How will this get resolved?
The studios are rightly upset that these companies are not spending as much money as they should to solve their security problems. But is it my job to keep your house from getting broken into? The way that I believe that it should work instead is that the studio should put some security code on the disk, and the player should run it.
The studios have a pretty powerful incentive to protect these materials, so how come this system isn't in place now?
It turns out that there are some very complicated technical problems in making this work. And fixing the problem from an economic perspective is not the way most engineers look at it. Most people look at security as this binary thing: either it is insecure, or it is secure. If you take that kind of a perspective, this whole notion of apportioning risk does not even really apply.
One of the advantages our research group has is a lot of experience in working with credit card industries. The philosophy you learn there is really valuable, because there is this notion of risk. You can copy your average credit card with a piece of VCR tape and an iron. It is completely insecure technology, and you are always going to have fraud.
But what matters is not whether you have fraud; it is what your fraud rate is. So, Visa's published numbers are 0.07 percent and 0.08 percent. Overall, it is profitable for the different participants. If the fraud rates went up by a factor of 10, it would not be.
I think it has to be applied to other unsolvable problems like spam, like PC security, like piracy. Your goal here is to keep the rate of compromise low but to recognise that you cannot get rid of piracy completely or get rid of spam completely. But if piracy is below 1 percent of your revenues, it is the cost of doing business.
