I was reading the WSJ this morning and came across an op-ed piece entitled “Congress Must Make Clear Copyright Laws to Protect Consumers” written by Walter S. Mossberg. I enjoyed the article and especially liked his fair use comparison between print and video (you can reprint a small section of a publication in another without permission, yet you can’t post a short clip of the “Daily Show” on YouTube). The one issue I had with his article was referring to Apple’s FairPlay as a “DRM system for music that has worked” (it’s not the DRM, but rather the void in the marketplace that made Apple successful).
While I would love for Congress to fix our copyright laws, I regard the notion as fantasy. They don’t appear capable of fixing any complicated issue and tend to muddy the waters making any situation worse off than when they began. Secondly, the media industry will either collapse under the weight of their archaic business model or realize the impossibility of DRM and move in another direction. Either of which nullifies the issue.
DRM is impossible due to the fact that it falls under the BORA (break once run anywhere) principle. This principle is understood thoroughly by those of us in the security industry. When analyzing a threat, if it’s determined that an entity could be compromised once and then be exploited globally, you are faced with two choices: restrict access to the entity by limiting and hardening access points or decrease the exploitability of the entity once compromised.
Many industries have fought BORA, which is akin to fighting gravity. I can think of three this morning, namely the software, credit card, and media industries. It’s infuriating to think of all the revenue lost and the exorbitant externalities bore by an unassuming public all because these industries couldn’t understand simple logic. This is especially true when the solution requires only a trivial leap of faith.
The credit card industry is by far the clearest example of an industry that came to terms with the BORA principle. Quite frankly, they delayed the success of ecommerce by about 5 years. I’ll even go so far as to say that we would not have had a dotcom bubble if not for their foolishness.
In 1992, credit card fraud was at its peak (15.7 cents per $100 charged) due to fraudsters becoming more advanced. The internet allowed people with similar interests who would have never came into contact in the physical world to find one another digitally. Fraudsters were able to share information and increase the sophistication of scams long before e-commerce was a reality.
Faced with a bleak economic picture, the credit card industry became paralyzed by fear as they imagined credit card numbers floating unprotected through cyber space. For 6 years their agenda was to spread fear in the hopes consumers (and brick and mortar retailers) wouldn’t embrace ecommerce until they created a process by which credit card numbers couldn’t be stolen online.
Their fear clouded their ability to approach the problem logically. If a credit card can easily be cloned by your waiter at a restaurant, then why protect the same card during an online transaction? Or better yet, why protect individual transactions while every brick and mortar retailer has a record of each credit card used for purchases? As a criminal you target the warehouse, the delivery truck, the retailer, but never a single customer.
The history of ecommerce between 1992 through 1997 is fairly interesting and comical. The failure to realize what seems obvious today is not the fault of a single company. There were over 30 dotcom companies that were created during this period, all vying to be the payment processor for not only the web, but literally the future. In 1994, Visa and MasterCard turned to Microsoft and Netscape, respectively, for solutions. As any company would, these tech giants devised schemes that benefited them rather than serve the needs of their clients.
Fortunately for Visa and MasterCard, CNP (card not present) transactions were already allowed for mail order catalog purchases. Despite their fear campaign and merchant agreements that left stores 100% liable for fraud, companies like Amazon accepted the increased risk and allowed the credit card industry to ultimately be successful. By 1998, Visa’s sales volume had tripled which cut fraud as a percentage nearly in half.
Credit cards went from being used for credit to being used for convenience (what they were originally designed for in the 1950’s when the banking system was fractured). This was a massive shift in the financial industry. Comparing one’s own experiences in the checkout line at a grocery store in 1992 and 2002 tells the story. It went from checks and cash to plastic. Even the stigma of credit cards is completely different today. College students can’t survive without credit cards, a far cry from when they were counseled not to have one.
With this shift, credit card companies began focusing on preventing fraudulent transactions. By using two sets of data, one for CNP and the other for in-store transactions, they were able to prevent cards that were cloned from being used on the web, and card numbers stolen on the web from being used in person. The other advent was address verification, which among other things allowed retailers (who are liable for fraud) to prevent highly liquid assets from being shipped to any address other than where the statements are delivered.
They then began to promote ecommerce as if they never said anything bad about it in the first place. Consumers were given zero fraud guarantees which created a perception of little to no risk. It wasn’t long before traditional brick and mortar retailers rushed to the web, displacing overnight dotcom sensations which lacked feasible business models. Finally in 2003, we were at point that could have been accomplished in 1998.
There are many parallels between what the credit card industry went through and where the media industry finds itself today. Instead of focusing on preventing the Fair Use of their content, they should instead deliver it through open mediums creating additional revenue streams while increasing the popularity of their product. Piracy can be handily defeated, not through the legal system but rather through a firm understanding of the economics of the environment.
Today, credit card companies are at the peak of their success. In 2004, the fraud rate for credit cards dropped to an all time low of 4.7 cents per $100, while setting records for volume and profits. I know for a fact the same thing can be accomplished in the media industry because I’ve studied it. All it will take is a trivial leap of faith.
-Eric Marvets