Microsoft has announced its upcoming release of a Windows Rights Management Services (RMS) technology for Windows Server 2003 that "will work with applications to support a platform-based approach to providing persistent policy rights for Web content and sensitive corporate documents of all types." The RMS technology uses "tested and proven security technologies, including encryption, digital certificates, and authentication. Putting persistent protections in the documents themselves helps customers control and protect digital information both online and offline, inside and outside the perimeter of the firewall. Because Rights Management policy expressions can remain within files during and after transit, rather than residing on a corporate network, usage policies can be enforced even when rights-managed information leaves the network. Policies can be used to control forwarding, copying and printing, as well as establishing time-based expiration rules. Permissions can be set to expire at a specific point in time, such as a number of days after publishing or at regular intervals, requiring acquisition of a new license. Using Windows Rights Management Services, applications such as information portals, word processors, or e-mail clients can be built so that users will be able to easily designate both who can have access to specific content and what kinds of access rights they can have." RMS technology uses ContentGuard's XrML (Extensible Rights Markup Language). "Microsoft will release two software development kits in the second quarter of 2003 to enable developers to begin to build rights management capabilities into a broad range of intra-enterprise solutions and applications for Windows clients."
Some of the RMS documentation released by Microsoft on February 21, 2003 envisions the use of RMS technology to support privacy and safe information handling within corporate intranets. Windows Rights Management in this context "adds value to any organization's security mix by providing enterprise users with a flexible, easy way to control most of the types of digital information they typically create and use. For online information (such as database-backed dynamic content data on benefits and payroll intranet sites or enterprise information portals), as well as e-mail communications and documents, RMS can help enforce policies such as restricting the ability to print, forward and edit data."
Add-on for Internet Explorer
A key feature in RMS consumption and policy enforcement is the notion of a "trusted client." What happens when Windows RMS-protected content is created by a Microsoft Office application (e.g., Word, Excel, or PowerPoint) and then delivered to an external user not running hardware (?) and software recognized as trusted?
"For recipients of RM-protected content who do not have a program that uses RMS, the Rights Management Add-on for Internet Explorer, scheduled to be available for download in 2003, will add RM features to the browser so Windows can be used to view rights-managed documents including e-mail and other HTML information that is protected. The Rights Management Add-on will enable broad intranet and Internet portal scenarios by presenting rights-protected HTML to clients." (from the 2003-02-20 white paper "Microsoft Rights Management Solutions for the Enterprise")
The Rights Management Add-on for Internet Explorer: How It Works. "The Rights Management Add-on for Internet Explorer is a way that Windows users can view files with restricted permission. These restrictions help people to prevent sensitive documents, Web-based information, and e-mail messages from being forwarded, edited, or copied by unauthorized individuals... Authors can set restricted permission to limit what a reader can do with the content they receive. These restrictions are customizable, that is, one person may view the document but not print it, another may do both, and a third person may view and print the document, but only for five days. Authors can restrict permission to Web-based information as they create it, and then save the content as a rights-managed HTML file (with the file name extension .rmh). If the readers have installed the Rights Management Add-on, they can open the file and use the contents, based on the permission that the author has given them..." (from the software pre-release description 2003-02-21 in "Rights Management Add-on for Internet Explorer")
Reaction to the Microsoft announcements for RMS has been mixed in the published analyses. On the one hand, supporting a single fine-grained solution for content protection across all product lines seems like a smart strategy for a company that has a recognized monopoly. On the other hand, some analysts are concerned that deploying this proprietary privacy solution on a massive scale will increase the potential for vendor lock-in, lead to a violation of constitutional rights, and violate cultural norms regarding the longevity of digital information -- including loss of information that should be archivable for research purposes and legal requirements.
In Ziff Davis Microsoft Watch, Mary Jo Foley writes: "If you are a big company or organization with lots of correspondence and documents you want to keep secret, Windows RM is, indeed, a blessing. If you are a whistleblower, a journalist, a lawyer, a cop -- or anyone who has the audacity to want to use software other than Microsoft Windows or Office -- you should be very afraid... To me, RM, first and foremost, is an attempt by Microsoft to further lock customers in by requiring them to use Windows clients, Windows servers, Microsoft Office and Internet Explorer in order to create and consume documents. RM has another benefit, which I am not the first to note: It will eliminate the e-mail and document trails that hurt Microsoft in antitrust court..." See "Rights Management? Or Restriction? Don't Be Fooled. Windows Rights Management Isn't About Safeguarding Your Rights."
In Bill Rosenblatt's Technologies column for DRM Watch: "WRMS will initially be available as server-side software and a software development kit (SDK) for writing client applications; soon afterwards, Microsoft plans to release a plug-in to Internet Explorer that will embed rights management functionality into the Web browser, and then versions of Microsoft Office applications with the functionality built in. As with other rights management technology from Microsoft, WRMS will support ContentGuard's XrML rights expression language. WRMS is the latest expression of Microsoft's 'Unified DRM' technology roadmap, which it has been developing for about two years... This WRMS announcement is not a product release, and Microsoft is well known for changing both feature sets and release schedules. But this has to be worrisome for the increasing number of DRM vendors who are targeting the corporate space -- particularly those who started out with technology intended for the publishing market and are recently attempting to retool their solutions for the corporate market. Well-entrenched corporate DRM vendors can cite their additional functionality (not to mention existing installed base). Others should be concerned, to say the least..."
A troubling issue related to interoperability is raised by the comments from Mike Nash (Microsoft Corporate Vice President, Security Business Unit), as reported in a CNET News.com article:
"Other issues affecting the portability of rights associated with documents could cause other problems. Nash claimed that RMS is 'platform agnostic' -- meaning it will work with any operating system -- in that 'Windows Rights Management supports industry standards.' But for people to be able to access RMS-protected documents on, say, Mac OS X or Linux, the operating systems must use XrML (Extensible Rights Markup Language) in the same way Microsoft does. In that case, 'there is the opportunity for interoperability of document interchange,' Nash said. Otherwise, the document could not be opened on the non-Windows operating system..."
The Microsoft announcements refer to XrML as an "emerging standard," and the White Paper dedicates part of an Appendix to "How XrML Works." Microsoft has been promoting XrML since it joined with Xerox in 2000 to form the spinoff company ContentGuard, and became a minority investor in ContentGuard, Inc. Different versions of XrML have been "contributed" to standards groups (e.g., MPEG, OeBF, OASIS) with a recommendation from ContentGuard "to the standards organizations that they agree on a process to maintain a single core and single SX extension set, and thereby improve interoperability and reduce redundancy," but XrML (officially 2.0) is still proprietary. The suggestion of Nash that [non-Microsoft] "operating systems must use XrML (Extensible Rights Markup Language) in the same way Microsoft does" hints at some thorny problems regarding the layered/partitioned architecture of XrML (e.g., the OASIS RLTC work is scoped to simply work on part of a Rights Expression Language, not a complete REL) and the continuing control Microsoft exercises through ContentGuard.
In the Seybold Bulletin: "RMS is still at the application level (Windows Server, Office and Internet Explorer), but the move from media-specific applications to business applications hints at the scale and scope that Microsoft has in mind. DRM developers in the corporate space will be forced to become supporting ISVs to avoid being driven out of this market. In media markets, though RMS is not aimed at media applications, media companies -- particularly publishers that serve professional markets -- should also take notice: This is only the latest Microsoft DRM technology, and it won't be the last..." ["Microsoft Readies Corporate-Centric DRM," The Bulletin: Seybold News and Views On Electronic Publishing, Volume 8, Number 21 (February 26, 2003)]
The Mercury News reported: "The new [Microsoft] technology, announced Friday, would let companies decide who can see, copy, print or forward e-mail and other digital materials. Access to documents could even be set to expire, so older files would remain encrypted and unreadable by anyone. Called Windows Rights Management Services, the new technology is meant to protect confidential or competitive data... Hundreds of corporate clients have complained about private information being leaked intentionally or by accident, said Mike Nash, corporate vice president of Microsoft's security business unit. 'The company does have a right and expectation for their platform to be trusted,' Nash said. But others see the technology as a threat to some of the best watchdogs of corporations -- their own employees. After two years of corporate scandals -- made public in part by employees' exposing wrongdoing -- whistleblower groups said they worry limited access to information could let companies get away with breaking the law. 'It sounds to me like just another way to restrict the free flow of information,' said Joanne Royce, a senior attorney with the Government Accountability Project... Microsoft contends the technology won't affect whistleblowing on corporate fraud or other matters. Amy Carroll, group manager of the Windows Trusted Platform Group, said people can still photograph a computer screen..."
- Announcement 2003-02-21: "Microsoft Announces Windows Rights Management Services for Windows Server 2003. Rights Management Solution Will Give Organizations and Employees New Ways to Protect Information."
- Windows Adds Rights Management Protection for Enterprise Information
- Rights Management Add-on for Internet Explorer
- Microsoft Rights Management Solutions for the Enterprise: Persistent Policy Expression and Enforcement for Digital Information. Microsoft White Paper. February 20, 2003. 15 pages. See the overview and TOC.
- "Rights Management? Or Restriction? Don't Be Fooled. Windows Rights Management Isn't About Safeguarding Your Rights." By Mary Jo Foley. In Ziff Davis Microsoft Watch (February 25, 2003).
- "Microsoft Expands Rights Management Tool." By Joe Wilcox. In CNET News.com (February 25, 2003).
- "Microsoft Details New Rights Management Tech. Add-on Module Will Enforce Access Policies." By Stacy Cowley, Paul Roberts, and Joris Evers. In InfoWorld (February 21, 2003).
- "Microsoft: An Opportunity For Rivals. Microsoft is to Debut its Rights Management System in Office 2003." In Datamonitor (February 25, 2003).
- "Document Control Targeted. But New Technology from Microsoft Could Cut Down on Whistleblowing." By Helen Jung (Associated Press). In The Mercury News (February 22, 2003).
- XrML information from ContentGuard
- OASIS Rights Language TC website
- "Extensible Rights Markup Language (XrML)" - Main reference page.
- "XML and Digital Rights Management (DRM)" - Main reference page.