The Year We Went on Offense Against DRM: 2016 in Review
A decade ago, DRM seemed like it was on the ropes: it had disappeared from music, most video was being served DRM-free by YouTube and its competitors, and gamers were united in their hatred of the technology. But by 2016, DRM had come roaring back, finding its way into voting machines, insulin pumps, and car engines.
Like all invasive species, DRM is hardy, and in the years since the mid-2000s, it has gone on to colonize nearly every category of software-enabled device, from thermostats to voting machines to cars and tractors to insulin pumps. Companies have worked out that since section 1201 of the Digital Millennium Copyright Act provides penalties for breaking DRM, they can simply design their products so that using them in ways that the manufacturer dislikes requires breaking DRM first, and then they can claim that using your property in ways that displease the company that made it is a literal felony.
Companies use DRM to force you to pay extra for repairs at their authorized service centers, or to buy their official consumables—everything from printer ink to detergent for automated cat-litter boxes—or to control which software will run on your device, forcing you to download only from an official, controlled "app store."
Every business has a mix of legal rights—like Netflix's right against infringing distribution of its videos—and commercial preferences—like Netflix's wish that you will only use its "offline viewer" to watch videos later, and not a third-party recorder that lets you take your videos on any device of your choosing. By adding DRM to their products, companies can convert those commercial preferences into legal rights—they can claim that it's illegal to arrange your affairs in ways that are suboptimal for their investors.
Worst of all, companies claim that basic security research—finding and disclosing defects in products that threaten their users' safety and privacy—is also a violation of the law against breaking DRM. If you know about a defect in a product, you might be able to exploit that knowledge to figure out how to get around the DRM.
In 2015, the U.S. Copyright Office held its regularly scheduled triennial hearing about DMCA 1201, and the world's top security researchers described the bewildering constellation of devices they've discovered to be unfit for service, but whose defects they cannot disclose because of the DMCA. The result was a set of short-lived, symbolic—but nonetheless vindicating—exemptions to DMCA 1201, and in 2016 we've built on that victory, and we're going to kill all the DRM in the world, forever.
We're fighting DRM on many fronts. We've built an unprecedented coalition to beat back DRM in the core standards for the Web, we're using consumer regulations to push for DRM labeling on products, and building coalitions with security researchers, entrepreneurs, service and repair professionals, and international groups involved in this fight.
It all comes under the banner of a project called Apollo 1201, whose mission is to end all the DRM in the world in a decade.
We're in the right time at the right place. Some 20,000 EFF supporters signed our letter to Hewlett-Packard after the company pushed a fake "security update" that actually turned on DRM used to force printer owners to buy HP ink. These were the leading edge of a massive wave of people who are figuring out that their toaster is one next-generation computer vision system away from rejecting unauthorized bread and their dishwashers need only a simple RFID reader to begin rejecting third-party dishes.
The good news is that DRM is such a disaster in so many ways—so bad for consumer rights, so bad for innovation, so bad for security—that the coming opposition will come from many fronts, and we'll be there, leading the charge.
This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2016.