Freedom to Tinker

Alex Halderman has published an interesting technical report analyzing the newest CD “copy protection” technology. Alex, who is a graduate student here in Princeton’s computer science department, also wrote the definitive paper on the previous generation of CD copy protection.

Alex’s paper explains how the SunnComm technology works and why it won’t help the record labels fight copyright infringement. Despite the usual claims by the vendor (SunnComm) that the technology provides “an incredible level of security for the music”, Alex found that it is quite weak.

This technology is going to end up in the hall of fame beside the previous Sony technology that was famously defeated by drawing on the CD with a felt-tipped pen. This time, the technology can be defeated completely by holding down the computer’s Shift key while inserting the CD.

Is this the end of the road for CD copy protection? It ought to be. At the very least, I hope people in the industry will learn to ask for proof before they believe the next DRM vendor peddling “an incredible level of security”.

A debate has started over the suggestion by Harvard Law prof Charles Nesson that artists respond to file-sharing of their work with “hacktivism,” by launching targeted denial-of-service attacks on people who redistribute their work. The reaction in blogworld has been negative.

This is probably illegal, but Derek Slater writes that Prof. Nesson is looking for ways to “support its legality.” Perhaps he would resurrect the Berman-Coble bill, which died in Congress last year . That bill would have legalized such attacks, if carried out on behalf of copyright owners.

Discussion has focused on the short-term effects of allowing targeted DoS attacks, for example on the possibility of mistaken attacks on innocent people.

If we look instead at the long term, the picture becomes even clearer. I wrote about this in the written testimony I submitted last year to a House hearing on the Berman-Coble bill:

The designers of peer-to-peer software will not simply accept this situation, but will respond by modifying their software to thwart such targeted denial of service attacks. They might do this, for example, by eliminating the self-imposed limit on the number of connections the peer-to-peer program will accept. These countermeasures will start an “arms race” between copyright owners [or artists, in Nesson’s version] and peer-to-peer system designers, with copyright owners [or artists] devising new types of targeted denial of service attacks, and peer-to-peer designers revising their software to dodge these targeted attacks.

Computer security analysis can often predict the result of such technical arms races. For example, analysis of the arms race between virus writers and antivirus companies leads to the prediction that antivirus products will be able to cope almost perfectly with known virus strains but will be largely helpless against novel viruses. This is indeed what we observe.

A similar analysis can be applied to the arms race, under the Berman Bill’s rules [which presumably are similar to the rules Nesson would choose], between peer-to-peer authors and copyright owners. In my view, the peer-to-peer authors have a natural advantage in this arms race, and they will be able to stay a step ahead of the copyright owners. Copyright owners will be forced either to give up on the strategy of narrowly targeted denial of service attacks, or to escalate to a more severe form of denial of service, such as one that crashes the target computer or jams completely its Internet connection. I understand that these more severe attacks are currently illegal, and would not be legalized by the Berman Bill, so such an escalation would not be possible within the law even if the Berman Bill is enacted. I conclude that the Berman Bill as written is unlikely to do copyright holders much good in the end.

Derek Slater put it much more succinctly when he wrote that “A technological arms race can only have one result: going nuclear. “