How can I explain why DRM cannot work?

Question

I am looking for the shortest comprehensive way to explain to people that are trying to use DRM as a technology to prevent users from using their data in some fashion deemed undesirable, why their solution cannot work by definition.

Ideally I'd like something that:

• Covers why technically it is impossible to have people access local data, but only in such-and-such a way
• Imparts an understanding of why this is, to avoid follow-on "But what if" rebuttals
• Is intuitive enough and short enough that even a politician (j/k) could grasp it

When faced with this situation I try to be clear and concise, but I usually end up failing at least on one of these points. I'd really like to have a 'stock' answer that I can use in the future.

Answer 1

The fundamental problem with DRM is that you're giving somebody a locked box and the key used to open it. You're distributing a copy of the key with the lock. Every person that possesses a protected Blu-Ray, DVD, software package, and protected CD also possesses the key that will unprotect it.

The people who design the DRM systems can try as they might to hide the key such that only those in the know (i.e. authorized decryptors/players/users) can find it, but there are a lot of curious people in the world, and all it takes is one person (or group of people) to be smarter than the ones who hid the key, and the box is open forever. As soon as one unprotected copy of the content exists it can be distributed everywhere, making the protection on the other copies irrelevant.

Answer 2

Digital files cannot be made uncopyable, any more than water can be made not wet.

— Bruce Schneier (source)

Answer 3

To sum the anti-DRM argument up in one easy word?

SPORE

How could a game with such intrusive DRM restrictions not be able to stop its excessive piracy rate.

If you wanted the hypothetical politician to understand why DRM wont work, don't give them a tech talk, give them a shining example of where it went wrong. One key point that 'management types' need to understand is that a pirated copy (DRM bypassed) is not equivalent to a lost sale. It just so happens that people are prepared to pay good money for products when they see the value in those products. "Copy protection actually increases rather than decreases the piracy of games." What left wing nut job said that?? It was only Gabe Newell from Valve. Ignorant companies are now competing with their own product, they now have to compete with 'free'.

When software is cracked (generally within the first day of release), DRM then only hurts the loyal consumers who paid for the product.

Side comment: A good quote I found on the Internet regarding gaming piracy and steam.

I'm not pro Steam/Valve, I'm just anti-stupid.

Answer 4

Okay, let me have a stab at combining (albeit inelegantly) the best points from the other answers... I'll make this answer CW so that if someone sees a chance to improve the polish (or content) they can (plus I don't want to gain rep for combining other people's answers).

---

• With DRM, you're giving people the means to unlock the content you've protected, along with the content itself. Someone's going to find that "key" at some point, thus defeating it.

• At some point, you have to decrypt the content. If the hacker(s) can get access to this data then they've defeated your DRM.

• At some point, you also have to show the content to the user and then he/she can simply re-record it "in the clear" from that data. See Analog Hole (This is less of a problem with games, as interactive content can't easily be recorded then interacted with again at a later date)

• DRM only punishes legitimate buyers, because adding DRM is only going to reduce the scope in which they can use your work and thus makes them less inclined to buy it.

• All it takes is one person with the skill, tools, and time to crack it then it can be shared with anyone and there's no point in buying your version (except if you don't want to do something illegal of course! (Or if you honestly want to support the maker)).

• Many people will opt to use a free version of your product regardless of the legality of using it without your DRM, because you are imposing unreasonable restrictions on how, where and why they use your work. Spore is a good example of this, as are many other programs/games/etc.

Answer 5

DRM creates an inferior product

In addition to 'it will always be cracked,' DRM has another flaw: it creates an inferior product.

Forget cost. Imagine you're willing to pay $X for a movie. Your options are:

1. A physical disc that can't be saved to your hard drive, backed-up in case of damage, or shared, which needs an expensive player to watch, and which forces you to watch the previews. (My standalone DVD player puts a "no" sign on the screen when I try to skip them. Infuriating!)
2. A digital copy that can be watched on a variety of devices that give the viewer full control, backed up with your other data, copied and shared.

Option #2 is a better product for your money. The fact that it's free (for some pirates) is just a bonus. Some people even buy a legitimate copy, then download a pirated one because it's easier to use.

Answer 6

Cryptography, in essence, is about Alice sending a message to Bob so Eve can't tell what's being said.

In DRM, Bob (the person getting the message) is the same as Eve (who's trying to eavesdrop).

Therefore, DRM is not only impossible but sexually perverse.

(For when you think a bit of humor will drive in the point better.)

Answer 7

DRM solves an imaginary problem

If a song or piece of software has been pirated 10,000 times, that does not equal 10,000 lost sales, for several reasons.

• The demand curve. A product that sells 10,000 copies at $1 might only sell 500 copies at $10. This is basic economics.
• The free factor. The biggest leap on that demand curve will be between $0 and $1. If something is free, it is zero-risk. Lots of people will get it on a whim to see if they like it. Even a price of $0.01 could drop the number of downloads considerably, if it means having to negotiate a transaction.
• Viral impact. Although a free product may undermine some of the market for a paid version, it can also create a market. Consider Windows, which has been pirated widely in places like China, spurring on legitimate sales. What if they had just used Linux? Or consider Adobe Photoshop. It's an industry-standard piece of software that costs more than $500. Businesses will pay for it, but high school students probably can't. Which scenario is better for Adobe?
  • Students never get their hands on Photoshop until they get to college or the work force, at which point, having no preference, they'll use whatever software someone provides them
  • Students pirate Photoshop and started tinkering at age 12, know it inside-out before they ever get to college, put it on their resume, and scoff at the suggestion of using anything else when they're in the work force

DRM assumes that "piracy is always bad," when in fact, piracy has pros and cons. In general, though, it seems that "everybody pirates our product" is preferable to "nobody has heard of our product."

Answer 8

This is not a technical, more a social answer, so it might not be exactly what you asked for:

Nobody who would illegaly copy a piece that's not DRMed, would even pay a penny for it if it were DRMed. They'd find a way to get it for free or not get it at all.

So, you're not winning anything (as in: cash) by DRMing; however, you're driving away the honest customers, because even if there were such a thing as a secure DRM, it could never be frictionless for the user.

Answer 9

Ok, I will use short sentences:

1. DRM is based on encrypted content

2. The DRM will decrypt the content only if a valid license is present

3. Once the decrypted content can be copied, the DRM is broken

4. The content needs to be decrypted in memory, in order to do anything meaningfull with it (play a song/movie etc)

5. A person that has physical access to a machine can get direct access to all data in it's memory

6. If someone has direct access to the decrypted content, he/she can make an unlimited number of copies of it

The most difficult things to grok for a layperson are 5, and maybe 4, IMO.

Answer 10

I always liked something that Leo Laporte said on his radio show one day. (Paraphrasing from a fuzzy memory here...) He wondered why the MPAA didn't just require that every DVD package contain pepper spray to zap the buyer in the eye since the DRM really only punishes the legitimate user without slowing down the pirate at all.

Answer 11

There are two reasons why DRM cannot work:

1. If you have unrestricted access to a computer, you can do anything to it. If for instance the operating system prevents you from doing some operation, you can alter the operating system so it allows you to. This is related to something mentioned on 10 Immutable Laws of Security: "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore".


2. Even if you are not tech-savvy enough to know how to do it, someone somewhere is, and he will distribute the result. This is mentioned in The Darknet and the Future of Content Distribution: "Any widely distributed object will be available to a fraction of users in a form that permits copying."

Answer 12

If Hollywood studios and game publishers cant stop it neither can you.

Answer 13

If you can see or hear it, you can copy it. Not always with exact the same quality, but it will be possible, thanks to the analog hole. You can mount a camera and film the TV/PC screen, or you can use a good old tape recorder to copy DRM-infected music.

People also want to have full control over items they've bought legally. Would you like to have a book you could read only three times or on Tuesdays only?

Answer 14

It actually does work up to a certain degree. The goal of DRM is not to prevent a person to run/copy the software, but to make it more difficult and annoying to do so.

If there isn't a crack yet then you will have to reverse engineer the protection mechanism and create one. Most people don't know how to do it, and most of the people who do find the process too annoying and prefer just paying for the software. If there is a crack, all the people who download it risk getting infected by a trojan or virus.

The real world is full of protection mechanisms similar to DRM. For example in my city they sell a $50 device to pay parking fees:

When you activate it, it will display how much money you are paying per hour, and how much money you have left. When you run out of money you throw it away and buy a new one.

That's a hardware device that is in your hands. By definition, it is absolutely possible to "hack" it so that you have infinite money. But hey, no one does it! So the "DRM" is working in this case.

Other examples of DRM-like technologies are cash: you can in theory make fake bills that are exactly the same as real bills. It's just extremely difficult. And the list goes on: passports, IDs, etc.

So the goal is not to make it impossible, it's to make it difficult, and in this case DRM does work.

Answer 15

This general question in Stack Overflow links here and the first answer, that Microsoft couldn't, is the right answer for your question. Qwerty above suggests Spore. Brant Bobby gives a rational and detailed answer to your very question - like many of the answers here, ideal to convince people who think like us of the utter futility of DRM, copy protection, etc.

So - why am I still here? It's because you asked the question wrong - and I know what you should know too. You probably aren't trying to convince someone that DRM cannot work at preventing copies. Instead you're probably trying to convince them that DRM isn't worth it, which is much more difficult, and the Spore and Microsoft examples aren't useful there. What you need are facts.

Here's a fact that makes managers loose sleep at night. Approximately 90%. That's how many of your users might be pirating your goods. 90%. Here's where things go wrong - the manager thinks - if we could convert those 90% pirates into sales, why, our money problems would be solved! If we could only convert even a fraction of them! And so, the decision is made - DRM will increase conversions and reduce piracy some, so they want it. We need to rain on their parade with another number. 0.1%. That's 1 in every 1000, and is roughly how many of those pirates will convert if you break their free distribution of your data. So, let's do the math - 1000 paying users + 9000 pirates * 1 / 1000 = 1009 paying users... Let's ask yourself - are those nine sales justifying the cost of the DRM - including the loss of network externalities (make sure to use that phrase - if they were trained in business school, it's their Power Law).

If your data that needs to be protected is selling for enough per copy, those 9 customers might pay enough to make it worth it. Or, if you have 1,000,000 paying customers, you'd earn 9,000 sales, certainly worth it even at $5 per copy, right? Let's drop the other shoe and provide another case study: 2D Boy's World of Goo. They make the blatant claim to having no DRM. And their piracy rate was a mere... 90%. That's about the same piracy rate as Reflexive - who were releasing from the start with DRM. Actually it's possibly lower, down to 82%. No statistical difference. They didn't follow the industry accepted practices, but it still worked just the same.

The time comes then to make a decision - to accept DRM and the tricky problems it brings, assuming and hoping that the conversions come in to justify the price - or alternatively to take the plunge and assume that your customers aren't different from those of Reflexive and 2D Boy, and maybe save the full cost of DRM to use on the next big thing. With what you know now, I'd pick no DRM - but I could be wrong in doing so.

Answer 16

If you hide the key near the lock, eventually somebody will find it. Per your comment, you can't give me something that's locked such that I can't open it otherwise I can't use it. I just have to spend the time to figure out how to unlock it and eventually, I will.

Answer 17

The best way I find to explain technical concepts to non-technical people is to use analogies with which they have an understanding, generally because it forms part of what they perceive to be "common sense"

From a technical standpoint, the weakness in DRM is that people are likely to reverse-engineer any given DRM scheme when given adequate motivation, time and resources, so:

"DRM technologies are not a good solution because like any lock, a person with enough time, motivation and skill will break that lock"

Or taking another approach: if one buys something, there is a general expectation that one should be able to use that item for whatever purpose they see fit, DRM often prevents this:

If you buy an apple there is no reason you cant eat it whole, cut it in half, or eat it at a friends house, anybody who tried to tell you you couldn't do any of these things would be denying your rights

With DRM controlling where music can be played, the recrd companies are trying to tell consumers where they can play the music they have baught, if you won't accept it from a supermarket, why a record label?

Hope this helped.

Answer 18

The Cracker Principle: Ultimately, the decision to grant access to content is manifested as a single 0/1 value in the memory of the computer (and can be manipulated).

Don't Trust the Client: The media must be run on hardware and software that the user (not the industry) controls.

Inevitable Failure: Once broken, it is frequently easier to pirate the content wholesale rather than legitimately purchase it. (ie. patched XP iso vs. purchase and activation) It may be infeasible for the licenser to correct the DRM's flaws due to compatibility concerns.

Answer 19

I always use the point that if you can see it (for TV/movies) or listen to it (for music) then you can copy it.

It might not always be the highest fidelity copy (camera pointed at screen, microphone in front of speakers for example), but if someone wants to copy it badly enough they'll find a way.

Obviously if there's a high value to the copy then it's worth investing in time and equipment to get a higher fidelity copy as you can sell this for even more than a ropey copy.

The link to Wikipedia provided by CesarB, goes into a lot more detail on this.

Answer 20

DRM is like running a haunted house. You want everyone to go in through the entrance and leave through the exit. But sooner or later someone is going to try the "Employees Only" door and let all his buddies in without paying.

Then before you know it your mummy has been unwrapped Dracula is dressed like a circa 1970s pimp and Frankenstein looks like Bozo the clown.

Dang you pesky kids... and your dog too!

Answer 21

If the music is to be playable, then some software must be able to read it unencrypted and load it into memory.

If your software can do it, another piece of software also can, and once it does, it can make unlimited copies of it.

Even if you design it so that only a certain hardware can decrypt it, at the end of the day, that hardware won't do anything that a piece of software can't (this is hard to explain for mere mortals I guess), because the hardware is only manipulating data, a software can also do the exact same manipulation.

Even if you manage to create the perfect copy-prevention mechanism. Guess what, as soon as the music/video is playing in a device, it can be [re-]recorded, easily, and with high quality.

Answer 22

I'd like to make an argument for why DRM is actually achievable.

Usually the argument against is something like "you are distributing a locked box along with the key to open it and this cannot work in the long term."

However, with regards to PC software, if the OS is redesigned around a complete DRM solution then it could be made unbreakable.

Say a company is publishing a video game. What they need to do is control the content from beginning to end. The OS would be given access to an online store or repository of some sort, and the content would be sent encrypted, and then it would be stored encrypted on the hard drive, via some sort of hardware mechanism like a TPM chip. Some portion of storage would be encrypted with the TPM and therefore the video game's binaries would be inaccessible by the user even if they read from the storage directly while the computer was off. When loaded into memory, the OS would protect against the user reading or writing the memory. The only user visible manifestation of the software running would be what it is displaying on the screen. This would be less of a protection for copyrighted movies, but for interactive content like video games it is enough. For this to work every dll or binary that the game loaded would have to also be stored in the protected space so as to be unmodifiable by the user. If they were modifiable, then a pirate could simply inject his own code into them, which would then be loaded into the game's process, and the barrier between the DRM'd software and the user accessible part of the system would be broken.

It would take some work, but I believe it would be unbreakable. The only thing I would worry about is that it would allow OS companies to hide things on your computer which even a highly sophisticated user would not be able to detect.

Answer 23

DRM is like poisoned food, that is tuned to feed you, but kill everybody else. So you can't share food with somebody who is starving. DRM puts you in a situation when YOU are the guilty one, if somebody dies from your poisoned food, because formally, it's YOUR food.

Replace "food" with "information" and here you go.