Security Watch

What Does Windows Vista's Copy Protection/DRM Protect?

I have my own set of questions from an online debate regarding how Windows Vista implements copy protection and digital rights management.

Over Christmas there was an interesting paper published by Peter Gutmann regarding some of the "enhanced" copy protection and digital rights management features included in Windows Vista. I've met Peter and he's one smart cookie in my book. His paper is lengthy, but full of interesting technical stuff and some very funny commentary to boot, so I think it's well worth the read.

Nick White, a Microsoft product manager working on Vista, took the time to respond to Peter's paper in his blog. His response is informative, but all in all I found it too marketing-oriented to really be considered a thorough response to Peter's paper.

To quickly summarize: Peter thinks the "enhanced" features are going to cost consumers considerably and have taken away much of our ability to make choices of our own. Instead, Windows Vista allows owners of a copyright to determine how they want your machine/operating system to behave while using their copyright. Nick thinks consumers want this, as it's the only way they're going to be able to view premium content such as HD-DVD and Blu-ray media. Nick thinks that some of what Peter talks about is theoretical or inaccurate.

I read through the 65 or so responses to Nick's blog post and came away with a few questions of my own. Since Nick hasn't been responding to questions being posed in his blog, I thought I might ask them here, instead.

Q: Please correct me if I'm wrong, but DRM doesn't only apply to audio/video content. Microsoft software can be licensed/controlled by DRM too, no? If this is true, then Microsoft's implementation of DRM has a huge impact on its own revenue. It also facilitates new revenue models for Microsoft, such as pay-per-use Office applications. Obviously Microsoft isn't the only software maker who could benefit from DRM, but it seems to me that Hollywood equally isn't the only one who will benefit from the "enhanced" copy protection features in Vista.

Q: Why is there no simple Group Policy Object entry that outright denies the ability to run anything that requires DRM enforcement? I can imagine that many corporations would be very happy to set such enforcement in order to ensure they could not become liable for copyright infringements by their employees. Why wouldn't Microsoft provide such a feature so obviously beneficial to the fight against copyright infringement and so clearly possible to implement? If you can detect that DRM is required, you can easily just prevent it from running, and avoid everything else that DRM requires. Companies could avoid unnecessary software/hardware updates/upgrades until the system has been set to allow DRM-governed content. It should be the company's choice to allow such content to be used, and nobody else's.

Q: Where can one find a complete listing of all choices Microsoft provides to content authors when assembling their DRM policies, together with a thorough explanation for consumers regarding just what each policy choice means to them and/or their equipment/experience? Policy enforcement is done upon insertion of the content; where is the disclosure of just what I am accepting by doing that? As it is, I have to accept whatever happens when I run DRM-protected content without knowing, in technical detail, what I've accepted.

This column was originally published in our weekly Security Watch newsletter.

Q: Nick states that DRM policies only affect the content that is protected. Does Microsoft guarantee that a content author's policy choices will not affect content/experiences not owned by that author or governed by that author's policy choices? If an author's policy choices do affect something else, who is the consumer to turn to?

I have always been in favor of DRM as a way of ensuring that copyright violations are reduced. I have also always felt that competent DRM features are needed by corporations in order to limit their liability for the actions of their employees. I'm not against the "enhanced" DRM features in Microsoft Vista, but I'm equally not satisfied that enough information is available to the public regarding what we're accepting, how it will affect us and how we can make the choices we are still able to make for ourselves.

If I get a response I'll let you know.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
