Cory Doctorow Rails Against the Effect of DRM and the DMCA

If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.

The Tech

I love reading [Cory Doctorow], he’s a great futurist and books like Down and Out in the Magic Kingdom have really affected the way I think about the world. It’s no surprise that he has his finger on the pulse of where our “future” tech is right now. This is a picture of the Internet of Things: smart homes and devices you can talk to. But this future comes with the cost that we are surrounding ourselves with devices that are always listening and always watching. How do you know when that listening and watching is being misused? This depends on the security of the device and your ability to know how access and data are being used.

The Inkjet Business Model

Devices are being sold as a platform that is intended to be completely controlled by the manufacturer. They can continue to monetize the device by selling add-ons and controlling who can build accessories for the platform. But it goes much further than that, the manufactures are also building ways to remotely shut down devices and further control how you use them.

One of the best examples of this is sub-prime car lending. These types of agreements can include where you’re allowed to drive the vehicle, and if you go out of bounds an ignition interlock can remotely disable your car. [Cory] carries this concept forward by citing [Hugh Herr], who uses an amazing set of robot legs (check out this TED talk if you haven’t already). These legs cost as much as a house… what if your creditors decide to shut down your legs?

Another example [Cory] cited was the John Deere tractor story we covered in May.

DRM and the DMCA

The side-effect of the Inkjet Business Model is that manufacturers want do defend their ability to enforce the business practice and the method that’s long been in use is Digital Rights Management, or DRM. At its core this is the ability for a device to verify that the content being used on it is authorized by the manufacturer. Inkjet is a perfect example as there was a landmark court case where Lexmark sued an inkjet cartridge refill company who was resetting the chip in the cartridge that indicated it was out of ink.

The idea of DRM was codified in the 1998 Digital Millenium Copyright Act or DMCA. The key provision of this law is DMCA 1201 which deals with Anti-Circumvention. This makes it crime to break a lock that is protecting any copyrighted material, and the penalties are severe: 5 years in prison and $500,000. One of the key provisions of this bill is that it shifts the cost of enforcement onto the government; companies don’t have to pay to litigate against anyone who violates the DMCA.

The penalties are a huge deterrent. But this has an unpleasant side-effect. There is no allowance for security research. Which means that if you find a vulnerability and disclose it you are breaking the law. Let me repeat that… if you disclose a security vulnerability (privately) to the company that makes the hardware you are breaking the law. This makes our system fundamentally insecure by strongly disincentivizing anyone other than criminals from finding — or at least reporting — security flaws.

This is well-outlined in the Electronic Frontier Foundation’s report: Fifteen Years under the DMCA.

We Can Solve This

It is unlikely that the DMCA is going to be fixed in congress, so [Cory] and his colleagues at the EFF have a plan to fix this. They want to kill DRM worldwide in the next 10 years and we couldn’t agree more with the plan. He also makes the case that killing it in the United States will likely kill it worldwide as this legislation has been pushed on other nations in what he calls “a suicide pact”.

Security researchers are breaking DMCA 1201 all the time. Disclosing vulnerabilities means the companies are pressured to fix them lest they be liable for security breaches that use those attack vectors. Removing DRM will make it legal to report vulnerabilities, leading to a more secure world where we can have our futuristic cake and eat it too.

Check out the EFF website on ways you can get involved. This can be talking about your experiences with security research, telling others about this important work, or donating time, talent, or treasure to the effort.

30 thoughts on “Cory Doctorow Rails Against the Effect of DRM and the DMCA

  1. I would imagine that penalising people for disclosing security flaws would backfire on the company that have been breached in public opinion, as it did on the airline which infotainment system was lately hacked.

    First, it gives the impression that they are careless about their patching or security going after guy instead of publicly being serious about their own shortcomings. Secondly, ordinary customers (soldering iron types and coders) will feel alienated and discurraged. Maybe it´s not that grave. The law is old and there have been very few cases. I still tear everything technical I buy apart at some point in it’s life cycle and have been since I was 6.

    Were would we be if cases “Xerox copier typo flaw” had’nt been disclosed? Hardware hacking is in the publics aswell as the companies best interest.

    So the lesson here is; if you discover a flaw that needs patching or a hack that improves functionality, go public about it. Any following legal steps will just make the other party look unsympathetically stupid.

    1. I completely agree with your viewpoint but I want to point out that there has been numerous cases of people doing just that and labeled as hackers – in the bad meaning of this word. Even here, on HaD, I’ve seen debates about whether they actually are or not. And, even though it will – or might – make the other party look stupid, it won’t necessary be the same view for the judge. We do absolutely need legal protection for these cases, and we also need companies to understand it will happen a lot.

  2. Simply commenting on t what the article outlines without studying what’s under the included links. Frankly I find it hard to be optimist anymore ever since, I realized it was the land owners and Merchants who started the American Revolution, wrote and ratified the US Constitution. With that one needs to replace the word People every where it appears in the Gettysburg Address with merchant to really understand government in the USA. Labor, not organized labor, but labor in general has discounted it’s own importance and considerable power to make a difference. Becoming good little consumers, not understanding demand drives an economy not supply.

    What gets me a lot of what corporations are try to to day is similar to what corporations tried to do early in the auto industry, and where prevented from doing so. But then nearly a century has passed, and a less involved ignorant electorate exists at all level below the business and government elite.

    1. +1

      It’s more than DRM that’s broken. DRM is the symptom. The US is now owned and run by corporate interests. Politicians and media are paid for by corporates, and even the courts bend over backwards to accommodate corporates.

      Sadly this anti-democracy is exported around the world, everyone wants to copy “US success”. Meanwhile the people don’t care if their rights are abandoned as long as they have the latest iPhone and the Kardashians on TV.

      Irony: who is the most popular anti-establishment candidate? Yup, billionaire corporate nutcase Donald Trump. The US is really screwed.

    2. You thought exhausted farmers wrote the Declaration of Independence? It would have happened in England and Germany if that were the case. What does a Leninist screed have to do with DRM? The manufacturer’s will have to realize that the parts they use and protocols are in common use by many many people who make Open Source repo’s and other information available to all and from nearly every point on Earth and nearby space. The toothpaste got out of the tube a long time ago. Still, nobody wants to hire an expensive lawyer because you get picked out as an example and some protection would be nice. However, at least in the U.S., you can’t prevent civil suits and someone can exhaust your resources by repeated civil legal actions.

      1. “However, at least in the U.S., you can’t prevent civil suits…”

        With all due respect you’re wrong. Since 1986 us citizens have lost the right to seek damages in court for any and all harms to their children from a vaccine. Regardless of the science of vaccines the legal reality is that you can’t take a vaccine manufacturer or any person or entity involved in the vaccine process from manufacturing to injection to court to seek damages caused by the vaccine.

        In 1986 the vaccine courts were created as part of the National Childhood Vaccine Injury Act. Anyone seeking damages caused by a vaccine must do so in the vaccine courts which means they are taking the government to court and not the private entity that made the vaccine. So in as far as the vaccine industry goes they enjoy federal protection from any and all liability for their products.

        So in America you can be prevented from seeking a civil lawsuit when it comes to vaccine related injuries.

        As afoot note, just in case someone argues that this is irrelevant because vaccines are proven to be safe and effective, you should know that since the vaccine court was established it has awarded over 3 billion dollars in vaccine related damages to over 2,500 families of children who suffered damages caused by a vaccine.

        1. 1. No medical intervention is risk-free. Vaccines are good medical interventions because they do massively more good than harm.
          2. A finding in a federal court is not evidence of causation.
          3. “Over 80 percent of all compensation awarded by the VICP comes as result of a negotiated settlement between the parties in which HHS has not concluded, based upon review of the evidence, that the alleged vaccine(s) caused the alleged injury.” (www.hrsa.gov/vaccinecompensation/data.html)

          Even if every single claim made against the vaccine court were valid and upheld, that would correspond to less than one person in a million. I challenge you to find any other medical intervention as effective.

          1. @arachnidster

            You’ve argued for why you believe vaccines are a good thing but you’ve failed to counter my argument that we have lost the right to sue vaccines manufacturers, I’d also like to point out that since its been a year since I posted my comment the movement against forced vaccinations has grown; not shrunk. That said my argument is for or against the science of vaccinations but the reality that we have lost the constitutional right to go after these companies. A side effect of this is that the pharmaceutical industry is moving more heavily towards vaccine based methods for treatment of specifically because they are free from liable for any harm a vaccine may cause. If you think the nasty side effects of the DMCA are bad just imagine what would happen if other industries were able to use the federal government as a shield from being liable for their products/services.

            The argument is about whether the science of vaccines work but whether or not those who manufacture vaccines should be free from liable because we deem the products they produce to be beneficial.

    1. The story has 4381 characters from the 2006 copyright notice to blurb about the author. All the Gutenberg legalese has 20903 characters. Why do free stories need so much junk tacked on?

      1. Because Doctorow is part of the Copyfight which is pretty much like the non-sheeple of Occupy Wall Street. This means some sort of fifty part Creative Commons licensing and full disclosure of distribution. He is an awful writer imho, and a bit of a bell end if you ever caught his constant outrage during the boingboing days. I would just suggest watching Thunder in Paradise and that awkward scene where Hulk Hogan is paragliding with some kid. Way more entertaining and engaging than c.d. :)

  3. I think we should make “DRM Money”. Pay all companies with money sealed in a little plastic bag whose use is subject to a EULA. Then the EULA could be posted Online somewhere with information which details what uses that money can be applied to, and methods for verification. The EULA’s could be vetted by lawyers (how about the EFF?) but with features suggested by the community so that companies would be bound to spend the money in useful, sustainable, community-friendly ways instead of continuously raping the earth and their various communities and pursuing their typical scorched-earth sales tactics. DRM, if it’s good enough for them, it’s great for us.

  4. Cory Doctorow is a textbook opportunist, an author writing his cliche books (he cowrote a book about a “female gamer” at the height of the whole gamergate thing ffs) and giving talks about things he doesn’t really have an expertise in.

    And the cherry on top of the shit sunday, he can’t code, never learned to code, works at the EFF. The fact we all turn up our noses at Richard Stallman (both a lawyer and developer) and listen to this idiot says a lot about what direction we, the unwashed masses, are heading.

    pls hackaday this site is one of my few getaways from the ever encroaching douchebaggery of the modern internet, no more boingboing fanboy shit.

    1. Word. He and JENNY(smh) tacked their names onto more things than were humanly possible back then. Glad someone pays attention out there. And yes, he probably ghost-wrote Thu Hunger Games series- that is how derisive and basic his books are lol. Kinda hits Apple levels of undeserved hype. Hopefully folks will just learn to ignore him and this is the last we see of him on HaD.

  5. Talks like these are really good at pointing out the elephant in the room, by not pointing out the elephant in the room. We’re not saying that it is legal for a company to have security holes in there products and use them. That would really sound like a conspiracy. What we are saying is that if you could prove it you will have broken the law.

  6. I only see this as a problem with inkjet Printers.

    Why: HTML5-EME, Intel’s Insider and TXT(and I think vPro had TPM DRM), ARM and AMD TEE have all been there a while and nobody is using them. Game consoles have rightful copy protection. PC games have all the PE and ELF based protectors and they all have revoke features.

    I’m not sure how code signing and crypto on phones is a bad thing.. It actually needs more, in the form of real auditing, in my opinion.

      1. Free QA and security audit? How dare they..

        I think this discontent stems from the socialism around the $99.00 dev license.. People just don’t want capitalism to happen unless they are the profiteers..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s