Pinterest Stumbleupon Whatsapp

DRM is harmful to our security. At best, it’s a necessary evil — and it’s arguably not necessary and isn’t worth the trade-off. Here’s how DRM and the laws that protect it make our computers less secure and criminalize telling us about the problems.

DRM Can Open Security Holes

Digital Rights Management (DRM) What Is DRM & Why Does It Exist If It's So Evil? [MakeUseOf Explains] What Is DRM & Why Does It Exist If It's So Evil? [MakeUseOf Explains] Digital Rights Management is the latest evolution of copy protection. It’s the biggest cause of user frustration today, but is it justified? Is DRM a necessary evil in this digital age, or is the model... Read More itself can be insecure. DRM is implemented with software, and this software needs deep permissions into the operating system so it can stop normal operating system functions.

The Sony BMG CD copy protection rootkit — first released in 2005 — is a perfect storm of DRM security issues.

The Sony rootkit came preinstalled on a variety of audio CDs. When you inserted the CD into your computer, the CD would use AutoRun in Windows to automatically launch a program that installs the XCP rootkit on your computer. This DRM software was designed to interfere with copying or ripping of the CD. The XCP rootkit burrowed deep into the operating system, installing itself silently, providing no way to uninstall it, consuming excessive system resources, and potentially crashing the computer. Sony’s EULA didn’t even mention this rootkit in the fine print, which shows how pointless EULAs are 10 Ridiculous EULA Clauses That You May Have Already Agreed To 10 Ridiculous EULA Clauses That You May Have Already Agreed To Let’s be honest, no one reads EULA's (End User Licensing Agreement) - we all just scroll down to the bottom and click "I Accept". EULAs are full of confusing legalese to make them incomprehensible to... Read More .

Even worse, the XCP rootkit opened security holes on the system. The rootkit hid all file names starting with “$sys$” from the operating system. Malware — such as the Breplibot Trojan — began to take advantage of this to disguise itself and more easily infect systems with Sony’s DRM installed.

This isn’t just one isolated example. In 2012, Ubisoft’s uPlay software was found to include a nasty security hole in a browser plug-in Browser Plugins - One Of The Biggest Security Problems On The Web Today [Opinion] Browser Plugins - One Of The Biggest Security Problems On The Web Today [Opinion] Web browsers have become much more secure and hardened against attack over the years. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser... Read More that would allow web pages to compromise computers running uPlay. uPlay is mandatory for running and authenticating Ubisoft games online.  This wasn’t a rootkit — just “really bad code” in DRM software that opened big hole.



Laws That Protect DRM Criminalize Security Research

Laws that protect DRM can criminalize security research and prevent us from even knowing about the problems. For example, in the USA, the Digital Millennium Copyright Act (DMCA) prohibits circumventing access-control measures. What Is the Digital Media Copyright Act? What Is the Digital Media Copyright Act? Read More There are some narrow exceptions for security research, but the law broadly criminalizes most circumvention that doesn’t fall under these narrow measures. These are the same sort of laws that criminalize jailbreaking and rooting of phones, tablets, and other devices Is It Illegal To Root Your Android or Jailbreak Your iPhone? Is It Illegal To Root Your Android or Jailbreak Your iPhone? Whether you're rooting an Android phones or jailbreaking an iPhone, you're removing the restrictions the manufacturer or cellular carrier placed on the device you own – but is it legal? Read More .

These laws and associated threats create a chilling environment. Security researchers are encouraged to keep quiet about vulnerabilities they know about rather than disclosing them, because disclosing them could be illegal.

This is exactly what happened during the Sony DRM rootkit fiasco. As Cory Doctorow points out:

“…when word got out that Sony BMG had infected millions of computers with an illegal rootkit to stop (legal) audio CD ripping, security researchers stepped forward to disclose that they’d known about the rootkit but had been afraid to say anything about it.”

A Sophos poll found that 98% of business PC users thought the Sony DRM rootkit was a security threat. The law shouldn’t silence security researchers who could inform us about such serious security problems.

Due to the DMCA, it may even have been illegal for anyone to uninstall the Sony rootkit from their PCs. After all, that would be bypassing DRM.


DRM Reduces Your Control Over Your Own Computer

You have control over your own computer — that’s the core problem DRM is trying to solve. When you sit down with a general purpose PC operating system, you have full control over what’s happening on your PC. This means that you could violate copyright in some ways — record a Netflix video stream, copy an audio CD, or download files without the permission of the copyright holder.

Giving the manufacturer this much control means we give up the ability to really control our own devices and protect them in other ways. For example, this is why you have to root Android to install many types of security software — device tracking apps that persist after a factory reset Was Your Android Phone Lost or Stolen? This Is What You Can Do Was Your Android Phone Lost or Stolen? This Is What You Can Do There are many good options for remotely locating your stolen phone, even if you never set anything up before you lost your phone. Read More , firewalls that control which apps can access the network Avast! Introduces Free Mobile Security App For Android 2.1+ [News] Avast! Introduces Free Mobile Security App For Android 2.1+ [News] There are plenty of free mobile security apps available for Android. The market seems to be filled to the brim with them. Yet it’s hard to say if they’re trustworthy because often they’re developed by... Read More , and permission managers How App Permissions Work & Why You Should Care [Android] How App Permissions Work & Why You Should Care [Android] Android forces apps to declare the permissions they require when they install them. You can protect your privacy, security, and cell phone bill by paying attention to permissions when installing apps – although many users... Read More that control what apps can and can’t do on your device. They all require rooting to install because they need to bypass the restrictions on what you can and can’t do on your device.

We’ve pointed this out before — our computing devices are becoming more and more locked down Convenience Before Freedom: How Tech Companies Are Slowly Trapping You [Opinion] Convenience Before Freedom: How Tech Companies Are Slowly Trapping You [Opinion] Computers were once under our control. We could run any software we wanted on them, and the companies that manufactured the computer had no say. Today, computers are increasingly being locked down. Apple and Microsoft... Read More . Cory Doctorow explains the battle we’re facing in “The coming war on general-purpose computing”:

“Today we have marketing departments that say things such as “we don’t need computers, we need appliances. Make me a computer that doesn’t run every program, just a program that does this specialized task, like streaming audio, or routing packets, or playing Xbox games, and make sure it doesn’t run programs that I haven’t authorized that might undermine our profits.”

We don’t know how to build a general-purpose computer that is capable of running any program except for some program that we don’t like, is prohibited by law, or which loses us money. The closest approximation that we have to this is a computer with spyware: a computer on which remote parties set policies without the computer user’s knowledge, or over the objection of the computer’s owner. Digital rights management always converges on malware.”


Let’s face it — DRM is harmful. Worse yet, it doesn’t actually stop copying — just witness all the unauthorized file-downloading still going on. We need to acknowledge the problems and realize that there’s a trade-off to using DRM. If we’re going to use DRM, we should at least protect security researchers so they can tell us when we’re using DRM software that puts our PCs at risk!

Image Credit: YayAdrian on Flickr, Ian Muttoo on Flickr, Lordcolus on Flickr, Shutterstock

Leave a Reply

Your email address will not be published. Required fields are marked *