DRM Anticircumvention for Dummies

I have seen a lot of writings and gotten a lot of feedback regarding the EPUB Lightweight Content Protection (EPUB LCP) scheme I am helping to design for the International Digital Publishing Forum (IDPF), which oversees the EPUB standard.  The criticisms fall into two buckets: DRM sucks, why is the IDPF wasting time on this; the security is too weak, publishers need stronger protection.

Yet these diametrically opposed criticisms have one thing in common: a lack of understanding of how anticircumvention law, such as Section 1201 of the DMCA in the United States, works in practice and how it figures into the design of EPUB LCP.  This lack of understanding is common to both DRM opponents and people from DRM technology vendors.  Anticircumvention law makes it a crime to hack DRMs.

So I thought I would offer some information about the practicalities of anticircumvention law, presented as rebuttals to some of the false assertions that I have heard.  Three caveats are in order: first, the following is going to be U.S.-centric.  That’s because I am most familiar with the U.S. anticircumvention law, but also because the U.S. law is by far the most highly developed through litigation.  Second, I am not a lawyer — nor are any of the people who have talked to me about this.  So if you’re a legal expert and I’m wrong, please correct me.  Third, I’m not an official spokesman for IDPF, and they may have different views.

Assertion: Anticircumvention law doesn’t stop hacks; hacks are going to be available anyway.

Reality: Of course the law doesn’t eliminate hacks, but it does make hacks less easily accessible to people who are not determined hackers.  The law comes down hardest on those who gain commercially from their hacks.  Because of the anticircumvention law, there is not (for example) a “convert from Amazon” option in Nook readers and apps, or the converse in Kindles; instead you have to go find the hack, install it, and use it – something that requires more time, determination, and skill.  (Note that this is a different issue from “DRM doesn’t stop piracy.”  Here I agree: absolutely, there are various other ways to infringe copyright, some of which are easier than hacking DRMs.)

Assertion: DRM systems that aren’t robust don’t qualify for the anticircumvention law.

Reality: This one comes from DRM vendors, which have vested interests in robustness.  To answer this, you need to look at the history of litigation (again, this is a US-centric view). The most important legal precedent here is Universal v. Reimerdes, which was decided in U.S. district court in 2000 and upheld on appeal.  This case was one of several involving the weak CSS encryption scheme for DVDs.  The defense asked the court to find it not liable because CSS was too weak to meet the definition of “effective” in “technological measure [that] effectively controls access to a work” under the law. In his opinion, the judge explicitly refused to establish an “effectiveness test” by deciding this issue.   I know of a couple of cases that attempted to revisit this issue but were dropped.  The effect, at least for now, is that any DRM that’s as strong (i.e. weak) as CSS, or stronger, should qualify for protection under the law.

Assertion: The IDPF intends to sue hackers as part of the EPUB LCP initiative.

Reality: Not true at all.  The IDPF is not even in a position to facilitate litigation the way the MPAA and RIAA do.  (For one thing, it’s an international body, not a national one.)  If any organization is going to facilitate litigation, it would be the Association of American Publishers (AAP) in the U.S., which has not been involved in the EPUB LCP initiative.  More generally, it may help to explain how the litigation process works in practice.  Copyright owners do the suing; they are the actual plaintiffs.  They will only bother to sue under the anticircumvention law if they see hacks that are being used widely enough to cause significant infringement and/or the supplier of the hack is making money from the hack.  So as a practical matter, a hack that “sits in the shadows” as described above is unlikely to be used widely enough to draw a lawsuit.

Assertion: Users get sued for using hacks.

Reality: Although the law does provide penalties for using as well as distributing hacks, individual users have never gotten sued for using hacks (or for creating hacks for personal use only).  Users have been sued for copyright infringement; if you hack a DRM, you may be infringing copyright.  Only those who make hacks publicly available have ever been sued for DMCA 1201 violations.

Assertion: This is a US matter and irrelevant elsewhere in the world, especially now that ACTA is dead in Europe.

Reality: As mentioned above, the interpretation of “effectiveness” is a US-centric one that may or may not apply elsewhere.  But otherwise, this statement is also incorrect.  Anticircumvention law is on the books today in most industrialized countries, including EU member states (resulting from the European Union Copyright Directive of 2001), Australia, New Zealand, Japan, Singapore, India, China, Brazil, and a few others; South Korea and Canada should get anticircumvention laws soon.


  1. I’ve been mostly encountering examples of “DRM sucks, why is the IDPF wasting time on this?” It brings home the challenge that DRM is generally not perceived as supporting variants. For most observers either there is DRM or there isn’t; the word “lightweight” can’t be used in the same phrase.

    The media these days seems to be failing in the department of subtle nuance (which is a part of what made the deep and thoughtful David Lowrey post so bracing). I fear that the IDPF is on its own with EPUB Lightweight Content Protection, which is not to say that it’s a bad idea.

  2. Thad,

    Unfortunately it’s not just a question of “The media … failing in the department of subtle nuance.” It’s the general acceptance of the use of the term DRM to describe anything that restricts techies from being able to do anything. The funny-shaped screws on Apple portables and glue holding I-forget-which products together are “hardware DRM.” DRM is blamed for platform lock-in when other unrelated technologies contribute to lock-in as well.

    The IDPF scheme is not called DRM per se, but the descriptions of it in documents don’t avoid the term — mainly because that would just invite further derision; the best way to ensure that something gets called DRM in the techblogosphere is to say “this isn’t DRM” (Best recent example: Intel Insider) or to try to circumlocute it or rebrand it as another term.

    Two ironies are worth noting here. First, back in the 1990s, the term DRM originally had a broader meaning than “systems for encrypting files” — it was meant to apply to any technologies that manage rights, including databases of rights information for purposes of permissions or royalty payments. The media commandeered the definition to “systems for encrypting files” because that was the part of it that affected consumers; now the definition has been re-broadened but in a different way.

    The second irony is that there is one big exception to my rule above about saying “this isn’t DRM.” It comes from none other than that master of reality distortion, Steve Jobs. When Apple removed DRM from music files to stave off competition from Amazon, Jobs saw a PR opportunity. The reality is that the iEcosystem locks consumers in, in various ways, without DRM; and with 70+% market share, Apple didn’t need DRM anymore anyway. So, Jobs got to say “this isn’t DRM” about his platform lock-in system and get away with it.

  3. Some good coverage on both sides of the issue:

  4. Thad,

    You call that article “coverage on *both* sides of the issue?” Oh please.

    The article is monumentally biased. The author had his conclusion in mind and then backfilled it with cherry-picked quotes and dubious assertions. There’s no quote from any publisher defending their continued use of DRM. There’s no quote from any DRM vendor. He cites an academic study which is merely hypothetical and does not contain a shred of actual data, and quotes one of the study’s authors making a statement (that digital music sales rose because of going DRM-free) that if he had bothered to check with anyone in the music industry, he would have found completely baseless.

    Yet this article proves my point brilliantly by saying “Another perhaps even more controversial form of DRM is the ebook formatting—Mobipocket, Topaz, EPUB and PDF—that retailers and publishers currently employ.” So now formats are DRM… even EPUB!!! So much for Steve Jobs’ reality-distortion field…

  5. Well, with your response we’ve now got the other side! 🙂
