EME, CDM, AES, CENC, and Keys – Building Blocks of DRM (ottverse.com)
92 points by jayjohn436 on Nov 3, 2020 | hide | past | favorite | 48 comments



So, the only thing stopping a user from obtaining a clean copy of the content is the fact that the CDM is closed source?

What if a CDM vendor leaked the source code? I guess the DRM server would block them after a while, but before they notice, the user would have free access to the content, right?


The primary purpose of content encryption tools is to trigger DMCA 1201 anti-circumvention provisions to prohibit people from writing decryption tools. Nothing more and nothing less. All DRM schemes are a form of obfuscation; some particularly secure ones use hardware decoding enclaves not present on desktops that are harder to crack, but that's about it. The only practically useful DRM schemes are ones where any tool that could circumvent them would be so special-purpose as to be illegal.

Here's how that works legally. DMCA 1201 actually comes in two parts: the first prohibits you from circumventing ANY technological measure (yes, even something as simple as a right-click blocker, domain lock, Youtube's rolling URL cipher, or what have you) and then lays out exceptions shaped similarly enough to fair use that the first part really doesn't alter the law beyond adding another tort to the pile. What's already infringement becomes infringement with a circumvention tort; and what's already fair use stays fair use.

However, the second part is rather broad. It prohibits the marketing of any sort of tool whose sole purpose is circumvention, lacks non-circumvention uses, or is marketed for circumvention. In practice, this means that there's a dividing line between DRM that can be circumvented with standard tools and those that require domain specialists to write you a tool. You can circumvent YouTube's "rolling cipher" by just launching OBS. You can't circumvent DVD CSS with anything but a specialized tool that falls under the second part of DMCA 1201 and is thus illegal to provide - even for otherwise legal circumvention.

(Yes, I know DVD CSS is laughably bad encryption; but the law doesn't care. You still have to write some code to brute force the laughably short ITAR-compliant key lengths.)

If the CDM vendor themselves released their source code, I doubt that would be considered a circumvention tool per se. If they had also started telling people to pirate movies while they still can, then they are violating the law. However, the CDM vendor likely promises to their customers not to do so, possibly in contracts and definitely implied in their marketing material. Releasing source moves the DRM scheme from the "domain specialists only" side to the "10 minutes with developer tools" side.


Does the term marketing encompass open source software? Microsoft thinks so, but is that legally confirmed?

It could be argued that DRM is an inconvenience or does the manufacturer determine that?


It's relative to the behavior of whoever is providing the software. So, if I make a page with an OBS download on it entitled "DOWNLOAD ALL MUSIC OFF YOUTUBE FOR FREE", then I'm violating DMCA 1201. But OBS itself isn't illegal - just my particular actions.


> The primary purpose of content encryption tools is to trigger DMCA 1201 anti-circumvention provisions to prohibit people from writing decryption tools.

What if those tools are hosted outside of the US where the DMCA has no force?

Certainly the US is a larger centre of gravity when it comes to tech, but it's not the only place.


DMCA 1201 is not an American law, it's just the American implementation of the anti-circumvention provisions of the WIPO Copyright Treaty. It exists in the EU (ISD Article 6), at the least. Given that the underlying treaty has 95 parties to it you're probably going to have to go deep into the third world to find a hospitable jurisdiction willing to host circumvention tools.


> the first prohibits you from circumventing ANY technological measure (yes, even something as simple as a right-click blocker, domain lock, Youtube's rolling URL cipher, or what have you)

The law does say it has to be "effective".


The law provides a definition of "effective" which has nothing to do with actual effectiveness in practice. To be effective protection under the DMCA, all that needs to happen is that it provides some restriction of access "in the normal course of its operation". Getting around these access restrictions may well be trivial -- but it's also a felony under federal law punishable by up to five years in prison!


"effective" means "having the effect of", not "is capable of doing".


So all this will become a pile of wasted effort once DMCA 1201 is repealed.


DMCA 1201 is a treaty implementation and thus cannot be repealed without significant international backlash.


Treaties can't force unconstitutional garbage, especially when passed in a corrupt undemocratic fashion: https://www.eff.org/deeplinks/2013/03/ustr-secret-copyright-...

DMCA 1201 should be repealed hard and never allowed back.

Other countries will only thank US for being the first to dump it, even if it will anger DRM proponents who like to write such corrupt laws.


There is a pending legal challenge to parts of DMCA 1201 being spearheaded by the EFF (Green v. DOJ) but I have no idea if it'll actually pass. I hope it does, as there is a legitimate conflict in law between free speech rights and DMCA 1201's restriction on circumvention tools. However, that doesn't mean they're automatically unconstitutional. It just means that strict scrutiny applies. That means it's constitutional if-and-only-if:

1. The restriction is necessary to a "compelling state interest"; 2. The restriction is "narrowly tailored" to achieving this compelling purpose; and 3. The restriction uses the "least restrictive means" to achieve the purpose.

So, I can give you some spoilers: copyright is explicitly mentioned and authorized by the US Constitution, it even gets its own separate clause. That means copyright is automatically a compelling state interest, and it follows that if we have code that enforces the law, we also have a compelling state interest in protecting that code, too. The EFF's case (and, more generally, any constitutional challenge to DMCA 1201) is going to hinge on the 2nd and 3rd questions of the strict scrutiny test - could they reach the same goal of automated copyright enforcement with a narrower, less restrictive law?

Regarding your particular objections to treaty negotiation, the WIPO Copyright Treaty's undemocratic negotiation process is immaterial to constitutional questions. This is because the US Constitution is explicitly opposed to that. It says the President negotiates treaties and the Senate consents to them. It provides no provision for further democratic control in international relations. In other words, international law is inherently and constitutionally undemocratic. Think about what it means for that to NOT be the case: we'd need every treaty to have a corresponding election in which the citizens of both countries have an up-or-down vote. Very few treaties work this way; the EU sits comfortably at top-of-mind but that's about it.


Problem with DMCA 1201 is that it's not even about copyright. It's about forbidding breaking DRM, which can have cases that have nothing to do with copyright (i.e nothing is infringed by breaking it).

So whatever was authorized for copyright, can't just automatically legitimize DMCA 1201 which is an overreaching prohibition (which is ironic, since what makes DRM itself unethical is that it's an overreaching preemptive policing).

If DMCA 1201 just forbade breaking DRM for copyright infringement, then it could be different. But it's not doing that, so it has to be repealed.

> the WIPO Copyright Treaty's undemocratic negotiation process is immaterial to constitutional questions.

This is important for showing the corrupt nature of both DRM proponents and policy around DRM. It is undemocratic to use treaties as a backdoor to control the legislative process. It's simply corruption. And if it's the nature of treaties to be undemocratic, then there should be an even stronger push against using them to subvert legislation.


What you're describing is the actual state of the law regarding DMCA 1201. DRM only gets legal force when it has the effect of controlling access to a copyrighted work. This has been court-tested: Lexmark v. Static Control Components proves that you cannot legally enforce DRM that does not control access to copyrighted works. You can't copyright ink, ergo you can't argue that ink DRM is protected by DMCA 1201.

That's probably the only reason why DMCA 1201 would pass a strict scrutiny test at all - it's evidence of narrow tailoring.

BTW, what you're describing with treaties has a name: it's called policy laundering.


> DRM only gets legal force when it has the effect of controlling access to a copyrighted work.

But that's not what DMCA 1201 is about though, it's just a trick it's using. It's about forbidding DRM breaking [on a copyrighted work]. What if breaking DRM has no bearing on the copyright itself? I.e. it doesn't affect it because nothing is infringed. DMCA 1201 still forbids it. So it's clear that it's wider than simply being about copyright and that's exactly the problem with it - being overreaching and forbidding perfectly legal things that copyright should have no business touching.

DRM proponents realize it very well, and they abuse DMCA 1201 to extend copyright law into any area they want, as long as they can slap any kind of copyright + DRM on it. It basically gives them a rogue lawmaking tool that doesn't need to involve actual legislators.

Like for example forbidding one to switch mobile carriers because it involves breaking DRM. Nothing really to do with copyright - it's about controlling the market. But they use DMCA 1201 for it.

So DMCA 1201 is utter garbage and it's not only corrupt, it's clearly easily abused.

> BTW, what you're describing with treaties has a name: it's called policy laundering.

Yep, that's exactly the origins of DMCA 1201, so I'm always surprised when anyone tries to defend such clearly corrupt law. That's basically being proponents of corruption.


Super answer!


It's security through obscurity. For pure software stuff, like Widevine L3, you can just patch the browser or insert a shim to spit out the decrypted video somewhere.

https://github.com/artemist/widevineproxy


Is that the decrypted and decompressed video, or decrypted and still compressed? If the former, that's going to be a gigantic file, and you're going to lose quality when recompressing (although if you were planning to recompress anyway the quality loss is no worse).


Illegal to distribute under the DMCA.


Exactly - which is why the CDM is a contentious topic because you have no way to see what's inside it. Also, technologies such as HDCP, Trusted Execution Environment prevent the decrypted and decoded frames from being leaked. At least, that's the intention.

And the CDM vendors are Google, MSFT, and Apple. There's no way they are going to leak their code :)

What's really strong is the rotation of decryption keys. Content providers rotate the keys often (at times, in the middle of a movie, and very often during a live stream) to deter people from cracking the key.

Cracking DRM can be done and the goal from the other side is to make it hard and expensive. Nothing is impossible :)
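A worked model of the key-rotation point above, added here as an example and not code from the article or from any CDM vendor. It uses the page's own building blocks (AES content keys identified by a KID, CENC-style AES-128-CTR segment encryption, a license that hands keys to the player) and shows why rotation limits the damage of a single recovered key: a player that only holds the key for one period fails on the first segment of the next period and must go back to the license server, which is where a provider can decline to renew. Simplifications and assumptions: CENC's 'cenc' scheme is AES-128-CTR, but real packagers encrypt subsamples rather than whole segments and may use 8-byte IVs; here a full 16-byte IV and whole-segment encryption are used, and the type and function names (Segment, KeyRing, PackageSegments, DecryptSegment) are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Segment is one encrypted media chunk: the KID naming the content key, a
// per-segment IV, and the body under AES-128-CTR (CENC 'cenc', simplified to a
// 16-byte IV and whole-segment encryption; hypothetical type, not a CDM API).
type Segment struct {
	KID        [16]byte
	IV         [16]byte
	Ciphertext []byte
}

// ContentKey is what a license response delivers: a key ID and the AES-128 key.
type ContentKey struct {
	KID, Key [16]byte
}

// KeyRing models the keys a player's CDM currently holds, indexed by KID.
type KeyRing map[[16]byte][16]byte

// Add installs a key obtained from a license response.
func (r KeyRing) Add(ck ContentKey) { r[ck.KID] = ck.Key }

// ErrNoKey: the segment references a KID the player has not been licensed for.
var ErrNoKey = errors.New("no content key for KID; license renewal required")

// ctrXOR runs AES-128-CTR; CTR is symmetric, so it both encrypts and decrypts.
func ctrXOR(key, iv [16]byte, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, in)
	return out, nil
}

// PackageSegments is the packager/key-server side: every `period` segments a
// fresh random key (and KID) is minted, so a later segment cannot be decrypted
// with an earlier key. It returns the segments and the keys used, in order.
func PackageSegments(plain [][]byte, period int) ([]Segment, []ContentKey, error) {
	if period <= 0 {
		return nil, nil, errors.New("period must be positive")
	}
	var segs []Segment
	var keys []ContentKey
	for i, p := range plain {
		if i%period == 0 { // rotation point: generate a new content key
			var ck ContentKey
			if _, err := rand.Read(ck.KID[:]); err != nil {
				return nil, nil, err
			}
			if _, err := rand.Read(ck.Key[:]); err != nil {
				return nil, nil, err
			}
			keys = append(keys, ck)
		}
		ck := keys[len(keys)-1]
		seg := Segment{KID: ck.KID}
		if _, err := rand.Read(seg.IV[:]); err != nil { // never reuse an IV under one key
			return nil, nil, err
		}
		ct, err := ctrXOR(ck.Key, seg.IV, p)
		if err != nil {
			return nil, nil, err
		}
		seg.Ciphertext = ct
		segs = append(segs, seg)
	}
	return segs, keys, nil
}

// DecryptSegment is the player side: resolve the KID in the ring and decrypt,
// or report that a new license is needed.
func DecryptSegment(seg Segment, ring KeyRing) ([]byte, error) {
	key, ok := ring[seg.KID]
	if !ok {
		return nil, fmt.Errorf("%w: kid=%s", ErrNoKey, hex.EncodeToString(seg.KID[:]))
	}
	return ctrXOR(key, seg.IV, seg.Ciphertext)
}

func main() {
	// Constructed stand-in for a four-segment stream, key rotated every 2 segments.
	plain := [][]byte{[]byte("seg0"), []byte("seg1"), []byte("seg2"), []byte("seg3")}
	segs, keys, err := PackageSegments(plain, 2)
	if err != nil {
		panic(err)
	}
	ring := KeyRing{}
	ring.Add(keys[0]) // initial license covers only the first key period
	for i, s := range segs {
		pt, err := DecryptSegment(s, ring)
		if errors.Is(err, ErrNoKey) { // rotation hit: renew the license and retry
			fmt.Printf("segment %d: %v\n", i, err)
			ring.Add(keys[1])
			pt, err = DecryptSegment(s, ring)
		}
		if err != nil {
			panic(err)
		}
		fmt.Printf("segment %d -> %q\n", i, pt)
	}
}
```

The thing to notice is the failure path: the player does not "crack" anything at the rotation boundary, it simply lacks the new KID's key and has to present itself to the license server again. Whether that renewal is granted is a policy decision on the server, which is what makes rotation useful alongside revocation. In a real deployment the key and KID would come from a key server over a license protocol, never be generated by the packager in-process as here.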


IMO it isn't that hard to crack a DRM system. My understanding is that most of the protections are legal, not technical, as in, if you do it, they'll sue the hell out of you and win.


Yeah, there are many trivial systems out there that mostly provide legal protection. But there are also some pretty sophisticated DRM systems that are technologically quite well implemented and take a large effort to break. BD+ is one of these for example.

And maybe going to platforms where the whole hardware is specialized is not what most people have in mind when they think DRM but the basic building blocks are similar. Microsoft's "Guarding Against Physical Attacks: The Xbox One Story" talk is also one of the few examples I know of where a manufacturer explains how they implemented such a system. [1]

[1] https://www.platformsecuritysummit.com/2019/speaker/chen/


Thanks for linking this talk, it was indeed interesting. Especially the part where he said that "if the hack costs more than 10 games, we're fine". Indeed, you probably aren't breaking this thing unless you have millions of dollars worth of equipment and the expertise to use it.

But then video game consoles are special. They were always these closed, tightly-controlled ecosystems. General-purpose devices, like phones and computers, typically lack this kind of integration between their components. Yes, there's ARM TrustZone, and that's about it. Thankfully. And I'm not aware of anything similar on x86 PCs (besides the Apple T2, which was recently compromised).


Most GPUs now have hardware backed support for DRM. That's why those GPUs get 4K Netflix.

The compromise of Apple's T2 chip was significantly overstated.


Intel SGX?


I've seen this name but still don't understand where's its root of trust. In other words:

- How does the program making use of it make sure it's not been patched so the code that's supposed to run in the enclave runs without one?

- How does it know it's not being run on an emulated CPU or in a VM? And that those checks haven't been patched out, too?

- How does it make sure the OS is cooperating? I assume there is some cooperation required from the kernel at least.


"Eventually, all DRM will be cracked" LOL. Gerhard Lengeling would like a word. He spent as much time implementing the copy protection for Notator as he did writing the program itself, which copy protection involved a dongle in the Atari ST's cartridge port. And despite crackers' best efforts, it remained uncracked for at least two decades.


Also how long did it take to crack the NES CIC chip? But they did crack it in the end.


> the CDM vendors are Google, MSFT, and Apple

Also Adobe, although I'm not sure if their CDM (Adobe Primetime) is still relevant.

> which is why the CDM is a contentious topic because you have no way to see what's inside it

Related to this: Firefox takes steps to try to contain the CDM blob within a sandbox. [0] See also this old blog post from before Firefox switched from Adobe's CDM to Google's WideVine CDM. [1]

[0] https://wiki.mozilla.org/Security/Sandbox/Architecture#GMP_p...

[1] https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...


You're completely right but the source code doesn't even need to be leaked. Just reverse engineered. How else would we pirate movies from Netflix/Amazon/etc :)


DRM is the epitome of security through obscurity.


For HD, you'd also need a valid vendor-signed key to do the key exchange (which would get swiftly revoked once public), and/or to crack the trusted execution environment.


> which would get swiftly revoked once public

And then what happens to all those devices people bought and expect to be able to watch Netflix on?


They get downgraded to SD.


And then they keep wondering why people pirate...


This isn't true. Multiple Google devices have had their Widevine keys leaked/recovered and Google has waited around before revoking them since it would break hardware playback on the device or cause other issues. The Nexus 6, for one, has been downgraded from Widevine L1 to L3 as a result.


I guess I'm sort of surprised that a unique key per device isn't common yet...


Very informative article. Never knew the different aspects of DRM. However I chuckled when I saw the names Ram, Shyam and Hari. Not too often do you see any names besides Alice and Bob.


That's a good breakdown of how much effort is spent on unethical application of technology.

But advertising DRM on the site: "buy DRM"? That's already disgusting.


The post was apparently sponsored by them. I've got to at least applaud them for bringing a lot of this info out into the open.


True that.


If you know anyone involved in creative work, you would bite your tongue before saying DRM is unethical.

Such people universally, to a man (or woman) believe that unauthorized distribution of their output is unethical because it makes them unable to make money for all their hard work. Inasmuch as DRM prevents this, it is a boon to these people.

DRM is a part of life now. Without it, you would not be able to enjoy the rich variety of content available on today's internet.


And if you know anyone who has paid for content that suddenly they had lost access to because of shut down DRM servers or intermittent internet connectivity, then you might be inclined to think a bit differently.

Ultimately I think there needs to be a balance here, and most importantly users ought to be made more aware of what they're usually getting when purchasing DRM-protected content: a limited license to consume their paid-for content for a (possibly unspecified) period of time on a specific set of devices under certain circumstances that often lie well beyond their control.

I'd like to think that some kind of free market-based approach of consumers choosing to support the content creators who take a more balanced approach to DRM (or just avoid it entirely) would "solve" these problems, but I'm not too hopeful of this ever working out given the enormous knowledge asymmetry between content creators/distributors and consumers about how stuff like this works.


Some people in the creative field have sense and don't respect DRM. Check Lexy Alexander's posts on this topic. Check also releases by CD Projekt Red and their DRM-free games store GOG.

We need something like this to eventually succeed and disrupt current messed up DRM situation in video too:

https://www.gog.com/forum/general/introducing_gogcom_drmfree...

DRM is and will remain unethical, no matter how much its proponents will try to whitewash it with demagoguery, claiming it's "part of life now".

And for the reference, DRM doesn't do anything good for creators. It's always a crooked tool, especially when combined with policy laundering that produces stuff like DMCA 1201.


> DRM is a part of life now.

So is piracy^Wcopyright infringement.

> Without it, you would not be able to enjoy the rich variety of content available on today's internet.

Why not?


I've been trying to understand this DRM for some uses for the past 6 months. I got a few bits and pieces, but this article really put them together in a marvelous fashion. kudos


Not sure if the author is here, but the table-of-contents links at the top are broken (all go to the first page)



