Introducing Content into the Darknet

Our analysis and intuition have led us to believe that efficient darknets – in global or small-worlds form – will remain a fact of life.  In this section we examine rights-management technologies that are being deployed to limit the introduction rate or decrease the rate of diffusion of content into the darknet.

Conditional Access Systems

A conditional-access system is a simple form of rights-management system in which subscribers are given access to objects based (typically) on a service contract.  Digital rights management systems often perform the same function, but typically impose restrictions on the use of objects after unlocking.

Conditional access systems such as cable, satellite TV, and satellite radio offer little or no protection against objects being introduced into the darknet from subscribing hosts.  A conditional-access system customer has no access to channels or titles to which they are not entitled, and has essentially free use of channels that they have subscribed to or paid for.  This means that an investment of ~$100 (at time of writing) on an analog video-capture card is sufficient to obtain and share TV programs and movies.  Some CA systems provide post-unlock protections but they are generally cheap and easy to circumvent.

Thus, conditional access systems provide a widely deployed, high-bandwidth source of video material for the darknet.  In practice, the large size and low cost of CA-provided video content will limit the exploitation of the darknet for distributing video in the near term.

The same cannot be said of the use of the darknet to distribute conditional-access system broadcast keys.  At some level, each head-end (satellite or cable TV head-end) uses an encryption key that must be made available to each customer (it is a broadcast), and in the case of a satellite system this could be millions of homes.  CA-system providers take measures to limit the usefulness of exploited session keys (for example, they are changed every few seconds), but if darknet latencies are low, or if encrypted broadcast data is cached, then the darknet could threaten CA-system revenues.

We observe that the exposure of the conditional access provider to losses due to piracy is proportional to the number of customers that share a session key.  In this regard, cable-operators are in a safer position than satellite operators because a cable operator can narrowcast more cheaply.

DRM Systems

A classical-DRM system is one in which a client obtains content in protected (typically encrypted) form, with a license that specifies the uses to which the content may be put.  Examples of licensing terms that are being explored by the industry are “play on these three hosts,” “play once,” “use computer program for one hour,” etc.

The license and the wrapped content are presented to the DRM system whose responsibility is to ensure that:
a)    The client cannot remove the encryption from the file and send it to a peer,
b)    The client cannot “clone” its DRM system to make it run on another host,
c)    The client obeys the rules set out in the DRM license, and,
d)    The client cannot separate the rules from the payload.

Advanced DRM systems may go further.
Some such technologies have been commercially very successful – the content scrambling system used in DVDs, and (broadly interpreted) the protection schemes used by conditional access system providers fall into this category, as do newer DRM systems that use the internet as a distribution channel and computers as rendering devices.  These technologies are appealing because they promote the establishment of new businesses, and can reduce distribution costs.  If costs and licensing terms are appealing to producers and consumers, then the vendor thrives.  If the licensing terms are unappealing or inconvenient, the costs are too high, or competing systems exist, then the business will fail.  The DivX “DVD” rental model failed on most or all of these metrics, but CSS-protected DVDs succeeded beyond the wildest expectations of the industry.

On personal computers, current DRM systems are software-only systems using a variety of tricks to make them hard to subvert.  DRM-enabled consumer electronics devices are also beginning to emerge.  In the absence of the darknet, the goal of such systems is to have comparable security to competing distribution systems – notably the CD and DVD – so that programmable computers can play an increasing role in home entertainment.  We will speculate whether these strategies will be successful in the Sect.

DRM systems strive to be BOBE (break-once, break everywhere)-resistant.  That is, suppliers anticipate (and the assumptions of the darknet predict) that individual instances (clients) of all security-systems, whether based on hardware or software, will be subverted.  If a client of a system is subverted, then all content protected by that DRM client can be unprotected.  If the break can be applied to any other DRM client of that class so that all of those users can break their systems, then the DRM-scheme is BOBE-weak.  If, on the other hand, knowledge gained breaking one client cannot be applied elsewhere, then the DRM system is BOBE-strong.
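
The distinction can be modeled in a few lines.  The following Python sketch is an added illustration, not code from the paper or from any DRM product: it treats "knowledge gained breaking one client" as the secret extracted from that client, and compares a class-wide shared secret (BOBE-weak) with per-client keys derived from a vendor-side root (BOBE-strong).  The names CLASS_KEY, ROOT and blast_radius are hypothetical, and the XOR-based wrap is a toy stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os

CLASS_KEY = os.urandom(32)  # BOBE-weak: identical secret inside every client
ROOT = os.urandom(32)       # BOBE-strong: vendor-side root, never shipped

def keystream(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, b"wrap|" + label, hashlib.sha256).digest()

def wrap(client_key: bytes, label: bytes, content_key: bytes) -> bytes:
    """Toy key wrap (assumption, not a real algorithm): XOR + HMAC tag."""
    body = bytes(a ^ b for a, b in zip(content_key, keystream(client_key, label)))
    tag = hmac.new(client_key, b"tag|" + label + body, hashlib.sha256).digest()
    return body + tag

def unwrap(client_key: bytes, label: bytes, blob: bytes):
    """Return the 32-byte content key, or None if client_key is wrong."""
    body, tag = blob[:32], blob[32:]
    good = hmac.new(client_key, b"tag|" + label + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(body, keystream(client_key, label)))

def client_key(scheme: str, client_id: bytes) -> bytes:
    """Secret held by one client instance under each scheme."""
    if scheme == "weak":
        return CLASS_KEY
    # Per-client diversification: key = HMAC(ROOT, client_id)
    return hmac.new(ROOT, b"client|" + client_id, hashlib.sha256).digest()

def blast_radius(scheme: str, clients: list, subverted: bytes) -> list:
    """Clients whose licenses open with the secret taken from `subverted`."""
    leaked = client_key(scheme, subverted)
    opened = []
    for cid in clients:
        content_key = os.urandom(32)
        license_blob = wrap(client_key(scheme, cid), cid, content_key)
        if unwrap(leaked, cid, license_blob) == content_key:
            opened.append(cid)
    return opened

if __name__ == "__main__":
    fleet = [b"client-A", b"client-B", b"client-C"]  # constructed sample IDs
    print("weak  :", blast_radius("weak", fleet, b"client-A"))
    print("strong:", blast_radius("strong", fleet, b"client-A"))
```

In both schemes the subverted client's own licenses open, which matches the statement that all content protected by a subverted client can be unprotected; the schemes differ only in how far the break spreads.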

Most commercial DRM-systems have BOBE-exploits, and we note that the darknet applies to DRM-hacks as well.  The CSS system is an exemplary BOBE-weak system. The knowledge and code that comprised the De-CSS exploit spread uncontrolled around the world on web-sites, newsgroups, and even T-shirts, in spite of the fact that, in principle, the Digital Millennium Copyright Act makes it a crime to develop these exploits.

A final characteristic of existing DRM-systems is renewability.  Vendors recognize the possibility of exploits, and build systems that can be field-updated.

It is hard to quantify the effectiveness of DRM-systems for restricting the introduction of content into the darknet from experience with existing systems.  Existing DRM-systems typically provide protection for months to years; however, the content available to such systems has to date been of minimal interest, and the content that is protected is also available in unprotected form. The one system that was protecting valuable content (DVD video) was broken very soon after compression technology and increased storage capacities and bandwidth enabled the darknet to carry video content.

Software

The DRM-systems described above can be used to provide protection for software, in addition to other objects (e.g. audio and video).  Alternatively, copy protection systems for computer programs may embed the copy protection code in the software itself.

The most important copy-protection primitive for computer programs is for the software to be bound to a host in such a way that the program will not work on an unlicensed machine.  Binding requires a machine ID: this can be a unique number on a machine (e.g. a network card MAC address), or can be provided by an external dongle.

For such schemes to be strong, two things must be true.  First, the machine ID must not be “virtualizable.”  For instance, if it is trivial to modify a NIC driver to return an invalid MAC address, then the software-host binding is easily broken.  Second, the code that performs the binding checks must not be easy to patch.  A variety of technologies that revolve around software tamper-resistance can help here.

We believe that binding software to a host is a more tractable problem than protecting passive content, as the former only requires tamper resistance, while the latter also requires the ability to hide and manage secrets.  However, we observe that all software copy-protection systems deployed thus far have been broken.  The definitions of BOBE-strong and BOBE-weak apply similarly to software.  Furthermore, software is as much subject to the dynamics of the darknet as passive content.
