Source

Controlling Access--Activation and DRM
By Jason Cross

So here's the problem. You're selling something digital (software, music, video, e-books, whatever), and you want to make sure that people actually buy it. Broadband penetration is higher than ever, fast file-sharing software like Bittorrent is easier to use than ever, and about 30 seconds of searching on any number of sites will turn up just about any digital thing worth having. In short, it's downright trivial for people to steal what you're trying to sell. The RIAA's propensity to troll with a wide net of random lawsuits notwithstanding, it's really very hard to catch the thieves in that great anonymous, international cloud of the Internet. And as we all know, "free" always wins.
So how do you make sure that the people who use your stuff actually paid for it? One method is to use Digital Rights Management, of course. "DRM" is a blanket term that gets thrown around a lot these days. The loudest voices don't seem to truly understand it (which makes sense: understanding it takes the fear away, so people with a good handle on DRM don't tend to scream "the sky is falling" over it). DRM is, simply put, a software mechanism that "manages" your "digital rights." This can be anything from the DRM Microsoft has developed for Windows Media (audio and video, though certainly it's possible to create WMV and WMA files that are DRM-free), to the FairPlay DRM added onto all the AAC files that Apple sells on the iTunes Music Store, to the stuff attached to Blu-ray and HD DVD movies.

But there are others. Most of the crowd screaming about how Windows Vista is "DRM infected!!!" don't realize that other major operating systems are, too. Vista supports the protections necessary for Blu-Ray and HD DVD, but does not somehow magically add them to DRM-free stuff.

DVDs also contain DRM. Legally purchased DVDs use the Content Scrambling System to ensure that only players with licenses can play DVDs. It's DRM just as much as that found on iTunes songs; it just enforces different rules: instead of limiting the number of machines you can play a song on or how many times you can burn it to an audio CD, it limits the devices you can play it back on. Of course, the CSS scheme has been broken quite thoroughly, so it's possible for unsanctioned, unlicensed playback software and hardware to play DVDs these days. But that's circumventing DRM, not eliminating it. If you buy a DVD, you're supporting DRM. Note that Apple computers ship with legal DVD players, and iTunes, and are therefore "infected" with DRM just as much as Vista is. It's just different DRM than the stuff required for Blu-ray and HD DVD playback, which is why Apple, a big supporter of Blu-ray, doesn't ship computers with Blu-ray drives (yet).

Yeah, DRM is annoying, and adds no real value for the customer—usually. It's there to protect the profits of content holders.


I personally don't get very alarmist about DRM in general. It's there to enforce certain usage restrictions—if I agree with them, I'll buy content with DRM attached. I'll buy DVDs, for instance. If I think the price of a piece of DRM-laden digital stuff is not worth the DRM-imposed restrictions on it, I simply don't buy it. I don't buy songs for a buck a pop over iTunes, or Rhapsody, or Zune, because I think that's a crappy deal for music that doesn't sound good enough, costs the same as the CD I buy in a store, and limits my usage too much.

On the other hand, I'll happily lease music from the Zune Marketplace. The restrictions imposed on me are heavy (just as they are when you lease a car, or an apartment, or whatever), but in exchange I get a lot more music for a lot less money. For $15 a month, a Zune Pass lets me download all the music I want. Other monthly subscription deals are similar. So a feature made possible by DRM (to make sure I'm not using the music after I cancel my subscription) is actually used to add value in this case. It's used to give me unlimited access to millions of songs for a very low price.

Lately, an old form of DRM has been making new waves: product activation. And boy, what a headache it has been.

Product Activation is a sort of DRM that basically says "hey, thanks for buying our product. Before you use it, we're going to check and make sure it's legal and not a copy." The software you buy checks in with some activation server out there on the Internet and registers its key along with a hash of some values that help the server uniquely identify your machine, presumably without transferring any information that could be used to personally identify you.

Windows XP works like this, as does Vista. Some games do as well, like Microsoft Flight Simulator X. Lately, the activation in BioShock has raised alarm flags. Some people got their copy of BioShock home and couldn't play it, because the activation server was overloaded and unresponsive. Some people installed it at work, then at home, then on a laptop, and found that it wouldn't work past two installs (a real problem if you frequently upgrade your computer and re-install Windows). Most software using activation limits the number of machines you can use it on, but they're usually transparent about the activation process. BioShock just suddenly says "sorry, your activations are up!"

Read about Jason't trials and tribulations with his TiVo.

Activation kind of makes sense in some situations. I can see why Microsoft does it on Windows, for instance. They're not going to require you to put a copy-protected Windows disc in the drive every time you boot up, so they have to do something to make sure you don't just run around with one Windows disc, installing it on every computer you get your hands on. Microsoft is pretty forgiving about it, too. If you don't activate, you can use their software (including Flight Simulator X) in a "trail mode" for a while.

BioShocksimply won't let you start it up at all. The two-machine limit would be fine—if they notified you about it ahead of time and if they didn't require you to have the disc in the drive. How many copies do you think they would sell if the box clearly stated you needed to activate the software online to use it, and you could only install it twice, but you would still need to put the disc in the drive? If pirates defeat the copy protection, won't they defeat the activation just as easily? Take 2, the game's publishers, increased the limit to five installations in response to customer complaints.


On the surface, product activation seems like a reasonable compromise as DRM goes. Once they make sure you have a legal copy, you could use it as you want, right? Only what all too often happens is that you can't use it however you want. And what happens when the activation server is down? In the case of BioShock, you just can't play it. Microsoft has that grace period for Windows, and even so, if the server is down it assumes copies are valid. That didn't stop their activation system from screwing up recently, though. The WGA Blog has details of a recent screw-up that caused thousands of Windows copies to be temporarily flagged illegal. "Don't call it an outage" they say, since the WGA servers weren't down. It's human error—someone installed pre-production code on production servers, and it handled a bunch of activation checks wrong.

In other words, thousands of legit Windows customers that shelled out over $100 for some Microsoft software got treated like criminals because somebody else screwed up. But hey, thanks for the money, suckers!

This has brought to light a whole host of possible holes in product activation as a means of controlling access. BioShockis a single-player game. What if you install it on a machine that isn't connected to the 'net? Does the box clearly state that you need an internet connection to even install it? How does the software react if the activation server is down, or overloaded and unresponsive? If it assumes you're legal, can't hackers easily spoof their network connection to act like the server is down? A grace period like Microsoft uses on Windows only works for long-term-use software like an OS. You could be done with a game in just a few days, so "we'll assume you're legal now and try again later" isn't a good solution.

Is your head spinning yet? Mine is. All these forms of DRM are simply creating more technical hassles that I have to deal with as a legal customer. Meanwhile, cracks and keygens and other ways to steal BioShock are all over the file-sharing networks, and are actually less hassle than the legally purchased bits. Legal music downloaders have to deal with songs that will only play on certain devices (iTMS, Zune, Urge/Rhapsody, Napster or limited libraries (eMusic). Pirates quickly download whatever they want in all-device-friendly MP3 format.

So that's what's pissing me off lately. I'm assumed to be a criminal unless I can prove otherwise, and the process often seems to involve technical glitches that I can't even fix, because they're out there in The Cloud somewhere. The actual criminals, on the other hand, get fewer technical glitches and greater interoperability. Does that seem right to you?

'DRM is, simply put, a software mechanism that "manages" your "digital rights."'


We don't need some technology company to manage our rights, that's what laws are for, and DRM often oversteps its bounds and restricts rights that are clearly allowed by relevant legal code. DRM is a slippery slope that takes away rights guaranteed to you by law.

DRM = Dictatorship Rules Music.