Digital Rights Management, IPR and copy control

The Internet is the right to copy

Steve Mathews — Fri, 12 Feb 2010 22:03:00 GMT

One of the most unreasonable arguments that you see applied day in and day out on the Internet (and on roads before the introduction of speed cameras) is the 'right' to do something just because you can.

It's an interesting argument because it is really an argument for the ultimate failure in ordered society - that I can do anything I can get away with - I have no morals, ethics, scruples or responsibilities.

After all, it justifies any action at all, rape, murder, child pornography - you name it and it's OK.

Hey, but wait a minute, you say. That's all too heavy. I didn’t mean all that nasty and illegal stuff. Obviously that's all way too bad and has got to be wrong (well I sure hope that's what you're saying).

So we are into drawing lines? Some things are agreed to be bad and just because you can do them does not mean that you should, and if society (not just the cops) finds you doing them then there shall be punishment.

Now obviously murder is not good. But where is drug dealing? Does it rank alongside liquor selling? Is pornography OK but child pornography is not? And how do you define them anyway? Where do you rate selling dud cars (maybe that's a bit too topical right now).

But let's cut to the chase. Does the guy who writes music or the gal writing a play or the group playing a track deserve to get paid for their work?

OK, you could argue that the group playing tracks can get paid for live performances, but I don't know as Elvis, The Beatles, or Madonna would be terrifically impressed by that. Yes, live work is important to artistes because they get what you never can from a dead studio - an audience, the feel, the thrill of the audience. So, what about the others. Are they just supposed to produce and then give it away? How long do you think authors would last if they had to give away their work and rely on a few crumbs from the hostel to keep them going?

True, some authors made it big on the conference circuit. Now I don't mean Tony Blair or GW Bush or their like. For one thing, authors they ain't. But Charles Dickens did very well of it for the Brits, and Mark Twain for the Yanks, and you can certainly describe them as authors.

But their real money did not come from lectures, but from printing. Thomas Paine made his legendary contribution - The Rights of Man, for the American Civil War, as a paid for pamphlet! If the Internet had existed then, do you suppose Twitter would have produced anything like in under a century? Being well read is not the same thing as being well paid.

In fact the laws of copyright were introduced in order to prevent the rich (the well paid) from gaining a monopoly over the production and delivery of information.

So whilst the Internet may have given enormous freedoms - the freedom of expression - the access to open and alternative publicity, it has not created a new medium by and through which those creating information as their trading activity can make their livings.

And whilst this remains the case, however much the Internet may prevent censorship and may grant great voice to the weak and the oppressed - truly great capabilities of our time - it acts to deny information and knowledge creators their right to employment and to trade.

At the moment, outside of the communities paid for by advertising, people pay in order to make information available on the Internet. Whether it's purchasing your own server or paying for a domain name, or paying to put up a web site, it's all paying to peddle your own knowledge. But can you afford to give away the information that you need to sell to make a living? Maybe the knowledge economy is already dead.

A crisis of identity

Steve Mathews — Wed, 09 Dec 2009 15:39:00 GMT

It is difficult to guess whether the national security and counter terrorism and contra paedophile brigades will, even when combined, push through a demand for electronic identity more than the anti-hacker and anti-spam and DRM must be personal brigades. No, this is not one of those nice after dinner talking points, but a close analysis of the must have an identity brigades and their stances.

In our own little backwater of the United Kingdom we have seen the government move through regulations that mean you cannot open a bank or savings account, or buy property or trade in shares, without producing photo-id. Never mind who that disenfranchises. You know it is for your own good because it could only ever be a problem if you had something to hide!

That might not be so bad except they also intend to use it to enable them to dig into every aspect of every electronic transaction you ever carry out, and once cheques and cash have been removed that should just about cover it. After all, no-one could ever steal your electronic identity - could they?

But bigger battles are being fought in the US and the Far East.

In the US there are some interesting conflicts (and I am not talking about Iraq/Afghanistan here), with the national security boys wanting to be able to monitor anything wherever, whenever and however they choose, the counter-terrorism (not quite the same slice) people wanting to make sure they can identify who everyone is at a physical level, and the contra paedophile groups wanting to be able to identify everyone who has ever gone near a porn site because they must be inherently evil. Their ideas of identification vary significantly, because their end objectives of using the information also vary.

The US and the Far East also have some interests in common, perhaps because the Far East is now a major investor in the entertainments sector – films, music, computer games and hardware – the DRM brigade. In some circumstances (downloading from file sharing or similar) they wish to be able to identify who is at both ends of the equation, but mainly they want to be able to enforce a series of use rules for electronic information, and they really really really do not want to know who is the user unless that is the only way to run the system because it causes lots of other problems.

But the war is being fought by global commerce and industry. They are sick to the back teeth with the cost and damage caused by spam, hacking, information theft, so-called social networking systems and other employee time-wasting activities that it seems impossible to prevent. That is where real money is lost that makes the cries of all the other players unimportant.

And the people that deserve a bit of help here are commerce and industry – globally. Because there is no angle for gain by any one country over all the others. After all, security mechanisms fail at the weakest link, don't they. So we are either all in this together, or we have nothing at all.

But since global commerce and industry do not have a voice, whilst all the other players do, we are going to continue seeing the lobby industries maintain their conflicting momentum whilst successfully draining time, energy and money from the people actually trying to do business. Of course they will say that their agenda is valid and will solve everyone’s problems, but then they would, wouldn't they.

Meantime I think we will stick to our guns. Simple DRM systems that do not try to identify the actual individual who is licensed, but stop whoever they are from readily giving away what they have bought. It may not solve the world's problems, but it solves a defined problem, which is a lot better than doing nothing.

Oh, and it avoids all the stuff about personal data, monitoring and so on, that gets some regulators really excited.

Is DRM open to abuse?

Steve Mathews — Wed, 19 Aug 2009 16:35:00 GMT

Is DRM open to abuse?

In a word, yes.

Whilst we are not ashamed to be significant suppliers of DRM enforcing mechanisms and systems, we are convinced that the original reasons for creating copyright law, as demonstrated by the debates in the British parliament, were correct, and should be observed.

Although the origins of copyright might be argued to go back to ancient China and the right to reproduce official forms, modern copyright was determined to make sure that authors (creators) of works would be able to enjoy the fruits of their labours, just as those who created physical goods. Because if they did not, then the only authors would be those sponsored by government, industry and commerce, an unhappy trinity on which to place your reliance.

And it was recognized that, in those days, getting full recompense for the writing of a book (other than popular novels) could take a very long time, and so copyright was granted even after the death of the author so that the family might draw benefit of the inheritance.

There was strong debate to the effect that the legislators did not want ‘publishers’ to be able to buy copyrights, because that might give them the means to decide what was to be published and what was not, but market forces prevented the development of the idea that author rights should be inalienable.

Now all of us can readily develop arguments to propose that in the Internet age distribution costs are marginal, and access to market is immediately global, and therefore perhaps copyright should last for no longer than the author (as it were). But we cannot support arguments that say that an author should be behoven to hand-outs from those who feel like giving some money. This reduces the author to the status of a street beggar, a corner musician or a pavement artist. We believe that approach to be flawed (as no doubt would JK Rowling on the one hand and the estate of JRR Tolkein on the other).

But that should not be taken to mean that we believe DRM should be used as a mechanism to forcibly manipulate markets.

We live today in what Arthur C Clarke famously described to the US Congress (positing words originally from Marshall McLuhan) that the world is a global village. But the dictum is that we are global. And to be global is to be transparent in our dealings with our global customers.

So we do not accept that there should be regional pricing models, or that Internet goods and services should be restricted by either price of delivery date. We, as a business, operate transparently in all markets. We offer what we have at the same price (on the day of quotation since we suffer from exposure to the [unnecessary] manipulation of the currency markets) to any and all countries in the world permitted to purchase encryption technology by regulation.

When we release new product it is done globally, even though we have the tools to do otherwise. Why don’t we charge different prices in different markets? Simply because we believe that is a flawed and dangerous trade model. It would be wrong for us to, through our pricing structures, compel different regions to compete at an economic (dis)advantage as determined by us. The world is already the global village that Clarke foresaw, but it seems that some folks have thus far failed to, following Belshazzar, read the writing on the wall.

So we believe that DRM controls are correct, and that it is essential to reward the rights of an author to get paid for the work that they have carried out. But we do not believe that DRM controls should be used to manipulate the economic environment.

Associated Press makes the DRM news (but not how you think)

Steve Mathews — Mon, 10 Aug 2009 20:11:00 GMT

I read in an article arstechnica.com/tech-policy/news/2009/07/drm-for-news-inside-the-aps-plan-to-wrap-its-content.ars that Associated Press (AP) would like a bit more DRM control over information they publish on the web.

Now you might be forgiven for thinking that applying security to information you want to publish for public use, and to be incorporated, either by reference or as text, in the work of others, would be a challenge. And you’d be right!

The reasons security is so difficult to introduce are:

-   content suppliers put accessibility above everything else;
-   web product providers want to be first to get the latest and greatest out there and grab whatever market share for themselves – regardless of the sustainability (more frequently lack of) of the economic model they are pursuing;
-   information security requires people to do something for which they do not perceive they have any gain or any responsibility, so they don’t bother.

So what is AP trying to do? Introduce another HTML tag which contains the authors (or copyright owner’s) rights.

Now that’s not likely to set the world on fire, and I agree with the other security people talked to about this, it doesn’t change current security at all.

But whilst the AP approach looks like fig leaf and mirrors (conceals and reveals all at the same time – a bit like the Windmill?) there actually is some value to it.

It doesn’t stop copying or actual theft and manipulation. To achieve that it would have to envelope content and have a content licensing system, and that would be heavy, complex (for them to implement) and could have profound implications on their direct customers using them as a news feed. Bad news indeed.

But it does achieve two things that will go a long way to solving problems caused by ‘deep linking’ where a web site links through content that is not its own, but makes it look like it is from them.

The first is that by adding tags that will pass through the browsers unharmed, anyone doing nothing more than linking will be caught by a simple tool such as a web crawler, which can automatically process the apparent content and locate unauthorized content re-distributors who can then be investigated manually, and prosecuted when it is in the commercial interest of AP so to do.

The second is to establish a ‘standard’ (and they ought to be looking to join a European initiative on that front because this is not a competitive matter and because if you go for two standards the odds are you will lose both) by which authors rights can be represented, so that the encoding can get international recognition, and, perhaps, go on to become something that law can be used to dignify and recognize. That would be valuable to the IT industry because it would set markers for how to start looking at the rules to apply to web content. And you never know – DRM integration might just be starting.

Arguments for and against DRM

Steve Mathews — Fri, 03 Apr 2009 13:49:00 GMT

The US Federal Trade Commission recently held a ‘town hall’ meeting in order to listen to the arguments being put for and against DRM.

Naturally, the great and the good from all [California?] camps were represented and much was said about the music, film and computer games industries, and how DRM was evil and had failed and therefore should never ever be used, and, in fact, you should never try to protect any information (my own summary).

Gamers and music players said, “DRM only harms lawful owners and does nothing to prevent dedicated hackers, so there is no purpose in having it.”

Well, I guess you might say that having speeding or DUI laws has no effect on criminals (actually, no amount of law has any effect on criminals if you think about it) so we should not have laws. Maybe bank fraud is OK as well?

The nub of the argument goes that if I try it and like it then I might think about buying it. But I have a full copy already, so there’s not actually any real pressure on me to do anything! This is about the same as having access to every book in the world for free and then trying to make a case for having to buy one of them.

Freedom in artistic and literary expression comes from the ability to profit from it, not be condemned to starve for lack of income. Great pamphleteers such as Thomas Paine didn’t give away their work – far from it. He sold it. He wrote the three top-selling literary works of the eighteenth century, which inspired the American Revolution, issued a historic battle cry for individual rights and challenged the corrupt power of government churches. And the income helped him continue his work. Perhaps the modern age would prefer he had never succeeded?

Aha! cry the modern Internet copiers. But talent is what sells, not scarcity.

Well, if you are a music group and you get your real money out of gigs then
I can see where you are coming from. But if you are a writer, then exactly what gigs do you present at? And if you do electronic training courses precisely because you can’t be at all the gigs, then are you supposed to suffer because you have a different economic model?

The only economic model you ever have to consider is how sales get made and invoices get paid. So if a folk band find that giving away tracks is good PR for getting ‘bums on seats’ at gigs then that’s fine. But don’t go claiming that it’s the only possible and valid economic model.

DRM is here to stay where the economic model dictates that scarcity is the most effective route to market. Who would spend a lot of money for a financial analysis of a market if they can get it for nothing, or pay for a training course if they can get it for free. The fact of the matter is that people don’t pay for what they get for free. There is no economic model here.

Even the people who first brought in Copyright law said that they hated the idea of it, but if you denied the author economic benefit from the use of their intellect (as opposed to their hands) then there was no incentive to create works. And if you left it to ‘market forces’ (the rich, companies, governments) then you would usher in the most deadly of futures for the creation and dissemination of knowledge.

So forget the posturing of the music copying community. They are busy re-inventing music concerts (gigs) as the way bands made their livings before records really got going. Maybe they want to reinvent the public lecture tours when successful authors made a part of their living (now a circuit for retired politicians). Check out your own economic model, and if you need scarcity to protect your intellectual capital, then you need DRM!

Anti-DRM fun and fallacy

Steve Mathews — Thu, 11 Dec 2008 22:53:00 GMT

Reading through many articles and blogs provides curious glimpses into the thinking processes of authors (or perhaps more accurately academic project writers?).

A recent observation that interested me was a statement that, “I don’t see why I should have to pay to read a whole book. All I want is a very small portion of the text, and I don’t see why I should have to pay for that.”

Having just had dinner, I wondered how my butcher/supermarket would feel if I said that I didn’t want the whole cow, just the fillet of beef, and since that was such a small piece I didn’t see why I should pay to have it either.

OK, maybe that’s not such a good example.

So let’s get to the point. How would you know, without reading a significant portion of the book, which paragraph was the right one to quote from and why? And why is it you think there should be a right to grab a key piece of the hard work of someone else for nothing in order to benefit yourself, for nothing?

Let’s expand on this. The only way you can possibly know the value of one paragraph as against another in an author’s work is to have read it. Take the following abstraction from an article by Joseph Priestly:

“It is no doubt time, and of course opportunity of examination and discussion, that gives stability to any principles. But this new theory has not only kept its ground, but has been constantly and uniformly advancing in reputation, more than ten years, which, as the attention of so many persons, the best judges of everything relating to the subject has been unremittingly given to it, is no inconsiderable period. Every year of the last twenty or thirty has been of more importance to science, and especially to chemistry, than any ten in the preceding century. So firmly established has this new theory been considered, that a new nomenclature, entirely founded upon it, has been invented, and is now almost in universal use; so that, whether adopt the new system or not, we are under the necessity of learning the new language, if we would understand some of the most valuable of modern publications.”

Now this is jolly good stuff, and with very little effort you could use this paragraph to support almost any scientific claim that you might feel like making. It might dampen the ardour to understand that Priestly was arguing about Phlogiston, in 1796. To know whether he was for or against, you would have to read a great deal more of the text. And that is the point our modern author pointedly ignores.

The second point is to wonder why people think anything in a digital format is a ‘free lunch.’ Just because something is in digital form does not mean it is being given away – just try convincing Microsoft to give away Windows Vista and see where that gets you! Sure modern authors and publishers are moving to using digital form for publishing. But that does not equate to them giving everything away for free. Publishers pay people to write, they pay to create market interest, awareness, they syndicate work with other publishers, and so on. That all costs money, and, especially in this modern economic climate, people expect to be paid for what they do. As any student of entropy will tell you, “There are no free lunches.”

So maybe our scholars should think more carefully? If you want to go out and do the work needed to be able to write the paragraph in your own name, that’s fine. But don’t claim that in advance you know exactly which paragraph of a work is exactly correct for you. That’s obviously not true unless you have already read the work, and one might wonder how that could be without having purchased it? And please don’t claim that you shouldn’t have to pay for just choosing a very small part of the work. Maybe pearls are free in WalMart this week, but likely not.

Cryptography isn’t DRM

Steve Mathews — Tue, 21 Oct 2008 12:46:00 GMT

One of the commonest errors you see made in articles about information security is to equate the secrecy obtained by cryptography with the licensing control applied by DRM.

You will see plenty of ‘experts’ state that you can use cryptography to ensure the security of your information, when what they actually mean is that a recipient can check that what they receive has not been altered or falsified, and that unauthorized people cannot have read it first.

Now that isn’t DRM. When you, as the authorized recipient of encrypted information decrypt it, you can do precisely what you like with it. Copy it, send it to your friends (or even your enemies), alter it, anything you feel like.

But DRM is about very much more.

DRM has to deal with what you are allowed to do with information that you are authorized to receive. Generally you are not allowed to pass information on to others. (That is considered implicit in military systems, but is a physical or manual control, and you can’t apply that to electronic information. What the military do is make sure it can’t leave the system it is stored on, which is not an option if you’re selling eBooks.)

As importantly, you may not be able to make printed copies, or that might be allowed but a Copyright mark is prominently displayed when you do that. You might only be able to use the electronic information for a limited number of times (pay per view) or for a limited time period (documents for evaluation or for bidding for contracts).

Only DRM controls have the ability to ensure that the controls, or license terms that go along with the information actually get enforced.

Of course DRM also makes use of encryption technology both to be sure that nothing can be used unless the recipient is authorized, but that’s only the start of the story.

So next time someone tells you that all your security problems can be solved by encryption, just let them know better.

It’s a funny old world

Steve Mathews — Wed, 24 Sep 2008 16:11:00 GMT

Although not the only person to use the quotation, Margaret Thatcher famously said those words to describe losing the election to be the leader of the Conservative Party and therefore the post of Prime Minister and First Lord of the Treasury.

And when you look out at the IT security industry you risk having the same feeling that she did.

Although not very surprising, people have gone out and solved problems that were easy, leaving the difficult ones to specialists whilst using marketing muscle to ‘persuade’ customers that their solutions fit the problems.

A good case in point would be the global adoption of the secure connection technology SSL (Secure Sockets Layer). Pedalled for many years as the certainty of a secure connection, it has been nothing of the kind. Yes, it very securely connects together two locations that do not know each other. And that’s the problem. You only think you are connected to the bank, and they only think they are connected to you.

It’s been a bit the same with DRM.

At one level it has been stunningly bad. The music and film copying brigades got it into their heads that just because in the cassette tape days you could tape anything off the radio or the record deck (mind you the quality was absolutely dreadful) and make copies (which were even worse – but you could do it!) then you had the divine right to copy anything. After all, let’s not worry about copyright.

And at the other end of the equation, DRM system providers did themselves no favours either. They tried to implement DRM that prevented people from making copies of their own works, or DRM that just enabled suppliers to charge different amounts for exactly the same product in different places around the world. Finally, DRM providers made the serious mistake of trying to embed themselves into operating systems, and behaving like viruses or hackers.

There has also been the dichotomy about use of DRM protected products – to print or not to print? I have discussed this with several eBook publishers and they have mixed views. At one level we all agree that the eBook has immense power and potential over the paper book – quick indexes; searching; linking both internal and external: all things a paper book simply can’t deliver. At another level, people just don’t really read eBooks the same way they do paper.

When did you last take your laptop to the lavatory so you could read something in peace?

And maybe that’s what’s lacking in the eBook development thinking? An eBook version of a training course is not quite the same proposition as the eBook version of a fashion magazine. And the eBook version of your broker’s guide to share trading is not the same as the latest best selling novel.

There are similarities, certainly, but a good guide would be found by looking at the ‘intended use scenario.’ Is the product intended primarily for social, domestic and leisure, or is it primarily for business?

Current document DRM systems are focused on business applications use (which includes handling formal business documents that may be used both at work and at home – the home element does not dominate the primary point that the business use dominates the rights and rights management). Business DRM is reasonably well scoped.

But many suppliers are leaping onto the DRM bandwagon trying to apply it to scenarios where the use (and the formality of use) is very different.

If you argued that when you buy a novel, when you have read it then you can give it, in its entirety (not a copy) to someone else that might be an acceptable use. But a business training course was never provided for that purpose. It was provided for a specific and limited use, often for a very restricted period of time. And the same concepts do not apply.

And some business documents are not being distributed for copying at all. Some are business secrets, some are documents disclosed because they have to be, but only to identified individuals, and so on. There is absolutely every reason for the distributor to want to be sure that the document is not copied, or forwarded to anyone, or maybe even printed.

But the DRM mechanisms are just the same. The secret is in who you apply them to and how you apply them.

Of course you will upset people by introducing DRM. All the people who think they should be able to copy and distribute your information for starters! And all the people who hate DRM just on principle (but please see the first group again also).

But maybe those are the very people you wanted to control in the first place?

It’s a funny old world, isn’t it?

DRM is a barrier to eBook adoption say students

Steve Mathews — Tue, 02 Sep 2008 21:57:00 GMT

Being interested in opinions on the rights, wrongs, virtues and demerits perceived by many communities, I found the following article http://arstechnica.com/news.ars/post/20080828-study-students-need-open-source-e-textbooks.html to be of some interest.

If you read the article, you start from an offered conclusion that student text books ought to be available under open source type Creative Commons licenses. But as you dig further down, you find out that students are complaining about the cost of text books.

The arguments seem to be:

- text books are too expensive anyway;
- you can’t print out much at a go;
- they have a short life;
- they cost as much as the print editions.

So the complaints seem to be much more like those being used on film and music companies than they are about DRM itself.

Now I would have to agree that it seems very strange that it costs me the same to buy a book that I have for ever, or an electronic book which I only get to use for 6 months. At the same time the electronic book supplier might be offering me something rather different with the electronic book – things I just can’t do with the paper edition. Searching (it saves me having to read the whole thing although maybe I actually learn less?) and hyperlinking to other reference work, articles, forums and so on are things I just don’t get on paper, or images I can work with.

Why should I get upset about not being able to print the ebook? If I want a print edition then surely that is what I should have purchased to begin with. If I want to print information then I should expect to pay a premium (normally called a royalty) for the right to make copies of the book. That’s totally normal. And just the same as in the software world. It isn’t realistic to think I can buy some software for one machine and then put it on as many machines as I suddenly decide – hey man, that’s piracy.

So I am not totally convinced by the student’s arguments. Yes, we all moan about the price of things, from cars to condos and from tuna to text books. And that’s normal, good and healthy. And in the bargaining business you always start from an extreme position if you think you can get away with it, so, of course, a study that asks the students the right questions will get whatever result they feel like.

I’m equally certain that if you asked the College Professors who specified the books for the term and the course (and maybe even wrote them?) they would not be wanting to give away their work, even though they were paid to gain their expertise. And if you asked the publishers, they will have a view all of their own (but don’t ask me what it is because I haven’t asked them).

So bottom line, it’s popular to attack DRM because, hey, it stops me from doing my own thing. Everyone seems to think that buying something grants you the right to use what you bought anyhow you want. Well, that isn’t the case with automobiles, guns, software, drugs, or a whole load of other things. And so far there’s no proof ebooks are any different.

As a closing thought, the other day I had to spend 350 bucks to buy a paper book that is a definitive reference on company valuation methods. It is out of print, and there are only two companies who can supply it from stock. There are no electronic versions, and it is not in the library. Next? I would have liked an ebook version with search and hyperlinks but it isn’t available. And I bet if it was it would cost a damn site more than the paper edition – and I would have paid it!

Is there such a thing as personal data anymore

Steve Mathews — Tue, 26 Aug 2008 17:58:00 GMT

The other day we see reported in the press (in this case SC Magazine http://haymarket.puresendmail.com/hmiclick/4t6676cRbkg92yRmd0R8l9a2cRng1R4tbura/2/www.scmagazineuk.com/UK-Government-takes-rap-for-latest-data-blunder/article/115785/) that yet again personal data held by the UK government has leaked its way out into the public domain.

In the past we have managed to hit tax claimants, car drivers, and student doctors. But just as we thought things were getting better they and their partners managed to hit a most unlikely and vulnerable sector of society – criminals.

It might well be jingoism to say, “Well, why should they get protection – so who cares.” But as we know, it turns out that there are wrong convictions, and not every prisoner is a paedophile, murderer, rapist or thief. Some are just people who couldn’t pay the mortgage.

And would we want people to be readily exposed to blackmail because of their pasts? Making it easier for other criminals to recruit them when they have served the punishment society exacted? Probably not a good idea.

What it also does is reinforce genuine and growing concern that information professionals and management simply do not have any grip on protecting the privacy of information. They may (and the Press may say they may not) have some grasp about access controls. But there seems to be no clue about how to stop the leaking and spreading of information that has been entrusted to them to manage.

And the biggest collectors and processors of really high value and fairly accurate personal data are - governments, whether national or local.

So the nightmare scenario is that governments give themselves the right to collect more and more personal information about people (not just their citizens), and consolidate it under the guise of (pick one or more for your own country as required) identity control, taxation, prevention of terrorism, then they are at the same time creating the opportunity for even bigger targets for hackers, and ever bigger losses of personal data.

But whilst there seems to be no effective way, if news stories are correct, of persuading government officials and the companies working for them to raise standards and take personal responsibility for losses, then you can forget having personal data.

Customers demand DRM controls – it’s true

Steve Mathews — Tue, 19 Aug 2008 21:11:00 GMT

Now even consultants would normally be hard pressed to find an argument that customers want DRM controls protecting information.

If you believe the modern anti-DRM blog sites, DRM is akin to the works of the (please pick a suitable negative deity suited to your particular persuasion). Imposing controls on honest citizens is an affront to their dignity (let’s just not worry about speed traps because we don’t believe you can be trusted to obey the law).

But, and this is serious, there are sectors of the community that want the protection of DRM controls.

One important group is the individuals or organizations that are buying training courses so that they can train themselves or their people so they can carry out licensed services and demonstrate that they have proven capabilities and expertise. They are investing serious money in the enhancement and development of their staff and their businesses. The last thing they want to see is competitors being able to undercut them because they haven’t paid the proper fees. That is unfair competition from the unethical and unscrupulous. Why should the honest and law abiding suffer at the hands of the dishonest? Or is that the purpose of hacking?

Another group who demand DRM controls are those receiving confidential information. Because when confidential information leaks out, the finger pointing starts, and absent DRM controls that can act to identify the actual source of a leak, then the selection of a scapegoat can commence. So the presence of DRM controls helps protect the recipients of information, because it can help prove they were not the source of any leak or compromize. And when it comes to keeping your reputation as well as your job, DRM can prove invaluable.

And a third group who want DRM controls are those who need to receive information but the owner of the information wants some actual certainty the information will be looked after properly. In this group are the people who have to send out personal data that has to be human accessible. This is the fastest growing group, because US regulation is now getting much more stern about encrypting personal data in computers. It is now specifying that there has to be some management and control, and is going for tougher penalties to incentivise compliance. Naturally, people sending out DRM controlled information are better placed to easily prove they did a good job.

So before you show me another web site about how bad DRM is and how it is that nothing should be DRM protected, just think for a moment about the fact that it is essential in some industries, and, that without it, your personal data can still be handed around without anyone being able to stop it.

When in doubt – shoot the messenger!

Steve Mathews — Wed, 06 Aug 2008 21:59:00 GMT

Sophocles, in his work Antigone, said, "No one loves the messenger who brings bad news."

This week provided more than it’s share of light entertainment with blogs of disinformation. Top of the list goes to the people who figure that Lizard Safeguard ought to work on every operating system known to man (or is that persons?). It says clearly on the box, works with PC and Mac – and nothing else. It’s rather like buying a book that’s published in English and then complaining because it isn’t in Danish (and likely never will be). It doesn’t run on an IBM mainframe either, btw.

And second error prize has to go to those who say it doesn’t work on the Mac. It does.

As a general rule, two out of three is pretty bad, but what about number 3?

“The system is unusable because it insists on always connecting to the Internet before you can use anything.”

It is true that you have to connect to the Internet the first time you open a document – it has to check that you are the bona fide purchaser, and it has to get the information needed to decrypt the document. After that, it totally depends on what the owner of the document has chosen to enforce. And nothing to do with LockLizard, because they can only enforce what the publisher defines as the rules. You don’t go round blaming Microsoft because your system administrator decided the frequency you update your logon password – so why blame LockLizard about the way the system administrator has configured their controls?

But, of course, the modern attitude is to use any possible reason to try and prevent people from implementing DRM controls, even though all the available evidence proves rampant piracy and theft of digitized information. So use every possible opportunity, no matter how ridiculous, to claim rights that don’t exist.

And don’t forget to blame the messenger! The DRM provider creates a toolkit that the publisher implements in whatever way they see fit. But of course the DRM provider is the evil guy because they are stupid enough to implement what the publisher said. It’s Hobson’s choice - damned if you do and damned if you don’t. If you are the DRM provider and you don’t enforce what your customer, the publisher, says, then they will soon be after you, and probably with good cause. But it seems that if you implement what the publishers want, then the people getting the information want to blame you for doing a good job!

Of course the attitudes are so different if what is being published is personal data – oh you should have taken the strongest possible means to protect it – what do you mean you didn’t check who was accessing the data. And so on. Just because it’s not your personal data, it doesn’t mean you have the right to do what you like with it – or does it?

Web 2.0 - What’s wrong with using what you know?

Steve Mathews — Wed, 06 Aug 2008 11:29:00 GMT

It has been interesting reading the blogs, analysts and industrial pundits who have decided that Web 2.0 is the best thing since ….. well, maybe Web 1.x? and that every being on the planet should endorse its concepts – sharing information, whether personal or corporate in places whether public or private.

Team playing, that’s the thing. As long as we all work together the results will be bigger, better, quicker, cheaper, more FUN.

To try and avoid the risk of being a party pooper I put out a few inquiries (name the usual search engines) about Web 2.0 security. After all, before I go revealing whatever it is that I decide I’m going to reveal, I’d rather like a few ideas about who might get their sticky little hands on whatever I am posting. Well, Google muscled in with (around?) 160,000,000 entries, Yahoo hoisted 316,000,000 and MSN claimed 72,800,000. I admit it. I didn’t read them all, I just didn’t have the time.

But the summaries on the first few pages, regardless of who I consulted, was just the same. No security, and no plan for security.

Now this is kind of worrying.

We are all supposed to bring in whatever we want and then share it (knowingly or otherwise) with a group of people we may (or may actually not) know, and that’s good.

Somehow I figure there’s going to be a ton of material that my CEO (wife, partner, children, friends and acquaintances – the list goes on) does not want me to give to other people. Yes, I know a couple of those photos after the hot tub might be a bit insensitive, but, hell, it happened didn’t it? And maybe I shouldn’t have published that extract about how we always get the best procurement price – but it is what we do, isn’t it?

You see, that’s the problem. We all coexist with and in many groups, all at the same time. But those groups are not connected by common views, objectives, rules or members. And it’s not clear if the members of each group even share common ideals. All Americans support America, of course. Except those who crash jets, or oppose foreign wars, or ….

So even when you think you know who the players are you don’t know what they will do with the information you give them, or what information you may have given them access to without your even knowing.

The problem is that Web 2.0 does not have DRM controls that help you decide the limits that can be put on the use of your information. It’s certainly the information super highway – but it’s all about sharing and none of it’s about control. Caveat orator – let the speaker beware – should be our watchword.

But no doubt, like the IT fashions and fancies that have gone before, it will require a lot of fingers to be burned before any security, let alone DRM gets added. So in the meantime, if you don’t want your information being shared about, get some DRM protecting what you have got, whilst you still have it.

Does the death of music DRM mean the death of DRM itself?

Steve Mathews — Thu, 31 Jul 2008 19:00:00 GMT

I am sure you will have read the article in efflux.com http://www.efluxmedia.com/news_Yahoo_Music_Dead_Another_Reason_To_Never_Buy_DRM_Protected_Tracks_21005.html warning of the death of the Microsoft music DRM by August 31, and Google by September 30 (2008).

Their conclusion? “Digital rights management technologies are a failure commercially and technically. There are too many standards which are not interoperable, they restrict the customer's freedom to high degrees and they are an everyday nuisance to work with.”

Well wash my mouth out with soap (no I don’t mean SOAP which is another load of XML).

Let’s look at that rather broad conclusion.

There are too many standards? Excuse me? I looked up DRM standards in ISO (International Standards Organization, the people who figure out what is the standard for electric cable so you don’t blow your hands off touching the stuff, the rails that trains run on so that they stay running on them, and serious computer standards – you know, stuff that matters), and drew a blank. Now if someone had said manufacturer’s standards, I could buy into the argument.

An everyday nuisance to work with? Well, you might get paid to listen to music tracks. Or maybe they just mean you can’t readily copy tracks and give them away? (I bet you can buy a license to do that, but its costly.)

But what most people have yet to understand is that the DRM industry is seriously new, and that there is precisely no desire by major players (tape, CD, DVD, PDF and so on) to provide interoperable standards, when we haven’t even agreed what standards are being looked for, and why, or how they should be implemented.

The current market is in what the economists call the ‘prime mover’ phase. Literally, that means that the first into the market can do what they like, set any standards they feel like, and charge any price that suits them! The market has been there since the late 1990s. Not quite recently? And mainly because it has not suited any major player to see International Standards emerge, it has not changed.

Actually, rather than worry about the latest squabble about whose industrial standard should be dominant, we should be worrying about what sorts of DRM standards are going to emerge, and how to be able to influence them. They are rather like taxation – you can never stop a government from taxing you. That’s how they stay alive, by taking your money (and if the statistics are correct they get more money out of individuals than they get out of corporations, which ought to be rather worrying).

Despite what the pundits say, DRM is not going to go away. The people who create and sell intellectual property (IPR) have to make their livings from doing that. They are not going to give away their livelihoods any more than you or the pirates are going to. The people you really need to fear are those who do not need a day job to pay their way, or where the day job is so badly supervised that they can afford to waste their employer’s time whilst they pursue illegal interests.

And just as the Internet has moved from being a free information source (1995-2002) it is now increasingly a paid information source and what was previously free is no longer available unless you pay for it. If you examine information sources now they consist of sources that have been paid for as a matter of public interest (the Gutenberg series that have made much of the Classical repertoire (Shakespeare, Plato and many other Classical greats such as Chaucer) accessible to any and all. We applaud these measures. Even if modern schooling fails to inculcate any appreciation for works other than Homer Simpson, we agree that works out of copyright should be available to all – but MUST be assured as being the actual words, and not some Bowdlerism (Thomas Bowdler (July 11, 1754 – February 24, 1825) was an English physician who published an expurgated edition of William Shakespeare's work that he considered to be more appropriate for women and children than the original, and, according to some sources, actually made it more accessible!).

Apparently political correctness is not a new disease?

Seekers after truth deserve some measured verity. But you can’t deliver that without DRM. Because DRM is, as the Germans say, “A sword with no handles.” It does not merely control what a recipient can do with the information they receive, it verifies that the information they have gained possession of is truly coming from the claimed source – the publisher.

There is nothing negative in this for the publisher. Actually, for the publisher it is a comfort. Because otherwise how else can a publisher ‘prove’ what it is they actually published, given the modern world where information theft and the misuse of information are commonplace? The fact of DRM tools provides an abiding proof that they truly are the source of specific information, and that can help publishers obtain prosecution of unreasonable and irresponsible pirates on the one hand, and avoid prosecution for things they never did publish, on the other.

So think carefully before trying to consign DRM to the dustbin of history. It may be following closely behind such must have’s as death and taxes.

Does organized piracy contribute to better markets?

Steve Mathews — Mon, 28 Jul 2008 23:09:00 GMT

I read, from the July pages of www.StarNewsOnline.com that “The Pirate Bay, which is based in Sweden, presents a devilishly fearless challenge to American textbook publishers. It describes itself as an “anticopyright organization” and offers music, movies, television shows and software, as well as e-books like textbooks — not a single item of which, it boasts, has ever been removed at the request of a copyright owner.” Hmm. Sounds like Pirates?

But how many economic analyses have you read that actually examined the effects of piracy on product markets? Probably very few.

Big hitters like the music, TV and film people complain about losses in their industries. Designer label clothes and perfume producers complain. Software manufacturers also complain.

But if you make a careful analysis, piracy always occurs when there are serious market pricing inequalities that are not addressed by regulation. Or to try to be a bit clearer, when you can buy a product in one country for x, and in another country for a half of x, there is a serious price inequality. If no action is taken to correct a price inequality, this creates the vacuum that pirates, being, at heart, just as serious capitalists as any industrialist, will naturally seek to fill.

This is not some vague modern theory. Rather it is a statement that has stood the test of time. When in the UK in the 1800s, it was decided by government to raise the tax on alcohol and tobacco to be significantly above that of France, somewhere only 14 miles away, pirates were handed a market second only to the government forcing you buy your postal service from them (and they did do that).

There are many more recent examples. Designer jeans manufacturers and perfume manufacturers won global legal battles that enabled them to enforce per country pricing for their products, and to be able to prevent countries purchasing at lower prices from reselling to other, higher priced countries.

The same has been true in the information world.

I cannot understand how it is that the same information can possibly have a different value in a different country. I agree, that, if translation into a different language from the source is necessary, then that might introduce a cost that has to be paid for, but I also assume that the seller will have thought about the effects of price on market before launching their wares, and will have worried about what price to set in order to make a viable return (please see economists for the math behind price/market/demand models, I don’t have the desire to write a book on it). To give you a practical example, the other day I paid over $350 for a book that it was essential I could read right now, was out of print, and only one supplier could deliver a copy next day.

The bottom line, as they say, is that any DRM controls built by man can be removed by man. It all depends on cost/effort/desire. Risk analysis. DRM controls over things that can be seen or heard can be ‘removed’ using a camera and a microphone. That cannot be prevented. There will be loss of quality, and, if your product has high embedded functionality (ability to search on information, links to other objects, embedded information) there may be critical loss of functionality that renders a copy of little or no value in the market place. You may also be using features such as dynamic watermarking, that significantly reduce the desire of legitimate users to allow pirates access to their materials because they may be personally identified as the source of piracy. Hopefully, in your DRM system, you are using features such as encryption, that can prevent trivial ways of accessing and copying your work(s).

But do please always remember that to a greater or lesser extent, if the cost and effort are low enough, and the desire is high enough, then copies of the basic information can be made. What can be stopped is stealing embedded functionality that the DRM controls also protect.

The greatest effector you can face is desire. If your market is students and your strategy is to charge premium price then you can expect a high ‘desire’ to break your controls. If you choose a lower price because you can sell year on year the same product, then you lower desire.

We sell our products at exactly the same price globally. There are no exceptions. There are no premiums. There are no discounts. At one level it’s a rough deal because poor economies have to pay ‘relatively’ more. But there is a level playing field. There is no market price fixing. We do not demand a different price in Chile from Canada, or in the United States from the United Kingdom. And maybe that’s part of the equation? Part of the equation of persuading people it’s not worth the bother of pirating information is to set prices that are both globally consistent and do not overly increase the desire to find a way to bypass them.

That’s not part of the choice of a DRM product supplier, although you might prefer to choose one that is realistic about what can be achieved and clear about being a DRM provider and nothing else.

Getting too casual with information

Steve Mathews — Tue, 15 Jul 2008 14:05:00 GMT

As can be the case, we have been rather overtaken by recent events – in my case an office move – actually only about a mile as the (insert the feathered creature of your preference) flies.

Fortunately our office move really did happen over a weekend. And whilst it had precisely zero impact on our customers – everything carried on running seamlessly – that was not entirely the case for us staff.

Take me (please), for instance. For reasons that are so obvious I am not going to explain them, my shaver cord happened to be on my desk when the removers came. That is the last time I, or anyone else saw it. So the emerging beard can be explained by the fact that I am too tight to buy a new Braun top of the range machine without a fight!

And what has that got to do with information security?

Well, during last week the UK government published a whole series of reports (on the same day, so you know they had saved up all the bad news for a moment when they hoped nobody was watching) on how major government departments like the Inland Revenue (HMRC in the UK and IRS in the US) and the Ministry of Defense had managed to lose millions of people’s personal data and that none of it was protected in any way, shape or form.

The major thrust of the reports was that management did not consider that the personal data they held in trust was their responsibility to protect and therefore they did not see any need to spend any money at all on protecting it.

A second, and perhaps even more dangerous revelation was that government collected information that it subsequently used for purposes that were not consistent with what it had been collected it for.

It is, of course, now normal that neither government ministers nor civil service officials will be exposed as charlatans or hypocrites, and that nobody will have their careers ended because they clearly failed to live up to the standards (moral, ethical, documented or expected) that they pretended were in force. Governments and their officials should not pretend surprise when the electorate ignore them – if nobody is accountable then who cares who gets elected?

Well, with guidance like that from on high, what hope is there for the rest of us?

Usually we look to governments and big industry to show the way in both corporate and civil behaviour. After all, they make the law, and they enforce that law.

But right now their governance is, to put it mildly, severely lacking. If, to quote a very famous film, “Frankly, my dear, I don’t give a damn,” then why should we believe them when they talk about Copyright and similar protections? It looks like a load of irrelevance, and anyone wanting information protection will have to go with what they can get. There’s no point in waiting for the prognostications of the governments, or the divinations of standards bodies (international or industry led) because it is totally clear that the leaders are not interested.

And that brings me back to the power cord. Nobody at the removers is interested in my problem. So I am going to have to sort it out for myself – and the beard itches!

The case for Digital Rights Management

Steve Mathews — Tue, 01 Apr 2008 16:31:00 GMT

There are many good and valid reasons why people wish to be able to publish and transmit information electronically. The rise of social web sites testifies to the willingness of people to make information available to selected individuals or groups.

However, a willingness to share should not be interpreted as a wholesale license to all and sundry to freely make copies of electronic information and re-distribute it without even acknowledging the original ownership, or paying a Copyright fee.

Much has been made, in the technology world, of the concepts of Open Source, CopyLeft, Limited Rights and so on, as arguments for the desirability of making all electronically held information freely available to all comers. In the music receiving industry (as against the music publishing industry) there has been considerable pressure to make copying and redistribution a ‘right,’ merely because it is difficult to prevent.

Such arguments are intellectually barren. They are like saying that because you own a gun you have a ‘right’ to shoot anything you like because it is difficult to stop you, or that because you can buy a car you can drive it anywhere you like and in any manner that you wish.

Because people suffer physical harm as a result of such poor behaviours we pass laws to take action if behaviour is unacceptable. Since Copyright is an economic right, we also have laws to protect Copyright owners from economic harm where behaviour is unacceptable.

So we must reject the claim that merely because you can do something then you automatically have the right to do it. (This was never true in Roman Law countries anyway.)

Empirical evidence suggests that computer users cannot be trusted to use information provided electronically only and solely for lawful purposes. Regrettably, it is essential to instil enlightened self-interest into the users of electronically provided information. This is essential, simply because, “Computers are all about copying.” (Prof. JAL Sterling and S Mathews in a paper on protocols and interfaces). Not only do computers facilitate copying, but they ensure that such copies are always perfect in every detail.

This creates significant problems whose Intellectual Property(IP) (whether being offered for sale or being made available for some purpose as the result of a commercial agreement or a ruling of a competent Court, or some other reason) is being distributed electronically. Agreements for the control of the use of IP are normally very precise, and set out to prevent unauthorized use. Given the propensity of users to do things because they can, it is essential to provide a system of controls (Digital Rights Management or DRM) that actively ensure that the permitted uses must be observed, and cannot be trivially ignored.

Similarly, those wishing to make their livings from selling their intellectual capacity (creating works by thinking) as opposed to their physical capacity (making objects) must have the ability to enforce their economic right. To suggest that all the world (tout le monde) cannot make their livings from publishing and selling on the Internet would be a travesty of the so-called knowledge-based economies. Whilst some may seek to demonstrate their intellectual capacities by ‘giving away’ the fruits of their labours as marketing in the hope of selling something else, not everyone has the luxury of such an indulgence. One cannot see authors such as JK Rowling agreeing, http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/books/article3621625.ece seems to be an indication of her view about copying!

Academics (who, incidentally are paid to write, and often write as a matter of advertising, as do I) may claim that all intellectual capacity should be available for their study, comment, parody and so on. I wonder how many electronic copies of Deathly Hallows were provided free gratis to the academic community for that purpose? And without any limitation as to copying and being able to pass on?

The fact of the matter is that there are cogent economic and political reasons why DRM technologies are required to protect documents in electronic form, and it is wrong to suggest that that there should be no mechanisms enforcing the control of authorized use made available and put in place. Let those who wish to give away their work do so if they will, but allow those who sell their work to obtain fair and relevant recompense for their labours.

National ID law without debate – achieving the unacceptable by the unscrupulous?

Steve Mathews — Wed, 06 Feb 2008 23:48:00 GMT

Those familiar with reading our columns know that we are not normally exercised by minor debates. But we are amazed by the report (which we rely upon as being true) by ZDNet at http://news.zdnet.com/2100-9588_22-6228910.html?tag=nl.e550 (correct at the time of publication) that the United States has mandated Federal identity controls on the back of a Bill ostensibly to do with "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005."

Well, OK, we do have the text in there about the ‘Global War on Terror’ so I guess that this might be a fine argument.

But come on – get real – if you read the text it’s all about making the driver’s license the authorized Federally approved identity document!

Now I realize that in the USA if you do not have a driver’s license then you are probably some kind of low life that does not exist, so therefore you are of no significance, and obviously not a terrorist, and therefore we do not need to worry about you. After all, a terrorist could not possibly drive a car without a license just to deliver a bomb, could they?

Hey, but that’s only a social analysis that says that the downtrodden underclasses are not likely to be terrorists, so we don’t need to worry about them.

Let’s try thinking out of the box for a moment. Why would you want this legislation when the people you are trying to catch are running outside of the system in the first place? After all, history teaches us that criminals are generally outside the system because being inside the system is a highly negative advantage!

Think for a moment about the costs that are going to be involved in granting the Secretary of Homeland Security this (wild?) desire to collect, at the expense of the States, and therefore at the direct expense of the Citizen, without there being any demonstrable benefit from this to that citizen (unless you count the collection of information about law-abiding people, because no self-respecting terrorist of any kind would be caught by such a an obvious trap) provable personal identifiers to standards that have not been promulgated and security controls that have not yet been identified.

Yes, this bill will be the mother of all pork barrels to industries who strut their stuff about all manner of personal identification methods (despite the simple fact that there are no recognized international standards in this field, so anyone can claim anything they like – snake oil?) and the bill completely fails to say anything of any substance about standards, compliance, certification, accreditation and so on.

So we screw the US car driver for shedloads of money – is that a problem?

Well, if the punter is willing to pay, then I guess not. After all, that’s what a capitalist economy is all about. Capitalism is about what industry can screw out of consumers and governments can screw out of both (not maybe what Carl Marx actually wrote, but close enough).

So this may actually come down to cost. If the cost of implementing legislation that has not had public debate, is of questionable public benefit, has a cost that may not be appropriate to the actual benefit achieved (Since 9/11 precisely what has happened? Well at the current rate of experience, nothing.) then why are we bothering? Surely governments are being held to account for spending taxpayer money wisely and effectively.

But, of course, if this is really a bill to hand the Secretary a future blank check for getting funding, even if that office has so far failed to do anything tangible for the protection of the public, then it is completely understandable.

But then, you have to accept that by insisting on the registration of the law abiding (at an unknown, but certainly high cost to them personally) you can catch terrorists, who are, by definition, not law-abiding, and therefore outside of the system, then this is something you should go for. But please suspend the use of logic, finance, governance or anything similar.

On the other hand, if you feel like funding another Star Wars program personally, then step in line and vote.

DRM is dead – Long live DRM!

Steve Mathews — Tue, 15 Jan 2008 00:42:00 GMT

If you believed everything you heard from the music and film industries, you could get very confused very easily. And you could all be fooled into thinking that they are the only industries that exist when it comes to needing DRM (it’s a bit like saying that governments are the only organizations that need privacy!). So Amazon and Sony now say DRM is dead? Or is this nothing more than the usual marketing hype after a disaster?

Actually, music and film have had long, chequered and cyclical love/hate relationship with DRM, mainly because they were the first people to get seriously exposed to piracy, and to feel pain where it truly hurts – in the bank account. They got there in the 1960’s, long before the PC, or the iPod were more than the work of science fiction writers like Arthur C Clarke. The fact that it would take almost 50 years before book publishers and organizations woke up and smelt the coffee is just history.

Their first outing was the cassette tape. Up to then, copying a record was practically impossible, and although reel-to-reel recorders were around they were too expensive and difficult to use for normal mortals. But anyone could use a cassette, and everyone did. They tried suing people who sold cassette decks that would copy from one to another, but they failed, and thus started the hunt for the Holy Grail of the industry – a way of stopping people from copying music (and later film) so that they could charge premium rates for their wares.

Alas, it was not to be. They lost the cassette wars, and later the VHS wars. They won the DAT war (Digital Audio Tape) – remember it? maybe not, when the hardware manufacturers lost a fortune because no consumer would buy into it because the copying controls were so aggressive you couldn’t necessarily copy your own personal recordings. CD controls proved to be a lost cause, and DVD region pricing was outflanked by hardware manufacturers who were determined not to lose out on their own market opportunity this time around. I remember a big meeting in LA when the music industry said they were going to implement secure MP3! Laugh like a drain? Well, I must confess I was close to being thrown out of the meeting. Lately it seems that Sony decided on a rootkit approach to preventing copying that also opened up a serious hacking opportunity.

So maybe you should see the current position to be nothing more than posturing by an industry that wants to be the content deliverer to the mass consumer market, and has only one objective in mind – its own profitability.

That’s not to say that there’s anything bad about profit. All of us are in business (in a particular sense), and if we don’t show a profit, one way or another, then things are very bad indeed (see Charles Dickens on Wilkins Micawber).

And what most people (and organizations, for that matter) trade on is their intellectual property. In the ‘knowledge economy’ that is what we are selling. So we have to safeguard that IP or anyone and everyone (I used to say the World and His Wife, but apparently that is no longer Politically Correct, and saying it would render me liable to being excommunicated by the deity or politician of your choice) can rip (RIP – Requiescat In Pace or ‘you will rest in peace’) you off and make your personal trade value slightly lower than that of a Eunuch’s scrotum. (Apparently that is still Politically Correct!)

What one has to think about very carefully, is what value DRM controls provide to you (either as an individual or as a business) in order to say if they matter, and when it is that they matter.

The music/film industries are under the cosh because you can either copy their stuff, or you can’t. If you can buy a legal version, and then copy it by recording the sound or filming the picture on a seriously high quality screen then you are in business. And they are not.

But that is a problem for those industries. You can buy cracked codes for satellite TV systems with little or no effort or risk. Try eBay – if it’s too cheap can it be real?

But, for the document handling industries, things are only just beginning to warm up. Computing is all about copying. When you read this you are looking at a copy of what I wrote, in fact I am doing that when I watch the characters come up on screen in front of me. And that’s the major hazard for the PC and the Internet. Everything has been set up to promote copying. And the software does not give a ‘tuppeny damn’ whether the information is to be public, be controlled, or kept totally secret. Which is bad news if you are in the business of selling, or simply providing, information (your knowledge, expertise, capability, private advice to clients, tax return computations, price lists, sales manuals, repair manuals ….. the list seems endless).

So enter DRM. DRM is the only approach available that lets you specify not only who can see your proprietary information, but what use they can make of it. The film and music industries were interested in preventing copying, but you will likely need to be able to stop people using information after a particular date, or make sure they can only see it for a couple of times, or print it once, or any number of other things. Encryption does none of these things, it just prevents the un-anointed from being able to access information, not limit how and when they might use it.

So whilst the music and film businesses figure they need to flex their market in order to maximize their own profits, they are operating in a different environment. Commerce, industry, publishers, authors and ordinary mortals need DRM technology to protect their personal and commercial interests. They have nothing else. They are exposed to commercial or personal ruin by the uninhibited ability of the PC and the Internet to copy and re-distribute their information without any control at all.

So whilst the record industries declare DRM is dead, we say, “Long live DRM.”

A brand new Whitehall farce?

Steve Mathews — Mon, 03 Dec 2007 22:26:00 GMT

Without question, the doyen of the Whitehall farce from 1944 to 1969 was Baron Bryan Rix (made a life peer for his tireless work for the mentally handicapped). But he had the wisdom to appear at the Whitehall theatre, and deliberately set out to entertain and delight his customers.

The twists and turns of another Whitehall farce, in this case starring Her Majesty’s Revenue and Customs (HMRC) and the National Audit Office(NAO), in what is about to become the long running Child Benefit Data Farce, can now be seen onstage at the BBC (and any number of other entertainment purveyors).

Sadly, these jokers appear to lack all the skills of the Baron Rix. They do not entertain and delight their audience either. It did not appear to concern them that there are laws (the Data Protection Directive 95/46/EC, and the Data Protection Act 1998) that have to be considered before processing data.

If we are to believe http://news.bbc.co.uk/1/hi/uk_politics/7108532.stm then the only concerns shown by all concerned were to save a few pounds (30 to buy some decent encryption software) and to skimp on proper delivery controls (it seems that HMRC don’t know what courier they used, or even if the courier ever got the missing CDs) – and, just for fun, it seems that at least 6 CDs have vanished and not just the two they first mentioned.

Ah, now it sounds much more like the traditional farce. In the Rix farces, every time one of the main characters walks onstage some new disaster that was hidden from us is now revealed. And any additional characters are unwillingly dragged into a doom not of their own making. It seems that the NAO thought it was OK to regularly send all the data to their own auditors because NAO didn’t have the computer power needed to do their own audit work (?) and that was OK because the auditors were a ‘long standing strategic partner.’ To be scrupulous, the NAO did ask HMRC to remove unnecessary data, but HMRC refused, and so it’s all ‘their’ fault that the disks had unnecessary data.

The HMRC web site makes the following statement about their exemptions from the Data Protection Act: “
• Section 29 ‘crime and taxation’
• Section 35 ‘disclosures required by law or in connection with legal proceedings’.
The application of exemptions is quite complex and if you require further information or assistance you should seek further guidance.”

Well, now that’s quite clear, since we are entitled, as a matter of fact, to understand that what is listed publicly are truly the most important exemptions, and that all others are minor and trivial because if they were not then they should have been made just as clear. This is the same argument as is used in contract law, that if something is so important that you have to rely upon it in a Court of Law, then you must have made it utterly clear in the agreement, not hidden it away deep in some small print.

But back to the plot.

So the NAO figure they are not responsible for their own actions of distributing disks that contained data that were not necessary for a specified business purpose, because it was not their data. It was the HMRC data. They gave us data we didn’t ask for so there was nothing wrong in us giving it to other people. Maybe there is going to be a glorious moment when Basil Fawlty walks on stage and tells us, “We were only obeying orders.” Or maybe that’s in Act 2. Thank goodness I booked triple drinks for the interval.

Now OK, maybe you think I am being a bit harsh. But if you ever ask government for information about anything, the very first question is, “Who needs to know?” That is the bedrock of handling classified information. So why is it that UK government departments seem to have such a casual indifference when handling the personal (and, given what we know about threats such as identity theft) sensitive data of some 25 million people (not quite half the country in round terms). Well, in the true sense of farce, if there were not some things that are completely impossible to explain, or completely defy any form of logic, then farce would not work.

I guess if you didn’t have a classical education you might miss the subtle difference between farce and tragedy. Ask any Greek. The difference is the number of dead at the end of the play. But if governments run true to form there will be no shortage of sacrificial goats.

The really sad part of the whole play (remember, Shakespeare said, “All the world’s a stage, And all the men and women merely Players.”) is that the people actually at risk are, on the one hand, the people claiming child benefit, and on the other hand the taxpayer (because they are the real lender of last resort to any and every government). When the Northern Rock hit a hard place the British taxpayer picked up the bill. So much for the moral risk.

Now maybe (or most likely) the people inside governments are too overcome with their own self-importance to notice that they are also taxpayers, or maybe they have inflation proof pensions, so they really don’t care about the implications of what they do, because they, uniquely, are where no amount of incompetence can harm them. In any event, you should be saying that only those who can be personally harmed by their decisions should be allowed to make decisions.

So maybe that’s what the farce is. That really big organizations behave as if they are either outside or above the law, and have deep enough pockets that all they have to fear is press exposure, because nothing else can really harm them. And the tragedy is that public confidence continues to fall as electors see that governments serve themselves and not their electorates. Perhaps the Greeks were right after all?