DRM and P2P

Re: Integrating DRM with P2P Networks: Enabling the Future of Online Content Business Models

This is a very interesting little paper with wider implications. First, some background. Digital Rights Management (DRM) involves three major components:

  1. The expression of digital rights (analogous to the copyright notice in a book, or the deed to a house)
  2. Authorization (by password or machine identity) to access or otherwise use the content (analogous to a library card, a cash register receipt, or a key to the front door)
  3. And enforcement mechanisms such as encryption and file locking (analogous to a coded book, or a burglar alarm system).
Now what's significant is that each of these three mechanisms ought to be applied at different levels of a content network (such as the internet, or such as a Peer to Peer network). The expression of rights should be supported by the network as a whole. Authorization, on the other hand, should be restricted to only those servers that need it. And enforcement should be document specific. The reason is that each level of DRM imposes a greater level of overhead (such as costs to the producer, access time required, computer power required), and the more overhead a DRM mechanism requires, the more limited its application should be. After all, it would be foolish to require a public bulletin board to use the same security as an automatic teller, right? And it would be foolish to require people to use a passkey to walk down a public sidewalk, right?

OK, that's the background. On to the article. The author proposes, with (given the history of Peer to Peer) good cause, that digital rights technology be integrated into peer to peer networks. I agree with this, so far as it goes, because we need DRM to protect the users of free content from frivolous lawsuits, and because Peer to Peer is probably our best hope for widely distributed broadband content. But consider the issues:

  • Whether the authorization is done on the basis of a user's identity, a device's identity, or both.
  • Whether the software doing the authorization is built in to the playback device or software, built in to the platform on which it runs, or independent of those.
  • Whether the license is bundled in with or separate from the content.
  • How much fine-grained control the IP owner has over specification of rights.
  • Whether or not the user is required to be connected to the network at all times.
  • How financial transactions are integrated with the authorization process.
Now what you should notice is how messed up all those issues are. Authorization, for example, should not be a network property of P2P DRM; it should remain a server property. Authorization, moreover, should not be built into the playback, but into the distribution. The specification of rights, by contrast, is something that should be supported by the network, and should therefore use a common format such as ODRL or MPEG-REL.
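The layering argued for above, sketched as an added example (not code from the paper under discussion): peers carry and read the rights expression, only the license server authorizes, and encryption is applied per document only when its rights call for it. The class names, the `rights` dictionary (a constructed stand-in, not ODRL or MPEG-REL syntax) and the toy cipher are all assumptions made for illustration.

```python
import hashlib
import secrets

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream XOR, a stand-in for a real cipher. Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class LicenseServer:
    """Authorization: identities and keys are held here and nowhere else."""
    def __init__(self):
        self.keys = {}        # doc_id -> content key
        self.grants = set()   # (user, doc_id) pairs

    def publish(self, doc_id, body, rights):
        """Enforcement: per document, applied only when its rights call for it."""
        if rights["access"] == "open":
            return {"id": doc_id, "rights": rights, "payload": body}
        self.keys[doc_id] = secrets.token_bytes(32)
        return {"id": doc_id, "rights": rights,
                "payload": toy_xor(self.keys[doc_id], body)}

    def grant(self, user, doc_id):
        self.grants.add((user, doc_id))

    def authorize(self, user, doc_id):
        if (user, doc_id) not in self.grants:
            raise PermissionError(f"{user} holds no licence for {doc_id}")
        return self.keys[doc_id]

class Peer:
    """Expression: every peer carries and can read the rights, but holds no keys."""
    def __init__(self):
        self.store = {}

    def relay(self, doc_id, to):
        to.store[doc_id] = self.store[doc_id]   # rights travel with the content

    def rights(self, doc_id):
        return self.store[doc_id]["rights"]

def read(peer, doc_id, user, server=None):
    item = peer.store[doc_id]
    if item["rights"]["access"] == "open":
        return item["payload"]                  # no server round trip, no crypto
    return toy_xor(server.authorize(user, doc_id), item["payload"])
```

Open content is read from any peer without touching the server, so the overhead of authorization and encryption falls only on the documents that require it.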

See, the author is probably thinking of Microsoft's Rights Management Server system or the concept of trusted computing, which embodies all three levels of DRM at the network level. Under such systems, the entire network becomes secure - but at the cost of such overhead that only major commercial publishers can afford to distribute content at all. But if that is the model of DRM being considered, who needs P2P? The internet becomes just another cable channel (a pay-per-view channel).

DRM and P2P are, as the author asserts, far from mutually exclusive. But there's a trade-off. In a distributed network, such as P2P (or other content syndication systems, such as RSS), you need distributed digital rights management, which embodies the three layers of DRM discussed above. But the big players in DRM today aren't interested. After all, what benefit is it to them to see an environment where just anyone can produce and distribute content?
