One year ago I had a column in this space, The Impossible DRM. I made the case that DRM is impossible, but I left a loophole there saying I was talking about single-player only games, and that MMO games operated under a different set of rules.
And now we have Assassins Creed 2, a game which blurs the line between MMO and single player. As I’m sure you’re read elsewhere, you must be online in order to play this single-player game. If you disconnect, you drop out of the game. The game came out for the PC at the beginning of March, and if rumors are true then the game wasn’t cracked until this week. So the DRM lasted for six weeks. While probably not a record, it’s certainly one of the longest-lived DRM systems of the last several years. While I think the system is offensively anti-consumer, this whole sad business has given us a look at just how much damage piracy is (not actually) doing to the industry.
Publishers have been bemoaning that 90% of their sales have been lost to piracy. While I pretty much agree that 9 out of 10 PC players are pirates, it’s important to remember that not every download is a lost sale. The skulls of
John Riccitiello and Bobby Kotick (heads of EA and Activision) are particularly well-armored against this concept. But here we have a well-reviewed, high-profile, AAA title, with incredibly dense coverage that was ostensibly impossible to pirate for six entire weeks. (Which is when the bulk of sales take place.) If every download was a lost sale, then a piracy-proof game should have somewhere in the ballpark of ten times the usual sales. Assassins Creed 2 should be burning up the PC sales charts, dwarfing the sales numbers for its predecessor. Looking around at the sales charts on VGChartz, it would appear that this is not the case.
Laying aside the fact that the system is reprehensible, and that it’s probably done little for the Ubisoft bottom line, I do think what they’re trying to do is possible. They failed this time (again, assuming rumors are true – I don’t mess with pirate sites and I haven’t tested any of this first-hand) but the concept is feasible. You really can get an exceptionally strong DRM system like this.
Traditional DRM systems work (roughly) by encrypting the game in various sneaky ways and then un-encrypting it when the customer wants to play. Crackers then either nab the now un-encrypted data, or look at the exact actions the software took to unlock the game and write their own software to do the exact same thing. As I said in the earlier article, it’s impossible to stop this. If someone can run the program on a machine they control, they can copy it. End of story.
But this new system isn’t trying to protect data sitting on your hard drive. It’s protecting data (and perhaps even game logic) sitting on a remote server, which is orders of magnitude more difficult to overcome. This can still be broken with time, but in a well-designed system (that is, a system a lot better than the one Ubisoft just rolled out) you can make it take incredibly long to reverse-engineer the server behavior. (Note that I’m simplifying this to make it as non-technical as possible. There’s no need to comment and tell me I’m failing to account for asymmetric key encryption and such.)
How it could work is like this: Your local copy of the game is missing key bits of game logic. Out of the box, the game doesn’t know where characters are standing, where the cutscenes are triggered, what items are in the area, or even where the player should appear. All of that is on the server, and the server doesn’t send it until the moment that you need it. That information is small (easy and lightweight to transmit) and if it’s wrong the game will break. You can’t very well progress if the guy you’re supposed to interact with is missing. Or stuck in a wall or underground. So, any hopeful cracker would need to play through the full, complete game at least once to harvest all of that information. Once they know exactly how the server behaves, they can write their own server. Private (pirate) World of Warcraft servers work this way. It’s not a foolproof system, but it’s tedious and time-consuming for the cracker because it involves days of testing followed by days of coding.
But it’s possible to make this process a gigantic and time-consuming pain in the ass. For example, if the triggers all behave slightly differently on different difficulty levels, then the cracker will need to play through the full game on every difficulty to get all the information they need to make a complete server.
Then the killing blow: Make the various triggers dependent on branching player behavior. If you kill A before B, then the server will send you one thing. If you perform action C before doing the main quest, then this key NPC is moved from one location to the other. If the pirate server doesn’t respond with the right data, then the game can fail silently in a lot of annoying ways. The boss you’re supposed to fight won’t show up, a door won’t open, or you won’t get a key item you need to progress. Suddenly the cracker needs to play the game all the way through on every difficulty and following all of the possible branching paths if they want all the data they need to make the game work.
Cracking is fun and exciting now because the cracker can get the game a day or two before release and have it cracked before launch. They get to “defeat” the DRM-authoring numbskulls at SecuROM and feel like heroes. The adventure becomes a lot less fun if they have to wait until the servers go live at launch, and then they have to labor for weeks or months and play the game until they’re sick of it. And when they’re done, they’ll have a crack for an old game that nobody cares about anymore.
Of course, if publishers did this it would be a case of destroying the industry in order to save it. They would stop the pirates, but they would also stop quite a few consumers. The system would be slow to develop and expensive to produce, all so that they could (maybe) slightly increase sales on the PC, which is already the smallest platform on the market.
So I give Ubisoft credit: They have come up with a system that can eventually work. But it’s still a waste of money, abusive to legitimate customers, and criminally short-sighted. It’s a dumb idea, but they’re doing a great job at it.