Jeremy Allison, hacker extraordinaire and one of the primary developers of Samba, has written an excellent essay about why DRM can never work. In the essay, Jeremy points out the simple underlying weakness of DRM: you cannot give someone access to the content and keep it protected from that same person at the same time.

I have had numerous discussions with a friend of mine who is not technically inclined about why protection of content is simply not possible. Security through obscurity does not work. Current DRM technologies require the content supplier to ship the decryption key (or the material needed to derive it) along with the content, because the player in the user's hands has to decrypt the content in order to play it. It therefore only takes one skilled hacker and one poor player implementation to get at the decryption key, and once that key is public, all the locks are broken. The high-profile AACS system used by HD-DVD and Blu-Ray has a provision for revoking the keys of compromised players and changing the keys used for new content. However, this is still limited by how often the keys can be changed, and a revocation can never reach discs that have already been sold with the leaked key. Another option could be to encrypt every single disc with a different key and have the user obtain the key online to use the content. However, producing a separate image for every copy of a mass-produced disc is not practical. Even if it were, it would be a nightmare trying to explain to a regular user why they need to be connected to the Internet to view content that they legally obtained. And even if we assume that users are willing to put up with such a solution, it will still only take one person to get access to the decrypted bits and make them available to everyone.
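The revocation limitation described above can be shown with a small model. The code below is an added example written for this post, not anything from the essay or from the AACS specification: it uses a flat scheme in which each disc's media key is wrapped once under every non-revoked device key (real AACS uses a subset-difference broadcast-encryption Media Key Block and a further layer of title keys, which are left out here), a toy XOR stream cipher built from SHA-256 in place of AES, and constructed sample content and device keys. The scenario in `run_scenario` walks through a compromised software player, the licensor revoking it on the next pressing, and why that revocation arrives too late for discs already sold.

```python
import hashlib
import os
from dataclasses import dataclass


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (keystream = SHA-256(key || block index)).

    A stand-in for the AES used by real systems so the model runs with the
    standard library only.  XOR is its own inverse, so the same call both
    encrypts and decrypts.  Not for real use.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Disc:
    mkb: dict        # device_id -> media key wrapped under that device's key
    ciphertext: bytes


class Licensor:
    """Presses discs.  Knows every licensed device key and the revocation list."""

    def __init__(self, device_keys: dict):
        self.device_keys = dict(device_keys)
        self.revoked = set()

    def revoke(self, device_id: str) -> None:
        self.revoked.add(device_id)

    def press_disc(self, content: bytes) -> Disc:
        # Simplified MKB (assumption of this model, not the real AACS layout):
        # one wrapped copy of the media key per non-revoked device.
        media_key = os.urandom(32)
        mkb = {dev: toy_cipher(key, media_key)
               for dev, key in self.device_keys.items()
               if dev not in self.revoked}
        return Disc(mkb, toy_cipher(media_key, content))


def unwrap_media_key(device_id: str, device_key: bytes, disc: Disc):
    """What any player must be able to do: recover the media key for the disc.
    Returns None when the device has been left out of this disc's MKB."""
    if device_id not in disc.mkb:
        return None
    return toy_cipher(device_key, disc.mkb[device_id])


def play(device_id: str, device_key: bytes, disc: Disc):
    """A licensed player: unwrap the media key, then decrypt the content."""
    media_key = unwrap_media_key(device_id, device_key, disc)
    return None if media_key is None else toy_cipher(media_key, disc.ciphertext)


def run_scenario() -> dict:
    """Compromise, revocation, and why revocation arrives too late."""
    movie = b"constructed sample content: the feature presentation"
    devices = {"player-A": os.urandom(32), "player-B": os.urandom(32),
               "player-C": os.urandom(32)}          # constructed device keys
    licensor = Licensor(devices)
    results = {}

    disc1 = licensor.press_disc(movie)
    results["licensed_playback"] = play("player-A", devices["player-A"], disc1) == movie

    # The attacker pulls player-B's device key out of a poorly protected software
    # player.  With it, the media key for disc1 falls out of the MKB, and that
    # media key decrypts the disc with no device key at all, so publishing it
    # opens disc1 for everyone.
    leaked_media_key = unwrap_media_key("player-B", devices["player-B"], disc1)
    results["leaked_key_decrypts_without_device"] = (
        toy_cipher(leaked_media_key, disc1.ciphertext) == movie)

    # The licensor learns of the leak and revokes player-B on the next pressing.
    licensor.revoke("player-B")
    disc2 = licensor.press_disc(movie)
    results["revoked_device_blocked_on_new_disc"] = (
        play("player-B", devices["player-B"], disc2) is None)
    results["revoked_device_still_plays_old_disc"] = (
        play("player-B", devices["player-B"], disc1) == movie)

    # Revocation cannot reach discs already sold: the leaked media key is still
    # good for disc1, and one more compromised player repeats the cycle on disc2.
    results["old_disc_still_open"] = toy_cipher(leaked_media_key, disc1.ciphertext) == movie
    results["next_compromise_opens_new_disc"] = (
        play("player-C", devices["player-C"], disc2) == movie)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes is structural rather than a weakness of any particular cipher: the player must be able to reach the media key, so whoever controls the player can reach it too, and revocation only changes what future discs contain.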

Why is DRM different from something like secure online banking? A security mechanism used over the Internet relies on a session key known only to the provider (the bank) and the user, whereas DRM relies on a key that is handed to every player of the content it is meant to protect. What Jeremy doesn't point out in his essay is that even if it were possible to have a unique key known only to the content provider and the content consumer, the security would still only hold because the consumer has an incentive to keep things private. Surely, no one has any reason to reveal their own bank account details to the world. However, there are enough people in the world who have an incentive to make the latest HD movie available for free for the rest of the world to consume.

How can the content providers avoid losing business because of piracy? The simple answer is, they can't. They have to accept the fact that technology has changed and the rules of the physical world do not apply to the digital world. You cannot replicate a desk and give it away for free, but you can replicate digital data very easily at minimal cost. Once you accept that reality, you have to fit it into your business model and treat piracy as just another cost of doing business. Not every person is dishonest and going to obtain content for free. You have to give people an incentive to pay for content, such as free tickets to the theatre or a poster that comes with the physical disc. As people have pointed out endlessly in the past, DRM only hurts the honest person who lacks the technical skills to figure out how to use their legally obtained content in whatever way they see fit. The pirate will always find a way to get content for free, DRM or not.

Update: As hAckz0r points out in the comments, DRM makes breaking it even more rewarding for the pirate. In the cracker/pirate community, what wins you brownie points is the ability to subvert the system. If there is no DRM, there is very little incentive for the pirate to make the content available freely.