Closed, Proprietary, Felonious: The Toxic Rainbow of Locked Technology

DEEPLINKS BLOG
December 20, 2018

When is software free? Is it enough that the software be licensed under a free or open license? What about patents? Software as a service? Trade secrets? What about DRM? Is software ever free?

There's a saying in the software freedom movement: "if you can't open it, it's not yours." That is, if you can't run it, study it, improve it, and distribute it, then your technology isn't free. It's closed, proprietary, un-free.

When software was first invented, it wasn't considered to be a copyrightable work; it was something more like math, a collection of utilitarian facts. A series of acts of Congress and court decisions in the 1970s and 1980s gradually and firmly moved software into the realm of copyrightable "literary works" and in reaction, Richard Stallman started the Free Software movement, with the goal of halting and reversing the encroachment of un-freedom on software.

The early free software licenses focused on clearing copyright claims, giving software authors a boilerplate legal tool to give away many of the exclusive rights that copyright automatically conferred upon them, retaining just enough copyright to prevent others from locking up the code they'd made free.

Then came software patents: the Supreme Court held in 1972 that most software couldn’t be patented, but softened that line in 1981, and then in 1996, the US Patent and Trademark Office issued new guidance putting software patents back on the table -- and since the Patent Office has long made a practice of granting patents with only the most cursory of prior-art checks (or common sense), it wasn't long before every obvious technology idea imaginable had been patented, sometimes several times over by different patent-holders.

Patents have proved thornier than copyright for software freedom. Between the sheer volume of software patents and the deliberately impenetrable argot in which patents are written, it can be nearly impossible to know if someone holds a patent over something you're trying to do with software. It's not enough to make contributors to free software projects promise that they're not inserting code that violates their own patents -- it's not even enough to license patents that you know about! With the chaos that the USPTO has created by granting so many low-quality, unreadable patents over software, you can never be sure that you're not infringing a patent.

To make things worse, patent trolls actively seek out these overbroad, low-quality patents and then threaten people who may or may not be violating them, asking for "license fees" that are calculated to always be just a little less than it would cost to go to court to contest them. These shakedown artists mean that no one is safe from a bogus patent-threat.

Just as the free software movement was wrestling with all this, there came a new challenge to software freedom: software-as-a-service, in many guises, including "cloud services" and "client-server systems." This is software that users can't run solely on their own computers; rather, your computer has to communicate with a remote server where key components live. The code that's running on those servers may be licensed as free software, and it might be free of patent encumbrances, but you still can't freely use it, because you can't set up your own server. There are many reasons why people use remote services, including convenience and security considerations, but in doing so they give up the ability to understand and modify some of the software they use.

In many cases, you can't even try to set up your own server. Cloud companies routinely require users to click through "license agreements" and "terms of service" that ban them from attempting to figure out how the server works so they can make their own. These license agreements can have teeth: the Reagan-era Computer Fraud and Abuse Act (CFAA), a vague and badly-written law, has been misused to turn terms-of-service violations into federal civil or criminal claims. People who've tried to make their own servers so they won't be beholden to a distant corporation have faced bitter legal disappointments.

It's hard to overstate the extent to which the CFAA, combined with the trend towards cloud services, has sucked the freedom out of free software. As Benjamin "Mako" Hill said in his 2018 keynote at the LibrePlanet conference, cloud computing has allowed corporations to steal all the software freedom from users, while still preserving it for themselves.

Between copyrights, patents, and terms of service, it can be very hard -- even impossible -- to be 100 percent certain that the software you're using is truly "free": that is, that you are allowed to run it, study it, improve it, and circulate it. Even writing your own software from scratch is no guarantee that it will be free; there's always the chance that some patent troll will come after you with a claim that could tie you up for years.

But there's another kind of un-freeness – a whole different realm of badness: the un-freeness that comes with "Digital Rights Management" (DRM).

DRM is a class of technologies that, broadly speaking, try to limit how you use your computer: from your DVD program that refuses to play discs bought overseas; to your iPhone or Xbox that won't let you run software unless it comes with the manufacturer's stamp of approval; to the code in your printer that enables it to refuse third-party and refilled ink cartridges.

DRM comes with its own legal protections: Section 1201 of the Clinton-era Digital Millennium Copyright Act bans tampering with, removing or weakening "access controls" for copyrighted works, including the copyrighted software embedded in devices from pacemakers to tractors to cars to voting machines. Under 1201, "trafficking" in tools (or even knowledge!) that enable people to bypass DRM is a potential felony, punishable by a five-year prison sentence and a $500,000 fine (for a first offense!).

This is a whole different realm of badness. This isn't like, say, patents: a patent bans you from using a specific "method" or "invention," but these patents also have to explicitly describe the inventions and methods, and if you can figure out how to do the same thing in a different way, the patent doesn't apply.

It's not like copyright, either: copyright has important limits, like "first sale" (which says that after a rightsholder sells or gives you a copy, they can't control how you use that copy: you can sell it, study it, or dispose of it) and "fair use" (a broad spectrum of activities that copyright permits, including transformative use, quoting, and reproduction for criticism and analysis).

The powers in DMCA 1201 are their own species of monster. They are routinely used to threaten, intimidate, and silence security researchers who discover defects in widely used products, meaning that your ability to learn that you're trusting your privacy, finances, physical safety or democratic elections to a defective system is contingent on the manufacturer of the system being willing to let someone make a truthful disclosure about their stupid mistakes.

DMCA 1201 ensures that no one can get funded to make devices that do lawful things (like unlocking your phone, or replacing a part in your car engine, or ripping your DVDs), giving companies control over their competitors.

DMCA 1201 helps companies force silence on investigators who find defects in their products, giving them control over their critics.

And DMCA 1201 deprives you of the tools to reconfigure your devices to work to your benefit (rather than the benefit of the manufacturers' shareholders), giving companies control over their customers as well.

Competitors, critics and customers: no other rule gives corporations more ways to force everyone else in the world to act to enrich them, even at our own expense.

Now, of course, companies rarely use just one of these locks on their products. Your iPhone has DRM to lock you out of enabling third-party app stores; it has a license agreement that bans you from trying; the software on it is copyrighted and you can't legally distribute modified versions that allow third-party apps, and the information about the processes and negotiations that govern how your phone interacts with your carrier and the manufacturer is not available to you.

Modern electronic gadgets are a toxic rainbow of bad tech policy, but not all of them encompass the entire spectrum of badness.

Here's a good example: MQA is a proprietary audio format aimed at audiophiles. The company controls the ability to encode songs into the format, and licenses playback technology to a variety of companies.

There has been some controversy over whether MQA contains DRM. The format's creator, Robert Stuart, holds patents that describe a DRM system called "Versatile music distribution," and one researcher who examined a player in the field discovered inactive DRM code in it.

Stuart told me that his team "abandoned" its DRM patent, along with the idea of putting DRM in the format after his "team investigated several topics prompted by questions from the creative community relating to secure workflows for pre-release and distribution of music."

But audiophiles I spoke with are still skeptical. They weigh MQA's insistence that there is no DRM in the system against its proprietary technologies and secretive practices and conclude that they're being asked to take something on faith when there's no good reason not to prove it.

It's not an unreasonable position. Many DRM technologies are licensed to manufacturers on condition that their products be "renewable" -- that is, that they can be field-updated by the DRM vendor. Even if MQA doesn't have DRM now, the presence of vestigial DRM code suggests that it's not out of the question for the company, and if MQA's license terms require renewability, then MQA could turn on DRM at a later date, after updating all the players in the field to support it. That would let them lure in customers who hate DRM, and then surprise them by remotely adding DRM to their players after they have sunk a lot of money into proprietary music that will only play on an MQA player.

And yet, MQA denies that they have a "renewability" clause in their vendor contracts. They also say that the production version of the MQA file format does not support DRM. And they say that there is no "robustness" requirement that forces manufacturers to design their equipment to resist "end-user modification" (a common license requirement with DRM systems).

But you have to take MQA's word for it: unlike most of the media formats you use -- video, ebooks, audio, text, presentations, spreadsheets, web-pages, etc -- MQA's file format is a secret, a trade secret. And unlike other proprietary systems you use: DRM'ed movies, say, or DVDs, or iPhone Apps, the contracts that manufacturers have to sign to implement MQA are also a secret.

Stuart explained his company's rationale for this secrecy. On license terms, he told me that "[b]ecause we work very closely with our licensees to optimize the audio performance, a mutual non-disclosure agreement is needed." In a followup, he added, "Our licenses are tailored to the partner’s needs, their position in the supply chain or use-cases. This is very much in line with industry practice."

On secrecy for the format, he told me, "MQA is a ground-breaking audio technology. We license patents and know-how and trademarks and don’t currently see any commercial benefit in publishing more than we have done to date."

So the upshot is that MQA is patented, involves copyrighted code, terms of service, and trade secrets, but (probably) not DRM. That means that your ability to enjoy the MQA music you buy is completely at the mercy of the company, which could change the format at some later date and enjoin manufacturers from continuing to support the music you've purchased.

Your decision to trust the company can't be informed by transparency in its licensing terms, either: maybe the company has promised its licensors that it would never force them to orphan your music -- and maybe it hasn't. It could easily prove this one way or another, but it won't, and while the company claims this is a widespread practice in its industry, it is certainly not common practice in any of the other audio (or other media) you're likely to own.

But MQA does not (at the moment) contain DRM, and that means something. You can audit an MQA player and freely report on the defects you find there. You can reverse-engineer the file format and publish it, and you can examine the patents and find ways to decode the files and play them back that do not overlap with MQA's patents. And, importantly, any trouble you get into with MQA is far more likely to be a civil matter than a felony: you might get sued by MQA for trying to open its format, but you're probably not going to get threatened with a jail sentence.

MQA touts its "proprietary" nature and its portfolio of patents as reasons to buy the technology, so it's a fair assumption that these don't bother the majority of its customers. You may not make the same choice, but that disagreement is less urgent than it would be if DRM was in the picture: it's one thing to buy a product someone else thinks is a bad investment, but it's another altogether to entrust your digital security to a product that can only be audited with permission from the manufacturer.
