Say No to Digital Rights Management and Intellectual Property Rights?

The big battles are over music, video and games, but serious IP protection focuses on documents
The big battles are over music, video and games, but serious IP protection focuses on documents

 The French have a saying that there are always two possibilities. So we all despise digital rights management (DRM) – the great evil of modern times. But at the same time industry tells us that something must be done to stop the theft of intellectual property (IP) that is causing enormous economic harm.

You don’t get more two more contrary possibilities than that.

In May 2013, the Commission on the Theft of American Intellectual Property published a report stating that over $300 billion of revenue per year are lost. “Apart from loss of revenue, that theft undermines the means and incentive for entrepreneurs to innovate”, the report notes. So we are not just talking about the record and movie industries, or branded clothes, perfumes or foods. Recall that all of these are IP – you don’t get to pick good intellectual property rights (IPR) and bad IPR. The Commission concluded that reporting IPR theft ought to be mandatory in order to get corporate leaders to take seriously the protection of IP.

In the other corner, “Those opposed to DRM contend that there is no evidence that DRM helps prevent copyright infringement, arguing instead that it serves only to inconvenience legitimate customers, and that DRM helps big business stifle innovation and competition”, says an entry from Wikipedia on the subject. “Digital locks placed in accordance with DRM policies can also restrict users from doing something perfectly legal”, it ads.

This is a seriously emotive subject. PC game makers get flamed if they put DRM in their products, and there have been some spectacular ‘own goals’, with systems that messed up people’s computers or stopped them from using things they had bought. Back in 1999, former Sun Microsystems CEO Scott McNealy famously said, “You have zero privacy anyway. Get over it”, and he was being honest, as he saw it.

Is There a Third Way?

Everyone needs security – whether it’s to stop viruses and hackers or IP thieves. The Electronic Frontier Foundation (EFF) doesn’t want their documents misrepresented. There are many Facebook users who wish they had some actual control over the privacy of their information. In fact, on the privacy side, you won’t find anyone who thinks it’s a good idea that anyone and everyone can have access to their personal lives and do anything they like with it. But…

A lot of people peddle the idea that if you can’t absolutely prevent IP theft, then you should not bother at all. This is like saying that door locks don’t prevent burglaries or speed limits don’t prevent road deaths, so why bother having them? Therefore, while the IT industry engages in its DRM wars, almost nothing gets done and everybody loses.

The big battles are over music, video and games, but serious IP protection focuses on documents, because most secrets (your personal information) are in documents (ask the NSA or WikiLeaks if you don’t believe me). The current document format of choice is the ubiquitous Adobe PDF (not Word or ePub or some version of HTML). This is because the legal eagles demand that the document looks the same for whatever device displays or prints it (they call it form and format), and also that you can have photos as well. Adobe was the first to get into document protection, except that ElcomSoft (famously publishing a method for breaking the Adobe controls back in the late 1990s) demonstrated that the initial techniques were not secure.

Things have come a long way since then. The original, and very basic controls, were to stop alteration, and print in a degraded mode. Since then, however, a lot of attention has been given to fine tuning.

As I said earlier, you can’t prevent people copying files or documents, but you can make it unattractive. Modern systems like those developed by LockLizard provide a whole range of controls to help deter the IPR or privacy thief. Putting watermarks on print out or screen displays can include the name of the person you sent them to (so everyone knows who was the rat) or can make photocopies of the documents unreadable. Others can be so fine that fake documents can easily be spotted because, just like banknotes, the lack of a watermark means it’s a fake. Encrypting documents stops people from forwarding them. You can also ensure documents have an end of life regardless of what other people might think.

But to accomplish this you have to do a little bit of work. You have to figure out who you are going to ‘trust’ with which documents, and then forward them on that basis. And don’t rely on the idea that someone else will look after your data for you. However, for some people that’s a pain. It’s far easier to post your holiday photos to all 480 of your Facebook friends and not worry about who they might forward the candid ones to (forgot to take them out of the folder?).

That is why IP and privacy protection is still developing, instead of being a done deal, and why the aforementioned Commission said “corporate leaders don’t take it seriously”. If it takes some work to do something and everyone says it can’t be done, then you cannot be criticized (by a court?) for doing nothing. It doesn’t matter that with modern methods you can steal vast numbers of documents in seconds, but could not photocopy them even if you had a couple of years to spare. Just think about how fast Dropbox can distribute documents.

The most active areas for IP protection are the education and training industries, and the market analyst industries. These are characterized as industries that live by selling valuable information, so it is in their commercial interests to take steps to protect them and their clients (the clients need to be sure where the information came from and if it is correct). Book publishers are interested in developing in this area as they transition from print publishing to digital media. And pharmaceutical firms increasingly need to protect valuable IPR. Nevertheless, the industry has a long way to go.

Where we are at, to paraphrase St Augustine of Hippo, is, “God grant me DRM and IPR – but not yet.” So it seems the French did get it right.


Steve Mathews is a management consultant with specialist interests in IT and security/privacy. He is a Fellow of the Institute of Consulting, and a founding member of the London Computer Law Group, specializing in IPR, copyright and patent law. As a member of the committee ISO/IEC JTC1/SC32, he was co-editor for ISO/IEC 15944-8:2012 Identification of Privacy Protection Requirements as External Constraints on Business Transactions.

What’s hot on Infosecurity Magazine?