April 24, 2014

avatar

DRM, and the First Rule of Security Analysis

When I teach Information Security, the first lecture is dedicated to the basics of security analysis. And the first rule of security analysis is this: understand your threat model. Experience teaches that if you don’t have a clear threat model – a clear idea of what you are trying to prevent and what technical capabilities your adversaries have – then you won’t be able to think analytically about how to proceed. The threat model is the starting point of any security analysis.

Advocates of DRM (technology that restricts copying and usage) often fail to get their threat model straight. And as Derek Slater observes, this leads to incoherent rhetoric, and incoherent action.

If you’re a copyright owner, you have two threat models to choose from. The first, which I’ll call the Napsterization model, assumes that there are many people, some of them technically skilled, who want to redistribute your work via peer-to-peer networks; and it assumes further that once your content appears on a p2p network, there is no stopping these people from infringing. The second threat model, which I’ll call the casual-copying model, assumes that you are worried about widespread, but small-scale and unorganized, copying among small groups of ordinary consumers.

If you choose the Napsterization threat model, then you fail if even one of your customers can defeat your DRM technology, because that one customer will inject your content into a p2p network and all will be lost. So if this is your model, your DRM technology must be strong enough to stymie even the most clever and determined adversary.

If you choose the casual-copying threat model, then it’s enough for your DRM technology to frustrate most would-be infringers, most of the time. If a few people can defeat your DRM, that’s not the end of the world, because you have chosen not to worry about widespread redistribution of any one infringing copy.

Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model – they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don’t solve the problem they complain about.

If you’re a DRM advocate, the first rule of security analysis says that you have to choose a threat model, and stick to it. Either you choose the Napsterization model, and accept that your technology must be utterly bulletproof; or you choose the casual-copying model, and accept that you will not prevent Napsterization. You can’t have it both ways.

Comments

  1. Juxtaposition says:

    DRM threat analysis shows futility in DRM mechanisms

    This analysis shows how DRM solutions are ineffective because they [attempt to] address the wrong threat model. “Many DRM advocates…

  2. Curiosity is bliss says:

    What is DRM trying to solve?

    Here is a quick but interesting analysis on DRM, by Edward Felten. What is the threat model that DRM is trying to mitigate? Is it casual-copying or massive napsterization? He rightly points out that although the media companies seem to…

  3. Curiosity is bliss says:

    What is DRM trying to solve?

    Here is a quick but interesting analysis on DRM, by Edward Felten. What is the threat model that DRM is trying to mitigate? Is it casual-copying or massive napsterization? He rightly points out that although the media companies seem to mostly complain …