Forgot your password?
typodupeerror
DRM Privacy Microsoft Security

Would You Secure Personal Data With DRM Tools? 101

Posted by Soulskill
from the enemy-of-my-enemy-is-my-friend dept.
museumpeace writes "From its own EmTech conference, Technology Review reports on a privacy strategy from Microsoft's Craig Mundie: When sharing music online took off in the 1990s, many companies turned to digital rights management (DRM) software as a way to restrict what could be done with MP3s and other music files — only to give up after the approach proved ineffective and widely unpopular. Today Craig Mundie, senior advisor to the CEO at Microsoft, resurrected the idea, proposing that a form of DRM could be used to prevent personal data from being misused." Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of. "More and more, the data that you should be worried about, you don’t even know about."
This discussion has been archived. No new comments can be posted.

Would You Secure Personal Data With DRM Tools?

Comments Filter:
  • by Anonymous Coward

    Record personal info in songs and sue any companies that sell them as copy infringement. Also use DMCA to force website to take down your info - they copied my lyric!

    • clever trick (Score:5, Insightful)

      by duckintheface (710137) on Friday October 11, 2013 @04:19PM (#45104407)

      When Microsoft suggests anything to "protect" the user, I immediately look for the trap. In this case it's easy to find. When DRM violations are made a felony, it won't be a felony only when the violated party is the user. This is a back door way to make DRM violations against big corporations a felony. This has nothing to do with protecting users and everything to do with helping corporations.

      • "This is a back door way to make DRM violations against big corporations a felony. This has nothing to do with protecting users and everything to do with helping corporations."

        I agree that it should probably be a felony to gather or misuse personal data. I do not think felony should be applied to copyrighted works. Very big difference, there.

        Currently, "downloading" (making copies of copyrighted works for personal use), is not even a crime. Nor should it be. Piracy, however, which is a legal term referring to copying for profit (e.g., making bulk copies and selling them), IS a crime and probably should be.

        But they are not the same things, despite the industry's attempts to

        • But they are not the same things, despite the industry's attempts to deliberately confuse them.

          The problem the GP points to is that they will be confused into the same thing sooner or later.

        • "I agree that it should probably be a felony to gather or misuse personal data. I do not think felony should be applied to copyrighted works. Very big difference, there."--- Jane Q. Public

          I agree with eveything you say... but how do you make the legal distinction? If "corporations are people my friends", then corporate data IS personal data. The evil starts by pretending that corporations have rights. Corporations have priviledges and responsibilities but they don't have rights because they are NOT people

          • " If "corporations are people my friends", then corporate data IS personal data. The evil starts by pretending that corporations have rights. Corporations have priviledges and responsibilities but they don't have rights because they are NOT people."

            I agree. And who promoted that evil? The Supreme Court.

            What many people (and even SCOTUS) don't seem to realize is what an enormously hypocritical concept that is. If corporations have "rights", then the vast majority of government regulation of corporations is unconstitutional! If the corporation is a person, and has rights, then if it's 18 years old it can vote! As ridiculous as that sounds, that's what they're saying.

            They can have one, but they can't have both. Sooner or later, that particular hous

            • by Nerdfest (867930)

              I keep saying that it should also preclude these layered (for tax purposes, etc) corporations as if corporations are people then one corporation owning another is slavery. It would also help stop them from hiding behind shells for legal liability.

  • by fustakrakich (1673220) on Friday October 11, 2013 @03:59PM (#45104267) Journal

    You know, because it works so well, it has completely wiped out the drug trade, and there's no more murders now with our fancy death penalty. Prison for all! Lock 'em up before they commit the crime. That's even better. When you're born, it's straight to jail, until you have rehabilitated yourself.

  • by SJHillman (1966756) on Friday October 11, 2013 @04:01PM (#45104295)

    I wouldn't secure my personal data with the same thing that's apparently keeping me from downloading a car

  • by stewsters (1406737) on Friday October 11, 2013 @04:01PM (#45104297)
    He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of.

    The NSA is still going to harvest your data, laws clearly don't stop them. This will only be use as another point to increase the penalties for kids caught file-sharing, and they are already pretty extreme. $675,000 for 30 songs [npr.org], might as well be a drug dealer.
  • A technical solution to a moral/ethical problem is doomed to failure, as someone will always be able to work around the technical "solution". Stiff penalties for abusing personal information is actually a good idea, however.
    • A technical solution to a moral/ethical problem is doomed to failure,

      I'm not sure this quote is being understood correctly. Locks work fairly well for keeping people out of my house, for example. They aren't 100% perfect, but you can absolutely increase the security levels to the point where it is more effort to steal the thing than the thing is worth.

      • "Locks keep people out of my house". They don't keep bad guys out. Anyone can kick the door in. I can pick the lock, as can many other people. A lock is a REQUEST. a "do not disturb" sign.

        How about much bigger locks, like a bank vault? Have you ever noticed that most banks keep their vault door a) open and b) well polished? Does that look like security, or security theatre? Notice that next to the thick steel door is a plaster wall.

        It's fairly rare that you can increase security enough that something

        • It's fairly rare that you can increase security enough that something is more expensive to steal than it's worth.

          No, you are very wrong. In most cases it's easy. For example, in my house, the value of everything is less than $10k. If you can't think of a way to increase the cost of robbing my house to beyond $10k, you're naive.

          • I'd bet $100 I could simply kick in your door and walk out with your stuff.

            You COULD spend $10,000 on a security system to protect your $10,000 worth of stuff. That would be stupid, though, wouldn't it.

            Let's say you did spend $10,000 on security. In that case , a burglar would want to spend $4 on a ski mask and maybe $13 on a post driver to knock the door in. Then smash the door in an QUICKLY grab $3,000 worth of electronics etc. You spent $10,000, the bad guy spent $17 to defeat it (and didn't wait aroun

            • You can win any argument if you change the argument.
              • You said it's easy to secure your house such that it costs more than $10,000 to break in. I pointed out that no, it wouldn't cost more than $17 to break in. I can see why you might want to change your argument.

                • And you can't think of a way to secure my house such that it costs more than $10,000 to break in?
                  • Can you? You could cover your $10,000 house with $100,000 of concrete. It'd no longer be your house, though, since you couldn't get inside. Not a bad way to handle high level nuclear waste, though.

                    You could set up a shotgun booby trap and you'd probably end up in prison or dead.

                    Armed guards 24 / 7? Two guards at $20 / hour is $50,000 / year to protect $10,000 of property, and STILL it only costs the bad guy a few bucks to shoot them.

                    It's normally going to cost the owner more to completely protect th

                    • Well, you thought of some ways, thereby proving you are not a complete idiot. Good job.

                      You are however, irredeemably argumentative. Too bad.
                    • So in other words, no you have no reasonable way to prevent someone from breaking into your house, or even making it difficult to do so. You could just admit you were wrong instead of acting more and more of an asshole with each post.

                      Your interesting signature references beautiful open source code. Do you know how we get beautiful open source code? I post something on my github, Tim points out how it could be improved. I make those improvements, "admittingx" that my original code had flaws. Then Mary co

                    • So in other words, no you have no reasonable way to prevent someone from breaking into your house, or even making it difficult to do so. You could just admit you were wrong instead of acting more and more of an asshole with each post.

                      A lock on the front door works well enough for my own purposes. What I have seen in a case where a church kept having their televisions stolen by gang members, they got a steal door for the storage room and lined the entire inside of the room with a cage made of rebar. BTW I didn't say the security measures had to cost less than $10k, that's probably where you got confused.

                      Your interesting signature references beautiful open source code. Do you know how we get beautiful open source code? I post something on my github, Tim points out how it could be improved. I make those improvements, "admittingx" that my original code had flaws. Then Mary comes along and points out more imperfections. I admit it still wasn't perfect and make the changes. Then it goes to the integrators for a repeat. That's how we end up with beautiful code, by admitting that our first thought wasn't quite right. Hell even Microsoft admits they were wrong with Windows 8. Are you as intellectually honest as Microsoft?

                      Go ahead, check it out [github.com]

                      I am curious about your sig. What do you have going there? Tim Hunt produces some code that's beautiful in it's perfection, but you may be looking for beauty in terms of being concise and as simple as possible. There's an implementation of strcpy that's beautiful in that way, something along the lines of:

                      Generally looking for beauty in any way.....some code can be visually attractive but a nightmare to work on (li

        • "Locks keep people out of my house". They don't keep bad guys out. Anyone can kick the door in. I can pick the lock, as can many other people. A lock is a REQUEST. a "do not disturb" sign.

          Of course locks keep people out. They keep out anyone who is less determined than the effort and risk circumventing the lock poses. Why do you think criminals walk through parking lots checking door handles for open doors? By your logic they would just start smashing windows.

          How about much bigger locks, like a bank vault? Have you ever noticed that most banks keep their vault door a) open and b) well polished? Does that look like security, or security theatre? Notice that next to the thick steel door is a plaster wall.

          If you think that bank vaults are big steel doors surrounded by plaster walls, you're a dumbass.

          It's fairly rare that you can increase security enough that something is more expensive to steal than it's worth. Sometimes, but rarely. What you CAN do is avoid being low-hanging fruit.

          Oh. You are a dumbass. "Low hanging fruit" is something that is less trouble/risk to steal than its worth. Physical security revolves entire

          • I watched a thief check door handles once, looking for low hanging fruit. As I said, as long as he found plenty unlocked, the locked ones were safer. When four in a row were locked, he smashed a window. Locks didn't keep him out, not when either a lots of people used them or he saw something he wanted.

            That thief is currently serving time for murder for hire.

          • BTW, you can hook and book a Ferrari with an alarm. It's worth more than it takes to steal, so by your definition. it's. low hanging fruit. I don't think that. means what you think it means.

            I think low hanging fruit is comparative - the bad Guy won't. break into my house of my neighbor leaves his door wide open. If we ALL lock our doors, the thief will get a crow bar.

            Posted via crappy old phone that inserts extra periods.

  • Microsoft? Trying to push DRM? Well, I never.

  • by sl4shd0rk (755837) on Friday October 11, 2013 @04:10PM (#45104353)

    This sounds like a company dying of a sucking chest wound. Any way to leverage a hated technology and force it onto people while collecting money from the RIAA/MPAA for it's implementation.

  • Right... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Friday October 11, 2013 @04:11PM (#45104357) Journal
    Even if you thought that this was a good idea, how would you?

    The foundation of DRM is building computers whose primary allegiance is to some entity other than their owners, with this allegiance enforced by technical means (and, in the most pure form, building computers that 'default-deny' all non-DRMed content in order to make cracked cleartext copies from subverted systems useless: the iDevice 'app' situation or the contemporary console space is probably the best example of this: both realize that the cat is out of the bag for music, and most of the way for movies; but unblessed application binaries are simply refused; so, while doing so is easy, obtaining 'cracked' apps is useless without a blessed signing key).

    If the intended victim is end users, this works; because the root-of-control entity simply has to have financial and/or legal ties with the 'content owners' that are closer than its ties to end users.

    If actually-powerful-and-influential data brokers/advertisers/spooks/etc. are the target, though, who, pray tell, is going to be the cryptographic root of control? Google? Uncle Sam? Microsoft? Don't be absurd.
    • No idea, but I suspect it starts and ends with gullible people giving MS money.
    • The allegiance would be to Microsoft. Microsoft would take the power from both users, and the content creators.

      Much like Apple has done with their iPhone.
      • I find it hard to imagine that they weren't deliberately being dicks when they named their 'enterprise' DRM-for-documents-and-stuff system "Rights Management Services" and refer to it as 'RMS' throughout the documentation.

        That aside, they probably are proposing themselves as the totally-neutral-and-disinterested seller of 'trusted' systems and software to absolutely everybody. Like good old Clipper; but private sector!
    • The foundation of DRM is building computers whose primary allegiance is to some entity other than their owners, with this allegiance enforced by technical means (and, in the most pure form, building computers that 'default-deny' all non-DRMed content in order to make cracked cleartext copies from subverted systems useless: the iDevice 'app' situation or the contemporary console space is probably the best example of this

      In 1985, legit consumers saw this default-deny policy as a feature. They had been burned by a flood of poor quality releases on the Atari 2600, and not having to take a chance on a game that turns out to be absolute crap was a selling point for the then-new Nintendo Entertainment System. A gamer back then didn't want the hardware's allegiance to be to him because he lacked the time and money ($60 or more after adjusting for inflation) to buy each new game and vet it himself.

      • You don't really need 'default-deny' in the DRM sense to achieve that, just a simple, trademark-law-backed seal of approval (which, indeed, Nintendo had, and slapped on more than few totally shit titles, so long as the vendors thereof were participating in their licensing program... not unlike the notorious dogs for the Atari 2600 that were first-party releases, and thus would have cut like a neutrino through any default-deny policy built into the 2600...)

        For any console in the pre-networking period (def
        • by tepples (727027)
          Thanks for reminding me about certification marks [wikipedia.org]. Now I'll see how certain PlayStation fans who trot out the 1983-1984 console recession as an argument in favor of entry barriers react to this.
    • "some entity other than their owners" but what if YOU own and enforce it.

      "Publish" all of your data to a backup drive, apply DRM to "secure it*" and issue take downs to any intruder (like the NSA) to force them to remove it or face litigation and hassles from the sheriff.

      All you need to do is have a warning page/file at the lowest lever on the backup drive and then encrypt your backup.

      *) "Secure it" can be as flimsy as the original DVD DRM. The point is to insure the protection of the law, however unwilling

      • Unlike copyright (which creates an ownership right/control in the given work regardless of how it was obtained), DRM only makes attacking the DRMed system legally problematic. It provides no protection whatsoever if the same data are obtained by other channels, and is legally in the same (uncertain in the US, somewhere between 'leaky' and 'sunk' in the UK) boat as conventional personal data encryption for protecting media seized directly by the feds. In the UK, the RIPA allows them to compel you to disclose
  • by evilviper (135110) on Friday October 11, 2013 @04:13PM (#45104369) Journal

    In this case, the "DRM" in question a tiny bit of metadata saying "please don't do X with this".

    Sure, your data is encrypted, but as with all DRM, you're giving out the decryption key along with it. It was always a stupid idea that can NEVER work.

    If you want to see the end result of well-implemented DRM, see Blu-rays... Everybody can play and copy any Blu-ray disc they want, but somebody has to go through the small hassle to do so. If the official player programs weren't closed-source and heavily obfuscated, it wouldn't even take any effort at all. That is really why Microsoft likes to push DRM... It's a back-door way to eliminate open source software from consideration.

    So the crux of his point is: âoeYou want to say that there are substantial legal penalties for anyone that defies the rules in the metadata. I would make it a felony to subvert those mechanisms.â

    Without the laws in place to enforce that, DRM doesn't help you AT ALL. With the laws in place to restrict what can be done with your private information, YOU DON'T NEED THE DRM.

  • There may be some specific instance where I would consider using DRM, but mostly DRM stupidly prevents valid usage while failing to stop a persistent attacker. It's the nature of such things.

    That is unless, of course, you're counting all encryption as "DRM". Encryption is useful. But the main reason Microsoft wants to push DRM for personal/business documents is that, by having their own proprietary DRM scheme, they create a stronger form of vendor lock-in. They can make it so that, if you want to read

  • ...if you'd use an armored division of WW2 era tanks to defend your home.

    DRM doesn't work very well...in those few situations where it does work, it's an enclosed environment with a massive investment in identity management. The real key to making DRM work is being able to assert who people are...otherwise you can't tell people apart, and thus can't differentiate between who should and should not be allowed to see the content. So it's infeasible for "personal" use, off the bat; if you don't control the en

  • by Anonymous Coward

    Now all I need is a team of lawyers!

  • I think this is a great place to discuss how wonderful Steam is, and how it never causes anyone any problems ever.
  • I'm sure it will prove equally so for three-letter-agencies and other government entities.

  • Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of.

    Curious how the data collectors and abusers that we're so concerned about lately are parts of the government, thus mostly immune to their nefarious work being controlled or prosecuted. As the saying goes, "it's okay if I do it but not if YOU do it."

  • by Anonymous Coward

    Felony used to be limited to the most serious of crimes. Now we permanently cripple their ability to survive over such petty issues as copyright infringement.

  • #1) "felony" is US-centric. The MS guy obviously ( still ) thinks the entire internet is governed by US laws. Prolly a balding 60-year old who has lost touch with reality, and especially with where, nowadays, innovation is coming from. #2) I can not recall having ever seen a good idea originating within Microsoft. Nor can I recall having seen any good idea that took the internet by storm fathered or mothered by Microsoft.
  • What bugs the shit out of me is that people who should know better act as though DRM isn't impossible. Quick, describe a system to me in which I can give you my data but you can only process it in ways I approve of. That means that you can't copy-and-paste it, or even just take a film photo of the screen and scan that in. Seriously. Working copy protection cannot be implemented in this universe, perhaps short of every participating computer having a quantum component that stops working as soon as you observ

    • by black3d (1648913)

      > perhaps short of every participating computer having a quantum component that stops working as soon as you observe it.
      Shh.. don't give them any ideas. ;)

    • or even just take a film photo of the screen

      So long as drugstore photo departments continue to process film.

      and scan that in

      Scanning software and image editing software already have measures against use with images of currency.

      I'd secure my personal data with contracts that say "this is what you can do with it, and I'm going to sue you into oblivion if I find it on the Internet".

      Such a contract would apply only to parties to the contract, under the "privity of contract" doctrine. DRM lets a copyright owner use 17 USC 1201 and foreign counterparts to apply terms like these even to people who haven't signed the contract.

  • Encryption sounds like what he wants, most likely the public-private key type. It has the flaw of being uncontrollable once it's reached the recipient, and his solution proposes to solve it, but that's not how data works, so they are going to be equally efficient.
  • Whoever that guy is, he should be laughed down by the serious IT and security world for his stupid "input".

    If your security solution requires that you pass a law making it illegal to break your security, then it's not a solution.

    • by gatfirls (1315141)

      "If your security solution requires that you pass a law making it illegal to break your security, then it's not a solution."

      I love that quote. Pretty much sums up the entire argument when it comes to DRM.

      • by eyenot (102141)

        I certainly can't claim origin. I am just carrying on a philosophy / mentality that has been a "torch light" for the DIY / engineering community for decades.

        I'm glad you see the merits in that simple statement. I'm also glad I was able to have my cognitive faculties intact enough to still produce a statement that concise.

    • by lgw (121541)

      No, that's just not true. Any fool with a "bump key" can unlock my front door. The lock doesn't keep people out - the law does. The lock just makes it quite clear that a specific act breaks the law. Does that prevent all burglary? No, of course not. But it prevents a lot.

      I'm not sure how that metaphor extends to DRM protecting my personal info, but I could see making it clear to individual employees of companies that have my data that "if you do X with this data, you're committing a crime", and that

      • by eyenot (102141)

        You entire argument rests on the assumption that your bump key for your front door is secure.

        Answer? Obviously, it isn't! All you are saying, here, is that you have PURCHASED an insecure system in lieur of a security system, that you know fully well its weaknesses and that it can (basically, let's admit it -- WILL) be defeated by easy to replicate means, and that your only HOPE is that law enforcement will discourage your predators.

        I expect better debate than this out of Slashdot. Please don't respond if yo

  • except with the record companies.

    The true history is that the labels forced DRM on Apple and over time, Apple's DRM along with the popularity of iPods and iTunes gave Apple negotiating leverage over the record companies since it sold 70% + of the digital music and no one else could sell DRM protected music for the iPod.

    When they asked Apple to license their DRM, Steve Jobs said no and told them if they wanted interoperability with iTunes and iPods with other vendors let everyone sell DRM free music,

    http://w [apple.com]

  • Would You Secure Personal Data With DRM Tools?

    Well, sort of, I guess. But it's called ENCRYPTION. And the only one with the rights to that material is me.
    DRM traditionally let's other people sorta kinda maybe see the material. And is bound to fail.

  • When Microsoft and other companies try to fight copyright infringement, they essentially made the law that "making the product available" constitutes the infringement. It doesn't matter if anyone has actually downloaded the copyrighted material or used it in any way that might be illegal, the fact that the product was "made available" is a violation of the law and implies under hefty statutory damages without the owner needing to prove any damages. The corporations were successful at crafting the law that
  • We don't need DRM to protect personal data. All we need is for companies to be fined for $millions every time they let 15 parts of our personal information file get passed on to a 3rd party.

    The problem would solve itself fairly quickly that way. It may not have worked for them but there's a key difference. I am one of billions being chased by a few. They are few being chased by millions.

    Shame the end result currently is a class action, a rich lawyer, and a voucher for a 10% discount next time we hand our p

  • Let's not forget what DRM actually is. DRM-encrypted files are encrypted so that, at least in theory, only one program can read it. That program can arbitrarily impose restrictions on the user. How does that protect the user at all? From themselves and from their friends?

    Encryption is a good way of protecting your privacy. Encrypting for Microsoft is a good way of losing control of your data.

  • We defeated DRM for years, and we would want to protect us? That is nonsense.

    And legal DRM protections will not help. NSA will find a way around it, and megacorporations will rely on offshore societies subjected to different juridiction to do the dirty job.

  • While it's true that (poor) encryption is often used in DRM schemes, they aren't really the same thing. Encryption is designed to prevent third parties from observing your data without access to the decryption keys. This is an effective method of keeping secrets from adversaries even on systems that you don't know about and don't control. Contrast this with DRM which has the neigh impossible task of preventing devices, not in the custody or control of these "rights holders", from making copies of or format

  • I suppose it depends on which ones you define as shady.

    Along with most of the planet, I would describe every huge US, pseudo international, corporation as something that may well be shady. Every US TLA spook name I have ever heard of has shown itself to be shady at times. They all have what is called an "excessive sense of entitlement".

    These groups will see it as their entitlement and their duty to ignore and breach any DRM used in this way. Using DRM like this would, however, rehabilitate it in the mind

It is much easier to suggest solutions when you know nothing about the problem.

Working...