Last weekend, by the good graces of the Berkeley Center for Law and Technology and the Yale Information Society Project, I attended the Boalt Digital Rights Management Conference. There were plenty of bigwigs in attendance, and some very interesting things got said. I've gone through my notes and pulled out some of the more interesting stories and themes. Continues inside . . .
A Preliminary Matter
While I was at the Boalt DRM conference, I learned of the passing of Mary Krinsky, who was an intellectual property lawyer here in New Haven and the mother of a close friend. She had one piece of advice for every law student:
You know nothing. The more you study, the less you know. And one day, if you study enough, you may be lucky enough to know how little you know.
This conference report is for Mrs. Krinsky; between her boundless energy and her fierce irreverence, I think she’d have enjoyed the proceedings. Or at least mocked them soundly.
Has Larry Lessig Cut and Run?
The high point of the conference is the “Impacts of DRM on Flows of Information” panel, at least if you’re looking for some of that good old-time religion fire and brimstone. Larry Lessig speaks last with a Creative Commons sales pitch; the man clearly passed up a lucrative advertising career when he chose the law. He’s even got the all-black outfit.
His slides have an appealing Sesame Street simplicity. Today we’re going to learn about “None, all, and some.” There are three kinds of people. Some are communists and don’t believe in controlling information. They built the Internet. Show me “none.” Some are control freaks who think information should be totally controlled by its creator. And yea, verily, in the future of perfect DRM, they shall inherit the earth. Show me “all.” And then there’s the rest us, the other ninety percent. We think there ought to be controls on information flows, but those controls should be moderate and reasonable. Show me “some.”
Right now, the balance is tipped way over towards “all,” to the point where the “nones” are criminalized and just to be a “some” you need to sign complex legalese. It’s getting hard to be a “some:.” the moderate middle just doesn’t show up on the political radar screens. You’re Jack Valenti or you’re a pirate. Creative Commons is an attempt to build a moderate information coalition.
Lessig wants to distinguish between Digital Rights Management and Digital Rights Expression (funny, now he’s talking like the Microsoft team . . .). You can say “I don’t want you remixing my song unless you credit me as the original author” without specifying an enforcement mechanism at the same time. Most of the content in the world is not of the sort for which the whole DRM sound and light show is superfluous. Let the “all”s worry about the enforcement; we won’t use their overreaching controls for our reasonable requests. On top of an unreasonable copyright law, we’ll build a reasonable layer.
It’s a great idea, in many ways. Not least, it appeals to our notions of democracy: rather than lobbying political institutions for a policy tilt (especially since Congress and the Supreme Court don’t seem to get the problems with copyright), we’ll just tilt policy ourselves, on the ground. But in light of some of the other presentations on the same panel, I’m a little nervous.
You see, the panel opened with Hal Abelson showing a succession of rights policies from major scientific publications. In general, authors sign over copyright to the journal for “limited-time forever;” the journals give back some rights out of their magnanimity. For example, CS journals give authors the right to post their papers on their personal web sites. But CS journals are generous: Chemists can send copies to “not more than 50” colleagues; the New England Journal of Medicine gives nothing back to the authors. As Abelson puts it, “This is the world that the Statute of Anne ushered out.” It’s a world of private stationers, cartels that control publishing. Copyright was supposed to prevent publishing monopolies by giving control back to authors; DRM’s enormous network effects may very well recreate such monopolies.
Or, try Ed Felten’s presentation on DRM and public policy debates. DRM, especially in its DMCA armor, creates black boxes that Must Not be Inspected. But there are major policy issues for which good solutions are highly dependent on informed inspection of the content of those boxes. Will TIA (or its renamed successor) be vulnerable to abuses by rogue agents? Are porn blocking lists blocking political expression? Can we trust the totals from electronic voting? There’s no way to answer these questions without looking inside the black boxes to check the wiring.
It seems to me, at least, that these observations are fundamentally in tension with one of Lessig’s main premises. The Creative Commons vision is that people should have the choice to be “some”s rather than “all”s. But Abelson and Felten are concerned about abuses by the “all”s. It doesn’t matter how many of us put the (cc) on our self-published novels, as long as the voting-machine makers refuse to tell the public how their machines work. Creative Commons by itself will never take our fair use rights back from Adobe.
Lessig has a response to this attack. Creative Commons is about building a political consensus for moderation and shifting the terms of the debate. We’re not abandoning Hal and Ed to evisceration at the hands of the “all”s; we’re just emphasizing a different part of the problem and creating breathing room for a more politically tenable defense. I appreciate his point, and if he does at times seem unduly down on politics and the courts, well, first of all, he’s a little entitled to be, and besides, plenty of other speakers at the conference emphasized the need not to walk away from those other arenas.
But all the same, something has gone missing here. One of the great strengths of the copyright critique these days is that it’s so comprehensive: the story of the copyright balance being tipped too far in favor of protection ties together a remarkably wide collection of issues. Fair use by itself doesn’t necessarily raise a call to arms; neither does the black-boxing of consumer technology, the cartelization of media publishers, the marginalization of the public domain, the criminalization of security research, or the end of universal garage door openers. Placed together, they tell a compelling story and cry out for an across-the-board response. I wish Creative Commons well, but I also hope that it doesn’t forget its roots.
Running Theme Number One: Expression vs. Enforcement
Lessig isn’t the only one insisting that you can separate a description of a DRM policy from the mechanism used to enforce that policy. Half of Brian LaMacchia’s presentation is about XrML (eXtensible Rights Markup Language), a language (still in the drafting stage) for expressing rights management policies. Under XrML, a distributor can grant particular users particular rights, subject to various conditions.
XrML itself says nothing about how to ensure that these conditions are satisfied. (Indeed, even insofar as XrML can be said to have formal semantics, they’re both highly extensible and wildly undetermined). If you have a “compliant” runtime system reading your XrML grants, that system will be responsible for enforcing the terms of those grants. But XrML could just as easily be used to express Creative Commons grants or other policies that either can’t be or aren’t to be translated into direct enforcement actions.
HP’s John Erickson has, I think, the best explanation for why this kind of split makes sense. He insists that because information is so closely bound up with creativity and what he calls “constitutionally-inspired” values, the possibility of human intervention needs to be factored into DRM system design. At the very crudest end, one could imagine a check-box that overrides an anti-copying policy and says “What I am about to do is an exercise of fair use rights; I accept potential liability for my actions.” There are also far more sophisticated possibilities, each of which builds a human into the loop somewhere. (Hal Abelson says something similar: you have to allow de minimis exceptions to formal policies.)
As I see things, the space between expression and enforcement provides a workable location for human intervention. This is, of course, a place where humans have been traditionally part of the loop: the enforcement mechanism for copyright has been (until the advent of DRM) the legal system. From the decision to file suit through the enormously messy discretion afforded judges ruling on fair use through the complexities of enforcing judgments, the legal system, despite all its pretentions at precision, leaves plenty of loopholes for context-specific human flexibility.
Even in the DRMiverse, where “enforcement” is a far more rigorous concept, separating out an expressive layer opens up the possibility for some judicious restraint. Even the most tyrannical of copyright owners don’t really want perfect control all the time; whatever you think of viral marketing, its power depends on the willingness to surrender a degree of control over a meme. A little breathing room also provides a way around the problem that we still don’t know how to write rights expressions that say everything we want them to say.
Richard Epstein Puts His Foot in His Mouth
There are rumors going around that Richard Epstein called up the organizers and invited himself to the conference. He wanted a keynote, but they talked him into settling for a panel appearance. The story seems unlikely. He’s a giant of the law and economics movement; digital rights management isn’t exactly his field. Almost the first thing out of his mouth is "I don't know the specifics here. Until I do, I can't tell you whether you're protecting property or cartelizing an industry." Sure, Richard, but what would you say to a student in your torts class who tells you he doesn't know the specifics of the day's case?
The most humbling moment is yet to come, however. Near the end of the panel on legislative initiatives, another panelist suggests that perhaps music's problem is that it's distributed in the clear; DVDs are less pirated because they're encrypted. This leads Richard to suggest -- to applause -- that maybe over-the-air TV broadcast in the clear is an obsolete technology. Only 20% of Americans now get their news through traditional broadcast TV.
Mozelle Thomspon of the FTC responds with a concern: "With all due respect, a lot of people who look like me are in that 20%." Mozelle is African-American. This is, let me note, the first mention of race, class, gender, or any other systematic distinction among consumers, at the entire conference. But Richard misses the point entirely -- he thinks Mozelle is talking about those stick-in-the-muds who won't adopt new technologies out of irrational attachment to still-supported old technologies. So Richard says, "Maybe you won't look like that if we change the technology."
In the hubbub that follows, Pam Samuelson declares that this seems like an extraordinary moment at which to stop the discussion.
Running Theme Number Two: DRM Is Even Harder Than You Think
The true awesome difficulty of the DRM problem first starts to become apparent during Brian LaMacchia’s tutorial presentation. We’re accustomed to thinking about “digital rights” as reasonably simple things: “I can play this song ten times, but not copy it.” But that’s just one loop of the Loch Ness Monster. After all, the record label would be perfectly happy to send you the song if you promise to play it only five times. Conversely, your player may be a handheld with no digital output, so you’ll accept content without needing to check its copying policy.
The cryptographic handshake is more than just comparing two policies to make sure they’re identical. And, of course, if the content owner has built in an escape hatch to allow key revocation for security lapses, I’d better have some kind of strong assurance that they won’t decide to hold my music collection for ransom five years down the line.
But it gets worse. If that song is copyrighted – which, after all, is the putative basis for this whole game – that copyright will expire at some point. That means you need to build an expiration date into the rights grant (just in case your handheld is still around in 2098). Once you’ve done that, well, the device needs to be secure against rolling its clock forward to 2099; if it gets a time from a central server, that server had better be secure and trusted both by content owners and consumers.
Unfortunately, I’m simplifying the problem, because copyright law changes with monotonous regularity. After all, in 2096, Congress may well pass the Aristotle Timberlake-Bono Copyright Term Extension Act and extend copyright another half century. Which means your original rights grant needs to refer to some “Congress” entity with the authority to change the terms of the rights in various ways. That means infrastructure for Congress to sign and distribute these changes; it also means all of this infrastructure needs to be coded for in every DRM system that ships. Oh, joy. Have I mentioned that no one has yet produced a key-distribution infrastructure that has caught on?
LaMacchia runs through some of these issues with the gleam in his eye that research scientists get when they contemplate projects that will keep them happily employed working on interesting problems for the rest of their lives. You can just tell that the computer scientists in the crowd are thinking of natural language processing and other infamous tarpits; the lawyers have visions of substantive due process and the degrees of care.
And thus, the sixty-four dollar question: Is any of this really going to work? The question tends to come up about once per panel; most of the panelists do their best to avoid dealing with it. The techies are split. The ones who go to great pains to say that they don’t speak for their companies say “no, DRM is a pipe dream.” The ones who don’t include these disclaimers either avoid the question or say “well, we’re doing our best.” The content industry reps treat effective DRM as almost a foregone conclusion. It must exist, because if it doesn’t, well, that would be too horrible a future to contemplate.
The lawyers in attendance, strangely enough, don’t seem to care whether DRM can work. I would have thought that the technical feasibility of effective mass-market DRM was the critical threshold question, but apparently not. I suppose it’s because they’re so accustomed to speaking in hypotheticals.
Best Observation Overheard at Lunch
If you look at the difference between TCPA and the Technology Formerly Known as Palladium (TFKaP), you see just how brilliant Microsoft can be from a product positioning point of view. TCPA, which is basically the baby of Intel and the other hardware vendors, envisioned a new chip on the motherboard. This safe-boot chip would be tamper-proof and would verify the presence of a wholly trusted special OS.
Palladium, on the other hand, involves carving out a safe execution area for trusted code. The OS runs as usual, except that you can set a flag to load an app in the "safe" sandbox. Doing so requires a different memory architecture, at every level from on-board cache to main memory, that maintains a strict segregation between trusted and untrusted data.
In other words, under TCPA hardware designs would be almost entirely unchanged, but the OS would have to be rewritten from scratch. In Palladium, on the other hand, existing pieces of the OS can be re-used as-they-are, but almost every piece of hardware would require a complete redesign. Ed Felten also observed, in a different context, that much of computer science involves using bulldozers to shove tough problems into someone else's back yard.
Another running gag among the Microsoft crew is their continuing refusal to use the P-word in conversation. It’s called NGSCB now. That’s short for Next-Generation Secure Computing Base; funny how every time a project name gets in trouble, it’s replaced with an unpronounceable acronym. One of the Softies confirms in conversation that instructions have come down from on high not to utter the name of the Dread Metal.
Which is funny, because the MS people at the conference are among the straightest shooters in all other ways. Compared with the other industry flacks – and especially when compared with the content industry reps – they give detailed and specific presentations refreshingly free of dogma.
Running Theme Number Three: Maybe DRM Isn’t So Good For Content Companies:
Drew Dean of SRI fires the first shot in another running battle when he throws up two scathing reviews of the Sony Music Clip on the overhead. Choice words include “Potential criminal,” “insulting,” and “frustrating.” Then he reveals that these reviews were from Fortune and the Wall Street Journal, hardly figures of consumer radicalism. His point: DRM systems that are designed to keep consumers from doing things with “their” content will be vetoed by those consumers. Companies that try to force DRM on an unwilling market are just shooting themselves in the business model.
Bob Blakely from Intel goes to town with this idea Friday morning. He asks the audience to imagine a DRM Fairy, but the story he’s telling is that of the monkey’s paw. Here’re a few of his fun observations:
- Compared with the regular version of your product, the DRM version will have all sorts of fun new failure modes. That means helpdesks and higher lifecycle support costs.
- Compared with the regular version of your product, the DRM version will have more versions, more bells and whistles, more internationalization problems, and therefore higher inventory costs.
- The information-gathering your DRM does will haul your company within the scope of the EU Privacy Directive and create other new kinds of liability for you.
- Your DRM may create markets for your competitors. Blakely cites the example of mobile phones; if your ringtones are carefully protected, your competitors may sell tradable ones and undercut you.
- If rights have value – which is the point of this exercise, is it not – then your customers will comparison-shop for rights. This will put price pressure on your rights grants; pretty soon you’re back where you started. Except that since you’re selling rights instead of content, if the DRM fairy has a bad day and your DRM is broken, you’re completely hosed.
I don’t buy all of these arguments. Many of them cut both ways. But I’m certainly willing to believe that some of these chickens will come home to roost.
Hal Varian throws up some numbers to suggest that content dudes are better off selling one copy to each consumer (and charging more for it) than trying to separately cost out each particular use the consumer wants to make of the content. Put another way, publishers trying to solve the “problem” of sharing between consumers should be wary about thinking of the consumer who plays a CD at home and in her car as a “problem,” too. And if your technology keeps customers from innovating with your products, you lose the benefit of that innovation.
He also reiterates Blakely’s point about the effects of competition on rights-enabled markets: in the presence of competition, people start abandoning their copy-protection schemes, no matter how effective. On Saturday, Emery Simon of the Business Software Alliance says something very similar: he tells the history of the “dread dongle.” For its time, the dongle was the height of sophistication in preventing piracy, but the software industry wound up abandoning dongles because the companies that made dongle-less products could charge more and still sell more copies. The fight for market share is the real battle, not the fight against piracy. Simon does think that things move in cycles; he recognizes that there are times when the competition is less fierce; he also points out that consumers do accept some limitations. But he’s quite firm in saying that not all DRM makes business sense.
Yale’s Joan Feigenbaum has a more upbeat way of putting this point. “The best technological protection system is a great business model,” she says. Use technology to do what it does best naturally; an Internet distribution business should be designed to benefit from uncontrolled copying.
Lon Sobel’s Loopy Idea
You can’t blame Lon Sobel for trying. Perhaps alone of all the participants at the conference, he’s trying to cut the Gordian knot. His idea has the simplicity common to the brilliant proposal and the insane one. He wants another statutory licensing scheme. This time, copyright holders would set the amount they want to be paid for each download of their content; ISPs would then monitor all traffic through their pipes. They’d scan the bits for copyrighted content; each time they recognized something, they’d have to pay the owner the established royalty rate. Most of the time the scans would rely on watermarks; where watermarks had been stripped, fingerprinting would come to the rescue. ISPs would pass the bills on to their customers.
It’s a shame that the idea is utterly and wholly unworkable, because it’s appealing in every other way. It doesn’t try to stop the flow of information; it’s agnostic between different communications technologies in the network itself. It pays copyright holders their asking price; it gives users the opportunity to choose whether to pay that price on a per-item basis. Economically speaking, it’s a marvelous suggestion. But the techies spend the rest of the day tearing it to shreds.
Sara Deutsch from Verizon, who know from complicated billing, tells Lon that the billing system required would be “pretty ambitious.” She also points out that ISPs would have to be tax collectors on goods they don’t (and can’t) control. Even when it’s pointed out to her that this would drive out a lot of small ISPs out of business, presumably to Verizon’s benefit, she sticks to her guns. When it comes to the possible data-mining abuses, she just shudders.
Bob Blakely groans when he tries to think of the failure mode for the billing system. He says that if he were evil, he’d write a worm that went around modifying the watermarks on everything it could find to claim that he owned the copyright and wanted the deposits made to an offshore bank account. “As long as you keep buying me drinks tonight,” he promises, “I can keep on thinking up attacks.”
Ed Felten, when asked about the idea later on, just points out that users will start encrypting files they send to each other to avoid the ISP tax on recognizable content. And then you’re right back where you started, except that the genie is more or less irrevocably out of the bottle.
Sobel just keeps on grinning.
Running Theme Number Four: Is There a Fair Use Compromise Out There?
At the end of Thursday’s tutorials, Alex Alben asks whether there’s a way to make a workable fair-use carve-out from the DMCA. Pam Samuelson tells him to ask again on Saturday. Over the next two days, perhaps half a dozen speakers address themselves to this question; they give half a dozen different answers.
The content industry reps, unsurprisingly, think that the DMCA is already a decent compromise. Now that they have their lollipop, they don’t want to give it up: they insist, over and over again, that opening up any chinks in the DMCA dike will unleash a flood of piracy the likes of which the world has never seen.
At the same time, their responses expose the very real fault lines between the different media cartels. Cary Sherman of the RIAA talks a reasonably reasonable line: neither consumers nor musicians like the current wave of DRM technology. But when you can play your CD on your computer and in your car, but not Napsterize it, everyone wins. He’s also perfectly willing to speculate on new business models for the music industry: packaging concert tickets with CDs, for example. Put another way, he sees the fair use “compromise” as something consumers and companies will work out through honest back-and-forth negotiation in the marketplace.
Fritz Attaway of the MPAA, on the other hand, is as doctrinaire as they come. “Copyright has been described as a monopoly. That’s not a bad thing; that's a good thing,” is my favorite Fritz line. He pays lip service to the idea that marketplace will strike a good compromise, but does some interesting contortions to turn the broadcast flag into a “market” solution. The best he’s able to come up with is that it will “level the playing field” and let broadcasters compete properly with cable, which already can use encrypted signals. Richard Epstein (on his way to the aforementioned Kodak moment), in particular, gives Fritz a hard time for this unexpected solicitude for those poor, unfortunate, TV broadcasters.
Allan Adler, from the American Association of Publishers, on the third hand, is more willing to say that we don’t yet have a good idea what the right compromise will look like (even though his faith that such a compromise exists, is, of course, unshaken). Part of this willingness is professional frustration: the publishing industry is, apparently, still smarting from its first experiments with e-books. From Adler’s perspective, that first generation of DRM wasn’t well-tailored to the publishing industry; he’s not the only speaker who wonders why everyone’s favorite DRM test case is invariably music. More to the point, consumers haven’t yet accepted that they’ll need to give up certain traditional freedoms if they want to get the increased power of e-books in return. Consumers love the search and annotation features, but they haven’t been willing to ante up yet.
The law professors, as a camp, agree that consumer resistance to the loss of fair use rights has been strong. But they see this as a good thing. Consumers are fighting the good fight for democratic values, but they can’t hold out forever. The legal cavalry need to ride to the rescue.
Thus Julie Cohen rings some recognizable changes on her famed “right to read anonymously.” If the government specifies a meaningful baseline of affirmative consumer rights, the techies and suits can work out sensible systems and business models, respectively, that respect the contours of those rights. Raymond Ku says basically the same thing, from the perspective of content owners: fair use rights are a way to enshrine creative destruction as a principle of competition in content industries.
And Anita Ramasatry draws an analogy between fair use and “reasonable expectations” in contract law. It’s immensely hard to legislate a precise meaning in an enforceable way, but it is possible to legislate to correct imbalances in bargaining power. Markets are a “social phenomenon,” and if DRM takes away the flexibility and play of the fair negotiation process, consumers will experience it as a destruction of the social amity that accompanies their cultural interaction with copyrighted content. You know, companies suing their customers being kind of an anti-social act. Things like that.
Joan Feigenbaum, though, has what I think of as the most interesting response to this question. With a computer scientist’s eye, she runs through the legal description of “fair use” and concludes that this is no way to specify a system. It’s all mucky and complicated and it’s described entirely in terms of its exceptions. She’d rather we turn around and start thinking about the common cases, start specifying consumer rights affirmatively (rather than as exceptions to copyright-holders’ rights), and get some default rules that satisfy our expectations most of the time. That would at least be a good starting point for a conversation. One expects John Erickson to come trotting over at this point and talk about putting humans in the loop, but he doesn’t.
A Final Observation
And that, I think was perhaps the most striking theme of the conference: how many ideas wound up on the floor once their first presenter sits down. I’ve been talking about running “questions” rather than running “answers” for a very good reason: the conference was very short on answers. There were principles, articles of faith, tentative suggestions, and some moments of high comedy, but no one said anything that shook the DRM world to its very foundation.
Nor did it seem as though many people were walking away with their thinking much changed. And there were a lot of smart people kicking around at the conference; the ones on the panels weren’t the half, or even the quarter of it. For this many heavy-duty Minds, and all that Conversation, there wasn’t all that much Progress.
Or, to think of the issue in a different way, everyone knew coming in what the hard questions were. Will DRM work? How can we keep DRM from being a dagger aimed at the hearts of consumers? Without DRM, what will we do about the dagger aimed at the hearts of copyright owners? Is fair use dead? Why can’t we code our way around this problem?
The conference, if it was about anything, was about restating these questions and systematically shooting down cheap attempts to weasel out of them. After three days and a lot of debate, perhaps all we know about DRM is how little we know about DRM. But that in itself is something, as Mary Krinsky would have pointed out.
I consider myself lucky to have been there; I think many of the other attendees felt the same way.