Archive for the ‘Digital rights’ Category

Response to the 2004 European Commission consultation on DRM

Tuesday, September 14th, 2004

This is a response to the 2004 European Commission consultation on DRM, as submitted to the Commission.

Dear Sir/Madam,

In response to the consultation announced on http://europa.eu.int/information_society/eeurope/2005/all_about/digital_rights_man/text_en.htm, I would like to make a number of observations and comments related to the Final Report of the High Level Group on Digital Rights Management.

First of all, I welcome the fact that the Commission is taking an interest in DRM and engaging in discussion of related issues, but would reflect that the Report appears to be based on a number of questionable assumptions about DRM, and fails to take into account the broad spectrum of views about it, including some of those expressed in earlier Workshops. In particular, the Report appears to focus on what the content industry believes to be the problems with DRM, rather than what consumers (who are after all the ultimate enabling force) perceive as the problems. In this response, I hope to clarify my concerns and offer a consumer perspective on these issues.

On the assumption that DRM is required to develop a digital marketplace:

The Report repeatedly discusses the supposed “enabling” functions of DRM. There is a limited observational truth in calling DRM an “enabling” technology, but only so far as noting that large content providers in particular appear to have been reluctant to engage in digital distribution without the perceived “protection” of DRM. However, this evidence alone is not sufficient to merit the implicit assumption that DRM is required in order to enable broader establishment of consumer services. The reality is that many large content providers have not even tried digital distribution without DRM. DRM is not called for, required or desired by consumers; rather, it is something largely being imposed on them by content providers. Thus to start from an assumption that DRM is required to enable growth in consumer services is incorrect. Statements that DRM enables a variety of trading models such as rental and sale are disingenuous; such models have thrived without DRM for a long time even in markets where unauthorised copying and distribution are easy and economically viable. Without substantial supporting evidence, it is just as reasonable to assume that it is reluctance on the part of content providers to engage with their customers in the digital marketplace which is hampering the growth of that marketplace, not the limitations of (or lack of) DRM. To the contrary, the mere presence of DRM can itself hamper the growth of those very markets, due to the inherent consumer-hostile nature of such technology, a point I shall return to later.

On the implicit assumption that the word “Rights” in Digital Rights Management refers only to the “rights” of licensors:

The Report fails to discuss or even acknowledge the long-term consequences of a heavily DRM-based content marketplace. In particular, it places heavy emphasis on the “rights” of content producers, but fails to acknowledge the effect of the balancing rights of consumers and society in general, either in the development of digital marketplaces based on DRM or in the desirability of encouraging DRM at a national or European level. What is necessary is to recognise and take into account the historical context of copyright, which is not an absolute property right but rather an artificial, limited-time monopoly granted by society which is limited in scope and grants certain rights to society as well as to the producers.

Modern DRM systems often rely, to a significant extent, on essentially ephemeral media such as computer storage for license/key management and so on. Indeed, some DRM systems work based on the assumption of the continued existence of and ability to communicate with the content provider. Whilst in the embryonic market, these issues have not risen to the surface, in time there will be an impact when businesses providing DRM-restricted content on such a basis disappear or otherwise cease providing services on the same basis that they did originally. Placing rights management outside the hands of consumers in this way seriously damages confidence when purchasing content.

For example, I am a willing and keen adopter of new online services. I have every desire to participate as a consumer in a marketplace for digital content. However, at the present time the presence of DRM makes that marketplace considerably less attractive than traditional “physical” sales. Consider a compact disc containing music for example: if I purchase a legitimate disc from a retailer, I know that my rights and freedom to use that disc are entirely under my control, constrained only by my obligations under law: once the disc is in my possession, there is no way that the content owner can physically restrict my ability to use it. Similarly, I can use it with any device, from any manufacturer of my choosing, which is capable of playing CDs. However, with digital content hampered by DRM, the content producer may arbitrarily restrict my rights in any number of ways: I may only be able to use specific software or devices (perhaps from a specific manufacturer) which may not even be available to me, I may be prevented from exercising normal rights that I have under copyright laws (for example, related to use of copyright material for the purposes of review or research) and, worst of all, it’s possible (dependent on the DRM system employed) that the content owner might in future be able to prevent my use of the content either by action or omission. (An example of action would be remotely updating a DRM license key to revoke my rights to use the content; an example of omission would be if the content provider went bankrupt and the DRM software was no longer able to verify the validity of my license and consequently prevented me accessing the content). Predictability and interoperability, as identified in the Report, are important factors to consider, but they do not alter the underlying nature of DRM.

What I hope is now apparent is that there is a fundamental contradiction lying at the heart of the Report: that DRM (at least as used and envisaged in the context of mass-produced consumer content) is fundamentally an anti-consumer technology, and yet the Report tries to examine how a marketplace can be developed which is acceptable to consumers, and provide an upbeat assessment of the future. The weak conclusions of the Report serve to illustrate a number of key fallacies that lie at the heart of DRM, which are:

  1. that it is possible to unambiguously define and enforce, technologically, a set of licensing rules for a given work. This is logically impossible within the constraints of what is “reasonable”, primarily because the delicate balance of copyright law requires subjective judgements on human behaviour such as “intent” to be made. A computer or other DRM device cannot do this; it cannot, for example, determine whether the distribution of part of a copyright work falls under a permitted use allowed by copyright law, or whether it is infringing, because the technological steps involved in doing either might be identical.
  2. that it is possible to employ DRM without restricting the freedom of the marketplace or of consumers. For DRM to work, it unequivocally requires consumers to give up certain freedoms, in particular their freedom of choice and control over the playback devices which they possess as well as the content media which they purchase. Even “open” DRM standards ultimately rely on “closed” technology to be effective. This is aggressively anti-consumer, and is a concept irreconcilably opposed to the genuinely enabling tide of technological innovation, openness and freedom which has come about in recent years with the proliferation of digital technology.
  3. that it is possible to solve societal problems (for example, a lack of respect for copyright) with technology. Again, DRM serves to aggravate the situation here rather than alleviating it. Alienating consumers with DRM can only lead to an adversarial relationship between producer and consumer. In a monopoly marketplace (as the marketplace for content mostly is, particularly in the area of films and music) where consumers cannot choose between suppliers, giving consumers a choice between “not purchasing” and “purchasing with unacceptable restrictions” serves only to alienate, annoy and potentially criminalise law-abiding consumers who only wish to purchase content and make reasonable use of it, whilst those who happily deal in infringing materials will continue to do so; the fact that they have to circumvent technological “protection” measures is unlikely to be much of a deterrent.

You will, no doubt, recognise that many of the issues are quite general in nature. Nevertheless, I feel that they are highly relevant in the context of the Report: until these fundamental issues are openly acknowledged and discussed, the lesser issues that the Report identifies such as interoperability, privacy and security, are mostly red herrings; addressing them will only mildly improve the palatability of DRM to consumers, whilst the core problems of the relationship between producers and consumers in a digital marketplace remain unaddressed.

The truth is that DRM is a hugely expensive, intrusive and problematic solution to a largely illusory problem. Contrary to the apocalyptic visions put forward by certain stakeholders, digital media technology, with or without DRM, will not destroy the content industry. Rather than giving legitimacy to DRM, the Commission’s time could be spent more constructively by researching and reporting on business models which harness the power of digital media without requiring such restrictive and adversarial technology, and undoing the damage done by the grossly reactive, imbalanced and ill-conceived European Copyright Directive.

Thank you for considering these views as part of your consultation.

Yours,

Tim Jackson

ID cards consultation response

Wednesday, January 29th, 2003

The UK Government recently undertook a consultation on “entitlement” cards – another term for identity cards. Whilst I’m very aware of the issues of identity fraud and other problems which ID card proposals purport to reduce, I have misgivings about whether they will actually help, and serious concerns over personal privacy implications.

My response, submitted to the Home Office, is below:

I am aware of the Government’s consultation on the possibility of introducing some kind of identity or “entitlement” card to the UK.

For the purposes of aggregation of for/against responses, I am against such a move.

Nevertheless, I would like to provide some more constructive and granular feedback than a simple yes/no response. Whilst resources limit the time I am able to devote to this topic, and therefore this response is less substantial than would be ideal, I would like to make the following observations which cover a number of points raised in the consultation:

  1. The potential for abuse of such a system is worrying. Whilst I have no doubt that the strict security procedures and processes mentioned in the consultation would be implemented, the practical reality is that centralising such a large amount of data, and introducing complex links with a variety of services employing a large number of people creates a substantial risk of abuse, not only by those involved in administering and using such a system, but by police and other bodies. In particular, when combined with recent legislation such as the Regulation of Investigatory Powers Act, I can only conclude that such a system will open up new possibilities for widespread intrusion of privacy, albeit by a perhaps limited number of people. As an engineer by training and someone involved heavily in IT and database systems, I certainly appreciate the elegance and efficiency which centralised and rationalised data storage can bring, but in public systems (such as that which would be required for an identity card), the technological idealism and search for efficient delivery of services has to be balanced against the privacy and other risks to society. In this case, I am of the opinion that a system of the kind proposed may very well dangerously undermine some of the inherent safeguards in a somewhat decentralised system; primarily that the administrative burden to correlate disparate data naturally limits the potential scale of widespread surveillance and/or abuse of private information.
  2. Whilst acknowledging that there is evidence that “identity fraud” is on the increase, I am not convinced that an identity card scheme will help to significantly reduce the incidence of such fraud. Whilst it may provide some benefits, I feel these may be offset by the fact that a universal identity card will provide a “high value” target for fraudsters. History shows that the higher the potential gains from forgeries and suchlike, the more resources that potential fraudsters will invest in circumventing the security provided by a system. Although a single centralised database certainly provides some benefits in this respect, only with a compulsory card and the introduction of biometric data would there be, I believe, a significant increase in the difficulty of committing identity fraud – but I do not believe that a system encompassing these features which will be acceptable to members of society at large is likely to be available in the foreseeable future.
  3. Similarly, I am not convinced of the implicit assumption in the consultation that an identity card will necessarily reduce the incidence of illegal immigration or work. A “black market” for illegal workers is likely to always exist.
  4. As correctly identified in the consultation, the risks involved in such a large-scale IT project would be significant. Past evidence of very large public/private sector IT projects shows that such projects tend to be under-estimated and may spiral out of control. With costs already estimated at £1.5bn, this is by all means an extremely large project, and I would voice a significant concern that the true end cost in purely financial terms may be much higher.
  5. If it were to be decided that introduction of an identity card was mandated, I would strongly prefer a “voluntary” rather than “compulsory” card (as defined in the consultation).
  6. The concepts discussed in the paper seem to follow very much “traditional” thinking on identity cards, whereas perhaps what is required here is some fresh thinking and new concepts. For example, whilst I don’t offer this by any means as a proposal (simply “food for thought”), how about a large-scale *decentralised* system, the fundamental concept of which would follow the lines of the PKI (public key infrastructure) trust/identity assurance system in use on parts of the Internet and other networks? The building of a nationwide, offline, optional, decentralised yet secure system where ‘networks’ or ‘webs’ of trust could be created would certainly be without precedent in the world and might easily be dismissed as “out of the question”, but perhaps in fact this is the kind of system which, with suitable planning (the enormity of which I do not underestimate) might actually enable some of the goals sought by an identity card system to be achieved, without introducing the centralisation and possibilities for abuse that “traditional” identity card systems may bring.
  7. I sincerely hope that you will take account of these views/opinions, and find them useful as part of the consultation process.

Tim Jackson