2.3
DRM and Market Power
DRM affects more than just the relationships among the label, the vendor, and the user. It also impacts the
label's and vendor's positions in their industries, in ways that will shape the companies' DRM strategies.
For example, DRM vendors are in a kind of standards war--a company that controls DRM standards
has power to shape the online music business. DRM vendors fight this battle by spreading their platforms
widely. Record labels want to play DRM vendors off against each other and prevent any one vendor from
achieving dominance.
Major record companies such as Sony-BMG are parts of larger, diversified companies, and can be ex-
pected to help bolster the competitive position of their corporate siblings. For example, parts of Sony sell
portable music players in competition with Apple, so Sony-BMG has an incentive to take steps to undermine
Apple's market power.
Having examined the goals and motivations of the record labels and DRM vendors, we now turn to a
description of the technologies they deployed.
3
CD DRM Systems
CD DRM systems must meet difficult requirements. Copy protected discs must be reasonably compliant
with the CD Digital Audio standard so that they can play in ordinary CD players. They must be unreadable
by almost all computer programs in order to prevent copying, yet the DRM vendor's own software must be
able to read them in order to give the user controlled access to the music.
Most CD DRM systems use both passive and active anti-copying measures. Passive measures change
the disc's contents in the hope of confusing most computer drives and software, without confusing most
audio CD players. Active measures, in contrast, rely on software on the computer that actively intervenes to
block access to the music by programs other than the DRM vendor's own software.
Active protection software must be installed on the computer somehow. XCP and MediaMax use Win-
dows autorun, which (when enabled) automatically loads and runs software from a disc when the disc is
inserted into the computer's drive. Autorun lets the DRM vendor's software run or install immediately.
Once the DRM software is installed, every time a new CD is inserted the software runs a recognition
algorithm to determine whether the disc is associated with the DRM scheme. If the disc is associated, the
active protection software will interfere with accesses to the disc, except those originating from the vendor's
own music player application. This proprietary player application, which is shipped on the disc, gives the
user controlled access to the music.
As we will discuss further, all parts of this design are subject to attack by a user who wants to copy
the music illegally or who wants to make uses allowed by copyright law but blocked by the DRM. The
user can defeat the passive protection, stop the DRM software from installing itself, trick the recognition
algorithm, defeat the active protection software's blocking, capture the music from the DRM vendor's player,
or uninstall the protection software.
The complexity of today's CD DRM software offers many avenues of attack. On the whole, today's sys-
tems are no more resistant to attack than were simpler early CD DRM systems. When there are fundamental
limits to security, extra complexity does not mean extra security.
Discs Studied
Sony deployed XCP on 52 titles (representing more than 4.7 million CDs) [1]. We exam-
ined three of them in detail: Acceptance, Phantoms (2005); Susie Suh, Susie Suh (2005); and Switchfoot,
Nothing is Sound (2005). MediaMax was deployed on 37 Sony titles (over 20 million CDs) as well as dozens
of titles from other labels [1]. We studied three albums that used MediaMax version 3--Velvet Revolver,
Contraband (BMG, 2004); Dave Matthews Band, Stand Up (Sony, 2005); and Anthony Hamilton, Comin'
4