Olin Sibert
David Bernstein
David Van Wie
InterTrust Technologies Corporation
460 Oakmead Parkway
Sunnyvale, California
Tel: 408.222.6100
info@intertrust.com
1. Introduction
As services and products in modern commerce increasingly take electronic form,
traditional commerce is evolving into electronic commerce. This includes both
creation and enforcement of various agreements between parties in an electronic
commercial relationship. It also includes enforcing the rights of these parties
with respect to the secure management of electronic content or services usage,
billing, payment, and related activities.
To save money, to be competitive, and to be efficient [1,2], members of modern society will shortly be using new information technology tools that truly support electronic commerce. These tools provide for the flow of products and services through creators', providers', and users' hands. They enable the creation, negotiation, and enforcement of electronic agreements, including the evolution of controls that manage both the use and consequences of use of electronic content or services. In addition, these tools support "evolving" agreements that progressively reflect the requirements of further participants in a commercial model.
Participants in electronic commerce [3,4] will need rules and mechanisms such that:
The Internet and other information commerce infrastructures will require a management component that enforces such rules, ensuring a safe, coherent, fair, and productive community. This management component will be critical to the electronic highway's acceptance. Without rules to protect the rights of content providers and other electronic community members, the electronic highway will comprise nothing more than a collection of limited, disconnected applications.
Analysts have concluded that content will constitute the largest revenue-generating component of the information superhighway [5]. It is also clear that unfettered access to content requires that content providers be able to maintain control over literary or copyrighted assets. Many analysts conclude that this will be one of the key bottlenecks in the implementation and deployment of New Media.
The traditional information economy in physical goods is publisher-centric, because creation of information goods--particularly low-cost goods--requires a substantial manufacturing investment. Figure 1 illustrates a simplified traditional information economy: physical goods flow from a publisher (manufacturer) to a customer, in response to orders and followed by payments. The author's relationship with the publisher may be more lightweight, but the author is nonetheless dependent on the publisher to report sales and make royalty payments in accordance with the author's contract. In addition, a financial institution provides payment processing and clearing services for all parties.
Figure 1. Traditional information economy.
Because of the flexibility afforded by electronic mechanisms, information commerce is evolving from indirect, advertiser-supported, mass-audience media to a new, niche-audience-oriented business model. In this system, members of the electronic community, with or without the economic support of advertising, pay providers directly for what they want to receive. Business-to-business purchasing is steadily evolving into a direct electronic ordering model.
Figure 2 illustrates the flexibility possible in new electronic information commerce models. Although there is still a role for publishers, this role no longer involves physical goods. Rather, the publisher is responsible for packaging and aggregating information goods and control information, then making them available to customers. Similar to a manufacturing/distribution/retail chain for physical goods, the electronic model permits information retailers, and even end customers, to re-package and redistribute different aggregations of information while ensuring that the appropriate control rules are maintained. A clearinghouse ensures that usage information and payments are provided directly to authors and publishers; the payments themselves are made through traditional financial institutions. Because control rules are associated with information, a variety of payment and other business models can be associated with the same content (e.g., purchase versus pay-per-use).
Figure 2. Electronic information economy.
The conversion from traditional commercial distribution channels requires key foundation technologies and results in a fundamental shift in existing infrastructures. This channel transformation will create a new electronic digital distribution industry. Digital distribution employing the DigiBox container architecture and its associated support environment, the InterTrust system, can play a critical role in this transformation of the communication, media, and information technology markets.
The DigiBox container described by this paper is such a container.
The need for various information commerce computers and appliances to interoperate requires that this container format and its access methods be standardized. InterTrust Technologies Corporation has submitted initial specifications for the DigiBox container to the American National Standards Institute (ANSI) Information Infrastructure Standards Panel (IISP) through the Electronic Publishing Task Force (EPUB) in the User/Content Provider Standards Working Group (WG4).
The primary goal of information protection is to permit proprietors of digital information (i.e., the artists, writers, distributors, packagers, market researchers, etc.) to have the same type and degree of control present in the "paper world." Because digital information is intangible and easily duplicated, those rights are difficult to enforce with conventional information processing technology. Many types of rights (compensation, distribution, modification, etc.) are associated with the various elements of information commerce, and these information property rights take many forms. At a high level, there is the legal definition of "copyright," codified in U.S. law [6-9] and the Berne Convention. This gives copyright holders a legal right to control how copyrighted information is handled. In addition, various high-level rights are conferred by contractual arrangements between primary rightsholders and other parties.
For example, the protections needed for content elements incorporate the licensing provisions for the intellectual property rights of the content rightsholders. In a broader sense, these rights include control over several activities: the right to be compensated for use of the property; the right to control how content is distributed; the right to prevent modification of content by a distributor; "fair use" rights; the rights to the usage data, privacy rights of individuals, and so on.
In the realm of physical goods, these rights are enforced by a combination of legal and technical means. However, the technical means can be (and are) unsophisticated because the technology for violating rights is relatively expensive and time-consuming -- in comparison to equivalent activities with respect to digital information. Photocopying a book or copying a video cassette is inherently more labor intensive and costly than copying a file. So, while defeating technical means of enforcement is (relatively) expensive, it can be done -- and often the legal means to deter this are inadequate.
Figure 3 shows some of the operations that could occur in true electronic commerce, using the Internet World Wide Web [10] mechanisms as an example.
Figure 3. Multiparty Internet information commerce.
Creators originate content and apply rules (e.g., "pay author $1.00/use") for its use. Distributors repackage content, applying additional rules (e.g., "pay $5.00 for the collection, then pay the creator," "report use of each item"). Users receive content and operate on it, generating billing reports and usage reports that are delivered to a clearinghouse and paid or summarized back for the originating parties. This structure is very rich and is capable of supporting many business models. There are multiple flows of information in many different directions amongst the parties involved in the transactions.
Another example is that of an advertiser (acting as distributor, or with a distributor). The advertiser might have a rule that offers a discount, or no charge at all, but only if the user views the advertisement and agrees to have that fact reported to the advertiser.
It is relatively simple to devise schemes for parties to pay each other electronically (for example, DigiCash [11], NetBill [12], Open Market [13], SNPP [14], NetCheque [15], First Virtual [16], etc.). Payment, however, constitutes only one -- and perhaps the simplest one -- of the means in which parties in commerce interact. All the other information commerce components must be accomplished with the same needs for security, privacy, and integrity. In fact, these aspects of electronic commerce, including rights protection, are strongly intertwined in the digital economy, because much digital commerce concerns information and innovative business models for information commerce.
InterTrust Technologies Corporation has produced the InterTrust Commerce Architecture to solve unmet, critical needs of electronic commerce. Almost any imaginable information transaction can be supported by the InterTrust architecture. A few examples include distribution of content (e.g., text, video, audio) over networks, selective release of data from a database, controlled release of sensitive information, and so on. The InterTrust architecture can also support the secure communication of private information such as EDI and electronic financial transactions, as well as delivery of the "back channel" marketing and usage data resulting from transactions.
The DigiBox container is a foundation technology within the InterTrust system. It provides a secure container to package information so that the information cannot be used except as provided by the rules and controls associated with the content. InterTrust rules and controls specify what types of content usage are permitted, as well as the consequences of usage such as reporting and payment.
Within the InterTrust architecture, DigiBox containers can enforce a "distributed electronic contract" for value-chain activities functioning within an electronic distribution environment. This unique approach underlies InterTrust Technologies Corporation's information metering and digital rights protection technology. Electronic commerce infrastructure participants can use the InterTrust system to substantially enhance their network, security, or payment method solutions.
The DigiBox container holds both digital property (content) and controls. It is used in conjunction with a locally secured rights protection application (discussed further below) to make content available as governed by arbitrarily flexible controls.
The DigiBox container mechanism is implemented in a set of platform-independent class libraries that provide access to objects in the container and extensions to OpenDoc and OLE object technologies. The DigiBox technology allows rights management components to be integrated with content in highly flexible and configurable control structures. DigiBox rights management components can be integrated with content in a single deliverable, or some or all of the components can be delivered independently. DigiBox rights management components enable true superdistribution [21] and can support virtually any network topology and any number of participants, including distributors, redistributors, information retailers, corporate content users, and consumers.
Further, a DigiBox container may be delivered in stream or other communication-oriented forms, not just in a file-like container.
Because controls can be delivered with properties in a container, the DigiBox container supports superdistribution.
Figure 4. Container logical structure.
Container C1 holds two properties, P1 and P2, and one control set, CS1, that applies to property P1; container C2 contains two control sets and no properties. As shown in the example, each of these elements has a title attribute to provide a human-readable description of the element and, for control sets, an attribute indicating to what other elements the control set applies.
A control set specifies rules and consequences, such as pricing, reporting, and so on, for the properties to which it applies. A user holding just this container could use (e.g., view, print) content from P1 -- though only as specified by CS1. Because there is no control set applying to P2 in that container, P2 would not be usable in any way.
A user holding both containers could use property P2, as specified by CS2, and in addition has the choice of whether to designate CS1 or CS3 when using P1. CS3, which describes itself as "discount," is likely to be the user's preferred choice.
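To make this resolution rule concrete, here is an added example (not InterTrust code) that models the two containers of Figure 4 in Python: the "applies to" attribute links each control set to a property, and a use is authorized only when some held container supplies an applicable control set that permits the requested operation. Titles, prices, permitted operations and reporting targets for CS1, CS2 and CS3 are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Property:
    name: str
    title: str                     # human-readable title attribute

@dataclass
class ControlSet:
    name: str
    title: str
    applies_to: str                # attribute naming the property this control set governs
    permitted: frozenset           # operations the control set allows, e.g. {"view", "print"}
    price_per_use: float = 0.0     # consequence of use: what the user pays per use (constructed)
    report_to: str = ""            # consequence of use: who receives the usage report (constructed)

@dataclass
class Container:
    name: str
    properties: list = field(default_factory=list)
    control_sets: list = field(default_factory=list)

def applicable_controls(held: list, prop_name: str) -> list:
    """Control sets, from any held container, whose 'applies to' attribute names prop_name."""
    return [cs for c in held for cs in c.control_sets if cs.applies_to == prop_name]

def authorize(held: list, prop_name: str, operation: str, control_name: str = None) -> dict:
    """Decide whether `operation` on `prop_name` may proceed given the containers held, and return
    the consequences (payment, reporting) of the governing control set.  Raises PermissionError when
    the property is absent, no control set applies, the user must still designate one, or the
    designated control set does not permit the operation."""
    if not any(p.name == prop_name for c in held for p in c.properties):
        raise PermissionError(f"{prop_name}: property not present in any held container")
    options = applicable_controls(held, prop_name)
    if not options:
        raise PermissionError(f"{prop_name}: no control set applies, so no use is permitted")
    if control_name is None and len(options) > 1:
        raise PermissionError(f"{prop_name}: several control sets apply; the user must designate one")
    cs = options[0] if control_name is None else next((o for o in options if o.name == control_name), None)
    if cs is None:
        raise PermissionError(f"{control_name} does not apply to {prop_name}")
    if operation not in cs.permitted:
        raise PermissionError(f"{cs.name} does not permit '{operation}' on {prop_name}")
    return {"control": cs.name, "pay": cs.price_per_use, "report_to": cs.report_to}

def permitted(held: list, prop_name: str, operation: str, control_name: str = None) -> bool:
    # Yes/no form of authorize(), for callers that only need the decision.
    try:
        authorize(held, prop_name, operation, control_name)
        return True
    except PermissionError:
        return False

# The containers of Figure 4; everything beyond names and the "applies to" links is constructed.
P1 = Property("P1", "Feature article")
P2 = Property("P2", "Companion photo")
CS1 = ControlSet("CS1", "list price", "P1", frozenset({"view", "print"}), 1.00, "creator")
CS2 = ControlSet("CS2", "photo license", "P2", frozenset({"view"}), 0.25, "photographer")
CS3 = ControlSet("CS3", "discount", "P1", frozenset({"view"}), 0.50, "creator")
C1 = Container("C1", properties=[P1, P2], control_sets=[CS1])
C2 = Container("C2", control_sets=[CS2, CS3])
```

Holding C2 alone grants nothing, because a control set without its property is as useless as a property without a control set.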
The DigiBox container includes several elements: organizational structures, properties, controls, and supporting data items. Almost all the information in a DigiBox container is encrypted, as described below, and access to the encrypted form is provided through a storage manager as appropriate, depending on how the DigiBox container is delivered (e.g., as a file or as a data stream).
Figure 5. Container physical format.
A container begins with a container header structure containing descriptive and organizational information about the container. Part of the container header is encrypted (both for secrecy and for integrity protection); the rest is public organizational information. The header is followed by additional container-wide structures such as the transport key block (TKB) and the container table of contents (TOC), some of which are encrypted and others not.
These organizational elements are followed by the structures defining the container's content (e.g., properties and control sets). As shown in the figure, a property is represented by a property header, property attributes, and data blocks composing the property. As shown, the header is encrypted and the attributes are not; the data blocks may be wholly or partly encrypted, or not at all, depending on security requirements.
The figure shows an example property consisting of a multimedia property formed from a pair of synchronized data streams for audio and video. In this example, each video block is mostly unencrypted so that access can be rapid while still maintaining reasonable security -- encrypting even 10 percent of an MPEG stream renders it effectively useless for illicit copying. On the other hand, the audio is entirely encrypted, and each audio block uses four distinct keys, because the content proprietor requires much stronger security for audio than for video.
A property is represented as one or more property sections, each of which is independently associated with control information, and which may also be stored and accessed independently. A property, for example, might be a collection of clip-art images, and each image might be a property "chunk," with its own control specifying how that image's creator is compensated.
Controls can map to property chunks at arbitrary granularity and can enforce arbitrary organizational structures within the property (such as a file hierarchy). Controls can apply to individual bytes, frames of a movie, segments of a musical piece, and so on, because the mapping is performed by a control process specified by the control structure, not simply via a table-driven data structure.
The data for the property itself is encrypted with other keys ("content keys") that are themselves delivered in encrypted high-level structures; this approach permits the keys for a property to be delivered entirely separately from the property or its controls. Multiple keys, in a wide variety of key-mapping schemes, are used to encrypt the data, limiting the loss that would occur from disclosure of any one key.
All DigiBox control structures are both encrypted and verified for integrity with a cryptographic hash function. Several cryptographic algorithms are supported for these control structures (principally for export control reasons), and arbitrary algorithms are supported for encryption of the data.
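The layering described in the preceding paragraphs (partially encrypted video blocks, fully encrypted audio blocks with several keys each, content keys delivered in a separately deliverable transport key block, and encrypted plus integrity-checked structures) can be exercised end to end with the following added example, which is not InterTrust code. An HMAC-SHA256 counter-mode keystream stands in for Triple DES so the code runs on the Python standard library alone; the key-mapping scheme, all sample data and key material are constructed, and the last function measures how much of a property one leaked content key would expose.

```python
import hmac, hashlib, json, struct

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream (stand-in for Triple DES, stdlib only); XOR is symmetric.
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Control structures and key blocks are both encrypted and integrity-protected by a keyed hash.
    ct = keystream_xor(key, nonce, data)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: structure modified or wrong key")
    return keystream_xor(key, nonce, ct)

def make_transport_key_block(transport_key: bytes, content_keys: list) -> bytes:
    # Content keys travel in a sealed TKB that can be delivered apart from the property itself.
    return seal(transport_key, b"TKB", json.dumps([k.hex() for k in content_keys]).encode())

def open_transport_key_block(transport_key: bytes, tkb: bytes) -> list:
    return [bytes.fromhex(h) for h in json.loads(unseal(transport_key, b"TKB", tkb))]

def tkb_tamper_detected(transport_key: bytes, tkb: bytes) -> bool:
    bad = bytearray(tkb); bad[0] ^= 1                     # flip one bit of the sealed block
    try: open_transport_key_block(transport_key, bytes(bad)); return False
    except ValueError: return True

def segment_ranges(block_len: int, fraction: float, keys_per_block: int) -> list:
    # Byte ranges of a block's enciphered prefix, one range per key applied to that block.
    enc_len = int(block_len * fraction)
    seg_len = max(1, -(-enc_len // keys_per_block))       # ceiling division
    return [(j * seg_len, min((j + 1) * seg_len, enc_len))
            for j in range(keys_per_block) if j * seg_len < enc_len]

def crypt_blocks(blocks: list, keys: list, fraction: float, keys_per_block: int) -> list:
    # Constructed key mapping: encipher only the leading `fraction` of each block, split that prefix
    # into `keys_per_block` segments, segment j of block b using key (b*keys_per_block + j) mod len(keys).
    out = []
    for b, block in enumerate(blocks):
        segs = segment_ranges(len(block), fraction, keys_per_block)
        enc = b"".join(keystream_xor(keys[(b * keys_per_block + j) % len(keys)], struct.pack(">II", b, j),
                                     block[s:e]) for j, (s, e) in enumerate(segs))
        out.append(enc + block[len(enc):])                # apply once to protect, again to recover
    return out

def segments_exposed_by_one_key(ct: list, pt: list, keys: list, known: int, fraction: float, kpb: int) -> int:
    # Loss from one leaked key: decrypt with it alone (all other keys wrong) and count intact segments.
    wrong = hashlib.sha256(b"constructed wrong key").digest()
    trial = crypt_blocks(ct, [k if i == known else wrong for i, k in enumerate(keys)], fraction, kpb)
    return sum(t[s:e] == p[s:e] for t, p in zip(trial, pt) for s, e in segment_ranges(len(p), fraction, kpb))

def demo() -> dict:
    # Constructed property as in the paper's example: three "video" blocks (10% enciphered, one key
    # each) and three "audio" blocks (fully enciphered, four keys each), drawing on eight content keys.
    video = [bytes([0x40 + b]) * 100 for b in range(3)]
    audio = [bytes([0x60 + b]) * 64 for b in range(3)]
    content_keys = [hashlib.sha256(b"constructed content key %d" % i).digest() for i in range(8)]
    transport_key = hashlib.sha256(b"constructed transport key").digest()
    tkb = make_transport_key_block(transport_key, content_keys)
    keys = open_transport_key_block(transport_key, tkb)
    v_ct, a_ct = crypt_blocks(video, keys, 0.10, 1), crypt_blocks(audio, keys, 1.0, 4)
    return {"keys_via_tkb": keys == content_keys, "tkb_tamper_detected": tkb_tamper_detected(transport_key, tkb),
            "roundtrip": crypt_blocks(v_ct, keys, 0.10, 1) == video and crypt_blocks(a_ct, keys, 1.0, 4) == audio,
            "video_tail_in_clear": v_ct[0][10:] == video[0][10:] and v_ct[0][:10] != video[0][:10],
            "video_segments_from_key0": segments_exposed_by_one_key(v_ct, video, keys, 0, 0.10, 1),
            "audio_segments_from_key0": segments_exposed_by_one_key(a_ct, audio, keys, 0, 1.0, 4)}
```

With eight keys rotated across the audio blocks, a single leaked key recovers two of twelve audio segments, which is the loss-limiting effect the multiple-key scheme is after.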
The basic algorithms are strong: Triple DES [22] and RSA [23] are preferred. This security is, of course, only as strong as the tamper-resistance of the local processing environment. The preferred implementation of DigiBox processing relies on a "secure processing unit" (SPU) that contains a CPU, memory, program storage, and key storage in a single tamper-resistant hardware package. Although these are not widely available today, the variety of applications they might support makes it likely that such SPUs will become widely integrated into common computing platforms. When running in an SPU, the DigiBox processing and control mechanisms are sufficiently well protected to support most commerce applications.
In the absence of an SPU, other approaches are useful for many business models. In fact, a software-only implementation is sufficient for many applications, because much content is of relatively low value and is used in a context (business to business) where a modest level of fraud is both less likely and more tolerable. As long as the software is moderately difficult to defeat and tools to defeat it have no legitimate purpose, business models can be supported where some risk of loss is acceptable. In the world of electronic commerce, just as for traditional commerce, security is not absolute: it is just a factor to balance against the cost of loss and fraud.
Electronic commerce, and information commerce in particular, needs a robust information protection mechanism, including rights protection and controls, not just payment systems. As the electronic world evolves, however, and moves forward from simply emulating traditional transactions into entirely new business models, rights protection and control will become the predominant issues.
Protection of intellectual property rights in information requires strong cryptography as well as a flexible infrastructure for controlling use of the information. A standard protected container for information is necessary to support interoperability -- most existing schemes tightly bind the creator of protected information and the software that processes it. A standard container can rationalize information commerce and reduce costs for all participants.
In the long term, general-purpose secure electronic commerce will need pervasive deployment of tamper-resistant hardware devices to perform secure processing of protected content. However, as these solutions are developed, many business models can be accommodated with weaker or less complete solutions because the risk and expected losses are commercially acceptable.
Business-to-business purchasing is steadily evolving into a direct electronic ordering model. Future communications and media markets will become increasingly segmented and specialized in response to customer preferences and needs and involve increasing, and more sophisticated, direct interaction between consumers and providers. These markets and their value chains (with or without intermediary distributors) will require secure metering and control tools that enable a user to efficiently and economically tailor resources to his or her own desires.
During the next decade, digital delivery of traditional electronic products, such as information databases and software, will be joined by a rapidly growing array of both New Media and electronically distributed traditional content. The conversion from traditional models requires key foundation technologies and will result in a fundamental shift in current infrastructure. This transformation will create a new distribution industry. Digital distribution employing a universal content and commerce container can play a critical role in this broad economic transformation.
[3] Office of Technology Assessment, Accessibility and Integrity of Networked Information Collections. Washington, D.C.: U.S. Government Printing Office, July 1993.
[4] E. Hollings, Communications Competitiveness and Infrastructure Modernization Act of 1990. Washington, D.C.: U.S. Government Printing Office, report of the Senate Committee on Commerce, Science, and Transportation, 12 September 1990.
[5] R. Benjamin and R. Wigand, "Electronic Markets and Virtual Value Chains on the Information Superhighway," Sloan Management Review, Vol. 36, No. 2 (1995).
[6] U.S. Constitution, Article 1, Section 8, Clause 8 (1787).
[7] U.S. Copyright Act of 1978.
[8] 17 U.S.C. §107.
[9] 17 U.S.C. §102(a).
[10] T. Berners-Lee, R. Cailliau, and J.-F. Groff, "The World Wide Web," Computer Networks and ISDN Systems, Vol. 25 (Dec. 1992), pp. 454-459.
[11] D. Chaum, "Achieving Electronic Privacy," Scientific American, August 1992, pp. 96-101.
[12] M. Sirbu and J. D. Tygar, "NetBill: An Internet Commerce System," IEEE CompCon Proceedings, March 1995, pp. 20-25.
[13] D. Gifford et al., "Payment Switches for Open Networks," IEEE CompCon Proceedings, March 1995, pp. 26-31.
[14] S. Dukach, "SNPP: A Simple Network Payment Protocol," MIT Laboratory for Computer Science, Cambridge, MA, 1993.
[15] B. C. Neuman and G. Medvinsky, "Requirements for Network Payment," IEEE CompCon Proceedings, March 1995, pp. 32-36.
[16] First Virtual, Inc., "Introducing the First Virtual Internet Payment System," 1994.
[17] A. K. Choudhury et al., "Copyright Protection for Electronic Publishing over Computer Networks," IEEE Network Magazine, June 1994.
[18] J. Erickson, "A Copyright Management System for Networked Interactive Multimedia," Proceedings of the 1995 Dartmouth Institute for Advanced Graduate Studies, 1995.
[19] K. Hickman, "SSL Reference Manual," Netscape Corporation World Wide Web Site, http://www.netscape.com/newsref/std/sslref.html, 1994.
[20] E. Rescorla and A. Schiffman, "The Secure HyperText Transfer Protocol," Internet Draft draft-resorla-shttp-0.txt, 1994.
[21] B. Cox, "Superdistribution," Wired, Sept. 1994, pp. 89-92.
[22] U.S. National Bureau of Standards, "Data Encryption Standard," Federal Information Processing Standards Publication FIPS PUB 46-1, Jan. 1988.
[23] R. Rivest, A. Shamir, and L. Adleman, "On Digital Signatures and Public-key Cryptosystems," Communications of the ACM, Vol. 21 (Feb. 1978), pp. 120-126.
DigiBox, InterTrust, the InterTrust logo, InterTrust Commerce Architecture, and InterTrust Commerce Node are trademarks of InterTrust Technologies Corporation which may or may not be registered in certain jurisdictions.