There’s a very fundamental problem facing many content creators in Virtual Worlds these days (such as Second Life™, IMVU™ and others), and that is the problem of Piracy - where one unscrupulous individual takes content from a designer or developer, and then attempts to resell it as their own.

It’s a problem - no-one can deny that, but the solution to the problem is not ‘deep’ DRM. There are a few reasons for this, especially when it comes to content (scripts and backend programming are another matter entirely and something I will get to in a moment)

Three reasons why this wont work for visual content

First, the obvious one - content must be displayed on the users screen. This means it must be presented to the video card in an unencrypted form. I’ve heard a few silly ideas to prevent this one, such as encrypting the texture and using a shader to decrypt it on the video card (just run the shader in a virtual machine).

At a very fundamental level, the laws of mathematics do not allow you to say “This number cannot be copied.”, computers which are based on very high level mathematics are still subject to these immutable laws. There’s a parallel law here which states that you can always modify something - sure you can make it a house of cards that breaks if you make a change, but someone can always employ superglue to prevent that.

It’s technical, but it’s worth reading the examination of the Skype binary (PDF) done by a security analysis team, the Skype developers know their stuff, exactly how to use cryptography properly, how to try prevent debuggers from being run, etc. Every single one of their protections has been examined and detailed specifically in that document - no matter how clever you think you are, there are cleverer people out there and not all of them have good motivations.

Second reason why this wont work - You hand the legitimate user both the content and the key to decrypt it to display it - there’s no way to avoid this without disallowing the user to view the item (which defeats the purpose of content). There’s nothing stopping them from making a copy of both parts, and once the schema is broken, there’s no going back - it’s out there. You cant revise the encryption scheme after it’s been broken, your content is now available unencrypted.

This has been a big problem with things like DVD encryption, because to release a new encryption scheme you need to get every user to update, and titles released under the old scheme are still broken. DRM used in popular products tends to have a life somewhere between a week and three months - assuming point #1 doesn’t hold, this still means you have to assume all your content more than at most 3 months old is piratable - how many content producers produce enough content every month to make their old lines completely redundant from a sales perspective?

Third reason - DRM tends to annoy customers. Consider the possibility where you want to teleport your avatar around a hypothetical super-grid the size of the internet. You enter a sim which hasnt been authorised (and I’d say in the long term, most will fall into this class - similar to only how a small % of sites have SSL certificates), and bam, your avatar vanishes.

Well, what can you do? Not much - but you arent likely to buy avatars from this user again that’s for certain. There is likely going to be a commercial incentive towards content which after you buy is free to do what you want with. (With copyright law enforcing violators and pirates).

So - how the hell do you protect your revenue/sales in an environment where anything goes?

This question is the real question that should be asked, the answer hasnt yet been determined (market forces will likely be the ones to figure out which models work, and which dont)

• Custom Content - in a world where everything is mass produced and cloned, unique content that has been hand crafted for what you want is a drawcard. It’s unique, it’s yours, it’s $50.00/hour design fees.
• Keep on keeping on - The current model is unlikely to collapse, brands seem to matter and people like being able to say they have legitimate content. Systems will likely appear that allow you to verify whether someone has paid for a piece of content or not. Piracy goes on in virtual worlds today, but sellers seem to keep making sales (I’d like to know more from specific sellers how their sales have gone when a piece of content has been pirated significantly).
• Mark your intent - Tying in with the above point is the idea that you can mark your intent - this is ’shallow’ DRM - it’s nothing that cannot be removed, but it does signify what the creator wanted you to do with this content and has licensed you to do. If someone violates these terms, you can deal with them the same way copyright infringement is handled in the real world, courts. For all the complaints that go on about the DMCA, the act does provide a relatively sane way to deal with IP infringement from a content creator perspective (however beware, filing a false DMCA claim IS perjury).

So what about scripts?

Well, if your script is going to be transmitted from host to host - you have the same problems that commercial web scripts have - and all of the above applies. With sufficient bandwidth and processor time however, it is possible to run scripts on your servers for other peoples (the “hosted” model). OpenSim supports this hosted model via the ScriptEngine that can be run as a grid server - hopefully these kinds of things will become easier to setup and maintain, and perhaps a giant such as Akamai will take to the role for other people.