
Privacy and Digital Rights Management

A position paper for the W3C workshop on Digital Rights Management, January 2001

Poorvi Vora <poorvi_vora@hp.com>,
Dave Reynolds <der@hplb.hpl.hp.com>,
Ian Dickinson <Ian_J_Dickinson@hplb.hpl.hp.com>,
John Erickson <john_erickson@hp.com>,
Dave Banks <dmb@hplb.hpl.hp.com>

Publishing Systems and Solutions Lab.,
Hewlett-Packard Laboratories

1. Introduction

Electronic commerce and the Internet are changing the way information about customers is gathered and used. Information about individuals is collected and sold without their knowledge or consent. The ease of processing, obtaining and transmitting information makes both trading in data and collating information from different sources easier. The ease of breaking into data stores and of wiretapping reduces the security of stored and transmitted information. Transfer of data between jurisdictions with different laws complicates the problem further. The potential of e-commerce in digital assets makes the privacy problem still more acute.

Electronic tracking and user authentication make the gathering of extremely granular, personally identifiable information about digital asset usage a simple task, and increase the legal liability of the data collector. In particular, those who benefit from the collection of this information, as well as those who depend on it to prevent contract circumvention and so to detect fraudulent use of digital assets, are exposed to this liability. It is not necessary to invade consumer privacy to prevent fraud, and, to be successful, DRM systems and frameworks should not assume that it is.

The class action suit against RealNetworks because RealJukebox assigned a unique identifier to each installation, with the corresponding tracking potential, and the tremendous negative publicity Intel received for giving individual Pentium III processors unique serial numbers, are simply the first examples of the impact of privacy concerns. A number of the attempts to break the security of rights enforcement schemes were initiated because of growing public awareness of being `watched' by those schemes. DRM systems, which currently protect only the rights of content providers, also need to protect the rights of consumers, both to reduce exposure to legal liability and to succeed among consumers whose privacy awareness is growing dramatically. The very technology used to protect content provider rights can, and should, be used symmetrically to protect consumer privacy.

Privacy concerns are extremely important for the W3C. P3P is beginning to gain positive publicity, and both major browser manufacturers (Microsoft, Netscape/AOL) have committed to implementing tools for choosing P3P preferences in the next versions of their browsers. A DRM standards effort from the W3C that does not address privacy will have a twofold negative impact: it will handicap the DRM standard itself, and it will dilute the credibility of P3P. On the other hand, including privacy in a DRM effort will strengthen the case for both P3P and the DRM standard.

Current rights management systems focus on the rights of the content provider. Privacy protection schemes exist that would enable the protection of consumer rights while also protecting content provider rights. We propose that the W3C provide a rights management framework that includes the consumer as a first-class participant; the details of what this means follow. Section 2 of this paper addresses specific privacy infringement possibilities in DRM systems and ways of addressing these concerns, in particular by treating the consumer as a first-class participant in the system. Section 3 briefly mentions existing privacy technologies that address some of the privacy issues mentioned in section 2, and section 4 describes a couple of example outcomes of a W3C DRM standard that would address privacy.

2. Privacy infringement and consumer as first-class participant

There are two essential steps in current rights management systems that violate the privacy of the consumer or, in business-to-business (b2b) situations, of the commercial buyer. The first is the consumer/buyer authentication step. This step establishes who the buyer is and also establishes a unique identifier for the buyer. The unique identifier can thereafter be used to collate information about the buyer obtained from the current transaction with all kinds of other information divulged by the buyer under the same identifier. The very requirement of this step rules out anonymous browsing. The second step that violates privacy is the tracking step. The amount and quality of tracking information that can be generated for digital media differ by many orders of magnitude from what can be generated for physical media, and the information can be very granular and accurate. A usage log for a single user can itself be a fairly valuable digital asset, often more valuable than the asset whose use it logs.

The justification provided for user authentication and tracking is that they form the fraud prevention mechanism of current rights management systems: if a user identifies herself and agrees to a contract, she can later be sued if tracking indicates that she has violated the contract. While this is true, it is not the only way in which fraud can be prevented, and fraud need not be highly prevalent in systems with more privacy. The literature on electronic cash is rife with ways of preventing fraud while retaining anonymity; for a good overview, see [Brands].

There is no doubt that both user identification and the generation of user profiles can provide tremendous value, beyond fraud prevention, to both the consumer and the content provider. For example, detailed usage information is needed in pay-per-view business models. Usage information can be fed back into pricing models and used for highly directed marketing as well as for efficient classification and the associated search and retrieval, providing dramatic benefits to both the consumers and the sellers of media assets and associated services. Tracking of digital media is also useful in a closed digital media publishing system (such as a commercial printing workflow) where the players may be assumed to be trusted and payments are made according to how much each individual asset is used. In highly trusted, closed systems, this might be the only expression of rights management. The value of tracking and user identification is considerably diluted, however, when the consumer is not allowed to participate in determining the degree of tracking, and is not allowed to control the degree of anonymity the system offers. While we do not propose that the consumer alone determine these, they should not be set solely by the needs of the content provider, as they are today.

The focus of DRM systems needs to change to include the consumer as a first-class participant. This implies the following:

3. Existing (relevant) privacy protection technology

Anonymity may be thought of as protection of the unique identifier associated with a user. Different degrees of anonymity are required for different applications, and by different users. It is important to allow varying degrees of anonymity. Example existing schemes are:

3.1 Trusted Third Party:

This kind of anonymity implies the use of a trusted screening party as a mediator. The trusted party strips information passing through it of any identifiers that outsiders could use. It is not very strong anonymity, because all the information is indeed available to the third party. The third party may encrypt the information with the user's public key so that only the user can access it thereafter, thus preventing even the third party itself from accessing the data. Even so, the third party knows that information was generated, when, and between which two parties. This kind of anonymity is broken if the third party reneges on the understanding that the information it holds is private and shares or sells the unencrypted information.

3.2 Persona/Nyms:

This kind of anonymity is slightly stronger than screening and can be used in combination with it. It prevents a privacy violation by not allowing data from different sources or sessions to be composed into a composite personality. A user maintains a number of keys instead of a single key and uses different keys for different transactions, merchants or sessions. There is no single unique identifier associated with the user. Hence, for example, the user's profile with amazon.com cannot be merged with his profile at hp.com, preventing complete identities from being built up by collaboration among merchants. At the same time, this scheme allows the user to maintain a profile with an individual merchant; the profile itself can be very beneficial to the user because it helps generate targeted marketing that is consonant with the user's tastes.
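The following is an added example, not code from this paper or from HP Labs. It models the persona/nym scheme above in the simplest form that runs offline with the Python standard library: every per-merchant identifier and authentication key is derived from one master secret with HMAC-SHA256, so a returning user is recognised by the merchant that registered the nym, while two merchants that pool their customer identifiers find nothing to join on. The symmetric challenge-response login stands in for the per-merchant public keys the paper has in mind (Brands-style credentials are out of scope here); the merchant names, purchases and master secret are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added example: per-merchant pseudonyms ("nyms") derived from one master secret.
# Not code from the position paper. HMAC-SHA256 stands in for the per-merchant
# public keys the paper describes; merchant names, items and the master secret
# below are constructed for the demonstration.


def derive_nym(master_secret: bytes, merchant: str) -> tuple[str, bytes]:
    """Derive (nym_id, auth_key) for one merchant from the user's master secret.

    nym_id is the pseudonym the merchant files the profile under; auth_key is
    what the user later proves possession of. Both are HMAC outputs keyed by
    the master secret, so merchants comparing their nym_ids learn nothing that
    lets them link two nyms or compute the user's nym at a third merchant.
    """
    prk = hmac.new(master_secret, b"nym-v1|" + merchant.encode(), hashlib.sha256).digest()
    nym_id = hmac.new(prk, b"id", hashlib.sha256).hexdigest()[:32]
    auth_key = hmac.new(prk, b"auth", hashlib.sha256).digest()
    return nym_id, auth_key


def respond(auth_key: bytes, challenge: bytes) -> bytes:
    """User side of the challenge-response login with one merchant."""
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()


class Merchant:
    """A merchant that keeps per-nym profiles and authenticates returning nyms."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.auth_keys: dict[str, bytes] = {}     # nym_id -> registered auth key
        self.profiles: dict[str, list[str]] = {}  # nym_id -> purchase history

    def register(self, nym_id: str, auth_key: bytes) -> None:
        # First contact: the merchant learns only the pseudonym and its key.
        self.auth_keys[nym_id] = auth_key
        self.profiles.setdefault(nym_id, [])

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login(self, nym_id: str, challenge: bytes, response: bytes) -> bool:
        key = self.auth_keys.get(nym_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def record(self, nym_id: str, item: str) -> None:
        self.profiles.setdefault(nym_id, []).append(item)


def colluding_overlap(a: Merchant, b: Merchant) -> set[str]:
    """What two merchants can link by intersecting their customer identifiers."""
    return set(a.profiles) & set(b.profiles)


def shop(master_secret: bytes, merchant: Merchant, item: str) -> bool:
    """One session: derive the nym, register if new, authenticate, then buy."""
    nym_id, auth_key = derive_nym(master_secret, merchant.name)
    if nym_id not in merchant.auth_keys:
        merchant.register(nym_id, auth_key)
    chal = merchant.challenge()
    if not merchant.login(nym_id, chal, respond(auth_key, chal)):
        return False
    merchant.record(nym_id, item)
    return True


def demo() -> dict[str, object]:
    """Run one user against two merchants and report what each side can see."""
    # Constructed master secret; a real client would generate it with
    # secrets.token_bytes(32) and keep it on the user's device.
    alice = bytes.fromhex("00" * 31 + "01")
    amazon, hp = Merchant("amazon.com"), Merchant("hp.com")
    ok = all([
        shop(alice, amazon, "book"),
        shop(alice, amazon, "dvd"),   # returning customer: same nym, profile grows
        shop(alice, hp, "printer"),
    ])
    nym_amazon, _ = derive_nym(alice, "amazon.com")
    nym_hp, _ = derive_nym(alice, "hp.com")
    return {
        "all_sessions_ok": ok,
        "profile_at_amazon": amazon.profiles[nym_amazon],
        "profile_at_hp": hp.profiles[nym_hp],
        "nyms_differ": nym_amazon != nym_hp,
        "linkable_by_collusion": colluding_overlap(amazon, hp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner should keep in view. First, unlinkable identifiers only defeat collation by identifier; the merchant still sees whatever else the session carries (network address, payment instrument, shipping address), so the scheme is best combined with the screening party of section 3.1. Second, because the login here is symmetric, each merchant stores that nym's authentication key, so a breach at one merchant lets an attacker impersonate the user there, but not at any other merchant and not recover the master secret.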

3.3 Strong Anonymity outside the existing Public Key Infrastructure (PKI):

Stefan Brands of Zero-Knowledge Systems has developed a number of schemes that provide remarkably strong anonymity while helping to prevent fraud. A very good review of these and other schemes may be found in [Brands].

In addition to anonymity technologies of various degrees, the asset viewer can make usage information available at different levels of granularity.

4. Example outcomes of the workshop

To illustrate the use of the ideas discussed earlier in the paper, we present a couple of example outcomes.

4.1 A basic framework that consists of:

4.2 A fulfillment protocol including:


[Brands] Stefan Brands, Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy, MIT Press, August 2000.