• Dealing with DRM
  • November 1, 2006
  • Law Firm: DLA Piper US LLP - Washington Office
  • This note will cover four elements of the world of digital rights management or DRM.

    First, to provide some important background to and a description of DRM.  Secondly, to recap on some of the challenges for DRM: covering the big picture issues in the UK, EU and internationally.  Thirdly, to look briefly at some more practical considerations of implementation, before finishing with comments on the future.

    The Analogue Background

    We need to go back to the 1960s, 70s and 80s to fully understand the issues involved.  Even before digital technology reached our homes and desktops, developments in consumer electronics, from the reel-to-reel tape to the photocopier, were forcing content owners and law makers to take note.

    The Whitford Report, an influential 4 year study into UK copyright law published in 1977, quoted statistics that showed, even then, that over 60% of the public were regularly copying from the radio or from friends' record collections.  A very worried music business - still waiting for its saviour in the form of the Compact Disc - soon launched its "Home Taping Is Killing Music" campaign complete with iconic "cassette and cross bones" logo.

    It is, though, easy to forget the impact of these technologies and the vociferous debates that they stimulated at the time.  By 1982, the rise of the home video recorder led Jack Valenti, then President of the US trade body the Motion Picture Association of America, to make the following statement to a US Congressional Committee:

    "I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone".

    Those now infamous words represented an analogue solution to new technology.  To simply try and ban it.  However neither courts nor lawmakers nor consumers were persuaded that home taping was on a par with the activities of Jack The Ripper.  Of course, the case law that developed at that time, notably Sony in the US and Amstrad in the UK, which effectively permitted the sales of videos and tape to tape decks, has been important in more recent fights over digital services.

    Indeed in the US in particular, content owners have continued to try and use the law to outlaw or restrict new technology from the first MP3 players at the end of the 1990s to last year's high profile Supreme Court decision in Grokster.

    Elsewhere, however, a very different analogue solution was being developed.  The idea of a copyright levy was first introduced in Germany in 1965 but was subsequently adopted in many European countries and others around the world.  Essentially, in return for a copyright exception to allow consumers to make private copies, the law placed a levy - or tax - on the equipment or media used to make them.  The money raised is paid to collecting societies for distribution to the rights owners.

    It should be stressed of course that not all European countries adopted this solution.  In particular, and despite a recommendation to do so by the Whitford Report, UK copyright law does not, in general terms, permit private copying and we have no levy.  Of course, music fans in London were just as keen on home taping as music fans in Frankfurt and no record company ever tried to sue anyone making tape cassettes for use in the family Ford Cortina.

    Like the law, however, levies have continued to be used with digital media, and that analogue background is crucial to understanding the development of today's digital solutions.  One of the key differences in emphasis for content owners in the last ten years has been the belief that whatever the challenges of digital technology, that technology might also provide a response.  Or in the well known phrase of Charles Clark, Copyright Counsel to the Publishers Association, "The Answer to the Machine is in the Machine".  That answer was DRM.

    Digital Rights Management

    In very simple terms, DRM systems come in two parts.  The European Commission, which has spent many millions of Euros in recent years encouraging the development and adoption of DRM, has identified these two elements as the "management of digital rights" and the "digital management of rights".  That sounds like a distinction without a difference, and copyright law itself talks instead of rights management information and technical protection measures or TPMs.  Whatever we call them, both aspects are crucial, although it tends to be the second which receives more attention.

    First, DRM systems need to be able to identify individual pieces of content, in a similar way to ISBN numbers on the back of a printed book.  Then they must describe it (its author, its date of publication etc.) and its uses, trying to break down what we do with that content.  These numbering systems, meta data and expression languages then allow the content owner to set usage rules for the particular content.  Obviously the more sophisticated this identification and description process the more sophisticated the rules that can be set.

    The second element of a DRM system is the provision of the content in such a way that those rules can be enforced.  This is often achieved through encryption technology which effectively tries to lock and unlock content as the content owner allows.  Digital watermarking i.e. the use of a permanent technical label marked invisibly on the content, or similar so-called fingerprinting technology, are also important techniques which can be used to help identify and track the content and enforce the rules which have been set.

    There are, of course, many aspects to these broad elements so, confusingly, DRM can often mean different things to different people.  To many it is largely a technical issue, a question of competing systems and the attendant assessments as to usability, integrity and interoperability.  In other forums DRM is discussed in purely commercial terms - as a shorthand for the business models being proposed for digital content distribution.  Unsurprisingly, these issues have led to controversy and argument which has also made DRM a political issue.  Consumer groups, privacy campaigners, free speech activists, and others often talk about DRM in terms of power and control.

    The Big Picture

    Clearly many of these technical, commercial and political considerations extend beyond the remit of lawyers and the law.  There are however a number of core legal themes running throughout this "bigger picture" and it is important that lawyers play a prominent role in the development of those aspects.  This note groups them into four areas.

    National rules

    The first point to stress is that we are still dealing with largely national rules.  Copyright is the lifeblood of content licensing and is therefore at the heart of DRM too.  It is however a national right and the underlying legal rules remain stubbornly national.  There has been much work on attempted harmonisation for the digital age, both at an international level through WIPO, the World Intellectual Property Organisation, and at a regional level including the European Commission.

    We don't need to go into chapter and verse on the relevant legislation but in many countries, currently 58 of them from Albania to Venezuela, and certainly in the US and all of the EU, there is now an obligation for the law to have some "digital basics" in place.

    First, to provide for a technology-neutral "communication to the public" right to make it possible for content owners to license new digital content services just as they can traditional media.  But also, to give explicit legal protection for DRM systems by making it unlawful to circumvent effective TPMs applied to content or to remove rights management information from content or to distribute content from which such rights information has been removed or altered without permission.

    However, as always with the law, the devil is in the detail.  And there is significant variance in the timing and scope of national implementation - even within Europe.  But whilst those national differences remain crucial, we can identify the following issues of general application.

    Fair Use

    One of the biggest issues for DRM is what we'll call "fair use".  This can involve a range of principles and situations but the basic concern is straightforward.  Copyright law always includes exceptions.  Exceptions when copyright works can be used without permission.  Some are obvious, say when the term of copyright protection has ended.  Others are more technical such as those for use in news reporting, for libraries, in scientific research or even religious celebrations.

    The big question is how far these exceptions can be respected by DRM.  For example, if I buy a book in print on paper format it is very easy to exercise those exception rights.  I can copy it, share it with friends, amend it, perhaps even do many things I don't have the right to do, but if I download that same text in a DRM protected format I may only be able to do so if the rights-owner actively lets me.  If he doesn't, would it be legitimate for me to circumvent the TPM?

    The EU Copyright Directive of 2002 required that Member States should encourage rightsholders to provide for voluntary measures and agreements to accommodate certain of the fair use exceptions, but if within a reasonable period no such provision was made the Member State should take appropriate measures themselves, including allowing modifications to any TPM.  Notably, on-demand works supplied under contract terms were excepted from this requirement.  Many would argue that was a serious weakness for a measure aimed at digital media, whilst others see it as entirely necessary to allow new interactive distribution models to develop.

    This was implemented into UK law by means of a procedure whereby if one of the specified exceptions listed in a schedule now appended to our Copyright Act is not permitted by a TPM, a notice of complaint can be made to the Secretary of State who is able to take appropriate action.  This has been compared unfavourably with procedures developed in the US and Australia which though appearing more formal, do seem to have proved effective.

    In the US, every 3 years under powers granted under the Digital Millennium Copyright Act there is a 'Rulemaking on Exemptions from Prohibition on Circumvention of Technological Measures that Control Access to Copyrighted Works', and in Australia there has been a recent Parliamentary "Review of technological protection measures exceptions".  These have both produced a more detailed set of circumstances where they think that DRM technology could be circumvented.  These included obsolete and unsupported software or other so-called "abandonware", software installed without permission, disabled access and material handled by libraries.

    Accessibility - the ability for people with disabilities to use and access services without discrimination - is an important point.  Many countries including the UK now have laws making it unlawful not to take account of accessibility in all areas of life.  Bodies like the RNIB in the UK have continually stressed that this should include online content and DRM.  Libraries too have led a vociferous campaign over access - that TPMs should not be permitted to lock up content.  For example effectively extending the copyright term by making it difficult to remove TPM from public domain material where the same system is being used for copyright content.

    It has to be said however that to date no one has made a complaint to the Secretary of State under the UK rules and for the moment at least interested parties seem to be active in steps toward voluntary measures.

    Private copying

    Of more practical impact in the short term is the linked issue of private copying.  As mentioned earlier, many EU States permitted private copying in return for a levy payment on analogue systems.  Those countries now have to decide whether computer hard drives, scanners, MP3 players, mobile phones and set top boxes should also be included.  A recent review by the European Commission suggests that many Member States are choosing to do so.

    Of course, the whole thrust of DRM technology is that it allows private copying to be controlled and individual acts of a user to be permitted and paid for directly.  The Copyright Directive permits Member States to continue private copying exceptions in return for the rightsholder receiving fair compensation but this must take into account the application of TPMs.  Clearly if DRM is combined with levies consumers can end up paying twice and/or not being able to make their permitted copies.

    Thus, the European Commission remains very keen to phase out what it sees as the blunt analogue instrument of levies, in favour of DRM technology - indeed it has just issued another consultation paper on the topic.  But Member States have proved slow to react.  Local collecting societies are unwilling to turn off an important revenue source in favour of an arguably untried digital replacement and consumers are unwilling to accept less freedom to copy.

    It must also be stressed that even in countries without a levy, such as the UK and US, consumers have still been used to making private copies.  As a result, for DRM systems to be successful they must also take account of TRUs - Traditional Rights Usages - content usages that consumers have enjoyed in the pre-digital era and therefore have come to expect in the digital world, irrespective of whether or not those usages are guaranteed by law.  We'll come to this again in a moment.

    Let's first return to our book example.  If I buy a book in a bookshop and pay in cash no one has a record of my purchase.  If I download it to a digital device using my credit card for payment the relevant DRM system could begin to compile a detailed record of when and what and how I consume that content, including who I forwarded it on to.  EU law specifically makes clear that support for DRM technology does NOT override the need to comply with data protection law, which in very simple terms means DRM operators have to say what they are going to do with consumers' data and only do what they say.  The EU's Article 29 Working Party has already pushed for more transparency in DRM implementation and we may see further statements on this.

    Interoperability

    The final big picture issue is interoperability.  Anyone who has downloaded a music track to their iPod with Apple's proprietary DRM may have experienced the frustration of being unable to transfer and play that on a device with Microsoft DRM.  This is exactly the situation that the European Commission has been seeking to avoid in its support for DRM systems.

    The ideal is for the industry to develop open standards - agreed formats for DRM technology that ensure interoperability between different systems.  In the mobile sector that has been partially delivered through the OMA - Open Mobile Alliance - initiative.  This is an ambitious scheme to develop and implement DRM on mobile phones and other wireless devices from a simple lock preventing the forwarding of a ringtone to more complex licensing terms, discussed below.

    However with a host of vendors ready to promote competing proprietary solutions it remains to be seen whether the OMA can sustain momentum.  Elsewhere the few open standards initiatives that do exist have been even less successful.  Despite many workshops and position papers the European Commission has so far resisted any formal intervention in the market.  But as a few strong players emerge, such as Apple and Microsoft who now dominate music DRM, open standards seem less important than interoperability between proprietary ones.

    There have been a number of attempts to achieve this.  One solution was presented by rival supplier RealNetworks, which reverse engineered Apple's DRM to produce its own interoperability solution.  Apple cried foul and accused RealNetworks of straying into infringement, but encouraging a consensual industry-wide version of this approach may well have to be the basis for future EU policy.

    In such a fledgling market courts will be reluctant to apply competition law and not so long ago Virgin Mega failed in such a claim against Apple in France.  As the French also discovered this year, enshrining specific mandatory interoperability requirements into copyright law is also something of a non-starter given the technical and commercial sensitivities involved.

    One other problem is patent law.  One of the factors that has continually plagued the development of DRM solutions has been the patent rights claimed over component parts of the technology.  Before a technology can be adopted as part of an industry-wide solution the licensing arrangements with any patent owners must be agreed.  Sorting out licence terms for the relevant patent pools is, in part, the cause of delays in the roll-out of OMA.

    Implementation

    Which gets us into the nuts and bolts of implementation and DRM in practice.

    Business models

    As mentioned earlier, DRM is often discussed in terms of business models.

    The transfer to digital distribution methods is requiring each part of the content and creative industries to reassess the way in which they buy and sell.  Commercial contractual terms can define content usage as much as technology.

    Take music.  For many years delivery has largely been based around an LP model, with radio airplay and singles releases promoting album sales.  Now digital distribution and DRM allow different ways of delivering music with single track downloads, web-casts, rental and subscription services, ad-funded models and many other variants.

    One of the much talked about concepts has been super-distribution.  Which is one of those terrible buzzwords which simply means sharing content.  If you sell one piece of music to one listener for one dollar and use DRM to lock that content to that listener's device you only make one dollar.  If however you allow that listener to forward that track to ten friends and they to ten more but the DRM still gets the friends to pay then you have made considerably more than one dollar.  This concept is at the heart of the more complex OMA standard I mentioned earlier.

    It may even allow you to charge the friends less than the first listener.  Differential payments may become increasingly important in the content business with content not converging but actually diverging onto different platforms and devices at different price points.  Ringtones are a great example - fans are happily downloading what is effectively part of a music track to their phone for up to 5 dollars - when they could download the whole thing to their PC for less than 1.

    Whatever the commercial arrangements however, lawyers still have to ensure that the underlying rights and licensing structures put in place are able to support them.  To date most content providers have been trying to fit new digital distribution methods into their existing distribution structures.  The aim is to develop a non-disruptive rights template that introduces new markets without harming existing ones.

    For example, take the traditional windowing approach taken in the film and the sports rights markets.  In film the impact of new media through both the downside of piracy and the possibility of DRM is squeezing these release windows so that new models like electronic sell thru might actually transform rather than sustain this template.  And in sports a truly integrated digital media strategy may already be taking a different direction.

    That's partly because technology is making it increasingly difficult to distinguish between, say, wireless rights and existing television and radio markets.  Mobile TV, particularly when DAB, DVB-H or other mobile broadcast standards are used, makes it much harder to draft robust rights definitions that avoid market disruption.  And yesterday's SMS alerts and wallpapers are far easier to distinguish than tomorrow's services that look and feel the same on a mobile as a PC or a TV.

    What's more the competition law regulators in the EU have taken a very close interest in sports markets generally and new media rights in particular.  They are keen to ensure that rights are "unbundled", in other words that television broadcasters will not necessarily hoover up new rights alongside their traditional media packages.  The upshot of this is that as lawyers we have to work harder to draft technology neutral agreements offering rights distinguished by form rather than format.

    Of course some business models are DRM-free.  For less well known content providers obscurity often seems more of a danger than uncontrolled distribution and digital piracy.  Others in the media industry are choosing to focus on time sensitive or "disposable" content precisely because it is less susceptible to longer term misuse.  Others are choosing to focus on certain aspects of DRM.  Even if content providers decide - whether for technical or commercial reasons - not to apply encryption technology that locks up content, they very often still rely on watermarking or fingerprinting technology to be able to identify and trace the use of that content.  Recently high profile video-sharing site YouTube was reportedly only able to sign a deal with one of the major music groups because it promises to launch a form of "advanced content identification and royalty reporting system" for their platform.

    This so-called forensic DRM seems likely to have an increasingly important role.  The newly formed Digital Watermarking Alliance has a website setting out a range of other case studies describing its use in both physical and online distribution.  At the very least we probably need to start looking to update our auditing clauses to take account of these sorts of developments.

    Consumer Experience

    What we also have to be aware of is that, regardless of what copyright exceptions are in our statutes, consumers are unhappy when DRM stops them doing what they always used to.  One solution being proposed is so-called domain licensing - allowing users of digital content more flexible licence terms that don't lock content to one copy or even one device but allow it to be transferred to a certain number of devices in that user's personal domain - not just their car, but their laptop, their home hi-fi and their mobile.

    In any case, the consumer must understand clearly what exactly it is a DRM protected product is delivering.  This has all become a labelling and consumer misrepresentation issue as courts in many countries have heard and generally found in favour of unhappy users, often backed by consumer groups, arguing that content distributed with copy control and other DRM restrictions must clearly be sold as such.  This of course applies to online content as much as CDs or DVDs.  No one will want to repeat the experience of one of the major record labels that introduced a copy-protection device on its CDs which allegedly uploaded software onto the users' PC even if they refused permission, installed itself invisibly and also secretly contacted a website every time the CD was played.

    In such cases legal compliance goes way beyond labelling and extends to ensuring that data protection and computer misuse legislation is not infringed.  Indeed we all know that a range of legislation applies to consumer contracts and, as the OFT is continuously picking up on, most suppliers in this country need to do more to improve their drafting of consumer terms.  Those stringent EU controls are likely to be tightened further so content providers will have to be more careful than ever with DRM.  Which brings us to contracts and licensing generally.

    Rights and Licensing

    DRM provisions in contracts vary a great deal.  The distribution of lower value content, perhaps with a promotional as much as a revenue generating purpose, will not require the levels of DRM protection that more sophisticated content demands.  For the film and TV studios there is a world of difference between a licensing deal for wallpapers, clips and simple games and one for the movies and shows themselves.

    That is not to say that major content owners will not take every licensing deal very seriously.  We can expect to find DRM provisions in all content contracts.  Some will actually be in great detail to the level of specific technology and approved solutions.

    There may be reference to standards like OMA, or to detailed testing, acceptance and approval procedures.

    But in many deals those provisions are still little more than "placeholders", clauses that are intended to be increased in scope and significance as the content develops.  A typical clause from a US film studio contract might read, in plain English - rather than legalese - "we'll cooperate on DRM; you'll consider solutions that we endorse; if an industry standard emerges, you'll use it; if we get too uncomfortable with your DRM or lack thereof, we can pull our content".

    Of course sometimes the need to be seen to get content on what is thought to be a hot platform - be it one from Apple, Nintendo or Nokia - means that content owners will be prepared to be more flexible.

    Other Applications

    Two other practical applications for DRM are worth mentioning.  The first is Enterprise DRM.  This is touted to be an increasingly prominent technology by taking DRM know-how of the type we've been discussing to address security problems in mainstream corporations, governments, and other institutions.  It aims to complement existing document management systems, perimeter security, and other methods of restricting access to sensitive information.

    In this form of DRM, protection is likely to be provided to Microsoft Office and PDF documents rather than music, video, or e-books.  It may also require stronger authentication techniques to change or revoke rights after they are granted to deal with changing business and office environments.  Internal and external control of document circulation is something that most organizations of whatever type still spend surprisingly little time on.  Increased compliance requirements - from industry regulators through to data protection - may start to change that.

    Mention should also be made as to how DRM technology can be used for controlling content not just in support of content rights but also content regulation.  The regime for controlling what is considered suitable or unsuitable online is currently under scrutiny at both national and EU level.  Online content has so far been regulated separately from television content - with essentially what is viewed over on the PC being distinguished from the content received over the other side of the living room on the TV.  Pulled Internet content was considered different to pushed broadcast content.

    Even when rich media content began to appear on mobile, along with the first emergence of video on demand and interactive TV, this approach was maintained.  Industry has been expected to take some protective steps, and we've seen special codes emerge in each of those content areas.  But this was light touch regulation with much left up to the individual user.  As someone at the UK regulator OFCOM famously commented, there were two types of regulation: OFCOM and the OFF switch.

    Now for the first time that consensus is open to challenge.  The relevant EU legislation - The Television Without Frontiers Directive - is again being considered for updating and replacement with a new technology-neutral "Audiovisual Directive".  This has introduced the controversial idea of television style regulation potentially being applied to certain new media services.  The latest panics about unsuitable content on Myspace and other community sites will only fan the flames of tighter regulation.

    Now is not the time to get into the detail of those provisions or the industry initiatives in the fixed and mobile internet sectors.  But it is worth stressing that the value of a technology that helps to ensure that content only reaches those who are supposed to access it may mean that DRM proves as important in dealing with regulators as it does with rights-holders.

    The Future

    So, in summary, there are four areas to watch in the future.

    First, that the phasing out of the levies will prove crucial.  The UK does not have them but they will be a key factor in the European Commission's digital rights policy, which certainly does affect us, and it is of course something to be aware of when launching services across the EU.  Suggestions that the UK might actually introduce a levy will surely receive the same fate as those suggestions did 30 years ago.

    Secondly, that European digital rights policy, and national initiatives such as the recent UK Parliamentary report on DRM, are pushing for active intervention in the market to deal with some of the big picture issues mentioned.  Initially that is most likely to take the form of consultation and voluntary measures so the pressure will be on industry to get involved in those stakeholder discussions as soon as possible.

    Thirdly, DRM technology will continue to have a role in the development of new services, in particular the much hyped user-generated content sites.  Some rights owners have begun to grumble that these are little more than user stolen content sites and have issued veiled threats of litigation.  DRM could be crucial in dealing with these concerns, and those regarding content regulation above.

    Finally, we should understand the power of the user in all of this.  From the wisdom of crowds in terms of overall sales and market success, through to the importance of complying with consumer law and regulation, the consumer is key.