50 shades of DRM

“We had to encrypt EPUB in order to save it”

In presentations, published research and a range of consulting projects, I’ve consistently encouraged the use of EPUB as an open format for digital books. I believe in an open standard, so I have supported EPUB even though some high percentage (70%? 90%?) of the eBooks sold in the United States are read on a platform (Kindle) that uses a proprietary format.

In blog posts, I’ve also encouraged publishers to re-think their stance on the use of digital rights management (DRM) schemes. The current DRM patchwork is used largely to create platform lock-in for Amazon, Apple, Barnes & Noble and others. As it limits utility, DRM also may have had the perverse effect of depressing price.

I have even been cautiously optimistic (with an underscore on “cautiously”) as several Macmillan imprints announced plans to stop using DRM on their titles.

This (brief) history gives me a perspective on the plan proposed by the International Digital Publishers Forum (IDPF) to develop (or lease) its own version of DRM, which it calls “Lightweight Content Protection”. The association published a position paper on May 18 and is soliciting comments through June 8.

Here's my comment: Don't do this. Here's why:

  • DRM does not stop piracy. Even if the technology used is advanced enough to discourage the casual reader, it takes only one sophisticated user to crack and post a file on a sharing web site.
  • While DRM discourages peer-to-peer file sharing (in the physical book world, we call that "lending"), I'd argue that it does the job so well it is suppressing price, something the IDPF could study before hitching its wagon to another eBook DRM.

Moreover, the use-case document, written by Bill Rosenblatt on behalf of IDPF, claims that a "key objective in providing 'some level of protection' is to take advantage of anticircumvention law, which is enacted in many countries including signatories to the Anti-Counterfeiting Trade Agreement (ACTA)." It goes on to note:

"Anticircumvention law makes it a criminal offense to circumvent an 'effective technical protection measure.' The law does a poor job of defining this term.  While courts have refused to set a bar for 'effectiveness' such that any technology below the bar is not entitled to protection under the law, there is some evidence to suggest that a technology that is particularly ineffective could face such a challenge… If a technology is protected under anticircumvention law, then it’s illegal to distribute or use cracking tools for that technology.  To be very clear on this point: we expect that a lightweight DRM (in reality, any DRM) will be cracked, and we are relying on anticircumvention law for some level of crack protection."

Translated: We have to make the roadblocks noticeable enough to convince a court of law to sanction a reader for having broken them.

For the moment, put aside the practical question of who will fund this legal crusade. Just try to imagine media coverage of the first trial of someone busted for breaking book DRM.

Worse, the IDPF proposal isn't even an antidote to platform lock-in. The use-case overview later adds that:

"... there is no recommendation to remove or deprecate the extensibility in the EPUB format that enables a multiplicity of proprietary heavyweight DRM mechanisms to be provided by vendors. That 'ship has sailed' and there are applications where heavyweight DRM may be required."

Translated: Amazon, Apple and other vendors with proprietary DRM schemes get to keep them in place. The IDPF will add their own DRM, call it open and hope that publishers specify it.

I get the idea that reflowable EPUB files are a credible cross-platform alternative to PDF. I also get that some current (STM, corporate) PDF use-cases rely on various forms of DRM.

But it's not the lack of DRM that keeps document owners (some of whom are publishers) from using EPUB files. They could encrypt them now. It's a function of workflow and in some cases a misplaced desire to control the look and feel of the final result.

If the IDPF wants to do something to help grow the use of EPUB, it could start by studying the impact of DRM on competition and price. The results might give the organization better arguments for maintaining an open standard throughout the digital book industry.

But adding another flavor of DRM to an already crowded field? That ship has sailed. If you want to compete with Amazon, try being (and remaining) open.

A bit of disclosure: I've worked on a consulting assignment and co-presented on a panel with Bill Rosenblatt. While our views differ on some of these topics, he is well-known for his experience with rights technologies.


Posted by Blue Tyson
May 30, 2012  at  07:17 AM

DRM does its job so well it doesn’t just suppress price, it suppresses sales.

Posted by Brian O'Leary
May 30, 2012  at  08:48 AM

That’s also worth studying. The strongest argument for DRM-free formats may be growth in the size of the pie.

Posted by Raphael
May 30, 2012  at  10:03 AM

DRM does not work, is expensive to maintain and cheats the customer. DRM has to go.

Music industry got there, so I am confident book publishers will get there, too—by sheer market pressure.

If you doubt or are afraid, go talk to the guys of dito.se (ebook platform of one of the biggest book chains in Sweden). They sell their books DRM-free and watermarked all over the world. No platform lock-in, no customer cheating, no “Not available in your country” bogus, and still they can catch (stupid) pirates. Go talk to the guys on smashwords.com who sell indie books, all DRM-free. Go talk to the guys from baenebooks.com who sell their ebooks DRM-free. And go talk to Tor, a major US publisher, who have announced that they will get rid of DRM. They all live.

Posted by bowerbird
May 30, 2012  at  11:31 AM

the i.d.p.f. has always had one mission—
to stall e-books for as long as possible,
to prop up the old p-book business-model.

it’s as if we had the r.i.a.a. controlling
development of the digital music revolution.

the only way out is to stop supporting .epub.


Posted by Eric Hellman
May 30, 2012  at  12:05 PM

Do you have any ideas for how to avoid eliminate DRM in the library market (as applied to bestsellers)? Or has that boat sailed, too?

Posted by Brian O'Leary
May 30, 2012  at  03:10 PM

@bowerbird ... You know, I’m not much for conspiracies, but that’s a pretty good one :)

@eric.. I like what Ann Arbor Public Library is doing with just giving patrons the files, under a set of publishing arrangements that publishers can opt into. We have a chapter in the final section of “Futurist’s Manifesto”, which should be out soon. I’ll post about it when it is accessible.

Posted by bowerbird
May 30, 2012  at  04:05 PM

brian said:
>  conspiracies

oh, please, don’t get me wrong…

most of the time, these guys
couldn’t collude their way
out of a wet paper bag…

(i mean, face it, if you have to
send your co-conspirators e-mail
instructing them to double-delete
all the e-mails, you _will_ fail.)

the thing is, all they have to do
in the current case is sow chaos,
and any group of fools can do that.
it takes no smarts or coordination.

all you have to do is keep introducing
more and more wrinkles without removing
any of the older ones, and… bingo!

take a good hard look at their actions,
at any point in time along the line,
and see if you don’t observe “wrinkles”.

a head-fake doesn’t have to take your
opponent completely out of the play…
it can still work even if it’s merely
a momentary and fleeting distraction…

now take a good hard look at your actions,
brian, and see if you do not observe that
you have been distracted _a_lot_, even if
each time it was momentary and fleeting…

you’re a smart guy, who’s spending his time
railing against a stupidity.  whatupwitdat?


Posted by Brian O'Leary
May 30, 2012  at  04:12 PM

Best question of my day, bar none! Thanks. I will give it a lot of thought :)

Posted by Bill McCoy
May 30, 2012  at  04:56 PM


How is it that publishers “could encrypt [EPUB files] now”, without spending the $10K on proprietary DRM servers (that you have pointed out elsewhere doesn’t make much sense for them to do) or having to write custom reading SW (which would cost even more)?  Unlike PDF there is no standard encryption algorithm defined for EPUB (a framework yes but not the details that would make it interoperable, other than for the very limited special case of font obfuscation). That is one of the things a solution as outlined would address.

Posted by Brian F. O'Leary
May 30, 2012  at  08:04 PM

I think you’re so committed to DRM that you miss the obvious answer: no DRM. Try that first and measure the results first. That’s my point.

With respect to STM and corporate uses, I argue that they can bear the development and implementation cost. If they want to salt their food without tasting it, so be it. But associations should try to be more even-handed.

I absolutely understand that many publishers insist on DRM. They also accept .azw as a de facto standard. Neither is a well-advised position. I don’t agree that creating a new closed format is the answer.

Posted by Bill McCoy
May 30, 2012  at  09:21 PM


IDPF has tried no standard DRM for EPUB for its entire history to date. The result to date is a little bit of DRM free content - more of late, but I’d be surprised if it’s even 2% of eBook sales - but mainly an increasing number of fragmented silos of proprietary DRM schemes for EPUB. Regardless of whether we think publishers are taking well-advised stances (and BISG’s promised some research on this), the vast majority of publishers are requiring DRM. That’s the factual situation, and as an organization IDPF has to deal with that: even-handedly, as you say. And even O’Reilly et al. are requiring DRM with library lending.

As far as STM and corporate publishers, if you are arguing that EPUB can have encryption for these use cases, but that a different organization should do it besides the one responsible for EPUB I don’t understand your logic. These folks are IDPF members too (recent new members include, just for example, Cisco and the United States GAO). IDPF doesn’t stand for North American Trade eBook Forum!

Posted by Raphael
May 31, 2012  at  03:55 AM

As for libraries: to my knowledge, nothing about lended paper books prevents me from copying them. On the contrary, my teachers may expect me to copy relevant parts! There simply is some license I agree to by lending that says I am not allowed to copy and sell whole books. Were I to do that (and caught), I would be charged.

I can get student Windows licenses the same way: I sign that I won’t give the license away and then I get it, for free, without restrictions. They would charge me were my key to end up where it is not supposed to be.

So why can ebooks not work in the perfectly same way? Surely publishers can survive some private, small-scale sharing—not everybody buys the paper book, either, they are shared among people (completely legally). The same act is made illegal and as hard as possible with ebooks. Why?

Publishers are protecting their turf in an unhealthy manner; they have been trying to solve a problem they had not yet observed. As I said, music industry caught the wind of change: trusting your customers and catch those who betray that trust performs better than suspecting and restricting everybody.

As for the position of IDPF: well, you are screwed if you don’t want to lose touch with the publishers (which you probably can’t afford to). I agree that *one* DRM implementation beats fifteen, but maybe the money would be better spent on offering the publishers other solutions, such as reliable watermarking.

It might also help to remind them that there is more market than the US. I won’t buy DRMed books, and that stance is more widespread here in Germany than in the US (one of the reasons why ebooks have yet to take off seriously here). Every time I see a “not in your country” message I swear at the publisher and become a little less inclined to support them.

Publishers have to realise that their markets have irrevocably become global (that was even true for paper books, but you could pretend the opposite more easily by long distribution chains). They can own that market, or watch while cracked files are shared in the majority of the world where people cannot afford expensive DRMed ebooks or licensed reading hardware.

Posted by Eric Hellman
May 31, 2012  at  08:15 AM

This post raises a bunch of questions which I look forward to exploring in my copious spare time.

What is it about DRM that we object to?

Is it the concept of a software-defined product that is objectionable?

Is a license-defined product such as a pay-per-copy non-DRM ebook not objectionable if it carries exactly the same legal restrictions as a software-defined DRM-monitored ebook?

Is there any difference in relying on anti-circumvention law to enforce product definitions from using legal license restrictions from enforcing product definitions?

Or is the entire concept of defining products with restrictions on copying or sharing a bankrupt one in the digital age? If so, then we need to jettison pay-per-copy along with DRM. Just sayin’.

Posted by Brian O'Leary
May 31, 2012  at  08:30 AM

In writing about STM and corporate markets, my post said:

“But it’s not the lack of DRM that keeps document owners (some of whom are publishers) from using EPUB files. They could encrypt them now. It’s a function of workflow and in some cases a misplaced desire to control the look and feel of the final result.”

The DRM proposal argued that these markets needed DRM to move ahead with a reflowable format. I made the counter-argument that there are larger impediments (workflow and a commitment to format that emulates print) than the absence of a standard DRM.

Even though we have arguments on the table that DRM doesn’t stop piracy, may result in lower prices and may reduce sales, the development of a “standard” DRM sophisticated enough to go to court over is a priority because “that’s what publishers want”. I’d rather we start by asking what readers want - that might be a stronger path toward greater sales.

Posted by John Erickson
May 31, 2012  at  08:50 AM

In my DRM-related experience—dating back to the early 1990s—most stakeholders have continually lost the forest for the trees. In their concern or sometimes fetish for technical protection they have ignored or dismissed the value of (a) unambiguously identifying content and (b) linking that identity to rights metadata.

There have been numerous opportunities over the past two decades to capitalize on emerging Web standards to create a robust, sustainable rights ecosystem, but attention has been diverted and money has been wasted in the unsustainable pursuit of perfect technical protection. Stakeholders’ silver would be invested to much greater effect in supporting efforts to build infrastructure and community around highly efficient rights exchange.

Initiatives such as Creative Commons that employed light-weight techniques for rights notification coupled with uniform rights expression have shown how simple can be effective; readers who have been around a while will see the connection between CC’s methods and the “permissions headers” of Henry Perritt, ca 1993.

More recent efforts such as the Linked Content Coalition <http://bit.ly/JP7L7j> are promising and seem to have the right mix of stakeholders and right-thinkers, but even sensible models such as LCC will fail without investment upstream, especially rightsholders spending money to create high-quality metadata published at Linked Data <http://linkeddata.org>.

We need to be building a rights data infrastructure that facilitates discovery, and discourse, not a security infrastructure that shuts off conversation before it begins…

Posted by John Erickson
May 31, 2012  at  08:55 AM

In my previous post I meant, “More recent efforts such as the Linked Content Coalition are promising and seem to have the right mix of stakeholders and right-thinkers, but even sensible models such as LCC will fail without investment upstream, especially rightsholders spending money to create high-quality metadata published as Linked Data.”

Mistake was the word “at” vs the correct “as…”

Posted by Kevin Franco
May 31, 2012  at  09:09 AM

When we built our distribution system it was clear that publishers wanted some level of protection. We came up with Packaged Digital Rights Messaging (PackaDRM) as a way to give readers more versatility with the file while offering the publisher some level of comfort on the security of the file. The messaging we include is a full page at the beginning and end of the book that reminds the reader of their contractual obligations (in a nice way) that also includes their personal information. While this may not be the answer to all issues regarding DRM (we don’t promote it as such), we believe it’s the best approach for social DRM and it has been well received by both publishers and other distributors. It also works on both epub and mobi files. From what I could see, the IDPF seeks an epub only solution. I am still very interested in seeing what comes of their RFP, perhaps there will be some surprise innovations.

Posted by Bill McCoy
May 31, 2012  at  11:07 AM


“nothing about lended paper books prevents me from copying them” is true, but it costs significant time and possibly money. That’s at least a “speed bump” against piracy. If digital content is loaned it’s almost universally DRM-protected, whether it’s libraries loaning DVDs, games, and SW programs or music subscription services like Spotify. The exception is physical CD lending but the music business put itself in that situation by making its digital format DRM-free, and print publishers aren’t exactly looking at the music industry as the ideal pattern to follow. And again even historically anti-DRM folks like O’Reilly aren’t asking that libraries go DRM-free.

As far as there being more market than U.S. that’s a key point for IDPF as we are global. In the developing world there’s different cultural norms. I was in Brasil earlier this month and was told that no publisher will go DRM free, “why” being illustrated by the following anecdote: a Paulista is in Geneva during an election and sees people going into a polling place, signing their name, then going to the voting booth, with no check of ID or anything. He asks the election monitor what’s to stop someone from voting at several different places and is told “It’s not allowed!”. This doesn’t sound very funny but it’s a laugh line there - the point is just saying something “is not allowed” and expecting it not to happen is itself a sign of a “Northern” bias. Brasilian publishers know for sure that they can’t *prevent* piracy but feel that a “speed bump” to help keep more-or-less honest people honest is an absolute requirement. Who are we to say they can’t have it?

Posted by Brian O'Leary
May 31, 2012  at  11:17 AM

There’s a difference between saying someone “can’t have it” and making it for them. Assumptions that publishers and others make about piracy, DRM and paid content are untested, not facts. You can call that reality, but it is still a set of assumptions and gut reactions. IDPF can lead, or it can follow. Here, it is following.

The IDPF proposal asked for comments, but you’re responding only to those that are critical of the idea. That’s not even-handed. As well, you’re free to invoke libraries, but you might want to look at emerging models in places like Ann Arbor, where publishers and the local public library are moving past DRM to create fixed-term contracts with unrestricted downloads. Alternatives are being tested there and elsewhere.

Posted by Brian O'Leary
May 31, 2012  at  11:21 AM

@John Erickson - thanks for the additional background; I will look at the Coalition link.

Posted by Bill McCoy
May 31, 2012  at  11:56 AM


First of all my responses on your blog are personal, unofficial, and in the context of a public discussion. We haven’t responded to any official comments from members and other industry stakeholders yet. After the comment period an official IDPF response, approved by the IDPF Board, will be forthcoming. I’m sure it will encompass all comments received, pro and con.

Anyway, I think you misunderstood my earlier point. There are features that a subset of IDPF members care about. Manga, for example, is critical in some regions, less so in others. Dictionaries and indexes are of critical interest to some publishers, not so to others. Metadata approaches differ significantly between trade book, professional, magazine, and journal publishing. IDPF’s mission is to serve all of our members and we’ve agreed that to advance EPUB appropriately as a universal global standard to meet the collective needs for digital publications based on the Open Web we need to do so in a modular manner. That means creating optional capabilities that can be used by communities of interest without impinging on those who don’t care about particular uses. Dictionaries is an example of a currently active WG of specialized interest.  So my point was only that even if all publishers in U.S. and Europe were ready to abandon DRM today that does not mean that IDPF shouldn’t work on it. I.e. if a particular set of IDPF members need something in EPUB, “making it for them” (which generally means providing a context where that can happen in a member-driven WG) is IDPF’s core responsibility.

Posted by bowerbird
May 31, 2012  at  04:51 PM

brian, you’re biting for the head-fake again.

you and i and everyone who thinks about it
knows no d.r.m. can ever stop this scenario:

screenshot, o.c.r., turn the page, until done.

automate that process (i suggest that you
could use a computer for that), and bingo!

so d.r.m. will never work, and they know it.
still, it _does_ do what they intend it to do,
which is to bamboozle us into distraction…

but only if we _allow_ it to…


so i’ll say it once again, brian, but i must add
that i am getting kind of tired of repeating it…

there is something more important that you
_could_ be doing with your time and energy,
something involving the _future_, rather than
trying to educate the dinosaurs from the past.

it would be really neat if you did that instead.

i don’t know what _your_ “something” is, but
if you focus your attention, you’ll figure it out.


Posted by Peter Turner
Jun 01, 2012  at  12:14 PM

Great conversation! I’ll throw one other thought into the mix. While there’s no doubt *readers* would benefit from a DRM-free world, the folks that stand a chance of diminishing the value of their assets are authors and publishers. (Not consultants and wise guys like me.) The argument that file sharing and/or piracy would not hurt book sales is a proposition that can’t be truly tested. (Unless you know of any parallel universes I’ve overlooked.)

I say this, however, with the strong feeling and belief that DRM is silly and that dumping it would most likely not hurt anyone’s revenue—as well as having the added advantage of removing the leverage now given over to locked-in eBook platforms.

But I don’t have a horse in this race, I’m sitting in the stands.

Posted by Brian O'Leary
Jun 01, 2012  at  12:50 PM

Thanks, Peter. I think my perspective on the IDPF proposal is fully covered, above.

In my comments, I’m not arguing that file sharing and piracy don’t hurt book sales. I claim that we don’t know the answer, and that trying to better understand the impact of DRM on paid book sales is worth the effort, particularly before undertaking an effort to create a new DRM strand.

We can establish the impact. I’ve structured a limited study of the instance and impact of piracy, and I think it illustrates a potential methodology. Testing the impact of DRM is even more manageable (A/B samples, etc.)

I appreciate the distinction between authors, publishers and consultants. While I think we risk dismissing what might be a valid point of view because someone doesn’t have what might be seen as skin in the game, I don’t need to win you over on that. So, credentials:

Magellan invested about $20,000 in the piracy research in advance of royalties (from an O’Reilly research paper) that total $500 to date. That project taught me that piracy can be measured, if you are willing to do the work. I didn’t come out of that research claiming “Magellan is right”, only that we need broader data to determine the answer. Almost all of my piracy writing comes back to that idea.

I am also an author of four research papers, all for sale; two pay royalties. A fifth paper, also for sale, will be published by BISG next month. Finally, I am a co-editor with Hugh McGuire of “Book: A Futurist’s Manifesto”, which was released both as a free web book and paid download. I think of myself as an author as much as I do a consultant, these days.

Posted by Peter Turner
Jun 01, 2012  at  01:11 PM

Brian, my apologies, I wasn’t intending to specifically direct my comments at you at all. I should have been more explicit. Part of the point I was trying to make, to those who are sometimes a bit cavalier about the potential impact of going DRM-free, is that there is, potentially at least, something at risk.

I do understand and appreciate the value of A/B testing, I’m not as clear how such tests can demonstrate the pros and cons of DRM with the same product and the same market. But, I freely admit that you know more about this than I do.

Posted by Brian O'Leary
Jun 01, 2012  at  01:47 PM

No apologies; I absolutely agree that it’s easy enough to be offhand or cavalier in recommending that someone else do something. That’s why I favor data first.
