Mitch Wagner wrote a piece on DRM for Security Pipeline that is getting some play [Update: also available on his weblog], from BoingBoing and Teleread amongst other places. In general I agree with the sentiment, but I think he uses seriously flawed logic to arrive there. I think it’s flawed in two big ways.
One: He makes reference to the fact that “DRM doesn’t work.” Neither Mitch nor anyone is in a position to make the statement that any technology not precluded by the laws of physics “doesn’t work.” There is a huge difference between that and “didn’t work” or “hasn’t worked.” Engineering and product failures in the past are not indicative that a technology is impossible, just that it has not yet succeeded. There was a point in time where one could have sat in Edison’s workshop and made the claim “Look Tom, incandescent light just doesn’t work. You’ve tried 400 filament types, when are you going to admit it doesn’t work?” Successful technologies sometimes arise from the ashes of many failures, and you could always make the claim that they “don’t work”, up until they “do work”.
Two: What feeds into the whole “doesn’t work” is a “zero incident” model. This is the wrong way of looking at security issues, of which DRM is a weird special case where the security is a vendor protecting a product from the customer. Bruce Schneier covers this mode of thinking to exhaustion in his writings. Security is not about incident prevention, it is about risk reduction, risk quantification and risk management. Mitch is claiming that DRM doesn’t work because it has been defeated in the past. The question isn’t whether DRM can be defeated, it is the cost of the defeat. I worked in a DRM company at one point, and the mantra of what we did was “make it cheaper to buy than to steal.” If you can defeat the DRM but it requires you to reformat your drive and reinstall the OS to get the illicit copy, that’s probably a risk that most copyright holders would accept. Schneier’s example is always safes and bank vaults. You don’t buy an “impenetrable” safe, you buy one with a rating; will withstand 30 minutes of torch cutting or whatever. You don’t choose it based on the impossibility of the valuables being stolen, you choose it so that the cost is in line with the value of what it protects and the cost of getting into the safe. DRM is the same way. That DRM can be defeated does not mean that it is useless, the defeat has to be qualified with the cost. There are easy, redistributable defeats in some cases and there are high cost, very involved defeats. Something like the command line program that strips the Microsoft Reader security and allows for distribution of the clear file, that’s the former. Something that allows you to read someone else’s copy of a book but only when you reinstall your OS or change your system’s fingerprint information at a high cost, that would be the latter. Making any statement about the defeat of a DRM without qualifying the cost of the defeat is useless, because the cost could be wildly higher than the purchase price. 
In that case, although a crack exists, de facto it is not any danger to the business. This has a lot of variables, because the value could be a $5 book or a $500 analyst report or a $50,000 document. When Mitch makes the blanket statement that DRM can be defeated, he’s torching the straw man but not really addressing the serious issue of whether the cost of that defeat is balanced with the value of the product.
Here’s where I think Mitch went wrong. I do think he ends up in the right place, but his arguments were bogus. The real reason that his conclusion is correct is not technical at all, but economic. DRM costs money, and puts more layers in the markup chain. Imagine in physical goods if someone decided to insert another whole layer of distributorship, something that would increase the overhead and make things take longer to get to you. From your vantage as a customer, you are getting worse service and yet the higher price is passed along to you. DRM is the same situation. It adds another layer of overhead and price markup to the delivery chain of digital goods, with the final goal of making the product less usable to the consumers.
The folks at Fictionwise talk about this. They try to get all their books sold as DRM free multiformat books. Some publishers refuse, because they are worried about the distribution and unauthorized copying, so those books get DRM via the Palm Reader or secure Mobipocket or other providers. Although they are tight with the numbers, Fictionwise states that these books tend to sell around an order of magnitude less than would be expected from sales of similar DRM-free books. Part of this is because the DRM books aren’t multiformat, which means that there will always be readers who can’t or don’t want to read from the smaller set of supported formats. Part is because the price is higher because of the DRM markup, and part is people just plain don’t want to buy books with limitations on their use. I have started to buy things from Fictionwise and then realized they were DRM books and aborted the purchase. Although I wanted that specific book, I was willing to settle for other things in the tens of thousands of books in their inventory just to avoid the DRM. It costs more, is of less utility, and that pushes sales away even from motivated buyers.
My contention – for which I don’t have any solid data so it must be an article of faith – is that there is indeed risk that an unprotected book will be copied and read by people who didn’t buy it. However, weighing that risk versus the alternative of preventing sales by selling it for a higher price with DRM, the total revenue lost will be less from unauthorized copying than from avoided sales. The example of Baen Books has been that when they freely gave away electronic copies of some of their books, the paper sales actually went up. Cory Doctorow saw the same thing with Down and Out in the Magic Kingdom. Thus, it isn’t even known for sure that the copying would even be a loss. It is known for sure that selling via DRM does cost sales; this can be measured at the retail point. I’m not claiming that if someone puts copies of ebooks on P2P networks that sales will go up, but I’m saying that the damage is probably less than publishers think it would be. On the other hand, the damage of DRM is incurred on every sale that is not completed because of it, and on all the money lost from the value chain into the pockets of the DRM providers. Publishers are losing two ways, lower sales and lower margins on the sales they do make.
I’ve sort of known Mitch as an online presence for a long time. I talk with him on Dueling Modems and SFF.net, and even as far back as GEnie. In general I like the guy a lot and listen to his opinions. I read his weblog, even though it appears to have been moribund for a while. This article is getting a lot of links because it has the popular anti-DRM stance. However, I wish that it had better rigor in getting there, because I don’t want to see his weak arguments become the standard ones, especially not when there are much better ones to use.
[Update: Mitch’s blog is not moribund, he changed the RSS url and I somehow missed that. I’ve missed 4 months of it in my aggregator, and here I thought he just wasn’t posting to it. His last entry in the feed I have subscribed tells of the migration, but I just didn’t notice it. Damn.]