Currently DRMs are yet unable to reconcile the conflict between rightsholders' interests and public access interests. They restrict use possibilities and thus curtail the freedom granted to users under exceptions to the exclusive rights of copyright holders. Not surprisingly, consumers have begun to develop distrust to any new invention regarding content and rights management.

So how can trust be regained? To begin with, consumers must be assured that their personal data are as safe as they would be in a normal store in the "real" world. Only very few consumers would supply information on how often and when they hear a piece of music. In addition, there is more personal and private information at stake, e.g. information about a handicap someone has. Next consumers will not accept a new system if they feel unnecessarily intruded, i.e. if they are limited to freely use content once they have bought it. Thirdly the ability of DRMs to override legal provision, in particular the exceptions granted, creates further distrust. Obviously there is no easy solution to implement DRMs fulfilling these consumer requirements.

The approach outlined here starts from a paradigm shift: from object-oriented DRMs to user-specific DRMs. It is proposed to link the content to the person, who acquired the rights to use the content, and not to the object the content is used with. Due to this switch in perspective, the implementation of copyright exceptions becomes possible.

The main elements of the approach
Trusted third parties
This approach is based on an infrastructure which includes a set of trusted third parties (TTP). These TTPs work as mediators between the consumers and the companies. Their tasks are:
  • anonymization of the consumers’ data
  • bearing witness to the consumers’ characteristics regarding copyright exceptions (e.g. “person A is a student”)
To guarantee the TTPs’ impartiality, TTPs should be state-run or they should be run by an independent commission. Exactly which TTP is chosen depends on the particular exception.

Dongle for identification
The second part of the infrastructure would be a safe way to identify the consumer sitting in front of the computer. A system which could work well would be a combination of a computer dongle as a physical component (e.g. an USB device with cryptographic capabilities) and a personal code to access the private key on the dongle. Every dongle is unique and can essentially not be copied.

Technical Protection Measures (TPM) / watermarks
It should be noted that watermarks – as a safe way for linking content to the consumer – are also an essential part of the user specific DRMs. Watermarks fulfil an important function in this approach. It is assumed that watermarks can be integrated in every format the consumer wants to use, even in already existing standard data formats. Watermarks are the essential way to maintain the link between the consumer and the content he controls.

How it could work for different kinds of exceptions
The concept outlined above will be demonstrated by the following three examples. The first of these examples describes its realization with respect to § 45a UrhG. This exception was introduced into the German Copyright Act in order to protect the access to information for handicapped people. The second example describes the implementation of § 52a UrhG which protects the access to content for scientific use and use in teaching. The third example is about the implementation of the much discussed private copy exception contained in § 53 UrhG. Ideally all examples described will become fully automated.

Implementation of § 45 UrhG (exception for disabled people)
For this scenario a public office should be chosen as TTP, which has already access to information regarding the degree and the kind of the handicap of the consumer. Consumers, who fall under this exception normally buy content and contact the TTP afterwards and supply a certificate of the content provider which proves that they bought the rights to use the content. The TTP verifies this certificate and asks the content owner for a copy of the content, which can be used by the consumer. The copy gets personalized to a new ID and is resent to the TTP, which also resends it to the consumer. The consumer can now use the content. In the case of a copyright infringement, the TTP has a connection between the new ID and the personal data of the consumer.

Implementation of § 52a UrhG (exception for scientific use and the use in teaching)
Other TTPs are universities and comparable institutions, which have access to information regarding students, teachers and lessons held. Students are required to register for lectures at the TTP to minimize the efforts for the participants. The teacher giving the lecture registers all relevant content at the TTP. When a student needs access to content, he contacts the TTP, which then contacts the content owner. The procedure then follows the steps as set out with regard to the implementation of § 45 UrhG.

A second way of implementation is to add the watermark of the student – if he has one – to the watermarked version of the professor. This can be done by the DRM-application itself and there would be no need for a TTP. So, students presumably would not distribute their copy with their personal data in the watermark.

Implementation of § 53 UrhG (exception regarding the private copy)
This implementation of the private copying exception is a little bit more sophisticated. Before even implementing this exception, a preliminary question has to be asked: Why should this exception get implemented at all? Well, users have become accustomed to making copies of the copyrighted material they have bought or accessed for purposes of time and place shifting, for format change and also for archiving and security reasons. By implementing the private copy directly in the DRMs, a private copy continues to be possible for the consumers and is used more reasonably.

In general, consumers obtain the data protected by DRM over the internet or in a store. In the first case, in the model proposed, data gets marked with a personalized watermark at the moment of the sale. In the second case, data gets personalized when it is used for the first time. When a consumer would like to copy his data within the limits of the private copying exception, depending of the use of the data, the consumer uses his or her DRMs to generate a copy, which supports the intended use. For example, if the user wants to hear a song in a DRM-protected format on his MP3-player, his DRM-application converts the data, embeds a watermark and copies it on the MP3-players, tagging it in such a way that it can’t get copied back. If the MP3-player already supports a proprietary DRMs, the application should be able to convert the data to this format.

A way to use the internet in the last scenario could again involve a TTP, which requests a DRM-protected, newly watermarked copy of the content from the content owner. Consequently there is no need to change watermarks.

For the consumer, the private copy still exists, but in the case of copyright infringement, his name or ID is on the copy. This will limit the consumer’s interest in distributing the content. But the consumer is still able to use his content like he was used to, when it wasn’t DRM-protected.

As with all DRM-approaches, there are some advantages and some disadvantages. The most evident problem of the present proposal is the creation of the infrastructure. The implementation will only be affordable if there is a standard system which is usable for a broad variety of services. Most likely the infrastructure required has to make use of other infrastructures being build up, e.g. the infrastructure for the German health system relying on a health card (Gesundheitskarte) with cryptographic abilities. However, if a combined system can be violated, the damage would be much greater. Therefore a safeguard has to be available.

A second problem is the dongle. The dongle provides more security for the content owner and makes content mobile for the consumer, but it is also a cost factor. Moreover, the consumers’ comfort is somewhat limited by a dongle. It may generate technical problems and consumers would have to attach it to the computer every time they want to use their data.

A third and minor problem is the fact that under the model proposed, the TTP gets information about consumers’ access to the services of the content owner. Therefore it must be ensured that the TTP adheres to data protection and privacy policies.

Finally, there is a problem that all DRMs have in common: The system works only as long as cryptographic security (including watermarks) can be warranted and if consumers use the system in a responsible way. But if, e.g. a dongle gets lost, this will be like losing a credit card. This, users will have to understand.

However, as already mentioned in the introduction, there are also some positive elements in this approach, which compensate for the negative ones.

First of all, because of the effort which the content owner undertakes with such a system, he demonstrates that he does not really want to limit the rights of the consumer any further than defined by statutory provisions. This brings at least some credibility back and should increase the trust on the part of the consumers. A certification of such a DRM system could further increase this effect. Also, consumers’ personal data regarding handicaps or relationships between consumers remain safe at the TTPs. Finally the content owner can be sure that his content never leaves the protected circle even if private copying is allowed.

While it is doubtful, that the system will be implemented very soon due to the high cost factor, it may be an option in the near future, when an identification infrastructure exists. As more and more people, companies and public offices are relying on the new digital technologies, the cost of adding TTP-capabilities in an office or a commission will be reduced. It is also imaginable that future laws will require the implementation of copyright exceptions in DRMs as a prerequisite to the granting of legal protection.

While this approach has been discussed with respect to the German copyright exceptions, it is possible to use it with minor changes for other national transpositions of the European copyright directive too.

Bottom line
Intellectual property entails rights and responsibilities. At the moment code tends to substitute law. Therefore, code – in this case code of DRMs – cannot stay uncontrolled. There will be a control instance, either by law or by self-regulation. The approach presented here can be a way to allow for a well-balanced technical regulation. The paradigm shift proposed should help to represent the law more correctly, because the law in fact links rights to persons and not to objects. Any technology should enable consumers to enjoy their rights on whichever device they like. DRMs are a great opportunity to solve the problem of intellectual property if it is used right. But it must work for both sides. Due to today’s (dis)abilities of TPMs, the natural way of using the content is blocked.


About the author: Dominik Knopf finished his studies in information engineering and management at the University of Karlsruhe by the end of 2004. Currently he is working with Prof. Thomas Dreier at the Institute of Information Law at the University of Karlsruhe, and is preparing his doctoral thesis.

Status: first posted 21/03/05; licensed under Creative Commons