16.09.2007 How to do Open Source friendly “DRM”

Usually when it comes to releasing music or movies the answer of some of the companies that create the content appears to be: “its not possible to do this without resorting to proprietary formats, players and security by obscurity / trusted computing”. And lots of problems arise from that. I know several at least two developers working for some content provider and the amount of support you need to give even for the proprietary “solutions” seems to be massive. Worse, you lock out free software completely, and often lots of old devices, too. The whole idea is causing these problems. The more people you tell a secret, the weaker your protection gets.

My proposal would be this: the companies argue that DRM provides a way for the customer to track whether he owns music or not. It does so automatically, so if you’re a honest person, you can track whether files are owned by you, much in the same way you can now look which CDs are in your CD shelf. Also restrictions such as “you can listen to this file, but only until December 2007” can be added and tracked automatically by software. If this is what the customers want to do, then I propose shipping a media ownership file with each song/album purchased, looking somewhat like:

	Album:           [album name]
	Song:            [song title]
	File:            [foo.ogg]
	Size:            4820573
	SHA1:            [sha1 sum of the file]
	Owner:           [some content provider with some unique url]
        Restrictions:    [like: expires 20071231]
	Customer:        [your name]
	Customer Mail:   [your email adress]

To make the system work, this file should be signed by the owner (some company that produces music or movies), with a PGP/GPG signature or something equivalent. So then, whereever you go and whatever you do with your music, you and your software can validate that you own it. For the honest user, this should be great. Even if you copy the files to a friend by accident, the software will still be able to catch it, and tell your friend: “this is not really music you bought”.

So I think for honest customers this system will work, because it is based on the idea that you want to compensate artists, and DRM is only a convenient way for you to track that you do it. Its also not easy to attack the media ownership file idea, because if a content provider owns a piece of music, he and only he should sign such files. So by looking up first who owns the music/movie in a global database, and then verifying that the right signature from the right person for the right customer is there, its possible to effectively avoid that somebody else hands out media ownership files for music/movies he doesn’t own.