Pluralistic: The urinary tract infection business-model (03 Dec 2022)


Today's links



A wood-paneled living room with a large flat screen TV on a stand. Before the TV sit two small boys with their arms around each others' shoulders, sitting crosslegged on the carpet in front of the set. The screen of the set displays a giant arcade machine '25¢ Push to Reject' coin-slot. Above the set, the glaring red eye of HAL9000 from 2001: A Space Odyssey oversees the scene, ringed with a burned circle.

The urinary tract infection business-model (permalink)

There were two competing visions at the dawn of the modern digital era: in one camp, you had people who saw computers as a way to empower people to push back against corporate and state control; in the other camp, there were the people who wanted to use computers to transfer power from the public to corporations or governments.

I've always been baffled by the technologists who pursued control over liberation: surely their own formative experiences were of the liberatory power of technology. After experiencing that power, how could these Vichy nerds lend their skills to the project of forging digital shackles?

https://pluralistic.net/2020/10/12/redeeming-hackers/#origin-stories

And yet, there they were, from the earliest days. Back in 2017, Redditor /u/vadermeer was browsing a Seattle thrift-shop and unearthed a trove of early internal documents from Apple's SSAFE project, an early, doomed DRM project from 1979:

https://www.reddit.com/r/VintageApple/comments/5vjsow/found_internal_apple_memos_about_copy_protection/

The files (now hosted at the Internet Archive) are a chronicle of the battle between technologists pursuing user liberation and technologists who want to use computers to control their users. There are some great cameos from Woz:

https://archive.org/details/AppleSSAFEProject

SSAFE bombed, but the fight raged on for decades and rages on still. I've been in the thick of it for more than 20 years – literally. My first day on the job for EFF, back in 2002, was spent attending the inaugural meeting of the Broadcast Protection Discussion Group (BPDG), an inter-industry conspiracy to put all computers in chains, forever:

https://pluralistic.net/2022/01/02/the-internet-heist-part-i/

The BPDG's mission was to create a standard for a Broadcast Flag a single bit that would be included in the headers for video files. If the flag was present, any device that encountered the video would have to restrict its playback, checking to see whether and under what circumstances that playback could occur.

In order to make this work, the group – an alliance of giant corporations from consumer electronics, IT, broadcast/cable/satellite and movies – would get a friendly lawmaker (Billy Tauzin, one of the dirtiest Congressmen who ever held office) to pass a law that required anyone building a video-capable device to seek out and respond to the flag.

As part of this proposal, all video-capable devices would also need to be "resistant to end-user modification" – that is, they'd have to have enough Digital Rights Management (DRM) technology to trigger Section 1201 of the Digital Millennium Copyright Act (DMCA), which banned removing copyright locks on penalty of a 5-year prison sentence and a $500k fine.

Strip away all the acronyms and obfuscation and here's what that meant: if this group got their way, every computer would only run proprietary software (no free software/open source allowed) and if you tried to reverse-engineer it to change it to do your bidding in any way, you could be sent to prison for five years.

Under this system, whatever restrictions the manufacturer imposed on the use of their computer-enabled products would be the final word. It would be a felony for a rival to make a tool that plugged into their system and let you do stuff the manufacturers blocked, even if that stuff was perfectly legal.

For example, under this system, distributing ad-blockers would be a felony. If the manufacturer designed a computer – any computer, whether or not it was used to watch video, because the standard was video-capable not video-intended – so that the browser used the operating-system's DRM to prevent ad-blocking, bypassing it would be a crime.

At the time, we warned that giving manufacturers the power to restrict how you configured your own digital products would lead them to abuse that power – not to prevent copyright infringement, but to shift value from you to them. The temptation would be too great to resist, especially if the companies knew they could use the law to destroy any company that fixed the anti-features in their products.

Sometimes, this was dismissed as fearmongering, with company insiders insisting that they knew their colleagues to be good and honorable people who wouldn't ever abuse this power. I expected that: no one is the villain of their own story, and we are all prone to inflated assessments of our power to resist moral hazard.

But there was another response to our activism, one that was far more telling: "Yes, we are going to take away all the features you get with your digital media and sell them back to you one click at a time. So what?"

These people were in thrall to a specific ideology: the neoliberal doctrine that markets are the most efficient way to allocate resources, and anything that isn't a market can be improved by turning it into one.

That's the species of brain-worms that leads "entrepreneurs" to flood the entire IRS switchboard with thousands of auto-dialers and then auction off the right to be bridged into a call when someone picks up:

https://pluralistic.net/2021/10/07/markets-in-everything/#no-th-enq

It's the same species of brain-worms that causes "entrepreneurs" to make apps that let people vacating a public parking spot sell off the right to park there next:

https://www.theverge.com/2014/6/23/5836232/san-francisco-is-going-after-apps-that-let-people-sell-their-public-parking-spots

It's the same species of brain-worms that causes "entrepreneurs" to make fake bookings for every hot table at every restaurant in town and then auction off the right to dine:

https://brianmayer.com/2014/07/how-i-became-the-most-hated-person-in-san-francisco-for-a-day/

In the case of digital media, these brain-worms manifested as the certainty that we get too many rights when we buy or subscribe to digital media. The argument goes:

  • When you buy a book or movie or song or game, you may not want the right to sell it on the used market, or give it away, or re-read or re-watch or re-listen to it;

  • Because the only way to get media is to buy it outright, you might be paying more than you need to for that media;

  • Perhaps the seller would offer you a discount on a book you could only read once, or a Christmas movie you could only watch in July;

  • The blunt instrument of sale means that there are lots of discount offers that never get made, so there are lots of people with less money to spend who are excluded from the market.

Put that way, it sounds reasonable, and indeed, in the margins, there have been some successes from the ability to transform an unconditional sale to a conditional license. You can "buy" a streaming movie on Youtube for $10, or "rent" it for $3; and you can pay $10/month for ad-free Spotify, $5/month for Spotify with some ads, or $0/month for ad-heavy Spotify.

But these are exceptions. Most of the pre-digital offers aren't available at any price: you could buy a DVD and keep it forever, even if you never went back to the store again. If you "buy" a video on Prime or YouTube and then cancel your subscription and delete your account, you lose your "purchase."

If you buy a print book, you can lend it out or give it away to a friend or a library or a school. Ebooks come with contractual prohibitions on resale, and whether an ebook can be loaned is at the mercy of publishers, and not a feature you can give up in exchange for a discount.

For brain-wormed market trufans, the digital media dream was our nightmare. It was something I called "the urinary tract infection business model." With non-DRM media, all the value flowed in a healthy gush: you could buy a CD, rip it to your computer, use it as a ringtone or as an alarmtone, play it in any country on any day forever.

With DRM, all that value would dwindle from a steady stream to a burning, painful dribble: every feature would have a price-tag, and every time you pressed a button on your remote, a few cents would be deducted from your bank-account ("Mute feature: $0.01/minute").

Of course, there was no market for the right to buy a book but not the right to loan that book to someone else. Instead, giving sellers the power to unilaterally confiscate the value that we would otherwise get with our purchases led them to do so, selling us less for more.

The Broadcast Flag was actually adopted by then-FCC chairman Michal Powell, so we sued him, along with our allies at Public Knowledge and the American Library Association, and kicked his ass, and the Broadcast Flag died in 2005:

https://www.eff.org/cases/ala-v-fcc

But the dream of the Broadcast Flag never died. All the streaming apps on your phone come with the same restrictions that the Broadcast Flag would have imposed on over-the-air videos.

It's much worse on your big screen. Your cable receiver is a gigantic, energy-sucking, wallet-draining piece of shit; the average US household spends $200 on these clunky, insecure devices, and every attempt to "unlock the box" has been thwarted by Hollywood and the Copyright Office:

https://www.eff.org/deeplinks/2016/10/newly-released-documents-show-hollywood-influenced-copyright-offices-comments-set

The UTI business-model didn't take hold in most markets, but it's alive and well in your cable box. That box is mandatory, and modifying it runs afoul of DMCA 1201, meaning you can go to prison for five years for helping someone unfuck their cable box.

Back when PVRs like Tivo entered the market, viewers were as excited about being able to skip ads as broadcasters and cable operators were furious about it. The industry has treated ignoring or skipping ads as a form of theft since the invention of the first TV remote control, which was condemned as a tool of piracy, since it enabled viewers to easily change the channel when ads came on.

The advent of digital TV meant that cable boxes could implement DRM, ban ad-skipping, and criminalize the act of making a cable box that restored the feature. But early cable boxes didn't ban ad-skipping, because the cable industry knew that people would be slow to switch to digital TV if they lost this beloved feature.

Instead, the power to block ads was a sleeper agent, a Manchurian Candidate that lurked in your cable box until the cable operators decided you were sufficiently invested in their products that they could take away this feature.

This week, Sky UK started warning people who pressed the skip-ad button on their cable remotes that they would be billed an extra £5/month if they fast-forwarded past an ad. The UTI business model is back, baby – feel the burn!

https://www.examinerlive.co.uk/news/sky-warns-customers-charged-5-25644831

This was the utterly foreseeable consequence of giving vendors the power to change how their devices worked after they sold it to you, under conditions that criminalized rivals who made products to change them back.

Back in 2004, Wired published a special edition featuring reviews of new digital AV technology, almost all of which was encumbered with DRM. I had worked as a Wired reviewer on and off for years at that point, and I published a blog post taking the magazine to task for failing to note that all the features that it was praising in these devices could be taken away by the manufacturer at any time:

https://memex.craphound.com/2004/12/28/bittorrent-write-up-in-wired/

Then editor-in-chief Chris Anderson defended the move, saying that DRM would encourage rightsholders to make their media available, and this was a net benefit:

https://longtail.typepad.com/the_long_tail/2004/12/is_drm_evil.html

I replied, saying this wasn't the point: if you're a trusted reviewer and you're telling readers, "Buy this device because it has these three excellent features," you have a duty to warn them that any of these features could be taken away due to factors beyond your control, leaving you without any recourse:

https://memex.craphound.com/2004/12/29/cory-responds-to-wired-editor-on-drm/

This is a case I've made to other reviewers since, but no one's taken me up on my suggestion that every review of every DRM-enabled device come with a bold warning that whatever you're buying this for might be taken away at any time. In my opinion, this is a major omission on the part of otherwise excellent, trusted reviewers like Consumer Reports and Wirecutter.

Everywhere we find DRM, we find fuckery. Even if your cable box could be redesigned to stop spying on you, you'd still have to root out spyware on your TV. Companies like Vizio have crammed so much spyware into your "smart" TV that they now make more money spying on you than they do selling you the set.

https://pluralistic.net/2021/11/14/still-the-product/#vizio

Remember that the next time someone spouts the lazy maxim that "If you're not paying for the product, you're the product." The problem with Vizio's TVs isn't that they're "smart." The problem isn't that you're not paying enough for them.

The problem is that it's illegal to unfuck them, because Vizio includes the mandatory DRM that rightsholders insist on, and then hide surveillance behind its legal minefield.

The risks of DRM aren't limited to having your bank-account drained or having your privacy invaded. DRM also lets companies decide who can fix their devices: a manufacturer that embeds processors in its replacement parts can require an unlock code before the device recognizes a new part. They can (and do) restrict the ability of independent service depots to generate these codes, meaning that manufacturers get a monopoly over who can fix your ventilator, your tractor, your phone, your wheelchair or your car.

https://pluralistic.net/2022/05/08/about-those-kill-switched-ukrainian-tractors/

The technical term for these unlock codes is "VIN-locking," and the "VIN" stands for "vehicle identification number," the unique code etched into the chassis of every new car and, these days, burned into into its central computerized controller. Big Car invented VIN-locking.

VIN-locking is the major impediment to securing the Right to Repair. Manufacturers of all kinds bootstrap the DMCA – a Clinton-era copyright law – into a new doctrine that Jay Freeman calls "felony contempt of business model." Removing DRM is illegal, so any business model that hides behind DRM is illegal to thwart:

https://pluralistic.net/2022/10/23/how-to-fix-cars-by-breaking-felony-contempt-of-business-model/

With Felony Contempt of Business Model, repair is just the tip of the iceberg. When security experts conduct security audits of DRM-locked devices, they typically have to bypass the DRM to test the device.

Since bypassing this DRM exposes them to legal risks, many security experts simply avoid DRM-locked gadgets. Even if they are brave enough to delve into DRM's dirty secrets, their general counsels often prohibit them from going public with their results.

This means that every DRM-restricted device is a potential reservoir of long-lived digital vulnerabilities that bad guys can discover and exploit over long timescales, while honest security researchers are scared off of discovering and reporting these bugs.

That's why, when a researcher goes public with a really bad security defect that has been present for a very long time, the system in question often has DRM – and it's why media devices are so insecure, because they all have DRM.

But these days, "media device" has ceased to be a meaningful category. As we warned Chairman Powell in 2003, soon every device would have a general purpose computer inside it, and any rule regulating "media devices" would regulate everything.

Cars are media devices. Many new cars sell with Sirius XM players built into their media centers (mine did, and I was bombarded with calls and letters from Sirius begging me to subscribe to it). These players have DRM. They also have incredibly grave security defects.

Security researcher Sam Curry and his colleagues discovered that they could hijack Sirius XM-enabled cars, armed only with the VIN number that was printed on its windscreen. Sirius's authentication sucks and once you authenticate to an in-car Sirius-enabled app, you're in:

https://gizmodo.com/sirius-xm-bug-honda-nissan-acura-hack-1849836987

Curry and pals were able to plunder personal information from connected cars, lock and unlock them, and execute other commands available through the cars' telematics systems. A similar hack of Jeep cars in 2017 let attackers seize control over steering, brakes and acceleration:

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

The auto industry itself admits that its products gather so much information on you – the contents of your phone, the places you go – that any breach could endanger your very life. Indeed, they made this claim to try to scare Massachusetts voters away from passing Right to Repair legislation in 2020:

https://pluralistic.net/2020/09/03/rip-david-graeber/#rolling-surveillance-platforms

The same structural factors that make cars dumpster-fires of slapdash security are also present in your phone, and, thanks to the 2017 decision to standardize DRM in browsers, in your browser:

https://www.eff.org/deeplinks/2017/09/open-letter-w3c-director-ceo-team-and-membership

This all starts with the idea that the problem with "content" is that Congress gave us, the public, too many rights under copyright, and that nickel-and-diming us to buy those rights a la carte would fix this problem. 20 years later, the benefits of this system are thin gruel indeed, and the costs keep mounting.

(Image: Cryteria, CC BY 3.0, modified)


Hey look at this (permalink)



This day in history (permalink)

#15yrsago Holy crap, I love the cover of my next book! https://memex.craphound.com/2007/12/03/holy-crap-i-love-the-cover-of-my-next-book/

#15yrsago Canadian Industry Minister refuses to defend Canadian DMCA in public https://web.archive.org/web/20071205061815/https://www.cbc.ca/searchengine/blog/2007/12/jim_prentice_says_no.html



Colophon (permalink)

Today's top sources: /r/LateStageCapitalism (https://www.reddit.com/r/LateStageCapitalism/).

Currently writing:

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. (92849 words total) – ON PAUSE

  • A Little Brother short story about DIY insulin PLANNING

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • The Internet Con: How to Seize the Means of Computation, a nonfiction book about interoperability for Verso. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Sound Money https://craphound.com/news/2022/09/11/sound-money/

Upcoming appearances:

Recent appearances:

Latest books:

Upcoming books:

  • Red Team Blues: "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books, April 2023

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

(Latest Medium column: "Poe vs. Property: A detective story of shifting rationalizations" https://pluralistic.net/2022/11/27/poe-vs-property/)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla