by

Advocates of DRM (copy protection) have been keeping their heads down lately, while they try to figure out what went wrong in the SonyBMG DRM spyware fiasco. No doubt they’ll try to explain it away as an anomaly – just a little speed bump on the road to the effective, unobtrusive DRM future that they’re sure will be arriving any day now.

There are some problems with this story. For starters, we’re not talking about a single DRM system – we’re talking about two totally separate systems (XCP and MediaMax), developed by rival companies, both of which turned out to be spyware and to endanger users, in strikingly similar ways. Is this just a coincidence?

Of course it’s not. If we look carefully at CD copy protection as a technical problem, we’ll see why DRM designers are drawn to spyware tactics as their best hope of stopping copying. Let me explain why.

CDs store music files in Compact Disc Digital Audio (CDDA) format, which is easily readable by a wide range of devices. If the music is encrypted or stored in some other tricky format, ordinary audio CD players won’t be able to read it, and the disc will be useless to most customers. So backward compatibility requires that the music be stored in a format that is readable by computer software.

(Technical digression: There are actually small differences between how a computer reads a disc and how ordinary audio CD players read it. So-called passive protection technologies try to exploit these differences by putting things on the disc that try to confuse computers without affecting ordinary players. For our purposes, it will suffice to say that purely passive protection systems are not viable, because computers are not so easily confused. To my knowledge, purely passive CD DRM technologies aren’t being used any more, although some current vendors combine passive protection with active measures. For reasons too boring to go into here, passive protection doesn’t really affect my analysis; and so to streamline the discussion I’ll assume from here on that there is no passive protection.)

If the music is encoded on the disc in a format that any software program can read, the only way to stop programs from reading it is to install software on the user’s computer, and to have that software actively interfere with attempts to read the disc, for example by corrupting the data stream coming from the disc. We call this “active protection”.

For example, suppose the user wants to use iTunes to read the disc. But the DRM vendor wants to stop the user from doing this, because iTunes can be used to make copies of the disc. The active protection software will detect this and will interfere to ensure that iTunes gets a garbled copy of the music.

Here’s the key issue: Active protection only works if the DRM software is running on the user’s computer. But the user doesn’t want the software on his computer. The software provides no value to him at all. Its only effects are to stop him from doing things he wants to do (such as listening to the music with iTunes), and to expose him to possible security attacks if the software is buggy.

So if you’re designing a CD DRM system based on active protection, you face two main technical problems:

You have to get your software installed, even though the user doesn’t want it. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there.

Of course, you don’t have to resort to these tactics. But if you don’t, your software will have trouble getting onto users’ computers and staying there. If your whole business model depends on installing unwanted software and preventing its uninstallation, you’ll do what’s necessary to make that model work. You’ll resort to spyware tactics. (Or you’ll quit and go into another business.)

Having set off down the road of CD copy protection, the music industry shouldn’t be surprised to have arrived at spyware. Because that’s where the road leads.