foobar on computers, software and the rest of the world

Bruce Schneier on vendor lock-in

Posted: 9-Feb-2008 08:25

Bruce Schneier, the famed security researcher, has commented on the dangers of vendor lock-in strategies in this article. The title is a bit misleading, since it mentions the iPhone. But in the article itself the iPhone is just one example. He addresses vendor lock-in in general. I have commented on vendor lock-in before on several occasions.

From his article:
"With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base. It should be no surprise that this sounds like pretty much every experience you've had with IT companies: Once the industry discovered lock-in, everyone started figuring out how to get as much of it as they can."
Almost all proprietary software vendors are guilty of this, with Apple and Microsoft being the true 'champions' of this practice.

Schneier comments on how DRM is marketed as a 'security feature', but that instead it is just used to give vendors control over us:
"Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it's copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren't what we normally think of as security: They don't protect us from some outside threat, they protect the companies from us."
The last sentence is what's really important: Every time you knowingly purchase a DRM-infected product, or a DRM-supporting operating system, you are willingly trading away part of your freedom, for pretty much nothing in return. DRM is there to protect vendor bottom lines, not your security or your free will.
"... I talked [in the past] about the security-versus-privacy debate, and how it's actually a debate about liberty versus control. Here we see the same dynamic, but in a commercial setting. By confusing control and security, companies are able to force control measures that work against our interests by convincing us they are doing it for our own safety."
DRM is bad for you and me, any way you turn it or look at it. But there is a way out: Free, open source software (FOSS) cannot implement DRM that can't be trivially circumvented. Imagine: If Linux suddenly came with DRM built in, someone would fork the project overnight and remove all those features. In the open source world, DRM would be nothing more than a bug, which would quickly be fixed (removed). With proprietary, closed source software you never know what you are going to get, and you certainly cannot 'fix' the problem by removing any DRM-related components. It's closed. You have no control.

The operating systems of our computers, and the systems that maintain our personal data, should not be closed source for exactly that reason: You lose control over what happens with your data and what you can do on your own computer. Computers have become too important in our lives to give up our control over them just like that.

I don't have an iPhone, since I can make phone calls just fine with my $40 pre-paid mobile. I don't have an iPod, because there are plenty of non-DRM encumbered mp3 players out there, which work just as well. I don't run Windows, because Linux satisfies all my computing and application needs. As a result, I can keep more of my money and my freedom.


Comment by tonyhughes, on 9-Feb-2008 11:49

Good article.

I have an iPod, with no DRM encumbered music on it...

Comment by freitasm, on 9-Feb-2008 12:43

Interesting but I don't agree with "Almost all proprietary software vendors are guilty of this, with Apple and Microsoft being the true 'champions' of this practice." when in context with the quote "With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base"

I see both Microsoft and Apple creating innovative software, with new versions always bringing more functionality. Windows Home Server? Apple Time Machine? Windows Media Center? Apple Frontrow?

What about research in user interfaces? I met a few people from Redmond and had sessions on how user interfaces are designed from their point of view - with research data collected from users, designers creating and testing new metaphors, even feature usage data collected (with user approval) being used to determine which features are used most, etc.

That's why Office 2007 doesn't have those long menus we used to see in Office 2003 and before.

As for customer service, a couple of times I contacted Microsoft to have problems fixed and the service was excellent, with one occasion even having some of their technicians using LogMeIn (note, not their remote desktop tool!) to connect to one of my machines.

On another occasion I wrote about a problem in my blog, and a day later someone from their server team contacted me to see if the problem was solved - even though I had not created a ticket or contacted their support!

Author's note by foobar, on 9-Feb-2008 12:55

@freitasm: I think the 'innovation' we see from Microsoft and Apple takes place for three reasons: Remaining competition (somewhat), engaging new markets and fanning the desire or perceived need in the already locked-in user base to upgrade (spend more money). Without added niceties and functionalities, there wouldn't be a reason for anyone to upgrade.

Media Center was released to ensure that no other platform would capture significant share in a new and developing market. But what is actually so innovative about it? Apple's Time Machine is a very nice tool, and is an example of two of those motivations: Give users a reason to upgrade, and compete against Microsoft by offering something nice that you might not get on Windows, thus enticing users to switch.

Innovation is a good thing, even though it may happen out of the above mentioned motives. However, take the story of IE as an example: After taking care of Netscape, Microsoft essentially stopped working on it, until Firefox had emerged as a viable alternative and they started to lose market share. There was no alternative, no competition and thus no reason to continue to innovate.

I think the biggest concern is that after lock-in has happened, the vendor will do only what's necessary to maximise profits. And because of lock-in the 'necessary' level is much more easily reached. Ongoing changes are mostly of cosmetic nature (Office 2007 menus, for example) and are aimed to entice upgrades.

Comment by freitasm, on 9-Feb-2008 12:59

I think people should read this then:

"if it were up to Torvalds, beauty and intuition would take a backseat to functionality. But when you look at distributions like Ubuntu or OpenSuse, it looks like no one is paying attention. 'An OS should never have been something that people (in general) really care about: it should be completely invisible and nobody should give a flying [expletive] about it except the technical people.' Sure, that statement makes some sense, but in the grand scheme of things, it's the design and usability factor that makes the operating system much easier to use. And while both Mac OS X and Windows have their issues, for the average person, it makes more sense to use those than Linux."

There you go...

Author's note by foobar, on 9-Feb-2008 13:11

@freitasm: Oh dear, looks like the CNET people forgot the fact that Linux is an OS, not a Windows manager. I think if they want to talk about usability and pretty design and such, they should talk about Gnome or KDE or whatnot, not about Linux. Linus' points are completely valid: The kernel should not have anything to do with the user interface. Tying the two together guarantees a ton of problems (as demonstrated very 'well' by Windows).

I think people should read the comments section of the link you posted. ;)

There you go...

Comment by BarneyC, on 9-Feb-2008 13:49

Oh dear. Another cracking example of where the conflation of DRM and LockIn just serves to help the incumbents in maintaining their poorly implemented models. To label DRM as evil or bad, based on the lack of “fair use” by the recording industry demonstrates a poor understanding of rights, be they digital or otherwise.

DRM is a good thing. It actually does nothing more than lay down a contractual agreement that is both human and machine readable (and therefore machine enforceable) as to how a work of art should or should not be used.

As a keen photographer and frequent poster to Flickr I want to be assured that my photos are used in only the way in which I intended. I don’t want a large corporate using a photo of my kids to promote their products or business – at least not without i) my express permission, ii) some assurance of privacy for my kids and iii) a monetary consideration where appropriate. That as the artist is my right, I own the works.

DRM merely sets out to enforce those rights. So for Flickr and me this is handled under the Creative Commons license.

The rights therefore need to be afforded to say the recording industry that “owns” the rights to or distributes an artist’s music. They have a right to recompense if they so wish along with a right to dictate by whom and how that music can be used.

So when you buy a CD you purchase a license that allows you the individual to listen to the music personally (what personally means is a whole different argument), but not to publicly perform or claim the works in any way as your own. Fair stuff most reasonable people would agree.

The problem is that technology has afforded users the ability to easily break that license and redistribute those works without any party compensating the company or artist.

And this is where DRM comes into play. DRM is there to enforce those rights preventing uncompensated distribution. BUT (and it’s a big but) in my opinion the current implementations of DRM are too restrictive on the reasonable user. If I purchase a license for music I believe I should have the right to use it in a personal environment upon any device I choose; so I should be able to copy it to my home media server, my phone, my pc or iPod as I choose.

Current DRM often restricts this “fair use” to a single or limited group of devices. This is NOT LockIn in the product sense, rather Lock Down in the capability sense.

There are plenty of good examples of where DRM is implemented in sensible ways, such as in a recent Aboriginal heritage archive project detailed by the BBC.

As a further note, the notion that Free Open Source Software is the antithesis to DRM is a flawed argument. Open Source software is created and distributed under a license, GPL, Apache etc… DRM again is not about enforcing payment, it is about enforcing rights – something which the Open Source community is all too good at doing when works are redistributed without due consideration of said license.


Author's note by foobar, on 9-Feb-2008 14:18

@BarneyC: Actually, I wasn't labeling anything based on anything related to the recording industry. Not quite sure where that came from?

The FOSS movement decided to use copyright law to ensure freedom of the GPL (or otherwise) licensed software. This has nothing to do with DRM.

DRM is a (flawed) technology, not a set of rights. The problem is that DRM is technically impossible to implement on a free system, and therefore the creators of DRM systems need to threaten legal action against anyone even looking at how it works. This leads to the famous argument that because DRM (as a technology) is so fundamentally flawed it can only be enforced with the help of laws and surveillance techniques which are those of a police state. Since as a free society we should reject such methods under all circumstances, DRM by default is unethical.

This in itself has nothing to do with how you as an artist feel your works should be handled or distributed. I completely understand that you would like to have some control over how this is done. Just like you, I would also not want anyone to use any picture of me or my family without my consent.

However, DRM (as a technology) is not going to give you that control. Only the illusion of control. So far every DRM system has been quickly broken, which is no surprise since DRM on a free system is technically impossible. Therefore, DRM serves as nothing more than keeping the honest honest. But for everyone, DRM technology is terribly inconvenient at best and incredibly intrusive and rights limiting at worst, which due to its deeply flawed nature requires radical, invasive and thus unacceptable laws as a backup.

Comment by BarneyC, on 9-Feb-2008 20:25

@foobar: In all fairness I will admit that you did not level anything at the recording industry per se, however if one was to take DRM as a concept its most prevalent and abhorrent implementation has been in the use of trying to control the distribution of digital media – the recording industry being the most common example. Therefore please see my use of the recording industry as merely a representative of the usage.

DRM is not a technology, it is a philosophy of being able to enforce copyright law and licensing terms through machine readable and therefore actionable contracts. It may have a technical implementation and I suspect it is with particular implementations that you and many others (including myself in several cases) take issue.

This is in essence no different to the manual process that the FOSS movement employs when chasing down license miscreants – and it always has been most vociferous in its efforts to name, shame and where at all possible litigate license infringements. Just to be certain though the FOSS movement is NOT free, this is a terrible misnomer – it is at no financial cost to purchase. Be very sure there is a real cost in financial and attention terms in adhering to any license.

Therefore to state that DRM is a flawed technology that is technically impossible on a free system is factually incorrect. It is eminently possible to create a rights management system, digital or otherwise, on an open source system. What is not possible to do without ramifications, and fairly so, is to reverse engineer the IP that sits behind a proprietary and non-open source technical implementation of DRM – this is a company's “art” and as you say “[you] would also not want anyone to use any picture of [you] or [your] family without [your] consent.” Ergo you actually agree with their rights to pursue those who breach their copyright – as does the Open Source movement as a whole.


Now as to whether or not current technical implementations of DRM are intrusive and flawed I would wholeheartedly agree with you. They suck. They suck because the processes of “fair use” are actually quite hard to define in a digital rights agreement and therefore the current exponents of DRM have taken a very heavy handed approach to the whole issue.

Can this be solved – most definitely. Creative Commons and indeed Privacy Commons are two of the founding “technologies” I believe will have a huge impact upon how DRM is implemented in the future. When combined with Digital Identity, in particular User Centric Identity, through which the User can clearly define those places in which they and they alone are using the works then I believe mainstream DRM will become acceptable.


As a thought to ponder upon. Ignore the digital part of DRM and just look at the rights management. After all rights management is merely about being able to control who has access and for what purpose to your stuff. You manage your car keys, only lending them to people you trust would not then in turn lend them to someone else. Is that such an abhorrent concept to 99.99999999% of the population, I suspect not.


Author's note by foobar, on 12-Feb-2008 06:47

@BarneyC: I think this is where we differ in our understanding of DRM. While you see it as a philosophy related to the enforcement of contractual agreements, I see it clearly as a technology only. That's why the word 'digital' is part of the name. I believe that it refers to the means of implementation, and thus the whole thing relates to a technology. Here's the definition from Wikipedia: "Digital rights management (DRM) is an umbrella term that refers to access control technologies used by publishers and copyright holders to limit usage of digital media or devices." So, I don't think I'm alone with my interpretation.

With DRM being a technology (rather than a philosophy or legal process), it is therefore fundamentally different from the manual process the FOSS community employs when "chasing down license miscreants".

You say that the FOSS movement is not free, and that there is always a cost associated with adhering to any license. But here, I think, you make the fundamental mistake of equating the 'Free' in FOSS with 'no cost', rather than with 'free as in freedom'. FOSS is not about no cost or even low cost. From the very beginning, the FOSS movement was quite clear that everyone should have the right to charge for their software (and related services) as much as they wish. The only thing that the 'free' here refers to is the freedom of the code and the freedom of the user. The code must not be limited, and it must always be accessible to anyone, and modifiable and distributable. And to ensure this freedom, the FOSS movement decided to use a currently existing legal construct - the copyright.

Richard Stallman doesn't like copyright, but saw that it was "... impractical in the short term to eliminate current copyright law and the wrongs he perceived it perpetuating, he decided to work within the framework of existing law." (also from Wikipedia).

You say: Therefore to state that DRM is a flawed technology that is technically impossible on a free system is factually incorrect. It is eminently possible to create a rights management system, digital or otherwise, on an open source system.

While you can implement on a free system whatever you want, the same freedom that this free system provides will ensure that someone will come along and remove any DRM component from the free system. This will happen because DRM technology provides zero benefit to the user of these systems. Thus, these users have no interest in voluntarily running such a component. Consequently, it will be removed. So, yeah, it can be implemented, but it will not survive. Again, I think you believe it to be factually incorrect because you see the FOSS movement itself as practicing DRM, which I believe is caused by a fundamental misunderstanding on your part about the nature and reason for the FOSS movement and the definition of 'free' as far as FOSS is concerned.

In the end you say that creative and private commons are technologies, which I would already disagree with. Secondly, you compare the right of the publisher to control the access with how you would handle your car keys. Yet, this comparison is flawed. Firstly, car keys are physical objects not pieces of information. Bits. Restricting distribution of physical objects is easy. Just don't give it to someone. Restricting distribution of bits, however, is only possible with a massive effort in legal and technical terms, both being intrusive and downright oppressive. Basically - if I may quote Stallman here - the methods of a 'police state' are needed to restrict the distribution of information. Thus, this is already unethical.

Secondly, you correctly mentioned DRM's heavy handed approach to fair use. Let's say we were able to define fair use correctly, though. In the past, I could buy information completely anonymously. I can still buy a newspaper, for example. I hand over a few coins and I get a newspaper in return. No need for 'Digital Identity' or 'User Centric Identity'. What a nightmare! Am I only supposed to get information if I identify myself? Do you realise how incredibly intrusive this is?

So, I guess I can try to summarise my points:

 * DRM is a technology, not a philosophy or contractual issue.
 * DRM is designed to take rights away from users.
 * DRM can be implemented on any system, but will be quickly removed if done so on a free system.
 * The FOSS movement is about "free as in freedom, not free as in free beer". Copyright is used to ensure the continued freedom of the code, and to prevent people from restricting other users' freedom.
 * Digital information is fundamentally different than physical objects, thus any attempt to limit its distribution is always going to be unreasonably heavy handed.

foobar's profile

New Zealand

  • Who I am: Software developer and consultant.
  • What I do: System level programming, Linux/Unix. C, C++, Java, Python, and a long time ago even Assembler.
  • What I like: I'm a big fan of free and open source software. I'm Windows-free, running Ubuntu on my laptop. To a somewhat lesser degree, I also follow the SaaS industry.
  • Where I have been: Here and there, all over the place.
