Download PDF version of this article PDF

Understanding DRM

Recognizing the tradeoffs associated with different DRM systems can pave the way for a more flexible and capable DRM.


The explosive growth of the Internet and digital media has created both tremendous opportunities and new threats for content creators. Advances in digital technology offer new ways of marketing, disseminating, interacting with, and monetizing creative works, giving rise to expanding markets that did not exist just a few years ago. At the same time, however, the technologies have created major challenges for copyright holders seeking to control the distribution of their works and protect against piracy.

DRM (digital rights management)—broadly defined as technical measures used to protect content in digital media devices and services—is a response to these issues. Its role and impact in the digital media marketplace, however, are under debate. Proponents maintain that DRM can facilitate the secure distribution of digital content in new markets and help fuel new business models that exploit the power of digital media and the Internet, giving consumers many more choices. Critics, meanwhile, contend that DRM will do little to stop piracy and that its main effect may be to frustrate consumers’ ability to take advantage of the full power of digital media.

The role that DRM plays in the media marketplace likely will depend, however, on the specific forms of DRM in question. Different DRM systems can provide different capabilities for users. The forms that DRM takes are likely to be shaped, in turn, not by any government action or policy decision, but ultimately by consumers comparing products and acting on their preferences in the marketplace. Products with DRM will compete with each other, and in some cases with non-DRM alternatives as well, as in the trend toward offering many music downloads in MP3 format.

This article describes various factors that may be relevant to consumers as they evaluate DRM. The goal is not to suggest that any particular DRM schemes are good or bad in any general sense, but rather to provide some metrics that could be used in assessing the DRM-related tradeoffs associated with different marketplace offerings.

Of course, not every individual can or will track through all the questions set forth here. As in many other contexts, the public may look to product reviewers and consumer advocates to take the lead in analyzing, summarizing, and comparing how different products perform in key areas. For some consumers or some products, certain factors may matter and others may not. To the extent that consumers become informed about and focus on the types of metrics discussed here, however, product developers will also need to focus on those same factors.

Key Factors for Assessing and Comparing DRM

What follows is a discussion of four key consumer metrics for evaluating DRM-equipped digital devices and services. These metrics are transparency, effect on use, collateral impact, and purpose and consumer benefit. The list is not necessarily exhaustive; other issues that matter to consumers may emerge as technologies and media markets evolve. These metrics identify specific questions that product reviewers and testers should be asking as they evaluate media products, services, and devices incorporating DRM.

A consumer base sufficiently informed and engaged on these types of questions can drive competition between different DRM offerings, and ultimately push content providers and technologists away from approaches to DRM that offer unattractive tradeoffs from the consumer perspective.

METRIC 1: Transparency

To what extent are the effects of DRM clearly disclosed to users? In particular:

Unless limitations and collateral impacts associated with a product are clearly disclosed, users are likely to be surprised and angered when they encounter them.

Relevant information for disclosure. Disclosure is certainly warranted when DRM will cause a product’s function to deviate significantly from mainstream consumer expectations for the particular medium in question. Expectations also evolve, however, and consumers will likely become increasingly accustomed to the flexibility with which they use digital files on their general-purpose, Internet-connected computers and other devices. Evaluating what should be disclosed requires careful thinking about the full range of technical tradeoffs DRM entails. In addition, disclosure is particularly important where DRM-equipped products will not work with certain devices or in certain configurations. For example, consumers need to understand in advance that DVDs purchased on a trip abroad may not work in the purchaser’s home DVD player because of region coding, or that many songs purchased on iTunes cannot easily be transferred to non-Apple portable music players.

Manner of disclosure. To be useful, disclosure needs to be sufficiently prominent and understandable. What constitutes an appropriate manner of disclosure depends on the likely importance of the information to consumers. For example, in some cases, it may be appropriate to disclose less significant details of DRM within licensing agreements. Because consumers rarely read through long licensing agreements, however, key information should be disclosed in a more prominent fashion.

Timing of disclosure. Timing is another factor in evaluating disclosures. Certainly information that is likely to affect a consumer’s decision to buy a particular product or service should be disclosed prior to purchase. In general, however, notices should not be limited to the time when a possibly hurried user is signing up for a service or picking out a product in a store. Depending on the nature of the DRM system, disclosure at other times may also be warranted as part of a user’s ongoing interaction with a product or service.

For example, for songs purchased online that are limited in the number of times they can be burned to a CD, users should be notified as they approach the limit. Post-purchase disclosure also can be relevant when DRM will result in the installation or upgrading of software, particularly if an upgrade may cause compatibility problems with older products or change usage rules governing a user’s already-purchased content or devices. A 2006 firmware upgrade to two of Creative’s MP3 players reportedly enabled the devices to support more DRM platforms but also disabled the players’ FM radio recording capability—clearly a consequence that consumers would want to be informed of when they are deciding whether to accept the upgrade.

METRIC 2: Effect on Use

What specific parameters does DRM establish for the use of a work? What limitations does it entail? In particular:

Any evaluation of a DRM technology must include a careful look at the impact on the ways a creative work can be used.

Personal use and copying of works. Consumers have developed a number of expectations concerning the use and copying of familiar types of content. Widespread use of the Internet and digital technologies is likely to foster additional expectations concerning personal use as consumers grow accustomed to the flexibility that computer platforms provide.

Of course, expectations may vary depending on the medium and the delivery method, but they may include (and are not necessarily limited to) the following:

Flexible personal use—the ability to read, listen to, play, or watch a lawfully acquired copy of a work in a manner or sequence of the consumer’s choosing.

Time shifting—the ability to record or store a work for use at a later time.

Place shifting—the ability to use a work on different devices and at different locations within a personal, family, or work environment (for example, recording a program in one room to watch in another).

Archiving—the ability to copy a work for purely archival purposes.

Lending or reselling—the ability to lend, give, or resell a lawfully acquired copy of a work.

Limited copying for noncommercial purposes—the ability to engage in limited copying, such as that contemplated by the Audio Home Recording Act or the fair use doctrine.

Some traditional personal uses may not translate easily into the digital world. For example, it is easy and common to lend physical items, such as books, but it is somewhat less natural to “lend” a digital file, since people tend to copy files rather than physically move or transfer them.

Providing certain personal-use capabilities without opening the door to widespread infringement may pose significant technical and business challenges. To the extent that consumers value certain capabilities, however, they may reasonably press product and platform developers to take on these challenges. In addition, where DRM-equipped products will not allow personal uses that have been commonplace for that type of media, that fact should be disclosed to consumers.

Choice and interoperability. Many consumers have already encountered compatibility limitations in the online music market. Most songs purchased on iTunes will not work on portable music players other than Apple’s own iPods, and Apple’s iPods will not work with songs purchased from other online stores in Windows Media format. The confusing tangles of DRM incompatibility can be frustrating to users accustomed to buying CDs under the assumption that that they will play in any device in which they fit.

To some extent, compatibility limitations stem from the basic purposes of DRM. One major aim of DRM is to limit a user’s technical ability to use or distribute digital content in ways the copyright holder has not authorized. To do that, DRM often aims to make the content incompatible with devices or platforms that would enable (or fail to prevent) such unauthorized uses.

Of course, DRM can also be used for segregating markets or creating and enforcing different distribution windows. These uses of DRM can result in compatibility issues as well—as in the example of DVD region coding, which makes U.S. DVDs incompatible with players sold outside North America.

Given the purposes of DRM and the likelihood of multiple distribution platforms, it is not realistic to expect every digital distribution service and every DRM-equipped file to be compatible with every other platform or playback device. Nonetheless, DRM that is compatible with a range of platforms and devices—and thus permits competition and consumer choice—generally has advantages over DRM that locks users into a narrow set of complementary technologies. Media products and technologies that can be expanded and deployed in ways not anticipated by the original developers are likely to have significant long-term advantages over those with more closed architectures.

One route to greater interoperability is for different products, services, and devices to adopt the same DRM platform. For example, if a vendor of DRM solutions licenses its DRM widely, many different companies can incorporate that solution into a variety of competing downstream products. Microsoft licenses use of its Windows Media DRM to third parties, and it is used by a variety of digital music stores and device vendors. Alternatively, a group of companies may come together to develop a joint DRM standard they would all use. Members of the consumer electronics industry have formed a consortium called the Marlin Developer Group with the intention of developing a common DRM standard.

A different way of achieving interoperability would be to develop standard interfaces and protocols to enable users to shift their content back and forth between separate DRM platforms. The idea is that information relating to the user’s identity and the rights the user has acquired for particular content would be recorded in a standard format that is not specific to any one DRM platform, enabling the content to be translated into (or exchanged with) alternative DRM formats while maintaining the same basic usage parameters. Sun’s Project DReaM and the electronics industry’s Coral Consortium are examples of efforts to develop this kind of inter-DRM interface.

In short, evaluating the extent to which DRM locks users into a narrow family of products in complementary markets requires looking not just at the technology, but also at licensing agreements, policies for granting future licenses, and compatibility with any standard protocols that have been developed. As discussed previously, where DRM does entail limitations on choice and interoperability, transparency is essential. Consumers would not have expected a tape deck to be capable of playing vinyl records, but in the world of digital media, compatibility-related complications may be less obvious for consumers to discern.

Facilitating end-user creativity. Digital technologies and open computer architectures can empower individual consumers to be much more than passive consumers of media. The digital revolution has made mass publishing available to anyone with a computer. It provides cheap, easy access to the kind of music and video production tools previously available only to corporations and professionals. Mainstream users can choose to engage in such activities as remixing content into new creations or commenting on current affairs via a video blog. In a world in which people increasingly express themselves through rich media, they will want the ability to quote, comment, and editorialize on and through all kinds of media in the same way they have historically been able to do with print. Naturally, copyright law establishes boundaries, but the fair use doctrine provides a certain amount of leeway, especially for noncommercial uses that have little impact on the market for a copyrighted work.

Ideally, therefore, DRM solutions should allow users to interact with, excerpt, and expand on existing works in ways that are consistent with copyright law. They should allow reuse of content for noncommercial creative purposes, such as using purchased music as background in home videos. They should take advantage of the metadata capabilities of digital media to make it easy to purchase licenses to expand upon and redistribute content as part of users’ own creations.

Most DRM is not well adapted to the task of facilitating end-user creation. The CSS (Content Scramble System) DRM on prerecorded DVDs provides little flexibility for any activity other than passive viewing. DRM used by online music stores, on the other hand, at least allows for the creation of custom playlists and burning of mix CDs.

It is not a simple task to develop DRM solutions that, in accommodating a broad range of creative uses, do not also open the door to uses that infringe copyright. But the potential for interactivity and user creativity is one of the great advantages of digital media. In the long run, DRM should work toward allowing users of computers and consumer electronics devices to interact with and transform content, not just to consume it passively.

Permanence/risk of unexpected loss of access. In some cases, DRM may carry the risk of unexpectedly interrupting or losing a user’s access to content. DRM that involves some kind of ongoing, post-sale linkage to or dependence on the individual provider of the content could make content permanently inaccessible if the provider goes out of business or ceases support for that particular product line or format. For example, Google’s recent decision to close its Google Video store means that videos purchased there will cease to be playable, because the DRM requires files to be authenticated with a Google Video server before they will play. Similarly, when DRM requires that kind of Internet-based “handshake” or verification on an ongoing basis, access to purchased content could be interrupted temporarily whenever the user loses an Internet connection.

Of course, under some business models, users may acquire content with the full understanding that their rights to access the content are not necessarily permanent. Access to rented content may expire after a certain period of time, and access to subscription-based content may expire if the user allows the subscription to lapse. Unless such limits are an explicit part of the bargain at the time of purchase, however, users generally expect that content they purchase will remain accessible and usable.

The risk of future loss of access is unlikely to be immediately apparent from direct tests of DRM platforms or from the associated disclosures. Rather, evaluating this factor requires a sound understanding of how a DRM scheme works and an effort to think through how it could be affected by various future contingencies.

METRIC 3: Collateral Impact

Does DRM have any other potential impact on users, aside from its direct impact on the ways they can use or distribute the protected content? In particular:

In some cases, DRM may affect more than just the use of the specific DRM-protected content. Secondary or collateral effects may relate to such matters as user privacy, computer or network security, or other potential impairment to the functionality of user devices.

Privacy and anonymity. Analog media generally affords the ability to read, view, or otherwise access content anonymously. Some DRM systems, however, may associate a specific identity with each use of or access to content and then, using the Internet, communicate that information back to the content distributor. For example, the Google Video service embedded encrypted user account information in purchased videos and relayed that information back to Google each time a user played a video. This kind of system may benefit users by allowing them to access their content from multiple devices or remote locations, based on their identities. On the other hand, usage under such a system is not anonymous in the same way it is when a user reads a book or watches a videotape.

Information about what individuals read, watch, and listen to can be quite personal and sensitive. Moreover, such information could be linked to purchase histories or other data that a content provider may possess, creating detailed profiles of individual users. Thus, DRM schemes that make usage less anonymous can raise significant privacy questions.

Security. When DRM involves the installation or alteration of software on a user’s computer or other device, sloppy or overly aggressive programming could impair the general security of the device. Sony BMG’s copy-protected CDs created a controversy in 2005 after reports emerged that the software they installed created security vulnerabilities that could be exploited by virus writers seeking to access users’ computers. Examples of DRM behaviors that pose security risks include:

Device functionality. There may be other ways, not directly related to security, in which DRM could impair the overall functionality of a user’s device. For example, DRM may drain battery or processing power. It has been reported that playing music files with certain DRM systems can cut the battery life of MP3 players by 25 percent. Some DRM software appears to run, and thus use processing power, even when the user is not accessing protected content. This could slow the performance of the device, particularly if multiple DRM systems operate this way and have a cumulative effect. DRM systems could also interfere with a device’s general-purpose copying hardware or software; there have been reports of certain DRM systems modifying the operation of the device drivers for DVD burners. As noted previously, a 2006 firmware update to certain MP3 players disabled the FM radio recording capability. 

METRIC 4: Purpose and Consumer Benefit

Is DRM being used to innovate and facilitate new business models that fill previously unaddressed demand and give consumers new choices? Or is DRM being used to lock consumers into old business models or to limit their choices in services and devices?

The factors addressed thus far focus mainly on the details of what a DRM’s practical impact is and how that impact is disclosed. But consumers—particularly product reviewers and consumer advocates—may also want to step back and look at the big picture. In particular, they may seek to assess whether particular DRM schemes appear to be facilitating new delivery channels that benefit content providers and consumers alike—or whether they seem mainly to serve some other purpose, such as locking users into a company’s technology platform.

This inquiry may be more subjective than, for example, determining the usage parameters established by a DRM scheme. In many cases, however, the purpose and role of DRM may not be terribly difficult to perceive.

For example, online video rental services use DRM to cause downloaded video files to expire at the end of the agreed-upon rental term. It is easy to understand why an online rental business, or the content companies licensing videos to it, would not be at all comfortable distributing so-called “rentals” that in fact take the form of permanent files on customers’ computers. Since online rentals are an attractive and convenient choice for some consumers, it is reasonable to conclude that the DRM system causing the video files to expire is facilitating a business model for which there is real consumer demand.

Another example is DRM schemes that focus primarily on tracking and accounting for usage—rather than just restricting it—to permit appropriate payment. For example, services that allow users to transmit files to one another (superdistribution) might need a means for tracking referred files to facilitate payment. Subscription services likewise need a way to make access contingent on valid subscription status.

While DRM may help foster new choices for consumers, DRM with narrower competitive aims may limit such choices by making it harder for consumers to switch brands. There is nothing impermissible about employing DRM for such a purpose, and consumers may in some cases accept the limitations. It is fair, however, for reviewers and consumer advocates to point out when DRM is being used in ways that offer no significant consumer benefit—and to be appropriately critical.

Applying the Metrics—Frames of Reference

In assessing how a particular DRM system performs with respect to the criteria identified here, it may be useful to compare DRM-equipped digital media products with their traditional analog predecessors. Comparisons with competing digital products already in the marketplace can be informative as well.

At the same time, frames of reference based narrowly on existing products or services will tend to put the focus more on familiar features than innovative ones and will cease to be useful over time. For example, several years ago, few were predicting that home users would easily be able to create, edit, and remix digital video. Now it is reasonable, in considering the uses DRM allows, to probe the extent to which users are able to interact with or excerpt digital video they purchase or capture.

A full analysis, therefore, would include a forward-looking frame of reference as well: specifically, what an honest and law-abiding consumer could do with networked, general-purpose computers and open-format media. In such an open-media environment, devices are freely interoperable. Content can be readily moved across home and personal networks, converted to different formats, and accessed on several devices. Consumers are able to transfer and access their content easily from diverse locations over the Internet. Wide personal and transformative uses of content are possible, limited only by the imagination of technologists in devising new ways to manipulate digital data.

Content owners will object that it is not reasonable to expect protected digital media to live up to such a standard. After all, completely unprotected media of the kind envisioned in the open media environment is easily susceptible to massive piracy. This is a fair observation. The point is not that everything that is possible with unprotected content on general-purpose computers should be immediately possible for DRM-protected media.

Rather, using the open media environment as a frame of reference helps illustrate the technical choices and tradeoffs associated with DRM. In a world of technological convergence and digital media, there is no technical reason why content cannot be distributed with the flexibility that networked, general-purpose computer architecture can provide. There may be economic, business-model, or legal reasons for taking a different approach, but consumers and product reviewers evaluating DRM should have a clear picture of the tradeoffs in each of the areas, as described in the metrics.

Awareness of those tradeoffs may result in demand for manufacturers and content owners to develop secure ways of implementing the missing capabilities. Keeping the open media environment in mind, product reviewers, consumer advocates, and highly-engaged consumers will be able to ask whether makers of products and platforms are keeping up with advances in digital media technology—and apply market pressure for them to do so.

The Final Say

As valuable creative content continues to move online and creators migrate to digital media, DRM is likely to continue to play a major role in many segments of the media marketplace. An informed base of consumers, capable of comparing products according to criteria such as those discussed in this article, can help ensure that the DRM marketplace is diverse, competitive, and responsive to reasonable consumer expectations. In the end, consumers are likely to have the final say on whether various approaches to DRM will succeed or fail.

DAVID SOHN is senior policy counsel at the Center for Democracy and Technology, which he joined in 2005. Prior to that, he worked for nearly five years as commerce counsel for U.S. Senator Ron Wyden (D-OR). Sohn has also practiced law in Washington, D.C., at Wilmer, Cutler & Pickering. He received his B.A. from Amherst College, J.D. from Stanford Law School, and M.Sc. from the London School of Economics.


Originally published in Queue vol. 5, no. 7
Comment on this article in the ACM Digital Library

More related articles:

Raphael Auer, Rainer Böhme, Jeremy Clark, Didem Demirag - Mapping the Privacy Landscape for Central Bank Digital Currencies
As central banks all over the world move to digitize cash, the issue of privacy needs to move to the forefront. The path taken may depend on the needs of each stakeholder group: privacy-conscious users, data holders, and law enforcement.

Sutapa Mondal, Mangesh S. Gharote, Sachin P. Lodha - Privacy of Personal Information
Each online interaction with an external service creates data about the user that is digitally recorded and stored. These external services may be credit card transactions, medical consultations, census data collection, voter registration, etc. Although the data is ostensibly collected to provide citizens with better services, the privacy of the individual is inevitably put at risk. With the growing reach of the Internet and the volume of data being generated, data protection and, specifically, preserving the privacy of individuals, have become particularly important.

Kallista Bonawitz, Peter Kairouz, Brendan McMahan, Daniel Ramage - Federated Learning and Privacy
Centralized data collection can expose individuals to privacy risks and organizations to legal risks if data is not properly managed. Federated learning is a machine learning setting where multiple entities collaborate in solving a machine learning problem, under the coordination of a central server or service provider. Each client's raw data is stored locally and not exchanged or transferred; instead, focused updates intended for immediate aggregation are used to achieve the learning objective.

Mark Russinovich, Manuel Costa, Cédric Fournet, David Chisnall, Antoine Delignat-Lavaud, Sylvan Clebsch, Kapil Vaswani, Vikas Bhatia - Toward Confidential Cloud Computing
Although largely driven by economies of scale, the development of the modern cloud also enables increased security. Large data centers provide aggregate availability, reliability, and security assurances. The operational cost of ensuring that operating systems, databases, and other services have secure configurations can be amortized among all tenants, allowing the cloud provider to employ experts who are responsible for security; this is often unfeasible for smaller businesses, where the role of systems administrator is often conflated with many others.

© ACM, Inc. All Rights Reserved.