Digital Rights Management and Technical Protection Measures
There has been recent media coverage of the use of rootkit-like techniques as a technical protection measure in music CDs (Sony XCP) and movie DVDs (Settec Alpha-DISC). This has focussed public attention on the subject of digital rights management (DRM), and in particular technical protective measures (TPM), from both a security and privacy perspective. What is digital rights management? What are technical protection measures? How do they work and why are they a concern?
This paper is not intended to debate the merits of using technical protection measures to implement digital rights management, or to discuss concepts such as “fair use”. The use of TPMs, however, can seriously affect the privacy rights of individuals, and by invading their privacy and reporting on their behaviour, impact other civil liberties such as freedom of association and freedom of expression. While rights holders have a perfectly legitimate view of the matter, it is also reasonable to expect them to enforce their rights only in a way which respects individual privacy rights.
What is Digital Rights Management?
Digital rights management (DRM) is a catch-all term referring to any of several technologies used to enforce pre-defined limitations on the use and transfer of copyrighted digital content. The content most commonly restricted by DRM includes music, visual artwork, computer and video games and movies, but DRM can be applied to any digital content. First-generation DRM software merely sought to control copying. Second-generation DRM schemes seek to control viewing, copying, printing, altering and everything else that can be done with digital content.
The term digital rights management is often confused with terms such as copy protection, copy prevention, and copy control. Digital rights management is a more general term because it includes all manner of management of works, including copy restrictions, but copy protection/prevention/control may include measures that are not digital in nature (e.g., use of access codes to limit use of photocopiers). In addition, DRM usually includes a set of legal permissions, frequently expressed as a licensing agreement, which establish what one can and cannot do with the work.
The term digital rights management is also confused with the term technical protection measures (TPM). This term refers to technologies that control and/or restrict the use of and access to digital media content on electronic devices with such technologies installed. Increasingly, DRM relies on TPMs to implement these controls and restrictions.
Examples of TPM
A number of TPMs have been proposed over time, usually with limited success (either because they were not widely adopted or because someone eventually figured out how to circumvent them). Some of the schemes proposed include:
- the use of a dongle - a piece of hardware containing an electronic serial number that must be plugged into the computer in order to run the software;
- the use of a registration key - a series of letters and numbers that is requested when installing or running the program. The software refuses to run if the registration key is not typed in correctly, and applications used by several people at once (e.g., multiplayer games) will refuse to admit a second copy that presents a registration key already in use;
- the use of Internet product activation, which requires the user to connect to the Internet and type in a serial number so the software can “call home” and notify the manufacturer who has installed the software and where, and prevent other users from installing the software if they attempt to use the same serial number;
- the use of encryption, such as the Content Scrambling System (CSS), to make copying of DVDs more difficult. In these schemes, the work is encrypted and can only be decrypted with keys held by “authorized” players (in the player’s firmware or software), allowing only “legitimate” uses of the work (usually restricted forms of playback, but no modification or conversion); and
- the use of digital watermarks. A digital watermark is a digital signal or pattern inserted into a digital image, audio or video file. A given watermark may be unique to each copy (e.g., to identify the intended recipient), or be common to multiple copies (e.g., to identify the document source).
Legitimate users may well be inconvenienced by these TPMs, as anyone who has had to find and type in a lengthy product code to re-activate a software program can testify. Fighting the theft of intellectual property must be balanced with how much inconvenience a customer is willing to tolerate, and so we are seeing a movement towards TPMs which operate without too much user participation. In the Sony Rootkit incident, the company appears to have strayed rather far over to the other extreme, since most users were unaware of what was going on at all.
It is clear that we are moving into an era of distributed intelligence, where hardware that used to be purely mechanical in nature, such as printers, now has processing, storage and communications capabilities and is, or soon will be, connected to the Internet. This allows devices to get instructions from someone other than their legitimate owners. Enterprising companies are keenly interested in getting feedback on the use of their products through the use of transactional data, so it is safe to say that in the next few years we will see a trend to more and more devices “phoning home” to give useful information about consumer behaviour to the manufacturer or rights holder. Software already routinely phones home to get automatic updates, and consumers are correctly sensing a loss of autonomy and control. Clearly this has implications for privacy and, more broadly, for trust in the new digital world in which we live. A mistake in one area of the economy will have a ripple effect in other areas. Thus the recent stories about rootkit technology, used as a technical protection measure, may have a lasting impact on consumer trust, just as the “cookies” scandal involving DoubleClick did in 2000.
A TPM ‘Gone Bad’ - The Sony XCP Incident
In October 2005, a security researcher discovered that new software had been installed on his computer after playing a Sony copy-protected music CD. The software in question is called Extended Copy Protection (XCP) and is a DRM tool intended to prevent unauthorized copies of the CD from being made. The creator of the copy-protection software is a British company called First4Internet (http://www.first4internet.com). Sony also used a second copy-protection product, called MediaMax, which is written by SunnComm International Inc. (http://www.sunncomm.com/index_flash.html).
The problem that made this a media issue is that the copy-protection software used a sophisticated cloaking technique that involves a “rootkit” – a concealment technique that is not malicious in itself, but is commonly used by virus writers to hide every trace of their work on a computer. XCP also remains active in the background of a computer, taking up a small amount of memory, even when the CD is not being played.
What is a Rootkit?
Rootkit software has been around for over a decade but has recently come to increased prominence as more writers of viruses and the like adopt it for their purposes. A rootkit is a set of tools that an attacker who has already gained unauthorized access to a computer system installs in order to keep that access, generally through the creation of backdoors, and to hide the fact that the system has been compromised. Once the attacker has this foothold, they can download sensitive information from the machine or turn it into a zombie used to mount denial of service attacks on other systems. Other exploits have included key loggers and sniffers to capture passwords and financial information. The most dangerous rootkits dig deep into a computer’s operating system to hide the fact that certain software files exist or that the computer is performing certain functions. Because they intercept the very system calls that security tools rely on to list files and processes, they are generally invisible to virus-checking and anti-spyware products.
In the case of XCP, active attempts were made to misuse the rootkit mechanism with the release of Trojan horse programs designed to exploit flaws in the software. The XCP cloaking driver hides any file, process or registry key whose name begins with the prefix “$sys$”, regardless of who created it. The Trojans, named Troj/Stinx-E and Stinx-F, arrived as an attachment to an e-mail. If the attachment was opened and run (usually simply by double-clicking on the attachment icon), the Trojans copied themselves into a file with that prefix, which was then hidden by the rootkit in the Sony copy-protection software. This made the Trojan invisible on computers on which a CD carrying the rootkit had been played.
According to some security researchers, this strain of Trojans then opened a backdoor channel to a remote host, similar to the one a fully-fledged rootkit would normally create. The strain is also apparently capable of being instructed remotely to delete, download, and execute files. It automatically adds itself to the “whitelist” of allowed programs in Windows Firewall, circumventing the ability of the firewall to stop the malicious package from accessing the Internet.
While SonyBMG eventually issued a patch to remove the rootkit, the patch itself was poorly written and created its own security and privacy risks. To get the uninstaller program, users had to fill out online forms, surrendering even more personal information in the process. Once the forms had been submitted, users downloaded and installed a program designed to get the computer ready for the fix; this program essentially left the computer open to the downloading and installation of any code, including malicious code, from the Internet. There was no mechanism in place to ensure that the code being downloaded and installed came from a trustworthy source (i.e., SonyBMG or First4Internet). It is also important to note that the rootkit could have infected any machine on which the CD was played, so an owner would need to contact anyone who had borrowed the disc, as well as anyone whose computer she herself had used to play it.
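The missing mechanism the paper describes, the check that downloaded code really comes from the vendor, is straightforward to build. The following Go program is an added example written for this page; it is not SonyBMG’s or First4Internet’s code, and the package format, function names and sample payload are all assumptions made for illustration. It pins the vendor’s public key in the client and refuses any “preparation” package whose detached signature does not verify under that key, placing the paper’s accept-anything behaviour beside the checked version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is what a "prepare for the fix" download would carry if it
// were done properly: the code itself plus a detached signature over it.
// (Hypothetical format for this example.)
type UpdatePackage struct {
	Code      []byte
	Signature []byte
}

// ErrUntrusted is returned for any package that does not verify under the
// public key the client already holds.
var ErrUntrusted = errors.New("update rejected: signature does not verify under the pinned vendor key")

// SignUpdate is the vendor-side step (hypothetical helper): sign the code
// with the vendor's private key, which never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, code []byte) UpdatePackage {
	return UpdatePackage{Code: code, Signature: ed25519.Sign(priv, code)}
}

// InstallUnverified mirrors the behaviour the paper criticises: whatever
// arrives over the connection is handed to the installer. A tampered or
// substituted package is accepted exactly like a genuine one.
func InstallUnverified(pkg UpdatePackage) ([]byte, error) {
	return pkg.Code, nil
}

// InstallVerified only releases code to the installer if the detached
// signature checks out under the public key that shipped with the client.
// Neither the transport nor the download site has to be trusted: a modified
// byte, or a signature made with anyone else's key, is refused before
// anything runs. The length check keeps ed25519.Verify from being handed
// malformed input.
func InstallVerified(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, pkg.Code, pkg.Signature) {
		return nil, ErrUntrusted
	}
	return pkg.Code, nil
}

// Scenario exercises the three cases a practitioner cares about and reports
// whether each ended as it should: genuine accepted, tampered refused,
// foreign-signed refused. The fourth result records that the unverified
// path happily runs the tampered package.
func Scenario() (genuineOK, tamperedRefused, foreignRefused, unverifiedRanTampered bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample payload standing in for the real preparation program.
	genuine := SignUpdate(vendorPriv, []byte("constructed preparation program v1"))
	if _, e := InstallVerified(vendorPub, genuine); e == nil {
		genuineOK = true
	}

	// An attacker on the path alters the payload but keeps the vendor's signature.
	tampered := UpdatePackage{
		Code:      append([]byte("MALICIOUS:"), genuine.Code...),
		Signature: genuine.Signature,
	}
	if _, e := InstallVerified(vendorPub, tampered); errors.Is(e, ErrUntrusted) {
		tamperedRefused = true
	}
	if _, e := InstallUnverified(tampered); e == nil {
		unverifiedRanTampered = true
	}

	// An attacker signs their own package with their own key.
	_, attackerPriv, e := ed25519.GenerateKey(rand.Reader)
	if e != nil {
		err = e
		return
	}
	foreign := SignUpdate(attackerPriv, []byte("totally legitimate fix"))
	if _, e := InstallVerified(vendorPub, foreign); errors.Is(e, ErrUntrusted) {
		foreignRefused = true
	}
	return
}

func main() {
	g, t, f, u, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\ntampered refused: %v\nforeign key refused: %v\nunverified path ran tampered code: %v\n", g, t, f, u)
}
```

The design point is where the trust lives: the pinned public key travels with the original software, so the download site, the forms and the network in between can all be hostile without the client running anything the vendor did not sign. Key rotation and revocation still have to be planned for, but that is a far smaller problem than accepting arbitrary code.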
Security and Privacy Concerns
A number of privacy concerns arise with the use of TPMs, especially those that are based on rootkit technology. These include:
- Failing to give adequate notice that these technologies are being used and failing to obtain informed consent from users;
- Automatically installing files even when users choose not to run the application. Although users may be presented with terms and conditions that refer to software installation before launching the CD, it appears safe to assume that few, if any, realize that doing so could result in a security and potential privacy risk;
- Requiring users to reveal their identity and rights to access protected content, thus preventing the anonymous consumption of content;
- Facilitating the profiling of users' preferences or limiting access to certain content. This is done by assigning an identifier to content or to the content player, and attaching personal information to the identifier. If based on online verification, DRM systems may invade people’s privacy by tracking personal data and transmitting them to DRM managers;
- Establishing a connection with the vendor’s site and sending the site an ID associated with the media or content. Vendors may not be doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it; and
- Failure of the uninstaller programs to completely remove the software.
Alternatives exist that would provide copy protection and at the same time protect privacy. For instance, token and password systems could be used to authorize a download of digital content. Alternative, non-privacy-invasive solutions do not appear to have been explored adequately, and this is what we must demand of DRM systems that are deployed in Canada.