Thursday, December 8, 2022

DRM: The Urinary Tract Infection Business Model

Most of the pre-digital offers aren't available at any price: you could buy a DVD and keep it forever, even if you never went back to the store again. If you "buy" a video on Prime or YouTube and then cancel your subscription and delete your account, you lose your "purchase."

If you buy a print book, you can lend it out or give it away to a friend or a library or a school. Ebooks come with contractual prohibitions on resale, and whether an ebook can be loaned is at the mercy of publishers, and not a feature you can give up in exchange for a discount.

For brain-wormed market trufans, the digital media dream was our nightmare. It was something I called "the urinary tract infection business model." With non-DRM media, all the value flowed in a healthy gush: you could buy a CD, rip it to your computer, use it as a ringtone or as an alarmtone, play it in any country on any day forever.

With DRM, all that value would dwindle from a steady stream to a burning, painful dribble: every feature would have a price-tag, and every time you pressed a button on your remote, a few cents would be deducted from your bank-account ("Mute feature: $0.01/minute").

Of course, there was no market for the right to buy a book but not the right to loan that book to someone else. Instead, giving sellers the power to unilaterally confiscate the value that we would otherwise get with our purchases led them to do so, selling us less for more.(...)

Back when PVRs like Tivo entered the market, viewers were as excited about being able to skip ads as broadcasters and cable operators were furious about it. The industry has treated ignoring or skipping ads as a form of theft since the invention of the first TV remote control, which was condemned as a tool of piracy, since it enabled viewers to easily change the channel when ads came on.

The advent of digital TV meant that cable boxes could implement DRM, ban ad-skipping, and criminalize the act of making a cable box that restored the feature. But early cable boxes didn't ban ad-skipping, because the cable industry knew that people would be slow to switch to digital TV if they lost this beloved feature.

Instead, the power to block ads was a sleeper agent, a Manchurian Candidate that lurked in your cable box until the cable operators decided you were sufficiently invested in their products that they could take away this feature.

This week, Sky UK started warning people who pressed the skip-ad button on their cable remotes that they would be billed an extra £5/month if they fast-forwarded past an ad. The UTI business model is back, baby – feel the burn!

https://www.examinerlive.co.uk/news/sky-warns-customers-charged-5-25644831

This was the utterly foreseeable consequence of giving vendors the power to change how their devices worked after they sold them to you, under conditions that criminalized rivals who made products to change them back. (...)

This is a case I've made to other reviewers since, but no one's taken me up on my suggestion that every review of every DRM-enabled device come with a bold warning that whatever you're buying this for might be taken away at any time. In my opinion, this is a major omission on the part of otherwise excellent, trusted reviewers like Consumer Reports and Wirecutter.

Everywhere we find DRM, we find fuckery. Even if your cable box could be redesigned to stop spying on you, you'd still have to root out spyware on your TV. Companies like Vizio have crammed so much spyware into your "smart" TV that they now make more money spying on you than they do selling you the set.

https://pluralistic.net/2021/11/14/still-the-product/#vizio

Remember that the next time someone spouts the lazy maxim that "If you're not paying for the product, you're the product." The problem with Vizio's TVs isn't that they're "smart." The problem isn't that you're not paying enough for them.

The problem is that it's illegal to unfuck them, because Vizio includes the mandatory DRM that rightsholders insist on, and then hides surveillance behind its legal minefield.

The risks of DRM aren't limited to having your bank-account drained or having your privacy invaded. DRM also lets companies decide who can fix their devices: a manufacturer that embeds processors in its replacement parts can require an unlock code before the device recognizes a new part. They can (and do) restrict the ability of independent service depots to generate these codes, meaning that manufacturers get a monopoly over who can fix your ventilator, your tractor, your phone, your wheelchair or your car.

https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8

The technical term for these unlock codes is "VIN-locking," and the "VIN" stands for "vehicle identification number," the unique code etched into the chassis of every new car and, these days, burned into its central computerized controller. Big Car invented VIN-locking. (...)

With Felony Contempt of Business Model, repair is just the tip of the iceberg. When security experts conduct security audits of DRM-locked devices, they typically have to bypass the DRM to test the device.

Since bypassing this DRM exposes them to legal risks, many security experts simply avoid DRM-locked gadgets. Even if they are brave enough to delve into DRM's dirty secrets, their general counsels often prohibit them from going public with their results.

This means that every DRM-restricted device is a potential reservoir of long-lived digital vulnerabilities that bad guys can discover and exploit over long timescales, while honest security researchers are scared off of discovering and reporting these bugs.

That's why, when a researcher goes public with a really bad security defect that has been present for a very long time, the system in question often has DRM – and it's why media devices are so insecure, because they all have DRM.

by Cory Doctorow, Pluralistic
Image: Cryteria, CC BY 3.0, modified
[ed. DRM: Digital Rights Management (DRM) technology as defined by Section 1201 of the Digital Millennium Copyright Act (DMCA), which banned removing copyright locks on penalty of a 5-year prison sentence and a $500k fine.]