Consumers see digital rights management (DRM) systems primarily as a tool for piracy protection in digital content distribution. These DRM systems provide access to encrypted content only on the hardware identified in a digital license. This kind of hardware locking restricts fair use, e.g., when lending digital material from libraries or by preventing copying content for private use. There is common agreement on the need to design DRM systems and electronic commerce business models which allow fair use (ACM 2003). Various means have been proposed to implement fair use, e.g. by implementing it with licensing rules in DRM systems (Mulligan and Burstein 2002), by licensing protocols, by watermarking, by authorising protocols, etc. (see reviews of alternative designs in Bechtold 2004, and Tyrväinen 2005). However, the intelligence about contextual factors needed for interpreting the legal limits of fair use cannot be 100 % implemented in the licensing rules of DRM systems, especially in the US legal context (von Lohmann 2002).

Fair use, identification and privacy
In this paper we use the term fair use (or fair dealing) as a general concept referring to the legally protected right of people to use content based on exemptions and limitations of national copyright laws (EU2001/29/EC, US 2000). Variations in national legislation increase the complexity of implementing fair use within DRM systems. Nevertheless, approximating fair use by licensing would be a useful service for the customers. With such a service one could avoid the need for costly human evaluation of fairness of use in a vast number of cases and thus encourage content providers to support fair use cases – although a small percentage of the cases would still need human intervention. In both cases identification of the use context and of the persons or the organization in question is needed.

Identification is a double-sided problem with respect to fair use. Customers registering for a media provider’s service with their account identity or credit card identity can be traced and media distributors can link together all customer purchases, which threatens customer privacy. DRM systems connecting the right to use content products to a hardware identity enable the use of this hardware identity for tracing even when customers purchase their products from multiple vendors. However, media vendors would certainly like to identify the context in which they enable free use of products based on fair use exemptions. For example, they would like to identify the party claiming to be a library and requesting rights to lend copies to their customers. In case the library can be identified, the media provider may trust the library and let it identify the library customers, to the extent needed. Clearly, some fair use cases have higher requirements for identification of trusted second parties (such as the library) than what is expected from an individual (here the third party) borrowing content from the library.

From product copy management to license management
Prior to digitization, illegal content use could most easily be recognized at the point of creation of copies. This is mostly true also for digital products. But when DRM systems are used, the focus shifts from creating copies of protected content products to the creation of licenses enabling use of the content products. In superdistribution (Mori and Kawahara 1990) protected content is distributed freely, but requires purchasing a license for use. Thus creating the licenses enabling use of the content is the context where fair use should be evaluated.

The next question is, should the usage rights declared in the licenses be based on the identity of the person or on the identity of the hardware? Use of hardware identity is commonly considered less user-friendly. However, in the library customer case, linking all the content borrowed by a customer with the customer identity would be more likely to infringe privacy than linking the products with multiple hardware identities unknown to the library.

Proposed approach for fair use licensing
Supporting privacy with product copy managers
To improve privacy we propose an arrangement, where the customer is able to get a temporal digital license from another trusted party in order to use the content on his hardware. For this purpose, the customer needs to pass some information received from the trusted library to the other trusted party. The primary role of the new trusted party is thus to create digital licenses for the customer hardware. Secondly, the trusted party should keep record of the number of product copies lent by the library with the license of the library, to satisfy the requirements of media vendors. For this reason, we refer to this trusted party as a product copy manager (PCM). Although this particular PCM knows the hardware identities associated with the product, it will not be able to connect the data with any identification of the customers or to connect it with other data located at the various places of purchases (or other PCMs when multiple equipment is used).

By separating multiple places of purchases, multiple trusted PCMs and multiple hardware identities we avoid many problems encountered by related approaches. These include the single dongle problem (e.g. single hardware identity) and the problem of cumulating customer data by a trusted party as observed by Knopf (2005). Note that in the approach of Knopf there exists a role of a TTP (trusted third party), while we separate the roles of a trusted second party (a library) and the role of a trusted PCM. Knopf also uses watermarks for personalizing the content for consumers while we prefer carrying hardware identification information in licenses embedded in the content or transmitted separately from the content according to the superdistribution mode. Note also that a PCM should not be confused with the actual DRM systems controlling the use of content (for further details see Tyrväinen 2005).

Two-phase approach for fair use licensing
In the library case the library was the second trusted party, which was identified to the extent needed for the fair use license during the license acquisition process. The third party (a customer) communicated only with the trusted second party and the PCM binding the license to a specific hardware, in the context identified by the special library license granted to the second party. This can be generalized as a two-phase approach for fair use licensing.

  • In the first phase, the second party (the library) is identified to the extent needed for trusting it; the special license is purchased (e.g. a library license), and the second party will receive a license template (e.g. a library customer template), to be delivered to third parties. Special cases may require human judgement (for further details see Tyrväinen 2005 and Erickson 2003). Note that according to the EUCD fair use should be enabled only when content has been legally purchased.

  • In the second phase, the third party (a library customer) trusted by the second party receives the template and acquires the hardware locked digital licenses for his equipment from the PCM. This second process does not include monetary transactions or negotiations and can be automated.

Figure 1: Two-phase model for fair use licensing

The fair use exemptions included in national law define the kinds of license templates needed; library licenses, educational licenses, and personal copy licenses being probably the most common. Each of the exemptions may require a different level of identification of the second party at the point of sales and in the templates as well as in between the second and the third party. Also the conditions of the licenses vary.

Fortunately, the same content can be used with a multiplicity of license types each defined for a specific fair use case in each national context, and the same license types can be applied to large categories of products (e.g., to all songs) simplifying the product management problems of media distributors. However, fairness will have to be determined by human judgement in some percentage of the cases even when using this approach, depending on the national regulations. The following examples will demonstrate how the context of the process is captured.

Product copy owner identity supporting privacy of personal copies
In the case of personal copies the same person purchasing a content product in the role of a second party, can acquire hardware locked licenses for other equipment with personal copy templates from a PCM. In this case the media distributor trusts the person to use these personal copies for personal use only, within the legal limits of fair use. The PCM can limit the number of personal copies per person for each product, for example, using product copy owner identity in the templates. Still the PCM is unable to identify the person behind the product copy owner identity and unable to connect the data with other products purchased by that person. However, in some cases the customer might like to be identified as the distributor of license templates using customer identity rather than the product copy owner identity known only to the point of sales selling the license to the second party.
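The two-phase model and the per-product-copy limit described above can be sketched as follows; this is an added example, not code from the paper or from any DRM product. It shows which data each party ends up holding: the point of sale knows the second party but no hardware, while the PCM knows hardware identities but no person or institution. The HMAC-authenticated template, the class and field names, and the sample values ("City Library", "song-123", "hw-A") are assumptions constructed for illustration.

```python
import hashlib, hmac, json, secrets

def _mac(key, body):
    # Authenticates a template; HMAC is an assumption of this sketch.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class PointOfSale:
    """Phase 1: identifies the second party and issues a license template."""
    def __init__(self, key):
        self._key = key
        self.sales = {}  # second-party identity -> product copy ids; never leaves here

    def sell(self, second_party, product, kind, max_copies):
        body = {"copy_id": secrets.token_hex(8), "product": product,
                "kind": kind, "max_copies": max_copies}
        self.sales.setdefault(second_party, []).append(body["copy_id"])
        return {**body, "mac": _mac(self._key, body)}

class ProductCopyManager:
    """Phase 2: issues hardware-locked licenses; learns no personal identity."""
    def __init__(self, key):
        self._key = key
        self.bound = {}  # product copy id -> hardware ids holding a license

    def acquire(self, template, hardware_id):
        body = {k: v for k, v in template.items() if k != "mac"}
        if not hmac.compare_digest(_mac(self._key, body), str(template.get("mac"))):
            raise PermissionError("template was not issued by the point of sale")
        holders = self.bound.setdefault(body["copy_id"], set())
        if hardware_id not in holders and len(holders) >= body["max_copies"]:
            raise PermissionError("copy limit reached for this product copy")
        holders.add(hardware_id)
        return {"product": body["product"], "kind": body["kind"], "hardware_id": hardware_id}

    def release(self, copy_id, hardware_id):
        self.bound.get(copy_id, set()).discard(hardware_id)  # e.g. a loan has ended

def demo():
    key = secrets.token_bytes(32)  # shared by point of sale and PCM (assumption)
    pos, pcm = PointOfSale(key), ProductCopyManager(key)
    template = pos.sell("City Library", "song-123", "library", max_copies=2)
    licenses = [pcm.acquire(template, hw) for hw in ("hw-A", "hw-B")]
    try:
        pcm.acquire(template, "hw-C")
        third = "issued"
    except PermissionError as exc:
        third = str(exc)
    pcm.release(template["copy_id"], "hw-A")
    licenses.append(pcm.acquire(template, "hw-C"))  # a copy is free again
    return pos, pcm, template, licenses, third
```

With a shared HMAC key the PCM could itself mint templates; a deployment that does not want to extend that trust would have the point of sale sign templates with a private key and give the PCM only the public key.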

Customer rewarding in peer-to-peer marketing
Consider a case where a customer (the second party) has purchased a content product for private use and receives, among other things, a promotion license and a distribution template, which the customer delivers to a third party with the protected content. Using the promotion license the third party is permitted a limited use of the content on any hardware, e.g. to play the first 15 seconds of a song.

If the third party decides to purchase a personal license and uses the distribution template containing the identity of the second party, the distributor can reward the second party for the sales activity. This type of rewarding can be considered fair, but requires disclosing identity of the second party, to some extent (for further details on delivery chain tracking in peer-to-peer marketing, see Tyrväinen, Järvi and Luoma 2004).

There exists a trade-off between privacy and identification of the parties. The level of customer identification needed for customer rewarding in the peer-to-peer marketing model is not necessary for content products purchased for private use without intent to receive reward for sharing it with friends. Thus the level of tracking applied for the delivery chains needs to follow the requirements of each fair use case or business model.

New business models for libraries and other public institutions
When libraries lend content to customers, whom they have identified (face to face), the proposed approach provides a high level of privacy for the customers, whose identity is not connected with the product data in any phase of the process, and whose one hardware identity is connected with the product copy identity of the library in one PCM. However, there are also situations, where the libraries and schools would like to disclose their identity to more than one point of license sales.

In libraries and in educational use we can envision cases, where a library customer or a student at school would like to purchase the content product after getting familiar with it. In these cases the library or the school would already have been identified properly, and would certainly be very happy to receive a share of the revenue, to prop up the restricted budget of a public administration entity. The impact of schools and libraries on the purchase of content products is well known, and being able to quantify the impact would contribute to the creation of business models. This closer interaction of public institutions and media vendors can be seen either as an opportunity for the institutions or as a threat to the independence of public services.

One possible future scenario includes increased revenue from media vendors to the libraries and schools. In this scenario the libraries and schools would still purchase the content products from media vendors with prices similar to those under current discount policies. In case some of the customers or students would like to purchase the product after using it with the special license, the second party identity would be used to direct sales provision to the library or school in question. This would probably guide the purchases of libraries to follow closely their customer demand, towards the content with most marketing effort.

Another scenario includes outsourcing of content product lending to external service providers. In this scenario the technical effort and market follow-up is outsourced while the control over selection provided is kept in the hands of the library or the school, with reasonable costs.

In a third scenario the service providers would not need public funding. It would suffice to get their income solely from the media companies in the form of sales revenue sharing. This scenario is somewhat similar to the use of promotional versions or pre-releases for product marketing used commonly in the software sector of content business. It is likely that in this last scenario public libraries would be needed to maintain a balanced offering of content products for the public.

Bottom line
It is possible to support library exemptions while maintaining a high level of privacy and enabling use of personal copies with DRM systems. This includes an opportunity to gain shared revenue when lending is combined with content superdistribution and delivery chain tracking.

  • ACM (2003): Special issue on fair use, Communications of the ACM, Vol. 46, No. 4.
  • Bechtold, S. (2004): Value-centered design of Digital Rights Management, INDICARE Monitor Vol. 1, No. 4.
  • Erickson, J.S. (2003): Fair use, DRM, and Trusted Computing. Communications of the ACM, Vol. 46, No. 4, pp. 34-39.
  • EU2001/29/EC. Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the Harmonisation of Certain Aspects of Copyright and Related Rights in the Information Society. Official Journal, L (167). (22/06/2001), 0010-0019.
  • Knopf, D. (2005): How to implement copyright exceptions in DRM systems. INDICARE Monitor Vol. 2, No. 1.
  • Mori, R. and Kawahara, M (1990): Superdistribution - the concept and the architecture. The Transactions of the IEICE, Vol. 73, No. 7.
  • Mulligan, D. and Burstein, A. (2002): Implementing copyright limitations in rights expression languages. 2002 ACM Workshop on Digital Rights Management, Wyndham, Washington DC, USA: ACM, 2002, pp. 15.
  • Tyrväinen, P. (2005): Concepts and a Design for Fair Use and Privacy in DRM. In D-Lib Magazine, Vol. 11, No. 2.
  • Tyrväinen, P., Järvi, J., and Luoma, E. (2004): Peer-to-Peer marketing for content products - Combining digital rights management and multilevel marketing, Proceedings of EC2004.
  • US (2000): Fair use, United States Code, Section 107, Chapter 1, Title 17.
  • von Lohmann, F. (2002): Fair use and digital rights management: Preliminary thoughts on the (irreconcilable?) Tension between them. Computers, Freedom & Privacy (April 12 2002), 9.

About the author: Dr. Pasi Tyrväinen is Professor of Digital Media at the Department of Computer Science and Information Systems at the University of Jyväskylä. He received his doctoral degree at Helsinki University of Technology in 1994. His previous affiliations include R&D management positions at Honeywell Industrial Control and Nokia Research Center. His research interests include digital rights management, enterprise content management, communication genres, and software business.

Status: first posted 25/04/05; licensed under Creative Commons