Tuesday, December 18, 2007 - 09:59

eBooks and DRM

One of the things I miss most about London are the libraries. Maybe they're not all that good, but the libraries I used were excellent, compared to those in SA. They not only have books that have been published in the last ten years, but new best sellers! And they have a range of books... And they're actually open over the weekends, and at times when people aren't at work! (And, as a bonus, you can access their inventory list on the net, so you know if they have the book you're looking for, at which branch, and whether or not it's out. )

Books are just so much more expensive here that libraries can't afford to buy new books; but neither can readers. I'd love to get the whole Harry Potter series, and I started reading the Agatha Raisin books while I was in London, and I'd like to read more of those. But books are really expensive here, and they're not books that I want to own - I just want to read them. While libraries here do have some of the HP books, they're so popular that they're always out - and I always feel bad taking out a 'kids' book, since I feel like I'm depriving some kid of a chance to read.

So, to get to the point of the post, I turned to eBooks. Now eBooks aren't my preferred method of reading - it's hard to snuggle up with a laptop - but if it's cheaper than buying the physical product, it can be worth it. Unfortunately, I ran slap bang into eReader DRM.

Firstly, eBooks aren't cheap. The Agatha Raisin books go for about 6USD on fictionwise, which is fairly hefty when you convert it into ZAR - especially considering that you aren't getting a physical book that you can hold in your hands. But it's still possible, except that the 6 USD books are eReader, whereas the only MS Reader version that they have costs 23USD! So unfortunately, I will not - can not - buy any Agatha Raisin eBooks.

Why not? Well, 23 USD is waaay too much for an eBook. And eReader is a particularly nasty form of DRM that I won't support. (And just to add insult to injury - I know that the HP books, and probably the AR books as well, are available online, illegally, if you know where to look. I don't. And that's not an invitation to tell me, because even if I did know, I don't want to download illegally. I want to pay a reasonable amount, and get a reasonable product in return). So instead, I sit with nothing, and a writer has lost a reader.

So why is eReader DRM so bad? Well, all the usual arguments against DRM still apply here (do a search on boingboing.net for DRM, if you want to know more). And fictionwise have already experienced how DRM can lock you out of your legitimate purchases - they changed DRM supplier in 2004, and had to put a lot of effort into maintaining customers' purchases; even so, you still can't do everything with an eBook you bought before 2004 that you can do with one you've bought since.

eReader DRM I particularly dislike, since it uses your credit card number as the token to unlock your eBooks. Apart from anything else, I don't want to use my credit card number for anything other than buying via credit card. It also locks out anyone without a credit card, and apparently it can have problems with unlocking books purchased with an international credit card.

You see, it works like this. You buy an eBook, and you can read it on your PC or on your PDA (using the appropriate versions of the eReader software). When you load an eBook onto your PDA, you need to enter your 'unlock code' - the credit card number you used to buy the eBook. I think, although I'm not sure, that this then gets sent (or rather, a hash of it is sent) to the eReader verification server, and if it checks out, the eBook is unlocked. Which means that you have to have internet connectivity on your PDA. (As I said, I'm not sure about this - nowhere is it explicitly stated, but there are hints here and there that this is how it works. But I could be wrong; maybe it's all done on the device. ) You also need to enter the unlock code every time you want to read the eBook on your PC.

One of the reasons why I think it connects to the server is because your credit card must be active to unlock a book - if it's expired, and you've been issued a new credit card, you need to switch the unlock code to the new credit card. Now there are two ways of doing this with eReader - buy a new eBook, and then you'll get an option to add a new credit card, and you'll have to download all your eBooks again (which would imply that the hash is stored in the eBook itself, not requiring server verification); if you don't want to buy a new book, you have to phone them. Yup - really helpful for international customers, isn't it? In a way, it's fair enough - they don't want you to send credit card info via email. But surely the best way to avoid that is for them to assign you a unique unlock code when you create an account, rather than using your credit card number?

Those are the big problems I have with eReader DRM, and it's enough to put me off using them. But you also can't print your eBooks, not even little sections of them (and I'm guessing that they've disabled the 'select -> copy' functionality as well). And oddly, hardback/paperback pricing still affects eBooks (although presumably this isn't specific to eReader) - eBooks are priced as hardback until the paperback comes out, at which point the price comes down. And this is purely to avoid competition with physical books, since the cost of producing the eBook (and the value of the eBook to the 'owner') don't change. Just another sign that the business model is outdated and has to change!



At 19/12/07 16:11, Blogger steve said...


I'm Steve Pendergrast, one of the founders of Fictionwise.

To correct two small problems with your blog: first, you do not need internet connectivity to unlock your books. There is no server hit coming from the PDA. As proof that this is true, eReader has been used for many years, long before most PDAs had any kind of internet connectivity, and it works just fine from PDAs that have no connectivity right now.

Second, it is not true that the credit card unlock stops working when the card expires. When you register a new card with us to re-encrypt an ebook, that new card does have to be good at the time you register it. This is a security precaution to stop people from just making up fake card numbers and using them as unlock codes.

Your card number is not stored anywhere, only a hash consisting of your card number plus your name information is stored. It is literally impossible to reconstruct your card number or name from this one-way hash. Again, this is for security reasons.

Take care,
Steve Pendergrast

At 19/12/07 16:20, Blogger CJ said...

Cool, thanks for clearing up those points. As I said, I wasn't sure on the point about verifying against a server, and I must have misinterpreted the FAQ on the point about needing a current/active credit card.

I do understand that the credit card number itself isn't stored (and I wish more online merchants would use hashes instead of storing passwords and credit cards!), but I still don't like to use it anywhere that it isn't necessary for purchases. Shoulder surfing is a concern, as are key loggers.

But again, thanks for correcting me on those points. I do appreciate it!


Post a Comment

Links to this post:

Create a Link

<< Home