November 22, 2024

CBS Tries DRM to Block Criticism of Rathergate Report

Last week the panel investigating CBS’s botched reporting about President Bush’s military service released its report. The report was offered on the net in PDF format by CBS and its law firm. CBS was rightly commended for its openness in facing up to its past misbehavior and publicizing the report. Many bloggers, in commenting on the report and events that led to it, included quotes from the report.

Yesterday, Ernest Miller noticed that he could no longer copy and paste material from the report PDF into other documents. Seth Finkelstein confirmed that the version of the report on the CBS and law firm websites had been modified. The contents were the same but an Adobe DRM (Digital Restrictions Management) technology had been enabled, to prevent copying and pasting from the report. Apparently CBS (or its lawyers) wanted to make it harder for people to quote from the report.

This is yet another use of DRM that has nothing to do with copyright infringement. Nobody who wanted to copy the report as a whole would do so by copying and pasting – the report is enormous and the whole thing is available for free online anyway. The only plausible use of copy-and-paste is to quote from the report in order to comment, which is almost certainly fair use.

(CBS might reasonably have wanted to prevent modifications to the report file itself. They could have done this, within Adobe’s DRM system, without taking away the ability to copy-and-paste material from the file. But they chose instead to ban both modification and copy-and-paste.)
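The independence of those two settings can be seen in the permission flags themselves. The sketch below is an added example, not code from the original post or from Adobe; it assumes the report used the PDF standard security handler (what Acrobat labels "password security"), whose `/P` entry is a signed 32-bit bitfield with separate bits for modifying and for copying. The two encryption dictionaries are constructed samples, and the regex-based lookup is a simplification that only suits such fragments.

```python
import re

# Permission bits in the /P entry of the standard security handler.
# Positions are 1-based from the low-order bit, as the PDF specification numbers them.
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}

# Simplified match for an encryption dictionary using the standard handler.
# Assumption: no nested dictionaries or hex strings inside it (true for the samples).
ENCRYPT_DICT = re.compile(rb"<<[^<>]*/Filter\s*/Standard[^<>]*>>")

# Constructed samples: same document policy except for the copy bit.
MODIFY_LOCKED = b"<< /Filter /Standard /V 2 /R 3 /P -12 /O (constructed) /U (constructed) >>"
BOTH_LOCKED = b"<< /Filter /Standard /V 2 /R 3 /P -28 /O (constructed) /U (constructed) >>"


def declared_permissions(p_value):
    """Decode a signed /P integer into {permission: allowed?}."""
    bits = p_value & 0xFFFFFFFF  # view the two's-complement value as 32 unsigned bits
    return {name: bool(bits & (1 << (pos - 1))) for name, pos in PERMISSION_BITS.items()}


def audit(pdf_bytes):
    """Return the declared permissions, or None if no standard-handler dictionary is found."""
    enc = ENCRYPT_DICT.search(pdf_bytes)
    if enc is None:
        return None  # unencrypted fragment: nothing is declared as restricted
    p = re.search(rb"/P\s+(-?\d+)", enc.group(0))
    if p is None:
        raise ValueError("encryption dictionary has no /P entry")
    return declared_permissions(int(p.group(1)))


if __name__ == "__main__":
    for label, sample in (("modify locked", MODIFY_LOCKED), ("both locked", BOTH_LOCKED)):
        print(label, audit(sample))
```
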

This sort of thing should not be a public policy problem; but the DMCA makes it one. If the law were neutral about DRM, we could just let the technology take its course. Unfortunately, U.S. law favors the publishers of DRMed material over would-be users of that material. For example, circumventing the DRM on the CBS report, in order to engage in fair-use commentary, may well violate the DMCA. (The DMCA has no fair-use exception, and courts have ruled that a DMCA violation can occur even if there is no copyright infringement.)

Worse yet, the DMCA may ban the tools needed to defeat this DRM technology. Dmitry Sklyarov was famously jailed by the FBI for writing a software tool that defeated this very same DRM technology; and his employer, Elcomsoft, was tried on criminal charges for selling fewer than ten copies of that tool.

As it turns out, the DRM can apparently be defeated easily by using Adobe’s own products. A commenter on Seth’s site (David L.) notes that he was able to turn off the restrictions using Adobe Acrobat: “The properties showed it set to password security. I was goofin around and changed it to No Security and it turned off the security settings. I then saved the pdf and reopened it and the security was gone…. Apparently forging documents is not all that CBS sucks at.”

UPDATED (12:35 PM) to clarify: changed “cut-and-paste” to “copy-and-paste”, and added the parenthesized paragraph.

Recording Industry Publishing Infected P2P Files?

The recording industry may be publishing spyware-infested copies of their songs on P2P networks, according to a PC World story by Andrew Brandt and Eric Dahl.

The files are encoded in a Microsoft file format. When the user plays such a file, the user’s browser is forced to visit a URL contained in the file. For the files at issue here, the page at that URL uses various spyware-insertion tricks to try to infect the user’s machine with standard spyware programs. Ben Edelman reports that when he clicked on one such page, “My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs…” Ed Bott notes that fully patched systems won’t catch spyware from this file unless the user foolishly accepts downloads; but Ben Edelman argues that the files try to mislead the user into accepting the downloads, and in any case we know that users often are fooled by such tricks.

Even more interesting, PC World reports that, for at least one such file, the spyware-distribution page is hosted by Overpeer, a company that does lots of business with the recording industry. (It’s not clear whether the particular file Ben Edelman studied had any relation to Overpeer.) Overpeer, for example, is paid by the recording industry to spread spoofed files on P2P networks, in the hope that P2P users will download the fake files rather than real (infringing) ones.

The really interesting angle here, to me at least, is who approved the release of these spyware-bearing audio files onto P2P nets. It sure looks like Overpeer created the files. Did Overpeer release them? That would seem likely.

If Overpeer did release these copyrighted songs onto P2P nets, did they have the permission of the record companies that own the copyrights on the songs? If not, then Overpeer is a P2P infringer. It seems unlikely that Overpeer would take this risk, especially since the files contain a URL that points right back to Overpeer.

So it seems more likely that the record companies gave permission. If so, is it fair to say that these particular files, which contain copyrighted music, are circulating on P2P nets with the copyright owners’ permission? And what does this say about the record industry’s incessant argument that P2P nets distribute spyware?

All of this is speculation, of course. We don’t know for sure who did or didn’t participate in the files’ release. But it’s hard to see a scenario that makes both Overpeer and the record industry look good. There’s a nice investigative reporting opportunity here.

[Updated at 1:40 PM to clarify that the file tested by Ben Edelman might not be one of the files related to Overpeer. Thanks to Ben for his comment pointing this out.]

[Read the comments on this post – they’re particularly good.]

Should the U.S. Allow Region Coding?

On Friday I wrote about DVD region coding, which allows the manufacture of DVDs that (in theory) can only be played in certain regions of the world. U.S. public policy, in the form of the Digital Millennium Copyright Act (DMCA), plays an important role in shoring up the region coding mechanism. Is this good public policy? Should the U.S. want DVDs to be region coded?

Let’s look at the economic effects of region coding. These days, the main effect is to allow the studios to price discriminate by selling the same DVD at a different price in the U.S. than overseas. Generally, we can expect the U.S. price to be higher – let’s assume the price is Pu in the U.S. and Po overseas. If it weren’t for region coding, this differential pricing would be hard to sustain, because people could buy DVDs cheaply overseas and resell them in the U.S. Region coding prevents this kind of reimportation.

(Similar issues arise in the debate over drug reimportation, where we also see U.S. producers wanting to price discriminate, and reimportation posing a threat to that price discrimination strategy. The drug reimportation issue is more difficult – there, policy decisions take on a moral dimension, because drug pricing is literally a life and death issue for some patients.)

If region coding were abolished, then the U.S. price and the overseas price for a DVD would equalize, at a level below the current U.S. price and above the current overseas price. The studios could no longer price discriminate, and so would be worse off. U.S. consumers would be better off – they would spend fewer total dollars on DVDs, and would get more DVDs for those dollars. Overseas customers would see a price increase, and so would be worse off. Total welfare would decline, with the gains of U.S. consumers outweighed by the losses of U.S. studios and overseas consumers.

But we shouldn’t expect U.S. policy to care much about the welfare of overseas consumers. And if we focus only on the impact on U.S. people and companies, then region coding doesn’t look nearly as good – it looks like a deliberate policy of boosting DVD prices in the U.S. Indeed, region coding acts just like a tariff of Pu-Po dollars on each reimported DVD. If we didn’t have region coding, would Congress enact such a tariff? I doubt it.

(Note: My analysis above assumes that all movie studios are located in the U.S., so that the U.S. economy captures all of the producer-side benefits of price discrimination. If overseas studios use region coding to boost their prices in the U.S., this hurts U.S. consumers while providing no countervailing U.S. benefit, so region coding looks even worse.)

(Another note: Some readers may object that the U.S. shouldn’t be so selfish as to ignore the welfare of people outside its borders. Point taken. But surely you would agree that, whatever level of U.S. aid to the world community is appropriate, that aid should be used to attack a problem more pressing than the high price of DVDs.)

Inside the DVD Procedural Specifications

As I noted yesterday, part of the license that DVD makers have to sign is available on the DVD Copy Control Association (DVD-CCA) website. It’s 48 pages of dense technolegalese, consisting mostly of a list of things that DVD players aren’t allowed to do. On reading it, three things jumped out at me.

First, DVD region coding, the mechanism designed to stop DVDs bought in one part of the world from being played in another part, is the subject of much more regulatory effort than I expected. For example, there are special robustness requirements for region coding. (In the weird Orwellian language of DRM vendors, “robustness” is a code word denoting the use of deliberately complex, nonmodular designs so as to resist diagnosis, analysis, and repair.)

Second, it seems to be impossible to build a software DVD player that complies with the requirements. According to section 6.2.4.2 (page A-20),

Specifically, [software] implementations shall include all of the [required anti-reverse-engineering characteristics] which shall be implemented in a way that it is reasonably certain they: cannot be defeated or circumvented using widely accessible tools such as but not limited to debuggers, decompilers, and similar Software development products; and can only with difficulty be defeated or circumvented using professional computer engineering equipment such as … logic analyzers …

To comply with this, one would somehow have to write a piece of software whose data and algorithms absolutely cannot be determined by a person using a debugger or decompiler. We can be “reasonably certain” that any program written today can be understood using these tools. (It seems reasonable to read “cannot” as requiring absolute impenetrability, given that the next clause says “only with difficulty”.)

Third, the document bans DVD players from taking a movie that is encoded on a DVD at one level of resolution and outputting that movie on an analog output at a higher level of resolution. (Section 6.2.1.1 (2), page A-11) This ban holds even if the DVD publisher wants to allow a higher-resolution output. I couldn’t figure out what the purpose of this restriction might be. Maybe the document’s authors just got carried away after writing pages and pages of text limiting the functionality of DVD players.

DVD Replacement Still Insecure

There’s a budding format war in the movie industry, over which video medium will replace the DVD. The candidates are called HD-DVD and Blu-Ray. For some reason, HD-DVD advocates are claiming that their format can better resist unauthorized copying.

As far as I can tell, there is essentially zero evidence to support this claim. In fact, as James Grimmelmann neatly argues, there is really no reason to think that either of these technologies will be effective at stopping peer-to-peer sharing. Here’s James:

Already I’m confused. What will changing the physical format of non-interactive discs do to “stem rampant piracy?” The new format will have to be readable by some class of devices. It will have to be writable by some other class of devices. The level of “rampant piracy” of DVDs has never been a function of the weakness of CSS; the level of rampant piracy of HD-DVDs won’t be a function of the weakness or strength of the encryption algorithm.

Making HD-DVDs harder to copy than DVDs would take one of three things:

  • It’s not practical to get at the bits except to throw them immediately up on the screen. But this would mean no HD-DVD readers or writers for computers – and the equipment vendors have been saying that HD-DVD drives for computers are one of their major markets.
  • The discs (or disc substitutes) are in some way “smart” and do a two-way handshake with the computer so that you can’t, as with CSS, extract a key once and use it forever. But that would raise the manufacturing costs immensely, which defeats one of the major design goals.
  • The discs are individuated and the readers have to check in with home base to be authorized to read a particular disc and get its particular key. But this would require every HD-DVD device to have an Internet connection.

Actually, they would probably have to do all three of these things, and more, to make any dent in P2P copying. The system will be attacked at its weakest point. If they fix only one or two of their many problems, the remaining one(s) will still be fatal.

Reporters and industry analysts are still surprisingly gullible about DRM vendors’ claims. What we have here is essentially a replay of the early security claims about DVDs, which turned out to be spectacularly wrong.

Perhaps people are drawing the wrong lesson from the failure of DVDs to prevent copying. It’s true that the CSS encryption system used on DVDs turned out to be laughably weak. But, as James notes, that wasn’t even the biggest problem in the DVD anti-copying strategy. Indeed, if you replaced CSS with an utterly unbreakable encryption system, DVDs would still have been easy to copy, by capturing the data after it was decrypted, or by reverse-engineering a player to learn the secret decryption key.

Here’s a good rule of thumb for reporters and analysts: If somebody claims to have solved a security problem that nobody has ever solved in practice before, don’t believe them unless they present independently verified evidence to support their claim.