The impossibility of DRM: Russell's Law

"I ca'n't believe that!" said Alice.

"Ca'n't you?" the Queen said in a pitying tone. "Try again: draw a long breath, and shut your eyes."

Alice laughed. "There's no use trying," she said "one ca'n't believe impossible things."

"I daresay you haven't had much practice," said the Queen. "When I was your age, I always did it for half-an-hour a day. Why, sometimes I've believed as many as six impossible things before breakfast."

Lewis Carroll, Through the Looking Glass

Back in the days of Bubble 1.0, I was a full-time cryptographic engineer. This meant that I had to know enough about cryptographic protocols to implement them in software without breaking them. This is not as easy as it sounds, which is why virtually all software packages have periodic security update patches. The companies I worked for at that time were typical Bubble 1.0 companies, which meant that they were trying to come up with the next "killer app", something that would cost us nothing to make and for which everyone would pay us gobs of money. So part of my job became explaining to various people why cryptographic protocols could not solve one problem or another. The most common recurring theme in these ideas for money-making crypto apps was copy protection -- preventing people from making digital copies of digital data.

I explained my reasons for thinking this to be an impossible task so many times that I had it boiled down to a single sentence: You cannot encrypt past the intended recipient. I even began to egotistically refer to it as Russell's Law. Originally, it referred to encrypted email, when someone suggested trying to enforce a "For Your Eyes Only" prohibition. This cannot be done with cryptography. If you can't trust the person who is supposed to be able to read your message, you're hosed. It seemed as obvious to me as the old saying: If an attacker has physical access to your computer, it's already compromised. (If anyone knows who first said this one, let me know.)

Fast forward to 2007, and the current debate about the merits of DRM (Digital Rights Management). (If you don't know what DRM is, you can read Wired's How to Explain DRM to Your Dad.) What's the point of DRM? It intends to prevent people from doing prohibited things with digital data after they have received it. It tries to do this via various cryptographic protocols. In other words, it's a violation of Russell's Law. It's trying to achieve the impossible.

Want proof? DVDs had an encryption method built into them, as an attempt to control in what part of the world each DVD could be viewed. That was defeated, by the intended recipients. The lesson learned from this by the Big Media Producers was that they needed bigger, better, stronger encryption for the next new standards, Blu-Ray and HD-DVD hi-resolution video discs. Guess what? Not long after release, those protocols were broken, too! Russell's Law is still just as valid as ever.

Much has been made of Steve Jobs' blogging where he makes a good case for abandonment of DRM, but it troubles me that he still talks as if DRM is something that can successfully be implemented. Much more interesting is the response from Macrovision, a DRM vendor. If you want to know why I quoted Lewis Carroll at the top, read this and imagine the Queen speaking to Alice. Better yet, read Daring Fireball's translation of Macrovision's response.

But the beat goes on -- Bill Gates probably understands the validity of Russell's Law, but Microsoft is still creating new DRM schemes. I'm sure this one, like all the others, will make money being sold to companies who believe six impossible things before breakfast. I'm also sure that it will be defeated, and quickly.

1 comment:

Steve R. said...

Great post.

On DRM, by the way of analogy; imagine that your content is a gallon of milk that costs $4. The gallon of milk of course is "made-up" of four pints that would be equivalent to fair-use, time shifting, transferring content to other media, compiling your own mix, etc. In short a bundle of rights.

The content industry likes to claim that DRM enhances the consumer experience through greater "flexibility" and "innovation". What they are actually doing, as we already know, is segmenting the bundle of rights so the consumer does not have freedom to select from from the bundle of rights.

Back to my analogy, instead of being able to buy a gallon of milk, we are forced to by the milk at a $1.50 a pint or $6.00 a gallon. I hardly find this to be a benefit for the consumer.