7 November 02005

More usability nightmares with DRM

Leaving aside the moral, legal or economic arguments about Digital Rights Management (DRM), how does it affect usability and the user experience?

Last week a new form of DRM used by Sony BMG CDs came to light — though it has apparently been in use since March [source] — which installs a 'rootkit' on Windows-based computers. A rootkit hides software both from the user and from security or virus-protection software (hence its existence going undetected by users for months). The software, which controls what you can and can't do with the music files on the CD, is correspondingly difficult to remove. Here's an article that gives an overview of the case, and here's the original discovery.

Sony BMG have a mini web-site on their content protection systems. Let's see what this and other sources can tell us about how the DRM measures match up to four usability criteria.

1. Simplicity/minimum user effort. Have a look at the how to use this disk page. The first thing you notice is just how long it is. Then there are the restrictive details such as "you must use the software provided on this disc to copy the tracks to your computer" (my emphasis), not "your normal media player" — and "on some CDs" some extra little routines involving searching your BIN and WIN32 files.

Let's imagine a user whose normal media player is iTunes and compare her experience when performing an identical task using a CD which doesn't have DRM. She would: insert the CD; see iTunes launch and recognises the CD; click 'import'; and she's done. Literally one click. (And if she has an iPod, simply connecting it to the computer will update it with the tracks on the CD.) That's what the Sony BMG CDs are competing with in the market.

2. Consistency. The comparison above shows how users' expectations — that the same task, copying music files from a CD onto a computer, should follow consistent steps for different CDs — will be confounded. Sony BMG's DRM is related to Sony's proprietary format (ATRAC) and hardware. That means other record labels that choose to follow Sony BMG's example in using DRM will use different approaches, which may operate in different ways, with varying degrees of 'visibility' to users. Hence, if Sony's example became common, users might have to go through one of four or five different sets of steps to achieve the same task, depending on a consideration (what label the CD is on) that most of them neither know nor care about.

The situation is further complicated by the fact that the Sony BMG rootkit is Windows-specific, so Mac OS or Linux computers will behave differently — see the equipment compatibility FAQs. Apparently, although Macs are not listed in the minimum system requirements, "this disc will behave like a traditional CD in a Mac". However, the inference from other parts of the documentation that this "traditional behaviour" does not extend as far as being able to transfer tracks from your Mac to an iPod. On this point, Sony says, "If you believe that you should be able to easily move tracks from your protected CD to your iPod then we encourage you to… contact Apple directly and tell them so."

This is where the different competitors in digital music are trying to use their elbows: none of the DRM systems is fully open (almost by definition); some are more open than others, but only for tactical reasons so that they can achieve pre-eminence in the market and then exploit the benefits of path dependence (as, say, Microsoft did when their .doc format became the standard for exchanging word processing documents, notwithstanding its drawbacks). The Big Picture has some caustic comments on DRM suppliers pointing the figure at Apple and seeking to promote alternative formats, including the allegation that the primary purpose of the DRM is not in fact to make the CDs immune to piracy, but "is designed to put pressure on Apple to open the iPod to other music services, rather than making it dependent on the iTunes Music Store for downloads".

3. Minimise needs for documentation and support. A key indicator of the usability of a system is how many pages it needs to explain how to do straightforward tasks. Users want to be able to do what they want to do without having to refer to extensive guidance. Just skim the Sony BMG FAQs to see how many multi-step tasks there are included. Several of these require particular versions of software (e.g. Internet Explorer rather than alternative browsers) and/or ask you to contact Sony for further details of how to proceed. Not only is this costing Sony BMG's customers extra time and hassle; it's costing the company directly as well.

4. Ability to undo. Ability to undo steps in a task is a key usability criterion (see, for example, Jakob Nielsen's heuristics for user interface design). If users don't like Sony BMG's rootkit, however, they will find it a struggle to get rid of it. This article quotes a security expert saying of the Sony BMG CDs that a license agreement is displayed, "and then it will seem [to] install a song player software". However, what's really happening is a rootkit is being planted in the system and "there's no direct way to uninstall it".

Usability is one way of differentiating a product in the market, and is particularly important for consumer digital media. It remains to be seen whether the 'unique' usability characteristics of the new Sony BMG CDs (only available in North America so far) will take off in a market where there is both pressure on CD sales and rapidly rising use of CD tracks on computers…

More generally, the rootkit seems to mark a further step in escalating mistrust between record labels and consumers. When they started using it, Sony BMG were not open about the fact that their CDs contained this rootkit. The fact that the rootkit hides the software 'inside' it raises further suspicions. And in the face of a tactic that suggests Sony BMG do not trust their customers, it's hardly surprising that a reciprocal backlash has emerged. Technical commentators suggested the rootkit could be used by others to hide virus software (according to this article one security firm initially held back from mentioning the rootkit in public to minimise the risk of copycat viruses), leading the DRM suppliers to release a patch to antivirus companies that will eliminate the copy-protection software's ability to hide (see this article).

When I wrote about DRM and usability last year, I concluded "the ideal, most usable DRM should be invisible to users". The rootkit approach wasn't the kind of invisibility I had in mind!

Update, 11 November 02005: This BBC article describes some developments since I wrote the above, including the prospect of lawsuits against Sony BMG.

Update, 12 November 02005: According to this article, Sony BMG "stands by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP [rootkit] technology."

Update, 13 November 02005: Even the US Government seems to have drawn a line on what counts as too much protection, provoked by the rootkit example, giving a terse but clear message at a Chamber of Commerce event, "It's very important to remember that it's your intellectual property — it's not your computer" [source].

Update, 14 November 02005: Not just government, but now Microsoft has come out against the Sony BMG rootkit strategy, saying it "plans to update Windows AntiSpyware and the Malicious Software Removal Tool as well as the online scanner on Windows Live Safety Center to detect and remove the Sony BMG software" according to this article. There's a priceless comment in response Microsoft's blog announcing this development, which says, "Good job! Thanks for sticking up for the little guys!" Yeah, right — like they always do. With friends like the Bush administration and Microsoft, who needs enemies?

Update, 21 November 02005: last week Sony BMG recalled the 2.1 million CDs with the 'rootkit' DRM, according to this Wired article.

Posted by David Jennings in section(s) Human-Computer Interaction on 7 November 02005 | TrackBack
Post a comment

Remember personal info?