ABCs of DRM
Having discussed the concept of digital rights management or DRM with a number of people in recent months, it seems there are those who are very knowledgeable about DRM by virtue of their roles in their organizations and others who may not have the same in-depth information on the topic, but need to be better informed in order to assess where their organizations must take action.
This article, therefore, attempts to discuss the ABCs of DRM so that the latter group in particular may gain better insight into the DRM concept. It is not intended as the ultimate white paper on the topic, but rather a starting point leading to implementation of a DRM program which should include images and sound elements as well as important corporate documents. These are differentiated as Media DRM vs. Enterprise DRM.
Background – Earlier in my career I was working at one of the major studios at a time when the PC and the video/home entertainment market were both in their infancy. It was not unusual for people to “borrow” someone else’s software for their computers, even in the corporate environment. People’s eyes were opened when the Chairman sent a company wide memo indicating that the company did not want others to copy its software (movies) and therefore we should not be copying PC software. Well put. This instance is my earliest recollection of the piracy/illegal copying issue raised in my workplace.
Today, for example, Microsoft requires online authentication of its new software products as a means of minimizing its exposure to piracy. Generally speaking, its applications will not open more than 50 times without the authentication taking place.
The ABCs of DRM – DRM is all about digital content and protecting those who own it from having it stolen or used by someone not authorized to do so. It is about putting virtual locks on the content from audio and video material to documents created in Word, Excel or other software products. All are equally important and invaluable to their owners.
In its most basic form of protecting rights and access, consider how ATM cards and hotel keys with their magnetic stripes work, allowing or disallowing access, how smart cards afford protection or even PDF files which can be structured to prevent copying, printing and redistribution.
To begin, let’s look at the basic concepts of DRM, with the emphasis on media such as films and TV programs:
-
Content is valuable – by means of the trickle down theory, we are all impacted by unprotected content;
-
Protected content preserves value – if the product is free, there is no value to the owner other than perhaps some goodwill;
-
Rights to content must be controlled – authorized users only may be allowed access and only under the rights that the owners wish to convey.
With the forgoing in mind, it is important to understand the basic premise that digital delivery of content is prevalent and becoming progressively more so due to the increasing penetration of broadband.
There is currently an insatiable demand for digital content from the legal and illegal downloading of movies and music to the digital pictures consumers put on their web sites for all to see. This seemingly insatiable appetite for digital content will only increase as it becomes easier to satisfy users through their broadband connections, which 240 million households are expected to have by 2008 according to research from In-Stat/MDR.
New business models for content created and stored digitally demand the protections afforded by DRM due to the inherent risks created by digital delivery. Threats to content created digitally are due to the ability to send files seamlessly across the globe, authorized or unauthorized. With more PCs having DVD drives, a growing number of PCs with DVD-RW drives and digital video recorders/PVRs means that recorded content can achieve mass distribution easily if unprotected.
The inadvertent click of a mouse can send sensitive documents into the wrong hands. The purposeful click on that same mouse can cause even greater problems. With an “always on” world, it is as easy to access or send a file across the world as it is to open a file resident on our computers.
Organizations of all sizes should have document retention policies so that their employees may know the procedures related to document protection and retention. In the pre-digital days, it was often considered adequate to put locks on doors, filing cabinets, etc. to keep prying eyes out. The protection of that digital content now rests with DRM.
DRM in the news – The protection concept was in the press a lot in recent months, especially in Southern California and other areas where the banning of Academy screeners garnered strong reaction on both sides of the issue in print and on the many talk radio programs. The screener matter is important due to the ongoing fight against piracy of motion pictures, a problem pegged at more than $3 billion per year. The high profile nature of movies is the basis for the publicity surrounding this issue.
However, the challenge extends way beyond the use of screeners and monitoring of whom gets access to the films being considered for Academy Awards®. For those involved in the digital content creation business it starts on day one when storyboards are created as a basis for determining how and in which ways the end product will be created, necessitating that the storyboards and animatics created must be protected. The process should continue throughout the entire production process and on into the distribution cycle. Each distribution window has its own set of DRM requirements and rules that may apply throughout the product’s life cycle. Protecting content at all points in the value chain is of paramount importance.
Media DRM – One only needs to look at the music industry, over the past few years to understand the impact that not protecting content can have. According to the Recording Industry Association of America, sales in 2003 dropped 7.1% over 2002 which experienced an 8.9% decrease over the prior year.
So, what can be done? Having a firewall to protect against outsiders hacking in is insufficient. There are times when content that is created by the entertainment industry, including work in process, must be sent outside the creating organization’s facility as a fundamental part of the process, even if it gets set up on an FTP site for other legitimate users to see. For companies that are selling completed product, the protection is even more important to prevent unauthorized burning of movies, TV shows and other content on to DVDs where further distribution could occur.
To adequately protect themselves and their customers, content creation companies need to apply DRM rules to their content. The following should be considered as the rules are developed:
Rights need to be conveyed – i.e. providing the keys to the content. These rights may include unique identifiers to enhance the user audit trail;
-
Encryption alone is not sufficient – although it is an important tool as well;
-
DRM’s purpose is to allow content to be decrypted – by those who have the rights;
-
Rights must be renewed periodically and should not be set up in perpetuity;
-
Rights can be different on the same product for various reasons as determined by the owners – this is akin to sending someone a Word file and another a PDF file;
-
Rights may be withdrawn for whatever reason the content owner deems necessary.
The rules process begins with a determination as to what rights the owners want to convey. These may include, but are not limited to:
-
Viewing – including frequency of use and number of viewings allowed;
-
Copying – including subsequent distribution to other computers and/or portable devices;
-
Rules can be set to travel with the content and may at various times require authentication from a remote server in order to unlock the content;
-
Based on receipt of payment, if any;
-
Expiration of rights – at a date certain, upon reaching a certain number of viewings or on some other basis.
Enterprise DRM – Perhaps a more mundane side of DRM than Media DRM, Enterprise DRM is every bit as important. Corporations need to protect their information and control access to it. The American Society of CPAs recently listed Information Security as #1 on their list of Top 10 Technologies for 2004. The following are some of the issues to consider:
-
Authentication of users – determining who has access to which files;
-
Rights – what users can do with files to which they have access, i.e. read, modify, print, etc;
-
Prevention of access after termination of employee/employer relationship;
-
Maintain confidentiality of customer files – i.e. financial services, healthcare industries;
-
Maintain confidentiality of HR information;
-
Protect consumer information, including ecommerce transactions.
Benefits – Establishing a DRM policy for both Media DRM and Enterprise DRM results in the following benefits:
-
Preserves value of content;
-
Limits unauthorized access to information;
-
Audit trail of users – rules can be applied to track who has used the content;
-
Protects consumer information.
Due to the digital environment in which we work, digital content is a fundamental element in how we conduct business. Therefore, the protection of that content and the whole DRM process should not be taken lightly. It is important to understand the ABCs of DRM, the basics, in order to address the challenges. This is just the beginning as the process will evolve and become more sophisticated over time. Those who understand and implement DRM strategies will be ahead of the curve.
