The Many Faces of DRM - Delivering Secure Enterprise Content

Digital Rights Management (DRM) has been something of an enigma for the computer industry since it burst onto the scene in the late 1990s.

Originally conceived as a way to lock and protect electronic content, such as music and ebooks, this vision never really materialized. A few years ago, Forrester Research published a report called Content Out of Control, in which they asked content owners what they thought was the most important thing a DRM partner could provide. Fifty-eight percent chose "Rock Solid Security" as the most important feature. Yet Napster proved just how elusive this goal really was.

Forced to regroup, many DRM companies took a new tack. Rather than approaching DRM by trying to lock the content away and prevent users from getting at it, they decided instead to focus on making it easier to access material within a rights management framework that allows the customer to define, at increasingly granular levels, who can access the material and what they can do with it. Instead of targeting traditional media producers as they had done the first time around, they pursued the enterprise customer managing vast amounts of online data. The primary target industries included large publishers, science, and finance.

John Blossom, vice president and lead analyst at Outsell, Inc. describes DRM as entering its second generation in which it is moving beyond the lock box and going towards building relationships in a business model. He says, "in the first generation publishers were too concerned with how to protect the old models instead of recognizing the new opportunities available to them. As we move forward," says Blossom, "DRM will be about business relationships and facilitating commerce by integrating DRM into ecommerce solutions with a focus on the consumer's ability to purchase content in a highly customizable manner."

To illustrate the growth--and breadth--of the DRM market, let's take a look at four DRM companies that employ the model of controlling access, rather than the content itself. While it is clear that each of the given solutions could be applied to widely differing content models, these case studies illustrate their individual approaches, given a specific customer's needs, to describe their process.

It's clear that each DRM solution provider--along with their clients--has come up with a distinctly different methodology for helping control access to online information via the enterprise, with the given solution tailored for the industry and market being served:

DigitalOwl places a piece of software on the end-user's desktop that monitors and records what he does with the document even when not connected to the network.

Copyright Clearance Center allows customers to purchase reprint rights at the point of sale on the Web site based on rules the customer defines.

eMeta allows the customer to finely control the way information is presented to the end-user, then define different levels of access before they make content available on the Web site.

ContentGuard has developed a digital rights language, which they license to the customer, who then develops their own customized digital rights front end using open standards.

Delivering Digital Rights

Product: Kinetic Edge

Platform: Windows NT, Solaris

Price: Starts at $75,000

Customer Case: Conning Research & Consulting, a reinsurance industry research company

Patrick Keane, president of Conning Research and Consulting, a firm that supplies research reports for the reinsurance industry, was looking for a way to move his company from paper reports delivered by mail to a digital delivery system when he connected with DigitalOwl in the summer of 2001. Keane says he knew that electronic delivery was becoming the norm. "The best way we can serve our customers is to anticipate their needs," and among those needs is online delivery. Says Keane, "We knew we had to get online."

Keane says that "the initial impetus was to be able to control who gained access to our content," but over time he realized that "the role of security of our online product is not as crucial or critical as we once thought." Instead, Conning would prefer to be recognized as a leader in their market and deal with security later on. Keane says, "Just because you put a password and copyright on material doesn't mean it won't get out there illegally."

DigitalOwl's KineticEdge product uses a client server model to monitor digital content. The product relies on a check in-check out model similar to a library. The material can reside on a corporate server, an Information Provider's server (the ASP model), or DigitalOwl can host the material on its own servers. Customers define document rights, such as pricing, printing rules, cut and paste limitations, etc., which are written as encrypted metadata into the document before it gets posted to a server. The customer can apply a set of rights to a single document, apply a set of rights to a collection of documents in a batch process, or they can leverage rights from an existing system, such as Content Management. Kirstie Chadwick, president of DigitalOwl says, "We have to be able to integrate into the existing infrastructure."

The final piece is client software that sits on the end-user's desk and follows the document as long as it's on the user's computer. According to Chadwick, by moving the permission down to the client, it gives users the freedom to take the document away (on an airplane, for example) then update usage information to the server the next time they connect to the network. Says Chadwick, "We differentiate ourselves by following the material." This also allows them to generate reports based on the desktop tracking information.

Prior to purchasing KineticEdge, Conning mailed reports to an individual at a customer company. Once the report arrived, it could sit on the person's desk and never get distributed to the rest of the company (and if it did, the sender would really have no way of knowing this). Keane says, "If we put DigitalOwl on the intranet, by giving full access, the probability that more people will see it is higher. They can go in and access it as they see fit." Conning uses the KineticEdge software to mark the document with encrypted metadata granting the customer certain rights, such as printing and copy/paste. The end-user at the customer site can only use the document within the prescribed rules. The client software on the end-user's system enforces the security rules and tracks document usage even when the user is not connected to the network. Usage tracking allows Conning to track document usage throughout the customer organization. Says Keane, "DigitalOwl gave us the facility to more effectively distribute products to corporate customers in a way that we gained a better understanding of the utility."
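The check-out model described above (rights written into the document, enforced on the desktop, usage reported on reconnect), sketched as an added example that is not DigitalOwl's code. An HMAC over the rights record stands in for the product's encrypted metadata, whose format the article does not give; every name and the demo key are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); the article does not describe key handling.
PUBLISHER_KEY = b"constructed-demo-key"

def _digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()

def seal_rights(document: bytes, rights: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """Publisher side: bind a rights record to one document and MAC it."""
    payload = json.dumps({"doc": _digest(document), "rights": rights}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class OfflineClient:
    """Desktop side: enforce sealed rights and queue usage events while offline."""

    def __init__(self, key: bytes = PUBLISHER_KEY):
        self.key = key
        self.pending = []  # usage events not yet reported to the server

    def _verified_rights(self, document: bytes, envelope: dict):
        expected = hmac.new(self.key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return None  # rights record was edited after sealing
        record = json.loads(envelope["payload"])
        if record["doc"] != _digest(document):
            return None  # rights were sealed for a different document
        return record["rights"]

    def request(self, user: str, action: str, document: bytes, envelope: dict) -> bool:
        """Decide one action (e.g. 'print', 'copy') and record it, allowed or not."""
        rights = self._verified_rights(document, envelope)
        allowed = rights is not None and rights.get(action) is True  # default deny
        self.pending.append({"user": user, "action": action,
                             "doc": _digest(document)[:12], "allowed": allowed})
        return allowed

    def sync(self, server_log: list) -> int:
        """On reconnect, hand queued events to the server and clear the queue."""
        sent = len(self.pending)
        server_log.extend(self.pending)
        self.pending = []
        return sent

if __name__ == "__main__":
    report = b"Constructed sample report body"
    envelope = seal_rights(report, {"view": True, "print": True, "copy": False})
    client = OfflineClient()
    print(client.request("analyst", "print", report, envelope))
    print(client.request("analyst", "copy", report, envelope))
    log = []
    print(client.sync(log), "events synced")
```

In this sketch the verification key sits on the desktop, so the rules bind only as far as that machine is trusted; the synced usage log is what gives the publisher visibility either way.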

When they began testing installations they were surprised to find that some Conning customers resisted putting the client software on the desktop because of security concerns. In the end, says Keane, "DigitalOwl helped us craft a solution by developing a less sophisticated version of the [client] software." This allowed Conning to roll out to these customers and incorporate a more fully integrated solution over time. The new solution allows customers to set permissions by taking advantage of security features in software used to view documents, such as the Adobe Acrobat Reader or Internet Explorer. DigitalOwl's Chadwick explains that, while these security features are not quite as robust or flexible in this scaled down version, they still allow Conning customers to read documents, even when they aren't connected to the network.

Keane says, for Conning, "DigitalOwl was a look to the future because it allowed more effective delivery and easier access to information for the customer."

Protecting Publishing Rights
Copyright Clearance Center

Product: RightsLink

Platform: Windows NT

Price: Starts at $12,500, plus no more than 35 percent of each transaction

Customer Case: Wall Street Journal Reprints Department

The Copyright Clearance Center (CCC) was established in the 1970s as a clearinghouse for permissions and reprints. In the mid-1990s, they started to move some of their reprints business to the Internet (and in fact were one of the earliest ecommerce sites on the Web). By the late 1990s, they started getting requests from publishers who wanted to set up business on the Internet, but didn't know how to go about it. Rick Miller, manager of the Market Analysis Department at CCC says, "We didn't just wake up one day and say we need to be on the Web. Publishers came to us," but Miller adds, they were worried about how to maintain control and get paid for their content.

In 1999, the Wall Street Journal (WSJ) was one such organization looking for a way to make it easy for customers to get permissions and order reprints directly at the point of sale on the Wall Street Journal Web site. "Our approach," says Joe Acevedo, director of reprints and permissions at WSJ, "was to make it easy to comply and do the right thing." Although they had been working with another vendor, they were unhappy with the pace of the project and were looking for someone who could provide the software, yet also handle a reprint request below 500 copies. It was at this time that Acevedo hooked up with CCC.

Although CCC didn't have a product yet, they knew they wanted to create one and the WSJ request fit right into their plans. Miller says, "We already had databases with information and knew how to structure the software to include this information. The trick was to develop it in-house." CCC told the WSJ that if they needed help posting material to the Web, they were ready to help. He calls this initial project more of a collaboration than a sale. They spent a year developing this product for the Wall Street Journal Online, which in the end turned out to be the prototype for their RightsLink software.

The WSJ defines rules for content in the RightsLink software. For instance, they may want all articles written by a WSJ reporter to include a permissions link, but to exclude all wire service copy (because they don't own the rights to it). To allow RightsLink to make this determination, the WSJ marks each article with metadata that indicates who wrote the article, where it appeared in the paper, date of publication, and related information. When a user comes to an article and wants reprints, they click a link on the WSJ article page and the RightsLink window opens. From here, they can order reprints or permissions. If the order involves less than 500 reprints, it is sent to CCC where they scrape the article and graphics from the WSJ Web site, format it for printing on an 8-1/2 x 11 page and handle the reprints and mailing to the customer. The WSJ handles large orders or custom orders themselves. The customer can also buy just the rights to reuse the material (in a book, for example) from the same RightsLink window.

Acevedo says, "Publishers are control freaks by nature--and they should be--and RightsLink gives you control over the process." He says, publishers trust CCC and are comfortable with them. "We didn't have to beat them over the head. They got it together very quickly and made life a lot simpler for us." Even more important to Acevedo, they made it simple for the customer to comply without requiring them to understand the rules. He says, "The Rules are checked in the background. It's unrealistic to expect individuals to know all the rules."

For Miller and CCC, it's just good business. Says Miller, "We recognized that the Web is the primary vehicle for conveying information and we needed to be prepared for that."

Transforming the Genome into Digital Content

Product: eRights

Platform: Windows NT/2000 & Solaris

Price: $200,000 and up

Customer Case: Celera Genomics

eMeta comes from a publishing background. As such, according to Ethan Mollick, vice president of business development, they created a product "that was built by publishers for publishers." Says Mollick, "We tried to generalize out all the problems of online access control." What they came up with was eRights, a digital rights management solution that deals with both commerce and security in a flexible and dynamic environment. Mollick says, "We encourage experimentation to see what works." The customer can try different packages, such as targeted offers to the user base, and see what works best to optimize business and increase revenue.

This is particularly attractive to companies that have to deal with large amounts of information in a heterogeneous computing environment because eRights offers open APIs, integration with any database, search engine integration, and the ability to expand upon their base product. In addition, they provide a Java (and more recently Web-enabled) front end or allow the customer to build its own depending on their needs.

When Celera Genomics mapped the human genome in the late 1990s, they knew they had information with tremendous commercial potential, but they needed a way to package and present it to their scientist customers. Ramin Cyrus, director of Internet strategy and alliances at Celera says, "Once you map the human genome, it doesn't tell you a darn thing. You need to make connections. You do this," says Cyrus, "by creating well-curated sets of Bio-Molecule reports." This allows the life science community, Celera's target market, to use the information in a way that's meaningful to them. He likens this kind of targeted research to legal information, which is freely available (as is raw human genome data), yet lawyers subscribe to services like Westlaw to access legal information in manageable chunks. He says his business is built on a similar model.

They needed software that would allow them to go from offering information for free to a pricing model (all the information available for a price) to a modularized system where customers could purchase only the information they needed. Celera began a vendor search and met with eMeta. Cyrus says, "They spoke our language and were well-attuned to what a true information company does."

Celera has a sophisticated IT department and according to Cyrus, they decided to use "the guts of eRights, such as access control, product hierarchy, and some system tools." However, they chose to build their own front-end interface because at the time (late 1999), says Cyrus, some pieces, such as the GUI, weren't in place. He praises eMeta for advances in the product since those early days saying, "They have made tremendous strides. I am amazed at the amount of additional functionality." In fact, later this year, Celera plans to migrate from their custom front end to eMeta's new Web model, which will relieve them from having to support their own GUI.

Celera uses eRights to build modularized packages of data, but they also use it to manage users on the site. Cyrus points out that theirs is different from a conventional ecommerce site. On most sites, he explains, you may have thousands of users banging on the system, but each search is relatively simple (a book for instance). Celera researchers, on the other hand, are searching billions of biological data sets. They rely on eRights to manage people coming in and monitor system usage.

They also use eRights to manage their customer base. In the current system, they enter customer data manually (including who is allowed access and how much access they have). In the future, when the Web front end is in place, they hope to push the administrative tasks to the customer where they set up user accounts and decide who can gain access and maintain their list of qualified users themselves. Cyrus says in this future model he will let the master contract drive the parameters of what institutions can do with the information much like a site license and let the customer manage information control and access issues.

For now, eMeta has given Celera the tools to grow and develop their information business. Says Ramin Cyrus, "eMeta has kept pace with us."

DRM from the Inside Out

Product: XrML digital rights language

Platform: Platform-independent

Price: License fees negotiated with customer

Customer Case: Integrated Management Concepts

ContentGuard traces its origins to the Internet division of the legendary Xerox Palo Alto Research Center (PARC) where according to Rajan Samtani, ContentGuard's director of sales and marketing, they began seminal research as early as 1994 around the notion of digital delivery of files even before the Internet was widely used. During the intervening years, researchers patented what Samtani calls "the basic building blocks of digital rights technology." In 2000, with a substantial investment from Microsoft, they were spun off as ContentGuard. Like many DRM companies at the time, their early products were related to protecting content, but in August 2001, they decided to focus on interoperability and use their XrML to anchor the company. Theirs is a unique approach to the DRM market. Rather than focusing on a specific product, they want to license the use of XrML to companies who build their own custom applications much like Dolby licenses its audio technology to electronics manufacturers for a fee.

Samtani sees the current market as focused on "roles-based access control," but in the future he sees a different market where pervasive DRM is built into the technology infrastructure. To get to that point, he says, "We need interoperability and a single rights language." Their solution involves using the rights language in conjunction with encryption based on standard Public Key Infrastructure (PKI) and X.509 certification. This allows customers to authenticate users wherever they are in a standard browser without worrying about the firewall. Companies are free to build solutions that meet their unique needs and pay a license fee for using the XrML technology.

Integrated Management Concepts was looking for a way to upgrade their MicroFusion software--a middleware product used in enterprise project cost-value systems to manage huge projects, such as a dam or a bridge, with large budgets and long time frames. Chris Taylor, vice president of product development, says when they were planning their upgrade to version 5.0, they wanted to upgrade the architecture to allow for a scalable and open system that had increased security. Taylor says, early on they decided to use standard Web addresses for every field and record in their database and XML and SOAP to allow for system components to talk to each other. They also decided to use PKI and X.509.

Their next move was to find an XML language that could help them achieve increased security in an open system. After a long search, they came across an article regarding Microsoft's investment in ContentGuard and its XML-based language. Taylor says, "It was immediately obvious this is what we were looking for." They downloaded the DTD for XrML, and Taylor says, "The two matched quite nicely."

After reviewing the XrML DTD (at this point they hadn't developed a software development kit), the company decided to move forward and assigned development resources to design a front end based on XrML, but Taylor says, "It was quite a hard decision [since] this was not a core feature." Still they decided to move forward because they felt they had to build access control (above a simple password system) into the software.

Taylor says, they never had a problem with the idea of a license model for the XrML. "We make use of a number of third-party components. Typically, you pay a fixed price without royalty or a lower price with royalty." He says, it's part of the cost of doing business to pay for another company's intellectual property.

Taylor says, "The project did go, in general, the way we envisioned. It took longer than we anticipated, but we never felt it was the wrong thing to do. We're happy with the result we achieved."