Digital Rights Management - Part 4. By Karen Coyle


Trusted Systems

A rights expression language just expresses; it has no enforcement ability on its own. To gain that enforcement the REL must be used in the context of a system. Since the rights can include distribution of protected works from one party to another in the form of sales or lending, the system must encompass all parties and all means of interaction. And this system must be secure from end to end. It must be what is called a "trusted system."

The development of trusted systems is occupying the attention of computer scientists and companies in the computer area. Trusted systems will be necessarily complex. Although there's probably sufficient theory to understand how they should work, creating trusted systems that actually work and are economical is another matter. John Erickson, of HP Laboratories, has spoken frequently of trusted systems and digital rights management, and this diagram is his illustration of the necessary parts and interactions for a trusted system for DRM:

Trusted systems diagram

This is a very high level diagram, in that it doesn't give detail, but you can see from it that the interaction for a rights management transaction will require a lot of parts working together. Included in those parts is the computer of the end user, the one on your desk at home, and part of the trusted system is that this computer must be made trustworthy. Trustworthy in this context means that the system must be able to trust that your computer will obey the rules of the rights management software, regardless of what you instruct it to do. As a simple illustration, let's say that you have paid a fee for a book and you can read it for two weeks starting December 1, 2003. Time passes and it's now December 13 and you're not very far along in the book. However, date and time are settings on your computer that you have control over. You can simply reset the clock to December 1 and continue reading. There are a number of ways that this can be "fixed" but the upshot is that timekeeping has to be part of the trusted system and not a function of your individual computer. As a matter of fact, a future operating system for personal computers will have the ability to participate in rights management built in to the operating system itself. This is the system under development at Microsoft, originally called Palladium but now known as the Next-Generation Secure Computing Base. Among other functions, this operating system will not allow you to run non-trusted programs when protected content is present on your computer. This is intended to prevent piracy, because a program that would break the encryption on a protected file simply would not be allowed to run. As one speaker at a DRM conference that I attended said, trusted computing means that content owners can trust that the computer will obey the DRM instead of you, the computer's owner.

Even without the full scale of trusted computing, systems that will put users together with digital content in a way that respects license agreements will be far from simple. A group of researchers working on a system that will authenticate users for licensed content in a university library setting have come up with this high level diagram. Note that this system does not include any protection of the digital content, only the aspect of getting authenticated users to the digital content:

Martin/Agnew federated rights diagram

DRM and the Law

The question that generally arises at this point is: Will I still have fair use rights? The answer is: Yes, copyright law will still recognize your rights to fair use. However, with DRM in place, you may not be able to exercise those rights. DRM is not an implementation of copyright law, it is a system for the protection of digital works. While the debate over fair use and first sale rights for digital materials goes on, most creators of DRM systems are careful to avoid any reference to copyright law in their products. DRM will implement licenses through software controls. The rights or grants in these licenses will not look like the rights we have under copyright law; they will look like the grants that can be expressed in a computer environment. A particular license may allow you to make copies of up to five pages in a book. If you need to copy six pages, and if you feel that the copying of those pages would be allowed under the doctrine of fair use, the software will still only allow you to copy five pages. Where the law allows some flexibility and asks us to make judgments, DRM implementations will be quantitative in nature.

Another important difference between DRM and copyright law, and one that causes me some particular consternation, is this: copyright law sets down a few rules about copying and performances. It gives the exclusive right to make copies to the rights holder. It sets out some exceptions to that right. But in general it doesn't attempt to anticipate every possible use of a copyrighted work. A digital rights management system functions in exactly the opposite way. Where copyright law is an expression of "everything that is not forbidden is permitted," DRM takes the approach of "everything that is not permitted is forbidden." Under a system of DRM, any action you wish to take, such as being able to print from a work, has to be explicitly granted. If there is no stated right to print, then the rights management system will not allow printing. This is seen as a necessary requirement to create secure software by those developing DRM systems, but it has great implications for future uses of protected works. Imagine that a decade or so from today there is some new feature in our computer systems; let's say that computers no longer have screens but instead project displays onto any surface. If this isn't recognized by the DRM system under rights that it already allows for a particular digital resource, then it will not be possible to view that resource on this future computer. And that means that it may not be possible to view it at all because a change in technology isn't recognized by the particular controls that are protecting the resource. The future interaction of DRM and innovation could be stifling, both of innovation and of access to certain intellectual resources. In addition, as we saw above with the Microsoft Reader and its lack of a print function, the approach that requires all possible activities to be actively permitted is not compatible with the public domain, where nothing is forbidden.

DRM and Libraries

There is no doubt that DRM has the potential to have a tremendous impact on libraries and how they do their work. Exactly what the impact will be is hard to predict today because of this is a technology in the early stages of its potential development. But it is possible to present some general cautions based on current experience with protected works.

The good news is that there is nothing about DRM that would inherently prevent library lending. As a matter of fact, the systems that have been and are being developed for the sale of works can be transformed into systems for lending, since lending is virtually identical to a short-term sales transaction. We already have lending of digital works in systems like netLibrary's for ebooks and in recently developed systems for libraries by FictionWise and OverDrive. More sophisticated DRM systems may allow libraries to provide additional services beyond lending, such as integrating digital library materials into courseware at educational institutions.

But DRM is likely to provide significant challenges as well, especially in these areas:

Local Control
Rights management systems, especially when embedded in trusted computing systems, will be on the cutting edge of computer technology for at least some time. These systems require strong security end-to-end, from the producer of the digital product to the end user. Because of their technical requirements it is unlikely that a fully trusted digital rights management function will be included in library computer systems, at least not in a way that is affordable to most libraries. This means that the content and the control of the content will remain in vendor systems, and libraries will "outsource" access to the digital materials to these vendors. This is not unlike the situation in libraries today in relation to online databases and digital reference materials, but the impact of this model should be expected to increase as the technology grows in complexity and expense. Implications of this model range from the library's right to archive materials to issues of patron privacy.
Contracts and User Support
With hard copy works, there is one set of rights that pertains to all. A digital rights management system with a fully developed rights expression language could provide a different set of rights for each publication, and if not for each publication than at least for each publisher. At the extreme, libraries could find themselves negotiating for user rights on a title-by-title basis. More realistically, there will be classes of works with different sets of rights, and classes of users who can exercise different rights. Some amount of time will be spent by library staff mediating between the users and the rights packages, especially as users gain experience with the restrictions imposed by DRM. You can imagine a time when a user comes to the reference desk looking for a book on a topic but specifying that it must be one that allows some printing, or that can be rendered in large type on a particular device. The user support overhead for libraries must be calculated into the cost of purchasing and managing these materials.
Archiving and Future Use
There's an interesting contradiction taking place today when it comes to digital materials. Although some titles are available on a term-limited licensing basis, many titles are being offered for sale to libraries. Sale in this case meaning a permanent acquisition. Sale is what makes sense to libraries, who insist on the ability to purchase electronic materials even if they do not physically acquire the digital files. Sale also makes sense to publishers whose entire business model is based on units sold. But we are not even sure how to archive and provide some guarantee of future access to digital files that have no rights management controls applied to them, and the addition of DRM into this future makes matters much worse. If it takes an entire complex system to allow a user to open and read a book, what happens twenty or fifty or a hundred years from now when that system no longer exists? When the default is that usage rights must be positively granted, a loss of that granting system means that no use can take place. DRM in itself does not make digital archiving impossible, but it does compound the problem.

The bottom line is that digital works are in our future, and that digital works need protection because they can be easily copied. This we cannot change. But librarians can have an impact on the development of DRM technologies by participating in the discussions taking place in standards organizations and the research arena. It is our professional duty to take part in the development of technologies that will affect the future of reading and information access.

Some Useful Links

Standards Organizations
Open eBook Forum
Motion Picture Experts Group
Oasis
World Wide Web Consortium
Standards
ODRL
XrML
PRISM
Ideas and Discussion
OCLC's DRM Readings Page
Electronic Frontier Foundation DRM Page
Law and Technology of DRM Conference Page

©Karen Coyle, 2003
Creative Commons License
This work is licensed under a Creative Commons License.