IDATE Multiclient Study on DRM - 2005 
www.idate.org
The European way to think the Digital World
IDATE – BP4167 – 34092 Montpellier cedex 5 – Tel: +33(0)467 144 444 – Fax: +33(0)467 144 400 – info@idate.org

Film, Music, Software, Video, Video games

Digital Rights Management (DRM)
DRM and virtual content distribution

Laurent Michaud, Mathieu Massot, Alain Puissochet
M26705 - August 2005

Executive Summary

2005 Edition © IDATE

• IT and consumer electronics players often seem to be in conflict with rights holders.
• The music sector, presented as the first victim of peer-to-peer exchange networks, is now a pioneer in virtual content distribution.
• DRM cannot solve the problems that legislators have yet to clarify, such as the right to private copying.
• DRM interoperability remains a difficult objective to achieve, except perhaps in the world of mobile telecommunications.

Digital distribution and protection from unauthorised copying

There are now several digital distribution channels:

- Virtual distribution, which includes:
  • Paying distribution with controlled access similar to that of digital pay TV via cable, satellite and ADSL
  • Paying distribution via the internet that uses a DRM system
  • Free distribution without content protection and without rights holders’ approval via peer-to-peer networks.
- Physical distribution, which mainly concerns CDs, SACDs, DVDs, Audio DVDs and future media such as HD DVDs and Blu-Ray, protected by technical and usually anti-copying measures.

Technical protection measures for virtual and physical goods

Technical protection measures (TPMs) consist of encoding contents with the help of encryption algorithms and secret and/or public keys. TPMs are related to access protection techniques (conditional access to television, CDs and DVDs) and content protection via the embedding of a tattoo or watermark. Most contents can be encrypted including television programmes via set-top boxes and/or chip cards, optical supports (CDs, DVDs, and now SACDs, Audio DVDs etc.)
or virtual distribution via streaming or downloading. TPMs, access management and tattooing tools do not ensure rights management, but offer a necessary framework that rights management tools can be incorporated into.

Access control

This usually involves a set-top box incorporating a system that makes it possible to transmit rights (bouquets of channels to which a subscription has been taken out, for example) and to invoice any uses on a pay-per-view and video-on-demand basis. Initially video sequences could only be displayed on television sets or recorded using a video recorder. The growing possibility of interconnecting entertainment equipment (TV sets, PCs, mobile telephones, set-top boxes, PVRs, games consoles, MP3 players, internet access, video cameras, Hi-Fi stereos etc.) is creating anxiety on the part of content providers and broadcasters.

DRM (Digital Rights Management)

DRM concerns the management of copies of virtual goods. It goes far beyond simple anti-copying protection, and can notably make it possible to identify a work, rights holders and authorised uses, as well as to describe related rights such as simple and multiple playing, recording, simple and multiple copying, copying limited to selected pieces of equipment etc. It enables rights distribution and the collection of corresponding data (a function that it shares with access control). DRM can also be linked to access control. It can also be combined with a technical protection measure.

In view of the various technical solutions on offer, as well as their implications for users, choices are far from fixed. A growing number of industry consortia between technology producers (Thomson, Philips, HP, NDS and many others) are offering solutions to different aspects of DRM, or taking part in various alliances.
Unlike the organisations that aim to define protection systems, the Personal Technology Freedom Coalition unites most of the technology companies and public bodies, and notably aims to question the most restrictive measures.

DRM offerings

The DRM market is going to be confronted with players adopting highly diverse strategies.

Microsoft has a very full DRM offering (management of recording, transfer to portable devices, validity duration, level of audio protection etc.) that is almost exclusively software based. This offering is mainly free, and may help to give Microsoft a monopoly in the DRM offering. It is helping to consolidate the place of Windows Media in the audiovisual industry and notably of the proprietary encryption system developed by Microsoft that is now in the process of being standardised under the name VC-1.

Apple, on the other hand, is primarily targeting a music downloading service linked to a device. Its proprietary DRM system "Fairplay" is for iTunes and iPod, and does not aim to be systematically open to other distributors without a prior agreement.

Sony would seem to have opted for a similar strategy with its “Connect” offering, its compatible devices and its DRM “OpenMG X”.

RealNetworks is one of Microsoft’s major competitors in DRM provision. The company is present with its Helix platform (a DRM solution compatible with mobile telephones, electronic agendas, hybrid devices and personal computers). It is also dynamic in content distribution via its Rhapsody offering.

Players in content distribution via mobile telephone have joined forces to form the OMA (Open Mobile Alliance), which has developed an interoperable DRM solution and now offers specifications for rights management on mobile telephones.
The combination of a single DRM system for mobiles and the emergence of hard discs in this equipment could pose a major threat to iPod and have an impact on portable video players.

The example of virtual music distribution

The field of music was the first victim of the growth of peer-to-peer, as well as of the implementation of new business models for online distribution. The success of Apple with its iTunes Music Store and iPod shows that there is solvent demand, despite strong competition from P2P services authorising content downloading without the approval of rights holders. The Apple service has nevertheless only been profitable to date thanks to the sale of iPod devices. Its online shop may recently have become profit-making. Other players, like Roxio (renamed Napster, with its eponymous service that is now authorised), are also posting strong results. With its Connect offering that is linked to several playing devices, Sony could make itself a place alongside Apple in the months to come.

The major role played by DRM

DRM plays a major role in the development of the online music market. For content providers, it guarantees the development of a reliable market for virtual distribution. It is DRM that enables operators to obtain tracks to include in their distribution catalogues. The legal offering has also increased significantly since 2003. The legal online content distribution offering is now abundant, and there are indeed over 20 major services of international standing.

Against this background, peer-to-peer software has been adopted by record companies (Universal, EMI, BMG…), which are signing agreements with solution vendors enabling music distribution on a P2P basis, but in return for payment and integrated DRM systems. EMI and BMG have thus already signed up with Wippit, a service provider based in the UK, and Universal is in negotiations with Snocap.

The market is just as dynamic in the "Business to Business" mode.
ISPs, broadcasters, retailers and several categories of players that do not hold rights are turning to intermediaries to be present in this promising niche. In this market segment, OD2 (On Demand Distribution, acquired by Loudeye), which uses Microsoft’s DRM and provides MSN Music Club, is now the European leader in unnamed music for companies.

Virtual film distribution

There are few offerings of film distribution via the internet, and in the end they are not very interesting given their very small catalogues. MovieLink in the USA has 400 titles in its catalogue. However, there is no doubt that these offerings will be deployed in the near future due to the “generalisation” of broadband connections and the marketing of several portable video devices equipped with a hard disk in 2005 and 2006. However, this generalisation faces several obstacles:

• The fear of piracy, the most commonly cited reason
• The difficulty of compiling a catalogue, which requires rights negotiations that are always complex. These negotiations are all the more difficult because the major studios have not given up on the idea of moving into the online distribution of their content themselves.
• The insertion of this distribution in the chronology of films, which goes from the cinema to free television via video and pay-per-view.

Regulatory and legal context

“Authors’ rights” versus the right to make private copies

The impact of DRM systems on virtual film distribution is major. Film producers are making very tough demands and are key players in the acceptance and choice of DRM systems.

“Authors’ rights” and the right to make private copies, or “fair use”, lie at the heart of DRM problems. Their definition and the way in which they are applied have an impact on technical protection measures and may even have implications for their deployment in the digital world.
Yet DRM systems cannot compensate for the holes in the law dealing with the new situations that are arising or replace the law as producers and content vendors would like them to.

The WIPO (World Intellectual Property Organisation) treaties passed in 1996 and effective as of 2002 and their transposition in the USA and in Europe would certainly seem to reinforce technical protection measures and DRM systems. However, the directive does not answer the question of whether a user that neutralises the protection of a physical support to make a private copy is breaking the law.

The broadcast flag

In November 2003 the FCC decided to make the ATSC flag or “broadcast flag” obligatory for all equipment capable of receiving digital terrestrial television as of July 2005. Its aim was to control the copying of digital works broadcast on free-to-air channels and therefore a priori not encrypted. Certain U.S. channels threatened to withdraw their contents from free channels to reserve them for paying and encrypted channels if there was no protection system, notably citing the risk of a loss of resources related to secondary distribution internationally, via the internet, on DVD etc. However, this decision was rejected by the U.S. Court of Appeals, which considered that such a decision had to stem from a law.

The private domain

A concept recently introduced is that of the private domain. It caters for the growth of domestic networks, as well as nomadic usages (in cars and second homes). It then becomes a question of defining a type of free reproduction space. This concept, notably studied by the DVB, has been incorporated into various projects like Thomson’s SmartRight and Viaccess’ PurpleDRM. A solution like that of SmartRight aims to accept all access control systems, even to the extent of using specific protection of the private domain by defining import and export rules. Rights holders, however, remain hostile.
Towards the coexistence of multiple models

The continued presence of several models looks likely:

• The horizontal model of the CD or DVD should continue with the high definition CD and DVD, with a copying control system, which should enable private copying (in a form that will depend both on the power relations between the various players and legal decisions). The AACS (Advanced Access Content System) has established a more elaborate protection system than existing products that notably enables content owners to choose their own protection rules for high definition DVD players.
• A vertical model linked to pay television, video and even music, whereby effective access control should also be linked to the possibility of copying to closed devices, partly or totally specified by the content distributor. We have seen that video players/recorders accommodate the existence of incompatible proprietary technologies. It is in this domain that new paying models could develop more easily.

Moreover, a single model should probably continue to exist, namely that of MP3, and to a certain extent DIVX, which is not linked to any DRM.

And another model will probably emerge, thanks to the OMA standard and facilitated by the possible identification of devices and their owners: a horizontal model linked to the mobile telephone.

A universal system of products available to everyone, but which will be paying at the request of rights holders and will guarantee them usage-based compensation, seems unlikely, at least in the short term.
Functions of the major DRM systems

Windows Media DRM
- Streaming: Streaming time management
- Downloading: Downloading management on subscription
- Recording on CD: Management of number of recordings on CD
- Transfer to portable player: Management of number of transfers to compatible portable players
- Service sharing: Access management via another computer

Apple Fair Play
- Streaming: Streaming time management
- Downloading: Management of number of downloads
- Recording on CD: Unlimited number of recordings
- Transfer to portable player: Unlimited number of transfers to iPod
- Service sharing: Access management via another computer

RealNetworks DRM
- Streaming: Streaming time management
- Downloading: Management of number of downloads
- Recording on CD: Unlimited number of recordings
- Transfer to portable player: Management of unlimited number of transfers to compatible portable players
- Service sharing: Access management via another computer

Sony Open MG
- Streaming: Streaming time management
- Downloading: Management of number of downloads
- Recording on CD: Unlimited transfer to Sony products
- Transfer to portable player: Unlimited transfer to Sony products
- Service sharing: Access management via another computer

Source: IDATE

[Figure: Positioning of major DRM players and their platforms. Source: IDATE]

Table of contents

Introduction
1. Technical protection and legal background
  1.1. Technology update
    1.1.1. Technical protection measures (TPM)
      Cryptosystems
      Watermarking and tattooing
      Medium access management: the disc
    1.1.2. Digital Rights Management
      Programming language: an indispensable standard
      Copyright integration
      Application of rights and management of digital copying of artistic works
  1.2. Legal background
    1.2.1. The protection of artists and their works
      “Artists’ rights”
      Copyright
    1.2.2. International legal frameworks
      WIPO (World Intellectual Property Organization) treaties
      The Digital Millennium Copyright Act (DMCA)
      The European Union Copyright Directive (EUCD)
2. DRM players
  2.1. Players present
    2.1.1. Content providers
    2.1.2. Technical protection measure (TPM) and DRM providers
    2.1.3. Rights aggregators or licence managers
    2.1.4. Distributors
    2.1.5. Consumer electronic manufacturers
    2.1.6. IT manufacturers
  2.2. The value chain
  2.3. Monographs
    2.3.1. Groups and consortia
      Blu-Ray Disc Association
      Content Reference Forum
      Coral
      OMA DRM
      Trusted Computing Group
    2.3.2. Companies
      Adobe Systems Incorporated
      Beep Science
      End2End
      Info2clear
      InterTrust Technologies Corporation
      Macrovision
      Microsoft
      New Digital System (NDS)
      Overdrive
      Philips Electronics
      Real Networks
      RSA Security
      SealedMedia Inc.
      SunnComm
      VeriSign
  2.4. Overview
    2.4.1. Industry players’ solutions
    2.4.2. The activity of consortia
3. Analysis and outlook for content distribution
  3.1. Usages and the market
    3.1.1. New forms of cultural goods consumption
      The emergence of digital usages
      The age of nomadic usage and mobility
      Digital entertainment and mobile devices
    3.1.2. The case of the virtual music distribution market
      Forms of market structure
      Composition of the offering
      The business model
      Legal distribution on a peer-to-peer basis
    3.1.3. Other virtual distribution markets
      Virtual video games distribution: a slow take-off
      Virtual distribution: the missing major
  3.2. DRM and content distribution, a key coupling
    3.2.1. Players’ strategy: service, DRM and codecs
      DRM at the heart of virtual distribution strategies
      DRM interoperability: industry incompatibility!
      Are codecs and DRM indissociable?
      Various rights
      Functioning of the iTunes Music Store protection system
    3.2.2. The case of the mobile telephone
    3.2.3. Audiovisual programme protection and rights management
      Access control and domestic networks
      The broadcast flag
      The protection technologies listed below had been registered with and approved by the FCC in August 2004:
  3.3. Outlook and stakes
    3.3.1. Stakes for users
      Accepting DRM
      The end of private copying
      Interoperability
      A regulatory body for new usages
    3.3.2. The stakes for content providers
      Solvency of demand
      Not abandoning content distribution
      Consolidating a favourable business model
      Rethinking or transposing a commercial policy to fixed or mobile internet
      Rethinking or retaining media chronology
    3.3.3. Stakes for technology providers
      Proving the effectiveness of existing offerings
      Developing a distribution activity
      Adapting DRM systems to new, nomadic usages
    3.3.4. Stakes for online retailers/distributors
      Making existing offerings profitable
      Optical medium versus virtualisation
      DRM interoperability
    3.3.5. What are the stakes for consumer electronics?
      Implications related to the incorporation of TPMs in equipment
      Industry organisations
4. IDATE presentation
  4.1. Studies and consulting: present in all of the sectors’ strategic developments
  4.2. Reports and publications
  4.3. A Forum focusing on Europe’s Information and Communication Technologies
  4.4. Main clients
  4.5. 2005 DigiWorld Catalogue

Table of illustrations

Table 1: CSS
Table 2: Examples of security system implementation
Table 3: Comparison of two theoretical models
Table 4: Online and offline hardware solutions
Table 5: Software solutions
Table 6: Destination of solutions
Table 7: Summarising table on consortia
Table 8: Consortia and rights description languages
Table 9: Example of revenue breakdown in France
Table 10: Major online music distribution offerings
Table 11: Main online music distribution offerings in the major markets
Table 12: Examples of video on demand services based on film scheduling
Table 13: Major audio codecs
Table 14: Main services and their content management
Table 15: Microsoft system: rights related to file reading
Table 16: Microsoft system: expiry of licence to operating rights
Table 17: Microsoft system: rights security
Table 18: Content protection technologies registered with the FCC

Table of figures

Figure 1: Horizontal DRM
Figure 2: Vertical DRM
Figure 3: Smartright system architecture
Figure 4: OD2 distribution infrastructure
Figure 5: Evolution of the music value chain
Figure 6: Examples of multimedia mobile telephones
Figure 7: Physical and digital disc distribution
Figure 8: Wippit protection system
Figure 9: Kryptomusic distribution system
Figure 10: Media chronology in France
Figure 11: Purple DRM architecture
Figure 12: Access control architecture

Introduction

Digitisation became accessible to consumers with the birth of personal computing. This revolution, which started at the beginning of the 1980s, was given a new lease of life in the mid-1990s with the arrival of broadband internet in universities, companies and then households. Today internet users of all ages exchange all types of content including music, films, images, applications and texts.
These exchanges are sometimes carried out in a legal environment, but often take place via outlawed peer-to-peer exchange networks, that is to say that content is exchanged without the approval of rights holders. Internet users acquire virtual content via the internet, transfer it to a portable player, record it on a CD, and copy, transform and decompress content. They also extract the contents of their optical media for the same purposes, namely copying, transferral, recording, decompression etc.

In the space of a decade the way of acquiring, handling and consuming content has been completely transformed. Today exchange of content from the internet or derived from optical media escapes the complete and continuous control of producer vendors and rights holders. However, content and electronics players are trying to compensate for digital breaches by offering a legal alternative or by protecting access to content on optical media. On the internet, legal alternatives to peer-to-peer networks have emerged in the music sector, video games and in video. Moreover, optical media are increasingly subject to protection thanks to multi-support solutions.

Nevertheless, changes in usage have outstripped advances in the field of technical protection measures (TPM) and digital rights management (DRM). Advances in protection are now very real and on the road to becoming effective. However, protection is a difficult and delicate task. It is difficult because the forms of protection adopted have to adapt to an open universe that has no standards, is constantly changing and benefits from the intervention of communities of developers, crackers and hackers all working in the name of liberty and free exchanges. The task of protection systems is delicate because they are governed by a vague legal framework that is sometimes ill-suited to the digital era. There are no laws dealing with peer-to-peer as such.
Outlaw exchanges on peer-to-peer networks continue, despite the fact that the number of prosecutions is growing and that legal offerings are available.

Content sharing via portable or fixed digital devices, authorising unrestricted copying, transfer and playing, has proved massively successful in the field of music. This success should be repeated with the advent and large-scale deployment of portable devices, connected or not to the internet, incorporating a storage support, communicating with each other or not, and dedicated to video. Mobile telephones, multi-functional games consoles, audiovisual programme players/recorders and nomadic devices are bringing consumer electronics into the portable digital age.

Consumers seem to have (re)found a freedom of use of cultural goods by manipulating content without restrictions. For vendors, this freedom also means that content is free of charge, which does not favour fair economic development of the virtual content distribution sector. Outlaw peer-to-peer networks are consequently unpopular with vendors, but are not deemed illegal by the law. Similarly, several mobile and fixed devices do not manage the rights of the content stored on them, but are legal.

Vendors prefer devices equipped with DRM systems to manage virtual content rights linked to TPMs. These solutions, if they could guarantee vendors total control, would certainly meet with the complete disapproval of consumers, who are not willing to buy devices that do not offer unlimited access to content and do not enable them to manage the devices as they please. DRM systems and TPMs consequently face an arduous task, namely to ensure fair rights management without infringing consumers’ freedom of use.

1. Technical protection and legal background

A technology update is required to distinguish between the various technical protective mechanisms and types of digital rights management. The latter relies on technical protection measures, which cover hardware and software and can be applied to all digital content.

1.1. Technology update

1.1.1. Technical protection measures (TPM)

The technical protection of artistic works is carried out via encryption of the work, its tattooing or protection of access to it.

Cryptosystems

Cryptography or “encoding” refers to all techniques that make it possible to scramble a message so that it cannot be understood without a specific action. In the case of a text this means turning the letters that make up the message into a succession of figures, and subsequently making calculations based on these figures in order to:
• Change the figures to make them incomprehensible. The result of this change (the encoded message) is called a cryptogram, as opposed to the initial version, called the unscrambled message
• Ensure that recipients will be able to decrypt them.

The act of encrypting a message to make it secret is called encryption. The inverse method, which consists of finding the original message, is called decoding.

Encoding is generally carried out using an encoding key, while decoding requires a decoding key. There are generally two types of keys:
• Symmetrical keys: these are keys used for both encoding and decoding. In such cases we refer to symmetrical encoding or encoding with a secret key
• Asymmetrical keys: these are keys used in cases of asymmetrical encoding (also called public key encoding). In this instance, a different key is used for encoding and decoding.

Major symmetrical algorithms

Symmetrical encoding (also called private key encoding or secret key encoding) consists of using the same key for encoding as for decoding. The weakness of symmetrical encoding lies in the secure transmission of the key.

Vigenère encryption

Vigenère encryption consists of giving the letters of the alphabet a code and combining the unscrambled message with a word encrypted using this method.

DES or secret key encryption

On May 15th 1973, the NBS (National Bureau of Standards, now called the NIST, National Institute of Standards and Technology) issued a call for tenders in the Federal Register (the U.S. equivalent to the Official Journal in France) for the creation of an encryption algorithm that satisfied the following criteria:
• A high level of security combined with a small sized key to be used for encryption and decoding
• Understandable
• Not necessarily depending on the confidentiality of the algorithm
• Adaptable and economic
• Efficient and exportable

At the end of 1974, IBM put forward Lucifer, which, thanks to the NSA (National Security Agency), was modified on November 23rd 1976, resulting in the DES (Data Encryption Standard). The DES was finally approved by the NBS in 1978. The DES was standardised by the ANSI (American National Standards Institute) under the name of ANSI X3.92, more widely known as the DEA (Data Encryption Algorithm).

The algorithm consists of making combinations, substitutions and permutations between the text to be encrypted and the key, so that operations can be carried out in both directions (for decoding).

At the beginning of 1999, 100,000 networked PCs sharing a distributed calculation application, as well as a supercomputer, the DES Cracker by the Electronic Frontier Foundation, cracked DES in almost 22 hours. However, DES is not obsolete if the key is regularly changed.

TDES and AES

TDES or triple DES consists of linking three DES encryptions using two 56 bit keys. TDES makes it possible to significantly increase the security of DES. However, it has the major disadvantage of also requiring more resources for encryption and decoding.
The DES encoding system was updated every 5 years. In 2000, during the last revision, after an assessment process that lasted 3 years, the algorithm jointly conceived by two Belgian candidates, Vincent Rijmen and Joan Daemen, was chosen by the NIST as the new standard. This new algorithm, baptised RIJNDAEL by its inventors, will replace DES from now on (http://csrc.nist.gov/CryptoToolkit/tkencryption.html). In 1997 the NIST had issued a call for tenders for a project to elaborate the AES (Advanced Encryption Standard), an encryption algorithm, to replace DES.

Asymmetrical algorithm

This algorithm functions with the help of two keys: a public and a private key. The principle of encryption by public/private key lies in the existence of a pair of keys for each interlocutor. These two keys are managed at the same time and linked. The private key is personal and should not be revealed. Inversely, the public key can be accessed by anyone, directly on the network for example.

The principle of use is as follows: a message encoded with a public key can only be decrypted by the corresponding private key. Inversely, a message encrypted with a private key can only be decrypted using its public key. Problems related to the secure transmission of the decoding key are no longer an issue, as public keys alone are of no interest. On the other hand, it is worth ensuring that the public key really belongs to the person for whom the message is destined.

Asymmetrical encryption, which is far more secure than symmetrical encryption, requires a longer calculation time during the stages of encryption and decoding. Furthermore, the “digital envelope” system is used: the message is transmitted encrypted with a random symmetrical key “M”, and the “M” key is sent encrypted with the recipient’s public key.

Asymmetrical encryption algorithms are based on several users sharing a public key. Generally, this key is shared via an electronic directory or a web site.
Public keys can thus be corrupted if intercepted by malevolent hackers. As a result, it is common practice to link the public key with a certificate. The latter establishes a link between the public key and an object or individual. The certificate is delivered by the certification authority. This authority is responsible for assigning a validity date and revoking keys if they seem corrupt.

RSA algorithm (cf. monograph page 90)

The public key algorithm was first developed by Rivest, Shamir and Adleman (RSA) in 1978. It is still widely used today.

PGP (Pretty Good Privacy) or the hybrid algorithm

PGP is an encryption system invented by IT expert Philip Zimmermann. The first version of this system was released in June 1991. It was produced using a technology patented by RSA.

Principle and functioning

PGP is a combination of public key and conventional encryption functions. When a user encrypts a text with PGP, the data are firstly compressed. This compression makes it possible to reduce the transmission time by modem, to save disk space and, above all, to strengthen encryption security.

Encryption is carried out in two stages:
1. PGP randomly creates a secret IDEA key and encrypts the data with this key.
2. PGP encrypts the secret IDEA key using the recipient’s public RSA key and sends it.

Decoding also takes place in two stages:
1. PGP decodes the IDEA secret key using the private RSA key.
2. PGP decodes the data with the previously obtained IDEA key.

This method of encryption combines the user friendliness of public key encryption with the speed of conventional encryption. Conventional encryption is around 1,000 times more rapid than public key encryption. Public key encryption solves the problem of key distribution. Used together, these two methods improve performance and key management, without compromising security.
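
The two-stage procedure above (the “digital envelope” mentioned earlier) as an added sketch, not code from PGP or from the study. Assumptions: a SHA-256 counter-mode keystream stands in for IDEA, the RSA key pairs are constructed from publicly known Mersenne primes and use textbook RSA without padding, and all names are illustrative.

```python
import hashlib
import secrets
import zlib

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Build (public, private) RSA keys from two primes: (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed toy keys: the factors are well-known Mersenne primes, so these
# keys protect nothing. They only stand in for each user's RSA key pair.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the conventional cipher (IDEA in PGP).

    XORs the data with SHA-256(key || counter); applying it twice decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message: bytes, recipient_pub) -> dict:
    """Sender side: compress, encrypt with a fresh session key, wrap the key."""
    n, e = recipient_pub
    compressed = zlib.compress(message)            # PGP compresses first
    session_key = secrets.token_bytes(16)          # stage 1: random secret key...
    body = keystream_xor(session_key, compressed)  # ...encrypts the data
    # Stage 2: only the short session key goes through the slow public-key step.
    # Textbook RSA keeps the sketch short; real systems add padding (e.g. OAEP).
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped, "body": body}


def open_envelope(envelope: dict, recipient_priv) -> bytes:
    """Recipient side: unwrap the session key, then decrypt and decompress."""
    n, d = recipient_priv
    key_int = pow(envelope["wrapped_key"], d, n)   # stage 1: private RSA key
    if key_int >= 1 << 128:
        raise ValueError("unwrapped value is not a 128-bit session key")
    session_key = key_int.to_bytes(16, "big")
    try:                                           # stage 2: conventional cipher
        return zlib.decompress(keystream_xor(session_key, envelope["body"]))
    except zlib.error as exc:
        raise ValueError("body does not decrypt to valid data") from exc


if __name__ == "__main__":
    text = b"constructed sample: licence terms for track 42\n" * 10
    env = seal(text, ALICE_PUB)
    print(len(text), "bytes sealed into", len(env["body"]), "bytes")
    print("round trip ok:", open_envelope(env, ALICE_PRIV) == text)
```

The public-key operation touches only the 16-byte session key, whatever the size of the content, which is where the speed advantage described above comes from.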

PGP offers the following functions:
• Electronic signature and verification of message integrity: function based on the simultaneous use of hashing¹ (MD5) and the RSA system. MD5 hashes the message, providing a result of 128 bits that is subsequently encrypted, thanks to RSA, by the sender’s private key.
• Local file encryption: function using IDEA.
• Public and private key creation: each user encrypts his/her messages using private IDEA keys. The transfer of electronic IDEA keys uses the RSA system. PGP thus offers mechanisms for creating keys adapted to this system. RSA keys are sized according to several different security levels: 512, 768, 1024 and 1280 bits.
• Key management: a function that facilitates distribution of the user’s public key to correspondents that wish to send him/her encrypted messages.
• Key certification: a function making it possible to add a digital seal guaranteeing the authenticity of public keys. This is an innovative feature of PGP, which bases its confidence on a notion of social proximity, rather than on a central certification authority.
• Revocation, deactivation, key registration: a function that makes it possible to produce revocation certificates.

¹ As the electronic signature uses asymmetrical algorithms that are fairly slow, the signature does not encrypt the entire message with the private key, but rather a message “digest” obtained using a hashing function. To guarantee the integrity of the message attached to the condensed signature, it has to be very difficult to modify the original message without this leading to the calculation of a different digest.

PGP certification

Certificates are small files that can be divided into two parts:
• The part containing the information
• The part containing the certification authority’s signature.

The structure of certificates is standardised on the basis of the ITU’s X.509 standard (www.itu.int), which defines the information contained in the certificate, namely:
• The name of the certification authority
• The name of the certificate owner
• The date of the certificate’s validity
• The encoding algorithm used
• The owner’s public key.

To produce an X.509 certificate that complies with the ITU’s (International Telecommunication Union) standard, it is advisable to use a certification authority. In a PGP environment any user can act as a certification authority. This individual can therefore validate another PGP user’s public key certificate. However, such a certificate can only be considered valid by another user if a third party recognises the individual that has validated this certificate as a trustworthy correspondent.

Only the certificate holder (the corresponding private key holder), or another user designated as the revocation authority by the certificate holder, is able to revoke a PGP certificate. When a certificate is revoked it is important to warn potential users. The usual way of informing users of PGP certificate revocation is to place this information on a certificate server.

Key storage and management

The creation of keys poses no particular problem with regard to the security of the content it is attached to. Its distribution, in the case of a public key, is not problematic either since the key is useless alone. The private key is generally created locally and there is no reason for it to be transmitted. Key storage, on the other hand, can be seen by pirates as a breach in security.

The key storage solutions proposed by consumer electronics industry players are usually incorporated into electronic components. This heavily restricts piracy, but does not make systems inviolable. In the pay television sector operators use a chip card. This enables:
• Users to create a key
• Keys to be renewed, making piracy more difficult.

The storage of a key on a card or an electronic component nevertheless does not make it possible to detect pirate systems. As a result, a large number of pirate decoders, equipped or not with a chip requiring monthly updating, are in circulation.

IT sector players advocate storing the keys in software solutions. This manner of key management seems simpler and more efficient:
• Updates are possible without modifying the electronic components
• It is less expensive to update software compared to a hardware update
• Updating is more rapid.

Connecting devices to the internet or managing keys via a software solution opens up new control options, but nevertheless introduces new weaknesses:
• Widespread and instant information in cases of a breach
• Community encryption analysis.

Use of software makes key management more fragile. Software programs are generally analysed and cracked rapidly by virtual communities of hackers who are dangerously effective.

Jon Lech Johansen, a 22 year-old Norwegian nicknamed “DVD Jon,” together with another anonymous German internet user, cracked the CSS protection for DVDs. Their aim was to play video DVDs on the Linux operating system. Up until their work, carried out exclusively via the internet, playing was impossible. They developed the DeCSS application that was subsequently massively distributed on the internet, making CSS redundant. DeCSS is now widespread in applications that make it possible to copy DVDs. The Oslo court of appeal recently found DVD Jon innocent of the accusations brought against him by the Hollywood film studios, which claimed that he had broken the law by publishing a program capable of unlocking CSS on the internet.

The internet introduces the risk of breaches, but several solutions are now on offer, notably for electronic commerce, that account for these risks. Online solutions for “ephemeral” key management are now available.
In effect, keys can only circulate during the transaction and the key is revoked once it has been completed.

Table 1: CSS

The DVD video was created in 1996 at the initiative of the industry, which saw it as a new product likely to prove popular with the public and thus to generate new business. The film industry, on the other hand, was not in favour of distributing its films in a digital format without protection against copying. The creation of a new format was the ideal opportunity to create a new protection system.

As the DVD was destined to be read both in consumer electronic devices and in computers, the security objective was to create a system suited for both of these environments. Protection in computers called for recourse to cryptography. The consumer electronics industry was unwilling to adopt this approach, believing that an encryption system would add to the complexity and overall cost of its systems.

The CPTWG (Copy Protection Technical Working Group), founded for this purpose, defined the security objectives as follows:
• The system should offer adequate technical and legal protection to help honest people stay that way (“keep honest people honest”), i.e. it should be difficult for the average user to circumvent.
• The system should offer adequate technical and legal protection against fatal piracy, namely against ways of bypassing protection.
• The system should be able to be embedded in consumer electronics devices and computers, without being expensive or overly complex to use.
• Licences should offer the system legal protection without being expensive.
• The system should be transparent when DVDs are played by consumers.

The CSS (Content Scramble System) was the global response to the CPTWG’s security specifications.
It was first produced by Matsushita and Toshiba, who proposed a specific and patented system that satisfied security objectives and was subsequently streamlined to cater for the needs of the IT industry sector that wanted to be able to compress MPEG-2 signals with a microprocessor.

The main features of the CSS are as follows:
• A hierarchical key system: data are encoded with variable sector keys, themselves encoded with a disc key, which, in turn, is encoded with a sub-set of 400 keys.
• A key length of 40 bits due to U.S. regulations restricting the export of encryption systems, with all encryptions carried out on the basis of the same algorithm.
• Encrypted key transmission: the DVD player transmits its keys to the playing application in an encrypted tunnel with a session key.

The CSS has been patented and licence management entrusted to the DVD CCA (DVD Copy Control Association). Licences are granted free of charge, provided that the playing devices conform with the following rights protection features:
• A technical measure for controlling digital copying: CGMS (Copy Generation Management System), including two bits that can take 4 values: copy_never (no copy), copy_once (one copy), copy_no_more (no more copying), copy_free (free copying), on a digital or analogue basis. This is the video equivalent of the SCMS (Serial Copy Management System).
• A technical measure for controlling analogue copying and copy degradation, specifically the activation by a pbit system (alternative or cumulative) of protection developed by Macrovision: the APS (Analog Protection System), copy degradation by application of Colorstripe.
• A technical identification measure: each DVD is provided with a unique identifier to control eventual copying.
• Management of geographical zoning.
Source: Technical measures for the protection of artistic works and DRM – Ministry for Culture and Communication

Watermarking and tattooing

Watermarking consists of embedding an imperceptible mark inextricably linked to content in an audio, video, image or data file. This tattoo contains information on the nature of file usage, its origin and notably information on rights holders, as well as rights management.

Fingerprinting is a watermarking technique that consists of creating a unique imprint on a file, an imprint attributed to a user and related to his/her rights, or to a form of data processing and usually to copying. Imprints and marks have to be encrypted. We apply encryption to watermarking and fingerprinting.

Fingerprinting is a watermarking application. The functions of the two procedures are complementary:
• Fingerprinting enables tracking of artistic works, as well as distribution control via identification.
• Watermarking enables the administration of proofs regarding an artistic work’s integrity, its origin, its ownership, the fact that it belongs to the rights system, control over reproduction, checking of modifications to information and alterations to artistic works.

Watermarking is not a technology that protects artistic works, yet the main applications initially developed pursued this objective. In spite of advances made in technical protection measures, watermarking continues to be used in combination with other protection measures, notably encryption.

Operating principle

Watermarking consists of adding a quantity of digital information to the digital signal (audio, video, image, text etc.) using an encryption algorithm called a "tattoo". These pieces of digital information are called digital watermarks.
The digital watermarks should be able to withstand the various operations performed on video, audio, text and image files such as compression, decompression, stretching, rotation, addition of noise and re-sampling.

Tattooing algorithms have undergone major changes to satisfy security objectives. The overall idea consists of introducing a bias in the statistical breakdown of the digital data of artistic works. This statistical bias serves to encode the information that is to be hidden almost invisibly. Methods for introducing statistical bias vary and notably depend on the nature of a work, namely whether it consists of images, audio or video flows.

However, these developments are not enough to ensure technical protection of the medium itself. This is why watermarking techniques are also related to both technical measures stemming from encryption and the protection of secret key systems:
• A secret tattooing key, which enables the content vendor to embed the tattoo in the artistic work
• A reading key that makes it possible to decode the tattoo.

Use

The tattooing technique is used to control recording, playing, identification of the rights system and rights use.

Use of watermarking involves the deployment of a watermarking detector in audio, video, text and image recording and playing tools. These tools must themselves be particularly well protected because communities of hackers can easily get hold of such a system, “dissect” it and find a computer security counter measure through close analysis.

Watermarking projects include:
• Secure Digital Music Initiative (RIAA and 200 companies),
• Certimark (INA, Netimage, Thomson CSF, Eurecom and the SACD),
• TALISMAN: Tracing Authors’ rights by Labelling Image Services and Monitoring Access Network (Programme IST).

Tattooing techniques make it possible to carry out digital rights management by describing the rights in the artistic work’s tattoo.
Rights management via watermarking must nevertheless be linked to the technical solutions introduced in recording and playing devices. These solutions have to implement the recommendations of the management system (counting of the number of authorised copies, prohibition of playing etc.).

For media already in circulation whose playing devices are already widely deployed (audio CD players, DVD recorders/players), it would seem too late to implement tattooing. The protection and consumer electronics industry is certainly thinking of the next generations of media devices that will be able to incorporate tattoos and that may possibly be managed via the internet. Users may nevertheless prove reluctant to equip themselves with restrictive devices.

Watermarking, in rights management, can also be used as digital evidence potentially linked with digital management and blocking or unblocking technical solutions. This digital evidence should authorise the work, date it, verify its integrity, count the number of times it is played, its recordings etc.

Against this background, fingerprinting is an effective tracking tool. It consists of integrating a login identifying the work holder in the digital watermark. Once systematic, fingerprinting could make it possible to discover who authorises the distribution of a work without the agreement of the rights holders. Fingerprinting is easier to implement on closed players like television sets. Introduced at source and combined with an encryption system, it constitutes an ideal solution.

In the framework of digital cinema in particular, fingerprinting should consist of embedding identification elements at each stage of the distribution chain. If fingerprinting were to be introduced from a private key uniquely linked to each device and secured so that it could not be circumvented, it would be likely to constitute evidence.
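
The operating principle described in this section (a key-dependent statistical bias that survives added noise) as an added sketch, not code from the study or from any of the projects it lists. Assumptions: a basic additive spread-spectrum scheme in which the same secret key serves as tattooing key and reading key; the host signal, parameters and names are constructed for illustration.

```python
import random

CHIPS_PER_BIT = 20000  # samples that carry one payload bit
STRENGTH = 3           # amplitude of the mark, small next to the host signal


def _chips(key: str, n: int):
    """Key-dependent pseudo-random +1/-1 sequence: the secret tattooing pattern."""
    rng = random.Random(key)
    return [1 if rng.getrandbits(1) else -1 for _ in range(n)]


def make_host(n: int, seed: int):
    """Constructed stand-in for audio samples or pixel values."""
    rng = random.Random(seed)
    return [rng.randint(-100, 100) for _ in range(n)]


def embed(samples, bits, key):
    """Bias each block of samples towards +pattern (bit 1) or -pattern (bit 0)."""
    need = len(bits) * CHIPS_PER_BIT
    if len(samples) < need:
        raise ValueError("host signal too short for the payload")
    chips = _chips(key, need)
    marked = list(samples)
    for i in range(need):
        sign = 1 if bits[i // CHIPS_PER_BIT] else -1
        marked[i] += STRENGTH * sign * chips[i]
    return marked


def degrade(samples, seed: int):
    """Processing the mark must survive: added noise, then coarse requantisation."""
    rng = random.Random(seed)
    return [4 * round((s + rng.gauss(0, 10)) / 4) for s in samples]


def detect(samples, n_bits: int, key):
    """Correlate each block with the key's pattern; the sign gives the bit."""
    chips = _chips(key, n_bits * CHIPS_PER_BIT)
    bits, scores = [], []
    for b in range(n_bits):
        lo = b * CHIPS_PER_BIT
        corr = sum(samples[lo + j] * chips[lo + j] for j in range(CHIPS_PER_BIT))
        score = corr / (STRENGTH * CHIPS_PER_BIT)  # near +1 or -1 if mark present
        bits.append(1 if score > 0 else 0)
        scores.append(score)
    return bits, scores


def presence(scores):
    """Mean absolute score: near 1 with the right key, near 0 otherwise."""
    return sum(abs(s) for s in scores) / len(scores)


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed rights identifier
    host = make_host(len(payload) * CHIPS_PER_BIT, seed=1)
    attacked = degrade(embed(host, payload, "vendor-key"), seed=2)
    bits, scores = detect(attacked, len(payload), "vendor-key")
    print("recovered:", bits, "presence:", round(presence(scores), 2))
    print("wrong key:", round(presence(detect(attacked, 8, "other-key")[1]), 2))
```

Each sample moves by only 3 units, yet the correlation over 20,000 samples stands well clear of the host signal and the added noise; without the key the same samples show no detectable bias.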

Medium access management: the disc

Faced with growth in the piracy of music CDs, giving rise to internet based exchanges via peer-to-peer sharing services, several companies have looked at technical solutions that prohibit playing an audio CD on a computer. If the content of a disc cannot be played on a computer, audio tracks cannot be saved and made available on the network. Similarly, if an audio CD cannot be played by a computer it is then impossible to make a copy using a CD burner, a very widespread piece of equipment on PCs and Macintosh computers. Midbar (acquired by Macrovision), SunnComm and Key2Audio (a Sony subsidiary) have developed this kind of solution.

The record majors equipped their discs with protection without taking the trouble of communicating this fact to consumers. The latter were caught off-guard in many cases and were not able to use their right to copy privately, or even play the CDs. Labels were subsequently stuck onto CDs as a warning to consumers. These practices have often proved unpopular and have further damaged the majors’ image with their clients. Furthermore, several protection systems make it impossible to play a disc on certain devices, including car radios and home stereos.

The impossibility of playing an audio CD on computer would have been very effective if:
• A common standard had existed when the record majors committed to CD protection in 2001. None of the existing technologies has achieved dominance among the record majors or smaller independent labels.
• It had been implemented by all industry players (in the record industry, consumer electronics and IT), regardless of their territory. In the age of the internet, when we talk of implementing a technical anti-piracy solution, this must be applied on a global level.
• There had been no incompatibility with certain car radios, DVD players compatible with audio CDs and even some home audio CD players.
• The robustness of certain solutions had not been tested so simply. To break the protective mechanisms of some discs, it was sufficient in some cases to make a felt tip mark or stick adhesive tape onto the easily identifiable protection area.

Technically the protection of audio CDs and even of certain video games involves introducing errors that CD players in personal computers do not know how to correct. The PC, as an open platform, reads data, audio and hybrid CDs (audio and data) whose encoding is different. Furthermore, it manages a multi-session system that consists of recording contents in several sessions. At each recording a table of content (TOC) is inscribed by the recording software on the CD. The TOC provides players with information on the location of contents (beginning and end of the audio track, for example).

Protection then consists of introducing errors in the TOC. The placing of tracks can thus be falsified, a solution selected by Midbar and Key2Audio, or the track format can seem false, a solution implemented by SunnComm. Other mechanisms consist of including errors in the audio encoding, which home players can correct by interpolation, but which generate errors or bugs in PCs. Most PCs cannot correct these errors, regardless of their simplicity.

However, software has been developed by the developer community to get around these protective measures. Thus a small application called ClonyXXL is responsible for detecting the type of protection on a CD and proposes to configure the recording software CloneCD. Moreover, some manufacturers of CD players for PCs are developing drivers for their equipment so that it can process errors and enable playing like home players.

In Japan, audio CDs are protected by Copy Control CD. More than 10% of new CDs use this protection. In South Korea, producers have adopted a technical solution proposed by the company Settec.
Nearly 30% of new audio CDs are now protected in South Korea. Korean companies wish to adopt non-Microsoft solutions. Many players are working on protection solutions:
• Dreamintech Corporation (www.dreamintech.com),
• Hanmaro Co. Ltd. (www.hanmaro.com),
• DigiCaps Inc. (www.digicaps.co.kr),
• Markany Inc. (www.markany.com),
• Coretrust Inc. (www.coretrust.com),
• Teruten Co. Ltd. (www.teruten.com).

In China, video content on physical support is protected by EVD technology.

The successors to the DVD

Work has already started on a replacement for the DVD. This new support will offer a greater storage capacity, a longer life time and improved security. Two consortia are competing to try and set the future video standard.

The first consortium is backing the HD DVD format, which is being developed by Toshiba, NEC and Sanyo. At the end of 2004, it received the backing of 4 U.S. film studios: Paramount Pictures (Viacom), Universal Pictures (General Electric), Warner Bros (Time Warner) and New Line Cinema (Time Warner). This group accounts for almost 45% of DVD sales in the USA. Although they support the initiative, this does not oblige these studios to adopt the new format.

The second consortium is at the origin of the Blu-Ray format. Formed by Sony and 12 other industry players (Dell, Hewlett-Packard, Hitachi, LG Electronics, Matsushita Electric (Panasonic, JVC), Mitsubishi Electric, Pioneer, Royal Philips Electronics, Samsung Electronics, Sharp, TDK and Thomson), the Blu-Ray Disc Association has 200 members. This format naturally enjoys the backing of Sony Pictures, as well as other content providers like Metro-Goldwyn-Mayer and Twentieth Century Fox (News Corp).

The founders of the two consortia have attempted to form an alliance, but have not been successful to date.

In terms of anti-copying protection systems, players in production have high expectations of the Advanced Access Content System (AACS).
This system aims to replace the CSS protection system cracked by the hacker DVD Jon. AACS seems to have won unanimous support. It is backed by IBM, Microsoft, Intel and Disney, as well as supporters of the HD DVD (Warner Bros and Toshiba) and Blu-Ray (Sony and Panasonic).

1.1.2. Digital Rights Management

Programming language: an indispensable standard

There are currently several DRM programming languages. They are mostly proprietary and each is trying to dominate as the standard. However, two languages based on XML (eXtensible Markup Language), ODRL and XrML, are seeing major developments and could mark two paths to standardisation, or at least the beginning of a turning point that will lead to standardisation.

Objectives of the DRM programming language

Functional objectives

The programming language should make it possible:
• To identify the work
• To identify rights holders
• To identify users
• To describe rights.

Strategic objectives

The DRM programming language should be perennial. To achieve this, it must be accepted by all consumer electronics industry players, IT specialists, content vendors and distributors. As a result, it must arise from a consensus, which is likely to emerge in a consortium. To be accepted by all players, it has to be simple, transportable, easy to parameterise and robust. To be perennial it has to be independent of the platform on which it operates, which does not prevent it from being able to develop. It will have to operate on different platforms or platforms will have to be made compatible with the programming language.

Two languages seem to satisfy these conditions: ODRL and XrML. These two languages are based on XML. XML is a simple, open language. It uses the semantics of tags whose field remains largely extensible. XML is enriching itself.
Tags make it possible to structure information and to ensure its conformity with predefined schemas. The markers of the XML language offer the option of tagging information while remaining comprehensible and clear. As a result ODRL and XrML directly enjoy the advantages of XML. These two meta-languages (language of expression of other languages) would seem bound to achieve dominance.

ODRL (Open Digital Rights Language)

ODRL 1.0 (http://odrl.net) was born of the fusion of the languages XMCL (eXtensible Media Commerce Language) by Real Networks and Nokia’s Mobile Rights Voucher (MRV). Its objective is clear: to offer a language compatible with existing DRM systems without a licence and free-of-charge by identifying objects and encryption. While it aims to bridge the interoperability gap between existing DRM systems, it may also be used in a specific DRM. It plans to achieve dominance by promoting its universality. Its role consists of ensuring universal understanding of commercial transactions. Its vision of DRM is described as horizontal.

Figure 1: Horizontal DRM
Source: Rights representation language– ENST Paris

ODRL is supported by Nokia (CE and mobile telephone manufacturer), Octalis, ViruosoMedia, Aegis DRM, Vienna University of Economics, Open IPMP, Metasoft, PurpleCast (content distribution), MarkTek (Watermarking), Arpasec (rights management), Simpsons Solicitors (legal service), Pipers (patents, copyright, authors’ rights) and OZAuthors (eBook contents). During the year 2003, ODRL was adopted by the OMA DRM and by DRM solution providers for mobile devices including BeepScience (Norway), End2End (Denmark) and Bertelsmann DWS (Germany).

XrML (eXtensible Rights Markup Language)

Presentation of XrML

DPRL (Digital Property Rights Language), which has become XrML, was conceived by Mark Stefik in 1994.
This engineer is the head of research at Xerox’s Palo Alto Research Center. The language developed by him makes it possible to define the restrictions attached to a digital file. It was the first significant initiative in the field of "Digital Rights Language", which gives DPRL the added advantage of being the first product on the market.

In 2000, Xerox created the company ContentGuard, which took over responsibility for its engineers’ work on DRM. Microsoft, a ContentGuard shareholder, mainly uses XrML. The Redmond company, together with Thomson, ended up acquiring ContentGuard under the suspicious gaze of the European Commission.

Like its competitor, XrML offers an extensible dictionary. On the other hand, XrML is not available free of charge. Technically, XrML is a universal method of specifying and managing rights, regardless of the digital resource. Unlike its competitor, it incorporates the possibility of recourse to an entrusted third party whose aim is to ensure that each party fulfils its obligations. That involves the implementation of a universal identification process of third parties authorised to intervene in commercial exchanges. XrML operates on a vertical DRM model.

Figure 2: Vertical DRM
Source: Rights representation language– ENST Paris

XrML was adopted as a component of the emerging standard MPEG 21, which gives it a clear advantage over its competitor. Other consortia, such as OASIS or the Content Reference Forum, are opting for these specifications. The list of XrML’s partners speaks for itself and includes Microsoft, Zinio Systems (eBook player), OverDrive (electronic publishing), Adobe Systems, Hewlett-Packard, Xerox, Dushkin McGraw-Hill (content aggregator), Barnes & Noble, John Wiley & Sons, RoweCom. These partners support the XrML project and are using its results. They are in the operational phase.
Functioning of XrML

As far as the identification of persons and resources is concerned, XrML ensures that this is based:
• Mainly on public key mechanisms. This system means that language users set up key management infrastructures.
• The authentication of persons and resources. Authentication aims to verify that the identity given by an individual or a resource corresponds to reality. In the identification process the same types of procedures are used to ensure authentication. A public key is required for these individuals, a digest or a signature for digital resources.
• The signature and encoding are based on the W3C standards currently being developed: XML-ENC for encoding and XML-SIG for the signature.

By way of example, XrML incorporates the following options:
• Management of playing, copying (including the generation of perfect sterile copies, a function available in the operations performed by Microsoft on its Windows Media Rights Manager portal) and the printing of text documents.
• Management of pay-per-use and notably of Pay per View.
• Management of the loan of a work and, for example, of a book: after acquiring an electronic book a user can loan this book to a third party for a limited period of time. When this period expires, the user can automatically re-use the book, while the third party no longer has access to it. This function of e-book loaning (Adobe or e-book) is notably implemented using software from the company Info2Clear. The company Medialive also has plans to extend the loaning of artistic works to films.

Copyright integration

Content integration

In order to manage the rights related to a piece of content, it is worth identifying what the content is and, subsequently, who holds the rights to it. In the field of music, the company Gracenote has developed a tool for recognising music tracks based on notes.
It is also developing a product in the field of video. Its vocation nevertheless remains recognition, not digital rights management:
• ISO numbers, like the ISBN (International Standard Book Number), an international standardised number that makes it possible to identify the title of a book or ISWC and ISAN numbers etc.
• The DOI (Digital Object Identifier), an international electronic document identification system developed by the AAP (Association of American Publishers) to protect copyright. The DOI is now oriented towards a single and permanent referencing system.
• The system for registering fixed digital images (photos, drawings, paintings, illustrations etc.). The number reveals the type of work in question, the country in which it was recorded according to ISA norms, the number of the registration authority and the sequence number of the file that the registration authority delivers. The number is inserted into the original file of digital content.
• Proprietary systems. Content vendors and distributors are free to use their own referencing system, in some cases jointly with the use of a standardised system facilitating exchanges.

The MPEG standardisation committee is working on the description and identification of digital artistic works, notably via the MPEG-7 groups dealing with meta-data and MPEG 21 part 2, dealing with the declaration of digital resources.

Embedding

The registration number of a work should be inextricable from the work. In the framework of embedding the identifier is always accessible by the identifier’s player after the digital file has been processed (analogue conversion/digital re-conversion, compression/decompression: to print an image then to scan it, film with a digital camera a film projected on screen, to record a piece of music played on a stereo with a microphone connected to a PC, to edit extracts of an image, video image or sound).
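Identification that survives processing is what the signature method of embedding discussed in this section relies on: the player computes a signature from the content itself and looks for the closest entry in a catalogue. The sketch below is an added example, not taken from the study or from any product; the energy-trend signature, the work identifiers, the test signals and the distance threshold are all constructed assumptions chosen to show why a nearest-match signature still identifies a processed copy when an exact digest does not.

```python
import hashlib
import math
import random

FRAME_LEN = 64      # samples per analysis frame
MAX_DISTANCE = 3    # largest Hamming distance still accepted as a match (assumption)

def synth(envelope):
    """Constructed test signal: one sine burst per frame, loudness set by the envelope."""
    return [round(level * 100 * math.sin(2 * math.pi * k / 16))
            for level in envelope for k in range(FRAME_LEN)]

def signature(samples):
    """One bit per pair of neighbouring frames: 1 if the energy rises, else 0."""
    energies = [sum(s * s for s in samples[i:i + FRAME_LEN])
                for i in range(0, len(samples), FRAME_LEN)]
    return tuple(int(b > a) for a, b in zip(energies, energies[1:]))

def exact_digest(samples):
    """Cryptographic digest of the raw samples: changes completely on any edit."""
    return hashlib.sha256(",".join(map(str, samples)).encode()).hexdigest()

def degrade(samples, silent_frames=(), seed=1):
    """Simulate processing: volume change, small noise, and frames cut to silence."""
    rng = random.Random(seed)
    out = [round(0.8 * s + rng.randint(-20, 20)) for s in samples]
    for f in silent_frames:
        out[f * FRAME_LEN:(f + 1) * FRAME_LEN] = [0] * FRAME_LEN
    return out

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def identify(samples, catalogue):
    """Return (identifier, distance) of the closest signature, or (None, distance)
    when even the closest one is too far away to be the same work."""
    sig = signature(samples)
    distance, work_id = min((hamming(sig, ref), wid) for wid, ref in catalogue.items())
    return (work_id, distance) if distance <= MAX_DISTANCE else (None, distance)

# Constructed catalogue: three works, each described only by a loudness envelope.
ENVELOPES = {
    "WORK-A": [5, 12, 3, 9, 16, 7, 2, 11, 18, 6, 14, 4, 10, 19, 8, 1, 13],
    "WORK-B": [15, 4, 1, 8, 3, 17, 20, 9, 5, 2, 12, 16, 6, 11, 19, 14, 7],
    "WORK-C": [2, 6, 10, 14, 18, 13, 9, 4, 1, 7, 3, 11, 15, 20, 12, 5, 17],
}
# Signatures are computed after the fact, without modifying the works.
CATALOGUE = {wid: signature(synth(env)) for wid, env in ENVELOPES.items()}

if __name__ == "__main__":
    original = synth(ENVELOPES["WORK-A"])
    copy = degrade(original, silent_frames=(3, 12))
    print("digest unchanged:", exact_digest(copy) == exact_digest(original))
    print("closest work    :", identify(copy, CATALOGUE))
    print("unknown content :", identify(synth([10, 1] * 8 + [10]), CATALOGUE))
```
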
Two methods are used to embed identifiers in content:
• Tattooing: this consists of tattooing the content with the identifier or tattooing an identifier reference on the content. The identifying player has the key to access the tattoo present on the content, to read it and go on to identify the work, in some cases by connecting to a reference data base.
• The signature: The rights holder calculates a signature for each work, purely from the information contained in the work. An identifier is attached to each signature. A modified piece of content does not generate the same signature as the original piece of content, but a signature that resembles this. The identifier player calculates the signature of the work, compares this signature with a base of signatures created upstream and looks for the signature that is the closest match, making it possible to subsequently access an identifier.

Two categories of signature exist. The statistic signature is based on a mathematical approach to the analysis of the digital signature. The semantic signature is calculated by taking content components as a basis (the number or timbre of instruments, the tempo, the melody for music, the corner position of objects in a video etc.)

Embedding by signature would seem to be a more robust solution than embedding by tattoo. A well-informed pirate can effectively eliminate a tattoo regardless of how difficult this may be. Pirating a signature, on the other hand, is equivalent to modifying the very nature of the content, of altering it, which finally makes the act pointless.

Should all content be made available digitally, identifiers could constitute significant catalogues that may prove difficult to manage in terms of access to and identification of protected content.
As a result, the bigger the catalogue of artistic works and the longer identification, the greater the incentive for rights managers to reduce the signature’s size to the detriment of the system’s robustness. The same applies to identification by tattoo technology, which is also subject to catalogue size, but nevertheless requires less calculation.

The signature has one key advantage over tattooing technology. All artistic works can be subject to a calculation of ex-post signature with the attribution of an ex post identifier. To tattoo a work, on the other hand, it is necessary to tamper with it before attributing an identifier.

Content encryption

Distribution, and notably distribution via the internet, of artistic works requiring DRM involves distributing two components. The first is the work and the second is composed of information on the rights related to the work to which the decoding key is attached. In general, the content itself is illegible or partly legible for commercial marketing reasons. The main point of this separation is that should rights be updated, it is not necessary for the distributor to resend the work a second time.

For the process to be efficient, the work must be encoded efficiently based on the hypothesis that no solution is completely reliable. Today’s trend consists of mechanically and randomly combining encoding possibilities with symmetrical and asymmetrical keys.

Delivery conditions

Delivery of concessions to the consumer in return for payment is generally centralised at the level of a rights server. This is owned by the rights holder or the distributor by delegation. The server receives all of the licences defined from the rights holders, with a language to describe the rights, in a generic manner for each work. It receives requests for concessions from users, accompanied by a payment in some cases.
It communicates the number of requests for concessions for each work and the total of the corresponding sums collected to rights holders and concession users.

In the case of deliveries of artistic works, the problem of personal data management arises. PRM (Privacy Rights Management) and DRM have to converge to find common ground as is already the case in the e-commerce sector. However, the digital distribution of artistic works, and notably of video content, comes under the category of audiovisual communication by law and involves respecting the privacy of individuals’ choices. In this respect it could be difficult to distribute content without guaranteeing the anonymity of clients. The concession management system must meet this requirement. It may be wise to call upon an independent authority that can certify the level of protection of personal data coming from a rights server and linked to the client data base of a rights holder.

Technically we can distinguish between three modes of personal data management in DRM:
• Decentralised systems: they do not possess a user data base and therefore preclude all risk of creation of files naming users. As with the Smartright system (www.smartright.org), personal data can be collected, but not passed onto the rights holder. They can be partially passed on, as recommended in the TCPA project.
• Partially centralised systems: they consolidate information related to purchases at an intermediate level or at the level of the end consumer. For example, VOD services by cable or satellite consolidate decoder data on the chip card.
• Centralised systems: these systems are incarnated by the Janus technology or Microsoft’s Palladium project, renamed Next Generation Secure Computing Base. The NGSCB is a physical system. If this system should be integrated with forthcoming computers and Microsoft operating systems, an independent body should intervene to guarantee the conditions of use of personal data.
Consumer associations should look unfavourably on the world’s office software and operating systems leader positioning itself at the heart of the centralised management system of data on business and usage by individuals.

Artistic works and rights distribution

Providers of DRM solutions are faced with a network and/or support problem. Contents are now distributed on several networks and optical supports. Two types of telecommunications network exist, closed networks (cable networks, satellite, terrestrial, fixed and mobile networks) and open telecommunications networks incarnated by the internet.

Distribution via networks

Closed networks seem to break all the rules as far as the categories of players involved are concerned. These categories include bouquet operators, television channels, telecommunications operators and more broadly, content providers, aggregators, vendors, distributors etc.

The work is sent via a non secured network on a closed device. The existence of a closed device authorises the incorporation of technical access measures in the device, which take the form of an electronic component and/or a chip card. Industry players link this technical access measure with technical protection measures and mainly with anti-copying measures. The encryption of measures caters for this double requirement.

Depending on the network, the devices are as follows:
• TV in the framework of a free television offering via the terrestrial network
• The decoder integrated or not in the case of a paying audiovisual offering (bouquet or channel) via cable network, satellite or terrestrial
• Mobile telephones and hybrid devices for GSM, GPRS and UMTS networks.
Audiovisual distribution

The players involved, of which some are present at different stages of the value chain in different business sectors, have a vested interest in opting for an interoperable solution given the convergence and nomadic nature of content. Furthermore, significant cost savings could be made in the production of electronic chips. Video distribution is primarily concerned because it is present on all devices mentioned above and is enjoying strong growth due to its attractiveness to the public.

On cable and satellite digital networks, programme security is ensured by a decoder and a chip card. Programmes are encrypted using the DVB algorithm. This key is itself encoded with an asymmetrical key. The chip card decodes the message containing the symmetrical key that represents the user’s rights to programmes.

The system offered by Medialive consists of cutting a piece of audiovisual content into two separate parts. The first part contains 90% of the content, but is illegible without the second. The second part of the content is not delivered unless the acquirer has made a payment. The player device compatible with Medialive verifies the validity if the

Internet distribution

The internet network is an open network whose major access device, the personal computer, is an open platform. This freedom enjoyed by internet users constitutes the richness of the network, but still prohibits the set up of a unique hardware protection and access system common to all players present. As a result, rights are procured via software solutions.

In the music sector it is particularly difficult to impose rights management upon users. Thanks to free tools that are easily available, these users can manipulate audio files as they wish and without any restriction linked to rights management.
The possibility of exporting files via identical copies, legally (MP3 players, recording on CD) or illegally (peer-to-peer exchange networks) from a personal computer (online exchange, recording, transfer) adds to the complexity of the problem.

The solution consists of trying to close a system designed to be open. As far as the PC is concerned, that is compromised because each closed, restrictive and paying solution corresponds to an open and free solution developed by a freeware community. However, these free solutions do not always respect rights holders and their users are aware of this. Content distributors have to double their efforts to divert internet users from such illegal uses. That is not impossible as shown by the economically efficient offers that are emerging. These are closed commercial offerings in an open system. The Windows Media Player by Microsoft is an excellent example of a closed system that is fighting its way through a jungle of open systems (cf. Microsoft monograph page 75).

Distribution on mobile telecommunications networks

With the advent of GPRS, EDGE and UMTS telecommunications networks, digital content distributors are going to have new business opportunities. Issues of content protection are going to arise when online content acquisition offerings emerge and already plague the distribution of ring tones, images and logos.

Like decoders, mobile telephones have a chip card. Content distribution and the rights management for this content on mobile telephones may well follow the example of the solutions implemented on the audiovisual distribution network. In the case of a purely software solution, the operator is neutral in terms of the protection system. Standardising work on this topic is being carried out by the Open Mobile Alliance.
Distribution on optical media

The optical media in question are those that host music (Audio CDs), video (DVDs) and software (CD-ROMs).

The case of music

The audio CD, created by Sony and Philips, has no innate protective mechanisms. It can consequently be endlessly copied without any technical restrictions and without the authorisation of rights holders. The audio standard came from the "Red book", which notably stipulates that its usable capacity is 750 Mb. Definition in the standard of this useable capacity limits industry players’ margin for manoeuvre to protect their disc. They are sometimes forced to go beyond the standard to insert a technical protection measure. This is the abusive practice that leads to the incompatibilities seen on certain devices.

The SACD (Super Audio Compact Disc), created by Sony and Philips, is trying to achieve dominance and replace the audio CD. The advantage of this optical support lies in 3 points:
• Thanks to the Direct Stream Digital (DSD) technology, it reconstitutes a high definition sound
• It has 6 recording channels equivalent to the sound bands of a DVD
• It has a storage capacity of 4.7 Gb
• It is protected.

The data inscribed on a SACD are encrypted. Contents cannot be interpreted unless the user has a decryption key. This key includes a part common to all SACD discs and a part appropriate to each track. The common part is found in the SACD players, physically inscribed in the player chip. The part specific to the track is inscribed on the disc in the form of a digital watermark with encrypted header data. These data that are necessary to play the disc indicate the number of tracks present, their duration and their position on the disc.

SACDs are only compatible with licensed SACD players. A SACD cannot be copied with a classic burner, as the latter is not capable of inscribing imprints on a blank support. There are SACD burners, but no plans to sell them to the public. Lastly, in all events, audio data remain encoded.
As a result, without the key inscribed partly on the SACD’s digital watermark and partly in the decoding chip of the player, the audio data are illegible.

The Audio DVD (DVD-A) is a standard published by the DVD Forum in 1999. It was deliberately made incompatible with video DVD players. The advantage for DVD-A player manufacturers was that households would have to purchase new devices. To interest consumers in this device, incompatibility was finally lifted at the same time as its protection mode. The effect was immediate and DVD-A sales took off. DVD-As are innately protected by CPPM technology (Content Protection for Prerecorded Media) developed by the consortium “4C entity.” It replaces the CSS2 technology that was initially planned for audio DVDs before CSS was cracked.

Video games

It is possible to combine an optical support and a DRM. Although it already exists in the music sector, it can be adapted to other types of content such as video games.

The developer Valve Software created the game Half-Life. The second opus of this game, very popular with hardcore gamers, was recently released worldwide. Produced by Vivendi Universal Games, the game has a draconian protection system conceived by Valve. The development studio has improvised as a secure content distribution solution publisher. It conceived a procedure called Steam.

Steam is an application that is installed on the hard disc of the PC that will host the game. It manages distribution of the game via the internet, its installation and launch. An internet connection is required to install the game. It is even preferable to play on a computer that is continuously connected to the internet, because Steam checks the validity of the product, the player’s identity and rights each time the game is launched. Players can play on an unconnected computer, but this procedure is laborious and fastidious.
Steam operates on an asymmetric key system. On installation of the game, players have to register with a rights procurement server. This communicates an identifier, a password and the key delivered with the game. The server identifies the content, authenticates the user, calculates his/her rights and communicates the key that decodes the game and enables its launch. If the registration phase is repeated by mistake, it automatically leads to blocking of the key and prohibits access to the game. Unblocking requires the creation of a new key by the Steam team.

In the music sector, TPMs and DRM are also offered simultaneously. For example the rap group IAM has sold a disc that gave access to an additional track available on the internet.

Rights authentication

Authentication can be carried out thanks to hardware, the chip card, integrated circuits or software. Card-based authentication systems are widespread in pay television and mobile telephony. The advantage of the chip card versus circuits incorporated in a device not connected to the internet lies in the possibility of modifying its content.

Hardware solutions provide more robust protection from the average pirate because they are more complex to thwart. Breaking hardware protection involves accessing the imprinted circuit and intervening in the latter. This calls for expert knowledge and specific equipment. To penetrate a software programme, on the other hand, it is easy to use a decompiler and carry out reverse community engineering.

Once the rights server has authenticated the user, it has to communicate the representation of the rights acquired by the user. The process of sending and storing the representation of rights is subject to the same restrictions as user authentication. As a result, proxy encoding can take place via hardware or software. It can also be incorporated into the authentication procedure.

Authentication and the secure transmission of rights representation lie at the core of security.
The following variants have been observed.

Table 2: Examples of security system implementation

Hardware implementation at the core of security:
• Distribution on optical supports: home DVD player; home SACD or DVD-A player
• Distribution on closed telecommunications networks: television decoder by cable or satellite equipped with a chip card
• Distribution via internet: player installed on a PC equipped with TCPA and Palladium

Software implementation at the core of security:
• Distribution on optical supports: DVD player installed on a PC
• Distribution on closed telecommunications networks: selected multimedia mobile telephones
• Distribution via internet: player installed on a PC, generally the case

Source: Work protection measures – Ministry for Culture and Education

Application of rights and management of digital copying of artistic works

Rights procuration

Once the phases of content identification, user authentication and transmission of rights and/or of the work are complete, the DRM system should enable the purchaser to apply his/her rights. That mainly consists of interpreting the rights acquired by the user and transforming them into playing instructions (decryption of the artistic work), copying (number of copies authorised), transfer and/or recording (recording right) etc.

It is the decoder that interprets and transcribes rights into instructions. It can be hardware or software. In the case of an optical support, the decoder consists of a technical protection measure. It manages access to content depending on the player device, as well as the copy.

A decoder receives and compares the representation of a user’s rights stored in its memory or in a data base on a rights server with an action that the user intends to carry out (playing, copying or transferring). If the action matches the representation, the action is validated and the decryption module decodes the artistic work.
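The decoder's comparison of a requested action with the stored representation of rights, including the copy limit and the time-limited loan mentioned under the XrML options, can be sketched as follows. This is an added example, not code from the study or from any DRM product: the XML vocabulary is a constructed simplification (it is neither ODRL nor XrML syntax), all identifiers and the key are constructed, and an HMAC over a shared secret stands in for the XML-SIG public-key signature that would protect the rights representation in transit.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SERVER_KEY = b"constructed-demo-secret"   # assumption: shared by rights server and decoder

# Constructed licence: identifies the work, the rights holder and the user, describes
# the rights, and carries the decoding key separately from the (encrypted) work.
LICENCE_XML = b"""<licence>
  <work id="urn:example:work:0001"/>
  <holder id="urn:example:holder:publisher"/>
  <user id="alice"/>
  <grant action="play"/>
  <grant action="copy" max-count="2"/>
  <grant action="loan" max-days="14"/>
  <content-key>00112233445566778899aabbccddeeff</content-key>
</licence>"""

def seal(licence_xml, key=SERVER_KEY):
    """Integrity tag the rights server attaches to the licence it issues."""
    return hmac.new(key, licence_xml, hashlib.sha256).hexdigest()

class Decoder:
    def __init__(self, licence_xml, tag, key=SERVER_KEY):
        # Verify before parsing: a modified rights representation is never interpreted.
        if not hmac.compare_digest(seal(licence_xml, key), tag):
            raise ValueError("licence failed integrity check")
        root = ET.fromstring(licence_xml)
        self.work = root.find("work").get("id")
        self.owner = root.find("user").get("id")
        self.grants = {g.get("action"): g.attrib for g in root.findall("grant")}
        self._content_key = bytes.fromhex(root.findtext("content-key"))
        self.copies_made = 0
        self.loan = None                  # (borrower, expiry) while a loan is running

    def _possessor(self, now):
        """Who may currently use the work: the borrower during a loan, else the owner."""
        if self.loan and now < self.loan[1]:
            return self.loan[0]
        self.loan = None                  # loan expired: rights return to the owner
        return self.owner

    def request(self, user, action, now, borrower=None):
        """Compare the intended action with the rights; True means validated."""
        possessor = self._possessor(now)
        grant = self.grants.get(action)
        if grant is None or user != possessor:
            return False
        if possessor != self.owner:       # a borrower may play, nothing else
            return action == "play"
        if action == "copy":
            if self.copies_made >= int(grant["max-count"]):
                return False
            self.copies_made += 1
        elif action == "loan":
            if borrower is None:
                return False
            self.loan = (borrower, now + timedelta(days=int(grant["max-days"])))
        return True

    def release_key(self, user, action, now):
        """Hand the key to the decryption module only for a validated action."""
        return self._content_key if self.request(user, action, now) else None

if __name__ == "__main__":
    d = Decoder(LICENCE_XML, seal(LICENCE_XML))
    t0 = datetime(2005, 8, 1)
    print("alice plays :", d.release_key("alice", "play", t0) is not None)
    print("copies      :", [d.request("alice", "copy", t0) for _ in range(3)])
    print("loan to bob :", d.request("alice", "loan", t0, borrower="bob"))
    print("alice, day 1:", d.request("alice", "play", t0 + timedelta(days=1)))
    print("alice, day15:", d.request("alice", "play", t0 + timedelta(days=15)))
```
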
The connection of devices to a network would seem to suggest real-time rights management and multiple procuration, depending on use, the time of usage, the number of usages and the nature of playing and the player.

Rights procuration via equipment interoperability

The digitisation of equipment leads to their interconnection and therefore to the possibility of carrying out identical copies of content. It involves the interconnection of consumer electronic equipment and the interconnection of IT equipment with consumer electronics equipment. The classic TV/video recorder combination is shattering and combinations are now multiple and fluid depending on the nature of the content (video/television programmes, games, music and software):
• TV/Home stereo
• PC/TV
• Camera/TV
• Decoder/Personal Video Recorder/TV
• Portable audio player/or video/PC/TV
• Mobile telephone /PC
• Home console /PC/TV
• PC/TV/Stereo system etc.

The PC plays a central role in these associations. As an open platform, it is potentially capable of connecting to all existing digital devices. It constitutes an open gate for content exchange thanks to its connection to the internet network and to content sharing software. The PC and internet network incarnate the risk for rights holders.

Interoperability, which for some companies including Sony constitutes at least a commercial argument if not a strong strategic positioning, makes it possible to set up a domestic equipment network. There are several connection standards that enable branded devices to connect. The USB and especially IEEE 1394 connectors, which formed the basis of the FireWire broadband transfer technology, authorise data transfer from one digital device to another for playing, storage, recording storage or burning. In this scenario, all types of combination must be anticipated and potentially secured.
Each new gateway presents the risk of a new breach. Effective management of rights to content can be ensured via the control of protocol transfers. To achieve this, the CE and IT worlds need to voluntarily and concertedly move towards implementing standards. In fact, only one device or piece of software needs to be insecure or compatible with other secure devices to cause a security breach in the network.

Moreover, it is futile to want to block the route that leads towards the compatibility of digital equipment, a sign of technical progress. Audio and video formats are paving the way for such compatibility. MP3 is achieving dominance, despite the initial lack of interest on the part of record producers in the Fraunhofer Institut’s code. Sony has now decided to make its equipment compatible with MP3, despite the fact that it has an in-house code. Similarly, the Divx and Xvid formats are becoming widely used and consumer electronics manufacturers are adapting to these usages born of IT.

Protecting the content in a domestic network means incorporating the means (hardware or software) of identifying content, authenticating users, instructing rights, renewing and even updating rights in each piece of equipment. This calls for:
• The introduction of a communication standard between equipment coming from different industries (CE or IT) in some cases
• Connection of one of the pieces of equipment to a network via which the representation of rights is administrated
• A DRM system that is understood and accepted by all players. A system accepted by all pieces of equipment.

The Smartright case

SmartRight is based on the idea that the content protection chain is not broken at any time. To this end, content is always encrypted on the domestic network (while it is stored or transferred from one device to another), until it is watched or heard by the consumer on a “restitution device” (such as a television set).
Decoding is enabled by a removable security module, such as a chip card inserted in the restitution device. We call this an end-to-end protection system, from content entering the digital home network to its restitution, via its possible storage.

The SmartRight system creates a secure environment. It makes it possible to record encrypted content, but prohibits playing if the content is not legal. Illegal content is a copy that is not authorised by the holder of the rights to this content.

SmartRight is neutral with regard to conditional access systems or digital rights management and accepts content distributed free-of-charge. It respects U.S., European and Japanese standards. It defines a common syntax for SmartRight content in order to ensure interoperability and defines an applications interface (API, Application Programming Interface) with today’s major conditional access and digital rights management systems.

There are several digital interfaces, available as standards for interconnection between standards. The SmartRight system can be used with any bi-directional interface, in the present or the future.

The SmartRight system can co-exist and interoperate with all current content protection systems: “import” and “export” are defined between SmartRight and the other content protection systems that co-exist with SmartRight on the same digital domestic network in order to respect rules of use related to content. These rules are defined by the content owners and distributors. For example, in the case of content distributed free-of-charge terrestrially, the operator can decide that its contents will be designated as “impossible to copy” content once it leaves the SmartRight domain, or that it will not be able to leave this domain at all. Furthermore, all watermarking systems can be used as a complement to the SmartRight system.
Devices can be equipped with removable modules, such as chip cards, that conform to international standards. Given that any content protection system can be pirated in time and with sufficient resources, renewal of the module is particularly apt and preferable to other alternatives that use secrets directly incorporated into devices and which thus involve the onerous revocation of devices in cases of piracy.

The diagram below represents a basic SmartRight architecture. There are 2 main fields of protection:
• In the first domain contents are protected by a private conditional access system or digital rights management, while they are distributed to consumers. In this context, pre-recorded encrypted media (such as DVDs) are considered as a source of conditional access.
• In the second domain the SmartRight system protects content once it is on the domestic digital network via the intermediary of an “access device” (such as a decoder or DVD player, for example).

Figure 3: SmartRight system architecture
Source: www.smartright.org

All SmartRight content that is not free is associated with a given domestic network and, as a result, can only be used on this network. However, a domestic SmartRight network can also include external mobile devices related to this network, such as a portable music player or a device in a car, as well as devices in a second home that belong to the initial network owner. In other words, the SmartRight system protects the content used in a second home, as well as the mobile devices (such as an MP3 player) that have been connected at least once to the reference network. It is not necessary to have a permanent connection.

All of these devices that share the same secret constitute a private domestic network on which content is available for private use, but only according to the rights attributed.
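The domain binding described in this section can be modelled in a few lines. The following is an added example, not code from the study or from the SmartRight specification: the message layout, the HMAC-based stand-in cipher, the rule string and all names are assumptions made for illustration. It shows content entering the network encrypted, a removable module rendering it only when it holds the network secret, and a module accepting one network at a time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher."""
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                    for i in range((n + 31) // 32))[:n]


def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # The length prefix keeps the aad/ciphertext boundary unambiguous.
    return _prf(_prf(key, b"mac"), nonce + len(aad).to_bytes(4, "big") + aad + ct)


def seal(key: bytes, data: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; aad is authenticated but not encrypted."""
    nonce = os.urandom(16)
    pad = _stream(_prf(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, pad))
    return nonce + ct + _tag(key, nonce, aad, ct)


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag before decrypting; wrong key or altered aad is refused."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        raise PermissionError("not bound to this network, or altered")
    pad = _stream(_prf(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))


@dataclass
class ProtectedItem:
    rules: bytes        # usage rules set by the content owner or distributor
    wrapped_key: bytes  # content key sealed under the network secret
    ciphertext: bytes   # content sealed under the content key


def ingest(network_secret: bytes, content: bytes, rules: bytes) -> ProtectedItem:
    """Access device: content is encrypted as it enters the home network."""
    content_key = os.urandom(32)
    wrapped = seal(network_secret, content_key, aad=rules)  # rules bound to key
    return ProtectedItem(rules, wrapped, seal(content_key, content))


class SecurityModule:
    """Removable module of a restitution device; one network at a time."""
    _secret = None  # no network until join() is called

    def join(self, network_secret: bytes) -> None:
        if self._secret is not None:
            raise RuntimeError("module already belongs to a network")
        self._secret = network_secret

    def render(self, item: ProtectedItem) -> bytes:
        if self._secret is None:
            raise PermissionError("module belongs to no network")
        content_key = unseal(self._secret, item.wrapped_key, aad=item.rules)
        return unseal(content_key, item.ciphertext)


def refused(module: SecurityModule, item: ProtectedItem) -> bool:
    """True when the module declines to decrypt the item."""
    try:
        module.render(item)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    home = os.urandom(32)  # constructed network secret
    tv, visitor = SecurityModule(), SecurityModule()
    tv.join(home)
    visitor.join(os.urandom(32))  # module bound to a different network
    item = ingest(home, b"constructed sample", b"copy=never-on-export")
    print(tv.render(item), refused(visitor, item))
```

Because the usage rules are authenticated together with the wrapped content key, editing the rules on a stored item makes every module refuse it, including those of the home network.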
A SmartRight device can only belong to one private home network at any given time.

The 5C entity consortium has developed the DTCP standard (www.dtcp.com).

1.2. Legal background

This chapter aims to offer a concise overview of the various legal concepts often associated with DRM issues, piracy, content distribution etc.

We will primarily cover “artists’ rights” and copyright. These are the two most common systems of protecting artists and their works. We will subsequently present the various treaties, laws and directives related to the protection of artistic works in the information society that are already in effect or in the course of being passed.

This introduction is vital in the framework of a study on DRM and technical protection measures. “Artists’ rights” lie at the heart of DRM issues. Their variable nature according to circumstances, as well as the way in which the copyright concept is applied, impacts the nature of DRM, technical protection measures and thus their deployment in the digital world.

The loopholes and/or irregularities in the law in terms of accounting for wild and massive exchanges on the internet, notably via peer-to-peer software, do not promote consumers’ acceptance of DRM. DRM cannot compensate for the shortfalls of the law and replace the law as content producers and vendors would like it to. The legislator therefore plans to modify laws governing artistic works, their publication, performance and reproduction in the digital world, without necessarily calling into question consumers’ existing rights, while protecting authors and rights holders.

However, the treaties of the WIPO, and their transposition in the USA and Europe, seem to want to legitimise technical protection measures and DRM as insurmountable obstacles that take precedence over any exceptions to the rules.

1.2.1. The protection of artists and their works

The protection of a work differs from one nation to another.
We can nevertheless identify common international principles based on the Bern convention (1886). This convention lays the foundation for the protection of artistic works that leads to the construction of the WIPO (World Intellectual Property Organisation). It offers a protective framework for literary and artistic works including writing and literary works, architectural works, graphic and applied arts. Ultimately, Anglo-Saxon law favours the notion of copyright, whereas other countries, including France, favour the notion of “artists’ rights.”

“Artists’ rights”

In France, the Intellectual property code [2] defines artists’ rights. This legislation conforms with the Directive 2001/29/CE that harmonises the protection of artists’ rights in the European Union.

Definition
• Artists’ rights refer to all laws for creators governing their literary and artistic output.
• Artistic works protected by “artists’ rights” include:
  • Books, brochures and other literary, artistic and scientific writing
  • Dramatic works or musical dramas
  • Choreographies, circus acts and tours and pantomimes whose enactment is set out in writing or otherwise

[2] The intellectual property code is a French legal document created by law Nr. 92-597 of July 1st 1992 related to the intellectual property code published in the Official Journal of July 3rd 1992. It covers most of the old laws governing the two branches of intellectual property, which constitute industrial property and literary and artistic property. It is regularly updated by the French parliament.
http://www.legifrance.gouv.fr/WAspad/VisuArticleCode?commun=&code=&h0=CPROINTL.rcv&h1=1&h3=8

  • Musical compositions with or without words
  • Films and other works consisting of animated sequences of images, with sound or silent, collectively referred to as audiovisual works
  • Drawings, paintings, architectural projects, sculptures, engravings and lithography
  • Graphic and typographic works
  • Photographs and works carried out using techniques similar to photography
  • Applied arts
  • Software, including preparatory design work.

Moral and patrimonial rights

Artists possess two types of rights, moral and patrimonial rights.

Moral rights

Moral rights protect the artist’s “personality” as well as his/her work.
• The right to disclosure: this recognises the artist’s right to decide when s/he wishes to disclose his/her work to the public
• The right to authorship: the artist has the right to claim authorship of his/her work.
• The work’s right to integrity: the artist can oppose any modification, deformation or changes to his/her work
• The artist’s right to oppose any stain on his/her honour or reputation.

The moral right to an artistic work belongs to its author and cannot be bought or sold. It can nevertheless be bequeathed to a beneficiary. Moral rights are subject to no time limits.

Patrimonial rights

Patrimonial rights concern the commercial use of an artistic work. The “artists’ rights” belonging to the artist include the rights to performance and reproduction.
Performance consists of the communication of the work to the public by any means and especially:
• By public recital, poetry reading, dramatic performance, public presentation, public screening and transmission of an artistic work broadcast in a public place
• By broadcasting, including all telecommunication processes involving sounds, images, documents, data and messages of all types including the emission of an artistic work to a satellite.

Reproduction involves the material fixing of the artistic work by all procedures making it possible to communicate the work to the public indirectly. This can notably be carried out by printing, drawing, engraving, photography, moulding and any graphic or plastic arts procedure, mechanical recording either on film or record.

Any complete or partial performance or reproduction of an artistic work without the consent of its author, rights holders or assignees is illegal. The same applies to the translation, adaptation, transformation, arrangement or reproduction using an artistic medium or any type of procedure.

Performance and reproduction rights can be sold free-of-charge or subject to payment. The sale of performance rights does not override that of reproduction rights. The sale of reproduction rights does not override that of performance rights. When a contract includes the full sale of one of the two rights referred to in this article of the law, its scope is limited to the modes of distribution specified in the contract.

Patrimonial rights last for 70 years after the artist’s death. In the case of an audiovisual work, a collaborative work, the same rule applies but collaborators are individually named: the script writer, the author of the words, the author of musical compositions and the main director.

In the case of recordings (such as songs), the expiry date is only 50 years after recording.
Exceptions to “artists’ rights”

The law provides for a certain number of exceptions to the principles of “artists’ rights” including:
• Private and free performances made in a family context only.
• Copies or reproductions strictly reserved for the copier’s private use and not destined for collective use, with the exception of copies of works of art destined to be used for ends identical to those of the original work and copies of software other than the back-up copy established in the conditions specified by article L 122-6-1, as well as copies or reproductions from an electronic data base.
• Provided that the artist’s name and source are clearly acknowledged:
  • Analyses and short quotations justified by the critical, polemical, educational, scientific or informative nature of the work in which they are incorporated.
  • Current affairs magazines
  • The distribution, even in their entirety, of public speeches given at political, administrative, judicial and academic gatherings, as well as public meetings of a political nature and official ceremonies via the press or broadcasting with a view to informing the public of current affairs.
  • Entire or partial reproductions of graphic or plastic art works to figure in the catalogue of a sale by order of the court in France for examples made available to the public prior to the sale with the sole aim of describing the works of art for sale.
• Parody, pastiche and caricature within the rules of the genre.
• Actions necessary to access content from an electronic data base for the needs and within the limits of usage specified by contract.

Neighbouring rights

Since the law of July 3rd 1985, literary and artistic property has been extended to activities related to “artists’ rights.” So-called neighbouring rights for performers, producers and audiovisual communication companies have been recognised.
These are autonomous rights that can be exercised without impacting “artists’ rights.” The duration of the protection granted is 50 years as of January 1st of the calendar year following the first communication of the work to the public.

Copyright

Definition and nature of protection

Legislation on U.S. copyright comes from the Copyright Act (http://www.copyright.gov/title17/).

In Anglo-Saxon countries the notion of copyright replaces the concept of “artists’ rights.” It protects the authors of original literary, dramatic, musical and artistic works. Copyright applies to artistic works captured on a material medium, a legacy of the Berne convention.

Copyright legislation recognises the artist’s paternity as creator of a work, but does not consider other moral rights as presented in French law on “artists’ rights.”

As far as distribution of an artistic work is concerned, copyright gives rights holders the exclusive right to exercise and authorise third parties to carry out the following acts:
• Reproduce the work
• Prepare projects based on the original work
• Distribute copies of the artistic work to the public (sale, rental, loan) in any form
• Perform the work in public.

Exceptions to exclusive rights from copyright

"Fair use"

Use of an artistic work in the form of reproduction by copying or a recording cannot be considered illegal in the following cases:
• Criticism
• Commentary
• Journalistic information
• Teaching (including multiple copies for a class)
• University studies and research.

This list is not exhaustive. Furthermore, it is not enough to use an artistic work in one of these contexts for this usage to be classed as "fair use".
Table 3: Comparison of two theoretical models

Naturalist laws (royalties) | Positivist laws (copyright)
Natural property | Legal monopoly
Moral justification | Economic justification
Primacy of the artist’s private interests | Pre-eminence of public interest
Assumed conformity with public interest | Conflict with public interest
Justice of automatic protection | Security of formalities
Rights of creator (physical individual) | Rights of the entrepreneur (moral individual)
Limitation of protected works; subjective originality; personality and creativity | Large range of works; objective originality; work and skill
Moral and economic prerogatives | Exclusively economic prerogatives
Long duration of protection calculated on the basis of the creator’s death | Short duration of protection calculated from the publication of the work
Exclusive rights; absence of involuntary licence | Right to compensation; several involuntary licences

Source: CEPV

Four criteria are used to validate the proper use of a work:
• The aim and nature of the usage: a commercial usage can more easily be judged as a violation of copyright law. An educational use can more easily be considered as fair use.
• The nature of the artistic work protected: this involves appreciating the proportion of creativity in a work. The greater the proportion of creativity, the more the work has to be protected.
• The quantity and the importance of this proportion versus the entirety of the work: a quotation from a text may be deemed fair, as may a clip from a film. As far as audio recording is concerned, the authorisation of rights holders is required regardless of the duration of the copy. Lastly, a poor quality copy of an image can be deemed fair.
• The consequences of this usage on the potential market and on the value of the work of art protected. This involves estimating the direct and indirect impact of the use of copying on the economic and financial resources of rights holders.
There are other exceptions to and restrictions on exclusive rights involving libraries and not for profit public archives, the reproduction of an artistic work in a new form for a handicapped public and the visible architectural reproduction of a public place.

1.2.2. International legal frameworks

WIPO (World Intellectual Property Organization) treaties

On December 20th 1996, the World Intellectual Property Organisation drew up 2 texts:
• The WCT (http://www.wipo.int/treaties/fr/ip/wct/index.html)
• And the WPPT (http://www.wipo.int/treaties/fr/ip/wppt/index.html).

51 countries have ratified the WCT and 49 the WPPT to date.

The former concerns the protection of artists and their works, while the latter covers the protection of performers and producers. The treaties include suitable international standards both for “artists’ rights” and the protection of performers and phonogram producers. They meet the challenges created by the use of new technologies and networks.

"The treaties do not take precedence over national laws, but require the countries that sign up to them to accord a minimum of certain specific rights on a non-discriminatory basis."

The two treaties came into force in 2002 after 30 countries had ratified them.

The WIPO Copyright Treaty

In order to ensure uniformity and efficient protection of artists, the WIPO suggests international rules that take into account the major changes occurring in the information society and telecommunications regarding the use of literary and artistic works. The WCT is a special settlement based on the Bern convention for the protection of literary and artistic works.
Two of its articles state the need, and the obligation, to implement tools to fight the neutralisation of technical measures to protect artistic works, the distribution of works without the agreement of the rights holders and the modification of information related to the rights system pertaining to an artistic work in a digital format.

Article 11
Obligations related to technical measures:
"The contracting parties must make provision for suitable and effective legal sanctions against any person that commits one of the following acts in the knowledge, or as far as civil sanctions are concerned, having good reason to believe that this act will lead to, enable, facilitate or hide the impeachment of a law set down by this treaty or the Bern Convention."

Article 12
Obligations related to information on the legal system:
1) The contracting parties must make provision for suitable and effective legal sanctions against any person that commits one of the following acts in the knowledge, or as far as civil sanctions are concerned, having good reason to believe that this act will lead to, enable, facilitate or hide the impeachment of a law set down by this treaty or the Bern Convention:
  i) To delete or modify any information relating to the rights system presented in an electronic format without authorisation
  ii) To distribute, import with a view to distribute, broadcast or communicate to the public works of art or examples of these works without authorisation and in the knowledge that information related to the rights system presented in an electronic form have been deleted or changed without authorisation.
2) In this article, the expression “information on the rights system” means information enabling identification of the artistic work, its author, the rights holder to the work or information on the terms and conditions of use of the work and any number or code representing such information, when any of these pieces of information is attached to an example of the work or appears in relation to the communication of a work to the public.

A declaration by all member states of the WIPO in the WCT confirms that the storage of a protected work on an electronic medium is a reproduction.

"The right to reproduction stated in article 9 of the Bern Convention and the exceptions to which it may be subject are fully applicable in a digital environment, especially to the use of works in a digital format. It is understood that the storage of a protected work in a digital form on an electronic medium constitutes a reproduction in the sense of article 9 of the Bern Convention."

WIPO treaty on performances and phonograms or the WPPT (WIPO Performances and Phonograms Treaty)

The WPPT is based on the Rome Convention (1961) on the protection of performers, phonogram producers and broadcasting organisations. Two articles of the WPPT deal with technical measures and their circumvention.
Article 18
Obligations related to technical measures:
“The contracting parties must make provision for suitable and effective legal sanctions against the neutralisation of the effective technical measures implemented by performers or phonogram producers in the context of them exercising their rights accorded by this treaty and which restrict the committal of acts pertaining to their performances or phonograms that are not authorised by the performers or phonogram producers in question or permitted by the law.”

Article 19
Obligations related to information on the rights system
1) The contracting parties must make provision for suitable and effective legal sanctions against any person that commits one of the following acts in the knowledge, or as far as civil sanctions are concerned, having good reason to believe that this act will lead to, enable, facilitate or hide the impeachment of a law set down by this treaty
  i) To delete or modify any information relating to the rights system presented in an electronic format without authorisation
  ii) To distribute, import with a view to distribute, broadcast or communicate to the public works of art or examples of these works without authorisation and in the knowledge that information related to the rights system presented in an electronic form have been deleted or changed without authorisation.
2) In this article, the expression “information on the rights system” extends to information making it possible to identify the performer, the performance, the phonogram producer, the phonogram, the rights holder for the performance or phonogram and any number or code representing such information when one or any of these elements is attached to the copy of a performance or an example of a phonogram or appears in relation to communication to the public or the making public a performance or a phonogram.

The Digital Millennium Copyright Act (DMCA)
http://www.copyright.gov/legislation/dmca.pdf

The DMCA is a federal law.
It was passed on October 28th 1998. The DMCA amended the Copyright Act and adapted it to meet the challenges of new technologies and the obligations imposed by the treaties of the WIPO adopted by the diplomatic conference on certain “artists’ rights” and neighbouring rights issues on December 20th 1996.

The DMCA protects the technical and technological means of “artists’ rights” management by:
• Sanctioning of all neutralisation of technical measures implemented by artists in order to ensure the protection of their works
• Sanctioning of the deletion or modification of mentions related to the ownership of rights to the work
• Prohibition of the manufacture of certain products enabling the circumvention of digital protection.

These aspects of the DMCA conflict with the exceptions to copyright, namely “fair use.” Furthermore, the DMCA’s provisions concerning the neutralisation of the technical measures implemented to protect digital content make this exception obsol