Radiohead knows more than Microsoft about security

Music fans, recording artists, journalists, the RIAA, and digital rights activists have at least one thing in common right now. I'm speaking of the intense interests some people from each group have in the outcome of Radiohead's recent experiment in business models for musicians, of course.

There are people on every side of the issue of how the Internet affects content publishing industries making all kinds of wild claims about what is going to happen as more and more ease of duplication and distribution comes to the end user. There are those who point to examples of book authors who have gained a following and a foothold in the market by offering their books online, self-publishing essentially for free, and ended up making a tidy profit and attracting book deals from major New York publishing houses. There are those such as the RIAA, MPAA, and Microsoft who claim that copyright violation -- or "piracy", as they are so fond of calling it -- is materially damaging their business and is morally equivalent to theft, even if a court of law does not consider it equivalent. There are also those, such as the Free Software Foundation and the OpenBSD project, who see the Internet as the single most effective tool for improving the state of the art of software ever discovered.

Finally, there are those like Radiohead who see a tremendous opportunity for the actual content producers, the artists at the root of the entire music industry. By extension, what Radiohead is doing may have important implications for producers of every form of copyrightable material that can be distributed over the Internet. That includes software, both fiction and nonfiction prose, movies, music, and photography, among other things.

What Radiohead is doing is bold and -- at least at their level of prominence -- unprecedented. The critically acclaimed band's newest album, In Rainbows, can be ordered as an impressive collector's edition including lots of extras from the Website, of course -- and for the impressive (i.e. not cheap) price of forty British pounds. That comes out to about US$80 at the current exchange rate, give or take a few. It's being produced and sold without help or funding by any major RIAA record label, but that's not the controversial part of the deal.

What has everyone up in arms is the other purchase you can make at the In Rainbows website: a digital download of the album, in a simple compressed ZIP archive, with no DRM. The most surprising thing about it is the price, which is whatever you want to pay. No, really. Radiohead charges whatever you want to pay. If you want to download it for free, that's fine. If you want to pay thirty British pounds for it, great. Radiohead seems to be banking on the idea that saving all the RIAA marketing, distribution, and other overhead expenses, combined with what RIAA spokespeople would surely call unrealistic optimism, will lead to greater personal profits for the band than they could ever hope to achieve via the traditional recording industry business model.

How's it working out?

According to a report presenting statistics gathered by comScore, 38% of people worldwide who downloaded In Rainbows paid something for it, which leaves about 62% who "freeloaded". The numbers vary a bit based on location, of course: in the United States, the reported numbers are 40% and 60%, respectively, showing a slightly higher likelihood for US residents to pay than downloaders in the rest of the world.

Keep in mind that only Radiohead and its affiliates know for sure how many downloads there have been, how much money has been paid for them, and so on -- and Radiohead disputes the data, suggesting instead that most fans who have ordered the download chose to pay at least some money for it. Some estimates range higher than US$9,000,000 of revenue generated by In Rainbows for the month of October alone, but the band itself isn't talking. For the sake of argument, I'll just assume that comScore is working with a statistically significant sample, and has arrived at roughly accurate results. Any statistics that follow, like those in the previous paragraph, are based on comScore's numbers.

Average payment per download, for all those "freeloaders" and paying customers, comes out to over two British pounds, with about a 52% higher average for US downloaders than those elsewhere in the world. Considering that it costs Radiohead effectively nothing per person who downloads it for free, every single dollar beyond the basic costs for producing the album and the infrastructure to offer it as downloads is pure profit. Of course, there are people, most of whom have a vested interest in maintaining the status quo in the record industry, who see this all as some inescapable portent of doom.

As quoted in the comScore report, the CEO of TAXI (one of the world's most prominent independent A&R companies) said "Radiohead has been bankrolled by their former label for the last 15 years. They've built a fan base in the millions with their label, and now they're able to cash in on that fan base with none of the income or profit going to the label this time around. That's great for the band and for fans who paid less than they would under the old school model. But at some point in the not too distant future, the music industry will run out of artists who have had major label support in helping them build a huge fan base. The question is: how will new artists be able to use this model in the future if they haven't built a fan base in the millions in the years leading up to the release of their album under the pay what you'd like model?"

Of course, the obvious answer to this is that artists will be able to build their fan base by doing exactly what Radiohead is doing -- and the more people value their music as it becomes more popular, the more money it will make for the band. It would at least in theory be an inexorable, organic growth of revenue for any band that is good enough or appealing enough to warrant increasing popularity and income. It's like a guaranteed raise every year, assuming you're actually worth the money you get when you receive your raise, but without the uncertainties of office politics getting in the way.

In theory, theory and practice are the same thing. In practice, things are rarely that simple. Only time will tell whose interpretation of events will hold true in the long run, whose hopes or fears will be most relevant to the future of the record industry. One thing is certain, however: the better Radiohead's business model experiment goes, the worse the implications for any corporations and industry associations whose business model prompts them to use measures like DRM software to centralize control over content distribution.

What does this have to do with security?

The entire rest of the article up to this point was, in effect, laying the groundwork for a single, simple point. That point is that security is, among other things, a matter of picking your battles well. There are some things that just cannot be protected in the long run and ultimately, if your business model depends on protecting such things, either your business model will change or your business will fail. It's really that simple.

Radiohead is demonstrating a desire and ability to take chances on new business models when the band sees what appears to be the writing on the wall with regard to the demise of the record industry's traditional business model. Ironically, this fantastic new business model isn't new at all. It's more like a return to what may be the oldest musician's business model known to man, where the musician plays music and listeners who like what they hear drop money in his hat. Such a return to old form would make the RIAA's model a recent aberration based on duplication aspects of the technology temporarily leaping ahead of the distribution aspects. Reaching the point we see now, where duplication, distribution, and even playback have become almost indistinguishable applications of technology, we discover that centralized control of distribution of copyrightable works may fall into the category of things we just can't protect in the long run.

Microsoft is not the only content and software vendor in the world whose entire business model inherently depends on protecting centralized control of distribution. I could have as easily used Sony as my example, considering the faux pas Sony/BMG has made with DRM lately. I need to pick an example, however, to make a point, and I've chosen Microsoft.

Critically acclaimed, internationally successful band Radiohead has apparently learned the lesson that selling the product of the intellect as though it were a physical commodity that cannot be reproduced outside of the record industry is an unsustainable practice, a business model that cannot be protected for long, and has begun pursuing other means of making a living from the same process of creation. Meanwhile, internationally successful software vendor Microsoft has reacted to similar circumstances and lessons in the software industry by trying desperately to tighten control of its empire, including ever more DRM software with its offerings both for the protection of its own software's restricted distribution business model, as well as for software and content provided by its business partners.

Maybe Microsoft has a long term plan that involves ultimately changing its business model to leverage the market forces that exist regardless of centralized control of distribution, and its current protectionist tactics are only a holding action until the corporation can make the transition. Maybe almost every technologist with a meaningful understanding of the nature of bits, of the basics of information technology, is simply wrong about the ultimate impossibility of maintaining centralized control of distribution for any product of the intellect once it is recorded.

From what I can see, though, it looks more like Radiohead knows more than Microsoft about a fundamental principle of security -- that a necessity of successful security practice is recognizing the difference between what can be effectively protected and what can't. It's a principle that applies just as well to the security of your business model as to the integrity of your network.

What did I pay?

I've never been Radiohead's biggest fan, but in my opinion their music is far better than most of what I hear on the radio. I figured it was fair to pay about three British pounds.

It was worth every penny.