
·
Registered
Joined
·
933 Posts
Discussion Starter · #1 ·
I was trying to explain how wonderful Apple's digital rights management compromise was to a skeptical music lover when I began to realize that I must not have gotten it quite right. I started to do some digging and was surprised by what I found because a) Apple is not at all forthcoming about exactly how the scheme works and b) the more I learned, the more my friend's suspicions seemed to be borne out.

Did you know that:

1) You must have an internet connection to authorize or deauthorize a computer? Each computer that needs to be authorized must be able to connect to the net. Nowhere in the TILs that I found was this noted. The reason?:

2) Apple stores unique machine identifying information on a central server in order to maintain a record of which computers you've authorized. I had (the erroneous) impression that the downloaded file somehow had a watermark embedded in it that allowed you to access it but, of course, this wouldn't allow for changing authorized machines after purchasing music.

3) The identifying info used seems to be the MAC address on your ethernet card (i.e. it appears possible to authorize a bunch of machines from behind a router or Airport base station). This coupled with,

4) Apple's insistence that machine authorization is entirely the responsibility of the user (if you sell a machine and fail to deauthorize it, Apple says you're out of luck) and that,

5) Apple's license agreement stipulates that they can discontinue or alter their service at any time leaves a number of unanswered questions.

What happens if your machine gets fubared and requires a mobo replacement? No deauthorization possible.

What happens if your machine gets stolen? No deauthorization possible.

What happens if your router gets fried? No deauthorization possible.

What happens if Apple decides to get out of the music business or alter the service (think about the whole .Mac debacle)? You may end up in a situation where you will not be able to authorize any new machines to legally transfer music to.

Yes of course you can get around much of this by converting to AIFFs and burning discs of every track you buy but, especially if you end up buying a lot of music it's a big kludge IMHO. Not only that but running an AAC => AIFF => mp3/AAC loop may result in poorer quality audio in the end product.

The thing that bothers me the most about all this, however, is exactly how careful Apple has been to not reveal this information publicly. Having centralized DRM, storing unique machine identifiers, necessitating calls to the mothership for users to make changes. This sounds an awful lot more like an M$ solution to me than an Apple one.

... sigh ... there I've said it. Flame away.

P.S. we'll leave the debate about audio quality of 128k AAC files to another day.
 

·
Canadian By Choice
Joined
·
5,141 Posts
Compared with DRM on Windows (or using SD cards), Fairplay is a relative breeze. The limitations are significant and I think there should be a way to de-authorize without the machine with relevant documentation (i.e. police or insurance report of theft). Even if the victim has to pay for the privilege. As for Apple getting out of the authorization business, it's a real issue given the flux of media change.

Apple should be more forthright but it's counting on ignorance, just like the rest of the business.

I don't worry too much about the compression issue. It depends on how you use the music. On an iPod, 128 kbps AAC is pretty darn good, although mine's encoded at 192 kbps AAC because I've got plenty of space.
 

·
Registered
Joined
·
2,198 Posts
I've thought about the concerns you've expressed about Fairplay[1], and after thinking about it for a bit, I'm not sure how Apple could have done things differently without seriously crippling Fairplay itself.

I can't think of a way, for example, to allow users to authorize and deauthorize computers without connecting to the internet. An offline scheme would probably be far easier to circumvent or far more cumbersome than the current online scheme. Plus, we are talking about an internet music service, so assuming computers are connected to the internet is probably a safe assumption.

I'd also imagine that the files are uniquely encrypted for each iTMS account (done on-demand, of course) so if Alice and Bob download the same song, then Alice won't be able to play Bob's songs and vice versa. If this were the case, then each time Bob authorized a machine, that machine would receive the necessary information on how to decrypt Bob's files and play them properly, and deauthorizing that computer would remove that information.

If your machine gets stolen or your motherboard dies then that is a problem, but I'd imagine Apple will probably set up some system which will alleviate these concerns. I can't see how you'll be out of luck if your router dies, though.

All this said, if you are truly concerned about losing the music you've purchased you can create backup copies on CD. That way, should something happen to your machine or to the service, you'll have a backup copy that is unencumbered, and you'll still be able to enjoy the music you've purchased.

[1] Is Fairplay the name for Apple's DRM scheme?
 

·
Canadian By Choice
Joined
·
5,141 Posts
Yes, it's called Fairplay and it was devised by Veridisc. The actual AAC file is apparently not encrypted on the fly for every authorized client. Instead, there appears to be some indexing which is an integral part of AAC such that machine identity can be embedded or not. People are trying to reverse engineer the DRM (of course) (e.g. see here), but it is unlikely to be straightforward.

I think mcni was referring to the router MAC address being the info that the encoder embeds if you download through a router attached to a cable or DSL modem (depending on the authentication method used by your ISP). I don't understand the process though. I thought you authenticated a machine, not a download address.
 

·
Registered
Joined
·
933 Posts
Discussion Starter · #5 ·
This is part of the problem, Apple is just not forthcoming about how this works. I had to wade through hundreds of forum posts to put together my initial post. My conclusions about the use of the MAC address came after reading a post where one user authorized a computer using a direct connection (auth. count = 1) followed by another using an Airport base station (auth. count = 2) followed by another machine connecting through the same base station (auth. count remained at 2). (He did not try to deauthorize one of the machines on the base station and then check whether the other one still worked which would have been a useful experiment.)

The info out there is very, very sketchy and that is down to Apple in my books.

JFP, yes you can back up your AACs on disk but that does not change anything w.r.t. authorized computers. If you lose one you lose one. I haven't yet seen any account of someone having to deal with a fried mobo or router but there have been hassles with people who've needed to redownload files etc. (which Apple also refuses to support). Given Apple's carefully studied refusal to acknowledge certain problems with h/w and s/w in the past (go to virtually any of their discussion forums and look for a thread with >50 posts for an e.g.) I have my doubts that Apple will be quick to "probably set up some system which will alleviate these concerns".

Of course you can de-rip your files to AIFFs but I already commented on that kludge.

My main concerns are the continued interest of Apple in the music business (required to maintain the integrity/utility of the system) and privacy concerns inherent in the current scheme. Given the latter point I feel that, at the very least, Apple should be completely up front about what they're doing. I was disappointed that I had to dig as hard as I did in order to try to understand what Fairplay was all about.

In addition, the "worst case scenarios" I outlined above should (and likely have) been anticipated by Apple. They should address these issues in TILs and offer possible solutions (but again that speaks to their reluctance to detail how the system works at all).
 