Apr 25, 2024


What is...



Myths about DRM

This is a little list of common myths about DRM I put up to save myself the time from always countering the very same arguments why DRM is good or needed.

DRM, in this context, means everything that requires the user to get authorisation after the purchase of the game. Whether you need to contact the DRM server on every startup, on every tenth startup, every week or every installation does not matter. The problems are always the same. So this is basically about all forms of "online activation". Classical copy protection (like DVD checks) which could also be considered DRM depending on your definition are not the topic of this document. See foobar's thoughts on Copy Protection for this.

Another suitable definition of DRM as I understand it would be: all means that tie a software to an individual person or computer. That basically leaves online activation or registration as only technical option and cleary seperates it from classical copy protections like DVD check which tie the software to an small, anonymous object (like a DVD or a manual).

Many of these "Myths" were used in the dicussion about DRM for the new game RISEN by defenders of DRM in the german forum at World of Risen.

Myth: DRM is good because you don't need to have the DVD in your drive!

You don't really need to have the DVD anyway. That is just a copy protection method which is bound to fail anyway. But even if we ignore that for a moment, think about what you are really doing here.

I mean, sure, it's troublesome always having to insert the DVD and keep it at hand. I'm totally with you there. But the question is: What price do I have to pay to get rid of that trouble? I have to give up control! Whether the DVD is in the drive is completely under my solemn control. Okay, I have to insert it to play the game - but no one can stop me from doing so and playing the game. With DRM, a lot of people can stop me from using the game. Any time. The one who controls the DRM servers is only the most obvious in a long list. Another one would be my internet provider who has technical problems or thinks I did not pay my last bill.

The requirement to insert the DVD is artificial. Technically, it would not be necessary for playing the game. Of course, you are free to enter any golden cage put up in front of you. But if I have the choice between independence (even it is deliberately made burdensome) and some maybe even comfortable dependence... well, I would always prefer the freedom. To be honest, knowing that the independence was intentionally made painful makes me choose it more than ever. I'm a stubborn mule.

As long as you have the DVD (and it is in your hand alone to keep it available and in good shape), no one can ever stop you from using the game on your PC. On the other hand, once your permission comes from a foreign server which you cannot control and uses an internet connection that you can't control either, you're in the hands of complete strangers when it comes to playing the game.

So DRM is only good if you do not care about the fact that you give up control of how and when to use the software you bought with you own money.

Myth: The publisher would be stupid to misuse DRM. We can trust him.

I do not know what it's like where you live but we in Germany have stupid people, too. But even if you can really trust the publisher: What happens when he goes bankrupt? Or a storm cuts him off from the internet? Or some script kiddies run a dDoS attack on his servers? What if he gets taken over by a competitor who then cuts off costly support for games with which the new owner did not earn any money himself?

DRM servers have been shut down in the past. Other companies tried to shut them down and only reverted that decision because their customers protested - but how long is that going to hold?

Myth: DRM allows the publishers to reward legitimate customers instead of punishing them via a classical copy protection

How? Because you do not have to insert the DVD anymore? That was an unnecessary demand anyway. They discriminated their customers by this. We had to insert the DVD while the pirates just played the game. I would not call it "advantage" if they simply stopped this discrimination. It's more a matter of course. If a slave says: "Oh, my master is so generous; now he only whips me with the nine-tail twice a week" that is a sure sign of a broken will. Publishers have kept us in leading-strings for years now with more and more conditions to fulfil and harder and more intrusive copy protections all the time that we now perceive it as a great gift when we seem get what was rightfully ours all along - the right to play a game we bought without obstacles.

Myth: With DRM, the publisher can give his customers additional content

And why does he need the DRM for that? A publisher can always give his customers additional content. He just needs to put it on a webserver for free download. What is really meant with this but usually not said explicitely is that the publisher can use DRM to make sure that only those who paid get the content. Either paid for the game itself or paid for the content again. So DRM also is a good platform to turn any game into a cash cow. They sell you content for the game you already paid for by this. Normally, that would be more difficult because the publisher has no infrastructure to get the content to the customer (he has to use the retail industry for that). But DRM provides this infrastructure.

Ok, not all publishers may go that way. Perhaps they really want to give their customers free content. And they don't want to give that content to pirates - which is understandanle. But is it really necessary to use DRM for that? No, it is not. All you need is a proof of purchase. And that can be anything. A simple receipt or a serial code in the game's box. Or how about a list of transaction numbers (TANs)? Let's say 10-20 numbers on a list in the box. Each number can be used to download something and then becomes invalid. For the next download you need another TAN. If your TAN list is almost used up you can use one of the last TANs to download a new TAN list from the publisher. If it's safe enough for online banking it should be safe enough for games content, too. This method has a number of advantages: It is totally anonymous, you can download whatever you want and as often as you need it. When you sell the game you give the TAN list to the new owner and he fills your place without the publisher ever knowing it. If he does not trust you and thinks you made a copy of the TAN list, he'll just get himself a new one from the publisher. Secure and anonymous resale. But maybe that is exactly the problem...

You might argue that there are people who open game boxes at the store, copy the serial or TAN list and then put it back in the shelf. But there's an easy way to prevent this. Wrap the game in a foil which is "minted" with the logo of the publisher and write a notice on the box that people must not buy it with the foil removed. Now the dealer can't just put it back in the shelf and he won't have this publisher's foil. If he does have it, you can sue him for violating your trademark. So the shops have to look out for their wares and cannot just shove that problem off to the customer.

If you use DRM for purchase verification then it means that the publisher is the one who verifies your purchase. Not just once but regularly. One single check upon download of the content could be easily handled otherwise (as shown above), you don't need DRM for that. DRM is only necessary for continuous monitoring. So every now and then (each start, each installation, etc.), he takes a look at your installation and decides then, based on his current motives, legal situation and technical abilities, if you're allowed to use your software. No one guarantees you that these motives, legal situation or technical abilities won't change over time. Would you buy a desk lamp if you had to phone the manufacturer to prove to him that you have not stolen it before you can turn it on - every time?

You bought the game but the publisher still owns it. I think there's something wrong with that in principle.

Myth: DRM protects against pirates and that is good

DRM is as effective as any copy protection against piracy. It will be cracked away. Whether you remove the DVD check or whether you remove the DRM server check - it does not matter to the cracker. Technically, you just make sure that some code in the binary is not executed anymore. What that code does is totally unimportant.

Additionally, no copy protection protects against pirates. See my thoughts on that topic.

Myth: DRM allows multiple installations for some games. That is good because usually you only get one at a time.

If a publisher wants to give you the right to use the software on more than one PC at the same time all he needs to do is write that permission into the license agreement.

Do not make the mistake to confuse the terms of a license and the measures someone takes to enforce that license. If you do not trust your paying customers and want to make sure that they keep their part of the bargain then you need a way to make sure that they don't do anything not covered by the license. A single-use license can be enforced by checking for something that was in the box only once - like the DVD. You could just put two DVDs in the box for two licenses (won't cost not much more than a copy protection). But for more installations that becomes unhandy. I agree to that. Still, is there no other way to enforce the license than DRM? And why do I have to accept the unquestionable disadvantages of DRM even if I just want one installation (as most users do)?

But even under the assumption that your customers are not trustworthy, it will not work. Because for those who want to abide by the license you do not need any enforcement by definition. And those who do not want that will just crack away any enforcement in their way. The DRM can only work with those who did not require it in the first place. Basically, it's like preaching to the choir - but in a way that may turn away even the most convinced believers.

Myth: DRM does not require any intrusive drivers as other copy protections.

Really? The intrusive drivers or any other aggressive manipulations of the system are there for a reason: They are supposed to prevent cracking or at least make it more difficult. I think it's a wasted effort but obviously someone in a publisher's office thinks different. But if DRM can be cracked like any other method of CP why would it not need the same counter-measures?

Myth: We're promised a patch when the DRM service is discontinued so everything is fine.

No, it isn't. Do you really think that when the publisher gets taken over that anyone in the new board with care about the marketing promises from yesterday? And if they go broke? You think anyone in that company will waste his time to make patches for all the games of the last 10 years? They'll be busy updating their résumées and trying to get their last pay cheque!

You think a brankruptcy trustee who has the obligation to retain a much substance as possible for the creditors would give any money to that? And why should he? If he sells the DRM servers to another company who then charges the customers for this service he'll bring in new money! Freeing a game from DRM in times of financial problems is like throwing away a valueable asset.

Perhaps you think that you'll be able to sue them. For some reaons founded in the way the german legal system works this is a wasted effort - at least in my country. Maybe it's different in yours. But keep in mind that in almost any country, lawsuits are expensive and you never know how they turn out. Do you really want to risk that for a game that was worth perhaps 50 Euro at purchase and now probably muss less? In Germany, we have a saying: In a court and on the deep sea, you are in the hands of God.

And even if everything works out - such a trial can take a long time in which the publisher might already be liquidated. You cannot force something out of the dead. Then you have a nice deed and the only thing you can do with it is frame it and hang it in your living room.

Bottom line: When the going gets rough, such promises are not worth anything anymore. Don't trust in the promises of a faceless profit organisation if you do not have the power to force them to fulfill it. And that you don't.

Myth: DRM is anonymous so you do not need to worry about your privacy

Well, there are many different kind of DRM systems. Things like Steam for example where you have to enter you credit card info as far as I know are not anonymous. They know exactly who you are.

But in general, no DRM system is really anonymous. First, they know you IP address which is considered personal data by many people. Then, DRM is used to identify your PC. That is what it is there for. All the hardware you have in your PC (and perhaps even the software) is used to make sure that this PC is the one on which you activated your game.

What happens if the publisher gets to make a connection between this PC and you as person - just once? For example, by using the support (guess who'll you have to ask if you run out of activations or have any other problem with the DRM system) or by registering yourself with your name? He could always identify you by your hardware. He'll know when you play and what you play. He can find out something about your financial situation. For example, if you own a quadcore CPU with 8 gigs of RAM and two highend graphic cards linked via SLI or Crossfire and professional software worth 5,000 Euro then you probably are not poor as a church mouse. On the other hand, if you trudge through your Mass Effect even though it permanently judders on your old and slow PC then you probably don't have the fattest bank account because otherwise you would not suffer like that voluntarily. Furthermore, hard- and software can also determine your personal interest or what work you do. If you have a MIDI keyboard attached and own some Steinberg software, you're probably a musician. CAD software: engineer. Photoshop with a lot of plugins and an expensive camera on the USB port: photographer. Visual Studio in a professional version: developer. And so on, and so on. If you give it a little thought there are many things that your PC tells the publisher about yourself.

Now, he can do all that and more but he wouldn't, would he?

Ever read the so-called "privacy statement" of EA for instance? I know I have. Let me show you some especially nice terms in that document (I marked the interesting ones with emphasised writing):

EA collects personal information from our online visitors during (1) contests (registration or claiming a prize), (2) warranty registration and/or during customer support or technical service requests, (3) player match up or other online services, (4) registration for games or special game-specific event participation, (5) newsletter subscriptions, referral services, and other marketing surveys and email campaigns, (6) registration for membership on our sites, (7) when you order products or subscriptions from us online, or (8) when you request services from third party service providers on our site or (9) through use of our software or online services.

Now, just using their DRM server would allow them to collect your personal information according to (4), (6) and (9). Getting additional content (like "Bring Down The Sky" for "Mass Effect") allows it, too, by (7) or (9). And of course, any use of the support (which will be unavoidably as soon as you run out of activations) grants them the right to collect your data, too (this is item (2)).

Information collected will vary depending upon the activity and may include your name, e-mail address, phone number, mobile number, home address, birth date, and credit card information. In addition, we may collect demographic information such as gender, zip code, information about your computer, hardware, software, platform, media, Internet IP address and connection, information about online activity such as feature usage, game play statistics and scores, user rankings and click paths and other data that you may provide in surveys or online profiles, for instance. We may combine demographic information with personal information, such as email address

That paragraph would have been much shorter if they simply told you what data they don't collect and combine it to create a profile of you in their database.

We do not require personal information to obtain access to any of our sites; however, you will not be able to access areas that require registration.

Yeah, right. You don't need to give them anything but if you don't, your game won't work. It's a free choice, isn't it?

When you play our games on your PC or console, we may retrieve information about your hardware system and how your game is used, including your Internet Protocol Address.

In other words: As soon as you start your EA game, they have the right to watch everything you do. If you have a webcam plugged into your PC I suggest you turn it towards the wall when you play...

We also use this information to better understand the behavior and preferences of our customers, so that we can improve our products and services.

Meaning: You're going to get personalised advertising.

We will never use this information to personally identify you without your knowledge or consent.

Well, you have been informed about this when you agreed to their terms of service, right? So no need for them to tell you anything beyond that.

We may link cookie information to personal information. Cookies link to information regarding what items you have selected for purchase at our store, pages you have viewed, or games you have played. [...] Also, we use cookies to deliver content specific to your interest and to monitor website or game usage. We collect information on what games are played, how much time is spent playing the games and which ads or links are clicked.. [...] You can disable cookies or set your browser to alert you when cookies are being sent. However some areas of our sites will not function properly if you do so.

Total surveillance on the website, too.

DoubleClick, the company that serves many of the ads that appear on the pogo.com site, may also collect information

Well, I'm sure we can trust them...

Other technologies used include clear GIFs and IP address logging. [...] However, we may use clear GIFs capture statistical usage information for our web pages, features or other elements on a web page. We may correlate this information to a user [...]

Yes, with cookies you cannot keep track of everything. You need the GIFs.

in the event of a merger, acquisition, or the unlikely event of bankruptcy, management of Electronic Arts’ customer information may be transferred to its successor or assign

So, you never know who's going to get your data. Fantastic!

From time to time, Electronic Arts may employ third-party contractors to collect personal information on our behalf

Not only do they collect almost all information about you but they also get others to collect it. We call that a data kraken in Germany.

We may use third party contractors, such as credit agencies or market research firms, to supplement personal information that you provide to us [...]. To enrich our profiles of individual customers, we tie this information to the personally identifiable information they have provided to us.

Same as above.

Now, that were all the problematic issues I could find in the english version of this document just by browsing it once! Perhaps there's more hidden in that legal mumbo-jumbo.

I heard that many people especially in the US do not have a problem with giving their information to some private companies as long as the government does not get it. The logic of that fails me because information can be misused everywhere. But even so, keep in mind that the EA privacy declaration also contains this passage:

To enforce legal rights and comply with the law, or to comply with an order from a government entity or other competent authority, or when we have reason to believe that a disclosure is necessary to address potential or actual injury or interference with our rights, property, operations, users or others who may be harmed or may suffer loss or damage, we may also disclose personal information to law enforcement, or the appropriate civil authorities when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our site.

Note that the entire paragraph is one long setence so that it's hard to follow it through. But as I read it, it basically says that they can give your info to anyone whenever they want to. All they need is some far-fetched reasoning that someone might suffer damage or their own rights may be affected.

So you should assume that whenever some government institution talks to EA about you, they will get whatever they ask for.

Of course, EA is just one company using DRM but I cannot check them all. You still believe that DRM is anonymous and safe?

Myth: Games with DRM are owned by you

Formally yes, technically and practically no. You pay the full price for a game and then it is just rented for an undefined amount of time. The publisher can prevent you from using this game whenever he wishes. In fact, the game is still owned by him. You just paid for it.

Now, rent-a-game might be some interesting thing but only if the price is correct. Would you rent a car for 40,000 dollars? Probably not because for that price you can just buy one. If the publisher wants me to rent his game then the price has to fit that. Let me pay just 5 or 10 Euro a month and I'll think about it.

Of course, this will never happen. Because the publisher knows as good as you that DRM can be cracked away and a lot of people would "rent" the game for 10 Euro, crack it and use it for a lifetime. The fact that this business model is not practised anywhere proves that publishers know pretty well that copy protection in general and specifically DRM does not work and is in fact used for other purposes.

Myth: DRM is necessary to prevent that the game will be on the net before its official release

If you encrypt (in a cryptographically secure way) key components of the game on the gold master which you give to the DVD pressing plant and only release the decryption key on your DRM servers upon release - yes, then DRM can protect you as publisher against leaks in the pressing plant or retail chain. So why is this a myth? Because DRM can do that but it is not necessary to use DRM for that. There are several other options to prevent such a leakage.

For example, you can encrypt the components with a (secure) password which you then publish on your website on the release date. There is no need to use DRM to tie the copy of the game to an individual customer and/or PC. One password for all buyers would be enough to prevent leakage of the game before release - as long as you keep that password secret. After the official release date, you can publish it everywhere. There is no need to keep it secret anymore. If you want to make it comfortable for the customers, you can write an installer that looks that password up on your servers. But once it is published, a buyer can write the password down on a piece of paper and put in the game's box. Then he can use it even ten years later on a new and different PC to install his game.

A more effective approach - in my opinion - would be to simply make sure that the pressing plant does not leak the game. If the publisher makes a contract with his plant so that the plant can file for bankruptcy if an employee leaks the game, they will surely take the necessary measures to prevent that. How can the publisher prove that someone from the plant leaked the game? Simple. A trusted third party (i.e. notary) can put a secure watermark on the goldmaster and hand that copy over to the plant's representative.

And is it not possible to insure oneself against such a leakage? If copies on the net before the release are such a problem, it would seem more than natural to me that a publisher gets himself an insurance policy for that event. Then he has sold the risk and does not need to fear it anymore. It is the problem of the insurance company to make sure the pressing plant does not screw up.

Myth(?): DRM is necessary because it prevents second-hand trade which harms the publishers business.

That is not really a myth, I think. That is the true purpose of DRM in my opinion. You may think that it is necessary for you to accept this because the poor publisher would otherwise go bankrupt.

First of all, why should this be your concern? Does the publisher give you a discount on his games when you are in financial need? No? Then why should you help him?

Publishers have tried (very successfully) to lull people into believing that they do not own the games. This is not true. I can only speak for Germany, again, but here, you own the volume. That is because any other form of contract (like rental, contract for work or service) gives the customer much more rights than a simple one-time purchase. Publishers could be held responsible for bugs in games and somesuch. They wanted the sales contract because that is the one with the least obligations for them. That means you own the disc and you have the right to sell it whenever you wish.

The publisher cannot choose the sales contract because it is the best choice for him and then wind himself half way out of it. All or nothing. If he does not like it he must offer other kinds of contract or change business. He can always trade in bananas if he thinks that games don't wear out fast enough.

It is our right to sell the games we bought. If you think that is bad for the publisher then simply don't do it. But let others handle their own affairs as they see fit. If a publisher really wants to prevent people from selling games there is a very simple and very legal way to do it: Create better games. Don't churn out "Kleenex games" (use once, throw away).

Myth (?): DRM is good for managers because it raises their income.

That again is not really a myth, I think. It's one of the real reasons why DRM is really used.

As I mentioned before, having total control of how and when your customers can play their games is a valuable financial asset.The new game does not sell as well as you hoped because everyone is still playing the version from the year before? Just shut off the servers for the old version and force people to buy the new one. Or whenever you get into financial trouble, you can change the DRM model and charge people for game usage or additional functions. You do not need to develop a new product but can instead turn the old ones into a new source of revenue. Money without actual work, who would not dream of that?

Sure, it might hurt your reputation to "abuse" the DRM system like that but that can always be bought back. That's what marketing and PR are there for.

Note one very important fact: It does not matter if the publisher really intends to do this! All that matters is that he can do it.

In the eyes of potential investors, this reduces the investment risk because the company is less likely to go bankrupt. That raises the so called "shareholder value", the perceived market value of the company (which does not necessarily have to be equal to the real market value). The stock prices go up and the executive manager who has decided upon DRM will get a nice bonus for that. If people protest, he will just increase the marketing budget and place a few more ads with half-naked women on them or something like that. Contrary to the bonus he gets for using DRM, the money put into marketing is not his own money. In the end it's the money of the stock holders and, hey, they wanted it this way.

If you were an executive in a publisher, would you not spend other people's money to increase you own income?

Page Actions

Recent Changes

Group & Page

Back Links