 Well, hello everybody. I'm Jonathan Zittrain. This is Cory Doctorow. The zero thing to do is to give you a warning that this is being recorded, transcribed, webcast, et cetera, et cetera. So anything you say can and likely will be used against you in the court of public opinion. And Cory, we are so pleased to have you back at the Berkman Center. You were just pointing out it's been over a decade since you visited. Nothing really has changed in the intervening time, but we'll come up with some stuff to talk about. Well, they got rid of the blink tag since then. That's a victory for the good folks. And I guess by way of introduction, I guess I would describe Cory as a true polymath, an entrepreneur, a writer, fiction and nonfiction, somebody with kind of academic values, somebody with a compass who has a clear vision of various futures and which ones are preferable to which. And I don't know if you'd want to be described as a spokesperson for anyone. I saw on Wikipedia you're listed in a genre of post-cyberpunk. So that's 10 years we've gone from cyberpunk to post-cyberpunk. I was in an anthology called the post-cyberpunk. I thought actually probably two now. So I think that might be where that comes from, but those are just marketing categories. And as we know, everything is miscellaneous now. So says David Weinberger. And we're probably ready for the post-post-cyberpunk. Actually, I just read a science fiction novel that unlike the science fiction of the 80s, which was largely about people who grew up reading science fiction. The protagonist was always someone who grew up reading science fiction. This was a science fiction novel about someone who grew up reading science fiction about people who grew up reading science fiction. That was beautifully reflexive. Yes, yes. So you've chosen to title your presentation today Kill All DRM Within 5 or 10 years? 10 years. Hence Apollo, Apollo 1201. We do this not because it is easy, but because it's hard. Very good. 
So this is your moon shot. And Cory had planned to sort of possibly be ready to do kind of an opening lecture of sorts. But we actually decided we're going to just start and continue conversationally. And he'll get the points worked in. And we've got a great brain trust in this room. And we'll find a way to make it conversational quickly. So maybe we should just open with having you unpack that very gravid title. So I'll start with the why and then move on to the how. So the why is that what had started as a pretty cabined off original sin, which was saying, well, if you have a thing that you use to entertain you and someone has designed it to only entertain you in some ways, that we're going to make it a felony to figure out how to be entertained in other ways. So if you've got a DVD that's only supposed to work in Europe, we're going to make it a felony to make it work in America. And as bad as that was and as much as that was a ripoff, it seemed like it was pretty thoroughly contained. But a funny thing happened on the way to the 21st century, which is that the distraction rectangle in your pocket became something beyond a thing to throw birds at pigs and also became a distraction rectangle who knows who all your friends are and everything you say to them and has a camera and a microphone and you discuss sensitive things in front of it and take it into the toilet and the bathroom and it knows how to get into your bank account and talk to your doctor. And we've made it a felony to do stuff to that device to change or inspect its workings. And because any flaw in that device is a thing that would help you jailbreak it to let you do stuff that's not permitted, pointing out those flaws has also become a felony. 
So if you read the 1201 docket at the Copyright Office this year where they entertain suggestions for exceptions to this rule, we heard from people who said, my tractor won't let me drive it because it has a lock on it and that lock protects the copyrighted software in the tractor. And people who said I have decided to take the risk of taking five years off my life as a type one diabetic and I'm going to stick myself and take my own blood assays rather than wearing an insulin pump because I looked at the source code on this thing and while it's a felony for me to tell you what I found, I think that you could kill me in my boots from 30 feet and so I'm not going to wear this insulin pump and we heard from people who worked on voting machines and cars and we've seen lots since. And you know, the thing is that if you can felonize changing a device's configuration, there's lots of business model opportunities and as computers have gotten into everything, those business model opportunities have become increasingly tempting. So you may ask yourself why does John Deere care if you jailbreak your tractor? Well tractors have got torque sensors on their wheels that do centimeter accurate soil surveys while they go around the farmer's field. That information is not copyrighted nor copyrightable because it's factual but the module that you have to break to get into that data is also a module that protects the operating system which is clearly a copyrighted work. And so Monsanto won't let the farmer see that and it's a felony to try and see it on your own and what Deere does is they sell it to Monsanto. So the farmer doesn't get it but Monsanto does and Monsanto will sell it back to the farmer in a package with their seed. But that's only like the kind of the mustache twirl of the evil plan. The full pinky beside the corner of the mouth is that they have insight into entire regions likely coming agricultural yields and they use it to play futures markets. 
So it's kind of a 10 figure bet on a new line of business for them and you can kind of see this rippling out through the whole world of internet of things. Computers are everywhere. We're more and more devices that are more and more critical to us are covered by these TPMs that are a felony to remove and we therefore can't discuss the security dimensions of those and that's a huge problem and we're doubling down on that problem every day. So TPP's Intellectual Property Chapter leaked this week. Yesterday Motherboard had a great article on one dimension of that which is that it has an obligation on signatories to allow for court orders that order the seizure and destruction of circumvention devices. And so that's a requirement. Every legal system under TPP must have that and then they may have an exemption for security and what we know about those musts and mays in Intellectual Property Treaties and Trade Agreements is the musts always get implemented and the mays almost never do. And so all those tools that were used to find the flaws in the voting machines and the cars and the tractors and the implants are all going to be things that are liable to seizure and destruction. So that's the musts. Now that's the why, the what is how we're gonna get rid of the 1201 and all of its analogs around the world is through the kind of Larry Lessig theory of change which is that the world is driven by code, law, norms and markets. So the law part is that there are lots of people who violate 1201 all the time in the normal course of their security research and it's the love that dare not speak its name. So people don't talk about it in public fora because they don't wanna get clobbered for it and when they do talk about it the industry gets to decide who they sue and who they don't. 
So when Ed Felten breaks music DRM, they send a threat to him but as soon as they realized who he was they not only rescinded the threat they covenanted never to come after him for breaking that DRM because they can afford to just not have jurisprudence made where it's likely to go the wrong way. I love the theory that Ed Felten has diplomatic immunity. That's right, yeah. I mean one of the plans for getting rid of 1201 was just to just identify every noxious TPM and just have Ed break it, right? That's like, it's the Ed Felten plan. It's like getting Superman to sort of solve all of your problems for you but we have a more scalable solution. So the reason we've never been able to challenge 1201 with the right facts is because the only way to bring that challenge is to get sued and getting sued is not a thing you get to choose and everybody who used TPMs was playing an iterated game where they could afford to let one TPM go because they needed the rest of them. But you look at Deere. Deere has one TPM and if it doesn't work, they don't need the DMCA. So we now have a target rich environment where someone who's got the right facts who goes public with them in a way that threatens one of those businesses is likely to attract litigation from a party who doesn't care if losing destroys the DMCA because they don't need the DMCA if they can't use it in this one instance. And so I think we're gonna attract litigation. And over the 10 years that that litigation proceeds we're gonna do the norms, we're gonna do the code, we're gonna do the markets. So once the DMCA is non-determinant, once we don't know whether it's gonna be legal or not legal to jailbreak, we enter a zone where people who have an appetite for risk can think about making investments in technologies that jailbreak other technologies, right? People who make third-party inkjet cartridges for the entire Internet of Things. And the reason that companies use TPMs is to command monopoly rents, right? 
It's to charge extra for service and parts and to charge extra for consumables. And so every one of those markets is an opportunity that someone else can unlock. You know, as Jeff Bezos once said in a remarkably candid moment to the publishers your margin is my opportunity. And if we can get firms to start those businesses then we enter a zone that looks a lot like the VCR fight. Where in 76, nobody knew what the VCR was gonna do to the film industry. By 84, there were six million VCRs in the field. The judges had all seen and used VCRs. And when you go to the Supreme Court and you say the VCR is the Boston Strangler of the American film industry, you just sound like an idiot. And so we have 10 years on the way to the Supreme Court to get lots of firms to start lots of equivalents to the VCR, right? Lots of things that jailbreak that command, that create businesses that do good things for the public. Remember that service and repair are three to 4% of the US GDP. And it's intrinsically local and SME oriented because you don't send your phone to China to get it fixed and you don't take your car to Mexico to get it fixed. It all has to be onshore and local to you. And so all of those businesses will spring up and they will all be an opportunity for us to show the sky doesn't fall. All of America's international trade partners who now have 1201 equivalents because the USTR is patient zero in the 1201 infection and has required all of America's trading partners to have it, every one of those has effectively a suicide pact with America. We will force our industry not to do this profitable line of work because America won't either. And once America starts doing it, every one of those countries is ripe to change their own laws because suicide pacts are mutual. If the other guy's not gonna jump off the bridge, why would you, right? 
And so activists and industry in all of those countries can pick it off and by the time we get to the Supreme Court, the USTR won't be able to say you're gonna make us breach our trade agreements because those obligations will already be dead letters thanks to the repeal all around the world. So that's the normative and the technical and the market-based way that we're gonna solve this. Wow, so. Thank you for that incredibly high signal to noise ratio presentation, which I think some people are probably like, yes, and others are like still unpacking it and Googling various acronyms that you've used. But it's wonderful. Let me just back up a second. Starting with the observation that I think I've never seen anybody so thrilled and excited at the prospect of 10 years of litigation. Especially when there's no prospect of money at the end of it. You're like doing this to strike down a law. And of course the law you've been talking about is a part of the Digital Millennium Copyright Act of 1998, section 1201, which, put somewhat crudely, makes a felony, among other things, hacking certain systems that contain material covered by the copyright statute. But let me ask you a more theoretical question and a big picture because you're not just wanting to eliminate a law that makes a felony the act of hacking a system that protects copyrighted materials for one reason or another. Especially when a lot of the mustache twirling you point out isn't because the hacking would be to get to copyrighted materials. The copyrighted thing is just a hook to hang. Yeah, in fact in DRM standards bodies they call it the hook IP. It's the thing that you hang the restriction on. Yes. So, but let me ask you then a more theoretical question because do you actually want to eliminate all DRM? The ideal world you would see one in which basically companies putting products out cannot encrypt their OSes, their data, having that all be affirmatively visible to and possibly writable by the user? 
Is that the world you're wanting? So, I guess that's the part that I usually gloss over because I take it as a given that DRM doesn't work, right? So like normally you have Alice and Bob and Carol, right? And Alice and Bob assume that Carol can see their message in transit and know how they scrambled it because you don't make up your own ciphers, right? For the same reason you don't make up your own physics to calculate the joist strength in this building, right? I hope so. Well no, I really hope they didn't, right? Like if you saw a firm of engineers who are going to renovate your house and take out some walls and put in reinforcing steel joists and they said we have proprietary math that we use to calculate the load stresses. Don't hire that firm of engineers, right? Because your building will fall on your head. We have like one methodology for figuring out whether something is true and that's peer review. And so it has to be non-proprietary. So Alice and Bob assume Carol knows how they scrambled the message and they assume that she can get a copy of the message because it's going over the public internet over a satellite or whatever, right? So how do Alice and Bob keep a secret from Carol? Because they have a key and Carol doesn't. And if the ciphers are good and we think the ciphers are good, then with the key, Carol will never ever be able to extract the data, right? She'll never be able to render a clear text. That's awesome, right? The distraction rectangle in your pocket doesn't just throw pigs at birds. It can also scramble a message so thoroughly that if every hydrogen atom in the universe were a computer and it did nothing between now and the universe running cold but guess keys, it would run out of universe before running out of keys. So the ciphers, if they work, they work and- That's called excellence. That's a high quality cipher, right? And so what we assume is that Carol doesn't have the key. 
But the DRM model, which the simplest case is Netflix, I send you a movie. I send you a secret to decrypt the movie. I don't want you to make a player that has a save button. And to make the player, you would have to get that secret and then you could very easily make that player. And so I've hidden the key somewhere in the player that I gave you. That model doesn't work because it's just Alice and Bob, right? Like, Alice has a thing, Bob has a thing he doesn't want Alice to know and then Bob tells Alice. So far I hear you saying that there's kind of a theoretical problem in digital rights management. Namely, it's not just keeping a secret between two people which is something that you think can work and is very important to preserve for individual freedom but trying to keep a secret between a company and 10 million consumers, showing them a little bit but not the rest, that that has structural problems. So let me put it this way. You cannot give secrets to people you're adverse to and expect them to remain secret, right? I mean, that just seems tautological. Like, you also can't put safes in bank robbers' living rooms. Like, it doesn't matter how good the safe is. But this is getting to my question then. It's not as if safes don't work. And safes really are about keeping stuff away from third parties. That's not an Alice and Bob configuration. Even though, again, you don't leave it in the living room of a robber, but safes still work. And the way to invoke Larry again, and it's funny, I thought that Larry's method of social change is going to be run for president. That's right, version 2.0. Yeah, right. So you heard it here first, folks. That's right. He's gonna run for president. The first foreign-born president since George Washington. But I guess my question, though, was if Larry once said small fences can keep in large mammals. Right. 
And so DRM can, in fact, be good enough for corporate purposes in that people like you and maybe people with stickers on their laptops are going to figure out how to see the deleted scenes they're not supposed to see without paying for the movie. But 90% of the people are gonna stay within the lines. That's kind of the iTunes story, isn't it? The problem is break once, break everywhere. So if I figure out where the key is in Netflix, I can make a player, and that player is, to all intents and purposes, better than Netflix player. The reason it's better than Netflix player is that nobody wants a Netflix without a Save As button. They may be indifferent to whether there's a Save As button, but nobody woke up and said, I really wanna find that Netflix client that I'm sure doesn't have a Save As button. And so once I can distribute my tool, the fact that there's another tool that's inferior to it that's floating around out there. So there's two possible models, right? One is that Netflix doesn't need DRM at all because everybody only wants to stream. And then there's the other one, which is that there are enough people who don't wanna stream and wanna save their videos that it's an actual existential crisis for Netflix. If the first case is true, then we don't need DRM. And if the second case is true, then DRM won't help them. And yet, when you present this argument to them, I suspect they're not like, you're right. No, what they say is, well, that sounds right, except our studio partners don't like this, right? And then when you go to the studios, they say those eggheads know how to do this. They just don't want to, right? And I've heard variations on that argument a hundred million times in standards bodies and in treaty-making bodies and everywhere else. 
But also this argument maybe had its apogee in 2002, 2004, basically pre-rectangular device that distracts you because it's when we happened to have, through historical accident, general purpose computers for which, as you say, crack once available anywhere, all you have to do is double click on the hamster icon and we're off to the races. That's harder to do these days, given that the platforms we run are mediated by app stores and our services rather than products because they can be, because there is saturating network so that something can be withdrawn from an iPhone. You can land in China and your Apple news app stops working because China told Apple it had better. So another way of saying that is you land in China and your news app stops working because you can't buy a news app from a company that hasn't made promises to the Chinese government because there's DRM that stops you from installing a second software store and not like I went to Cydia and I found this elaborate jailbreak and I got it, but like I was at Walmart the other day and hanging in the point of sale was a free dongle that you plug into your phone that auto-jailbreaks it and installs another software store that has gone out and cherry-picked the top 10% of ISVs who sell into the iTunes store and offered them a 15% instead of a 30% commission. This dongle does not exist, correct? The only reason it doesn't exist is 1201. And if 1201 wasn't there, that dongle would be in the point of sale at every retailer. And now just popping up through the stack to my original question, that's the world you want. And your point when you said you gloss over whether every manufacturer should basically be required to share everything freely, you say you're kind of indifferent to that because so long as you get rid of 1201, de facto the market will push that anyway. Yeah, I- Don't mind the arms race, you're like, yeah, no, no, no, I don't want to have compelled software manufacturing standards, right? 
Where you're not allowed to put DRM in. I just don't think that that dimension or that decision takes on a new dimension where programmers who report security vulnerabilities in your product can go to jail. That's why it's an ethical decision, right? That's why it has this ethical legal fraught dimension. The decision to make dumb commercial choices, right? To put anti-features in your devices is one I may argue against as a kind of normative question. I don't think we need a law against it. But the reason you don't think you need a law against it is because of the contingent fact that Walmart will offer dongles that crack everything so long as it's not against 1201. Yeah, yeah, yeah, I mean, ISVs hate being tenant farmers in Apple's store. ISVs being independent software vendors. You know, if you look at like the top 10 games in the Apple game store, they haven't changed, the manufacturers haven't changed in five years. There's one business model to become a game seller into the iTunes store or to the App Store, and that's to get bought by one of those five companies because they have a lock on the distribution channel and on the marketing into that store, right? Everybody except those five companies who makes mobile games hates Apple's store model. And every one of them could end up in a different store with different characteristics for different kinds of marketing. And if it turns out that Apple store model where you get this thing where only five companies are allowed to make games for mobile platforms for the rest of time is the one that people want. I'll be disappointed, but at least we'll have a means to change it that doesn't involve risking criminal prosecution. Your argument still depends on kind of a difference between server and clients. And by that I mean way back in the day when Captain Midnight hijacked HBO for 20 minutes. 
And I think just had a screen that said Captain Midnight instead of HBO, which was slightly better received than what was showing at HBO at the time. My guess is you'd be okay saying that's not okay. Yeah, sure. And my question about server and client is to the extent that you can start to stream everything. You can stream the data, you can stream the service. The colloquial notion that you lean on of once you've got something in your custody, the idea that if you take a soldering gun to it and a digital equivalent you could go to jail seems crazy, you're in your shed, you've got it in your mitts, you've paid for it, you own it. But if it's more and more a service and in order to effectuate the hacking you're talking about is not a dongle in the phone, suppose the phone is just completely a client and all of the action is happening at apple.com for which now no dongle makes any difference. You've got to hack apple.com to allow those extra. Or run another server and then change the phone so it trusts your server and not a third party server. The idea that I have to, that I can't know when do it. That's why Facebook is facing such competition from Diaspora. Well, so there are other factors, right? And it's like that line from the Woody Guthrie song. Why did Joe Louis join the army? There's plenty of things wrong with America but Hitler won't help him, right? Like Godwin in one, there's plenty of things wrong with the way markets work. But having a mechanism whereby firms who take this like minimal technological step can sue and criminalize anyone who can see them. I get it. That's your strongest base. Right? So one of the problems with Facebook is CFAA. 
And once we figured out how to kill 1201 or maybe a parallel fraud and abuse act which criminalizes breaking license agreements even if they have unconscionable terms even if they're not negotiated otherwise not, wouldn't rise normally to the threshold of enforcement by the person who imposed the agreement on you but may rise to the threshold of enforcement once the government agrees to pay the bill to enforce your EULAs for you. So if you were making a Diaspora that was genuinely adverse to Facebook and was able to violate its EULA you could do things like crawl people's walls. Import all your friends. Import all your friends and their updates. And you would like to see that possibility which also means though... That's a CFAA thing. Bad folks that could crawl Facebook and steal all your friends' data or something. I would like maybe some principle where, let me think, how would this work? So I don't work on CFAA because it's a whole different set of issues. There's only one of me but as a Gedanken experiment like how would you construct a statute? You would say, okay, so the data that you generated is a thing that you have an affirmative right to and you have the affirmative right to use a tool that can extract that data from a third party who won't give it to you if you ask nicely. And that third party loses a cause of action provided that they can't show material damages from the extraction. So in other words, if you didn't crash their servers repeatedly in a way that cost them a lot of money. Like I think there's some wiggle room in there and it's like I just thought that up now. But I think that's not a terrible. And probably the theoretical answer rather than the practical answer and I expect you're trying to practical one to the question would just be stuff that is raining on Facebook's parade shouldn't be a big deal. Stuff that maybe ruins the user's privacy or experience is something you'd be ready to protect. 
Sure and I think that I firmly believe that markets have a place in enabling speech, right? Like I am able to make a video but I'm not able to make a YouTube and I believe that people make YouTubes in part because of commercial impetus. We may be able to do it over time also in non-commercial ways. So I don't think we... Can you say make a YouTube because often when people say YouTube. No, I mean video. You mean make a YouTube. Make YouTube, yeah. So that like Venn diagram of everyone who has a video to make with everybody who can make a video hosting service has a really small intersection. And so without some mechanism whereby we can expand the size of that intersection, right? People have access to tools like YouTube. We will limit speech, right? So we need to have commercial actors that host things and so on. I think that what we see in computer law is a microcosm of wider problems of laws that favor and compensate and firms at scale that are redound through lots of other areas. And I've said a lot that like I don't believe in saving the internet because I think the internet's the most important thing, right? Like we have climate change and we have pandemics and refugee crises, all of these being related. But the way that we're gonna fight those fights and the terrain on which they'll be won or lost is on the internet, right? So that's the only reason really to care about the internet is because of all the fights we'll win or lose on it. We should open it up. And I've just kind of worked to try to establish the boundaries of your thinking, where you're, what you're calling for, what you're not. But let's open it up to brief comments, questions, thoughts. We have a microphone that you should wait to arrive to you so it gets on the webcast. Wow, this is the- Well, I understand that it was all like really self-explanatory and not controversial. Let's let the lawsuit begin. And feel free to tell us who you are. Hi, my name is Eric Skase. 
You've written a book recently under this environment that you describe. It sounds like the book could be digitally distributed by anybody who cares to. And you potentially would receive no compensation. How is that the environment you really want to see? Or what happens to authors in general? I realize you intended this if not a hardball, a medium ball. I think it turns out to be a softball, but go ahead. Yeah, so I don't know if you know this, but my first novel was the first book ever distributed under a Creative Commons license, simultaneous with its commercial publication. This dog food you're eating, you realize it's dog food. And over the last 12 years, I've published something like 24 books under various CC licenses and free distribution licenses. I've had multiple New York Times bestsellers in that time and just drew, I think, my fifth six-figure advance from a major commercial publisher. So I feel okay about that proposition. I guess the thing is that there's a kind of realpolitik. So going back to hiding keys in devices that you give to adversaries is no good. And that means, and break once, break everywhere, means that anything, any book of mine, any book that is popular that you want to read for free, regardless of whether it has a CC license, and regardless of what happens with 1201 in the future is today in the world in which you can go to jail for five years for breaking 1201, is today available for free without DRM because someone's cracked it and put it online in about as many clicks as it takes to buy it. And so every single payment made for a book is in some sense voluntary. Voluntary, yeah. And so if you're gonna make the case for voluntary payments, there's kind of two things you can do. There's a carrot and there's a stick. And the carrot is, I'm a nice guy, you wanna support me, a bunch of normative propositions, right? Like you like my art, I like you, we're all in this together. And then the stick is, I'm gonna put you in jail, right? 
Or cost you your kid's college fund if you are entertained by my books in a way that I don't like. And the carrot and the stick are antithetical to each other. And I think that there's a lot more potential dividend from the carrot, energy in, dividend out than there is from the stick. I think the stick has been like pretty unsuccessful. And I think like the empirical research on this supports it. Like market propositions that seem fair seem to really take a huge bite out of piracy, right? Like streaming services have been amazing for piracy. Even though they have DRM and even though there's lots of things I don't like about them and even though they have unfair compensation schemes and even though they deal with the big four labels and the big five publishers at the expense of the artists whose work those publishers control, nevertheless those streaming services have been hugely successful at reducing piracy. Whereas suing 19,000 music fans like didn't stop music piracy from growing ahead of the rate that the internet was growing. That's interesting. This gets back to small fences keeping large mammals because we're trying to figure out whether it's a fence. You're saying it's like a suggested line. No, I don't even think it's that. I think the only reason that they use DRM is because it stops people from making services that compete with them. All it does is stop someone from building a Metastreamer that lets you subscribe to five of them and get the one that's free here and figure out how to beat the geo wall there and do whatever, right? And also skip the ads, right? Like that's what they want DRM for. So that's small fences keep out large shepherds. You're actually thinking that the mammals are- We are headed into a tragedy of the commons and whether or not the sheep can be made to shit grass. Which is the Napster model, right? That's funny. I thought the metaphor was overextended even before you said that. I don't know about shepherds and mammals. 
I think that this is that maybe this is T. Boone Pickens and the poor country lawyer talking about how he's just a shepherd with some mammals when really he's big agribusiness. But I'm, it is, it does call to mind John Perry Barlow's amazing Wired article in like I think the second volume of Wired, 1994, called The Economy of Ideas, in which he took a grim joy in dancing on the grave of the content industries as he projected out what the digital revolution would do. And the way that you were describing how you've had perfectly good success opening up the books voluntarily rather than waiting for them to get cracked. He was talking about the Grateful Dead model of collecting all sorts of money from live shows rather than having to confine the use of the music. Now there are bands that don't like to tour. So yeah, there's two rejoinders. One is what if you don't perform live well and the other one is you're an outlier, right? So what if you don't perform live well every technological era because the entertainment industry, industrial activity related to entertainment is always technological. That's the part that makes it industrial as opposed to just sort of standing on a corner declaiming stories. The industry is the printing press, the telegraph, the telephone, the TV, whatever. That's the industry part. Every technological era has favored different characteristics when it was all about live stage performance and the technology was a microphone and a proscenium and a door with a lock on it that you could use to exclude people who hadn't paid for tickets. The thing that it favored were people who had virtuosity or who had charisma, not necessarily virtuosity, right? People who... So the point there is there's no baseline that is in... Right, there's no artist who gets... 
So all of those artists who couldn't, who weren't charismatic but really rocked with their axes, those artists got careers as recording artists largely at the expense of a lot of aliens who had a great show but it didn't carry on... For which you're like, given that there's no baseline... Yeah, I mean, is the job of entertainment policy or communications policy to ensure that last year's lottery winners go on winning the lottery forever at the expense of next year's potential lottery winners or is it to just make sure that we have a plurality of media produced by the largest plurality of artists and the largest plurality of formats for the largest plurality of audiences? Whereas Eben Moglen once said and then denied ever having said it, he said the cultural, economic and legal circumstances that produced the Egyptian pyramids haven't obtained for several thousand years but there was a set of circumstances for which that was the sensible thing to do. You don't have to go back to Egypt. You can go to the first copyright fight which was the Protestant Reformation, right? Cathedral, one church let cathedrals get built, right? Diffuse church which arose out of the printing press and copying and copying without permission at the expense of and against the wishes of the most powerful, important people who built all the most beautiful things in the world resulted in lots of wee kirks, right? And that was a different world and cathedrals are an unequivocal good. We still visit them today. Who would roll back the Protestant Reformation? Now, from the sublime to the ridiculous, can I ask, can I just mention the outliers? Everybody who succeeds in the arts is an outlier. Take all the people who funnel into the arts, like everybody who ever bought a guitar and thought, someday I'll earn my living from this and compare the other end of the funnel and it's a Six Sigma event, right? It's such a hopeless crapshoot that anybody should just figure they did. 
And when you look closely at every successful artist in every successful moment, every one of them was an outlier in their own way. Every one of them made things that were distinct. There's no uniform, perfectly spherical artist on a uniform density on a frictionless surface, right? Like the artists are all, they are all the coins that fell all the way to the bottom of the very long staircase. I was going to ask about HTML5. Tim's ears just grew points. So, how can we unpack that briefly for a general audience? Sure, so there's a question, and Tim, you can tell me whether this is a fair version of it. So, some of the media companies and some of the browser vendors have asked the W3C to begin standardizing means by which technical protection measures can end up in browsers, as a standardized way to avoid some of the problems because making DRM work is really hard because it is by definition, like kind of trying to avoid, trying to stop people from doing things that they want which means that when it goes wrong, when you try to troubleshoot it, it actually like works against you. And anyone who's ever used TPMs and DRM knows this, like one of my co-editors on Boing Boing this week configured his iCloud wrong and took too many attempts to try to get it right and all of his media is now locked out for the next 90 days. And this is like a common thing because the DRM thinks that you're, the reason for DRM is that the vendor doesn't trust you, so anything you do that's unusual like escalates the thing. And so DRM is really hard to get right and hard to make work across multiple platforms. So there's this project underway, EME, Encrypted Media Extensions, that's gonna be baked into HTML that if it goes forward that will in theory make this easier. But the problem from my perspective is not whether people make DRM or don't make DRM. 
The problem from my perspective is whether that makes browsers into products covered by section 1201 of the DMCA and therefore reservoirs of long-lived vulnerabilities. And if the idea of HTML5 is to replace apps and native code with interoperable bytecode that allows us to control everything from pacemakers to cars so that we're not in app silos anymore, then what that means is that the user interface for your HVAC system and your implanted defibrillator will be a covered product presumptively if it's using HTML5 to organize it. And I have a proposal that I've taken to the W3C with, it must be said a fair bit of welcome and I think we're moving forward with it and if any of you are involved in the W3C and wanna work on this with me, I'd be very happy to talk to you that I think solves this problem. And what it is is it's a covenant or at least solve some of the problem. It's a covenant on the part of people who participate in standard setting for DRM at the World Wide Web Consortium through which they promise not to bring actions under 1201 or its international analogs for people who implement browsers or for people who report vulnerabilities and make tools that demonstrate vulnerabilities to browsers. So you don't have an upstream problem with a framework as part of the web to have a channel for DRM to happen. It's just the 1201 piece. It's the 1201 piece. I would argue that browsers would be better if they didn't have that but I also think that browsers that do have that will very quickly have defeat devices made for them that get around it and all the negative consequences of that being in the browser will go away. I think that designing devices to attack their owners, which is to say refuse to do their owners' bidding is a bad idea, not just like on its face but also because to make that happen you must perforce design systems that obfuscate their workings from their owners. So if the owner says like, is there a process running called HAL9000, 
I can't let you do that Dave, dot EXE? The operating system, if it says yes there is and here's its process ID then the owner will every time they try to get their computer to do something that they think is legitimate and the computer won't do it they'll just kill that process. And so you have to have some mechanism. That's a safe with the robber where all the robber has to do is delete the safe. That's right. And so where the combination is written underneath it. So you have to have some way whereby the operating system can be made to detect whether it is talking to the owner and when it's talking to the owner in some cases it gives unreliable answers to questions about what files are in its operating system or what processes are running on its processor. And I think that's a bad idea for malware reasons. The Sony rootkit in 2005, they distributed software on audio CDs that was supposed to block you from ripping CDs. And the way that it did that is it ran a program that checked to see if you were ripping CDs and if you were it would try and stop that program. And to stop you from deleting the thing that watched for CDs, they changed your operating system so it could no longer see processes that began with the string $sys$. So if that string was there your process manager in your file system would no longer see those files. And so if you said is there a program running called no CD rip, $sys$nocdrip.exe, your computer would say no even if there was. And your claim again is the only way to implement DRM in the absence especially of 1201 is to have to resort to increasingly baroque tricks like that. Yeah, you have to hide what the computer is doing. Because otherwise you say there's the Walmart dongle or its equivalent. Yeah, I mean there's a difference here between an are you sure dialogue and I can't let you do that dialogue. 
The are you sure dialogue if it says like if the answer is no and no then you will find or source or make a bypass for that are you sure dialogue. But the I can't let you do that Dave where the only answer is cancel is one that is a different model. You have to be adverse to the user. So what happened with Sony was virus writers started writing viruses that were prepended with $sys$ because there were 300,000 computer networks in the US government and military that were already infected with the Sony rootkit and their antivirus software would no longer be able to see this, right? So like we exist in a hostile technological environment where many people are adverse to our interests who are criminals or spies, right? And we want our computers to tell us what our computers are doing so that we can figure out if those computers are operating on our behalf. It is funny, I think at the end of the day even Sony agreed that the entire incident was regrettable and not an example of best practices. That was after the FTC judgment though, right? Like before the FTC judgment, the CEO of Sony, because it was just the 10th anniversary. My guess is that the Sony people once like the people in charge found out what had happened. Oh no, no, no, no, the CEO of Sony at the FTC hearings said most people don't even know what a rootkit is. What's the big deal? After the judgment, he was like that was a regrettable incident. Right up until the judgment, he was like you don't even know what a rootkit is. Why do you care if you have one? Your claim is that Sony found the judgment regrettable. Yeah, I think that's right. Well, and evidenced by the fact that they sued a bunch of firms and individuals who jailbroke their stuff later. Yes. Reactions either to this or more generally, Ed, you've got the mic. Or you've got the mic. I've got the mic. I've got Christian Murthy. So you've said the magic words defeat device which had me think of Volkswagen. I screwed it. 
And that talks to the problem of companies doing things that are adverse to the interests of their consumers. The one thing I haven't heard in your talk though is what do we do in the internet of things world to prevent attack, right? So one could argue that encrypting source code is a good thing because it makes it more than trivially difficult for someone to interfere with a mission critical system. I don't know what penalties we need to back that up with but what would you propose as a solution to that problem? Oh, I think encrypting source code so that the owner or user of the system can see it but third parties who are adverse to them can't is a great idea. I just think that encrypting source code so that the person who owns the system doesn't have the keys is a terrible idea. I totally agree. And I think that if you look at VW, what VW had going for it was that it was a felony to get into the CAN bus and figure out what its emission system was doing. That's also why GM has, it was Ford rather, had all these cars where you can defeat their keyless fob entry systems with a $15 defeat device and that's why Chrysler was able to field 1.4 million cars that they subsequently had to recall that can be remote controlled over the internet. You were saying implicitly then, possibly about to be explicit, that if there weren't a 1201 barrier to really trying to interrogate that key fob, the result would be a stronger key fob. Plenty wrong with the world, but Hitler won't help, right? It's still hard, like we know this from OpenSSL, it is still hard to find flaws in technology that you can audit. I don't think anyone seriously argues that it's easier to find flaws in code you can't audit though. Which does possibly mean that DRM would get stronger if there weren't the legal protection because it would have to be all technical protection but you say DRM doesn't work. 
I mean, that's like, so like I have chronic low back pain and if there was localized anti-gravity devices, my back would feel better. People have made localized anti-gravity devices but every single one of them was a charlatan who made a fraud, right? I was not expecting the answer to go in that direction. The argument that if only they were subject to more rigorous peer review, the anti-gravity devices would get better seems to me to be unlikely. DRM is an anti-gravity device. Yeah, it's snake oil, right? So snake oil doesn't get better with peer review. That's what peer review does is it separates snake oil from things that are promising. Yes. Over here. George Mokre, independent scholar from Central Square. To go back to the tragedy of the unregulated commons, Elinor Ostrom, Elinor Ostrom, Elinor Ostrom. Does she appear now? She's dead, she's dead, but her work lives on and she figured out a lot of ways to regulate the commons so that it can last for a sustainable period of time. So I just wanted to bring her name. Couple of weeks ago, I was at a conference that Berklee College put together called Rethink Music. And Imogen Heap Skyped in from London. And the same day, she was releasing a new piece of music with blockchain, right? And so this conference, Rethinking Music, was all about how do we, what's the business model now that the business model is broken? And they were looking towards blockchain. So this is a coming- So are you violently agreeing with Cory? I don't know enough about this stuff to agree with anyone. I'm just bringing stuff up that I saw happen, that I know is on the horizon, because I was there. So these people from the music industry were looking at blockchain. Next week, this group will be discussing blockchain from what I understand. So could you talk a little bit about blockchain and what that might mean in relationship to DRM? 
So I'm a giant fan of append-only logs maintained by untrusted third parties that we can nevertheless interrogate and reconcile. I think that is a groundbreaking, amazing thing. I think blockchains are really, really inefficient, computationally inefficient ways of doing them. I think they're deliberately computationally inefficient. I like Merkle trees better. If you're interested in that, I wrote a cover story with Ben Laurie in Nature Magazine a couple of years ago about Merkle trees. They're already in technology that you use every day if you use Chrome. It's how certificate transparency works. Way more computationally intensive. It would suck if the only way we could make currency and entertainment and lots of other things work is to burn all the coal left in the ground. So I'm skeptical of blockchain. I also don't know about the currency project. The currency project seems to me to be, to kind of smack of bubblenomics and I don't know what to make of it. Can we be great if the proof of work could be applied to hard problems that people actually need to solve? So there's an underlying problem with proof of work that I'm cribbing from Ben Laurie on here which is that proof of work rests on the idea that the cost of doing the proof is less than the cost of generating the work. Of the work, yeah. So in the case of blockchain and Bitcoin, this is really hard because the cost of computing is highly variable. We have new chips all the time. We have new GPUs. We have new breakthroughs. The cost of the value of all of the Bitcoin is highly variable as well. It goes up and down. And we've already had moments in which 51% of the computation in the blockchain was controlled by one person. But the thing that nobody talks about is the moments in which the blockchain is worth so much and computing gets so cheap that buying 51% of all the computing in the blockchain also becomes cost effective. 
And you can have localized cheap computing because I once gave a talk to the Oxford Computer Science Club about five years ago and these three frothy undergraduates came up and they were so hyped because there was no charge for electricity in their dorm. And they were never gonna pay for beer again because they were like Bitcoin mining. They couldn't close the windows in December because there was so much heat in their dorm room. And that's how Worcester College burned down. Yeah, exactly. Can we vary the gender of the interlocutors? We've had two dudes in a row. It requires a group effort, right? I'm on board with all of this and I'm like, okay, I'm gonna make some technologies that deal with this. John Deere's engine control unit sounds like a totally hackable thing. I hack it, I extract data from it. I write a great paper with all of these data-driven insights about how y'all can be better farmers because of this data. Then I want to know more about this decade that follows. So what I would hope you would do if you were thinking about doing that is come talk to us at EFF about how to structure your research to litigation hardening, right? To set it out so that the questions that you're asking and the way that you're asking them are as clear to an eventual court as possible about what your intentions are and the legality of it. Having done that, if in the event that you get sued, one of the things that I'm doing is spending a bunch of time going around talking to investor conferences. That's how I started this trip at a conference in Park City, Utah. And I'm going on to two more of those talks on this trip to get them thinking about those market opportunities. Once that lawsuit is in play, I think that you'll see lots of analysts saying, there's, you know, it's one thing to create like subprime vehicles that try to extract the last pennies that the poorest in America have. 
But if you could figure out how to extract the margins from the richest in America then you really have something. And so we start going after those with businesses. Meanwhile, you're going through the courts and you're going through the lower court and the appellate division and so on. But we're also, we will be scurrying around to all the organizations in the world that work with the EFF on issues like this to think about how they can frame this for their own legislative debates. I think the thing that we saw with SOPA and with the net neutrality fight is that while usually in a kind of late capitalist democracy you can handicap who's gonna win any kind of legislative fight over who's spending the most, right? Which industry is spending the most? That when activists are in, it's just a wild card. And so we can get industry, all the firms that want to start those SMEs or those tool vendors to enable the SMEs and activists to work together to start repealing this. But let me just ask, was your question about litigation risk or was it a more theoretical question about the kind of world? How this wouldn't, how this like, because it seems like you have an ideal scenario in which this is gonna unfold. Say I'm also a diverse researcher and I also do a Save As button for Netflix because I'm doing some kind of computer vision project. And then I've created a Save As button for that as well. And what if I lose that and I win my John Deere litigation then like at what point can you say, oh, you know, actually we should overturn the DMCA? It just seems like there's a lot more to do. Oh, well we might be able to overturn the DMCA legislatively, but I'm not counting on that, right? I'm not counting on that because the case can't be made well and not even because I don't think that we might find a plurality of Congress people who are interested in it. But I just don't think Congress makes laws anymore, right? I mean, they can't even make budgets. 
So, like I- But you're looking for a Sony case for the DMCA. That's the gray election that you're taking here. So remember, at the end of Sony, right, the Supreme Court said, unless Congress amends 17 USC, the VCR is legal. And then they were like, hey Congress, do you wanna criminalize America's dominant form of entertainment? And Congress said, no, we wanna get real- Well, in fairness, the starting point of that was judge-made law already, a theory of contributory or vicarious infringement. There wasn't a specific statute that Jack Valenti, if he'd had presence of mind, would have rushed through that said VCRs are illegal, at which point the courts would have been like- Well, he had eight years to try, right? He didn't manage it, right? But he got the DMCA. He did get the DMCA. That's true. And- So do you have a theory yet as to why the DMCA is, is it unconstitutional or some other way? Yeah, I think we just, I think it's, well, I think that there's multiple theories. One is to raise questions of fair use with better defendants. So all the fair use questions about whether or not circumvention for fair use is lawful have not had great clear-cut cases. And then the other one is to look at Bernstein's code-is-speech defense, right? In Bernstein, you know, before 1992, the NSA criminalized the distribution of crypto for civilian use, strong crypto, working crypto. We say strong crypto. We should say working crypto for civilian use. And they claimed that what they were allowing civilians to use was working crypto, but it wasn't. It was, the cipher lengths were too short and it was really easy to break. And they said, no, it's not. All the PhD mathematicians work for us, shut up. And we, like, we tried to demonstrate that they were wrong. We did stuff like John Gilmore built a computer for a quarter million dollars that in under three hours could brute force the entire key space for the cipher that the entire American banking industry was supposed to be reliant on. 
And nobody cared. And we had economists write briefs and technologists write briefs and nobody cared. But John got rich. John, no, John didn't get rich making DES crackers. Yeah. And then we, and then we- He's just mining coins. That's right. No, he's not even mining coins. Then we found DJB, right? Daniel J. Bernstein is still an eminent cryptographer. He was then a grad student at UC Berkeley who was publishing ciphers on Usenet, source code for ciphers on Usenet. And we argued that his code was a form of expressive speech protected by the First Amendment. And the Ninth Circuit upheld us at the lower and the appellate division. And the NSA went away, right? And strong crypto came into existence. We tried it once more, right? We tried it in 2000 and 2003 with Reimerdes, right? With 2600 magazine. And the problem, it was the difference between defending the right of mathematicians to talk about math and defending the right of the hacker quarterly to publish hacks. And from my perspective- To DVDs. To DVDs. From my perspective, they are indistinguishable. But from the perspective of a judge in New York, as opposed to a judge in California in 2000, as opposed to now in 2015, those were easily distinguishable cases. And our judge said that 2600 was not a case about free speech, it was a case about stealing things. And we had our butts handed to us. We have a very different climate now. Every time that we've had a good client since, the other side has run away. But as I said, we have a target-rich environment now. We have a lot more people who depend on the DMCA. And those people don't care if the DMCA is intact, if their use isn't intact. And so we can provoke them. There was a woman back there who- I think we're at time, unfortunately. So we should just thank you for your visit for the provocative title. It was interesting to me that the 10 years turned out to be extremely concrete as to why it was 10 years. I mean, we don't know what this thing was. 
Right, right, but you had a specific tactic in mind that they hadn't anticipated. And that Kill All DRM actually meant 1201. That that, and I've come to an appreciation of your argument that you're really talking about 1201 as a linchpin of a system that I confess, I'm not even yet sure if I agree with it, but that that is really what you're talking about. And that's something that most people, probably if they thought of it at all, have thought of as, oh, that was so 1998 or 2000. It's the original sin of dumb computer law. Actually, CFAA was, but it's the original, it's the other original sin. We have mission patches at EFF now, which I don't know if we're gonna be making them like membership premiums, but they're pretty cool. It's like a rocket ship breaking chains. And it says Apollo 1201 and all DRM in the world. I'm waiting for Apollo 1301. Right. But I hope you'll stick around afterwards to chat with people, but we just owe you a big thank you. And I will, there's copies of my book. Oh yes, and outside. I will make them non-returnable for you if you'd like. Thank you very much. Thank you.