
Cory Doctorow on the game plan to crush DRM

By Nathan Willis
January 27, 2016

Author and Electronic Frontier Foundation (EFF) activist Cory Doctorow presented the opening keynote at SCALE 14x in Pasadena on January 22, using the opportunity to highlight the project that brought him back to the EFF after a decade. That project is Apollo 1201, an effort to challenge the ever-expanding problem of "digital rights management" (DRM)—now built into all manner of mass-produced products, not just entertainment media—that threatens the rights of individuals. The dangers of DRM are even greater than those posed by traditional proprietary software, Doctorow said, precisely because the rise of "smart" devices is putting DRM-locked software everywhere around us.

[Cory Doctorow at SCALE 14x]

Doctorow told the audience that the fight against proprietary software has taken place on four fronts, which correspond to the factors Lawrence Lessig says regulate behavior: "code," "markets," "norms," and "laws." The "code" front is seen, simply enough, in Apache unseating IIS because Apache was a better web server. The "market" front is where open source creates new business opportunities that would not exist otherwise and the popularity of the new market overwhelms the proprietary software. Samba is an example, he said: it made SMB shares more useful and spawned new products; the popularity of those products took Microsoft out of the driver's seat. The "norm" front is ethical and moral debates, where advocacy changes the minds of the public. And the "laws" front involves all of the instances where city, regional, or national governments have passed laws mandating open-source software, open data, and the like.

Those four fronts describe the competition between "open" and "closed" technology in recent years, Doctorow said, but there is "a more profound kind of 'proprietary' on the horizon" now—one that goes beyond whether or not a product is "open" or "free." The new form of proprietary is code that includes DRM, which is much harder to fight against.

"You all know the DMCA [Digital Millennium Copyright Act]," he said. "It's the author of all your favorite YouTube videos." The problematic part of the DMCA is Section 1201, he reminded the crowd, "which makes it a crime to give people tools that they could use to bypass DRM." But that law was just the beginning: the US Trade Representative has been "patient zero," spreading the problem around the world by persuading other countries to enact their own equivalent laws. The worst example was the New Zealand law's Section 92A, which sparked protests in the streets. The backlash initially derailed the bill, he said, but entertainment industry lobbyists forced it through by reintroducing it as a rider on the disaster-relief bill passed after the 2011 Christchurch earthquake.

While such laws spread around the globe, DRM was also making its way into more and more devices. The Lexmark printer-cartridge case is a well-known example, as was the case of Skylink garage-door openers. In both cases, a company used poor, easily broken encryption software to attempt to block interoperability with third-party products, then sued rival companies who broke the encryption. In both instances, the courts sided with the defendants, noting that the DMCA only protects copyrighted works (rather than, say, trade secrets), which meant that the only DMCA-protected work in the Lexmark printer cartridge or Skylink garage-door opener was the DRM software itself.

But those cases were years ago, Doctorow noted; today, more and more devices do include significant amounts of software inside, from WiFi light bulbs to smart appliances, even to smartphone-enabled rectal thermometers—"yes, they now want to put DRM up our asses," he told the crowd to a peal of laughter. The sole reason the makers of these products are employing DRM is to stifle competition, he said; it has nothing to do with "piracy" and never has. Furthermore, DRM has never been a selling point; "if there were two Netflixes for the same price," he said, "and the only difference was that one had a 'save' button, no one would ever sign up for the other one."

Follow the money

The clear conclusion is that people are either oblivious to the DRM around them or they just do not care. Yes, he conceded, there will always be "a few supernerds" with the skills to bypass DRM themselves, but without real reform, DRM will continue to prop up anti-competitive behavior in the global economy.

Companies make money with anti-competition in three ways, he said. First, they double-dip on sales, as when they require people who have bought DVDs legally to pay again to put the same video on their phone. Second, they control parts and repairs. There are cheap diagnostic scanners that can read car "check engine" codes, but only for individuals; mechanics "operating a business with an address you can sue them at" have to buy expensive scan tools from carmakers, who require them to also sign contracts to purchase all replacement parts directly from the company. Finally, they make money by making promises to other businesses. For instance, cell carriers give away iPhones to customers, but only because Apple has promised to prevent those customers from ever installing a tethering app—by locking down the OS with DRM.

So, every day, "DRM costs you and me and everybody we love money," Doctorow said, "but that's not why I worry and that's not why I've returned to the EFF." What worries him is how DRM prevents the patching of security vulnerabilities. When we can't examine our devices, we are stuck with ancient software filled with unfixable bugs.

He shared several "horror stories" about DRM. The Jeep remote exploit Charlie Miller and Chris Valasek published in 2015 was demonstrated on that car because that model's software did not employ DRM and the authors could thus avoid a felony prosecution. Subsequently, other automotive-security researchers have said similar flaws affect most other cars, but their lawyers have advised them not to disclose the vulnerabilities.

Jay Radcliffe (who is diabetic) refuses to use an insulin pump, "thus taking years off his life," because of the security vulnerabilities he has seen in the devices' software, which he cannot disclose because they are "protected" by DRM. In Ukraine, people who took their mobile phones near the site of anti-government protests later received text messages saying that they had been recorded as participating in an illegal action and warning them against doing so again. The unique identifiers baked into each phone are protected by DRM.

There were plenty of other examples, from John Deere tractors to voting machines to criminals capturing wireless webcam video and blackmailing the owners by threatening to publish the camera footage online. DRM makes it illegal to disclose security vulnerabilities in devices, and the Internet of Things makes that problem ubiquitous. That, Doctorow said, is why he decided to return to the EFF to work on the Apollo 1201 project.

Apollo

The goal of Apollo 1201 is to eradicate DRM in ten years' time by rewriting the laws. If you work on any sort of anti-circumvention project, Doctorow said, the EFF wants to talk with you. The point of the conversation is two-fold. First, the EFF can provide advice on how to structure one's project and how to discuss it publicly (although he made a point to say this was not of the formal "legal advice" variety). Second, the EFF wants to be prepared for when such projects inevitably result in lawsuits; it plans to fight a number of such cases and to take the fight all the way to the Supreme Court.

Since code is ultimately a form of First-Amendment–protected speech, the EFF is confident it can eventually defeat Section 1201 on Constitutional grounds. That process will likely take close to a decade. Fortunately, "this is a target-rich environment," he said, so the EFF believes it will have no trouble finding solid test cases and well-prepared defendants to work with.

In the meantime, though, a lot can change on the ground. As soon as the DRM threat for a particular product class begins to look uncertain, he said, companies will begin to attack the profit margins of the DRM purveyor. That will bring the fight to a second front (markets). And the courts, he said, deeply want the law to be relevant: if it is obvious that successful businesses and millions of people regard DRM as an obsolescence, they will rule against DRM. That principle was a large part of why the court upheld home recording in the 1984 Betamax case: millions of households already used VCRs to tape television.

He also challenged the audience to take the fight to the "norms" front, to talk about DRM wherever they can. "We're at peak indifference now. Every week, something bad [like the horror stories he related] will happen. When the people you know ask you how this happened, tell them." Finally, he asked the audience to do what they can to support the work of fighting DRM. "You probably give money to one of these companies every month," he said. "I just ask you to tie it, to match what you give these companies with something you give to organizations fighting for your freedom."

After the keynote, Doctorow stayed to discuss the project further and to answer questions. Among other matters, he said that the EFF may have already identified what project will be its first Apollo 1201 test case, and that the defendant in that case has been braced for such a fight for many years—even before the EFF announced the project.

He also noted that there was a chance that a case the EFF takes might result in only a narrow ruling, rather than cutting out the heart of Section 1201. But that is still a victory, he said, and narrow rulings can still shift the economic factors in a major way, as in the "dancing baby" case, where the court ruled that copyright holders must consider fair use before issuing any DMCA takedown notices, or else be held responsible for damages. The ruling turns the mass issuance of takedown notices into a financially risky proposition for entertainment publishers, a fact that defense attorneys are beginning to notice. He also encouraged open-source developers to join the fray and help disrupt the DRM-protected businesses. "We want people to see that there's money in them there circumvention devices."


Cory Doctorow on the game plan to crush DRM

Posted Jan 29, 2016 0:51 UTC (Fri) by davecb (subscriber, #1574) [Link]

We saw similar problems when talking with the FCC about routers: Dave Taht et al. actually fixed compliance-breaching bugs in routers, while the FCC was considering prohibiting our doing so...

--dave collier-brown
as discussed at bufferbloat-fcc-discuss@lists.redbarn.org, led by dave.taht@gmail.com

Cory Doctorow on the game plan to crush DRM

Posted Feb 7, 2016 5:03 UTC (Sun) by toyotabedzrock (guest, #88005) [Link] (5 responses)

Certain open source projects, the kernel included, have made steps towards enabling DRM.

Cory Doctorow on the game plan to crush DRM

Posted Feb 8, 2016 20:10 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (4 responses)

What has the kernel done? Are you referring to support for SecureBoot? Something else?

Cory Doctorow on the game plan to crush DRM

Posted Feb 9, 2016 1:45 UTC (Tue) by eternaleye (guest, #67051) [Link] (3 responses)

The example they have in mind is likely the Secure Memory Allocation Framework[1][2]

Cory Doctorow on the game plan to crush DRM

Posted Feb 9, 2016 14:16 UTC (Tue) by mathstuf (subscriber, #69389) [Link] (2 responses)

Virtualization would get around this fairly easily I would think. Anyways, I wouldn't mind it for storage of GPG, SSH, SSL, KBDX keys and passphrases while other things were being manipulated (or even the content being encrypted in some cases).

Cory Doctorow on the game plan to crush DRM

Posted Feb 9, 2016 22:13 UTC (Tue) by lsl (subscriber, #86508) [Link] (1 responses)

You do know how the systems most likely to employ this are going to end up, don't you? There'll be lots of fancy crypto stuff to "secure" stupid TV shows while the user's actual private data is up for grabs, probably with some crappy vendor software (or its included ad library) uploading it to random internet hosts over unencrypted/unauthenticated HTTP.

Cory Doctorow on the game plan to crush DRM

Posted Feb 14, 2016 17:12 UTC (Sun) by mathstuf (subscriber, #69389) [Link]

This is a problem with the DMCA, not the technology. The data leakage is a problem with penalties being (not even) a slap on the wrist.


Copyright © 2016, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds