[liberationtech] If iPhones should have strong encryption, then the Web should not include DRM

Thomas Delrue thomas at epistulae.net
Tue Apr 12 12:48:18 PDT 2016


On 15/23/3127 13:15 PM, Zak Rogoff wrote:
> Hey all, I'm trying to link these two issues and wrote this post on
> my personal blog. I was wondering what people thought about the
> arguments, as I know some of you have considerably more expertise on
> encryption than myself.
> 
> http://zakkkko.com/blog/index.php/3127/15/19/if-iphones-should-have-strong-encryption-then-the-web-should-not-include-drm/

First of all: I applaud your efforts in bringing this to attention! I
think DRM is an important issue to be discussed.

While I agree that DRM is a serious and under-appreciated problem, I
have a couple of issues with your blog-post:

0. I see no arguments for why encryption is desirable in your post.
While you don't have to convince /me/ of the desirability and necessity
of encryption, others may need some nudging so they don't fall into the
"if you encrypt stuff, it's because you are a 'bad
guy'(tm)/pedophile/terrorist/someone with things to hide"-group.
Arguments could include
- privacy: I'm not hiding shit, but why do /you/ feel entitled to look
into what I'm doing, tell me that first...
- security: I don't want [insert_glorious_leader_name] to know that I
don't like him/her
- liberty/trust: I'll be the judge of what is running on my computer and
whether or not I trust it (cf. crypto-signatures)
- etc...
All of these arguments can be tied to some items you mention further on
in your post. Specifically, I'm thinking of the black-boxed-ness of DRM
software that you mention, which is likely a welcoming target to tie
these arguments in with.

1. I fail to see your link between crypto & DRM or why we need (strong)
crypto as much as we don't need DRM.
The article is pretty much only about how DRM is bad. I only count 8
occurrences of 'encryption' in the article (excluding the title and
bottom-links), none of them establish a substantial link between crypto
and DRM.

2. Encryption enables DRM: one of the things that DRM needs and uses
*is* encryption. This could hurt the argument /for/ crypto you're
attempting to make. But just like how encryption enables DRM, nuclear
physics enables thermonuclear weapons. It's not because the genie is out
of the bottle that we must march down the path blindly.

3. Don't introduce DRM as "Digital /Restriction/ Management", it's
called Digital Rights Management - as much as I loathe it.
Use this however to make the case that the 'Rights' referred to are the
ones of the copyright holder, not the user. Use arguments to indicate
that the rights of the user are fuck-all ("you may pay us for it and
then you can go fuck yourselves until we have another shiny bauble to
rent to you"). That would be a much better jump into using the term
Digital /Restriction/ Management.

4. Since this article is mostly/all about DRM: you're not mentioning how
DRM moves from an ownership situation (I bought the thing) to a
paying-rent situation (Oh, you want to stop paying me monthly fees?
Well, then, your e-books/mp4s/movies/... will just disappear and you
can't ever use them again. Have a nice day!)
Given your other work, maybe that's already in another article; however
given the overall subject of the article, it may belong in here too.

5. You are making a couple of unsubstantiated claims which I'd rather
you don't.
An example is this: "it is an industry best practice for Netflix to
insist you download a program onto your computer to monitor and restrict
you".
While it is true that the code you have to download and run on your
computer is closed source (i.e. not open for inspection), I have not
seen any evidence that this code 'monitors' you, and I'm even part of
the paranoid crowd.
Similarly, while surely it restricts you in what you can do with what
Netflix (for instance) sends you, I also have not seen any evidence for
the code restricting you in any other way - say for instance preventing
you from signing up with Hulu/AmazonPrime/BigBrotherX/...
Keep it factual: the code MAY be monitoring you as well as whatever you
do online but we don't know that (or at least *I* don't know). You can
tie this in with the DMCA, which you mention further on, and how it
prevents us from disassembling the code to inspect it and see whether or
not it actually does surveil us and to what extent, on pain of jail-time.
HOWEVER, I think this particular subject would be a good segue into
drawing in crypto. One of the goals of crypto is privacy and these
binary DRM-enforcing-blobs reduce people's privacy. I think something
can be done with this angle.

6. I disagree that DRM inherently is a nightmare for security. The DRM
code not being open source is a much bigger nightmare for security (and
privacy - tie it back to crypto). You mention that it is a black box but
don't do anything further with the argument, I'd love to see more
elaborating on that part. (see above)
You also mention that it is 'deliberately hard to remove' which I don't
think is accurate, unless you consider un-installing any piece of
software 'deliberately hard'. That being said, users of FLOS software
have it much easier in removing that crap than users of non-FLOS
software (if they choose to install that junk in the first place, that is).

7. "Even if the DRM’s owner doesn’t actually take advantage of their
privileged position, others often do — DRM punches a hole our control of
our computers, which is often stepped through by other malicious
actors." is another unsubstantiated claim. I'd like to see it backed up.
If anything, the Sony rootkit-debacle and others have shown the
opposite: if anyone would take advantage of this, it would be the DRM owner.
I am also not aware of DRM being used 'often' as an attack-vector by
third parties.

8. You reference "Defective by Design" but don't introduce them to us,
I'd love to be introduced :)

9. Selfies? Really? Do you really want everyone who opposes this to have
their face scanned by facial recognition algorithms and categorized
accordingly? (did I mention I'm part of the paranoid crowd)



