"Tactics and ethics of a hacker"? Or "fully legal, independently developed paths to achieve compatibility, choice and quality"? If you happen to be the producer of the popular iPod, you'll probably call RealNetworks' attempt to achieve interoperability the former. If you happen to be RealNetworks, producer of the not-so-popular RealMedia player, you'll probably call your attempt the latter.

What gave rise to both statements was RealNetworks' decision to offer its Harmony Technology, which, according to the press release, is "the world's first DRM translation system to enable consumers to securely transfer purchased music to every popular secure music device" (RealNetworks 2004). Unlike before, music bought at Real's online music store can be encoded in Apple's proprietary music format and listened to with Apple's iPod. And unlike before, the integrity of Apple's music distribution system is threatened and an important reason for buying music from Apple's music store has vanished. And that's why Apple announced that it will investigate the legal implications of Real's decision to sell songs in Apple's format.

Regardless of the legality of Real's decision, its attempt to offer interoperable file formats for music distribution offers a new example of an old problem: how to solve the tension between interoperability and information security.

The problem
To answer this question, and elaborate on why exactly there is a tension between the two, some background on digital music distribution systems (also called DRM systems) is helpful. DRM systems consist of several parts: an encoder and a decoder, sometimes combined with a server and a receiver. These components could be offered by several producers, but in reality they often form an integrated system, offered by one and the same producer.

One important reason for this is that an integrated DRM system offers content providers a complete channel for the distribution of secure content. Content providers value secure channels. As will be discussed in more detail below, there are reasons to assume that integrated distribution channels are more secure. And consumers want high quality, functional music players. If sufficient competition between integrated DRM systems exists (and if one believes in the benefits of the free market), DRM systems will compete for the user, offering better functionality, and higher quality.

However, DRM systems tend toward dominance, because network effects prevent alternative DRM systems from entering the marketplace. If alternative DRM systems are not able to license enough content, they will not attract sufficient users. And if they are not able to attract sufficient users, they will not be able to license sufficient content. Users will not easily switch to alternative formats if they have a music collection in one format. Given high switching costs and high barriers to entry, in the absence of competition, consumer choice will lessen, and the functionality and quality of music players will decline. The question then becomes how to safeguard consumer interests in the face of dominant DRM providers while providing incentives for innovation.

One solution might be to allow third-party producers of individual components of the dominant DRM system to enter the market. This, however, creates a threat to the security offered by the DRM system. DRM systems contain complex technologies designed to offer secure content distribution. Third-party DRM parts might unintentionally or intentionally break this security. For example, third-party decoders could intentionally ignore metadata (the rules describing how the content may be used), and save content on the computer's hard disk, contrary to the wishes of the content provider. Or third-party DRM parts might unintentionally contain design flaws which open the system up to attacks from malevolent users aimed at freeing the content from the distribution channel. In the long term, a battle between code makers and code breakers might lead to more secure systems. In the short term, it definitely will not. This is exactly why interoperability and information security are at odds.

Another solution might be to strictly regulate dominant DRM products. Regulations could for example oblige DRM systems to contain a fast-forward capability, or a skip-the-commercial button. This solution, however, would involve far-reaching governmental intervention, and will therefore not easily be accepted by the marketplace. In addition, the question remains whether strict regulation could sufficiently take into account consumer interests. Consumer demands are pluriform and complex, and the marketplace probably will be better able to address these demands than the government, even in the absence of competition.

The third solution might be to prohibit third-party DRM parts from being offered on the market. Laws in Europe and the United States currently take this approach. Articles 6 and 7 of the Copyright Directive, and Article 1201 of the Digital Millennium Copyright Act, prohibit the circumvention of technological measures to protect content. Third-party DRM parts circumvent these measures, and are therefore currently prohibited, even though they might have perfectly non-infringing uses.

However, this solution does not necessarily offer the highest security for content distribution. A dominant DRM provider has only limited incentives to design its system in a secure manner if no realistic competition exists. But content providers might only switch to alternative DRM systems if they have sufficient reach. And if users are locked into one DRM system, alternative systems will not acquire sufficient reach.

The better option
The better option is to have dominant DRM system providers compulsorily license their technology to others. This should be done on reasonable and non-discriminatory terms, as has been envisioned in the context of digital pay-TV in the European Access Directive. This would safeguard the security of the distribution channel, while still offering consumers enough choice in price and quality.

There definitely are reasons for not doing this. Some might argue that software producers, faced with the threat of compulsory licensing, will be hesitant to produce innovative secure systems. This is an empirical question, and I do not have an answer to that.

However, assuming that this solution will not forestall the emergence of innovative security technologies, it poses different questions as well. The most pressing question is on what parameters licensees should be allowed to compete. For one, licensees should not be allowed to compete on the core functionality of the distribution channel: the security itself. This solution is adopted in the Access Directive where it states that a potential licensee should comply with "relevant and reasonable conditions ensuring, as far as he is concerned, the security of transactions of conditional access system operators". Alternative DRM systems should respect metadata and not create leaks in the content. But competition on any other parameter should be allowed. But even still: there is a thin line between "information leaks" and functionality. Content providers consider a skip-the-commercial button in a DVD player an information leak. Users consider it a function. Content providers consider the possibility to copy content to an MP3 player an information leak. Users consider it a function.

These are difficult distinctions, but if anyone should have to decide on what leaks can be considered a function, it should be content providers, not technology producers. If producers of third-party DRM parts offer a secure system, they should be given a license. Only if content providers fail to respect consumers' wishes is it time to think about the difference between information leaks and functionality.

Bottom line
All in all, my suggestion is that information security and interoperability are in tension, but can co-exist. If the "tactics and ethics of a hacker" are being used to create "fully legal, independently developed paths to achieve compatibility, choice and quality" – I'm all for it.


About the author: Ot van Daalen is an attorney, specialised in ICT and anti-trust law, at De Brauw Blackstone Westbroek, The Hague.

Status: first published in INDICARE Monitor Vol. 1, No 3, 27 August 2004; licensed under Creative Commons