"Windows Rights Management Services (RMS) is a security service for Windows that works with applications to help safeguard confidential and sensitive enterprise information—no matter where it goes."
I was wondering when you'd get around to IRM. Now you're deep in my wheelhouse. :)
Any discussion about engineering on the topic is remiss without calling out PavelK, the true genius behind what was one of the most difficult aspects of the feature... How do you encrypt a file format that was designed for random access, dynamic block size, ubiquitous for many applications across the Office suite when the requirements for encryption require some level of sequential and fixed block sizes? While making it agnostic to which application was loading the file? Pavel's solution was one of the most impressive feats of design I can recall. Sadly Pavel passed a few short years later, still one of the smartest people I've ever worked with.
The DRM vs IRM debate was a fun one. Took months of debate across multiple fronts. In addition to the public perception (mostly negative) about DRM, unlike Windows Media Player and other music/video protection, Office was never going to fully protect content just as described above. We had to be distinct and yet trustworthy. Lauren and Jason Cahill eventually won people over with the tagline "Keeping honest people honest". Much of our research had shown that the majority of leaked information was accidental, not intentional. The base design precept of the user experience was two-fold: 1) Simple and 2) Help honest people stay honest.
Yes, you could pull out your fancy new digital camera (still in its infancy) and take screenshots, there was never going to be a way to protect against that just as you could video record a screen. But the Office guarantee was that if you weren't trusted to open it, you couldn't open it. We'd help you not make mistakes once you did open it, but if you intentionally subverted the intention of IRM, ultimately you could.
Similarly not only was there a scramble to block "print screen", there was a furious debate whether we should. Originally Windows and WRMS teams said it wasn't required for all the reasons above. We finally negotiated an ability to turn off print screen for applications with a Windows API call... which had to be ref counted which of course caused issues if the app crashed.
On a side note, print screen didn't help with DRM and Windows Media Player because WMP wrote directly to graphics memory and bypassed the GDI layer in Windows. Office did not.
One fun internal debate was which applications we'd put IRM into. We had broad and bold plans to have it everywhere, but of course being in Office Shared we had no ship vehicle or application, those were owned by a consortium of separate managers. Each one we had to convince. Word was all in, Excel was mostly all in. PowerPoint was in passively, they were ok with it but the shared team did much of the UX work for PowerPoint. Outlook was the resistant application for good reason, they had other huge bets in Office 2003 and in order to reduce risk they drew the line at IRM. It wasn't until very late in the cycle when the shared team had all but given up on Outlook for Office 2003 that they were persuaded. And good thing because most people don't even realize when they're inside Word or Excel or PowerPoint that they can rights protect the document directly, Outlook and "Do Not Forward" became the "killer application" of the technology. All this coding was 20 years ago, the feature is almost old enough to buy alcohol, it is old enough to vote, it's used heavily still and almost didn't happen.
Looping back around to what Steven, Kurt, Jon and many other leaders called "brutal prioritization", IRM in SharePoint was a fascinating exercise. During Office 2003, InfoPath was the leading focus of IRM on SharePoint. The thinking was you'd build a template and apply a use rights label to the template and when the template was instantiated into a form, the use rights would be transformed into enforced licenses based on the properties of the folder it was in. We realized very late in the project that the way we'd built the feature would be expensive to maintain. We knew only a couple of months from shipping that the next version we'd re-write the underlying architecture fundamentally. I still remember sitting in large meetings explaining why we had to throw away about a person-year of coding and start over next version. Ultimately it was the right decision, the Office 2007 SharePoint integration was more deeply embedded, extensible and flexible than what we had. And interestingly InfoPath forms never became a high use case for IRM anyway. Phew.
There are some fun behind the scenes stories, I could go on for days... The keys to protect files when we shipped were generated in the Microsoft vault which of course is highly secure including being a Faraday cage of sorts. But we had to allow multiple developers to debug the feature by building their own local copies including the keys needed to build the app. How? Well, there was a secret second set of keys that only worked on debug builds that were kept under lock and key. I remember handing that keyfob to the new owners of IRM when we reorged post Office 2007. I always wondered what happened to it.
Another really fun challenge was how do you verify the Office app itself hasn't been tampered with? It'd be pretty easy to tamper with the application, once you open a file the file contents are in the computer's memory unencrypted so it'd be trivial therefore to simply save it to an unprotected clone file. But CRC-checking the entire executable and all DLLs it loads would take far too long from boot speed. That was a fun problem for us to solve.
Another fun one was the Outlook "file format" which of course wasn't Office owned, it was MIME. How do you encrypt a file format you don't own? Turns out Outlook IRM mails aren't actually the MIME message. The message is a simple MIME mail with the text something like "this is a protected mail, open it with a rights protection enabled app"... The actual mail is an attachment. IRM enabled Outlook would recognize this, ignore the outer mail and open the inner attachment as if it were the mail. Attachments to the mail were actually Russian Doll-like attachments inside the attachment. They themselves were also IRM protected with the same use license as the mail, if possible.
I could go on for days... I'll leave it with this... I think our proudest moment (I can't drain the full list, but in addition to who you called out, Pavel and Jason I have to call out JulieMad...) is that in the 10 years after we released IRM in Office 2003 there was only one support ticket that required the support team to release an update... The certificate for the keys expired. Oops... We forgot to set a reminder to renew the certificate 10 years later. I'm so glad we have Key Vaults now...
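The tension Kevin describes above, a file format built for random access and variable-size writes versus a cipher that wants fixed, sequential blocks, has a standard shape of answer: split the file into fixed-size sectors and encrypt and authenticate each one independently, so any sector can be read or rewritten without touching the rest. The following is an added illustration of that shape, not Pavel's design and not code from Office or Windows RMS. Its sector size, slot layout, key derivation labels and error names are all assumptions chosen for the example, and the file on disk is simulated by a byte slice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// One fixed-size slot per sector: nonce || length || ciphertext || tag.
// Sector i always sits at offset i*slotSize, so a sector can be read or rewritten
// on its own; an application's variable-size write becomes whole-sector updates.
const (
	SectorSize = 512 // plaintext capacity per sector (assumed; the page gives no real value)
	nonceSize  = aes.BlockSize
	hdrSize    = nonceSize + 4
	tagSize    = sha256.Size
	slotSize   = hdrSize + SectorSize + tagSize
)

var ErrUnwritten = errors.New("sector never written")
var ErrTampered = errors.New("sector authentication failed")

type Store struct {
	encKey, macKey []byte
	disk           []byte // stands in for the file on disk
}

// NewStore derives independent AES-256 and HMAC-SHA256 keys from one master key.
func NewStore(master []byte, sectors int) *Store {
	derive := func(label string) []byte {
		m := hmac.New(sha256.New, master)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return &Store{encKey: derive("enc"), macKey: derive("mac"), disk: make([]byte, sectors*slotSize)}
}

func (s *Store) slot(i int) ([]byte, error) {
	if i < 0 || (i+1)*slotSize > len(s.disk) { return nil, errors.New("sector index out of range") }
	return s.disk[i*slotSize : (i+1)*slotSize], nil
}

// tag binds the sector index to its header and ciphertext, so a slot can be
// neither modified nor copied to another position without detection.
func (s *Store) tag(i int, hdrAndCt []byte) []byte {
	m := hmac.New(sha256.New, s.macKey)
	binary.Write(m, binary.BigEndian, uint64(i))
	m.Write(hdrAndCt)
	return m.Sum(nil)
}

// Write replaces sector i in place under a fresh random nonce, so overwriting a
// sector never reuses CTR keystream even if the file was rolled back meanwhile.
func (s *Store) Write(i int, plain []byte) error {
	slot, err := s.slot(i)
	if err != nil { return err }
	if len(plain) > SectorSize { return errors.New("payload exceeds sector size") }
	if _, err := rand.Read(slot[:nonceSize]); err != nil { return err }
	binary.BigEndian.PutUint32(slot[nonceSize:hdrSize], uint32(len(plain)))
	block, err := aes.NewCipher(s.encKey)
	if err != nil { return err }
	padded := make([]byte, SectorSize) // zero-pad so the ciphertext is always exactly SectorSize
	copy(padded, plain)
	cipher.NewCTR(block, slot[:nonceSize]).XORKeyStream(slot[hdrSize:hdrSize+SectorSize], padded)
	copy(slot[hdrSize+SectorSize:], s.tag(i, slot[:hdrSize+SectorSize]))
	return nil
}

// Read checks the tag before decrypting and returns only the bytes that were written.
func (s *Store) Read(i int) ([]byte, error) {
	slot, err := s.slot(i)
	if err != nil { return nil, err }
	stored := slot[hdrSize+SectorSize:]
	if bytes.Equal(stored, make([]byte, tagSize)) { return nil, ErrUnwritten } // all-zero tag: never written
	if !hmac.Equal(stored, s.tag(i, slot[:hdrSize+SectorSize])) { return nil, ErrTampered }
	n := int(binary.BigEndian.Uint32(slot[nonceSize:hdrSize]))
	if n > SectorSize { return nil, ErrTampered }
	block, err := aes.NewCipher(s.encKey)
	if err != nil { return nil, err }
	out := make([]byte, SectorSize)
	cipher.NewCTR(block, slot[:nonceSize]).XORKeyStream(out, slot[hdrSize:hdrSize+SectorSize])
	return out[:n], nil
}

func main() {
	s := NewStore([]byte("constructed-demo-master-key"), 4)
	_ = s.Write(2, []byte("cell A1 = 42")) // touch only sector 2, nothing else on "disk" changes
	p, err := s.Read(2)
	s.disk[2*slotSize+hdrSize] ^= 1 // corrupt one ciphertext byte of sector 2
	_, err2 := s.Read(2)
	fmt.Printf("%q %v / after corruption: %v\n", p, err, err2)
}
```

The design choice worth noting is that each slot carries its own nonce and tag: the nonce is what lets a sector be rewritten in place without reusing keystream, and the tag (computed over the sector index as well as the data) is what stops a sector being altered or moved to another position in the file. The cost is a fixed per-sector overhead and the need to read-modify-write a whole sector for any partial update, which is exactly the trade-off the original designers had to make palatable for every Office application.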
Kevin, thank you for sharing your memories and calling out other members of the team.
A few years before all of this, Ed Johns worked on Multiplan's import of 1-2-3 files. Lotus had a very simple password-protect ability, which Ed promptly cracked. He suggested a feature, where if you gave Multiplan a protected 1-2-3 file, it'd prompt for the password. If you entered the wrong one, it'd say "no that's not right, try <this one> instead". He then had to explain to ProgMgmt that he was only joking.
On reflection, it seems like there was a lot of over-thinking too. Some desire for a magic technical bulletproof sandbox for private communications. This has me thinking about the confusion of trustworthiness with not having to trust, no trust required. Seems like an over-constrained problem with lots to struggle with in arriving at a mutually understood and understandable conception.
Of course that is easy for me to say. I didn't have to live through that one. Thanks for the account Steven.
As a user, I was dismayed when my licensed Microsoft Music became unusable as Microsoft abandoned that approach and the format, and then lost it all when I needed to upgrade my computer. So now I only purchase MP3s, mostly from Amazon (although they are pushing hard to stream instead now). That Microsoft's (consumer?) attention span falls far short of usage life cycles is now firmly established in my mind. (And I still use Microsoft Money because the alternatives are simply awful. Still run Media Player for that matter. My wife still runs Photo Gallery. That my systems will not run Windows 11 is now something I will have to face. Still on Microsoft 365 Home though.)