Digital Right Management

Let's track the typical path of a piece of accounting software. It is sold through a website or on a CD-ROM to an accountant. The accountant installs the software not only on his machine but also on the machines of 10 different clients. This is just one of the thousands of instances of copyright, license or IPR (Intellectual Property Right) infringements that we come across on a daily basis. The same happens to other digital content like music and video.

More commonly known as DRM, Digital Rights Management symbolizes a set of tools and techniques that are used to manage and protect copyrights and IPRs of the owners of digital-content creators. It is used to restrict the duplication of digital content and to implement access rules based on a system that ensures only valid, authenticated users can use the content.

DRM can be implemented in different ways for different kinds of content and scenarios. In your daily activities, you may have seen DRM in action in a PDF document where you are not allowed to print or select the text for copying, while your colleague in the next cubicle can do so. This is an instance where different users have been given different rights to the file. Though a simplistic example, this is an apt implementation of

DRM.

Thus, unlike copyrights or disclaimers, which are a passive form of controlling the distribution of content using the hand of law, DRM aims to be an active approach. It not only serves the law but also gives the content creator the power to control the content even when it is on the machine of a user. DRM aims to achieve this kind of protection by employing different techniques for different kinds of content.

The drivers of the technology since its inception have been original content creators. By original content creators we mean a software developer, a musician, a writer, a multimedia developer, an artist or a photographer, amongst others. More than the people who create the content it is the marketing institutions that are behind the DRM movement. For instance, Sony music is driving the DRM movement on behalf of the musicians. On one hand, they are aiming to save the artists' royalties, while on the other they are concerned about the ever-falling bottom line because of high proliferation of profits down the piracy drain.

Along with IPR protection, DRM offers a lot of features that make sustainable business models in themselves. Some of the business models are:

Personalization: Using this model the content provider can tailor the content according to the users' need and restrict the content to be used by only that user. One example of such customization can be the activation of Win XP on a machine. The usage of Win XP is restricted only to that machine.

Granulation: Using this model the customer can be provided with parts of the actual product. Though similar to personalization, it can be differentiated in the sense that it can also offer a combination of more than one product.



An example can be a website that offers a collection of services, as opted by the user. Per instance/view or installation: The content provider can bundle the product in such a manner that it can be used for a limited number of times. For example, using a DVD-writing technique Disney is planning to rent DVDs that would self-destruct in five days.

Unfortunately, most DRM technologies that have been used till now haven't been successful for long. They've been cracked in no time and the piracy of digital content continues. Of course, that's where stricter laws come in.

During the course of this story we will see how DRM is affecting various part of the industry, namely music, video and software. We would also look at some of the legal implications of digital rights to get a better perspective on the issue.

PREVENT

MUSIC VIDEO PIRACY



In India, the process of buying music online is no different from going to the music store and picking up an album, except, of course, here you do it through a Web browser and pay by a credit card. There are also sites such as hamaracd.com, where you to pick and choose the songs you want and they create a CD of those songs and send it to you. There is no real DRM involved in this online process, nor are the audio CDs protected with DRM. So, technically, anybody could easily rip an audio CD and burn as many copies as he wants.

So, what would it take a site like hamaracd to DRM enable its content? It can do one of two things: One is to provide online distribution of music, wherein users are allowed to download whatever they want, with all the content DRM enabled. Second is to continue distributing the audio CDs, but with DRM techniques applied to the media. In the first case, there are some successful examples in the US that can be followed. While for the second, various vendors are promoting DRM technologies.

In the world of online music distribution, a number of models are being followed in the US. There's Apple's limited music-sharing model, while Microsoft is getting ready to launch its subscription-based model codenamed Janus. Then there's a Real Networks' supported site named www.listen.com, branded as Rhapsody, which is a mish-mash of both models, allowing you to subscribe and download tracks.

Apple's music-sharing model, iTunes, offers thousands of songs for download through its online music store to be used with its own software and its iPod music player. It uses Apple's proprietary Fairplay technique for encrypting its songs to be played either on the PC or the

iPod.

Using this process the user pays 99¢ for each song downloaded. In these 99¢ the user can copy a single unchanged playlist upto 10 times on a CD, unlimited times on the iPod music player and authorize upto three computers for usage. Though it is quite an open model, it does have its share of problems. The user can simply burn a CD, rip it and have an unencrypted copy of the song. Yes, there would be substantial loss of quality because the file would have gone through the encoding process at least twice. But, does that matter all that much? Also, there are Linux projects like 'playfair' that have cracked the Apple code and let the user convert Fairplay tracks to transferable media files.

The Real Networks' online model, Rhapsody, is good if you have a broadband connect. It is a mixture of the subscription and buy once model. You can subscribe to the site by paying about $10 per month and listen to the songs you want from the site itself. If you like a particular song you can download it with a flat fee of 79¢. You may think that it is similar to online radio. Yes it is, but the difference lies in the fact that you are able to make your own playlist and there are no irritating ads between the songs.

Microsoft's Windows Media Player also has DRM features that let the content provider encrypt songs at the time of production and the player obtains the license while playing it. This model is being used by walmart.com for selling music online.

Note that all these online sites are using proprietary setups, which use their own media players at the desktop. So, if a site like hamaracd.com were to use a similar model, either it would have to license the technology from them, which would be an expensive affair. There's another solution from Microsoft called the Windows Media Rights Manager, which is a downloadble SDK. It allows content owners to generate protected digital media content, or even issue licenses to use such content. We've even given this and some other DRM software from Microsoft on this month's CD for you to try out.

Another soon to be released option is from Fraunhofer Institute, Germany, for applying DRM to MP3 files. It's called LWDRM (Light Weight Digital Rights Management), and it will use two formats, called LMF (Local Media Format), and SMF (Secure Media format) This doesn't secure, but controls the way people distribute their music. Using this method the user would be required to attach a certificate to a file that he wants to transfer to a portable music player or to another user. This certificate contains a signed public key as well as user information. Thus, whosoever wants to transfer the files must register once with the certifying authority. This would help in tracing the file back to the user if it is found on a peer-to-peer network and he may face prosecution. Though this method does not stop transferring of data from one person to the other, it prevents mass abuse.

The other way of applying DRM is to do it on CDs. Today, this is only possible at the CD manufacturing or glass-mastering stage. It can't be done while burning CDRs. At the manufacturing stage, various solutions are available. One is Sony's Key2Audio,which claims to protect the disk from unauthorized copying and ripping. The technique is still being developed and has come out with a new version named Key2Audio XS. This gives some value-added features like access to a hidden website and some more multimedia content like video that can be played on the PC. All this can be done only with the original disk. This is done by using a multi-session disk that holds music and data on different tracks, and the data track is also copy protected.

Some other systems available for CD protection include Cactus Data Shield, Media CloQ, Media Max CD3, Music Guard and Safe Audio. Some of these methods of CD replication deliberately create errors on the disks while writing the CDs. Thus, these disks become unplayable on the PC. On the other hand most CD/DVD players, that are less harsh on errors skip that part of the track and keep playing. But this technique can be easily defeated by using a post-it or a clever mark made by a permanent marker on the CD.

Though audio always takes the limelight, video is also one of the biggest arenas where DRM is stretched to the limits.



Video piracy has been stretched out of limits because of the virtually absent measures of DRM available in video CDs. Thus, when DVD was introduced it came built in with encryption and security measures such as region locks that attempted to curb the video-piracy onslaught. This was done by using the framework called the CPSA (Content Protection System Architecture) developed by the 4C entity-Intel, IBM, Matsushita and Toshiba-(www.4centity.com) along with the CPTWG (Copy Protection Technical Workgroup) with technologies like the CSS (Content Scrambling System) that encrypts and authenticates the contents of a
DVD.

You could call it a weakness of the encryption algorithm or brilliance of the hackers of this world, but it was cracked in no time. The region locks remained just a meager formality and region-free pirated DVDs have become a commonality. Instead of the original artists, the piracy kings have been having a hay day.

If this was not enough, along came DeCSS that allowed the people to easily convert their DVDs into various types and watch them on the PC. Thus, the video industry is still in search for a reliable DRM solution that can free them from piracy issues. Now there are various video watermarking technologies in development that would help curb the video piracy onslaught.

PREVENT

SOFTWARE PIRACY



From the beginning there have been efforts by software vendors to protect their software from piracy. In fact, software protection measures also known as TPM or Technical Protection Measures have been common since the 1980s. The famous dongle is a classic example of this. The dongle is a hardware device that must be connected to a port on the PC for the software to work. Today, software protection has moved far beyond this sort of copy protection and into a broader domain called DRM. This includes everything from techniques used to protect software distribution media such as CDs to controlling what users can run on their PCs, such as Microsoft's Trusted Computing initiative. On one side, it gives software developers more choices for controlling their software from being duplicated or shared. On the other side, DRM technologies can be misused to force users to submit their personal information before they're given access to content. This is a much broader issue, which we'll not get in to in this article; instead, we'll focus on the DRM techniques available that can be used by software companies to protect their content.

SecuROM



This is a copy-protection technology from Sony. It uses a key code on the original disc, which is nothing but an electronic fingerprint to uniquely identify the original disc from copied ones. There's a software part of SecuROM as well, which authenticates the CD. This authentication software works with the main application defined by the software creator. Another solution based on SecuROM is Key2data, which is smart-card based. Using this you can encrypt your program with a SecROM online encryption toolkit. Then to access the encrypted program distributed on CD-Rs or the Internet, authorized users get a key2data smart card containing a built-in microchip and a PIN code to access the content. Using the smart card and smart-card reader, you can establish an online link to the key2data Digital Rights Management server. The server stores the necessary details about users like individual access rights for each user as defined by the software company. The DRM server verifies whether the user is authorized to run the protected program, and once verified, a unique key is released, which enables the program to start automatically.

Bongles



We just talked about the dongle. Unfortunately, not everyone can use the dongle because it increases the cost of distributing the software, since the developer also has to invest in buying the hardware and necessary software to customize it. That's why dongles are mostly restricted to expensive software. Plus, it's also easier to loose a dongle, because it's a small hardware device. Another solution here is the Bongle, which is put into a CD-ROM drive and enables access to the content on Bongled CDs. Bongled CDs can also be used in a network, where authorized users have to be given Bongles that they can insert into their CD-drives to access the data/software contained on the CD.

Tamper-resistance techniques



Another popular technique being practiced by software companies is tamper resistance. Two techniques have become popular for this. One is Cryptoswitch, which is a tool that's applied to a program so that at run time only a small part of the program is in the clear at any one time, while everything else is encrypted. Only those that are required by the program are decrypted. Another tamper-resistance technique is Digital Signets, which is similar to digital signature. It's used to detect unauthorized modifications to a program.

Safe disc



This technology has been developed by Macrovision, which they claim is used on over 250 million discs worldwide. It's used to encrypt the exe and dll files only. In this, first the publisher or software house prepares the content and encrypts it with the safedisc toolkit on a gold disc. This CD is sent to the mastering house, where a special laser beam recorder adds a unique digital signature to the Glass master. Finally, a special replicator is used to produce the silver discs with the digital signature and encrypted content on it. Now every time the application is run from these replicated CDs, there's a SAFEDISC authenticator program that performs security checks to verify the digital signature on the disc. Only upon successful verification does it allow the application to run. This takes about 10 to 20 sec. A duplicate copy of such a disc will not contain the digital signatures, thereby preventing the software from running.

There is another interesting technology by Microvision called Silent Alarm, which is being used for protecting game CDs. The technology silently detects the protected parts of the program for modifications while it's running. If any modifications are found, the quality of the game is degraded in a minor but effective way. For instance, guns will jam up, car wheels will fall off or continuous scene loops will happen making the game difficult if not impossible to play.

Trusted computing



This is a larger project that's happening on the DRM front, being backed by biggies such as Microsoft, Intel, IBM, HP and AMD. It lays out specifications for an enhanced hardware and OS-based trusted computing platform. It is known by names like Trusted Computing, Trustworthy computing, TCPA (Trusted Computing Platform Alliance), Next Generation Secure Computing Based (earlier known as Palladium).

This is a computing platform on which one won't be able to tamper with the application software and on which these applications will be able to interact securely with their authors and with each other. TC will make it hard for you to run unlicensed software. In the first version of TC, pirated software could be detected and deleted remotely.

DRM in music MUSIC PRODUCTION Production houses can protect music in whatever way they distribute it Online distribution It faces the challenge of protecting the data while keeping the system hassle free for the user Microsoft Windows Media Player DRM Light Weight Digital Rights Management (LWDRM) Fraunhofer, Germany Other models: iTunes - Fairplay, Rhapsody Audio cds There are various media protection techniques available that can be used to protect audio CDs Sony Key2Audio, Data Shield Media CloQ, Media Max CD3 Music Guard, Safe Audio

How does TC work? It has five components: the Fritz chip, which is a curtained memory feature in the CPU, a security kernel in the operating system (Microsoft calls it Nexus), a security kernel in each TC application (NCA as Microsoft calls it) and a back-end infrastructure of online security servers maintained by the hardware an software vendors.

Fritz chip is a monitoring component, which keeps details of computer hardware and the software. On startup the details are compared and if everything goes fine the Fritz chip release cryptographic keys, which are helpful in decrypting TC applications. If there is some mismatch in the data stored in the Fritz chip and the present state of the computer, the machine must go online to be recertified. This part is managed by the OS kernel 'Nexus', the net result of all this is that PC is booted in the known state with an approved combination of hardware and software. Finally, Nexus works with the curtained memory features in the CPU to stop any TC app from reading or writing another TC app's data. These technologies are called Lagrande Technology for Intel CPUs. Once the machine boots in the safe state, with TC app loaded and shielded form interference by other software, Fritz will certify this to third parties. For example it will tell the software vendor that the PC is running in a certified state and it's safe to run the application in case of software or if it's music, it will inform the music vendor that the machine is running an authenticated copy of the Media player and it's safe to play the movie or music. The music company's server will then send the encrypted data with a key to the machine. The Fritz chip will use the key to unseal the data and then supply it only to authorized applications. It can also be used to define access rules like whether premium content is available to a certain user or not.

LEGAL

IMPLICATIONS



The piracy of digital content, whether it's music or software, has become a major issue for all digital content creators and distributors. It's fairly easy to find and obtain pirated copies of software in the market and the Internet is full of sites putting up free MP3 downloads of pirated music. While different DRM techniques are being evolved to combat this issue, there's some action happening on the legal front in India as well.

For one, amendments have been made to the Copyright Act of 1957 to bring sectors such as satellite broadcasting, computer software and digital technology under copyright protection. This has made our copyright act in full accordance with international laws. According to this, someone found guilty of producing illegal copies of music or software or someone using illegal software is liable for prosecution. For music, the punishment could be imprisonment for at least one year, extendable to three, along with a fine of at least Rs 1 lakh, extendable to Rs 2 lakh. For software, the minimum imprisonment term is seven days and the maximum is three years, while the minimum fine is Rs 50,000 and extendable to Rs 2 lakh. These laws have been effective to some extent. For instance, in 1999, the MPA (Motion Pictures Association) filed three civil actions against three Indian cable networks and got relief covering 45 cities and 8 million cable homes. MPA has also estimated that by these injunctions alone, cable piracy has been brought down by 50 percent.

That's not all. Organizations such as NASSCOM and Business Software Alliance have been running a campaign in India against the illegal use of software within companies. They are conducting seminars throughout the country to educate companies on the benefits of using legal software, the dangers of using illegal software and the legal dangers of not observing the Copyright Act. They are also calling on organizations to review their use of software and ensure that they use legal software on their PCs. They also have a toll-free anti-piracy hotline number (1-600-334455) to report piracy. A reward of up to Rs 50,000 (under terms and conditions) is also offered to those who report instances of piracy.

The Indian Government has taken a number of measures to strengthen the enforcement of the copyright law. You can check out a summary of these measures at

www.indianembassy.org/policy/ipr/ipr_2000.htm.

By Geetaj Channana and Siddharth Sharma