Content protection was never an easy problem. Contemporary computing platforms mostly enable their users to exercise a high level of control over their devices. Open systems do that purposely, allowing a privileged user (by the Operating System) to have full visibility and control over the internals of the Operating System and the underlying hardware (the “platform”, essentially). Other Operating Systems do not allow a privileged user complete access, but often cannot prevent it either. Two factors make it occasionally possible for the savvy user to gain more control over the platform than intended by the Operating System:

• the Operating System may contain vulnerabilities that can be exploited for privilege escalation, and

• the hardware often does not deploy measures against alteration of the Operating System, nor against its exploitation.

Content protection applications suffer from users obtaining elevated access to their platforms because content protection is all about restricting the availability of content (such as video files or streams) to the user who owns the device on which the content is consumed. There is just no way to process (e.g., display) a video stream on a device that the user has full control over, without having the user capable of making a copy. Accordingly, all content protection systems are based on somehow restricting the control the user has on her device.

So if platforms are effectively open already, what difference does the open Android Operating System bring in?

The difference is that with Android, the user has supervisory access without having to break anything to get it. An iPhone user who wishes to run his own code on the device, needs to go through the process of “jail-breaking” it. This can be done, but may fail, may require efforts to allow full exploitation, and might trigger revocation or remedial actions of the device upon the next update. Hacks are usually possible, but given the updating and renewing nature of such Operating Systems, the hack is always temporary. Since the hack goes against the interest of the Operating System provider, it can never be done in a way that guarantees longevity, e.g., throughout new releases, or fixes of the Operating System. If devices are broken today — they (or new ones) may not be broken tomorrow; maybe the day after, or the month after.

Content owners, and the providers of content protection solutions, are for years used to such break-fix loops, ever since the early days of analog pay-TV. It is not a game they like, but it is a game they know how to play and retain their business models throughout. An Operating System that is open by design, i.e., one for which “totally hacked” is the legal constant state, rather than an illegal fixable situation, is harder to cope with.

A solution is not easy to come by. There is probably no way to protect against a user reading data on a platform she has complete control over. The only approach, now as before, is by somehow restricting the control the user has of her device. The same solution that is effective on occasionally-broken closed systems, if indeed effective, will apply to open systems, such as Android, as well.

The main question to ask now is how can we on one hand keep a platform open, and on the other hand protect content on it, realizing that protecting content from the owning user requires violation of the openness property. One approach is by splitting the system into two: defining a closed sub-system within the open one, as long the following conditions are met:

• Keeping (only) that sub-system closed, on the otherwise open platform, is enough for the concealment of the content during its entire lifetime.

• For most users, the expected level of openness of the platform is retained, at least enough so they keep adopting it rather than shift to alternatives.

Experiments with hardware-based secure content path sub-systems are underway. If the resulting work succeeds in meeting the above criteria, then that could solve both issues with open platforms as Android, as well as issues with closed platforms when these are broken. If it cannot achieve this goal — a protected closed sub-system that protects content autonomously, and that is not rejected by the relevant user community — then the content owners’ dilemma with Android is likely to remain.

Edited to add: This applies now (March 29th, 2011) more than before, thanks to Sony Ericsson’s Xperia joining the list of devices on which the savvy user can exercise full control.