Immutable Security

Recently, I blogged about how Amazon removed certain legitimately purchased eBooks from Kindle readers. One of those books, ironically, was George Orwell’s “1984.”

Today, I learned that they’re trying to make up for the incident. According to this thread, affected users are being offered the book back or a $30 credit.

While the DRM issues are still concerning, this is a truly great response from Amazon. They know it was a mistake and are trying to make good.  Hats off for customer service.

Amazon, let’s take it one step further and get rid of the DRM on the books. Get rid of the contractual agreements that force users to leave their rights under US copyright at the door. People will still pay for a good product and we will have freed the information. Do the right thing and I’ll become a customer of your digital wares.

By now you’ve probably heard about how the Amazon Kindle erased some e-Books that were legitimately purchased. One of those was George Orwell’s “1984.” I don’t think I have to explain how that just oozes irony. Amazon apologized–a truly class act.

Today, the Consumerist ran a story on how they can’t quite get a straight answer about Kindle licensing. Licensing for a book, you say? Well, yes. Remember, with DRM things aren’t always what they seem.

You see, when you buy the eBook, you’re not really buying the book. I know, it seems like you paid for it, so it’s yours. But, according to Amazon, you really only have a license to read the eBook. It’s as if there’s some sort of special privilege they are granting you to feast your eyes on the author’s creation. Think of it as a long-term rental, which may expire at any given time.

They limit how much text you can clip from the book. US Copyright law allows you to use portions of copyrighted work without the author’s permission under certain circumstances. How much you can use very much depends on context. The courts have looked at individual cases in the past and applied certain sniff tests to determine if the use was fair. But if you buy an eBook, the author calls the shots. What you end up with is a situation where you don’t need their permission to sample the work, but where the digital locks, to which only they hold the key, effectively keep you from exercising that right.

Finally, as the Consumerist article points out, not much of this is that clear up-front. You may not actually find out about the restrictions until you run into them. By that time it’s too late.

eBook readers are convenient–there’s no doubt about that. But as I’ve said before, realize that this convenience comes at a price. That price is the loss of freedom. Think about that.

Awhile back I bought a new Toshiba laptop. I got a great deal and it looked like it would serve my needs just fine. I knew exactly how I was going to use it.

When powering new computers on for the first time, most of them immediately lead you into the Windows installation routine. That makes sense because most people want Windows. But I didn’t. This laptop came with Vista, which from a previous experience playing with, I knew wasn’t for me. For kicks, I reviewed the license agreement. That was the nail in the coffin. I declined the EULA, rebooted to an Ubuntu installation CD and proceeded to send Vista to the bit-bucket.

I knew I couldn’t return Windows for a refund. Toshiba covered that nicely with a small notice on bright paper in the laptop box. But perhaps someone else can use the copy and I can get a few bucks back, I thought. Even thirty bucks would be enough for a casual dinner out.

I decided to look at the possibility of selling my copy on eBay. According to eBay’s policy on OEM software, I cannot sell it unless I also sell the original hardware the computer came with. Apparently, I can’t just ship the customer an old motherboard. Or if I do, it sounds like it would be a technical violation of the policy.

So, here I am. I have a copy of Vista I don’t want. I did not agree to the license terms and still, I can’t sell my copy of Windows (at least on eBay). Although I in no way agreed to Microsoft’s terms and conditions, including the condition that OEM software must be sold with hardware, I am still somehow bound by it.

If copyright law grants me the first-sale doctrine right and if I refuse to accept additional licensing terms from the copyright holder, how can the copyright holder assert any additional rights over what the law allows? Food for thought.

When Apple, Amazon and others encumbered their music with DRM, it cause all sorts of mayhem. People had issues playing music on and transferring music to multiple devices, DRM servers went down, causing music to be unplayable; in some cases, they even had to re-purchase their once legitimately purchased music.

Although the media industry seems to have an ongoing affair with DRM, they realized that it was affecting consumer confidence and the ability to really make digital downloads take off. When encountered with the choice of DRM and free but questionably legal downloads, many preferred the path of least resistance. They weren’t necessarily opposed to paying for media, but didn’t want to be hassled by all of the obstacles.

A calculated gamble, the industry started to release MP3s, unencumbered. They sounded good. You could play them anywhere. And if the DRM server went down there were no problems.  The media industry and its customers had found a truce, it seemed.

But like most interesting stories, this one had a twist. The media was unencumbered with technology, but there were licensing agreements one had to agree with in order to get at the unencumbered media. That is where, as they say, the devil was–in the details.

Take Amazon’s Terms of Use for its MP3 download service. Section 2.1 states, in part (emphasis mine):

Except as set forth in Section 2.1 above, you agree that you will not redistribute, transmit, assign, sell, broadcast, rent, share, lend, modify, adapt, edit, license or otherwise transfer or use the Digital Content. You are not granted any synchronization, public performance, promotional use, commercial sale, resale, reproduction or distribution rights for the Digital Content.

In short, this means that although you can play it as much as you like, forget about selling it to someone else. There’s no selling that MP3 on e-Bay after you’re tired of it. You can’t give it to Grandma as a birthday present. You can’t trade it in for something else.

Contrast this with a traditional CD. You can go into any store and purchase a CD for cash. There are no licencing terms to deal with. You can sell it, trade it lend it, or even make a tacky wind chime.  You can do anything you want as long as you’re recognizing copyright law.

In the US, copyright allows for a balance between the copyright holder and the consumer of the copyright. The law recognizes that the copyright holder does not have exclusive rights to the work, insofar as they cannot completely control what you can do with it. One of those rights is the first-sale doctrine.

The first-sale doctrine basically says that once a good is legitimately acquired (i.e. purchased), the copyright holder has no say in what you do with it afterwards. You can buy one for Grandma, sell it to the guy down the block and even make one of those tacky wind chimes. You can do so because the law allows you to. It’s entirely ethical and it recogizes your freedom as an individual.

When you agree to terms of use such as those from Amazon, you voluntarily relinquish some of those rights. You’re making a trade-off decision: “I’m willing to give up certain rights for the convenience of sitting in my comfy chair and getting some instant gratification.”

As long as you go into that decision with all of the facts, that’s fine. But consider the long-term consequences. If this continues, the media aftermarket will be annihilated. No longer will you be able to get rid of that old stuff so you can have a few bucks for your new tastes. You will have contracted your rights away little-by-little until eventually, the media giants call all of the shots.

Welcome to Immutable Security. It is my pleasure to begin this journey with you. As we move on, we’ll cover topics of interest to information security practitioners and those who value privacy and liberty in the information age.

Why another blog? I have a few reasons for wanting to contribute to the dialogue:

1. Too may security blogs focus on the vulnerability or exploit of the day, while ignoring the bigger picture. We’re stuck in this cycle of reaction to the latest threat, when the sad reality is that most organizations fail at the security fundamentals. We need to take a step back to explore where the world of information protection is heading, and whether we’re working on the right problems.

2. The digital age has made handing over you fundamental rights to liberty and privacy all to easy. Whereas the first-sale doctrine was once well understood, licensing terms on digital goods constrain what we can do with goods we legitimately purchased. Fair use is attacked en-masse with DMCA take-down notices, while digital locks prevent us from something as simple as taking a small excerpt for classroom discussion. And just when we thought we were doing the right things, the terms change. The balance has shifted unnaturally from the consumer to the rights holder. This deserves attention and discussion.

3. In my career in information security I have learned so much from others. I feel I have something to give back. I would not be where I am today had it not been for others posting their tips-n-tricks on the web. While many of the postings will be conversational, expect deeply technical postings, as well. I’ll share what I have learned so that you may better protect yourself.

I hope you stick around for the ride. It’s sure to be an interesting one.