How DRM Harms Our Computer Security
DRM and the laws that back it up actively undermine our computer security. On this Day Against DRM, the first one since we learned about the US government’s efforts to sabotage the integrity of our cryptography and security technology, it's more important than ever to consider how the unintended consequences of copyright enforcement make us all less safe.
How does this happen? In a misguided effort to “protect” digital media, DRM makes computer users more vulnerable. It does this by inhibiting research on security and encryption, and by devising methods for computers to disobey their owners.
Laws That Prop Up DRM Chill Security Research
DRM on its own is bad, but DRM backed by the force of law is even worse. Legitimate, useful, and otherwise lawful speech falls by the wayside in the name of enforcing DRM—and one area hit the hardest is security research.
Section 1201 of the Digital Millennium Copyright Act (DMCA) is the U.S. law that prohibits circumventing "technical measures," even if the purpose of that circumvention is otherwise lawful. The law contains exceptions for encryption research and security testing, but the exceptions are narrow and don’t help researchers and testers in most real-world circumstances. It's risky and expensive to find the limits of those safe harbors.
As a result, we've seen chilling effects on research about media and devices that contain DRM. Over the years, we've collected dozens of examples of the DMCA chilling free expression and scientific research. That makes the community less likely to identify and fix threats to our infrastructure and devices before they can be exploited.
The Unlocking Technology Act, a bi-partisan bill introduced last year in Congress, would address part of this problem. If passed, the bill would help to bring the DMCA's anti-circumvention provisions into line with common sense: specifically, by limiting the prohibition to situations that would actually lead to infringement. Security research is among the many legitimate and lawful uses that DRM blocks; the Unlocking Technology Act would help make the world safe for those uses.
DRM Requires Computers To Take Orders From Somebody Else
More fundamentally, though, DRM creates a massive security hole by requiring users to give up some control of their own computers. This point is best expressed by EFF Special Advisor Cory Doctorow, who has outlined it in two talks about what he describes as the coming wars over general purpose computing.
As he lays out, people that want to restrict what users can do with their own computers are faced with a problem: there's no way to make a computer that runs every kind of program except the ones regulators don't like. Instead, regulators can push for spyware that observes users and steps in when they're engaged in objectionable behavior—a situation Doctorow likens to the film 2001 and its famous line, "I can't let you do that, Dave."
From Doctorow's talk:
DRM only works if the "I can't let you do that, Dave" program stays a secret. Once the most sophisticated attackers in the world liberate that secret, it will be available to everyone else, too.
... DRM has /inherently/ weak security, which thereby makes overall security weaker.
Certainty about what software is on your computer is fundamental to good computer security, and you can't know if your computer's software is secure unless you know what software it is running.
The public response to Snowden's revelations about computer security has, sensibly, centered on a push for more transparency. More than ever, security tools must be open for inspection and the process of deciding standards must be open to debate. Even when it's not directly creating security debacles like in the case of the Sony rootkit, DRM undermines these goals by requiring secrecy instead.
Proponents of DRM like to dismiss real problems with it as mere inconveniences. But as computers enter—and come to dominate—more and more of the interactions of our life, it's time we acknowledge that making them less safe in the name of copyright restrictions is not something we can tolerate.
- Webinar on Issues with DRM in International and U.S. Law