Here is a typical problem: I have a document file that I want to share with my coworker James. I want James to be able to read the file and send me his thoughts and corrections, but I don't want him to be able to print it or share it with anybody else in his office.
You might wonder why I am sending this document to James at all, since I obviously don't trust him to behave in a responsible manner. But perhaps I don't have a choice. Perhaps the document is a price list that James needs to get his job done: I'm worried that James might be thinking about taking a job with a competitor, but the data may help him close a deal for our company today. Perhaps what I've been calling a "document" is really a movie file and James is a critic for the Los Angeles Times. I want him to write a review, but I don't want him to share copies of the DVD with 10,000 of his closest friends. Perhaps my real fear isn't James at all, but his 16-year-old son who recently installed file-sharing software on his home computer. With all the Trojan horses that are loose in the world, the document might get out without James even realizing his complicity in the act.
What's needed here is a strong dose of digital restrictions management, better known as DRM. Many people in the computer industry think that DRM stands for digital rights management. Don't believe it. DRM is all about imposing restrictions and limitations on computer users and their systems so that certain activities are difficult or virtually impossible. DRM is about restrictions, not about rights.
Microsoft's Word on DRM
There are many different kinds of DRM systems. Some are based on strong cryptography, others lock up content so that it can be accessed only with special readers or viewers that implement particular restriction policies, but all are fundamentally based on the honour system. Each of these approaches is built into the current version of Microsoft Word, which makes Word an excellent tool for exploring DRM.Next time you edit a document in Microsoft Word, click on the Options menu and then on the Security tab. You'll have an option to give your document a password to open or a password to modify. Although these passwords sound similar, they have very different implementations. Word turns your password to open into an encryption key that's used to scramble the contents of your document when it is saved. Anybody who doesn't know the password can't open the document. This restriction is implemented by the mathematics of cryptography, not by the Word application, so you can't get around it by trying to open the document with another application - for example, using the TextEdit application that's built into the Macintosh operating system.
On the other hand, the restrictions implemented by a password to modify are implemented by the Word application itself. When you tell Word to open a document with a modify password, Word asks you for the password. If you don't know the password, Word gives you the option to open the document in read-only mode. Once opened, Word remembers whether you typed the correct password, which it uses to determine which restrictions you need to abide. Other programs don't implement these restrictions. You can open a Word document saved with a password to modify using TextEdit and modify the document to your heart's content. And even Word isn't too circumspect about its restrictions. You can't modify a document that's opened "read only," but you can copy the text and paste it into a new Word document. Indeed, there is nothing to prevent you from taking this new document and saving it under the original's file name.
Despite these limitations, this approach of putting the security into the document itself has advantages. You don't need to worry about executives losing laptops or enemy hackers stealing precious documents, since the security is in the document itself. Also, different documents can have different policies - just give them different passwords.
Managing all of these passwords can be a real hassle. That's the idea behind systems such as Microsoft Windows Rights Management Services (RMS), a special breed of DRM that's designed for protecting Microsoft documents. With RMS, each document has its own encryption key. RMS checks each user who wants to access a document to make sure that he is allowed to do so. If he is allowed, RMS automatically hands a copy of the document's key to the user's copy of Word or Excel, and the application opens the document. The whole thing is supposed to be completely transparent to the user. Microsoft has another plug-in that makes RMS work with HTML documents downloaded over the Web.
If It Quacks Like a Duck...
On its Web pages describing RMS, Microsoft argues that its enterprise rights management framework is different from DRM systems. DRM systems, says Microsoft, are a "specific kind of rights management, focused on protecting commercial content such as songs and movies." But this is not a difference based in technology - it's one based on marketing. Commercial DRM systems designed to restrict access to songs and movies are controversial, and Microsoft is doing its best to differentiate its business-targeted RMS technologies from its consumer-targeted DRM offerings.DRM is controversial because the technology's fundamental goal is to restrict what consumers can and cannot do with digital content - in many cases digital content that the consumers have legally purchased and expect to use as they wish. Back in 1984 the Supreme Court of the United States ruled in its famous Sony v. Universal Studios that it is legal for consumers to tape movies that are broadcast over public airwaves and watch them at a later time - a practice that's sometimes called "time-shifting." Of course, the same technology could also be used to copy prerecorded videotapes, a practice that's sometimes called "piracy." Universal Studios had sued Sony, arguing that it should be illegal to sell the Betamax Video Cassette Recorder because the device could be used for illegal purposes. The Supreme Court disagreed.
Striking out in the courts, record labels and studios turned to technology to make it harder for consumers to make unauthorized copies. For example, in 1985 the movie industry introduced a system called Macrovision, which was designed to disrupt the analog VCRs of the day and make it impossible for them to copy prerecorded videotapes. Macrovision is still used today, although these days modern VCRs and DVRs automatically detect the Macrovision signal and display a warning message stating that the content may not legally be recorded.
Rootkits and iPods
DRM got a bad name this past Christmas season when Sony, now a major record label, snuck a DRM technology (involving a rootkit) onto several dozen musical discs that it was selling. The discs played just fine in a conventional CD player, but put one into a PC running the Windows operating system and the CD would covertly install a program that was designed to limit what the consumer could do with the disc that he had just purchased. Unfortunately, the Sony software also damaged the PC, rendering the computers vulnerable to attack by hackers and, in some cases, making the computer crash. Sony suffered a huge amount of embarrassment from the incident, was targeted by several class-action lawsuits and was ultimately forced to recall millions of discs..But the lesson here is not that consumers will reject DRM and that companies should avoid it at all costs. Apple has sold hundreds of millions of songs on its popular iTunes service, even though every one of those songs is encoded with a DRM system that restricts songs so they can be played only on computers belonging to the person who bought them. One important difference between the Apple and the Sony systems is that Apple DRM is implemented directly in iTunes and doesn't modify the host computer's operating system. Another important difference is that Apple doesn't try to covertly hide the program from the user, the way Sony did.
Ultimately, though, all of these DRM systems can be defeated. You can burn your iTunes songs to an audio CD and then play them on any computer you want. Sony's rootkit didn't work on Macs or PCs running the Linux operating system. Future hardware advances such as the Trusted Computing Group's Trusted Platform Module (TPM) eventually will make it easier to build strong DRM systems. But ultimately all of these systems, even though based on TPM, can be defeated. Consider my friend James: He always has the option of reading his DRM-protected document out loud while a coconspirator types the words into a laptop. If people can read the content, people can copy it.
-------------------------------------------------
Simson Garfinkel, PhD, CISSP, is at Harvard University researching computer forensics and human thought.