Rights Management: Business and Technology. New York:
Hungry Minds/John Wiley & Sons, 2001.
book is about a subject that has been lurking in the
underbrush of the digital information world for many
years and is finally coming to the forefront. Rights
management is, in some ways, the ugly beast that content
providers — publishers, broadcasters, market researchers,
consultancies, major corporations, and others — have
wanted to keep in the closet. The Internet has forced
the closet door open; really, it has eliminated the door
itself. What used to be relatively simple is now uncomfortably
complex. What used to be a source of moderate business
overhead is now a significant undertaking. What used
to be the province of lawyers, agents, and administrators
is now also the domain of technologists. Content providers
need to understand and embrace rights management in order
to play in the Internet age.
Is Digital Rights Management?
The term digital rights management (DRM) was coined by some combination
of vendors, their marketers, and industry analysts in the late 1990s.
Thus it’s less relevant to ask, “What does DRM mean?” than
to ask, “What is it that has come to be called DRM?”
take a broad view of the meaning and scope of DRM. When
you create content (information), you inherently control
a set of rights to that content — to see it, change
it, print it, play it, copy it, excerpt it, translate
it into another language, and so on. Traditionally, those
rights have accrued from three sources:
Rights that you get either automatically under law
(such as inherent copyright) or by some legal procedure
(such as applying for a patent)
Rights that you get or give up by buying or selling
them, such as buying a book or selling a manuscript
to a publisher
Rights defined by the medium that the information is
most important thing to remember about DRM is that the
first two sources of rights haven’t changed much
with the advent of technologies such as the Internet,
cell phones, and MP3 files. Various parties have called
for a complete gutting and replacement of the standing
intellectual property (IP) law, but this hasn’t
happened and isn’t going to. As discussed in Chapter
3 of this book, legislators have responded to new technologies
by adding a couple of new laws instead, such as the Electronic
Signatures Act and the Digital Millennium Copyright Act.
haven’t changed much, either — regardless
of the fact that they can be performed over the Internet.
The same laws apply, the same money is used, and the
same goods can be bought and sold. What’s really
changed is the implicit nature of rights when applied
to traditional media. The Internet has made these implicit
rights explicit. This engenders problems as well as opportunities
for content providers as well as for consumers.
understand what we mean by the implicit rights of traditional
media types, consider this: If you buy a book at a bookstore,
you’re given some rights to the content in the
book. Some are legal: It’s a breach of copyright
law to make copies of the book and sell them. Some are
transactional: You paid some money for the right to read
the book, to lend it, or to give it away. But most of
the rights derive from what’s easy and what’s
hard to do with the technology of a printed book.
easy to read a book; that’s what books were designed
for. It’s also easy to give a book to someone else
(in most cases). However, it’s not that easy to
make a copy of the book; it’s even harder to change
the contents of the book — regardless of whether
those activities are legal. For that reason, publishers
haven’t been too worried about people doing these
Changing Attitude Toward DRM
Although publishing has been around for centuries, publishers’ attitudes
towards rights have changed dramatically in the last decade. Technology
has imposed two inflection points on the industry: The first was putting
content in digital format, as opposed to physical forms such as print,
vinyl, and videotape. Digital content can be copied with perfect fidelity:
Unlike in legacy media, a copy of a copy of a copy of a copy is just
as good as the original. The second inflection point is the Internet,
which eliminates the need for physical media to distribute digital content.
Instead of distributing it on floppy disks, CDs, DATs, MiniDiscs, or
Zip drives, digital content can be sent from place to place instantaneously
and extremely cheaply.
other words, digital network technologies have dramatically
decreased the cost of manipulating, copying, and distributing
content. There are all kinds of things that you can do
to content in digital form now that were too time-consuming
or expensive to do before. This makes content production
and distribution easier for publishers and other content
providers, but it also makes piracy easier for pirates.
rights management refers to controlling and managing
rights to digital intellectual property. The need for
control and management has increased now that digital
network technologies have taken away the implicit control
that publishers get with legacy media.
first, unsurprisingly, content providers were concerned
with digital network technologies’ effects on piracy.
They became interested in technologies — mostly
borrowed from the world of commercial software distribution — that
would take digital content and reintroduce the types
of limitations on manipulation, copying, and distribution
that physical media contain.
early DRM technologies didn’t catch on, mainly
because they were too cumbersome to use. At one level,
they merely replaced one data distribution problem — the
content — with another — the software required
to use the content. In other words, vendors produced
software that effectively gave digital content on the
Internet some of the same properties as physical content
with regard to the ease of exercising rights such as
view, copy, and change. But the software brought new
problems: distributing, maintaining, and getting consumers
to install and use it. So the software introduced a level
of complexity that users didn’t welcome.
type of DRM technology still exists today; in fact, recent
developments in the music industry are making it potentially
more important than ever. As this book goes to press,
the five major recording labels are preparing to roll
out the MusicNet and pressplay services, which offer
digital music to consumers through subscription services
that involve DRM technology. With the weight of legal
victories against the likes of Napster and MP3.com behind
them, the record companies are hoping that consumers
will accept by fiat two flavors of proprietary DRM technology,
from Microsoft and RealNetworks, as opposed to the single
SDMI standard that the music industry attempted to float
but has largely abandoned. It will take some time for
the market to decide.
As content providers have begun to be more familiar with the Internet
and with rights issues, they are coming to realize three things: First,
rights management concerns much more than the distribution of content
to consumers. A publisher or content provider is only one link in a chain
that also includes content creators (authors, photographers, musicians,
and so on), manufacturers, distributors, and so on. Managing rights really
means managing them throughout the entire chain.
and more importantly, content providers have begun to
understand that rights management is as much about the
opportunity inherent in new business models as it is
about preserving the business of old ones. They are realizing
that physical media formats have defined limits on opportunity,
not just piracy. For example, people may not want to
purchase an annual subscription to an expensive scientific
journal, but they may be interested in one or two articles.
It’s hard to do that with print journal publishing,
but network digital technology makes it much easier.
Publishers can increase revenue by adding this type of
capability, of which rights management is a necessary
there are many music fans (like one of us) who are fed
up with the homogeneity of broadcast radio and would
pay a monthly fee to listen to good, commercial-free
music in their favorite genres, but have little interest
in owning lots of albums and even less in going to the
trouble of picking them and putting them on a music-playing
device. It takes rights management technology to provide
this type of service.
can also provide their content to third parties that
add value to the content by repackaging it, adding it
to larger collections of content, and so on. In the world
of legacy publishing, these so-called secondary publishers
have had to set up very expensive operations to serve
this market opportunity. Networked digital technology
dramatically lowers barriers to entry — as long
as rights are managed properly. In today’s environment,
publishers are learning that content brands transcend
location and delivery media: It pays to get content in
front of your intended audience, wherever they may be.
If part of that audience is best served by another venue — another
publication, another Web site, another service — then
the best thing to do is to license content to that other
venue. This, once again, is a rights management issue.
third thing that content providers have come to realize
is the opportunity inherent in learning more about the
audiences for their content. There’s only so much
that you can learn about readers of physical media. If
they buy books at bookstores, they can do so using anonymous
cash, so you have no idea who they are. In the world
of magazines, you know something about your subscribers,
but there’s no way of knowing which articles they
read, which ads they look at, and with whom they share
the magazines. And, of course, television networks sometimes
go to extraordinary lengths to find out who’s watching.
digital technology makes it possible to find out with
unprecedented precision who is consuming what content
and when. In fact, sometimes the information on content
use is worth more than the content itself. If you manage
and control rights to content, it’s only a small
step beyond that to tracking its usage.
management also applies to businesses that don’t
sell content as their primary source of revenue. More
and more types of businesses depend on information as
an accompaniment to the products and services that they
sell — from management consulting and banking to
manufacturing. The construction industry, for example,
depends on plans and specifications for buildings, roads,
and bridges that someone wants built. Construction firms
bid on projects, and documents are created and shared
among different participants in the process. It’s
important to distribute these artifacts digitally while
ensuring that only authorized parties get access. The
same is true in the aviation industry for building today’s
complex aircraft, in financial services for research
documents that are sent only to top customers, in pharmaceutics
for managing drug regulatory documentation processes,
and in many other fields.
feel strongly that DRM solutions will eventually spill
over from pure content industries to all these other
fields. In fact, some noncontent industries already use
document management systems that have certain aspects
of DRM built in.
rights management differs from traditional rights management
because it needs to be proactive instead of reactive,
and it needs to be explicit and comprehensive instead
of letting the medium determine the rights.
entire industry is emerging of technologies that perform
digital rights management. These comprise several different
types of functionality, such as the following:
that content providers can use internally for defining,
organizing, and managing rights
for distributing content to consumers in a controlled
way (the original types of DRM solutions and the ones
that get the most press because they are meant to address
for managing access to content within an enterprise,
such as a corporation or educational institution.
for licensing and distributing content to other publishers
in a controlled way
for measuring content usage
market for these technologies came into focus in the
mid-1990s and has been growing slowly ever since. Many
vendors have come and gone; leaders have yet to emerge.
But most people agree that even though the Internet was
built with an “information wants to be free” environment
in mind, DRM is becoming a more and more fundamental
idea in the evolution of digital content; because of
this, the market should grow rapidly. Recent (June 2001)
research by IDC predicts that the market for DRM technology
and services, which it measures as $96 million in 2000,
will be $200 million in 2001 and ultimately $3.5 billion
in 2005 — an annual growth rate of over 100 percent.
Origins of DRM Technology
As mentioned earlier, the identification of a type of technology for
controlling the copying of content in digital form came about with the
rise of the Internet. Before that, making unauthorized copies of digital
files was a problem that originated in the software industry.
piracy continues to be a problem for vendors to this
day. Yet it wasn’t much of an issue in the days
before the PC (pre-1980s), when computers were mostly
large machines for multiple users — minicomputers
and mainframes. Yet ironically, key components of what
we now call DRM technology arose out of the mini/mainframe
environment. On every large computer system, individual
users maintain their own sets of files. Each of those
files has permissions on them, allowing different users
the rights to do certain things with those files, such
as read them, write (change) them, run them (for files
that are themselves programs), and delete them. On the
most sophisticated systems, each of those permissions
could be assigned (or not assigned) to different classes
of users, including the creator of the file, members
of a defined group of users, and “everyone.”
Chapter 4 (and throughout this book), we call this specification
of who can do what to or with a file a rights model.
Developers of rights models for DRM certainly took their
inspiration from file permission schemes for multiuser
operating systems. Incidentally, this technology didn’t
go away with the advent of PCs: On the contrary, every
Web and database server that you use today has it. The
computers themselves just got smaller and more powerful.
personal computers came out in the late 1970s through
the early 1980s, software was distributed on floppy disks.
Nowadays, with most software packages too large to fit
on 1.44MB floppies, CD-ROM is the most popular physical
medium for software distribution. Floppies were easily
duplicated, and today’s cheap CD-RW (writeable
CD) drives have made CD-ROM software relatively easy
to pirate as well. Software vendors have devised various
schemes, including warning messages (“guiltware” or “scareware”),
product ID keys stickered onto the CD-ROM boxes (“naziware”),
and the infamous dongles (hardware device that attach
to PCs’ printer ports) to stem the tide of piracy,
with mixed success.
area networks (LANs), which became widespread in the
late 1980s, engendered new possibilities for piracy.
Now, instead of making copies of floppy disks, it was
possible to make copies of files on other people’s
machines or on central file servers. Certainly it was
easy to copy software that way. Software vendors tried
hard to create tools that would administer software licenses
among the dozens, hundreds, or even thousands of users
in a corporation or other institution. This proved to
be extremely difficult in the Microsoft Windows environment,
although it was easier in the UNIX environment.
access to digital files via encryption came up around
this time. On mini and mainframe computer systems, it
was often possible to encrypt files in an ad hoc manner
(for example, through the UNIX crypt command). Encryption
provided an extra measure of protection: You needed to
know a password in order to unencrypt the file. File
compression programs such as PKZIP also provided encryption,
which supposedly helped software vendors copy-protect
their distributions (although PKZIP’s particular
type of encryption has been judged to be weak).
first well-known application of encryption for what you
could call “content” was for type fonts.
Fonts used to be expensive: They would cost up to a few
hundred dollars apiece. (This was before Microsoft began
to throw a few dozen of them in with every version of
Microsoft Office.) When a font file was on a server on
a LAN, everyone could use it — either by copying
it or by referring to it on the server. In the early
1990s, fonts were typically distributed on CD-ROMs. Two
vendors, InfoSafe and CDMax, responded to this by inventing
technology that encrypted files on CD-ROMs, required
users to have decryption keys to use them, and charged
users according to what they used.
was a relatively small step from encrypted files on CD-ROMs
to encrypted files on the Internet. Although the Internet
had been around for much longer, most people identify
1994 as the year when it started on its meteoric rise
to commercial prominence. The threat of piracy became
all too clear to publishers.
developments took place within the two years after 1994
to create the paradigm that we now know as digital rights
management. Two of these were the first well-known DRM
systems from commercial vendors: infoMarket from IBM
and a system from the startup company Electronic Publishing
Resources (EPR). IBM’s infoMarket was a combination
of two things: One was a technology for strictly controlling
content rights and distribution called Cryptolope. As
its name implies, Cryptolope was an “envelope” that
used encryption to keep content inaccessible to those
who didn’t provide the proper consideration, such
as paying for it. The other was a set of software that
enabled IBM’s customers to create marketplaces
on the Web for content distributed in that way.
took a slightly different approach. Whereas IBM’s
infoMarket was all software, EPR designed an entire end-to-end
system for distributing digital content that included
hardware devices on the client side. They spent an alleged
$25 million in research and development to invent this
technology and, just as importantly, apply for many patents
on it. Neither IBM’s infoMarket nor EPR’s
hardware devices were very successful, but the technologies
live on: Bits of infoMarket have survived in IBM’s
Electronic Media Management System (EMMS; see Chapter
11), and EPR moved its technology from hardware to software
and renamed itself InterTrust — now one of the
biggest names in DRM.
third major development that catalyzed the DRM paradigm
was the publication of the paper “Letting Loose
the Light: Igniting Commerce in Electronic Publication,” by
Dr. Mark Stefik, a researcher at Xerox PARC research
labs. This landmark paper defined what you could call
the “techie’s view” of DRM for all
time. It said, in essence, that it should always be possible
to strictly define and control who can do what to a piece
of content, when, on what devices, and for how much money
or other form of consideration.
Loose the Light” defined something called a trusted
system. A trusted system is a device that holds some
data and implements a precisely defined set of behaviors
on that data. There is no way to access or modify the
data other than to go through the trusted system. Trusted
systems, Stefik said, would be the only feasible way
to implement digital rights management because general-purpose
computers have too many security holes. Stefik left some
room for interpretation about the form of the trusted
system, but he implied that it should take the form of
a convenient, dedicated device, such as a smart card
that plugs into a PC, music player, or other device.
addition to defining the trusted system, Stefik defined
a programming language for expressing rights to content,
who gets them, what they cost, and so on — what
we call a rights model in this book. This language was
called Digital Property Rights Language (DPRL).
call Stefik’s paper the “techie’s view” of
DRM because it envisions a world where all content rights
are defined and controlled by automated processes. It
doesn’t allow for any ad-hoc content rights transactions
among humans that publishers may want to allow, or may
even depend on, such as passthrough (making a few copies
of a magazine article for colleagues around the office)
and fair use (see Chapter 3). On the contrary, Stefik
says, in his 1999 book The Internet Edge: Social, Technical,
and Legal Challenges for a Networked World, that even
these types of content “transactions” can
and should be covered under rights management technology.
Some intellectual property law experts disagree, suggesting
that the idea of tight control of content access rights
runs counter to copyright law – in particular,
to the First Sale Doctrine (see Chapter 3).
publishing “Letting Loose the Light” (which
appeared, among other places, in Stefik’s 1996
book Internet Dreams: Archetypes, Myths, and Metaphors),
Stefik and colleagues from Xerox traveled around and
talked to publishers, record companies, and consumer
electronics manufacturers about implementing DPRL and
the trusted systems concept.
people within Xerox entertained the idea of implementing
DPRL language interpreters in the company’s printers,
copiers, and scanners so that their tasks could be performed
in a way that respects copyright. Although no vendor
of a media-producing or media-consuming technology wants
to build devices that restrict their own actions, Xerox
may have been “inspired” by legal actions
such as the 1991 lawsuit that the Association of American
Publishers coordinated of seven publishers against Kinko’s
for unauthorized copying of academic materials.
never did follow through on DPRL-enabling their devices,
but they did create a division called Xerox Rights Management
to build software around the DPRL technology. Xerox eventually
spun Xerox Rights Management out, and after a change
in management, it became ContentGuard, Inc. As discussed
in Chapter 6, ContentGuard modified and commercialized
the DPRL technology, naming its variation XrML (Extensible
Rights Markup Language).
1996, many DRM vendors have come and gone. Most have
targeted the publishing industry and have implemented
technology designed to run on standard PCs and over the
Internet. One early exception was Wave Systems, of Lee,
MA, which implemented DRM technology in hardware. Wave
Systems invented the EMBASSY processor, sort of a “DRM
on a chip,” and tried without much success to sell
it to PC manufacturers, who would then build the chip
into their PCs.
as shown in this book, the DRM market is dominated by
software players because of the total dominance of PCs
and their ilk (for example, Macintoshes) as devices that
access the Internet. Grafting DRM technology onto these
technologically mature platforms has its problems. But
as more and more post-PC Internet access devices are
invented, such as PDAs, cell phones, and Internet music
devices, DRM technology will have more opportunities
to be integrated at the ground floor. Meanwhile, the
software vendors aren’t standing still, either.
DRM has come a long way from its origins in operating
system file protection.
This Book for You?
This book was designed to help you chart a confident course through the
technologies, business issues, and solutions in an industry in a constant
state of flux. We show you the principles behind digital rights management:
the existing content provider environments in which the industry was
born, the new business models that are possible through DRM solutions,
the fundamentals of the relevant technologies, and how to combine it
all into solutions that make sense for your business.
you are looking for a Consumer Reports-style guide to
various DRM vendors’ solutions, this may not be
the best place to look. We do examine specific vendors’ technologies,
to be sure, but because vendors and their offerings change
so frequently, we feel that you should consider supplementing
this book with some of the more frequently updated periodicals
and research journals that touch on the subject. [One
such service is DRM Watch].
you read this book first, you can place vendor hype,
as well as industry news and analysis, into a unique
framework of understanding and cut through biases and
temporalities. You’ll be able to compare apples
primary target audience for Digital Rights Management:
Business and Technology is business and technology decision
makers at content-providing businesses, including publishers,
broadcasters, consultancies, investment firms, market
researchers, and many other types of businesses that
generate or handle a lot of information. We wrote this
book because there is no other place to get comprehensive
information about the principles underlying DRM, as opposed
to the latest vendor hype or technology fads.
book will also be of interest to people who work on the
technology side of the industry. If you are a technologist,
you will find this book useful for learning about the
business issues that concern content providers. Publishing
people are a tightly knit community with a reputation
for not trusting technology vendors unless they “talk
the talk” and demonstrate that they have “been
there and done that.” They tend not to buy technology
solutions unless and until they are proven in the field.
After reading this book, you will be able to fine-tune
your technology offerings for your target market and
be better able to explain their value to potential customers.
You may even also find out more about what your existing
and potential competition is doing.
this book will appeal to those third parties with a vested
interest in the world of digital content technology:
investors, analysts, venture capitalists, consultants,
and so on. Read this book to get more insight about DRM
in one place than has heretofore been available, at any
all, you will find that this book offers analysis and
opinions borne of the decades of content business and
technology experience of its authors. Collectively, we
have worked both sides of the fence — as publishers
and as technology vendors — and as third-party
consultants, analysts, and investment advisors. You will
find no vendor hype, no publishers’ paranoia, or
pipe dreams here — just information analysis that
you can trust, with implicit emphasis on the wheat rather
than the chaff.
a technical standpoint, this book doesn’t presuppose
deep technical expertise in areas such as encryption,
security, XML, Internet technologies, and content formats.
It will help you, but isn’t strictly required,
to have a high-level understanding of processes for content
publishing in any format, intellectual property rights,
Internet fundamentals, and the essentials of system architecture
and integration. The legal- and technology-oriented chapters
contain pointers to more detailed information, as does
This Book Is Organized
Digital Rights Management: Business and Technology is organized into
three parts. Here are descriptions of each part and of the chapters in
I: The Business of DRM
Chapter 1: Where We Came From: Content Rights
in the Predigital World
This chapter is an overview of how intellectual property rights have
been handled in the world of physical media, with examples from the publishing,
music, and film industries. Chapter 1 describes legacy rights clearance
organizations such as the CCC, ASCAP, and BMI.
2: Bits and Nets: New Businesses, New Possibilities
This chapter discusses new business models that the networked digital
technology makes possible. These include paid downloads, subscriptions,
pay-per-view and pay-per-listen, usage metering, peer-to-peer, superdistribution,
and selling rights instead of the actual content.
3: Help from the Government: Law and Technology
Chapter 3 is a summary of the various types of intellectual property
law, with an emphasis on copyright and licensing and an explanation of
how the law relates to rights management. This chapter also contains
descriptions of recent relevant legislation, including the UCITA, DMCA,
European Copyright Directive, and Electronic Signatures Act, as well
as some of the important recent court decisions related to content rights
II: The Technology of DRM
Chapter 4: Rights Models: Representing Rights
In this chapter, we present the fundamentals of rights models, which
are frameworks for describing intellectual property rights in computer
systems that support rights transactions. Chapter 4 explores how rights
models support new Internet-based business models as well as how they
fall short of being able to support some content business models from
the physical world.
5: DRM Building Blocks: Protecting and Tracking Content
Chapter 5 contains explanations of our DRM reference architecture and
primary technology components of digital rights management systems, with
an emphasis on consumer-oriented DRM. Chapter 5 includes discussions
of encryption and watermarking technologies.
6: Technology Standards: Leveling the Playing Field
This chapter discusses the role of open standards in DRM, with detailed
information on the most important emerging standards, including the Digital
Object Identifier (DOI), Extensible Rights Markup Language (XrML), Information
and Content Exchange (ICE), and the Secure Digital Music Initiative (SDMI).
7: Proprietary Core Technologies: The Heavyweights
Chapter 7 is a look at the most prevalent core technologies in the DRM
world today, including offerings from InterTrust, Verance, Digimarc,
Preview Systems, Reciprocal, Adobe, and the heaviest of them all, Microsoft.
III: DRM Solutions: Putting It All Together
Chapter 8: Get What You Need: Determining Requirements
This chapter shows you how to gather requirements for your digital rights
management application: It includes some general thoughts about requirements
definition, along with laundry lists of the types of decisions that you
will need to make when choosing a DRM approach.
9: Implementation Options: Build, Buy, Integrate, and
In this chapter, we explore the differences between raw DRM technology
and DRM solutions, including options for buying off-the-shelf packages;
integrating components; building your own DRM solution from scratch,
and outsourcing all or part of your DRM technology. Chapter 9 also includes
advice on how to choose the best approach for your needs.
10: Plug and Play: Integrating DRM
Chapter 10 discusses how to integrate digital rights management technology
with various types of content production processes and systems that you
may already have in place, such as editorial systems, content management,
sales, marketing, and finance.
11: Additional DRM Solutions
Chapter 11 contains descriptions of many of the vendors of digital rights
management solutions, beyond those discussed in Chapter 7, whose technologies
are based on the DRM reference architecture discussed in Chapter 5. We
examine DRM solutions for text and PDF, corporate documents and e-mail,
music, and multiple media.
12: DRM-Related Solutions
Chapter 12 is a survey of solutions that are related to DRM but do not
conform to the DRM reference architecture. We discuss internal rights
management systems for publishers and entertainment companies, online
rights exchanges, DRM-enabled search technologies, syndication software
packages, syndication hubs, and content distribution services.
13: Epilogue: The Future of DRM
In Chapter 13, we offer some final thoughts on the future of digital
rights management, discussing business models that will and won’t
work, technologies that still need to be built, and perspectives on the
development of the DRM market.