Protective measures
Trying to keep digitial content in the box.
Paul G Schreier, Contributing Editor

Some people see entropy at work in the realm of digital content. In their eyes, the convergence universe is moving rapidly toward disorder. Digital content is tending toward unfettered distribution. As one industry participant says, "Trying to contain digital content is like trying to hold water between your fingers." While some people welcome this kind of entropy, others, notably copyright owners, don't appreciate it at all.

Humanity has long fought to overcome entropy, at least locally. We can create heat and generate motion by burning fuel. We can use medical technology to prolong life. I can clean up my office.

In the same spirit, content providers are battling content entropy. They're developing hardware and software to implement digital rights management (DRM), a system that aims to keep digital content under control.

Most discussions about protecting digital content revolve around security, in the form of cryptology and secure distribution. Although vitally important, security is only one small aspect of what makes e-commerce feasible and profitable. Security technologies evolved to protect computers and nets from outsiders. With digital commerce, the threat arises not only from outside, but also from within. For example, a user who is authorized to access the content might choose to use it in unauthorized ways, such as distributing copies.

And here's where a fast-growing number of DRM suppliers are stepping in. They sell "persistent protection" that allows owners to not only encrypt content but also control who can access it, how often they can access it, and where and on which devices or systems they can access it. Furthermore, these companies have set up clearinghouses that work with the DRM client software on user systems to ensure that all transaction partners—the artist, the content owner, the distributor, the DRM-software provider, and other parties—receive agreed-upon compensation, whether monetary or otherwise. Under this regime, users don't buy the content; they purchase the rights to use it in specified ways.

Buy a container

In simple conceptual terms, DRM systems put content into locked boxes (see figure). First, the content publisher creates an encrypted file (a box) that joins the content with a set of rules (a lock, if you will). These rules dictate who can access the content, when they can do so, and even how and with which devices. The rules can be flexible and can accommodate a variety of content types. They might dictate that an e-book be read only under certain applications or on certain approved players. They might dictate that you can listen to a song twice for free but then must submit payment for further playback. The rules might even dictate that a press release can't be read until 9 a.m. on a certain day. This flexibility is one of the most appealing aspects of the emerging e-commerce.

Before freeing up the content, though, the DRM client starts initiating back-office procedures, such as gathering user information or transferring funds. For instance, the client might require an immediate credit-card approval, or, for trusted consumers, might start keeping a tab for later payment. The clearinghouse divvies up the payments among the content owners and other participants.

Before leaving this model, consider a term that's got content producers drooling: superdistribution. With DRM protecting against piracy and ensuring payments, every end user becomes a potential distribution channel. Your daughter could pass along a hot new song to 23 of her closest friends, who likewise would be able to access it according to the rules enforced by a local DRM client.

Where's the money?

So, artists and their handlers will get paid. What might remain unclear is where the DRM providers make money. The scheme will follow the familiar credit-card model, where merchants pay a small percentage, perhaps hiding the cost in the article's sticker price. OEMs can generally get DRM development and client software at little or no charge. In fact, today you can download such software from several firms including InterTrust and Microsoft. However, when a user makes a transaction, the software adds a fee, which could be as small as a few pennies.

With this knowledge of the container-enabled DRM scheme, you're now able to compare it to other, simpler approaches that some vendors are trying. One DRM company, Reciprocal, categorizes the various approaches as follows.

The simplest scheme is the pay-per-burn model, in which the user can play content on standard devices and thus has the ability to make copies for personal use—or illegal distribution. This approach offers maximum content portability but sacrifices persistent protection.

Next in complexity is a model that resembles the previous approach, except that each copy incorporates a digital watermark. This makes copies traceable. It's effective against large-scale copying and redistribution but not against someone passing copies to friends.

Publishers gain persistent protection at the next level, which allows users to extract digital content to a play-only appliance, which provides only analog outputs for headphones or other approved devices but supplies no digital outputs. This restriction to certain types of hardware devices is also the scheme's major disadvantage, limiting the potential customer base.

One level higher in refinement, we find device-level content protection, where a dedicated read-only device comes with basic content protection. For example, a PC could contain a DRM client. When you want to download a song from the PC to your digital audio player, the client requests that the target player send back its unique ID. The client then encodes the digital content along with the device ID, so that only that particular device can play the content. This method ensures persistent protection, but eliminates content portability after extraction, thus cutting off the possibility of superdistribution.

At the highest level, as outlined in the figure, is a container-enabled device where the DRM client no longer resides solely on a PC but also on the player. To build such a client-equipped player, you need special chips now coming on the market.

A leader in this area is Cirrus Logic, whose EP7339 uses the firm's Maverick Lock technology and, in its first implementation, includes a DRM client from InterTrust in firmware. This device sells for $15 in volume and, according to VP and general manager Matthew Perry, "represents the first time somebody has produced a general-purpose processor with government-level security on a chip at consumer prices."

Because you can now download an encoded/DRM container file to an MP3 player, the PC becomes only one of many possible secure pipes, others being public kiosks or even floppy disks. The Maverick Lock technology includes on-chip security features such as a built-in SDMI (Secure Digital Music Initiative) ID, which ensures that content can be played only on the specified player. The technology also automatically verifies that the chip is booting in a secure environment, and automatically disables its debug and test interfaces, which blocks hackers from accessing the portions of the chip that store the private ID numbers and other secure information.

Partners and competitors

Cirrus Logic is only one of many firms that look upon DRM as an entry into the lucrative e-commerce market. It's sometimes difficult to distinguish among partners and competitors, especially when many are signing cooperation agreements and taking financial stakes in each other. But here's a rundown of some prominent players.

At the first level are technology suppliers, who provide software that encrypts usage rules along with content and who also provide client programs. Even Microsoft has gotten into this game with its Windows Media Rights Manager, for which you can download a development kit. You'll also recognize Adobe, which has created secure versions of PDF files as the base technology for firms such as Glassbook, which gained recent fame by providing the software necessary to read Stephen King's Internet-only novella, Riding the Bullet. Xerox is also getting involved in the publishing space. As for firms heavily involved in music, Sony is developing a proprietary technology dubbed MagicGate.

Also keep an eye out for less-familiar names. Examples include InterTrust and RightsMarket. These companies go beyond simple cryptography and security/rules enforcement. They are also getting involved in the next layer, implementing an e-commerce model based on DRM technology. This back-office phase involves setting up vendor accounts, handling customer support, and even getting involved in the clearinghouse activities.

For most companies, specialization has become the name of the game. You can more easily understand the DRM/e-commerce framework in existence today by noting that companies tend to fall into several broad categories. Some work with DRM technology and services from one company and focus on one market, such as music. Next are firms that rely on one technology but work in multiple markets such as publishing and music. Finally, broad-based companies deal in multiple technologies and markets. One of most prominent in this category is Reciprocal, which works with DRM technology from Microsoft, InterTrust, Xerox, Adobe, Preview, and IBM to serve multiple markets including music, publishing, software distribution, and even video distribution.

Finally, don't forget the clearinghouses. Big names here include Reciprocal as well as Magex (National Westminster Bank), Mitsubishi, and Price Waterhouse Coopers. Also note that content providers have choices to make. BMG Entertainment, for instance, has so far announced working relationships with three technology providers (InterTrust, Microsoft and IBM) and two clearinghouses (its own Digital World and Reciprocal).

Diving in

So far, direct digital delivery has been in an adolescent stage, where vendors have been trying to work out the bugs. For example, they've offered MP3 files by lesser-known musicians to users who were willing to fill out a marketing questionnaire. Or they've allowed free download of a single track to spur CD sales.

However, the day will soon be here where money changes hands and you take direct delivery. For instance, BMG and Liquid Audio have announced plans to sell digital music by artists such as the Backstreet Boys and Britney Spears through online retailers this summer. And by the time this article appears Sony might already be selling digital music.

Not everyone is enthusiastic about jumping in so quickly, given recent events. One trend that gives many people pause is the massive popularity of Napster, a freeware program that lets users easily trade MP3 files. The program has exploded in popularity, to the point where several universities have banned its use because it ate up too much network bandwidth. A newer utility, Wrapster, performs the same function for video and software files. Consider also that it only took hackers a day or two to break the 40-bit encryption key protecting King's novella and place a clear-text PDF on the Web.

Is the genie out for good?

Most experts agree that perfect security is impossible. So the question becomes, can content providers find a way to reduce piracy to an acceptable level?

Moreover, how will the public respond to various schemes? Almost everyone agrees that DRM technology must be transparent to the user, that ease of use is crucial. However, critics see the systems that are now springing up as far too cumbersome and complex.

Lindsay Moir

Given that situation, RightsMarket favors a rather radical idea. Why not accept the fact that clear-text copies of songs and books will escape the cryptology box? Instead devise a scheme that takes advantage of that fact. Because it's easy to make digital copies, let users make them, Moir argues. Copies aren't the issue—what matters is getting paid when somebody uses copies.

The RightsMarket scheme relies on a combination of unencrypted content and metering. For a flat fee—whatever the market will bear, perhaps $20 or $30/month—users would be free to download all the digital music, books, or videos they wanted. DRM client software would track which files the consumer played and would report these usage stats to a clearinghouse. The clearinghouse would apportion the flat fee among the content owners and others based on the percentage of usage. Your daughter only plays songs by 'N Sync? That group gets all of the monthly fee. If she also plays Christina Aguilera from time to time, she'll get her share too.

This model is frictionless and simple to implement, Moir argues, making it acceptable to consumers, who generally want to play by the rules and not steal. Users would download unencrypted songs, text, or videos, just as Napster allows today. Playing a song, whether on your PC, using software such as WinAmp, or on an MP3 player, would trigger a RightsMarket plug-in. The plug-in would identify the content and make a notation each time you play the song. Periodically, the DRM software would flush its queue of recent activity and send a message to a RightsServer, which collects your metering/usage data over the given timeframe.

How does the plug-in know which content you've played back or read? Even today, almost every document has some identification. For instance, Napster uses the ID tags built into MP3 files when it lists results from a search. Soon all songs in digital format coming from music publishers will have watermarks that provide identification data.

Now add the concept of superdistribution. What if a teenager passes the latest hit song along to his friends? No harm done—the system works just as if any of them had pulled the song off the Internet personally. The DRM plug-in on the friend's PC now records usage patterns for that song and passes that info on to the RightsServer. In the end, the friend's monthly fee also gets divvied up appropriately.

Moir acknowledges that the RightsMarket scheme must also accommodate high-value content that won't float around quite as freely. An example might be a market-research study that sells for $1000. Content owners will want direct compensation, not shares of metered revenues. Thus they'll distribute this kind of content in a cryptographic container that follows the DRM model presented earlier in this article.

This content will eventually escape too, but the market won't be quite as "liquid" and it will take longer for it to slip through. For one thing, buyers of expensive content will be less inclined to "set it free" after themselves shelling out big bucks. And by the time the content eventually does slip through as clear text, maybe several months or a year later, the information will have decreased in value.

RightsMarkets' radical concepts aren't yet implemented, but Moir feels that in a year or two consumers and content providers will become extremely dissatisfied and frustrated with the emerging batch of "high-friction" schemes. These models will break down. Suppliers will learn the lessons of the marketplace, and they'll realize that metering is the only viable alternative.

Scornful response

Like most radical ideas, this one generally elicits scorn and derision from competitors. Vendors of container-based DRM believe Moir is way off base. They agree that some content will escape, but they add that's always been the case. Copy machines are widespread, but book publishers are flourishing. You can buy CDs from a guy on the corner, yet most people continue to buy from legitimate bricks-and-mortar or online retailers. It doesn't take a degree in electronics to steal cable TV using a black box, yet few people bother.

So we return to our discussion of physics. Even when we claim small, local victories over disorder, entropy always wins on the grand scale. What kind of effects can we expect from these efforts to control digital entropy? As consumers get the chance to use and evaluate these DRM schemes, we'll see whether we end up with an orderly content universe, or total anarchy.

Author information

Contributing Editor Paul G Schreier is a writer and marketing consultant based in Rye, NH. You can reach him at aa1mi@ARRL.net. He generally lets entropy win in his office.