Dennis D. McDonald ( consults from Alexandria Virginia. His services include writing & research, proposal development, and project management.

Halderman & Felten's "Sony CD DRM" Paper Published

By Dennis D. McDonald

J. Alex Halderman and Edward W. Felten have published their "Lessons from the Sony CD DRM Episode" after an open and collaborative publishing and review cycle on their Freedom to Tinker blog. The PDF version of this 27-page report can be downloaded by clicking here, which is the same link provided in their February 14 announcement of this paper.

This is the first paragraph from Halderman & Felten's Introduction:

This paper is a case study of the design, implementation, and deployment of anti-copying technologies. We present a detailed technical analysis of the security and privacy implications of two systems, XCP and MediaMax, which were developed by separate companies (First4Internet and SunnComm, respectively) and shipped on millions of music compact discs by Sony-BMG, the world’s second largest record company. We consider the design choices the companies faced, examine the choices they made, and weigh the consequences of those choices. The lessons that emerge are valuable not only for compact disc copy protection, but for copy protection systems in general.

I'm not going to attempt to summarize the report; it's too detailed and technical in spots to do that here. I would like to point out some high points:

  1. The authors state, "Using DRM to enforce copyright law exactly as written is almost certainly not the record label’s profit-maximizing strategy." This reinforces my concern that the actions of companies like Sony are antithetical to generating public support and respect for intellectual property protection. In other words, if someone uses copyright law to justify spyware and computer security risks, it is natural that such actions will give copyright a bad name. In the long run, I believe, that's not in the best interest of record labels or the artists whose work they promote -- we need more respect for intellectual property interests, not less.
  2. The authors state, "But if, as seems likely in practice, the label has imperfect knowledge of the technology, then the vendor will sometimes act against the label’s interests."  This statement follows from the authors' comparison of the goals of record labels and the goals of DRM vendors, including the higher tolerance for risk that the DRM vendors in the Sony case may have had. I say "may" since the arguments made by the authors comparing vendor and label financial and risk aversion behavior appear to be based more on inferences than on direct evidence. But these arguments ring true and a bottom line issue is that Sony got into trouble partly because it did not really understand the technology it was dealing with. (I've made this point elsewhere, as have others.)
  3. The authors state, "The complexity of today’s CD DRM software offers many avenues of attack. On the whole, today’s systems are no more resistant to attack than were simpler early CD DRM systems. When there are fundamental limits to security, extra complexity does not mean extra security." They then proceed to dismantle DRM schemes using what appear to me to be technical skills that are widely available among computer, software, and security professionals. (Be sure to read their "rosetta stone" discussion for their creative approach to analyzing "watermarking" techniques.)
  4. The authors state, "Though it is no surprise that spyware tactics would be attractive to DRM designers, it is a bit surprising that mass-market DRM vendors chose to use those tactics despite their impact on users. If only one vendor had chosen to use such tactics, we could write it off as an aberration. But two vendors made that choice, which is probably not a coincidence. We suspect that the vendors let the lure of platform building override the risk to users." This is the most disturbing aspect of this paper, since what is being discussed here is the ease with which unknown -- and potentially malicious -- applications can find their way onto individual personal computers.

While I try to be religious in my use of anti-virus and anti-spyware software on my own computer, I know that I lack the technical capabilities of the authors of this paper to decrypt what's "really going on under the hood."  And, I'm not too happy that it wasn't the companies that supply my antivirus and antispyware software that made me aware of Sony's rootkit, it was my own web based research into whether the audio CD's sold by online vendors (like Sony BMG!) would be playable on my machines that led me to the original articles on the rootkit.

My initial conclusion based on my reading this paper is that techniques that piggyback on existing distribution platforms are bound to fail. The authors have documented how it was to be expected that DRM vendors adopt spyware techniques given record label desires not so much to control copying but to establish a proprietary platform that could compete against another platform (i.e., iTunes) while at the same time controlling and monitoring use in ways not envisioned -- and probably not sanctioned -- under copyright law.


Learning to Use Google Analytics, Part 4

"Best Practices" and Reality