www.drmwatch.com/resources/whitepapers/article.php/3112631

Integrating DRM with P2P Networks: Enabling the Future of Online Content Business Models
By Bill Rosenblatt
November 18, 2003

DRM Technology Features for P2P Networks

DRM technology has been around for almost a decade. There are many types of DRM solutions on the market today, some of which have found success in niche markets, as mentioned above. What are the specific features of DRM solutions that make them attractive for integrating with P2P networks? Here we suggest several.

Reasonable Usage Support

The term "fair use" is a loaded one; it has a specific meaning under U.S. copyright law (its analog in the U.K., Canada, and Australia is "fair dealing"), but consumer advocates and others have extended it to stand for content consumers' reasonable expectations of usage rights. The legal term refers to uses of content that are valid defenses to charges of copyright infringement. Uses must conform to broad legal guidelines, but ultimately a judge and jury make decisions about whether uses are fair. Therefore it is impossible to create any kind of automated system that proactively decides whether to allow a use based on legal fair-use criteria.

However, reasonable usage expectations are another matter. If a user buys a piece of content, she may well expect to be able to render (display, play, or print) that content on any device she owns[5]. The paradigmatic example of reasonable usage expectations in the analog world is to play a music CD in one's car in addition to one's home stereo, perhaps by taping it onto a cassette.

DRM systems should be able to support a user's reasonable content usage expectations; this should include acting independently of individual formats and playback software or devices, and facilitating any necessary format conversions or transcoding. DigitalContainers is an example of a DRM system that facilitates reasonable usage support: it is cross-platform, works with a multitude of media formats, and does not require a client application that the user must download and install.

The most important precondition to supporting reasonable usage expectations is interoperability of identification schemes for both users and devices. Currently, and with few exceptions, each DRM scheme has its own notion of identity and its own way of authenticating identities. A user's identity in one scheme (e.g., for an Adobe eBook) is only coincidentally related to her identity in another scheme (e.g., for an online music subscription service). Attempts to create universal online identification schemes have been thwarted by a combination of technical complexity and concerns over privacy.

An ideal DRM scheme for integration with P2P networks should at least offer some degree of identity interoperability among popular formats, devices, and services; existing technology for aggregating personal information online (such as Yodlee in financial services) might apply. Yet consumer rights advocates tend to concur that identity schemes -- such as DigitalContainers' -- that are based on users, not devices, offer a first approximation to reasonable usage support.

Lightweight Superdistribution

Superdistribution has been mentioned in the same breath as DRM since the early days of DRM, when a few DRM technology vendors attempted to support it. The complexity of a DRM and e-commerce scheme that allows every participant in a content Superdistribution scheme to make its own economic offers is prohibitive. For example, one peer may want to sell content items individually at a profit, while another may want to sell them at cost, another may want to loan them, and yet another may want to make a repository of items available on a monthly subscription basis.

The nearest that most DRM schemes have gotten to "Superdistribution" is a URL included in encrypted files that takes users who are not authorized to access the content to a website where they can purchase rights. This is inadequate to the needs of a P2P network, in which peers should be able to define their own business models, as suggested above. At the same time, peers should not be expected to deploy cumbersome, expensive e-commerce systems in order to implement their chosen business models.

For Superdistribution to work well with P2P networks, DRM systems should provide simple ways to define and implement content business models, including rights specifications and commerce terms. Emphasis on defining individual users or classes of users for authentication purposes should be minimized, because one of the most important aspects of P2P, as mentioned above, is that the identities of participants in P2P networks are not known in advance.

DRM schemes can also facilitate Superdistribution by providing as much business model support as possible integrated with content objects, to minimize implementation complexity. This implies the ability to precisely specify details of content rights being offered, such as number and type of renderings, time limits, and so on; see Rights Expression Languages below. It also means the ability to handle certain functions directly onboard content items, and to interface with web services that handle external functions that make it easy for participants to implement their business models -- such as billing, usage tracking, and subscription management.

For example, DigitalContainers is a DRM technology that supports lightweight Superdistribution through its Hybrid P2P architecture, which supports the ability to describe content rights in a fine-grained manner, the ability to facilitate on-the-fly server-based user authentication, and rich functionality for supporting a wide variety of business models, including payment processing, onboard the encrypted content objects rather than on a server.

For Superdistribution support that is too complex to handle onboard encrypted content objects, DRM schemes should support integration with web services through standard interfaces so that they can be developed by a multitude of vendors. Ease of integration with web services will encourage the development of such services and their adoption by P2P participants.

For example: assume peer P1 makes content item C available as part of a repository through a paid-subscription service. When user P2 obtains the object, it should have self-contained functionality to retrieve P2's identity, send it to a service for verification that P2 is a subscriber to P1's service, and then receive a license L from that subscription service that enumerates the rights to which P2 is entitled. This is shown in Figure 1.


Figure 1: Two peers in a peer-to-peer architecture with DRM-packaged content. The content C has functionality for accessing web services. The Authentication Service authenticates P2's identity, and the License Service issues a License L for P1's content C.
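The exchange in Figure 1, sketched as an added Python example (not code from the white paper or from DigitalContainers): the content object authenticates P2, requests license L, and enforces L before rendering. All function names, tokens and the one-hour lifetime are assumptions, and the shared-key HMAC stands in for the asymmetric signature a deployed License Service would use so that a key extracted from the client cannot mint licenses.

```python
import hashlib
import hmac
import json

# Constructed sample data; every name and value here is hypothetical.
LICENSE_KEY = b"demo-license-key"                     # stand-in for a signing key
TOKENS = {"tok-p2": "p2@example.org", "tok-p3": "p3@example.org"}
SUBSCRIBERS = {"P1-repository": {"p2@example.org"}}   # P1's subscriber list

def authenticate(token):
    """Authentication Service: map a presented credential to a verified identity."""
    return TOKENS.get(token)

def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(LICENSE_KEY, msg, hashlib.sha256).hexdigest()

def issue_license(user, content_id, service, now):
    """License Service: issue L only to subscribers of the named service."""
    if user not in SUBSCRIBERS.get(service, set()):
        return None
    body = {"user": user, "content": content_id,
            "rights": ["play"], "expires": now + 3600}
    return {"body": body, "mac": _mac(body)}

def may_render(lic, user, content_id, right, now):
    """Content object C: verify L's integrity and bindings before rendering."""
    if not hmac.compare_digest(lic["mac"], _mac(lic["body"])):
        return False                                  # altered after issuance
    b = lic["body"]
    return (b["user"] == user and b["content"] == content_id
            and right in b["rights"] and now < b["expires"])

def obtain_and_render(token, content_id, right, now):
    """The flow C runs on P2's machine: authenticate, fetch L, enforce L."""
    user = authenticate(token)
    if user is None:
        return "denied: authentication failed"
    lic = issue_license(user, content_id, "P1-repository", now)
    if lic is None:
        return "denied: not a subscriber"
    if not may_render(lic, user, content_id, right, now):
        return "denied: right not licensed"
    return "render"

if __name__ == "__main__":
    for tok, right in [("tok-p2", "play"), ("tok-p2", "print"),
                       ("tok-p3", "play"), ("bogus", "play")]:
        print(tok, right, "->", obtain_and_render(tok, "C", right, now=1000))
```

Binding L to both the user and the content identifier is what stops a license issued for one item or one subscriber from being replayed against another.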

Standards Support

Rights Expression Languages

To implement flexible, interoperable content distribution schemes on P2P networks, DRM schemes need to embrace standards for creating content rights specifications; these are usually known as Rights Expression Languages (RELs). RELs provide standard semantics for elements of rights specifications, such as those that would be stored in a rights database such as the one labeled P1 Rights in Figure 1, including:

  • The right being granted, such as Play or another render right.
  • The entity to which the right is being granted, such as a user or device.
  • The terms under which the right is granted, such as payment or presentation of credentials (e.g., a valid subscription to a service).

The most prevalent standards in the REL area are MPEG REL[6], from the Moving Picture Experts Group, which derives from XrML[7] (eXtensible Rights Markup Language) from ContentGuard, Inc.; and OMA DRM[8] from the Open Mobile Alliance, which derives from ODRL[9] (Open Digital Rights Language) from IPR Systems Ltd. Other standards bodies, including OASIS (the XML and SGML standards body) and the Open eBook Forum, are also defining RELs.

RELs are especially important in Superdistribution networks. If P1 passes some content to P2, then P2's rights to that content need to be a subset of P1's rights, and if P2 passes the same content to P3, then P3's rights need to be a subset of P2's -- or, if P2 or P3 want additional rights, they need to be able to define them with precision and acquire them from the original IP owners. A properly designed REL enables this.
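The subset requirement above can be checked mechanically once rights are expressed precisely. The following is an added Python example, not part of the white paper and not any REL's actual syntax: it models each right as a use count plus an expiry time (an assumption made for illustration) and validates every hop of a P1, P2, P3 chain against its immediate grantor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    max_uses: int   # number of renderings allowed
    expires: int    # Unix time after which the right lapses

def violations(child, parent):
    """List every way `child` rights exceed `parent` rights (empty if subset)."""
    found = []
    for right, g in child.items():
        p = parent.get(right)
        if p is None:
            found.append(f"{right}: not held by grantor")
            continue
        if g.max_uses > p.max_uses:
            found.append(f"{right}: {g.max_uses} uses exceeds grantor's {p.max_uses}")
        if g.expires > p.expires:
            found.append(f"{right}: outlives grantor's right")
    return found

def check_chain(chain):
    """Check each hop against its immediate grantor, not the original owner."""
    errors = {}
    for (up_name, up), (down_name, down) in zip(chain, chain[1:]):
        v = violations(down, up)
        if v:
            errors[f"{up_name}->{down_name}"] = v
    return errors

# Constructed sample chains.
P1 = {"play": Grant(10, 2000), "print": Grant(2, 2000)}
P2 = {"play": Grant(5, 1500)}
GOOD_CHAIN = [("P1", P1), ("P2", P2), ("P3", {"play": Grant(5, 1000)})]
BAD_CHAIN = [("P1", P1), ("P2", P2),
             ("P3", {"play": Grant(8, 1500), "print": Grant(1, 1500)})]

if __name__ == "__main__":
    print(check_chain(GOOD_CHAIN))
    print(check_chain(BAD_CHAIN))
```

In the failing chain P3 claims a print right that P1 holds but P2 never received, so the check flags it at the P2 to P3 hop; under the text's model P3 would have to acquire that right from the original owner.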

Network Identification

As mentioned above, universal -- or at least interoperable -- identification of users and devices is a critical factor in supporting DRM ease of use and consumers' reasonable content usage expectations. The concept of a universal ID implies that a single entity controls all such IDs, which concerns privacy advocates and others. Microsoft's .NET Passport[10] identification scheme, which allows users to use a single ID to access many different online services (including Microsoft's own services as well as many others), is the closest thing there is today to a universal ID scheme.

Short of a universal ID scheme, the next best possibility is a standard for interoperability of ID schemes, sometimes known as federated network identity. In a federated ID scheme, there is no single repository of IDs, but organizations can use each other's IDs on a per-transaction or per-service basis as long as users give permission to do so. The Liberty Alliance[11], a consortium originated by Sun Microsystems, has defined a specification for a federated ID scheme based on the SAML[12] (Security Assertion Markup Language) standard from OASIS.

Meanwhile, Microsoft has announced that it will create a new version of .NET Passport that provides federated ID capability and uses the older Kerberos[13] distributed authentication standard from MIT.

Web Services

Web services are the ideal way to foster the development of services that P2P network participants can use in conjunction with DRM schemes to create new types of content-related value added services with minimized cost and complexity. Two examples of web services related to DRM shown in Figure 1 are the Authentication Server and the License Server; if P1 gets these through service providers instead of through licensed software, then P1's implementation can be much cheaper and simpler.

There are several emerging standards in the web services area, the most important of which is WSDL[14] (Web Service Description Language), from IBM, Microsoft, and Ariba, currently a draft W3C (World Wide Web Consortium) specification. WSDL enables the definition of service descriptions through messages that service requesters pass to service providers and vice versa.

Other important web services-related standards include the W3C standard SOAP[15] (Simple Object Access Protocol), for describing data objects, and the OASIS standard UDDI[16] (Universal Description, Discovery and Integration), a directory service that enables listing and finding web services. There are many other web services related standards in various stages of development; these are beyond the scope of this white paper.

User Experience

Above all, a DRM scheme that is suitable for integration with P2P networks has to preserve a seamless user experience. In addition to providing for reasonably expected usage rights, such as time and space shifting, as mentioned above, the following are aspects of DRM that contribute to user experience:

  • Installation of the DRM has to be seamless, including the initial installation of the software as well as maintenance. Ideally, the user should not do or even notice anything about the installation. This should be true for all platforms. Java, XML, and other cross-platform technologies, such as are used in DigitalContainers' Hybrid P2P architecture, should help achieve this.
  • Payment processing should be integrated with ISPs and other service providers, so that users don't have their experiences disrupted by requests for payment information. Universal or interoperable ID schemes will go a long way towards facilitating this.
  • The DRM should track content usage but do so in a way that respects privacy. This is a well-known problem -- tracking software is often referred to as "spyware" -- and solving it is largely the responsibility of service providers that process usage information. Service providers need to take steps to give users confidence that tracking information is not being abused.


[5] This is sometimes known as "space shifting" content, a term that is related to "time shifting," i.e., playing broadcast content after it was originally broadcast. The U.S. Supreme Court upheld the right to time shifting in Sony v. Universal, 1984 (the landmark "Betamax" decision); the legal right to space shifting is still being contested.

[6] See http://www.chiariglione.org/mpeg/standards/mpeg-21/mpeg-21.htm#_Toc23297977.

[7] See http://www.xrml.org.

[8] See http://www.openmobilealliance.org/tech/docs/index.htm.

[9] See http://odrl.net.

[10] See http://www.microsoft.com/net/services/passport/developer.asp.

[11] See http://www.projectliberty.org.

[12] See http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security.

[13] See http://web.mit.edu/kerberos/www/.

[14] See http://www.w3.org/2002/ws/desc/.

[15] See http://www.w3.org/TR/SOAP/.

[16] See http://www.oasis-open.org/committees/uddi-spec/tcspecs.shtml.
