Via Slashdot comes an article from Groklaw about DRM's effects on computer security. If you've been following DRM stories for years, it's a good read. If you're a DRM novice who can't quite remember what "DRM" stands for, it's a good read. Author Victor Yodaiken sums up what DRM is and what content-providers want it to do.

At its core, DRM -- which stands for "digital rights management" -- is about control. Content providers want to control how you view their content and make sure that you don't use that content in a way that they don't want you to. Sometimes, this control is designed to prevent copyright infringement. Sometimes, it's designed to make the Internet and computers behave like old markets so that content companies don't have to innovate and create new business models.

But my favorite sentence from the whole article is this one: "DRM is being introduced as if there was no role for computers except as personal entertainment devices and as if computer users were purely consumers of prepackaged 'content.'" Sony-BMG introduced DRM into its CDs in December without any care as to how the DRM would affect computer security. All that Sony-BMG cared about was locking down content and preventing users from using the content in a way that Sony didn't want them to. And if users' security is compromised, Sony-BMG throws up its hands and says, "Not my problem."

And, finally, from Cory Doctorow's Microsoft DRM talk, here's an explanation of why DRM just doesn't work. In this example, Alice and Bob want to exchange messages without Carol intercepting those messages:

Enter keys: a cipher that uses a key is still more secure. Even if the cipher is disclosed, even if the ciphertext is intercepted, without the key (or a break), the message is secret. Post-war, this is doubly important as we begin to realize what I think of as Schneier’s Law: “any person can invent a security system so clever that she or he can’t think of how to break it.” This means that the only experimental methodology for discovering if you’ve made mistakes in your cipher is to tell all the smart people you can about it and ask them to think of ways to break it. Without this critical step, you’ll eventually end up living in a fool’s paradise, where your attacker has broken your cipher ages ago and is quietly decrypting all her intercepts of your messages, snickering at you.

Best of all, there’s only one secret: the key. And with dual-key crypto it becomes a lot easier for Alice and Bob to keep their keys secret from Carol, even if they’ve never met. So long as Alice and Bob can keep their keys secret, they can assume that Carol won’t gain access to their cleartext messages, even though she has access to the cipher and the ciphertext. Conveniently enough, the keys are the shortest and simplest of the secrets, too: hence even easier to keep away from Carol. Hooray for Bob and Alice.

Now, let’s apply this to DRM.

In DRM, the attacker is also the recipient. It’s not Alice and Bob and Carol, it’s just Alice and Bob. Alice sells Bob a DVD. She sells Bob a DVD player. The DVD has a movie on it – say, Pirates of the Caribbean – and it’s enciphered with an algorithm called CSS – Content Scrambling System. The DVD player has a CSS un-scrambler.

Now, let’s take stock of what’s a secret here: the cipher is well-known. The ciphertext is most assuredly in enemy hands, arrr. So what? As long as the key is secret from the attacker, we’re golden.

But there’s the rub. Alice wants Bob to buy Pirates of the Caribbean from her. Bob will only buy Pirates of the Caribbean if he can descramble the CSS-encrypted VOB – video object – on his DVD player. Otherwise, the disc is only useful to Bob as a drinks-coaster. So Alice has to provide Bob – the attacker – with the key, the cipher and the ciphertext.

Hilarity ensues.

DRM systems are broken in minutes, sometimes days. Rarely, months. It’s not because the people who think them up are stupid. It’s not because the people who break them are smart. It’s not because there’s a flaw in the algorithms. At the end of the day, all DRM systems share a common vulnerability: they provide their attackers with ciphertext, the cipher and the key. At this point, the secret isn’t a secret anymore.

And that is the problem with DRM: the recipient of the message is also the "attacker," the person who is clandestinely trying to intercept the message. Content providers want people who buy DVDs to be able to watch those DVDs, but not take the content off those DVDs. DRM schemes as we know them are inherently screwy because, as Doctorow says, "they provide their attackers with the ciphertext, the cipher, and the key." It's very schizophrenic and it doesn't work. Either content providers have to completely lock down their content and prevent anyone from viewing it, or they have to remove the DRM and let the information be open to anyone. To do otherwise is to pretend that there is real security and real freedom, when in fact there is neither.