For reference, the Virtual Trust paper Richard cites is here.
In One for Ken Belva, Richard writes:
I refrained from pointing a finger at Ken’s Apple DRM example after Steve Jobs posted his Thoughts on Music, where DRM won’t apply to Apple music (thereby depriving Ken of one of his case studies and questioning his logic).
Actually Steve Jobs agrees with me when he writes in his Thoughts on Music:
Since Apple does not own or control any music itself, it must license the rights to distribute music from others, primarily the “big four” music companies: Universal, Sony BMG, Warner and EMI. These four companies control the distribution of over 70% of the world’s music. When Apple approached these companies to license their music to distribute legally over the Internet, they were extremely cautious and required Apple to protect their music from being illegally copied. The solution was to create a DRM system, which envelopes each song purchased from the iTunes store in special and secret software so that it cannot be played on unauthorized devices.
That was the purpose of DRM: to create trust, virtual trust. That was the point of my example. Jobs’ letter was dated February 6, 2007. Our paper was dated July 4, 2006, 7 months before Jobs’ public letter. In our paper we write:
Apple’s iTunes employed Digital Rights Management (DRM) technologies to create a new product and, hence, a new revenue stream. Over 1 billion songs have been downloaded from iTunes [1]. In the case of iTunes, DRM works by restricting the number of CPUs on which the .mp3 will play. The songs are also stored in a proprietary, encrypted format. These two factors, at minimum, erect a prohibitive barrier and thereby reduce the likelihood that an end user will trade songs.2 The various security mechanisms used by Apple’s iTunes DRM created the Virtual Trust necessary to persuade the music industry that their rights will be protected digitally and be profitable. (emphasis added, page 22)
By Jobs’ own admission, iTunes could not have come into being without DRM and the trust it created. Now it’s true that Steve Jobs calls for DRM-free music. But the iTunes structure is already in place, and Jobs must believe that people will still buy from iTunes. Here the arguments turn murky: Did DRM change customer behavior to the point where people will now purchase instead of using P2P, as with Napster in the old days? Will the higher price for non-DRM music cover the loss from fraud? All of this remains to be seen. What is the new structure of virtual trust, using only watermarks embedded in the .mp3?
As for the PCI compliance retail example, you cite:
Robert Fort, director of IT at Virgin Entertainment Group Inc. in Los Angeles… contended that meeting the requirements doesn’t boost a retailer’s bottom line. “There’s no direct return on investment,” he said. “It will not help us sell CDs.”
This may be true, but it does not contradict the paper. PCI requirements are ways of strengthening existing processes and data handling; they do not really cover the creation of new cash flow via authentication and other security mechanisms. In the paper we focus on authentication mechanisms that help to create business processes. The authentication mechanisms are virtual guarantors of trust, which thereby help to create a process for data/cash flow. If Fort were asked whether or not the consumer’s credit card should be authenticated at the point of sale, I think he would say yes. Authentication allows credit cards to be used as tokens of payment. Ask Fort if he would like to go back to accepting cash only: highly unlikely. It’s the strengthening of controls, not the accepting of valid/authenticated credit card data, to which Fort is opposed.
In the same article, Kriczky states:
“It’s the customer we have to be concerned about,” Kriczky said. He added that from the perspective of store owners, data security is “only important when something happens.”
Richard, would you agree with that? That security is “only important when something happens”?
3 Comments
Interesting - while PCI may not directly boost the bottom line, lack of compliance could hurt it. Very much.
Not only is the PCI Consortium actively fining those not in compliance, (some companies are choosing to take the hit), but they are now removing repeat offenders’ ability to process cards for long periods of time.
The problem is that because the fines and the rights revocation are a private relationship between a credit card company and a vendor, the PCI Consortium is not publicly disclosing the information about them. Thus a) consumers don’t know who is being deemed insecure and b) vendors don’t realize that the PCI co *is* taking action against those not in compliance.
Hi Ken,
Thanks for your answer. I think security is only *appreciated* “when something happens”. A world without security would be no world at all.
Hi B.K. DeLong,
Our paper does not argue against the validity of PCI. Our paper deals with whether or not security mechanisms may be used as enabling mechanisms.
In our paper we argue they can, and we cite examples of how security enables processes, hence the Apple DRM example.
Richard was arguing against the enablement perspective by saying that PCI compliance does not contribute to the bottom line and does not have an ROI.
Sincerely,
Ken