foundation for information policy research

EU Consultation on Digital Rights Management

Ross Anderson

Foundation for Information Policy Research

Executive Summary

The Foundation for Information Policy Research is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.

We wish to make the following comments in response to the European Commission's consultation on the Final Report of the High Level Group on Digital Rights Management.

In our view, the Report is deeply disappointing. The High Level Group that wrote it was composed overwhelmingly of producer interests from the music and computer industries; the consumer representative (BEUC) was unable to subscribe to most of its recommendations. It is quite improper for the Report to nonetheless represent its findings as a `consensus'. It was particularly inappropriate for the Commission to let a music lobby group, IFPI, act as the Rapporteur for the Group.

Rights-management mechanisms affect a wide range of public policies. For example, DG Competition has found Microsoft guilty of anti-competitive practices in respect of Media Player, which incorporates Microsoft's rights-management technology and seeks to abuse the Windows monopoly in order to create unlawfully a further monopoly in rights-management platforms for music distribution.

Microsoft has appealed this finding and is pressing ahead with the implementation of its rights-management technology throughout Windows, Office and Outlook. It appears that Microsoft seeks to defeat EU competition law using the same strategy and tactics used in the `browser wars' – appeal and delay legal sanctions while making the technology so pervasive in its deployed platforms that there is no practical alternative for the EU but to acquiesce in their illegal and predatory misconduct. This is a blatant challenge to the competition law and policy of the European Union. The Commission should respond vigorously.

The Group thus gravely undermines its credibility by reporting that `the market development for (DRM) systems is still at an early stage', and arguing that therefore it requires legislative and other help from the Commission. DRM is a deployed technology, in which unlawful monopolies have been built and are being extended. The proper role of the Commission is not to promote DRM, but to regulate it aggressively.

Rights-management technology potentially affects many other sectors beyond music and computers. It has vast potential to help vendors create new monopolies, and to extend existing ones to related products and services (which will generally be contrary to European law). Affected sectors range from pharmaceuticals through perfumes to cars, clothing and even luxury foodstuffs. If this technology is allowed untrammelled free rein, then the Single Market itself will come under threat. (It is rather ironic that DG Internal Market is the promoter of stricter IP-law protection for such mechanisms.)

In general we propose that Europe must introduce legislation to restrict the `fruit of the poisoned tree': that is, that a rights-management mechanism, or other technical protection mechanism, which is abused contrary to other settled law, such as competition law or consumer law, should lose its protection against circumvention under the EU Copyright Directive. Furthermore, once an aggrieved party has served notice on the holders of the underlying rights protected by the offending mechanism, the rightholders should be unable to enforce or exercise these rights anywhere in the European Union for so long as the abuse continues.

As for the Report of the High-Level Group, its conclusions are fatally flawed as a result of the Group's restricted and biased membership, and its narrow focus on the profits of the music industry to the exclusion of consumer issues, the effects on other industry sectors, and the broader social aims of the European Union. This Report cannot prudently be used as a basis for future policymaking.


Early music and film technologies had inbuilt technical limitations on copying – consumer copying devices such as tape recorders produced low-quality copies, while commercial-quality copying required capital investment in mastering. Digital technology has changed that somewhat (though not to anything like the extent that the music industry often represents).

A number of rights-management technologies have become widely deployed. Satellite-TV broadcasters have for years provided their subscribers with quite sophisticated systems that by now include on-demand pay-per-view for premium events, personal video recorder functionality and even online shopping. Media player software, such as Microsoft's Windows Media Player, Apple's iTunes and Real Networks' RealPlayer, provides competing platforms for the rapidly-growing and sharply competitive business of selling music tracks online. (Indeed, as noted above, Microsoft's tactic of bundling its player with Windows has been found by DG Competition to be too sharp a practice, and contrary to European law.)

Rights-management technology is being constantly extended to new platforms. The most controversial example (though not the only one) is Microsoft's `Information Rights Management' (IRM) product, shipped with Windows and Office in 2003. This enables people to extend rights management to arbitrary digital objects, such as emails, Word documents and spreadsheets. For example, it becomes possible to send someone an email which she will be able to view on screen, but not print, and which will become unreadable after 90 days. This may appeal to companies who wish emails to behave more like phone calls than letters, and be impossible for lawyers to discover during later legal proceedings. (This creates possible conflicts with many other European policies – for example, emails relating to exports covered under the Dual-use Regulation are supposed to be kept for two years.)

Another controversial use of rights management is in accessory control. Printer makers have for several years fitted their products with chips that authenticate ink cartridges, in order to block third-party cartridge suppliers. In the case of a printer vendor with a dominant market position (such as Hewlett-Packard) this might amount to its unlawful extension into the accessory market. The Commission has not so far taken action against HP on this basis, but as this rights-management technology also blocks cartridge recycling, it has adopted a Directive on waste electrical and electronic equipment [2002/96/EC] which will force Member States to outlaw, by the end of 2007, the circumvention of EU recycling rules by companies who design products with chips to ensure that they cannot be recycled.

Yet another example is radio frequency identification (RFID). When originally proposed by the Commission, the recent Directive on the Enforcement of Intellectual Property Rights included a substantive law change that would have extended the anticircumvention provisions of the EUCD to RFID, and indeed to all technical protection mechanisms which, inter alia, are claimed to make counterfeiting harder. Following lobbying by FIPR, this provision was removed from the Directive by the Legal Affairs Committee. But there is no doubt that vendor interests will try again to broaden the scope of the anticircumvention rules. This is in direct tension with the Single Market, as we shall now explain.

Economic fundamentals

Economists generally agree that price discrimination is efficient: a vendor will try to sell to each customer at that customer's marginal willingness to pay. If the vendor is a monopolist, then perfect price discrimination is even Pareto-optimal. Many mechanisms have been invented for selling to different customers at different prices – from student and pensioner discounts, through business versus economy air and train fares, and different prices for the same goods in different countries, to personal haggling in markets.

It is also well understood that price discrimination is generally resented by customers as unfair. In the nineteenth century, popular anger at the wide range of complex train ticket prices (and the poor seating conditions imposed on low-budget passengers in order to force the middle classes to buy more expensive tickets) led to the railways being heavily regulated in some countries – and taken into public ownership in others [Odlyzko03]. In the present century, economy air passengers feel towards the airlines as their great-great-grandparents felt towards the train operators. Britons have complained for many years that prices of new cars are perhaps 30% higher than in Belgium (and at last have secured some action against the industry structures that entrenched this). There is also discontent in many countries at the higher prices charged for CDs in Europe compared with the USA, coupled with resentment of DVD region coding which prevents DVDs simply being bought by mail order from the USA, as CDs are. Very recently, the UK Consumers' Association has brought an antitrust complaint against Apple for charging UK customers 20% more than other European customers for downloaded music tracks (which are even cheaper still in the USA).

The Single Market, one of the cornerstones of the European Union, is a touchstone of the political forces arrayed against discriminatory pricing. Although a US clothing company might prefer to sell its blue jeans for $20 in Lisbon, $30 in Brussels and $40 in London, Member States have agreed that (with a few exceptions) traders are free to buy goods in one Member State and sell them in another. Thus we have a doctrine that trademarks and other intellectual property rights exhaust on first sale – so the manufacturer cannot use its trademark rights to prevent grey-market trading. This trading sets natural limits on price dispersion within the Union.

Manufacturers generally dislike these Single Market provisions and try all manner of tricks to circumvent them. It is notable that DRM systems, with few exceptions, fail to implement the first-sale doctrine. The Commission, for its part, must be vigorous in upholding the Single Market, and its supporting provisions such as first-sale; otherwise in the long term it risks losing credibility and political support.

Rights management and value-chain control

Rights-management systems are the core of a technology package whose promise to vendors is much finer-grained market control than ever before.

For example, in future we expect that a drug manufacturer will embed an RFID tag in each pharmaceutical package, which will identify it uniquely. This will no doubt be justified to the public by talk about safety, but it is at heart a supply-chain-control technology. While previously a drug had a barcode identifying it as (for example) 28 tablets of 30mg Adalat, the RFID tag will identify it as an individual package. On presentation at the checkout, the 128-bit RFID code will have a header identifying the manufacturer (Bayer), while the rest of the code will enable Bayer to identify the product to the shop.

The safety advantage of this is that if Bayer finds a batch of its product to be defective, they can block its sale instantly throughout the distribution chain by blacklisting it on their database; defective packages will then be intercepted at the checkout. The disadvantage to the public is that, if someone buys a shipment of Adalat in Poland and sells it in Germany, Bayer can refuse to serve up the product details from its database. In effect, the right to free trade within the Single Market is revoked (the EUCD exempts online database services from fair use / fair dealing exemptions to IP law). This will affect a wide range of goods, from pharmaceuticals to clothes, and is why FIPR has described RFID as `region coding for blue jeans'.

Another example comes from the car industry. This industry has long sought to control markets for spare parts and accessories, while the European Commission and some Member States have resisted such control. But now that motor vehicles are ever more dependent on software, manufacturers are starting to use the tricks of the software industry to tie parts to vehicles and bundle parts with services. We anticipate that the old battles about accessory control and aftermarket control will be fought all over again.

In general, as we put CPUs, communications and software into most objects that cost more than a few Euros, software will come to provide more and more of their value. Many industries will become more like the software industry. We will get the good (flexibility), the bad (frustration with ever-more complex and hard-to-use products) and the ugly (monopolies).

The role of lock-in

This makes it important for the Commission to understand the unique features of the software industry. Information goods and service industries generally have three distinguishing characteristics, all of which increase the likelihood of monopoly: high fixed costs and low marginal costs; network externalities; and the pervasiveness of customer lock-in as the defining source of value to platform owners. Indeed, under often reasonable assumptions, the value of a software firm is just the total switching costs that would be borne if all its customers were to switch to the competition.

What this means, for example, is that if a typical company with 50 clerical employees is paying Euro 1000 per seat for Microsoft Office, then the cost of switching to a competing product such as OpenOffice (including training, file conversion, installation and so on) would be 50,000 Euro. (If it were less, they would switch; if it were more, Microsoft would put up its prices.) Thus incumbents such as Microsoft try as hard as they can to increase their customers' lock-in, while smart customers (and the incumbent's competitors) try to minimise it.

This is central to the role of rights-management mechanisms. Suppose, for example, our typical 50-person company were to use IRM. Then, at least in its current implementation, they would be locked in much more tightly, as IRM transfers ownership of Office files from the person on whose machine they are kept to the person who created them. Thus, in order to convert to a different productivity package, our company would have to get the digitally-signed consent of all of its customers, and of any other parties, who had supplied any IRM-protected documents. This would greatly increase the cost of switching, and so can be expected over time to drive up the cost of Office (see Anderson for more detailed economic analysis).

Content industry specifics

The music and film industries, in particular, have generated much publicity about losses allegedly caused by digital file-sharing networks. In the case of the film industry this is not very plausible, as the volumes of data involved make film-sharing extremely slow, even over broadband links. In the case of music, there is a real question about whether file-sharing causes significant losses.

File sharing may displace some sales, as people download what they would otherwise have purchased; it may also lead to new sales, as people have the opportunity to sample products that they would not have otherwise encountered. The question of whether it harms or helps the industry is an empirical one, which must be answered with reference to data rather than by propaganda. The most definitive study to date, by Oberholzer and Strumpf, suggests strongly that there is no net effect.

As noted above, rights-management mechanisms have been developed by industry over the last ten years and are now supplied by a number of vendors including Microsoft, Real Networks and Apple. After years of pleading for government assistance, the industry has instead launched into competition to sell music tracks online. These sales are growing rapidly. Under the circumstances, it is hard to see any case for further tilting the playing-field in the direction of the industry.

Instead, the Commission should bear in mind that changing patent regulations in favour of the drug companies over the last 20 years has not led to increased competition: on the contrary, the rule changes made Big Pharma lazy. By 2002, of the 78 drugs approved by the FDA, only 17 contained new active ingredients, of which only 7 were classed by the FDA as improvements. The other 71 were variants on old drugs, or at least no better than drugs already on the market [P Neroth, `Big pharma use European law to protect their profits', The Lancet, to appear]. In effect, the industry found it more profitable to extend its existing monopolies than to invest in real innovation. Money was spent on lobbyists and lawyers, rather than on research scientists. At a time when online music sales are just taking off, the last thing the Commission should do is signal to the music industry too that it might make more money lobbying for special protection than seeking to satisfy its customers, as it is now doing at long last. The music industry should be encouraged to develop as a vehicle for channeling money from listeners to musicians, not to lobbyists, lawyers and platform owners.

Specific Defects in the Final Report

The Final Report lacks credibility for a number of reasons. It ignores the growing use of rights-management technology in applications other than music and video content (e.g. accessory control, aftermarket control, IRM) and downplays its use in consumer electronics (where satellite TV and DVD region coding get only a passing mention, and other DVD mechanisms are ignored). Similarly, the mechanisms already fielded by mobile phone vendors and network operators are derided as a `small niche'.

Throughout, it uses producer-oriented rather than consumer-oriented language, and adopts a number of the assumptions and propaganda words of the content industry lobbyists. It is not appropriate for the European Commission to endorse a document that simply repeats IFPI propaganda, for example by describing DRM rollout as `migration to legal services'.

Many of its technical claims are simply wrong. For example, it claims that a compatible but noncompliant device would undermine all DRMs. But such devices must exist lawfully for law-enforcement, anti-virus development and research purposes, and other infringing devices will surely be made too. Rights-management system designers are investing some effort in avoiding break-once-run-anywhere attacks; this is the reason for revocation mechanisms.

Perhaps this spin arises because the authors of the Report do not wish to consider many of the broader questions that rights-management systems raise. For example, there are free speech issues – what is the effect on society of pervasive revocation? If mechanisms exist whereby an aggrieved copyright owner can get a court order that revokes a book chapter that has `leaked' to the internet – thereby causing all compliant PCs, PDAs and other devices to delete it, or at least refuse to display it – then what happens when a court orders that these mechanisms be used to censor material that it finds defamatory, or seditious? The definitions of these terms vary quite widely from one country to another; material may be found libellous in the UK while being constitutionally-protected free speech in Germany, while the French privacy laws prohibit the publication of material about politicians' sex lives that are free to the market in most other European countries. Will rights-management systems force either a harmonisation of speech laws, or a drastic revision of mutual legal assistance provisions? Will making censorship technically easier result in more censorship?


The European Commission must not view DRM as just another baby technology whose birth can be assisted using programmes such as the Sixth Framework. DRM is a developed technology, and is widely deployed. It has already fallen foul of European law on at least two occasions – the most recent Microsoft antitrust ruling, and the Waste Electrical and Electronic Equipment Directive. There will surely be more cases, as rights-management is in many ways a natural ally of the monopolist.

The Commission would be most unwise to compromise more important policy goals in competition and consumer law by technology-specific exceptionalism driven by the lobbying of the music and software industries.

There remains the question of what might be done in practice to make DRM less dangerous. Our suggestion is that we need a `fruit of the poisoned tree' rule to circumscribe the implementation of the EUCD anti-circumvention provisions.

The particular problem of the anti-circumvention rule in the EUCD is that it transfers regulatory power from governments (including the European Commission and Parliament) to the writer of the software protected by the anticircumvention legislation. We believe that this will need eventually to be tackled in a further round of international treaty negotiation. For the time being we argue simply that, even if Parliament is content to delegate to arbitrary software writers its power to regulate copyright, it acts ultra vires if it thereby gives the software writer the power to override the Treaty of Rome. Thus, where a rights-management mechanism has the effect of removing a constitutional right, the legal protection that was granted to it by Parliament and the Commission was granted ultra vires, and is therefore void.

There is a useful precedent in the UK Patents Act 1977. This consolidated a provision in UK patent law whereby a patent owner who entered into an unlawful contract of adhesion thereby rendered his patent unenforceable against everybody else. For example, if I owned a flour-milling patent and licensed it to you on condition that you bought all your wheat from me, then the mere fact of this was a full defence for anyone else whom I sued for infringing this patent.

In the same way, we propose that the Commission initiate legislation with the effect that whenever a rights-management mechanism is used to infringe a constitutionally-protected right, or to extend or entrench a monopoly in contravention of Articles 81 or 82, then that mechanism must lose the legal protection afforded under EUCD against circumvention. Furthermore, once an aggrieved party who is unable to exercise a legal right because of an abusive protection mechanism places the holder of the underlying copyright on notice, the holder should become unable to enforce that copyright against anyone else in the European Union, for so long as the abuse continues. The threat of losing legal protection is likely to cause mechanism owners to think hard before letting them be used for unlawful purposes. They will rather take care to make mechanisms available whereby consumers and others can exercise their fair-use and fair-dealing rights under the established laws of the European Union and its Member States.

Ross Anderson

Foundation for Information Policy Research

16th September 2004
