I’m keynoting the O’Reilly Security Conference in New York in Oct/Nov, so I stopped by the O’Reilly Security Podcast (MP3) to explain EFF’s Apollo 1201 project, which aims to kill all the DRM in the world within a decade.
A couple things changed in the last decade. The first is that the kinds of technologies that have access controls for copyrighted works have gone from these narrow slices (consoles and DVD players) to everything (the car in your driveway). If it has an operating system or a networking stack, it has a copyrighted work in it. Software is copyrightable, and everything has software. Therefore, manufacturers can invoke the DMCA to defend anything they’ve stuck a thin scrim of DRM around, and that defense includes the ability to prevent people from making parts. All they need to do is add a little integrity check, like the ones that have been in printers for forever, that asks, “Is this part an original manufacturer’s part, or is it a third-party part?” Original manufacturer’s parts get used; third-party parts get refused. Because that check restricts access to a copyrighted work, bypassing it is potentially a felony. Car manufacturers use it to lock you into buying original parts.
This is a live issue in a lot of domains. It’s in insulin pumps, it’s in voting machines, it’s in tractors. John Deere locks up the farm data that you generate when you drive your tractor around. If you want to use that data to find out about your soil density and automate your seed broadcasting, you have to buy that data back from John Deere in a bundle with seed from big agribusiness consortia like Monsanto, who license the data from Deere. This metastatic growth is another big change. It’s become really urgent to act now because, in addition to this consumer rights dimension, your ability to add things to your device, take it for independent service, add features, and reconfigure it are all subject to approval from manufacturers.
All of this has become a no-go zone for security researchers. In the last summer, the Copyright Office entertained petitions for people who have been impacted by Section 1201 of the DMCA. Several security researchers filed a brief saying they had discovered grave defects in products as varied as voting machines, insulin pumps and cars, and they were told by their counsel that they couldn’t disclose because, in so doing, they would reveal information that might help someone bypass DRM, and thus would face felony prosecution and civil lawsuits.
Cory Doctorow on legally disabling DRM (for good)