Digital Rights Management Software
Copyright 2019, Faulkner Information Services. All Rights Reserved.
Docid: 00018541
Publication Date: 1909
Publication Type: TUTORIAL
Preview
Digital Rights Management (DRM) is access control software used to impose
limitations on the usage of digital content. The security of proprietary and
sensitive data is increasingly threatened by the ease with which digital information can be redistributed via the
Internet, resulting in the rise of DRM systems. Although DRM systems have achieved a certain degree of maturity, the legal framework surrounding these systems remains in flux and continues to be a thorny
issue, with a counter-industry protesting and even demanding its
elimination. This report discusses DRM software’s origins and current usage.
Executive Summary
Because digital content is easy and inexpensive to duplicate with no loss of quality,
the Internet has provided a powerful and inexpensive means to widely distribute
it. DRM software was initially developed to combat digital piracy and copyright
infringement, chiefly in the entertainment field. DRM, however, is not just for
entertainment companies as digital content also includes research reports,
confidential enterprise information, and email communications. In other words,
any information represented in digital form is vulnerable and can benefit from
DRM software. It is not just a new way to protect copyrights but also a means to
reach new markets and offer new benefits to both consumers and providers.
DRM software’s purpose is to prevent illegal
distribution of paid content over the Internet. DRM products were
developed in response to the rapid increase in online piracy of
commercially marketed material, which proliferated through the
widespread use of peer-to-peer file exchange programs. Although online
content is protected by copyright laws, policing the
Web and catching law-breakers is very difficult. DRM technology focuses
on making it impossible to steal Web content in the first place, a much
surer approach to the problem than the hit-and-miss strategies aimed at
apprehending online poachers after the fact.
DRM software is available as a software platform, a hosted service, or a
vertically focused application that includes DRM capabilities.
Description
DRM is the trusted exchange of digital information over the intranet,
extranet, or Internet. DRM controls users’ rights once they have a file, as
users are granted only the privileges the media sender allows.
A DRM system allows an organization to define the rights and policies that will
govern the content it wants to protect. An organization can specify usage rights for
each file, category, or content set, including time-limited and concurrent usage
restrictions that enable commercial usage models such as preview and
pay-per-view.
A rights model is a specification of who can do what with a file.
Rights include permissions, constraints, and obligations between the user and
the content, such as information on price, allowed duration of access, number of
allowed accesses, type and number of allowed renderings (save, copy, store on
CD, print), and whether forwarding or transferring to other users or devices is
allowed. This is where DRM technology attempts to strike the necessary balance
In a distributed DRM system, these rights are stored separately from the
content on network-hosted rights servers that are owned and operated by
an organization. While sealed content is distributed to the end user, the
rights to that content remain stored in personal, password-protected accounts
on the organization’s license server. User rights can be modified or revoked
even after the content has been downloaded and accessed. It is also easy to
recover rights after an end-user device fails or a password is lost, and
roaming access allows the end user to access content from any device.
Licenses are tied to the metadata that is sealed with the content rather than
specific files, so a single license can apply to multiple files, media
formats, and devices.
A protected file is useless on its own, without a license for decrypting it.
Its security is not dependent on any storage or distribution mechanism, so it
can be freely distributed and copied across the Internet via an e-mail
attachment, or posting on a web server or delivered on CD-ROM. Users who try to
access the file will be sent to a Web page where they can obtain a
license.
Watermarking
Watermarking (also known as digital watermarking) is a pattern of bits inserted into
a digital file that is designed to identify that file’s copyright
information (author, rights, etc.). The name, watermarking, comes from
the faintly visible watermarks imprinted on stationery that identify
the manufacturer of the stationery.
Unlike printed watermarks, which are intended to be somewhat visible,
digital watermarks are designed to be completely invisible, or in the
case of audio clips, inaudible. Moreover, the actual bits representing
the watermark must be scattered throughout the file in such a way that
they cannot be identified and manipulated. And finally, the digital
watermark must be robust enough so that it can withstand normal changes
to the file, such as reductions from lossy compression algorithms.
A digital watermark is applied by passing a content file through a
programmatic filter that embeds the watermark information into the file. The watermark does not affect the
usability of the content and is invisible (or inaudible, in the case of an audio
file) in normal use. Watermarks contain information about the content that can
help companies deter piracy, detect unauthorized copies or alterations of data,
and covertly track counterfeits. The metadata stays with the content through most analog conversions.
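
The embedding filter and the alteration check described above, as an added example that is not part of the original report and is not any vendor's algorithm. It assumes 8-bit samples, least-significant-bit embedding at key-scattered positions, and constructed values for the cover data, key, and owner id.

```python
import hashlib
import hmac
import random
from typing import Optional

TAG_LEN = 8  # bytes of HMAC tag carried inside the watermark


def positions(key: bytes, n_samples: int, n_bits: int) -> list:
    """Key-dependent scatter of embedding positions across the file.
    random.Random is a stand-in here for a keyed cryptographic generator."""
    if n_bits > n_samples:
        raise ValueError("cover too small for this payload")
    seed = int.from_bytes(hashlib.sha256(b"positions" + key).digest(), "big")
    return random.Random(seed).sample(range(n_samples), n_bits)


def content_tag(samples: bytes, owner_id: bytes, key: bytes) -> bytes:
    """MAC over the 7 high bits of every sample plus the owner id."""
    carrier = bytes(s & 0xFE for s in samples)
    return hmac.new(key, carrier + owner_id, hashlib.sha256).digest()[:TAG_LEN]


def embed(samples: bytes, owner_id: bytes, key: bytes) -> bytes:
    """The 'programmatic filter': returns a marked copy of the samples."""
    payload = owner_id + content_tag(samples, owner_id, key)
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    marked = bytearray(samples)
    for pos, bit in zip(positions(key, len(samples), len(bits)), bits):
        marked[pos] = (marked[pos] & 0xFE) | bit  # changes a sample by at most 1
    return bytes(marked)


def extract(samples: bytes, n_bytes: int, key: bytes) -> bytes:
    """Read the payload bits back from the key-selected positions."""
    bits = [samples[p] & 1 for p in positions(key, len(samples), n_bytes * 8)]
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
        for j in range(0, len(bits), 8)
    )


def verify(samples: bytes, id_len: int, key: bytes) -> Optional[bytes]:
    """Return the owner id if the watermark is present and the high bits of
    the content are unaltered; otherwise return None."""
    payload = extract(samples, id_len + TAG_LEN, key)
    owner_id, tag = payload[:id_len], payload[id_len:]
    expected = content_tag(samples, owner_id, key)
    return owner_id if hmac.compare_digest(tag, expected) else None


# Constructed sample input: 4096 synthetic 8-bit samples standing in for media.
COVER = bytes((i * 37 + (i >> 3)) % 256 for i in range(4096))
KEY = b"constructed-demo-key"
OWNER = b"LIC-00042"

if __name__ == "__main__":
    marked = embed(COVER, OWNER, KEY)
    print("max change per sample:", max(abs(a - b) for a, b in zip(COVER, marked)))
    print("verified owner:", verify(marked, len(OWNER), KEY))
    altered = bytearray(marked)
    altered[100] ^= 0x40  # simulate an edit to the content
    print("after alteration:", verify(bytes(altered), len(OWNER), KEY))
```

Least-significant-bit embedding keeps the example short but does not meet the robustness requirement stated above; it is the fragile kind of watermark, suited to detecting alteration rather than surviving compression.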
Digital watermarking provider Digimarc’s security-class digital watermarking includes cryptography,
encryption, and anti-hacking features. It can differentiate copies from
originals, control the behavior of machines and equipment, contribute to
authentication, detect alteration, and uniquely identify data for tracking.
Digimarc’s tracking system searches the Internet to discover copyright and
license infringements, then reports where the unauthorized copies were found to
make it easier to take action against them. Watermarks can be encrypted to
prevent the metadata in them from being altered, and files can be both encrypted
and watermarked.
Digital watermarking was first used to keep tabs on media such as digital
images, but then the technology was applied to different identification
schemes, including driver licenses and government-issued IDs.
When it comes down to it, digital watermarks can help authenticate almost
anything. They can be used to authenticate most types of identification
documents, as well as almost all forms of content. The key value of
digital watermarking is that organizations can consistently
identify content.
Distribution
In distributed DRM, content files carry their own security with them wherever
they go and however they are delivered. It is not necessary to control access to
the encrypted files, which can be distributed by any means, including Internet
downloads, e-mail attachments, and physical media (CD-ROM, DVD, and Flash
memory).
Such systems can be configured for various distribution scenarios. For
example, songs downloaded from a music service may only be played as long as the
user maintains a subscription. Titles can be configured to expire after they
have been played some number of times or on a particular date. In the music
world, a DRM system provides a container format that includes album and track
titles and a set of rules for enforcing copyright compliance that software and
hardware players must support in order to play back the material.
Multiple-level super distribution is also possible, in which secure content
is passed safely from user to user to user in a legal P2P content exchange.
There is no risk of a company losing control of its data, because each user who
wants to use the content must obtain separate rights to do so.
DRM-protected content files can circulate freely on the Internet or through
another pass-along mechanism. Protected files can be copied and shared with
others, but the content is protected and cannot be fully accessed unless the
recipients of the copies themselves obtain or purchase access.
This security allows a company to use "viral" marketing without
losing control of its product, and yields revenues directly to the owner of the
content. The protected file can serve as an advertisement for itself by allowing
users to view a description or sample of the content, and then linking them to a
Web site with information and a prompt to register for access.
Authentication
Authentication is the process of identifying an individual, usually based on
a username and password. In security systems it is distinct from authorization,
which is the process of giving individuals access to system objects based on
their identity. Authentication merely ensures that the individual is who he or
she claims to be, but says nothing about the access rights of the individual.
Authentication is necessary in DRM to verify the identity of a license holder.
Authentication schemes can also employ unique anatomical identifiers, or biometrics, such
as people’s physical characteristics and habits. Biometric authentication
includes iris scans, retinal scans, voice verification, finger scans, signature
verification, hand geometry, face recognition, and, increasingly, multi-modal
recognition. Biometric identification methods can be both more secure and more
convenient than passwords and encryption keys, which can be shared, forgotten,
lost, or stolen. Biometrics interoperability and data exchange standards are
evolving, such as the Common Biometric Exchange File Format.
Rendering
Rendering is the process of converting the digital content into a form that
can be used by the consumer: playing a song or a movie, or displaying or printing a
document or image. Rendering must be done in a way that allows the consumer to
use the content without allowing the consumer to circumvent the rights agreement
or copyright law.
The DRM system checks and validates (authenticates) the user’s identity and
rights to the content upon each rendering, and enforces the terms of the rights
agreement. Some rights agreements limit the user to a certain number of accesses
or a fixed cumulative time of access, in which case tracking management is also
required to monitor and record usage, and to record transactions if there is a
payment due for each usage.
In most cases, DRM client software resides on the end-user’s device and links
into the content provider’s license server across the Internet. Client software
can be built into the operating system or applications, or downloaded from the
vendor’s Web site.
In distributed DRM, when the user obtains the content package via a digital
delivery service such as the Internet or a CD-ROM and tries to play or view it,
the user’s DRM client application dials into the content-provider’s site on the
Internet and verifies the user’s identity and rights to use the content, or
prompts the user to register and pay for the content. When a user has a valid
license, the DRM license handler collects the user and content information and
produces a license to decrypt the content on the end user’s device. The content
can then be displayed using standard applications such as Acrobat Reader, an
Internet browser, or a set top box.
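
The distributed rights model from the Description section and the per-rendering license check described here, modeled together as an added example that is not from the original report or from any DRM product. The class names, users, content id `report-42`, and the SHA-256 keystream (a stand-in for a real authenticated cipher) are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream) so the example needs only
    the standard library. A real system would use an authenticated cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class Rights:
    uses_left: Optional[int] = None      # None means unlimited accesses
    expires_at: Optional[float] = None   # epoch seconds; None means no expiry
    may_print: bool = False
    revoked: bool = False


@dataclass
class SealedFile:
    content_id: str    # metadata sealed with the content; licenses bind to this
    nonce: bytes       # per-file, so files sharing a key never share a keystream
    ciphertext: bytes


class LicenseServer:
    """Holds keys and per-account rights separately from the distributed files."""

    def __init__(self):
        self.keys = {}      # content_id -> content key
        self.rights = {}    # (user, content_id) -> Rights
        self.audit = []     # (user, content_id, action, outcome) usage records

    def seal(self, content_id: str, plaintext: bytes) -> SealedFile:
        key = self.keys.setdefault(content_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        return SealedFile(content_id, nonce, keystream_xor(key, nonce, plaintext))

    def grant(self, user: str, content_id: str, rights: Rights) -> None:
        self.rights[(user, content_id)] = rights

    def revoke(self, user: str, content_id: str) -> None:
        self.rights[(user, content_id)].revoked = True

    def request_license(self, user, content_id, action, now):
        """Evaluate rights for one rendering; return the content key or None."""
        r = self.rights.get((user, content_id))
        if r is None:
            outcome = "no-license"
        elif r.revoked:
            outcome = "revoked"
        elif r.expires_at is not None and now >= r.expires_at:
            outcome = "expired"
        elif action == "print" and not r.may_print:
            outcome = "action-not-permitted"
        elif r.uses_left is not None and r.uses_left <= 0:
            outcome = "exhausted"
        else:
            outcome = "granted"
            if r.uses_left is not None:
                r.uses_left -= 1          # usage metering
        self.audit.append((user, content_id, action, outcome))
        return self.keys.get(content_id) if outcome == "granted" else None


def render(server, user, sealed, action, now):
    """Client side: ask for a license on every rendering, then decrypt."""
    key = server.request_license(user, sealed.content_id, action, now)
    if key is None:
        return None   # a real client would direct the user to the license page
    return keystream_xor(key, sealed.nonce, sealed.ciphertext)


def demo():
    """Constructed scenario: two formats of one title, four users."""
    server = LicenseServer()
    pdf = server.seal("report-42", b"quarterly figures (PDF)")
    epub = server.seal("report-42", b"quarterly figures (EPUB)")
    server.grant("alice", "report-42", Rights(uses_left=2, expires_at=1000.0))
    server.grant("carol", "report-42", Rights(may_print=True))
    server.grant("dave", "report-42", Rights(expires_at=50.0))
    results = {}
    results["alice_pdf"] = render(server, "alice", pdf, "view", 10.0)
    results["alice_epub"] = render(server, "alice", epub, "view", 20.0)
    results["alice_third"] = render(server, "alice", pdf, "view", 30.0)
    results["bob_pdf"] = render(server, "bob", pdf, "view", 30.0)
    results["dave_late"] = render(server, "dave", pdf, "view", 60.0)
    results["carol_print"] = render(server, "carol", pdf, "print", 70.0)
    server.revoke("carol", "report-42")   # rights change after download
    results["carol_revoked"] = render(server, "carol", pdf, "view", 80.0)
    return results, [outcome for *_, outcome in server.audit]


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(name, value)
```

Because the license binds to the sealed content id rather than to a file, alice's two-use license is consumed across the PDF and EPUB copies, and carol's copy becomes unreadable once the server-side right is revoked.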
New Business Models and Revenue Opportunities
The initial purpose of DRM was simply to protect digital content from
unauthorized use by blocking unauthorized users’ ability to see it, hear it,
change it, print it, play it, copy it, and so on. While DRM came primarily out
of the media sector, it is an increasingly important technology for protecting corporate
information and complying with regulatory requirements in industries such as
financial services, healthcare, and government.
But as the DRM industry developed, it became apparent that anti-piracy may
not be the most important or the most lucrative function of DRM. Companies found
that they needed to protect intellectual property from inappropriate copying and
distribution when made available on the Internet. They also discovered that when
the rights to digital intellectual property are not just limited, but are
controlled and managed on the company’s terms, for the company’s benefit, new
business models and new opportunities emerge.
DRM helps package, price, distribute, and sell content in new ways, creating
new revenue opportunities. For example, DRM software makes it feasible to sell
rights instead of the actual content, and even to sell fractions of rights:
portions of a work, time-limited access, rights to see but not print. DRM
software lets a company create access rules for each user and it checks users’
rights when they attempt to do something with a file. Some of the new business
models depend on usage metering to count or time the user’s access to the
content.
DRM makes possible a large variety of paid download services. A company
should make sure the DRM software it chooses supports the company’s business
model and either provides or integrates with a system for managing
transactions and collecting payments. Better business models are the Holy
Grail of the digital age and the following is a list of some business
models made possible by DRM technology:
- Pay-per-view (or -listen or -read) is the oldest content model. Each piece
of media is paid for at the time the consumer chooses to access the content.
- Limited rights models specify what actions a user can take with the
digital product, such as reading, printing, copying, or forwarding.
Additional rights can be offered for an additional fee.
- Token-based systems allow consumers to open a prepaid wallet of tokens
that are spent to access the content.
- Subscription services offer users access for a certain time period.
Another time-limited service is content renting.
- On-demand services allow users to view movies, live broadcasts, sports
events, and distance education live – or store them for later viewing.
- A la carte services allow users to purchase segments of a work, such as a
single song instead of an entire album, a chapter of a book, or an article
instead of a magazine subscription.
- Promotional or sample-size services allow users to try a product or a
portion of a product at no cost, but then they have to pay to see it again
or to obtain the entire product.
- Information barter services or marketing models let users receive content
in return for providing information about themselves and their usage
patterns.
- Free distribution models track or limit the play of media but do not
require the consumer to do anything to obtain the files.
- Geographic bounding enables distribution only to regions specified in the
distribution rights agreement.
- Dynamic, adaptive pricing can be matched to the buying habits of
consumers.
- Mix of the above models.
A DRM system should also be flexible enough to handle new business models.
There are still many opportunities in the DRM market, especially in
personal electronic devices, including (but not limited to) Apple’s iPhone
and iPad. Developers of solutions providing seamless access to cloud data
may also find success in this market.
Tracking Royalties
A distributor has to ensure that everyone gets paid fairly for the use of the
content. DRM software makes it easier to manage the complicated chain of rights
holders, content creators, manufacturers, publishers, and distributors – and
still keep track of all the rights and royalties, even when content is
repackaged and aggregated.
The networked digital technology of DRM allows an organization to track
authorized usage and learn more about the context in which its content is used
such as who uses it, which articles they read, which ads they look at, and with whom they
share the content. This context management helps an organization better
understand and track its customers’ preferences and buying habits, and, at the
same time, provides valuable information for targeted marketing. Targeted
marketing allows an organization to up-sell, cross-sell, or suggest other
products or services tailored to the information it has about its customers.
This information also makes it possible to give customers targeted access to
specific content, so they don’t have to pay for unwanted content. The
information obtained via context management can be more valuable than the
content the user receives. This is the basis for the information barter business
model, in which a company provides content at no charge in exchange for
information about the consumer. A company should choose a DRM system that not
only protects its content, but also allows it to use and profit from the context
information about its customers’ use of the content.
Current View
Many issues for DRM software revolve around legality, privacy, ease of
use, standards and interoperability, implementation, vendor stability and
viability, and security. Enterprise DRM is one of the many approaches being
promoted by various technology vendors as a way for companies to better handle
how their workers share and interact with important data.
Some DRM vendors claim to have end-to-end solutions that make content safe
while others predict the demise of content-based business once information is
"set free." Some say that the DRM industry may find that DRM naysayers might
be more likely to change their view if DRM recognizes the importance of both
enhancing the consumer experience and providing adequate technical and legal
protection to the intellectual property rights of authors and publishers.
DRM Uses
DRM software vendor FileOpen Systems discusses the use of
its products separated by industry and business need, as illustrated in Tables 1
and 2.
Industry | Use |
---|---|
Publishing and Document Delivery | Standards publishing, libraries, research, and media. |
Banking and Financial Services | Investment banking, venture capital, and other financial institutions. |
Corporate and Professional | Manufacturing, insurance, aerospace, technology, and legal. |
Healthcare and Life Sciences | Clinical, pharmaceutical, insurance, and related industries. |
Education and Training | Digital textbooks/materials, research, and e-learning. |
Government | Federal, state, and local departments. |

Business Need | Use |
---|---|
Intellectual Property Protection | Protect IP assets from piracy, copying, and unauthorized sharing. |
Data Loss Prevention | Retain sensitive and proprietary information within an organization. |
Subscription Protection | Prevent piracy and protect paid subscription revenue streams. |
Document Sharing Security | Enforce corporate usage policies at the document level, inside and outside the firewall. |
Mobile Device Publishing | Publish documents securely on smart phones and tablets. |
Compliance Adherence | Ensure adherence to government, industry, and corporate regulations. |

Source: FileOpen
Standards and Interoperability
After a five-year-long debate on its approval, the World Wide Web Consortium
(W3C) passed a new DRM-related standard in July 2017. Called Encrypted Media
Extensions (EME) – and designed by software engineers from Google, Microsoft,
and Netflix – it allows DRM systems to hook directly into users’ browsers
without the use of plugins.
EME’s primary benefit is in its anti-piracy features, preventing copyright
infringement by eliminating theft of content from high-quality streams. It is
also touted as providing greater interoperability and improved online privacy.
However, not unexpectedly, the standard has its critics and objections.
Formal objections received by the W3C include:
- It does not provide adequate protection for users
- It will be hard to include in free software
- It doesn’t legally protect security researchers
Perhaps its most vocal critic is the Electronic Frontier Foundation (EFF), long an
opponent of DRM. Its main complaint about EME is that it gives too much power to
browser developers and content providers, and no protection to security
researchers. Other complaints include a lack of standardization for decryption,
meaning that companies developing browsers may have to license decryption
components.
Proponents and Opponents
DRM fans claim that it is necessary to prevent the copying of intellectual
property, frequently employing the metaphor of using physical locks to prevent
the theft of personal property. Proponents further argue that DRM helps
copyright holders maintain artistic control.
However, many opponents to DRM contend there is no evidence that DRM helps
prevent copyright infringement, claiming that it serves only to inconvenience
legitimate customers. A frequent argument holds that DRM helps big
business stifle innovation and competition. Furthermore, DRM
can also restrict users from exercising their legal rights under copyright
law, such as backing up copies of CDs or DVDs, lending materials out through a
library, accessing works in the public domain, or using copyrighted materials
for research and education under the US fair use law.
The two most vocal DRM opponents are the aforementioned EFF and
the Free Software Foundation (FSF).
EFF
Founded in 1990, the EFF is a donor-funded nonprofit
organization with the "aim to improve the rights of free
expression, security, and privacy on the internet." Its current
projects include Bloggers’ Rights, Coders’ Rights, and even the rights of
those who purchase digital books. EFF’s concerns
for citizens’ privacy, freedom of expression, and fair use rights are well
founded: corporate zeal in developing DRM technologies frequently impacts
consumers who fall into the category of "pirate," in spite of their
lack of such intentions.
DRM remains a problem in the area of ebooks. For example, some models of Amazon’s Kindle
e-reader device have DRM software built in that limits users to
"lending" an ebook only one time. Other restrictions affect
the ability to re-sell or donate ebooks or even to move them to a new
device without the need to re-purchase them. These restrictions are viewed by
consumer rights organizations as unfair. The EFF is also concerned with
DRM’s tracking capabilities, which allow Amazon, for example, to track the
books purchased by users. Privacy is an important topic to the EFF, as
well as to other organizations.
The EFF had its first brush with DRM in May 2013, when the EFF
announced its formal objection to the inclusion of DRM in the first public
working draft of the HTML5 standard from the HTML working group of the
World Wide Web Consortium (W3C). The EFF became a full member in the W3C
in order to challenge DRM inclusion, stemming from the proposed Encrypted
Media Extensions (EME) document, which, according to the EFF, "only
exists to hard-wire the requirements of DRM vendors onto the emerging Web
standard."
In August 2016, EFF and a coalition of consumer groups, content creators, and
publishers asked the Federal Trade Commission (FTC) to require online retailers
to label the ebooks, songs, games, and apps that come with digital locks
restricting how consumers can use them. The coalition – which includes the
Consumer Federation of America, Public Knowledge, the Free Software Foundation,
McSweeney’s, and No Starch Press – said companies like Amazon, Google, and
Apple have a duty to inform consumers if products for sale are locked with DRM,
since DRM locks "can also block
you from watching the movie you bought in New York when you go to Asia on
vacation, or limit which devices can play the songs you purchased."
FSF
The Free Software Foundation (FSF) is a nonprofit whose mission is "to promote
computer user freedom and to defend the rights of all free software users."
The foundation defines DRM as "Digital Restrictions Management," and
claims it "robs us of control over the technology we use and the culture we
live in."
FSF has as a subset another foundation called Defective by Design. Its goal is
"to eliminate DRM as a threat to innovation in media, the privacy of
readers, and freedom for computer users."
According to the organization’s Web site, "DRM
restricts entirely different activities than copyright does, and serves an
entirely separate function. While Copyright restricts who can distribute media,
DRM restricts how users can access their media. Copyright already provides
leverage against illegal distribution, meaning that the largest distribution
platforms must already adhere to the demands of large publishers, studios, music
labels, and software companies. DRM provides "anti features" (features that exist
only to worsen the service for users) and charges for their removal. This gives
major media and technology companies much broader control over the use of media
than is enabled by copyright law, while copyright allows them to force all legal
media distribution services to use DRM."
American Library Association
The American Library Association (ALA) has
also stated its concerns for libraries and DRM. According to its
statement, "The purpose of DRM technology is to control access to,
track and limit uses of digital works. These controls are normally imbedded in the work and accompany it when it is
distributed to the consumer. DRM systems are intended to operate after a user has obtained access to
the work. It is in this ‘downstream’ control over
consumer use of legitimately acquired works that DRM presents
serious issues for libraries and users."
Gaming
In May 2013 Microsoft revealed its Xbox One console, explaining that all Xbox One
games would need to be fully installed onto systems before play and that
each copy would then be watermarked to its owner. That translated to the
control by Microsoft of any attempt to re-sell or even give away the
boxed copy of the game. This resulted in a huge backlash against
Microsoft by the gaming community.
A month later, Microsoft relented, claiming it had listened to
"candid feedback" from gamers. Upon release of the new console
in November 2013, restrictions on sales of pre-owned titles – and sharing
of games among friends – were canceled. In addition to removing limits on
gifting, re-selling, sharing, or renting Xbox One game titles, Microsoft also
removed regional locks on Xbox One games, which means titles bought in one
global territory will work in all others. Another change was the removal of a
requirement to authenticate the system online every 24 hours, thought
to have been introduced as a DRM measure.
Legal Issues
The biggest legal issue surrounding DRM was in 2012, when the
US Department of
Justice (DOJ) filed a lawsuit against Apple – and five other publishers it accused of
colluding with Apple – over a scheme to fix ebook prices. The suit is said
to have stemmed from publishers’ dissatisfaction with Amazon’s Kindle ebook
pricing, which, at $9.99, was sometimes below cost; upon the iPad’s
2010 release, Apple and the five publishers (Simon & Schuster,
HarperCollins, Hachette Book Group, Penguin, and Macmillan) signed an
agreement to release books on the iBookstore for about $12.99 and to give
Apple 30 percent of proceeds. This resulted in Amazon allowing publishers
to set their own prices for Kindle ebooks.
The lawsuit accused the publishers of colluding with Apple to raise ebook prices. As the head of the DOJ’s antitrust division explained,
"Let me be clear: When companies enter agreements that prevent price
competition, that is illegal." Very quickly, three of the publishing
defendants – Hachette, HarperCollins, and Simon & Schuster – settled
with the DOJ; publishers Penguin and Macmillan settled later, in December
2012 and February 2013, respectively. That left only Apple, which was found
guilty of fixing ebook prices in July 2013. Apple is still in the process of
appealing the decision.
So what does all of this have to do with DRM? It resulted in a great
deal of speculation about whether this suit might encourage publishers to
ease their DRM requirements, giving individual publishers more flexibility
with their own content while letting consumers access device-independent
content. In fact, many publishers are said to be actually considering
removing DRM.
The DOJ lawsuit is not the only legal issue concerning DRM. Some legal experts feel that DRM systems (in general) have failed to meet the
challenge of protecting the rights of the copyright owner while also respecting
the rights of the purchaser of a copy. It is a good idea to understand
that different rules and rights attach to different categories of copyright
material.
Lexmark and The Chamberlain Group (a maker of garage door openers) used
the Digital Millennium Copyright Act (DMCA) to sue to prevent the sale of
compatible third-party products. The plaintiffs claimed that by bypassing
measures they’ve taken to prevent the creation of compatible products,
competitors have violated the DMCA.
(The Digital Millennium Copyright Act (DMCA) is a United States
copyright law which criminalizes production and dissemination of
technology, devices, or services that are used to circumvent measures
that control access to copyrighted works. It also heightens the
penalties for copyright infringement on the Internet. Passed on October
12, 1998 by a unanimous vote in the United States Senate and signed
into law by President Bill Clinton on October 28, 1998, the DMCA
amended title 17 of the US Code to extend the reach of copyright,
while limiting the liability of Online Providers from copyright
infringement by their users.)
In May 2015, the EFF testified at hearings on exemptions to Section 1201
of the Digital Millennium Copyright Act (DMCA). Congress allows the public
to petition the Copyright Office and Librarian of Congress – a long,
complex process that happens every three years – for exemptions to the 1201
clause. The EFF’s focus was on:
- Conducting security and safety research and performing repairs and
customization on vehicles, where access to onboard computers is
typically restricted.
- Creating fair use remixes of videos from locked sources, including
DVDs and Blu-ray discs, as well as from online streaming sites.
- Jailbreaking phones and tablets to run operating systems and
applications not specifically authorized by the manufacturer.
- Modifying older video games that require a centralized
authentication or matchmaking server, after that server has been taken
offline.
Continuing its efforts, the EFF sued the U.S. government in July 2016
"on behalf of technology creators and researchers" to overturn those
copyright law provisions "that violate the First Amendment."
Specifically, the EFF is challenging provisions contained in Section 1201 of the
Digital Millennium Copyright Act (DMCA) that
"make it unlawful for people to get around the software that restricts
access to lawfully-purchased copyrighted material, such as films, songs, and the
computer code that controls vehicles, devices, and appliances. This ban applies
even where people want to make noninfringing [sic] fair uses of the materials
they are accessing."
The DMCA has made it illegal to reverse-engineer and distribute software that
exists solely for breaking copyright protection. In addition, the Electronic
Signatures Act has made electronic signatures legally binding. Furthermore,
recent federal legislation mandates access protection and audit trails for
electronically distributed information, especially when it relates to healthcare
and financial information, and makes it possible to fine physicians for
accidental disclosures that occur during transfers of patient records that they
have ordered.
Copyright enforcement must always be balanced with fair use. Fair use
allows copying and reuse of copyrighted works in limited circumstances: when the
use is noncommercial, when the work is factual rather than creative, when the
copied portion is not a substantial part of the work, and when the use will not
have a large effect upon the potential market for or value of the copyrighted
work.
Fair use complicates DRM. For example, fair use allows consumers to make
personal copies of purchased music to be played in the car or on the computer.
The challenge for the DRM system is to know when copying is allowed and when it
is not. Some systems resolve this by allowing copies of the original but not
copies of copies. Other systems allow a limited number of copies but no more.
Privacy
When choosing a DRM system, organizations should be sensitive to privacy issues
that may alienate their customers, partners, and others who will interact with the
system. The Electronic Privacy Information Center (EPIC) says that many DRM
technologies have little regard for privacy protection, requiring the user to
reveal his or her identity and preventing anonymous consumption of content.
Customs and laws that protect one’s privacy when renting videos or borrowing
books from the library do not exist in the electronic markets for music, books,
and other content. In fact, one of the selling points for DRM is its support for
collecting and profiting from information about the identities and usage
patterns of consumers. EPIC contends that DRM can be accomplished without
invasion of privacy but that those methods have not been investigated
thoroughly. Fears of invasion of privacy may slow acceptance of DRM and force
developers to investigate less invasive means of protecting and managing content
rights.
Other critics of the technology, including the Free Software Foundation, have
suggested that the use of the word "rights" is misleading and suggest that
people instead use the term Digital Restrictions Management. The position put
forth is that copyright holders are attempting to restrict use of copyrighted
material in ways already granted by statutory or common law applying to
copyright. Others, such as the Electronic Frontier Foundation, consider some DRM
schemes to be anti-competitive.
Ease of Use
Ideally, DRM should be transparent to the end user in normal use, becoming
visible only when there is a violation or a need to obtain a license. Especially
for e-commerce, the end-user experience should be hassle-free to avoid
alienating potential customers and losing them to a more convenient site or
system. It is important to balance content protection with usability. On the
other hand, the more valuable the content, the more hoops the user will be
willing to jump through to get it. The content simply has to be worth the
trouble and expense to the user. It will also be easier for an enterprise that
wants to protect confidential information to obtain compliance from its
employees if the DRM system is not too cumbersome.
When evaluating the usability of a DRM system, a company should check the
following:
- Whether users can use standard, familiar applications rather than a
proprietary viewer.
- How many extra steps users must take to access or view protected content.
- Whether the content is portable or tied to the original machine to which it
was downloaded.
Implementation Options
DRM functionality is available as a software platform, a hosted service, or a vertically focused
application that includes DRM capabilities.
A company can retain greater control by implementing and maintaining its own
DRM software. But if it does not have the skills and resources to manage,
maintain, and integrate the DRM system, it may prefer to outsource the DRM
function to a hosted service. A hosted service may be appropriate for a smaller
organization that lacks the economy of scale that would reduce the total cost of
ownership (TCO) of a DRM system. One prominent example of a hosted software licensing service is the Nalpeiron Licensing
Service (NLS). NLS enables clients to control, market, measure, and
manage their applications – from trial to end of life.
Security
Algorithm. One way to determine security is by
identifying whether content has been modified. Some DRM systems accomplish
this by running a mathematical algorithm, creating a numeric value which
is unique to that content. Users can choose to run this algorithm at
frequent time intervals, comparing the latest result with the previous
one. As long as the results match, the document has not been modified and
has come from the authorized source.
Encryption. A DRM content package is an encrypted file containing content
and metadata about the content. Encryption protects content by requiring the
exchange of keys for decrypting content, licenses, or digital certificates.
Encryption works best when the sender and the receiver both trust each other,
but are worried about theft or tampering in transit. With easily redistributed
digital content, however, many content owners do not trust the consumers of
their products to respect their copyrights or confidentiality, so encryption
alone is not enough.
Still, encryption is a necessary component of DRM, and a company should
ensure that its DRM system uses strong encryption algorithms such as the Advanced
Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) encryption, and that
the encryption algorithms can be upgraded and replaced if they are defeated. It
should also make sure that there are secure methods for managing, distributing,
authenticating, revoking, and renewing encryption keys.
End-to-End Security. For DRM to be effective, content must be securely
managed through its entire lifecycle, at each step from creation to whatever the
consumer does with it. Such end-to-end security is dependent on standards and
interoperability, and on the cooperation of all parties in the chain including
content creation, aggregation, distribution, retail, and fulfillment.
The best DRM solutions decrypt content at the last possible moment before
rendering it, to decrease the chance that a user could gain unauthorized access
to the decrypted version of a file.
In addition, a DRM system that allows fine-grained control over users’ access
to content – such as access that is limited to a certain time period, a certain
number of uses, or certain pages within a document – will offer higher security
because users will not be given any more access than is necessary.
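The following added example is not code from this report or from any DRM product. It combines the modification check described under Algorithm with the fine-grained limits described above (time period, number of uses, page range) in a single license check. SHA-256, HMAC, the demo key, and every function and field name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held only by the issuer

def content_digest(content: bytes) -> str:
    # SHA-256 stands in for the report's unnamed "mathematical algorithm".
    return hashlib.sha256(content).hexdigest()

def tag_for(terms: dict, key: bytes) -> str:
    # Keyed tag over canonical JSON: only the key holder can produce it.
    body = json.dumps(terms, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_license(content, user, start, end, max_uses, pages, key=ISSUER_KEY):
    terms = {"user": user, "digest": content_digest(content),
             "not_before": start, "not_after": end,
             "max_uses": max_uses, "pages": list(pages)}
    return {"terms": terms, "tag": tag_for(terms, key)}

def authorize(lic, content, user, page, now, uses_so_far, key=ISSUER_KEY):
    """Deny by default; returns (allowed, reason)."""
    terms = lic.get("terms", {})
    presented = str(lic.get("tag", "")).encode()
    if not hmac.compare_digest(tag_for(terms, key).encode(), presented):
        return False, "license altered or not from issuer"
    if not hmac.compare_digest(content_digest(content), terms["digest"]):
        return False, "content modified"
    if user != terms["user"]:
        return False, "wrong user"
    if not terms["not_before"] <= now <= terms["not_after"]:
        return False, "outside time period"
    if uses_so_far >= terms["max_uses"]:
        return False, "use limit reached"
    if not terms["pages"][0] <= page <= terms["pages"][1]:
        return False, "page not licensed"
    return True, "ok"

def demo() -> list:
    doc = b"Q3 forecast (constructed sample content)"
    lic = issue_license(doc, "alice", 1000, 2000, max_uses=3, pages=(1, 5))
    forged = {"terms": dict(lic["terms"], max_uses=99), "tag": lic["tag"]}
    return [authorize(lic, doc, "alice", 2, 1500, 0),         # valid request
            authorize(lic, doc + b"!", "alice", 2, 1500, 0),  # content changed
            authorize(forged, doc, "alice", 2, 1500, 0),      # limit raised
            authorize(lic, doc, "alice", 2, 2500, 0),         # expired
            authorize(lic, doc, "alice", 2, 1500, 3),         # uses exhausted
            authorize(lic, doc, "alice", 9, 1500, 0)]         # page outside range
```

The caller supplies `now` and `uses_so_far`, so the clock and the use counter must be kept somewhere the end user cannot reset them.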
Viability and Stability of Vendor
In an industry as young and volatile as the DRM industry, which has seen a
high number of vendors merge or go out of business in the last few years, it
is difficult to be sure of a vendor’s long-term stability. A vendor’s good
management and longevity, however, will be important for ensuring the
availability of ongoing technical support. If possible, it is best to choose a
vendor whose product has been on the market long enough for other companies to
be using it and to look into how the other companies’ experiences have been with
the product. An extensive patent portfolio can also show both a vendor’s ability
to innovate and the approval of a third-party government agency.
A company can further protect itself by choosing a DRM system that stores
data and rights in a standard format, so that the data will be more likely to
be compatible with a new system in case the original vendor ceases operations.
Outlook
In July 2010, a New Orleans circuit judge issued a ruling that could set a legal
precedent that allows bypassing digital rights management (DRM) for fair use
purposes. He found that General Electric had not violated the Digital Millennium
Copyright Act by using hacked security dongles to repair uninterruptible power
supplies from MGE UPS Systems – because the goal itself was legal. While a jury
fined GE $4.6 million for breaking copyright and misusing trade secrets, the
judge ruled that the DMCA had not been broken, as using hacked items did not by
itself constitute violating protection.
"Merely
bypassing a technological protection that restricts a user from viewing or
using a work is insufficient to trigger the DMCA’s anti-circumvention
provision," he said. "Without showing a link between access
and protection of the copyrighted work, the DMCA’s anti-circumvention
provision does not apply."
The decision could impact the media industry as it may allow breaking DRM
for music, movies, and other formats as long as the material isn’t pirated.
The MPAA and RIAA together have insisted that any violation is piracy. Puncturing
the protection of the Digital Millennium Copyright Act may lead to a more
limited assertion of digital rights and require DRM software providers to
accordingly modify their software.
Another consideration is that buyers of rights-managed content now depend on a
specific vendor’s future. For example, Microsoft announced in 2019 that it was
shuttering its ebook store – two years after it first opened. Those who
purchased reading material through Microsoft are now out of luck, as the
vendor erased all ebooks and closed the servers where the ebooks resided.
Microsoft’s DRM can be thanked for this. However, readers were automatically
refunded for any ebooks purchased through Microsoft.
Recommendations
DRM software is recommended for companies that produce and distribute digital
content, as well as enterprises and institutions that need to protect and
control confidential information. A variety of options exist, including software
platforms, hosted services, or vertically focused applications that include DRM
capabilities.
A company choosing a DRM system should look for the following features:
- Transparency to the end user in normal use, becoming visible only when
there is a violation or a need to obtain a license.
- Compliance with industry standards such as eXtensible Rights Markup
Language (XrML) and Digital Object Identifier (DOI).
- Support for multiple content types, file formats, devices, and operating
systems, as required in the company’s situation.
- Open architecture and APIs that help it integrate with a company’s
existing systems, such as content production, editorial, asset management,
sales, marketing, and finance systems.
- End-to-end security processes such as decrypting at the last moment before
rendering to the screen.
- Distributed architecture that stores content separately from rights to
enable roaming, portability, super distribution, and persistent, revocable
control at the point of consumption.
- Support for a wide variety of business models, such as trial access,
pay-per-view, and subscriptions. Even companies that do not sell content may
want to use the information barter model to obtain information from their
customers.
- Context management to help understand and track the users’ preferences and
buying habits, and to provide valuable information for targeted
marketing.
- A stable vendor whose product has been on the market long enough to have a
track record with other companies.
Security issues, fair use issues, and issues of creative expression are all
at the forefront of the ongoing DRM battle. The success of DRM will likely
depend on a number of factors including its role in providing a balance between
protection of rights holders’ interests and those of users and consumers who wish
to use and access materials.
Web Links
- Amazon: https://www.amazon.com/
- American Library Association: http://www.ala.org/
- Apple: https://www.apple.com/
- Defective by Design: https://www.defectivebydesign.org/
- Digimarc: https://www.digimarc.com/
- Electronic Frontier Foundation: https://www.eff.org/
- Electronic Privacy Information Center (EPIC): https://www.epic.org/
- Free Software Foundation: https://www.fsf.org/
- Google: https://www.google.com/
- Microsoft: https://www.microsoft.com/
- Nalpeiron: https://www.nalpeiron.com/
- Netflix: https://www.netflix.com/
- US Department of Justice: https://www.justice.gov/
- World Wide Web Consortium: https://www.w3.org