What is Digital Rights Management (DRM) and why should the Global 2000 be interested?
Byrnes: DRM is a set of technologies that provide execution-time control of IT-based resources at a granular level. The resources might be multimedia, such as movies or music, or they might be document or spreadsheet files. By granular execution-time control I mean that the operations that can be performed on the resource are determined to be allowed or forbidden at the time the end user tries to do them. So, in the case of a movie the DRM technologies might test whether payment had been received by the movie vendor before allowing the movie to play. For a Microsoft Word document the DRM technology might be set to allow one part of a document to be updated (say, the signature area) while preventing update to any other part.
Traditionally many corporate application programs have had similar controls built into them. One user running a server-based HR application, for instance, is allowed to increase employee salaries by up to 10 percent, while their supervisor, running the same program, is allowed to enter 20 percent increases. This is the “authorization” component of the program. Some application systems, such as SAP R/3, have complex authorization subsystems known as “Role Based Access” controls that determine what each user can or cannot do based on the role they have been assigned. There have been no standards for how authorization should be handled, and few companies have succeeded in centralizing authorization control other than within the context of a major ERP system such as SAP.
Why was adoption of DRM slow and what are the drivers now?
Byrnes: The business value of various forms and locations of stored data has shifted over the years. In early IT days, all stored data was formally defined and structured by the application programs. Later we abstracted the formal definitions from the application and placed that data into databases. Databases became less formal over the years as relational data management became possible. Authorization controls were added to each of these capabilities within a few years of the storage system becoming valuable to the business.
During the 90’s most organizations became dependent on desktop applications and email. Today there is a tremendous amount of business value tied up in, for example, Word, Excel or Exchange files. These are considered informal data stores as the information in them follows no well-defined structure and therefore it is difficult to create automated control systems either to use or to protect the contents. Building tools to use the information has been a major trend in IT. Creating the control systems has taken a back seat until now.
DRM relies on encryption for its strength. A non-encrypting DRM technology would be easily bypassed. Unluckily, cryptography has been a specialty knowledge area with few expert practitioners available on the open market. As a result many early DRM implementations simply did not work. The gradual maturation of crypto tools, spreading understanding of crypto technology and the rising value of informal data stores have combined to drive the current interest in DRM in corporations.
Concurrently, large media conglomerates have decided that piracy of digital materials is somehow more damaging to them than piracy of the same material in analog format. This has driven them to find DRM protective mechanisms for their digital distributions. Unluckily, DRM can only fully protect a multimedia work that is never played. Once it is played, it can be captured and re-digitized or distributed in analog form.
How is DRM important in a B2B scenario?
Byrnes: Contract signing, any negotiation in which a single document is passed among numerous people for update, limiting distribution of information to a named list of people at the partner organization, or a limited number of unnamed people. Providing business data for a limited time period, for instance, a one year license to use a parts list.
Explain how it can play an important role in compliance with legislation such as the Health Insurance Portability and Accountability Act (HIPAA)?
Byrnes: HIPAA is structured to control the distribution of information on a need-to-know basis connected to the role of each person in the chain of health care. So an X-ray tech may need to know who the patient is and what areas and angles are needed, but should not have access to the patient’s medical history or current drug regimen.
DRM can control which pieces of information are available to each person. Currently, that would need to be done by extensive application program logic in every application used in the hospital. While there will always be some need for dedicated application logic, lots of information is stored in the informal places described above. The law applies to those just as much as it does to a database.
Skeptics sometimes call DRM “digital restriction management”. Why would you say they do that?
Byrnes: DRM stops actions that are not authorized. Its intent is to restrict.
To ask a little more precisely: Many people think that DRM restricts basic democratic rights. Could you please give some examples and comment on them?
Byrnes: When DRM is used to control the use of assets – documents, movies, music – that individuals (not corporations) have licensed or purchased there can be controversy. This statement excludes corporations because corporations and other large organizations typically negotiate the terms of their contract with the original asset owner or creator. This, in theory, eliminates any controversy.
Licenses by individuals are typically considered to be negotiated contracts entered into in good faith by both original owner and licensee. This little fiction really means that a licensee must know what they are licensing, including all of the terms and restrictions of the license.
CDs and DVDs are sold. Making copies for personal use was perfectly legal until the Digital Millennium Copyright Act (DMCA) was passed. This made it illegal to do research that would lead to the ability to break copy protection schemes, or to distribute anything that performs such breakage, thus allowing a seller to enforce any restriction on rights that they desired.
The result of all this would seem to be: It is legal to make a backup copy of a DVD you buy, but illegal to buy the tool that makes the copy because all commercial DVDs are copy protected.
Would you talk about how DRM may soon become part of the architecture rather than a standalone technology?
Byrnes: Because DRM relies on encryption it has some weak points. Encryption takes lots of computer power and depends on keys. Keys are only useful if they are kept secret. Commercial DVDs are protected by a DRM tool called CSS. A young programmer discovered one of the keys used by CSS and created a bypass mechanism called DeCSS, which is freely available on the Internet. As a result anyone can remove the copy protection from commercial DVDs. Also as a result, people that use Linux as their operating system can play DVDs. That was the purpose that DeCSS was created to serve.
Both drivers, needing lots of processor power and needing to keep keys secret, are best served, at least in part, by hardware rather than software. Microsoft, Intel, IBM, nVidia and lots of other vendors have worked together to find the best hardware implementation to support DRM in computers. As a result, DRM hardware support should be widely available by the time Microsoft’s Longhorn operating system is released in 2006. Other operating systems and computing platforms can be expected to join in.
Are industry giants like Sony, Microsoft and RealNetworks, which are investing in their own proprietary DRM technology, helping or hurting the deployment?
Byrnes: These companies are creating media player protections. While they use the same technology underpinnings as corporate DRM, they have no direct impact.
Even though the advent of DRM systems has generated high expectations, are interoperability and acceptance a pre-condition of its success, or is the DRM picture getting more fragmented?
Byrnes: Common hardware support in 2006 will help bring some focus, but the software layers on top will stay varied for at least another computing generation – approximately 2010 and later.
Costs have been holding back DRM. Do they need to come down?
Byrnes: They will come down because of competition and maturity. As they come down the list of uses for which they are cost effective will grow, just as the understanding of how to make use of and manage them grows. The cost decline will accelerate between 2006 and 2008 after the hardware components are broadly installed.