Terminally Incoherent

I was always a little bit on the fence on the issue of piracy. I do not want to openly endorse it here on a public blog. I agree that conceptually it is a wrong thing to do, and that theoretically it does impact the content creators. However for me to openly condemn it would be just hypocritical. I just accept it as a fact of life, and approach it pragmatically. It is a bit like littering. Is it ok, to toss a candy wrapper or a cigarette but out of the window of your car while driving on an empty road cutting through the forest? Nope, it’s not ok. Most people will agree that it is bad for the environment, inconsiderate and anyone who does it is an ass. But, then everyone has probably done it at least once in their life. Most people don’t even think about it - they just toss something out the window and drive away. I noticed that most people have almost identical attitude about piracy.

Let me give you couple of examples. The other day I was at work and overheard the following conversation:

This was conversation between grown, educated women in their late 20’s and 30’s with white collar jobs and plenty of disposable income they could spend on music. They barely know how to turn on a computer in the morning, but they are into file sharing anyway. They are aware that the practice was illegal, but they are willing to take that risk - just like they take the risk speeding on a highway, or running the stop sign on their way to work.

I once asked my students to raise their hand if they ever illegally downloaded a movie, song or a piece of software from the internet. Almost everyone raised their hands. One girl sitting in the middle looked around, and exclaimed “Where do you people download this stuff?”. Needless to say, that day she went home with bunch of “useful” links carefully written in her notebook. Most people don’t really care, unless they get caught.

And even if they get slapped on the wrist, they don’t really stop pirating. I once had the following conversation with a coworker:

Yep, don’t use torrent - use Usenet instead. File sharing is perfectly ok, as long as you don’t get caught! Can you see pattern emerging here? Anyone trying to combat piracy by appealing to morality, ethics and etc is facing an uphill battle. While it might be wrong, it is socially acceptable… No, socially permissible to break copyright law. There is no social stigma around it. In our society smoking and drinking is less accepted than blatant copyright infringement - and these two things are perfectly legal.

Here is another conversation I have overheard - this time at the video game isle at Wallmart:

You could argue this is bad parenting, and/or irresponsible behavior. Perhaps it is. But I have yet to see a parent who gets upset that their kid is “saving them money” by downloading movies and video games from the internet. Most parents are actually pleased - they think it’s somewhat frugal. Some worry about the potential legal issues in an event their children will get caught. But then again, how many people who got sued by RIAA or MPAA you know personally? You know, like a friend of your second cousins former roommate fathers sister in law kind of thing.

No? Me neither. Very few people actually ever saw a victim of the *AA legal machine. Statistically, chances of you getting caught are somewhat akin to chances of you winning a lottery. Most people are ok taking this risk - especially if they mostly leach, and do it very casually. Downloading 5-6 mp3’s and perhaps one movie every month makes you a relatively small target - especially if you close the torrent connection or remove the files from your shared folder as soon as they are downloaded as many people do.

To tell you the truth, I have yet to hear someone IRL preaching about the evils of piracy, and condemning file sharing. I swear, I have never in my life met a person who did not indulge in a little bit of piracy now an then or at least benefit from it. Even the conservative, religious and law abiding little old ladies I met while I was working at a doctors office back in the day openly admitted they watched a movie or listened to a CD burned for them by their grandchildren and thought nothing of it.

I’m not saying there are no people like that out there - idealists, who refuse to download movies and music from the internet. I’m just saying they are a dime a dozen and I have yet to meet one in person. And even then, I wonder if they sometimes borrow movies or music from friends. Cause if they do, they are no different from the rest of us. In my mind there is no difference between downloading a DVD rip, watching it once and deleting it, and borrowing a DVD from a friend or a relative. Or rather the only difference is the legal scope. Former is legally shady, while the later I believe is perfectly ok. But logically, morally and ethically - I can’t tell a fucking difference between the two.

And that is the problem. We can either completely lock down our media and make it virtually impossible to socially share, re-sell, and exchange them or just accept piracy as a social phenomenon of digital age and concentrate on adding value to your products to make them better than free. The entertainment industry decided to take the first route trying to lock down our media. But as we have seen it over and over again, this just doesn’t work. Almost every form of DRM can and will be broken. And if it is too difficult to break, it can be defeated using the analog hole. And of course the scene folks have inside suppliers who can leak out pre-release material before it even gets wrapped in DRM to begin with. In other words, investing in DRM is like tilting at windmills. Wasteful, futile, silly and deeply tragic.

I talk about DRM a lot, but I never really found a perfect way to explain it to people who are clueless about technology. When I teach a class on digital media, and go over DRM I usually briefly cover different methodologies, and then put up dates when they were cracked at the end of each slide. I found that it really drives the point home when I go through this buildup stage, explaining these extremely complex systems and conclude each series of slides with “Oh, and this scheme was actually cracked 3 days after release”.

Then I usually reuse few slides from my cryptology lecture and give them Bob, Alice and Eve example, emphasizing how in DRM world Alice and Eve are the same person. This is a great example that really speaks to people who understand and care about cryptography, but Fluency in Technology students usually find it a bit confusing. I’d love to have something explains the absurdity of DRM in a way that is clearer, funnier and doesn’t involve the 3 most hated people in my classroom (sorry Bob, Alice and Eve).

I think I might have found an allegory that might just work on that level. This is how Shamus from Twenty Sided described DRM in his recent post:

In the original Monkey Island, at one point you are captured by natives who lock you in a simple bamboo hut. There is a trap door in the floor through which you may escape. If you’re dumb you can walk over to the natives once you’re out, and they will grab you and throw you back into the hut. The second time they throw you in, they add chains to the door. The next time the door is made of metal. This keeps going until eventually (if you keep going back) they have a bamboo shack with a massive steel vault door on the front, a timed lock with an alarm system on it. It looks like the front of Fort Knox.

“How he keeps getting out is almost as mysterious as why he keeps coming back.“

In a lot of ways these DRM schemes are a bamboo hut with a vault door on the front. The keep using a bigger and bigger lock and a more complex system of authentication, but it still has to run on a machine where you can edit the executable, and all the hacker has to do is go in and disable the part that says, “Do the security check.” It doesn’t matter how secure or complex or devious the security check is, if the machine’s not doing it, it’s not doing it.

I played that game, and I remember that part but I never connected the two! But it is a perfect fit! It’s vivid, funny and really gets the point across. I really don’t expect my students to actually know what Secret of the Monkey Island was. Most of them are just to young to have played it when it was still on the market, and to clueless to download it from one of the the abandonware sites and play it via ScummVM. Well, maybe one or two would actually know about it. Still, the story is silly enough to work so I’m totally stealing it.

Here is a youtube video of that scene for your reference:

escape from the hut © pheedbaq

Shamus is right of course - it very difficult to design copy protection software in a way which will be difficult to crack by a 15 year old kid armed with a debugger and a hex editor. Anything that is running on the client machine can and will be tampered with. The only way to make the game uncrackable is to have the copy protection run on a remote server and have the client simply forward over user authentication. Still, that doesn’t prevent people from sharing accounts and hacking the client to do weird things. Not to mention the costs of running an operation like that. Most of video games that are not MMO’s are really client based applications ant as such will always be vulnerable.

So the second best thing you can do is to mislead and confuse the potential attacker and make his job difficult. Adamantyr posted a god example of this practice in the linked thread over at Twenty Sided:

Concerning executable cracking, Chris Crawford has a VERY good write-up of how he protected one of his games in his book “Chris Crawford On Game Design”.

In particular, he uses obfuscation techniques such as:

• Burying work code inside of recursive loops, so reading the active process stream has a ton of noise the hacker has to wade through to find the ONE interval that does something.
• Code over-writing, in other words, the program overwrites parts of itself while running in memory. This is actually really bad from a security standpoint nowadays, but it’s fiendishly clever and sadistic for the poor hacker who’s world view has just been demolished by code that changes when he’s NOT LOOKING.
• Dummy variables with obvious names that draw the hacker away from the actual important ones.
• Storing actual data in the stack garbage and fetching it in a clandestine way, like an “accidental” buffer over-run.
• Deliberately breaking the game so the legitimate version would “fix” one element of data. Otherwise the game can’t be finished.

He actually hired a professional hacker to try and break his program after he’d finished it, and the guy never got past the first level of defense he set up. He later found cracked versions online, but none of them were actually completable as his “flawed” data element wasn’t fixed.

I haven’t read Chris Crawford’s book but the techniques mentioned above would indeed make the life of your average teenage cracker very difficult. However, they would make the life of your average game developer a nightmare as well. Some of these things are really bad practices. Storing data in garbage, controlled buffer overflows, cryptic spaghetti code - this stuff is just bad software development plain and simple. If you are a single programmer on the project, you can probably get away with scattering stuff like that all over your code. When you are working as part of the team, this is the kind of stuff that will get you beaten up by an angry mob of coworkers who have to debug your cryptic code.

These methods do not really seem to fit well into the modern software development model. The only way to make this soft of copy protection work is to have it tightly woven into the very fabric of your software. The copy protection checks should be tightly coupled with real processing code, overlapping and hiding behind real data in as many places as possible. But who the hell is going to test and maintain that kind of stuff? No one really does copy protection this way anymore.

These days most companies think of DRM as a security layer or a module you can buy or license then slap onto a wide range of products your products. They view it as installing a lock, on the bamboo hut because that makes sense and is economical. Once you build an awesome lock, you can use it on any hut you want. Sadly, a hut is still a hut. It is made out of bamboo which can be defeated with a hacksaw, and you can always tunnel under it since it has no floor. What Crhis Craftword seems to be proposing is building a Cube like environment instead of a hut. But that is a hard job which requires not only dedication but also experience. The problem is that most game developers are not really experts in obfuscating their code, and building copy protection mechanisms into their code. In fact they are usually the exact opposite of that. They are trained to write clean and understandable code that is easy to test, easy to debug and conforms to the best practices. Game development studios just want to make games. Who insists on DRM then? The publishers of course. They are the major driving force behind the copy protection industry because “piracy” cuts into their profits the most. And they are not experts on writing obfuscated software either. What they want is something simple like this:

1. Get a nice black box containing precompiled binaries for the game from the developer studio
2. Purchase a another box with a complete, end-to-end DRM solution
3. Pay some low skilled employee to wrap the game proper in the DRM container creating master package to be burned on CD’s or DVD’s
4. ???
5. Profit

Neither game developers nor publishers are really interested in building these protection systems. They are interested in buying them, and thus a whole new industry grew as a response to this. Companies started specializing and building DRM systems as separate products. DRM is now a piece of software that is generic and modular designed to fit with as many different products as possible to maximize profits. It can’t blend seamlessly into the game it is protecting or hide behind live data. By necessity, the number of places where the game code intersects with DRM code is limited. The more you try to integrate the two, the more of custom code and modifications you need. And of course, DRM makes charge for this kind of stuff at a premium rate. So the direction which the game industry seems to be taking is building really complex and impressive locks to use on their bamboo huts because it is really the only logical and economical way to do this. The other route is just plain nutty - exuberantly expensive, and potentially creating huge maintenance problems in exchange for what? They can’t guarantee you success - no one can. If something runs on the client machine, it can and will be tampered with - any part of it can be overwritten or modified.

But as you can see the whole system is deeply flawed. Sometimes I wonder how do executives who make the decisions to use DRM systems such as SecuRom or StarForce react when they find out that a cracked version of their product hit the torrent sites 3 hours after the release? How do they justify the expenses they incurred to license the protection technology? Perhaps they don’t. Perhaps no one tells them these things. Perhaps they live out their lives oblivious to the truth, thinking that the millions of dollars spent on licensing some DRM product actually made their software invulnerable. More likely though they hide behind company policy so they can then justify low sales to their sock-holders telling them stories how evil pirates are still robbing them blind despite these strong counter-measure steps they took.

Anyway, if you don’t mind Shamus, I’m gonna use your Monkey Island allegory next semester when I’m teaching my class about digital media and DRM.

In the past if you missed an episode of your favorite show you had very limited choices. If you had Tivo or a similar service you could just pray and hope it was smart enough to record it. You could also hope it was available on some sort of on-demand service provided by your cable. Failing that, you could either wait for a re-run, or go online and download the episode from your favorite P2P network. Added bonus was that the friendly folks who were uploading the shows usually grabbed them from HD feed, and were kind enough to remove commercial breaks. I did this myself several times for this or that show. There is just no way to prevent it.

At the time I used to wonder why the networks didn’t simply put the episodes online, complete with commercial interruptions. Since they already circulate in the wild, why not turn around and profit from it. This rejection of adopting a viable stream of revenue out of fear that it will make it easier for pirates to “steal it” seemed silly to me. I mean, some groups out there are able to start seeding an episode 15-20 minutes after it was aired - all they need to do is to grab the file from their VDR, and cut out the commercials. Not releasing a digital copy of your show didn’t necessarily impede their work.

Conversely, if you stream the episodes from the official website, surround them with one or two advertising banners and include commercial spots embedded in your stream, you are capitalizing on several of the 8 generatives Kevin Kelly talked about in his essay Better than Free. Since this is an official release the fans of the show know immediately where to find it (they can bookmark the page, instead of searching P2P networks), and furthermore they know the content is authentic and trustworthy which is not always the case with the less than legal sources.

Well, lo and behold - this idea is starting to take ground. This Friday I missed the new Battlestar Galactica episode and to my surprise I noticed that all 3 episodes of the new season are available via SciFi Channels Rewind service. Yes, the quality is low, and the commercial breaks are a tad annoying but you know what - I don’t really care. I just want to catch up with so that I can participate in online discussions and the obligatory Monday lunch hour BSG discussion at work. And for that the grainy, slightly above Youtube quality compressed FLV is just fine. Hell, it’s in fact more convenient since all I need to do is to click a button and watch. I don’t need to wait for the download to finish, and I don’t need to worry that part 5 of 6 will be taken down before I am able to watch it as it is often the case on the TV-Links like link services.

I wanted to commend Scifi and all the other networks which choose to follow this route. I’m glad people are slowly begging to see the light. When you put episodes online like this we all win! You get an extra stream of revenue and I get to watch my show whenever I want. This is exactly how you should combat piracy - compete with them on terms they cannot match. The streaming show on your website is official, safe, permanent and readily available when needed - it is better than free.

Is this an indicative of change? I don’t think it’s just Scifi that is doing this. I think ABC was doing something very similar for Lost episodes, although I’m not sure if they just offer the last episode, or all of them. So there are networks out there that are beginning to understand how to make a buck in the digital world, and that is filling me with hope. Perhaps future is not as bleak as we all suspected.

Let’s talk more about digital distribution. I don’t know why but I suddenly have a lot to say about these things. We already established that distributing data online can be profitable if you approach it the right way. We also know that so far very few industries have learned how to do it. Even book publishers who have a built in advantage (most modern e-book readers suck) are very uneasy about electronic distribution. No one can really figure out how to deal with this internet debacle. And I think part of the problem stems from the big dissonance between what customers desire, and what distributors are willing to provide.

It’s actually really easy to figure out what consumers want. As with any other product that is easy to find, high quality affordable, accessible and easy to consume. What does that mean? Let’s say that Joe Public wants to buy a song he heard on the radio. He should be able to find it in his favorite music store by searching by title, band or lyrics. He should be able to buy that song for an iTunes range price or lower (this stuff should be competitive) and download it immediately without jumping through any hoops. Just pay with paypal/credit card, and download.

The music should be accessible and easy to consume. This means that Joe should be able to click on the song and have it open in the music player of his choice. He should not need to use some bloated, proprietary player. He should not need to activate it, wait for it to fetch a license from the online store, or provide login or license number information. All Joe really wants is to take that song, play it on his computer, then put it on his ipod/iphone, his laptop, an his work computer. In this day and age it is not uncommon for people to own and use several different machines on a daily basis like that.

Is it really that much to ask? All we really want is a file that is in some standard format can be played on any device and any operating system without any major hassle, or need for internet access. But to music industry this is an outrageous. If I pitched this idea to the RIAA folks they would probably call me a raving lunatic who tries to ruin them and then phone for security and have me escorted out of the building.

Here is a pitch that would make them cream their pants on the spot:

First, music should only be sold via a single online store. It needs to be withdrawn from iTunes and all other online distributors. This will help increase the artificial scarcity of the song, and also add another revenue stream as the store will be able to serve advertising to the shoppers. Next, we remove all the search boxes from the online store. Instead we have a list of categories, and alphabetized list of performers. To find the song he wants, Joe Public will need to drill down 6 or 7 levels into that category tree generating page views for our banners, and popup advertising.

Then, before Joe can place the order and download his song we make him click through 10 to 20 special offers from “our affiliates”. Once the credit card payment is in, we make Joe install a custom downloader software that will fetch the song from our server for him. Naturally the software comes bundled with more special offers and addware. Once he installs the software, he will be able to download the song, which will be in proprietary format that can only be played by our custom music player (with more addware).

The song will naturally be tied to the hardware signature of Joes computer as soon as it is downloaded (long before he even tries to play it). To listen to it, Joe must use the cutom player, provide his login information, and the license code for the song that was sent to him in his email. The player will then call home and confirm the license and increment the play counter by one. Joes card will be charged some nominal sum for each play. It’s probably a good time to note that the custom player has no pause button or any way to fast forward or rewind the song. Ever time you play it, you get charged. The song will expire after 24 plays or 24 hours whichever comes first. After this time Joe will be able to re-purchase it for the full price.

Naturally, even the slowest, least progressive RIAA members realize that such an atrocious, anti-customer model would fail miserably. No one in their right mind would ever agree to a pay-for-play scheme - especially not when iTunes provides a much more user friendly and affordable, while still locked down service. This is why most studios hates iTunes with a passion - because they made digital distribution work without really squeezing the customers that much. Let’s face it, once you subtract bandwidth costs and maintenance of the online store, any profits on top of that are essentially free money.

So there is this huge gap between expectations on each side. Customers just want an affordable product they could use. Copyright holders want an unusable product which forces the customers to hand over large sums of money to them. It’s obvious that some sort of compromise must be worked out. If your digital distribution model is to restrictive or unfriendly, the customers will just happily continue pirating your content. If it is to lenient, you will probably get fired because your boss will not be able to sleep for months, thinking about the millions of dollars he probably lost because your scheme allowed someone to play the song on 3 computers instead of just one.

This is entirely silly since all you need to do to make profit is to capitalize on some of Kevin Kelly’s generatives. You can sell un-protected, un-encrypted mp3’s and still turn profit. Apple actually gets it and the reason why they are so successful is that they are really exploiting these things. First, they heavily rely on the brand. Their music store is closely associated with their flagship product - the iPod. Apple is a trustworthy brand with a carefully cultivated image. This is one intrinsic value that cannot be digitized and downloaded from a torrent site. People trust Apple more than they trust the “Pirate Bay” or other strangely named site like that. Second, the iTunes store really capitalizes on several of the generatives. It has an impressive searchable index, keeps track of your music and makes it accessible to you wherever. Naturally they also compromised and have that DRM of theirs which doesn’t really do anything other than annoy customers. But in the current climate it is necessary - no DRM, no content is the mantra of the entertainment industry.

Theoretically, if someone came along with a similarly sized catalog of content, but offered lower prices and no DRM they could blow iTunes out of the water. There are two problems though - iTunes is an entrenched brand, and it would be hard for a no-name service to compete, at least initially. They’d really have to provide a better service - and not just slightly - they would have to catch the eye of the public. The second problem is that without DRM they would have real trouble getting licenses for distributing content. They’d probably get enough content to be attractive to some, but not enough to threaten iTunes using their music catalog.

So we are really at an impasse. The copyright holders desperately try to shift the market towards a model that is more restrictive, and more prone to milking than iTunes. Customers just want something that works, and doesn’t cost an arm and a leg. Unless the copyright holder mindset doesn’t change, we will continue getting shafted with horrible deals, atrocious DRM and business models that just can’t work.

We will probably continue arguing over this for years to come, but I think customers will win in the end. It’s already slowly changing for the better as new DRM-less schemes are popping up now and again. People are starting to realize that customer lockdown is a dead end. It will get better, eventually…

I said it before, and I’ll say it again: downloading copyrighted content without author’s consent is not theft. It’s copyright infringement! It doesn’t make it any less illegal, but it is a very different crime. Please get it right, otherwise any discussion about copyright is impossible!

Claiming that infringing copyright can be equated to theft is essentially building up a straw man argument. After all, everyone knows that theft is a relatively serious crime and one that affects the victim in a very real way. Infringement is very different crime which really requires a different set of laws and a different mindset. If you try to convince people that file sharing is harmful while basing your argument on claiming it is “like theft” you are simply doing it wrong. You are simply building a straw man, and toppling it with impeccable logic but none of that applies to copyright. Unless we change the law to treat intellectual property the same way we treat physical property, your argument is flawed.

It is really simple to explain, but most people on the other side of the fence (pro copyright) just don’t get it. When you download copyrighted content you are simply violating someone else’s exclusive distribution right. There are many real world examples people use to illustrate how infringement works, but I like this one:

Imagine there is a big game in the local ball park. Bunch of local kids decide to watch the game by climbing a tree growing on public property right outside the fence. They get caught. Should they be charged for theft? Do you think their crime is equal to for example that of a pickpocket who swiped game tickets from an unsuspecting sports fan?

They were able to watch the game because the tree was there to provide them with a good viewing platform. If it wasn’t there, would all of them buy tickets? Could you with any degree of confidence estimate how much money each of them would spend on tickets, hot dogs and refreshments?

If you haven’t figured this analogy yet, let me break it down for you. The ball park is the official distribution channel for the multimedia content. The ballpark owner is RIAA, MPAA and etc. The sports team playing inside are the artists. The kids are “the pirates”, and the tree symbolizes the internet. Downloading movies and music is like climbing that tree and watching the game for free. It’s not right naturally. You ought to buy a ticket to watch the game - so it can be said that the owner didn’t earn any money on you. But it can’t be said he actually lost any money because no one can prove whether or not you would actually buy a ticket if the tree was not there.

Infringement has nothing to do with steeling. This is why the MPAA’s “You Wouldn’t Steal a Car” campaign is nothing more than muddying the waters. It’s propaganda - a calculated distraction. Entertainment industry does not want to discuss the real issue here because it is not in their best interest. What they want to do is to sow fear, uncertainty and doubt. And it’s not that they do not have an argument to begin with. The law is on their side. But we have to agree that infringement is much lesser crime than theft.

Then again, you have to wonder what good is a law that is virtually unenforceable. When I meet new people the topic of file sharing invariably comes up sooner or later. I have to say that I have yet to meet a person below 40 who can honestly say they never downloaded a song or a movie from the internet. It is simply unheard of. I’m counting both males and females of all races, creeds and education levels. In fact, many times I was honestly surprised to find out that a given person engages in this activity. No one respects the copyright law. Copying is as natural as breathing to us. This is what computers and internet were designed for.

And there is no way to stop it. Technological means to curb copying (DRM) don’t work. And statistically chances of getting caught are close to zero. Only a very small percentage of people will ever get sued by RIAA and MPAA.

Who what is the point of un-enforceable law that everyone breaks without even thinking about it? Protecting revenue streams of distributors might be a reason here, but there is something wrong with this picture. Let’s step back and think about it for a second.

I just said that I don’t know a single person below 40 who doesn’t do at least a little bit file sharing. This means that a huge chunk of population is involved here. And yet, I haven’t heard about a single movie or music studio closing it’s doors because of losses incurred due to “piracy”. Movies, music and software keeps getting made so the alleged losses cannot be that significant. Entertainment industry can talk all they want about “lost sales” and projections of lost revenue but most of us know these are just wild guesses that cannot be substantiated with any concrete data. There is just no evidence to support them.

If this was theft, we would see real very tangible evidence of loss. But we have no such evidence - just fuzzy, optimistic estimates. And this is the gist of the problem that the pro RIAA and pro MPAA advocates try to avoid discussing.

So please, next time you get into this discussion, get it right. Otherwise you are just regurgitating a flawed argument that has no basis in reality.