Usage Drives Protection
There's a decided lack of either concern or enthusiasm over digital rights management (DRM) these days. Perhaps its initial presentation as a form of control over
Digital rights management (DRM) centers around three core considerations:
* authorized access of a user to digital content
* mutual agreement by rightsholder and user on the parameters for interacting with that content
* the environmental context of the user that determines the type of use needed
Far from wanting to impose barriers to productivity, the emphasis in current discussions of digital rights management among content providers, organizations, and system vendors focuses on how rapidly systems can facilitate use of content for users.
Different subsets of users employ content differently. Digital rights management must make clear what constitutes appropriate use within a specific setting, whether corporate, academic, or personal. It can never be a one-size-fits-all technology or practice. In each decision to implement or not implement DRM, the entities involved must examine and assess the practical aspects of use, the individual roles or tasks within a specific environment, and attendant risks.
Recent Shifts
Four years ago, most discussions of digital rights management focused on the publishing community's need for a sense of security in permitting dissemination of intellectual property in an electronic environment (1). As publishers saw the ease with which content could be perfectly copied and rapidly transferred, particularly within a Web environment, they focused more on the potential risks inherent to this fluid form than on how to help users work and interact with information. Now, however, corporations (rather than traditional publishers) tend to be the target of DRM system vendors. As corporations increasingly depend on electronic processes for most daily workflow and documentation of that workflow, there is an interest in ensuring protection of corporate materials from inadvertent loss or unwarranted intrusions.
Although concerns have not entirely dissipated for certain classes of digital content (for example, the digital entertainment content still perceived as high risk by some providers), many organizations, particularly those involved with text-based content, have adopted business practices that outline appropriate usage via contractual language rather than technological means. Businesses or other enterprise organizations use relatively simple DRM mechanisms to protect individual documents for purposes of security or confidentiality. And those organizations, such as Japanese electronics manufacturer Sony, that formerly tried to tightly control the access and use of digital content, now acknowledge that the better strategy might have been to step back and promote use rather than tighten proprietary guards (2).
Only in very specific instances in which either the workflow process of the client or the environmental context of the user demands a particular and customized implementation of DRM do content holders consider complex technological systems these days. Instead, current DRM discussions emphasize the elimination of barriers to immediate access and flexible use of content.
What Is Meant By "Digital Rights Management"?
Ideally, DRM delineates the set of permitted uses, the constraints on use, the conditions under which certain entitlements of use may be exercised, and the secure presentation of the content as authorized by the rightsholder. This delineation is achieved in two ways: (a) through licensing agreements with contractual language that outlines the scope of permissible access to and use of material, and (b) through technological means (a combination of software and hardware). In the context of an academic library or similar open environment where users may need access to all types of seemingly unrelated material, a license or contract may provide the least intrusive form of control over content while still supporting the widest variety of uses. In the context of a commercial enterprise in which access to information is usually closely aligned to an individual's predictable workflow, technological systems may provide the best solution.
In the latter case, technological systems operate either by embedding rights information in the content during the production process or by overlaying some form of protection after creation of the content. Regardless of how the digital rights are conveyed, both the rightsholder and the end user are eager to minimize the time required to negotiate the process of access, use, and enforcement. In the corporate or enterprise environment, DRM may also be called "enterprise rights management," but both phrases encompass all activities that protect the integrity of content and/or data while governing the users' activities in working with the content.
The User Context
Users want to read, copy, forward, edit, and annotate information as they share it with others. Digital information offers the great advantage of allowing ready sharing with others, but that activity is still governed by intellectual property law. In actual practice, most users don't consider whether simple activities such as printing or forwarding a document fall within the bounds of the law because such tasks are so fundamental to the daily workflow. DRM tries to maintain organizational compliance with such laws without unduly impeding practical and lawful activities by individuals within the organization. [For the purposes of this article, we will not address personal use of or access to digital information.]
A brief list of statistics from the Copyright Clearance Center report entitled "Copyrighted Material in the Digital Workspace" illuminates how employees of an enterprise routinely disseminate digital information as a part of the daily workflow:
* More than 70 percent of employees need to share copyrighted information with co-workers or business associates. Another 84 percent share information within their organization, and 37 percent distribute information externally.
* Employees report sharing content an average of 13 times per week.
* Executives share copyright-protected information at almost twice the rate of their employees (3).
Sharing within a business setting is not limited to news clippings or full-text articles. Electronic dissemination of internal memos and reports is routine. Sales personnel send bids to prospective customers by email. Enterprise rights management is implemented logically in those situations in which information is highly confidential, deemed proprietary, or where, as in the wake of the 2002 Sarbanes-Oxley Act, restricted accessibility to certain types of data has become a legal requirement. Other forms of "digital leakage" may occur through a range of activities - malicious behavior of an individual, systematic corporate espionage, or the simple inadvertent loss of a laptop computer - any of which can have expensive implications for the organization.
In this environment, organizations may turn to DRM system vendors, such as SealedMedia [http://www.sealedmedia.com/]. SealedMedia offers a system that seals or encrypts files during the course of the production process. Upon receipt of a sealed PDF document, the recipient employs a client-side plug-in that prompts the user for a username and password. The system transmits this information to a server at the document supplier's end for authentication of the user's right to access the material. The system works with a variety of document formats (Word, PDF, PowerPoint, HTML, etc.), making it ideal for corporate workflow documents as well as traditional publications.
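The flow described above ends in a decision on the supplier's server: authenticate the user, then check the requested use against what was licensed for that document. The following is an added example of that decision, not SealedMedia's code or protocol; the user, document, grant structure and function names are all hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash; the work factor is chosen for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample data (hypothetical user and document).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown user costs the same work as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))

# (user, document) -> permitted uses plus one condition (licence expiry).
GRANTS = {
    ("alice", "report-2005.pdf"): {
        "uses": {"open", "print"},
        "expires": datetime(2030, 1, 1, tzinfo=timezone.utc),
    },
}

def authenticate(user: str, password: str) -> bool:
    salt, stored = USERS.get(user, _DUMMY)
    candidate = _hash(password, salt)
    # Constant-time comparison; unknown users always fail.
    return hmac.compare_digest(candidate, stored) and user in USERS

def authorize(user, password, document, use, now=None):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    now = now or datetime.now(timezone.utc)
    if not authenticate(user, password):
        # Same answer for unknown user and wrong password.
        return False, "authentication failed"
    grant = GRANTS.get((user, document))
    if grant is None:
        return False, "no licence for this document"
    if now >= grant["expires"]:
        return False, "licence expired"
    if use not in grant["uses"]:
        return False, f"use '{use}' not permitted"
    return True, "ok"
```

The client plug-in would act on the returned decision; the per-use check is what lets a rightsholder allow opening and printing while refusing, say, forwarding.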
Congressional Quarterly, publisher of a print-based legislative tracking service of the same name in daily and weekly formats, was concerned about the erosion it observed in subscription sales from pass-along distribution of the print edition at a time when subscribers were also looking to online versions of the publication. For a subscriber base significantly concentrated in the Washington Beltway, the move to delivering protected PDF files provided the most efficient distribution of CQ publications to security-conscious institutional customers, while still supporting users' desire for convenience and computerized accessibility. According to Larry Tunks, CIO of CQ, the decision to use SealedMedia ensured protection of content in a way that satisfied both publisher and user requirements (4).
The same thinking served the major scientific publisher, Elsevier, in meeting the needs of pharmaceutical clientele who purchased reprints of journal articles. In that instance, Elsevier turned to Cadmus Communications [http://www.cadmus.com/], which uses a similar type of protective technology in its RapidRights product. Elsevier wanted to protect the appearance and distribution of its content while still encouraging pharmaceutical companies to purchase reprints for further dissemination. The pharmaceutical companies wanted to rapidly disseminate journal content electronically to physicians in support of product sales. Both rightsholder and distributor sought to track subsequent usage. The RapidRights solution allowed recipients to open, read, and even pass along a reprint within the parameters of use licensed by the pharmaceutical firm from Elsevier in purchasing the reprint. It's interesting to note that Elsevier's interest in digital rights management is confined to this type of niche market requirement where the purchasing party was driving the use of DRM.
Such approaches circumvent the lack of a widely accepted, standardized rights expression language that would enable systems to exchange rights information and fulfill authentication requirements in general. Unfortunately, for some work environments, this approach to digital rights management is frankly inadequate.
Open Collaborative Environments
Because open sharing of information is deeply embedded in instructional practice, the security of a DRM implementation is valued when it facilitates appropriate access to very large heterogeneous collections of digital learning objects, primary research data, and other research and teaching materials. As mission-critical as providing that access is, however, the academic environment also highly prizes the individual's intellectual contribution. For a variety of reasons, academic settings need to protect and acknowledge those contributions. In the case of a faculty-developed test bank, it may be desirable to provide access for faculty in remote areas but not to students while still crediting the work of the original faculty who created content and developed the tool. In the case of the library catalog, maximizing public access to the full record is desirable, while it may still be necessary to restrict rights to the content of individual records. This type of highly collaborative environment demands a very flexible and customized approach to digital rights management.
Such situations are further complicated by the lack of interoperability between multiple systems often found within academic institutional networks, e.g., course management systems, administrative systems, and third-party content platforms. A variety of machine-actionable rights expression languages have emerged from different groups of stakeholders, but none has received widespread acceptance, as no single language addresses the needs of both system vendors and the diverse populations within institutions (i.e., information professionals, IT staff, faculty, and students).
In a preface to a report prepared for the Library of Congress on the topic of rights expression languages, Sally McCallum, chief, Network Development and MARC Standards Office, pointed out the following:
Rights expression languages (RELs) are emerging in the information community that support different aspects of the digital access environment - licensing, payments, Web material, use control, access, etc. They go to different depths in the data they specify and they take different approaches vis-à-vis machine manipulation. These variations make it difficult to select the appropriate one for a particular situation or a cooperative venture (5).
Another study of digital rights management within this kind of open collaborative environment made this observation about the circumstances under which DRM seems most useful and most applicable:
DRM will be of the most value in the environment where there are simple, small and frequent transactions involving the use or exchange of intellectual property. If the transactions are infrequent, then automation is not cost-effective. If the transactions are overly complex, then automation may not be feasible. If the transactions are more suitably handled via traditional negotiations and contracts, then automation is not called for (6).
Conclusion
Given that the key advantage of the digital environment is the ability of the user to be more productive in rapidly pinpointing critical or relevant information and using that information to complete the task at hand, digital rights management requires a truly delicate social balance.
The copyright industries generate billions of dollars in national economies around the globe, even as these industries facilitate exchange of ideas and knowledge. Protection of specific expressions of ideas and/or protection of marketable formats that carry those ideas is a legitimate concern for the creators and rightsholders who drive that exchange. Outside of the copyright industries, corporations have legitimate reasons for protecting proprietary data and information, even while seeking to enhance productivity by automating processes wherever possible and using electronic dissemination for purposes of communication and documentation.
However, use of content is too individualized, even within the most routine workflow, to be tidily automated in all instances. Users will ignore barriers or find ways to circumvent them if protections become too obstructive to use. Flexibility in constructing a protective shield for all forms of data, content, or other forms of information is required. Trust will ultimately have to enter into the interaction between rightsholder and users.
Therein lies the real solution for the future. The very untidiness of our current implementations of digital protection may constitute the most successful means of making users aware that not all content is available to them for all uses, regardless of setting. Simultaneously, providers of content may build a better understanding of users' practical needs, as well as recognize real-world behavior patterns via digital rights mechanisms. Both outcomes promote trust, so that the functionality of DRM recedes and the exchange becomes one of mutual understanding.
Endnotes
1. Seybold Research Industry Survey, Digital Rights Management: Usage, Attitudes and Profile of Users, Executive Summary, September 2001. Accessed on 01/24/05 [http://www.seyboldreports.com/Specials/ DRM survey/].
2. "Sony Video Chief Admits Strategic Mistake," Y. Kageyama, Associated Press. Accessed on 01/21/05 [http://news.yahoo.com/nwes?tmpl=story&cid=528&u =/ap/20050120/ap_on_hi_te/sony&pr].
3. "Copyright in the Digital Workspace: Content Use and Attitudes Toward Copyright in Corporate America," Copyright Clearance Center, Dec. 2004, pp. 2-3.
4. Telephone interview with Larry Tunks, CIO, Congressional Quarterly, Inc., Feb. 4, 2005.
5. "Rights Expression Languages: A Report for the Library of Congress," Karen Coyle, February 2004. Quote from "Preface" by Sally McCallum, p. 3. Accessed at http://www.loc.gov/standards/Coylereport_finallsingle.pdf
6. "A Digital Rights Management Ecosystem Model for the Education Community," Geoff Collier, Harry Piccariello, and Robby Robson, May 10, 2004, p. 16. Accessed at http://www.contentguard.com/whitepapers/DRM_Ecosystem_2004_05_10.pdf.
Bibliography
Numerous white papers, studies, and news articles on the rationale behind and the implementation of digital rights management are available to the reader. In addition to those referenced in this article, the ones shown below provide a useful background for further investigations. All are available via the Web.
Digital Rights Management: Final Report
Study carried out by Intrallect Ltd. on behalf of the U.K. Joint Information Systems Committee
By Charles Duncan, Ed Barker, Peter Douglas, Martin Morrey, Charlotte Waelde
November 22, 2004 [http://www.intrallect.com/drmstudy/DRMFinalReport.pdf]
Driving Content Management with Digital Rights Management
White Paper Series 2003, IPR Systems [http://www.iprsystems.com]
By Dr. Renato Iannella, Peter Higgs
April 9, 2003 [http://www.iprsystems.com/whitepapers/CM-DRM-WP.pdf]
Integrating Content Management with Digital Rights Management: Imperatives and Opportunities for Digital Content Lifecycles
By Bill Rosenblatt and Gail Dykstra
May 14, 2003 [http://www.xrml.org/reference/CM-DRM whitepaper.pdf]
"2004 Year in Review: Online Content Services"
DRM Watch [http://www.drmwatch.com]
By Bill Rosenblatt
Dec. 30, 2004 [http://www.drmwatch.com/ocr/article.php/3453041]
Effective Internal Control of Sensitive Information: Implications of the Sarbanes-Oxley Act for CEOs, CFOs, and Other Corporate Directors
White Paper, SealedMedia
SealedMedia [http://www.sealedmedia.com]
2004 [http://www.sealedmedia.com/products/Sarbanes-Oxley.asp]
What Consumers Want in Digital Rights Management (DRM): Making Content as Widely Available as Possible in Ways that Satisfy Consumer Preferences
Executive Summary, AAP/ALA White Paper
F. Hill Slowinski, Worthington International
March 2003 [http://www.dx.doi.org/10.1003/whitepaperl]
by Jill O'Neill
Director of Planning and Communication
National Federation of Abstracting and Information Services (NFAIS)
Jill O'Neill has worn a variety of hats in the information community, working with libraries, content providers and users over the past 18 years. She is currently director of planning and communication for NFAIS, an international membership association of libraries and content and technology providers.