Friday, September 2. 2005
Good Uses for DRM
I know you never thought you would see an article with this title on our site, but surprise, here it is. As we have argued over and over again, digital rights management only serves to restrict and remove rights from innocent users. With that in mind, there may still be places where limiting a persons rights is acceptable. Generally these are only acceptable in business to business areas where the information is confidential.
Consider a situation where I want to send a business proposal to a potential investor. I want this investor to be able to read the proposal but I do not want him to be able to print the document or send it to anyone else. In other words I want to restrict what he can do with the document I send him. If this document is wrapped in a good DRM then I could easily accomplish this. Historically I would just encrypt the document and send it securely over email; however, once the document is decrypted the user can do whatever he wants with it.
This B2B document management is generally referred to as Enterprise Rights Management (ERM). We here at DRM Blog do not have a problem with this type of restrictive technology in principal. However, we still have doubts that it will work as advertised, and the ability to implement this technology is beyond most small entities.
So what would we want to accomplish by using DRM or ERM?
Let us consider the phone-home method. To accomplish this you must have three pieces of software: a server, a client, and a producer. The server software would run on a publicly available machine that can be connected to across the internet; think specialized web server. The client is designed to run on the end-user’s computer. This software allows the end-user to read and print the documents but will always connect to the server to make sure the person has the proper rights to do so; think Media Player 10 for documents. Finally there is the producer software which is used to actually create the document. The document would be uploaded to the server and the server would wrap the document in DRM and serve it to the end-user.
Now let us consider the stand-alone option. To accomplish this you need only two pieces of software: a client and a producer. The producer would create the document and embed all of the DRM information into the document. The client would read the document and allow the user to access the document according to these embedded rules. To get a document to an end-user, a person would just email it or send a disk. This system is simpler than the phone-home system but does not allow for changing DRM rules after the document is created. Also, to lock the document to one end-user, the producer would have to have that end-user’s client access key. Without this access key then anyone with a client could access the document.
We do not see any reason that ERM or DRM could not be used for sending business documents between users. However, the problems and limitations of the technology must be fully understood before it is embraced. As with all DRM schemes, there are holes in the security, and no DRM will protect against someone who is determined to exploit those holes. DRM is like a locked door; it will not keep out the real criminal, but it will convince honest people to stay out. A determined person with rights to read the document could just use a pencil and paper to copy the protected document. In this regard, the file is safe but the content is not protected. A determined person without any rights would just find a way to crack the DRM encryption scheme. In the end if a digital copy of a document exists, even if it's protected with enterprise rights management, it is susceptible to being read, printed, and shared.
Author - Jimmy Palmer
Consider a situation where I want to send a business proposal to a potential investor. I want this investor to be able to read the proposal but I do not want him to be able to print the document or send it to anyone else. In other words I want to restrict what he can do with the document I send him. If this document is wrapped in a good DRM then I could easily accomplish this. Historically I would just encrypt the document and send it securely over email; however, once the document is decrypted the user can do whatever he wants with it.
This B2B document management is generally referred to as Enterprise Rights Management (ERM). We here at DRM Blog do not have a problem with this type of restrictive technology in principal. However, we still have doubts that it will work as advertised, and the ability to implement this technology is beyond most small entities.
So what would we want to accomplish by using DRM or ERM?
- To control who can read or print a document.
- To control when a person can read or print a document.
- To control how many times a person can read or print a document.
Let us consider the phone-home method. To accomplish this you must have three pieces of software: a server, a client, and a producer. The server software would run on a publicly available machine that can be connected to across the internet; think specialized web server. The client is designed to run on the end-user’s computer. This software allows the end-user to read and print the documents but will always connect to the server to make sure the person has the proper rights to do so; think Media Player 10 for documents. Finally there is the producer software which is used to actually create the document. The document would be uploaded to the server and the server would wrap the document in DRM and serve it to the end-user.
Now let us consider the stand-alone option. To accomplish this you need only two pieces of software: a client and a producer. The producer would create the document and embed all of the DRM information into the document. The client would read the document and allow the user to access the document according to these embedded rules. To get a document to an end-user, a person would just email it or send a disk. This system is simpler than the phone-home system but does not allow for changing DRM rules after the document is created. Also, to lock the document to one end-user, the producer would have to have that end-user’s client access key. Without this access key then anyone with a client could access the document.
We do not see any reason that ERM or DRM could not be used for sending business documents between users. However, the problems and limitations of the technology must be fully understood before it is embraced. As with all DRM schemes, there are holes in the security, and no DRM will protect against someone who is determined to exploit those holes. DRM is like a locked door; it will not keep out the real criminal, but it will convince honest people to stay out. A determined person with rights to read the document could just use a pencil and paper to copy the protected document. In this regard, the file is safe but the content is not protected. A determined person without any rights would just find a way to crack the DRM encryption scheme. In the end if a digital copy of a document exists, even if it's protected with enterprise rights management, it is susceptible to being read, printed, and shared.
Author - Jimmy Palmer
Comments
What is to stop a person photocopying the document once it has been printed?
This would be another variation of the analog hole.
Cheers!
Michael.
This would be another variation of the analog hole.
Cheers!
Michael.
Well yes that's true, of course if you were concerned about that you could just prevent printing too.
What we need to remember with document DRM software, is that it is meant to mitigate risk and allow an enterprise to retain as much control as possible. Document DRM needs to work within the confines of the normal working environment of its users, which in general is Microsoft Office running on a Windows OS. Creating software that is totally unhackable both within this environment, and that is still easy to use (thus mitigating the risk of human error due to forgeting to use the software in the first place) is a difficult task for designers of dDRM software. If you can create a peice of software that prevents the vast majority of users from accessing protected information (and that even those few that try to, find it immensely difficult) and is easy to use, ideally it can be set so that restrictions are applied automatically with no user intervention, then that is a million times better than having no control at all.
What we need to remember with document DRM software, is that it is meant to mitigate risk and allow an enterprise to retain as much control as possible. Document DRM needs to work within the confines of the normal working environment of its users, which in general is Microsoft Office running on a Windows OS. Creating software that is totally unhackable both within this environment, and that is still easy to use (thus mitigating the risk of human error due to forgeting to use the software in the first place) is a difficult task for designers of dDRM software. If you can create a peice of software that prevents the vast majority of users from accessing protected information (and that even those few that try to, find it immensely difficult) and is easy to use, ideally it can be set so that restrictions are applied automatically with no user intervention, then that is a million times better than having no control at all.
#2
Susan Morrow on Sep 26 2005, 12:25
So let me see if i understand your point, its a good use of DRM to protect your IP, but its a poor use of DRM protect someone else's. If you replace business proposal with music/movie, print with rip, and share with distribute via internet, you have what the Music and Movie industry are doing.
The only difference between good and bad in your argument is whether you are on the producing or receiving side. It would be good for the whole world to learn of your business proposal, people would modify it and make it better, the best business people would be better able to make the most money out of it, students could learn from it.
The only difference between good and bad in your argument is whether you are on the producing or receiving side. It would be good for the whole world to learn of your business proposal, people would modify it and make it better, the best business people would be better able to make the most money out of it, students could learn from it.
#3
dave bailey on Sep 28 2005, 11:29
...and the very dangerous pirate uses a good old camera and takes a picture of the screen and spread it to the world....
"This B2B document management is generally referred to as Enterprise Rights Management (ERM). We here at DRM Blog do not have a problem with this type of restrictive technology in principal. However, we still have doubts that it will work as advertised, and the ability to implement this technology is beyond most small entities."
-----
I was struck by this snippet in your post, and also by Susan Morrow's comment above about ease of use. The startup I work for, Essential Security Software, is on the cusp of releasing a product that is secure, affordable to small entities, and easy to use. I would invite anyone interested to take a look at our website to see how it will work. From my point of view, the market is responding to this emerging need for document and email DRM that small businesses have.
-----
I was struck by this snippet in your post, and also by Susan Morrow's comment above about ease of use. The startup I work for, Essential Security Software, is on the cusp of releasing a product that is secure, affordable to small entities, and easy to use. I would invite anyone interested to take a look at our website to see how it will work. From my point of view, the market is responding to this emerging need for document and email DRM that small businesses have.
#5
Michael Grimm on Oct 3 2005, 11:37
I don't understand how document DRM helps anyone. I can understand why one would encrypt something across an insecure network, but after that, what's the point? If you can't trust the person you're sending it to, then just don't send it. Once you press 'send' and give the recipient the means to open your document, your security is gone. They can retype it, read it aloud into a recorder or over the phone, take a screenshot, or even just photograph the screen. All you do with document DRM is make the "bad guy" work a wee bit harder. Thanks, but I'll save my money.
#6
damon on Oct 4 2005, 09:54
I guess this photo type argument is quite common amongst people who are visualizing the ‘secret information’ as single formula that some James Bond character can snap off the screen. More realistically in my experience the types of documents that get protected by document DRM are things like 70,000 page accident or incident reports which are shuttling between a dozen teams of investigators.
The aim is for the outside consultant to encourage the maximum openness and freedom of information – within the process - so that the correct action can be taken to solve the problem quickly without the parties involved just clamming up. One think then need to feel happier about is that their information isn’t forwarded out of context. Its true the alternative is never to call in independent experts or consultants and to try to keep all ‘incidents’ secret within the organization – at least the DRM approach gives another option.
Other common uses for document DRM are things like your health or legal records. Setting these up so that an intern can’t walk on to his next job with them (and say 30,000 others like them) is becoming more common. Its great for our intern to start his next job with a list of 2500 prospects with such-and-such an ECG irregularity but not so great for you if you are one of them. Of course he or she might want to set up his Nikon in an open office to photograph these records but . . .
The aim is for the outside consultant to encourage the maximum openness and freedom of information – within the process - so that the correct action can be taken to solve the problem quickly without the parties involved just clamming up. One think then need to feel happier about is that their information isn’t forwarded out of context. Its true the alternative is never to call in independent experts or consultants and to try to keep all ‘incidents’ secret within the organization – at least the DRM approach gives another option.
Other common uses for document DRM are things like your health or legal records. Setting these up so that an intern can’t walk on to his next job with them (and say 30,000 others like them) is becoming more common. Its great for our intern to start his next job with a list of 2500 prospects with such-and-such an ECG irregularity but not so great for you if you are one of them. Of course he or she might want to set up his Nikon in an open office to photograph these records but . . .
The author has not allowed comments to this entry
