Rights Management and Digital Library Requirements
It is common to hear members of the digital library community debating the relative merits of the two most common rights expression languages (RELs) - the Open Digital Rights Language (ODRL) and the rights language developed for the Motion Picture Expert Group (MPEG) and recently adopted by the International Organization for Standardization [1] - and which is preferable for digital library systems. Such debates are, in my opinion, premature and should be postponed until this community has developed a clear set of requirements for rights management in its environment, including rights expression, the encoding of license terms, and file protection.
This article is intended to provoke discussion of those requirements, and it attempts to do so by illustrating aspects of the current developments in rights management that may be problematic for digital libraries. This does not mean that the digital library community will need to develop its own rights language and rights management solution, separate from the existing standards in this area. It means that at this moment in time we do not have sufficient information about our own rights management needs to evaluate any particular solution nor to negotiate for extensions to accommodate digital library functionality.
DRM Today
'Many content owners fear that digital works are easy to use, duplicate and distribute without authorization or compensation.' [2]
The sharing of millions of music files over the peer-to-peer network Napster has become a symbol of the failure of copyright law to protect digital files. The solution to the problem is often referred to as Digital Rights Management (DRM), although that term means different things to different people. It is used in this article to refer to the general concept of expression of terms of access and use, as well as the enforcement of those terms through technology.
Work on the technology of Digital Rights Management is taking place primarily in the area of commercial content. The most active areas of development currently are media and entertainment [3] and enterprise systems. Enterprise systems serve individual companies and institutions that have a need to control the flow of information within their boundaries, and to make sure that only approved files leave the protected network. Media and entertainment have a particularly difficult task because their environment requires developers to find a way to protect digital content that is distributed to consumer devices and to a potentially uncooperative user base. After the experience with peer-to-peer networks in which millions of consumers wilfully violated the copyrights of media companies, that sector is understandably wary of releasing its products in digital form to the general consumer. Both of these areas are of interest to developers because they appear to be economically viable: entertainment because consumers have proven a willingness to pay well for entertainment, at least when no free alternative is available; and enterprise systems because some companies have a strong stake in protecting trade secrets and market strategies in order to be successful. The media and entertainment solution will have the greatest effect on libraries, both as consumers of commercially produced information products and as distributors of resources to the general public.
The requirements of rights management systems are complex, but there are certain requirements that are key to understanding the direction that DRM is taking today. Underlying the systems that are envisioned in the media and entertainment area are the following basic requirements:
- to support electronic commerce of digital resources
- to provide end-to-end control over those resources
- to implement machine-actionable licenses
To understand how these requirements affect decisions about DRM development, we will look at them in greater detail in the sections that follow.
The E-Commerce Solution
'By "digital publishing", we mean the on-line sale and distribution of digital works.' [4]
The implications of an e-commerce solution are fairly easy to intuit: the product focus is current, commercially viable materials; the customer focus is individual consumers; costs can be recovered through volume sales or increased prices. It also isn't difficult to see that these differ from the main goals of libraries
Focus on Commercial Materials
Libraries do purchase and lend current commercially produced materials. But they represent only a portion of the content disseminated by libraries; depending upon the type of library and its user base, popular commercial content may not be the predominant material in a given library. A primarily commercial market solution may not take into account materials whose copyright has expired, materials issued in the public domain, (as in the case with some government documents), and materials of low commercial value. The media and publishing industries have little interest in public domain materials and low-profit materials since the revenue from them is limited. Although it may be possible to maintain public domain materials outside the trusted environment, it may also be convenient to treat them like other materials in terms of delivery systems and rendering software. An example from today's technology is the Microsoft Reader format. The Microsoft Reader software can only process and display materials in its .lit format. There are different degrees of protection which can be applied to files, but even with the least amount of protection there is no capability to print from the Microsoft Reader software. Public domain materials in .lit format receive this minimal protection even though the printing of such materials is permitted by law.
The Individual Consumer
The focus on the consumer as an individual affects a number of design decisions for digital content delivery systems. When ebooks were first introduced, they could only be purchased through online bookstores using a credit card, a model that works well for consumers but not for libraries. Fortunately, some ebook producers saw the value in creating a sales model for libraries, but there are publishers who choose to sell ebooks to individual consumers but will not sell those same titles to libraries. This is a major change from the analogue world, where libraries are able to purchase the same titles as consumers even though they may do so through different retail methods.
The individual consumer model also affects the design of rendering systems and devices. Current versions of Microsoft Reader and Adobe Acrobat Reader are commonly used on general-purpose computers for the display of ebooks. Both require that the computer be identified through a unique hardware-based certificate, either a Microsoft .NET Passport account (used by both Microsoft and Adobe for their products) or an Adobe DRM activation account. The nature of this activation indicates an assumption that each machine is used by only one person, who can be identified with an email account. This is not the correct model for institutions with machines that are available for public use.
The Cost of Rights Management
'DRM tools and systems of wide application comprise highly sophisticated technologies which in turn require enormous resources to develop, the kind of resources that, in practice, only very big enterprises can muster.' [5]
In Hollywood movies everyone is lovely, slender, healthy, and young. In Hollywood's version of DRM every digital resource is a highly desirable best-seller that must be protected at all costs - and there is no question that there are costs associated with the effective management of digital rights. First, there are costs to early research and development activities, including the specification and standards effort. Additional costs can be expected for the creation of rights-managed content and for the devices which will conform to the requirements of the DRM solution [6]. What is still unknown is how those costs will be paid. One theory is that media companies will recuperate the cost of DRM through the reduction of piracy. If that does not pay the rights management costs, however, companies will most likely pass the costs along to their customers.
Any added costs that DRM imposes on products is clearly an issue for libraries: when your services are provided for free you cannot pass such costs on to your users. It could be difficult for libraries to afford popular protected publications. But libraries, especially academic libraries, are often focused on less popular materials. Economic theory would imply that materials that are less affected by piracy, such as research materials, would also have to bear less of the cost of any rights management technology that is applied. This, however, posits a sales and delivery environment that distinguishes between popular and less popular works, and assumes that 'less technology' means less cost. In fact we see today that public domain works are being sold in digital format using the same technology as copyrighted works. These public domain works are inexpensive, but they are not free, and we can assume that at least some of the cost is added by the rights management environment that is common across all products delivered in that particular electronic format. In other words, DRM could add costs to all digital materials regardless of whether piracy is a problem, and not in proportion to the risk of piracy.
End-to-End Control: Trusting the System
'A maker of generic computer systems cannot guarantee that their platform will not be used to make unauthorized copies.' [7]
The primary goal of rights management in the commercial environment is easy to state although much harder actually to realise: the protection of digital resources from unauthorised use. What it actually takes to achieve this goal is quite complex. In the case of resources that will be distributed to individual consumers, there are a number of challenges, most having to do with the creation of a hardware, software, and network environment in which content producers can be sure that their products will not be susceptible to piracy. The main requirement for these systems is security, and the systems that will achieve the required level of security are referred to as 'trusted systems.' Mark Stefik, one of the early developers of the rights management concept, defined trusted systems in this way:
'Trusted systems vary in their hardware and software security arrangements, but in general, they automatically enforce terms and conditions under which digital works can be used - . Trusted systems differentiate between different uses such as making a digital copy, rendering a work on a screen, printing a work on a color printer, or extracting a portion of a work for inclusion in a new work. When asked to perform an operation not licensed by a work's specific terms and conditions, a trusted system refuses to carry it out.' [8]
Although the rights that can be expressed in such a system can vary from one implementation to another and even from one transaction to another, there are some goals that the trusted systems being developed today have in common, and often these are expressed as system requirements. Some key requirements are:
- Only a trusted device (hardware and/or software) will be able to render (display or play) the digital content for the consumer.
- The trusted device must only allow those actions that are explicitly granted by the rights license.
- The rights license is issued to an identified individual; the universe of 'all consumers' cannot be a license target.
Trusted Device
In all likelihood, trusted systems will arrive on the desktop in future versions of operating systems, and like all software upgrades will take some years before trusted systems are viable on a majority of machines. There will also be specific software needed to render protected content and some features will be built into consumer devices like handheld computers and telephones. This imposes a burden on consumers to purchase specific devices or obtain specific software in order to make use of protected content. As we have seen with the ebook market, this does not necessarily mean that there will be only one kind of device on the market. In fact, companies seek to differentiate themselves from their competitors by producing proprietary and branded solutions [9]. For libraries this means that each user may need content delivered in a specific format, and that each format may represent a separate purchase for the library. We have some experience with this today with the many ebook formats: Adobe PDF, Microsoft Reader, MobiPocket, and at least a dozen others [10]. This will have an increasing impact on libraries as more content is produced in digital form.
Explicit Granting of Rights
'A Permission that is not specified in any Rights Expressions is not granted. That is, no assumptions should be made with regard to Permissions if they are not explicitly mentioned in the ODRL expression.' [11]
' The rights for a digital work are explicitly listed. Any right not in the list is not granted.' [12]
The rule in rights languages rendering systems is that all rights that are permitted must be expressly granted in the machine-readable license. This rule reduces the burden on software and device developers because it means that they do not have to anticipate any uses that are not in the rights language, and that each right is, or should be, clearly defined in the terms of the license. While such a rule may be necessary for system development, it shifts the burden to the person or entity that is assigning the rights, with the effect that the more rights that one wishes to grant, the more effort it will take to define and assign the rights. While this burden should be mitigated by the rights assignment system, it still has unfortunate implications for open access and public domain materials. The rights license for a public domain item must specify every conceivable use of the resource, today and in the future, in order to make those uses possible. Explicit specification of every such right is clearly not possible, so the choice may have to be made between isolating these materials in their own distribution systems or giving up some rights in their regard.
The other aspect of the rule that all rights must be explicitly granted has to do with the longevity of protected digital content. Over time we can assume that new capabilities will arise in our computing environment. These capabilities will not, of course, be explicitly granted by machine-readable licenses created in the past. This has an impact on innovation in the creator community and an impact on the ability of libraries and archives to provide long-term access to digital materials.
Licensing to Individuals
The use of individual contracts as the controlling mechanism for distribution makes, to a degree, even more fundamental changes than the purchase method. One of the great differences between law and contracts is that law refers to a broad class of persons generally known as 'the public.' This is as true for copyright law as it is for the laws that govern real property, the use of the roads, or civil rights. Dissemination of intellectual works to the public is known as 'publishing.' Publishers of hard-copy materials have no idea who has purchased their products, much less who has actually made use of them through re-sale or borrowing. Even publishers of subscription materials, although they deliver to a named subscriber, are aware that their works are consumed by unnamed members of households, friends, and those sitting in dentists' waiting rooms. The change from public dissemination to individual license means it may require a special effort to make materials available for anonymous reading, if that is possible at all, and could put reader privacy at risk.
Developing Requirements for Rights Management in Libraries
Development of a full set of rights management requirements for libraries will be a considerable task, but it is one that must be undertaken, ideally before there is extensive use of DRM in the consumer area and definitely before digital libraries can make decisions about rights management for content that they disseminate. Efforts to define requirements may begin with general principles (e.g. 'must allow archival copy to be made'), but to be effective they need to be informed by the capabilities of technology and information about the digital content market. It is precisely because the needs of libraries are not identical to those of the media and entertainment industries, currently dominating development of this technology, that a clear and public statement of library requirements is vital. That does not guarantee that the needs of digital libraries will be met, of course. In spite of library participation in the DRM requirements for ebooks through the Open eBook Forum, the Forum has proposed (and will soon pass) a standard based on the MPEG21 rights expression language that does not include the right to lend ebooks [13].
What follows are some examples of requirements that might be in the rights management requirements list for digital libraries. A statement of requirements does not mean that the requirements will be met; it is at best a clarification of issues that have to be discussed as technology is developed. A requirements statement will inform design and makes explicit the inevitable compromises that will be required as the law and practices of the analogue world are adjusted for digital content distribution.
Copyright Law
'An REL is a type of policy authorization language where the focus of the language is on expressing and transferring rights (capabilities) from one party to another in an interoperable level.' [14]
'Trusted systems can also respect the type of fair-use provisions that currently apply to libraries and some other institutions - Members of the public with special needs -- librarians, researchers and teachers -- could receive licenses from an organization representing publishers that let them make a certain number of free or discounted copies of a work - .' [15]
DRM can be many things, but it is not a digital expression of copyright law. Rights management is invariably presented as a license rather than an expression of law, and thus as a specific agreement between named parties for particular, identified resources. Indeed, it is quite common for discussion papers and standards documents in the area of rights management to make no mention of copyright law.
Library and education institutions and their users rely heavily on copyright law, which permits liberal use of copyrighted materials for education, research, and personal use. These uses are not authorised by the copyright holder and no permission need be requested. Unlike the assumptions in the quote by Stefik above, one need not be associated with an institution nor be certified as having 'special needs' in order to engage in the personal and educational use that copyright law allows; the permissions in the law pertain to all members of the general public. Unfortunately, 'general public' is not an easy concept for rights management systems using the trusted computing platform.
A general requirement for libraries will be that any rights management must not eliminate public, educational, and library user rights that copyright law allows. There is no possibility of a true technological implementation of fair use/fair dealing; copyright law's exceptions are relative, subjective and contextual in nature, and cannot be reduced to an algorithm in a computing device. It does seem plausible, however, to require open and unlimited use within personal space, and liberal use within educational environments, if such environments can be defined for the purposes of rights management. The experience academic libraries have already of reasonable access controls and no limits on usage should be promoted as a viable rights paradigm for some categories of materials.
Access and Use
Digital libraries today are already disseminating materials to users. The difference between those systems and the ones being developed for media and entertainment products is that digital library systems control access to materials but the digital materials themselves are not generally usage-controlled [16]. Once a user obtains a resource, such as a journal article, the resource is not protected by software or hardware controls. This would not be an acceptable solution for some types of content, but it appears to work within the academic and research market. This would indicate that, even within a digital library, different materials may need different types of controls, such as greater control over 'popular' materials than over research materials. This may also mean that library users are not always able to exercise their legal right to make personal, unauthorised use of some protected materials. The key point, however, is that the most strict control of rights management should only be applied to those materials that absolutely need it. And this means that there may not be a single rights management solution that is appropriate to all materials.
Technology Independence
It would be quite disadvantageous to libraries for content to be disseminated in proprietary packages that require particular software and hardware, or that are accessed through proprietary services. This trend has already begun for digital materials, in part because the market conditions are such that the greatest commercial advantage is gained from proprietary solutions.
Library Systems Independence
It should be possible for libraries or library vendors to develop and manage their own DRM solutions for libraries. This can only be achieved if the basis for rights management systems are open standards. It should also be possible for libraries to use a single solution for the dissemination of all library materials, regardless of their commercial value or provenance. While this may be technically difficult to achieve, it should not be forbidden by law or by the marketplace.
Lending
It may seem obvious that libraries will want to be able to lend digital materials, but we already have evidence that this is a right that we will need to promote. Lending is not just for libraries; all members of the public have the right to lend materials in the analogue world, and should be able to lend digital materials as well. The primary goal of DRM being developed in the media and entertainment sector is sales, of course. Lending may be seen as a simple loss of revenue.
Low Cost
For the dissemination of digital content to be possible for libraries, for educational institutions and for government and various non-governmental not-for-profit organisations, costs of participation in a rights management technology must be kept relatively low. Solutions that satisfy the needs of a few large media companies will probably not take these less profitable sectors into account. In this area, libraries can form partnerships with other organisations, such as government and education, to seek solutions appropriate to their budgets.
Accountability
Creators of technology protection for digital content are understandably reluctant to reveal details of their solutions or to make them available to public scrutiny for fear of being 'hacked.' Libraries, as well as members of the public, have a right to know that there is accountability behind digital content products, to understand exactly what rights they have as users, and to have recourse if or when such technology fails.
Confidentiality
Confidentiality in libraries generally refers to the rights of library users to make use of the library and its materials without that use being revealed to others. In the area of licensing and rights management, confidentiality is primarily a security consideration that protects the digital resource [17]. We have seen tensions between the commercial marketplace's interest in consumer data and the public's desire for privacy; this same tension will be present in DRM systems, especially if they are designed only to confer license terms on individuals. Libraries must insist on providing a privacy barrier between their users and content providers.
The Long Term
With the rapid evolution of technology, few technology solutions last for more than a few short years. Digital archives already struggle with the prospect of keeping content usable over decades, and much of that is content in open formats and which is unprotected. There seems to be no hope that files with technology protections will be usable over the passage of time, given likely changes in technology, and perhaps even the demise of the companies that hold the keys to unlock the content. If we are to continue the archival function of libraries for digital materials, we will need exit strategies to release protected content either at the end of its copyright term, or so that new entities can take over the custodial function when previous interests decline to do so.
Conclusion
The question is not whether digital libraries will disseminate materials with rights management information and technological protection measures; the question is whether digital libraries will be able to perform basic library functions like lending, archiving, and protecting the confidentiality of their users of rights-managed content. It is unreasonable to expect that solutions designed by and for other communities will happen to satisfy the requirements of digital libraries. There are two areas where libraries can have an influence over rights management technology: one is at the point where libraries will interact with the resources of other communities, for example as consumers of digital publishing; the other is where digital libraries are taking on the role of disseminators of digital works. The latter is an area where digital libraries can craft and promulgate their own solution to the issue of rights management, either in the place of or as an extension of existing industry standards. Work that has already begun in electronic resource management [18] and archival metadata [19] [20] is important in defining the rights environment as viewed from the library and archive perspective. Already the work being done in those projects shows that the management of rights in digital libraries may have a very different character from the developments being fostered by media and entertainment.
References
- Information Technology - Multimedia Framework - Part 5: Rights Expression Language. ISO/IEC FDIS 21000-5:2003(E). ISO/IEC JTC 1/SC 29. 2003
- XrML: the Technology Standard for Trusted Systems in the eContent Marketplace. ContentGuard. (2002?), p. 2
- A Committee for Economic Development report defined 'digital piracy' as: ' - the theft of entertainment products in digital form from the Internet - '. Promoting Innovation in the on-line world: the problem of digital intellectual property. Washington, DC, CED, 2004. p. viii
- Stefik, Mark and Alex Silverman. 'The Bit and the Pendulum: Balancing the Interests of Stakeholders in Digital Publishing'. 1997. p.2 http://www.xrml.org/reference/Pendulum97Jul29.pdf
- Digital Rights Management: Missing Links in the Broadband Value Chain. Broadband Stakeholder Group. July, 2003. p. 5 http://www.broadbanduk.org/reports/report03_appendix3.pdf
- Rosenblatt, Bill. 'Paying for DRM.' July 4, 2003 http://www.drmwatch.com/resources/whitepapers/article.php/3111851
- System For Controlling The Distribution And Use Of Digital Works Having Attached Usage Rights Where The Usage Rights Are Defined By A Usage Rights Grammar. U. S. Patent number 5,715,403. Feb. 3, 1998. p. 13
- Stefik and Silverman. 'The Bit and the Pendulum.' p. 2
- Coyle, Karen. 'Stakeholders and Standards in the Ebook Economy: or It's the Economics, Stupid!' Library Hi Tech, v. 19, n. 4, 2001. pp. 314-324
- Two sites that list current ebook reading and creation software are:
e-books.org http://e-books.org/software.htm and ebook news http://www.ebooknews.org/ - Open Digital Rights Language (ODRL), Version: 1.1, 2002-08-08. p. 9 http://odrl.net/1.1/ODRL-11.pdf and http://w3.org/TR/odrl/
- XrML: Extensible rights Markup Language, version 1.3, June 23, 2000. ContentGuard. p. 29
- Open eBook Forum http://www.openebook.org The OeBF extensions to the MPEG21 rights language are currently only available to OeBF members, but will be posted in the public area of the Web site once passed by the membership.
- LaMacchia, Brian. 'Key Challenges in DRM: An Industry Perspective.' Published in: Proceedings of the 2002 ACM Workshop on Digital Rights Management, J. Feigenbaum, ed., Lecture Notes in Computer Science 2696, Springer-Verlag, NY (2003). Also available at http://www.farcaster.com/papers/drm2002/index.htm
- Stefik, Mark. 'Trusted Systems.' Scientific American, March, 1997. p. 81
- Coyle, Karen. 'Rights Expression Languages: A Report for the Library of Congress.' February, 2004. http://www.loc.gov/standards/Coylereport_final1single.pdf p. 17
- However, for a view of individual confidentiality and privacy in rights language that is closer to the concerns of the library community, see the work of the OASIS Technical Committee on the eXtensible Access Control Markup Language
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml - The Digital Library Federation's Electronic Resource Management Initiative (ERMI), http://www.diglib.org/standards/dlf-erm02.htm
- The Metadata Coding & Transmission Standard (METS) http://www.loc.gov/standards/mets/
and the METS Rights schema
http://www.loc.gov/standards/rights/METSRights.xsd - RoMEO Rights Metadata for Open Archiving http://www.lboro.ac.uk/departments/ls/disresearch/romeo/
Editor's note: Karen produced a white paper [16] for the Library of Congress in February of this year. Her report uses four rights languages (CreativeCommons, METSRights, Open Digital Rights Language, and the MPEG21/Part5) to develop a taxonomy of purposes of RELs and to explore how they approach the goals she terms as "Copyright, Contract and Control."