INFORMATION SERIES #1: DRM
The term Digital Rights Management (DRM) defines technology used to protect the rights of copyright holders with regards to the dissemination of digital content.
The World Intellectual Property Organisation (WIPO) works with governments to, in the words of European law (2001/29/EC(4)), 'protect and stimulate the development and marketing of new products and services and the creation and exploitation of their creative contents.'
The protection demanded by the law was, at the time of its conception (post 1994) beyond most technologies that were available. Indeed, the cost of high bandwidth and the relatively low compression that could be applied to data meant that the practicalities of piracy (particularly with software and music) would involve mechanised reproduction of CD and video and all the expense associated resulting in risky investments for an 'illegitimate' business.
At this time networks were not accessible to the man in the street. The concept of using gigabytes of bandwidth to transfer entire music collections was inconceivable in the days when a 1.4GB hard disk drive was considered excessive expense.
The home CD-R caused considerable upset, and since a report (Koranteng - FT - 1997) claimed that the internet would facilitate a boom in online ordering of CDs, the music industry and associated organisations formed their five-year strategies on close monopoly of the CD mass-manufacture and distribution processes. There was a lot of investment at stake.
Then, in 1999, they finally had to address the possibility that the contents of their product could be distributed many times more efficiently on the internet. In fact their key market - the US college market -- had worked this out sometime before. The resulting mp3.com floated for billions. That turned the heads of the music industry sharply -- they called in the cannons and set the RIAA to work.
No clear legal position could be taken with mp3.com since they had never actively promoted themselves - 'we never paid a penny on promotion': said Sean Kean of mp3.com in March 2000 - they even obligingly took their my.mp3.com site down when it was questioned. Another target had to be found.
Napster -- the big debate at the end of 2000. Like mp3.com, their reputation snowballed because everyone used it -- including its critics. It was targeted because it could only really be used to find music the user already knew the name of -- usually that which had been promoted by a CD promoter. The promoters and record companies found a case for arguing that Napster's revolution would be the undoing of THEIR industry and so they decided to use some amassed capital to protect their copyright assets.
Thousands of other repositories of music began to emerge. In fact, an 'un-policeable' number. Piracy was, and remains, rife, but mixed in with entirely legitimate amateur content. Thus, it became laughable of the CD company to ask the general public to hand their mp3 software back to try to protect their Copyright Protected portion of the available content and effectively state that, 'from now people in their homes will only be able to send audio and video to each other using IT if they are officially releasing that audio and video through a record label.'
For the first time in its history the cartels and monopolies, and indeed the very economic model that traditionally controlled vinyl, CD and fixated media were under threat.
This argument then developed two sides:
* Copyright licensees and holders had previously raised large amounts of funding to produce media to sell on a unit by unit basis, maintaining tight control of the production and distribution process and thus ensured revenues against the investment needed to produce the media, including paying the artists and creatives at the heart of the process.
These artists had an expectation (after 70 years of the industry establishing itself) that they would seek an advance ('record deal') and then see royalties once the cost of CD or vinyl productions had been recovered.
* Once mp3 arrived the issues changed. Now the artist could not only master their music on their home PC, but also distribute it directly to the fans and end users from the same PC with no more cost than their internet access bill.
The 'middle man' of the CD industry was now NOT the only way to get musical artistry and content from the artist to the audience.
The CD industry suddenly had to work really hard to add value to their product. This meant that more concentrated focus had to be made on the production and promotion of fewer artists. The unsigned artists lost out.
Along the way the phrase 'Digital Rights Management' was emerging. This is the utopian solution to the problem. In effect, DRM technology aims to support the WIPO and relevant government treaties in their aim to 'protect and stimulate the development and marketing of new products and services and the creation and exploitation of their creative contents.'
The idea is to create a technology that audits a particular copy of copyright data and ensures that due rights are collected for each use of that data.
While CD has a definable 'scope' limited to its physical existence, data does not exist in any tangible form. At first, data within the concept of a word processor document is easy to consider as being much like a CD. If you make a copy of the document you have two copies. Copyright Legislation in this circumstance looks very similar between the two systems.
However DRM immediately becomes more complex when you look at data on networks.
Should I publish a document on the internet, and email a link to that document to a third party am I breaching copyright? In this case the answer is governed not by technology but by agreement with the copyright holder.
Clearly publishing an unlicensed copy of the content on the net is a breach of copyright, but finding such a copy and then publishing its URL is much more a complex scenario. Technically access to the URL can be controlled by administrator control on the web server where the document exists.
In this way only 'authenticated users' can access the copyright content.
If the content is published on a public (anonymous) web server no amount of licensing and threats will prevent anonymous users copying that information and re-distributing it from another place.
Indeed, when it comes to streaming there are a whole new swathe of issues. While one streams content from a US web server back to a PC the stream itself will pass over a variety of different networks, and since data is passed around a network in a 'store and forward' manner (think pass-the-parcel) it is conceivable that the stream you finally see has reached you not from the source server, but from a 'relay' within your own ISP. As such, if that original file is a pirate stream your ISP could be accused of providing you with copyright data that the ISP isn't licensed to distribute.
In European legislation there is a provision that makes transient, incidental and essential technological processes between two third parties exempt from copyright infringement. While this goes some way to protecting the ISPs the copyright holders still have no solutions.
What they need is a technology that is ubiquitously accepted. The technology needs to only let authenticated users gain access to the content, and needs to prevent copies being made. It also must be 'lightweight' in the amount of DRM data added to the original content to ensure that, particularly with regard to bandwidth-sensitive streaming, the delivery of the core content was unaffected.
Why was mp3 the nemesis then? After all mp3's header file contains an ID tag. It includes a categorisation of its type (jazz / rock / classical etc), its title, the author's name, some basic compression data (the bit rate and sample frequency) and all the information to identify the person who could give you the rights to use the copy.
The only problem was that all this information could be changed easily - mainly to give the end user the ability to archive their audio files as they needed for their own purposes.
There is no security system as part of the mp3. Any one with a copy can play that copy and copy that copy in turn, identifying it as they please.
The reason? The audio codec (Compression / Decompression software) and application developers were utterly relying on the network layer organisations (those who usually deal with access rights and billing) to deal with protecting access to audio and video content and the network guys were relying on the application guys to solve the problem.
The technology was out and fashionable too.
With no way to prevent the existence of an mp3 file and to recall all the software that produced it, the loophole around the distribution monopoly was firmly blown open.
A strong desire to close this loophole launched several initiatives, both commercial and standards-based. Thomas Dolby (of Dolby Stereo) put his name to Liquid Audio. Liquid Audio promoted itself as being better than mp3. Truth was it was a little too heavyweight with its security payload to be truly better than mp3. The perception at the time was that 8kbps streaming was as good as it would get (largely due to early RealAudio projects that gave the earliest streams news-worthy profile), and as such Dolby was onto a good thing. Liquid Audio worked if your media player had the relevant codec, so simply finding a liquid audio file was not sufficient - you had to fit your player up with the ability to decode it. Indeed this is the fundamental reason for the ubiquity of the mp3 file - it was shipped as standard.
The second initiative was a project called the Secure Digital Music Initiative (SDMI). This was a rally by the music industry to finance the development of a common standard. Overseen by the RIAA, the SDMI attempted to address the key security issues. It then produced a range of technologies that claimed to offer DRM.
They produced secure 'wrappers' that (a bit like a password-locked .zip file) compressed and encrypted the audio file. They also produced a watermark idea of interest.
What they missed was a public document from AT&T's research labs asking for public input on their development of secure DRM technology. SDMI's programmers must have been reading this report since, at the time the SDMI was launched in a competition (where the public was invited to 'hack SDMI'), the AT&T Document read like a how-to-build SDMI manual and meant that (along with a multitude of other reasons) it was cracked only hours into the competition.
What were the faults? Well, a simple logic operation between any two legally purchased copies of the data would instantly reveal the watermark, which could then be subtracted from the file, and the encryption was, as ever, a matter of having a very fast computer (or lots of time) to spin the combination lock until it sprung open.
After that a wide variety of DRM 'solutions' arrived on the market.
Windows Media decided to incorporate a DRM system into their Windows Media 7 release, and RealAudio was quick to follow. Their systems relied on Public Key technology. The theory behind key encryption is often made more mysterious than need be. At the point of purchase of a piece of music from an online provider, I send the provider my public key. This is basically a string of seemingly random numbers and letters. It has a twin - my so-called 'private key' that only I have a copy of. Any one can have the public key - it is not particularly confidential so it can be safely sent anywhere.
When the online provider prepares to ship the music I have brought he encrypts it using encryption software and my public key.
The encrypted file is then sent to me, perhaps by email or by being made available from a download point at a given URL.
Once I have this file my media player then uses my private key to un-lock the encrypted data. It can only decrypt source files that have been encrypted with MY public key. A really nice plan.
Also one that works, hence the reason the big media movers (Windows and Real) are on the case.
Picture a new single release. If the only point copies of the data ever meet the rest of the world is through a single key-encrypted portal then only rights-paid consumers will receive copies from the portal when they have paid and submitted their public key to identify them. DRM is apparently complete. No one could steal copies, because if the data is not sent to you using your key it will be meaningless. From the point of source to the point of purchase there is a full 'audit trail.' Each owner of a copy of the original content is guaranteed to have paid.
From the point of view of a music publisher making a deal with a technology provider to distribute their content from source to end user it looks like a solution has been found.
However there is one remaining problem, which has been largely brushed under the carpet. That of 're-broadcasting' or 're-formatting.'
Suppose I buy my single as a key encrypted file from an online supplier.
I listen to the tune and really like it - so much so that I play it to my friends for a non-commercial private playing in a private residence, and thus remain exempt from EU legislation. One of my friends has a laptop but no internet connection. He really likes the tune and wants a copy of his own. Since he cannot buy this music offline we collude and use a floppy disk to transfer the file to his machine. The media player lacks my private key and so cannot play the direct copy. In this case the DRM has worked.
Out of desperation my friend then asks me to play the file out of my soundcard and into his. This results in a new copy of the music on his machine in an unprotected file format. However, there is a certain amount of quality loss, much as in the home taping situation. This is because there is an analogue stage (the wire between our soundcards). Then my friend realises that his new audio editor package can resample the original file and out put it in an unprotected format without any analogue stages in at all. The new version is both unprotected and of perfect quality.
The DRM solution has lost its audit trail. From now on no matter how many copies of the new unprotected file are made there is no quality loss and no re-tracing back to the perpetrator.
Indeed, the only real security in this environment is obscurity. While you are unknown you will find little problem with internet piracy. The more profile you gain as an artist the more your content is at risk.
If, that is, you consider proliferation of your artistry to an ever wider audience a 'risk.' Some artists, famously Chuck D and Courtney Love, have spoken out. They believe in the live performance. If people like to hear free recordings they will pay for the pleasure of seeing a live performance. This is where the revenue of the future lies for them.
The days are gone where an artist can write one piece of music and live forever on its successes. The consumer is not limited to buying from monopoly suppliers, thus there is no wealth concentration with which to retain or patronise artists.
Here too is the reason why there is yet to be a 'proof' DRM technology. There is no such thing. It is legislation legislating technology that doesn't exist yet, and it doesn't exist because the 'information society' isn't so sure that the music industry executives have a better taste in music than them.
At its peak Napster was 'enabling throughput' of around 2.8 billion illegally copied tunes a month. It is estimated that now, six months later, there are some 3 billion tunes traded each month internet-wide on non-Napster sites.
Certainly, when you look at it from a human point of view, there is already enough music available on the net that you could listen to music for the rest of your life without ever needing to listen to a repeat. Be it legally or illegally distributed content the fact remains, where will the demand for purchasing any particular content arise when the consumer is so spoilt for choice?
With all these complex issues at hand it will be some time before a truly effective DRM system is introduced which does any more than pays lip service to rights holders.
As we have seen, in specialised circumstances DRM can be effected. Yet we should not be lulled into a false sense of security. Despite the 'content is king' and 'cash for content' economies there is a long way to go before your expensive live or on-demand content becomes secure to the point where you as the provider know that there isn't a third party quietly re-formatting or re-broadcasting your copyright material and passing it on to an unlicensed audience.