PlayReady on Android and iOS Shines at NAB April 14, 2011
Posted by Bill Rosenblatt in DRM, Mobile, Technologies. 1 comment so far
Three vendors of DRM technology made announcements timed to this week’s huge NAB conference in Las Vegas: AuthenTec, BuyDRM, and Discretix. The common theme among these announcements was support for Microsoft’s PlayReady DRM on the Android and Apple iOS platforms.
AuthenTec, a company based in Florida whose main business is fingerprint readers (as in human fingerprints, not digital ones), acquired DRM assets from SafeNet a year ago. These assets included a multi-DRM framework called DRM Fusion and OMA DRM software — acquired respectively from DMDSecure of the Netherlands in 2005 and Beep Science of Norway in 2008.
Usually this many acquisitions in so short a time implies deals that are euphemistically called “asset sales” and an acquiring company that lets the technology wither and die. I had serious doubts that AuthenTec was going to do anything with the SafeNet DRM product lines other than support existing customers, but this announcement dispels that doubt. DRM Fusion enables service providers to distribute content packaged in several different DRM formats; it originally supported Windows Media DRM (Microsoft’s older technology), then added OMA DRM support. Now it has added support for PlayReady in a downloadable application for Android and Apple iOS clients called DRM Fusion Agent.
BuyDRM of Austin, TX, is a longtime Microsoft partner that has built its DRM service infrastructure, KeyOS, around Windows Media DRM. It announced KeyOS: Cloud Edition, a version of KeyOS that uses Microsoft’s Windows Azure cloud-based service platform. Along with the support for Windows Azure, BuyDRM will be offering PlayReady for Android and iOS. BuyDRM has HBO Eastern Europe as a launch customer, and general release is planned for June.
Discretix of Israel has also been known for multi-DRM support, focusing on mobile clients. It too had been supporting Windows Media DRM and OMA DRM implementations. But its new product, SecurePlayer, focuses exclusively on PlayReady for Android and iOS. SecurePlayer is a downloadable application that combines a port of PlayReady to the target device along with a video player that is tightly coupled to the DRM. This is more secure than a DRM implementation that merely relies on a device’s native video player, where content can be exposed in the clear.
All of these DRMs focus on delivery of video to “app phones” and tablets, whether through download or streaming. This ties in with the more general trend of providing a given set of video content on any device — via a service like Hulu, the cable industry’s TV Everywhere initiative, or other channels. Services like these need cross-platform DRM support in order to comply with studio and network licensing requirements. Meanwhile, Microsoft is doing little by itself — other than making an SDK available — to help enable porting of its DRM onto non-Microsoft platforms. Thus the opportunity for these third-party vendors.
Another trend that these announcements indicate is OMA DRM 2.x’s further fade into irrelevance. The number of services using this DRM has been small enough as it is. In the music market, its demise was hastened last year with the news that Vodafone was phasing out its OMA DRM 2.1-based mobile music subscription service in favor of paid MP3 downloads. The number of vendors offering OMA DRM implementations has dwindled.
Of course, other cross-platform DRMs for portable video-capable devices are available, such as Marlin (Intertrust) and NDS VideoGuard. (The fate of Widevine’s DRM technology after its acquisition by Google late last year is uncertain.) But PlayReady is the hot technology of the moment.
Now, on a completely different subject:
Personal Appeal for Aid to Japan
I have heard people say that the crisis unfolding in Japan is horrible but they aren’t sure how to help. Many organizations are collecting money, but it’s hard to know how it will be used or where it will go. Now here’s a more targeted and personal way to help:
My brother-in-law has lived in Japan for several years. He lives in Tokyo now, but he started out teaching English in a village called Kawauchi, which is within the evacuation zone in Fukushima Prefecture near the stricken Daiichi nuclear plant. He has deep personal relationships with people in the village and is organizing aid for its few thousand residents, who are currently in a facility analogous to the New Orleans Superdome after Hurricane Katrina here in the U.S. He says:
Please send:
Toys and activities for children, school supplies, paper products including tampons, diapers for children and adults, personal wipes, tissues, toothpaste and toothbrushes (including for dentures), make-up, shampoo, games, new clothes, music, books and magazines (in Japanese only).
Sending along special foods and snacks will definitely be appreciated. Rations at the evacuation center are not particularly pleasant!
Aside from the basics, please feel free to send anything you think might cheer the villagers up. It is unlikely that any of them will be able to see their homes for many years, if ever.
Please note that people of Kawauchi Village cannot read English past a first grade level. Many of the evacuees are elderly, too.
Pass this note on and feel free to contact me directly if you have any questions. Thank you! – Barry Lustig, barry_lustig@hotmail.com
Here is the address:
Yoshinobu Ishii from Kawauchi Village
South 2-52, Koriyama City
Fukushima Prefecture
963-0115 JAPAN
telephone: (+82) 09022773557
〒963-0115 福島県郡山市南二丁目52番地
川内村教育長石井芳信 様
Irdeto Sets Next Level in Video Content Protection March 7, 2011
Posted by Bill Rosenblatt in DRM, Technologies, Video. 3 comments
Last week, Irdeto of the Netherlands announced its new ActiveCloak for Media content protection technology for video. This is a real, bona fide breakthrough technique. It’s also revolutionary, in that it starts with a bold statement for the DRM industry: an admission that it has a problem.
A long, long time ago, there was a myth: that DRM was hack-proof. Most knowledgeable people stopped believing this myth years ago, especially since it came to light that many DRMs were designed to be cheap to implement rather than strongly protective of content. But somehow the myth persisted and was very hard to eradicate.
The media industry responded to weak DRM in a couple of ways. First, they got a law passed that made hacking DRMs illegal. This law — the DMCA — placed liability for hacking solely on the hacker. The idea was to deter hackers through criminal penalties rather than to give incentives to technology vendors to create stronger DRMs, or to make the vendors liable for hacks.
Next, the industry created licensing frameworks for DRM technologies that bolstered them by imposing additional technical obligations on implementers. If you wanted to implement a system using a certain DRM technology, you had to agree to so-called robustness rules, which were designed to prevent the software “around” the DRM from leaving doors open to hackers. Robustness rules cover things like how to hide keys in software and how to “harden” software so that it can’t be reverse engineered.
As we know, DRMs are still routinely hacked.
Yet in some quiet corners of the industry, hacking is treated as a given. One example: the CEO of a software antipiracy technology company recently boasted about his company’s success in the gaming market. He measures success by the length of time until a game is hacked. The game publisher is pleased, he says, because his technology works well enough that games aren’t hacked until after their “new and hot” period is over. By this point, the game company has made the bulk of its money; it’s happy for the hacked game to “go viral” and generate demand for the next version of the game.
Try telling this to a Hollywood studio.
Meanwhile, DRM technologies have advanced by limiting the impact of hacks, through techniques such as key revocation (preventing the offending device from doing any more damage) and field-upgradeable encryption (changing the encryption algorithm so that a specific hack no longer works). But these techniques are analogous to making air passengers take their shoes off at security because someone tried to hide a bomb in his shoe once: they don’t prevent the damage from happening in the first place.
With last week’s announcement of ActiveCloak, Irdeto has taken the next logical step. Instead of trying to design DRMs so that they are hack-proof, or even so that they take as long as possible until they are hacked, assume they are going to be hacked and act before they are.
ActiveCloak enables network operators and service providers to change the content protection software proactively as well as reactively. Instead of upgrading the encryption or revoking keys after a hack — or as we Americans say, locking the barn door after the horse has escaped — ActiveCloak lets operators change the client configuration on a regular basis at intervals shorter than the time to expected hack. (Service providers could do this on their own, but ActiveCloak makes the process automated and much more straightforward.)
Irdeto doesn’t just do this by changing encryption keys or even random seeds used in code obfuscation algorithms. ActiveCloak represents a synergy between Irdeto’s legacy content protection technology for digital TV and the software hardening and key hiding technologies of Cloakware, which Irdeto acquired in late 2007.
Cloakware’s main offering in the digital media industry is tools and techniques for hardening DRM implementations so that they meet robustness rules. Many implementers of several different DRMs use Cloakware to harden their code; its only real competition in the digital media market is the smaller Arxan Technologies.
In fact, when the acquisition was announced three years ago, I had assumed that Irdeto’s objective was to collect a “toll” from those who implement content protection solutions from its competitors.
Now we have a product that embodies true synergies between the legacy Irdeto and Cloakware technologies. The system renews itself with respect to the key hiding and code hardening as well as the content protection itself, and it does so on a proactive basis. ActiveCloak gives new meaning to the term “race against the hackers”: hackers must do their thing before the clock runs out and the system is renewed. The integration of Cloakware’s technology makes outwitting this system that much more difficult — assuming, of course, that no one figures out a way to disable the overall scheme.
As Irdeto admits, ActiveCloak will be more expensive than comparable video content protection technologies — in terms of both upfront cost and operational complexity. The company argues that the total cost of ownership is lower than that of a system that has to be patched or replaced due to hacks.
With pay TV operators (cable or satellite), this may well be a reasonable sales proposition. Pay TV operators are somewhat unique among content service providers in that their economic incentives are aligned with those of TV networks, movie studios, and other content owners: none of these entities want their signals to be stolen. The same is emphatically not true for, say, an Internet content retailer or consumer device maker.
ActiveCloak for Media is initially targeted toward OTT (over-the-top or IP-based) content delivery to tablet, Google TV, and other devices. Ports to Apple iOS, Android, and Intel’s “Sodaville” chipset for set-top boxes exist. The technology is running on three Google TV platforms, Boxee, and tablet and PC implementations with unnamed operators.
Although ActiveCloak is a real step forward in content protection technology, it still presupposes that Hollywood is dissatisfied enough with current technologies — and the various legal backstops — to make its content licensees pay a premium for the new technology. It’s doubtful that Hollywood studios will take other content protection technologies off their “approved lists,” but it may make robustness rules more stringent with respect to renewability.
At the same time, I’ll hazard a guess that if this approach catches on — if the rest of the industry is willing to admit that it has a problem — then Irdeto’s competitors will be looking to emulate ActiveCloak. If I were Arxan, I’d have investment bankers ready and waiting to field the incoming acquisition offers. And if I were Irdeto, I’d have my patent lawyers working overtime to protect the technology.
E-Book Lending: The Serpent in the Garden of Eden March 3, 2011
Posted by Bill Rosenblatt in Business models, DRM, Law, Publishing, Services, United States. 22 comments
I wrote my previous article about e-books and libraries in response to an article by my colleague Thad McIlroy on his Future of Publishing site. The news that HarperCollins had put restrictions into its e-book licenses for lending library services so that each “acquired” title could only be loaned out 26 times was fresh and appeared as a side note in my article. HarperCollins (a division of Rupert Murdoch’s News Corp) is one of the world’s largest trade book publishers. So, what about this major development?
First, let’s quickly review the technical and legal backdrop to what HarperCollins is doing. Libraries normally buy (acquire) books to lend to library patrons. This is made possible through the copyright law, specifically section 109, which is known as First Sale. Section 109 says that anyone who legitimately obtains a copy of a copyrighted work (e.g., a book) can do whatever she wants with it, including resell it, lend it, or give it away. Eventually physical books in lending libraries become worn and damaged; libraries may repair them or dispose of them. Libraries control lending abuses by collecting fines from patrons who return books late or not at all.
In the world of e-books, libraries don’t buy titles; they license e-books in order to license them to patrons. A license is a contract, the terms of which are ultimately up to the publisher. Copyright law allows libraries to lend digital works to their members, but DRM-packaged e-books are governed by licenses, and thus contract law, not copyright law.
Of course, it takes no effort to make a copy of an e-book. That’s why library services use DRM to ensure that e-books are loaned only to properly credentialed users (i.e. members of the library) and that those users can’t make copies for their million best friends. Service providers like Overdrive and NetLibrary have arisen to make it possible for libraries to “lend” e-books in a way that is very similar to the way they lend hardcopy books: you get access to the e-book for the library’s lending period (perhaps a couple of weeks, or for a reference work, a few hours), and then it “disappears” from your device and becomes available to another library member. Libraries can license multiple copies of popular works so that more than one patron at a time can borrow them.
The noted library technologist Eric Hellman calls this the “Pretend It’s Print” model — a characterization I don’t quite agree with, but leave that aside for the moment. Hellman characterizes “Pretend It’s Print” as a reasonable model, at least for the time being. But HarperCollins appears to be taking “Pretend It’s Print” quite literally: they seem to be trying to emulate physical wear and tear on a book that leads some libraries to discard books after a while. Still, Hellman’s blog post on the subject drips with contempt for HarperCollins.
I also believe that HarperCollins has done the wrong thing, but for a different set of reasons. Let me preface my reasons with a couple of caveats: I have no access to statistics on the expected lifespans of library books, though I found a couple of data points that expect between 20 and 35 loans until a book must be either discarded or repaired at a cost that may exceed its value — thus making HarperCollins’s 26 seem like an appropriate number (or did they find the same two articles I did?). I also have no insight into a library book’s promotional value to a publisher, but I suspect it’s not very high.
HarperCollins’s 26-loan limit is just a bad decision. It is bound to please absolutely no one. It is a lose-lose-lose proposition. The library community is up in arms on Twitter and elsewhere about the decision. Many are calling for libraries to boycott HarperCollins material in hardcopy as well as e-book format.
Yet at the same time, two other major publishers, Macmillan and Simon & Schuster, never licensed e-books for library lending in the first place. Librarians complain about this, but not very much.
As I said previously, I had heretofore considered e-book lending to be one of the real success stories of DRM. Libraries get to lend e-books, publishers get paid for those e-books, and library patrons can read them on a wide range of devices (pretty much anything but a Kindle) without leaving their homes or offices. Everybody wins.
Furthermore, let me be clear that some form of content protection is absolutely necessary for library e-book lending. To allow library patrons to make additional copies of “borrowed” digital materials with even relative impunity is just plain unfair to publishers and authors. (Yes, DRMs can be hacked; people can make digital scans of hardcopy books too.)
Yet HarperCollins is making two serious mistakes in DRM implementation. One is to try – too literally – to use DRM to emulate a physical product in the digital domain. This has never worked, because a digital emulation will always contain one or more shortcomings with respect to the original physical model that will not meet user expectations. “Pretend It’s Print” may be a convenient point of reference for consumers, but it is more effective to focus on the content access model rather than the physical product in designing digital content services. (As far as I know, record labels aren’t experimenting with DRMs that gradually introduce clicks, pops, and skips into digital music files.)
In this case, the HarperCollins model will fail to meet “user expectations” by angering librarians, who don’t like DRM in principle. Either the e-book will suddenly become unlendable without warning or the DRM system will warn librarians that they will soon have to pay for another license to keep lending the e-book. How many libraries will re-up? Not many, I suspect.
Furthermore, this move defies logic regarding publishers’ strategies for their backlists (catalogs of older content). Publishers believe that their backlist titles have less value than frontlist titles, and they constantly seek ways to invigorate sales of their backlists. By making it unlikely that e-books will be available for library lending after a year or so, HarperCollins is both cutting off access to products that it presumably does not value highly in the first place and hurting its ability to invigorate its backlist. This makes no sense at all.
The other mistake that HarperCollins has made is to introduce complexity into a DRM implementation in a way that adds no value for users. Many early digital music services failed to gain user acceptance because they were too complex for users to understand. Some, for example, had Byzantine pricing plans – X permanent downloads, Y timed downloads, and Z streams per month – that resembled the bad old days of confusing cell phone plans. iTunes won because it kept things simple. Nowadays, as music services take on more and more new features in their attempts to unseat the iTunes juggernaut, they risk similar user confusion and alienation (most egregious current example: the feature-overloaded MOG).
If HarperCollins wanted to try something different with licensing terms, it should have done something that offered value or choice. It could, for example, have offered a choice of limited-loan titles for less money or unlimited-loan for full price. (Eric Hellman tried polling this question; the responses he got prove little more than how emotional everyone is over this issue — which is exactly my point.)
If HarperCollins does not get value from e-book lending, then why not just pull its catalog entirely and join Simon & Schuster and Macmillan as library holdouts? If they do that instead, librarians need not bother boycotting HarperCollins’s e-books; and any threats to boycott the publisher’s hardcopy releases will surely ring hollow.
The end result of a move like this can only be the slow and painful death of library e-book lending. HarperCollins may hope that other publishers will follow its model – though not so closely as to invite antitrust scrutiny. This will only lead to further confusion for librarians and users alike: HarperCollins allows 26 loans, Random House allows 35, Penguin allows 20, etc. There is no way that a model like this can lead to the growth in library e-book lending that libraries need to survive as e-reading grows in popularity.
Libraries are highly unlikely to reverse the tide in the market alone. Boycotts may be emotionally satisfying but will have no practical impact. Instead, the library community’s best hopes lie in the legal system.
The most likely route would be to try to get the Copyright Office, at its next DMCA rulemaking in 2013, to approve an exemption that would allow libraries to circumvent (hack) DRMs in order to lend e-books as long as they re-package them for the library patron with the same type or strength of DRM. This would be a more elaborate exception than any that the Copyright Office has granted in its four DMCA rulemakings to date. It also has various disadvantages: it could only last three years under the DMCA rulemaking rules (every exception only lasts until the next triennial rulemaking); it could cost libraries more money to support than they pay Overdrive or NetLibrary, which benefit from scale economies; and it could induce publishers to demand (and perhaps even pay for!) DRM that is more difficult to hack.
But perhaps it’s worth a try. Unlike the Section 108 Study Group — a body that recommends changes to the part of copyright law that covers libraries, which ironically has little bearing on the issue at hand — it is possible for anyone to submit a request for a DMCA exemption to the Copyright Office without first having to run a gauntlet of copyright industry lobbyists.
If the Copyright Office were to grant such an exemption, it would mean that a library could be free to purchase any e-book — not just those that the publisher decides to license — and lend it to its members on its own terms while respecting copyright. The result would be a better version of “Pretend It’s Print” — in the business model sense, where it counts.
Are Libraries Locked Out of the E-book World? February 27, 2011
Posted by Bill Rosenblatt in DRM, Law, Publishing, Uncategorized, United States. 8 comments
Publishing guru Thad McIlroy was kind enough to link to one of my stories on the e-book DRM scene in an article on his excellent Future of Publishing site. (I have had the pleasure of working with Thad on various projects over the years. Especially when it comes to production and output issues for publishers, he is The Man.) So it’s incumbent on me to return the favor.
In his piece, Thad accuses book publishers and Amazon of effectively colluding to shut out libraries from access to e-books. You can borrow e-books from many public libraries in the United States, but the process is clunky – because it entails using a system provided by a third party, Overdrive – and you can’t read them on a Kindle device or any of the Kindle apps.
On the one hand, de facto (if not necessarily explicit) collusions of this type are far from uncommon; in fact the history of copyright law is littered with such arrangements (read Jessica Litman’s Digital Copyright for a particularly jaundiced view on this). But on the other hand, there are a couple of aspects to this story that Thad didn’t cover. Frankly, his piece had me a bit befuddled, because for a long time I have pointed to e-book lending as one of the actual success stories of DRM, a model that increases consumer choice and convenience.
First of all, Amazon is not the only company with a popular e-book platform. Adobe’s e-book platform works on just about every e-reader except the Kindles (including the Barnes & Noble Nooks and Sony Readers) as well as on PCs, Macs, Android, and so on. The Adobe platform supports library lending and in fact is at the heart of Overdrive’s public library e-book lending service. Moreover, a very recent study indicates that the Kindle’s market share among the e-book reading public has dropped below 50%, mainly thanks to the Apple iPad… and regarding iOS devices’ compatibility with the Adobe e-book platform, yes, there’s an app for that. So, if you want to borrow e-books from your public library, just don’t use a Kindle; you have plenty of other choices.
In addition, there is a legal as well as technological or market-based angle to the problem of libraries in the era of digital content that’s worth discussing. Section 108 of the U.S. copyright law grants libraries and archives rights to content that exceed those granted to people under normal conditions. Among other things, it allows libraries to make copies of copyrighted works for noncommercial lending, as long as those copies are limited in number and afforded adequate protections against infringement.
There are various subtleties to Section 108 and its interplay with other areas of copyright law, not to mention moving-target implications of digital technologies. Accordingly, the law requires a group of interested parties to revisit Section 108 every five years and recommend any changes they deem necessary. The Section 108 Study Group is an analog to the better-known rulemaking on Section 1201, which the U.S. Copyright Office conducts every three years. Section 1201 — enacted as part of the Digital Millennium Copyright Act — is the law against circumventing (hacking) DRM on copyrighted works.
The Section 108 Study Group (in its 2008 incarnation, at least) has 19 members, which are well balanced between copyright-owner and library/archive interests: nine from each side and a neutral “legal advisor” from Columbia Law School.
Section 108 allows a library to make a copy of an e-book and lend it out to the library’s members. Under this law, a library could presumably buy an e-book and lend it out. But if the e-book is packaged with DRM, there are two problems. First, the library is not actually buying a copyrighted work, it is licensing the work; see below. Second, Section 108 doesn’t allow the library to hack the DRM in order to make the copy – not even if the library agrees to re-package the copy in a DRM scheme that lets a specific library patron read the e-book. Such hacking would have to be allowed as an exception to Section 1201, which is the province of the Section 1201 rulemaking, and thus of the Copyright Office, not the Section 108 Study Group. (See, I told you this stuff is subtle and complex.)
Because major publishers require DRM on their e-book releases, this means that libraries aren’t able to exercise rights under Section 108 just as a matter of law. This has given rise to services like Overdrive, which facilitate the licensing of e-books from publishers for library lending purposes.
A license is a contract. The licensing of digital content exists in a legal realm that is separate from copyright law – at least for the moment. The upshot is that publishers are free to choose whether to license their material in e-book form for library lending and to dictate some of the terms of those uses, such as the number of devices on which a given user can read the material, period of lending, or number of times an e-book can be loaned. For example, Simon & Schuster doesn’t license for e-book lending at all, and HarperCollins just introduced a policy to limit the number of loans per licensed e-book to 26, in an apparent move to mimic the lifespan of a physical book in library circulation.
Because libraries and publishers will perpetually disagree on these terms, it helps to have a third party like Overdrive or NetLibrary to act as a buffer or intermediary. Some publishers may also agree to license their content through these services because of the risk that their refusal to do so will cause the Section 108 Study Group to recommend changes in the copyright law that give libraries more latitude in lending digital works. As it is now, the copyright-owner contingent in the Study Group can point to services like Overdrive and NetLibrary as evidence that the market is providing solutions so no changes in the law are necessary.
The last Section 108 Study Group Report (for which I consulted to the Study Group) came out in 2008, which means that the activity in preparation for the next one will take place next year. The next Copyright Office 1201 rulemaking also takes place in 2013. If the members of the 108 Study Group who are on the “library side” want greater flexibility for libraries to lend digital works, they may want to try to get exemptions to the 1201 anti-hacking law for library lending proposed and approved.
If that happens, then Amazon and book publishers definitely will no longer have the “library lock-out” that Thad McIlroy described in his article.
Cricket Wireless Sings the Same Old Song December 21, 2010
Posted by Bill Rosenblatt in Business models, DRM, Mobile, Music, United States. 1 comment so far
Cricket Wireless, a small wireless carrier that spun out of Qualcomm in 1998, announced the imminent launch of a new music service called MuveMusic. The service will launch at CES next month in the Las Vegas area, with other markets to be added later. Unfortunately, the Wall Street Journal’s All Things Digital blog (piece written by Ina Fried of CNet, who ought to know better), Engadget, and other media outlets have fallen for the deceptive hype that this service has created for itself.
MuveMusic calls itself “the first wireless plan with unlimited music included.” It offers a library of millions of tracks from all of the major music companies. This description is misleading. MuveMusic is actually similar to services offered in Europe and elsewhere, such as from Vodafone and other carriers through Omnifone’s white-label MusicStation service. It’s really a paid monthly subscription music service where the US $10/month fee happens to be tacked onto your mobile phone bill instead of paid separately, as with Rhapsody, Napster, MOG, Rdio, etc.
The only “first” about the business model is that it is the first such price-bundling deal to launch in the United States. (Look carefully at the quotes from the music execs in Cricket’s press release and you’ll see that they agree.) And the network offering it is a small one by US standards, with about 5 million subscribers, compared to over 90 million each for AT&T Mobility and Verizon Wireless.
As for the technology, Cricket also claims that the service offers “DRM-free files,” the truth of which — to be charitable — depends on your definition of “DRM.” The files themselves are not encrypted, though they are surely sent over the air to the handset (about which more shortly) using an encrypted protocol. But the files are stored in a secure partition of a special SD card from Sandisk. The files can only play on the user’s handset; capacity is limited to 3000 songs (or about 300 albums); there is no streaming. It’s unclear whether a user can take her SD card to another MuveMusic-licensed handset and play the music there (thereby “lending” the music). Unlike Vodafone’s service and similar ones, the music files cannot be played on users’ PCs.
In any case, this is not new either, but rather reminiscent of Datz Music Lounge, which launched in the UK back in 2008 and has since folded. Datz Music Lounge offered unlimited downloads for £99/year but required users to insert a dongle-like secure USB device into their PCs in order to download music to them.
In fact, MuveMusic files can only be played on a single handset model, the $199 Samsung Suede SCH-r710. Unlike the Omnifone services (or device maker-based bundled services like Nokia’s Ovi Music Unlimited), MuveMusic files can’t be played on users’ PCs at all.
The “DRM-free” claim that so many new content services make is rich in irony for those of us who have been in the field for a while. In the early days of DRM (mid-late 1990s), the term DRM was meant to cover a wide range of technologies for managing rights in a digital environment, only some of which happened to involve encrypting files and controlling their use. Subsequently the press co-opted the term so that it only referred to the narrower, more restrictive technology. Supporters of rights management cried foul.
Now this interpretation has been turned on its head: content services that put limits on content uses can be called “DRM-free” as long as they don’t meet the narrow definition of DRM or don’t use a “brand-name” DRM technology such as PlayReady or Marlin or OMA DRM or Flash Access or Widevine.
Subscription services like MuveMusic need some form of usage restrictions, otherwise they are too easily abused. MuveMusic is no exception; otherwise the majors would not have licensed it. As I’ve said before, the term “DRM” has turned into a pejorative, so subscription services are using the idea of DRM while avoiding (or, in Cricket’s case, outright denying) the term.
No, Cricket Wireless’s MuveMusic is not a “game changer for everyone,” as Ben Bajarin of Creative Strategies amusingly puts it in the press hype. With newer mobile music services offering such features as cloud-based sync among all of a user’s devices, higher-fidelity files, and streaming, all Cricket is really offering is a billing convenience. In all other respects, it’s just singing the same old song.
Google Acquires Widevine December 5, 2010
Posted by Bill Rosenblatt in DRM, Video. 10 comments
Less than a day after I pooh-poohed announcements made by Google’s general counsel about supposed steps the company is taking to enhance copyright enforcement over its services, Google announced a deal to acquire Widevine Technologies, one of the last remaining independent DRM vendors. The price was undisclosed, although Widevine has accrued investments well into the tens of millions of dollars from such companies as Samsung, Cisco, Liberty Global, and EchoStar.
I had known of other companies potentially interested in acquiring Widevine, but Google was never one of them. Yet there are at least three reasons why Google might be interested in owning Widevine. The most obvious, and the one cited by most other pundits, is Google’s need to implement DRM technology that will make Hollywood studios comfortable in licensing content to Google TV. Google TV has not had the warmest of critical receptions since its recent launch, so Google may be thinking that they can’t do without licensed “premium” content after all.
Acquiring a company seems like an overly elaborate way to obtain studio-approved DRM — and indeed, Widevine is on all of the major studios’ approved lists as well as that of the DECE/UltraViolet consortium. Google could have simply licensed Widevine’s technology, as many cable, satellite, and Internet video distributors have already done. Google does have a predilection for developing and owning technologies rather than licensing them from third parties. Yet Google is undoubtedly aware of the difficulties in getting studio approval for content protection technology that isn’t already on their approved lists. Therefore acquisition does seem to be a better alternative than licensing, at least from Google’s perspective.
The second possible reason for the deal has to do with Widevine’s strategic alignment with companies that could complement Google and improve its positioning against competitors in the emerging Internet video space, such as Apple, Amazon, Adobe, and Microsoft. Widevine’s DRM, unlike Apple’s FairPlay or Microsoft’s PlayReady, is supported on a very broad range of consumer devices, from handsets to set-top boxes to PCs. It’s also part of the CinemaNow/Best Buy ecosystem, which would give Google a retail presence to rival Apple’s.
Finally, Widevine offers adaptive streaming video technology that competes with similar technologies from Adobe (which Amazon uses), Apple, and Microsoft. This could be a useful piece of the puzzle for Android and Chrome OS, as well as for Google TV, since TV watchers are naturally less tolerant of “rebuffering” than, say, YouTube watchers. Furthermore, Widevine holds patents covering combinations of adaptive streaming and stream encryption.
In any case, when this deal closes, Google will be unequivocally in the DRM business. It will no longer be able to pretend that it isn’t, even though Google’s e-book technology includes a form of “DRM” by presenting e-books as hard-to-reproduce page images on web pages instead of downloadable files. Google will have to support Widevine’s existing customer base and possibly continue to sell the technology to various types of network operators.
Now that – unlike the relatively inconsequential pronouncements of Google’s GC last Thursday — is a seismic shift in Google’s attitude towards copyright protection and DRM.
The End of the DRM-Sideloading Era December 2, 2010
Posted by Bill Rosenblatt in Devices, DRM, Music, Services. 2 comments
Rhapsody has released new versions of its mobile app for iPhone and Android platforms that enable subscribers to download songs over the air for offline listening as opposed to streaming. This brings Rhapsody into line with Spotify, MOG, and a few other subscription services that offer offline listening on mobile devices. Rhapsody has mobile apps for iPhone, Android, and BlackBerry.
Rhapsody had been one of the primary users of Microsoft’s PlaysForSure DRM scheme for tethered portable devices. With PlaysForSure, users could download music (or video) files onto their PCs and transfer them to certain portable devices via cable. The devices would have to be connected at least once a month to get their DRM licenses updated.
This scheme never worked smoothly. There were always glitches with licenses, especially if you did something like upgrade your PC version of Windows Media Player. And if you had a Mac, you were out of luck.
The new breed of subscription services for mobile devices are able to assume better and faster connectivity, at least up to a point. Therefore they can allow over-the-air downloads as well as streaming, knowing that most users will have decent experiences, even in the relatively mobile-challenged United States.
These services, as I have mentioned before, use DRM for their so-called offline listening modes. Rhapsody lets users set “force offline mode” so that all tracks are downloaded to the user’s handset. The files appear on the device in encrypted form. The value of this type of service for device makers, from the DRM perspective, is that they need not support a DRM (Microsoft Windows Media DRM for Portable Devices in this case) out of the box. The DRM is now included in the software download.
For example, my new Motorola Droid 2 Global runs the Rhapsody app for Android, and it’s registered to my original Rhapsody account on my PC. But it doesn’t show up in the PC Rhapsody app when I connect it via USB cable to my PC. Both devices are on the same account, can view the same library, share playlists, and so on. But there’s no “tethering” to the PC; it’s all done through the cloud.
In all, it’s a superior user experience. Microsoft has considered PlaysForSure a legacy technology for years; Rhapsody’s move to cloud-based authentication is yet another nail in PlaysForSure’s coffin.
Rhapsody only exists in the US market. Its new 2.0 mobile apps do an admirable job of closing the feature gap with Spotify — which has now missed yet another of its projected US launch dates (though Rhapsody Mobile 2.0 has glitches of its own which have nothing to do with DRM).
File-based DRM will become unnecessary in subscription applications like Rhapsody if and when mobile infrastructure becomes fast and reliable enough — and perhaps more importantly, user confidence over streaming rises high enough — to support the true long-held vision of the “celestial jukebox.” When that happens, digital music fans will really have three distinct options: DRM-free file ownership, streaming subscription services, and various flavors of web radio.
Assessing the HDCP Hack September 19, 2010
Posted by Bill Rosenblatt in DRM, Standards, Technologies, Video. 7 comments
Intel confirmed last Thursday that a hack to its High Definition Content Protection (HDCP) link protection scheme for high-def video had been discovered and published online. HDCP is used in Blu-ray players, DVD players, set-top boxes, and other devices to protect high-definition content when it is transferred to other devices, such as TV monitors. After several days of conjecture and dubiously informed blog posts, some facts have become clear that enable us to assess both the nature and impact of this hack.
First, given that Intel designed HDCP in the first place, we can take its word as authoritative. Second, someone either leaked or discovered the master key* that is used within the “root of trust” for the HDCP system, which is the Intel subsidiary Digital Content Protection LLC (DCP). They also figured out a way to use that master key to generate the unique private keys that DCP normally generates per device, which enable HDCP-compliant devices to encrypt and decrypt content.
There are two big differences between the nature of this hack and that of the CSS encryption scheme for DVDs, to which DRM hacks are often compared. First, CSS was so weakly designed that all the hackers had to do was discover a single set of keys which are present on all DVD players; in contrast, HDCP does not actually store its master key on user devices. Hollywood has at least learned that lesson about key management. Instead, the HDCP hack depends on computing device private keys on a per-device basis.
Second, not only is computing device keys harder to do, but it can’t be done in software; it has to be done in silicon. We’ll talk more about this shortly when we discuss the impact of the hack.
HDCP is designed to be able to revoke devices with compromised keys. The hack, once someone actually implements it, makes this task essentially useless. An HDCP ripper would keep generating new device private keys, which the overall HDCP scheme would have to revoke by constantly updating lists of revoked devices that are embedded into HDCP-encrypted content, such as Blu-ray discs. It would be both inordinately expensive and ultimately futile to do this.
Worse, it’s only possible to revoke HDCP device keys, not renew them, as is possible in DRM schemes that take advantage of device connectivity, such as Marlin. This design decision results from the fact that many current HDCP-compliant devices are unconnected devices such as Blu-ray players, and it’s only practical to renew keys over a network (just ask makers of SmartCard-based conditional access systems for cable TV, which have to physically ship new SmartCards if old ones are compromised).
The master key for HDCP, like that of other DRMs, was only supposed to be known to a “root of trust” (central security authority) — in this case DCP. Either the key was leaked or it was discovered.
Researchers in 2001 had found a hack for discovery of the HDCP master key that involves collecting 40 different HDCP-compliant devices and working backwards from their private keys to calculate the master key. The number 40 is a function of the configuration of the cryptographic algorithm that HDCP uses: Blom’s scheme, invented in the early 1980s. It determines a data matrix that would have to be kept in memory, the size of which increases geometrically with the size of the number. So, the choice of 40 was a compromise — inevitable in all DRMs — between security and implementation cost.
The eminent cryptographer Paul Kocher — one of the brains behind the BD+ protection scheme for Blu-ray discs — says that the hack resulted from poor design. But it’s also possible that a DCP insider leaked the key. Even if the latter was the case, the system was designed with the weakness that knowing the master key makes it possible to use it outside of the root of trust environment to create device private keys. This was another choice made in the interest of low implementation cost rather than security.
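The threshold property of Blom's scheme described above, as an added illustration that is not from the original post or from Intel/DCP. It uses constructed toy parameters (a 4×4 master matrix over a small prime field in place of the dimension-40 configuration the post mentions), and all function names are hypothetical.

```python
"""Toy Blom key-predistribution scheme: constructed parameters, not HDCP's."""
import random

P = 2_147_483_647  # prime modulus 2^31 - 1 (constructed toy field)
N = 4              # master-matrix dimension; the post's HDCP figure is 40


def make_master(rng):
    """Authority's secret: a random symmetric N x N matrix over GF(P)."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.randrange(P)
    return m


def device_key(master, ident):
    """Private key vector the authority issues for a public identifier."""
    return [sum(row[j] * ident[j] for j in range(N)) % P for row in master]


def shared_secret(my_key, peer_ident):
    """Pairwise secret: own private key dotted with the peer's identifier."""
    return sum(k * x for k, x in zip(my_key, peer_ident)) % P


def solve_mod(a, b):
    """Gauss-Jordan solve of a * x = b over GF(P); None if a is singular."""
    n = len(a)
    aug = [list(ra) + list(rb) for ra, rb in zip(a, b)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(v - f * w) % P for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def recover_master(pooled):
    """pooled: (identifier, private key) pairs. N linearly independent
    identifiers determine the master matrix; fewer do not (returns None)."""
    if len(pooled) < N:
        return None
    idents = [ident for ident, _ in pooled[:N]]
    keys = [key for _, key in pooled[:N]]
    return solve_mod(idents, keys)  # solves idents * M = keys, M symmetric


def alternative_master(master, idents):
    """For N-1 identifiers, build a different symmetric matrix that would
    issue those devices exactly the keys they already hold."""
    # Find v orthogonal to every identifier, fixing its last entry to 1.
    head = solve_mod([x[:N - 1] for x in idents],
                     [[-x[N - 1] % P] for x in idents])
    v = [row[0] for row in head] + [1]
    return [[(master[i][j] + v[i] * v[j]) % P for j in range(N)]
            for i in range(N)]


def demo(seed=2010):
    rng = random.Random(seed)
    master = make_master(rng)
    idents = [[rng.randrange(1, P) for _ in range(N)] for _ in range(N + 2)]
    pooled = [(x, device_key(master, x)) for x in idents[:N]]
    dev_a, dev_b = idents[N], idents[N + 1]      # devices never examined
    true_secret = shared_secret(device_key(master, dev_a), dev_b)

    recovered = recover_master(pooled)           # N pooled keys: threshold met
    alt = alternative_master(master, idents[:N - 1])  # N-1 keys: ambiguous
    return {
        "recovered_equals_master": recovered == master,
        "derived_secret_matches": shared_secret(
            device_key(recovered, dev_a), dev_b) == true_secret,
        "alt_fits_pooled_keys": all(
            device_key(alt, x) == k for x, k in pooled[:N - 1]),
        "alt_secret_matches": shared_secret(
            device_key(alt, dev_a), dev_b) == true_secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With one key fewer than the matrix dimension, the alternative matrix fits the pooled keys as well as the real one does, which is why the dimension sets the collusion threshold and why it trades security against per-device storage.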
Now let’s talk about the practical impact of the hack. It is just as wrong to suggest, as some have, that the HDCP hack has the same impact on high-definition video as the CSS hack has had on DVDs. Part of the assessment of the strength of the security of a DRM system is that of the fallout when the system is inevitably cracked.
First of all, the impact of the HDCP hack is such that it would be necessary to create chips that implement it. As some have pointed out, a fabrication facility somewhere in China may well be working on just such a chip as I write this, and soon Blu-ray players and other devices with the chip, or standalone HDCP ripper devices, could appear on the black market or outside the United States.
This is a “hardware speed bump” in the sense that someone has to manufacture the devices and sell them, presumably at a profit. Such devices would be illegal in the US and various other countries under anticircumvention law. People would have to find, buy, and use the devices; and the devices would require real-time playback of the video to make the decrypted content available.
In contrast, the CSS hack led to software DVD rippers that anyone could download over the Internet, and the odds of detecting such (also illegal) activity are virtually nil. Furthermore, so-called DeCSS rippers work almost instantaneously and do not require real-time playback. With movies, this is a big difference.
Intel’s stance on the HDCP hack is that it won’t affect their business. You’d expect Intel to say that, but in this case it’s basically true. Unencrypted, uncompressed movies appear on BitTorrent sites now; this process will become somewhat easier for dedicated rippers to do once HDCP rippers become available, but the average BitTorrent user won’t experience much difference.
Let me say this one more time: just because there’s a hack to a DRM scheme does not necessarily mean that every piece of content encrypted with that DRM scheme is suddenly in the clear.
Here is the analogy I like to use to explain this; it is not terribly accurate but illustrative anyway. Let’s say I develop a technique for picking a certain popular brand of combination locks and publish it on a web page. That does not mean that every school locker using that lock is suddenly open and millions of backpacks, sweatshirts and textbooks are stolen. Even leaving aside the fact that a lock-picker has to physically go to each lock and operate on it, taking advantage of the hack may require special skills, special tools, and time to work.
I have not in recent years met anyone in the media industry who believes that any DRM is hackproof. Furthermore, studios treat HDCP and other DRMs as just a few of many tools for keeping consumers buying their content and not infringing their copyrights. Thus, this hack is unlikely to affect the attitudes that Hollywood studios have towards DRM.
*I made a comment on a popular tech blog that there wasn’t a single master key. My comment was incorrect. At the time, I did not properly understand the nature of the hack, and I did not make the distinction between master keys that are actually present on client devices by design (a la DVDs and CSS) versus those that are designed to exist only within the confines of the root-of-trust facility (DCP in the case of HDCP). However, the author of this blog piece also failed to make that distinction and generally under-researched and mischaracterized the hack, in his usual fashion. For that reason, I won’t name the blog or author.
New IEEE Standards Initiative Aims at “Digital Personal Property” July 2, 2010
Posted by Bill Rosenblatt in DRM, Standards, Technologies. 8 comments
The IEEE Standards Association has approved the formation of a new working group, P1817, the Standard for Consumer-Ownable Digital Personal Property. Chairing the working group is Paul Sweazey, an engineer who has been working on this idea for some time. A draft spec of P1817 is available, and the first working group meeting of the initiative will be in Silicon Valley on July 14.
The basic idea of P1817 is as old as the first generation of DRM implementations: to approximate important characteristics of physical media products in the digital world, so that physical-world business models can migrate online. But P1817 follows a different approach to this goal than DRM systems have done so far. Briefly, it binds a “playkey” tightly to an encrypted content file, so that you have to possess the playkey in order to play the content (or more accurately, to decrypt a content key which unlocks the content). So far, so typical; but here’s the difference: a key identification and management scheme sits in the background and ensures that only one user can possess a given playkey at a time.
Contrast this with DRM schemes that incorporate licenses that are bound to devices, such as those used for mobile handsets, like OMA DRM v.1. In this type of scheme, it’s not normally possible for a user to pass the content and the license to another user. In other schemes, licenses cover a set number of devices, such as Apple FairPlay’s limit on the number of PCs, Macs, or iPods that can play an encrypted iTunes file.
With P1817, it is supposed to be easy for users to pass playkeys to others. Owners of content (e.g., those who purchase it online) also get a second playkey, which sits in what amounts to an online rights locker and allows the user to access the content over the Internet from any connected device.
The purpose of this standard is to make it so that purchasers of digital products get rights that are more similar to those embodied in physical products than has been the case with previous DRMs. You can play the content (on a player that supports this scheme) without connecting to a server for license issuance or authentication. You can give your key out to others whom you trust to give it back to you, just as if you would lend or rent out content; the key is tied to the user’s identity so that rights resembling First Sale in copyright law (a/k/a Exhaustion in most countries outside the US) are ensured.
Sweazey positions P1817 as being different from DRM. He says that DRM is good for models like streaming and subscriptions, which preclude consumer ownership of content, while P1817 is explicitly about ownership.
But let’s face it: P1817 is a form of DRM. In effect, it’s a further extension of a theme pioneered around 2001-2 by Microsoft for its e-book DRM (Digital Asset Server): a publisher could select a level of protection whereby the e-book’s cover page contained some valuable personal information, such as the credit card number used to buy the e-book. The idea was that the user would only feel comfortable giving a copy of the e-book to someone whom she trusted with her credit card number. Later schemes, like Light Weight DRM (2003) and Bitmunk (2004), took this a step further by embedding watermarks into the content with personal information.
Yet in none of those cases was the content encrypted, meaning that users could still make copies and give them to people they trust. Paul Sweazey’s scheme encrypts content and thus does not allow this. His idea is to create an environment where content is protected from rampant unauthorized copying and yet consumers feel that they have bought something that they actually own, and are not “licensing” or “renting” or subjecting themselves to periodic “phone-homes” or license checks or renewals.
Nate Anderson of Ars Technica has raised thoughtful objections to the P1817 scheme. One of them was that because it seeks to emulate the physical world, it’s retrograde. But let’s remember that Apple succeeded with the iTunes Music Store by emulating the “retrograde” model of a record store online. People understand record stores; they didn’t understand the other online music models of that era (around 2003), which were as confusing and opaque as early cell-phone usage plans. If “retrograde” means that consumers are more likely to accept it, then it may be a good thing.
Anderson also objected to P1817 because it’s a content encryption system and thus is inevitably going to be hacked — and then what happens? My view is that this isn’t all that important. Just as DRMs can be hacked, so can analog products be copied… potentially with some time, trouble, and cost on both sides. I have never agreed with the copyleft truism that DRMs become worthless (from a security standpoint) if they are hacked.
To me, there are more fundamental questions about this scheme that must be addressed. If you’ve followed my writings closely for a while, you can probably guess the first question I’d ask: who would pay for this? I.e., what type of entity would be motivated to pay for the technology necessary to implement P1817 - which relies on hardware and software in consumer devices as well as servers and authentication infrastructure?
Consumer device and software vendors might be interested in adopting such technology if they are confident that media companies will issue their most important content under this scheme. So let’s start answering the question by looking at different media markets.
The music industry? No. They’ve abandoned DRM for permanent Internet downloads and are distributing individual tracks in unprotected MP3 format; and there’s a trend toward file-sharing rules in music services that still use DRM which are already more liberal than those implied in P1817. Music companies would not see a need for this scheme.
Not Hollywood, either: many movie studios are eager not to enable First Sale (Section 109 of the US copyright law) for digital downloads because they believe it means lost revenue from potential incremental purchases. Fox, for example, is even careful to avoid using the otherwise common term “electronic sell through” (EST) to describe schemes like iTunes movie sales; instead they prefer the term “electronic license,” because it implies that the transfer of content to the user is not a sale of a copyrighted work — a question that is unsettled under current law.
If there is a market for P1817, it has got to be book publishing. With a few minor exceptions, book publishers have only implemented digital business models that emulate physical books. There are no analogs to “streaming” in book publishing, unless you count browser-based platforms such as Google Editions or Amazon Pages (which display page images in web browsers). There are only a couple of subscription e-book services in niche markets: only Safari Books Online (O’Reilly and Pearson) for IT professionals and Disney Digital Books for children come to mind.
A DRM system for e-books that emulates First Sale might actually satisfy publishers. After all, book publishers have lived with First Sale – i.e., with public libraries and used bookstores — for decades or centuries longer than record labels or film studios. They don’t like First Sale in certain market segments, such as textbooks, but otherwise most publishers understand that support of First Sale is key to consumer acceptance of e-books.
The objections people raise to e-book DRM generally fall into two categories: you can’t share e-books, and you can only read them on certain devices. P1817, if done right, solves the first of these problems. But it only solves the second if every device implements it. That isn’t going to happen without economic incentive, i.e., subsidy. And even then it’s a challenge.
Open standards in DRM only stand a chance of success if they have financial backing. The only truly successful open DRM standard is OMA DRM v1, which probably has an installed base of a billion units worldwide by now and has been backed by major handset makers. No DRM has ever been financially supported by content owners.
So, there’s the answer to the fundamental question that should determine the success of Consumer-Ownable Digital Personal Property. To grow and succeed, the e-book market has to navigate between the Scylla of platform monopoly (e.g., by Amazon or Apple) and the Charybdis of platform fragmentation (leading to lack of consumer interest). If book publishers are concerned enough about this — as they should be – then they might just be motivated to find a way of subsidizing implementations of P1817 that doesn’t run afoul of antitrust law.
If Paul Sweazey and his IEEE P1817 compatriots believe this line of reasoning, then their market development task is well-defined — albeit difficult to pull off. As with other standards initiatives, P1817™’s success depends crucially on the types of companies that participate. (Hello, Adobe? Overdrive? Random House? And dare we say it: Amazon? Apple?) We’ll get a clue to this after the July 14 working group meeting. If they do succeed, it would truly be a meaningful new development in DRM technology.
Sonic Solutions to Acquire DivX June 3, 2010
Posted by Bill Rosenblatt in Devices, DRM, Technologies, Video. 2 comments
Sonic Solutions, owners of CinemaNow and various software tools for producing digital media, announced yesterday that it will acquire DivX in a cash and stock deal valued at about US $300 Million. The deal is expected to close by September.
DivX makes a video format that includes proprietary compression and DRM technology and is suitable for delivery on physical media (such as DVDs) as well as through digital downloads. The format is supported on a wide range of consumer electronics, including DVD players, Blu-ray players, set-top boxes, Internet TVs, various portables, and the Sony PS3 gaming console.
Sonic’s relationship with DivX is not new: CinemaNow has been offering a selection of downloadable movies in DivX format since last December (a few other download sites also offer the format). Still, this move represents Sonic’s latest attempt to make the big move from a provider of professional media tools to a serious competitor in the home media marketplace — which is still relatively nascent and fragmented.
DivX has had a tortuous history. It started out in 2000 as a “rebel” format, positioning itself as an outsider to the Hollywood/DVD establishment. The company went public in September 2006, and its fortunes started to turn upward several months later following the departure of controversial founder and CEO Jordan Greenhall.
About half of the major Hollywood studios have licensed DivX. One reason that has been cited is to fill a need for a competitor to Apple, in fear that Apple will dominate digital movie economics the way it has dominated digital music downloads. Whatever the reasons, the virtuous cycle of network effects has benefited DivX, which is now supported on thousands of consumer electronics devices from all of the major manufacturers.
The combination of CinemaNow and DivX should give Sonic a better route into the digital home, which is potentially far more lucrative than Sonic’s original software tool business. Sonic’s strategy also includes its partnership with Best Buy, now the leading standalone retailer of consumer electronics in the US market. But that leads us to a kink in the story: DRM. The CinemaNow/Best Buy partnership has been developing around content protection (and other technologies) from Widevine. It’s possible that Sonic could retain both DRMs, e.g. DivX’s for downloaded content and Widevine’s for streaming. But the two technologies overlap, which could lead to some confusion and some hard decisions.
In the end, Sonic Solutions is gambling that its combination of tools (Roxio), online distribution (CinemaNow), format and CE tie-ins (DivX), and retail (Best Buy partnership) will be synergistic enough to add up to a full digital video ecosystem to challenge Apple and other contenders, including Wal-mart/Vudu, Amazon/Adobe, Blockbuster/Microsoft, and the emerging DECE consortium. In other words, Sonic is betting $300 Million that DivX will not end up among HD-DVD, SACD, DVD-A, ATRAC, and other formats that form the scrapheap of digital media history.
It’s a big gamble, given that six “ecosystems” is about three or four too many for the market to ultimately sustain. But the Internet video industry is far from mature and there’s plenty of room for competitors to establish themselves.

