New White Paper: Content Security Requirements for Multi-Screen Video Services January 9, 2012
Posted by Bill Rosenblatt in Conditional Access, DRM, Technologies, Video, Watermarking, White Papers.
I have released a new white paper on content security requirements for video services that distribute content to multiple devices. This white paper discusses copyright owners’ requirements for security in today’s world of proliferating devices and delivery channels.
So-called managed networks (cable, satellite, and telco TV) are under increasing pressure to compete with “over the top” (OTT) video services that can run on any IP-based (unmanaged) network to a variety of devices — services like Netflix and Hulu. In the US, in fact, total subscriberships of OTT services are fast approaching the total subscriberships of cable, satellite, and telco TV.
Therefore pay-TV operators have to respond by making their content available on a similar variety of devices and even through unmanaged networks. While some major pay-TV providers like Comcast and Time Warner Cable are launching “TV Everywhere” services, many more pay-TV operators are trying to keep up by building their own service extensions onto mobile phones, tablets, and home devices other than traditional set-top boxes (STBs).
Content security is one of the many requirements that operators have to meet in order to license content from studios, TV networks, sports leagues, and other major content sources. Life for pay-TV operators used to be relatively simple: adopt a conditional access (CA) technology that was as effective in thwarting signal theft as it was in thwarting content piracy. Economic and security goals were aligned between operators and copyright owners. Now life is considerably more complicated, as operators have to support home networks and branch out into mobile services. Content security requirements are more complicated as well.
This white paper gathers security requirements from major content owners and describes them in a single document. The intent is to help pay-TV operators and other video service providers that are looking to launch multi-screen video services, so that they know what to expect and avoid any unpleasant surprises with regard to security requirements when licensing content to offer through their services.
I spoke to representatives from most of the major Hollywood studios to get their requirements. Although it is not possible to build a gigantic table that an operator can use to look up DRM or conditional access requirements for any given delivery modality and client device — among other things, such a table would become obsolete very quickly — I was able to create a set of guidelines that should be useful for operators.
Content security guidelines do depend on certain factors, including release windows (how long after a film’s theatrical release or a TV show’s first airing), display quality, and the usage rules granted to users and their devices. In the white paper, I map these factors to certain specific content security requirements, such as roots of trust, watermarks, software hardening, and DRM robustness rules. Security guidelines also depend on external market factors, which the white paper describes.
Many thanks to Verimatrix for commissioning this white paper. To obtain it, follow this link and fill out the form for a PDF download. Feel free to contact me with any questions or other follow-up.
Public Library E-Book Lending Must Change to Survive December 4, 2011
Posted by Bill Rosenblatt in DRM, Law, Publishing, Uncategorized.
A few events over the past few weeks illustrate the downward arc that I have suggested is in store for public libraries in the e-book age. First, Amazon introduced its own e-book “lending library” for members of its $79/year Amazon Prime service, which allows users to “borrow” one e-book at a time, with no due dates. Second, yet another major trade book publisher, Penguin, got into a spat with public libraries over e-book lending. Penguin stopped offering new titles and withheld Kindle access to all titles, out of unspecified security concerns with OverDrive (the service that powers most U.S. e-book library lending) and Amazon. (Penguin subsequently restored access for existing titles, but not for new ones.)
The Penguin incident is only the latest in what will undoubtedly be a long series of squabbles between publishers and libraries over e-book lending. In fact, five of the “Big Six” U.S. trade book publishers are now either limiting their e-book licensing to libraries or not licensing at all — and the sixth (and largest), Random House, is reportedly reconsidering its library e-book licensing policies. Such spats may well lead to a world of off-putting restrictions and confusion for libraries and their patrons.
Libraries have two fundamental problems here: they have less control over the situation than publishers do, and they are about to get some serious competition from the private sector. An article in Publishers Weekly gives an overview of Amazon’s e-book lending feature and its implications for publishers and authors. In a nutshell, the program is currently limited to a few thousand titles that originate either from Amazon itself or from smaller publishers that still sell e-books to Amazon under a wholesale model, as opposed to the “agent” model used by most major trade publishers, which forbids such activity.
But the Publishers Weekly piece only covers the impact of e-book lending on publishers and authors, many of whom are raising a fuss about Amazon’s program. It says nothing about the program’s impact on public libraries. The executive director of the American Library Association (ALA), Keith Fiels, has publicly expressed a lack of concern over the impact of Amazon’s lending program, given its limited range of titles and that it’s part of a subscription program that includes other features such as streaming video and free expedited shipping. The ALA is more concerned about major-publisher moves like Penguin’s.
Indeed, public libraries are experiencing major growth in e-book lending, especially since Amazon joined the e-lending world by opening up its DRM to enable lending and integrating it with OverDrive’s library lending service. Another piece of evidence that library e-lending is expanding is the entry of a Seattle-based startup called BlueFire Productions as the first serious competitor to OverDrive in the public library space.
At bottom, this is about two things: ways to make e-books available legally for free, and the promotional value of free distribution. That’s why libraries should be worried. First, consumers generally don’t care where they get free legal e-books, as long as they are available conveniently and can be read on their favorite devices. Second, what Amazon has started as a limited service that’s only available to an elite tier of customers will surely become more widely available and with more titles, especially with competitors like Barnes & Noble constantly looking for ways to differentiate themselves from the market leader.
Amazon subsidizes the wholesale cost of e-books that it lends to Amazon Prime members. It does this to make its own services and devices more attractive, not to spur sales of those e-books. If and when B&N offers an equivalent feature, it will undoubtedly do the same.
If I were Keith Fiels at the ALA, I would be very, very afraid. The e-book publishing world may be about to split up into the equivalent of the music industry’s major and indie labels: major labels tend to make deals that maximize revenue and limit free promotion, while indies try for maximum promotion in hopes of getting revenue later. When you apply this dichotomy to publishers and e-books, you will see that libraries will inevitably get squeezed out.
The majors will make life increasingly difficult for public libraries through refusal to license or restrictive and confusing licensing terms. Meanwhile, smaller publishers will “lend” their titles through Amazon and other e-book services — and will most likely be happy with the arrangement for the promotional value it gets them. And some indie publishers will give their e-books away outright — through e-book retailers or through sites like Facebook — in hopes of getting exposure for their authors and selling hardcopy titles, just as thousands of indie musicians used to give away MP3s on MySpace. And let’s not forget that e-book prices are often much lower than their hardcopy counterparts to begin with.
Then it will only be a matter of time until some publishing industry equivalent of Michael Robertson (the music industry’s digital provocateur) will create a search engine for finding free e-books from all of these sources in a single convenient place, storing them in an online locker, sharing them with friends, etc.
If you extrapolate from these changes, you can see how public libraries could become virtually irrelevant for e-book readers.
It’s all because publishers get to decide what e-book titles libraries may lend and (to some extent) under what terms. Again, think of this in music terms: radio stations get the right to play whatever music they want under a license granted by law — a so-called statutory license. Online equivalents of radio (e.g., Pandora, iHeartRadio) get similar rights. Library lending of digital music is virtually nonexistent; radio remains the primary promotional channel for record companies. Perhaps it’s time to think more carefully about public libraries in this light for e-books, as I’ll explain.
There is no equivalent of a statutory license for e-books that would allow libraries to lend them without explicit, title-by-title permission from publishers. As I’ve discussed previously, libraries do get rights under Section 108 of the copyright law to lend e-books under certain conditions. But because most publishers only give libraries e-books to lend as DRM-protected files with license terms attached to them, and Section 108 requires libraries to abide by those license terms, libraries can’t exercise those rights. In effect, those rights have no value for libraries.
Libraries simply do not have enough leverage against major publishers and retailers to improve this situation in the private sector. If they are to remain relevant in the e-book age, they are going to need to push for significant legal reforms, which both publishers and retailers will undoubtedly resist.
I previously suggested one option, albeit in a somewhat tongue-in-cheek manner: push for the Copyright Office to define an exemption to the law that criminalizes hacking of DRMs (Section 1201 of the Copyright Act) so that public libraries can legally remove DRM for the purpose of lending e-books if they repackage them with DRM to enforce lending terms. However, this has two disadvantages: exemptions to Section 1201 only last for three years, until the Copyright Office considers a new set of exemptions, and publishers could push for stronger DRMs that are harder to hack.
The “cleanest” solution to this problem would be to enact Digital First Sale, i.e., an extension to Section 109 of the copyright law that lets anyone do whatever they want with digital downloads once they have acquired them legally. (We had a great discussion on this subject at last week’s conference.) Public libraries owe their existence to First Sale (on physical goods) in the first place. But that won’t help for e-books as long as publishers distribute them with DRM and DRM hacking is still illegal; and anyway, as I discussed recently, Digital First Sale isn’t likely to happen anytime soon. Therefore it would be worth libraries’ while to investigate changes to the law that help them lend e-books while leaving Digital First Sale off the table.
One option would be to push for additional rights for libraries under Section 108. At a minimum, Subsection (f)(4) would have to be relaxed so that publishers may lend e-books even if the licenses they come with forbid this activity. This would be tantamount to a statutory license for libraries to lend e-books without explicit permission from publishers.
As a practical matter, this wouldn’t really change the way things are done today. Libraries lend e-books through third parties like OverDrive, which already get e-books from publishers without DRM and package them with DRM — just like music and video retail services. And provisions already exist in Section 108 that hold libraries liable if they make their own unauthorized copies of e-books. OverDrive and its ilk use DRM to enforce one-copy-at-a-time lending as well as the lending time limits that are in libraries’ own best interests.
This change in the law would improve the situation for libraries substantially. However, the economics may have to change to make it palatable to publishers. For example, libraries acquire e-books for their collections by paying for them title by title, just as they pay for printed books. Radio stations, on the other hand, typically get free copies of recordings from record labels but pay royalties to the music industry for playing them on the air.
If publishers acknowledge the promotional value of library e-book lending, then they might be willing to accept a statutory license to lend e-books if they can negotiate a per-loan royalty rate in lieu of upfront purchase prices. The Copyright Clearance Center, for example, would be in a good position to manage these payments and royalty disbursements, just as ASCAP, BMI, and SoundExchange do for music.
This type of arrangement would enable libraries to maintain huge collections of e-books (through service providers like OverDrive and BlueFire, which would actually house and distribute the e-books) and thus serve the public well. At the same time, the negotiations would have to resolve questions of how many copies of an e-book a given library could lend out concurrently; one copy per library doesn’t reflect the fact that big libraries acquire multiple copies of popular titles. Is it possible for the numbers to be defined so as to be fair to both publishers and libraries? That would be a good question for the Section 108 Study Group, the venue for recommending changes to that section of the copyright law, which used to convene every five years but was disbanded by Congress after its last report in 2008.
A limited form of just such a statutory license-type solution has actually been suggested in the private sector already, in the proposed settlement to publishers’ and authors’ lawsuits against Google. It includes giving public libraries rights to make every book scanned on Google’s behalf — over 12 million titles at last count — available on a single terminal within each library. Libraries would not even have to pay for this. However, this doesn’t allow e-books to be available outside of libraries’ physical confines, it doesn’t allow libraries to acquire multiple copies of e-books they want to make available to more than one patron at a time, and Google can withhold up to 15% of its scanned titles at its discretion.
The Google book settlement is still unresolved, but the terms in it show that publishers may be willing to grant libraries some limited e-book lending rights. Libraries have complained about the “table crumbs” offered to them in the Google book settlement. But unless they take action similar to what I’ve described here, those rights may be the best that public libraries can hope for as the e-book market expands.
Amazon Kindle Cloud Reader Lowers the Speed Bump for E-Books August 31, 2011
Posted by Bill Rosenblatt in DRM, Publishing, Services.
Amazon launched Kindle Cloud Reader a few weeks ago. This version of the Kindle e-reader app runs within web browsers and therefore on a wider variety of platforms than its hardware Kindle devices and pre-existing e-reader apps for platforms such as Apple iOS and Android.
The main intent of Kindle Cloud Reader is to get around app stores, so that Amazon can make e-books available on iPads, iPhones, and Android devices without having to pay Apple or Google — both competitors in the e-book space — a percentage of its revenues. Yet Kindle Cloud Reader is different from the others in a way that could turn out to be just as important as its interoperability: it doesn’t encrypt e-book files.
Various people have discovered that Kindle Cloud Reader is a straight HTML5 app and that the server sends it unencrypted content a chapter at a time. It would be fairly easy to build a program that captures the HTML and stores it locally. This would be roughly equivalent to “stream capture” for audio and video, except that the result would be a perfect browser-renderable copy of the e-book.
This means that Kindle Cloud Reader does not operate in the same way as other web-based e-readers, such as Google Editions or Amazon’s older Amazon Pages technology. These display page images that would have to be fed sequentially to an OCR engine in order to capture the text – a higher “speed bump” than Kindle Cloud Reader uses.
E-book DRM technologies have generally been hacked, but this move by Amazon lowers the e-book copying “speed bump” significantly — not as low as DRM-free music downloads, but getting there.
Furthermore, Kindle Cloud Reader lacks certain functionality that other e-readers have, such as copy-to-clipboard. Google Editions allows copy-to-clipboard with limits. Ironically, the lack of copy-to-clipboard in Kindle Cloud Reader has inspired hackers to figure out how to add this functionality and thereby stumble upon the fact that the content is not encrypted.
Three questions arise out of this development. First, why is Amazon doing this? Second, do the publishers that license material to Amazon know about it? Third, would a program that captures e-book content in Kindle Cloud Reader be illegal under anticircumvention law (DMCA 1201 in the United States)?
The first question is most likely answerable. This development indicates that Amazon is confident enough about its leadership position in the e-book market that it does not feel as much need to lock customers into its platform, as it has done (more strongly) with its DRM.
It also shows that Amazon intends to make its e-book money more on e-books themselves than on reader devices. This is in line with analysts’ projections that the tablet market will grow faster than e-reader devices and therefore that e-readers will come under increasing price pressure. Amazon’s intention to launch a tablet device of its own by the end of this year corroborates this.
The third question is an interesting one. The anticircumvention law was designed to place liability for hacks to “technical protection measures” (TPMs) on hackers themselves rather than on the suppliers of the TPMs. This has led to the question of how strong a TPM has to be in order to qualify for protection under this law.
The 7th Circuit appeals court addressed this question in Universal v. Reimerdes (2000) regarding the hacked CSS encryption scheme for DVDs: the defendants in the case suggested that CSS shouldn’t qualify for legal protection because it was so easily hacked. The court did not want to establish a test for TPM effectiveness, so it declined to address that issue.
More recently, a company called SunnComm that made CD copy protection technology threatened to sue a researcher for discovering that its technology was trivially easy to circumvent: just press the Shift key on a PC when inserting a protected CD into the PC’s drive and the copy protection mechanism could be bypassed. SunnComm withdrew the lawsuit. One reason for this could have been fear of the repercussions of an adverse court decision — which would most likely have resulted in just such a test for TPM effectiveness.
If a publisher sues someone under the anticircumvention law for making a program available that extracts e-book content from Kindle Cloud Reader, then we’ll see what the answer to the third question above is (if the suit goes to trial). Or, if a publisher sues Amazon for breach of licensing agreement over the lack of encryption, we’ll know the answer to question number two.
Of course, there is also a fourth question: is this the beginning of the end of DRM for e-books? I suspect the answer is yes, although this should happen more slowly (or not at all) for certain segments of the publishing market, such as higher education and expensive professional/technical content. In general, I don’t believe it will happen as quickly as it did for music.
The digital music industry is moving from a model based on file ownership to one based on cloud storage. Storage of content on servers instead of on users’ devices goes hand-in-hand with elimination of file encryption. This transition is just beginning and will take years to complete. Even so, cloud-based e-reading seems like more of a stretch than cloud-based music: although the “celestial jukebox” model has been available for several years, its uptake has been slow. People are only just now starting to envision a world without physical music ownership. It will take them considerably longer to envision a world without physical books.
New White Paper: The New Technologies for Pay TV Content Security August 18, 2011
Posted by Bill Rosenblatt in DRM, Fingerprinting, Technologies, Video, Watermarking, White Papers.
I have just published a new white paper: The New Technologies for Pay TV Content Security. This white paper was commissioned by Irdeto.
The 28-page paper describes the current state of the art of techniques for protecting video content delivered over pay television networks such as cable and satellite. The two primary theses of the white paper are:
- Pay TV often leads in content protection innovation over other media types and delivery modalities. That is because, among other reasons, it is a fairly rare case where the economic interests of content owners and service providers are aligned: content owners don’t want their content used without authorization, and pay-TV operators don’t want their signals stolen. Therefore pay-TV operators have incentives to implement strong and innovative content security solutions.
- Before today, many content security schemes could be described as hack-it-and-it’s-broken (such as CSS for DVDs) or a cycle of hack-patch-hack-patch-etc. (such as AACS for Blu-ray or FairPlay for iTunes). Now technologies are available that break the hack-patch-hack-patch cycle, thereby decreasing long-term costs (TCO) and complexity.
The white paper starts with a brief history of content protection technologies for digital pay TV, starting with the adoption of the Digital Video Broadcasting (DVB) standard in 1994. Then it describes various newer technologies, including building blocks like ECC (elliptic curve cryptography), flash memory, and secure silicon; and it describes new techniques such as individualization, renewability, diversity, and whitebox cryptography. It ties these techniques together into the concept of security lifecycle services, which include breach response and monitoring.
The final section of the paper discusses fingerprinting and watermarking as two techniques that complement encryption as ways of finding unauthorized content “in the wild.”
My thanks to Irdeto for sponsoring this paper.
Irdeto Acquires BD+ Technology from Rovi July 7, 2011
Posted by Bill Rosenblatt in DRM, Economics, Technologies, Video.
Irdeto announced that it has acquired the BD+ content protection technology for Blu-ray discs from Rovi Corp. (formerly Macrovision). This includes the team and patents related to Cryptography Research Inc.’s Self Protecting Digital Content (SPDC), which Rovi acquired in 2007.
Given the string of recent acquisitions that Rovi has unwound (eMeta, InstallShield, FlexNet, TryMedia, and others), most of which have to do with content security or license management, this deal would seem to be yet another in the same vein; and in fact, BD+ was the last content security asset that Rovi owned, apart from its legacy serial copy management technology. Rovi is apparently paring assets to focus on its metadata (acquired from All Media Guide and Muze) and Electronic Program Guide (Gemstar) businesses; Rovi has dominant market shares or IP positions in both areas.
But a conversation I had with Irdeto revealed an entirely different purpose for this deal: one of the major Hollywood studios brokered it in an attempt to fix Blu-ray security, which has been seriously hacked. Irdeto did not name the studio, but those who follow the industry closely can probably guess which one it is.
BD+ is one of two sets of security technologies used in the Blu-ray disc format. The other, AACS, has been hacked — but the impact of the hack is not as severe as that of other hacks, such as the hack to CSS for DVDs. Nevertheless, the security of Blu-ray discs is apparently so poor that Hollywood is concerned enough to find a solution.
The idea in this deal is that Irdeto will bolster the security of Blu-ray by applying the Cloakware software-security technology that it acquired in 2007. According to Irdeto, this is a nontrivial engineering challenge but one that it believes it can solve in a few months’ time.
When Blu-ray first hit the market, with its multiple layers of content security, I had thought it was a real breakthrough for Hollywood. It looked as though Hollywood had not only learned its lesson about approving content security schemes that are too easy to hack (such as CSS for DVDs) but also had figured out a way to get downstream entities, such as consumer electronics makers, to pay for truly superior security.
Yet now we know that Hollywood has, once again, gotten what it paid for. Now that the latest intelligence about the Blu-ray format says that rumors of its demise are exaggerated, Hollywood wants to shore up the format’s security and protect its release windows. It wants to rely on Irdeto’s Cloakware technology to plug the holes.
This is a great vote of confidence in Irdeto. But relative to the bigger picture, one must ask: does it really change Hollywood’s behavior so that this kind of thing doesn’t happen again? To put the question another way: what does Irdeto get out of this deal that would create incentives for it and other vendors to produce truly superior content protection — technology that is secure and affords a decent user experience?
Irdeto isn’t offering an answer. The terms of the acquisition from Rovi are undisclosed. It is unlikely that Blu-ray equipment and software makers will pay more for a license to Cloakware-enhanced BD+ technology than they pay now. Irdeto says that it will get “something” if it completes the Blu-ray fix successfully, but it won’t say what that something is.
I get the feeling that it will mostly be bragging rights. Irdeto will get the cachet of having “fixed Blu-ray,” which will (so the logic goes) lead to other opportunities with future formats; such is the power of Hollywood studio endorsement of content protection technology. And there is certainly some value in the elegant SPDC technology and the patents and engineering team that came with Irdeto’s acquisition.
But — putting aside the price of the acquisition vis-à-vis the value of the Blu-ray revenue stream that comes with it — the value of this deal strikes me as illusory. It’s the analog of user advocates who say that Hollywood studios should give away their content online so that consumers can “engage with the brands.” Both Hollywood studios and content protection vendors are in business to make money from their products. The major studios generally operate on the proposition that more money makes for a better product. Why can’t they apply the same principle to content protection?
Book Industry Bodies Consider DRM… Again May 26, 2011
Posted by Bill Rosenblatt in DRM, Publishing, Standards.
This week at Book Expo America in New York, the Book Industry Study Group (BISG) and the International Digital Publishing Forum (IDPF) held an open meeting to discuss what the two industry bodies should do about DRM standardization.
Although this meeting wasn’t all that well attended — it was hampered by a hard-to-find location in the remote reaches of the cavernous Javits Center — it did provide good insight into book publishers’ attitudes about DRM, now that e-books have a much bigger impact on the industry than they did a few years ago.
Angela Bole of BISG kicked off the meeting by explaining the research and standards body’s role in the process. She emphasized that the reason for BISG’s interest in DRM standardization was to “take friction out of the supply chain” for publishers, retailers, and users. BISG has been successful in promoting other supply-chain-oriented initiatives, such as the ONIX standard for book product metadata.
Then Bill McCoy, Executive Director of the IDPF (and former e-publishing executive at Adobe), laid out a few possible choices for direction that the IDPF could help facilitate, and discussed their pros and cons (mostly the latter):
- Rely on e-books migrating to browser-based delivery on connected devices, meaning that users will no longer need to download e-books, making file-based DRM unnecessary (instead relying on what I call “screenshot DRM,” as currently practiced by Google Editions and Amazon’s “Look Inside” feature). This option isn’t practical because the technology won’t be in place for years, and people still want to own their e-books permanently.
- Go DRM-free. One of the advocates of this approach, Andrew Savikas from O’Reilly & Associates, argued for DRM-free and cited his company’s research to prove that “piracy helps sales” [see note below]. But few major publishers are interested in giving up DRM at this time.
- Gravitate towards a single-vendor solution, as the music industry effectively did with Apple and iTunes. This would improve the user experience, but it would result in a single entity with a stranglehold on supply chain economics; publishers would lose.
- Advance an interoperable DRM standard. By process of elimination, McCoy expressed interest in pushing this model.
The IDPF, and its predecessor organization the Open e-Book Forum (OeBF), have muffed the DRM issue twice already over the past decade. When it developed the highly successful EPUB format, IDPF opted not to include DRM in the specification. This happened primarily because the technology vendors that hold sway at the IDPF did not want a DRM standard: they either wanted to do without DRM entirely or to stick with their proprietary DRM; adopting a standard DRM would be an expense and hassle they would rather do without.
Before that, around 2003, the OeBF tried to define a standard rights expression language (REL) that publishers and retailers could use to express rights that they wanted to grant to consumers as part of a DRM system. The MPEG standards body adopted an REL standard (MPEG-REL) as part of its MPEG-21 suite of standards for digital multimedia. The OeBF decided to create an e-book-specific version of MPEG-REL. (I participated in this effort on behalf of the Association of American Publishers.) MPEG-REL has had negligible impact on the market, and the OeBF’s e-book REL effort went nowhere.
The current state of the e-book market makes any DRM standardization strategy challenging. There are now three dominant platform vendors, each with their own DRM: Amazon, Apple, and Adobe (used in virtually all other e-readers, including the Barnes & Noble Nooks and Sony and Kobo Readers). Any DRM standard would have to either promote interoperability among these or replace them. But the major players are already well established and therefore have little incentive to cooperate. Contrast this with Hollywood, where the market for digital video downloads is arguably less mature.
With that in mind, McCoy posited three possible approaches to interoperable DRM:
- Standardize on a single DRM, the way Hollywood did with AACS for Blu-ray (and HD-DVD).
- Instead of using file encryption, use a type of technique that McCoy has dubbed “Social DRM”: insert watermarks into e-books that contain personal information related to the user, such as a credit card number.
- Adopt a rights locker approach similar to that of Hollywood’s DECE (a/k/a UltraViolet), in which users pay for the right to download a title to one or more e-reading devices of their choice, as long as each device supports one of the approved DRMs.
The first of these options is a virtual impossibility with three platform vendors already established in the market. The “social DRM” technique has been tried in both e-books (by Microsoft in the previous decade) and music, with little success. Furthermore, it’s unclear how such a system would work with the EPUB text-markup format: for one thing, I don’t see how to avoid simple tools for stripping the watermark data from EPUB files without reverting to “regular” DRM.
That leaves the third option, which was the subject of some discussion at the meeting at BEA. The advantage of a DECE-type model for e-books is that it makes it unlikely that any of the platform vendors would need to scrap and replace their existing DRMs. DECE-approved DRMs must merely share certain basic technical characteristics, such as using the same crypto algorithm, so that the central rights locker can store encryption keys that work with all compliant DRMs.
But I don’t see how adopting DECE would be particularly helpful in reducing the number of e-book platforms or promoting interoperability. Of the three major platform providers, at least two (Apple and Amazon) have no history of cooperating with others. The latest market share statistics for e-book retailers, from Goldman Sachs in February, give Amazon 58% of the market, Barnes & Noble 27%, and Apple’s iBooks 9%. If we assume that the remaining 6% consists of other retailers that use the Adobe platform (such as Sony), then we have Amazon and Adobe fighting it out at a reasonably competitive 58% vs. 33%.
Market forces alone may well reduce the number of dominant platforms to two, by marginalizing Apple as a DRM platform provider for e-books. Both Amazon and B&N have apps that run on popular mobile devices. So one way to achieve “interoperability” is simply to use an iPad, iPhone, Android, or BlackBerry (not to mention Windows or Mac) with both Kindle and Nook apps, and live with two e-bookstores. Apple’s iBooks, which only runs on Apple iOS devices, will isolate itself into irrelevance. And its dependence on the iTunes retail infrastructure hampers Apple from doing the previously unthinkable and switching iBooks to Adobe’s DRM (thereby joining B&N and others to weaken Amazon).
If the book industry really wants to achieve e-book interoperability among dedicated e-readers, then a fourth alternative, beyond those that Bill McCoy suggested, may be worth investigating: Coral. Coral was a consortium led by Intertrust that had developed a framework for actual interoperation among DRMs through trusted intermediary services. This approach makes it possible for a user to call a service to “translate” content from one DRM to another while maintaining security.
Coral still technically exists but has been quiescent over the last several years as Hollywood rejected it in favor of the DECE multi-DRM approach. DECE depends on online retailers building infrastructure to support all compliant DRMs — currently five of them — and agreeing to let users migrate from one retailer to another like GSM mobile subscribers do with their SIM cards. This is unlikely to fly with Amazon or Barnes & Noble.
Instead, Coral would enable users to use their e-books on other devices while letting retailers retain control of their users’ purchase information. This alternative seems more palatable to e-book retailers than the DECE approach, and it would help users.
Technical and licensing issues must be investigated in order to determine whether Coral might be suitable for current e-book platforms. As various participants stated at the BEA meeting, book publishers are far more likely to be successful in pushing for DRM interoperability through industry-wide vehicles than one publisher at a time. The major e-book retailers need incentives to adopt interoperability that will enhance the user experience and help the market grow faster. Publishers can push for such incentives in licensing deals. As long as their actions fall on the correct side of antitrust law, the IDPF has a way forward.
*O’Reilly commissioned my colleague Brian O’Leary to do a study on piracy’s effect on sales in 2008. O’Leary’s findings encouraged O’Reilly to stay away from DRM. When I asked Savikas what the study measured, he stressed that it was a limited study that was only relevant to the way O’Reilly sells and markets its content.
As the author of books published by O’Reilly myself, I would like to assert that O’Reilly is an outlier, and the research results should not be taken as representative of the book industry as a whole. I maintain that both piracy’s effect on sales and DRM’s effect on piracy (or sales) have yet to be measured with any degree of confidence for book publishing (or any other media industry segment) — and perhaps never will.
Here’s why O’Reilly is atypical: first, it is much more active and sophisticated than other book publishers at using online techniques to market and distribute content, thereby making it easier for O’Reilly to monetize content online. Second, this redounds doubly to O’Reilly’s benefit because of the tech-savvy of O’Reilly’s core audience of IT professionals. Finally, O’Reilly’s content attracts an open-source-oriented crowd that has a particular antipathy towards DRM, making a backlash more likely than for other publishers if O’Reilly were to implement it. O’Reilly & Associates is a superb publisher, but its study on piracy and DRM has limited meaning for the industry at large.
Amazon To Enter Library Lending Market April 20, 2011
Posted by Bill Rosenblatt in Devices, DRM, Publishing, Services, United States.
Amazon announced today that it is launching Kindle Library Lending, working with OverDrive to support Kindles and Kindle apps on other platforms on OverDrive’s digital lending platform for public libraries. The timing of the announcement was unclear, given that the service won’t be available until “later this year.”
OverDrive is apparently adding server-side support for Amazon’s Kindle DRM technology, so that it can distribute e-books that are readable on all Kindle devices and apps. This will make OverDrive the first third-party service provider to support the Kindle DRM.
This announcement throws an interesting twist into the recent controversy over lending of e-books from public libraries. One of the complaints that library and user advocates have made about digital lending is that DRM has prevented e-books from being readable on and portable across different reading devices and software. The distinction between the two is important, so let’s examine them.
Currently, patrons of libraries that use the OverDrive service can borrow e-books and read them on just about any popular device except Amazon Kindles. OverDrive uses the Adobe Content Server/Digital Editions platform, which runs on just about every e-reader device except Kindles, as well as on software apps for Windows, Mac, Linux, Android, iOS (iPhone, iPad, etc.), and BlackBerry. When Kindle Library Lending launches, that limitation will be removed.
Instead, library patrons will most likely have to choose which e-book format they want based on what device they have. This will, ironically, lead to overlap: you will be able to choose either format if you have a PC, Mac, Android device, or Apple iOS device. If you have a Nook, Sony Reader, Kobo Reader, or IREX, you’ll choose the Adobe format; if you have a Kindle, you’ll choose the Kindle format. As far as portability is concerned, e-books will be readable across these two highly overlapping subsets of devices. Amazon’s Whispersync feature will even preserve margin notes you write on borrowed e-books without revealing them to other borrowers.
You still won’t be able to “re-lend” your e-book to a friend or family member unless they use your reading device or your user account, and you still won’t be able to move your e-book from a device in one of the ecosystems to one in the other ecosystem — for example, from a Nook to a Kindle or vice versa. But that’s a pretty low number of restrictions, given that this is library lending we’re talking about, not purchase and ownership.
Given the recent price drops, it looks like the Kindle is on its way to being a loss-leader product for Amazon — which will make up the revenue through its margins on e-book sales. So why would Amazon want to support library lending? Apparently because library e-book borrowing is popular, and the Kindle’s lack of support for it gives Amazon’s competitors a differentiating feature that consumers consider to be important. As Amazon’s press release suggests, the Kindles’ ability to read library e-books is up there with their display quality, battery life, and other features in the ultra-competitive e-book reader race.
PlayReady on Android and iOS Shines at NAB April 14, 2011
Posted by Bill Rosenblatt in DRM, Mobile, Technologies.
Three vendors of DRM technology made announcements timed to this week’s huge NAB conference in Las Vegas: AuthenTec, BuyDRM, and Discretix. The common theme among these announcements was support for Microsoft’s PlayReady DRM on the Android and Apple iOS platforms.
AuthenTec, a company based in Florida whose main business is fingerprint readers (as in human fingerprints, not digital ones), acquired DRM assets from SafeNet a year ago. These assets included a multi-DRM framework called DRM Fusion and OMA DRM software — acquired respectively from DMDSecure of the Netherlands in 2005 and Beep Science of Norway in 2008.
Usually this many acquisitions in so short a time implies deals that are euphemistically called “asset sales” and an acquiring company that lets the technology wither and die. I had serious doubts that AuthenTec was going to do anything with the SafeNet DRM product lines other than support existing customers, but this announcement dispels that doubt. DRM Fusion enables service providers to distribute content packaged in several different DRM formats; it originally supported Windows Media DRM (Microsoft’s older technology), then added OMA DRM support. Now it has added support for PlayReady in a downloadable application for Android and Apple iOS clients called DRM Fusion Agent.
BuyDRM of Austin, TX, is a longtime Microsoft partner that has built its DRM service infrastructure, KeyOS, around Windows Media DRM. It announced KeyOS: Cloud Edition, a version of KeyOS that uses Microsoft’s Windows Azure cloud-based service platform. Along with the support for Windows Azure, BuyDRM will be offering PlayReady for Android and iOS. BuyDRM has HBO Eastern Europe as a launch customer, and general release is planned for June.
Discretix of Israel has also been known for multi-DRM support, focusing on mobile clients. It too had been supporting Windows Media DRM and OMA DRM implementations. But its new product, SecurePlayer, focuses exclusively on PlayReady for Android and iOS. SecurePlayer is a downloadable application that combines a port of PlayReady to the target device along with a video player that is tightly coupled to the DRM. This is more secure than a DRM implementation that merely relies on a device’s native video player, where content can be exposed in the clear.
All of these DRMs focus on delivery of video to “app phones” and tablets, whether through download or streaming. This ties in with the more general trend of providing a given set of video content on any device — via a service like Hulu, the cable industry’s TV Everywhere initiative, or other channels. Services like these need cross-platform DRM support in order to comply with studio and network licensing requirements. Meanwhile, Microsoft is doing little by itself — other than making an SDK available — to help enable porting of its DRM onto non-Microsoft platforms. Thus the opportunity for these third-party vendors.
Another trend that these announcements indicate is OMA DRM 2.x’s continuing fade into irrelevance. The number of services using this DRM has been small enough as it is. In the music market, its demise was hastened last year with the news that Vodafone was phasing out its OMA DRM 2.1-based mobile music subscription service in favor of paid MP3 downloads. The number of vendors offering OMA DRM implementations has dwindled.
Of course, other cross-platform DRMs for portable video-capable devices are available, such as Marlin (Intertrust) and NDS VideoGuard. (The fate of Widevine’s DRM technology after its acquisition by Google late last year is uncertain.) But PlayReady is the hot technology of the moment.
Now, on a completely different subject:
Personal Appeal for Aid to Japan
I have heard people say that the crisis unfolding in Japan is horrible but they aren’t sure how to help. Many organizations are collecting money, but it’s hard to know how it will be used or where it will go. Now here’s a more targeted and personal way to help:
My brother-in-law has lived in Japan for several years. He lives in Tokyo now, but he started out teaching English in a village called Kawauchi, which is within the evacuation zone in Fukushima Prefecture near the stricken Daiichi nuclear plant. He has deep personal relationships with people in the village and is organizing aid for its few thousand residents, who are currently in a facility analogous to the New Orleans Superdome after Hurricane Katrina here in the U.S. He says:
Please send:
Toys and activities for children, school supplies, paper products including tampons, diapers for children and adults, personal wipes, tissues, toothpaste and toothbrushes (including for dentures), make-up, shampoo, games, new clothes, music, books and magazines (in Japanese only).
Sending along special foods and snacks will definitely be appreciated. Rations at the evacuation center are not particularly pleasant!
Aside from the basics, please feel free to send anything you think might cheer the villagers up. It is unlikely that any of them will be able to see their homes for many years, if ever.
Please note that people of Kawauchi Village cannot read English past a first grade level. Many of the evacuees are elderly, too.
Pass this note on and feel free to contact me directly if you have any questions. Thank you! – Barry Lustig, barry_lustig@hotmail.com
Here is the address:
Yoshinobu Ishii from Kawauchi Village
South 2-52, Koriyama City
Fukushima Prefecture
963-0115 JAPAN
telephone: (+82) 09022773557
〒963-0115 福島県郡山市南二丁目52番地
川内村教育長石井芳信 様
Irdeto Sets Next Level in Video Content Protection March 7, 2011
Posted by Bill Rosenblatt in DRM, Technologies, Video.
Last week, Irdeto of the Netherlands announced its new ActiveCloak for Media content protection technology for video. This is a real, bona fide breakthrough technique. It’s also revolutionary, in that it starts with a bold statement for the DRM industry: an admission that it has a problem.
A long, long time ago, there was a myth: that DRM was hack-proof. Most knowledgeable people stopped believing this myth years ago, especially since it came to light that many DRMs were designed to be cheap to implement rather than strongly protective of content. But somehow the myth persisted and was very hard to eradicate.
The media industry responded to weak DRM in a couple of ways. First, they got a law passed that made hacking DRMs illegal. This law — the DMCA — placed liability for hacking solely on the hacker. The idea was to deter hackers through criminal penalties rather than to give incentives to technology vendors to create stronger DRMs, or to make the vendors liable for hacks.
Next, the industry created licensing frameworks for DRM technologies that bolstered them by imposing additional technical obligations on implementers. If you wanted to implement a system using a certain DRM technology, you had to agree to so-called robustness rules, which were designed to prevent the software “around” the DRM from leaving doors open to hackers. Robustness rules cover things like how to hide keys in software and how to “harden” software so that it can’t be reverse engineered.
As we know, DRMs are still routinely hacked.
Yet in some quiet corners of the industry, hacking is treated as a given. One example: the CEO of a software antipiracy technology company recently boasted about his company’s success in the gaming market. He measures success by the length of time until a game is hacked. The game publisher is pleased, he says, because his technology works well enough that games aren’t hacked until after their “new and hot” period is over. By this point, the game company has made the bulk of its money; it’s happy for the hacked game to “go viral” and generate demand for the next version of the game.
Try telling this to a Hollywood studio.
Meanwhile, DRM technologies have advanced by limiting the impact of hacks, through techniques such as key revocation (preventing the offending device from doing any more damage) and field-upgradeable encryption (changing the encryption algorithm so that a specific hack no longer works). But these techniques are analogous to making air passengers take their shoes off at security because someone tried to hide a bomb in his shoe once: they don’t prevent the damage from happening in the first place.
With last week’s announcement of ActiveCloak, Irdeto has taken the next logical step. Instead of trying to design DRMs so that they are hack-proof, or even so that they take as long as possible until they are hacked, assume they are going to be hacked and act before they are.
ActiveCloak enables network operators and service providers to change the content protection software proactively as well as reactively. Instead of upgrading the encryption or revoking keys after a hack — or as we Americans say, locking the barn door after the horse has escaped — ActiveCloak lets operators change the client configuration on a regular basis at intervals shorter than the time to expected hack. (Service providers could do this on their own, but ActiveCloak makes the process automated and much more straightforward.)
Irdeto doesn’t just do this by changing encryption keys or even random seeds used in code obfuscation algorithms. ActiveCloak represents a synergy between Irdeto’s legacy content protection technology for digital TV and the software hardening and key hiding technologies of Cloakware, which Irdeto acquired in late 2007.
Cloakware’s main offering in the digital media industry is tools and techniques for hardening DRM implementations so that they meet robustness rules. Many implementers of several different DRMs use Cloakware to harden their code; its only real competition in the digital media market is the smaller Arxan Technologies.
In fact, when the acquisition was announced three years ago, I had assumed that Irdeto’s objective was to collect a “toll” from those who implement content protection solutions from its competitors.
Now we have a product that embodies true synergies between the legacy Irdeto and Cloakware technologies. The system renews itself with respect to the key hiding and code hardening as well as the content protection itself, and it does so on a proactive basis. ActiveCloak gives new meaning to the term “race against the hackers”: hackers must do their thing before the clock runs out and the system is renewed. The integration of Cloakware’s technology makes outwitting this system that much more difficult — assuming, of course, that no one figures out a way to disable the overall scheme.
As Irdeto admits, ActiveCloak will be more expensive than comparable video content protection technologies — in terms of both upfront cost and operational complexity. The company argues that the total cost of ownership is lower than that of a system that has to be patched or replaced due to hacks.
With pay TV operators (cable or satellite), this may well be a reasonable sales proposition. Pay TV operators are somewhat unique among content service providers in that their economic incentives are aligned with those of TV networks, movie studios, and other content owners: none of these entities want their signals to be stolen. The same is emphatically not true for, say, an Internet content retailer or consumer device maker.
ActiveCloak for Media is initially targeted toward OTT (over-the-top or IP-based) content delivery to tablet, Google TV, and other devices. Ports to Apple iOS, Android, and Intel’s “Sodaville” chipset for set-top boxes exist. The technology is running on three Google TV platforms, Boxee, and tablet and PC implementations with unnamed operators.
Although ActiveCloak is a real step forward in content protection technology, it still presupposes that Hollywood is dissatisfied enough with current technologies — and the various legal backstops — to make its content licensees pay a premium for the new technology. It’s doubtful that Hollywood studios will take other content protection technologies off their “approved lists,” but it may make robustness rules more stringent with respect to renewability.
At the same time, I’ll hazard a guess that if this approach catches on — if the rest of the industry is willing to admit that it has a problem — then Irdeto’s competitors will be looking to emulate ActiveCloak. If I were Arxan, I’d have investment bankers ready and waiting to field the incoming acquisition offers. And if I were Irdeto, I’d have my patent lawyers working overtime to protect the technology.
E-Book Lending: The Serpent in the Garden of Eden March 3, 2011
Posted by Bill Rosenblatt in Business models, DRM, Law, Publishing, Services, United States.
I wrote my previous article about e-books and libraries in response to an article by my colleague Thad McIlroy on his Future of Publishing site. The news that HarperCollins had put restrictions into its e-book licenses for lending library services so that each “acquired” title could only be loaned out 26 times was fresh and appeared as a side note in my article. HarperCollins (a division of Rupert Murdoch’s News Corp) is one of the world’s largest trade book publishers. So, what about this major development?
First, let’s quickly review the technical and legal backdrop to what HarperCollins is doing. Libraries normally buy (acquire) books to lend to library patrons. This is made possible through the copyright law, specifically section 109, which is known as First Sale. Section 109 says that anyone who legitimately obtains a copy of a copyrighted work (e.g., a book) can do whatever she wants with it, including resell it, lend it, or give it away. Eventually physical books in lending libraries become worn and damaged; libraries may repair them or dispose of them. Libraries control lending abuses by collecting fines from patrons who return books late or not at all.
In the world of e-books, libraries don’t buy titles; they license e-books in order to license them to patrons. A license is a contract, the terms of which are ultimately up to the publisher. Copyright law allows libraries to lend digital works to their members, but DRM-packaged e-books are governed by licenses, and thus contract law, not copyright law.
Of course, it takes no effort to make a copy of an e-book. That’s why library services use DRM to ensure that e-books are loaned only to properly credentialed users (i.e. members of the library) and that those users can’t make copies for their million best friends. Service providers like OverDrive and NetLibrary have arisen to make it possible for libraries to “lend” e-books in a way that is very similar to the way they lend hardcopy books: you get access to the e-book for the library’s lending period (perhaps a couple of weeks, or for a reference work, a few hours), and then it “disappears” from your device and becomes available to another library member. Libraries can license multiple copies of popular works so that more than one patron at a time can borrow them.
The noted library technologist Eric Hellman calls this the “Pretend It’s Print” model — a characterization I don’t quite agree with, but leave that aside for the moment. Hellman characterizes “Pretend It’s Print” as a reasonable model, at least for the time being. But HarperCollins appears to be taking “Pretend It’s Print” quite literally: they seem to be trying to emulate physical wear and tear on a book that leads some libraries to discard books after a while. Still, Hellman’s blog post on the subject drips with contempt for HarperCollins.
I also believe that HarperCollins has done the wrong thing, but for a different set of reasons. Let me preface my reasons with a couple of caveats: I have no access to statistics on the expected lifespans of library books, though I found a couple of data points that expect between 20 and 35 loans until a book must be either discarded or repaired at a cost that may exceed its value — thus making HarperCollins’s 26 seem like an appropriate number (or did they find the same two articles I did?). I also have no insight into a library book’s promotional value to a publisher, but I suspect it’s not very high.
HarperCollins’s 26-loan limit is just a bad decision. It is bound to please absolutely no one. It is a lose-lose-lose proposition. The library community is up in arms on Twitter and elsewhere about the decision. Many are calling for libraries to boycott HarperCollins material in hardcopy as well as e-book format.
Yet at the same time, two other major publishers, Macmillan and Simon & Schuster, never licensed e-books for library lending in the first place. Librarians complain about this, but not very much.
As I said previously, I had heretofore considered e-book lending to be one of the real success stories of DRM. Libraries get to lend e-books, publishers get paid for those e-books, and library patrons can read them on a wide range of devices (pretty much anything but a Kindle) without leaving their homes or offices. Everybody wins.
Furthermore, let me be clear that some form of content protection is absolutely necessary for library e-book lending. To allow library patrons to make additional copies of “borrowed” digital materials with even relative impunity is just plain unfair to publishers and authors. (Yes, DRMs can be hacked; people can make digital scans of hardcopy books too.)
Yet HarperCollins is making two serious mistakes in DRM implementation. One is to try – too literally – to use DRM to emulate a physical product in the digital domain. This has never worked, because a digital emulation will always contain one or more shortcomings with respect to the original physical model that will not meet user expectations. “Pretend It’s Print” may be a convenient point of reference for consumers, but it is more effective to focus on the content access model rather than the physical product in designing digital content services. (As far as I know, record labels aren’t experimenting with DRMs that gradually introduce clicks, pops, and skips into digital music files.)
In this case, the HarperCollins model will fail to meet “user expectations” by angering librarians, who don’t like DRM in principle. Either the e-book will suddenly become unlendable without warning or the DRM system will warn librarians that they will soon have to pay for another license to keep lending the e-book. How many libraries will re-up? Not many, I suspect.
Furthermore, this move defies logic regarding publishers’ strategies for their backlists (catalogs of older content). Publishers believe that their backlist titles have less value than frontlist titles, and they constantly seek ways to invigorate sales of their backlists. By making it unlikely that e-books will be available for library lending after a year or so, HarperCollins is both cutting off access to products that it presumably does not value highly in the first place and hurting its ability to invigorate its backlist. This makes no sense at all.
The other mistake that HarperCollins has made is to introduce complexity into a DRM implementation in a way that adds no value for users. Many early digital music services failed to gain user acceptance because they were too complex for users to understand. Some, for example, had Byzantine pricing plans – X permanent downloads, Y timed downloads, and Z streams per month – that resembled the bad old days of confusing cell phone plans. iTunes won because it kept things simple. Nowadays, as music services take on more and more new features in their attempts to unseat the iTunes juggernaut, they risk similar user confusion and alienation (most egregious current example: the feature-overloaded MOG).
If HarperCollins wanted to try something different with licensing terms, it should have done something that offered value or choice. It could, for example, have offered a choice of limited-loan titles for less money or unlimited-loan for full price. (Eric Hellman tried polling this question; the responses he got prove little more than how emotional everyone is over this issue — which is exactly my point.)
If HarperCollins does not get value from e-book lending, then why not just pull its catalog entirely and join Simon & Schuster and Macmillan as library holdouts? If they do that instead, librarians need not bother boycotting HarperCollins’s e-books; and any threats to boycott the publisher’s hardcopy releases will surely ring hollow.
The end result of a move like this can only be the slow and painful death of library e-book lending. HarperCollins may hope that other publishers will follow its model – though not so closely as to invite antitrust scrutiny. This will only lead to further confusion for librarians and users alike: HarperCollins allows 26 loans, Random House allows 35, Penguin allows 20, etc. There is no way that a model like this can lead to the growth in library e-book lending that libraries need to survive as e-reading grows in popularity.
Libraries are highly unlikely to reverse the tide in the market alone. Boycotts may be emotionally satisfying but will have no practical impact. Instead, the library community’s best hopes lie in the legal system.
The most likely route would be to try to get the Copyright Office, at its next DMCA rulemaking in 2013, to approve an exemption that would allow libraries to circumvent (hack) DRMs in order to lend e-books as long as they re-package them for the library patron with the same type or strength of DRM. This would be a more elaborate exception than any that the Copyright Office has granted in its four DMCA rulemakings to date. It also has various disadvantages: it could only last three years under the DMCA rulemaking rules (every exception only lasts until the next triennial rulemaking); it could cost libraries more money to support than they pay OverDrive or NetLibrary, which benefit from scale economies; and it could induce publishers to demand (and perhaps even pay for!) DRM that is more difficult to hack.
But perhaps it’s worth a try. Unlike the Section 108 Study Group — a body that recommends changes to the part of copyright law that covers libraries, which ironically has little bearing on the issue at hand — it is possible for anyone to submit a request for a DMCA exemption to the Copyright Office without first having to run a gauntlet of copyright industry lobbyists.
If the Copyright Office were to grant such an exemption, it would mean that a library could be free to purchase any e-book — not just those that the publisher decides to license — and lend it to its members on its own terms while respecting copyright. The result would be a better version of “Pretend It’s Print” — in the business model sense, where it counts.

