DRM, the California Consumer Privacy Act & data protection

DRM, the California Consumer Privacy Act & data protection.

As more regulations are introduced concerning the use of personal data it is important to understand how it can be accessed and used securely. DRM can help with tightly controlling use, ensuring it is not exposed or misused.

Never before have we had so much interest in the securing of personal information that is being carried over the web (Internet). It has exercised both politicians and pundits.

Not so long ago the European Union politicians upped their game for requiring data protection for their citizens personal data, by setting higher standards, requirements and fines for non-compliance with regulations specifying adequate security measures to protect data that are collected, and restricting the authority to collect personal data, by introducing the General Data Protection Regulation (GDPR) which came into effect in May 2018.

In 2016 Tim Berners -Lee expressed dismay at the subversion of the ethics of the Internet following allegations that Russian hackers had interfered with the US 2016 election, and the Facebook-Cambridge Analytica data sandal became public. His response was to indicate that the Internet was in need of repair, and created the Solid project as the first step to give individual users full control over the usage of their data. This project is gaining serious traction in the technical world.

Finally, in 2020 The State of California brings into force the California Consumer Privacy Act (CCPA) which among other things protects and limits the sale of the personal data of California citizens, allowing opt-out from sale of their personal data and requiring collectors to declare what data are shared and with whom. This comes on top of data privacy regulation.

Does this have anything to do with Digital Rights Management?

The obvious answer is yes – and no.

GDPR considers the protection of data that is collected and stored for some valid reason. CCPA is slightly more biased towards forbidding or controlling the sale of personal data and providing links to identify personal data users.

Tim Berners-Lee appears at the moment to be more focused on authenticating the source of information and granting rights to authorized recipients of those data. This requires some means of certifying users and their identification (perhaps preventing the British Conservative Party changing its Twitter account name from @CCHQ to @factcheck UK, potentially misleading users, something he condemned as bad practice).

Where does Digital Rights Management help provide control

Identifying the correct recipient of information

One thing DRM systems have had to sort out is a cheap and reliable method for identifying users where there are no generally accepted standards.

The most effective and cheapest approach to identification is to use self-identification by locating the machine identity of the device the user is using and linking that to their claimed identity. This is because the manufacturers allocate unique identity numbers so they can identify them. This can be backed up by the IP address/location of the device if necessary.

An identity formed in this way has the advantage that it does not need any administration. It can be set up dynamically, reducing cost and complexity. What it does do is link a personal identity to a machine that is fixed. So the DRM controls use an identity issued by the DRM owner that need not be understood by the DRM engine itself. People don’t often give away their mobile or tablet or laptop, so the approach is reasonably reliable.

There are other schemes available for identification using a registered identity – bringing together a postal trading address, an individual’s identity and a bank or credit card reference and registering them in a publicly accessible registry. The commonest scheme used today is the Public Key Identity (PKI) scheme used in Secure Sockets Layer (SSL) – much favoured by Internet web sites but is relatively expensive to run and would not be attractive to private users. Also, it requires a lot of validation and management to make sure that the authorized identities link together and are valid, or the scheme falls to bits.

Identifying information publishers

Good DRM makes use of SSL as part of the process of secure conversations with authority servers to prevent attacks on data in transmission, protecting the confidentiality of information being transmitted and ensuring that the connection is valid. These do use PKI because it is appropriate server class technology and does not involve end users spending money to process DRM protected information.

Information publishers are effectively prevented from changing their identification because the licensing schemes bind the source of the information to the information publisher.

Preventing information being passed on

DRM technologies are used to prevent recipients from being able to pass on information that has been protected and stops them from being able to process it – see restricting and locking document access. This can be very helpful in proving protected data could only have been disclosed to authorized users and that it cannot have been sold on. CCPA states that “Consumers may bring a private right of action against Covered Businesses in connection with “certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information” if the Covered Business has failed to implement and maintain reasonable security measures to protect such information.”

The DRM approach is a simpler mechanism than trying to create a protection system that allows each authorized user of protected information from being able to grant that authority to someone new. The idea has been around a while but could become a nightmare under data protection regulations or potential patent litigation. It allows anyone to forward anything, which is not the plan of the regulators.

Stopping information being altered

DRM uses encryption to prevent unauthorised users from using protected information. This has the additional benefit of meaning that forgery and misrepresentation become very difficult indeed – something that does not appear to have been addressed by IT regulations even though they are part of the criminal law.

But encryption only goes so far. Once an authorized user has access to a document, DRM automatically prevents it from being modified since no edit functionality is made available. As the document publisher you can also decide whether to allow annotations or not (markups and notes).

Preventing use outside of authorized locations

When sharing data with trusted third parties it can be important to control the locations in which sensitive and confidential data can be viewed. This could be as broad as a country location or down to a specific office or building.

DRM can help enforce who sees information, from where and when, effectively controlling BYOD use.

Ceasing or revoking authorized access

DRM usually incorporates the ability to cease access to protected information – documents can be instantly revoked or revoked when a check with a licensing server has been scheduled. This can be a valuable facility where it is believed that an authorized user has been compromised or is behaving improperly.

It can be very difficult to cease access using domain level controls and it is impractical to try and recall documents that may have been synchronised to several devices unless this DRM control has been implemented.

DRM can also be used to enforce automatic document expiry once data has reached the end of its life and should no longer be kept.

Logging document use

When dealing with sensitive information it can be important to know who used it, whether it was printed, and what date/time the information was accessed. DRM can be used to retrieve and log all of this information for accountability purposes ensuring an accurate record is kept of access and use. See tracking and logging document use.

Locklizard – protecting data from unauthorized use and misuse

Locklizard is a specialist DRM provider working for over 15 years on developing and providing high quality document security products that prevent protected information from being passed on or being misrepresented. Safeguard PDF Security is a valuable tool that can be used to demonstrate compliance with regulation, and can be implemented today.

Personal information collectors and re-sellers still have to manage the administration and reporting requirements more recently introduced, but DRM technologies allow them to demonstrate that protected information cannot have been redistributed without their permission, and therefore they have taken adequate care of that information.