.