A rant on Digital Rights Management
Mention Digital Rights Management
and I go bug eyed with paranoia.
Why is it that no one else seems to see it as an all-encompassing
conspiracy to overthrow all that is good in human civilization
and and enslave us to evil brain-eating cockroaches?
Security is a balancing act.
We all know that computer security is a continuum, with bad choices
at either end of the scale, but have we stopped to think about the
fact that this continuum is just a mirror of the same reality we
face when we consider personal or National security?
Tech people can be very inconsistent between their views on tech
subjects and their views on social or political realities, but
these two worlds are really analogies of one another.
You might be a real "computer security nazi", but a libertarian
in "real life". Why?
What is at stake?
Before you can even think intelligently on computer security,
you need to define what it is that you are attempting
to protect. And this is where your political and social
will silently determine the outcome
of your thought processes, before you have even begun.
Nowhere is this more true than in the emotional and polarized
debate over Intellectual Property.
If I have made the assumption that I rightfully own a piece of
property, all of my strategies for protecting it will flow
from that assumption. If my computer belongs to me, then I insist
on having control over the software it runs, the content displayed
on the screen, who can write to my hard drive. I may delegate
these rights to those I trust, and I may deny it unconditionally
to all others. It is my computer.
Whose computer is it?
Maybe it really isn't my computer at all. Once upon a time
not so very long ago there were no personal computers. A business
would own a powerful computer with a multi tasking multi user
operating system. They could then connect numerous dumb
terminals to this machine so that people could log on and
work. Since the company owned the computer, it, or its appointed
sysadmin decided what rights could be safely delegated to
Users were digital peons, working on the master's
The microprocessor revolution.
The availability of cheap microprocessors shattered, at least
temporarily, the digital paradise of centrally controlled
computing. People bought desktop computers and discovered the
joys of learning to write their own software. They were
empowered. They experienced the feeling of ownership,
responsibility, and rights. Bad news for the advocates
of an authoritarian concept of computing.
A gray area
Having one's own computer probably felt pretty good at first,
but people became bored and discontented with the underpowered
early PCs, and no doubt were thrilled when they became
powerful enough to run networking software, and able to connect
to the fast growing internet. But now, going from a free-standing
personal computer to a participating host on a network,
you enter a gray area, a twilight zone between the totally
decentralized, fragmented world of individual PCs, and the
authoritarian world of mainframe and dumb terminal.
Rival Computing Models = Rival Security Models
It should be no surprise that people are arguing radically
different philosophies of computer security. Their underlying
philosophies of computing make this inevitable.
The decentralized model of security says that "It's your
computer", therefore security is your own responsibility.
This philosophy favors firewalls, Anti-virus software,
Spam filters, and other user-initiated and user-maintained
measures to mitigate, but never eliminate security threats.
The centralized model advocates comprehensive and
systemic measures, built into the fundamental design
of the net, its protocols, and even the very hardware,
to make security threats impossible.
Cyberspace and Ordinary Space.
If you suspect that I'm about to make an analogy between
the digital world and the "real" world, you are correct.
The very same arguments about security are raging about our
physical security. One group says that conventional
and traditional security measures are adequate. Local law
enforcement is seen as adequate to deal with crime.
Normal and lawfully mobilized armies can defend nations.
Traditional diplomacy. Civil liberties. Constitutional
The other camp, again, wants a radical and comprehensive
solution, a "new world order", some kind of systemic
redesign that will make security threats impossible.
Utopia is Hell.
But before we can talk intelligently about security threats,
we need to ask, "Who is being threatened by whom?"
the answer to this question isn't as obvious as you think.
To you and me, this may seem simple. A security threat
is something that threatens me.
A virus. Spyware. Someone wanting administrative access
to my computer, to steal my personal info, empty my
bank account, or whatever.
But if you are the president of a monopolistic business,
head of the RIAA, the MPAA, your definition of "threat"
may seem curiously inverted, at least from my point of view.
New technologies that allow users to share files unsupervised,
the ability to inspect and "reverse engineer" software,
or to write programs that unlock copy protection. These are
"security threats" from their point of view. Things that I
do in the privacy of my own home can be viewed as threats to
Since it is "intellectual property" that they are trying to protect,
my discovery of their secrets is a greater threat to computer security
than some petty virus. To ordinary users, the enemy is the rogue or
criminal who releases the destructive virus or worm. To authoritarians,
it is ordinary users who are the threat, not by doing something
criminally destructive, but by obtaining hidden and forbidden
Digital Utopia would be a place where users are only allowed the
minimum privileges necessary to allow them to do their work. This may seem
sensible if you are the sysadmin at a nuclear weapons lab,
but do you want the internet run that way? Do you want your PC to be managed
remotely by the regime of Digital Rights Management?
There is a lot at stake here.
The internet is still a friendly and cooperative place.
It is not the wild wild west, in desperate need of a
gunslinging sheriff to come and impose law and order.
Security is evolving naturally, and meeting the needs of legitimate
users. The rogues and outlaws are a small minority.
If it ain't broke, don't fix it.