The Incredibly Technical History of Digital Rights Management
DRM, one of the internet’s dark arts, was already in the works—complete with epic patents—years before the existence of Napster gave it a business case.
A version of this post originally appeared on Tedium, a twice-weekly newsletter that hunts for the end of the long tail.
Digital rights management seemingly came out of nowhere to define our relationship with technology in the modern day.
Popularly, it seemed like its birth had come as a direct response to the growth of piracy in the film and music industries, but what's interesting—and perhaps not properly contextualized—is that it existed for years prior to Napster, and had a technical component before the Digital Millennium Copyright Act gave it a legal component.
The roots of DRM go back a little further than you might guess. Here's how those roots have played out in the broader market.
"We felt that this would be impractical and inconvenient for users and expensive for IBM. We also concluded that any single-machine locks and keys, or special time-out and self-destruct programs, would be onerous to our best customers and not effective against clever thieves. Because we could not devise practical physical security measures, we had to rely on the inherent honesty of our customers. Our hope was that legal protection and criminal prosecution would limit the piracy problem."
— Watts S. Humphrey, an IBM employee in the late 1960s, discussing the decision by the company to move away from any effort to heavily protect its software through encryption. The issue came up for the company in 1969, after the firm decided to unbundle its software from hardware. Decades later, IBM would produce its own DRM technology called Cryptolope.
The roots of modern digital rights management came from the world of libraries
The word "middleware" isn't sexy. Nor is the word "container." And "encryption," while slightly more sexy than the prior two words, just isn't the kind of phrase that rolls off the tongue.
"DRM"? Now that's a sexy phrase—a memorable one that sticks with people. But the terminology didn't come about right away, and a big part of that has a lot to do with the fact that the problem of securing copyrights online was something that engineers and researchers were initially focused on.
Specifically, one company, made up of a whole lot of academically-minded engineers, lined the roads on which a lot of secured content would drive down. That company was called Electronic Publishing Resources, Inc., a firm that used the words "middleware," "container," and "encryption" to describe its earliest attempts at the creation of DRM.
The firm was founded by a guy named Victor Shear, who built his name in the information management sector. In the 80s, he was the head of a Maryland company called Personal Librarian Software, which produced a database management system that could effectively manage historic information. This company, which mostly served large corporations, exposed some of the earliest roots of digital rights management, as it Shear's company pondered ways to limit access to different kinds of information.
A 1986 patent, credited to Shear, explained the issue as one of "return on investment," in which methods of "tamper-proof" protection, such as a self-destruct feature, were added to the software to limit how much access a user had based on their payment. A 1989 article for Online noted that the goal of the software, which was literally called ROI, was to allow for access to CD-ROM databases both within libraries and outside of them, while ensuring the creators of those databases got paid. Per the article, the method was described as such:
PLS believes that libraries, as centers for subscription-based CD-ROM usage, would "seriously undermine potential CD-ROM publishing subscription revenues by providing users with an alternative to contracting for expensive subscription licenses." PLS believes that ROI would lessen the need for reliance on libraries and information centers "while providing a level of convenience and real-time response with which libraries can not compete."
This model clearly wasn't long for this world—as I noted recently, encyclopedias were very much a race to the bottom once CD-ROMs came along—but it did inspire Shear's follow-up company, Electronic Publishing Resources, later renamed InterTrust. By the mid-1990s, InterTrust had strongly advanced the ideas around the monetization and security. And they did so with some of the most complex patents you've ever seen. This one, for example, is 178 pages long (in tiny type), and includes 100 separate patent illustrations.
In the paper "DigiBox: A Self-Protecting Container for Information Commerce," three of Shear's colleagues—Olin Sibert, David Bernstein, and David Van Wie—explain, in depth, the process of creating a secured container around a piece of information, with the goal of protecting the object's commercial value.
"Without rules to protect the rights of content providers and other electronic community members, the electronic highway will comprise nothing more than a collection of limited, disconnected applications," the authors argued.
The technology, called DigiBox, was perhaps the first, and most important, piece of modern digital rights management software. It would soon have many imitators—but none of them would be able to compete in quite the same way.
Big companies suddenly become interested in DRM's potential value
In the early 90s, idealists like Electronic Frontier Foundation founder John Perry Barlow saw the internet as an opportunity to fix the status quo of information exchange. Rather than keeping information locked away, the digital revolution, particularly online, would radically reinvent copyright.
"Everything you know about intellectual property is wrong," Barlow explained at the beginning of one essay on the topic for Wired.
Another digital visionary, a Xerox PARC research fellow named Mark Stefik, tried his hardest to prove Barlow wrong. In a 1997 essay for the Berkeley Technology Law Journal titled "Shifting the Possible: How Trusted Systems and Digital Property Rights Challenge Us to Rethink Digital Publishing," Stefik specifically references Barlow's comments, then calls them short-sighted, emphasizing that copyright did have a role in the digital revolution. He then, in a lengthy, technical essay, described the ways that digital rights management could work in practice.
"With digital works, it need not be the case that transfer rights are free or universally granted," Stefik noted in a section about the difference between copying (which Xerox, of course, is known for) and transferring information. "Publishers could charge a small fee whenever a work is transferred between repositories. The same mechanisms that prohibit copying without a right to copy could prohibit transferring without a right to transfer. The same billing mechanisms for a copyright work for a transfer right. The technology itself is neutral on this point. Trusted systems could enforce either policy."
The work of Stefik and others at PARC eventually came to be known as ContentGuard, a technology that would grow in prominence as the interest in digital rights management grew in the industry.
Not long after Xerox PARC formulated the idea, IBM licensed its own version of it from Xerox, putting its own twist on it, calling it a cryptographic envelope, or cryptolope. (Is "cryptolope" a sexy term?) The idea was part of IBM's efforts to create "plumbing" online—that is, they wanted to run the internet's backend, and offering digital rights technology was a small part of it. It sold off its content businesses, but offered its cryptolope as a way to secure online distribution of both content and Java applications.
IBM's early efforts ultimately failed in part because its technologies asked too much of 90s computers. But the fact that IBM cared at all showed that DRM would soon become the lingua franca of big business, whether consumers liked it or not.
Case in point: More than 120 companies worked together on something called the Secure Digital Music Initiative, a group formed in 1998 with the goal of creating an open framework for sharing encrypted music—an unusual goal when you explain it like that.
The group tried to balance the interests of both the music industry and the average consumer: "SDMI's work is based on the core principles that copyrights should be respected and that those who wish to do so should be able to use unprotected formats," the group explained in a fact sheet.
SDMI ultimately failed to give us a universal DRM standard, but its concepts did create a framework for a technology that's still heavily used today: The Secure Digital memory card.
The earliest DRM building blocks have proven most successful in the courtroom
If you look at the InterTrust website today, they look like basically any other enterprise cloud computing player, offering up tools that are clearly designed for large businesses instead of mere mortals.
But InterTrust, as a company, wouldn't exist today if it were not for an incredibly ballsy lawsuit against Microsoft. In 2002, the company sued over the technologies in Windows Media Player—then expanded the suit to cover every major product line Microsoft had at the time, including Windows XP, Microsoft Office, and the Xbox.
The move came in part after a lack of success selling software—including a failed effort at launching a digital music store named after its encryption technology, DigiBox.
But it also was the result of the fact that InterTrust had created patents so immaculate and well-considered that it would have been wrong not to sue—you don't create a patent with 100 separate drawings to just put on the shelf, never to use again. And they seemed to know this going in. Of InterTrust founder Victor Shear, one former employee told Fortune: "He never let us forget that we were not 'protecting music,' but 'developing the basis for a civil society in cyberspace.'"
And that civil society in cyberspace paid well. Just a few years after Microsoft agreed to a major antitrust settlement, it agreed to a major InterTrust settlement, with the DRM maker receiving a $440 million payday. The gamble worked.
Years later, InterTrust received a similar settlement from Apple, though it's not all about litigation for the company. Earlier this year, they launched a partnership with Google called PatentShield to defend small startups against patent lawsuits.
While InterTrust's approach has proven effective over the years, its best-known DRM competitor, ContentGuard, has had a bit less luck doing the same thing.
It was spun off from Xerox in 2000 at the behest of Microsoft, and the bones of the firm were eventually sold off to a trio of firms—Microsoft, Time Warner, and Thomson—and its technology helped lead the way for Microsoft to produce its own DRM, PlayReady. (It also helped the acquisition took place around the time MS settled with InterTrust.)
But in 2011, the company was sold to Pendrell, a firm that invests in valuable intellectual property.
ContentGuard actually makes new apps with its technology—it built a Snapchat clone in 2014, for example—but it's better known these days for suing the pants off of companies with DRM interests, like Apple, Samsung, and Google.
Those lawsuits, taking place in the patent-lawsuit-friendly Eastern District of Texas, have not gone well, with courts often finding against ContentGuard.
It's probably because they didn't use as many patent drawings.
In 1999, two European security experts created a tool called DeCSS, a utility that infamously broke the Content Scramble System, the movie industry's attempt at putting DRM into the the DVD format.
Its creation both set the stage for the widely successful digital film piracy industry we have today, and also gave consumers more control over the product they owned. One thing it didn't do, however, was destroy the film industry.
On its own, the creation of DeCSS should have made a powerful case to content makers that digital rights management was bad news. But it took a media mogul to put a puncture hole into the heart of digital rights management as a consumer platform, at least in the case of music.
A decade ago, Apple CEO Steve Jobs famously wrote an essay titled "Thoughts on Music," in which he made the case against licensing his company's FairPlay encryption software, which he noted would have to be hardened up significantly if it were sold to other vendors and made universal. He then made the case that nearly all music was already sold in a DRM-free format, using these old, outdated things called CDs.
"So if the music companies are selling over 90 percent of their music DRM-free, what benefits do they get from selling the remaining small percentage of their music encumbered with a DRM system? There appear to be none. If anything, the technical expertise and overhead required to create, operate and update a DRM system has limited the number of participants selling DRM protected music," he wrote.
What's fascinating about this document is that, 38 full years after IBM decided against what became DRM for its business software, Jobs made the case against it with much of the same kinds of thinking that his company's onetime biggest competitor used: It hurts consumers who play fair far more than it hurts those who steal content; it was frustrating and inconvenient; and it required a large investment of time and money that could be better spent elsewhere.
It was a seed of an idea that proved far more effective than any software-based security system, closer in mindset to John Perry Barlow than Victor Shear.
In just a few years, Jobs's arguments paved the way for a change in negotiating strategy, and effectively killed digital rights management for the music industry.
Of course, it only came back after Spotify became popular and killed the idea of ownership entirely.