What Does Windows Vista's Copy Protection/DRM Protect?
I have my own set of questions from an online debate regarding how Windows Vista implements copy protection and digital rights management.
Over Christmas there was an interesting
paper published by Peter Gutmann
regarding some of the "enhanced"
copy protection and digital rights management features included in Windows Vista.
I've met Peter and he's one smart cookie in my book. His paper is lengthy, but
full of interesting technical stuff and some very funny commentary to boot,
so I think it's well worth the read.
Nick White, a Microsoft product manager working on Vista, took the time to
respond to Peter's paper in his blog. His
response is informative, but all in all I found it too marketing-oriented
to really be considered a thorough response to Peter's paper.
To quickly summarize: Peter thinks the "enhanced" features are going
to cost consumers considerably and have taken away much of our ability to make
choices of our own. Instead, Windows Vista allows owners of a copyright to determine
how they want your machine/operating system to behave while using their copyright.
Nick thinks consumers want this, as it's the only way they're going to be able
to view premium content such as HD-DVD and BluRay media. Nick thinks that some
of what Peter talks about is theoretical or inaccurate.
I read through the 65 or so responses to Nick's blog post and came away with
a few questions of my own. Since Nick hasn't been responding to questions being
posed in his blog, I thought I might ask them here, instead.
Q: Please correct me if I'm wrong, but DRM doesn't only apply to audio/video
content. Microsoft software can be licensed/controlled by DRM too, no? If
this is true, then Microsoft's implementation of DRM has a huge impact on its
own revenue. It also facilitates new revenue models for Microsoft, such as pay-per-use
Office applications. Obviously Microsoft isn't the only software maker who could
benefit from DRM, but it seems to me that Hollywood equally isn't the only one
who will benefit from the "enhanced" copy protection features in Vista.
Q: Why is there no simple Group Policy Object entry that outright denies
the ability to run anything that requires DRM enforcement? I can imagine
that many corporations would be very happy to set such enforcement in order
to ensure they could not become liable for copyright infringements by their
employees. Why wouldn't Microsoft provide such a feature so obviously beneficial
to the fight against copyright infringement and so clearly possible to implement?
If you can detect that DRM is required, you can easily just prevent it from
running, and avoid everything else that DRM requires. Companies could avoid
unnecessary software/hardware updates/upgrades until the system has been set
to allow DRM-governed content. It should be the company's choice to allow such
content to be used, and nobody else's.
Q: Where can one find a complete listing of all choices Microsoft provides
to content authors when assembling their DRM policies, together with a thorough
explanation for consumers regarding just what each policy choice means to them
and/or their equipment/experience? Policy enforcement is done upon insertion
of the content; where is the disclosure of just what I am accepting by doing
that? As it is, I have to accept whatever happens when I run DRM-protected content
without knowing, in technical detail, what I've accepted.
This column was originally published in our weekly Security Watch newsletter.
Q: Nick states that DRM policies only affect the content that is protected.
Does Microsoft guarantee that a content author's policy choices will not
affect content/experiences not owned by that author or governed by that author's
policy choices? If an author's policy choices do affect something else, who
is the consumer to turn to?
I have always been in favor of DRM as a way of ensuring that copyright violations
are reduced. I have also always felt that competent DRM features are needed
by corporations in order to limit their liability for the actions of their employees.
I'm not against the "enhanced" DRM features in Microsoft Vista, but
I'm equally not satisfied that enough information is available to the public
regarding what we're accepting, how it will affect us and how we can make the
choices we are still able to make for ourselves.
If I get a response I'll let you know.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.