DRM for Mobiles by fjzhangm


Jani Suomalainen Post-Graduate Student Telecommunications Software and Multimedia Laboratory Helsinki University of Technology Jani.Suomalainen@iki.fi

Mobile terminals with advanced multimedia and networking capabilities introduce new business opportunities by enabling the provisioning of rich content such as games and multimedia to mobile users. However, content piracy is seen as a major obstacle to realizing these business prospects. Different mechanisms have been proposed to prevent uncontrolled use of content. This paper takes a look at the economic environment and business strategies for content provisioning in the mobile environment, and surveys standardization work and existing solutions for protection. The paper finds that existing technical and social protection solutions are insufficient to weed out piracy completely. However, with widely adopted and flexible digital rights management mechanisms, targeted at making the use of pirated content more awkward, it is possible to achieve additional piracy-free time and guide honest users towards user-friendly legitimate content.

Key Words
Mobile business, copyrighted content, DRM

1. Introduction
The emergence of advanced mobile terminals with open platforms and multimedia output capabilities has brought a rich set of applications within the reach of mobile users. Terminals open to ring tones, music and video tracks as well as programs and games have opened new business opportunities for content producers and providers. In order to realize these promises at full scale, the mobile industry must face the challenge that started to harm the PC industry earlier: how to manage digital rights so that content cannot be used in an uncontrolled manner. To solve this problem, i.e. to handle copyrighted digital work according to restrictions set by the owner of the rights to the work, various digital rights management (DRM) mechanisms have been proposed. This paper takes a look at DRM from the mobile terminal's point of view. Section 2 presents the main elements of mobile content distribution and DRM. Section 3 presents a literature survey on different solutions for protecting DRM systems from identified attacks. In Section 4, the economic drivers of the DRM field are analyzed using the system of innovation framework (Edquist 2003) in order to identify actors and their relationships. The conclusions provide a summary and predictions of mobile DRM's present and future.

2. Provisioning of Copyrighted Content

2.1. Digital Rights Management
Digital rights management refers to technologies that are used to provide and store content in such a manner that its use and copying are authorized and controlled. Key issues for DRM are provisioning strategies for copyrighted content and the security issues of mandating that copyrights are followed. These issues are discussed, respectively, in the following subsections and in Section 3.

2.2. Distribution Models
Users may have diverse needs for using content with their mobiles. DRM systems should preferably not limit too much the ways in which content can be consumed. To analyze the ways content is used with mobile terminals, the de facto standardization body Open Mobile Alliance (OMA) has identified several models for distributing content (OMA 2004a):

- Basic download model is the use case where content is downloaded from a network server. The download can be initiated from a terminal, so that content is pulled. Alternatively, the download can be based on a subscription where a server pushes content to a terminal. After download, content can be used in the terminal to which it was loaded, according to rights set by content providers. Rights are tied to the device and can limit the time of content usage. For instance, a forward-locked game cannot be shared with other devices and may be usable only for some evaluation period until additional rights are purchased.
- Super distribution is a content delivery strategy where content objects can be passed from mobile device to mobile device through any channel. However, associated rights may limit the use of content. For example, a user might receive a music clip from a friend and be able to listen to it once; after that, more playing time would have to be purchased to play it again.
- Streaming of protected content is a scenario where content is consumed directly from a server without storing permanent copies of content in the terminal's memory.
- Domain delivery enables a user to use the same content object with a group of devices. For example, the same media clip could be used in every terminal and appliance owned by the user. This scenario also enables the user to download content objects through intermediate devices such as personal computers.

2.3. Delivery Channel
Content can be delivered to terminals through various channels. There exist industry and standardization efforts specifying means to deliver DRM content on hardware modules. For instance, 4C Entity has defined the Content Protection System Architecture (4C 2000) for a comprehensive DRM system. Within this framework they have included standards for delivering content on pre-recorded media and on recordable media such as optical disks and flash memories, as well as standards for delivering content over networks. The OMA standardization work has concentrated on over-the-air delivery of content. However, in addition to delivering new content to devices, OMA identifies some special needs for handling content. These include the backup of content as well as exporting content to other DRM systems, enabling e.g. over-the-air downloaded content to be written into removable memory.

3. Building Blocks for Protection

3.1. Protection for Mobile DRM Systems
DRM systems limit the use of content and, consequently, must survive in a hostile environment. Attackers may take copies of the transport medium (like media cards). Copies can also be stolen from a terminal's local memory or from the analog channel when content is consumed. This stolen content can then be reverse engineered and tampered with (in order to remove copy protection mechanisms or to utilize program design intent in competing programs) and distributed to other users through darknets (like peer-to-peer networks or pirate memory card manufacturers). In essence, threats to mobile terminals are the same as in the fixed Internet field. Differences from the PC field are mainly related to implementation limitations caused by resource limitations in mobile terminals.

The end-to-end solution for content protection can be based on different combinations of various mechanisms, i.e. building blocks. Figure 2 lists the identified building blocks and some threats they can be used to defend against. These building blocks are described in the following subsections and categorized according to the time when the protection applies, i.e. whether a mechanism is proactive, protects content delivery, protects content usage or is targeted at the phase when content has already been stolen.

2.4. Content and Rights
In addition to delivering content, DRM systems should be capable of handling mandatory policies, i.e. rights, associated with content and set by content owners. In essence, terminals must enforce rights, which can be delivered to terminals either with content or separately. Therefore, DRM data consists of two principal elements: content and rights information. The OMA architecture version 2 (OMA 2004b), illustrated in Figure 1, separates content objects from rights objects, enabling the distribution use cases presented before. Usage rights are expressed in an XML-based language, and content is delivered using a specific payload type that identifies the object as DRM data.
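The following sketch is an added example, not part of the original paper or of any OMA specification. It shows a terminal-side agent enforcing a separately delivered rights object for the "play once, then buy more" case of Section 2.2. The XML element names, the shared device key and the HMAC seal are assumptions made for illustration and stand in for the real rights language and key management.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: a simplified rights object. Element names are
# hypothetical and are NOT the actual OMA rights expression language.
SAMPLE_RIGHTS = b"""<rights id="ro-0001">
  <asset>cid:clip-42</asset>
  <permission type="play">
    <count>1</count>
    <not-after>2004-12-31T23:59:59+00:00</not-after>
  </permission>
</rights>"""

DEVICE_KEY = b"constructed-device-key"  # assumption: shared with the rights issuer


def seal(rights_xml: bytes, key: bytes) -> bytes:
    """Issuer side: MAC the rights so the terminal can detect tampering."""
    return hmac.new(key, rights_xml, hashlib.sha256).digest()


class DrmAgent:
    """Terminal side: enforces rights delivered separately from the content."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = {}    # (rights id, action) -> uses consumed so far
        self._rights = {}  # asset id -> (rights id, parsed permissions)

    def install(self, rights_xml: bytes, mac: bytes) -> bool:
        # Verify before parsing, so only authenticated XML reaches the parser.
        if not hmac.compare_digest(seal(rights_xml, self._key), mac):
            return False  # modified or forged rights object
        root = ET.fromstring(rights_xml)
        perms = {}
        for p in root.findall("permission"):
            count = p.findtext("count")
            limit = p.findtext("not-after")
            perms[p.get("type")] = (
                int(count) if count is not None else None,
                datetime.fromisoformat(limit) if limit else None,
            )
        self._rights[root.findtext("asset")] = (root.get("id"), perms)
        return True

    def authorize(self, asset: str, action: str, now: datetime) -> bool:
        if asset not in self._rights:
            return False  # content without rights stays locked
        rights_id, perms = self._rights[asset]
        if action not in perms:
            return False  # permission never granted
        count, not_after = perms[action]
        if not_after is not None and now > not_after:
            return False  # time-limited right has expired
        used = self._used.get((rights_id, action), 0)
        if count is not None and used >= count:
            return False  # count exhausted; more rights must be purchased
        # Usage is keyed by rights id, so re-installing the same rights
        # object does not reset the counter.
        self._used[(rights_id, action)] = used + 1
        return True
```

The usage counter is the part that needs protected storage on a real terminal: if the owner can roll it back, a count constraint is not enforced.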

3.2. Society and Legislation
Content producers have the ethical principles commonly accepted by society on their side, and they are given a legislative monopoly to produce copies of their creations. In general, most people respect others' property and in return get the same protection for their own property. Unfortunately, digital copyrights are not directly seen as comparable to material property, since common people do not have intellectual property of their own (Scott 2001). Consequently, legislation, particularly the threat of punishment for copy protection violations, is commonly used as a proactive means to restrict copyright violations.

3.3. Secure Delivery
DRM delivery mechanisms should enforce that content cannot be used or copied without rights. Users' access to DRM content can be based, e.g., on two delivery related strategies:

- possession of a trusted hardware module,
- possession of decrypting keys.

Figure 1. OMA DRM Functional Architecture

In 4C Entity's content protection system architecture, rights are embedded in content by utilizing information hiding technologies (watermarks), thus making rights invisible to end-users.

Mobile users may want to minimize the number of external hardware modules. Hence, encrypted over-the-air delivery is seen as prominent for networked mobile devices, and this mechanism is also used in OMA. Implementing cryptographic means in mobile terminals may, however, be problematic due to limited processing and memory capacities.

Key management is a means to control access to encrypted content. Encryption keys should be distributed to content providers, and mobile terminals should have the corresponding decryption keys. Content Management License Administrator (CMLA), a cooperative body of manufacturers and content providers, implements key management for OMA version 2 by taking care of key distribution (CMLA 2004).

A new proposal for content protection is to embed executable code within content. In this scenario content can be used only if the terminal proves that it can be trusted, e.g. by presenting system information such as player or speaker identifications. After satisfactory proof has been given, decryption keys are released (Cravotta 2003).

Trusted Computing Group (TCG) has specified security services for PCs and is also planning specifications for mobile platforms. In TCG, special hardware is used as a root of trust to ensure the integrity and correctness of overlying applications. The platform enforces mandatory policies, implying that the device owner might not have complete control over it. Essential components for DRM applications are protected storage, a memory area accessible only to authorized entities, and attestation, a means for a client device to send proof to a server of what software it is running. Using attestation, content providers can make sure that content is sent only to those devices that respect rights (TCG 2004).

3.4. Terminal Security
Mobile terminals and, particularly, DRM agents, i.e. software used to handle DRM data, must enforce that rights and rules associated with content are applied. In general, DRM solution designs should fulfill the following requirements:

- Enforce mandatory access control according to rights. This means that even terminal owners are prevented from accessing content without authorization.
- Protect themselves against malicious users with physical access to the device who try to modify or circumvent the access control mechanism. Circumvention can be based, e.g., on resolving secret keys, on stealing clear text content from memory or on modifying DRM software.
- Prove their trustworthiness (i.e. sufficient protection), enabling content providers to take the risk of providing content to them.

DRM enabled software can enforce access control to protected data. However, an attacker might be able to circumvent software protection by accessing content with their own or modified DRM software clients. Therefore, content must be stored in a place that is protected, e.g. with platform access control or cryptography. Protecting the software itself against tampering attacks can be done through software means such as integrity checking or obfuscation (Naumovich & Memon 2003).

3.5. Reactive Means Against Pirates
After content has been attacked and copy protection means cracked, it is redistributed without limits to other users through the Darknet, i.e. through different channels like peer-to-peer networks or by manufacturing and selling pirate hardware. There are three means to defend against such copying (Brendan & Traw 2003):

- Content can carry identifying information, fingerprints, which can be used to locate the source of a leak. Unlike in the fixed Internet, current mobile terminals provide more reliable information about the identity of the user. Therefore, a distributing server could add a fingerprint to every content file before it is delivered to the customer (Hartung & Ramme 2000). However, the threat against an individual pirate can be circumvented, and fingerprints, like watermarks, can be removed.
- Content providers can also try real-time interdiction of unauthorized content distribution. With this strategy, networks are scanned and, when incriminating watermarks are found, sources are blocked.
- Content owners can also try impeding content sharing with technical self-help techniques. These include releasing corrupted decoy content and denial of service attacks.
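The per-customer fingerprinting described in Section 3.5, as an added sketch that is not part of the original paper: the distributing server derives a keyed tag from the customer and content identifiers, embeds it before delivery, and later matches a leaked copy against its customer list. Least-significant-bit embedding stands in for a robust watermark, and the key, identifiers and sample bytes are constructed.

```python
import hashlib
import hmac

TAG_BITS = 64  # fingerprint length in bits; an assumption of this sketch

SERVER_KEY = b"constructed-server-key"   # constructed; known only to the server
CUSTOMERS = ["subscriber-0001", "subscriber-0002", "subscriber-0003"]
SAMPLES = bytes(range(256)) * 4          # constructed stand-in for decoded audio


def fingerprint(server_key: bytes, customer_id: str, content_id: str) -> bytes:
    """Derive a per-delivery tag that only the server can compute or check."""
    msg = f"{customer_id}\x00{content_id}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).digest()[:TAG_BITS // 8]


def embed(samples: bytes, tag: bytes) -> bytes:
    """Write the tag bits into the least significant bit of the first samples."""
    if len(samples) < TAG_BITS:
        raise ValueError("content too short to carry the fingerprint")
    out = bytearray(samples)
    for i in range(TAG_BITS):
        bit = (tag[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(samples: bytes) -> bytes:
    """Read the tag bits back from a copy of the content."""
    tag = bytearray(TAG_BITS // 8)
    for i in range(TAG_BITS):
        tag[i // 8] |= (samples[i] & 1) << (7 - i % 8)
    return bytes(tag)


def trace(server_key: bytes, leaked: bytes, content_id: str, customers):
    """Return the customer whose delivery the leaked copy came from, or None."""
    if len(leaked) < TAG_BITS:
        return None
    found = extract(leaked)
    for customer_id in customers:
        expected = fingerprint(server_key, customer_id, content_id)
        if hmac.compare_digest(found, expected):
            return customer_id
    return None  # unmarked copy, or the fingerprint did not survive
```

Because the tag is a keyed MAC over the customer identity, a match can only be produced with the server key; a `None` result says nothing about who leaked, which is the limitation the paper notes when fingerprints are removed.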


Figure 2. Building Blocks of Defense Barrier for DRM Data

Figure 3. Key Actors and Motivations in Mobile DRM

4. DRM in Mobile System of Innovation

4.1. Actors Influencing Mobile Economy
The mobile economic field consists of several actors, each having its own motivations and affecting how the mobile content and DRM business environment develops. Figure 3 illustrates these actors and their relationships to each other. Actor classes are further described in the following subsections, and examples of instances of these actors are given in the attached tables.

4.2. Darknet
It seems inevitable that the protection mechanisms presented in the previous section cannot exterminate the availability of pirated content completely. A particular problem is that an attacker can, with different mechanisms, remove DRM identification from content, making it look like free content. Therefore, Darknet - an actor consisting of different pirate networks, like peer-to-peer file sharing networks in the Internet and pirated memory card distribution rings - will remain part of the information society for years to come (Biddle et al. 2002).

Table 1. Examples of Pirate Networks
Pirate Network Type | Examples
Unlicensed content media manufacturing | Prerecorded memories (DVDs, memory cards) in pirate factories, recordable memories in homes
Peer-to-peer networks | Kazaa, eDonkey, gnutella, websites

Table 2. Examples of Usability Limitations Caused by DRM Solutions
DRM Solution | Disadvantage for Users
Tying content to a hardware module/device (forward lock) | Users cannot take backups, use content with different devices or share content with friends
Requiring downloading of rights through network | Network connection is required, costs cannot be known in advance
Content must be bought from a specific place | Lots of channels (web-sites, networks), which would provide more convenient access to content, are out of reach
Users must pay to get content | Users cannot afford to consume as much music as they would like to and are accustomed to
Terminal can be used only with DRM content | Large amount of content (some even legitimate) is out of users' reach

4.3. Users
The Internet has taught users to get digital content for free, and they might expect the same in the mobile environment. Therefore, mobile users want to consume content easily without limitations on usage, and want content to be available in as large quantities and as cheaply as possible, even though most users would want to obey rules.

4.4. Content providers
Content providers, i.e. content producers, network service providers and hardware media manufacturers, want their content to be usable with as large a terminal base as possible. However, content providers also require terminal manufacturers to protect their rights so that there is no risk that implemented content will be stolen. Currently, the industry seems to consider protection the most promising means to enforce DRM. There are, however, reasons implying that strong DRM enforcement might not provide the best results:

1. Consumers are accustomed to receiving content freely from the Internet. According to old rules of governance, trying to control and change people who are accustomed to freedom with external pressure often leads to failure; cooperative means instead provide better and longer lasting results (Machiavelli 1513). For instance, since users are accustomed to paying for network connections and storage media, revenue sharing (from transport providers to content producers) has been utilized as an alternative business scheme.
2. Economic theory implies that the profits brought by a large user base (legitimate and pirate) might be larger than the losses from piracy, at least for certain types of content, e.g. software. This is because most pirates would not have bought the content anyway, and because a large user base provides benefits through network effects such as easier learning and exchange of data with other users (Conner & Rumelt 1991).

Table 3. Examples of Content Providers
Role in Content Provisioning | Company Examples | Related Product / Technology Examples
Content producers | Time Warner, Electronic Arts, EMI | News, games, music
Network service providers | TeliaSonera, Radiolinja, DNA, Vodafone | GSM, UMTS, W-LAN access
Hardware media manufacturers | Sandisk, Toshiba, Sony | Multi Media Cards, Secure Digital cards

4.5. Manufacturers
Terminal manufacturers have contradictory incentives when considering content and DRM:

1. Implementing DRM solutions will make terminals more complex and costly.
2. Devices are more attractive in the market if they are also open to widely available pirated content.
3. Manufacturers want content providers, who demand DRM implementations, to make content available for their devices.

Consequently, manufacturers must find a balance between these requirements. Typically, the compromise has been to provide some sort of DRM support while also being open to other content. Implementation and deployment of trusted mobiles, where content is digitally managed, might be an easier task in the mobile field than within the PC industry. This is because hardware is not based on open standards and devices are in the manufacturers' control instead of being built using components from various sources.

Table 4. Examples of Manufacturers Providing OMA DRM Compatible Products (Smith 2004)
Role in DRM | Examples of Companies Providing OMA DRM 1.0 Compatible Products
Terminal hardware manufacturers | Nokia, Motorola, Siemens, Sony Ericsson
Terminal software | Nokia (Series 60 platform), Philips, Ericsson
Server manufacturers | Nokia, Ericsson, NEC, DMD, NDS, Openwave

4.6. Regulators
Authorities control DRM actors according to principles accepted by society. These controlling relationships have the following characteristics:

- Content providers have been granted copyright (a monopoly to produce copies) for digital creations, and regulators protect content providers against users with legislation in order to support innovativeness.
- Regulators protect users by ensuring that content producers or manufacturers are not able to hinder free competition.
- There have been proposals demanding that regulators should mandate manufacturers to implement DRM support in terminals (Hollings 2002).

Table 5. Examples of Regulative Actors
Regulator Type | Action Examples
Rule setting institutions (legislators e.g. national parliaments) | Copyrights, patents, legislation against monopolies and trusts
Executive and judicial institutions (e.g. European commission, Ficora, police, courts) | Actions against companies abusing markets (affecting free trade); actions against pirate individuals and against pirate networks

4.7. Industry alliances
In order to enable large markets for mobile content, compatibility of content and protection is desirable. To achieve this, work in the mobile DRM field has concentrated on industry alliances. The goal of some alliances is to combine the intellectual property of several companies into one licensable technology, and the goal of others is to gain a large number of adopters to achieve critical mass. A potential problem with open but proprietary DRM schemes is that large companies could lock smaller ones out by making the price of market entry high.

Table 6. Examples of Industry Alliances
Organization | Role | Contributors
Open Mobile Alliance | Provide guidelines for content and DRM compatibility | Terminal manufacturers and content producers
Content Management License Administrator | Guarantees trustworthy terminals and OMA compatible content by handling key distribution (only trusted manufacturers and providers implementing security and compliance specs are given keys) | Terminal manufacturers and content producers
Trusted Computing Group | Specifies technology for trusted platforms and attestation | Terminal manufacturers
4C Entity | Specifies licensable secure hardware technologies | Hardware media manufacturers

5. Conclusions
Mobile terminals with open platforms are facing the same challenges that the personal computer side has experienced for decades when trying to prevent uncontrolled copying of content. As a result of the battle against pirates, there exist a lot of tools for content protection. In the mobile industry, the DRM work has concentrated on OMA, which provides a framework for DRM enabling compatibility between terminals and content providers. However, piracy is not going to be removed completely in the near future, since users reject closed terminals, which would be open only to DRM content, and since technical means to mark copyrighted content are not unbreakable. Therefore, the role of protection should be seen as extending piracy-free time for content releases and as making consumption of pirated content more awkward, hence directing honest and financially solvent customers to pay reasonable prices for user-friendly access to fresh content.

References
4C. 2000. Content Protection System Architecture. A Comprehensive Framework for Content Protection. Revision 0.81. 4C Entity.
Biddle, P. England, P. Peinado, M. Willman, B. 2002. The Darknet and the Future of Content Distribution. ACM Workshop on DRM.
Brendan, C. Traw, S. 2003. Technical Challenges of Protecting Digital Entertainment Content. Computer, volume 36, issue 7.
Conner, K. Rumelt, R. 1991. Software Piracy: An Analysis of Protection Strategies. Management Science, volume 37, issue 2, pp. 125-139.
CMLA. 2004. Content Management License Administrator. Web-site: http://www.cm-la.com/.
Cravotta, N. 2003. The war on copying. EDN. October 16, 2003. Available: http://www.reed-electronics.com/ednmag/contents/images/326913.pdf.
Edquist, C. 2003. The Internet and mobile telecommunications system of innovation: developments in equipment, access, and content. Edward Elgar Publishing Ltd, pp. 1-10.
Hartung, F. Ramme, F. 2000. Digital Rights Management and Watermarking of Multimedia Content for M-Commerce Applications. IEEE Communications Magazine, volume 38, issue 11, pp. 78-84.
Hollings, E. 2002. Consumer Broadband and Digital Television Promotion Act. US Congress, bill S.2048.
Machiavelli, N. 1513. The Prince. Bantam Books, Chapter 5.
Naumovich, G. Memon, N. 2003. Preventing Piracy, Reverse Engineering and Tampering. Computer, volume 36, issue 7, pp. 64-71.
OMA. 2004a. OMA DRM Specification V 2.0. Draft Version - 8 January 2004. Open Mobile Alliance. Available: http://member.openmobilealliance.org/ftp/Public_documents/BAC/DLDRM/
OMA. 2004b. DRM Architecture V 2.0. Draft Version 15 March 2004. Open Mobile Alliance. Available: http://member.openmobilealliance.org/ftp/Public_documents/BAC/DLDRM/
Scott, B. 2001. Copyright in a Frictionless World: Toward a Rhetoric of Responsibility. First Monday, volume 6, issue 9.
Smith, B. 2004. Music Industry Eager To Exploit Wireless. Wireless Week, February 15, 2004. Available: http://www.wirelessweek.com/article/CA381615
TCG. 2004. Trusted Computing Group. Web-site: http://www.trustedcomputinggroup.org/
