Verification and Application of Conceptual Model and Security Requirements on Practical DRM Systems in E-Learning

The paper represents a verification of a previously developed conceptual model of security related processes in DRM implementation. The applicability of established security requirements in practice is checked as well by comparing these requirements to four real DRM implementations (Microsoft Media DRM, Apple's iTunes, SunnComm Technologies’s MediaMax DRM and First4Internet’s XCP DRM). The exploited weaknesses of these systems resulting from the violation of specific security requirements are explained and the possibilities to avoid the attacks by implementing the requirements in designing step are discussed

Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations

The INDICARE project – the Informed Dialogue about Consumer Acceptability of DRM Solutions in Europe – has been set up to raise awareness about consumer and user issues of Digital Rights Management (DRM) solutions. One of the main goals of the INDICARE project is to contribute to the consensus-building among multiple players with heterogeneous interests in the digital environment. To promote this process and to contribute to the creation of a common level of understanding is the aim of the present report. It provides an overview of consumer concerns and expectations regarding DRMs, and discusses the findings from a social, legal, technical and business perspective. A general overview of the existing EC initiatives shows that questions of consumer acceptability of DRM have only recently begun to draw wider attention. A review of the relevant statements, studies and reports confirms that awareness of consumer concerns is still at a low level. Five major categories of concerns have been distinguished so far: (1) fair conditions of use and access to digital content, (2) privacy, (3) interoperability, (4) transparency and (5) various aspects of consumer friendliness. From the legal point of view, many of the identified issues go beyond the scope of copyright law, i.e. the field of law where DRM was traditionally discussed. Often they are a matter of general or sector-specific consumer protection law. Furthermore, it is still unclear to what extent technology and an appropriate design of technical solutions can provide an answer to some of the concerns of consumers. One goal of the technical chapter was exactly to highlight some of these technical possibilities. Finally, it is shown that consumer acceptability of DRM is important for the economic success of different business models based on DRM. Fair and responsive DRM design can be a profitable strategy, however DRM-free alternatives do exist too.Digital Rights Management; consumers; Intellectual property; business models

Using web-services to manage and control access to multimedia content

In a largely interconnected World, the Web-Services (WS) computing paradigm is gaining momentum. Most Web Services applications existing today are being developed in the E-Business or E-Commerce context, mainly for Enterprise Application Integration (EAI) [12]. This paper describes a distributed architecture that largely uses WS technology to control and manage the access to multimedia content and that represents the new and emerging market of Digital Rights Management (DRM). This architecture deploys some critical DRM elements, in a service-oriented architecture, such as device and user identification and authentication, content registration and protection, license representation and production and payment. This paper presents the conceptual architecture, referred to as OpenSDRM [3], and provides some technical details about its development and deployment.info:eu-repo/semantics/acceptedVersio

SOFTWARE INTEROPERABILITY: Issues at the Intersection between Intellectual Property and Competition Policy

The dissertation project proceeds through three papers, analyzing issues related to software interoperability and respectively pertaining to one of the three following interdependent levels of analysis. The first level addresses the legal status of software interoperability information under current intellectual property law (focusing on copyright law, which is the main legal tool for the protection of these pieces of code), trying to clarify if, how and to what extent theses pieces of code (and the associated pieces of information) are protected erga omnes by the law. The second level complements the first one, analyzing legal and economic issues related to the technical possibility of actually accessing this interoperability information through reverse engineering (and software decompilation in particular). Once a de facto standard gains the favor of the market, reverse engineering is the main self-help tool available to competitors in order to achieve interoperability and compete “inside this standard”. The third step consists in recognizing that – in a limited number of cases, but which are potentially of great economic relevance – market failures could arise, despite any care taken in devising checks and balances in the legal setting concerning both the legal status of interoperability information and the legal rules governing software reverse engineering. When this is the case, some undertakings may stably gain a dominant position in software markets, and possibly abuse it. Hence, at this level of analysis, competition policy intervention is taken into account. The first paper of the present dissertation shows that interoperability specifications are not protected by copyright. In the paper, I argue that existing doubts and uncertainty are typically related to a poor understanding of the technical nature of software interfaces. To remedy such misunderstanding, the paper focuses on the distinction between interface specifications and implementations and stresses the difference between the steps needed to access to the ideas and principle constituting an interfaces specification and the re-implementation of a functionally equivalent interface through new software code. At the normative level, the paper shows that no major modifications to the existing model of legal protection of software (and software interfaces) are needed; however, it suggests that policymakers could reduce the Fear of legal actions, other forms of legal Uncertainty and several residual Doubts (FUD) by explicitly stating that interface specifications are unprotectable and freely appropriable. In the second paper, I offer a critique of legal restraints on software reverse engineering, focusing in particular on Europe, but considering also similar restraints in the US, in particular in the context of the Digital Millennium Copyright Act. Through an analysis of entry conditions for late comers and of the comparative costs of developing programs in the first place or reverse engineering them, the paper shows that limitations on decompilation imposed by article 6 of the Software Directive were mostly superfluous and basically non-binding at the time of drafting. What is more, the paper shows that nowadays new – and largely unanticipated – developments in software development models (e.g. open source) make these restraints an obstacle to competition against dominant incumbent controlling software platforms. In fact, limitations on the freedom to decompile obstacle major reverse engineering projects performed in a decentralized way, as in the context of an open source community. Hence, since open source projects are the most credible tools to recreate some competitive pressure in a number of crucial software markets, the paper recommends creating a simpler and clear-cut safe harbor for software reverse engineering. The third paper claims that, in software markets, refusal-to-deal (or “information-withholding”) strategies are normally complementary with tying (or “predatory-innovation”) strategies, and that this complementarity is so relevant that dominant platform controllers need to couple both in order to create significant anti- competitive effects. Hence, the paper argues that mandatory unbundling (i.e. mandating a certain degree of modularity in software development) could be an appropriate – and frequently preferable – alternative to mandatory disclosure of interoperability information. However, considering the critiques moved from part of the literature to the Commission’s Decision in the recent European Microsoft antitrust case, an objection to the previous argument could be that – also in the case of mandatory unbundling – one should still determine the minimum price for the unbundled product. The last part of the paper applies some intuitions coming from the literature concerning complementary oligopoly to demonstrate that this objection is not well grounded and that – in software markets – mandatory unbundling (modularity) may be a useful policy even if the only constraint on the price of the unbundled good is the one of non-negativity

A framework for usage management

This thesis proposes a formal framework for usage management in distributed systems. The principles of system design are applied in order to standardize certain features of the framework, such as the operational semantics, and leave free of standards areas that necessitate choice and innovation. The framework enables use of multiple policy languages, and dynamic interpretation of usage policies in different computing environments. In addition, the framework provides formal semantics to reason about interoperability of policies with respect to computing environments. The use of this framework in different usage management scenarios is demonstrated including multi-level security, cloud computing and digital rights management (DRM) systems. Furthermore, DRM is cast in a setting that allows the modeling of a number of current approaches within a game theoretic setting. Current strategies that attempt to influence the outcome of such games are analyzed, and a new type of architectural infrastructure that makes novel use of a trust authority is considered in order to create a suitable environment for constructing DRM games that may prove useful in the future

Usage Management Enforcement in Cloud Computing Virtual Machines

Many are interested in adopting cloud computing technology, but have concerns about the security of their data. This issue has motivated extensive research to address potential vulnerabilities, with a major focus on access control. A related cloud computing concern is controlling what users can do with data to which they have been granted access. This control is needed to prevent accidental loss or deliberate theft of data by users who have been granted legitimate access. The need for this control, called usage management, has led to a number of conceptual approaches for both conventional and cloud computing, all of which will require an enforcement mechanism within the processors domain. The goal of this research is to prove that it is possible to implement a completely software-based enforcement mechanism that can operate independently of the application software. The implementation is based on a formal operational model. A number of implementation approaches were considered in formulating the enforcement strategy. Then, leveraging software instrumentation capabilities and extending tools developed for taint analysis, we developed a software-based usage management enforcement mechanism that uses dynamic data flow tracking. Based on usage flow policies that are specified in machine readable licenses, the enforcement mechanism can permit or inhibit data flows to standard interfaces, data files, and network sockets. The enforcement mechanism does not require direct hardware access, so it can be used very effectively in a cloud computing environment. This demonstrated capability now provides information owners an ability to control what authorized users can do with the information.\u2

R&D Management challenges for the desing and development of an E2E-DRM content business integration platform

Current studies on Digital Rights Management (DRM) have focused on controlling access to and copies of contents, centered exclusively on the end of the value chain (end users). This focus has been oriented towards security and encryption as a means of solving the issue of illegal copying by purchasers. In this paper, we propose End-toEnd Digital Rights Management (E2E DRM) that involves the protection of the content throughout the entire value chain. This concept is given form in the new technologies for representing intellectual property (IP) which, in a secure and unequivocal manner, identify the content at each point in the value chain: from the author to the end user, the content is identifiable in any of the transactions and statuses through which it passes. The key concept which E2E DRM must provide is not only the governability of access and copying, but also that of all the processes associated with the content business. We establish an E2E DRM model and architecture, and propose the R&D management of its design and implementation that makes it possible to protect content from content creator to purchaser. Finally, the paper also analyzes their impact from a global perspective. The research was financed by the Autonomous Region of Madrid through the program “Aid to Promote Technological Innovation in the ICT sector

Rough Consensus and Running Code: Integrating Engineering Principles into Internet Policy Debates

Symposium: Rough Consensus and Running Code: Integrating Engineering Principles into Internet Policy Debates, held at the University of Pennsylvania\u27s Center for Technology Innovation and Competition on May 6-7, 2010