On June 27, 2002, Microsoft posted a security update to the Windows Media Player (WMP). That update included an End User Licensing Agreement (EULA) covering, among other things, the Digital Rights Management (DRM) system. While we have designed our DRM system to be as secure as possible, no DRM system is impossible to breach. Therefore, we have designed "renewability" features into our DRM system which enable the security of the DRM system to be restored in the event of a breach.
The EULA included language designed to cover future updates of the DRM system in the event of a DRM security upgrade—and this language has been misunderstood in some reports. This document clarifies some misunderstandings about the EULA for WMP that was part of the security patch.
It is important to note that users have complete control over whether new DRM software components are downloaded onto their system at all times. If upgraded DRM software components are needed to play back secure content, the user will be notified, and only after they have given consent will these components be installed on their system.
We recognize that the EULA as currently written does not clearly explain the scenarios it covers and the control the user has. We will update the EULA for WMP as quickly as possible so that the three DRM scenarios it is designed to cover are clear. The three scenarios are:
DRM Security Upgrade
A secure content provider may require the user to upgrade some of their DRM software components in order for them to access the content provider's secure content.
By license, DRM programs must first notify the user that an upgrade is required and then ask for their consent before downloading any new DRM software components from Microsoft.
If the user declines the upgrade, the user won't be able to play secure content that requires upgraded DRM. The user will still be able to play unprotected content and secure content that does not require the upgrade.
DRM Program Revocation
If a Microsoft technology or third-party program that utilizes Microsoft DRM is found to be compromised, secure content providers may request Microsoft to revoke the DRM program's right to manipulate secure content.
Revoked DRM programs will not be able to access secure content. If the user attempts to access secure content with a revoked DRM program, the program should provide the user with instructions for obtaining a secure replacement if one is available. A revoked program is still able to play back unprotected content. Program revocation does not affect any DRM Licenses on the user's computer.
An up-to-date list of revoked DRM programs is sent to the user's system whenever they acquire a DRM License from a DRM License Server.
The new EULA will make it clear that if the user elects to download a license from a DRM License Server, the DRM License Server may, in conjunction with such license, also download the revocation list onto the user's computer.
DRM Program Revocation
To further protect their content, secure content providers have the ability to include in the DRM Licenses that cover their content (i) a list of DRM Programs that should be excluded from accessing their secure content ("Program Exclusion"); and (ii) a list of previously licensed content that should no longer be licensed ("Content Revocation").
It is the responsibility of the secure content provider to inform the user if and when they utilize these mechanisms and address any impact this may have on the user's ability to access their licensed content (e.g. disclose any license limitations or alternative licensing).
Additional information describing these Microsoft DRM features can be found on pages 21 to 22 of Microsoft's white paper "Managing Automatic Updating and Download Technologies in Windows XP" available for download.