5870 West Jefferson Blvd., Suite A
Los Angeles, CA 90016
Tel: 310.815.8855
Fax: 310.815.8808
info@OnlineSecurity.com
© 2010 Online Security
All rights reserved.
Forum: E-Commerce Law
Posted: 03/31/2003
Deciphering the Value of Open Digital Rights Management (DRM)
The ongoing debate as to whether the cause of Internet security is better served by open or proprietary standards opened on a new front in January when Microsoft, in a characteristically subtle but potentially far-reaching move, introduced a new music CD toolkit for record labels. Part of the Windows Media DRM 9 Framework, the toolkit enables labels to include a second session on a protected audio CD containing Windows Media Audio format tracks that can be played on a computer or compliant portable player, but are protected by Microsoft’s digital rights management (DRM) technology. This enables labels to specify copy and usage restrictions, in particular to prevent the sharing of the files over the Internet. The deal for record labels sounds hard to resist: the toolkit is supported by the number one media player in the world, and it’s free.
On hearing this news, Microsoft’s critics reported a widespread sense of déjà vu. They wasted no time in accusing the software giant of repeating its highly effective “browser war” tactic of binding critical new application software to its operating system and giving it away to users in order to drive competitors out of an emerging market and extend its Windows monopoly. In this case, the role once played by Netscape is filled by Real Networks, which recently put its RealOne-based DRM system, part of Helix, in the open source domain, and MPEG-4, the heir apparent to the prevalent consumer electronics standards family. MPEG-4, a sprawling standard based in part on Apple’s QuickTime technology, has struggled with perceived steep licensing costs. It thus appears by this analysis to have played right into Microsoft’s hand. After much debate, the MPEG-4 group agreed in November to reduce their licensing fees, only to be dramatically undercut by Microsoft’s Windows Media 9 Series licensing a short time later. Along with this gambit, Microsoft, in a reversal, announced that it would not support MPEG-4 in future releases of Windows Media Player. Instead Microsoft is aggressively licensing Windows Media Player for use on non-Windows operating systems, set-tops, and new mobile devices, the same silicon battlegrounds that MPEG-4 has been targeting.
This struggle clearly has important implications for the Media and Entertainment industry, but its significance to the broader world of IT security is less apparent. In fact, these moves might be dismissed by skeptics as attempts to dominate a protected media market that remains highly speculative. Ironically, Microsoft itself last fall released a research report written by four of its employees that cast serious doubt on the ultimate efficacy of DRM, concluding that “a vendor will probably make more money by selling unprotected objects than protected objects.” And yet Microsoft reportedly spent $500 million developing what many analysts believe to be the best DRM system on the market, and certainly the most widely deployed. Why?
Part of the reason is that the ultimate value of DRM may lie as much in the corporate market as in Media and Entertainment. To date corporate applications have received only limited attention from analysts. This is in large part due to the framing of the DRM viability question as, “can it really be effective at preventing Internet piracy of music, movies, and games?” The answer may well be “no,” but not for the reasons most often assumed. Although the theoretical robustness of specific DRM-based encryption schemes may be interesting fodder for debate, the fact is that few if any copyright violations on the Internet result from the defeat of a DRM encryption scheme. Rather, the prevailing cause is the weakness of entrenched legacy media distribution formats (such as CD and DVD), combined with the intrinsic insecurity of the analog perimeter through which mass audiences experience media, both at home and in theaters. These are conditions that DRM access control is not in a position to address (although many look to watermarking technology to provide a long-term answer to the problem of the “analog hole”). But is it possible that corporate applications that have nothing to do with mass media can justify the investment in today’s encryption-based DRM technology?
The answer lies in part in the capabilities DRM brings to the extended enterprise to protect and control its critical information assets. In a pervasively connected world where control of information is increasingly seen as a critical source of competitive advantage, the capabilities delivered by DRM appear to be vital tools enabling centralized control of globally distributed information assets. For widely disseminated content like music files ripped from unprotected consumer CDs and traded on peer-to-peer networks, DRM cannot reconstitute a secure container. However, for information that is secure and centralized to begin with, DRM offers the powerful capability to securely bind business rules and actions to content in a device- and application-independent way, much as physical envelopes bind distribution rules to paper communication.
The envelope analogy bears closer examination. A paper envelope does not purport to securely lock out unintended access, although by convention and law it tends to limit access to intended recipients and minimize casual spying. DRM may be appropriately viewed as an intelligent envelope technology which, in addition to specifying a sender and receiver address, a transport mode (such as “air mail”), and a potential disposition (such as “urgent” or “personal and confidential” or “bulk”), can specify many more complex usage rules. Examples are: “this file can be read once but not copied or moved” or “this file will self-destruct twenty-four hours after being opened, or 30 days after being received, whichever comes first.” Note that envelopes also support a secure method of conveying payment to the courier system in the form of stamps.
The significant value is not that the container is necessarily unbreakable (although that goal may be both important and achievable in corporate ebusiness conditions), but that the instructions and conventions are universal among all compliant platforms and applications.
This universal capability to bind usage rules to content is of tremendous significance to the future architecture of electronic business. In terms of security models, it portends a shift in emphasis from the firewall/VPN model of secure containment to an object-based model, offering greatly enhanced flexibility and control over information. To invoke but one example, imagine the disgruntled employee who, discovering the password to an HR server on a scrap of paper, manages to gain access to his company’s personnel file listing management salaries. If his company has applied a DRM-style security model, the file itself, rather than just its server, is protected, not just by a password (which is of course available today in databases and applications like Excel), but by an active procedure that, prior to issuing a decryption key over the network, sends a secure priority request (along with the date, time, and physical location of the requestor) by pager to the head of HR for authorization. In short, DRM empowers IT managers to support sophisticated information control policies with automated procedures that are simply beyond the reach of current database-, server-, network-, or application-based security protocols.
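The envelope rules and the approval-gated key release described above can be sketched as a small rights-server check. This is an added example, not code from the article or from any DRM product; the function names, rule fields, the HMAC used to bind rules to content, and the sample timeline are all assumptions made for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta

SERVER_KEY = b"constructed-demo-key"  # constructed value; stands in for the rights server's secret

def _mac(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def seal(content: bytes, rules: dict) -> dict:
    """Bind usage rules to one piece of content: the MAC covers rules and content hash."""
    body = {"content_sha256": hashlib.sha256(content).hexdigest(), "rules": rules}
    return {**body, "mac": _mac(body)}

def request_key(envelope: dict, state: dict, now: datetime, owner_approved: bool = False):
    """Decide whether the decryption key may be released; returns (allowed, reason)."""
    body = {"content_sha256": envelope["content_sha256"], "rules": envelope["rules"]}
    if not hmac.compare_digest(_mac(body), envelope.get("mac", "")):
        return False, "envelope tampered"
    rules = envelope["rules"]
    # Expiry is whichever deadline comes first: N days after receipt or M hours after first open.
    deadlines = [state["received"] + timedelta(days=rules["days_after_receipt"])]
    if "first_opened" in state:
        deadlines.append(state["first_opened"] + timedelta(hours=rules["hours_after_open"]))
    if now >= min(deadlines):
        return False, "expired"
    if state.get("opens", 0) >= rules["max_opens"]:
        return False, "open limit reached"
    # The HR scenario: no key leaves the server until the content owner has approved.
    if rules.get("needs_owner_approval") and not owner_approved:
        return False, "awaiting owner approval"
    state.setdefault("first_opened", now)
    state["opens"] = state.get("opens", 0) + 1
    return True, "key released"

def demo():
    t0 = datetime(2003, 3, 31, 9, 0)  # constructed timeline
    rules = {"max_opens": 1, "hours_after_open": 24,
             "days_after_receipt": 30, "needs_owner_approval": True}
    env = seal(b"constructed salary file", rules)
    state = {"received": t0}
    return [
        request_key(env, state, t0 + timedelta(hours=1)),
        request_key(env, state, t0 + timedelta(hours=1), owner_approved=True),
        request_key(env, state, t0 + timedelta(hours=2), owner_approved=True),
        request_key(env, state, t0 + timedelta(hours=26), owner_approved=True),
        request_key({**env, "rules": {**rules, "max_opens": 99}}, state, t0, owner_approved=True),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the check runs on the server before any key is issued, a stolen server password alone yields only ciphertext, and editing the rules on the client side invalidates the envelope.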
But if DRM is so powerful and pervasive, why then has its scope been so limited? There are a few reasons for this. First, the widespread application of DRM to textual data has been predominantly limited to the Adobe PDF format, which has implemented a fairly modest (though valuable) capability. Microsoft, for its part, has not traditionally focused on security applications (although much has been made of its commitment to the “Trustworthy Computing platform”), and other DRM vendors have focused, to their apparent detriment, on the industries that would appear to value content control the most: the content industries, particularly those whose products involve so-called “rich” media (music and movies) and whose troubles with services like Napster and KaZaA have been so widely exposed. As we’ve seen, the irony of these applications is that DRM’s strength (the ability to specify complex business rules and bind them to modular content) fails to address the issue of greatest concern to these businesses, which is preventing their valuable content from appearing on the Internet in unprotected form in the first place.
Corporate DRM proponents gamble on three trends: that rich media formats (especially audio and video) will continue to be of increasing importance to general business communication, that more diverse rich-media-enabled broadband and mobile devices and appliances will appear on the Internet (but the PC will remain a crucial part of the mix), and that the content industry (being desperate for an answer to Internet piracy) still has the capacity and inclination to drive DRM solutions into the marketplace. Microsoft has clearly demonstrated how consumer platform adoption can propel solutions into the business market. And it understands well the power of network effects when it comes to adoption of application standards, whether open or proprietary.
The question remains, however, whether Microsoft’s proprietary approach, or an open-standard competitor, can marshal trust and support from a suspicious copyright industry that still tends to hold Internet distribution in low regard. In a tacit acknowledgement of the issue, early last year Microsoft and ContentGuard, who created its selected rights management language XrML, put the language in OASIS, an open standards consortium. (Meanwhile, RealNetworks’ competing standard known as XMCL fell by the wayside.) Opening the language, however, doesn’t guarantee the interoperability of protected formats. An application may be perfectly capable of interpreting business rules expressed in a standard language, yet, lacking a decryption algorithm or codec, utterly unable to comply. So there remains a potential corner to the market, with a lively competitive profile.
To date, DRM remains a controversial entertainment-industry-specific technology searching for a market. The rich content industry applications in which it has made an appearance (specifically, Internet services like MusicNet and Pressplay for music, and Movielink and CinemaNow for movies) have yet to achieve significant commercial impact, nor have they demonstrated why DRM might be important to other industries. It remains to be seen whether the technology can gain traction in its initial market, much less mature into an important innovation enabler of the information enterprise.
Even so, with the possible exception of identity services like .Net Passport, in principle there is no more important Internet security technology in the offing today. It may behoove today’s forward-thinking IT executives to turn their attention to the issue and evaluate how the current debate might affect their future options. After all, how many IT executives in 1996 considered how central a browser war might be to their long-term security infrastructure?