DRM and the laws that back it up actively undermine our computer security. On this Day Against DRM, the first one since we learned about the US government's efforts to sabotage the integrity of our cryptography and security technology, it's more important than ever to consider how the unintended consequences of copyright enforcement make us all less safe.
How does this happen? In a misguided effort to "protect" digital media, DRM makes computer users more vulnerable. It does this by inhibiting research on security and encryption, and by devising methods for computers to disobey their owners.
DRM on its own is bad, but DRM backed by the force of law is even worse. Legitimate, useful, and otherwise lawful speech falls by the wayside in the name of enforcing DRM—and one area hit the hardest is security research.
Section 1201 of the Digital Millennium Copyright Act (DMCA) is the US law that prohibits circumventing "technical measures," even if the purpose of that circumvention is otherwise lawful. The law contains exceptions for encryption research and security testing, but the exceptions are narrow and don't help researchers and testers in most real-world circumstances. It's risky and expensive to find the limits of those safe harbours.
As a result, we've seen chilling effects on research about media and devices that contain DRM. Over the years, we've collected dozens of examples of the DMCA chilling free expression and scientific research. That makes the community less likely to identify and fix threats to our infrastructure and devices before they can be exploited.
The Unlocking Technology Act, a bi-partisan bill introduced last year in Congress, would address part of this problem. If passed, the bill would help to bring the DMCA's anti-circumvention provisions into line with common sense: specifically, by limiting the prohibition to situations that would actually lead to infringement. Security research is among the many legitimate and lawful uses that DRM blocks; the Unlocking Technology Act would help make the world safe for those uses.
More fundamentally, though, DRM creates a massive security hole by requiring users to give up some control of their own computers. This point is best expressed by EFF Special Advisor Cory Doctorow, who has outlined it in two talks about what he describes as the coming wars overgeneral purpose computing.
As he lays out, people that want to restrict what users can do with their own computers are faced with a problem: there's no way to make a computer that runs every kind of program except the ones regulators don't like. Instead, regulators can push for spyware that observes users and steps in when they're engaged in objectionable behaviour—a situation Doctorow likens to the film 2001 and its famous line, "I can't let you do that, Dave."
From Doctorow's talk:
DRM only works if the "I can't let you do that, Dave" program stays a secret. Once the most sophisticated attackers in the world liberate that secret, it will be available to everyone else, too.
... DRM has /inherently/ weak security, which thereby makes overall security weaker.
Certainty about what software is on your computer is fundamental to good computer security, and you can't know if your computer's software is secure unless you know what software it is running.
The public response to Snowden's revelations about computer security has, sensibly, centred on a push for more transparency. More than ever, security tools must be open for inspection and the process of deciding standards must be open to debate. Even when it's not directly creating security debacles like in the case of the Sony rootkit, DRM undermines these goals by requiring secrecy instead.
Proponents of DRM like to dismiss real problems with it as mere inconveniences. But as computers enter—and come to dominate—more and more of the interactions of our life, it's time we acknowledge that making them less safe in the name of copyright restrictions is not something we can tolerate.
This article first appeared on Electronic Frontier Foundation and reproduced here under Creative Commons license.