Andy Barlow
Phocis Limited
mailto:andy.barlow@phocis.com
A digital commerce revolution is underway, fuelled by the use of the Internet, including intranets and extranets. As this use continues to grow, enterprises are increasing the breadth and depth of their Internet dependencies to encompass all aspects of their business including internal content distribution, external content distribution, retail and service offerings. Around the world, businesses from many arenas are looking to leverage the new business opportunities that the Internet offers and are racing to establish an efficient, cost-effective, quality, reliable, flexible, highly available and secure means of managing and distributing all of their digital content.
This presents many challenges not only for those companies whose content, products and information are already digital, but also for those businesses that wish to repurpose the vast archives of analogue content they own, creating new revenue opportunities and routes to market.
A whole new industry - termed Digital Rights Management (DRM) - has sprung up in the last two years to satisfy the demands for intellectual property protection of digital content.
DRM is a necessary evil: almost no content exists naturally in a DRM-ready format, and it generally has to be converted into proprietary formats in order to protect the publishers' rights, plunging the world into a format war an order of magnitude larger than the original VHS-Betamax skirmish.
It is a matter of fact that no single DRM technology can - or will ever - deliver what the world wants: adequate intellectual property protection of digital content delivered to a device - and in a format - of the consumer's choice. Devices and formats come and go, DRM gets hacked, and consumers just get hacked off: no organisation should want to bet its future on a single DRM technology.
Content owners have to choose and use a combination of incompatible DRM technologies to achieve adequate protection across their digital content portfolio: if it is to deliver on its promises, DRM should rise to the challenge of providing unobtrusive but effective control wherever - and in whatever form - digital content may be published.
DRM should enable the publication of generic digital content in secure form, and pro-actively manage licences controlling the usage of this content in a diverse range of usage scenarios and operating environments.
Currently, the process of deciding whether to grant a customer access to a protected digital product does not take account of licensing rules, because no generic mechanism is available for expressing the terms and conditions of a specific licensing agreement in a digital format. Most licence terms and conditions are still paper-bound and not even represented electronically. Hence, at present either very simplistic rules are applied (for example, "if the customer's credit card clears then unlock the product"), or rules are by-passed altogether and a licence is automatically granted; either scenario is unacceptable to those who place value on IPR.
In the real world, the rules and regulations governing licensing are often highly complex and their terms and conditions simply cannot be enforced by existing technologies. This prevents many publishers of digital information from using the Internet as a market for their products; the main commercial use of the Internet today is for low-value, high-volume consumer products, which represents only about 20% of the potential marketplace for digital content.
DRM must be capable of enforcing real-world licensing models, and should not place any artificial restrictions on the way that publishers choose to license their content; publishers should be able to define the licensing process when they publish their digital content, and must subsequently be able to dynamically update it to incorporate new licensing requirements.
There is a plethora of current and emerging client devices and technologies for which DRM is an important factor in enabling digital content trading (e.g. Windows, Mac, Linux, PalmOS, Epoc32, WAP, etc). For example, in Japan the mobile 'phone has overtaken the PC as the primary mode of access to the Internet; there are now 10m Japanese WAP-based Internet users.
With the shift away from the traditional Windows/PC-based client set to increase over the coming years, DRM must be present wherever - and however - users are accessing content. Each client environment has its own set of hardware / software capabilities and supported data / file formats, thus necessitating a certain degree of platform-specific implementation. DRM must maximise ease of use in each case, providing the user with a secure, unobtrusive yet effective interface to digital content.
DRM infrastructure should maximise the capability for content publishers to adapt to shifts in the client-user environment, readily incorporating new digital content formats and client platforms into their secure digital trading solution.
The DRM platform primarily uses encryption as the underlying mechanism for securing access to digital content. A number of third-party technologies exist which could be utilised, and a combination of factors affects the suitability of each technology for use in a given scenario. These include target client platform, security, licensing and pricing requirements.
DRM should provide publishers with the freedom to choose from a range of encryption technologies to suit their specific requirements for a particular publishing scenario; a single piece of raw digital content could be secured for different client platforms using different encryption technologies, thus providing the most suitable configuration for each client environment. Encryption independence will provide content publishers with the flexibility and platform-coverage they require.
The last thing the world wants is a plethora of competing proprietary DRM technologies that cannot co-exist. In order for DRM to fulfil its promise, consumers must be re-assured that DRM systems are interoperable, and that a licence bought one month using one DRM technology is valid the next month when the publisher changes DRM technology.
A range of mechanisms and protocols can be employed for delivering digital content to end-users; for example, Internet download (via various protocols), CD distribution or direct streaming. In particular, the requirement for wide cross-platform support almost inevitably leads to the necessity of supporting multiple content delivery mechanisms, since not all platforms share the same capabilities. For example, a PC might permit file download via HTTP, whereas a mobile phone might only support WAP and provide no means for persistently storing downloaded content. Indeed, a mobile phone might preclude the possibility of conventional file download, but could potentially accept streamed content.
As broadband access increases, so users will demand greater flexibility of delivery, and streaming may well become the prevalent mechanism, particularly in the music and entertainment industries. DRM must integrate with the range of content delivery mechanisms, protecting publishers' rights and providing a smooth end-user experience.
Typically, DRM solutions focus on protecting just a single format of digital content - most popularly audio and software. If a content publisher wishes to protect more than one content type, several technologies must be used. DRM must be capable of providing a broader solution, simultaneously supporting multiple content formats, thus providing publishers with a unified solution capable of protecting all their content.
Additionally, current protection mechanisms generally require that content be converted from its original format (e.g. MP3 audio) to a proprietary one. Consequently, rendering software applications must have support for this new format implicitly built into their capabilities, requiring intrusive source code changes. Typically the new format may only be supported by a single rendering application.
Pre-packaging content instantly builds in obsolescence and restricts the potential target client domain; for example, wrapping in an Acrobat PDF file currently makes it impossible to deliver to a mobile phone. DRM should package secure distributable content on-the-fly, instantly building a protected package from the original content, the publisher's licensing terms and conditions, and the consumer's individual circumstances so that both content delivery and protection are optimised no matter how or where the content is accessed.
Trust is an essential factor in enabling business in e-Commerce and Enterprise systems. For example, a consumer engaged in an e-Commerce purchase transaction must submit personal details, such as their credit card number, over the Internet; they must be assured that a malicious third party cannot intercept the transaction, and the clearing house must be assured that the clearance request came from a trusted source.
Public Key Infrastructure (PKI) is an important part of the evolving trust domain, and the value of companies such as RSA and Baltimore Technology rests largely upon their support of it. Furthermore, emerging technologies such as smartcards and biometrics are set to play an increasingly important role in the trust domain. DRM should work alongside these technologies, providing content providers and consumers alike with the secure environment they require to maximise the business benefit of digital commerce.
DRM can control access to and use of digital content, primarily via the use of strong third-party encryption. However, there are certain scenarios in which content providers may require an additional level of protection since, once content has been authorised for use, certain scenarios may permit unencrypted copies to be generated (though these may be in an entirely different format). Some of the reasons are due to the content provider wishing to provide additional capabilities to end-users, which require unencrypted copies, while some are due to limitations in the format of the protected content. For example:
Watermarking technologies can alleviate this type of problem; they provide a mechanism for embedding a 'signature' of additional information into the raw digital content itself (prior to protection) in such a way as to be either undetectable or unobtrusive during normal use, but nevertheless provide the content publisher with traceability; for example, printed copies of a PDF document may be overlaid with the ID of the requesting user. DRM should integrate third-party watermarking technologies, providing traceability outside the secure DRM domain.
Many enterprises already have e-Commerce, ERP or Content Management systems; DRM must integrate with existing infrastructure, supporting the effective flow of data between the systems in order to enable rapid publishing of secure content according to the publisher's licensing requirements. Importantly, DRM must not be prescriptive in an enterprise's choice of in-house technology.
DRM should support B2B standards such as ebXML, cXML and Biztalk, and emerging web-services standards such as UDDI and WSDL, so that digital-commerce services can become a natural part of the evolving e-business infrastructure.
DRM must be straightforward to use. From the consumer / end-user side, it must be very easy to get 'up and running' with DRM, and the solution must be as unobtrusive as possible. On the publishing side, while the complexity of the licensing domain and the wide range of services provided by DRM will necessitate a certain degree of complexity, it is important that the user experience is again kept as intuitive and straightforward as possible. Wherever possible, existing thin-client web-based technologies (e.g. HTML/HTTP, WML/WAP) will be employed to minimise the requirement for custom software installations and to provide familiar user interface styles.
Publishers and consumers must be provided with transparency of information, so that for example a publisher can produce weekly sales reports, or a consumer can view their current licence status. Storage and use of information must be in accordance with relevant data protection legislation and/or privacy standards.
Wherever practicable, DRM must be capable of integration with open Internet standards, including those related to digital rights management in all its manifestations (e.g. SOAP, XrML, SDMI, Open e-Book, etc), to facilitate maximum integration and interoperability with third-party systems and DRM technologies.