The rise of peer-to-peer (P2P) networks has been an inevitable outgrowth of the rise of the Internet. Unfortunately, P2P networks have grown from useful tools in information sharing to havens for trafficking in unauthorized copies of intellectual property (IP). Owners of IP, meanwhile, have been pushing for digital rights management (DRM) technologies to control distribution of IP so that it does not fall into the wrong hands.

Supporters of P2P networks appear to be at odds with DRM-supporting IP owners, but P2P networks offer a lot to users as well as other participants in content business models, and they are here to stay. Integration of DRM into P2P architectures is inevitable, as IP owners try to walk the fine line between embracing functionality that users want and maintaining control over their IP.

This white paper explains the motivation for and inevitability of integrating DRM with P2P. After briefly reviewing how both DRM and P2P came into being, we explain the need and opportunity to integrate DRM functionality into P2P networks. We discuss features of DRM technology that make it especially appropriate for integration with P2P, and we summarize shortcomings of many existing DRM solutions with respect to those features. We conclude with some suggestions for how to develop the market for DRM solutions that are optimal for integration with P2P networks.

Background

Both DRM and P2P are creatures of the Internet era, but they came into being at different times and for different reasons. Here we will examine the origins of and motivations for each.

The Rise and Importance of Peer-to-Peer

Technologies for peer-to-peer data exchange over networks have been in existence virtually since the beginning of computer networking in the 1980s. Nowadays, in its most generic form, the term peer-to-peer is used to distinguish a network architecture from client-server, which has been a dominant architecture in both pre-Internet network applications and on the Internet itself.

The idea of client-server is that resources (such as files) are on a server computer, and clients can only obtain resources through servers. If Client C₁ wants to get Resource R from Client C₂, then it needs to go through a server to do so, thereby requiring the server to have a list of resources that includes Resource R and C₂ as its location. In contrast, peer-to-peer networks allow clients to exchange resources directly among each other.

Peer-to-peer architectures came into being in the pre-Internet age about ten years ago with technologies such as Microsoft's Windows for Workgroups (WFW), which enabled PC users to access files on each others' PCs. Sun Microsystems's Network File System (NFS), which emerged even earlier and enabled all computers on a network to make their file directories available in a network-wide hierarchy, can also be considered as a form of peer-to-peer. When the commercialization of the Internet began in the early-to-mid 1990s, File Transfer Protocol (FTP) -- particularly the variation called "anonymous FTP" that does not require a file user to identify itself to the file owner -- became the most important antecedent to P2P as we know it today.

Internet P2P networks provide services similar to the likes of NFS, WFW, and FTP, though with more sophisticated searching and browsing functionality, over the public Internet instead of institutional networks. Most of the early commercial development of the Internet centered on the World Wide Web, which is very much a client-server model. P2P networks needed to build on Internet-based protocols other than the HTTP protocol that powers the Web. The important thing to understand is that P2P networking is not a new model; at its core, it is simply an application of well-known networking models to the Internet.

The first well-known P2P service on the Internet was, of course, Napster, which came online in June 1999. Napster was actually not a pure P2P network, because it relied on a central server to act as a catalog of files on the network and their locations. (Napster's server-based architecture ultimately led to its shutdown by a judge a year after it started.)

The Napster phenomenon gave rise to post-Napster P2P networks, such as the proprietary FastTrack network used by KaZaA and Grokster, and the open-source Gnutella network used by LimeWire and Morpheus. Both of these networks were designed without central servers so as to avoid Napster's legal fate, but even FastTrack is not a pure peer-to-peer service: it relies on so-called supernodes, which constitute the first level of connectivity in the network and help make request routing decisions. Gnutella, in contrast, is purely peer-to-peer, with no clients having special distinctions of any kind.

Owners of copyrighted intellectual property (IP) have seized upon P2P networks because they embody a set of attributes that make them ideal for unfettered distribution of files:

• Unlike local-network file sharing technologies such as NFS, WFW, and their successors, they are accessible throughout the Internet, not just on an institutional network.
• Unlike sending file attachments in email messages, they do not require that the source of a file actually send it or even know the identity of the recipient.
• Unlike duplication of physical media such as CDs or DVDs, P2P networks allow files to be copied instantaneously, with maximum automation, and without the cost of physical media.

Of course, the same attributes that frighten IP owners make P2P networks attractive to those who genuinely want to publish information as easily and widely as possible.

The Rise and Importance of DRM

Although P2P on the Internet did not come into being until 1999, IP owners were concerned with digital networks as conduits for unauthorized file copying long beforehand. Most industry observers identify 1994 as the year when digital rights management began to emerge as a field on its own^[1] -- the same year as the beginning of the commercialization of the Internet, although early contributors to the DRM field did not necessarily see the Internet as being as dominant as it has become.

IP owners in the mid-1990s looked at online rights management primarily as a question of emulating business models from the offline world. As a crude example, the "rights management" properties of a printed book result directly from its physical characteristics, e.g., it is difficult to copy books in their entireties and virtually impossible to change their contents in place. Publishers sought technologies that would bring similar behavior to the online digital world, and early DRM solutions, such as IBM's Cryptolope and EPR's (later InterTrust's) DigiBox, attempted to provide this.

Just as P2P is an Internet application of preexisting network architectures, DRM technology is really an extension of techniques long used in operating systems to control users' access to system resources. There are many different types of DRM implementations, but they tend to conform to a common architecture^[2]. In this architecture, the user receives an encrypted file, containing the content, along with a license that stipulates what rights the user has to the content. A piece of software or hardware on the user's client device interprets the license and, if authorization is successful, decrypts the content and does what the user intends (play, view, print, copy, etc.).

Variations on the canonical DRM architecture involve such issues as:

• Whether the authorization is done on the basis of a user's identity, a device's identity, or both.
• Whether the software doing the authorization is built in to the playback device or software, built in to the platform on which it runs, or independent of those.
• Whether the license is bundled in with or separate from the content.
• How much fine-grained control the IP owner has over specification of rights.
• Whether or not the user is required to be connected to the network at all times.
• How financial transactions are integrated with the authorization process.

IP owners have been using DRM to implement new business models, which are not just analogs of existing offline models. Such models represent the brightest future for online content distribution. However, they have only been modestly successful, because it takes a lot of time and effort to get users comfortable with new ways of consuming content.

As a result, DRM is starting to take off as a component of online content models in niche markets, such as the online music distribution of Apple's iTunes, RealNetworks's Rhapsody, and Napster 2.0; eBooks and ePeriodicals from various publishers; and online film download services like MovieLink and CinemaNow.

DRM has had a hard time developing as a market, for several reasons. Online emulations of offline content models have been very rough from the perspectives of user convenience and support for some usage modes that are legally protected or that users have come to expect, which we will examine later. There is also an ingrained notion in consumer behavior (and, some feel, in legal precedent as well) that people should be allowed to do what they wish with digital content products, without fear of being controlled or monitored -- as DRM technology can do.

Yet at the same time, the networked digital paradigm has opened up the possibilities of "do what they wish" to include rampant, unrestricted, perfect copying, and IP owners need to be able to control that. Therefore, DRM continues to develop toward giving users convenient, seamless experiences along with guarantees of privacy.

The Gulf between P2P and DRM

The way various advocacy groups portray it, DRM and P2P are polar opposites. To IP owners, P2P offers open invitations to copyright infringement and rampant theft of intellectual property, while DRM is the only way to keep the Internet from killing the media industry. To consumer advocates and some others, P2P is natural outgrowth of the "open" functionality of the Internet, while DRM represents the media industry's attempts at playing "Big Brother" and controlling user behavior in ways that are inconsistent with the balance of interests embodied in intellectual property law.

As a result, there is a lot of posturing on both sides of the issue, as people from both sides work to get sympathetic ears from technology implementers, legislators, and the news media.

The reality, of course, is that both DRM and P2P are sets of capabilities, and they are far from mutually exclusive. As we will see, P2P functionality is key to implementing important new business models for content -- models that IP owners ignore at their long-term peril. At the same time, DRM is necessary to close at least the larger holes that P2P creates in IP owners' ability to profit from their IP. We can hope that once both sides finally get past the rhetoric, everyone will see both DRM and P2P for what they are and are not, and get on with the business of using both to their advantage.