eBook DRM and unDRM

14 Feb 2013 in Technology / ePublishing on Epub3, Drm

A couple of days ago (on my birthday, no less!) I had the honour of moderating a session at the inaugural W3C and IDPF workshop on eBooks and the Open Web Platform, “eBooks: Great Expectations for Web Standards.” Due to a little something I wrote a while ago, I was asked to provide a position paper to the conference which naturally I was quite happy to do. One thing led to another, and there I was on Tuesday in New York, talking about DRM technology in a workshop hosted by O’Reilly, one of the most ardently anti-DRM companies you might name.

…not exactly a situation I’d anticipated when I started this job, certainly.

I decided to focus on the technology components behind such a system and the relevant standards, including their adoption and how user benefits can be built from the same components traditionally used to implement restrictions. I think, from discussions which took place later on, that I was broadly successful in achieving my aims; time will tell, I’m sure, if that impression is correct.

The slides and notes from my presentation are available from the W3C; here I’ll go into some more detail on the topics I covered and some of the other output from the session. You can also find minutes from both days of the conference from the workshop’s agenda page– here are direct links from day one and from day two.

All in all, it was fantastic to be involved, and I’m extremely thankful to the chairs and hosts for letting me be a part of it.

DRM System Components

There are four primary components in any DRM system:

1. User authentication.
2. Device (reading system) authentication.
3. Content Authentication.
4. Action authorization.

These really boil down to two concepts, both of which will be familiar to anyone working in the realm of security software: authentication and authorization. These two terms are often used interchangeably, much to the chagrin of seasoned security developers. In actuality, they represent two distinct yet interconnected operations:

• Authentication determines an identity, and proves that this identity correctly represents an actor.
• Authorization determines whether a particular action may be undertaken by an actor.

Typically an authentication step will precede any authorization; it is only with the identity obtained through authentication that any authority to perform a task can be determined.

Authentication

Authentication provides a guaranteed identity to the software. As such, it is a vital component of any sort of rights-management or capability-management software. Its use in DRM schemes (and in purchasing schemes, social connectivity, and so on) is to ascertain the identity of either a purchaser or a user. Collectively we might simply say a consumer.

In DRM as applied to store-fronts and paid content, the aim is to recognise a purchaser. The prime aim of DRM in the eBook market (really, in any market) is simply to ensure that no ‘shoplifting’ occurs: If content is only made available for sale (on any basis), has that sale been completed? A secondary aim is to identify Bad Actors— people who go beyond whatever rights they might have in the content that they’ve purchased, for instance by making additional copies for the purpose of further dissemination (i.e. breaking copyright law).

A lot of DRM schemes try to surpass these two aims by attempting to provide an impassable technological barrier to such copying. This is what leads to the general disdain of the technology, as it attempts to step beyond the bounds of the relevant laws; instead the producers of content should be prepared to exercise the rights these laws have given them, and go no further. This becomes especially important when you consider the different laws in different countries: the USA has ‘fair use’ exemptions to copyright laws which allow for things like excerpts and parodies, while Canada’s copyright laws explicitly enshrine a consumer’s right to make copies of any work for personal use. Everywhere that copyrights exist, however, there is a clear understanding that reproduction for dissemination (particularly for-profit dissemination) is Wrong, and the fact that technology may be able to prevent such actions should not be an excuse to ignore the standard legal channels, however tempting it might seem.

Another identity commonly ascertained for use in DRM is that of the device or software that comprises the reading system itself. This is rarely if ever used for anything other than laying down restrictions on the actions a purchaser might take– typically by attempting to limit the number of devices on which content may be viewed. This information can instead be put to much better use, as we will see a little later.

The last remaining identity you would want to have is that of the content being viewed. For a number of reasons it is useful to be able to determine when that content has been modified from its original form, and whether such modifications were permitted. This is usually implemented by creating a digital signature for a given item which can later be validated. With the addition of X.509 digital certificates the identity of the signing authority can also be ascertained, thus providing guidance on whether such modifications were made by an authorized party such as the copyright holder, distributor, or vendor, or whether by an unauthorized actor attempting to strip identifying marks.

Watermarks

Digital watermarking, also called fingerprinting or sometimes social DRM, offers another, simpler way to work with the concept of identity as applied to the sale or licensing of copyrighted works. In effect, a product is given a hidden fingerprint corresponding to a particular consumer, and thus if that content is found to be disseminated without permission later then the copyright owner will be able to trace it back to its source. This forms the core of the system used by Benetech and outlined by Gerardo Capiel in his presentation at the W3C workshop this week, and is used by Pottermore on the eBook editions of all the Harry Potter books.

With a watermarking system, the consumer is not restricted from doing anything beyond the limitations of a license, copyright, or purchase agreement. No technology steps in to prevent any action which they might take at any point. Instead it leaves the policing of such details up to the copyright holders, who are able to search for unlicensed copying online as is anyone else, but now have the ability to contact the point of origin and determine whether any further action is warranted. As it turns out, copyright violations have been few and far between, as pointed out by Gerardo Capiel:

With 1.3 million downloads of ebooks per year using the social DRM scheme (fingerprinting only, no digital locks), we see about 10 instances of unauthorized copies available on the web, and almost all of those still have the name of our user in plain text in the file.

Authorization

Authorization is normally provided on an action-by-action basis, although it should naturally be a guiding principle of reading system design that each authorization does not necessitate corresponding user input. When considering authorizations it is usually the copyright holder and the vendor that impose any requirements or restrictions. In the interest of not driving away your audience entirely, it is highly recommended that any authorizable actions are kept to a minimum, with any others considered implicitly authorized.

Common actions which would depend on authorization would include:

• Read Content – actually opening an eBook and displaying its contents.
• Excerpt or Share – copying ranges of text for dissemination as permitted under Fair Use rules or similar.
• Download Again – fetching content from a central repository more than once, whether from a new device or to obtain updates to the content itself.
• Loans – whether by a library or by an individual.

Book-lending is a key element in the discoverability of new content. I myself would likely not have read anything by Harry Harrison had I not been lent a copy of Bill, the Galactic Hero by a high-school friend some twenty years ago. Identity and authorization techniques can be used to monitor (and to expressly permit) the sharing of content between individuals.

Libraries would also make use of authorization, as they do today: a member of a library may take any book and read it at their leisure during a period decided upon by the library in agreement with the copyright holders. At the end of that period a reader would return the book to the library or can frequently choose to extend the term of the loan– which may or may not be permitted based on the library’s own policies or requests for the book from other library members.

Authorization and identity technology can be put to similar use here– an individual can obtain an eBook whose ‘read’ authorization is limited to a certain period, which is then enforced by their reading system. The user might obtain a new copy from the library if they choose to extend the loan, and the library can keep track (or keep control) of the number of on-loan copies of an individual item. Additionally, a loaned copy may lack certain affordances common to purchased copies of a book, such as the ability to make notes or highlights inline within the book (cf. the work of the Open Annotation Community Group at the W3C). While the imposition of restrictions on content is not to be much encouraged, the fact that an item is considered loaned rather than owned should count for some difference as it does for printed works today.

One important fact to consider when devising a standard means of identifying and differentiating loaned content is that it is unduly burdensome to define a for-loan and a for-purchase eBook as two separate items. Instead, the publisher should be able to produce a single eBook, with libraries being able to encode the details of a loan agreement into the content afterward in a way which does not break other forms of content protection. Modifications of content for library-added watermarking might be re-signed using a certificate which identifies the library, thus keeping the content identity well-known and verifiable.

Denying Authorization

When it comes to a failed authorization we have a single, well-known solution: encryption. The act of authorization or authentication may result in the production of an encryption key (or a key-encryption key), or it may be separate. I would recommend that authentication be used to produce a key-encryption key, with a lack of authentication simply leading to an incorrect key and thus unreadable data.

Identities

There are four identities which pertain to the consumption of eBooks:

1. The consumer– the person reading right now.
2. The purchaser– this may or may not be the same as 1.
3. The reading system– the software and/or hardware being used to access content.
4. The content itself– to ascertain whether modifications have been made; if unlicensed dissemination has taken place, any attempt to modify the source may be a strong indicator of intent, whether good or bad.

These are used to a greater or lesser extent by the three primary categories of DRM:

Social DRM/Watermarking

This format usually cares only about identifying the purchaser (or perhaps licensee) of the content. Being able to validate the identity of the content here would also be useful, to better detect whether watermarks have been removed (or whether someone has tried to remove them).

Lightweight Content Protection

So-called ‘light’ DRM again doesn’t attempt to use technology to enforce copyrights beyond that enshrined in the relevant local laws. It may use encryption to protect content, but it likely doesn’t care about the reading system, nor meter all of a user’s actions. Instead it will direct its efforts towards the identities of the consumer and the purchaser, thus determining whether they are one and the same, or that they are at least close enough that the consumer is able to provide some identifying information of the purchaser. Barnes & Noble’s pass-hash authentication system makes use of this, tying the content access to a purchaser’s account including their credit card details. The idea here is that someone is unlikely to give their credit card information to a friend, so anyone able to provide that information is accessing the content under the applicable Fair Use rules.

Strong DRM

String DRM wants to know about everything, all the time. At this level, you’re likely prohibited from accessing content on more than a limited number of devices, so the identity of the device itself comes into play. Additionally, if access is being tightly tied to physical devices and metered out by a central authority, it is highly likely that other actions are being similarly policed, whether excerpting via copy & paste, quoting through social services, and more. Many such systems, utilizing as they must a central repository of access rights information, have the ability to cut off access to content as easily as they grant it.

Technology Standards

There are a number of standards which will provide the foundations of the technology outlined above. The ePub container format in fact already specifies the use of the W3C’s XML Encryption and XML Digital Signature standards to encode such information into an eBook. Both of these specifications refer to mature technology which has easily-accessible implementations in a number of different languages. They both interoperate with the X.509 Certificates defined in IETF RFC 2459, which can be used to create and validate secure digital identities.

When it comes to enumerating rights, the eBook industry is currently dominated by proprietary technology. The most widely-adopted is that used by the Adobe Content Server product, which implements a strong DRM mechanism governed by a central server. Each eBook vendor will also very likely have their own schemes, as well.

An industry-standard alternative might be found in the Open Rights Definition Language (ODRL). While that standard is broad, it can be adapted to suit specific requirements as shown by the IPTC’s RightsML effort.

The IDPF, meanwhile, has some thoughts on the subject, but at present is not taking a definitive stance.

There is, at present, no viable open standard discussing the encoding of authentication information beyond some form of X.509 signature or the use of X.509 public-key cryptography.

There is an opportunity here to encourage the adoption of a less-restrictive means of ensuring the protection of copyright and of content sales. After all, as I mentioned earlier, the prime aim is to ensure that if something has a price, that the price was indeed paid. We can ensure that a rights-description mechanism exists and that an authentication-description mechanism exists, and everyone in the publishing community ought to come forward to work with the W3C and the IDPF to see that their needs are fulfilled as we move forward.

UnDRM

I started my talk on Tuesday with the following quote from Cory Doctorow

DRM is not a selling point. There’s no one who’s ever bought a book because it had DRM.

The point here is that, if the technology described above is implemented in order to help police potential copyright violations, what else can it be used for? If a reading system has access to information on identity, and has the means to authenticate that identity, how can that information be used for the benefit of the end user?

Buy Once, Sync Anywhere

Oliver Brooks of Valobox on Tuesday outlined a system whereby a user’s purchases from one content vendor might be understood and recognized by another. You can find the slides from his talk here.

By being aware of and able to validate the identities of both the purchaser and the content, it becomes possible to prove that a given user has purchased the rights to a given digital work. With that information in hand, then, it should be possible to take this proof-of-purchase to any possible fulfillment center to obtain copies of the work. This is in fact similar to the way in which the UltraViolet system operates, with the exception that UltraViolet makes use of a centralized ‘rights locker’ while Valobox’s would be entirely distributed (and thus more analogous to producing a receipt or other proof-of-purchase).

UltraViolet originally intended to use a distributed system but moved to a centralized approach when difficulties arose with that approach. Perhaps the W3C and the publishing industry can together find a way to solve these problems and give us a free-to-implement distributed proof-of-purchase verification system in the future.

Identities and Capabilities

Where identities are concerned, one of the simplest to make use of is that of a device or reading system. Perhaps any standardized infrastructure we create to provide a system’s identity could also carry information about a system’s capabilities, which can then be used in a number of different ways. This is a topic raised by Hachette Book Group’s Dave Cramer in his presentation on Monday.

One example would be as a parameter for publication manifestations listed in an OCX file. With this, a comics vendor might provide a high-quality, scalable SVG manifestation of a work as the default, while also providing alternatives based on device capabilities. For instance, for eInk-based readers an 8-bit grayscale manifestation might be provided, consisting of grayscale images hand-tuned for best presentation in this format. They might also have a non-SVG manifestation using 32-bit colour images for devices with little processing power with which to draw complex SVG documents.

Device capabilities and identities can be exposed to JavaScripts, or to processing via CSS @-rules. A script which normally performs some animation might choose to operate differently on a device with a slow eInk screen, and coloured links might be eschewed in favour of underlines or other text decorations on grayscale screens.

Authentication and Authorization

Device identity isn’t the only thing that can prove useful. We’ve all seen the rise of the ‘freemium’ model in the mobile applications industry–predominantly in games–and the same ideas might be used in electronic publishing.

Imagine purchasing an eBook and being able to upgrade it into an audiobook – complete with read-along text highlighting – through an in-book purchase?

How about offering consumers the ability to lend books as a longer form of preview? You lend someone a book and they can read 60% of it, after which they can directly purchase their own copy, maybe even at a discount.

Will it never end?

DRM is, unfortunately, going to be with us for a while yet. My own aims in joining the conversation are simple: only by being in a position to collect data can I hope to obtain the evidence that will convince publishers that it’s no longer needed. Thus here I am– proposing DRM technology which can ultimately provide that evidence, whether for or against the continued deployment of DRM.

As to this article, however– yes, it ends. There’s a large conversation to be had here, and it’s my hope that the publishing industry will begin to make its voice heard in the standards committee meetings at the W3C and their like, and that we will have a better ecosystem for digital media as a result.