Sunday, March 05, 2006

imho DRM2


Found content:

My take:

DRM is another name for the doctoral research motherlode that this topic has unleashed.

Everybody’s developing their own DRM dissertation, or so it seems. The referenced article presents Wendy Grossman’s self-described “manifesto,” which consists of several (prescriptive and proscriptive, rather than descriptive) “principles of responsible DRM,” which appear to have been inspired by what she describes as Sony’s “damn-fool rootkit” and “evil deed” (what would the DRM-bashing community do without this new whipping boy of a media/electronics giant?). Her principles (all of which primarily apply to DRM only in its B2C content license management and anti-piracy application, not to the equally important B2B federated identity and access management side of this topic, which some have referred to as “enterprise rights management” or “identity rights management”) are as follows (I’ve chosen to number them for the sake of easily referring back to individual principles):
  1. “DRM should not violate the user’s computer…. By "violate", I mean the software should not: hide its presence, send back information about either the user or the computer without permission (and what gets sent should be fully auditable by the user), or do other things that, if Sony were a teenaged hacker dressed in black working out of a back bedroom would send it to jail.”
  2. “A company whose DRM breaks the law ought to be fined and treated exactly like a wanton environmental polluter.”
  3. “DRM should respect the public domain. That means it should automatically expire, leaving the content freely accessible, on the date when the work enters the public domain.”
  4. “DRM should not be allowed to apply more restrictions to a work than that same work would have in the analog world.”
  5. “Circumventing DRM should not be a crime (as of course it is under the US's Digital Millennium Copyright Act) in and of itself.”
  6. “Rightsholders who do not incorporate features to allow disabled access should be required to allow third parties to do so.”
  7. “When a new format is adopted and new work begins being released on it, the technical specifications for how to build a reader (and a copy of the player) should be filed in the copyright libraries.”

I’m looking at these responsible-DRM principles and trying to find some core principle that underlies them all. Principles #1 and #2 simply articulate principles of responsible computing, which should cover DRM and other infrastructure and applications technologies. Principles #3, #4, #5, #6, and #7 address aspects of the DRM dilemma: the equitable balancing of the rights of content publishers vs. the rights of content consumers. And, fundamentally, they all derive from a common DRM (prescriptive/proscriptive) principle:

  • Principle of Minimal and Diminishing Restrictions: Content publishers must, to the extent they apply DRM, always license and implement the minimal set of necessary access restrictions on authorized consumers, apply a similar set of restrictions to those enforced in other content-distribution channels, and allow consumers to progressively diminish these restrictions as time, fair-use, and other extenuating circumstances permit.

All of which puts me in mind again of Kim Cameron’s “laws of identity.” Don’t they posit a set of DRM-like laws? Summarizing them again (I first touched on them early in this blog’s life, in December 2004, and then again throughout the first half of 2005), they are (to requote myself paraphrasing Kim):

  • “According to Microsoft/Cameron, IdM systems must gain user consent prior to revealing information identifying the user; disclose the minimum amount of identifying information necessary; limit that disclosure to parties with a need to know; provision public and private identifiers for pointing to users’ identity data; and provide user interfaces that help people avoid revealing personal information to phishing and pharming scams.”

In an “identity metasystem” (Kim’s phrase), who are the “publishers” and “consumers” of this particular type of content (i.e., identity info)? Are the identity providers (IdPs)—in other words, those who register, manage, and make assertions about other people’s identities—the “publishers” or “consumers” of identities? IdPs certainly publish identities, and certainly consume this information in order to authenticate users, make assertions about those users, and personalize presentation of information to those users. Are the people whom the identifiers identify the “publishers” of their identities (in the sense that they opt to let the IdPs republish this info) or “consumers” (in the sense that they use their identity info to log in to systems and access various resources by proving possession of information about themselves that many, including Kim Cameron, would assert that they “own”)?

At some fundamental level, we can construe Kim’s principles as being based on the notion that the individual owns, hence publishes, his or her own identity info, and that everybody else (the IdPs and the service providers, or relying parties) consumes this info. In which case, Kim’s principles seem diametrically opposed to Grossman’s DRM principles: the “publisher/owner” of identity content (i.e., the identity subject) always reserves the right to apply a maximal and never-diminishing set of restrictions on “consumer/IdP/relying party” access to this content.

Or perhaps both Cameron’s identity-metasystem principles and Grossman’s DRM principles derive from a common, unspoken principle:

  • Principle of Sticking it to "The Man": Each of us should have maximum leverage over resources—such as our own identity information or other people’s published content—that is controlled by big, impersonal, “evil,” “greedy” institutions.

If you believe in demonizing the economic system that sustains us all, and allows all productive classes—including content publishers—to make a decent living from the sweat of brows that squint at monitors all the livelong day.