[d@DCC] Acronym soup: TPM, DRM, TCPA, oh my..

Russell McOrmond russell at flora.ca
Wed Jan 12 15:29:21 EST 2005

  I'm wanting some help in trying to explain the long-term negative
effects of what is being asked for in the 1996 re-intermediation treaties.  
I just had a fairly long email discussion with someone where it turns out
that we were talking about two different things, and that language is yet
again in the way.

The treaty says:

  "Contracting Parties shall provide adequate legal protection and 
   effective legal remedies against the circumvention of effective
   technological measures that are used by authors in connection with the
   exercise of their rights under this Treaty or the Berne Convention and
   that restrict acts, in respect of their works, which are not authorized
   by the authors concerned or permitted by law."

  This is confusing given the language doesn't make sense, so we have to
read into what the lobbiests are intending and what they will be trying to
convince policy makers (later including Judges) to agree to.

  At first I found that there was confusing about referring to this as
"Legal protection for TPM" because there are a wide variety of TPMs that
are not related to the issues in this treaty.  TPMs include cryptography
and passwords used to control access to a computer/service, provide
privacy, and provide authenticity.  While these features of TPM are
components of Digital Rights Management (DRM) systems, it is only their
configuration as a DRM system that causes us concern.

Note: Many people involved in creating TPM systems were at the copyright
consultations in opposition to WIPO ratification/DMCA/etc.  This included
a number of people from the freeswan.org team.

  It turns out that referring to this as "Legal protection for DRM" also 
doesn't provide enough clarity given there are different understandings of 
what DRM is.

  DRM is generally a system where content is encoded in a cryptographic
format such that it cannot be decoded without cryptographic keys/etc.  
Devices on the audience side that can disallow the audience from making
copies are then granted access to the keys/etc required to decode this
content.  In order to disallow this copying the device must be under the
control of the DRM company, meaning that it has direct or indirect (via
agreements with other software vendors) control over all the relevant
software that can run on that platform.

  If the user has control over the operating system, and an application
has access to the content, then it is trivial for the user to instruct the
operating system to "store" the decoded content rather than displaying it
on the computers hardware.  It is because of this that I don't consider an
application alone running on a generic computer to be an example of DRM.  
In order to have DRM you need to have an entire DRM platform, not just a
single application.

  In a world where applications are run on user-controlled operating
systems, there is no effective protection against copying (and rightfully
this environment should not qualify under the langauge of the treaty).  

  Many such systems currently exist, with the systems used by DVD CCA
(with authorized players existing for many user controlled general
operating systems), Microsoft (Media player) and Apple (the underlying
operating system of MacOS/X being FLOSS Darwin) being examples.  In all
these cases there is no real "effective technological measures that are
used by authors in connection with the exercise of their rights" given the
media file can just be 'played' once on a computer that is set to record
the output of the media player.

  The only way to have effective DRM is to have a complete DRM platform.  
Current dedicated media player "hardware" such as DVD players are examples
of this where all software is under the control of the DRM vendor and/or a
vendor licensed by the DRM vendor.

  In order to get effective DRM on a "generic" computer the computer must
be entirely controlled by the vendor and not the user, which is the
purpose of the so-called "Trusted Computing" platform. Only with trusted
computing can there be DRM on a "generic" computer, at which point it is
not really a generic computer but a dedicated DRM computer that runs more
authorized applications than a more "dedicated" device might.


  Most of us recognize who is most likely to "win" the DRM wars, and it
won't be the current content industry.  The Content Industry are assuming
that they have the most valuable intangible property: content.  I believe
this to be false, with the most valuable intangible property that will
exist by the end of the DRM wars being "audiences" which will be under the
control of the DRM vendors, not the content industry.

  The irony with all of this is that if the current content industry gets 
their wish of effective DRM, it is unlikely that they will survive.  Their 
roll as gatekeepers of the channels of communication between creators and 
audiences will be entirely taken over by the DRM vendors.

In search of a name:

  What do we call all of this? The treaty articles are titled "Obligations
concerning Technological Measures" and yet I've been told that talking
about TPM or DRM is not clear enough to describe the direction that these
treaties are intended to take us.

  I wrote about the whole control issue in
http://www.flora.ca/russell/drafts/copyright-cops.html which was based on
DRM-compatible computing platforms, and at least one person found it
implausible because they were assuming I was including non-DRM
environments where multiple media players supporting multiple media 
formats was possible.

  In a generic computing environment there is no effective DRM, and thus
the problems of DRM don't really exist.  On a non-DRM platform it is
always possible to create a new file format that is a plug-in to an
existing media player (IE: how FLAC and OGG took off so quickly, as codecs
to existing media players), or with a new media player.  This is a
circumvention of the purpose of DRM in that it assumes a computing
platform where the user can add new applications without the
permission/control of the software vendor.  These applications can include
new media player applications, and can also include software to record the
output of any media player application.

Thought experiment:

  Al media player applications are just a file conversion utility to
convert a stream of data from some specific encoding into the well-known
format used by the operating system.

  If you play some content on "Microsoft Media Player" running on 
Microsoft windows, and use software that can "record" generic operating 
system media calls, which of the Microsoft Player, Microsoft operating 
system or third party multi-purpose application will be considered the 
"circumvention device"?

  If you run Microsoft Media Player under WINE on a Linux or *BSD computer
and record, what part is considered the "circumvention device"?

  What multi-purpose software will be considered banned in order to make
this treaty "effective" (whatever that means)?

 Russell McOrmond, Internet Consultant: <http://www.flora.ca/> 
 Happy Hacking, Eh!    http://www.digital-copyright.ca/blog/2 (My BLOG)
 Sign the Petition Users' Rights! http://digital-copyright.ca/petition/

More information about the Discuss mailing list