It may not be immediately obvious what Digital Rights Management (DRM) has to do with the current combination of fear and frantic activity resulting from the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and other compliance requirements, but it is both relevant and arguably required as part of a compliance solution. Why?
The short answer is that while DRM technology was originally focused on copyrights, much of the technology can be generalized to manage all sorts of business rules and document policies – think “Digital Rules Management”. Compliance is all about rules and policies, as well as permissions, usage, tracking and security. Content management systems play a crucial role in helping companies meet internal and external compliance requirements, but there are some necessary capabilities CMSs don’t have, that DRM technology does. Just comparing the functions of each type of technology in the context of compliance will help clarify your thinking about a comprehensive compliance strategy.
This month we are pleased to welcome Attorney Glen Secor as a Senior Contributing Analyst and Consultant. Glen ran a business for 20 years, has a background in publishing, and his legal focus includes intellectual property and business planning. Glen examines the general problem of compliance, and explains how DRM and ECM systems relate to each other, and how DRM requirements map to compliance requirements.
Compliance. The word strikes fear in the hearts of corporate executives and sends visions of dollar signs dancing through the minds of solution providers. Legal regulations, internal policies, and the need to build information systems that comply with both have been part of the business landscape forever. However, a growing body of new legal regulations, most notably the Sarbanes-Oxley Act (“SarbOx”) and the Health Insurance Portability and Accountability Act (“HIPAA”), have brought compliance to the forefront. The requirements of SarbOx are looming even larger with the impending 11/15/04 deadline for compliance with Section 404, the primary financial reporting section of the Act.
But what is compliance, beyond the very broad definition of meeting a set of requirements or staying within a set of rules? A review of the business literature regarding compliance, including vendor white papers, reveals orientations so narrow (i.e. just Sarbanes-Oxley or just HIPAA) as to miss the real compliance challenge, or so broad that the term compliance is in danger of losing its meaning. In this latter regard, an online search for compliance-related documents produces results that include the following concepts:
- Information Management
- Transparency
- Accountability
- Business Documentation
- Policy Administration
- Enterprise Content Management (“ECM”)
- Document Management
- Business Process Management (“BPM”)
- Internal Controls
- Data Integrity
- Security Information Management
- Information Security Management
- IT System Auditability
- Corporate Operational Performance
- Data Security
- Records Management
- Business Rule Management
One way to look at this litany of business functions is to conclude that compliance is everything and that everything is compliance. Another way to look at it is that compliance involves so many business functions that it truly is an enterprise-wide problem that requires an enterprise-wide solution. This latter perspective is the view that will be taken in this article. More specifically, emphasis will be placed on ECM and a business function not included in the above list, Digital Rights Management (“DRM”), and on the interplay between ECM and DRM. While DRM technology was originally focused on copyrights, it can be generalized to manage all sorts of business rules – think “Digital Rules Management”.
According to a recent PricewaterhouseCoopers survey, only 15% of the companies surveyed had fully automated their reporting function, with the remaining 85% being either partially automated or completely manual. These are rather surprising statistics, given that half of the corporate executives surveyed describe SOX compliance as a “major challenge.”
There is no doubt that compliance is a significant challenge, but it would be short-sighted to think of compliance only in terms of SOX, HIPAA or other recently passed, high-profile legal regulations. Compliance is a wide-ranging business requirement and definition of this requirement is a key to finding successful compliance management solutions.
Enterprise Content Management (“ECM”) is correctly viewed as a critical element of compliance solutions. Indeed, some are characterizing ECM as the complete solution to the compliance needs of today’s corporation. But, as Rick Taylor writes in the 6/14/04 issue of ECM Report, the relationship between ECM and compliance is not quite so simple. As will be argued here, compliance needs, once defined, will in most cases require the integration of multiple technologies, particularly ECM and DRM technologies.
A good solution to any problem begins with effective analysis and definition of the problem. We tend to speak of compliance as a singular requirement, a view which lends itself to a “one size fits all” solution mentality. Compliance means many things (perhaps too many things, given the length of the above list) and the compliance needs of a given business are likely to differ from the needs of any other business. Thus, definition of the problem or requirement is the first step to finding an effective solution.
Open, two-way communication throughout the process is critical to finding and implementing an effective compliance solution. Having defined the compliance needs of the business, those needs must be communicated to and discussed with appropriate personnel. This requirement seems particularly acute in the case of complex legal regulations, such as SOX, but is also important in the area of internal policies. Simply put, people cannot work to meet requirements they do not understand.
One result of the definition and education processes will be the development of specifications for the automated compliance management system, with ECM at its core. This is where a company must recognize its unique requirements and resist the aforementioned “one size fits all” mentality. For instance, different ECM systems have different strengths and weaknesses. The trick is to match the strengths of a given ECM solution with the specific needs of the business.
The final step, which is really more a part of the automation process than a phase unto itself, is technology integration. In most circumstances, ECM does not provide a complete compliance solution. Other technologies, particularly DRM for content that leaves the central control of the company, must be considered. This brings us back to the first step – definition. The ultimate compliance management solution should be determined by who has access to compliance-related content and how they are allowed to use it. Chances are good that this solution will involve multiple technologies.
Compliance requirements arise essentially from two sources: legal regulations and internal policies. Legal regulations, particularly SOX, HIPAA, and various other privacy-related laws, are currently the objects of intense interest and activity. Of course, the business landscape is replete with government regulations that are either information-based or heavily dependent upon information. These include laws relating to taxation, occupational safety, the environment, financial transactions, et al. The point here is not that the latest round of legal compliance regulations do not merit the intense attention they are being paid, but rather that they do not exist in a vacuum. The compliance management system developed for SOX, HIPAA, et al. should be integrated with the compliance system(s) used to manage the information related to other government regulations.
This may seem like an odd statement at first, in that information pertaining, say, to OSHA regulations and a company’s occupational safety record would seem to bear little relation to the information required to comply with SOX. Ultimately, though, the two share certain core content management requirements, namely:
- how the information is stored,
- who has access to the information and how they gain that access, and
- how the information can be used once accessed.
In other words, while the nature of the two types of information may be different, they can and should share a common content management strategy.
Internal policies are another source of compliance needs. Information itself can be the subject of an internal policy, such as a policy governing access to employee performance reviews. Policies can also reflect physical measurements or restrictions, such as the maximum number of days an item may remain in inventory before being shipped to a customer or returned to the vendor. Our concern here would be the information measuring actual performance against this policy, which would be reflected by information in the inventory management system. The fact that the policy deals with a physical measurement is irrelevant for content management purposes – we are interested in information about the measurement.
There are, of course, many other types of business information which are governed by content management systems and practices. These include competitive intelligence, market data, human resources data, et al. Again, regardless of the specific type of content involved, the same content management issues must be addressed: access and usage. These access and usage controls are frequently referred to together as “business rules.” To determine the makeup of the business rules, i.e. the parameters for access and usage, three things need to be defined: who may access and use the content and how, the exact nature of the information, and the requirements for reporting and/or protection.
Note that this process is the same for ECM and DRM systems. In fact, it is at the development and enforcement of business rules that the functional lines between ECM and DRM truly begin to blur.
In ECM and DRM systems, content is maintained in some sort of content repository (or database). The ECM system is relied upon to manage internal business rules governing access to and usage of content from the database. But the difference between ECM and DRM systems cannot be stated simply in terms of internal vs. external content flow: both involve the management of content that leaves the enterprise. Indeed, for some compliance needs, such as the sharing of financial data between a company and its outside auditors or the sharing of test results between a hospital lab and a remote clinic, secure information exchange is required for compliance purposes. We should not allow ourselves to get hung up on the differences between content sharing, such as the electronic communication of specifications to a vendor working on a piece of a technology product, and content distribution, such as the sale or licensing of MP3 files through an online music store. Both involve the movement of content from within the enterprise to users outside the enterprise and both require that the content outside the enterprise be secure, i.e. that access and usage be controlled.
Whatever difference exists in the nature of ECM and DRM, then, can be found in the fact that ECM systems deal with content both within and outside of the enterprise, while DRM deals primarily with distributed content. This difference aside, each must be able to address the three core needs expressed above (how the information is stored, who has access to the information and how they gain that access, and how the information can be used once accessed.)
In other words, each must be able to articulate and enforce the business rules that the enterprise applies to its content. If a system can do this, then it can handle any compliance need that can be expressed as an access or usage rule: the key is in the effective writing of business rules to meet the compliance standard.
Given these conclusions, we can look to the makeup and principles of DRM systems to guide us in meeting the complex business compliance needs of today, including for such regulations as SarbOx and HIPAA. The remainder of this article will be devoted to a discussion of DRM principles as applied to compliance-based business rules. In this case, though, compliance will be defined in terms of how distributed content is used, as opposed to how a particular provision of, say, SarbOx can be met.
Copyright protection technologies have been the subject of much business investment, legislation, and controversy in recent years. When traditional content security technologies, such as encryption or password protection, are combined with e-commerce capabilities, the result can be called a digital rights management (DRM) system. In this section, we will consider the basic elements and features of DRM systems and their impact on various information access models.
ContentGuard, on its XrML.org site, defines DRM as “a system that is used to manage rights” and offers the following examples of rights management:
- A system that is used to secure and distribute protected e-books or protected media files. The rights are defined during the protection step and issued as a usage license to consumers;
- A system that is used to control access to an online service. For example a web service. Applications will need to have access to a license in order to invoke the web service;
- A [sic] accounting system that can track the rights issued and the royalties that are associated/due with those rights.[1.]
DRM involves a system (hardware and software, services and technologies), differentiation between authorized and unauthorized uses, control sufficient to allow only authorized uses, and some form of payment mechanism (consequences or royalties) arising from authorized uses. It is important to note that these definitions refer to “content” or “protected media files,” not merely digital music or electronic books and journals: DRM can and will be applied to any form of digital content.
Access control through DRM can be accomplished through the application of encryption-based software to a protected work, possibly along with such tools as digital signatures and watermarking. DRM can be applied at the system level or at the object level. A password-protected website is an example of system-centric DRM – the user needs a password to gain entry, but is not limited in terms of how she uses the content on the site once she gains access to the site.[2.] Object-centric DRM is applied to individual files – the object is encrypted and coded with access and/or usage rules.[3.]
The Power of Generalized DRM: Specificity of Business Rules
Security in the DRM context means that activities are limited to authorized access and usage by authorized users. Content is first protected through the application of encryption, or password protection, or some other form of technology. The efficacy of these technologies, including their susceptibility to hacking, is a matter of legitimate practical concern, though we will not dwell on those concerns here. Instead, we will presume that digital content can be effectively secured.
When access controls include authentication of both content and parties, we have a “trusted system.” We often think of content protection as simply a matter of locking up (encrypting) the content, but true access control, which is dependent upon reliable authentication, is much more complicated and powerful than that. This is especially important considering that access control and use control are often bundled, if not inseparable, within a DRM application.
The following examples, taken from a report by the Association of American Publishers (“AAP”), demonstrate the interdependencies of access and usage controls, as well as the granularity of business rules that are expected to be possible (and in fact are possible) using DRM technology. These particular business rules, designed for content distribution, are the functional equivalent of rules to govern access to and usage of content, both internally and externally, in the regulatory compliance setting. In other words, instead of controlling where or for how long a document can be stored in a content distribution scenario, DRM principles could also be applied to control who sees and can modify financial statements for SarbOx Section 404 compliance purposes.
In its report, titled Digital Rights Management for E-books: Publisher Requirements,[4.] (“AAP Report”), the AAP provides a helpful foundation for considering DRM in the context of e-books. The AAP Report also provides somewhat detailed requirements for specific aspects of e-book rights management, including requirements for a Rights Specification Language (RSL). These are paraphrased below.
Benefits of DRM in Digital Commerce
The AAP Report recognizes that, at least from the publishers’ perspective, the purpose of DRM is to facilitate digital commerce in digital content. It does this in the following ways:
Protection of digital content: encryption, which provides the first level of security and trust as publishers launch digital content.
Secure e-book distribution: controlled access through the management of decryption keys.
Content authenticity: encryption makes it difficult to access a file in order to alter it, and an integrity check built into the secured container (a digital signature or message authentication code over the protected file) can be used to indicate whether a file has been altered. Encryption by itself does not detect alteration; the integrity check does.
Transaction non-repudiation: use of a private key to decrypt a file indicates that the private keyholder participated in the initial download transaction. (Strictly, non-repudiation is a property of digital signatures; possession of the decryption key shows who could open the file, not who agreed to the transaction.)
Market participant identification: through the use of digital certificates, the identities of participants in an e-book transaction can be verified.
Technical Elements of a DRM System
The AAP Report assumes that a DRM system will contain some or all of the following technical elements or capabilities: encryption, public/private key decryption, digital certificates, watermarks, access control, authentication, secure communication protocols, secure content storage, a trust infrastructure, and a rights specification language (RSL). The AAP Report includes an appendix describing XrML, one of the leading RSL candidates.
AAP Requirement Categories
The AAP is pushing for standards in the following areas:
Rights Specification Language: defined in the first instance rather narrowly as “the mechanism for describing the author/publisher rights associated with an ebook.” The definition expands, though, to include a language that can specify digital rights and is “sufficiently flexible to support new and emerging business models that may change over time.” We will examine specific RSL requirements shortly.
Electronic Package Control: relates primarily to encryption and security technology.
File Format: refers to a variety of format types, including media (text, audio, graphic, video), specific e-book reader formats, file compression formats, et al. The AAP’s position is that DRM standards should develop and exist independent of specific file content formats.
Trust Infrastructure: the Report describes the trust infrastructure as “the digital pipes and pumps of DRM.” This analogy may or may not be helpful, but the essence of the trust infrastructure is the degree of system-to-system interaction that can be conducted within the parameters set by the parties to the transaction and without the human intervention of those parties. The trust infrastructure deals with a variety of functions, including:
- Interoperability, especially cross-platform compatibility for sharing and reading e-book files;
- Security;
- Key management;
- Off-line usage, i.e. asynchronous access to licensed or purchased e-book content;
- Rights persistence, i.e. continuation of acquired access rights regardless of changes in technology, financial status, or other characteristics of parties further up the value/distribution chain; and
- Consumer privacy.
The elements outlined above essentially comprise a trusted system. It requires encrypted content, authentication of both content and parties to any transaction, and access and usage controls based upon business rules (i.e., terms and conditions or licensing terms) specified by the content producer or distributor.
The AAP Report lists a range of use scenarios involving the pricing, distribution, usage, and management of e-book content.
Free: protected content, but no charge for all or certain uses. The free content could be an excerpt, provided for marketing purposes (or in an attempt to mimic fair use of printed books?), or the entire work.
Pay-per-view.
Pay-per-use.
Subscription.
Time-based.
Metered.
Unlimited usage.
Limited usage.
Site licensing.
Differential pricing based on specific uses, types of users, etc.
Personal lending: allowing a consumer to transfer a file and access to that file for a period of time. During this time, the lender would not have access to the book, similar to the situation when a printed book is loaned. Preserves the first sale doctrine for consumers, even though the book is more likely to have been licensed than purchased.
Institutional lending: same principles as personal lending above and similar to interlibrary loan of books today.
Giving: full and permanent transfer of the e-book file and access to it.
Superdistribution: also referred to as “viral distribution,” in which a consumer passes the book along to one or more of his friends with all the protections intact. The recipients, who cannot access the file as sent, thus become potential licensees/customers of the publisher or distributor.
Distributor copies: this is a big one, as most books today are sold not directly by the publisher to the consumer or purchasing institution, but rather through some intermediary or reseller. It would be rather silly for the distributor to have to store multiple copies of an e-book the way that multiple copies of printed books must be maintained in inventory. Rather, the distributor should be able to make copies from a master copy, with appropriate accounting back to the publisher for copies made and sold. The RSL should support this.
Personal copies: the right to make copies for personal use.
Composite works: the right to combine the books with other content.
Printing: all or part of a book.
Grant subordinate rights: this seems a poor choice of terminology, since subordinate rights or “sub rights” already has a meaning in publishing (generally relating to translations, alternative formats, and other rights not part of the bundle of primary rights transferred by the author to the publisher in the publishing agreement). Here, the AAP is using the term to mean maintenance of multiple revenue streams (revenue to publisher, royalty to author, etc.) through downstream transactions.
Content Management Scenarios
Authentication of the content
Delete e-books: appears to be an issue only in the institutional context, where authority to delete an e-book from the archive may be limited to certain individuals (such as a designated member of the library staff).
The specificity of use scenarios expressed above matches the complexity of the information compliance requirements of SarbOx, HIPAA, internal policies, et al. Through the application of technology which protects the content (encryption) and which expresses and enforces business rules (see Bill Trippe, XrML and Emerging Models of Content Development and Distribution, The Gilbane Report, 4/23/02), we are able to achieve extremely high levels of access and usage control. The key is to develop and implement business rules that reflect the compliance needs of the enterprise. Again, the first and most important step in the development of an effective compliance program is to comprehensively and accurately define those needs.
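As an added illustration (not from the article, the AAP Report, XrML or any product), the following Python sketch shows object-centric DRM in the shape this section describes: a document is encrypted, a license written in a simplified JSON rights expression (a hypothetical stand-in for a rights specification language such as XrML) is bound to the ciphertext with a message authentication code, and plaintext is released only when a grant covers the requesting principal, the requested right, the grant's validity window and its use count. The principals, document, dates and the HMAC-based stream cipher are constructed for the example; a production system would use a standard authenticated cipher such as AES-GCM and a real key-management and trust infrastructure.

```python
"""Object-centric DRM sketch: encrypted content with cryptographically bound usage rules.

Example code added to illustrate the article, not the AAP's or any vendor's implementation.
Stdlib only: the HMAC-SHA256 keystream is a toy stand-in for a real cipher such as AES-GCM.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed sample inputs (hypothetical): a draft financial statement and a license whose
# grants mirror the scenarios above (unconditional, time-based, metered, per-right).
SAMPLE_DOCUMENT = b"Q3 FY04 draft financial statements - internal control attestation"
SAMPLE_LICENSE = {
    "object": "fin-stmt-q3-2004",
    "grants": [
        {"principal": "cfo@example.org", "rights": ["view", "modify", "print"]},
        {"principal": "auditor@example.org", "rights": ["view"],
         "not_before": "2004-10-01T00:00:00+00:00",
         "not_after": "2004-11-15T00:00:00+00:00",
         "max_uses": 3},
    ],
}


class DrmError(Exception):
    """Raised when the container is not authentic or no grant permits the requested use."""


def _keystream(key, nonce, length):
    # Counter-mode keystream derived from HMAC-SHA256 (toy; stdlib has no AES).
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _license_bytes(license_):
    # Canonical serialization so the same license always yields the same MAC input.
    return json.dumps(license_, sort_keys=True, separators=(",", ":")).encode()


def protect(content, license_, content_key, mac_key):
    """Encrypt the content and bind the license to it (encrypt-then-MAC over nonce, ciphertext, license)."""
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(content, _keystream(content_key, nonce, len(content)))
    tag = hmac.new(mac_key, nonce + ciphertext + _license_bytes(license_), hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "license": license_, "tag": tag.hex()}


def open_object(container, principal, right, now, content_key, mac_key, usage_log):
    """Release plaintext only if the container is authentic and a grant permits this use now."""
    nonce = bytes.fromhex(container["nonce"])
    ciphertext = bytes.fromhex(container["ciphertext"])
    # 1. Content authenticity: verify the tag before trusting the license or the ciphertext.
    expected = hmac.new(mac_key, nonce + ciphertext + _license_bytes(container["license"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(container["tag"])):
        raise DrmError("container or license has been altered")
    # 2. Business rules: principal, right, validity window and metered use count.
    for grant in container["license"]["grants"]:
        if grant["principal"] != principal or right not in grant["rights"]:
            continue
        if "not_before" in grant and now < datetime.fromisoformat(grant["not_before"]):
            continue
        if "not_after" in grant and now >= datetime.fromisoformat(grant["not_after"]):
            continue
        key = (principal, right)
        if "max_uses" in grant and usage_log.get(key, 0) >= grant["max_uses"]:
            continue
        usage_log[key] = usage_log.get(key, 0) + 1  # metered usage doubles as an audit trail
        return _xor(ciphertext, _keystream(content_key, nonce, len(ciphertext)))
    raise DrmError(f"no grant permits {principal} to {right} this object")


def demo():
    """Exercise the rules; returns a dict of scenario name -> True if the system behaved as intended."""
    content_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    container = protect(SAMPLE_DOCUMENT, SAMPLE_LICENSE, content_key, mac_key)
    during = datetime(2004, 10, 20, tzinfo=timezone.utc)
    after = datetime(2004, 12, 1, tzinfo=timezone.utc)
    log = {}

    def attempt(principal, right, when, cont=container):
        try:
            return open_object(cont, principal, right, when, content_key, mac_key, log) == SAMPLE_DOCUMENT
        except DrmError:
            return False

    # Attacker edits the license in a copy of the container to extend the auditor's deadline.
    tampered = json.loads(json.dumps(container))
    tampered["license"]["grants"][1]["not_after"] = "2005-12-31T00:00:00+00:00"
    return {
        "cfo_modify": attempt("cfo@example.org", "modify", during),
        "auditor_view_in_window": attempt("auditor@example.org", "view", during),
        "auditor_print_denied": not attempt("auditor@example.org", "print", during),
        "auditor_view_after_deadline_denied": not attempt("auditor@example.org", "view", after),
        "tampered_license_denied": not attempt("auditor@example.org", "view", after, tampered),
        "metered_limit_enforced": (attempt("auditor@example.org", "view", during),
                                   attempt("auditor@example.org", "view", during),
                                   attempt("auditor@example.org", "view", during)) == (True, True, False),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'ok' if ok else 'FAILED'}")
```

Two design points matter more than the toy cipher. First, the license is covered by the same tag as the ciphertext, so the “object-centric” rules cannot be loosened by editing the file; without that binding, a user who can open the container can also extend the deadline. Second, the code distinguishes “view” from “print” only by consulting the grant; what actually stops a screen from being printed is the rendering application, which must itself be part of the trusted system. Usage is also logged per principal and right, which is the raw material for the tracking and reporting that compliance work demands.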
The line between content management and content distribution is blurring and may in fact already have disappeared. DRM technology can be used to facilitate compliance by managing content which leaves the enterprise or department. Moreover, DRM principles can be applied to ECM systems to manage access and usage of internal information for compliance and non-compliance purposes.
Glen Secor
[1.] Digital Rights Management Terms, at http://www.xrml.org/reference/xrml_terms.asp
[2.] Sandra Payette and Carl Lagoze, Policy-Carrying, Policy-Enforcing Digital Objects, linked to via http://link.springer.de/link/service/series/0558/bibs/1923/19230144.htm (password-protected access).
[4.] Digital Rights Management for Ebooks: Publisher Requirements (hereinafter AAP Report), at http://www.publishers.org/digital/drm.pdf (last visited Aug. 21, 2004).