I spent a lot of time yesterday thinking about Digital Rights Management. Call it anything you like, but DRM is proprietary, limited, painful to use, and fundamentally ineffective. Liquid Machines (“Enterprise Rights Management” — did no one tell their marketing team that “ERM” has been taken as an acronym since before they were founded?), Adobe (Adobe Policy Server), and Microsoft (Windows Rights Management Services (RMS)) are all trying to be solutions for an impossible problem, which is that people make poor decisions about what is appropriate to do with information.
Further irritating me is the fact that DRM depends on closed-source, binary-only software to ensure that the use policies (read-only, no printing, no save-as, etc.) are followed once the information is decrypted. I’m sure that Microsoft is counting on RMS to keep people from defecting to OpenOffice or, even worse, some server-based Ajax office suite (*cough*Googleoffice*cough*).
DRM may stop a few people from leaking data in some formats, but it’s not a solution to the fundamental problem of human nature. People want to share information, and the more valuable it is, the better: access to sensitive data equates to prestige, but only if you can prove it. Sure, DRM can make that harder, but the greater the value of the information, the more likely that someone will bypass the DRM protections at either the technical or the social level. Consider how Hollywood, Apple, and the RIAA have been immortalizing themselves as Bad Examples of the limitations of DRM for years now.
Once deployed, I expect that DRM will fail in one of two ways. I call the first one the Command Economy failure. Fixed policies will be set and managed centrally, then assigned to documents as they are created. In the same way that Soviet central planners tried (and failed miserably) to predict the number of pairs of shoes or rolls of toilet paper the country would need, so we will fail miserably to predict the appropriate DRM boundaries for information, usually erring on the side of caution and acting as a drag on the business when people can’t get the information they need to do their jobs.
The other failure I think of as the Doorstop Failure, named for the traditional security example of the (usually data center) door that gets propped open because it’s too inconvenient to authenticate to it every time someone needs to go in. If people are granted the ability to set their own access policies, they will very soon begin setting extremely broad policies to ensure that anyone who might need access to the information has it.
What it comes down to is that if someone is going to share information inappropriately, all you’re doing is making it a little more inconvenient. If someone can see it, they can share it. Even if they can’t share it, they can summarize its value and share that.
DRM increases the technical barriers to inappropriate disclosure, but I strongly suspect the cost of increased friction it introduces to conducting business (even ignoring the cost of implementation) will outweigh the benefits.
That’s not to say that I won’t give DRM a chance–I’ve actually got a DRM pilot running right now, and what we’re finding is that the product’s user interface and stability are the biggest limitations. It’s so cumbersome and inflexible that it takes minutes to set policy for a document. Then the recipient needs a plug-in, which requires a reboot if they don’t have it. Even then, it only works with MS Office. And when the plug-in fails, it takes down every Office app. All in all, not something that I’m going to roll out and poison the well for any future efforts.
So at this point, I think it’s too early to say whether corporate DRM is going to work or not. If I didn’t feel like it was mainly a tool for ensuring vendor lock-in, I’d be a lot more interested in finding a balancing point between effectiveness and friction in the business, but for the time being, I am definitely skeptical.