Technological Protection Systems

The 1996 World Intellectual Property Organization (WIPO) Copyright Treaty (WCT) and the WIPO Performances and Phonograms Treaty (WPPT) (collectively the WIPO Treaties) require signatories to provide “adequate legal protection and effective legal remedies against the circumvention of effective technological measures.

The U.S. legislation implementing the WIPO Treaties, the 1998 Digital Millennium Copyright Act (DMCA), generally divides technological measures into measures that prevent unauthorized access to a copyrighted work and measures that prevent infringement of a work. Although the term technological protection system is not defined in the TEACH Act or in the DMCA, it is generally used in this report to refer to a range of technological methods to control unauthorized access to and copying of digitized copyrighted works. This section briefly introduces some of the core technologies that underlie such technological protection systems.

Core Technologies

Encryption

Although encryption is an important tool to control access to and transmission of content, encryption alone does not solve all digital copy protection and prevention problems. At the receiver’s end, for example, decrypted content is subject to unauthorized use, manipulation and further distribution. One approach to addressing this problem is to directly embed control information into the media itself, a process commonly referred to as “digital watermarking.” Originally, digital watermarking was the term used only for techniques to embed copyright markings (the “originator’s mark”) into a digitized work. The term “fingerprinting” generally is used for watermarking techniques that reveal the identity of the recipient of the protected content (the “recipient’s mark”). More broadly, digital watermarking today refers to any technology aimed at concealing data in media content.

In its basic form, a digital watermark contains information about the origin, status or destination of the host data. A digital watermark may be embedded in almost any kind of digitized visual or audio data, including broadcast data, without perceptibly degrading or interfering with its quality. The hidden information cannot be removed from the associated data without introducing perceptible distortions or significantly reducing data quality. Thus, digital watermarks can be an important mechanism for content owners to monitor, audit, and index works in the digital environment. Digital watermarks also can be used to identify the source and destination of data, thereby providing rights owners with a useful tool to authenticate content when copyright infringement is suspected. Finally, digital watermarks can be used to detect the unauthorized manipulation of content, thereby providing a means to control the integrity of digital content.

Public key encryption uses an algorithm requiring two keys – a "public" key and a "private" key. The data is encrypted using the public key, which is then made widely available to the public. The private key is kept secret by individuals. The fundamental point is that the encrypted content or secret message can only be decrypted using the corresponding private key. For example, a copyright owner could encrypt a work using the public key of the intended recipient. Once the recipient receives the encrypted transmission, he or she could use the private key to decrypt the transmission. No private keys need to be exchanged in this transaction. Without the private key of the intended recipient, the work cannot be read, manipulated or otherwise deciphered easily by casual users.

The Content Scrambling System (CSS) illustrates how encryption technology is integrated into a technological protection system. First, using CSS, digital audiovisual content (including the keys that enable a DVD player to access that content) is encrypted on a DVD disk. Second, only DVD players licensed by the DVD Copy Control Association (DVD CCA), a private industry-led non-profit organization that is discussed later in this report, may decrypt the encrypted content. Third, under DVD CCA’s license requirements, licensed players must, among other things, protect against copying, protect against disclosure of the decryption keys, and not pass the content over unprotected digital outputs.

Digital Watermarking

Although encryption is an important tool to control access to and transmission of content, encryption alone does not solve all digital copy protection and prevention problems. At the receiver’s end, for example, decrypted content is subject to unauthorized use, manipulation and further distribution. One approach to addressing this problem is to directly embed control information into the media itself, a process commonly referred to as “digital watermarking.” Originally, digital watermarking was the term used only for techniques to embed copyright markings (the “originator’s mark”) into a digitized work. The term “fingerprinting” generally is used for watermarking techniques that reveal the identity of the recipient of the protected content (the “recipient’s mark”). More broadly, digital watermarking today refers to any technology aimed at concealing data in media content.

In its basic form, a digital watermark contains information about the origin, status or destination of the host data. A digital watermark may be embedded in almost any kind of digitized visual or audio data, including broadcast data, without perceptibly degrading or interfering with its quality. The hidden information cannot be removed from the associated data without introducing perceptible distortions or significantly reducing data quality. Thus, digital watermarks can be an important mechanism for content owners to monitor, audit, and index works in the digital environment. Digital watermarks also can be used to identify the source and destination of data, thereby providing rights owners with a useful tool to authenticate content when copyright infringement is suspected. Finally, digital watermarks can be used to detect the unauthorized manipulation of content, thereby providing a means to control the integrity of digital content.

Authentication

Technologies used to identify devices and authenticate the identity of users are important elements of modern technological protection systems. One method to control user access to protected resources in a centralized network is through the use of IP (Internet Protocol) addresses, commonly referred to as “IP authentication.” To facilitate access to protect content from off-site locations, however, a resource provider may need to provide password accounts to users. User information (such as user names and passwords) also may be stored in a cookie, a text string or small file that is placed on an end user’s hard drive. The use of digital certificates is another tool to authenticate the identity of users. Under this approach, a certificate authority (CA) issues a personal digital certificate, which contains the name of the owner of the certificate, the owner’s public key, the expiration of the public key, the name of the certificate issuer, the serial number of the certificate, and the digital signature of the certificate issuer.

Technologies to authenticate the integrity and source of digital content are also important components of technological protection systems. As it has become easier and easier to tamper with digital works without detection, techniques to ensure the integrity of digital content have become more important. For example, a publisher of a medical text may depend on content authentication techniques to ensure that textual data (such as dosage amounts) or visual data (such as medical illustration) have not been altered. One common cryptographic solution to the problem is the use of digital signatures, a technique that authenticates both the contents of a message and the person who signed it. Digital signatures may be transmitted along with the work as “metadata” (encoded identifying information about the content, discussed more fully below) or embedded directly into the work as watermarks. More broadly, encryption technology may be used to authenticate the integrity of license terms and conditions associated with copyrighted digitized work.

Digital Rights Management (DRM) Systems

Today advances in technology (both hardware and software) permit content owners to assert much finer- grained control over digital media embodying copyrighted works, authenticating users and the integrity of content, and developing new business models for digital content in addition to simply deterring piracy. The general term Digital Rights Management (DRM) is commonly used to refer to technologies or systems used to achieve these objectives. Although there is no generally accepted definition for DRM, such technological protection systems typically incorporate the following controls or functions: access controls, use controls, and tracking functions. For purposes of this report, the term DRM is used to refer to a broad range of technical, legal and business issues pertaining to copyright management and control of works in a digital format. This section briefly introduces some of the key concepts and elements underlying DRM systems and technologies.

Trusted Computing

A trusted computer system combines hardware and software (meeting certain security specifications approved by the content provider) to create a secure trusted platform for the exchange of digital content and information. The conceptual underpinnings of trusted computing technologies trace back to Dr. Mark Stefik’s pioneering work at Xerox PARC. In very general terms, Stefik defined a trusted system as a system that can be relied on to follow certain rules. In the DRM context, a trusted system is a computer (or other device) that can be relied on to follow and enforce rules governing the access and use of protected digital content. The server relies on “trusted” elements of the recipient’s device to identify the recipient, to transmit only accurate information about the recipient, and to limit the recipient’s ability to manipulate any content it receives from the server in ways that exceed its authorization.

Rights Models and Rights Expression Languages

Rights models and rights expression languages are two mechanisms that can be used to facilitate transactions involving copyrighted works in the digital environment. In broad outline, a rights model specifies the types of rights, types of users, extent of rights, and associated costs. The rights model may specify such rights types as print, view, or play. Examples of users that can be specified in a rights model include subscribers, enrolled students, or site licensees. The extent of rights may be specified either as a period of time or number of times (for example, print 5 times, view for 10 days, or play for 48 hours). The rights model also expresses costs associated with the exercise of specific rights. In practice, the rights model is implemented through a “rights expression language” (REL), which defines a structure for expressing permissions in machine (and human readable form) and a “rights data dictionary,” which precisely defines the meaning of the permissions and conditions expressed. An example of a modern REL is Extensible Rights Markup Language (XrML), which is discussed later in this report. Electronic rights transactions also require the unique identification of each item of digital content. Such encoded information about a digital work (such as author, title, date of creation, and other identifying information) is commonly referred to as “metadata.”

DRM Architecture

Although DRM systems vary widely depending on their purpose and function, the overall architecture of a DRM consists of three major components. First, the “content server” consists of the actual digital content, along with information about the products and/or services that the content provider wants to distribute digitally after secure packaging. The content server typically includes a “content repository,” a file server or a database that holds the content, along with associated metadata. The content server also usually includes a “DRM packager,” which is used to prepare the content for secure distribution (for example, by encrypting the content and/or inserting metadata), create specifications of rights associated with content, and create encryption keys to authenticate users and decrypt content, before passing the information along to the license server.

Second, the “license server” contains information that identifies the digital content, specifies the rights associated with that content (for example, “play” or “copy”), and establishes the terms and conditions for the exercise of those rights (such as an expiration date), whether by a user or a device. Third, on the “client” side of a DRM, the “DRM controller” receives the user’s request to exercise rights with respect to specific content, gathers information about the identity of the user, obtains a license from the license server, authenticates the application that performs the rights exercise, retrieves the encryption keys, decrypts the content for the appropriate “rendering” application (such as playing a song or viewing a movie).

Types of DRM Systems

A wide range of DRM options are available in the marketplace today, probably reflecting the fact that no single technology or solution can fulfill the remarkably diverse requirements of the digital marketplace. In broad outline, DRM systems may be hardware-based, software-based, or hybrid systems combining software and hardware elements. Hardware-based DRM solutions embed the technological protection in the hardware itself. Examples of hardware-based DRM systems are DirecTV, smartcards and many conditional access systems, which are used in a variety of delivery systems, including direct broadcast satellite, digital cable television, and digital terrestrial television.

Software-based DRM technologies have been and are being developed to provide for secure delivery of content over the Internet and adherence to copy control instructions and usage rules in the PC and home-network environments. Many companies have developed such software-based DRM solutions, including ContentGuard, Intertrust Technologies, Liquid Audio, Microsoft, and Real Networks, which are discussed in the next section. A number of these products (such as Microsoft’s “Windows Media Rights Manager”) include a built- in renewability feature, which enables the content owner to respond quickly to security breaches by renewing the protections that apply to all other copies of the content. Finally, the CSS system, discussed above, is an example of hybrid DRM solution, using CSS-enabled DVD players to inspect DVDs for embedded code.