Laser & DRM [LWN.net]

Liability & Reputation

Posted Oct 6, 2006 18:55 UTC (Fri) by sepreece (subscriber, #19270) [Link]

I didn't actually claim that DRM made the products safer [and, of course, I was talking about Trusted Computer, rather than DRM]. It makes the manufacturer safer by reducing potential liability. In the particular example that started this subthread (modifying the software controlling a laser to increase its output) it presumably would also make the product safer, but that's not really what we were talking about.

You actually asked why software should be different than hardware. I wasn't really arguing that it should. The same kinds of liability and PR issues attach to hardware as well, and manufacturers typically do what they can to avoid user modification of dangerous or regulated hardware, including things like sealing cases, drilling out screw heads, and using sealed modules.

You ask now if there is a public benefit to tolerating locked-down software [I assume that's what you meant by DRM in this context.] For regulated devices, I think there is a clear public benefit; otherwise the devices wouldn't be regulated. Note that here you asking for software to be treated more permissively than hardware, where you had previously asked why they should be treated differently - there are no legal restrictions on manufacturers' ability to make hardware unmodifiable.

You posit commercial and nefarious reasons for manufacturers to deploy DRM. I certainly know of cases where manufacturers have used reversible technical measures (either hardware or software) to downgrade special versions of products, so that they could sell them at lower prices than products without those restrictions. This is sometimes referred to as "slugging". In most cases those have been in situations where there was a contractual relationship preventing the customer from (like the well-known case of the IBM unit-record equipment that could be jumper-modified to be twice as fast]. TC clearly would help the manufacturer avoid customer self-upgrades. I don't consider that to be nefarious (nor qualitatively different from the case where exactly the same end is achieved with a one-way change that makes the device non-upgradeable).

I don't expect to convince anybody who is already convinced in the other direction. If you believe the freedom of your code is paramount, and don't mind that that freedom limits its use in certain kinds of devices, that's your choice.

Public Benefit is the Question

Posted Oct 10, 2006 3:44 UTC (Tue) by GreyWizard (guest, #1026) [Link]

I was talking about Trusted Computer, rather than DRM

Then you were off topic. You comment is a reply to mine which is about DRM. That comment is attached to an article about the GPLv3 drafts which would prohibit distribution of code licensed that way to implement DRM. Perhaps you are confused about what the relevant clauses of the GPLv3 drafts do and suppose that they restrict activities which are not DRM?

It makes the manufacturer safer by reducing potential liability.

This claim is fanciful in the case of DRM and questionable otherwise. I have some devices which are user servicable and others with comparable purposes which use sealed cases of one kind or another. Do you contend that the manufacturers of the former are more exposed to liability than the latter? I find that hard to believe. Once I take a screw driver to a thing the results are clearly my responsibility, which is why there are sometimes safety warnings on stickers covering the screws. On the other hand I have no trouble believing that liability and public relations are excuses to conceal motives such as market segmentation.

Making dangerous things easy might make a manufacturer liable. Failing to make them impossible will not. Generally speaking, making a laser scanner with a knob that allows the output to be set to unsafe levels is a recipe for trouble. Making a laser scanner for which the user can extract the source code, modify that using specialized programming skills, compile and install the result is not. Good luck convincing a court that you did all that accidentally.

You ask now if there is a public benefit to tolerating locked-down software [I assume that's what you meant by DRM in this context.]

Here is the text you responded to: "I am asking if there is a public benefit that might justify the costs of tolerating DRM [...]" I am pleased that when I write "DRM" you *presume* that I mean "DRM" but I cannot guess your motive for making a fuss about this.

For regulated devices, I think there is a clear public benefit; otherwise the devices wouldn't be regulated.

What you seem to be saying is that "compliance with appropriate regulations is good" implies "any measure which makes non-compliance more difficult is good." Nonsense. Every check on compliance has a corresponding cost. Requiring a police officer to monitor the use of all laser scanners would make it much harder to use an unsafe power level than merely deploying DRM, but obviously this is not a reasonable solution.

So far uses of DRM that don't involve managing digital rights seem like solutions in search of problems.

Note that here you asking for software to be treated more permissively than hardware, where you had previously asked why they should be treated differently - there are no legal restrictions on manufacturers' ability to make hardware unmodifiable.

You believe I am asking for this because it pleases you to do so, not because I have suggested legal restrictions on locking down software or otherwise proposed some policy. Perhaps you are confused by the phrase "tolerate DRM"? By this I did not mean "allow DRM to be a legal practice" (this community has no power to make that decision) but "permit software that we write to be used to implement DRM" -- in other words reject the relevant provisions of the GPLv3 draft. I have been asking for an explanation of how DRM might benefit the public as well as criticising some examples that seem poorly thought out (specifically voting machines, x-ray equipment, liability and reputation).

You posit commercial and nefarious reasons for manufacturers to deploy DRM.

A discussion would be easier if you bothered to read before responding. I noted that the reasons manufacturers like DRM include advanced market segmentation (of which your story about "slugging" is an example) as well as more nefarious reasons. I did not offer an opinion on whether advanced market segmentation is nefarious, except to say that more nefarious reasons exist. Anyway, the point of all that was to say that there is no question that some manufacturers like DRM. They do.

The issue worth discussing is whether DRM can provide a practical benefit to the public. That your attempts at an answer are muddled nonsense does not prove that a reasonable affirmative case can't be made, so I don't know the answer.

Public Benefit is the Question

Posted Oct 13, 2006 2:03 UTC (Fri) by sepreece (subscriber, #19270) [Link]

Umm, The topic of the thread was technology used to lock down software so the user/owner can't modify it. That's TC, not DRM. TC is often used in implementing DRM, but is not iteslf DRM, in normal usage.

Your belief that fear of liability is fanciful may make you comfortable, but the corporate lawyers I know disagree with you. And, yes, a device that is user-serviceable carries more potential for liability than one that isn't, other things being equal. I never said it was practical or a goal to remove all risk of liability; that doesn't reduce the impetus to reduce it where the cost is not prohibitive.

"I have been asking for an explanation of how DRM might benefit the public as well as criticising some examples that seem poorly thought out (specifically voting machines, x-ray equipment, liability and reputation)."

Cell phones are a reasonable example of a place where there is a public good in making operating software non-modifiable except by authorized parties. Modified cell phones could be used to disrupt cellular networks that are considered to be public safety assets. As to actual DRM, as opposed to TC, I guess I'd have to ask how you define "public benefit". Is it a public benefit to make content available to consumers that otherwise would not be?

I did not say you said that market segmentation was nefarious, I said you had posited commercial and nefarious raasons. I intended that to mean reasons that were commercial and reasons that were nefarious, but I guess that it was ambiguous.

DRM is the topic

Posted Oct 15, 2006 3:05 UTC (Sun) by GreyWizard (guest, #1026) [Link]

Umm, The topic of the thread was technology used to lock down software so the user/owner can't modify it.

No, the topic is DRM. I should know since it was my comment that started this thread. I said, "Perhaps there are legitimate uses for DRM [...]" and did not mention any implementation technology. Your comment that began this sub-thread is attached to mine, in which I mention DRM twice and Trusted Computing not at all. Finally, this thread is attached to an LWN article titled "Similar in spirit?" which likewise mentions DRM but not Trusted Computing. The controversial GPLv3 draft terms in question would prohibit DRM but not any particular technology. There is no reason to be discussing Trusted Computing in this context.

Your belief that fear of liability is fanciful may make you comfortable, but the corporate lawyers I know disagree with you.

Are you referring to fear of liability in general? If so, then you are off the mark yet again because I made no statement about that. Here is the text you are responding to: "This claim [that DRM makes a manufacturer safer by reducing potential liability] is fanciful in the case of DRM [...]" If not and you intend to demonstrate that fear of liability caused by leaving out including DRM is reasonable then you must do better than invoking unnamed lawyers who take your position. Can you name one? Can you cite a case in which a manufacturer was found liable for failing to include DRM? Do you even have much weaker evidence like a manufacturer that explicitly claims in a public statement to use DRM for reducing liability?

Cell phones are a reasonable example of a place where there is a public good in making operating software non-modifiable except by authorized parties.

Cell phones are an excellent example of a technology where openness would benefit the public by unlocking the potential for innovation. Despite the message you are replying to you still ignore the costs of preventing modifications. For good measure you overstate the benefits too: a cell phone is not the only or even the most convenient way to disrupt cellular networks. Cell phone jamming devices are illegal but readily available and possibly even a benefit to the public in some cases. (See http://www.slate.com/id/2092059/ for a thought provoking discussion of this topic.) A case for the public benefit of DRM needs less ambiguous examples.

DRM is the topic

Posted Oct 17, 2006 14:11 UTC (Tue) by sepreece (subscriber, #19270) [Link]

"in which I mention DRM twice and Trusted Computing not at all"

I apologize. Your note that started this thread mentions DRM twice and "tamper resistance" also twice. One of those uses is in a place where it appears to be paralleled to "DRM". I mistakenly took "DRM" to be mteaning tamper resistance, which I interpreted as TC (locking down the software, as opposed to content). The base LWN article, however, is about TC (anti-Tivoization) as much as it is about DRM.

I am not free to quote or name our corporate lawyers. However, the liability w/r/t DRM would be based on contract conditions with whatever service the DRM was protecting. Similar issues could arise at several levels in a cell phone context (the content provider(s) and the carrier). For cell phones, there would also be potential liability for network damage or interference caused by a modified device. That last liability would be unlikely to end up in court, but would be a factor in negotiations between manufacturer and carrier.

The fact that there are other means of jamming cellular networks is completely irrlevant to the question of whether it's a public benefit to avoid malicious modification of cell phones. The phone itself is a particularly easy and ubiquitous vector for an attack. Note that there are cases of incorrect operation by phones (not modified phones) not just doing local jamming, but bringing down a broader network.

I'm not sure what you're asking for in saying that I'm ignoring the costs. I'm sure there is an opportunity cost in reduced innovation, though I don't think you can quantify it any better than I. On the other hand, contractual requirements with carriers make it, to some extent, a moot point - the level of TC support required by the carriers for tamper resistance is increasing steadily.

Again, I am interpreting "DRM" in this case to mean "tamper resistance", which I take to mean "trusted computing", because that's what you seem to be talking about. DRM (content control) clearly has nothing to do with protecting the network. I agree that it's hard to quantify the public benefit of DRM.

There clearly is public demand for content that the content owners will make available only under DRM. Some of that content is stuff that most people would describe as a public benefit (educational and cultural material). Obviously, there is also public demand for other things that would not usually be considered a public benefit (like pornography), so demand is not a sufficient argument.

Defining DRM

Posted Oct 17, 2006 19:20 UTC (Tue) by GreyWizard (guest, #1026) [Link]

The base LWN article, however, is about TC (anti-Tivoization) as much as it is about DRM.

I'm not sure what you mean by this. The LWN article is about the GPLv3 drafts, which would prohibit the use of covered software in systems that implement DRM. By DRM I mean a system which enforces some software behavior regardless of what the owner might want. This seems to be the conventional definition of the term, so "Tivoization" is DRM. Trusted Computing is a technology with which DRM and possibly other things can be implemented. Since the GPLv3 drafts would affect Trusted Computing only when it is used for DRM I still don't see how it can be relevant.

However, the liability w/r/t DRM would be based on contract conditions with whatever service the DRM was protecting.

DRM clearly has advantages for the businesses who control the keys in the same way censorship is an advantage for those implement it. The question is whether a free software license should attack DRM. I don't propose to answer that question but clearly contracts between vendors are not relevant.

The fact that there are other means of jamming cellular networks is completely irrlevant to the question of whether it's a public benefit to avoid malicious modification of cell phones.

On the contrary, the availability of jamming devices demonstrates that cell phone network disruption is not a serious problem in practice.

Consider an analogy. Some programmers create malicious software that attacks exposed internet services. Wouldn't there be a public benefit to regulating compilers and using DRM to embed identifying information in all source code? This way people who do harm could be discovered and punished. Isn't the availability of unauthorized compilers completely irrelevant to the question of whether this would be beneficial?

I'm sure there is an opportunity cost in reduced innovation, though I don't think you can quantify it any better than I.

I'm not asking you to quantify it exactly but to think through the consequences. DRM doesn't seem to accomplish anything for cell phone network robustness that couldn't be done more effectively with proven technology, but it clearly creates problems. Gloves can be used to avoid leaving fingerprints at the scene of a crime, but we don't insist they be registered. Cryptography can be used by criminals for conspiracy, but this is not a strong enough reason to keep it out of the hands of legitimate users. For the same reason, we should not insist on preventing people from changing a cell phone operating system merely because we can imagine disruptive uses.

There clearly is public demand for content that the content owners will make available only under DRM.

There is no shortage of educational and cultural material on the market and the notion that content owners are sitting on an enormous pile of it that they will only release when the playing field is tipped still further in their favor is often presented by certain trade associations but is always unescorted by evidence. We've reached the point of diminishing returns on that strategy. Distributing material under copyright without the consent of the owner is already illegal and successful enforcement happens all the time, often without the need to go to court. Indeed, enforcement is so easy that legitimate uses are often suppressed. Denying people control of their own computers is not going to improve this situation.

Defining DRM

Posted Oct 18, 2006 22:20 UTC (Wed) by sepreece (subscriber, #19270) [Link]

"By DRM I mean a system which enforces some software behavior regardless of what the owner might want. This seems to be the conventional definition of the term, so "Tivoization" is DRM."

I haven't heard "DRM" used this way other than in this discussion of GPLv3. The conventional use of "DRM" is for content control (management of access rights to content). That was my point (and I'm not the only one who has tried to make that point in both this discussion and in the Busybox discussion that was on the same LWN front page). Locking down software is TC, not DRM.

"clearly contracts between vendors are not relevant"

All I can say is, it's not irrelevant to the companies that make consumer electronics, nor to the people who want to buy content despite the DRM that the content owners require. You are, of course, free to consider that they are irrelevant.

"we should not insist on preventing people from changing a cell phone operating system merely because we can imagine disruptive uses."

Well, we DO choose to ban or control some things with dangerous or disruptive uses. So far, the manufacturers, the carriers, and the FCC are on the side of controlling this one. If you can convince them otherwise, then arguing about the GPL would be unnecessary. Changing the GPL isn't a high-leverage approach to convincing them.

"Denying people control of their own computers is not going to improve this situation."

Generally, they're not being denied control of their computers, even if you buy the argument that a cellphone should be considered a computer. They're being denied the ability to access services with untrusted clients. That seems to me to be within the purview of the service providers, regardless of the ownership of the device.

DRM, DRM, DRM

Posted Oct 19, 2006 3:05 UTC (Thu) by GreyWizard (guest, #1026) [Link]

The conventional use of "DRM" is for content control (management of access rights to content).

And in what way does this statement contradict mine? Tivo clearly employs DRM for content control. That the conventional use is content control does not deny the possibility of other uses. The LWN article seems to agree with me, as it refers to the GPLv3 draft provisions that would affect Tivo as "anti-DRM provisions" several times.

Locking down software is TC, not DRM.

First, Trusted Computing is but one technology for locking down software. See http://en.wikipedia.org/wiki/Trusted_Computing for more details. Second, locking down software can be done under the control of the hardware owner or some other party. Since the GPLv3 has no effect on the former case it should be clear that locking down software in general is not what is at issue. We need some term that expresses only the latter. DRM seems to be that term as far as I can tell (though of course DRM can be implemented less effectively without hardware), but if that usage offends you propose another term that doesn't confuse the issue in this way.

Here is the text you were responding to: "The question is whether a free software license should attack DRM. [...]clearly contracts between vendors are not relevant." In what way is it unclear that "relevant" means "relevant to the question" in this case? Replacing the plain meaning of those words with the notion that companies making consumer electronics and the people who buy them are "irrelevant" in general is either an incredible failure of comprehension or outright intellectual dishonesty.

Well, we DO choose to ban or control some things with dangerous or disruptive uses.

Cell phone disruption is generally much less dangerous than guns or drugs, to choose two such things over which there is much disagreement. The preferences of established economic powers and the politicians they patronize does not demonstrate that strict regulation in the specific case of cell phone operating systems would be appropriate or reasonable.

Changing the GPL isn't a high-leverage approach to convincing them.

Some people would dispute this claim and many who wouldn't still find ensuring that their software is not used to implement DRM reason enough. But this is a larger issue than the one raised by this thread, which is merely whether DRM has advantages for society as a whole.

Generally, they're not being denied control of their computers, even if you buy the argument that a cellphone should be considered a computer.

I wrote about "denying people control of their own computers" in response to your claim that there is "public demand for content [...]available only under DRM" which was not specifically about cell phones. That said, while one might plausibly argue that control of a cell phone operating system is unimportant or that cell phones are such special purpose devices that freedom is not useful enough to defend (we'll have to agree to disagree on these points) the ability to replace cell phone operating system software is undeniably a form of control and a modern cell phone is most definitely a computer.

Since you've forced me to revisit this, I wish I had noted in my last message that claiming DRM is good for the public because content owners will only release things the public wants under those circumstances is circular reasoning. Suppose the public wants cultural or educational content owned by an organization that refuses to release it without a human sacrifice. Does this demonstrate that human sacrifice is good for society?