DRM – Digital Rights Management

Traditionally, in the print industry, the author (or publisher) of a book asserted their right to be able to control what the purchaser could (or could not) do when they had purchased the work.

DRM is an approach that lets authors and publishers exert more appropriate rights over digital (or dematerialized) than they were able to in the physical print era.

What one has to remember is that the balance of power has changed in the last ten or so years.  Prior to that, copying and re-printing a physical book was non-trivial.  If you wanted to steal someone else’s work you needed to find someone who was willing to publish the copy, and the publisher knew they would be sued without mercy.  So there were some really obvious physical controls in the physical print industry.

But the digital age has spawned the ability – the computer – to make copies at near zero cost, and to do so without detection.  So the rules of the ancient world do not apply.  The use of web sites to facilitate pirated film, music and PDF documents demonstrates that the ability to copy works that do not have digital rights management applied to them is unlimited and files can be shared and transmitted without any control at all.

So digital rights management is a critical feature if you are making confidential information available to others, whether it is a price list, a contract specification, an analyst’s report, a newsletter or a book.  Without DRM you have no way of preventing people who have access to your intellectual property from doing just exactly what they want with it.   So that’s why it is important.

Who uses Digital Rights Management?

1. DRM is used by a number of industries to control use of paid digital content.  It is popular in the music, movie, and ebook industries to control content distribution, prevent unauthorized use, and protect revenue streams.  Whilst many end users paying a few dollars for a song, movie, or ebook, are against the use of DRM (many users say if they have paid for something they should be able to do with it as they wish – this of course if not the content owners view), it is more readily acceptable in the business world protecting high value reports and content available to members only.  This is because if someone has paid $1000 for a report they would not necessarily be happy if other users were to receive the same document for free.
2. DRM is used by many organizations internally to protect confidential information, share documents securely with third parties, and audit documents to identify leaks.  DRM within an organization is also known as Enterprise Rights Management or Information Rights Management.  Some online systems where document controls and access can be altered in real time are sometimes referred to as Active Rights Management systems, but essentially they are all the same thing.

Digital Rights Management enables publishers to control not only who receives their content but what they can do with it.  Such controls include:

• Preventing editing and saving
• Preventing forwarding and sharing
• Preventing printing (or limiting the number of prints available)
• Preventing screen grabbing
• Document expiry
• Document revocation
• Locking documents to devices, IP addresses, and country locations
• Watermarking documents with unique user information to establish an identity

In addition, DRM enables publishers to log use so they can view data on when content was used (i.e. when documents were viewed and printed), by whom and when.

How is DRM implemented?

To apply Digital Rights Management controls to content, Publishers use a ‘Writer’ application.  This encrypts the content so it can only be viewed by someone with the correct decryption key (see document encryption), and lets Publishers choose which DRM controls they want to apply (i.e. stopping printing or making the content expire after a certain length of time).

Users can view protected content in a native application by installing a plug-in (common for browser applications and music/movies) or may need to download a dedicated ‘Reader’ application.  Plug-ins have an inherent security weakness in that other plugins can be used to bypass them, and often an update to the native application can render them useless.  Standalone reader applications are the most reliable and secure but mean that users must download an additional application to process the protected content.  Web based readers are becoming increasingly common but these have their drawbacks – since no software is installed on the client computer some facilities that take control over the Operating System are not available, so users may be able to screen grab content and print it to unprotected formats (PDF, XPS, etc.).

A licensing system is used to transparently relay decryption keys to the ‘Reader’ application and these keys are locked to authorized devices.  It is vital that decryption keys are not exposed to users (i.e. passwords) and are locked to devices (so they will not work on other devices) otherwise they could be given to other users along with the protected content.  The ‘Reader’ application checks that it has the necessary decryption key to decrypt the content, and if it does, it loads the content with the appropriated DRM controls applied.  If the ‘Reader’ application does not have the correct decryption key(s) it will check with the licensing server to see if the user is allowed access to the protected content.