a DRM solution

Shamus has long been a gamers’ advocate with regard to prohibitive DRM on computer games, and even has a common-sense 5-point solution to the problem. Unfortunately, since his plan (which treats customers as customers instead of potential pirates) does nothing to actually prevent pirates from pirating games, his solution is likely to be ignored. It seems to me that any solution to ease the DRM load on the end user will need to at least make a token effort to reduce or otherwise inhibit piracy, for it to be taken seriously. Obviously, the common-sense argument that Shamus makes, namely that good business practices which treat customers like a scarce resource instead of a bitter enemy will result in higher revenue despite piracy, is simply not going to penetrate. Even Penny Arcade, a longtime gaming fansite, fell prey to DRM’s allure in their own game, after all.

Somewhat related to all of this is the lesser issue of CD keys, which Shamus distinguishes from DRM. If all DRM was just CD keys, then DRM wouldn’t be that much of a pain, but the problem with CD keys from the manufacturer perspective is that they can be written down, cut and pasted, emailed, etc. I’ll readily admit that I’ve used CD keys for various software in the past that were “borrowed” – it’s no different (apart from being less annoying) than the old “what’s the 10th word on page 4 of the game manual” routine. So, again, as far as preventing piracy, or even mitigating it, CD keys just can’t solve the problem.

However, in considering CD keys, a possible solution to piracy does present itself. What is needed is something that is both dynamic and tied to the specific user. For example, imagine a software download service wherein:

1. The game can be downloaded if the user sets up an account and registers a credit card for payment. The game can also be mailed out on physical media for a nominal extra charge.

2. The user is asked to set a password for their account. This account is treated like a bank account password, i.e. you have the little picture for verification, you have security questions about your mom’s maiden name etc, the whole bit.

3. Upon download, the game can be activated for installation (not play!) by entering a key that is generated via a standard one-way function in real-time by several inputs:
   a. the license number emailed to the user (or printed on the back of the physical disk).
   b. the user’s username and password to their online account.
   c. the current date and time (automatically slurped from public date/time servers).

4. The game itself can be played anytime, but still requires username and password (not CD key).

The advantage of the scheme is that the activation code for installation is not a static string but something that changes in a consistent way. The one-way function should be something very well-known (like MD5). The only way that the game can then be shared would be for the user to share his account password and login, which presumably they’d be incentivized NOT to do, because their account represents private data including payment information for future game purchases.
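
The activation-code derivation from step 3, written out as an added example (it is not code from the original post). It swaps HMAC-SHA-256 in for the MD5 the post suggests, because MD5 is broken for collision resistance, and the 300-second time step, the field separator, the salt layout and the PBKDF2 password stretching are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time

TIME_STEP = 300  # assumed validity window in seconds; the post names no interval


def account_secret(username: str, password: str) -> bytes:
    """Stretch the password (input b) so the raw value is never hashed directly."""
    salt = b"activation-demo:" + username.encode()  # assumed salt layout
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def activation_code(license_no: str, username: str, password: str, now: int) -> str:
    """One-way function over (a) licence number, (b) credentials, (c) current time."""
    step = now // TIME_STEP  # the code changes every TIME_STEP seconds
    msg = "\x1f".join([license_no, username, str(step)]).encode()
    tag = hmac.new(account_secret(username, password), msg, hashlib.sha256)
    return tag.hexdigest()[:16].upper()


def verify(code: str, license_no: str, username: str, password: str,
           now: int, drift: int = 1) -> bool:
    """Accept the current step plus `drift` steps either side to absorb clock skew."""
    for offset in range(-drift, drift + 1):
        expected = activation_code(license_no, username, password,
                                   now + offset * TIME_STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not from the post.
    t = int(time.time())
    args = ("LIC-0001-DEMO", "alice", "correct horse")
    code = activation_code(*args, t)
    print("code now:       ", code)
    print("valid now:      ", verify(code, *args, t))
    print("valid in 1 hour:", verify(code, *args, t + 3600))
    print("wrong password: ", verify(code, "LIC-0001-DEMO", "alice", "guess", t))
```

A code that is captured and replayed later fails verification once its time step and the drift window have passed, which is the property the post wants from a key that is not a static string.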

The user would be happy because the code is easy and really just requires a simple login, and then the game is fully unencumbered for play. The game company would be happy because they are tying each copy of the game to a specific consumer, and they can leverage that for marketing purposes as well (for example, offering good customers a buy 10 get one free deal, or a points system to redeem games, or the option to download exclusive minigames or other freebies). The problem for pirates who want to distribute the game should be pretty clear – especially if the encryption on the actual game software is pretty high.

What do you think? Would this work? Does it meet all of Shamus’ criteria for a solution to the problem?

4 thoughts on “a DRM solution”

  1. 1. Zip up the game after installation; if it runs on Windows, also grab any registry keys it installs.

    2. Change the password on the activation site after you install.

    3. Remove the credit card from the activation site after the install, use your bank’s handy one-time card number system, or use someone else’s card.

    4. Optionally, patch out the code that verifies the username and password.

    Personally, there are very few web sites that I’m willing to leave a credit card on file with “for later use”, and no game company is on the list. Unless the game is being published by Amazon, I’m probably not going to be a customer.


  2. Er, except for the encryption, isn’t that basically how Steam works?

    Additionally, I don’t think any major publisher would want to limit sales of their game to credit card holders. Even subscription-based MMORPGs sell point cards in brick and mortar stores, as do the console download services (XBox Live, Wii Shop Channel, whatever Sony calls theirs).

  3. J, if the entire game’s files are stored in an encrypted file and the game is actually run by a “client” that decrypts files in real time, it would probably be harder (but still not impossible) to do the (complex) workaround you describe. Still, my point is not that a solution to reduce the DRM burden on end users must completely prevent piracy, my point was that a solution to reduce the DRM burden on end users must at least make some practical progress in reducing piracy, which I think it would. Otherwise the likelihood of adoption by the industry is simply zero rather than negligible.

    Andrew, to be honest I am not a PC gamer so I have absolutely no experience with Steam.

  4. I’ve spent the last forty minutes trying to figure out exactly how you want this to work, and I’m not getting it. If, after installation, the game can be played without ever talking to a server, then it can easily be copied to a hundred other machines. This isn’t a complex workaround, it’s about the simplest “crack” there is. Sharing the username and password is only a problem if the password is correct and it protects something of value.

    It looks to me like the only thing “keeping people honest” in your system is the threat of having their credit card number disclosed to the people they share the game with. And that threat is the only reason the publisher is keeping the card on file in the first place. Not a company I’d do business with.

