[liberationtech] WC3 and DRM

Danny O'Brien danny at eff.org
Wed Jul 31 19:32:54 PDT 2013 

On Fri, Jul 26, 2013 at 03:18:58PM -0700, Steve Weis wrote:
> DRM technologies have a flip side as privacy-preserving technology.
> It's all a matter of whose data is being protected and who owns the
> hardware.
> 
> We generally think of DRM in cases where the data owner is large
> company and an individual owns the hardware. In this case, DRM stops
> you from copying data you paid for from your own device.
> 
> Now flip the roles. You're the data owner and the large company is the
> hardware owner; say a cloud computing provider you lease machines
> from. Those same technologies can prevent that service provider from
> accessing your private data.
> 
> Cory Doctrow has come around to this view, as he discusses in his talk
> "The coming civll war over general purpose computing" [1]. He's now
> advocating the use of Trust Platform Modules (TPMs) as a "nub of
> stable certainty" which you can use to verify that whatever hardware
> you are using is faithfully booting your own software. This is a
> significant departure from viewing TPMs as an anti-consumer
> technology, which was espoused by groups like Chilling Effects [2].
> 

No, this is a slight but consistent refinement of a long-established
position about TPMs from EFF when Trusted Platform Modules were first
concretely proposed (Chilling Effects isn't a group, its a website run
co-operatively by a number of groups -- the piece you're citing is from
the Samuelson clinic). The best summary for this position is probably
still Seth's paper from 2003
https://www.eff.org/wp/trusted-computing-promise-and-risk 

The challenge here is with the remote attestation feature of TPMs, and
the reason that's problematic is that it effectively informs others of
your software environment, therefore effectively allowing others to
prohibit interoperability without you concretely testifying that you're
running their approved set of tools.

This is also the criteria by which TPMs are judged as being suitable for
DRM *and* for a range of "privacy-preserving" technologies -- only in
this case, the theory would be that you would be receiving a testament
that only the promised software is looking at your data in Google's
server nests, or that only authorised programs in the State Departments
are peering at the diplomatic cables.

Of course, such remote attestation/control works as well for
privacy-preservation as it does for DRM -- not very. If you *have* the
data, you can do whatever you want with it. My computer can attest all
it want, but if I want that video or that cable, I'll get it. Indeed, I
already *have it*. all you're doing is determining the process by which
I'll obtain a reproducible copy. It's not even that quantifiable as a
cost, because we're already assuming I have physical access and time
enough. 

The position that EFF and others, including Cory, have argued for a
decade now is that TPMs are useful as a nub of certainty -- but only for
users (actually they work well enough for owners *and* users, and Cory's
paper is a useful discrimination for both of those classes). The hope
that they might be something like that for data control by remote
parties, like the government or the entertainment industry or you
posting to Facebook is both a pipe dream, and a rather dangerous ceding
of control of our most important personal technologies to unknown third
parties.

d.


> As Doctrow puts it "a victory for the "freedom side" in the war on
> general purpose computing would result in computers that let their
> owners know what was running on them". Some of the very same
> technologies that enable DRM could help us verify that computers are
> running what they should be.
> 
> [1] http://boingboing.net/2012/08/23/civilwar.html
> [2] http://chillingeffects.org/anticircumvention/weather.cgi?WeatherID=534
> 
> On Fri, Jul 26, 2013 at 2:22 PM, Richard Brooks <rrb at acm.org> wrote:
> > Obviously, these issues have been very thoroughly discussed
> > by Corey Doctorow and Larry Lessig. DRM has not proved to be
> > effective at safeguarding intellectual property. It seems
> > to be most effective as a tool in maintaining limited
> > monopolies, since it stops other companies from investing
> > in creating products compatible with existing products.
> >
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

More information about the liberationtech mailing list