Digital Rights Management & Music

It's been said that you can no more make a digital music file uncopyable than you can make water unwet. In other words, the transition from analogue to digital forms of music distribution has resulted in formats which are fundamentally redistributable without loss of quality. Almost 20 years after the compact disc was introduced, the music industry is only just beginning to face this reality. Back in the 1980s, CDs promised higher profit margins, and vinyl rapidly disappeared from the high street, even when music lovers were still asking for it.

In the present, the record labels report declining profitability, and blame piracy. In their definition of piracy, the labels include both unlicensed commercial operations and end-user redistribution of music, be it on CD-R or via peer-to-peer computer networks. Other possible explanations for declining music sales — such as the economic downturn in the USA, or the fact that teenagers are spending their money on console games and mobile phones — don't grab the headlines in the same way.

There is no doubt that counterfeiting is a serious problem for the manufacturers of all kinds of branded goods, including CDs, and the recording industry is becoming increasingly aggressive in pursuing counterfeiters through the courts. However, the legal remedies used against large-scale unlicensed CD pressing operations are usually too expensive and impractical to be used against millions of individuals, so the music business is trying to control end-user redistribution by technological means instead. To this end, a sub-industry has emerged which promises control over the end users of music and other digital content. These firms describe what they do as Digital Rights Management, a term that seems to imply some sort of fine-grained control over different kinds of users, with royalty payments collected where appropriate.

Figure 1: The SDMI watermark attack problem. For each of the four watermark challenges, Sample-1, sample-2, and sample-3 are provided by SDMI. Sample-4 is generated by participants in the challenge and submitted to an SDMI 'oracle' for testing.'Digital rights management' suggests an electronic equivalent of the work that the Mechanical Copyright Protection Society does in the UK, collecting money to make sure musicians are rewarded for their work. However, what all currently available DRM vendors' products have in common is that they attempt to restrict the playback or copying of music, which is not the same thing as collecting payment for it. A better name for the technology might therefore be 'digital rights enforcement'.

In many countries it's actually legal to make personal copies of media in some circumstances, under 'fair use' laws that date from the era of analogue tape, but the goal of most DRM systems is to prevent or limit personal copying. It might be a watermark to prevent serial copies, or a corrupt track on a CD to stop it working in a computer, but so far the implementations of DRM available are all negative: they reduce the potential of digital media rather than add features. This makes DRM-enabled music a less compelling purchase than standard CDs, in a crowded marketplace where plenty of other items compete for the music lover's disposable income. Negative forms of DRM also create another problem. The global community of music listeners has far more resources at its disposal than any DRM vendor: time, motivation, and even programming skill. It takes only one frustrated teenager with a talent for cryptography to break the most expensive and complex DRM system. The reality is that there are thousands of people around the world who have that ability, and they have worked together to defeat nearly all of the significant DRM systems established so far.

SDMI

The Secure Digital Music Initiative was an early casualty in the war on music sharing. The SDMI was relatively unusual among groups advocating DRM, in that it was a wide-ranging coalition including companies from the technology and music industries, as well as artists' representatives such as the American Society of Composers, Authors and Publishers.

A competition was announced in September 2000, in which a cash prize was offered to anyone who could break one of four different SDMI watermarking schemes. A team of academics from Princeton University and Rice University in the USA, among over 400 other entrants, decided to give it a go. Watermarking is designed to incorporate inaudible data into a digital music file which would enable unauthorised copies to be identified. It's claimed that the technique does not affect perceptible audio quality, although some audiophiles have doubts about this.

The challenge in the 'HackSDMI' contest was to remove the watermark and produce a file which sounded like the original. Presumably, the SDMI consortium must have been reasonably confident of the technologies in order to offer them for public scrutiny. The Princeton/Rice team successfully removed watermarks from all four examples, but declined the cash prizes because they would have meant signing a gagging agreement. Instead, the academics produced a paper for a technical conference in April 2001.

Before this paper was presented, the SDMI tried to suppress the information, indicating that they still believed the watermarking techniques were viable, despite the flaws discovered during the contest. The Recording Industry Association of America threatened to have the research team prosecuted (and possibly jailed) under the notorious Digital Millennium Copyright Act, on behalf of the SDMI and Verance. The Verance watermark was one of those defeated by the Princeton/Rice team, and is the DRM technology used in DVD-Audio discs.

The academics went ahead and published their research at another conference in August 2001. The RIAA eventually backed down, agreeing by 2002 that the publication of scientific research exposing flaws in watermarking was in the best interest of all parties. The SDMI consortium became dormant, although its web site still exists. A note entitled Current Status, dated May 18, 2001 says "it was determined that there is not yet consensus for adoption of any combination of the proposed technologies. Accordingly, SDMI is now on hiatus, and intends to re-assess technological advances at some later date."

Windows Media

Microsoft has its own multimedia delivery system based around the Windows Media Player, and this has a system of DRM built in. Based on encryption, unique identifiers and one-time licences that can't be shared by end users, the system is based on 'security by obscurity': no-one outside of Microsoft was supposed to be able to understand it.

Real Networks' Helix DRM system is conceived as a format that can be used to package various forms of content including audio and video. In October 2001 an anonymous man, woman or group going by the name Beale Screamer posted a series of messages to the sci.crypt newsgroup, revealing the secrets of version 2 of the Microsoft DRM system used with WMA files. The source code for a program called Free Me was also posted, which could remove the DRM protection from those files. Rather than an insider, Beale Screamer seemed to be a rogue cryptanalyst who had taken a dislike to the way media companies were implementing DRM systems.

Included with the technical information was an extraordinary message explaining why Beale Screamer had set out to break the DRM system. Addressing artists, it said "Don't fear new distribution methods — embrace them. Technology is providing you the means to get your art directly to consumers, avoiding the big record companies. They want a piece of the action for your creativity, and you don't need to let them in on it any more. Your fans will treat you nicely, unless you treat your fans poorly. Bo Diddley didn't have anything to fear from his fans, but a lot to fear from Leonard Chess. Think about that."

A paper written by four Microsoft software engineers entitled The Darknet And The Future Of Content Distribution, presented at a DRM conference in November 2002, argued that the digital genie was most definitely out of the bottle. The 'darknet' was their term for all unofficial distribution on computer networks. Following their research, the authors were quite confident that the darknet will survive, even if today's peer-to-peer networks do not.

Liquid Audio And Real Networks

Another DRM format that was once touted as the future of secure internet music distribution was Liquid Audio. However, it was never very popular with end users, and the two founders of the company behind the format resigned from their executive posts in November 2002. Earlier that year, the company had sold its DRM patents to Microsoft, so if we see Liquid Audio technology again, it may be as part of Windows Media Player.

Real Networks remain the only company providing an Internet media system with significant market share, other than Fraunhofer — who devised the MP3 format — and Microsoft. Real Networks recently announced a new system called Helix DRM, which is designed to package a number of formats including Real Audio, Real Video and MP3 inside a DRM wrapper. Whether secure media distributed via the Helix system proves popular with content creators or end users remains to be seen.

CD Corruption Systems

If you can't stop music being shared once it's uploaded to the Internet, why not stop people from putting it there in the first place? That would appear to be the rationale behind several DRM systems which are designed to prevent 'ripping', or the practice of making lossy compressed audio files, such as MP3s, from CDs. These systems include the Cactus 200, Key2Audio and MediaCloQ formats, as well as undocumented methods, and the use of these techniques is not always indicated on album packaging.

Midbar Tech's Cactus system is designed to prevent audio being 'ripped' from CDs by making them unreadable by computer CD-ROM drives. Some record labels put obvious warnings on corrupt CDs, while others use minuscule print or don't mention the DRM system at all.Taking advantage of the fact that CD-ROM drives are different from typical audio CD players, these systems use corruptions of the error-correction system to make the CD-ROM drive reject the disc as faulty, or otherwise prevent playback. Some systems offer an inferior alternative by making the computer play a lo-fi version of the music, instead of the uncompressed CD audio data. Recent releases have featured mixtures of corrupt and normal CDs in different regions, perhaps as part of test marketing.

Despite these measures, music from the earliest CDs to be 'protected', such as the promo for Michael Jackson's 'You Rock My World', still appeared on peer-to-peer systems overnight. An analogue output from a domestic CD player connected to a computer's soundcard makes ripping still possible, while owners of CD players with digital outputs can often make perfect serial copies. One CD protection scheme can even be defeated with a felt-tip pen drawn carefully over a certain track of the CD.

Older CD audio players and high-end machines have been reported to reject the corrupted discs, while some models of Apple computer have been known to lock the CD inside, requiring a return of the computer to the dealer. Interfering with error correction could mean that these discs have a shorter lifespan too, as players are less likely to be able to cope should these discs become scratched.

The theory that corrupting established CD specifications can help protect record company profits has yet to be proved. Listening habits are changing, and it seems people want to play CDs on their computer, without necessarily ripping them to an inferior lossy format. Some legitimate CDs now have less reliability and utility than counterfeit versions without copy protection, and computer owners might be even more likely to use peer-to-peer networks if they can't be sure that the CD they buy will work in their chosen listening device.

TCPA And Palladium

Having established that digital audio is hard to make uncopyable, and that interfering with CD formats provides limited protection at best, the next logical step is to put DRM technology into hardware — as a legal requirement, if necessary. Intel, as the largest manufacturer of computer CPUs, has been working on this for some time. Each Pentium III chip was planned to have a unique ID number which could be used to police the use of unlicensed software, but the company withdrew the feature after finding that customers were unhappy about the implications for privacy.

To make hardware-based DRM work, the CPU and motherboard manufacturer needs the cooperation of the company making the operating system. Microsoft's solution is to put DRM into the lowest level of Windows, where the user supposedly can't do much about it — see Dave Shapton's article on Secure Audio Path (Cutting Edge, December 2002). In to this picture comes a group called the Trusted Computing Platform Alliance, and a Microsoft scheme called Palladium. TCPA is a consortium founded by Intel, Microsoft, Compaq/HP and IBM, which now includes many other firms from the computer industry. These companies aren't record labels, and are arguably more concerned with unlicensed software than they are with music distribution. However, they are interested in the security of digital goods generally, as part of the continued growth of e-commerce.

The TCPA isn't offering a DRM system, but it is attempting to provide the foundations for one in hardware. The TCPA wants to have a chip on every motherboard which uniquely identifies a computer, and is able to report details of that computer over the network — details such as what music software is running. Some machines have already been fitted with these chips, including one model of IBM Thinkpad laptop. Later, the chip may be integrated into Intel CPUs to make it harder to tamper with. AMD, the manufacturer of the Athlon CPU, is also said to be considering including the chip in its products.

Fritz Hollings would like every American to have DRM technology in their computer, whether they want it or not. In the USA, entertainment industry lobbyists have been trying to persuade the government to make TCPA and DRM a legal requirement for any hardware which could conceivably play or copy digital media. A notable crusader for compulsory DRM has been Senator 'Fritz' Hollings, who enjoys the sponsorship of media companies including AOL Time Warner, News Corporation and Disney. In his honour the TCPA reporting device is often referred to as the 'Fritz chip'.

Microsoft's complementary Palladium system is being introduced gradually, with the foundations already in Windows XP and the second phase in XP Service Pack 1 and NET Server 2003. The third phase is due to arrive with 'Longhorn', the next version of Windows. While the details are still obscure, Palladium builds on TCPA hardware to create a system which is supposed to be secure 'from fingertip to eyeball'. This means that secure content, such as music, will only be able to be accessed using trusted keyboards, trusted video cards, and trusted applications. These computers will be 'trusted' not to perform certain tasks, which will almost certainly include the copying of music.

Starting with the assumption that anyone who wants to copy music must be doing something wrong makes creative activity marginal at best. Music has always been about reinventing the past, and sampling culture has been part of that for the last 20 years. Palladium doesn't care if you want to sample a song, obtain the necessary clearances and pay the due royalties. It might prevent you from doing anything that isn't within the narrow boundaries that its creators define. The audio professional might argue that measures such as Palladium will only affect consumer equipment, and that their own studio hardware will retain its full creative potential. However, general-purpose PCs have become a feature of studio operations over recent years, and if the TCPA system is built into motherboards or CPUs, people who make their living recording music might find it hard to avoid.

A key question remains over the ownership of the technology. Would an independent studio be recognised as a legitimate content creator, and therefore have access to the protection offered by TCPA? If you have to get all your content digitally signed by Microsoft, will the service be affordable? How would a self-employed sound engineer be distinguished from an 'end user' of music? The security of a system like Palladium depends on Microsoft retaining tight control — spread access too widely and it would almost certainly be compromised.

Potentially the greatest flaw in TCPA and Palladium is that it depends on people continuing to buy Intel or AMD-based PCs running Windows. Yet the computers of the future might look very different from PCs, and might not be based on the Intel architecture.

Where Next?

So where does this leave the musician or producer who wants to take advantage of digital distribution, but doesn't want to be ripped off? Faith that the computer industry will come up with a solution hasn't served the professional audio community very well so far. It's more likely that a better system of DRM will come from within that community, because people who make music their life's work understand it as more than just another commodity. Potentially, there could be many positive uses for DRM which would align artist and listener interests, instead of setting them up in opposition. Digital signatures are already in widespread use on the internet to help guarantee identities, and they could be used to establish the quality and authenticity of a particular music file.

There seems little doubt that some of the music currently available on peer-to-peer systems is fake, or mislabelled. When previously unreleased 'lost' material appears it can be difficult to verify independently, particularly if the artist is no longer alive. In the same manner, poor audio quality of material culled from demo tapes or bootlegs might only be discovered after a download has been made. If network distribution is to become an official established alternative to tangible media, these issues will need to be addressed.

If we download a Frank Zappa track for instance, it would be reassuring to know that it was digitally signed by a representative of the late artist's family. Faking a signature in order to sell a bogus track would presumably be a straightforward case of fraud, legally speaking. In the case of the recently released new Nirvana material, digital signatures from surviving members of the band would have offered strong evidence that it really is Kurt Cobain you can hear, and not just a good impersonator who recorded the songs last week.

The International Standard Recording Code (ISRC) system might not yet be implemented by every royalty-paying commercial music user, but it offers an established and regulated international scheme which could be integrated with a positive DRM system. Just as CDs can have ISRC codes tagged onto each track which automate royalty accounting, it's straightforward for a network-distributed format to have an ISRC alongside artist and title details. The Ogg Vorbis lossy compression format already supports ISRC tags, for example, and an ISRC-aware computer can make sure that the code is preserved when transferring formats.

Since end users don't pay a royalty every time they listen to a piece of music, there is little incentive for them to interfere with ISRC codes. Passing off someone else's music as your own in order to collect their royalties, by tampering with the ISRC, would be likely to get you ejected from the ISRC scheme for life. This penalty should deter any nefarious members of the industry from fraud, especially if the ISRC becomes the principal method of royalty collection in future.

DRM features could also be used to help build the relationship between musicians and the people who buy their recordings. A counterfeit CD is just a copy of the music, and perhaps the inlay booklet, but a unique identifier on a genuine CD could be used to register the owner as a fan of that particular artist. This could in turn unlock features on a web site, or add that person to a mailing list for tour dates and new releases. The Beatles had a serial number on the cover of the White Album, so it would be nothing new. It would be pointless to duplicate the unique identifier because it could only be used once. Anyone with privacy concerns could decline to register, and opt out of the associated benefits.

Artists have seen shellac, vinyl and tape formats come and go over the last 100 years — but the music is still with us. Record labels who pay artist royalties will never be able to beat the counterfeiters, home duplicators and peer-to-peer networks on price, so they will have to compete on quality and value if they are to survive the digital era.