As more users explore the magical world of Pottermore, J.K. Rowling’s site for all things Harry Potter, we are finding out that the EPUB e-book files it sells may be DRM-free, strictly speaking, but are not devoid of rights technology. Instead of encryption-based DRM, Pottermore is using a watermarking scheme that the Dutch vendor Booxtream markets as “social DRM.”
Users can purchase each Harry Potter e-book title once and download it up to eight times, in multiple formats. That’s a real convenience; it’s a “rights locker” scheme reminiscent of UltraViolet for movies. As I mentioned previously, the Kindle and Nook versions have DRM. The EPUB version that I downloaded is not DRM-protected; instead it contains two things: “This book is watermarked and was acquired by user ec107c00b9577436d6354e54cd9da5c9 on 31 March 2012” on the copyright page, and various bits of data inserted invisibly into images and other places inside the book.
This data ought to be easy to remove without trace. The files appeared on torrent sites very shortly after the Pottermore Shop went live. A programmer with middling skills could write code that detects and removes the data; even if the illustrations in the book were a bit damaged, readers wouldn’t care. Such a hack for Booxtream doesn’t exist yet (at least publicly), but the irony is that if this scheme catches on with more authors and publishers, it surely will.
Such a program would be perfectly legal; it would not violate anticircumvention law such as DMCA 1201 in the United States. It would be what I call a “one-click hack,” like the (illegal) DeCSS rippers that hack the weak CSS encryption on DVDs, which the non-tech-savvy can easily use and which is permanent. In other words, it would impose the same level of effort on users as a format conversion tool, such as the free Calibre, which can (among other things) convert EPUB files to MOBI files for Kindles so that users can get DRM-free Harry Potter titles for their Kindles after all.
Furthermore, even though Section 1202 of the DMCA forbids removing “copyright management information” from files, the watermark does not qualify as copyright management information as defined in the law. This means that under U.S. copyright law, the user is free to apply such a hack.
Some would argue that watermarks are no different from weak DRMs (like CSS) in terms of the “speed bump factor” because both have one-click hacks available. But the fact that watermark removal tools are legal and DRM strippers aren’t makes a difference. DRM strippers must hide in the shadows, but watermark removal tools can exist out in the open. If they are available for free (which seems very likely), then it would be difficult to try to stop them through legal channels. I could even see a watermark removal feature built into a popular application like Calibre, since it’s free and open-source.
Pottermore’s Terms and Conditions forbid altering or removing the watermark data, but this may not mean much. It is possible that copyright law may prevail over such terms; this is a legal gray area.
The legal principle here is First Sale (Section 109 of the U.S. copyright law), known as “exhaustion” outside the U.S. This says that the publisher has no further control over a work once a person has obtained it lawfully. While this law enables libraries, used book/record/video stores, and other such institutions for physical goods, its applicability to digital files is unsettled — although as I said previously in connection with ReDigi, the digital music resale service, both media companies and digital retailers are highly motivated to ensure that Digital First Sale never happens. This Harry Potter case is yet another example of why.
(By the way, an update on ReDigi since I wrote about it last November: EMI sued the company back in January. The following month, the judge in the case denied EMI’s request for preliminary injunction, meaning that ReDigi can keep operating as the case goes to trial.)
This all leads me to question why Pottermore bothered with this watermarking scheme in the first place. It seems rather pointless.
I assume that “user ec107c00b9577436d6354e54cd9da5c9” is an obfuscated version of my user account ID on Pottermore. I also expect that Booxtream lets the retailer use whatever character strings it wants. If Pottermore really wanted to discourage me from infringing the copyright on the e-book, it would put my email address, or even the number of the credit card I used to buy it (which was an option in the now-discontinued Microsoft Reader e-book technology). Even the vehemently anti-DRM publisher O’Reilly & Associates uses a watermarking scheme for its downloaded PDFs that puts the user’s real name on every page of the books.
Instead, Pottermore put a character string that means nothing to nontechnical users, presumably to avoid privacy complaints (which would also encourage hacking), and put it in a single place that most readers ignore. This “social DRM,” at least the way Pottermore has implemented it, is a shy and retiring beast. There is also a standard legalese copyright notice in the e-book, but no one pays any attention to those either.
Given that non-EPUB versions of the Harry Potter e-books have DRM, I suspect that Pottermore would have used DRM if it were possible to have a seamless user experience with EPUB files, as is the case within the Kindle and Nook ecosystems. (Pottermore could have chosen to do without DRM for those formats too, but it didn’t.) The lack of a standard DRM for EPUB integrated with EPUB reader apps makes such an experience unobtainable; hence Pottermore’s use of Booxtream instead of DRM. In other words, Pottermore is not against DRM, but it intentionally traded off the best possible user experience and respect for user privacy against some level of protection.
I fail to understand what behaviors Pottermore is trying to prevent here. Even a plain-language message to purchasers — which involves no technology and costs nothing to implement — would alert them to legal and contractual limitations on use. Instead, the current scheme, with its cryptic message, legalese, and hidden data, doesn’t really alert anyone to anything, let alone prevent anyone from doing anything. At best, it’s a “Gotcha!” for nontechnical users who upload files to places where Pottermore presumably pays Booxtream to look for watermarked files. Those aren’t the users whom Pottermore should be most interested in targeting, and if Booxtream does catch anyone and cause a nastygram to be sent, then backlash will ensue. And isn’t Pottermore trying to prevent backlash in the first place?
Retailers that pay for rights technology ought to get something for their money. Booxtream might be effective if used differently; otherwise I don’t see much benefit to Pottermore for this watermarking scheme.