Research Report: Microsoft's Rights Management Strategy
Introduction

By Matt Rosoff

The digital era presents a problem for organizations whose business depends on controlling access to content: once in digital form, content can be copied an infinite number of times with no loss of fidelity and redistributed at lightning speed over computer networks. The recording industry blames digital piracy for several consecutive years of declining revenue. Movie studios remain reluctant to release content on the Internet for fear of a similar outcome. Corporations see employee salaries sent around the company via e-mail or top-secret product plans posted on Web sites.

Rights management, sometimes called digital rights management (DRM), addresses this problem. Rights management technology allows the owner of digital data to define what users may and may not do with that data—that is, their "rights" to that data—and enforces those rights as the data travels among computers and other devices.

So far, rights management software has primarily been used as a way for content producers, such as record companies or movie studios, to prevent their content from being used without payment and to support new business models, such as renting music via online services. However, it's increasingly being used to protect sensitive corporate data, such as documents and e-mail messages, as well.

The simplest such systems prohibit copying altogether, and are sometimes dubbed copy protection. More complex rights management technologies offer more granular control—for example, a user may be allowed to play a movie only for a specified time period before it becomes unplayable, or a worker may be allowed to view and modify a document but not print or forward it via e-mail.

Two Distinct Technologies

Today, Microsoft offers two distinct sets of rights management technologies—one for protecting digital media, and one for protecting corporate data. The two technologies perform essentially the same function and work in similar ways.
(For more information about the basic design of both rights management systems, see the illustration "Common Rights Management Concepts".) However, they are intended for different audiences, are being developed by completely separate product teams at Microsoft, and are based on different underlying technologies. (For details, see the chart "How Windows Media DRM and RMS Differ".) Moreover, Microsoft says it has no plans to integrate or merge them.

Digital media. Introduced in 1999 as part of Windows Media 7, Windows Media DRM allows the owners of digital entertainment content, such as record companies and movie studios, and distributors, such as online music stores, to define what end users can do with digital media content. For example, users could be allowed to view a movie a certain number of times before it expires or listen to a song from a limited number of client devices (such as their PC and up to two portable music players). Content owners and distributors use tools supplied as part of a Windows Media SDK to define rights for material, then distribute the content and licenses to end users through Windows Media Services, a component of Windows Server. The technology is overseen by the Digital Media Division, part of the Windows Client business unit.

In addition to Windows Media DRM, Microsoft has built other technologies into Windows that allow content owners to control what users may do with their content once it's on a PC. Secure Audio Path (SAP), which first appeared in Windows Me, is meant to prevent recording programs from posing as sound card drivers by requiring all hardware in the audio path to be authenticated and authorized. However, although many hardware manufacturers support SAP, no content owners currently take advantage of this technology.
Windows Vista (formerly code-named Longhorn), which is due out in late 2006, will have similar technology for video, collectively known as Protected Video Path (PVP), which will let content owners prevent users from attaching video recording devices to PCI Express (PCIe) buses and unprotected video outputs. Also in Vista, SAP will be replaced with a new, functionally similar technology called Protected User Mode Audio, or PUMA.

These technologies are not as granular as Windows Media DRM—for example, they don't have any provisions for allowing users to play files a certain number of times before expiration. However, they're similar to Windows Media DRM in that the usage restrictions for a piece of content are embedded and transmitted with that content, and because they're part of the same Microsoft effort to meet content owners' requirements for releasing their material to the PC. Consequently, these Vista technologies are being developed by the same group at Microsoft that works on Windows Media DRM.

Corporate information. Introduced as part of Windows Server 2003, Windows Rights Management Services (RMS) allows administrators and users in large organizations to define how material that they create, such as documents and e-mails, can be used. For example, a user can protect a Word document or Excel spreadsheet so that her boss may read, write, print, and forward it, but so that other employees in her department may only read it.

RMS uses different technology than Windows Media DRM and is overseen by a different product group: the Security Business and Technology Unit, which is part of the Server and Tools business unit. (For marketing reasons, Microsoft does not use the term "DRM" to describe RMS, preferring terms such as "information rights management" or "enterprise rights management.")

The server piece of RMS ships with Windows Server 2003, and each PC participating in an RMS system needs client software and compatible applications.
For example, the Professional Editions of Office 2003 applications can be used to create RMS-protected content, and a free Internet Explorer plug-in can be used to read protected material. By linking RMS and Office 2003, Microsoft hopes to convince organizations that are particularly interested in confidentiality, such as government agencies and corporate legal departments, to upgrade to Windows Server 2003 and Office 2003 simultaneously. Since the release of RMS, partners such as Liquid Machines have provided support for RMS to protect other types of content, such as Adobe PDF files.

Why Digital Media Rights Management Matters

Microsoft's rights management technologies for digital media help content owners reduce piracy and explore new distribution models, provide opportunities for OEMs and other types of partners to develop complementary hardware and software, and are necessary for Microsoft to reach its goal of positioning the PC as a home entertainment hub.

Content owners. Traditional content owners and distributors are the customers for Microsoft's technologies for protecting digital media. Although no rights management technology can prevent all forms of piracy—for example, a determined pirate could always record a piece of music as it emerges from a computer's speakers—Microsoft's rights management technologies for digital media can help reduce casual piracy by average users. These technologies also pave the way for new business models for content owners and distributors. For example, Windows Media DRM allows a content owner to set an expiration date on a piece of content, enabling online movie or music rentals.

Partners. Microsoft's rights management technologies for digital media could pave the way for new entertainment scenarios on the PC, which in turn could help OEMs sell new, higher-priced models. For example, piracy fears have stalled the development of TV tuner cards that allow PCs to receive high-definition digital cable signals.
The new video copy-protection technology planned for Windows Vista addresses these fears, paving the way for Media Center PCs that can receive high-definition cable programming.

Consumer electronics manufacturers may also benefit from supporting Windows Media DRM. For example, computer-savvy purchasers might insist that their next CD player be able to play Windows Media Audio files on data discs, as well as regular CDs. In another example, the latest version of Windows Media DRM has provisions that content owners demanded before they would allow "all-you-can-eat" subscription-based content to be transferred to portable devices: if a user stops paying the subscription, the content is disabled on the portable device. This could create demand for portable audio devices that can play such content, as Apple's popular iPod currently lacks support for subscription services. (So far, however, this disadvantage hasn't dented the iPod's market share, which is estimated at 80% or higher by market research firms such as In-Stat and NPD.)

Finally, as rights management improves, content owners are beginning to embrace Internet-based distribution. This creates new business areas, such as the following:

Microsoft. Building effective rights management technologies into Windows is necessary to realize the company's home entertainment strategy, which envisions the Windows PC as the center of home entertainment. Without these technologies, content owners might turn to more draconian measures, such as creating CDs or DVDs that cannot be played on a PC at all. Microsoft also hopes to use Windows Media DRM to popularize the Windows Media platform—a larger set of technologies for creating and distributing digital media content. Microsoft earns money by licensing support for the platform to device makers and by selling Windows Servers (necessary to distribute Windows Media content) to content owners.

Why RMS Matters

RMS protects confidential material while offering more flexibility than traditional access-control methods (such as access-control lists), presents a sales and implementation opportunity for partners, and helps Microsoft respond to a perceived threat from Adobe and its PDF document format.

Customer organizations. Traditional access-control methods do not let organizations control what users can do once the file has been opened—users can print the file and mail it to a competitor or copy the contents to another document or e-mail, for instance. RMS addresses these issues by letting end users or organizations apply very granular rights, such as who may view, copy, print, save, and forward a file, from within the interface of supported applications. It then embeds these rights with the file so they stay with it regardless of where it is or how many copies are made. RMS is targeted mainly at large organizations where privacy and confidentiality are prime concerns, such as government agencies and healthcare firms handling patient records, and enterprises that rely heavily on intellectual property, such as law firms, financial services providers, and pharmaceutical companies.
Certain departments found within all companies, such as legal, financial, and human resources, can also benefit from better protection of documents and data.

Partners. RMS presents an opportunity to encourage organizations to roll out Windows Server 2003, as well as the Professional versions of Office 2003 applications, which are required for users to create protected content. Also, the product uses its own public key infrastructure (PKI) to protect content and verify the identities of users in the system, which means that organizations will need partners with PKI expertise to help them plan, deploy, and maintain the system.

Microsoft. RMS is a selling point for Windows Server 2003 and the higher-priced Professional versions of Office 2003. It also responds to a threat from Adobe's PDF format, which is widely used as an alternative to Office formats for document sharing and which supports rights management. Adobe and other vendors also offer plug-ins for Office applications that enable users to create PDF documents, and Adobe's free, downloadable reader is widely installed on PCs. Although the threat appears remote at this time, PDF could in theory become the dominant standard for sharing documents, relegating Office to the role of one PDF authoring tool among many and exposing it to sharper competition from document creation suites (such as Sun's StarOffice) that also support PDF. By adding rights management support to Office applications, Microsoft ensures that Office formats offer the same capabilities as PDF for controlled sharing.

Problems with Rights Management

All PC-based rights management technologies, whether from Microsoft or other vendors, face some problems, such as lack of interoperability between technologies and systems, lack of user acceptance, and the fact that no such technology can ever offer perfect protection.

Lack of interoperability.
Windows Media DRM faces competition from Apple's FairPlay (used in its iPod and iTunes Music Store), RealNetworks' Helix, and Sony's Open MG, among others. Today, these DRM systems are incompatible: a piece of content protected by one scheme can be played only by client software and devices that support that scheme. This fragmentation creates extra hassles for consumers, making them more likely to stick with unprotected content, including illegally copied material that is readily available on file-sharing networks such as BitTorrent, eDonkey 2000, FastTrack, and Gnutella (bad for content owners), or to avoid the PC as a digital media tool altogether (bad for Microsoft and its partners). It also creates extra work and expense for content owners and distributors, who must use multiple DRM technologies to reach the widest number of consumers.

Several efforts are under way to address this problem within particular industries, but various groups disagree on the proper approach to interoperability, and some problems (such as how to determine which devices in a content chain can be trusted) will not be easy to resolve. In addition, companies with market leadership positions—particularly Apple, whose iPod dominates portable music players and whose iTunes Music Store is the leading online music store—have little incentive to cooperate in such operations.

In the case of corporate data, customers want to be able to exchange protected material with customers and partners. This market is still quite young, and interoperability has not yet become a major issue here as it has with digital media. Nonetheless, lack of interoperability could eventually stall growth, as customers are reluctant to install a rights management system that is incompatible with those used by associated companies.

Support from hardware makers.
The Next-Generation Secure Computing Base (NGSCB, also known as Palladium), Microsoft's proposed initiative to provide better data security on a PC, was scaled back in part because of lack of support from hardware makers. Companies would have had to create new secure keyboards and displays, for instance, but did not perceive sufficient demand for these devices and never began developing them. (Other factors, such as lack of support from ISVs and unclear goals for the project, also contributed to NGSCB's reduction in scope.)

Similarly, new content protection technologies in Windows Vista will require hardware vendors to cooperate—for instance, graphics card manufacturers must create drivers that can authenticate the actual hardware for rights management purposes, and they might have to redesign video cards to include onboard audio in order to handle some types of digital outputs. To justify this investment, graphics card makers (and the OEMs who bundle these cards) must share Microsoft's belief that new home entertainment functions will spur new PC and advanced PC component sales.

User reluctance. End users are perhaps the most significant barrier to adoption of rights management technologies. Consumers have longstanding expectations about what they're allowed to do with a piece of content—for example, users who made tape recordings of their LP records to play them in the car might expect to make digital recordings of their CDs and DVDs as well. If content owners are too restrictive, they risk turning casual users into determined hackers. Similarly, if digital media rights management schemes are too complicated or obtrusive, users will stick with unprotected content or avoid the PC as an entertainment device.
Microsoft has taken some positive steps here—for example, the Windows Media Player no longer applies DRM by default when a user rips music from a CD, so users face no restrictions on music they've already purchased or to which they own the intellectual property rights (for example, audio CDs of music they personally recorded). With Windows Vista, Microsoft and its partners will need to clearly identify compatible content sources and hardware (a logo program is the most likely vehicle), or customers will face a potential minefield of incompatibilities.

In the case of corporate data, a system must add minimal overhead to users' jobs or they will evade the system, and organizations will be left wondering why confidential information continues to leak. Organizations can lower user resistance by deploying policy templates appropriate to the organization and by limiting systems such as RMS initially to the most security-conscious departments.

Not bulletproof. Organizations must realize that rights management can only serve as a speed bump to stop casual piracy and will never stop all attacks. In particular, no DRM or copy protection system can close the "analog loophole"—content must be decrypted for end users to access it, which by definition leaves it open for copying. For example, a corporate thief could snap a digital photo of a protected document on a computer's monitor, or a music bootlegger could use a digital recording device and microphone to copy music as it comes out of computer speakers. Once content has passed through this loophole, attackers still can make perfect digital copies and distribute them via computer networks. Only the initial method of copying has changed. Thus, content owners and organizations cannot rely exclusively on technology to protect their intellectual property but must also use other resources, such as the legal system.
In the long run, the most successful strategy will be to adapt their business plans to accommodate a certain amount of copying and leaks.

What's Ahead

The remainder of this report contains both new material and updates of material previously published in Update and consists of the following chapters:

"Windows Media DRM Secures Digital Media" details the business case for Windows Media DRM and explains how it works.

"Vista Adds New Protection for Digital Media" explains the new copy-protection technologies planned for the next version of Windows, with a focus on a set of technologies for copy-protecting digital video.

"Rights Management Services Secures Corporate Data" details the business case for RMS and its underlying technology.

"Future Directions" identifies trends and predicts likely developments in Microsoft's digital media and enterprise rights management technologies.

"Resources" contains links and pointers to additional material, arranged by chapter.