How DRM Harms Our Computer Security
DRM and the laws that back it up actively undermine our computer security. On this Day Against DRM, the first one since we learned about the US government’s efforts to sabotage the integrity of our cryptography and security technology, it's more important than ever to consider how the unintended consequences of copyright enforcement make us all less safe.
How does this happen? In a misguided effort to “protect” digital media, DRM makes computer users more vulnerable. It does this by inhibiting research on security and encryption, and by devising methods for computers to disobey their owners.
Laws That Prop Up DRM Chill Security Research
DRM on its own is bad, but DRM backed by the force of law is even worse. Legitimate, useful, and otherwise lawful speech falls by the wayside in the name of enforcing DRM—and one area hit the hardest is security research.
Section 1201 of the Digital Millennium Copyright Act (DMCA) is the U.S. law that prohibits circumventing "technical measures," even if the purpose of that circumvention is otherwise lawful. The law contains exceptions for encryption research and security testing, but the exceptions are narrow and don’t help researchers and testers in most real-world circumstances. It's risky and expensive to find the limits of those safe harbors.
As a result, we've seen chilling effects on research about media and devices that contain DRM. Over the years, we've collected dozens of examples of the DMCA chilling free expression and scientific research. That makes the community less likely to identify and fix threats to our infrastructure and devices before they can be exploited.
The Unlocking Technology Act, a bi-partisan bill introduced last year in Congress, would address part of this problem. If passed, the bill would help to bring the DMCA's anti-circumvention provisions into line with common sense: specifically, by limiting the prohibition to situations that would actually lead to infringement. Security research is among the many legitimate and lawful uses that DRM blocks; the Unlocking Technology Act would help make the world safe for those uses.
DRM Requires Computers To Take Orders From Somebody Else
More fundamentally, though, DRM creates a massive security hole by requiring users to give up some control of their own computers. This point is best expressed by EFF Special Advisor Cory Doctorow, who has outlined it in two talks about what he describes as the coming wars over general purpose computing.
As he lays out, people that want to restrict what users can do with their own computers are faced with a problem: there's no way to make a computer that runs every kind of program except the ones regulators don't like. Instead, regulators can push for spyware that observes users and steps in when they're engaged in objectionable behavior—a situation Doctorow likens to the film 2001 and its famous line, "I can't let you do that, Dave."
From Doctorow's talk:
DRM only works if the "I can't let you do that, Dave" program stays a secret. Once the most sophisticated attackers in the world liberate that secret, it will be available to everyone else, too.
... DRM has /inherently/ weak security, which thereby makes overall security weaker.
Certainty about what software is on your computer is fundamental to good computer security, and you can't know if your computer's software is secure unless you know what software it is running.
The public response to Snowden's revelations about computer security has, sensibly, centered on a push for more transparency. More than ever, security tools must be open for inspection and the process of deciding standards must be open to debate. Even when it's not directly creating security debacles like in the case of the Sony rootkit, DRM undermines these goals by requiring secrecy instead.
Proponents of DRM like to dismiss real problems with it as mere inconveniences. But as computers enter—and come to dominate—more and more of the interactions of our life, it's time we acknowledge that making them less safe in the name of copyright restrictions is not something we can tolerate.
- Webinar on Issues with DRM in International and U.S. Law
Recent DeepLinks Posts
Mar 27, 2017
Mar 27, 2017
Mar 26, 2017
Mar 26, 2017
Mar 25, 2017
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- UK Investigatory Powers Bill
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Eyes, Ears & Nodes Podcast
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Shadow Regulation
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games