Re: Part 2: System Structure

[Marcus Brinkmann]

At Tue, 23 May 2006 12:13:17 -0400,
"Jonathan S. Shapiro" <address@hidden> wrote:
> If we can build a sufficiently large *collective* block of users who
> refuse DRM -- big enough that these users represent a noticeable
> proportion of market share or a publicly visible group whose visibility
> imposes noticeable embarrassment or noticeable marketing and PR costs to
> the content providers, we *may* be able to restore more balance of power
> to the viewers (either through the market or through legislation), and
> by doing this we may be able to force DRM use to a more acceptable
> middle position or even eliminate it entirely.
> 
> If this is the argument, then I think that it is a good argument, and
> that it is even worth a try. Speaking personally, it's not a cause that
> I wish to adopt -- I am doing too much elsewhere already -- but it is a
> perfectly good cause.

There is something that disturbs me about the two positions you hold.
On the one hand, you completely distrust the social process to help
preventing unauthorized abuse of digital information, and make a
strong case for why the social process is unable to enforce any
restrictions effectively, so that technological means are, in your
opinion, necessary, and you are working hard on providing these means.

On the other hand, you are putting your hopes to pull the biting tooth
out of DRM into a social process of political action, which (according
to the quote above) you do not plan to support, that in todays climate
is much more difficult to implement than using existing processes that
protect abuse of information through the juridicative and executive
branch.  You criticized me strongly for trying to provide technical
means of protection to support such an opposition to DRM.

Nevermind that I disagree with your characterization of the technical
means to make the social process unnecessary; I have explained why I
think that the social process is at the root of any enforcement in
society, even the enforcement to apply certain technical means (HIPAA
enforcement was my example there).  Nevermind that I disagree with
your negative view on the capabilities of the social process.  Never
even mind that I think it is quite cruel to knowingly burden the
population with yet another problem in addition to an increasing
number of much harder problems raising the issue of our mere survival,
like poverty, the environment and nuclear weapons.

What puzzles me is that in the one case, you very intelligently
recognize each and every threat scenario, plus its characteristics,
and provide the best protection possible.  For example, you pointed
out that the social process comes too late, because the harm has
already been done, sometimes irrevocably.  That is quite correct.
However, it is also correct for the harm of DRM on the population.
And so on.

When I studied this subject, I found that I could use every one of
your security arguments for my cause, because I recognized loss of
control over ownership as a security threat.  Based on your statement
above, you seem to agree with that it is a threat, at least to some
extent.  Yet, in the other case, you deny actively (by criticizing my
position) the population the arts of the trade for this particular
threat, relying on political action and the social process instead.
In other words, you are addressing the two threats quite differently.

Even if one does not cast this into a ethical framework (where such a
position obviously would be hypocrisy[1]), this should raise some
eyeballs, because of its obvious inconsistency.  And this on two
accounts: For the way you consider the virtue of the social process,
and the way you consider the virtue of appplying technical security
measures to reduce a threat.  I have noticed a similar inconsistency
before with your liberal application of the term "voluntary use".

There are a number of obvious questions which follow from that: Do you
agree or not agree that "trusted computing" and DRM constitutes a
security threat, in the way that I[2] defined?  If you do not agree,
why?  If you do agree, do you support or not support using the tools
and arts of the IT security trade in this particular threat scenario?
If you do not support it, why?  If you do support it, do you recognize
my system structure proposal as a step in that direction?

Thanks,
Marcus

[1] I am using this term quite technically.  Wikipedia defines it the
following way: "Hypocrisy is the act of pretending to have morals or
virtues that one does not truly possess or practice."

[2] And, coincidentally, Bruce Schneier the day after me.  Although
Bruce Schneier did not offer any analysis of how it can be addressed,
aside from suggesting that people should switch to free software.