Thoughts on Ebook DRM Standards

I’ve recently been performing some research into so-called “social DRM” as it applies to digital files for my own knowledge bank. I’ve been very interested in the approaches to DRM shown by groups such as The Pragmatic Programmers and ebooks purchased from outlets like Lulu, where the name of the purchaser is automatically embedded within the purchased file in order to provide some measure of discouragement against sharing/piracy.

iTunes has done this from the start, and even though they have dropped the traditional notion of DRM from their music files now, they still mark each and every file you download with the email address of the Apple ID used to purchase the song. It’s not used in any sort of enforcement application (that we know of to date), but knowing it’s there stops some people from posting the tracks publicly or sharing them with anyone who is not a close personal friend or relative (my conjecture).

In doing this research, I ran across a two-year-old blog post from Bill McCoy of Adobe. He has some words to say about the same, which is fascinating coming from the GM of their ePublishing department. His comments are in reaction to the Steve Jobs note from 2007 regarding music and DRM—something that ended up happening less than two years after the fact. I also ran into some more recent comments from McCoy, speaking to the establishment of a DRM standard that is cross-platform instead of complete advocacy for the removal of traditional DRM systems from ebook titles.

Let’s talk about why this isn’t feasible and how we can learn from the past.

First, some quotes from the Steve Jobs piece.

To begin, it is useful to remember that all iPods play music that is free of any DRM and encoded in “open” licensable formats such as MP3 and AAC. iPod users can and do acquire their music from many sources, including CDs they own. Music on CDs can be easily imported into the freely-downloadable iTunes jukebox software which runs on both Macs and Windows PCs, and is automatically encoded into the open AAC or MP3 formats without any DRM. This music can be played on iPods or any other music players that play these open formats.

Ebooks have no equivalent to the CD in terms of the adoption of digital files. I can’t just shove my books into my computer and receive ebook versions of the same. This is a fundamental difference in the adoption of digital books versus digital music (and also in the adoption of downloadable video).

Since Apple does not own or control any music itself, it must license the rights to distribute music from others, primarily the “big four” music companies: Universal, Sony BMG, Warner and EMI. These four companies control the distribution of over 70% of the world’s music. When Apple approached these companies to license their music to distribute legally over the Internet, they were extremely cautious and required Apple to protect their music from being illegally copied. The solution was to create a DRM system, which envelopes each song purchased from the iTunes store in special and secret software so that it cannot be played on unauthorized devices.


To prevent illegal copies, DRM systems must allow only authorized devices to play the protected music. If a copy of a DRM protected song is posted on the Internet, it should not be able to play on a downloader’s computer or portable music device. To achieve this, a DRM system employs secrets. There is no theory of protecting content other than keeping secrets. In other words, even if one uses the most sophisticated cryptographic locks to protect the actual music, one must still “hide” the keys which unlock the music on the user’s computer or portable music player. No one has ever implemented a DRM system that does not depend on such secrets for its operation.

This is a good basic description of what DRM is and how it operates. Apple holds all the keys in this situation. Jobs goes on to describe three potential outcomes for the DRM situation in the music industry. The first:

The first alternative is to continue on the current course, with each manufacturer competing freely with their own “top to bottom” proprietary systems for selling, playing and protecting music. It is a very competitive market, with major global companies making large investments to develop new music players and online music stores. Apple, Microsoft and Sony all compete with proprietary systems. Music purchased from Microsoft’s Zune store will only play on Zune players; music purchased from Sony’s Connect store will only play on Sony’s players; and music purchased from Apple’s iTunes store will only play on iPods.

This is the current state of ebook DRM. Multiple vendors, multiple locking schemes. Books downloaded on one device won’t necessarily play on another. Worse yet, if your DRM provider either goes out of business or shuts off their DRM servers, you’re left with a file that doesn’t work any more and has been stripped of its worth. Customers don’t like being ripped off.

The second option:

The second alternative is for Apple to license its FairPlay DRM technology to current and future competitors with the goal of achieving interoperability between different company’s players and music stores. On the surface, this seems like a good idea since it might offer customers increased choice now and in the future. And Apple might benefit by charging a small licensing fee for its FairPlay DRM.

This has been suggested by many as a standardized counterpart to the Epub file standard. Since the file format has found standardization, why not standardize a locking scheme? Every file will be encrypted with the same key and method, and then everybody’s files will work on everybody’s machines, since the machine manufacturers have been given access to the same. McCoy actually has spoken in the recent past concerning this very idea.

The problem is that it’s doomed to fail. Jobs knew this:

However, when we look a bit deeper, problems begin to emerge. The most serious problem is that licensing a DRM involves disclosing some of its secrets to many people in many companies, and history tells us that inevitably these secrets will leak. The Internet has made such leaks far more damaging, since a single leak can be spread worldwide in less than a minute. Such leaks can rapidly result in software programs available as free downloads on the Internet which will disable the DRM protection so that formerly protected songs can be played on unauthorized players.

This, of course, leads to the inevitable conclusion as to why DRM is a bad thing. It’s a never-ending game of cat-and-mouse with people who are trying to unlock their files. A universal system will be broken faster than you can invent it. DVD CSS encryption was broken due to this very principle—having the key available to every device out there only ensured that the cryptographic scheme would be broken eventually. All of this leads to changes to the system that can only inconvenience your best customers, who are the ones who like giving you their money in exchange for a product or service.

The third option Jobs discusses:

The third alternative is to abolish DRMs entirely. Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat. If the big four music companies would license Apple their music without the requirement that it be protected with a DRM, we would switch to selling only DRM-free music on our iTunes store. Every iPod ever made will play this DRM-free music.

Why would the big four music companies agree to let Apple and others distribute their music without using DRM systems to protect it? The simplest answer is because DRMs haven’t worked, and may never work, to halt music piracy.

Clearly (and thankfully), cooler heads prevailed in the music industry—or quite possibly, they didn’t have a choice—and this argument won out. DRM is quickly disappearing from the music scene, and there have been no reports that sales have suffered as a result. Customers are unencumbered with files locked to a particular ID or account, and the music industry still gets its money. Luckily, they figured this out before it was too late.

This is where electronic publishing needs to go, and it needs to get there faster if it is going to survive. The temptation in these tough economic times is to grab hold of intellectual property and refuse to let it go unless it’s absolutely necessary, but the lessons of the past indicate that to be precisely the opposite action required. Opening up the floodgates for digital content and making it easy to consume and use appears to be the most beneficial path available. Making it convenient and easy for consumers to purchase your goods means more of them will do so. Happy customers mean making money.

Not long after Steve Jobs wrote his letter to the music industry asking for the removal of DRM, Bill McCoy wrote this:

Jobs has clearly elevated the DRM debate to a new level. His offer to stop selling DRM protected music altogether on the iTunes Store, if the top four music companies agreed to eliminate the DRM requirement, certainly raises the ante. As a consumer and advocate for maximum access to information, I hope that the “Jobs Principle” that DRM hurts content publishers as well as consumers spreads, not just for music but for other forms of content. For eBooks, I really like the “social DRM” approach of The Pragmatic Programmers, who “stamp” PDF eBooks with a “For the Exclusive Use of …” and the name of the purchaser. Given that they are making more than 30% of their total sales on eBooks, far more than any other traditional publisher, it’s hard to argue that this approach is infeasible.


I would like nothing more than to have DRM technology just fade away. After all the main challenge we have in digital publishing is to get it adopted by mainstream consumers. And the main challenge 98% of book authors and publishers have is to get people to be aware of their books, not to prevent piracy. So my challenge to print publishers and authors: why not support “social DRM”, rather than heavyweight DRM? If that’s a direction you are willing to go, Adobe will back you up, 1000%.

“Social DRM” seems to be the future of protecting your digital content from would-be pirates and sharers of information. In the ebook world, this means that the bottom of each page, or perhaps the inside page, of an electronic book is stamped with your name and perhaps your account number or other personally identifying information. This acts as a significant deterrent to those customers who would openly break copyright laws and choose to share these unlocked documents with others or with download sites.
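An added example, not code from any vendor named in this post, showing the visible stamp described above applied to an EPUB-style zip, plus a store-keyed HMAC record so the seller can tell a stamp it issued from one forged in another customer’s name. The key, the `META-INF/stamp.json` path, the record fields and the sample book are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import html
import io
import json
import zipfile

STORE_KEY = b"constructed-example-key"  # assumption: secret held only by the store

def _tag(name, order_id):
    # HMAC binds the stamp to the store, so a forged name will not verify.
    msg = json.dumps([name, order_id]).encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()

def make_sample_book():
    """Constructed input: an EPUB-style zip with one XHTML chapter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/epub+zip")
        z.writestr("OEBPS/ch1.xhtml", "<html><body><p>Chapter one.</p></body></html>")
    return buf.getvalue()

def stamp(book, name, order_id):
    """Copy the book, adding a visible footer per chapter and a tagged record."""
    footer = f'<p class="stamp">For the Exclusive Use of {html.escape(name)}</p></body>'
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(book)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():  # keeps "mimetype" first, as EPUB requires
            data = src.read(item.filename)
            if item.filename.endswith(".xhtml"):
                data = data.decode("utf-8").replace("</body>", footer, 1).encode("utf-8")
            dst.writestr(item.filename, data)
        record = {"name": name, "order": order_id, "tag": _tag(name, order_id)}
        dst.writestr("META-INF/stamp.json", json.dumps(record))
    return out.getvalue()

def verify(book):
    """Return (name, order_id) if an authentic stamp is present, else None."""
    with zipfile.ZipFile(io.BytesIO(book)) as z:
        if "META-INF/stamp.json" not in z.namelist():
            return None
        try:
            rec = json.loads(z.read("META-INF/stamp.json"))
            ok = hmac.compare_digest(rec["tag"], _tag(rec["name"], rec["order"]))
        except (ValueError, KeyError, TypeError):
            return None
    return (rec["name"], rec["order"]) if ok else None
```

The stamped file stays readable in any reader, matching the “not explicitly limiting copying” model: the stamp identifies the purchaser and does nothing to restrict use.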

McCoy outlines three options in his most recent article as to the future of ebook DRM, which he sees in a unified format and application:

There are many possible roads to Rome. One is “social DRM”: not explicitly limiting copying, but “watermarking” user information into content, visibly (“Ex Libris …”) and/or invisibly. Another is that the industry, perhaps through a body like the IDPF, would adopt a de jure ebook DRM open standard. Lastly, a particular vendor’s solution might become a de facto cross-platform standard, with support across a critical mass of desktops and devices.

Only one of those roads actually leads to Rome for both publishers and customers: social DRM. A de jure DRM standard would be broken unbelievably quickly, which would limit its effectiveness and drive customers crazy when the industry tried to fix it. As an example of this type of DRM, he (earlier in the article) references the DVD CSS implementation, where every disc and every player has the same implementation of DRM. That system was defeated years ago, and in any case certainly hasn’t stopped people from pirating DVDs. Putting all the eggs in one vendor’s basket likewise seems to be a very poor idea, as it puts pricing and distribution under monopolistic control (but discussion of Kindle will have to wait for another post).

Social DRM does everything it needs to. It provides customers with a file they can use and even lend to people within a certain circle—something they can already do with print books—and it provides publishers with at least some kind of buffer that people aren’t going to be throwing up complete collections on Web sites for the entire world to download.

It’s easy to say that ebook publishing is in its infancy, but the truth is that it’s not. Ebooks have been around for longer than a decade; this is merely the second go at them. The first one didn’t make it because of cost and platform restrictions. It’s too early to say what’s going to happen this time around, but I do hope that the publishing industry takes its cues from the music industry and makes the right choice for the customer.