Ubisoft’s DRM torpedoed!

Ubisoft recently launched its new game “Silent Hunter 5”, a submarine simulation. The game is protected by a new generation of DRM that requires a permanent online connection to Ubisoft’s servers. Of course, if the player is online, it is easier to fight piracy. As usual in the gaming world, this new DRM generated a huge outcry (remember Spore).

Unfortunately, 24 hours after the launch, a cracked version appeared on the P2P networks (see TorrentFreak). The cracked version does not require an online connection!

Ubisoft quickly denied that the game had been cracked.

“You have probably seen rumors on the web that Assassin’s Creed II and Silent Hunter 5 have been cracked. Please know that this rumor is false and while a pirated version may seem to be complete at start up, any gamer who downloads and plays a cracked version will find that their version is not complete,”

Unfortunately, when scouting the forums, I never found anyone complaining that the game was not working. Nevertheless, the crack requires avoiding any connection to Ubisoft’s servers.

Ubisoft planned to deploy the same DRM for Assassin’s Creed II. Some delay may be expected.

As a citizen, I see the need for DRM. As a security expert, I “build” DRM. Piracy is bad. As a gamer, I hate DRM that requires a permanent connection for a game that does not need interaction with other entities. I often play games on the train or on the plane. Such a DRM requirement would be a deterrent for me. One of the most important requirements for DRM is that it should be as transparent as possible for the honest user.

Software protection is one of the most complex tasks.

Digital Personal Property

Paul Sweazey believes he has found a solution that mitigates the problems of DRM. He wants to emulate a property of physical goods: rivalry (if you want more information about rivalry, have a look at Bomsel’s work). In a nutshell, rivalry means that consuming a good reduces its availability to others. For instance, while you play your DVD, someone else cannot play it on another player. This is not true of electronic files. By definition, electronic goods are non-rival. One of the purposes of DRM is to add a pinch of rivalry.

To do so, Sweazey created the concept of Digital Personal Property. How does it work? Content has two elements: an encrypted folder containing the essence, and a playkey that you keep preciously in a vault. Sounds familiar, doesn’t it? In DRM vocabulary, his playkey is called a license. You may freely distribute the encrypted folder, but you give your playkey only to trusted people who will not steal your license. The license must be UNIQUE, in the sense that only one instance of it exists at any time. Thus, if the person you gave your playkey to does not return it, you have lost ownership of it.

The technical trick is to create a rival license that is not bound to a device (otherwise you end up with the usual interoperability problem).

He has simply moved the DRM problem to the license. He still has to find a method to generate a license (playkey) that can exist as only one instance in the world and yet can be played everywhere. This is the Holy Grail that DRM designers have been looking for for years. Creating rivalry is difficult without introducing physical constraints.

It reminds me of one of the concepts we built in an old system called SmartRight. The objective was to control the size of a family’s authorized domain without any central online authority. We used an electronic token that was passed to the newly joining device. Of course, you could add a device from your neighbour, but then your neighbour “owned” the electronic token. Should the neighbour move away or stop cooperating, you could no longer add devices to your domain. It relied on secure processors and on the fear of losing the token.
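The SmartRight token and the unique-instance playkey that DPP needs both come down to one object that exactly one party holds at a time. The following Go model is an added example written for this post; it is neither the SmartRight protocol nor Sweazey’s implementation. It models the secure processor simply as an honest device that moves the token rather than copying it, and the names (`DomainToken`, `Admit`, `ReturnToken`) and the domain limit of 3 devices are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// DomainToken is the single rival object of the scheme. Exactly one exists per
// domain; it carries the current device count and the size limit, and only its
// present holder can admit a new device. No online authority is involved.
type DomainToken struct {
	DomainID string
	Devices  int // devices admitted so far, founder included
	MaxSize  int // authorized-domain limit, enforced by whoever holds the token
}

// Device stands in for a compliant receiver. In SmartRight the token sat in a
// secure processor; here "holds the token" is simply a non-nil Token field.
type Device struct {
	Name   string
	Domain string       // domain this device was admitted to ("" = none)
	Token  *DomainToken // non-nil only for the current holder
}

// NewDomain makes founder the first member and the initial token holder.
func NewDomain(id string, max int, founder *Device) {
	founder.Domain = id
	founder.Token = &DomainToken{DomainID: id, Devices: 1, MaxSize: max}
}

// Admit is the join step seen from the holder: check the limit, count the
// newcomer, then hand the token over. Afterwards the holder no longer has it
// and cannot admit anyone else until somebody gives it back.
func (holder *Device) Admit(joiner *Device) error {
	if holder.Token == nil {
		return fmt.Errorf("%s does not hold the domain token", holder.Name)
	}
	if joiner.Domain != "" {
		return fmt.Errorf("%s already belongs to a domain", joiner.Name)
	}
	if holder.Token.Devices >= holder.Token.MaxSize {
		return errors.New("domain is full")
	}
	holder.Token.Devices++
	joiner.Domain = holder.Token.DomainID
	joiner.Token, holder.Token = holder.Token, nil
	return nil
}

// ReturnToken passes the token to another member of the same domain. This is
// the step a non-cooperating neighbour can simply refuse to perform.
func (giver *Device) ReturnToken(to *Device) error {
	if giver.Token == nil {
		return fmt.Errorf("%s does not hold the domain token", giver.Name)
	}
	if to.Domain != giver.Token.DomainID {
		return fmt.Errorf("%s is not a member of domain %s", to.Name, giver.Token.DomainID)
	}
	to.Token, giver.Token = giver.Token, nil
	return nil
}

func main() {
	tv, stb := &Device{Name: "tv"}, &Device{Name: "stb"}
	NewDomain("family", 3, tv)
	fmt.Println("tv admits stb:", tv.Admit(stb))                     // ok; token now at stb
	neighbour := &Device{Name: "neighbour-tv"}
	fmt.Println("stb admits neighbour:", stb.Admit(neighbour))       // ok; token has left the house
	player := &Device{Name: "new-player"}
	fmt.Println("tv admits player:", tv.Admit(player))               // error: tv no longer holds the token
	fmt.Println("neighbour returns token:", neighbour.ReturnToken(tv)) // only works if the neighbour cooperates
	fmt.Println("tv admits player:", tv.Admit(player))               // error: domain is full (3 of 3)
}
```

The two failure modes the post describes are both visible in the run: once the token sits with the neighbour, the family cannot admit anything until the neighbour hands it back, and when it does come back, the count it carries still enforces the domain limit.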

Will DPP work? If Sweazey finds a robust and user-friendly way to create this uniqueness of instance, it would work. This would also open up many more applications. But is it feasible? Bruce Schneier would probably say no. (Wait for our next security newsletter, which includes his interview.) And many brains are researching this topic.

For more information, read Goodbye, DRM; hello “stealable” Digital Personal Property at Ars technica.

Rights Locker

The CES period is always an interesting time because many initiatives are disclosed or present their progress. In the field of DRM, two interesting pieces of news:

Disney started to unveil more about its KeyChest technology. CNBC presented the following spot.

At the same time, DECE issued a press release presenting its latest milestones. In a nutshell, DECE has:

  • defined a common file format (according to the FAQ, it seems to be compliant with Microsoft’s PIFF),
  • selected a company that will host the rights locker,
  • and announced that five DRMs will support it (Adobe, Marlin, Microsoft PlayReady, OMA and Widevine).

Both KeyChest and DECE use the new concept of a rights locker. In very simple terms, a rights locker is a database that stores the usage rights a customer has purchased. This database is meant to be shared by content distributors. The promise is that if you purchase a piece of content, it may be played back (if you paid for such rights) on any of your devices (or at least on the devices compliant with this rights locker), independently of the DRM used by each device. In other words, the usage rights are linked to the customer rather than to his or her devices.

This is great progress in electronic content distribution. One of the strongest complaints of customers is the lack of interoperability between DRMs. This is an answer.

Without doubt, this blog will return to the topic of rights lockers in the future.

Microsoft’s PIFF

Last month, Microsoft announced an important initiative for DRM interoperability. Within a larger announcement, it disclosed the Protected Interoperable File Format (PIFF). The media focused mainly on Smooth Streaming and Silverlight, but the content protection community should be interested in PIFF.

In a nutshell, PIFF defines a file format with a list of supported codecs and, above all (at least for security-minded people), two mandatory AES-based scrambling modes. The basic idea for interoperability is that the PIFF-protected essence can be combined with any DRM system to protect the license. Provided they both have the scrambling key used to protect “Rambo 28”, merchant A and merchant B can sell it using different DRMs. A PIFF-compliant device A running DRM A can play the copy of “Rambo 28” distributed by merchant B under DRM B: device A just needs to obtain a license from merchant A. The essence, i.e. “Rambo 28”, remains the same.
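An added example of the layering described above, written for this post in Go (it is not Microsoft’s PIFF code and does not reproduce PIFF’s box structure): the essence is scrambled once with AES-128-CTR under a single content key, and each DRM protects only the license that carries that key. The two DRMs are stand-ins with made-up device keys; the names `ScrambleEssence`, `NewDRM`, `IssueLicense` and `Play`, the key ID “rambo28-key-0001” and the sample payload are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

type KeyID [16]byte // names the content key a piece of essence was scrambled with

// ProtectedEssence is the DRM-agnostic layer: the scrambled samples plus the
// key ID and CTR initial counter a player needs. Every merchant ships this file.
type ProtectedEssence struct {
	KID        KeyID
	IV         []byte
	Ciphertext []byte
}

// DRM models one DRM system: a name and the AEAD built from the secret that its
// trusted clients share with its license server (stand-ins for DRM A and DRM B).
type DRM struct {
	Name string
	aead cipher.AEAD
}

// License is the DRM-specific part: the content key wrapped with AES-GCM under
// the DRM's own key, with the key ID bound as associated data.
type License struct {
	KID        KeyID
	Nonce      []byte
	WrappedKey []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// ScrambleEssence encrypts the essence once with AES-128-CTR under a single
// content key and a fresh IV (CTR must never reuse a key+IV pair).
func ScrambleEssence(kid KeyID, contentKey, plaintext []byte) (*ProtectedEssence, error) {
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	pe := &ProtectedEssence{KID: kid, IV: randomBytes(block.BlockSize()), Ciphertext: make([]byte, len(plaintext))}
	cipher.NewCTR(block, pe.IV).XORKeyStream(pe.Ciphertext, plaintext)
	return pe, nil
}

// NewDRM provisions a DRM client/server pair from its 16-byte device key.
func NewDRM(name string, deviceKey []byte) (DRM, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return DRM{}, err
	}
	aead, err := cipher.NewGCM(block)
	return DRM{Name: name, aead: aead}, err
}

// IssueLicense is the merchant side: wrap the shared content key for this DRM.
func (d DRM) IssueLicense(kid KeyID, contentKey []byte) *License {
	nonce := randomBytes(d.aead.NonceSize())
	return &License{KID: kid, Nonce: nonce, WrappedKey: d.aead.Seal(nil, nonce, contentKey, kid[:])}
}

// Play is the device side: unwrap the key through the device's own DRM, then
// descramble the common essence. A license issued by another DRM fails to open.
func Play(pe *ProtectedEssence, lic *License, dev DRM) ([]byte, error) {
	if lic.KID != pe.KID {
		return nil, fmt.Errorf("license key ID does not match the essence")
	}
	contentKey, err := dev.aead.Open(nil, lic.Nonce, lic.WrappedKey, lic.KID[:])
	if err != nil {
		return nil, fmt.Errorf("%s cannot open this license: %w", dev.Name, err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pe.Ciphertext))
	cipher.NewCTR(block, pe.IV).XORKeyStream(out, pe.Ciphertext)
	return out, nil
}

func main() {
	var kid KeyID
	copy(kid[:], "rambo28-key-0001")
	key := bytes.Repeat([]byte{0x42}, 16) // fixed for reproducibility; random in practice
	pe, _ := ScrambleEssence(kid, key, []byte("Rambo 28: constructed sample payload"))
	drmA, _ := NewDRM("DRM-A", bytes.Repeat([]byte{0xA1}, 16))
	drmB, _ := NewDRM("DRM-B", bytes.Repeat([]byte{0xB2}, 16))
	outB, _ := Play(pe, drmB.IssueLicense(kid, key), drmB) // merchant B, DRM B, DRM-B device
	_, err := Play(pe, drmB.IssueLicense(kid, key), drmA)  // merchant B's license on a DRM-A device
	fmt.Printf("device B: %q\ndevice A with B's license: %v\n", outB, err)
}
```

The DRM-A device fails at the license layer, not at the essence layer: given a license from merchant A (which wraps the same content key under DRM A) it plays the very same scrambled file. That separation is what makes the format interoperable, and it is also why the content key itself must be shared only between the parties that are allowed to issue licenses. Binding the key ID as associated data prevents a license from being relabelled for another title.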

Is it a new, revolutionary approach? No. DVB has used this approach for many years with Simulcrypt. In 2004, Thomson proposed standardizing this layer of protection in the IST Medianet project.

Is it a good thing? YES. In my opinion, it is clearly the right approach. That a giant like Microsoft takes this path is huge. Furthermore, it is royalty free, which is wise of Microsoft, as it facilitates adoption. Now, the condition for success is that there will be ONE such format. Were there more than one, its impact would be diminished.

Of course, we may expect the next generation of Windows DRM and PlayReady to support PIFF. Which DRM technology provider will be next?

DRM and games

I have often described the ruckus generated by DRM for games (see Game and DRM or Spore and the DRM fury). Yesterday, I talked with some French game publishers. Their position was rather negative. According to them, today’s game protections are too weak. The result is that patches defeating the protections soon appear on P2P networks. The paradoxical outcome is that honest customers who purchased the game suffer from the constraints imposed by the protection (for instance, checking for the presence of a physical disc in the drive…), whereas dishonest users get the game without those constraints.

Using game theory (see the DRM game), the winning strategy would be to steal the game! Thus, to change the winning strategy, there seem to be two possible solutions:

  • Make more robust DRMs
  • Make DRMs that are transparent to honest customers but not to dishonest users

Currently, I do not see this trend.

DRM free music

The movement towards DRM-free music continues. The biggest event is of course Apple announcing that the complete iTunes catalog will be available as DRM-free songs. iTunes also announced a new price list, adding $0.69 songs (in addition to $0.99 and $1.29).

Warner France followed this movement. It announced that its two sites, Fnac Music and Virgin Media, will sell DRM-free songs in 2009. Nevertheless, it is a trial, and the final decision will be taken in 2010.

DRM-free music is a trend that will not stop. Will it extend to other fields such as games or video? I am not sure. Of course, customers would like it. DRM-free distribution with a session watermark to detect any illegal redistribution is promoted, for instance, by the Digital Watermark Alliance. Nevertheless, there are several differences from music. In my opinion, the biggest one is that the investments are far larger than in music. In the case of video, the release window strategy and existing commercial agreements are also obstacles.

We will continue to monitor this trend in 2009.

Digital Future Symposium (DFS)

This event, organized by the Center for Content Protection, was held alongside Asia TV in Singapore. Thus, the audience was rather large (140 people) and encompassed broadcasters, producers and press.
The best presentations were:

  • Brad Hunt (former CTO of the MPAA, now a consultant at Digital Media Directions) presented his four major trends in content protection:
    • Use of fingerprinting to monetize content
    • Digital copy and managed copy for optical media
    • Domain-based DRM
    • DECE, with some emphasis on Marlin
  • Fabrice Moscheni (Fastcom) presented an impressive demonstration of DVB-CPCM. The demonstration raised a lot of interest.
  • Yangbin Wang (Vobile) explained how Vobile protected the Olympic Games for CCTV

Conax, BayTSP, Verimatrix, Microsoft and Viaccess presented their products. Intertrust made a dull presentation of Marlin. I made two presentations:

  • A global approach to security, explaining that using only fingerprinting or watermarking is insufficient, at least for tightly controlled distribution. The distinction between tightly controlled and loosely controlled distribution was appreciated.
  • An introduction to DVB-CPCM before Fastcom’s demonstration.

Two main messages were conveyed during this symposium. Content identification techniques may enable the monetization of content. Domains are the next paradigm in DRM.