Source: FileOpen

Standards and Interoperability

After a five-year-long debate on its approval, the World Wide Web Consortium
(W3C) passed a new DRM-related standard in July 2017. Called Encrypted Media
Extensions (EME) – and designed by software engineers from Google, Microsoft,
and Netflix – it allows DRM systems to hook directly into users’ browsers
without the use of plugins.

EME’s primary benefit is in its anti-piracy features, preventing copyright
infringement by eliminating theft of content from high-quality streams. It is
also touted as providing greater interoperability and improved online privacy.

However, not unexpectedly, the standard has its critics and objections.
Formal objections received by the W3C include:

• It does not provide adequate
  protection for users
• It will be hard to include in
  free software
• It doesn’t legally protect
  security researchers

Perhaps its most vocal critic is the Electronic Frontier Foundation (EFF), long an
opponent of DRM. Its main complaint about EME is that it gives too much power to
browser developers and content providers, and no protection to security
researchers. Other complaints include a lack of standardization for decryption,
meaning that companies developing browsers may have to license decryption
components.

Proponents and Opponents

DRM fans claim that it is necessary to prevent the
copying of intellectual property,
frequently employing the metaphor of using physical locks to prevent the
theft of personal property. Proponents further argue that DRM helps copyright
holders maintain artistic
control.

However,
many opponents to DRM contend there is no evidence that DRM helps prevent
copyright infringement, claiming that it serves only to inconvenience legitimate
customers. A frequent argument holds that DRM helps big
business stifle innovation and
competition. Furthermore, DRM
can also restrict users from exercising their legal
rights under copyright law, such
as backing up copies of CDs or DVDs, lending materials out through a library,
accessing works in the public domain, or using copyrighted materials for
research and education under the US fair
use law.

The
two most vocal DRM opponents are the aforementioned EFF and
the Free Software Foundation (FSF).

EFF

Founded in 1990, the EFF is a donor-funded nonprofit
organization with the "aim to improve the rights of free
expression, security, and privacy on the internet." Its current
projects include Bloggers’ Rights, Coders’ Rights, and even the rights of
those who purchase digital books. EFF’s concerns
for citizens privacy, freedom of expression, and fair use rights is well
founded: corporate zeal in developing DRM technologies frequently impact
consumers who fall into the category of "pirate," in spite of their
lack of such intentions.

DRM remains a problem in the area of ebooks. For example, some models of Amazon’s Kindle
e-reader device have DRM software built in that limit users to
"lending" an ebook only one time. Other restrictions include
the ability to re-sell or donate ebooks or even to move them to a new
device without the need to re-purchase them. These facts are viewed by
consumer rights organizations as unfair. The EFF is also concerned with
its tracking capabilities, allowing Amazon, for example, to track the
books purchased by users. Privacy is an important topic to the EFF, as
well as to other organizations.

The EFF had its first brush with DRM in May 2013, when the EFF
announced its formal objection to the inclusion of DRM in the first public
working draft of the HTML5 standard from the HTML working group of the
World Wide Web Consortium (W3C). The EFF became a full member in the W3C
in order to challenge DRM inclusion, stemming from the proposed Encrypted
Media Extensions (EME) document, which, according to the EFF, "only
exists to hard-wire the requirements of DRM vendors onto the emerging Web
standard."

In August 2016, EFF and a coalition of consumer groups, content creators, and
publishers asked the Federal Trade Commission (FTC) to require online retailers
to label the ebooks, songs, games, and apps that come with digital locks
restricting how consumers can use them. The coalition – which includes the
Consumer Federation of America, Public Knowledge, the Free Software Foundation,
McSweeney’s, and No Starch Press – said companies like Amazon, Google, and
Apple have a duty to inform consumers if products for sale are locked with DRM,
since DRM locks "can also block
you from watching the movie you bought in New York when you go to Asia on
vacation, or limit which devices can play the songs you purchased."

FSF

The
Free Software Foundation (FSF) is a nonprofit whose mission is "to promote
computer user freedom and to defend the rights of all free software users."
The foundation defines DRM as "Digital Restrictions Management," and
claims it "robs
us of control over the technology we use and the culture we live in."

FSF
has as a subset another foundation called Defective by Design. Its goal is
"to eliminate DRM as a threat to innovation in media, the privacy of
readers, and freedom for computer users."

According to the organization’s Web site, "DRM
restricts entirely different activities than copyright does, and serves an
entirely separate function. While Copyright restricts who can distribute media,
DRM restricts how users can access their media. Copyright already provides
leverage against illegal distribution, meaning that the largest distribution
platforms must already adhere to the demands of large publishers, studios, music
labels, and software companies. DRM provides "anti features" (features that exist
only to worsen the service for users) and charges for their removal. This gives
major media and technology companies much broader control over the use of media
than is enabled by copyright law, while copyright allows them to force all legal
media distribution services to use DRM."

American Library Association

The American Library Association (ALA) has
also stated its concerns for libraries and DRM. According to its
statement, "The purpose of DRM technology is to control access to,
track and limit uses of digital works. These controls are normally imbedded in the work and accompany it when it is
distributed to the consumer. DRM systems are intended to operate after a user has obtained access to
the work. It is in this ‘downstream’ control over
consumer use of legitimately acquired works that DRM presents
serious issues for libraries and users."

Gaming

In
May 2013 Microsoft revealed its Xbox One console, explaining that all Xbox One
games would need to be fully installed onto systems before play and that
each copy would then be watermarked to its owner. That translated to the
control by Microsoft of any attempt to re-sell or even give away the
boxed copy of the game. This resulted in a huge backlash against
Microsoft by the gaming community.

A
month later, Microsoft relented, claiming it had listened to
"candid feedback" from gamers. Upon release of the new console
in November 2013, restrictions on sales of pre-owned titles – and sharing
of games among friends – were canceled. In addition to removing limits on gifting, re-selling, sharing, or renting Xbox One game
titles, Microsoft also removed regional
locks on Xbox One games, which means titles bought in one global
territory will work in all others. Another change was the removal of a
requirement to
authenticate the system online every 24 hours, thought
to have been introduced as a DRM measure.

Legal Issues

The biggest legal issue surrounding DRM was in 2012, when the

US Department of
Justice (DOJ) filed a lawsuit against Apple – and five other publishers it accused of
colluding with Apple – over a scheme to fix ebook prices. The suit is said
to have stemmed from publishers’ dissatisfaction with Amazon’s Kindle ebook
pricing, which, at $9.99, was sometimes below cost; upon the iPad’s
2010 release, Apple and the five publishers (Simon & Schuster,
HarperCollins, Hachette Book Group, Penguin, and Macmillan) signed an
agreement to release books on the iBookstore for about $12.99 and giving
Apple 30 percent of proceeds. This resulted in Amazon allowing publishers
to set their own prices for Kindle ebooks.

The lawsuit accused the publishers of colluding with Apple to raise ebook prices. As the head of the DOJ’s antitrust division explained,
"Let me be clear: When companies enter agreements that prevent price
competition, that is illegal." Very quickly, three of the publishing
defendants – Hachette, HarperCollins, and Simon & Schuster – settled
with the DOJ; publishers Penguin and MacMillan settled later, in December
2012 and February 2013, respectively. That left only Apple, which was found
guilty of fixing ebook prices in July 2013. Apple is still in the process of
appealing the decision.

So what does all of this have to do with DRM? It resulted in a great
deal of speculation about whether this suit might encourage publishers to
ease their DRM requirements, giving individual publishers more flexibility
with their own content while letting consumers access device-independent
content. In fact, many publishers are said to be actually considering
removing DRM.

The DOJ lawsuit is not the only legal issue concerning DRM. Some legal experts feel that DRM systems (in general) have failed to meet the
challenge of protecting the rights of the copyright owner while also respecting
the rights of the purchaser of a copy. It is a good idea to understand
that different rules and rights attach to different categories of copyright
material.

Lexmark and The Chamberlain Group (a maker of garage door openers) used
the Digital Millennium Copyright Act (DMCA) to sue to prevent the sale of
compatible third-party products. The plaintiffs claimed that by bypassing
measures they’ve taken to prevent the creation of compatible products,
competitors have violated the DMCA.
(The Digital Millennium Copyright Act (DMCA) is a United States
copyright law which criminalizes production and dissemination of
technology, devices, or services that are used to circumvent measures
that control access to copyrighted works.It also heightens the
penalties for copyright infringement on the Internet. Passed on October
12, 1998 by a unanimous vote in the United States Senate and signed
into law by President Bill Clinton on October 28, 1998, the DMCA
amended title 17 of the US Code to extend the reach of copyright,
while limiting the liability of Online Providers from copyright
infringement by their users.)

In May 2015, the EFF testified at hearings on exemptions to Section 1201
of the Digital Millennium Copyright Act (DMCA). Congress allows the public
to petition the Copyright Office and Librarian of Congress – a long,
complex process that happens every three years – for exemptions to the 1201
clause. The EFF’s focus was on:

• Conducting security and safety research and performing repairs and
  customization on vehicles, where access to onboard computers is
  typically restricted.
• Creating fair use remixes of videos from locked sources, including
  DVDs and Blu-ray discs, as well as from online streaming sites.
• Jailbreaking phones and tablets to run operating systems and
  applications not specifically authorized by the manufacturer.
• Modifying older video games that require a centralized
  authentication or matchmaking server, after that server has been taken
  offline.

Continuing its efforts, the EFF sued the U.S. government in July 2016
"on behalf of technology creators and researchers" to overturn those
copyright law provisions "that violate the First Amendment."
Specifically, the EFF is challenging provisions contained in Section 1201 of the
the
Digital Millennium Copyright Act (DMCA that
"make it unlawful for people to get around the software that restricts
access to lawfully-purchased copyrighted material, such as films, songs, and the
computer code that controls vehicles, devices, and appliances. This ban applies
even where people want to make noninfringing [sic] fair uses of the materials
they are accessing."

The DMCA has made it illegal to reverse-engineer and distribute software that
exists solely for breaking copyright protection. In addition, the Electronic
Signatures Act has made electronic signatures legally binding. Furthermore,
recent federal legislation mandates access protection and audit trails for
electronically distributed information, especially when it relates to healthcare
and financial information, and makes it possible to fine physicians for
accidental disclosures that occur during transfers of patient records that they
have ordered.

Copyright enforcement must always be balanced with fair use. Fair use
allows copying and reuse of copyrighted works in limited circumstances: when the
use is noncommercial, when the work is factual rather than creative, when the
copied portion is not a substantial part of the work, and when the use will not
have a large effect upon the potential market for or value of the copyrighted
work.

Fair use complicates DRM. For example, fair use allows consumers to make
personal copies of purchased music to be played in the car or on the computer.
The challenge for the DRM system is to know when copying is allowed and when it
is not. Some systems resolve this by allowing copies of the original but not
copies of copies. Other systems allow a limited number of copies but no more.

Privacy

When choosing a DRM system, organizations should be sensitive to privacy issues
that may alienate its customers, partners, and others who will interact with the
system. The Electronic Privacy Information Center (EPIC) says that many DRM
technologies have little regard for privacy protection, requiring the user to
reveal his or her identity and preventing anonymous consumption of content.
Customs and laws that protect one’s privacy when renting videos or borrowing
books from the library do not exist in the electronic markets for music, books,
and other content. In fact, one of the selling points for DRM is its support for
collecting and profiting from information about the identities and usage
patterns of consumers. EPIC contends that DRM can be accomplished without
invasion of privacy but that those methods have not been investigated
thoroughly. Fears of invasion of privacy may slow acceptance of DRM and force
developers to investigate less invasive means of protecting and managing content
rights.

Other critics of the technology, including the Free Software Foundation, have
suggested that the use of the word "rights" is misleading and suggest that
people instead use the term Digital Restrictions Management. The position put
forth is that copyright holders are attempting to restrict use of copyrighted
material in ways already granted by statutory or common law applying to
copyright. Others, such as the Electronic Frontier Foundation, consider some DRM
schemes to be anti-competitive.

Ease of Use

Ideally, DRM should be transparent to the end user in normal use, becoming
visible only when there is a violation or a need to obtain a license. Especially
for e-commerce, the end-user experience should be hassle-free to avoid
alienating potential customers and losing them to a more convenient site or
system. It is important to balance content protection with usability. On the
other hand, the more valuable the content, the more hoops the user will be
willing to jump through to get it. The content simply has to be worth the
trouble and expense to the user. It will also be easier for an enterprise that
wants to protect confidential information to obtain compliance from its
employees if the DRM system is not too cumbersome.

When evaluating the usability of a DRM system, a company should ensure the
following:

• Users can use standard, familiar applications rather than a proprietary
  viewer.
• Know how many extra steps users must take to access or view protected
  content.

Is the content portable or tied to the original machine to which it was
downloaded?

Implementation Options

DRM functionality is available as a software platform, a hosted service, or a vertically focused
application that includes DRM capabilities.

A company can retain greater control by implementing and maintaining its own
DRM software. But if it does not have the skills and resources to manage,
maintain, and integrate the DRM system, it may prefer to outsource the DRM
function to a hosted service. A hosted service may be appropriate for a smaller
organization that lacks the economy of scale that would reduce the total cost of
ownership (TCO) of a DRM system. One prominent example of a hosted software licensing service is the Nalpeiron Licensing
Service (NLS). NLS enables clients to control, market, measure, and
manage their applications – from trial to end of life. 

Security

Algorithm. One way to determine security is by
identifying whether content has been modified. Some DRM systems accomplish
this by running a mathematical algorithm, creating a numeric value which
is unique to that content. Users can choose to run this algorithm at
frequent time intervals, comparing the latest result with the previous
one. As long as the results match, the document has not been modified and
has come from the authorized source.

Encryption. A DRM content package is an encrypted file containing content
and metadata about the content. Encryption protects content by requiring the
exchange of keys for decrypting content, licenses, or digital certificates.

Encryption works best when the sender and the receiver both trust each other,
but are worried about theft or tampering in transit. With easily redistributed
digital content, however, many content owners do not trust the consumers of
their products to respect their copyrights or confidentiality, so encryption
alone is not enough.

Still, encryption is a necessary component of DRM, and a company should
ensure that its DRM system uses strong encryption algorithms such as Advanced
Encryption Standards (AES) and Rivest Shamir Adleman (RSA) encryption, and that
the encryption algorithms can be upgraded and replaced if they are defeated. It
should also make sure that there are secure methods for managing, distributing,
authenticating, revoking, and renewing encryption keys.

End-to-End Security. For DRM to be effective, content must be securely
managed through its entire lifecycle, at each step from creation to whatever the
consumer does with it. Such end-to-end security is dependent on standards and
interoperability, and on the cooperation of all parties in the chain including
content creation, aggregation, distribution, retail, and fulfillment.

The best DRM solutions decrypt content at the last possible moment before
rendering it, to decrease the chance that a user could gain unauthorized access
to the decrypted version of a file.

In addition, a DRM system that allows fine-grained control over users’ access
to content – such as access that is limited to a certain time period, a certain
number of uses, or certain pages within a document – will offer higher security
because users will not be given any more access than is necessary.

Viability and Stability of Vendor

In an industry as young and volatile as the DRM industry, which has seen a
high number of vendors merge or go out of business in the last few years, it
is difficult to be sure of a vendor’s long-term stability. A vendor’s good
management and longevity, however, will be important for ensuring the
availability of ongoing technical support. If possible, it is best to choose a
vendor whose product has been on the market long enough for other companies to
be using it and to look into how the other companies’ experiences have been with
the product. An extensive patent portfolio can also show both a vendor’s ability
to innovate and the approval of a third-party government agency.

A company can further protect itself by choosing a DRM system that stores
data and rights in a standards format, so that the data will be more likely to
be compatible with a new system in case the original vendor ceases operations.

Outlook

[return to top of this report]

In July 2010, a New Orleans
circuit judge issued a ruling that could set a legal precedent that allows bypassing digital rights
management (DRM) for fair use purposes. He found that
General Electric had not violated the Digital Millennium Copyright Act
by using hacked security dongles to repair uninterruptible power supplies
from MGE UPS Systems – because the goal itself was legal. While a jury fined GE
$4.6 million for breaking copyright and misusing trade secrets, the judge
ruled that DMCA had not been broken, as using hacked items by
itself did not constitute violating protection at the same time.

"Merely
bypassing a technological protection that restricts a user from viewing or
using a work is insufficient to trigger the DMCA’s anti-circumvention
provision," he said. "’Without showing a link between access
and protection of the copyrighted work, the DMCA’s anti-circumvention
provision does not apply." 

The decision could impact the media industry as it may allow breaking DRM
for music, movies, and other formats as long as the material isn’t pirated.
The MPAA and RIAA together have insisted that any violation is piracy. Puncturing
the protection of the Digital Millennium Copyright Act may lead to a more
limited assertion of digital rights and require DRM software providers to
accordingly modify their software.

Another
consideration is that buying
rights-managed content means that the buyers now must depend on a specific
vendor’s future. For example, Microsoft announced in 2019 that it was
shuttering its ebook store – two years after it first opened. For those who
purchased reading material through Microsoft, they are now out of luck as the
vendor erased all ebooks and closed its servers where the ebooks resided.
Microsoft’s DRM can be thanked for this. However, readers were automatically
refunded for any ebooks purchased through Microsoft.

Recommendations

[return to top of this report]

DRM software is recommended for companies that produce and distribute digital
content, as well as enterprises and institutions that need to protect and
control confidential information. A variety of options exist, including software
platforms, hosted services, or vertically focused applications that include DRM
capabilities.

A company choosing a DRM system should look for the following features:

• Transparency to the end user in normal use, becoming visible only when
  there is a violation or a need to obtain a license.
• Compliance with industry standards such as eXtensible Rights Markup
  Language (XrML) and Digital Object Identifier (DOI).
• Support for multiple content types, file formats, devices, and operating
  systems, as required in the company’s situation.
• Open architecture and APIs that help it integrate with a company’s
  existing systems, such as content production, editorial, asset management,
  sales, marketing, and finance systems.
• End-to-end security processes such as decrypting at the last moment before
  rendering to the screen.
• Distributed architecture that stores content separately from rights to
  enable roaming, portability, super distribution, and persistent, revocable
  control at the point of consumption.
• Support for a wide variety of business models, such as trial access,
  pay-per-view, and subscriptions. Even companies that do not sell content may
  want to use the information barter model to obtain information from their
  customers.
• Context management to help understand and track the users’ preferences and
  buying habits, and to provide valuable information for targeted
  marketing.
• A stable vendor whose product has been on the market long enough to have a
  track record with other companies.

Security issues, fair use issues, and issues of creative expression are all
at the forefront of the ongoing DRM battle. The success of DRM will likely
depend on a number of factors including its role in providing a balance between
protection of rights holders interests and those of users and consumers who wish
to use and access materials.

Web Links

[return to top of this report]

• Amazon: https://www.amazon.com/ 
  American Library Association: http://www.ala.org/
• Apple: https://www.apple.com/ 
  Defective by Design: https://www.defectivebydesign.org/
• Digimarc: https://www.digimarc.com/
• Electronic Frontier Foundation: https://www.eff.org/
• Electronic Privacy Information Center (EPIC): https://www.epic.org/
• Free Software Foundation: https://www.fsf.org/
• Google: https://www.google.com/ 
  Microsoft: https://www.microsoft.com/ 
  Nalpeiron: https://www.nalpeiron.com/
• Netflix: https://www.netflix.com/ 
  US Department of Justice: https://www.justice.gov/
• World Wide Web Consortium: https://www.w3.org

[return to top of this report]