Executive Summary

Many different types of organizations, including media companies, large corporations, government agencies, and others, have been adopting content management systems (CMSs) to help them organize digital content and create content-based products for their customers, employees, and partners. CMSs are intended to be control centers for entire content lifecycles, including content creation, management, production, and distribution, but the increasing complexities and interdependencies of these processes result in CMSs falling short of their ideal responsibilities.

One of the most important elements of complexity in content processes is content rights. The processes of tracking rights, controlling, and managing access to content based on rights information are increasingly necessary nowadays due to various business imperatives. Adding persistent protection to content is the most effective way to control and track access. Vendors of content management and related content-handling systems should integrate their solutions with persistent content protection by including rights and licensing information in the metadata that their systems track and by ensuring that their products are interoperable using standards-based persistent protection technologies. The result will be integrated content-handling systems that meet their customers' current and future needs.

In this paper, after brief introductions of content management and digital rights management terms, we explore many of the business and legal imperatives that have led to content processes that are more complex from a rights perspective. Then we discuss some of the ways in which vendors of content-handling systems should integrate rights information handling into their products in order to offer more complete solutions to customers' content management and distribution problems, at lower costs and with faster, lower-risk deployments.

We conclude by explaining how adoption of a standard Rights Expression Language (REL), such as the RELs being defined by MPEG, the Open EBook Forum, and OASIS, goes a long way towards ensuring that integration of content-processing systems through rights information is seamless, predictable, and cost-effective for all types of content producing organizations.

Overview of Content Management Systems and Processes

The term "content management" originated in the mid-1990s, and it has several different meanings in today's marketplace. At its most generic, a content management system is one that stores digital content for search, browsing, access, and retrieval by users in a workgroup or enterprise. The most prevalent types of content management systems are:

• Digital Asset Management (DAM): systems that manage rich media assets, often including digital audio and video clips, for retrieval and repurposing in media production environments. These systems are sometimes also called Media Asset Management (MAM).
• Web Content Management (WCM): tools that provide page template design, editorial workflow, and publishing environments specifically for Web sites and other forms of Internet content delivery.
• Enterprise Content Management (ECM): systems that facilitate management of corporate documents and other types of information for use internally as well as externally with a company's business partners, customers, regulators, and the general public.

In this paper, we will use the term Content Management System (CMS) to encompass all of the above, although we will occasionally distinguish among those three types. All of those types of systems -- plus those few that straddle the boundaries among them -- have common technology elements as well as common processes associated with their use. Some of the common technology elements are:

• Database management systems for managing metadata (information describing content) and sometimes the content itself.
• Content storage systems, including disk drives, storage area networks (SANs), and nearline/offline storage, particularly for storage-intensive assets such as high-resolution still images and digital video.
• Content indexing and search technologies, such as inverted text indexes, to promote searching and browsing of content.
• Metadata creation technologies, including text categorization, entity extraction, and image understanding.
• Workflow capabilities, which include check-in and check-out, version control, and approval routing.

Although the following is not meant to be an exhaustive list of processes that CMSs support, here are the most important ones:

• Metadata creation: Some types of metadata (e.g., date and time of creation, image resolution) can be automatically extracted from file formats. Other types can be inferred from the content by automated tools (e.g., categorization engines that analyze text and generate keywords). Other types of metadata, such as information about asset creators or detailed descriptions, must be entered manually. As we will see, rights metadata is another important type of metadata that can be created automatically if rights information is captured upstream from the CMS.
• Asset storage: A CMS can store content in a native format, an output-neutral format (e.g., XML), or a format specific to an output medium (e.g., HTML for web pages). The term ingestion is often used to comprise metadata creation and asset storage.
• Workflow: Many CMSs provide for the identification of roles (e.g., author, editor, producer) and their association with specific privileges on an asset, which could include reading, editing, or the ability to change the asset's metadata. Users can check content out for editing and check it back in again, and they can often use the CMS to send (route) content to other users, whether in an ad hoc manner or according to fixed, predefined routing schemes.
• Search and browse: CMSs have interfaces for users to enter query terms to search for assets whose metadata fit those terms. Many also have browsing interfaces, where a user can scan a collection of asset descriptions (e.g., text abstracts, image thumbnails, short audio clips) to find assets of interest.
• Distribution: the final process that most types of CMS support is making assets available through some channel(s) outside of the domain of the CMS. This could mean publishing HTML pages to a Web site, sending files to a business partner over FTP or a syndication protocol, or persistently protecting assets with a DRM packager.

Overview of Digital Rights Management

Digital rights management (DRM) is a popular term for a field that (like content management) also came into being in the mid-1990s^[1], when content providers, technology firms, and policymakers began to confront the effect of ubiquitous computer networks on the distribution of copyrighted material in digital form. There are two basic definitions of DRM: a narrow one and a broader one.

The narrower definition of DRM focuses on persistent protection of digital content. This refers to technology for protecting files via encryption and allowing access to them only after the entity desiring access (a user or a device) has had its identity authenticated and its rights to that specific type of access verified. Protection in such DRM systems is persistent because it remains in force wherever the content goes; in contrast, a file that sits on a server behind the server's access control mechanism loses its protection once it is moved from the server.

Persistent protection solutions consist of these primary technology components^[2]:

• Packagers assemble content and metadata into secure files that are variously called packages, containers, envelopes, etc.^[3]
• Controllers reside on client devices (PCs, music players, ebook readers, etc.). They authenticate the identities of the devices and/or users that request access to content, verify the nature of the access requested, decrypt the content, and provide the access. Controllers may also initiate financial transactions where necessary.
• Some persistent protection solutions, particularly newer ones, also include license servers. These create and distribute encrypted licenses (sometimes called tickets, permits, or vouchers) that describe rights to content, the identities of the users or devices to whom the rights are granted, and the conditions (e.g., payment) under which they are granted. DRM solutions that do not include separate license servers install rights descriptions directly into each content file at packaging time.

A broader definition of DRM encompasses everything that can be done to define, manage, and track rights to digital content. In addition to persistent protection, this definition includes these other elements:

• Business rights (a/k/a contract rights): an item of content can have rights associated with it by contract, such as an author's rights to a magazine article or a musician's rights to a song recording. Such rights are often very complex and have financial terms attached to them that depend on the content's use (e.g., royalties).
• Access tracking: DRM solutions in the broader sense can be capable of tracking access to and operations on content. Information about access is often inherently valuable to content providers, even if they do not charge for access to content.
• Rights licensing: content providers can define specific rights to content and make them available by contract. It is often not possible to track rights licensing by technological means: for example, a book publisher may offer language translation rights to a novel, and in general there's no technological way to ensure that the licensee's translation is either faithful or distributed according to the same terms as the original book.