ACM's flagship journal Communications of the ACM dedicated a special issue to the theme "Digital Rights Management and Fair Use by Design." The April 2003 issue of CACM (ISSN: 0001-0782; Volume 46, Number 4) contains seven feature articles on the need to reconcile competing interests in the creation of DRM rules that govern fair use of copyrighted digital works. "Guest editor Deirdre Mulligan, Director of the Samuelson Law, Technology, and Public Policy Clinic at UC Berkeley, contends that content owners and policymakers have taken technology firms to task for their inability to enforce rules about access to copyrighted works. She calls on some of the most noted legal voices in the DRM debate to help provide technologists some answers, clarifications, and technical options." The articles document how "the public and its advocates, along with many copyright scholars, are voicing their concern that DRM -- whether legally mandated or privately adopted -- will lock up information in ways that thwart individuals' and institutions' rights to read, lend, resell, mix, and build on copyrighted works. A growing number of technology firms are deeply concerned over the dumbing down and locking up of the desktop computer."
Abstracts/Excerpts for the Feature Articles
"Introduction: Digital Rights Management and Fair Use by Design." By Deirdre K. Mulligan (Acting clinical professor and Director of the Samuelson Law, Technology, and Public Policy Clinic in Boalt Hall at the University of California, Berkeley). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 30-33. The fair-use exceptions in U.S. copyright law are being undermined by rules programmed into consumer electronics and computers that reflect the exclusive interest of rights holders alone. [subscription URL]
That privately constructed rules may circumvent or conflict with societal values and public policy is well known and has many manifestations, many predating the Internet and computers. The question of whose rules should govern and the space in which private rules can constrain or contradict democratically instituted social policies is a long-standing one. The use of, for example, property rights, states' rights, and other proxies for private interests has a long legacy in law and social practice. Today, while the law allows average citizens to time-and-device shift music and movies they own, and the First Amendment of the U.S. Constitution allows them to engage in parody, the medium of delivery or device may independently limit their ability to do so.
Such default limitations arise in part because the security model underlying DRM architecture is a poor fit for modeling copyright policy. DRM architecture, which is based on binary permit/deny schemas, envisions copyright holders unilaterally setting the terms under which their products are used. Copyright law is, however, multidirectional...
Are today's DRM systems poised to give rights holders too much control over the use of copyrighted works? Machine-readable rules that control access to digital works are likely to inhibit, restrict, or altogether prevent many legally authorized uses. Written by rights holders and offered on an accept/reject basis to purchasers, these rules are likely to supplant copyright law in many contexts. As a result, the balance remaining in copyright policy -- reflecting the interests of many groups, including copyright holders, creators, and purchasers of that content -- stands to be replaced with contracts and machine-readable, machine-enforceable "code constraints" reflecting and upholding the interest of the rights holders alone.
Technologists have an opportunity to change this outcome. As writers of code, believers in the multipurpose computer, voters, and pundits, they may be most able to do so. Whether DRM is mandated or privately developed, its inability to accurately reflect the rights and responsibilities of copyright holders and users alike urges caution and care in their development and implementation.
"Fair Use, DRM, and Trusted Computing." By John S. Erickson (Principal Scientist, Digital Media Systems Program, Hewlett-Packard Laboratories, Norwich, VT). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 34-39. With 12 references. [subscription URL]
How can DRM architectures protect historical copyright limitations like fair use while ensuring the security and property interests of copyright owners? In this article, "Erickson explores DRM architecture and its relation to trusted computing platforms, as well as the disconnect between the security paradigm from which today's DRM systems originate and the exception-riddled, context-laden nature of copyright law. He suggests a DRM architecture that would provide enough space for the exercise of fair use-like rights."
The ability of providers to reliably and deterministically impose rules on the end-user experience raises the question of who sets the rules dictating how users interact with digital information on their personal systems. Will the social policies and common practices that have traditionally influenced the copyright process be replaced by rules privately constructed by content owners and software providers? Will they be privately enforced by operating systems and DRM technologies? Conversely, can these emerging architectures help protect the limitations on copyright owners' exclusive rights, preserving the flexible fair use doctrine?
Here, I explore how access-control policies are evaluated, especially in the case of two rights expression languages -- the eXtensible rights Markup Language (XrML; see xrml.org) and the eXtensible Access Control Markup Language (XACML; see www.xacml.org). Since the expression and interpretation of policies is but one layer of the general problem of asserting and protecting copyright with computer code, I emphasize the role of trusted systems in ensuring that computing agents interpret policies in reliable and deterministic ways. I also weigh the challenges inherent in expressing and enforcing policies that mimic social policies. Engineers often seek to simplify problems, but when the problem involves implementing legal statutes (such as copyright) with executable code, simplifications might actually do damage, especially if the solution gives either party more power to assert control than the law entitles...
The inevitable adoption of trusted computing principles in end-user systems (such as personal communication devices, consumer electronics, digital media players, and library PCs) promises to increase the commercial appeal and use of sophisticated DRM technologies. Trusted computing platforms and the migration of DRM components into the operating system are likely to make controlled, conditional access to content a more attractive alternative to information providers and an increasingly common aspect of the end-user experience.
My purpose here has been to consider where policy-enforcing trusted systems are headed, examine how the emergence of trusted computing environments will affect our personal use of information, and address some of the problems technologists will face as they implement public policy through computing systems. I have emphasized the challenges and potentially negative effects of using these emerging architectures to enforce copyright restrictions, especially how to ensure that fair use and the related limitations of copyright law stay accessible to users of information. Responsible development of DRM requires that technologists understand the legal and social contexts in which these systems will operate.
"DRM {and, or, vs.} the Law." By Pamela Samuelson (Chancellor's Professor of Law and Information Management at the University of California at Berkeley and Director of the Berkeley Center for Law & Technology). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 41-45. With 7 references. The main purpose of DRM is not to prevent copyright infringement but to change consumer expectations about what they are entitled to do with digital content. [subscription URL]
"Samuelson covers the varied relationships between DRM and the law, explaining that DRM provides potentially far more control to copyright holders than the law provides or permits and that, in its current legal interpretation, the Digital Millennium Copyright Act (DMCA) of 1998 provides nearly unlimited protection to DRM. This special status, she writes, creates a risky environment for those who wish to circumvent DRM to exercise historically protected rights to use information. Warning that DRM, whether through technical standards or congressional mandate, threatens to further erode the public side of the copyright balance, she calls on computing professionals to defend general-purpose computing technologies and support legislative consumer-protection measures related to DRM-protected content."
DRM is sometimes said to be a mechanism for enforcing copyrights. While DRM systems can certainly prevent illegal copying and public distribution of copyrighted works, they can do far more; they can as easily prevent the copying and distribution of public-domain works as copyrighted works. Moreover, even though copyright law confers on copyright owners the right to control only public performances and displays of these works, DRM systems can also be used to control private performances and displays of digital content. DRM systems can thwart the exercise of fair use rights and other copyright privileges. DRM can be used to compel users to view content they would prefer to avoid (such as commercials and FBI warning notices), thus exceeding copyright's bounds.
Given that DRM permits content owners to exercise far more control over uses of copyrighted works than copyright law provides, the moniker "DRM" is actually a misnomer. These technologies are not really about the management of digital "rights" but rather about management of certain "permissions" to do X, Y, or Z with digital information. If DRM systems were about digital management of rights, they would need to be designed so users could express their rights under copyright, too. Thus far, digital rights expression languages (RELs) lack semantics to allow the expression of concepts like fair use. DRM cannot accommodate user rights without REL vocabularies capable of expressing them. Even if RELs developed semantics to express user rights, content owners may abjure expressing them unless forced to do so by law or competition...
How DRM and the law interact over the next decade depends on decisions made in the near future by individual technologists, firms in the technology and content industries, participants in standard-setting processes, and legislators and other policymakers. DRM technology is not policy neutral but highly policy charged, in part because of the goals the content industry has for it.
It may seem obvious to computing professionals why DRM should not be mandated in digital media devices and why consumers, scientists, and other legitimate reverse-engineers ought to be able to continue to engage in fair and other noninfringing uses of copyrighted works. Unfortunately, it is not as obvious to members of Congress and other policymakers. Computing professionals can make a positive difference in the policy debates over DRM -- if they choose to do so.
"DRM and Privacy." By Julie E. Cohen (Professor of Law, Georgetown University Law Center, Washington, DC). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 46-49. How should the law respond to DRM restrictions that invade user privacy? [subscription URL]
"Julie E. Cohen focuses on the privacy incursions enabled by DRM. From limiting what goes on in the privacy of one's own home to exposing what occurs there to outside view, DRM poses a range of special threats to individual privacy that will potentially interfere with individual autonomy and chill intellectual inquiry. She notes the current lack of guidance as to the proper scope of privacy in the digital age, suggesting that courts have the tools to redefine privacy injuries to recognize the kinds of intrusions facilitated by DRM. Finally, she encourages the design of privacy-protecting features into DRM standards and products."
DRM developers and standards bodies also should be encouraged to address the privacy interests of users by incorporating privacy protections into their systems and standards. Stronger privacy protection is not necessarily incompatible with stronger copyright enforcement. DRM controls can be designed to be "leaky," allowing users greater flexibility to access and use information goods within private spaces, while anonymization techniques can lessen at least some of the informational privacy concerns.
In the emerging environment of digital information, the proper balance between DRM and user privacy is an important subject for public debate. That debate should begin now, while infrastructures and standards for DRM are still evolving.
"Fair Use By Design in the European Copyright Directive of 2001." By Séverine Dusollier (Lecturer, University of Namur, Belgium). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 51 - 55. Is DRM an empty promise, privileging and preserving author interests at the expense of the public goal of safeguarding fair-use exceptions? [subscription URL]
"Séverine Dusollier covers the European Union's approach to DRM. The EU Directive on Copyright and the Information Society of 2001 sorts out the policies to be implemented through DRM. It motivates copyright holders to build protections for user rights into DRM. It also directs EU member states to take measures ensuring user rights can be exercised wherever content is protected by DRM if private ordering fails to provide adequate protections. While the EU approach differs decidedly from its U.S. counterpart, Dusollier concludes it is likely to engender similar questions about the appropriate scope of private ordering versus public decision making regarding limits on information use as set by DRM. She bases this conclusion on the Directive's lack of guidance regarding the steps required to protect users before governments are required to step in, as well as on the existence of an exemption to government obligations for content delivered on demand. She finds that, like the DMCA in the U.S., the Directive privileges private ordering over copyright policy."
Embedding fair use and other copyright exceptions in the contractual and technical models of the distribution of digital works might seem a perfect yet flexible solution. Such a principle of fair use by design was adopted by the European Union in 2001. Its Directive suggests that the accommodation of exceptions will result from a specific or revised design of the technical measures protecting copyrighted works or from contractual or business models integrating the legitimate demands of users. One might therefore wonder whether this miracle cure is only pretense. Indeed, it does not cover all exceptions to copyright; more important, it does not cover most forms of distribution of works on the Internet...
The fair use that might be produced by this peculiar process would be a poor substitute for the legal defense of fair use or, in Europe, to copyright exceptions, reflecting, after a democratic and public process, the proper consideration and balance of the interests of all members of society, as well as of society as a whole. All could lose a fundamental public benefit a private orderings model would never value properly.
"A Skeptical View of DRM and Fair Use." By Edward W. Felten (Associate Professor, Department of Computer Science, Princeton University, Princeton, NJ). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 56-59. Don't expect DRM to ever be smart enough to distinguish fair use from copyright infringement. [subscription URL]
"Edward Felten asks us to view DRM skeptically. In both theory and practice, he argues, DRM is an unproven tool. Weighing the complexities of building fair use into DRM, he raises grave doubts about the ability of technologies to accurately accommodate even the simple cases of fair use (such as making a backup copy or a copy for exclusively in-home use). Felten concludes that fair use is beyond the capacity of current technology and is likely to remain that way."
The vagueness of the fair use test makes it essentially impossible to create a DRM system that allows all fair uses. To be correct, such a system would have to apply the four-factor fair use test to each attempted use of a work. The nature of the test makes it impossible for two reasons:
Lack of knowledge about the circumstances. Aspects of the test require knowledge about the circumstances of the use, but such knowledge is not available to the DRM system; for example, a certain use may be fair when done in a classroom but illegal when done in a commercial setting. The DRM system cannot know enough about the circumstances outside the computer to know whether the setting would more accurately be classified as teaching or as commerce.
Inadequate artificial intelligence. Even if full information about the circumstances were available, applying the four-factor fair use test would require highly sophisticated AI. Several of the factors involve "AI-hard problems." For instance, the fourth factor in the test evaluates the effect of the use on the market for the original work. It requires reasoning about the economics of a particular market, a task even well-trained humans find difficult. For the foreseeable future, no computer system will be able to approach a human's ability to analyze these markets...
A plausible approximation algorithm would make errors in both directions, allowing some uses the law would forbid and forbidding some uses the law would allow. Consider, for example, the system's evaluation of attempts to copy an entire copyrighted work. There are situations in which this is fair use, as well as many in which it is not. The system often cannot tell them apart. So if the requirements say the system must prevent all unfair uses, then apparently it must flatly refuse requests to copy the entire work -- and thereby ban backup copies. Alternatively, if the requirements say the system must allow all fair uses, then apparently it must allow virtually all requests to copy the entire work --and thereby allow blatant infringement. An approach that makes errors in only one direction simply makes too many errors, so we must accept that any practical system is both too permissive and too restrictive.
Fair use is one of the starkest examples of the mismatch between what the law requires and what technology can do. Accurate, technological enforcement of the law of fair use is far beyond today's state of the art and may well remain so permanently. Technology will not obviate the need for legal enforcement of the copyright rights of both copyright owners and users.
"Encouraging Recognition of Fair Uses in DRM Systems." By Barbara L. Fox (Senior Fellow at the John F. Kennedy School of Government, Harvard University, Cambridge, MA, and a software architect in the Windows Trusted Platform Technologies group at Microsoft Corporation, Redmond, WA) and Brian A. LaMacchia (Software architect, Windows Trusted Platform Technologies Group, Microsoft Corporation, Redmond, WA). In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 61-63. [subscription URL]
"Barbara L. Fox and Brian A. LaMacchia propose creating a legal "safe harbor" to help technologists experiment with DRM architectures and applications that factor in the public's side of the copyright balance -- without exposing themselves to claims of contributory copyright infringement. They elucidate the constraints experienced by technologists in light of today's legal uncertainty. If they are not required to build mechanisms accommodating some aspects of fair use or first sale, is there exposure for technologists or the firms that design and build in such features? One can read the article as a call for a DRM mandate of sorts comprising some set of copyright norms currently agreed to be protected by the fair use doctrine; its technical facilitation would be categorically immune from claims of contributory copyright infringement. Fox and LaMacchia thus provide an interesting approach to creating breathing room for technologists and policy wonks alike to develop more flexible, context-dependent DRM architectures and systems."
Current digital rights management (DRM) systems take a very limited view of the set of rights they need to manage. Typically, they make decisions using a closed-world assumption: Only actions explicitly authorized by content owners or their delegate(s) are allowed, and the only "rights" are those explicitly granted by them and presented to the DRM system. Most DRM systems do not even acknowledge the possible existence of rights other than the content owner's to license a particular work. They simply facilitate the execution of a contract between the content owner (licensor) and a consumer (licensee), represented by a set of authorizations (licenses) specifying which actions the owner sublicenses to the consumer with respect to a particular work.
This view -- considering only the rights explicitly granted by the content owner to the consumer -- serves the interests of builders of DRM systems in two ways: First, since the system's policy-evaluation algorithm evaluates only affirmative grants issued by the content owner, there is no danger the DRM system will "make a mistake" and allow an action not expressly enumerated. And second, it is easier to build systems that rely on only a single source of authorizations. Thus, there is no incentive for DRM architects to try to model fair use rights in their systems, as any attempt to do so puts them at risk of contributing to an infringement.
Needed, therefore, is a set of incentives that encourage DRM system builders to experiment with modeling and implementing subsets of fair use rights -- a safe harbor protecting systems and their users from infringement claims...
Our proposal, or dare, is that we, as representatives of the combined technical and legal communities, form a partnership to model and ultimately create a series of expanding safe harbors for modeling larger and larger subsets of fair use rights in DRM systems. As the implementers of the rights expression languages and policy evaluators within DRM systems, we have the opportunity, and obligation, to attempt to replicate and enforce the delicate balance that is copyright law in the DRM systems we build.
See also: "Legal and Technological Efforts To Lock Up Content Threaten Innovation. Legislation Poses Greater Restrictions on the Very Freedom on Which the Net Was Founded." By Jeff Grove. In Communications of the ACM (CACM) Volume 46, Number 4 (April 2003), pages 21-22. As the result of lobbying efforts by commercial content industries to gain more control over their works, new legislative and regulatory initiatives have emerged that threaten to erode the rights and expectations of researchers and consumers. [subscription URL]
Politically, the debate over DRM restrictions is shaping up as a confrontation between incumbents versus innovators. Incumbents envision a future where new legal protections and DRM restrictions are combined to grant unprecedented control over digital content and to protect their current business models from competition. Continued innovation in software and digital computing could be sacrificed.
A small sampling of the risks includes higher prices, fewer choices, and systems that are prohibitive and more difficult to use. For example, tamper-resistant systems could prevent computer users from auditing software, running open source software, accessing data and information, and customizing systems to enhance security and privacy. In addition, controlled access allows copyright holders to track individual uses of digital works, creating new personal concerns.
USACM is engaged to provide policymakers with a deeper understanding of IT policy issues of concern to the ACM membership and computing community. If the future of digital computing is shaped by content industries and technology companies without input from all computing stakeholders, the unintended consequences may threaten the progress of science, economic growth, and the overall security of our infrastructure.
About ACM
"Founded in 1947, the Association for Computing Machinery (ACM) is a major force in advancing the skills of information technology professionals and students worldwide. Today, our 75,000 members and the public turn to ACM for the industry's leading Portal to Computing Literature, authoritative publications and pioneering conferences, providing leadership for the 21st century."
Principal references:
- Association for Computing Machinery
- Communications of the ACM (CACM)
- "XML and Digital Rights Management (DRM)" - Main reference page.
- See also: "Patents and Open Standards" - Main reference page.