We at Public Knowledge along with many others in the public interest community have always said that content owners have abused DRM to harm consumers. So when the FTC announced its decision to hold a hearing on the issue, we expected that at least some consumer protection measures would finally emerge. Our expectations might have been too high, because towards the end of the hearing it seemed like the agency might not do much in this area. The hearing was held in Seattle, went from 8:30 in the morning till about 5 in the evening, and the FTC heard from a number of experts about both the benefit and the harm from DRM, as well as what could be done to address the harm. A consensus seemed to emerge that a notice of DRM to consumers would be a way to address some consumer harm. Before I talk about how a notice might solve these concerns, let me discuss what was said about the benefit or harm from DRM.
True to form, content owner representatives extolled the virtues of DRM arguing that it actually increases consumer access to content. How? By protecting content, DRM encourages owners to make more content available. In addition, it permits business models such as online rentals and subscriptions to flourish.
Of course, it fell upon consumer interest representatives to point out the many harms DRM has caused to consumers: inability to make back up copies, inability to excerpt from movies or songs to create their own content, devices that do not work with each other, harm to the security of devices, inability to access content if authentication servers go down, …. the list goes on. So what could the FTC do to address these harms?
Several speakers, including me, suggested that providing notice of DRM to the consumers before purchase would be one way to reduce some of these harms. The idea is that a notice would allow consumers to make informed choices about products they purchase and lead them to reject unfair DRM. For example, think of how nutritional labels influence what food products you buy.
So what harm would a notice system address? That would depend on what’s in the notice. Many suggested that notice should at least inform the consumers of security vulnerabilities that DRM might expose their devices to. Mattew Schruers, Senior Counsel for Litigation and Legislative Affairs at the Computer and Communications Industry Association (CCIA) and I recommended the most detailed form of notice including requirements that the notice inform consumers of the presence of DRM, that their devices might not operate with other devices, and that certain limitations may be placed on their use. Schruers went further and recommended that the notice should inform consumers about their rights under the law.
Assuming a notice would be this extensive (there was a lot of push back on this from content owner representatives who questioned the need for a notice in the first place), would it address all consumer concerns? I think not. For example, if DRM exposes a user’s computer to security vulnerabilities like, Sony’s Rootkit did, notice would be insufficient to solve the problem.
Also where DRM prevents effective competition among devices by creating lock-in (lock-in may occur when a devices’ ability to interact with complementary devices is artificially crippled using DRM), the presence of notice does nothing to help the consumer. For example, where Lexmark used DRM to ensure that only its toners worked with its printers, notice would merely ensure that consumers knew to purchase only Lexmark toners for their Lexmark printers. It would not help promote competition in the after market for toners.
So for all its beneficial effects, a notice regime alone would not help consumers or competition. Yet it would be an important step in reducing the harmful effects of DRM first, by preventing consumers from buying products that would be harmful or useless and second by preventing companies from employing harmful DRM in the first place. After all, what company, would acknowledge that because of DRM its product is not safe or useful for the consumer to purchase? Thus, while the FTC should institute an effective notice regime, as an agency charged with protecting consumers and preserving competition, it should also do more to contain the harmful effects of DRM.
We need a system in place to punish those who deploy harmful DRM on consumer devices. In the Sony Rootkit case, the FTC entered into a settlement with Sony requiring it to pay up to $150 to each consumer to help repair damage to her computer. It also required the company to provide consumers with reasonable means to uninstall the DRM. While, the decision was good in providing relief to consumers, it did not prevent other companies from deploying similarly harmful DRM on their products. In order to protect consumers effectively, the FTC should use its rulemaking authority to institute rules for dealing with those who install harmful software in the name of protecting content.
In cases of lock-in the FTC should investigate whether such practices harm competition and if necessary institute a policy of treating them as unfair trade practices.
Mary K. Engle, Acting Deputy Director of the Bureau of Consumer Protection at the FTC opened the hearing by explaining that the FTC understands that consumers are affected by DRM and need to be educated and informed about its use. On the last panel of the day, we heard from FTC staff who answered questions from the audience. The staff seemed unsure about how the FTC would proceed now that they had had this hearing. In fact, Engle explained that although the FTC has rulemaking authority, the agency did not exercise that authority unless Congress told them to. This left me wondering what the purpose of holding the hearing was. After hearing about consumer harm caused by DRM for a whole day, the agency should realize that it has both the power and the obligation to act. If the agency does not act on its own accord, let us also hope that Congress prevails upon the FTC to act.