Last year when I was traveling in Europe, I used Skype — and their SkypeOut feature — to keep in touch with home. At the time, SkypeOut was free when used to place calls to North America, so it was a perfect fit. Other than that one experiment, though, I tend to stick to my cell phone; I’m normally calling a set list of people, and my cell plan gives me more than enough minutes to handle the calls I need to make. I think maybe I’m glad, now.
It seems that recently Skype was caught using a Windows DRM framework that attempted to directly access the BIOS of the Windows machine it was running on — and they were caught because the 64-bit versions of Windows don’t allow this functionality.
Since that time, Skype’s Chief Security Officer has posted a wishy-washy explanation of why they’d included the DRM framework in Skype, and tried to downplay the privacy violation angle.
Now, I’m not one of these folks who thinks that DRM as a concept is inherently evil. There’s a time and a place for it, such as helping to protect confidential or sensitive data (think patient information in healthcare, or other data that falls under legally manadated protection regimes). There’s a place for DRM products such as the Windows Rights Management Server. I do, however, think that in many cases, the people who design and inmplement DRM schemes are guilty of poor thinking. No DRM scheme is going to be fool-proof; people are just too damn clever at finding ways around restrictions if they really want to.
The key for a DRM system, then, is to make a reasonable enough effort to protect the data so that it takes deliberate intent to circumvent the protection. It’s yet another application of the 90/10 rule — you’ll spend 90% of your work to address 10% of the threat. Someone who is sufficiently determined will break any DRM/copy-protection scheme, so at some point you need to draw a line and say, “This is sufficient to keep accidental exposures from happening.” It’s the equivalent of locks on a car door; you’re helping keep honest people honest. Any determined thief will simply break the window and jack your ride. Well, in any DRM scheme, there’s a way to break the window and jack the ride. The trick is to make it so that you can show that the person had to take sufficient steps to do so that you can demonstrate an intent to violate the DRM.
Tying this back to Skype, I think their mistake was in tying the DRM into the framework of the application, rather than embedding it in the specific plug-ins that require it. From what I’ve seen, the most effective DRM implementations are those that tie the protection to the data being protected. Put the protection in the wrong place, and you get into the hot water Skype is finding themselves in. All it takes is one moment to destroy your users’ trust, and in this industry, that’s often a killer blow. I know I’m far less likely to use Skype in the near future.
