FTC Town Hall to Address Digital Rights Management Technologies - Event Takes Place Wednesday, March 25, 2009, in Seattle
DRM infringes on the rights of individuals to install, uninstall, and make archival backup copies of lawfully purchased software. While DRM is not, of itself, inherently bad, the implementation by vendors or their designated agents is often bad, for a number of reasons. In a number of cases, DRM is tied to authentication systems controlled by the manufacturer (or a designated agent), which 1) requires a connection to the Internet for software activation/deactivation (if deactivation is supported) and 2) is completely controlled by the manufacturer/designated agent. In some cases, periodic mandatory reactivation is required. If a user loses access to the Internet, or the product reaches its end of life and the manufacturer/designated agent decides to discontinue activation support for the product, the user can suddenly be denied access to software he lawfully purchased, or be prevented from reinstalling and reusing the software when a replacement system is deployed, or from reselling the software to another user under the first sale doctrine. This has already happened in cases involving digital music download services utilizing DRM, where the vendor has discontinued the service (or threatened to do so), orphaning lawfully purchased products. While manufacturers have a right to develop mechanisms to protect their products from unlawful copying, this right should not come at the expense of a user's right to use (or reuse) a product as lawfully allowed under existing federal statutes and case law. The Sony copy protected CD debarkle serves as an excellent case study of how not to implement DRM. DRM has several additional pitfalls - it often installs additional programs without explict user consent or knowledge, such programs often communicate on the Internet without the user's explicit consent or knowledge, and such programs often open vulnerabilities in a system which antivirus or antispyware software may be unable to protect against. Any approved DRM system, then, must be: unintrusive, only installed with full user consent, disclose any communications with the Internet (and the nature of such communications), be secure, and the manufacturer/designated agent must design in advance a mechanism to deactivate the DRM at the product's end of life in such a way that users will continue to enjoy full use of the product as if it never had DRM. One other point I wish to emphasize - ANY DRM must be prominently disclosed on the packaging or advertising for the product that contains it. It is important to include this disclosure in advertising, because many people purchase products over the Internet, and never see the actual packaging until the product arrives at their homes. The FTC should enact a rule that allows a 30 day return period for any reason on products that implement DRM, since the implementation, even with packaging and advertising disclosure, may prove detrimental to a particular user's configuration in such a way that is impossible to determine prior to installation of the software. Typically, most vendors refuse to accept returns on software once the software package has been opened, but the user should not bear the risk of a shoddy DRM implementation damaging his system without at least a refund on the purchase price of the software itself.