
1.1 Definitions

1.1.1 Digital Rights Management

The term Digital Rights Management (DRM) has been defined by various parties on many occasions. To better elaborate on the variety of DRM definitions, sample definitions from different disciplines are presented as follows:

Cambridge Business English Dictionary (2015) defines DRM as “the way that a company controls how users pay for music, films, books, etc. that are available on the Internet or on electronic equipment in a digital form.”

Rosenblatt et al. (2001) referred to DRM as “a set of business models and technologies that enable you to protect and profit from your text, image, music, or video content in today’s digital world.”

Open Mobile Alliance (2011) refers to the scope of DRM (OMA DRM 2011) as “to enable the distribution and consumption of digital content in a controlled manner. The content is distributed and consumed on authenticated devices per the usage rights expressed by the content owners.”

Microsoft (2015) refers to DRM as “technology that content owners can use to protect digital media files by encrypting them with a key (a piece of data that locks and unlocks the content).”

The author tends to agree more with the DRM definition from Rosenblatt et al. (2001).

DRM does utilize a set of technologies, such as encryption. However, all the technologies serve DRM as tools to realize the business models that DRM was designed to enable. Therefore, as an enabler of new business models for the content industry, DRM has more than just the technology perspective, such as business and legal perspectives. The different perspectives of DRM are discussed in Section 1.2.

On the other hand, the author of this dissertation does not want to limit the scope of DRM to a fixed set of content as Rosenblatt et al. (2001) do. The Internet Assigned Numbers Authority (IANA 2016) categorizes digital content according to media types, such as application, audio, example, image, message, model, multipart, text, and video. New types of digital content are emerging all the time, e.g. virtual reality content. DRM should apply to any digital content that needs to be distributed and consumed in a controlled manner. DRM should act as a bridge between rights holders of the digital content and consumers in digital marketing.

DRM differs from traditional access control. Park and Sandhu (2002) point out that traditional access control and trust management focused on the control of access primarily on server-side objects, while DRM embraces client-side objects, as content needs to be distributed and consumed on the client side. Moreover, DRM governs the consumption of the content and not necessarily the access rights of the encrypted file, e.g. whether the encrypted content file is read-only or not. Jamkhedkar et al. (2010) have discussed in depth the differences between access control, usage control, and DRM. According to them, access control manages the controlled access to resources. Usage control is a combination of usage rules and access control. They claim that DRM includes content management, license management, the specification of usage rules, and a simplified subset of access control. In Figure 1, Jamkhedkar et al. (2010) summarize the relationships among DRM, access control, and usage control.

The functional architecture of a generic DRM system is presented in Figure 2 (Lu 2007). The typical roles of different entities in a DRM system are enumerated below:

Billing Service Provider provides services that rights issuers use to charge the end users for the usage rights of the selected content.

Content Issuer is the authorized entity that creates protected content and distributes it to DRM agents.

Content Encryption Key (CEK) is the binary data used by content issuers to encrypt the original content; it is later delivered as part of a rights object from rights issuers to DRM agents.

Content Provider is the rights holder of the digital content.

DRM agent is a trusted entity that enforces usage rights and controls access to DRM content on the client side.

End User is the entity who consumes the protected content on a client-side application integrated with a DRM agent.

Protected Content is the encrypted content that can be distributed safely through public channels to the DRM agent the end user prefers, and it cannot be decrypted without the content encryption key.

Rights Issuer is the authorized entity that issues and distributes rights objects to DRM agents.

Rights Object is the binary that holds the usage rules purchased by the user and the content encryption key which is required to consume protected content.

Figure 2. Functional architecture of a generic DRM system (Lu 2007)

Based on the reference architecture illustrated in Figure 2, once copyrighted content is created by a content provider, the content is then encrypted by a content issuer with a CEK and made ready for store publishing and distribution to users.

Meanwhile, the rights issuer can pack a variety of usage rules as well as the CEK into rights objects ready for users to purchase. On the user’s side, if a user decides to purchase any rights of the content through a client-side application, the integrated DRM agent of the application on the user’s device will trigger a purchase request to a billing service. After a successful transaction, the rights issuer will deliver the rights object to the DRM agent. The encrypted content can be delivered either with the rights object or separately. The user can then use the application integrated with the DRM agent to render and consume the encrypted content. The rights object will be governed by the DRM agent.
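
The flow described above (content issuer, rights issuer, DRM agent) can be sketched as follows. This is an added example, not code from the dissertation or from any DRM product. The class names, the `max_plays` rule, the HMAC key shared between rights issuer and agent, and the toy keystream cipher are all assumptions made for illustration; the billing step is omitted.

```python
import hashlib, hmac, json, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream); a stand-in for a real AEAD such as AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ContentIssuer:
    def protect(self, content: bytes, cek: bytes) -> dict:
        # Protected content is safe to ship over public channels without the CEK.
        nonce = os.urandom(16)
        return {"nonce": nonce, "ciphertext": xor_stream(cek, nonce, content)}

class RightsIssuer:
    def __init__(self, issuer_key: bytes):
        self.issuer_key = issuer_key  # assumption: key shared with the DRM agent
    def issue(self, content_id: str, cek: bytes, max_plays: int) -> dict:
        # Rights object = usage rules + CEK. Simplification: the CEK travels in
        # the clear here; a deployed scheme would wrap it to the agent's key.
        body = json.dumps({"content_id": content_id, "cek": cek.hex(),
                           "max_plays": max_plays}, sort_keys=True)
        tag = hmac.new(self.issuer_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

class DRMAgent:
    def __init__(self, issuer_key: bytes):
        self.issuer_key = issuer_key
        self.plays = {}  # consumption state lives on the client side
    def render(self, rights_object: dict, protected: dict) -> bytes:
        body = rights_object["body"]
        want = hmac.new(self.issuer_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rights_object["tag"]):
            raise PermissionError("rights object failed integrity check")
        rules = json.loads(body)
        used = self.plays.get(rules["content_id"], 0)
        if used >= rules["max_plays"]:
            raise PermissionError("usage rights exhausted")
        self.plays[rules["content_id"]] = used + 1
        cek = bytes.fromhex(rules["cek"])
        return xor_stream(cek, protected["nonce"], protected["ciphertext"])

if __name__ == "__main__":
    key, cek = os.urandom(32), os.urandom(32)
    item = ContentIssuer().protect(b"constructed sample media", cek)
    ro = RightsIssuer(key).issue("track-1", cek, max_plays=1)
    print(DRMAgent(key).render(ro, item))
```

The agent refuses a second `render` call for the same rights object even though the ciphertext and CEK are unchanged, which is the distinction from file-level access control drawn earlier: the decision is about consumption, and it is enforced on the client.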