One of the commonest errors you see made in articles about information security is to equate the secrecy obtained by cryptography with the licensing control applied by DRM.

You will see plenty of ‘experts’ state that you can use cryptography to ensure the security of your information, when what they actually mean is that a recipient can check that what they receive has not been altered or falsified, and that unauthorized people cannot have read it first.

Now that isn’t DRM.  When you, as the authorized recipient of encrypted information decrypt it, you can do precisely what you like with it.  Copy it, send it to your friends (or even your enemies), alter it, anything you feel like.

But DRM is about very much more.

DRM has to deal with what you are allowed to do with information that you are authorized to receive.  Generally you are not allowed to pass information on to others.  (That is considered implicit in military systems, but is a physical or manual control, and you can’t apply that to electronic information.  What the military do is make sure it can’t leave the system it is stored on, which is not an option if you’re selling eBooks.)

As importantly, you may not be able to make printed copies, or that might be allowed but a Copyright mark is prominently displayed when you do that.  You might only be able to use the electronic information for a limited number of times (pay per view) or for a limited time period (documents for evaluation or for bidding for contracts).

Only DRM controls have the ability to ensure that the controls, or license terms that go along with the information actually get enforced.

Of course DRM also makes use of encryption technology both to be sure that nothing can be used unless the recipient is authorized, but that’s only the start of the story.

So next time someone tells you that all your security problems can be solved by encryption, just let them know better.

 
Although not the only person to use the quotation, Margaret Thatcher famously said those words to describe losing the election to be the leader of the Conservative Party and therefore the post of Prime Minister and First Lord of the Treasury.

And when you look out at the IT security industry you risk having the same feeling that she did.

Although not very surprising, people have gone out and solved problems that were easy, leaving the difficult ones to specialists whilst using marketing muscle to ‘persuade’ customers that their solutions fit the problems.

A good case in point would be the global adoption of the secure connection technology SSL (Secure Sockets Layer).  Pedalled for many years as the certainty of a secure connection, it has been nothing of the kind.  Yes, it very securely connects together two locations that do not know each other.  And that’s the problem.  You only think you are connected to the bank, and they only think they are connected to you.

It’s been a bit the same with DRM.

At one level it has been stunningly bad.  The music and film copying brigades got it into their heads that just because in the cassette tape days you could tape anything off the radio or the record deck (mind you the quality was absolutely dreadful) and make copies (which were even worse – but you could do it!) then you had the divine right to copy anything. After all, let’s not worry about copyright.

And at the other end of the equation, DRM system providers did themselves no favours either.  They tried to implement DRM that prevented people from making copies of their own works, or DRM that just enabled suppliers to charge different amounts for exactly the same product in different places around the world.  Finally, DRM providers made the serious mistake of trying to embed themselves into operating systems, and behaving like viruses or hackers.

There has also been the dichotomy about use of DRM protected products – to print or not to print?  I have discussed this with several eBook publishers and they have mixed views.  At one level we all agree that the eBook has immense power and potential over the paper book – quick indexes; searching; linking both internal and external: all things a paper book simply can’t deliver.  At another level, people just don’t really read eBooks the same way they do paper.  

When did you last take your laptop to the lavatory so you could read something in peace?

And maybe that’s what’s lacking in the eBook development thinking?  An eBook version of a training course is not quite the same proposition as the eBook version of a fashion magazine.  And the eBook version of your broker’s guide to share trading is not the same as the latest best selling novel.

There are similarities, certainly, but a good guide would be found by looking at the ‘intended use scenario.’   Is the product intended primarily for social, domestic and leisure, or is it primarily for business?

Current document DRM systems are focused on business applications use (which includes handling formal business documents that may be used both at work and at home – the home element does not dominate the primary point that the business use dominates the rights and rights management).  Business DRM is reasonably well scoped.

But many suppliers are leaping onto the DRM bandwagon trying to apply it to scenarios where the use (and the formality of use) is very different.

If you argued that when you buy a novel, when you have read it then you can give it, in its entirety (not a copy) to someone else that might be an acceptable use.  But a business training course was never provided for that purpose.  It was provided for a specific and limited use, often for a very restricted period of time.  And the same concepts do not apply.

And some business documents are not being distributed for copying at all.  Some are business secrets, some are documents disclosed because they have to be, but only to identified individuals, and so on.  There is absolutely every reason for the distributor to want to be sure that the document is not copied, or forwarded to anyone, or maybe even printed.  

But the DRM mechanisms are just the same.  The secret is in who you apply them to and how you apply them.

Of course you will upset people by introducing DRM.  All the people who think they should be able to copy and distribute your information for starters!  And all the people who hate DRM just on principle (but please  see the first group again also).

But maybe those are the very people you wanted to control in the first place?

It’s a funny old world, isn’t it?

 
Being interested in opinions on the rights, wrongs, virtues and demerits perceived by many communities, I found the following article http://arstechnica.com/news.ars/post/20080828-study-students-need-open-source-e-textbooks.html to be of some interest.

If you read the article, you start from an offered conclusion that student text books ought to be available under open source type Creative Commons licenses.  But as you dig further down, you find out that students are complaining about the cost of text books.

The arguments seem to be:

- text books are too expensive anyway;
- you can’t print out much at a go;
- they have a short life;
- they cost as much as the print editions.

So the complaints seem to be much more like those being used on film and music companies than they are about DRM itself.

Now I would have to agree that it seems very strange that it costs me the same to buy a book that I have for ever, or an electronic book which I only get to use for 6 months.  At the same time the electronic book supplier might be offering me something rather different with the electronic book – things I just can’t do with the paper edition.  Searching (it saves me having to read the whole thing although maybe I actually learn less?) and hyperlinking to other reference work, articles, forums and so on are things I just don’t get on paper, or images I can work with.

Why should I get upset about not being able to print the ebook?  If I want a print edition then surely that is what I should have purchased to begin with.  If I want to print information then I should expect to pay a premium (normally called a royalty) for the right to make copies of the book.  That’s totally normal.  And just the same as in the software world.  It isn’t realistic to think I can buy some software for one machine and then put it on as many machines as I suddenly decide – hey man, that’s piracy.

So I am not totally convinced by the student’s arguments.  Yes, we all moan about the price of things, from cars to condos and from tuna to text books.  And that’s normal, good and healthy.  And in the bargaining business you always start from an extreme position if you think you can get away with it, so, of course, a study that asks the students the right questions will get whatever result they feel like. 

I’m equally certain that if you asked the College Professors who specified the books for the term and the course (and maybe even wrote them?) they would not be wanting to give away their work, even though they were paid to gain their expertise.  And if you asked the publishers, they will have a view all of their own (but don’t ask me what it is because I haven’t asked them).

So bottom line, it’s popular to attack DRM because, hey, it stops me from doing my own thing.  Everyone seems to think that buying something grants you the right to use what you bought anyhow you want.  Well, that isn’t the case with automobiles, guns, software, drugs, or a whole load of other things.  And so far there’s no proof ebooks are any different.

As a closing thought, the other day I had to spend 350 bucks to buy a paper book that is a definitive reference on company valuation methods.  It is out of print, and there are only two companies who can supply it from stock.  There are no electronic versions, and it is not in the library.  Next?  I would have liked an ebook version with search and hyperlinks but it isn’t available.  And I bet if it was it would cost a damn site more than the paper edition – and I would have paid it!

 
The other day we see reported in the press (in this case SC Magazine http://haymarket.puresendmail.com/hmiclick/4t6676cRbkg92yRmd0R8l9a2cRng1R4tbura/2/www.scmagazineuk.com/UK-Government-takes-rap-for-latest-data-blunder/article/115785/) that yet again personal data held by the UK government has leaked its way out into the public domain.

In the past we have managed to hit tax claimants, car drivers, and student doctors.  But just as we thought things were getting better they and their partners managed to hit a most unlikely and vulnerable sector of society – criminals.

It might well be jingoism to say, “Well, why should they get protection – so who cares.”  But as we know, it turns out that there are wrong convictions, and not every prisoner is a paedophile, murderer, rapist or thief.  Some are just people who couldn’t pay the mortgage. 

And would we want people to be readily exposed to blackmail because of their pasts?   Making it easier for other criminals to recruit them when they have served the punishment society exacted?  Probably not a good idea.

What it also does is reinforce genuine and growing concern that information professionals and management simply do not have any grip on protecting the privacy of information.  They may (and the Press may say they may not) have some grasp about access controls.  But there seems to be no clue about how to stop the leaking and spreading of information that has been entrusted to them to manage. 

And the biggest collectors and processors of really high value and fairly accurate personal data are - governments, whether national or local.

So the nightmare scenario is that governments give themselves the right to collect more and more personal information about people (not just their citizens), and consolidate it under the guise of (pick one or more for your own country as required) identity control, taxation, prevention of terrorism, then they are at the same time creating the opportunity for even bigger targets for hackers, and ever bigger losses of personal data.

But whilst there seems to be no effective way, if news stories are correct, of persuading government officials and the companies working for them to raise standards and take personal responsibility for losses, then you can forget having personal data.

 
Now even consultants would normally be hard pressed to find an argument that customers want DRM controls protecting information. 

If you believe the modern anti-DRM blog sites, DRM is akin to the works of the (please pick a suitable negative deity suited to your particular persuasion).  Imposing controls on honest citizens is an affront to their dignity (let’s just not worry about speed traps because we don’t believe you can be trusted to obey the law). 

But, and this is serious, there are sectors of the community that want the protection of DRM controls.

One important group is the individuals or organizations that are buying training courses so that they can train themselves or their people so they can carry out licensed services and demonstrate that they have proven capabilities and expertise.  They are investing serious money in the enhancement and development of their staff and their businesses.  The last thing they want to see is competitors being able to undercut them because they haven’t paid the proper fees.  That is unfair competition from the unethical and unscrupulous.  Why should the honest and law abiding suffer at the hands of the dishonest?  Or is that the purpose of hacking?

Another group who demand DRM controls are those receiving confidential information.  Because when confidential information leaks out, the finger pointing starts, and absent DRM controls that can act to identify the actual source of a leak, then the selection of a scapegoat can commence.  So the presence of DRM controls helps protect the recipients of information, because it can help prove they were not the source of any leak or compromize.  And when it comes to keeping your reputation as well as your job, DRM can prove invaluable.

And a third group who want DRM controls are those who need to receive information but the owner of the information wants some actual certainty the information will be looked after properly.  In this group are the people who have to send out personal data that has to be human accessible.  This is the fastest growing group, because US regulation is now getting much more stern about encrypting personal data in computers.  It is now specifying that there has to be some management and control, and is going for tougher penalties to incentivise compliance.  Naturally, people sending out DRM controlled information are better placed to easily prove they did a good job.

So before you show me another web site about how bad DRM is and how it is that nothing should be DRM protected, just think for a moment about the fact that it is essential in some industries, and, that without it, your personal data can still be handed around without anyone being able to stop it.

 
Sophocles, in his work Antigone, said, "No one loves the messenger who brings bad news."

This week provided more than it’s share of light entertainment with blogs of disinformation.  Top of the list goes to the people who figure that Lizard Safeguard ought to work on every operating system known to man (or is that persons?).  It says clearly on the box, works with PC and Mac – and nothing else.  It’s rather like buying a book that’s published in English and then complaining because it isn’t in Danish (and likely never will be).  It doesn’t run on an IBM mainframe either, btw.

And second error prize has to go to those who say it doesn’t work on the Mac.  It does. 

As a general rule, two out of three is pretty bad, but what about number 3?

“The system is unusable because it insists on always connecting to the Internet before you can use anything.”

It is true that you have to connect to the Internet the first time you open a document – it has to check that you are the bona fide purchaser, and it has to get the information needed to decrypt the document.  After that, it totally depends on what the owner of the document has chosen to enforce.  And nothing to do with LockLizard, because they can only enforce what the publisher defines as the rules.  You don’t go round blaming Microsoft because your system administrator decided the frequency you update your logon password – so why blame LockLizard about the way the system administrator has configured their controls?

But, of course, the modern attitude is to use any possible reason to try and prevent people from implementing DRM controls, even though all the available evidence proves rampant piracy and theft of digitized information.  So use every possible opportunity, no matter how ridiculous, to claim rights that don’t exist. 

And don’t forget to blame the messenger!  The DRM provider creates a toolkit that the publisher implements in whatever way they see fit.  But of course the DRM provider is the evil guy because they are stupid enough to implement what the publisher said.  It’s Hobson’s choice - damned if you do and damned if you don’t.  If you are the DRM provider and you don’t enforce what your customer, the publisher, says, then they will soon be after you, and probably with good cause.  But it seems that if you implement what the publishers want, then the people getting the information want to blame you for doing a good job!

Of course the attitudes are so different if what is being published is personal data – oh you should have taken the strongest possible means to protect it – what do you mean you didn’t check who was accessing the data.  And so on.  Just because it’s not your personal data, it doesn’t mean you have the right to do what you like with it – or does it?

 
It has been interesting reading the blogs, analysts and industrial pundits who have decided that Web 2.0 is the best thing since ….. well, maybe Web 1.x? and that every being on the planet should endorse its concepts – sharing information, whether personal or corporate in places whether public or private.

Team playing, that’s the thing.  As long as we all work together the results will be bigger, better, quicker, cheaper, more FUN.
 
To try and avoid the risk of being a party pooper I put out a few inquiries (name the usual search engines) about Web 2.0 security.  After all, before I go revealing whatever it is that I decide I’m going to reveal, I’d rather like a few ideas about who might get their sticky little hands on whatever I am posting.  Well, Google muscled in with (around?) 160,000,000 entries, Yahoo hoisted 316,000,000 and MSN claimed 72,800,000.  I admit it.  I didn’t read them all, I just didn’t have the time.

But the summaries on the first few pages, regardless of who I consulted, was just the same.  No security, and no plan for security.

Now this is kind of worrying.

We are all supposed to bring in whatever we want and then share it (knowingly or otherwise) with a group of people we may (or may actually not) know, and that’s good.

Somehow I figure there’s going to be a ton of material that my CEO (wife, partner, children, friends and acquaintances – the list goes on) does not want me to give to other people.  Yes, I know a couple of those photos after the hot tub might be a bit insensitive, but, hell, it happened didn’t it?  And maybe I shouldn’t have published that extract about how we always get the best procurement price – but it is what we do, isn’t it?

You see, that’s the problem.  We all coexist with and in many groups, all at the same time.  But those groups are not connected by common views, objectives, rules or members.  And it’s not clear if the members of each group even share common ideals.  All Americans support America, of course.  Except those who crash jets, or oppose foreign wars, or ….  

So even when you think you know who the players are you don’t know what they will do with the information you give them, or what information you may have given them access to without your even knowing.

The problem is that Web 2.0 does not have DRM controls that help you decide the limits that can be put on the use of your information.  It’s certainly the information super highway – but it’s all about sharing and none of it’s about control.  Caveat orator – let the speaker beware – should be our watchword.

But no doubt, like the IT fashions and fancies that have gone before, it will require a lot of fingers to be burned before any security, let alone DRM gets added.  So in the meantime, if you don’t want your information being shared about, get some DRM protecting what you have got, whilst you still have it.

 
I am sure you will have read the article in efflux.com http://www.efluxmedia.com/news_Yahoo_Music_Dead_Another_Reason_To_Never_Buy_DRM_Protected_Tracks_21005.html warning of the death of the Microsoft music DRM by August 31, and Google by September 30 (2008).

Their conclusion?  “Digital rights management technologies are a failure commercially and technically. There are too many standards which are not interoperable, they restrict the customer's freedom to high degrees and they are an everyday nuisance to work with.”

Well wash my mouth out with soap (no I don’t mean SOAP which is another load of XML). 

Let’s look at that rather broad conclusion.

There are too many standards?  Excuse me?  I looked up DRM standards in ISO (International Standards Organization, the people who figure out what is the standard for electric cable so you don’t blow your hands off touching the stuff, the rails that trains run on so that they stay running on them, and serious computer standards – you know, stuff that matters), and drew a blank.  Now if someone had said manufacturer’s standards, I could buy into the argument.

An everyday nuisance to work with?  Well, you might get paid to listen to music tracks.  Or maybe they just mean you can’t readily copy tracks and give them away?  (I bet you can buy a license to do that, but its costly.)

But what most people have yet to understand is that the DRM industry is seriously new, and that there is precisely no desire by major players (tape, CD, DVD, PDF and so on) to provide interoperable standards, when we haven’t even agreed what standards are being looked for, and why, or how they should be implemented.

The current market is in what the economists call the ‘prime mover’ phase.  Literally, that means that the first into the market can do what they like, set any standards they feel like, and charge any price that suits them!  The market has been there since the late 1990s.  Not quite recently?  And mainly because it has not suited any major player to see International Standards emerge, it has not changed. 

Actually, rather than worry about the latest squabble about whose industrial standard should be dominant, we should be worrying about what sorts of DRM standards are going to emerge, and how to be able to influence them.  They are rather like taxation – you can never stop a government from taxing you.  That’s how they stay alive, by taking your money (and if the statistics are correct they get more money out of individuals than they get out of corporations, which ought to be rather worrying).

Despite what the pundits say, DRM is not going to go away.  The people who create and sell intellectual property (IPR) have to make their livings from doing that.  They are not going to give away their livelihoods any more than you or the pirates are going to.  The people you really need to fear are those who do not need a day job to pay their way, or where the day job is so badly supervised that they can afford to waste their employer’s time whilst they pursue illegal interests. 

And just as the Internet has moved from being a free information source (1995-2002) it is now increasingly a paid information source and what was previously free is no longer available unless you pay for it.  If you examine information sources now they consist of sources that have been paid for as a matter of public interest (the Gutenberg series that have made much of the Classical repertoire (Shakespeare, Plato and many other Classical greats such as Chaucer) accessible to any and all.  We applaud these measures.  Even if modern schooling fails to inculcate any appreciation for works other than Homer Simpson, we agree that works out of copyright should be available to all – but MUST be assured as being the actual words, and not some Bowdlerism (Thomas Bowdler (July 11, 1754 – February 24, 1825) was an English physician who published an expurgated edition of William Shakespeare's work that he considered to be more appropriate for women and children than the original, and, according to some sources, actually made it more accessible!). 

Apparently political correctness is not a new disease?

Seekers after truth deserve some measured verity.  But you can’t deliver that without DRM.  Because DRM is, as the Germans say, “A sword with no handles.”  It does not merely control what a recipient can do with the information they receive, it verifies that the information they have gained possession of is truly coming from the claimed source – the publisher. 

There is nothing negative in this for the publisher.  Actually, for the publisher it is a comfort.  Because otherwise how else can a publisher ‘prove’ what it is they actually published, given the modern world where information theft and the misuse of information are commonplace?  The fact of DRM tools provides an abiding proof that they truly are the source of specific information, and that can help publishers obtain prosecution of unreasonable and irresponsible pirates on the one hand, and avoid prosecution for things they never did publish, on the other. 

So think carefully before trying to consign DRM to the dustbin of history.  It may be following closely behind such must have’s as death and taxes.

 
I read, from the July pages of www.StarNewsOnline.com that “The Pirate Bay, which is based in Sweden, presents a devilishly fearless challenge to American textbook publishers. It describes itself as an “anticopyright organization” and offers music, movies, television shows and software, as well as e-books like textbooks — not a single item of which, it boasts, has ever been removed at the request of a copyright owner.”  Hmm.  Sounds like Pirates?

But how many economic analyses have you read that actually examined the effects of piracy on product markets?  Probably very few.

Big hitters like the music, TV and film people complain about losses in their industries.  Designer label clothes and perfume producers complain.  Software manufacturers also complain.

But if you make a careful analysis, piracy always occurs when there are serious market pricing inequalities that are not addressed by regulation.  Or to try to be a bit clearer, when you can buy a product in one country for x, and in another country for a half of x, there is a serious price inequality.  If no action is taken to correct a price inequality, this creates the vacuum that pirates, being, at heart, just as serious capitalists as any industrialist, will naturally seek to fill.

This is not some vague modern theory.  Rather it is a statement that has stood the test of time.  When in the UK in the 1800s, it was decided by government to raise the tax on alcohol and tobacco to be significantly above that of France, somewhere only 14 miles away, pirates were handed a market second only to the government forcing you buy your postal service from them (and they did do that). 

There are many more recent examples.  Designer jeans manufacturers and perfume manufacturers won global legal battles that enabled them to enforce per country pricing for their products, and to be able to prevent countries purchasing at lower prices from reselling to other, higher priced countries.

The same has been true in the information world.

I cannot understand how it is that the same information can possibly have a different value in a different country.  I agree, that, if translation into a different language from the source is necessary, then that might introduce a cost that has to be paid for, but I also assume that the seller will have thought about the effects of price on market before launching their wares, and will have worried about what price to set in order to make a viable return (please see economists for the math behind price/market/demand models, I don’t have the desire to write a book on it).  To give you a practical example, the other day I paid over $350 for a book that it was essential I could read right now, was out of print, and only one supplier could deliver a copy next day.

The bottom line, as they say, is that any DRM controls built by man can be removed by man.  It all depends on cost/effort/desire.  Risk analysis.  DRM controls over things that can be seen or heard can be ‘removed’ using a camera and a microphone.  That cannot be prevented.  There will be loss of quality, and, if your product has high embedded functionality (ability to search on information, links to other objects, embedded information) there may be critical loss of functionality that renders a copy of little or no value in the market place.  You may also be using features such as dynamic watermarking, that significantly reduce the desire of legitimate users to allow pirates access to their materials because they may be personally identified as the source of piracy.  Hopefully, in your DRM system, you are using features such as encryption, that can prevent trivial ways of accessing and copying your work(s). 

But do please always remember that to a greater or lesser extent, if the cost and effort are low enough, and the desire is high enough, then copies of the basic information can be made.  What can be stopped is stealing embedded functionality that the DRM controls also protect. 

The greatest effector you can face is desire.  If your market is students and your strategy is to charge premium price then you can expect a high ‘desire’ to break your controls.  If you choose a lower price because you can sell year on year the same product, then you lower desire.

We sell our products at exactly the same price globally.  There are no exceptions.  There are no premiums.  There are no discounts.  At one level it’s a rough deal because poor economies have to pay ‘relatively’ more.  But there is a level playing field.  There is no market price fixing.  We do not demand a different price in Chile from Canada, or in the United States from the United Kingdom.  And maybe that’s part of the equation?  Part of the equation of persuading people it’s not worth the bother of pirating information is to set prices that are both globally consistent and do not overly increase the desire to find a way to bypass them.

That’s not part of the choice of a DRM product supplier, although you might prefer to choose one that is realistic about what can be achieved and clear about being a DRM provider and nothing else.

 
As can be the case, we have been rather overtaken by recent events – in my case an office move – actually only about a mile as the (insert the feathered creature of your preference) flies. 

Fortunately our office move really did happen over a weekend.  And whilst it had precisely zero impact on our customers – everything carried on running seamlessly – that was not entirely the case for us staff.

Take me (please), for instance.  For reasons that are so obvious I am not going to explain them, my shaver cord happened to be on my desk when the removers came.  That is the last time I, or anyone else saw it.  So the emerging beard can be explained by the fact that I am too tight to buy a new Braun top of the range machine without a fight!

And what has that got to do with information security?

Well, during last week the UK government published a whole series of reports (on the same day, so you know they had saved up all the bad news for a moment when they hoped nobody was watching) on how major government departments like the Inland Revenue (HMRC in the UK and IRS in the US) and the Ministry of Defense had managed to lose millions of people’s personal data and that none of it was protected in any way, shape or form.

The major thrust of the reports was that management did not consider that the personal data they held in trust was their responsibility to protect and therefore they did not see any need to spend any money at all on protecting it.

A second, and perhaps even more dangerous revelation was that government collected information that it subsequently used for purposes that were not consistent with what it had been collected it for. 

It is, of course, now normal that neither government ministers nor civil service officials will be exposed as charlatans or hypocrites, and that nobody will have their careers ended because they clearly failed to live up to the standards (moral, ethical, documented or expected) that they pretended were in force.  Governments and their officials should not pretend surprise when the electorate ignore them – if nobody is accountable then who cares who gets elected?

Well, with guidance like that from on high, what hope is there for the rest of us?

Usually we look to governments and big industry to show the way in both corporate and civil behaviour.  After all, they make the law, and they enforce that law.

But right now their governance is, to put it mildly, severely lacking.  If, to quote a very famous film, “Frankly, my dear, I don’t give a damn,” then why should we believe them when they talk about Copyright and similar protections?  It looks like a load of irrelevance, and anyone wanting information protection will have to go with what they can get.  There’s no point in waiting for the prognostications of the governments, or the divinations of standards bodies (international or industry led) because it is totally clear that the leaders are not interested.

And that brings me back to the power cord.  Nobody at the removers is interested in my problem.  So I am going to have to sort it out for myself – and the beard itches!

There are many good and valid reasons why people wish to be able to publish and transmit information electronically.  The rise of social web sites testifies to the willingness of people to make information available to selected individuals or groups.

However, a willingness to share should not be interpreted as a wholesale license to all and sundry to freely make copies of electronic information and re-distribute it without even acknowledging the original ownership, or paying a Copyright fee.

Much has been made, in the technology world, of the concepts of Open Source, CopyLeft, Limited Rights and so on, as arguments for the desirability of making all electronically held information freely available to all comers.  In the music receiving industry (as against the music publishing industry) there has been considerable pressure to make copying and redistribution a ‘right,’ merely because it is difficult to prevent. 

Such arguments are intellectually barren.  They are like saying that because you own a gun you have a ‘right’ to shoot anything you like because it is difficult to stop you, or that because you can buy a car you can drive it anywhere you like and in any manner that you wish.

Because people suffer physical harm as a result of such poor behaviours we pass laws to take action if behaviour is unacceptable.  Since Copyright is an economic right, we also have laws to protect Copyright owners from economic harm where behaviour is unacceptable.

So we must reject the claim that merely because you can do something then you automatically have the right to do it.  (This was never true in Roman Law countries anyway.)

Empirical evidence suggests that computer users cannot be trusted to use information provided electronically only and solely for lawful purposes.  Regrettably, it is essential to instil enlightened self-interest into the users of electronically provided information.  This is essential, simply because, “Computers are all about copying.” (Prof. JAL Sterling and S Mathews in a paper on protocols and interfaces).  Not only do computers facilitate copying, but they ensure that such copies are always perfect in every detail.

This creates significant problems whose Intellectual Property(IP) (whether being offered for sale or being made available for some purpose as the result of a commercial agreement or a ruling of a competent Court, or some other reason) is being distributed electronically.  Agreements for the control of the use of IP are normally very precise, and set out to prevent unauthorized use.  Given the propensity of users to do things because they can, it is essential to provide a system of controls (Digital Rights Management or DRM) that actively ensure that the permitted uses must be observed, and cannot be trivially ignored.

Similarly, those wishing to make their livings from selling their intellectual capacity (creating works by thinking) as opposed to their physical capacity (making objects) must have the ability to enforce their economic right.  To suggest that all the world (tout le monde) cannot make their livings from publishing and selling on the Internet would be a travesty of the so-called knowledge-based economies.  Whilst some may seek to demonstrate their intellectual capacities by ‘giving away’ the fruits of their labours as marketing in the hope of selling something else, not everyone has the luxury of such an indulgence.  One cannot see authors such as JK Rowling agreeing,  http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/books/article3621625.ece seems to be an indication of her view about copying!

Academics (who, incidentally are paid to write, and often write as a matter of advertising, as do I) may claim that all intellectual capacity should be available for their study, comment, parody and so on.  I wonder how many electronic copies of Deathly Hallows were provided free gratis to the academic community for that purpose?  And without any limitation as to copying and being able to pass on?

The fact of the matter is that there are cogent economic and political reasons why DRM technologies are required to protect documents in electronic form, and it is wrong to suggest that that there should be no mechanisms enforcing the control of authorized use made available and put in place.  Let those who wish to give away their work do so if they will, but allow those who sell their work to obtain fair and relevant recompense for their labours.

Those familiar with reading our columns know that we are not normally exercised by minor debates.  But we are amazed by the report (which we rely upon as being true) by ZDNet at http://news.zdnet.com/2100-9588_22-6228910.html?tag=nl.e550 (correct at the time of publication) that the United States has mandated Federal identity controls on the back of a Bill ostensibly to do with "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005."

Well, OK, we do have the text in there about the ‘Global War on Terror’ so I guess that this might be a fine argument.

But come on – get real – if you read the text it’s all about making the driver’s license the authorized Federally approved identity document!

Now I realize that in the USA if you do not have a driver’s license then you are probably some kind of low life that does not exist, so therefore you are of no significance, and obviously not a terrorist, and therefore we do not need to worry about you.  After all, a terrorist could not possibly drive a car without a license just to deliver a bomb, could they?

Hey, but that’s only a social analysis that says that the downtrodden underclasses are not likely to be terrorists, so we don’t need to worry about them.

Let’s try thinking out of the box for a moment.  Why would you want this legislation when the people you are trying to catch are running outside of the system in the first place?  After all, history teaches us that criminals are generally outside the system because being inside the system is a highly negative advantage!

Think for a moment about the costs that are going to be involved in granting the Secretary of Homeland Security this (wild?) desire to collect, at the expense of the States, and therefore at the direct expense of the Citizen, without there being any demonstrable benefit from this to that citizen (unless you count the collection of information about law-abiding people, because no self-respecting terrorist of any kind would be caught by such a an obvious trap) provable personal identifiers to standards that have not been promulgated and security controls that have not yet been identified.

Yes, this bill will be the mother of all pork barrels to industries who strut their stuff about all manner of personal identification methods (despite the simple fact that there are no recognized international standards in this field, so anyone can claim anything they like – snake oil?) and the bill completely fails to say anything of any substance about standards, compliance, certification, accreditation and so on.

So we screw the US car driver for shedloads of money – is that a problem?

Well, if the punter is willing to pay, then I guess not.  After all, that’s what a capitalist economy is all about.  Capitalism is about what industry can screw out of consumers and governments can screw out of both (not maybe what Carl Marx actually wrote, but close enough).

So this may actually come down to cost.  If the cost of implementing legislation that has not had public debate, is of questionable public benefit, has a cost that may not be appropriate to the actual benefit achieved (Since 9/11 precisely what has happened?  Well at the current rate of experience, nothing.) then why are we bothering?  Surely governments are being held to account for spending taxpayer money wisely and effectively. 

But, of course, if this is really a bill to hand the Secretary a future blank check for getting funding, even if that office has so far failed to do anything tangible for the protection of the public, then it is completely understandable.

But then, you have to accept that by insisting on the registration of the law abiding (at an unknown, but certainly high cost to them personally) you can catch terrorists, who are, by definition, not law-abiding, and therefore outside of the system, then this is something you should go for.  But please suspend the use of logic, finance, governance or anything similar.

On the other hand, if you feel like funding another Star Wars program personally, then step in line and vote.

If you believed everything you heard from the music and film industries, you could get very confused very easily.  And you could all be fooled into thinking that they are the only industries that exist when it comes to needing DRM (it’s a bit like saying that governments are the only organizations that need privacy!).  So Amazon and Sony now say DRM is dead?  Or is this nothing more than the usual marketing hype after a disaster?

Actually, music and film have had long, chequered and cyclical love/hate relationship with DRM, mainly because they were the first people to get seriously exposed to piracy, and to feel pain where it truly hurts – in the bank account.  They got there in the 1960’s, long before the PC, or the iPod were more than the work of science fiction writers like Arthur C Clarke.  The fact that it would take almost 50 years before book publishers and organizations woke up and smelt the coffee is just history.

Their first outing was the cassette tape.  Up to then, copying a record was practically impossible, and although reel-to-reel recorders were around they were too expensive and difficult to use for normal mortals.  But anyone could use a cassette, and everyone did.  They tried suing people who sold cassette decks that would copy from one to another, but they failed, and thus started the hunt for the Holy Grail of the industry – a way of stopping people from copying music (and later film) so that they could charge premium rates for their wares.

Alas, it was not to be.  They lost the cassette wars, and later the VHS wars.  They won the DAT war (Digital Audio Tape) – remember it?  maybe not, when the hardware manufacturers lost a fortune because no consumer would buy into it because the copying controls were so aggressive you couldn’t necessarily copy your own personal recordings.  CD controls proved to be a lost cause, and DVD region pricing was outflanked by hardware manufacturers who were determined not to lose out on their own market opportunity this time around.  I remember a big meeting in LA when the music industry said they were going to implement secure MP3!  Laugh like a drain?  Well, I must confess I was close to being thrown out of the meeting.  Lately it seems that Sony decided on a rootkit approach to preventing copying that also opened up a serious hacking opportunity.

So maybe you should see the current position to be nothing more than posturing by an industry that wants to be the content deliverer to the mass consumer market, and has only one objective in mind – its own profitability.

That’s not to say that there’s anything bad about profit.  All of us are in business (in a particular sense), and if we don’t show a profit, one way or another, then things are very bad indeed (see Charles Dickens on Wilkins Micawber). 

And what most people (and organizations, for that matter) trade on is their intellectual property.  In the ‘knowledge economy’ that is what we are selling.  So we have to safeguard that IP or anyone and everyone (I used to say the World and His Wife, but apparently that is no longer Politically Correct, and saying it would render me liable to being excommunicated by the deity or politician of your choice) can rip (RIP – Requiescat In Pace or ‘you will rest in peace’) you off and make your personal trade value slightly lower than that of a Eunuch’s scrotum.  (Apparently that is still Politically Correct!)

What one has to think about very carefully, is what value DRM controls provide to you (either as an individual or as a business) in order to say if they matter, and when it is that they matter.

The music/film industries are under the cosh because you can either copy their stuff, or you can’t.  If you can buy a legal version, and then copy it by recording the sound or filming the picture on a seriously high quality screen then you are in business.  And they are not.

But that is a problem for those industries.  You can buy cracked codes for satellite TV systems with little or no effort or risk.  Try eBay – if it’s too cheap can it be real? 

But, for the document handling industries, things are only just beginning to warm up.  Computing is all about copying.  When you read this you are looking at a copy of what I wrote, in fact I am doing that when I watch the characters come up on screen in front of me.  And that’s the major hazard for the PC and the Internet.  Everything has been set up to promote copying.  And the software does not give a ‘tuppeny damn’ whether the information is to be public, be controlled, or kept totally secret.  Which is bad news if you are in the business of selling, or simply providing, information (your knowledge, expertise, capability, private advice to clients, tax return computations, price lists, sales manuals, repair manuals ….. the list seems endless). 

So enter DRM.  DRM is the only approach available that lets you specify not only who can see your proprietary information, but what use they can make of it.  The film and music industries were interested in preventing copying, but you will likely need to be able to stop people using information after a particular date, or make sure they can only see it for a couple of times, or print it once, or any number of other things.  Encryption does none of these things, it just prevents the un-anointed from being able to access information, not limit how and when they might use it. 

So whilst the music and film businesses figure they need to flex their market in order to maximize their own profits, they are operating in a different environment.  Commerce, industry, publishers, authors and ordinary mortals need DRM technology to protect their personal and commercial interests.  They have nothing else.  They are exposed to commercial or personal ruin by the uninhibited ability of the PC and the Internet to copy and re-distribute their information without any control at all.

So whilst the record industries declare DRM is dead, we say, “Long live DRM.”