Securius Newsletter

August 3, 2001
Volume 2, Number 6
http://www.securius.com

Information Wants to Be Free

By Seth Ross

It's one of the most compelling paradoxes of the digital age: Information wants to be free, because it has become so cheap to distribute and copy. It also wants to be expensive, because owners often derive great economic value from it. This is the heart of many of the current debates and lawsuits about intellectual property.

Many intellectual property owners benefit or wish to benefit from the cost effectiveness of digital delivery. Record companies, for example, embraced the compact disk and have reaped generous profits from this low-cost, high-fidelity format. Book publishers are evaluating various "e-book" formats with the idea of converting their book-bound property into freely moving bits.

Unfortunately, for entities like record companies, the same ease of copying and distribution that built the CD audio industry now enables widespread copying and easy re-distribution of any electronic media. The tendency of these bits to move freely enables the kind of piracy encouraged by Napster. To some extent, intellectual property (IP) companies in the record, book, and other media businesses want it both ways: easy and cheap distribution of their bits, without any easy and cheap re-distribution.

This simply isn't possible. The idea that one can widely distribute bits without widely distributing bits is absurd. Sure, one can use strong encryption to protect information. But if you want others - including paying customers - to be able to access it, then you have to provide the key. Once you provide the key, that key becomes another set of bits that can be readily copied and re-distributed along with the protected data.

Enter the Digital Millennium Copyright Act (DMCA) of 1998. Section 1201 of this US law makes it illegal to create any technology or device which is "primarily designed or produced for the purpose of circumventing a technological measure" that protects copyrighted material. The IP companies pushed hard for this bit of legal paradox. Information may want to be free, but the DMCA simply makes it illegal for anyone to actually devise ways to free it.

Computer security in general - and encryption, access control, and copy protection in particular - is very difficult to get right. Rather than recognizing this, the DMCA provides legal protection for all kinds of weak, second-rate, snake-oil encryption schemes. Rather than investing in strong cryptosystems and authentication systems, companies have discovered that they can bypass challenging scientific questions by releasing crappy protection schemes and then suing whoever has sufficient curiosity or scientific integrity to call them on it.

Case in point: Hollywood's Content Scrambling System (CSS) is designed to control access to movies recorded on Digital Versatile Discs (DVDs). CSS encrypts data with a weak 40-bit key stored in every DVD player and in DVD playback software for Windows and Macintosh. It took a Norwegian teenager a long weekend to defeat the system and develop software called DeCSS that allows DVD movies to be played back on computers that run the Linux OS.

Using the DCMA, the motion picture industry has sued or threatened to sue a variety of publishers and web sites for merely linking to the offending code. This has inspired hackers and academics alike to devise even more flexible and efficient ways for Linux users and others to watch the DVDs they've paid for. See Dr. David S. Touretzky's Gallery of CSS Descramblers at http://almond.srv.cs.cmu.edu/~dst/DeCSS/Gallery/index.html

Note that CSS does not protect against the kind of professional piracy that is the true source of economic damage to the movie industry. Nothing in CSS prevents mass duplication of DVDs. Its main impact is on legitimate DVD owners who want or need to play their DVDs on unapproved devices like Linux computers.

Second case in point: Adobe's eBook Reader, which allows electronic book publishers to prevent customers from copying or printing the electronic books they buy. Adobe's protection measures are weak. Dmitri Sklyarov, a Russian programmer, found an easy line of attack and developed a tool that can strip away Adobe's controls and allow eBook customers to regain beneficial and fair use of the products they purchase.

While the development of such a tool is perfectly legal in Sklyarov's home country, he made the mistake earlier this month of presenting his work at a conference in the US. He was arrested by the FBI on the basis of a purported criminal violation of DCMA Section 1201. Sklyarov remains in jail even though Adobe subsequently withdrew its support for the criminal complaint. You can find out more about his case and the resulting protests at http://freesklyarov.org/

Hollywood and Adobe are fighting losing battles. It's unlikely that they'll ever be able to successfully criminalize and suppress technologies that circumvent other technologies. Information wants to be free, and the very existence of a technology that provides protection implies the possibility of a technology that defeats that protection. Even as their access control schemes get stronger, they won't be able to defeat professional pirates, who will always be able to capture an analog signal and then duplicate at will.

Legislating against disruptive technologies is no more productive than legislating that the sun will rise in the west tomorrow, or that the value of pi is 3.1, or that evolution hasn't occurred. If you need to protect data, you're going to have to spend time or money to develop strong crypto-based security. If you need to protect data and publish it widely, you're out of luck. It's possible that someone will develop a new technology or method for simultaneously protecting data and publishing it freely. For now, content companies must develop realistic business strategies and models that acknowledge the current technological reality. The laws of science will always win out against legislation and litigation.



Subscribe to the Securius Newsletter
Please enter your email address:



Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.
We will not share your personal information with third parties.
Nor will we contact you without your permission.