November 21, 2024

Apple Offers to Sell DRM-Free Music

The Net is buzzing with talk about the open letter posted by Apple CEO Steve Jobs yesterday. In an apparent reversal, Jobs offers to sell MP3 files, free of anti-copying DRM technology, on the iTunes Music Store if the major record companies allow it.

Much as I would like to see Apple renounce DRM entirely, that’s not quite what Jobs is saying. The letter describes three possible futures for Apple’s music technology: (1) continue the current path with a closed Apple-only DRM system; (2) license Apple’s DRM technology to other companies to build compatible systems; and (3) sell DRM-free music.

Apple’s preferred outcome, Jobs says, is outcome (3), selling DRM-free music. This is notable, and somewhat surprising, as the consensus has been that Apple strategy has been to seek outcome (1), using its proprietary DRM to lock customers in to its iTunes-iPod world. If Apple really prefers to eliminate DRM, that is news.

But this part of the letter might just be cheap talk. As Jobs points out in the letter, Apple sells music at the pleasure of the record companies. And if the record companies announce tomorrow that they don’t want Apple to use DRM, then Apple will have little choice but to smile and go along.

So there is little downside to Apple saying that they they willing to get rid of DRM. In this respect, Apple is like the kid who says he is willing to go to the dentist, because he knows that no matter what he says he’s going to see the dentist whenever his parents want him to.

The least-discussed aspect of the letter is its praise for the status quo (outcome (1)). Jobs says that the current system is working well:

The first alternative is to continue on the current course, with each manufacturer competing freely with their own “top to bottom” proprietary systems for selling, playing and protecting music. It is a very competitive market, with major global companies making large investments to develop new music players and online music stores. Apple, Microsoft and Sony all compete with proprietary systems. Music purchased from Microsoft’s Zune store will only play on Zune players; music purchased from Sony’s Connect store will only play on Sony’s players; and music purchased from Apple’s iTunes store will only play on iPods. This is the current state of affairs in the industry, and customers are being well served with a continuing stream of innovative products and a wide variety of choices.

His real scorn is for outcome (2), where Apple licenses its DRM technology to other companies. It’s easy to see why this is the worst outcome for Apple – the company loses its ability to lock in customers, but everybody still has to put up with the cost and hassle of using DRM.

What the letter really does, in typical Jobsian fashion, is frame the debate. It does this in two respects. First, it sets up a choice between two alternatives: stay the course, or get rid of DRM entirely. Second, it points the finger at the major record companies as the ones making the choice.

This is both a clever PR move and a proactive defense against European antitrust scrutiny. Mandatory licensing is a typical antitrust remedy in situations like this, so Apple wants to take licensing off the table as an option. Most of all, Apple wants to deflect the blame for the current situation onto the record companies. Steve Jobs is a genius at this sort of thing, and it looks like he will succeed again.

Record Companies Boxed In By Their Own Rhetoric

Reports are popping up all over that the major record companies are cautiously gearing up to sell music in MP3 format, without any DRM (anti-copying) technology. This was the buzz at the recent Midem conference, according to a New York Times story.

The record industry has worked for years to frame the DRM issue, with considerable success. Mainstream thinking about DRM is now so mired in the industry’s framing that the industry itself will have a hard time explaining and justifying its new course.

The Times story is a perfect example. The headline is “Record Labels Contemplate Unrestricted Music”, and the article begins like this:

As even digital music revenue growth falters because of rampant file-sharing by consumers, the major record labels are moving closer to releasing music on the Internet with no copying restrictions — a step they once vowed never to take.

Executives of several technology companies meeting here at Midem, the annual global trade fair for the music industry, said over the weekend that at least one of the four major record companies could move toward the sale of unrestricted digital files in the MP3 format within months.

But of course the industry won’t sell music “with no copying restrictions” or “unrestricted”. The mother of all copying restrictions – copyright law – will still apply and will still restrict what people can do with the music files. I can understand leaving out a qualifier in the headline, where space is short. But in a 500-word article, surely a few words could have been spared for this basic point.

Why did the Times (and many commentators) mistake MP3 for “unrestricted”? Because the industry has created a conventional wisdom that (1) MP3 = lawless copying, (2) copyright is a dead letter unless backed by DRM, and (3) DRM successfully reduces copying. If you believe these things, then the fact that copyright still applies to MP3s is not even worth mentioning.

The industry will find these views particularly inconvenient when it is ready to sell MP3s. Having long argued that customers can’t be trusted with MP3s, the industry will have to ask the same customers to use MP3s responsibly. Having argued that DRM is necessary to its business – to the point of asking Congress for DRM mandates – it will now have to ask artists and investors to accept DRM-free sales.

All of this will make the industry’s wrong turn toward DRM look even worse than it already does. Had the industry embraced the Internet early and added MP3 sales to its already DRM-free CDA (Compact Disc Audio format) sales, they would not have reached this sad point. Now, they have to overcome history, their own pride, and years of their own rhetoric.

AACS: Modeling the Battle

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

By this point in our series on AACS (the encryption scheme used in HD-DVD and Blu-ray) it should be clear that AACS creates a nontrivial strategic game between the AACS central authority (representing the movie studios) and the attackers who want to defeat AACS. Today I want to sketch a model of this game and talk about who is likely to win.

First, let’s talk about what each party is trying to achieve. The central authority wants to maximize movie studio revenue. More precisely, they’re concerned with the portion of revenue that is due to AACS protection. We’ll call this the Marginal Value of Protection (MVP): the revenue they would get if AACS were impossible to defeat, minus the revenue they would get if AACS had no effect at all. The authority’s goal is to maximize the fraction of MVP that the studios can capture.

In practice, MVP might be negative. AACS makes a disc less useful to honest consumers, thereby reducing consumer demand for discs, which hurts studio revenue. (For example: Alex and I can’t play our own HD-DVD discs on our computers, because the AACS rules don’t like our computers’ video cards. The only way for us to watch these discs on our equipment would be to defeat AACS. (Being researchers, we want to analyze the discs rather than watch them, but normal people would insist on watching.)) If this revenue reduction outweighs any revenue increase due to frustrating infringement, MVP will be negative. But of course if MVP is negative then a rational studio will release its discs without AACS encryption; so we will assume for analytic purposes that MVP is positive.

We’ll assume there is a single attacker, or equivalently that multiple attackers coordinate their actions. The attacker’s motive is tricky to model but we’ll assume for now that the attacker is directly opposed to the authority, so the attacker wants to minimize the fraction of MVP that the studios can capture.

We’ll assume the studios release discs at a constant rate, and that the MVP from a disc is highest when the disc is first released and then declines exponentially, with time constant L. (That is, MVP for a disc is proportional to exp(-(t-t0)/L), where t0 is the disc’s release date.) Most of the MVP from a disc will be generated in the first L days after its release.

We’ll assume that the attacker can compromise a new player device every C days on average. We’ll model this as a Poisson process, so that the likelihood of compromising a new device is the same every day, or equivalently the time between compromises is exponentially distributed with mean C.

Whenever the attacker has a compromised device, he has the option of using that device to nullify the MVP from any set of existing discs. (He does this by ripping and redistributing the discs’ content or the keys needed to decrypt that content.) But once the attacker uses a compromised device this way, the authority gets the ability to blacklist that compromised device so that the attacker cannot use it to nullify MVP from any future discs.

Okay, we’ve written down the rules of the game. The next step – I’ll spare you the gory details – is to translate the rules into equations and solve the equations to find the optimal strategy for each side and the outcome of the game, that is, the fraction of MVP the studios will get, assuming both sides play optimally. The result will depend on two parameters: L, the commercial lifetime of a disc, and C, the time between player compromises.

It turns out that the attacker’s best strategy is to withhold any newly discovered compromise until a “release window” of size R has passed since the last time the authority blacklisted a player. (R depends in a complicated way on L and C.) Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes beyond the release window when the attacker gets unlucky and takes a long time to find another compromise.

The fraction of MVP collected by the studio turns out to be approximately C/(C+L). When C is much smaller than L, the studio loses most of the MVP, because the attacker compromises players frequently so the attacker will nullify a disc’s MVP early in the disc’s commercial lifetime. But when C is much bigger than L, a disc will be able to collect most of its MVP before the attacker can find a compromise.

To predict the game’s outcome, then, we need to know the ratio of C (the time needed to compromise a player) to L (the commercial lifetime of a disc). Unfortunately we don’t have good data to estimate C and L. My guess, though, is that C will be considerably less than L in the long run. I’d expect C to be measured in weeks and L in months. If that’s right, it’s bad news for AACS.

AACS: Sequence Keys and Tracing

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

This is the sixth post in our series on AACS, the encryption scheme used for HD-DVD and Blu-Ray discs.

It’s time to introduce another part of AACS: the Sequence Key mechanism. Throughout our AACS discussion, we have done our best to simplify things so readers could follow our logic without having to digest the entire technical specification. At this point, continuing the discussion requires some background about Sequence Keys.

We wrote previously about the AACS traitor tracing algorithm, which the AACS central authority can use (under some circumstances) to figure out which device keys have leaked. The Sequence Key mechanism gives the authority further help in figuring out which devices are compromised.

Sequence keys don’t seem to matter as of yet. Discs are not required to use sequence keys, and indeed we have yet to see a disc that uses them. We would be interested to hear of any current HD-DVD discs that use them. (Your disc uses sequence keys if it contains the file “AACS/SKB.AACS”.)

The sequence key mechanism uses two tricks. First, it assigns each player device a unique (or nearly unique) set of sequence keys. Discs that use the mechanism contain a special header that a player can decode, using the player’s sequence keys, to get a group of six decryption keys called the variant volume keys. Things are set up so that different players, presented with the same disc, will often end up with different variant volume keys.

The second trick is to take a few snippets of the movie, and put those snippets on the disc several times, encrypted under different variant keys. The movie publisher might create eight slightly different variants of the snippet, and encrypt each variant under a different key. Every player will know one of the eight variant keys, so it will be able to decrypt one of the variants – but different players will decrypt different variants.

The effect of this is that the movie will look slightly different, depending on which player was used to decrypt it. If a ripped copy of a movie is redistributed, the central authority can look at which variant of each snippet is in the rip, and can then identify which player device did the ripping. Each snippet lets it narrow down the number of suspected players by roughly a factor of eight (assuming roughly one-eighth of the players get each variant of that snippet). Given multiple snippets, they can divide by eight for each snippet, rapidly narrowing down the suspects to a few players, or even just one.

Having identified a specific player, the authority can then blacklist its keys, as we described in previous posts, so the player will be unable to decrypt or play any new discs. (It will still be able to access existing discs.)

The BackupHDDVD tool, as it is today, cannot cope with discs that use the Sequence Key mechanism – it uses only the per-disc volume keys and does not have or use any sequence keys. It wouldn’t be hard to modify BackupHDDVD so that it also downloaded and used the variant keys for a disc, allowing it to access discs that use the Sequence Key mechanism. This would require reverse engineers to extract and publish more keys (probably the so-called Volume Variant Unique Keys, along with the associated Variant Data) but that probably isn’t a fundamental impediment.

Doing this would allow the central authority to look at the newly added keys and figure out which player they were extracted from. (Actually things get interesting if the attackers get Variant Keys from many different players and then combine them cleverly to try to avoid being identified; there’s a whole theory considering how well such attacks will work.)

In the end, none of this affects our basic analysis much. Our modeling of the interaction between attackers and the central authority already assumes that the central authority will be able to identify a compromised player, whenever that player is used to capture a significant number of keys. Sequence keys make the mechanism more complicated but they don’t make AACS much more effective, if the attackers are smart.

AACS: Title Keys Start Leaking

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Last week we predicted that people would start extracting the title key (the cryptographic key needed to decrypt the contents of a particular next-gen DVD disc) from HD-DVD discs. Indeed, it turns out that WinDVD, a popular software player that runs on PCs, leaves the title key laying around in memory when it finishes playing a disc. This may seem like an elementary mistake, but it is more common and harder to avoid than you might think. Fairly easy methods for capturing these keys are already well known.

There are even websites, such as aacskeys.com and hdkeys.com, that claim to contain title keys for about fifty HD-DVD discs. (That’s about one-third of the discs available on Amazon.) At least some of these title keys are correct. Within days, expect to see a software program that downloads keys from such a site and uses the keys to play or copy discs.

So far the attackers have published most of what they know. We know which title keys they (claim to) have found, and we know they extracted those keys from WinDVD and possibly PowerDVD. As Alex explained on Thursday and Friday, a clever attacker will withhold some information strategically so as not to provoke a response from the AACS central authority.

The authority might respond by blacklisting the device keys assigned to WinDVD. To avoid angering honest WinDVD users, they might first push out a software update to WinDVD containing new keys along with new programming to better protect the keys.

But as Alex suggested last week the authority might not want to blacklist WinDVD, even if it can. As long as the attackers limit what they publish, the authority might be better off accepting the damage they see now rather than provoking more damage by cutting off the usefulness of WinDVD to the attackers. The result is a kind of uneasy equilibrium between the attackers and the central authority.

Even if the attackers want to cause maximum financial harm to Hollywood (which probably isn’t their goal), their most effective strategy is to limit how many title keys they publish. One way to do this is to give Hollywood a “release window” – a kind of grace period after each disc is released, in which the title key doesn’t get published. A site could let people upload the headers of a disc; the site would then wait N days before decrypting and releasing the title key.

Interestingly, this release window strategy resembles the studios’ current approach to extracting revenue from films, in which a film is available first in the highest-revenue format – in theaters – then later in a succession of lower-revenue formats – DVD and television. The idea is to extract more revenue from the most enthusiastic fans in early stages and pick up whatever revenue is available from everyone else later.

What’s the optimal length of the release window (for the attackers); and what is the financial effect on the studios? We can answer these questions with a simple economic model; but that’s a topic for another day.