Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Steal This Essay 2: Why Encryption Doesn't Help

"Doveriai no proveriai." (Trust but verify.)
- Russian proverb, as quoted by Ronald Reagan

Even as content becomes a public good, content creators (or at least the publishing and recording industries that claim to represent them) have been led to believe that encryption can protect their revenue streams. As I noted in the first of these essays, they are lambs being led to the slaughter.


Why is all content becoming a public good? It has realistically been nonrival for some time now, meaning that I can copy your CD of music or software for a few pennies or less, and you are in no way disadvantaged. (Of course, the author of that content may feel quite disadvantaged by this "theft," but as long as I don't scratch your CDs, there's no reason for you to care that I borrowed them for a few minutes.) In fact, the central concept of digitization - converting all content to streams of zeros and ones - entails making it infinitely copyable without any loss of quality, the very essence of nonrival goods.

What has only become clear in the last couple years (although the Recording Industry Association of America - the RIAA - still has its head in the sand) is that digital content is also nonexcludable. Of course, tens of millions of dollars have been spent on a variety of means to make digital content uncopyable. Supposedly unremovable watermarks are embedded in images to detect copies (e.g., SDMI and Macrovision), content is encrypted so that it can only be viewed through an authorized player (e.g., DVD CSS and Microsoft's and Real Network's digital rights management systems being used in the music industry's Napster competitors, PressPlay and MusicNet), or some form of registration is required for activation (e.g., Office and Windows XP).


Encryption Is Ultimately Futile -- The problem with the security of these approaches is that, as cryptographer Bruce Schneier points out, there are basically only two types of users: regular ones against whom any form of copy protection will work, and experienced hackers, whom no form of technology can stop. Your technophobe mother represents the first category, and your geeky nephew exemplifies the members of the second category. Why can't the hackers be stopped by encryption? If the challenge were just to transfer a file from one point to another without letting someone get to see its contents, encryption is up to the job. But, consumers don't listen to or watch encrypted versions of content. (I have, and it looks like static). They watch the regular, unencrypted version. So, somewhere close to the user, the content must be decrypted. And that decryption process typically runs on a PC, where experienced hackers can watch it work one instruction at a time, and change those instructions to enable the unencrypted content to be copied.

Phrased differently, as long as the intention is ultimately to deliver the content to the customer (and hopefully even the RIAA is still trying to do that), then it's impossible to stop wily hackers from getting at the content in its unencrypted form and having their way with it. "Trying to secure [digital goods] is like trying to make water not wet," Schneier said recently. "Bits are copyable by definition."

In early 2000, a 16-year-old in Norway named Jon Johansen was upset because he wanted to be able to play DVD movies in his Linux box's DVD drive, but the movie industry had not authorized any players for Linux. So, working with several anonymous contacts on the Internet, he cracked the copy protection scheme used by all DVDs, enabling them to be played on his machine and, incidentally, to be copied endlessly and perfectly. (The Norwegian police actually confiscated his computer at the request of the Motion Picture Association of America several days after he distributed the code on the Internet, providing a classic example of tardy barn door closing.) More to the point, one could ask what chance any copy protection scheme has, when random 16-year-olds with an Internet connection can succeed in breaking it in their spare time.

But the news for authors such as myself, who might want to get paid for our work, gets worse. There are many in the music industry who believe that a 98 percent copy protection rate would be just fine, the same way that department stores calculate a presumed level of spoilage (i.e., stolen goods) in their inventories. That works for department stores because their goods are rival, so that even if a few shoplifters get their items for free, everyone else still has to pay. The problem for the RIAA is that nonrival content means crack once, run everywhere. That is, all it takes is one smart hacker to defeat the copy protection schemes for everyone. Then, your nephew can either distribute his hacks in an easy to use format that even your mother can install, or, more directly, he can just distribute the unencrypted content.

Advertising Support? If content can't be made excludable (and thus easily charged for) via encryption, perhaps there are other ways to build business models around content. What about advertising? After all, broadcast television is essentially nonrival and nonexcludable, and it's financed by advertising. Unfortunately, no. First, as they have become ubiquitous, banner ads have dropped dramatically in effectiveness, as measured by click-through rates, which have fallen from 4 percent to 0.1 percent. This is not too surprising, given that most people hate banner ads and do everything to try to ignore them. Ad rates for some large sites have fallen correspondingly from 40 cents per impression to less than 0.1 cents, one of the primary causes of the many new applications of former dot-com employees for Starbucks barista positions.

And for content providers, the news grows still worse. The downturn in the economy has made it harder, particularly for publications without loyal readers, to attract advertisers, even at the lower ad rates. Then there's software such as WebWasher that automatically detects the banner ads on any given Web page and strips them out, which incidentally causes the page to load faster (just as a 30 minute television sitcom can be viewed in 22 minutes without the ads). Ad blocking software replaces the ads that are supposed to be funding the content with blank space, which is what content providers' revenue models are starting to look like. The software is not perfect, but it's getting better and is already effective enough to strike fear into the hearts of content publishers and advertisers.

<http://www.webwasher.com/en/products/wwash/ functions.htm>

Even the soap companies that have funded so many years of daytime drama may start reconsidering their advertising budgets over the next decade, as digital video recorders such as TiVo become increasingly common. These enable viewers to have their favorite shows easily stored to a hard drive, where they can be conveniently replayed at the time of the viewer's (rather than the programmer's) convenience. Imagine setting your own viewing schedule rather than having it dictated by snotty network executives in LA and New York. Plus, these devices let you skip right past the commercials with a few clicks of the remote, thereby crumbling the foundations of 50 years of a profitable broadcast industry. New PC-based recorders such as SnapStream even support sharing recorded shows across the Internet, enabling video to take its place next to MP3s on the new peer-to-peer networks that are quickly replacing Napster. Why schedule your evening around a broadcast schedule and sit through brain-numbing commercials, when the show is available whenever you want it with the commercials already edited out? A world full of digital video recorders is one in which the couch potato is liberated from the slings and arrows of network programming (how dare they put that promising new show against Survivor!), and once again is empowered to make real choices about how, when, and what to watch. [For more on TiVo, see Andrew Laurence's two-part article series "TiVo: Freedom Through Time Shifting" and be sure to read the in-depth TidBITS Talk discussion on how personal video recorders are changing advertising. -Adam]


Are there any categories of content from which individuals can be excluded? Only two that I can see. The first is showing movies at movie theaters. With a significant investment in digital distribution, and an even bigger investment into physical security at the theater, studios should be able to distribute movies without them immediately being copied onto the Internet (but watch out for those 16-year-old projectionist/hackers). The other category would appear to be Web services, where software is split into components that are loosely coupled and distributed across the Internet. Since you're interacting with numerous other computers, your identity can be continually reaffirmed (what Microsoft is planning with Hailstorm), making it nearly impossible to avoid paying. But any software that supports a disconnected mode (such as an operating system), can be easily (by hacker standards) modified so that it no longer "calls home" to ensure authenticity. The registration system for Windows XP was cracked so that running a simple program will remove the requirement for online activation, six months before the software was even released.

Content won't truly be a pure public good for another ten years or so until broadband home Internet connections are ubiquitous, making it trivial to transfer large files around. But, since the process is already accelerating (Napster began with college students who already have broadband connectivity, and some new peer-to-peer file sharing services are designed explicitly for downloading very large files in the background), it's worth asking why anyone will create content when the old models for getting paid don't work. The answer will have to wait for another essay.

[Dan Kohn is a General Partner with Skymoon Ventures. His writings are announced through <dankohn-subscribe@yahoogroups.com> and can be discussed through <dankohn-discuss-subscribe@yahoogroups.com>.]



PDFpen and PDFpenPro 9 add 100+ enhancements to improve your PDF
editing experience, with annotations, Tables of Contents, and more
export options. For PDF reviewing, editing, signing, redacting and
exporting, PDFpen has you covered. <http://smle.us/pdfpen9-tb>