Why SDMI won't work

Wednesday, July 12th, 2000

Secure Digital Music is a bit of a buzzword amongst music industry execs at the moment. You might have wondered why there isn't much music for sale on the internet at the moment. It isn't that the music industry is full of luddites - most of them are fully aware of the incredibly lucrative new age of e-commerce and the incredible possibilities which it offers (see the accompanying essay "The future of music distribution" for some examples) and are anxious to get in there as soon as possible and start taking advantage of the internet gold mine.

The reason that they haven't, so far, is that they are terrified of losing control. They think that they will sell one copy of a song online and then the person who downloaded it will just copy it and send it on to all their friends, post it on a website, etc. Never mind that this pirate could just as easily buy a CD and do exactly the same (the hardware and software needed to extract music in digital format from a music CD is legal, cheap and easy to get hold of). This is how these people think.

In an attempt to "regain control" of this music, a technology has been developed called secure digital music. However, this technology is fundamentally flawed. It doesn't (and cannot) do what it was designed to do (eliminate piracy) and its only effect can be to make life more difficult for those who want to use the music legally.

When designing a secure system, any security expert will tell you that you have to look at the system as a whole. Think of it as a chain keeping a boat moored to the harbour wall. The chain is only as strong as its weakest link. It's no good pouring huge amounts of money into making one of the links amazingly strong when another consists of a piece of string. Using strong encryption to transmit your credit card number over the internet to a website is still silly if the website at the other end is a fraudulent one designed only to collect credit card numbers and not send out any goods. It's also silly if you're typing the number on the keyboard of a computer in a dodgy internet cafe which could quite easily be recording everything you type.

The idea behind SDM is that you can type in your credit card number on the music company's website and it will let you download a music file in a special format which can only be played with special software and/or hardware. This music file is encrypted so that it can only be played with a specific program or device. So there's the first problem - if you have music playing software on your computer and a portable digital music device, you'd have to download two copies of each song you wanted, one for each.

Another implementation of secure digital music only lets you make a certain number of copies of a song. For example, you might make a copy and it will work, but a copy of that copy won't. This requires the co-operation of the software which is doing the copying, so this won't even begin to work on current computers - all the software must be written and controlled by SDMI. Want to program your music player to do something that it wasn't originally designed to do? No chance, it would be too much of a security risk. Bug in the software? Tough. The only thing you can do is complain to the manufacturer. Software in general is going the other way - towards open source, where the programmers have to be completely honest to the customers because they can no longer hide behind their compilers (programs which translate human readable computer code into human unreadable, machine readable only code). Open source software is more reliable (because bugs are more easily spotted and fixed - more eyes on the source code means fewer places for the bugs to hide) and more secure for the same reason. However, if your customers can change the programming of the music playing device you're selling, they can change it to turn the copy protection features off.

Some such devices have many bugs. Even moving a song on the internal hard disk of the player device might be interpreted as "copying" so doing too much of that means the song will just stop working.

So SDMI is bad. It stops people legitimately doing what they are perfectly within their rights to do. However, I will now show that it doesn't stop the activities it's trying to stop, just makes them slightly more difficult. There are a couple of weak links in the chain which just can't be strengthened - SDMI have either conveniently forgotten these links or have chosen to ignore them to satisfy their member companies (who will be very disappointed when they discover that the chain breaks, just like it did with DVDs).

The first weak link occurs if you are able to play back the music on any general purpose computer available today, even if you are using SDMI stamped secure software to play back the music. The music must be decrypted by software to send to the sound-playing hardware inside the computer. This sound-playing hardware is controlled by a small program which is part of the operating system, the "driver" for that piece of hardware. So the unencrypted music is sent to the driver, which plays it. However, because hardware is interchangeable, drivers must also be, and it is quite trivial to swap any standard sound-card driver for a driver which makes a copy on your hard disk of whatever unencrypted digital music is played through it. Most users probably won't have the know-how to do this, but of course all the pirates will.

So the only answer to this problem is to build the encryption into the sound-playing hardware, or permit playback only on special purpose devices. Of course, you'll have to use SDMI approved speakers or headphones as well - you won't be able to use your favorite standard sound transducers because for all the SDMI approved hardware is aware, that transducer might not be an output device at all but just an interface to a device designed to capture the unencrypted sound. But even then there is a weak link which is absolutely impossible to fix with current technology (and, probably, with any future technology) - any pirate worth his salt (apologies for the pun) will just set up a high quality microphone by the speakers and re-record the unencrypted sound that way. The only truly secure digital music system would have to plug right into your brain to make interception impossible! And chances are that if we have the technology to make such implants possible, we'll also have the technology to create brain implants which can take the unencrypted sound out again...

So there you go, it'll never work. One final thing I'll say is that another of the SDMI's bright ideas to combat piracy is to introduce a new type of CD which can't be "ripped" and turned into MP3s as current CDs can - an encrypted CD. The only trouble is that these CDs can't be played on any current equipment. You'd have to buy entirely new equipment in order to play them. They won't be able to introduce these until everyone has a CD player that can read encrypted CDs. Although that's not going to happen any time soon, whenever you have the choice, only buy CD players that cannot read encrypted CDs to improve the chances for freedom in the future.

The SDMI's official website is here.