DRM is harmful to our security. At best, it’s a necessary evil — and it’s arguably not necessary and isn’t worth the trade-off. Here’s how DRM and the laws that protect it make our computers less secure and criminalize telling us about the problems.
DRM Can Open Security Holes
Digital Rights Management (DRM) itself can be insecure. DRM is implemented with software, and this software needs deep permissions into the operating system so it can stop normal operating system functions.
The Sony BMG CD copy protection rootkit — first released in 2005 — is a perfect storm of DRM security issues.
The Sony rootkit came preinstalled on a variety of audio CDs. When you inserted the CD into your computer, the CD would use AutoRun in Windows to automatically launch a program that installs the XCP rootkit on your computer. This DRM software was designed to interfere with copying or ripping of the CD. The XCP rootkit burrowed deep into the operating system, installing itself silently, providing no way to uninstall it, consuming excessive system resources, and potentially crashing the computer. Sony’s EULA didn’t even mention this rootkit in the fine print, which shows how pointless EULAs are.
Even worse, the XCP rootkit opened security holes on the system. The rootkit hid all file names starting with “$sys$” from the operating system. Malware — such as the Breplibot Trojan — began to take advantage of this to disguise itself and more easily infect systems with Sony’s DRM installed.
This isn’t just one isolated example. In 2012, Ubisoft’s uPlay software was found to include a nasty security hole in a browser plug-in that would allow web pages to compromise computers running uPlay. uPlay is mandatory for running and authenticating Ubisoft games online. This wasn’t a rootkit — just “really bad code” in DRM software that opened big hole.
Laws That Protect DRM Criminalize Security Research
Laws that protect DRM can criminalize security research and prevent us from even knowing about the problems. For example, in the USA, the Digital Millennium Copyright Act (DMCA) prohibits circumventing access-control measures. There are some narrow exceptions for security research, but the law broadly criminalizes most circumvention that doesn’t fall under these narrow measures. These are the same sort of laws that criminalize jailbreaking and rooting of phones, tablets, and other devices.
These laws and associated threats create a chilling environment. Security researchers are encouraged to keep quiet about vulnerabilities they know about rather than disclosing them, because disclosing them could be illegal.
This is exactly what happened during the Sony DRM rootkit fiasco. As Cory Doctorow points out:
“…when word got out that Sony BMG had infected millions of computers with an illegal rootkit to stop (legal) audio CD ripping, security researchers stepped forward to disclose that they’d known about the rootkit but had been afraid to say anything about it.”
A Sophos poll found that 98% of business PC users thought the Sony DRM rootkit was a security threat. The law shouldn’t silence security researchers who could inform us about such serious security problems.
Due to the DMCA, it may even have been illegal for anyone to uninstall the Sony rootkit from their PCs. After all, that would be bypassing DRM.
DRM Reduces Your Control Over Your Own Computer
You have control over your own computer — that’s the core problem DRM is trying to solve. When you sit down with a general purpose PC operating system, you have full control over what’s happening on your PC. This means that you could violate copyright in some ways — record a Netflix video stream, copy an audio CD, or download files without the permission of the copyright holder.
Giving the manufacturer this much control means we give up the ability to really control our own devices and protect them in other ways. For example, this is why you have to root Android to install many types of security software — device tracking apps that persist after a factory reset, firewalls that control which apps can access the network, and permission managers that control what apps can and can’t do on your device. They all require rooting to install because they need to bypass the restrictions on what you can and can’t do on your device.
We’ve pointed this out before — our computing devices are becoming more and more locked down. Cory Doctorow explains the battle we’re facing in “The coming war on general-purpose computing”:
“Today we have marketing departments that say things such as “we don’t need computers, we need appliances. Make me a computer that doesn’t run every program, just a program that does this specialized task, like streaming audio, or routing packets, or playing Xbox games, and make sure it doesn’t run programs that I haven’t authorized that might undermine our profits.”
We don’t know how to build a general-purpose computer that is capable of running any program except for some program that we don’t like, is prohibited by law, or which loses us money. The closest approximation that we have to this is a computer with spyware: a computer on which remote parties set policies without the computer user’s knowledge, or over the objection of the computer’s owner. Digital rights management always converges on malware.”
Let’s face it — DRM is harmful. Worse yet, it doesn’t actually stop copying — just witness all the unauthorized file-downloading still going on. We need to acknowledge the problems and realize that there’s a trade-off to using DRM. If we’re going to use DRM, we should at least protect security researchers so they can tell us when we’re using DRM software that puts our PCs at risk!