Breaking Microsoft's e-Book Code
An anonymous programmer has found a way to decrypt Microsoft Reader e-books, spurring digital-rights debate.
It’s easy to load a small library of electronic books into your laptop or handheld organizer and take it on the bus or to the beach. But try to make backup copies of those e-books or loan one to a friend, and you’ll run smack into the digital equivalent of an electrified fence. The problem is that once a literary work has been liberated from the printed page, it’s potentially vulnerable to unlimited digital piracy, a danger that makes most e-book publishers insist on strict software controls to prevent anyone but the purchaser from opening an e-book file.
Competing “digital rights management” systems offered by companies such as Adobe Systems, Microsoft, Reciprocal and ContentGuard allow publishers to outfit e-books and other forms of electronic content with customized usage rules. The companies naturally strive to make these systems as hacker-proof as possible. But this summer Technology Review learned of a home-brewed decryption program that defeats the most advanced antipiracy features built into Microsoft Reader, a leading e-book program downloaded by over a million people since its debut in August 2000.
The decryption program lets purchasers of “owner-exclusive” Reader titles (Microsoft’s most protected e-books) convert the titles to unencrypted files viewable on any Web browser. The program’s creator, a U.S. cryptography expert who asked not to be identified, says he wanted to circumvent the “two-persona” limit, a rule built into Reader at the behest of publishers that allows purchasers to read each e-book on no more than two devices. (In October Microsoft announced it would increase that limit to four devices, as part of a software upgrade planned before the cracking episode.)
Though the decryption program works on any Windows PC, the programmer hasn’t released it, saying he developed it for his personal use. But the program’s existence, together with decryption efforts directed against e-book formats from other companies, such as Adobe, illustrates the vulnerabilities in digital rights management schemes. It also promises to fuel the ongoing debate over the 1998 Digital Millennium Copyright Act, under which it is legal in certain circumstances to use (but, paradoxically, not to make or distribute) software that circumvents technological copyright protections.
Microsoft controls access to copyright-protected e-books through Reader, a free program that can be installed on any Windows laptop or PC. When you purchase a Reader e-book from a retailer such as Amazon.com, special server software equips your title with one of three levels of copy protection, as specified by the publisher. E-books with owner-exclusive protection, the level used for premium titles such as current bestsellers, are encrypted during download using a unique mathematical key contained in your copy of the Reader software. You obtain this key by “activating” your copy of Reader, which requires you to register for a Microsoft Passport account and supply Microsoft with an e-mail address and other identifying information. Until October, only two copies of Reader could be activated under the same Passport account (now four copies can be activated), and access to owner-exclusive e-books is limited to the devices on which those copies of the software are installed.
Such rules irritate many e-book readers, who feel that once they’ve purchased a book, they should be able to read it wherever they want. “I like to read e-books at my desk, when I’m traveling, lying on the sofa and when I’m eating lunch. I use different computers for these things, so I need more than two activations,” said Roger Sperberg, publishing consultant and columnist for the industry site eBookWeb.org, in August. Some also complain that Microsoft’s limitation makes it difficult to recover e-books after a hardware upgrade, which can invalidate the activation key. The anonymous programmer says he wrote his decryption software partly to sidestep such practical problems, and partly so he could extract the text of his e-books for display on additional devices such as the REB1100, a reading device manufactured by RCA.
The programmer’s software works by recovering a series of well-hidden encryption keys specific to each activated copy of Reader and to each owner-exclusive e-book. It essentially reverses the process publishers follow when they assemble source files such as text and images into an e-book. The software dumps unprotected copies of these files into a new folder on the user’s computer, as the programmer demonstrated to Technology Review using an owner-exclusive e-book purchased from an online bookstore.
Approached for comment, Jeff Ramos, director of worldwide marketing for Microsoft’s “eMerging Technologies” group, said, “We do not comment on alleged security violations of our software. In general, if necessary in response to such incidents, we take appropriate measures.”
So far, programmers intent on exposing e-book security weaknesses haven’t been deterred, even by the possibility of legal action. Indeed, the publicity surrounding the prosecution of Dmitry Sklyarov, a Russian cryptographer who wrote similar software that strips copy protection from Adobe e-book files, has only added to widespread criticism of digital rights management technologies and the laws designed to bolster them. FBI agents arrested Sklyarov at a July hacker convention in Las Vegas after a tip-off from Adobe that Sklyarov’s employer, ElcomSoft, had been selling the protection-removing software from its Web site. The arrest, the first criminal case brought under the Digital Millennium Copyright Act, spurred a boycott against Adobe products and protests against the company in more than 20 cities around the world. (Adobe quickly withdrew its support for the prosecution, and Sklyarov was released from custody in August. The U.S. Department of Justice continues to pursue the case.)
One issue in the Adobe debate is a conflict in the copyright act. An exemption to the legislation makes it legal to circumvent technological protections when an e-book is malfunctioning, damaged or obsolete. Civil-liberties groups such as the Electronic Frontier Foundation say such exemptions are necessary to protect traditional rights of “fair use” of copyrighted materials. But the act outlaws the manufacture, distribution or sale of software or devices that would allow consumers to exploit the exemption, a provision supported by publishers. “There is no device that can currently distinguish between a fair use and an illegal use of a copyrighted work,” explains Allan Adler, vice president for legal and government affairs at the Association of American Publishers.
But unless publishers give readers the leeway to use e-books the way they use print books, say critics, few will buy into the technology. EBookWeb’s Sperberg applauds Microsoft’s decision to raise the activation limit, and says getting rid of the “crazy catch-22” in the copyright law would be another good step. The fact that Microsoft has joined Adobe as a victim of e-book decryption efforts, he says, should make it clear that “digital rights management doesn’t make things harder for the professional pirate or the black-market publisher; it makes things harder for me, the reader.” Until software firms and publishers figure out how to protect e-books without treating all readers like thieves, the summer of beach-blanket e-books may never materialize.