MediaMax, XCP study
p2p news / p2pnet: Peter Jacob’s US-based SunnComm MediaMax, and XCP from the UK’s First 4 Internet, both flawed Digital Restrictions Management applications, have been written up for ongoing study as models of what not to do.
"In the fall of 2005, problems discovered in two Sony-BMG compact disc copy protection systems, XCP and MediaMax, triggered a public uproar that ultimately led to class-action litigation and the recall of millions of discs," say Princeton University’s professor Felten and Alex Halderman in their paper Lessons from the Sony CD DRM Episode, published today.
"We present an in-depth analysis of these technologies, including their design, implementation, and deployment. The systems are surprisingly complex and suffer from a diverse array of flaws that weaken their content protection and expose users to serious security and privacy risks. Their complexity, and their failure, makes them an interesting case study of digital rights management that carries valuable lessons for content companies, DRM vendors, policymakers, end users, and the security community."
Felten and Halderman ran draft sections on Felten’s Freedom to Tinker blog, asking for ideas and comments.
"We also asked readers to help suggest a title for the paper," they say. "That didn’t work out so well – some suggestions were entertaining, but none were really practical. Perhaps a title of the sort we wanted doesn’t exist."
Their analysis of Sony-BMG’s CD DRM "carries wider lessons for content companies, DRM vendors, policymakers, end users, and the security community," they say, drawing six main conclusions.
- First, the design of DRM systems is driven strongly by the incentives of the content distributor and the DRM vendor, but these incentives are not always aligned. Where they differ, the DRM design will not necessarily serve the interests of copyright owners, not to mention artists.
- Second, DRM, even if backed by a major content distributor, can expose users to significant security and privacy risks. Incentives for aggressive platform building drive vendors toward spyware tactics that exacerbate these risks.
- Third, there can be an inverse relation between the efficacy of DRM and the user’s ability to defend the computer from unrelated security and privacy risks. The user’s best defense is rooted in understanding and controlling which software is installed on the computer, but many DRM systems rely on undermining the user’s understanding and control.
- Fourth, CD DRM systems are mostly ineffective at controlling uses of content. Major increases in complexity have not increased their effectiveness over that of early schemes, and may in fact have made things worse by creating more avenues for attack. We think it unlikely that future CD DRM systems will do better.
- Fifth, the design of DRM systems is only weakly connected to the contours of copyright law. The systems make no pretense of enforcing copyright law as written, but instead seek to enforce rules dictated by the label’s and vendor’s business models. These rules, and the technologies that try to enforce them, implicate other public policy concerns, such as privacy and security.
- Finally, the stakes are high. Bad DRM design choices can seriously harm users, create major liability for copyright owners and DRM vendors, and ultimately reduce artists’ incentive to create.