Workshop
Managing Your Digital Rights

  September 15, 2002
  By Sean Doherty



XrML

XrML, the result of a digital-rights language concept that started at Xerox's Palo Alto Research Center, is emerging as the de facto industry standard. Although currently controlled by ContentGuard, the responsibility for XrML standards and development is being transferred to the OASIS Rights Language Technical Committee, an industry group that includes Hewlett-Packard, IBM, Microsoft, VeriSign and Xerox as active participants. As the name implies, XrML is extensible, and it is fully compliant with XML schema and can be combined with other elements, such as resource-level metadata standards like RDF.



In XrML 2.0, rights and conditions can be assigned different levels of granularity for individuals and groups. The most important concept in XrML is the license. Conceptually, a license is a container of permissions, or grants. Each grant conveys to a particular user, or principal, the ability to exercise some identified right against an identified resource. In turn, rights are subject to conditions that must precede the exercise of the right. Licenses can be interpreted and enforced by the application enabling the digital medium. In addition, a trust environment can be specified in the language to maintain the integrity of the license and the conditions.

Recommended Reading

  • Consumer Broadband and Digital Television Promotion Act, S.2048. You can track bills by number at thomas.loc.gov/
  • Digital Millennium Copyright Act of 1998
  • OpenLaw: Open DVD
  • World Intellectual Property Organization report on Intellectual Property Issues Related to Electronic Commerce

For example, DMOD WorkSpace 2.0 uses XrML in tickets (see diagram). Tickets (read: licenses) secure workflow and control the distribution of media. This works in a Java-based, client-server architecture using four major components: the WorkSpace administration tool, gateway, desktop and an embedded QuickTime media player. The WorkSpace administration tool communicates with a gateway server to create licenses. The gateway is responsible for validating user identifications and maintaining an address book of active users. DMOD client software resides on the end user's desktop and facilitates access to the gateway using a PKI. Users authenticate to the gateway using a private key and public key exchange. Content owners use the desktop client to upload media and define access permissions using tickets.

Tickets are XML documents that accompany each file transfer and let intended recipients access the content. The WorkSpace desktop automatically generates a ticket when a content owner uploads a file to the gateway for secure distribution. The ticket contains an asymmetric key used to encrypt the file and its attributes, including the owner's public ID, digital signature and the media-access permissions in XrML. On the receiving end, the desktop interprets and enforces the ticket or permissions. Permissions available in version 2.0 include release dates, expiration date or full export to native media. Release and expiration dates are monitored by the gateway, which acts as a trusted time server. Content is played back on the desktop from an embedded QuickTime media player.
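The license model described above (grants that bind a principal, a right and a resource, subject to conditions) and the ticket's release and expiration dates can be expressed as an evaluator that denies by default. This is an added example, not code from DMOD or the XrML specification: the element names are a simplified, constructed vocabulary rather than the XrML 2.0 schema, the function names are hypothetical, and it assumes the ticket's signature was verified beforehand and that `trusted_now` comes from the gateway's clock.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample license. Element names follow the article's vocabulary
# (license, grant, principal, right, resource, condition), not the XrML schema.
LICENSE_XML = """<license>
  <grant>
    <principal>alice-key-id</principal>
    <right>play</right>
    <resource>promo.mov</resource>
    <condition notBefore="2002-09-15T00:00:00+00:00" notAfter="2002-10-15T00:00:00+00:00"/>
  </grant>
  <grant>
    <principal>bob-key-id</principal>
    <right>export</right>
    <resource>promo.mov</resource>
  </grant>
</license>"""

def _aware(value):
    """Parse an ISO 8601 time; reject values without a UTC offset."""
    t = datetime.fromisoformat(value)
    if t.tzinfo is None:
        raise ValueError("license time lacks a UTC offset")
    return t

def _holds(cond, now):
    """Evaluate one condition; empty or unrecognized conditions deny."""
    if not cond.attrib or set(cond.attrib) - {"notBefore", "notAfter"}:
        return False
    nb, na = cond.get("notBefore"), cond.get("notAfter")
    return (nb is None or now >= _aware(nb)) and (na is None or now < _aware(na))

def is_permitted(license_xml, principal, right, resource, trusted_now):
    """True only if a grant matches and every condition on it holds.
    trusted_now must come from the trusted time source, not the client clock."""
    if trusted_now.tzinfo is None:
        return False  # an ambiguous clock value cannot be compared safely
    try:
        root = ET.fromstring(license_xml)
        for grant in root.findall("grant"):
            who, what, obj = (grant.findtext(t) for t in ("principal", "right", "resource"))
            if (who, what, obj) != (principal, right, resource):
                continue
            if all(_holds(c, trusted_now) for c in grant.findall("condition")):
                return True
    except (ET.ParseError, ValueError):
        pass  # malformed license or time value: fail closed
    return False
```

The evaluator treats anything it cannot parse or does not recognize as a denial, so a tampered or truncated ticket never widens access.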



[Diagram: DMOD Workspace 2.0 Architecture]

The Law

Although DRM systems promise a high degree of security for digital content, no security system is tamperproof or foolproof. For example, a Norwegian teenager defeated the entertainment industry's CSS, which encrypts DVDs to prevent their unauthorized use and duplication (see FYI, below). To increase the security of these systems, laws and regulations have been created to prohibit the circumvention of security measures for digital content. They also forbid the manufacturing and distribution of devices that can be used to circumvent security measures.

In the United States, the DMCA contains anticircumvention language that broadly protects technological access- and usage-control measures, as well as the metadata that identifies and secures content. In the European Union, the Copyright Directive of 2001 outlaws the circumvention of technological protection measures and guards the metadata associated with content. On a global scale, the WIPO (World Intellectual Property Organization) Copyright Treaty and the WIPO Performances and Phonograms Treaty prohibit circumvention measures.

The DMCA has come under heavy criticism for its effect on traditional limits to copyright in Fair Use and the First Sale Doctrine, as well as the First Amendment right to free speech. It is unclear how the DMCA will affect exceptions to the law for libraries and law-enforcement agencies and to allow reverse engineering and research in encryption, privacy and security.



[Figure: Digital Rights Management Solutions]

Enterprises should monitor the law as it moves to a greater understanding of these issues. For now, the law acts as a fail-safe mechanism for DRM systems--if the DRM system fails, current law and regulations step in and operate to protect trade secrets and content that fall under copyright law. These laws can lead to the prosecution of anyone who defeats the technical specifications of the DRM or removes or modifies the metadata associated with protected content. But laws can change, just like technology.

Choosing DRM

Enterprise digital content requiring protection includes books, briefs, movies, patient data, research, software and songs as well as derivative works, like commentaries and reviews, and metadata describing content and the business rules, processes and user profiles that allow access to it. For much of this content, a DRM system makes sense in a digital world where relationships are virtual and loyalty lasts only as long as the length of a contract or license.

DRM solutions along with applicable laws can protect intellectual property and create a trusted environment for enterprises to share proprietary information with business partners. In addition, by providing a secure distribution medium, DRM has the potential to streamline business processes and reduce the costs to distribute content. If you look to a DRM solution, make sure it adheres to open standards and is flexible enough to change as laws evolve and to incorporate new technologies to bring ROI to enterprise content.

Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Send your comments on this article to him at sdoherty@nwc.com.

