Cloak, No Dagger

This month, I’m talking about a controversial subject, the ephemeral rights-management chimera composed of equal parts copy control, cryptography and steganography (hiding information within apparent information). Each is distinct but part of a virtual wrapper, swaddling the content and protecting the content holder from loss of sales revenues. When implemented well, DRM, or digital rights management, is effective when out of sight. When botched, it’s intrusive at best, and a product killer at worst.

Though the underlying technology of DRM is complex and multifaceted, the basic concept of copy control is familiar: lock it up and control who gets the keys. This premise revolves around trusted systems, because once a digital asset leaves the content creator’s hands, it is open to a variety of “attacks,” which can destroy the entire concept of controlling the product and, hopefully, profiting from it.

The basis for authentication of most trusted systems is itself a trusted mechanism, typically the public/private key-encryption standard first commercialized in 1977 by RSA Security and commonly used throughout modern e-commerce and banking. RSA’s standard, to quote its tech notes, “…describes a method for implementing [a] Diffie-Hellman key agreement, whereby two parties, without any prior arrangements, can agree upon a secret key that is known only to them and, in particular, is not known to an eavesdropper listening to the dialog by which the parties agree on the key. This secret key can then be used, for example, to encrypt further communications between the parties. The intended application of this standard is in protocols for establishing secure connections, such as those proposed for OSI’s transport and network layers.” The SSL, or Secure Sockets Layer, Web protocol is a common use of public key encryption. If you look in your browser (Win IE5.5: Tools, Internet Options, Content, Certificates; Mac IE5.1: Preferences, Security), then you’ll find public key certificates from Thawte, Verisign and many other certificate service providers that sell digital authentication. These certificates, used as part of verification requests to unlock or access information, are used to ensure that the responding entity matches the “real” brick-and-mortar version and is not being spoofed or sidetracked.

Attacks on protected data can take various forms, from sophisticated to simple. With serious computing power or a great deal of time, highly motivated individuals can usually overcome most encryption schemes; the basic premise of most trusted systems is that a reasonable amount of protection is afforded against the time and energy of a casual attacker. However, once an asset is in the analog domain, copying is simplicity itself and circumvents all digital controls.


For those instances when controls may have been avoided, as in an analog copy, there’s always watermarking. Watermarking is a form of steganography, the science of data hiding. Its development began in ancient times, and the idea of steganography is to hide information rather than encrypt it. The classic “Paul is dead…” backward-masking message on Beatles records is a good example of information “in plain sight,” but not readily apparent to the average listener. Digital implementations of watermarking for audio and video provide a low-bandwidth data channel to any receiver designed to “understand” the hidden message, typically information about the content holder and the date and recipient of an individual copy. This allows the source of pirated material, even via analog copying, to be traced back to the offender in the event of legal proceedings.
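To make the "low-bandwidth channel" concrete, here is an added sketch (not from the original column, and not the DVD-Audio or any vendor's scheme) of a spread-spectrum forensic watermark that hides a 16-bit recipient ID in audio samples and recovers it after a simulated analog copy. The chip length, embedding strength, test tone and degradation model are all assumed values.

```python
import math
import random

CHIPS = 4096  # samples spread per payload bit (assumed value)
ALPHA = 300   # embedding strength in 16-bit sample units (assumed value)
BITS = 16     # payload width: one recipient ID

def chips(key: bytes):
    """Secret +/-1 pseudo-noise sequence; only the key holder can regenerate it."""
    rng = random.Random(key)  # not a CSPRNG; stand-in for a keyed generator
    return [1 if rng.getrandbits(1) else -1 for _ in range(CHIPS * BITS)]

def embed(samples, recipient_id: int, key: bytes):
    """Add each payload bit as +/-ALPHA times the secret sequence.
    Expects at least CHIPS * BITS samples."""
    pn = chips(key)
    out = list(samples)
    for i in range(CHIPS * BITS):
        bit = (recipient_id >> (BITS - 1 - i // CHIPS)) & 1
        out[i] += ALPHA * (1 if bit else -1) * pn[i]
    return out

def extract(samples, key: bytes) -> int:
    """Correlate against the secret sequence: the host audio averages out,
    the mark adds up, and the sign of each sum is one payload bit."""
    pn = chips(key)
    rid = 0
    for b in range(BITS):
        corr = sum(samples[i] * pn[i] for i in range(b * CHIPS, (b + 1) * CHIPS))
        rid = (rid << 1) | (1 if corr > 0 else 0)
    return rid

def analog_copy(samples, seed=1):
    """Constructed degradation: gain loss, additive noise, requantization."""
    rng = random.Random(seed)
    return [round(0.8 * s + rng.gauss(0, 500)) for s in samples]

def host_tone(n=CHIPS * BITS):
    """Constructed host signal: 440 Hz tone at 44.1 kHz, amplitude 3000."""
    return [round(3000 * math.sin(2 * math.pi * 440 * i / 44100)) for i in range(n)]

if __name__ == "__main__":
    key = b"label-secret"  # hypothetical watermark key
    marked = embed(host_tone(), 0xBEEF, key)
    print(hex(extract(analog_copy(marked), key)))
```

The payload survives the gain change and noise because detection depends only on the sign of a long correlation, which is also why the channel is slow: this sketch spends 4,096 samples on every bit.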

The DVD-Audio standard includes the use of watermarking. Some DVD-Audio titles, especially those from Warner Music, have been watermarked prior to MLP encoding. One senior record label executive allegedly said during the brouhaha surrounding the first DVD-A watermark listening tests, “Sooner or later, any encryption system can be broken. We need watermarking technologies to tell us who did it.” Unfortunately, the license to use the sanctioned DVD-A watermarking mechanism is prohibitively expensive. Along with questions about survivability, audibility and resultant degradation of quality, the cost keeps most smaller record labels from using the watermarking technique.

Another, perhaps better, use for watermarking, part of a holistic approach to managing content rather than just locking it up, is monitoring the deployment and usage of an asset. Verance, the licensor of the 4C-approved watermarking mechanism for DVD-A, offers broadcasters ConfirMedia, a complete package that allows music to be tagged prior to transmission and monitored after it’s been broadcast. ConfirMedia can “accurately monitor and track television and radio commercials, music, programs and program promos whenever and wherever they air…[and you] receive reliable, detailed broadcast detection reports the very next day. Plus, [its] free software-based encoding process is simple to use and will not interfere with the sound quality of your final audio mix.” If you live in one of the top 100 U.S. media markets, as I do, then perhaps your fave FM station is watermarking its feed.

Many times, you implicitly trust the party at the other end of a transaction and need only “harden” the transport mechanism itself. There are several solutions to that problem, from basic file-transport programs such as SFTP (secure FTP) to complete turnkey systems from vendors like WAM!NET. Warner Music, along with Vivendi Universal and others, uses WAM!NET’s Optical Media Solution to move files from one remote point to another during its production process.

Speaking of complete B2B (Business-to-Business) packages, the solution offered by DMOD, a vendor of media access-control products, “packages” all content on-the-fly for each individual recipient and every transaction. This individualized wrapping means that even if one recipient breaks the key and compromises a file, other recipients cannot gain access, unlike what happened with the CSS encryption standard used in the DVD-Video format. Other DRM vendors use, as DMOD says, “…a pre-packaged digital rights-management model, where the content is encrypted once for every recipient, and access is controlled through a license server.” One of those other DRM vendors, WebWare, offers complete Web-based management products that integrate all stages of production and delivery to the end-user.
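The per-recipient wrapping idea can be shown in a few lines. This is an added illustration, not DMOD's product or code from the original column: each package gets its own key derived per recipient and per transaction, so a key leaked by one recipient opens only that recipient's copy. The recipient names and sample content are constructed, and the HMAC-based keystream is a stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os

def derive_key(master: bytes, recipient: str, txn: bytes) -> bytes:
    """Unique key per recipient and transaction (HMAC-SHA256 as the KDF)."""
    info = b"pkg|" + recipient.encode() + b"|" + txn
    return hmac.new(master, info, hashlib.sha256).digest()

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Use a vetted AEAD in production.
    blocks = (hmac.new(key, b"enc" + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def package(content: bytes, key: bytes) -> bytes:
    """Encrypt, then prepend a 32-byte integrity tag."""
    ct = bytes(a ^ b for a, b in zip(content, keystream(key, len(content))))
    tag = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    return tag + ct

def open_package(pkg: bytes, key: bytes):
    """Return the content, or None when the key does not match the package."""
    tag, ct = pkg[:32], pkg[32:]
    expect = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key or altered package
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

def demo():
    master = os.urandom(32)  # held only by the packaging server
    content = b"constructed sample: track 01, 24-bit master"
    keys, pkgs = {}, {}
    for rid in ("studio-a", "studio-b"):  # hypothetical recipients
        keys[rid] = derive_key(master, rid, os.urandom(16))
        pkgs[rid] = package(content, keys[rid])
    return content, keys, pkgs

if __name__ == "__main__":
    content, keys, pkgs = demo()
    leaked = keys["studio-a"]  # suppose this one key escapes
    print(open_package(pkgs["studio-a"], leaked) == content)
    print(open_package(pkgs["studio-b"], leaked))
```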


An interesting event in the DRM space occurred last December, when Microsoft was awarded a patent for what the company describes as a “digital rights-management operating system.” The patent appears to deal specifically with antipiracy technology as an integrated part of its operating system, which brings us to what is often the weak link in the whole rights-management chain: the consumer. The B2C (Business-to-Consumer) market, what we think of as distribution, tends to be conceptually different from content creation. DRM has seen very little success in that marketplace, but that doesn’t seem to have discouraged certain special-interest groups such as SDMI and 4C.

Okay, so what examples are there of a successful approach to end-user DRM? Actually, I can’t think of one — our industry’s track record has been ridiculous! Also, no new distribution format has gone live that builds DRM in at the start. DataPlay’s fundamental concept — start with a proprietary medium and wed it to recorders that always include imbedded DRM — is sound. They’ve also worked hard to garner buy-in from the majors, which should allow pre-recorded, read-only discs to appear at the product rollout without worries of piracy. Rights management must be a cradle-to-grave approach for the content, or all bets are off. There are too many potential attack methods for a step-by-step protocol to work. Unfortunately, it’s the pioneers who often get the arrows in their backs, while the second or third wave of settlers reap the full rewards of this new endeavor. Old-school pioneers, like A2B and Liquid Audio, have found that revenues don’t cover the cost of purchasing infrastructure while buying mind share in both business alliances and consumer confidence. And, because traditional distribution channels have amortized these factors long ago, they continue to serve the public just fine.

As an example of a poorly conceived and executed end-user DRM solution, what better than the SDMI, the Secure Digital Music Initiative? Pah-leeze…How about pay-for-play downloadable music? If any of you out there have actually spent more than $10 on music downloads, please write and tell me what the value is to you. While not approving of wholesale trading via P2P or other mechanisms, I do download a good deal of noncommercial, no-cost music to explore new material that I probably would have missed out on; it helps me make informed decisions at my local record store. But I can’t, for the life of me, figure out why any adult would sign up for a service like Pressplay or MusicNet. What they were thinking of when they dreamed up their tariff schedules is beyond me. The only pay-for-play content schemes that I see making sense are rich-media channels delivering either time-critical business intelligence or fetish entertainment, whether it be cooking, sex or sports. But audio-only stuff? I think not. There are too many alternative distribution channels, thank the Gods, and I’m certainly happy with those prior offerings in optical, downloadable and streaming channels.

OMas looks forward to fall colors and this month’s Linux World Conference and Expo here in the Pueblo by the Bay. The digital assets for this column, all 49 of them, were managed while under the influence of The Swimming Hour from Andrew Bird and his Bowl of Fire, along with the classic strains of Rudy Van Gelder’s reissue of Lee Morgan’s The Sidewinder. Links and other useful info relating to “Bitstream” August are hanging out for your perusal