FTC Town Hall to Address Digital Rights Management Technologies - Event Takes Place Wednesday, March 25, 2009, in Seattle
I think the FTC should leave DRM alone, except perhaps for pursuing fraud allegations against DRM providers that don't live up to the terms of their agreements.

DRM is a bug, not a feature. DRM provides no benefit whatsoever to the consumer of the DRM-encumbered device or data, but rather is a negative, reducing the value of the product to the customer. It is also relatively expensive to implement (and re-implement when it gets broken, which it always will - see below), so it has a negative effect on the producer as well. DRM's bug status explains why companies do not indicate the DRM restrictions on their products - they know that it would result in lower sales, because none of their customers want DRM.

DRM is already being dealt with by the market. With iTunes going DRM-free, all the major digital music providers provide DRM-free music, at market prices. Computer games are following suit, with heavily-encumbered games like Spore being dragged down in sales, while unencumbered games like Sins of a Solar Empire sell in large numbers. In this economy, there is simply no reason for the FTC to take action. Consumers have already realized that DRM is a bad deal, and are avoiding it in droves.

Companies hiding DRM in their products only results in further acrimony from consumers, since the DRM cannot be hidden - simply attempting to copy the target software or data and then use it will generally reveal whether or not it is present. Sometimes mild repetition is required, but that's trivial. Added to this is the fact that DRM control is an agreement that is voluntarily entered into by the customer - if they don't read the fine print, what FTC requirements could be established that would make them? Large stickers on computer game boxes? What about on digital files? It's not worth the effort.

Why DRM Can Never Work:

DRM is based on encryption. The target data or software is encrypted, and then a key is provided to "unlock" the software and allow it to be read and run.
Encryption is a specific defense against a specific attack: encryption protects the communications of two parties (let's say, Alice and Bob) against a third party (Carl). Encryption is highly effective in this regard, and good systems are very difficult for Carl to break - as long as he cannot gain access to either Alice's or Bob's unlock keys.

The fundamental problem with DRM is that there is no third party - there is no Carl. The attacker and the user are one and the same - Bob. In this situation, encryption can never work - Bob's unlock key will always be exposed at some point, because it has to be used to unlock Alice's encryption. DRM revolves around technology to obfuscate this key from Bob, while simultaneously allowing the encryption to work. This is fundamentally impossible, because Bob has complete control over the computer that the DRM is running on. There is no current DRM system on the market that has not been broken; in fact, there are clubs of people who break DRM for the intellectual challenge. In many cases, such as Spore, the DRM is broken even before the product goes to market.