Coupon Hacker Beats Bad Trusted Client Security

A man named John Stottlemire has found himself in some legal trouble for developing a piece of software that bypasses the coupon-protection DRM used by Coupons.com. Essentially, to keep users from printing dozens of copies of one of their free online coupons, Coupons.com forces you to install some client-side software which assigns a unique ID to your computer, which the server uses to verify that you’ve printed the coupon only once.

This is a rather pitiful way to enforce security, because it relies on a trusted client. Never trust the client — anything on the end-user’s PC is totally under the end-user’s control, and thus can’t be relied on to enforce security policy. What Coupons.com has done here is no different from websites putting their input validation in JavaScript running on the user’s browser — as if the user couldn’t disable JavaScript, or even save the page to their own hard drive and edit it.

Stottlemire’s hack simply deletes the unique ID, so every visit to Coupons.com is your “first” visit. He’s now being sued, on the grounds that this is bypassing digital rights management, and thus illegal under the Digital Millenium Copyright Act. The DMCA is very broad, and does prohibit any kind of encryption-cracking for the purpose of defeating copyright protection, even if what you do with your encryption-cracking is otherwise completely legal.

However, this is a pretty dubious legal claim. No encryption was bypassed — all his hack does is delete files off your own computer. Essentially, it’s no different from deleting your cookies to make ad networks forget who you are. As Stottlemire says, “I honestly think there are big problems when you are not allowed to delete files off of your computer.” In addition, he’s cracking a system whose purpose is to give away free coupons, so it’s going to be pretty hard to demonstrate monetary harm here.

The DMCA is often ridiculous in that it attaches legal protections to systems that are painfully weak. After all, Stottlemire wouldn’t be in any trouble for, say, printing out Coupons.com’s coupon, and then making 1000 photocopies of it. Nor if he just used their printer app, but told it to print to an image writer (thus creating a binary file rather than a piece of paper) and then printed that repeatedly. But when he writes software to perform these simple and obvious tasks, suddenly he’s a criminal?

In Coupons.com’s defense, the reason that their security is so bad is that their problem is impossible. You can’t send an image to someone’s machine, then trust that the machine will do only what you want (print one copy) and not what you don’t (print 1000 copies.) Someday, DRM vendors may even figure this out.

dmca, legal, trusted client

If you enjoyed this post, please consider to leave a comment or subscribe to the feed and get future articles delivered to your feed reader.