The DRM Dictionary:
Terms, Technologies, Companies, and More!



Copyright 2002-2008 Information Mechanics Ottawa Inc. All rights Reserved.

0-9

 
2600
The "Hacker Quarterly", a Web site and physical magazine devoted to, what else, hacking. The name derives from a legendary incident in which a phone hacker (John Draper) discovered that the sound from a toy whistle found in Captain Crunch cereal was a precise 2600 hertz which, due to the multi-tone in-band signaling system employed at the time, could be used to steal long-distance service from the phone network ("phreaking"). The hacker subsequently adopted the moniker "Cap'n Crunch" and took his place in history. The phone network has evolved so that this particular attack is no longer useful, and the group has diversified and grown up, for example engaging in advocacy relating to the DMCA and those charged with violating it.
321 Studios
An illustrative lesson about business and the DMCA: a company whose only product existed to easily copy DVD movies. In most jurisdictions, that would lead to an interesting shades-of-gray discussion about fair use and personal backups vs. piracy and so forth. In the USA however, thanks to the DMCA and the fact that the technology incorporated the verboten "circumvention measures" (i.e. the logic of deCSS), things are more black and white, and 321 was sued into oblivion in 2004. It is still possible to copy DVDs of course, you just have to get software from somewhere else to do it.
3C Patent Group
A consortium that licenses patents required to make DVD players, consisting of Sony, Philips, Pioneer, and recently LG. Their profile was raised in early 2005 when most of them joined the Marlin group, and also when they were sued by Chinese DVD player manufacturers claiming discriminatory pricing.
4C Entity
A consortium of 4 computer technology companies (IBM, Intel, Matsushita, and Toshiba) which fosters the production of, and subsequently licenses, intellectual property associated with content control. The 4C entity emphasizes secure storage licensing schemes such as CPRM.
5C Entity
A consortium of 5 computer technology companies (IBM, Intel, Matsushita, and Toshiba, who are the 4C Entity, plus Hitachi) which fosters the production of, and subsequently licenses, intellectual property associated with content control. The 5C entity emphasizes secure transmission e.g. over domestic IEEE 1394 links, while the 4C Entity emphasizes secure storage. Also known as dtcp.com, and the "Digital Transmission Licensing Authority."

A

 
Adobe Systems
A leader in technology for electronic documents, best known for the PDF document format and software tools to create and read it. Their main approach to DRM has been a plug-in framework for their PDF software, into which third parties can plug functions, including DRM. The security of this set-up has been poor and attacks against it were well-documented, most famously in 2002 by a Russian security expert who was arrested shortly after pointing out the system's weaknesses. Adobe makes money from other products such as Photoshop and, with the eBook market stagnating, DRM doesn't seem to be too high on their list these days.
Activated Content
A supplier of forensic watermark technology for the digital audio industry, based near Microsoft in the western USA. They claim that their system is both inaudible to "Golden Ear" testers, and able to survive various manipulations such as encoding with perceptual codecs. If these claims stand the test of time, they have certainly advanced the state of the art beyond where it was in the SDMI era.
Advanced Access Content System (AACS)
The copy protection scheme for next-generation video disks; here's an early (2004) EE Times article. It is administered by the AACS Licensing Authority which has a most impressive roster of members including IBM, Intel, Microsoft and Sony. AACS is the copy protection scheme for next-gen video disks regardless of who wins the Blu-ray vs. HD-DVD wars, and regardless of whose codecs are used. Any such scheme must confront the embarrassing legacy of CSS and strike a very difficult balance between content provider paranoia and consumer convenience. Preliminary technical specifications became available in spring 2005. Early in 2007, a crack emerged, at least for HD-DVD. It's not a very elegant crack, i.e. it does not stand alone like DeCSS. It's really just a software implementation of the AACS cryptography specification which is not useful without secret per-title keys. However, compromised software players have yielded many such keys, which have been posted on the Internet, and given the small selection of HD-DVD titles, this represents a substantial fraction of the HD-DVD movie inventory. Further, many of the HD-DVD security mechanisms, such as Traitor Tracing and revocation, are not useful against this attack, since the keys produced from compromised machines are not traceable and the users of the keys would not need to do anything which could be detected as a revocation trigger.
Advanced Encryption Standard (AES)
A standard for symmetric cryptography endorsed - after open technical competition - by the National Institute of Standards and Technology in the USA. Because it's free, secure, and subject to intense scrutiny by the cryptographic community, AES is the obvious choice for the symmetric requirements of many security applications including DRM. Many DRM applications use 128-bit AES somewhere in their architecture. Currently AES is not usually used for persistent content encryption; there, more lightweight stream ciphers such as RC4 are preferred. However, as processing power becomes cheaper it is becoming more common - it is already used in DTCP and WMDRM-ND, for example.
Advanced Video Coding (AVC)
See H.264.
Aegis DRM
A UK-based DRM technology company which apparently has solutions in the Enterprise space for both Web and Office documents, as well as for software. This is quite a comprehensive range for a new company and it will be interesting to watch the competition between them and competitors such as SealedMedia.
Aegisoft
Also known as 1800software. A Digital Rights Management technology vendor which specialized in PC game DRM and reputedly had PC Video DRM in development. They were bought out by Real Networks in January 2001.
Aggregator
A business which assembles a collection of content from various publishers under one banner, typically in the form of downloadable content on a Web site. Some businesses become aggregators primarily to provide "one-stop shopping"; for instance, an online music site must have content from all major labels to be competitive, because consumers don't want to worry about which label their favorite artist works for this month. Others, like DRM technology provider Trymedia, sometimes become content aggregators to attract audiences and build a market for content using their (in this case DRM) technology, since otherwise that content might not obtain adequate distribution.
Aladdin
A software DRM company with roots in dongle-based protection. In recent years they have developed or acquired software-only DRM technology. They acquired the Ziplock Electronic Software Distribution technology from Preview Systems when Preview ceased operations in 2001. HASP SL is their current offering in the software DRM space.
America On Line (AOL)
The Reader's Digest of Internet Service Providers. It used to matter what AOL did, and its choices in partnerships with, say, DRM-enabled music services might have been major consumer influencers. However, AOL's dominance is waning. They have stumbled badly in being way too late with broadband, and AOL Time Warner removed the "AOL" from its name in fall 2003.
analog
A continuously variable quantitative value, such as the air pressure variations caused by sound, electrical voltage on wires connected to speakers producing sound, or the wavelength of colors in a photograph. This is in contrast to the constrained values (in the simplest case, 1 or 0) which can be represented in the digital domain.

Analog signals can be extremely high quality, however, transmitting them and recording them in high quality is expensive and time-consuming - and even with the best available techniques, analog copies degrade through the generations. That is why, even though analog techniques for content piracy have always been available, they were largely ignored by content owners, because they have not been used enough to significantly diminish retail sales of original media.

Recently, as content owners have built protections around digital content, they are becoming more concerned with the possibility of analog signals being used to pirate content. See The Analog Hole.

Analog Copy Protection System (ACP)
Macrovision's ubiquitous anti-copy technology, best known for preventing easy copying of DVDs to VCR tapes. Here's a PDF plug for ACP by Macrovision. Also known as "Analog Protection System" or APS.
Analog Hole
The potential weakness in a digital content-protection scheme that arises from converting the digital signal to analog, copying it, and re-converting it to a digital format with copy control removed. As far back as 2002, some content owners argued that copy protection should be built into the relevant electronic hardware components: analog-to-digital and digital-to-analog converters, as per this EE Times Article. In the United States, there are ongoing attempts to legislate-in such technology, such as this one from 2005.
Ancoratech
Son of Beeble. A California based company which is leveraging Beeble's patent in a new direction, emphasizing applications of BIOS security to the on-line identity problem. Given the fairly broad nature of the patent, it is likely they have other aspirations in the IP arena as well.
Anti-Copy
See Copy Protection
AnyMusic
A Japanese online music service spearheaded by Sony. The twist, as per this EE Times article, is that the content only targets portable Consumer Electronics players and cannot be played on PCs.
Application Programming Interface (API)
A logical connection through which one software component talks to another, usually within one computer and invisible to most end users. APIs are significant from a security point of view because they are a great place to attack. For example, the API to a "decrypt" subroutine might get passed the true key to a given piece of content, making that API call a great place to try a key discovery attack.
Apple Computer
The "other" personal computer company. For a long time Apple deliberately avoided Digital Rights Management. But in April 2003, Apple introduced its own music service, which has set the standard for the genre ever since. As you might expect from Apple, it's a mixed bag. The good news: user-friendly, very liberal DRM policies, 99 cent downloads, unlimited CD burning and transfers to their iPod portable player. The bad news: it only works with Apple iPod players - forget using that Rio MP3 player. And at first it only worked on Macintosh computers, but Apple introduced a PC version in October 2003. Apple is using the AAC codec from MPEG-4 and their own DRM called fairplay. The DRM is often cracked (here's one example), but that doesn't seem to slow them down too much.

You have to give Apple credit for striking a plausible balance between the desires of on-line music consumers on one hand, and the content owners on the other - something that none of the other on-line music services have done as well so far.

Asymmetric cryptography
A family of cryptographic techniques which makes use of the one-way nature of certain mathematical functions, which results in a system where two separate keys are used. They are usually called "public" and "private" keys, and either key can be used to encrypt or decrypt data. If one of the keys is used to encrypt content then the other must be used to decrypt it, and knowing one key does not help you discover the other. This is also known as "public key" cryptography, because a sender of encrypted messages can make one key public. That key can read messages sent by him, or encrypt messages that only he can read; only he can create messages using his private key. Asymmetric cryptography is extremely powerful, can provide functions in addition to confidentiality (such as digital signatures), and scales well in large user communities. However it is also extremely compute-intensive, so in practical systems such as SSL and most DRM systems, it is usually used in combination with symmetric cryptography.
ATRAC
"Adaptive TRansform Acoustic Coding", a proprietary audio codec from Sony, originally used in Mini Disc players, and now incorporating MagicGate DRM. The audio quality of this codec is fine, but it just goes to show that Sony has always had a "Not Invented Here" problem. Does the world really need another manufacturer-specific codec? I think not. Sony's official story is here. In fall 2004 Sony started supporting MP3 in its players, but they still use ATRAC on DRM'ed Sony tunes such as those from the Japanese AnyMusic site.
Authena
An "open forum for open DRM", Authena tries to be a clearing house for information relating to open-source content management including DRM. This looks to be a losing cause. The links range from the philosophical e.g. Larry Lessig's pages, to the practical, e.g. openipmp at sourceforge.
Authentication
The art and science of detecting exactly what person - or what physical or logical device or entity - you are dealing with in a specific interaction. Typically authentication works in a client/server context with the main security burden on the server. It is very difficult on the public Internet, which is why systems requiring strong authentication either are not Internet based, or add robust additional overhead (such as PKI or smart cards and associated procedures) to Internet-based access. Recently, "local" authentication has become important in DRM, as various software components inside a software-based player authenticate one another, to try to prevent the use of rogue programs to steal content.

B

 
Business-To-Consumer (B2C)
A business paradigm in which business either sells directly to consumers, or provides infrastructure to other businesses which do so. iTunes and Windows Media Player are prime examples in the DRM space. During the dot-com boom of the late 1990s, many startup companies flailed in desperation between this and the B2B model. For the most part, they started out with a B2C vision, but either could not get worthwhile content, or were years ahead of the consumer in terms of technology expectations.
Business-To-Business (B2B)
The counterpart of B2C, above: a business paradigm which either sells directly to businesses, or provides infrastructure to other businesses which do so. The slight shift of DRM's focus to the enterprise market beginning in 2004 reflected that businesses were more ready than consumers (other than some online music customers) to embrace DRM. Authentica is the thought leader in this space.
Basic Input-Output System (BIOS)
A part of every PC and video game console, which controls various aspects of the system's operation, notably the bootstrap process. In game consoles, the BIOS is a fundamental part of the anti-piracy strategy. It either implements security functions directly or launches a "chain of trust" to other software using mechanisms such as Code Signing. In most game consoles (e.g. PS2), the BIOS is on a separate physical chip with readily accessible pins and the attack of choice is a Mod Chip that bypasses the legitimate BIOS in favor of a piracy-friendly one. On the PC, the BIOS does not perform any such functions currently and there is no moral equivalent of the "mod chip." However, just as for a console, it is the first code to run when a system powers up and so a logical place to begin a chain of "trusted" software. Microsoft's (arguably stalled) NGSCB includes this among other enhancements. There are also efforts underway to put specific DRM support into the BIOS such as that from Ancoratech.
BD-ROM
The format specification for manufacturing Blu-ray video disks.
Bear
An Open-Source implementation (from Dartmouth University) of a trusted computing platform for Linux, built according to TCPA principles. The intent is admirably democratic: taking TCPA out of the hands of mega-corporations and putting it into the hands of the people... but one suspects that "the people" (especially the ones who contribute to Open Source developments) probably do not want TCPA in the first place. Indeed, the Web site shows little sign of activity since 2003.
Beeble
A California company which, based on this Patent, staked a claim to the idea of inserting license information for a DRM system into the BIOS of a PC. Beeble ceased operations in 2004 but the patent and principals have resurfaced at Ancoratech.
BigChampagne
BigChampagne started out tracking trends in illegal downloading and reporting them to the record labels - think of Nielsen ratings for Kazaa ;-). Illegal downloading is less of an issue than it once was, so they have wisely adapted by including data on legal downloads as well.
Bit-Arts
A UK-based Digital Rights Management technology vendor, which seemed poised to attack many sectors of the market when it mysteriously disappeared sometime in 2005.
Biometrics
A technology of authentication which identifies individual humans based on unique physical characteristics which are hard to spoof, such as fingerprints, retina patterns, or voice prints. Despite what you might think from James Bond films, biometrics is an imperfect science - see crossover error rate for more on that. As a result, it is rarely used on its own, but rather as part of two-factor authentication system where the biometric identity adds more confidence to a candidate identity already established by some other factor, such as a password. Biometrics today is way too heavyweight and expensive for mass-market DRM and is mostly found in high-security applications in government and industry. Musicrypt is the only example that comes to mind of a mainstream DRM company using biometrics.
Black Box
A component whose boundaries are well defined and whose inputs and outputs can be observed (and perhaps the inputs manipulated), but whose internal operations cannot be observed. For DRM and similar applications, a well-designed physical black box provides perhaps the best currently attainable level of protection. Smart cards are one kind of black box. In the media world, a Super Audio CD player is a "black box" whose inputs are AC power and an SACD disk, and whose output is multiple channels of analog audio. Compliant SACD players cannot have unencrypted or raw digital outputs. What is hidden inside the box - and what the SACD designers don't want anyone to figure out - are mechanisms such as encryption, watermarking, media binding etc. which try to prevent both digital copying of SACD disks, and the creation by home users of their own playable SACD disks.

A PC, by contrast, is a white box, whose internals are very open to inspection, reverse engineering etc. Most of the initiatives to make PCs more secure, such as NGSCB and secure audio path, amount to putting little black boxes inside the white box of the PC.

Black Hat
A hacker with malevolent intent - the counterpart of a White Hat. Black Hats are the predominant source of cracks and exploits.
Blu Ray
The Blu-ray media disc, the new high-definition media format which finally won out in early 2008 over its rival HD-DVD. Blu-ray, like HD-DVD, uses the AACS protection scheme and several related security technologies. The security arsenal is considerable, including bringing revocation and "push" software updates (contained on the media disks) to the mass-market Consumer Electronics domain for the first time. As a consumer, let alone a DRM expert, I am in no hurry to buy a piece of off-line consumer electronics which will "change its mind" about how it behaves at some unknown point in the future.
Break Once Break Everywhere (BOBE)
A common but undesirable attribute of many software-based secure systems, including digital content control technologies, namely, that if one person produces an effective attack such as a content-protection crack, others can use it anywhere, in the worst case for all content on all systems using similar software.
Broadcast Flag
A controversial technical copy-protection proposal solicited by the Federal Communications Commission and prepared by the CPTWG, for digital television broadcasts in the United States. Under this proposal, a flag in a digital TV channel's data stream controls whether digital copying is allowed or not. The Motion Picture Industry loves it, but almost everyone else hates it. It appears the MPAA has better connections, because in a classic example of Design by Politician, the FCC recommended it be mandated (PDF) in fall 2003.

And then in 2005, a US court ruled that the FCC did not have the power to mandate the broadcast flag in the first place. So now powerful content owners are drafting their own "suggested" laws to deal with it, either by expanding the powers of the FCC, or having the US Congress legislate the issue directly.

The US government's motives are not just the usual Republican pro-business ones in this case. They want the radio spectrum from soon-to-be "legacy" analog TV broadcast frequencies back, and they'll never get it back if consumers don't switch en masse to digital TV. Hollywood's argument (which if history is any guide will eventually prevail) is that the carrot for consumers to switch to digital is premium Hollywood content, and such content will only be available if the broadcast flag is implemented. One could argue - and many have - that the broadcast flag is a disincentive to the adoption of digital TV, because it makes a "digital VCR" an oxymoron. Who would spend thousands of dollars on a new TV system when a basic capability he already has - home taping - is substantially taken away by it?

Brute-Force Attack
An attack which seeks to defeat security schemes using passwords, serial numbers, cryptographic keys, or similar secret data, simply by "guessing" and trying every possible value until one works. As a rule, brute-force attacks are ineffective against well-implemented systems. If the system is cryptographic, keys in modern cryptography are quite long and an exhaustive search would take many years - perhaps millions of years - with current technology. As for logon passwords, measures such as a lockout after a certain number of unsuccessful attempts can slow the attacker to a crawl (unless he's doing a local attack on a copy of your password file, in which case you have other problems - and it still takes quite a while). Serial numbers usually have internal validity checks so that randomly guessed values would mostly not even pass those checks. As a result, brute-force attacks are rarely used by hackers, who prefer other techniques such as key discovery, keygens, clear text interception, or social engineering instead.
Business Model
How all of the players involved in a business transaction make money, from the end consumer and through the value chain. What's this got to do with DRM? Plenty. For the better part of a decade, DRM technology has languished while people squabbled over how to share on-line revenue that they would never get in the first place, usually because their business offers sucked.

A case in point from 1998: a broadband ISP wants game software companies to pay it for making their software easily available to its customers. The game software companies argue that access to premium content helps the ISP sell service, so the ISP should pay them. Result: a stalemate, a half-hearted implementation, and 10% of nothing for infrastructure players like DRM providers.

Fast-forward a few years: there is an online content business, and it has a standard retail model: the 99 cent music-single download, years late though it may be. Behind the Web site, however, it's still a mess, with half-a-dozen parties haggling for their share of the revenue, and profits being elusive for most of them. This is in large part the result of Byzantine licensing rules and entrenched players such as the major record labels.

Now that the genie of healthy competition is out of the bottle, it cannot be put back in, much as some of the embattled incumbents would like it to be. Major artists who can get by without a label - or up-and-coming artists who never had one in the first place - can go direct to on-line. Peter Gabriel organized just such a system. Further, all-you-can-eat subscription business models are appearing as alternatives to paying per tune. This is certainly a good thing for on-line content, and a bad thing for the RIAA. Whether it supports growth for independent DRM providers, or just more dominance for in-house DRM from the likes of Microsoft or Apple, remains to be seen.

Burst Cutting Area (BCA)
An optional add-on data area sometimes used on DVD media. Originally proposed by the now-defunct Divx video-rental company, it is a way of putting unique information such as serial numbers on otherwise mass-produced and identical DVDs. This is because putting data on the BCA uses a laser as an additional step after the stamping of the DVD. The BCA is also in a section of the disc which could be read but not written by consumer DVD burners, thus helping copy protection schemes. More recent formats are capable of burning it however. Because the BCA adds expense to the production process it is not widely used, the only notable exception being Playstation games.
buymusic
An early (July 2003) entrant into the on-line music distribution business. Launched by Scott Blum, the founder of buy.com, it uses Microsoft Windows Media Player technology and was the first answer for Windows users to Apple's then Mac-only iTunes service. Initial reviews were mixed. At 79 cents a song, it's cheaper than iTunes; however, it is not as user-friendly and different songs have different rights associated with them. For more details here is a PC World Article on buymusic.

C

 
c-dilla
UK-based company which developed CD anti-copy technology for software and audio. They were bought out by Macrovision in 1999, which morphed their technology into the "SafeAudio", safecast and CDS products. Macrovision has also acquired related technology from TTR and apparently aims to be the leading expert in this field.
certificate
A digital document which uses cryptographic techniques to create a mathematically unspoofable association between some data and an entity that certifies that data. Certificates have many flavors and applications. The best-known one is probably the X.509 certificates issued by companies such as Verisign which act as "certification authorities" for the identity of a Web merchant in SSL sessions, as used to provide privacy for credit-card transactions. In such cases the certificate is associated with a public-private (asymmetric) key pair which was created by the same certification authority, and the public key is actually part of the certificate.

In the world of DRM, certificates are becoming common now, but they are almost always "under the hood", identifying components of the end-to-end infrastructure and not the actual consumer. Therefore, the consumer is not aware of their existence or function. The proposed Coral architecture aims to make such certificates a standard part of each interacting component.

Certified Output Protection Protocol (COPP)
A security technology which Microsoft is phasing in for video subsystems as a requirement for logo certification. The details are not public but the gist of it seems to be that drivers are well authenticated, protected from tampering, and the control signals (though not the media content) are encrypted across even internal interfaces such as software APIs. The end objective is that signals controlling security aspects of video outputs such as HDCP, which may, for instance, originate with the Broadcast Flag, are not tampered with so as to enable unauthorized high-quality recording from the video outputs.
Channel Conflict
A classic business dilemma where one method of selling something reduces the revenues that would otherwise be obtained from another method. For example, selling software through online downloads reduces the revenue of retail software stores. In the worst case, a poorly chosen new channel can simultaneously alienate major partners and reduce overall revenues. Fear of channel conflict is endemic in the content industry. Unfortunately, sometimes the most significant competitive channels are ones - such as peer-to-peer networks - which generate no revenue and which content owners don't control. In the long run the only way to succeed is to recognize the whole channel set, including channels inside and outside your control, and optimize it so that most consumers prefer the legitimate channels and so generate a reasonable return on your investment.
Check In / Check Out
The ability of a DRM system on one platform, such as a PC, to "lend" a copy of a controlled asset to another platform - such as a PDA or another PC - in such a way that the asset behaves like a physical one. That is, it is "checked out" from the original system and cannot be accessed from there until it is later "checked in" from the other device. The intent is to support space shifting without helping make possibly unlimited, illegitimate copies. However, it is extremely hard to implement in such a way that it is both secure and convenient, and considering that it closes a relatively small security gap, it is not clear that it will become a mainstream feature of DRM systems any time soon.
Chilling Effect
The intimidation of corporations or citizens based on allegations - usually in letters from lawyers - that their (typically on-line) activities are in violation of some law such as the DMCA. The problem is that it usually doesn't matter whether the allegations have merit or not. Most recipients of such letters simply give in regardless, because they cannot afford the distraction and cost of a legal fight. The chillingeffects.org Web Site is a clearing house for information on this activity.
Cinea
An American DRM technology company founded by key executives from Divx. They developed technology to prevent the video taping of movies from theater screens using camcorders. Their main current product is a fingerprint-based "secure DVD player" used for Hollywood screeners (advance movie copies sent to Hollywood insiders for award-related reviews, which have often been pirated.) They apparently also have a pool of intellectual property from Divx. They were bought by Dolby (PDF) in September 2003.
Cleartext, Cleartext Interception
"Cleartext" is the term used in cryptography for the unencrypted form of a protected data item. (The term "plain text" is also used.) An intelligent attacker of a cryptography-based system seeks to obtain a cleartext with the minimum possible effort. In DRM systems, obtaining a cleartext is usually (for the case of audio/video media) equivalent to cracking the system's security. In the world of mass-market open systems such as PCs, intercepting a clear text is usually very easy, for two reasons:
  1. All you have to do is "play" the content once... and the first user might even pay for it, and
  2. In open systems the decrypted content, even if intended to be hidden and transient, can always be intercepted, such as by a Wedge Program.
As a result, cleartext interception is the attack of choice for many pirates, especially with audio and video.
Cloakware
A North American (U.S. headquarters, Canadian R & D) technology company which provides security technology useful for DRM and other applications. Their products provide source-based obfuscation to slow down black hat attackers, and controlled diversity to counter cracks and similar automated code-based attacks. More recently they have developed "packaged" solutions which enable software developers to comply with the Robustness Rules associated with media DRM standards such as DTCP. In 2007, Cloakware was bought by Dutch Set-Top maker Irdeto. Full disclosure: your scribe has been working for Cloakware since 2004, and is still an even-handed commentator on the DRM scene - I do this on my own time ;-)
cloning
A special case of spoofing where an attacker analyzes a component of a security system (typically a physical one like a smart card) and succeeds in understanding it well enough to make "plausible" copies. These copies are good enough to fool the system (e.g. the phone network) into providing free service - free because there is either no associated subscriber, or a fraudulent association to another existing subscriber. A typical cloning scenario for modern cell phones is described here.
cocktail
A proprietary encryption algorithm used by Microsoft to encrypt media data in their DRM systems such as WMDRM and PlayReady. It is essentially a variation of RC4 which, so to speak, "rotates the shield frequencies" so the derivation of the final bytewise XOR values (keystream) has variations thrown in relative to normal RC4.
codec
Short for "coder-decoder". In this context, a codec is a digital algorithm, typically executed in software, which transforms a media signal into a form optimized for transmission or storage, and then transforms it back again. The best-known codec, MP3, transforms a raw PCM music signal into a form about 10 times smaller than the original. It is important to note that a codec is NOT the same as - although it may be related to - a file format.
Code Signing
Putting a digital signature on a piece of code to provide assurance that it was produced by a known entity and is untampered. Often the techniques of PKI are used. Sometimes code signing is designed to inspire confidence in the user, as when installing browser add-ons. In the DRM world, code signing is often used to verify that rights-enforcing code has not been tampered with, i.e. to inspire confidence in the content owners.
Compliance Rules
Term of art for behavioral rules which manufacturers of equipment implementing DRM must ensure their equipment follows. For example, video cards must ensure output copy protection such as ACP is turned on (in this case, for NTSC outputs) if the content license so specifies. Since hackers will inevitably seek to crack such systems to allow unrestricted copying, there are usually additional Robustness Rules, designed to make the system resistant to attack, which must also be complied with. In practice, Compliance Rules and Robustness Rules are technical documents tied to license contracts for particular DRM technology such as Windows Media DRM or CPRM. Most compliance rules are private but here's a publicly available example for CPPM from the 4C Entity.
Compulsory License
A license to use content which is prescribed by law on a blanket basis for a given situation, as opposed to being negotiated between users and copyright holders. It's "compulsory" because, as a practical matter, copyright holders can't say no. They DO get paid, although the formulas by which this happens are a matter of great debate.

Compulsory licenses serve legitimate purposes in some arenas. Most notably, they enabled commercial radio to become a viable business by giving radio stations access to a vast range of music without having to enter into endless negotiations with thousands of copyright holders.

Some commentators (notably the EFF) argue that the current mess in digital music - P2P downloading of pirated MP3s - could be solved by compulsory licensing, but they have yet to make a compelling case. Perhaps few of us care that compulsory licensing would weaken the raison d'etre of powerful, well-connected groups like the RIAA, but the U.S. Congress does. More fundamentally, in the absence of good revenue sources for distributors, it's hard to see how the business model would work without in effect becoming a general "music tax" - which sounds wrong even to this liberal Canadian, and would never fly in the free-enterprise-will-fix-all-problems ethos of the USA.

Conditional Access (CA)
The term used for controlling the viewing of television signals in a broadcast (e.g. satellite or set-top cable) television system. Such systems differ from consumer PCs in that they typically have proprietary, tamper-resistant, uniquely addressable terminals, and often use Smart Cards or PODs as well. There is also an emerging market for software-based conditional access, which eschews smart-cards in favor of flexible, tamper-resistant software control. By some estimates, the "cracking" market for CA on satellite TV systems - i.e. the money spent on hacked Smart Cards - is larger than the entire legitimate revenue of the satellite TV business.
Constrictor
A software component which deliberately degrades the quality of a (usually video) signal. The idea is that when a signal is at risk of being copied, it should not be pristine "copyable unto the Nth generation" quality, but rather behave more like a low-quality analog copy, making it undesirable as a source of pirated content. This can be accomplished in various ways - for example, an HDTV-quality image could be down-sampled to lower resolution and re-sampled up to HDTV again - but a lot fuzzier. Windows Vista might do this if, for example, a high-resolution video was playing on an "insecure" monitor. Many observers consider this an unwelcome use of extra PC cycles to make things worse. You could also argue that it just attempts to mimic the analog world, where copies are possible, but their quality leaves something to be desired.
Consumer Electronics (CE)
Everyday fixed-function electronic appliances such as audio CD players, DVD players, SACD/DVD Audio players, or MP3 players. These are significant for DRM because the dominant formats - Red Book audio and MP3 for music and MPEG-2 / CSS for DVDs - are almost impossible to change in a way which makes them hard to steal on a PC without screwing up their performance on CE devices which are deployed in the billions. In fact, exactly this has happened repeatedly, starting with Audio CDs as early as 2002.

The newer DVD Audio and SACD formats have non-trivial copy protection and, just as important, license restrictions which prevent them exporting unencrypted digital content. However, the quality improvement with these formats is not significant except for the minority of consumers who have high-end audio equipment, and the inability to make digital copies is unattractive. Thus it is far from clear that mainstream consumers will move to these new formats - which accounts for some of the desperation seen recently in trying to protect legacy formats.

As for the emerging Blu-ray and HD-DVD video formats, many are disturbed by the addition of Revocation to CE devices for the first time, in Blu-Ray players. That is, your player might decide to behave differently at some point in the future, because the distributed discs contain not only the movie content, but also software upgrades and lists which may ban certain devices or certain content. Considering this "feature" alone, your scribe will not be buying such a device any time soon.

ContentGuard
A DRM technology company spun out of Xerox, based largely on DRM patents from Xerox' famous PARC research institute. In 2004 there was a controversial takeover by Microsoft, Time Warner, and Thomson. For more information see their entry in our DRM vendors page.
Content Protection for Recordable Media (CPRM)
A system for "renewable cryptographic method for protecting entertainment content when recorded on physical media" from the 4C Entity. CPRM has flavors for several storage media types, notably SD Cards. They also had a controversial proposal for ATA Disk Drives for PCs, which met wide opposition and never went anywhere.
Content Protection System Architecture (CPSA)
A set of guidelines for content protection in the video space developed in co-operation with the CPTWG. They don't have the force of a standard or clear corporate backing, but they do provide insight into the thinking of content owners and Consumer Electronics Manufacturers. Here's a thorough Article from ExtremeTech on CPSA.
Content Reference Forum
A zombie industry forum that aimed to foster interoperability for DRM systems and to allow the extension of such systems to P2P, viral, or other distribution forms. The key concept is that an always-resolvable reference to content is an essential starting point for content-based commerce, and that details such as the format of the content are changeable and secondary. This is, technologically, a good approach, and key players such as Microsoft are members. However it seems the usual logjam of competing commercial and IP issues has slowed things down since the Web site has very little sign of activity since 2003.
Content Scrambling System (CSS)
The encryption scheme for DVD video disks, which was famously cracked by a Scandinavian teenager who released deCSS, a DVD decoder for PCs, in 1999.
Convergence
A buzzword used by anyone trying to sell high-tech gear with ever-more features crammed in - cell-phones with color graphics, Internet capability, and PDA functions, for instance. The term is used in two ways, to refer both to the convergence of many functions in one box, and to the convergence of many applications over one network (for example, Voice Over IP.) So far, convergence has been more of a vision than a reality. However, a number of factors - ubiquitous wireless, a critical mass of standards, and the amazing processing power of cheap integrated circuits - are making convergent devices a mass-market commodity.

As this unfolds, DRM on these devices will become a hot issue, as will new malicious attacks enabled by convergent networks. It is a large business challenge, given widely diverse technology bases, severe manufacturing cost constraints, and often low-value content. One symptom of convergence is that device makers are starting to combine both OMA DRM and Windows Media DRM in a single device.

Copy From Device (CFD)
See Device Bridge.
Copy Generation Management System (CGMS)
A system designed to prevent digital copies being made from DVDs. There are separate versions for copies which are transferred between devices in analog form (CGMS/A) and in digital form (CGMS/D). Due to fumbling between industry standards groups, CGMS/A is largely ineffective in the European PAL format.
copyleft
As the name implies, a kind of opposite to copyright, used by the free software movement. Material which is "copylefted" is not only publicly available, but requires that all of its users maintain its public availability even if they modify it. The intent is that material such as open source software remains freely available as it evolves and improves, rather than reverting to commercial status.
Copy Protection
Copy protection is the use of technology to prevent the copying of analog or digital data. By this definition, trying to make uncrackable copy protection is futile. Unfortunately, many people believe that copy protection and DRM are the same thing. They're not. More enlightened DRM approaches, such as those developed by the now-defunct :-( NetActive welcome copying as free distribution and focus on controlling how the recipient uses the copied data. Copy protection is also causing a backlash amongst consumers by preventing, for instance, legitimate ripping of tunes via iTunes by iPod owners. Content providers have seemed determined to kill physical audio CD sales with harebrained anti-copy schemes. However the 2006 Sony Rootkit Fiasco brought things to a head and in 2007 the major labels hopefully gave up on copy protection for CDs.
Copy Protection Technical Working Group (CPTWG)
An industry consortium, apparently sponsored by the MPAA, which proposes copy protection technology. They created the current Broadcast Flag proposal and are also investigating means to close the "analog hole."
Copyright
A set of cultural expectations and laws that aim to strike a balance between the ability of a creative person to get paid for her efforts, and the long-term needs of society. The details vary widely from one place to another, but the principles are commonly understood. For example, if I buy a copyrighted audio CD, a bit of copying for certain uses is OK, but a lot of copying - especially if I'm selling the copies - is not. This particular notion is called Fair Use in the USA. Unfortunately, in the face of trivially copyable digital goods, copyright in its current form is in trouble. Many software companies are attempting to get around copyright expectations they don't like by positioning their transactions as License Contracts rather than sales of copyrighted goods. Content owners can't get both traditional fair-use behavior and robust protection, so many of them are simply trying to prevent copying altogether. It's not clear how this will play out, but the current situation is clearly transitional. For more on this see our DRM Policy page.
Coral Consortium
In the words of their Web-site at launch in October 2004: "..a cross-industry group to promote interoperability between digital rights management (DRM) technologies...". Interoperability is a most worthwhile goal. As of early 2008, it has yet to have much impact in the real world. It is probably not a coincidence that the founding members represent the largest pool of DRM IP on the planet, with only Microsoft's being comparable. As always, much can be learned from who's NOT a member. The Microsoft/Contentguard/Time Warner triad is missing. Apple's iPod/iTunes is doing just fine without interoperability. To be fair, there is some good technical thinking here; for instance they demonstrated that Windows Media DRM can work in the Coral framework.
CPU Serial Numbers
A security idea introduced by Intel in the late 1990s: a unique (64-bit) number in every Pentium CPU. It generated a huge public backlash due to concerns about privacy. Stung by this, Intel determined to share any good or bad consequences for their next security initiatives, and so the Trusted Computing Platform Alliance was born. The aversion to "serial numbers" is so strong that even today the NGSCB, which uses a public key per PC, attempts to keep the public key private(!) so it cannot be used as a serial number.
Crack
No, crack-trollers (you know who you are) we don't give out cracks here! (Verb): the art and science of discovering one or more security "secrets" with an aim to defeating the related security system. DRM systems for software are often "cracked" by reverse-engineering and modifying their software executable files to circumvent built-in restrictions - typically copying or usage restrictions. The term is also used for the discovery of cryptographic keys and passwords, especially when the latter are derived by analyzing a Unix-style hashed password file. It is also applied to breaking hardware-based schemes, for example, cloning GSM SIM smart cards. Sometimes the term is also used to refer generally to any malicious activity by hackers, such as breaking into other people's networks.
(Noun): The captured, redistributable result of a successful "cracking" exercise - typically a password, small set of instructions, or executable code-modifying program, which allows unskilled users to circumvent built-in limitations as above.
The problem of cracks is that one determined dishonest technical expert can usually enable theft of content by millions of non-technical people. (See also exploits and BOBE).
Creative Commons
The brainchild of Larry Lessig, Creative Commons is a Web site, a technology, and a concept, all in support of Larry's ideas about what to do about copyright in the Internet era. The essence of the idea is to support direct relationships between creators and consumers of digital content, without technological copy protection but with an automated scheme that makes choosing various licensing options easy. Will this be to the major media companies what Linux is to Microsoft, i.e. a plausible alternative? Will people still refuse to pay for online content when it's really easy and much of the money goes to the creators? Time will tell, but it's an interesting experiment and there is some good content using the system already - see for instance Magnatunes.
Credit Cards
Those ubiquitous pieces of plastic which a significant part of the Internet content audience does not possess. They also aren't very good for billing small amounts of money - as Apple and others are finding out with 99 cent downloads such as those on iTunes. Apple is responding with an online allowance program for kids. Theoretically, microtransactions could also fill the bill, though that road is littered with corpses. Another option is prepaid cards such as those announced by Napster.
Crossover Error Rate (CER)
The generally accepted figure-of-merit for biometric systems. All non-trivial biometric systems are tunable. If you tune a given system so that the percentage of false "accepts" equals the percentage of false "rejects", that percentage (say, 1% errors) is the Crossover Error Rate. Obviously, a lower error rate is better.
You might expect that either false positives or false negatives could be eliminated altogether, but even expensive, state-of-the-art biometrics is far from achieving this. That's why biometric systems are almost never used alone to provide user authentication, but rather to provide additional confidence in a system which already has a candidate identity. It is also true that better performance (lower CER) comes from more expensive and invasive technologies such as retina scans. Simpler technologies, such as keyboard pattern recognition and voice recognition, are the only ones that can currently be contemplated in DRM systems.
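The tuning trade-off behind the Crossover Error Rate can be worked through on a small set of match scores. The following Python is an added example, not part of the original dictionary; the scores are constructed sample data and the function names are hypothetical.

```python
"""Crossover Error Rate from biometric match scores (added example)."""

# Constructed sample data: similarity scores from 0 to 100, where a higher
# score means the sample looks more like the enrolled user.
GENUINE = [92, 88, 95, 71, 84, 90, 67, 79, 97, 86,
           58, 93, 81, 89, 76, 91, 85, 62, 94, 87]
IMPOSTOR = [12, 35, 28, 41, 19, 55, 33, 47, 22, 64,
            38, 30, 51, 26, 44, 17, 69, 36, 59, 24]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """Evaluate each threshold at which either error rate can change.

    One extra threshold above the highest score is included so that the
    "reject everyone" operating point is part of the curve.
    """
    scores = set(genuine) | set(impostor)
    thresholds = sorted(scores) + [max(scores) + 1]
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor):
    """Return (threshold, CER) at the point where FAR and FRR are closest.

    With a finite sample the two rates rarely meet exactly, so the CER is
    reported as their mean at the closest operating point.
    """
    t, far, frr = min(sweep(genuine, impostor),
                      key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def lowest_threshold_for_far(genuine, impostor, max_far):
    """Return (threshold, FAR, FRR) for the most lenient setting whose
    false accept rate does not exceed max_far.

    FAR never increases as the threshold rises, so the first match in the
    ascending sweep is the lowest qualifying threshold.
    """
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold satisfies the requested FAR")


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"{t:9d}  {far:5.2f}  {frr:5.2f}")
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: CER = {cer:.0%}")
    t, far, frr = lowest_threshold_for_far(GENUINE, IMPOSTOR, 0.0)
    print(f"zero false accepts needs threshold {t}, costing FRR = {frr:.0%}")
```

On this data the rates cross at 10%, and pushing false accepts to zero raises false rejects to 15%, which is the trade-off that keeps biometrics in a supporting role.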
Customary Historic Use
A really insidious idea from the American entertainment establishment: a successor to Fair Use which says, in effect, that any new creative media application may be illegal if it does not somehow make "customary historic use" of the material in question. Hopefully this will not get beyond the proposed-legislation stage. More from Ars Technica here.
Cryptography
Cryptography is the technology of keeping - and selectively sharing - secrets, which is a key component of Digital Rights Management systems. For more details see the entries on the most popular implementations of cryptography: symmetric cryptography, asymmetric cryptography, and PKI. Cryptography has been oversold and misunderstood in DRM circles. To help clear this up, see the more detailed analysis on the Cryptography in DRM page.

D

 
darknet
1) A term coined by Microsoft in their seminal 2002 paper The Darknet and the Future of Content Distribution. This paper doesn't really say anything that Internet experts didn't know already - i.e. that content protection systems will always be cracked by somebody, somewhere, and stolen content will always be illicitly traded in "dark" corners of the Internet. But the paper is significant in that it is an unusual expression of candor from Microsoft, and also in that it encourages people to think beyond black and white notions of "crackability". A content management system can be crackable and still provide both good risk management for content owners, and good value for consumers.

2) A book of the same name largely concerned with DRM.

deCSS
A crack to remove CSS encryption (thus, "de-CSS") from DVD video. The quick emergence of deCSS was an embarrassment to Hollywood and rightly discredited the sort of closed-door, secret process by which the weak CSS scheme was developed. Residential broadband Internet connections, DVD burners and DVD copying software are easily accessible so this is a practical problem, though there is little data on the associated revenue loss. The studios are taking no chances with the next generation, building much heavier security into both HD-DVD and Blu-ray formats.
Design by Lawyer
A paradigm according to which technology is designed, not to actually work (i.e. accomplish common-sense objectives), but to make sure that there is someone to sue when it fails. Sometimes this takes the form of laughable "protection" measures which are trivially circumventable but - gotcha! - you can't circumvent them without violating the DMCA.
Design by Politician
Although most politicians are lawyers, this is even more dangerous than design by lawyer, because politicians can force manufacturers - and thereby consumers - to use their bad designs through legislation. While a notable previous American attempt - the Hollings Bill - went nowhere, an arguably equally misguided proposal was endorsed by the FCC in fall 2003, as described in our entry on the Broadcast Flag (though fortunately it was overturned later).
Device Bridge
Term adopted by Microsoft in 2006 for a protected content transfer link between Microsoft devices, formerly known as CopyFromDevice (CFD). It is a quick copy mechanism used for content transfer, as opposed to real-time streaming. It debuted (at least under that name) along with the Zune portable media player, and is used for the wireless sharing feature of the Zune.
DFAST
"Dynamic Feedback Arrangement Scrambling Technique". An encryption mechanism used in the digital set-top box arena, invented by CableLabs and licensed from them (with a little encouragement from the FCC).
Digibox
An interesting bit of history: an early (1995) bit of DRM-related Intellectual Property from Electronic Publishing Resources, which later became Intertrust. A copy of the paper from Usenix can be found here.
Digital
Represented by discrete values such as 1 and 0, as opposed to the continuously varying values of the analog domain. From a DRM perspective, the significance of a digital representation is that collections of 1s and 0s - such as, say, DVD movies - can be transmitted and copied perfectly for many generations. Add personal computers and hackers to the mix, and digital content piracy becomes so easy and potentially damaging that Digital Rights Management technologies are required.
Digital Asset Management (DAM)
The art and technology of managing large, complex, evolving collections of digital assets, such as the file sets of a large Web site, or a collection of media files which can be distributed over the Internet. Many content owners, trying to make content available on line, have found that large-scale DAM is a difficult obstacle which must be addressed for a site to be viable, whether DRM is also involved or not. This is especially true when the content has complex licensing or royalty requirements, some of which may have been negotiated years ago without taking Internet distribution into account. Software to automate DAM processes is available from companies such as picdar.
Digitalgoods
A defunct provider of DRM technology for eBooks. For more information see Softlock.
Digital Living Network Alliance
Formerly known as the Digital Home Working Group, a consortium which seems to be promoting interoperable home media networking, including DRM capabilities. I say "seems to be" because you have to pony up thousands of dollars a year or more to join and find out what they are really up to. This is arguably not a good way to get a critical mass of adoption. However, their support from Intel and alignment with DTCP seem to be moving them in a reasonable direction. Microsoft is also a member, and is pushing hard for inclusion of their own otherwise-proprietary WMDRM-ND interconnect scheme as well as DTCP.
Digital Media Project
A multidisciplinary advocacy group led by Leonardo Chiariglione, which is trying to help digital media out of its current technical, legal, and commercial log-jams, but without much effect. The group has very little commercial support; their initial wide-ranging Digital Media Manifesto document provided a useful vision and in 2005 they published more practical specifications, but nobody with any commercial clout seems to care.
Digital Millennium Copyright Act (DMCA)
The DMCA is legislation passed in the USA in 1998. It attempts to bring copyright legislation into the Internet age, but many observers feel that it tilts the balance of power way too far in favor of copyright holders. The Electronic Frontier Foundation has an html copy here. The DMCA is immensely controversial and is covered in more detail on our DRM Policy Page.
DPRL (Digital Property Rights Language)
An early Rights Expression Language developed by a team led by Mark Stefik at the Xerox Palo Alto Research Center. DPRL was conceived before XML became the clear choice for metadata in general and Rights Expression in particular. Although XML implementations of DPRL were proposed, today DPRL is a historical artifact whose concepts have been adopted by XRML and ODRL.
Digital Rights Management (DRM)
See our what is DRM page.
Digital Transmission Content Protection (DTCP)
A proposed encryption mechanism for use on advanced digital interconnect joining consumer electronics and PCs, sponsored by the 5C entity. The thinking is that unencrypted media transmitted over standardized high-speed digital interconnect such as IEEE 1394 (or IP over high-speed Ethernet) is easily intercepted for piracy purposes, so it should never be allowed "in the clear", even between two boxes in a consumer's home.
Digital Transmission Licensing Administrator (DTLA)
Apparently, to judge by the Web site, the same organization as - or the outward face of - the 5C Entity. Also apparent from the Web site is that they only have one thing to license, DTCP.
Digital Versatile Disk (DVD)
Also known as Digital Video Disk. The hugely popular plastic-disk format for home viewing of movies using the MPEG-2 codec. It was the first mass-entertainment medium to feature encryption, although the security design was poor and was cracked soon after the format became common. The emergence of home PC-based DVD Recorders has movie studios afraid that the same large-scale copying that goes on with Audio CDs will happen with DVDs as well. Constrained as they are by backward compatibility with Consumer Electronics DVD players, they can't stop this technologically in the current generation. Since DVDs account for almost half of movie studio revenue currently anyway, it's hard to be too sympathetic.

Jim Taylor maintains the authoritative DVD FAQ.

The next high-definition generation of video disk technology, just coming to market, presents the opportunity to fix shortcomings in DRM and other areas. However, there is the usual squabbling between opposing camps (Blu Ray and HD-DVD) which, combined with other factors, makes mass adoption of the next generation seem unlikely before 2008 at the earliest. Indeed, early Blu Ray players have been released before all the standards involved are ironed out, creating a significant risk to consumers. The two camps do agree on using AACS for DRM.

Digital World Services
A European digital content distribution company best known for attempting to make Napster "go straight", by developing a DRM system for Napster at the request of their mutual parent company, Bertelsmann. Within the culture of Napster it is doubtful that any DRM technology could have succeeded, but Napster died for other reasons before we had a chance to find out. Since then they have apparently changed their focus to DRM-agnostic distribution of content such as university textbooks.
Diversity
Deliberate variation between individual instances of something - typically software code or digital media - designed to make it traceable and/or to make it resistant to fixed-function attack tools such as cracks.
DivX
1) A media technology company originally focused on a codec of the same name, which, years ago, offered the best compression efficiency and was favored by the technical PC "underground" crowd. Recently, more efficient codecs such as H.264 have emerged, so DivX has adapted by providing other parts of the solution as well. There was a 2006 DRM deal with Google but Google cancelled their DRMed video service in 2007.
2) A consumer electronics company that made "trick" DVD players that called home in the late 1990s. Encrypted DVDs were used that didn't need to be returned to video stores, since their play periods were controlled by DRM technology in the players. Although the technology apparently worked as intended, commercial factors killed them in 1999. Most notably, the requirement that consumers buy a special (and more expensive, and harder to find) DVD player resulted in adoption rates too low to sustain the company. Some of their executives bounced back to found Cinea.
Document Object Identifier (DOI)
A proposal for a sort of Internet Dewey Decimal System which could provide unique identifiers for intellectual property on the Internet.
Dongle
A pocket-size PC peripheral hardware device. Today the term can loosely cover any such device, including simple USB key chain memories. Historically, dongles were hardware anti-piracy devices which had to be plugged in for a specific software application to run on a given machine. Dongles from companies such as Aladdin or Rainbow were typically associated with expensive CAD (Computer-Aided Design) software packages. Dongles are considered very inconvenient and are widely cracked anyway. As a result, most companies which sell dongle DRM solutions also have software-only DRM solutions. Some companies are also packaging more capable smart card technology in dongle-like packages such as key chain-sized USB plug-ins. This provides many of the benefits of a traditional smart-card without requiring a separate reader peripheral on a PC.
Domain
A collection of devices which support protected media and which can share the media, and a single license for that media, in such a way that the user can access protected content on any of the devices. Technically, this is quite hard to do when the content and license are stored on the user's device. Only two DRM ecosystems currently support domains, Marlin and PlayReady.
Dublin Core
A group of standards from the "Dublin Core Metadata Initiative" which address various aspects of Internet metadata. The group predates XML and has no inherent relation to DRM. Recently they have focused on XML implementations which are of particular interest in the publishing industry.
DVD-Audio
A variation of DVD which provides high-quality digital multichannel audio. (The DVD-Audio version of Philip Glass' "Koyaanisqatsi" is astounding on high-end gear.) It competed with Sony's SACD format, and neither is winning in the marketplace - they are virtually historical collector's items as of early 2008. (For instance, your scribe knows no-one else who buys or listens to such disks). Unlike the older Audio CD format, DVD-audio does have built-in copy protection using CPPM as specified by the 4C Entity. There are no material cracks, due largely to the closed-platform approach where raw digital outputs are prohibited. This lack of copying ability is probably one reason for the format's very limited uptake.
DVD Jon
Jon Lech Johansen, the Scandinavian who famously cracked CSS as a teenager and has been a thorn in the side of copy protection advocates ever since. He has a record of consistently cracking DRM schemes, often with highly skilled help. In early 2005 he managed to design an iTunes client that can buy songs without DRM from the iTunes store. Later that year he surprised many observers by moving to the USA to work for Michael Robertson. Since Hollywood would love to see this guy in jail, you'd think he'd retire from activities which violate the DMCA. However, since he recently registered the domain deaacs.com, this seems unlikely. In 2006 he started out on his own, trying to make a legitimate business of applying his reverse-engineering skills to interoperability via DoubleTwist Ventures, and shortly after that he moved back to Denmark.

E

 
ecosystem
(Better expressed as "Content Ecosystem" or "DRM ecosystem".) A sizable system of managed content distribution using a consistent technology base including DRM. By this definition there are only three ecosystems worth talking about: iTunes, Windows Media, and the Open Mobile Alliance. (Well, maybe four, since the Zune has its own ecosystem as well.) Ecosystems are very important because it is very hard to live outside of one. For example, it is much simpler for content owners to license their content on a per-ecosystem basis, because that way they don't have to do costly and difficult due diligence on a wide variety of content technologies - the ecosystems build that in via licensing rules for the participants. This can make life difficult for vendors of DRM technology who are not part of such an ecosystem.

It's worth noting that all of the ecosystems above are concerned with consumer media. There are no significant ecosystems yet for software DRM or Enterprise DRM.

Electronic Book (eBook)
A book in electronic form, such as Adobe's Portable Document Format or the Open eBook Format. The term can also be applied to a physical, dedicated electronic book appliance, although the history of such appliances is not encouraging. After the death of the GemStar eBook and Barnes and Noble's withdrawal from the eBook content market in 2003, it took years for other attempts at hardware eBooks in the form of the Sony Reader in 2006, and then the Kindle from Amazon in 2007. The eBook market has been slow to take off due to consumer reluctance, piracy concerns, and a fragmented market with no useful standards. (The Kindle, for example, will not read PDFs). There has been some progress on content availability, such as from The British Library, and with classic titles from some traditional publishers.

eBooks need DRM, at least some of the time, but the challenges of DRM are really not the main stumbling block here. Consumers are rightly suspicious of appliances which tie them to non-standard content formats - history shows that in a few years they will have a door-stop and a collection of useless files. A physical book still makes a lot more sense for most people.

Electronic Frontier Foundation (EFF)
The EFF is an advocacy group based in California which seeks to protect principles such as free speech and privacy on the Internet. They oppose DRM in general and limitations on copying digital goods (or sharing information about related security technology) in particular. They have a reasonably well-written diatribe against music DRM here. I want to like these guys; they seem to be on the side of the common man. But their idealism works against them; if Hollywood overstates the case by depicting copying as evil piracy, the EFF equally overstates the case by insisting that ALL copy control is evil. A world without any copy control would effectively eliminate the main business model of the entertainment industry and, therefore, as a matter of American political reality, is NOT going to happen, period. Their record in legal battles is also uneven, as this Register article demonstrates.
Electronic Media Management System (EMMS)
IBM's offering in the consumer DRM space, now long defunct. It had no significant content portal wins except in Japan shortly after the year 2000.
Electronic Software Distribution (ESD)
As the name implies, ESD is the distribution of software by electronic means - typically the Internet - as opposed to physical means such as CD-ROM. In itself, transferring software files is fairly trivial; it can be accomplished by simple FTP or browser-based download. This is why there aren't any pure ESD products left; Ziplock from the late 90's was probably the last one standing. In the consumer world today, Steam is the spiritual successor to ZipLock.
End User License Agreement (EULA)
An agreement between a user of software and the software vendor, which specifies the terms and conditions for use of the software. In practice, most EULAs are "click-through" steps at software installation time, where users glance briefly at pages of lawyer-speak before shrugging and clicking "accept". In principle a EULA is a contract, in which the software supplier can specify arbitrary terms and conditions - notably, ones which remove the user's rights such as Fair Use normally associated with copyright. However, unlike a conventional contract, a EULA permits no negotiation. Recent trends in EULAs have been disturbing; for example, setting the stage for remote, unstoppable "updates" pushed to a user's machine whether they want it or not. It's clear that the current state is transitional, but not yet clear when and how the use of EULAs or similar instruments will stabilize.
Enterprise
With online music DRM being a very vertical market dominated by a few huge, conservative players, and not many other promising applications in sight, the enterprise has been targeted for another wave of DRM solutions. This makes some sense; at the very least, most participants in an Enterprise value chain either want (or can live with) DRM, whereas it is viewed negatively in most consumer applications. Regulatory requirements around privacy, which apply to enterprise documents more than popular media, are another driving factor. Authentica is probably the foremost provider in this space currently. It's worth noting the elephant in this particular room: most participants in this space are basing their offerings - or at least some of them - on Microsoft's Windows Rights Management Services. Those who aren't have to convince their customers they have a better idea - which might be true, but requires more selling.
Envelope
A general-purpose content encrypt/decrypt capability introduced as a new feature in Microsoft's PlayReady DRM technology. It is content agnostic and lets a software application developer open and seek into encrypted files using APIs provided by the PlayReady Porting Kit. The previous WMDRM-PD technology assumed that the content being protected was audio/video media. Envelopes use 128-bit AES encryption, unlike the simpler Cocktail used by WMDRM.
Entriq
A company that doesn't apparently build DRM per se, but builds all the infrastructure around it, such as billing, distribution etc. Evidently the brainchild of a successful parent company in the pay-TV business looking to expand its markets. Companies like this are a sign that the digital content market is maturing. Whether this one will be seen as added value for content owners who don't want to worry about the details of (say) Windows Media Player DRM, or as an unnecessary middleman, remains to be seen.
Everywhere Internet Audio (EIA)
A concept for wireless, Internet-connected music players (Blackberry meets iPod) based on a subscription model where piracy is impossible. (More from BusinessWeek here). From a user's perspective, this seems to lose the concept of OWNING music, and may not be accepted on that basis. And, at least per information published so far, if the system is inherently more secure, it presumably comes at the price of no user-accessible digital inputs or outputs. As well, it requires drastic changes in music business models. But since drastic changes in music business models are required anyway, this may contain elements of the "right" solution.
Executable
A binary file which can be directly executed by the central processor of a computer, such as an Intel Pentium processor. (Executables may also contain virtual instructions for execution on virtual machines such as the Java Virtual Machine; however, for reasons of efficiency and security, DRM is rarely applied to virtual code.) From a DRM perspective, although all content rendering necessarily involves executable code, it makes a difference whether the executable code itself is the controlled content - say, a demo of a game - or whether the content is a media file, played by a standard media player executable. This latter is the Player / Asset model. Because an executable file can have non-trivial "hidden" behavior, it turns out that it is technically more feasible to add DRM functions - both protection functions and consumer-desired functions - to executable content, than to media content. This is one reason why some software DRM technologies - such as those from Trymedia and (once upon a time) Netactive - have a more convincing security record than media DRM technologies.
Exploit
An automated tool, developed by a hacker and used to perform malicious attacks on computer systems. Exploits are usually scripts which attack ("exploit") software weaknesses over a network, and so are of more concern in network security than in DRM. Cracks on the other hand, are usually applied directly, to maliciously modify locally accessible code, and so are of direct concern in DRM systems. Producing an exploit may require considerable expertise, but using it unfortunately does not. (See script kiddies.)
Extensible Markup Language (XML)
A subset of Standard Generalized Markup Language (SGML), a widely used international text processing standard. XML has enjoyed tremendous uptake as the standard metadata language for the Web and in particular has become the basis for other standards such as XRML. For more information, see http://www.w3.org/XML/.

F

 
fade
An interesting software anti-copy idea from Macrovision: let copies happen but arrange for subtle side-effects of the copying to degrade the software (usually a game) over time in such a way that users will get enough of a taste to like the game, but have to go buy it to continue. As an idea it's relatively obvious - your scribe had a few over-beer discussions that touched on it in the late 90's - but credit to Macrovision for actually doing something with the idea. As always, the devil is in the details... if the system is used with high-value content, you can bet that highly-talented hackers will be trying to take it apart.
Fair Dealing
The term used in Canada and several other British-influenced countries for what is called fair use in the United States.
fairplay
The term Apple uses for the DRM technology in their iTunes Music Service launched in spring 2003. Fairplay does control what can be done with music files, and restricts them to a world of Apple formats and portable audio players... but other than that it is easily the most reasonable and flexible music DRM technology in widespread use. It supports play on several computers and an unlimited number of iPod portable players, as well as burning regular Red Book Audio CDs. Little has been made public about its internals. It is clear that security was less of a priority than usability in its design.
Fair Use
Fair Use is a principle of copyright law in most parts of the world, though it does not usually go by that name outside the USA. It explicitly allows copying of copyrighted goods under specific circumstances, such as quoting a book in a review, or making a copy of an audio recording for personal domestic use. Unfortunately, the line between legitimate fair use and piracy is usually a matter of USER INTENT, which no technology can determine. As a result, content protection technologies cannot - even in principle - exactly preserve the current notion of Fair Use and still offer robust content protection. Most likely, the technology capability will evolve and the practical definition of "Fair Use" will also evolve, to some middle ground acceptable to consumers and copyright holders. More background on this is found on our DRM Policy page.
fairuse4wm
A crack for Windows Media DRM, released in summer 2006, which removes the DRM encryption from the Windows Media Player files on a user's PC. Developed by a hacker known as Viodentia, it is a command-line utility which uses Windows Media Player (version 10 or 11) as part of its dirty work in an apparent key discovery attack. In fairness to Microsoft, several crack-free years went by prior to this problem, which is a considerable accomplishment in the space. Within a week Microsoft had issued a patch and the crackers had issued an "upgraded" crack which circumvented the patch. The cat and mouse game never ends ;-).
Federal Communications Commission (FCC)
The leading regulatory body for telecommunications and broadcasting in the United States. Their 2003 broadcast flag ruling placed them in the midst of the DRM debate. About a year later, they stirred the pot further in a ruling that approved Specific DRM Technologies (pdf) which provided limited copying even in the face of the Broadcast Flag, despite serious opposition from content owners. It is debatable whether a government organization such as the FCC should be in the business of approving specific technologies (see design by lawyer). The particular list approved is also debatable: reportedly, all of the submitted technologies were approved, making one wonder whether there was a meaningful evaluation process.

However this ruling is encouraging in two respects. It shows that content owners do not always win in Washington. It is also the first meaningful step towards a definition of fair use which can be implemented by available technology.

Federated Network Identity
A multi-vendor standards effort led by Sun for emerging technology that gives users the benefit of single sign-on and extends it across varied Web sites, operating systems, applications etc. In the limit, such a system would require only one logon and password for anything a computer user might want to do anywhere in the world. We are a long way from this vision currently, for both technical and commercial reasons. Such a scheme could couple nicely to identity for DRM purposes. There was even a moment when (gasp!) Sun and Microsoft were co-operating in this arena.
Federation Against Software Theft (FAST)
A British advocacy group promoting the respect of software copyrights (and thus, obviously, opposing piracy). According to them, it is "also unique in that it is the only association in the world that represents both software publishers and end users."
Fingerprint
1) Generally, a unique or pseudo-unique identifier associated with a specific machine, user, item of content, or a combination thereof. Depending on the implementation, fingerprints can be used to aid in authentication of users, or to tag a piece of downloaded digital content to associate it with a specific user. In some cases fingerprints are managed as explicit data items, and in others, they can be produced at will (close to the biological case) from any suitable media file with no special requirements on the file. This is a probabilistic process that makes a different tradeoff than watermarks which, when present and detected, are always accurate. See also UID, traceability.

2) Specific term of art for technology that recognizes commercial content (specifically music) "on-the-fly", even when that content has no inherent DRM or metadata. One promised application is that it could help P2P companies go straight by recognizing copyrighted music. Here's an example from the company Gracenote.

Firmware
Special-purpose, low-level software contained on (permanent or periodically updateable) hardware chips. Historically, firmware has been below the radar in the DRM world, but this is changing. The BIOS on game consoles, and, soon, PCs, is involved in DRM. As media-capable systems such as PCs and PVRs become more complex, increasingly the media streams are controlled by firmware on peripheral devices. An overall system which needs robust DRM, therefore needs robust firmware as well. For example, a video card might be induced by corrupt firmware to ignore the Broadcast Flag. As increasingly comprehensive content protection requirements like HCDP come into force, manufacturers will be called upon to certify that their firmware is protected, authenticated etc. This presents some new issues; for example, an HDTV tuner card which supported Open Source driver firmware might be forced to discontinue that support in order to ensure that the card's behavior could not be changed in non-compliant ways.
Forensic
Applicable to questions which are of interest to the legal system. Some DRM-related technologies, notably watermarks, are well-suited to forensic applications i.e. establishing that specific content is obtained (perhaps fraudulently) from a particular source. Notably, forensic measures do not prevent unlicensed use of content, but they can help establish that such use has taken place.
Format
The layout of a digital asset such as physical media (CD/DVD), or of files containing video or music. In the PC world, file formats are more logical than physical and usually correspond to file extensions e.g. .rm for RealMedia files. Note that, MP3 files aside, file formats are NOT necessarily the same as media codecs; for example, Microsoft's .avi file format supports multiple codecs, via a four-character code which identifies the required codec for any given piece of media. This has enabled third parties to supply extensions for many codecs (not always with Microsoft's approval, but that's another story.)
Forward Lock
A function of the early 1.0 implementation of OMA DRM, found in some cell phones circa 2004. Forward lock simply prevents a user from forwarding (presumably DRM-protected and paid-for) content - it's locked into the phone. It got a bad rap when it turned out that some implementations prevented people from forwarding their own content, like personal photos.
Fragile
Easily broken, by design intent. Usually such fragility serves a larger purpose which makes the overall system more reliable. For example, some smart cards are designed so that their internal components will usually break if anyone attempts to remove them from their housing - which is preferable to having an attacker discover sensitive private information or reverse-engineer the card's technical secrets. Similarly some types of watermarks are designed to be fragile i.e. to get "lost" from the data when it is converted from digital to analog and back. See also robust.
Fravia
Fravia was one of the foremost underground experts on reverse engineering of PC software in the 1990s. His "Fravias pages of reverse engineering" was a favorite haunt of both black hats and DRM system designers. The site contained many tutorials on how to crack security schemes such as TBYB functions in PC games. Reputedly a Dutchman, Fravia had a philosophical side and decided in the late 1990's that his efforts were, on balance, being misused. All that is left now of his work is unreliable archives such as this one (link may be broken).
Fritz Chip
A security ("Trusted Platform Module") chip named after American Senator Fritz Hollings, a staunch political ally of the entertainment industry, who favors mandatory inclusion of such devices in Personal Computers. He sponsored a Senate Bill proposing such mandatory inclusion, which died in early 2003. Chips in the same spirit are still being built under the auspices of the Next Generation Secure Computing Base, but the will to force mass deployment of them seems to be waning. It is unlikely that anyone would deliberately buy the chip as an extra-cost option, except perhaps if the chip provided real security improvements in an enterprise environment, which seems a long way off.
In the consumer arena such chips have yet to find any demand.

G

 
Global Release Identifier (GRID)
A Unique Identifier for content proposed by the music industry in 2002. Sponsored by the RIAA and IFPI, it is an 18 character alphanumeric code administered for global uniqueness. Judging by the complete lack of visible activity since 2003, it seems not to have caught on. It was apparently intended for multiple uses e.g. multi-tier distribution, identification of content in DRM systems etc.
Globally Unique Identifier (GUID)

1) A software Unique Identifier which is guaranteed to be unique world-wide. Often, such GUIDs are created on the fly, and in these cases their uniqueness is guaranteed by using unique local attributes available to software, such as network MAC addresses.

2) Sometimes in the DRM domain, especially Windows Media DRM, a GUID is a pre-defined "magic number" which specifies (usually in a content license) specific protections for an item of content. Such GUIDs are simply hard-to-understand shorthand for specific software control requests e.g. "turn on CGMS".

H

 
hacker
A person with both the skills and inclination to learn about - and possibly circumvent - various forms of computer security, including network security and DRM. The most famous hacker of all time, Kevin Mitnick, personifies the common confusions about hackers. Are they predominantly just curious or are they master criminals? There is also debate about related terms e.g. is a "cracker" a bad hacker? For the purposes of this site, we avoid such debates and regard hackers as people with certain skills who aren't predominantly good or bad. Those who choose to use their skills constructively are commonly referred to as white hats and those who go to the dark side are black hats. Information on a few of the most famous hackers can be found on this hacker bio page by Cap'n Crunch of 2600 fame.
HANA
The High-Definition Audio-Video Network Alliance, an industry consortium promoting in-home media networking. Their basic approach seems to be to standardize the network layer (Firewire aka IEEE 1394) and the UI layer, whereby any media device can present a UI over FireWire using Web interfaces. It's not a bad idea, but there is very little mention of DRM or content protection, and the DLNA, which takes a quite different approach, seems to be more widely known currently. A comparison of the two approaches can be found here.
Harmony
Technology from Real Networks which allows their media player to render content protected by DRM systems other than their own - i.e. interoperable DRM. Trouble is, none of the owners of those other DRM systems actually want to interoperate, so Real had to do it by reverse-engineering, raising a legal onslaught (e.g. on the basis of the DMCA) that may drown the initiative. An ongoing cat-and-mouse game between Real and Apple, in particular, changes too quickly to track here.
HD-DVD
High Definition DVD - which sounds like a generic term but isn't. It is one of two high-definition video formats (it lost in early 2008 to its rival Blu Ray) battling it out to replace the current MPEG2/CSS based DVD technology. Both use AACS with related enhancements for content protection. HD-DVD is notably backed by Microsoft, which is using the format in its XBox 360 game console.
Helix
The media DRM technology from Real Networks. Real Networks was notable for trying to make their DRM interoperate with others (see Harmony), without much success. Although Helix still exists, Real no longer sells it as a product, preferring to use it as an internal part of their service offerings.
High bandwidth Digital Content Protection (HDCP)
A content protection scheme for digital video links licensed by an Intel-led consortium. Here is a publicly available version of the specification.
High Definition Multimedia Interface (HDMI)
A physical interface specification that takes the existing DVI digital video interface and adds multi-channel digital audio. HDMI has evolved in recent years and consumers have been stung by not having the right version of HDMI at both ends of a connection. The DRM connection is that HDMI supports the HDCP link protection scheme. The latest (as of early 2008) version 1.3 of the spec is described here.
H.264
A video codec with breakthrough compression factors that is doing for video what MP3 did for music - scaring the hell out of media owners by making downloading movies a practical proposition. Otherwise known as MPEG-4 Part 10 or AVC, it offers video compression with a 60% reduction in bit rate compared with MPEG-2 for the same quality and resolution. Both H.264 and Microsoft's son-of-WMP9 VC-1 codec are listed as mandatory support codecs for Blu-Ray and HD-DVD.

I

 
iMesh
One of a crop of sites trying to legitimize peer-to-peer by marrying it to DRM. From a user's point of view it's hard to see how this is more appealing than, say, the iTunes Music Store. Theoretically such systems could allow users to get a cut on super-distributed tunes, though this doesn't seem to be actually implemented anywhere yet.
Indirect License Acquisition (ILA)
A process by which a media player device - typically a portable one which does not have a permanent network connection - acquires a license to play a particular piece of media using an intermediary device such as a PC. The intermediary device might either create such a license itself, or engage in an Internet-based acquisition process on the portable player's behalf.
info2clear
A European DRM technology company specializing in eBooks and enterprise document markets. Their SecureAttachment product has an interesting spin relative to peers such as Authentica: it incorporates automated conversion of various document types to PDF, so that recipients of outbound documents don't need any specific software other than a recent copy of Acrobat Reader.
Information Rights Management (IRM)
Marketing-speak from Microsoft, at least with respect to enterprise DRM functions such as those in Office 2003. See their explanation here.
Installshield
The leading third-party supplier of installation software for PCs, with which almost any PC user is familiar. The DRM connection is that they were bought by Macrovision in 2004. The possible synergy between installation and software DRM is obvious. Most software developers already use Installshield and it is much easier for them to try DRM options in a product they already know, than to evaluate separate DRM products from small, shaky startups. It's not obvious how Macrovision has leveraged the acquisition so far.
Intellectual Property (IP)
The ownable fruit of someone's mental efforts. There are many forms of Intellectual Property, notably patents, trade secrets, copyrights, and trademarks. For the form that most affects DRM, see the entry on patents. Music and movies are IP too; see also licensing.
Interactive Music Network
A European consortium which, to quote their Web site: "..is a Centre of Excellence to bring the music industry, content providers and research institutions together. The MUSICNETWORK draws on the assets and mutual interests of these actors to exploit the potential of new technologies, tools, products, formats and models." DRM is one of the group's core interests, and they have a free sign-up providing access to related bulletins and discussion boards. Recommended for anyone wishing to understand DRM and music, or who is looking for a European perspective.
International Organization for Standardization (ISO)
An international standards body established in 1947, responsible for standards such as MPEG.
Internet Relay Chat (IRC)
One of the earliest Internet "chat" programs, with roots going back to the 1980s. Through the 1990s and even now, IRC has been a favorite hangout for hackers of all stripes. IRC is better suited to their activities than the Web, because conversations are transient by nature and can be restricted to known parties. IRC is a good place to gain insight into cracking activities, but it is generally true that cracks which never get outside IRC have little economic impact. For more, see their classic FAQ.
Internet Streaming Media Alliance (ISMA)
An industry consortium including major heavy-hitters, notably excluding Microsoft, devoted to promoting streaming technology, particularly DRM. They have a streaming media protection standard. The good news is that the standard requires no licensing. The bad news is that you have to pay to get a copy (or pay a lot more to join the group).
interoperability
The ability of different types of computers, networks, operating systems, and applications to work together effectively, without prior communication, in order to exchange information in a useful and meaningful manner. DRM systems are not meaningfully interoperable today. Worse, although there are organizations promoting interoperability, the vast majority of them are either inactive, ineffective, or more interested in promoting a particular pool of patents than in true interoperability.

Some vendors, notably Real Networks, tried providing a simulation of interoperability by simply building-in several proprietary systems under one user interface. However, since they did it by reverse-engineering rather than licensing Apple's technology, Apple changed their technology to break Real's system and also sued them under the DMCA. Meanwhile, those pesky Europeans are pushing for interoperability themselves, at the content licensing and technology levels.

InterTrust
At one time the largest of the pure DRM companies, with no products to speak of but a huge patent portfolio and a long history of suing DRM technology providers, including Microsoft. The company - which is to say the patents - was bought by Sony and Philips in November 2002. Fast-forward to 2004, and Microsoft makes a settlement of over $400 million to get out of court. Not coincidentally, that amount is a bit more than was paid for the company. More details are on the DRM Technology Vendors page.
iPod
The best portable music player in the world and a compelling argument that even though DRM is inherently imperfect, good products can make intelligent use of DRM and thrive. There are several iPods in my family. It's brilliant. So is the integration of iTunes software with the iPod and the iTunes music store. Buying CDs suddenly looks a lot less attractive. Success has made them a target: their FairPlay DRM is cracked with some regularity, and Microsoft tried to emulate their plug-and-play simplicity with the now-defunct PlaysForSure program.
IPTV
TV delivered over the Internet Protocol - that is to say, in Internet-style packets as opposed to the fixed-bandwidth-per-channel approach traditionally used in broadcast and cable television systems. IPTV has a number of theoretical advantages, notably that the concept of a "channel" becomes virtual. However, for IPTV to become well entrenched involves many factors, only one of which is DRM. It is a disruptive technology trying to replace incumbents - usually both incumbents in set-top technology and incumbents in service provision. Today, its biggest proponents are telcos who wish to deploy it over DSL in order to capture revenue streams which they would otherwise lose to cable companies. Whether consumers will love it remains to be seen. It also remains to be seen whether the security technology, which is predominantly based on software as opposed to the traditional POD hardware, is adequately secure in the long run. The leading providers of IPTV technology include giants such as Microsoft and Siemens, and smaller players such as BitBand.
iTunes
Apple's highly successful debut in the legitimate on-line music business, which has provided a benchmark for others to follow. Unlike many of its competitors iTunes focuses on selling music per-download rather than as a monthly subscription service. A relatively impartial technical review of iTunes from MusicNetwork can be found here.

J

 
Janus
Code name for new DRM functionality introduced in Microsoft's Windows Media Player 10, officially known as "Windows Media Digital Rights Management for Portable Devices." In essence, it gives content providers more control of content in space and time. For instance, it enables content to be revoked on time-based expiry even if the content has been moved to secondary devices such as portable media players. Media producers like the idea, and it does enable an "all-you-can-eat" subscription model. However, some observers think removing capability consumers already have is hardly progress.
Java
The popular programming language from Sun. Actually, it's more than a language; running a Java program also requires a special environment - at a minimum, an interpreter that converts standard Java byte codes into the native instructions of the actual processor at hand. This gives Java excellent portability. In recent years Java has been fragmented and shaped by legal rivalry between Sun and Microsoft, and is not always found on Microsoft PCs, but is becoming the platform of choice for smaller devices such as cell-phones and set-top boxes.

Because Java's byte-code structure is well-known and trivially reverse-engineerable, it has traditionally been regarded as impossible to meet the security requirements for persistent DRM in Java. Sun themselves have announced their intention to market DRM for Java applications, and made some related acquisitions, but nothing seems to have come of it.

Johansen, Jon Lech
See DVD Jon
Joint Photographic Experts Group (JPEG)
A standard for compressing digital still images, widely used on the World Wide Web. JPEG images on the Web are easily stolen, but since their value is limited few DRM technologies address Web images (fewer still with the death of Elisar in December 2003.) Most JPEG image owners either ignore the issue or use watermarks in their images so that large-scale or commercial theft can be deterred.

K

 
Kaspersky, Kris
One of the better-known security experts in the DRM technology arena. Kris has several books relating to either building copy-protection schemes, or cracking them. He has also built PC anti-copy schemes, but that is a very precarious living (see time to crack), so he has recently moved to the more promising anti-virus business.
kazaa
One of the best-known second-generation peer-to-peer applications. Following in the footsteps of Napster, such systems are more decentralized and thus harder to effectively attack legally. (Although the RIAA is suing them anyway.) Most of them also have modular architectures so that anyone with the required technical skills can create their own components. Pirated content on these networks is still a large concern for content owners.
Key
In cryptography, a special piece of data which enables the creation/encoding and/or decoding of encrypted data. There are many kinds of keys and many kinds of cryptographic systems which use them. Most DRM systems make use of such keys. Sometimes the term is used imprecisely to refer to secret data such as software serial numbers, which are not keys in the above sense. (See also keygen.)
key2audio
An audio CD anti-copy scheme from Sony's media manufacturing subsidiary Sony DADC. Its initial form was supposed to prevent playback on PCs altogether but was cracked with a magic marker. Allegedly, new versions are in the pipe which have better security and some concessions to PC access. It's not clear that any product in this space can gain consumer acceptance, because most consumers simply consider such protected CDs to have much lower value than traditional CDs.
Key Discovery
The discovery of a cryptographic key left "lying around", by an adversary who can then use it to decrypt data that he is not supposed to see - or more generally, obtain content, functionality, or privileges to which he is not entitled. In a typical DRM application on an open platform such as a PC, software retrieves and uses a "key" which can be intercepted either as it is stored (e.g. on disk) or as it is read into the DRM application. Since, with strong cryptography, brute-force guessing of a key is virtually impossible, key discovery is a superior - and more often used - mode of attack. That's why key hiding is often a requirement of DRM Robustness Rules.
Keygen
Short for "key generator". In the field of software piracy, a program which generates usable "keys" (which are typically serial numbers, not keys in the cryptographic sense as above) for a software program which is protected by such a scheme. For example, many shrink-wrapped CDs of PC software have a unique serial number on a piece of paper in the package, and require a valid serial number to install successfully. However, assuming that an off-line install is supported, it must be local code in the install which algorithmically determines the validity of the presented serial number. Such code is routinely reverse engineered to determine the valid serial number algorithm, and that knowledge is then captured as a crack - in this case, a redistributable Keygen program. Indeed, in the trivial case, just using ONE valid serial number - which has perhaps been used and shared by thousands of others - in a replay attack will do the trick.

Keygens and serial number sharing are becoming less useful because more and more applications are using Internet connections, not just local code, to verify the validity and uniqueness of keys and licenses generally. Windows "Product Activation" is the best known example of this.

L

 
LaGrande
A hardware-based Trusted Platform strategy from Intel, slated to place security functions - which could support DRM - into X86 CPUs. Intel appears to have support from key members of the Trusted Computing Group, notably Microsoft.

The impact of LaGrande will be limited until deployment of Prescott with Trusted Platform Module version 1.2 support, and since Vista does not support TPMs, "never" may be the schedule for LaGrande becoming useful.

levy
A special form of directed tax added to the purchase price of certain items. In many Western nations, blank recordable media such as CD-Rs are already subject to levies. (For example, here are the rates in Canada, which notably cover embedded disk drives as well as removable media.) In these cases the proceeds go to compensate the entertainment industry for revenue which, it is assumed, is lost to illegal duplication of copyrighted material using these media.

Levies are very controversial, in general being hated by consumers and liked by entertainment companies. Many consumers argue that the levies penalize legitimate uses of media such as computer system backups. In Germany, levies are in effect for CD writers and DVD writers, and in many places, levies for hard disk drives are in the works.

Another argument against levies is that content owners are trying to have their cake and eat it too. After all, if compensation for artists is built in to the cost of CDRs, that should make such copying legal, so who needs copy control? Indeed, an American observer has interpreted the Canadian levies to mean that Canada Has Declared P2P Downloading Legal. As of spring 2004, File Sharing is actually Legal in Canada, but the underlying ruling was driven by the conflict between music labels and ISPs over consumer privacy, rather than levies (which would actually be a better argument.) Canadian copyright owners are fighting this vigorously, expecting us to pay for online content through sites such as puretracks. As a result, many consumers pay twice, once in the levy and once for the download. Some organized opposition to levies is emerging, notably from consumer electronics companies - see for example the EICTA.

Liberty Alliance
An open consortium dedicated to developing technology for federated network identity. Mainstream DRM today does not use any federated identity schemes, but it seems logical that they will be employed in the future, because they help decouple the identity problem from the content control problem. As of early 2005 erstwhile-competitor Passport abandoned the multi-vendor vision, leaving the field to Liberty if they can sell the idea to the world.
Licensing
Acquiring the right to legitimately use or resell intellectual property. In the world of DRM, licensing is everything, at several levels.

First, of course, if you as a consumer don't have some sort of license for the content you're using, that makes you a content pirate.

The same goes for any on-line media source - the iTunes Music Store gives vast sums of money to the record labels to license the content they distribute.

Then of course there is the matter of licensing the technologies - DRM and otherwise - which are involved in encoding, delivering, and playing the media in question. A few companies - notably Intertrust, Microsoft, and Sony - collectively own huge pools of DRM-related patents. It's hard to run a content Web Site - or design DRM technology - without the risk of infringing, or being accused of infringing, some of these patents.

All this means that creating an online media site with a critical mass of legitimately licensed content, using technology which is both user-friendly and not likely to cause lawsuits, is incredibly difficult. This is one of the reasons why legitimate online music distribution is restricted to a small number of large sites such as Rhapsody, most of which are part of larger DRM Ecosystems. Smaller players simply don't have the leverage and budgets required to license large amounts of content. It's also the main reason that such services have been much slower to develop outside the United States - licensing for other countries drags in a whole new team of lawyers, which is not justifiable until some success in domestic markets is demonstrated.

Lightweight Digital Rights Management (LWDRM)
An initiative from the Fraunhofer Institute - generally regarded as the inventors of MP3 - to provide DRM that still allows fair use. As announced so far, it consists of forensic watermarks which allow content to be traced but does not stop copying. The theory is that benign sharing (e.g. among family members) will continue unimpeded, but that users would hesitate to put such content traceable to them on, for example, peer-to-peer systems. Although the philosophy is appealing, the system is complex - involving two levels of file formats, AES encryption, and different watermarking requirements for different codecs such as MPEG-4, MP3 etc. Further, the system would need to be fairly ubiquitous to be effective. Indeed, it doesn't seem to have gone anywhere since the idea was introduced.
Lightweight Directory Access Protocol (LDAP)
A client-server protocol for accessing a directory service. It is very useful for authenticating users over the Internet through end-user X.509 certificates. Currently, this infrastructure is used mainly in enterprise environments and is considered too heavyweight for public Internet DRM. However, its use in DRM is contemplated, for example by the OpenIPMP project.
Liquid Audio
Liquid Audio was just about the only "vertical" Internet music company. They only did Internet music, and they did all the parts of Internet music, from DRM to players to on-line distribution. They were the first to have PC music player technology which had DRM and was still slick and user-friendly. But Internet music didn't turn into a viable business soon enough, and time has largely passed them by. They sold their patent portfolio to Microsoft in October 2002, and paid out most of their remaining cash to stockholders in January 2003. They appear to be in a zombie state with a Web site still functioning and occasional sniffing at the corpse. It will be merciful when the lights finally go out.
Listen.com
The company that operates the Rhapsody music service, which was bought by Real Networks in April 2003.
LIT
A media format for controlled eBooks from Microsoft. LIT is apparently an encrypted variant of the Open eBook standard. Microsoft touted a number of advantages for LIT over PDF - notably dynamic fitting of books to available screen space. PDF still won the war.
Locklizard
A Scotland-based DRM company which supplies technology to protect software applications and various formats including PDFs and Web content such as online training. They seem to be aiming at small to medium sized organizations who wish to control their IP while still making their material easily available over the Internet, as opposed to mainstream commercial audio and video.
Lossless
Term of art used in the field of digital data compression, and particularly codecs. In a lossless system, binary data can be compressed, stored or transmitted, and decompressed, and the end result will be a binary file that is identical to the original. As a rule, compression schemes used for computer data - such as the Lempel-Ziv algorithm used in WinZip - are lossless, because a computer file - especially a binary executable file - can be rendered useless by even a single bit error. An Intel CPU, unlike a human ear, is not the least bit forgiving. Audio and video codecs, on the other hand, are usually lossy - not because losing data per se is good, but because lossiness allows for much higher degrees of compression. 10x compression is typical of a lossy audio codec whereas 2x is more typical of a lossless compression scheme. Clever design techniques such as perceptual coding are used to ensure that lossy codecs produce results that are of high enough quality for human consumption.
Lossy
The opposite of lossless, as explained above.

M

 
Machine Binding
Technology which limits the use of a particular item of software or digital media to one physical machine, e.g. one particular PC. Usually machine binding is done as part of the licensing process for that item of content. Most content owners like machine binding because it makes piracy more difficult. Unless it is done very carefully though, it is a significant problem for users, who may have difficulty keeping their rights through routine operation such as buying a new PC or upgrading a video card. In part, the difficulty arises from the fact that PCs to date do not have reliable uniquely identifiable information built into the hardware. (Except for Intel's bad experience with CPU Serial Numbers). As a result of this and of the requirement to be tamper resistant, most machine binding systems are ad-hoc, with behavior that can be difficult to predict. If add-on hardware-based security systems such as those proposed by the TCG are widely deployed, they would presumably support robust machine binding in the future.
Macintosh
The love-it-or-hate-it alternative personal computer from Apple, which has often had superior technology and ease-of-use, but has remained a closed system struggling for market share against the Microsoft/Intel PC. The Mac and Apple have stayed on the sidelines in DRM, but this changed with the introduction of a music service in April 2003, as described in our entry on Apple.
Macrovision
Macrovision is an American company which is investing its revenue stream from video anti-copy technology (mostly in VHS VCRs) into other DRM markets, such as their CDS CD anti-copy system, and strategic acquisitions such as Installshield. It didn't hurt that their technology was literally legislated into the market: here's the actual US legislation which does so. They are usually regarded as an ally of Microsoft in the DRM space. More information on Macrovision can be found on our DRM technology Vendor page.
MagicGate
Marketing term used by Sony for their anti-copy technology. The term was used a lot when SDMI started in 1999. More recently it has been mentioned along with Memory Stick flash media cards, their ATRAC codec, and the AnyMusic online music site.
magnatunes
You have to love an on-line music service whose motto is "we are not evil" - a not-so-subtle jab at the RIAA, which is indeed considered evil by quite a few people due to a combination of immensely heavy-handed legal tactics and years of foot-dragging before supporting decent "legitimate" on-line services. Magnatunes is a genuine effort in the direction of direct distribution without DRM of any kind on an honor system - more precisely, using the licensing scheme from the Creative Commons. An interesting experiment.
Marlin Joint Development Association
This is the gang that brought us the Coral Consortium. The twist for Marlin is that they are supporting actual implementations. They are talking about "Community Licensing" and interoperability - but given Intertrust's only asset is DRM IP, where the rubber will really hit the road will be when licensing costs are established. More from CNET here.

In fairness, confusion around interoperability is the norm in DRM. The similar Microsoft-supported Content Reference Forum is a zombie, and the only actual interoperable DRM system to date, Real Networks' Harmony, was torn to shreds by the owners of the technologies it interoperates with. As of early 2008 there are actually some Marlin deployments in the works.

Media-S
Another open source DRM project, formerly known as "ogg-s" because of its initial focus on client-side audio players using the ogg vorbis codec. They take the interesting tack of having a special Commercial license for companies that want to make "non-open" source modifications - presumably for security functions such as obfuscation.
Media Transfer Protocol (MTP)
A protocol and accompanying generic drivers from Microsoft that let PCs talk to hard-disk-based portable media players natively, i.e. without installing product-specific drivers. This gives them plug-and-play capabilities similar to those flash-based devices already enjoy via the Media Storage Class interface - familiar to anyone who has a USB dongle memory on her key chain. In particular MTP is used to transfer media files from a PC to a portable player, and as the link for indirect license acquisition. More details here.
microcode
Extremely low-level logic which is typically used to translate between the binary instruction set of a microprocessor, such as an X86, and the underlying hardware implementation. Which would have nothing to do with DRM, except that in some cases such microcode can be maliciously hacked. To perform such a hack, with any result more devious than an HCF ("Halt and Catch Fire") effect, requires considerable skill, and is hard to do remotely. But such an attack could conceivably circumvent any security measures which relied on the processor preventing certain kinds of operations. Look for these holes to be closed soon.
microtransaction
(Also known as micropayment.) A spontaneous financial transaction for small goods or services, involving very small amounts of money, which can be conducted effortlessly between two parties. Ideally, such a system would work on-line in support of digital goods, would have negligible overhead so amounts of even less than 1 cent could be charged, and would require no prior set-up on the part of customers. While microtransactions have no direct relationship to DRM, microtransaction technology with these attributes would drive the online content business and thus indirectly support DRM. Indeed, some online content distributors have attempted to marry DRM-protected online distribution with their own micropayment schemes. We used to link to an example called "File-Cash" but they apparently died in 2004.

Unfortunately, in spite of many attempts, no commercially significant microtransaction technology has emerged, and there are arguments that this will not change soon, such as the paper The Case Against Micropayments (PDF) by Odlyzko. As for systems in common use, PayPal, as used on eBay, is about as close as we have come so far, especially since they now support payments of $2 or less. Japan seems to be leading the way with cell-phone based alternatives such as FeliCa. See also Prepaid Cards.

mod chip
After-market add-on or replacement integrated circuit chips designed to defeat the hardware security measures in consumer electronics devices, notably video game consoles such as the xBox. A typical mod chip is installed in parallel with the original BIOS chip so the user can selectively run either an original BIOS or a piracy-friendly one which allows the console to run copies produced with a computer's CD or DVD burner, or downloaded to a hard disk off the Internet. Given the huge size of the game console market and the impressive engineering skill in that industry, it is somewhat surprising that mod chips continue to be technically possible. Presumably this is due to a number of factors such as severe cost and code size constraints, business tradeoffs, mass media manufacturing, security knowledge in the industry, and the art of the technically possible. While some mod chips do more than just support piracy (some xBox mod chips make the xBox into a relatively general-purpose PC or Linux box, for instance), they are mostly used to circumvent copy protection measures and as such, are legitimately being challenged under the DMCA.
MP3
MP3 is both an audio codec and an associated file format used for the storage and transmission of high-quality compressed music. Like the word "kleenex", the word MP3 has come to be used very generically - for example, only an engineer would bother correcting someone who called an Apple iPod an "MP3 Player." MP3 is actually the "level 3 audio" part of the MPEG-1 Specification more commonly associated with video. Like most popular audio and video codecs in use today, MP3 achieves high compression by use of perceptual coding techniques. It was the powerful combination of MP3's fast downloads and Napster's easy file sharing that brought Internet music piracy and DRM into the spotlight in the late 1990s. MP3 has been superseded technically by newer codecs, and is not used for paid downloads because it does not inherently support DRM. In 2004, Fraunhofer tried to rehabilitate MP3 by applying DRM to it. But MP3 is the lowest-common-denominator digital format, used today mostly by people who value interoperability and ubiquitous hardware/software support over audiophile quality. Adding DRM to it makes about as much sense as putting a V12 engine in a Hyundai.
MPAA
The Motion Picture Association of America. What the RIAA is to music, the MPAA is to movies. Which is to say, some will call them protectors of free enterprise and intellectual property, and some will call them evil monopolists. If the MPAA has a lower profile currently, it's mostly because stealing movies over the Internet is less prevalent than stealing music, because the files are a lot bigger and less convenient to play. But as the world moves to broadband, they are following in the RIAA's footsteps by, among other things, suing file-swappers.
MPEG
The Moving Picture Experts Group is a working group of the ISO which has defined many standards for audio and video encoding. Their most widely deployed efforts are the MP3 audio codec and the MPEG-2 video encoding used in DVD video disks. MPEG is well respected technically and liked by the open source community. Hollywood studios want to like MPEG because it does not tie them to one media software vendor. The MPEG-4 framework includes the "hooks" (though no implementations) for Digital Rights Management. The emerging MPEG-21 has more support for DRM in the form of approved specifications for a Rights Data Dictionary and Rights Expression language (the latter based on XRML 2.0).

But their technology is not royalty free, and licensing terms are slow to be defined, leaving potential users of the technology to make strategic decisions without knowing what their cost implications may be. It is also complex, though it is sometimes possible to pick and choose the parts you need. In the PC arena, and even Consumer Electronics, MPEG faces a difficult struggle against proprietary formats, with well-defined licensing terms, being marketed by Microsoft and Real Networks. Some have gone so far as to say their latest incarnation, MPEG-4 is Dead.

MPEG LA
The licensing authority for intellectual property portfolios managed by MPEG. The idea is great - a one-stop shop where content owners and infrastructure suppliers can get licenses for current media technologies, including DRM. In practice, it has been a rough road, with the most conspicuous initiative - a patent pool license for OMA DRM - being widely rejected by cellular handset manufacturers.
musicATM
A kiosk that dispenses music on-demand in physical or electronic form at the point of consumption, such as a university residence. This idea has been around for ages... a company called Digital on Demand has been dabbling with it since the days of SDMI. Given cheap broadband and commodity hardware requirements, this isn't expensive infrastructure, so it's a good bet that the slow takeoff of these services is due largely to difficulty in licensing content. That, and existing music stores - one of the most obvious venues - might hesitate to install such machines as they arguably just accelerate their own demise.
Musicmatch
A PC-oriented online music service which started out with a subscription model but announced a 99 cent download model in fall 2003. This has been compared to Apple's popular iTunes service and helps turn the online music market into the free-market competition it should always have been. In a sign of the maturing of the industry (and perhaps the impossibility of making money as a pure on-line music play), they were acquired by Yahoo in fall 2004.
MusicNet
By some measures (notably longevity and tune selection), MusicNet was the most successful music download site on the Internet until 2005. That still left it in the shadow of iTunes. It was originally founded in 1999 as a defensive move by a consortium of music labels. In 2005 they lost the urge to be in the distribution business directly and sold out to a venture capital firm. Since then the site has devolved into a referral site for other music distributors such as HMV.
musicrypt
A Canadian DRM technology company that combines music protection and biometrics. Their Digital Media Distribution System is a secure system for private distribution of music over the Internet, typically from music labels to radio stations. Apparently this and other products use biometric authentication technology from Net Nanny which recognizes individual keyboard usage patterns. The wholesale distribution angle is clever because it addresses a growing market as radio stations increasingly are software-driven. Keyboard biometrics are not exactly high-security (see crossover error rate), but they are publicly traded and may be destined to become a survivor in the field.

N

 
Napster
The program that started the peer-to-peer file-sharing craze. Invented in 1998, it went on-line in 1999 and had millions of users the same year. It also had its first lawsuits the same year, from many major record labels. It was mostly downhill from there. The brand is back, as a paid online music service which is where the link above will take you. The original Napster provided a lesson to the creators of newer P2P applications such as kazaa, who eliminated centralized portions of the Napster architecture. Eliminating these newer P2P systems through legal action is more difficult.
NetActive
A developer of Digital Rights Management technology spun out from Nortel Networks in the late 1990s. They developed a robust, user-friendly Internet-based DRM system for Windows software and later video, but fell victim to the dot-com crash like many of their peers. What's left of the company is dormant while seeking a buyer for its intellectual property. (See disclaimer.)
Netquartz
A DRM technology company from France which apparently died in early 2004. It was founded in 1997 by a group of former Rainbow executives. Their specialty was software and games, built on an unusual "asymmetric execution" security technology which split an application into asymmetric parts and executed the smaller part in a secure virtual machine. In earlier architectures, which were presumably abandoned for performance reasons (or maybe a similar-sounding patent from now-defunct Sospita), a real-time link to a physically separate server was used.
Next Generation Secure Computing Base (NGSCB)
Microsoft's security architecture for "Trusted Computing", which was known by the code name "Palladium" until 2003. It was slated for inclusion in "Longhorn" (now the Vista operating system). However, Microsoft has backpedaled on the contents of Vista, and NGSCB appears to be stalled for now.

It has roots in the Trusted Computing Platform Alliance, with which Microsoft diverged in 2002. In 2003 NGSCB was re-unified with most of the rest of the industry under the banner of the newer Trusted Computing Group. NGSCB aims to establish a "root of trust" in PCs using special software and TPM hardware, and build up through BIOS, trusted peripherals, O/S, media player applications, and so forth. Doubtless, one of the reasons for not including NGSCB in Vista is the requirement for ubiquitous deployment of the TPM hardware, which shows no sign of happening so far.

Another reason for the delay may be the considerable controversy around NGSCB. It was promoted as "in response to public demand", but many people were skeptical. There are few examples of such public demand - for example, that there are huge holes in virus protection or personal privacy that it fills. In the consumer arena, despite statements that DRM is not the objective, such an architecture is suspected by many to be overkill benefiting Hollywood, with consumers paying the bill. This infrastructure could do good things for ordinary consumers, but a convincing case has yet to be made.

It should be noted that many of these issues are different in the enterprise, where security and centralized desktop control are valued much more than the ability to do anything you want with your PC. In that arena, NGSCB is an easier sell.

As additional perspective, respected security expert Ross Anderson has published an analysis of the technical and other aspects of Palladium/TCPA.

Nexus
A secure kernel component of NGSCB, colloquially associated with "ring -1" as it provides a higher level of code security than the currently "highest" ring 0. Some analysis from extremetech can be found here.
No-CD Crack, No-DVD Crack
A specific class of Crack which modifies software designed to require the presence of original media in a drive, so that it can run exclusively from disk and the original media is not required. These schemes are common anti-piracy measures for PC games and are widely disliked for their sheer inconvenience, so such cracks are often used by people who have no desire to be pirates. If, for instance, you're traveling with a laptop with a 50 Gbyte drive and a game that takes 1 GByte, why would you tolerate the reduced battery life and inconvenience of using the physical media? Been there, done that, got the crack ;-).
N-Gage
One of the niftier convergence devices, from Nokia: a phone, MP3, and game console all in one. This system gets mention here because it was the first to attempt commercial-scale DRM on a Java platform, the quick cracking of which confirmed suspicions that DRM and Java make a lousy combination. With the crack in hand, N-Gage games can be freely played on many other Symbian platforms. The commercial impact of this on Nokia, N-Gage, and its game-publisher partners is not yet clear.

O

 
OASIS
An ecommerce standards group, which was once home for the XRML specification. However, they Dissolved their XRML Committee in summer 2004, with the MPEG REL group being the only current home of note for XRML.
Obfuscation
The deliberate obscuring of something - typically, binary executable software code - which makes it harder for an attacker to reverse engineer and thus to crack. Obfuscation is usually an ad-hoc technique in a DRM developer's security arsenal, but there are companies, such as Cloakware, which have specific related expertise and products. Some technologists are critical of such "security through obscurity", but in fact, due to the limitations of cryptography, it is a necessary component of DRM on open systems such as PCs. See also tamper resistance.
Open Digital Rights Language (ODRL)
The Open Source movement's proposed Rights Expression Language. ODRL is a W3C proposal for an XML-based rights-expression language, from Australian DRM technology provider IPR Systems. ODRL is free of licensing requirements, but with the exception of some penetration in the wireless market, it appears to be losing to XRML in the marketplace anyway. For more information see our DRM standards page.
Open eBook (OEB)
An eBook format supported by the Open eBook Forum, an industry consortium led by Microsoft. Its main competitor is PDF from Adobe. Strangely enough Adobe is also a member of the OEB Forum, though it appears they are just hedging their bets. If OEB is ever to catch up to PDF, it will be on the back of a growing eBook market... which so far has failed to materialize.
OpenIPMP
An open source project aimed at DRM for audio and video using the MPEG standards family, developed by Objectlab. Objectlab is an American East Coast consulting firm specializing in media, which has been involved in several high profile DRM initiatives and includes Digital World Services among their list of clients. The latter developed content protection technology for Napster. To quote Objectlab's Web site: "The project implements a full PKI, utilizing the Digital Object Identifier (DOI) as the content identification scheme and the Open Digital Rights Language (ODRL) as the Rights Expression Language. The software adheres to the Internet Streaming Media Alliance (ISMA) 1.0 specifications and supports encoding and protecting content in MPEG-4 files so that the same file can be used for local and streamed playback." This is a noble effort which gives legitimacy to DRM from an unexpected direction. Given that the Open Source movement is, in the main, hardly sympathetic to DRM, that MPEG deployment is hindered by other factors, and that essential practical aspects such as anti-tamper are not addressed, its success is far from assured. However Objectlab is well connected in the media world and their non-proprietary approach (i.e. not Microsoft or Real Networks) may help attract content owners to their system.
Open Media Commons (OMC)
An initiative announced by Sun Microsystems in mid 2005 to develop open source DRM - further evidence, if any was needed, that Sun has lost it. There are already too many ways to do DRM, and the vast majority of Open Source supporters hate DRM in the first place. The fatal flaw, however, is that Open Source licensing is no insurance against patent infringement claims. Such claims would come hard and fast if the initiative took off, and unlike Microsoft, Open Source developments do not have billions in the bank to pay lawyers and licensing fees.
Open Mobile Alliance (OMA)
A consortium of the Wireless industry focused on standards and interworking, kind of a cellular equivalent to the W3C. OMA is one of the predominant forces for multi-vendor, standards-based DRM today. For more information see their entry on our DRM standards page.
Open Source
A collaborative software development philosophy which has produced a lot of widely-used code, notably the Linux operating system. Open source is based on the notion that anyone can gain access to the source code and modify it in any way, but they must return the modified code back to the open-source community, as captured in the applicable licensing schemes such as the GNU Public License. For the legally minded, here's a description of Open Source licensing by a lawyer from Red Hat. SourceForge is one of the largest open source communities.

Some requirements of DRM, such as obfuscation and tamper resistance (at least for PCs), are hard to see open source code meeting. Nonetheless, there are open-source DRM initiatives under way, such as those linked to at Authena.

Open System
A computing system based on well-known (if de-facto) standards and subject to detailed internal analysis, extension, and modification by any suitably skilled person. The runaway success of the PC is largely due to the wide-open, multi-vendor competition in software and hardware made possible by this openness. From a content protection point of view, this openness is problematic. It means there is no place to robustly "hide" data, whether it be controlled content, keys used to access such content, or what have you. It also means there is a vast arsenal of reverse engineering tools and skills which can internally inspect and modify software, including defeating protection mechanisms.

Initiatives such as NGSCB from Microsoft have the potential to curtail much of this openness in the name of security.

Overdrive
A supplier of electronic content services including Digital Rights Management, which specialized in the eBook industry. More recently they have focused on electronic download services for libraries and library users - probably a good move given the lackluster eBook market. Although they're apparently successful it's hard to tell how successful, since the company is privately held.
Overpeer
As the name implies, a kind of "overseer" of piracy-friendly P2P networks. In this case, it worked primarily for content providers who typically don't want their content on such networks. Overpeer was shut down by owner Loudeye in late 2005 - perhaps a sign that free P2P has gotten so polluted that it's no longer considered much of a threat.

P

 
Palladium
Old code name for Microsoft's security architecture for "Trusted Computing", which was renamed to Next Generation Secure Computing Base in May 2003.
Passport
Microsoft's ubiquitous user ID scheme, which is well known and widely used primarily because you have to get a Passport to get free services such as Hotmail and MSN Messenger. Microsoft's original vision was that Passport would be a multi-vendor de-facto standard for the single sign-on problem (also known as federated network identity, though the latter term was coined by rival Sun). You were supposed to be able to log onto any Web site using a Passport. At the end of 2004 however, Microsoft abandoned the multi-vendor objective. There were concerns about privacy, including legal challenges in Europe. In hindsight, the user information that would have been useful enough to really save time (e.g. true identities, addresses, credit card numbers etc.) is information people just would not want to entrust to Microsoft. This leaves the Liberty Alliance carrying the torch for Federated Network Identity - though chief proponent Sun is probably quite capable of losing a one-horse race at this point.

It seems logical that such ID schemes should be tied to DRM, but they would have to actually be used by consumers for that to happen.

Patent
A monopoly on the creation or sale of an invention granted through an institution such as the United States Patent and Trademark Office. In high-technology in general and DRM in particular, patents play a huge role. It is often impossible to build a specific product without infringing a patent and thus either risking huge legal liabilities or licensing the patent from its owner. Even standards-based products may encounter patent problems, since companies contributing to standards have often patented the underlying technologies. For more on this, see our DRM Standards page. The largest patent collections in the DRM arena belong to Microsoft/ContentGuard, and the Sony/Philips consortium which bought InterTrust. The patents and related settlements are key factors in the kind of co-operation that goes on between these large parties - which is to say on the interoperability and popularity of DRM systems in the next few years.
Patent Troll
A company which does not produce products itself but instead nurtures a patent portfolio, waiting for other companies to infringe (or allegedly infringe) their patents, at which point they demand substantial licensing fees. In other words, they make money off patents but nothing else. A well-known case is that of NTP (which doesn't even have a Web site), which has been a major thorn in the side of Research in Motion, demanding a substantial portion of their revenue and possibly shutting down operation of their Blackberry network. Opinions vary on what makes a troll - in the DRM space, both ContentGuard and InterTrust are seen by some as trolls, though they (or their corporate ancestors) have provided some useful DRM technology as well as patents.
Peer-to-Peer
A networked communications model wherein there is no "hierarchy" and substantially all of the participants have the same capabilities e.g. for both providing and obtaining content. When this model is applied to the public internet and the nodal software is freely available, it is an efficient, self-sustaining means of distributing digital content. Unfortunately, as the original Napster experience illustrated, a primary application of such systems is piracy of copyrighted content such as music. Though Napster is now dead (except for an on-line music service recycling the name), P2P continues through Napster descendants which are more decentralized and so provide less fruitful targets for legal action. There are ongoing attempts to "legitimize" P2P, such as Snocap and iMesh. These efforts are doomed - they have been spinning their wheels for years due to a simple truth: for a consumer, if the content isn't free, the iTunes music store is way better than P2P.

The economic impact of P2P - i.e. the losses to the music industry as a result of decreased legitimate sales - is a subject of much debate. Unbiased analyses are hard to come by but this one by Michael Geist is pretty convincing in its conclusion that P2P's net impact is minor. (This is based on the situation in Canada but is largely applicable to any Western nation.) Legal action, and pollution of the free P2P ecosystem by the likes of Overpeer, have also decreased the impact of these networks.

Personal Video Recorder (PVR)
A Consumer Electronics device which replaces the magnetic tape of a videocassette recorder with a hard-disk drive, and analog recording with digital, among a host of other improvements. These started out as relatively high-end stand-alone devices from pioneering companies such as TiVo and Replay TV. More recently PVR capabilities have been integrated into related devices such as set-top boxes and DVD player/recorders. As they become more mainstream, content providers become more concerned about their potential for piracy, and thus about applying DRM to them. Current PVRs start with current analog television signals, which limits their quality and thus the piracy threat. The bigger threat, in the eyes of many, is when emerging purely digital television signals are digitally recorded - and perhaps redistributed - using such devices. In the United States, a controversial mechanism called the Broadcast Flag may in effect prevent PVRs from making digital recordings of the digital broadcast signal. On a more positive note, organizations such as the TV-Anytime forum are addressing not just copy protection, but also interoperability and accessibility of such data stored in the home. UPDATE: in 2004 PVR manufacturers won a victory of sorts which legitimized a certain amount of sharing of recorded material; see TiVo.
Perceptual Coding
A family of techniques for compactly encoding audio and video information which is based on experimentally determined limits of human perception. Almost all modern codecs (MP3, AAC, MPEG-2, DivX, MPEG-4 etc.) use these techniques because of the high (10X or more) file compression they provide relative to raw formats such as PCM. The encoding takes advantage of such perceptual phenomena as "masking", where noise or a quiet sound in a given frequency range is not detected by a listener in the presence of a louder sound in the same range. A good technical description of how this works for audio is provided in this article from Audio Design Line. Perceptual coding aims to eliminate any bits from the data stream which are not directly perceptible by the listener/viewer. In practice this raises a couple of issues:
  1. Perception differs between individuals, so a particular encoding (say, MP3 at 64 kilobits/sec) that satisfies one person may not satisfy another.
  2. It is very difficult to design robust watermarks which will survive encoding in current or future perceptual codecs. After all, watermarks seek to add "imperceptible" data bits, which is exactly what perceptual codecs try to eliminate! This contradiction is what caused your humble scribe to abandon the SDMI when they became determined to solve the digital music piracy problem with watermarks.
Phrozen Crew
An underground club of PC software cracking experts who produce cracks of admirable quality, which can often be found on usenet or ever-changing crack web sites. Your scribe has seen some which use Windows menus to conveniently select from among many programs to be cracked.
Plain Text
See Clear Text.
Platform Security
A security paradigm according to which the platform (e.g. Operating System and possibly hardware) protects software programs from attack, so that the programs do not need to protect themselves. The advantage of platform security is that it simplifies software development by eliminating security concerns for most developers. The disadvantage is that, once the platform security is cracked, it's game over for any programs which relied on the associated protections. For example, the original Xbox had reasonably diligent platform security which included game copy protection, and game developers were forbidden from using their own homebrew copy protection. However, once the platform was cracked, all games could be copied easily. There is a similar situation, at least potentially, with the platform security of the Symbian 9.x cell phone operating systems.
Player / Asset Model
One of two possible approaches to rendering digital content. The other is the executable model. In the player/asset model, the desired content is in the form of passive data, such as an MP3 file, and it is rendered by a standard executable player program, such as Windows Media Player. The content does not know how to play itself, and typically uses standardized file formats and codecs. (From a technical point of view, it could serve the purposes of DRM to have a unique player for every piece of content, but this is not commercially practical.)

In this situation, the only way to protect the content is to encrypt it in such a way that only approved, DRM-aware player programs can decrypt and render it. This means that the security level of the media file is less than or equal to the security of the player, with key discovery or wedge attacks being common. In practice all audio and video content uses this model, which is one of the reasons that high security is more difficult to attain for these content types than for software.

PlaysForSure
A marketing/logo campaign from Microsoft which was designed to reassure consumers that they could buy portable media players from anywhere and (given the right logo), their Microsoft-format music will still "Play For Sure." This was in response to one of Apple's great strengths - namely, that if I buy a tune from the iTunes Music Store, download it using iTunes software, and synch it up with my iPod, there's only one company (Apple) to blame if it doesn't work. Contrast this to a WMA transaction involving three separate companies for the store, the PC application, and the portable player, where finger-pointing scenarios could easily drive a consumer nuts.

It didn't work anyway. Microsoft's own Zune of 2006 didn't work with "PlaysForSure", and the logo was dropped in 2007 in favor of "Certified for Windows Vista". As other pundits pointed out, that leaves us with the Zune and other devices both "Certified for Windows Vista" but not able to work with each other. What was the point of those logos again?
PlayReady
Microsoft's newest DRM technology, introduced in 2007 as a successor to WMDRM-PD. PlayReady has some nifty new capabilities, notably multi-device support via Domains, Over-The-Air (OTA) license acquisition, and arbitrary content encryption via envelopes. PlayReady also supports access to WMDRM version 10 content, providing a bridge to their legacy technology - something they didn't do with the Zune. Technically, PlayReady looks pretty good and has some of the same goodies as would-be competitor Marlin, but with less complexity. PlayReady appears to target the mobile space especially.
Playstation 2 (PS2)
The leading video-game console in the world, manufactured by Sony. Similarly to Microsoft's Xbox, the Playstation 2 is an interesting example of reasonably diligent efforts to prevent copying being widely cracked. See also Mod Chip.
Point of Deployment (POD) Module
PODs are industry-specific variants of smart cards which are used to support conditional access in satellite TV systems. Hacking these cards is a major underground industry, which by most estimates is larger, dollar-wise, than the corresponding legitimate industry.
Portable Document Format (PDF)
The de-facto multi-platform standard for viewing and printing electronic documents, created by Adobe. PDF and its associated reader software are ubiquitous, and Adobe does have a plug-in framework that supports DRM. However their existing DRM is poor - especially re security - and Adobe's strategy going forward regarding DRM and DRM-enabled markets such as eBooks is unclear.
Prepaid Cards
One of several approaches to the problem of small online payments for digital goods. Considering that credit cards have high overhead and aren't possessed by kids, and microtransaction technology is missing in action, it's not a bad idea. Here's the story of the new Napster's version of prepaid cards.
Pressplay
An early on-line music service bought by Roxio and rebranded as Napster.
Preview Systems
A defunct DRM and ESD technology supplier, which acquired much of its technology in a merger with Portland Software in the late 1990s. In turn, much of Preview's technology (notably Vbox and ZipLock) was bought on Preview's demise by Aladdin. Their founder has re-emerged as CEO of Protexis.
Privacy
The expectation that individuals should not be spied on, or have personal information inappropriately collected and/or shared. In the online world, privacy is a major issue. For example, many Internet users like to maintain their privacy by being anonymous, at least some of the time. But law enforcement agencies and copyright holders see anonymity as something which criminals can hide behind. Internet Service Providers are often caught in the middle, wishing to protect the privacy of their subscribers in the face of court orders to reveal the identities of suspected wrong-doers.

As for the law, there is no general-purpose federal privacy legislation in the USA, but the use of personal information in Canada is limited by PIPEDA (PDF). For more information see our DRM and Privacy page.

Protexis
A software DRM company based in Canada (apparently with help from the Canadian government), with notable alumni from Preview Systems, especially Preview CEO Karl Hirsch.
Public key cryptography
See asymmetric cryptography
Public Key Infrastructure (PKI)
A combination of hardware, software, policies, and procedures intended to foster the universal use of Public Key cryptography in commerce, industry, and government. The term was first widely promoted by Entrust, a Canadian-based company which spun out from Nortel in the mid 1990s and is one of the leaders in the field. The cornerstone of PKI is certificate-based authentication of all the entities involved in a transaction. When properly implemented such systems allow a large number of parties who do not know each other to engage in trusted transactions, commercial or otherwise.

It would be nice if PKI was universal enough and cheap enough for mainstream DRM uses, but it hasn't happened yet. Technology providers in the space are still developing their markets and focusing on early adopters - such as government, military, or health care - where limited interoperability is acceptable, and where significant per-user costs can be justified. As PKI gains critical mass and lower costs, it may well emerge as a key component of Digital Rights Management systems. For the most part when people say PKI today, they are referring to specific commercial systems from vendors such as Entrust or Verisign. OASIS has a good technical overview of PKI in this PDF document.

Pulse Code Modulation (PCM)
One of the earliest and simplest kinds of codec for representing analog data such as music in digital form. In it, the amplitude of an analog signal is sampled at regular time intervals by an analog-to-digital converter, and the resulting digital amplitude values are stored in a raw form. For example, the Red Book format used in audio CDs linearly samples each of two channels at 44.1 kilohertz and represents each sample as a 16-bit number. PCM encoded data is too bulky for convenient Internet download and it took the development of more efficient perceptual codecs such as MP3 to make Internet music sharing a mainstream activity.
PUMA (Protected User Mode Audio)
Technology used by Windows Vista to ensure that audio output driver chains are "trusted" to handle protected media content. This was done by Secure Audio Path in previous Windows operating systems.
Puretracks
The first "legitimate" music download site for Canadians, started in October 2003. The site is in the Windows Media Player camp and was overwhelmed at its opening. Having tried it I confess to being pleasantly surprised - it was quite painless and I paid the princely sum of $2.28 (Canadian, including tax, on a credit card!) for a couple of tracks I wanted. It's still not getting me to abandon iTunes though.
PVP-OPM
"Protected Video Path - Output Protection Management", a software system designed to take the concepts of COPP further in Windows Vista. It has generated consternation via "monitor DRM" aspects which may force people to buy new computer monitors to watch HD content.

Q

 
Quality of Service (QoS)
The capability to provide guaranteed sustained performance characteristics - notably, bandwidth and latency - for a connection over a packet-switched network. When the network is the public Internet - i.e. for the vast majority of consumers - end-to-end QoS capabilities are not currently available. This is unfortunate for real-time content delivery technologies such as streaming, because it makes it very difficult for them to produce a high-quality consumer experience, especially for video.
The significance for DRM is twofold: First, since streamed content is rarely paid for and/or of high quality, DRM for streaming, although it exists, is a largely untested - and financially unrewarding - field. Nobody wants to steal this stuff in the first place. Secondly, this means that locally stored content is the better alternative, with all of the technical challenges that may raise for DRM.

R

 
Rainbow Technologies
A multinational software security company. Like Aladdin, their roots are in dongle-based security i.e. usage control for high-value software applications. They diversified considerably after the turn of the millennium and were bought by SafeNet in late 2003.
Reasonable And Non-Discriminatory (RAND)
Favorable licensing terms sometimes offered by owners of technological Intellectual Property - usually patents - so that other companies may build products that incorporate their technology. Typically, this is done in a situation where the intellectual property covers part of an industry standard. The idea is to compromise between, on the one hand, killing the standard by unreasonable license demands, or, on the other hand, simply giving the technology away as per the Royalty Free model. The spirit of RAND is to charge small licensing fees and to not deny licenses to anyone, including competitors. The interplay between patents and standards is controversial, with patent policy being a key differentiator between different standards bodies.

RAND is not specific to DRM, but it does affect DRM. Any company designing a DRM system may find that they need a technology license from a patent holder such as ContentGuard or Intertrust - and if that license is not available on reasonable terms, it could kill their business. Licensing terms - such as financial compensation for the use of codecs - may well also be a major factor in the war for Media Player dominance between Microsoft, Real Networks, and MPEG, and the winner of course gets to win in DRM as well as codecs. For more on this see our standards page.

RealPlayer
The number-3 software media player technology, after iTunes and Windows Media Player, from Real Networks. It is functionally comparable to WMP in most ways, including a DRM capability. DRM is not a significant differentiator between these products, even though Microsoft probably can provide technically better DRM due to building the platform as well. It is difficult for Real to compete with Microsoft due to the latter's bundling of WMP with the Windows O/S. Real's answer to this is interoperability - to support more platforms (e.g. Macintosh) and more media formats (e.g. MPEG4) than Microsoft.

Their recent claim to fame is support for DRM interoperability through their Harmony technology, which allowed RealPlayer to play music in Microsoft and Apple iTunes formats. As a consumer this seems like a pretty good idea, but apparently they achieved this compatibility by reverse-engineering, not technology licensing (though they were evidently rebuffed in attempts to acquire licenses legitimately). As a result they are facing both legal and technological countermeasures, so ongoing interoperability is highly doubtful.

Reciprocal
A DRM provider which died in 2001 while trying to provide an unusual multivendor DRM service model. Recently Reciprocal was reborn as a subsidiary of Overdrive, although the approach, based on Microsoft WRMS, seems fundamentally different. It is single-vendor and targets enterprise security, much like Authentica. It is not clear what Overdrive is up to, because there is not much brand value in the Reciprocal name nor, apparently, much reusable technology.
Red Book Audio
The standard for the logical and physical layout of audio CDs, originally proposed by Sony and Philips. The CD-ROM computer data standard evolved incrementally (through Yellow and Orange books) as a super-set of the Red Book audio standard. This is why "Orange-book compliant" computer CD-ROM drives can read both data and audio on CDs, but consumer electronics "Red-book compliant" players cannot read computer data tracks on CD-ROMs. The Red Book was defined long before powerful PCs and digital piracy became commonplace, and so does not include any DRM capability. Given this, and the huge backward-compatibility constraints of deployed consumer electronics, it is difficult, if not impossible, to technologically protect Red Book audio from piracy. Some companies, such as SunnComm and key2audio, are trying anyway, but are causing a significant backlash, as exemplified by this button from the UK Campaign for Digital Rights lobby group: "Say NO to corrupt audio discs".
Even the record companies are treading lightly with this technology for now. For more on this, see copy protection.
Replay Attack
An attack against a digital security system which "replays" captured information - typically, a digital credential of some kind - in an attempt to coerce the receiving system into giving the attacker whatever resources were associated with the original, presumably legitimate and successful, presentation of the information. For example, a Web user who pays for a PDF document and is then relayed to a download page might capture the download URL from his browser screen and present it again - or email it to a friend - to get another copy of the document. If necessary, a system can be made resistant to replay attacks by making credentials different every time and/or robustly embedding client-related information in the credential. See also spoofing.
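The defence sketched in the Replay Attack entry above, as an added example that is not part of the original dictionary: a download token that is different every time (random nonce, short expiry, single use) and is bound to the client it was issued to through an HMAC. The class name, the token layout and the use of a session identifier as the "client-related information" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class DownloadTokenIssuer:
    """Issues and redeems single-use, client-bound download tokens (illustrative)."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key                      # server-side secret, never sent to clients
        self.ttl = ttl_seconds
        self._redeemed: Dict[str, int] = {}  # nonce -> expiry, kept until expiry passes

    def _mac(self, *fields: str) -> str:
        # Length-prefix every field so field boundaries cannot be shifted
        # ("ab" + "c" must not authenticate as "a" + "bc").
        msg = b""
        for field in fields:
            raw = field.encode()
            msg += len(raw).to_bytes(4, "big") + raw
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, doc_id: str, client_id: str, now: Optional[float] = None) -> str:
        if not doc_id or "." in doc_id:
            raise ValueError("doc_id must be non-empty and contain no '.'")
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)          # makes every credential different
        expires = str(int(now) + self.ttl)
        # client_id is covered by the MAC but not carried in the token:
        # the server takes it from the presenting session at redeem time.
        sig = self._mac(doc_id, client_id, nonce, expires)
        return ".".join([doc_id, nonce, expires, sig])

    def redeem(self, token: str, client_id: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = token.split(".")
        if not token.isascii() or len(parts) != 4:
            return False, "malformed"
        doc_id, nonce, expires, sig = parts
        expected = self._mac(doc_id, client_id, nonce, expires)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            # Covers tampering and presentation by a different client.
            return False, "bad-signature"
        if now >= int(expires):
            return False, "expired"
        # Forget nonces whose tokens can no longer pass the expiry check.
        self._redeemed = {n: e for n, e in self._redeemed.items() if e > now}
        if nonce in self._redeemed:
            return False, "replayed"
        self._redeemed[nonce] = int(expires)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample run: one purchase, then three replay attempts.
    issuer = DownloadTokenIssuer(key=secrets.token_bytes(32))
    token = issuer.issue("doc-42", "session-A")
    print(issuer.redeem(token, "session-A"))   # first presentation by the buyer
    print(issuer.redeem(token, "session-A"))   # same URL presented again
    print(issuer.redeem(token, "session-B"))   # URL e-mailed to a friend
```

The redeemed-nonce table only has to remember a nonce until its token expires, so a short lifetime keeps the server-side state small.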
Renewability
A feature of a networked security system that lets compromised components - such as cracked cryptographic keys - be replaced selectively without having to replace other parts of the system, redeploy content etc.
Reverse Engineering
Analyzing a product to determine how it functions. In the security and DRM worlds, reverse-engineering is used by researchers, competing DRM technology providers, and hackers, to determine how protection mechanisms work. For Black Hat hackers, successful reverse-engineering is often followed by producing and distributing a Crack or exploit. Those who engage in this activity are often very skilled, as exemplified by this (now outdated) Windows Media Player analysis. In the United States, reverse-engineering of content protection technology is to a large extent outlawed by the Digital Millennium Copyright Act.
Revocation, Revocability
In security systems in general and DRM systems in particular, it is useful to be able to "revoke" i.e. take away, some previously granted credential or right. "Revocability" is the term applied to systems which have this feature designed in. SSL certificates, for example, are subject to revocation to deal with fraudulent behavior on Web sites. For mass-market DRM, revocation is controversial, because consumers will not accept having a capability they once had being "taken away" even if, say, that capability was only useful for pirated files. In reality, PCs already support revocation through a combination of on-line updates and EULAs which give vendors such as Microsoft the right to alter the behavior of, say, Windows Media Player. So far, there have been no major incidents of lost capability in the PC arena.
RFID
Radio Frequency IDentifier. A ubiquitous technology of small, low-cost, passive physical tags containing UIDs which can be read at a distance. They are typically used to track store inventory and would have nothing to do with DRM except that a truly silly proposal has been put forward to add RFID to DVD in the name of DRM.
Rhapsody
An on-line music service bought by Real Networks in April 2003 in an apparent move to provide a market for their RealPlayer technology. Most music labels are represented. Gnutella news has an interesting article on how their security works.
RIAA
The Recording Industry Association of America, the dominant lobby group of the music industry. For more information see their entry in our Lobby Group list.
Rights Data Dictionary (RDD)
To quote MPEG: "..a set of clear, consistent, structured, integrated and uniquely identified Terms to support (the MPEG-21) Rights Expression Language." Although you don't need MPEG to have an RDD, MPEG-21 Part 6 is currently the pre-eminent Rights Data Dictionary, even though it is still under development. In essence, a Rights Data Dictionary defines standard semantics so that a Rights Expression Language can use a term (say, "license") without having multiple interpretations of the term confuse developers and users. It seems likely that the MPEG RDD and REL may be adopted in DRM systems which don't otherwise use MPEG technology e.g. codecs.

This would be a good thing, as it builds on the letter and the spirit of XRML, bringing DRM systems one step closer to interoperability.

Rights Expression Language
A machine-readable - and usually somewhat human-readable - language for expressing what rights are available and/or have been obtained for certain items of content and certain users. The dominant ones today are XRML and ODRL.
robust
Not easily broken. In a DRM context, robustness usually refers to the ability of a security mechanism to continue to function under attack. For example, a robust watermark is designed to remain detectable and unaltered even if the media file that contains it is subject to manipulation such as digital to analog conversion. Of course everyone wants overall systems to be robust - but it is worth noting that sometimes the overall system is served well by having certain components which are fragile. See also Robustness Rules.
Robustness Rules
A set of rules that an implementer (which is usually to say, licensee) of DRM technology such as DTCP must meet in order to resist cracking attacks. In addition to being crack resistant, the implementation must also handle content in the proper way, which is usually specified by a "sister" set of Compliance Rules. Robustness rules vary from one system to another and are usually not public. There are, however, usually common elements such as anti-tamper, key hiding etc. Some infrastructure providers, such as Cloakware, specialize in helping developers meet such requirements.
Rootkit
A set of software tools designed to conceal functionality in a computer and more particularly to give a third party secret control ("Root privileges", based on Unix terminology) of that computer. Which has nothing to do with DRM, except that in 2006 Sony was accused of stealthily installing a rootkit on PCs from audio CDs using MediaMax DRM anti-copy technology.

Technically, this was not quite right - the software in question was not a true rootkit - but it was a public relations disaster for Sony. Bruce Schneier described the incident, as it was still unfolding, here.

An insightful analysis by Ed Felten argues convincingly that, while the label "rootkit" may be unjustified in this case, the very nature of Audio CD anti-copy requires the use of sneaky techniques otherwise found mostly in spyware.

Royalty Free (RF)
Unrestricted licensing terms sometimes offered by owners of a patent or other Intellectual Property (IP) so that other companies may freely build products that incorporate their IP. Usually, this is done in a situation where the patents cover part of an industry standard. The other option in a standards situation is the RAND model. The interplay between patents and standards is controversial, as many promising standards - DRM-related or not - have been derailed by surprise declarations of IP ownership part-way through the process. IP licensing policy (i.e. RF vs. RAND) is a key differentiator between different standards bodies. For more on this see our standards page.
RSA
One of the first and best known asymmetric cryptography algorithms, named after its inventors (Ron Rivest, Adi Shamir, and Leonard Adleman). The RSA algorithm relies on the fact that it is MUCH easier to create an extremely large number by multiplying two large prime factors together, than it is to analyze such an extremely large number to figure out what its factors are. RSA was patented but its patents expired a few years ago. RSA is often used as part of the SSL Web security protocol.

S

 
SafeCast
A software protection scheme from Macrovision, based on technology acquired with the purchase of c-dilla in the UK.
SafeNet
A network security company that got into the DRM business through a merger with Rainbow in 2003.
Script
A simple form of computer program used to automate everyday tasks. Typically scripts take the form of a few lines of human-readable commands and are runnable from a command line (e.g. a Unix shell script.) If the task being automated is a malicious network attack, then the script becomes an exploit, which may be widely used by script kiddies.
Script Kiddie
A malicious but not necessarily highly skilled hacker who runs exploit scripts produced by others in order to do damage. A well known example is that of MafiaBoy, a 15-year-old who used exploits to perform a major "Distributed Denial of Service" attack which brought many Web sites, including CNN, to their knees.
Secret Key Cryptography
See symmetric cryptography. Note particularly that a secret key is NOT the same as a "Private key", which is one part of a key pair used in asymmetric cryptography.
Secure Audio Path (SAP)
An initiative from Microsoft, probably inspired by SDMI, to prevent the installation of "insecure" drivers which might be wedge programs designed to steal audio content during playback on PCs. It also eliminates the presence of high-quality cleartext audio inside the PC except for a final trusted output driver. Deployed starting with Windows Millennium and Windows XP, it is common but not pervasive in consumer PCs. Consumers with PCs which don't support SAP may find they are unable to listen to protected WMDRM content on their PCs. SAP is superseded by PUMA in Windows Vista.
Secure Digital Card (SD Card)
A trade-secret, licensable standard for flash memory cards intended for consumer applications such as portable music players. Originally developed by SanDisk, Matsushita and Toshiba, SD cards are postage-stamp sized and store several GBytes at this writing. They are now promoted by the widely supported SD Card Association. Their security features are not all public, but they include CPRM and are rumored to be elementary e.g. a passive on-card Globally Unique Identifier.
Secure Digital Input/Output (SDIO)
A specification that enables the SD Card interface on consumer devices such as PDAs, which was originally intended only for secure flash memory, to serve as a general secure I/O port. As for the original SD card, the specification is private and accessible only to members of the SD Card Association.
Secure Digital Music Initiative
A multi-industry consortium about DRM for on-line music, started by the Recording Industry Association of America in 1999. Participants were from music labels, the computing industry, DRM providers, and the consumer electronics industry. Unfortunately, the RIAA seemed to have unrealistic expectations regarding attainable security levels. The resulting desperation - or technical ignorance, or both - led them down a path of designating watermark based protections, which were fatally cracked once exposed to outside scrutiny. Your humble scribe participated in SDMI and has more comment here. Today SDMI appears to be defunct as judged by their ghost Web site.
Secure Video Processor
A proposed standard for video security incorporating both hardware and software. The root of trust is licensable silicon IP - that is, cryptographic co-processors which can be built into devices such as set-top boxes. The target architecture is a system with multiple nodes in a domestic "domain", all of which have this capability and communicate over secure channels. Technically it seems well thought out, but the technology is of very little use if you only have one compliant device - and Coral has a somewhat similar (though less mature) architecture which doesn't require special hardware. The sponsors are mostly European TV-delivery companies, with few computing heavyweights and, as usual, no sign of Apple or Microsoft.
Serial Copy Management System (SCMS)
A system for controlling the copying of digital media by the use of permission flags (copy once, copy all, copy never) which has been used for over twenty years in Digital Audio Tape (DAT) recorders, and almost as long in mini-disc recorders. Since neither have become mainstream items, SCMS is rarely spoken of today. SCMS data can also be present on Red Book audio CDs, but this is of no consequence as the data is only visible over "spdif" digital outputs, which practically no one uses. Nonetheless, the idea lives on in other related areas; see for example the broadcast flag.
Signet Screener
An interesting watermark-based approach to DRM from a subsidiary of Sony. In their "denial DRM" vision, watermarks do not prevent playback of the media. However unlike most watermarks, these are obtrusively visible and/or audible. The idea is that they are obtrusive enough to prevent sustained content enjoyment and fraudulent redistribution, but not so obtrusive as to prevent evaluation of the content by a potential purchaser. Removing the marks to convert the content to an unimpaired version requires secret key knowledge and can presumably be done on a user's PC. Not a lot of progress has been made since spring 2003 - indeed, the Web site has been unreliable and perhaps gone dark.
SIIA
The Software and Information Industry Association. For more information see their entry in our Lobby Groups list.
Single Sign On
A system by which a user needs to log on only once for access to more than one resource. Today single sign on exists to a limited extent within the enterprise (e.g. Kerberos) but usually doesn't interwork between different operating systems and rarely between more than one business domain. Such full-blown solutions are in the emerging realm of federated network identity.
Sink
The receiving end of a point-to-point link streaming protocol such as DTCP or WMDRM-ND.
Smart Cards
Tamper-proof security microprocessors in standardized, typically credit-card-sized packages, used for various applications such as banking, automatic road toll collection, and Virtual Private Network access. There are specific variations for Satellite TV and GSM cell phones. Smart Cards have been popular in Europe for years and have recently experienced rapid growth in North America as well. Although smart cards have obvious technical appeal for DRM, a lack of critical mass outside vertical markets and a lack of application flexibility have limited their adoption in this field. Several smart-card platforms support multiple applications but there is so far not much motivation for businesses such as, say, credit card companies and DRM providers, to share cards.

In the long run, the decreasing cost and increasing functionality of smart cards, coupled with content owners' piracy fears, will probably see them deployed for DRM. The SmartRight consortium appears to be gaining consensus for their smart-card-based consumer DRM scheme. Microsoft has added support for smart cards in their XP operating system, and all Microsoft employees have smart cards. It is also possible that PCs will get most of the functionality of a smart card - without the portability, and whether consumers want it or not - via the TPM. For more information, here is a good smart card FAQ from Usenet.

Smartright
A smart-card based "copy protection system for digital home networks", supported by a consortium of the same name which consists mostly of European companies. More information is found on our DRM standards page.
Social Engineering
A favorite trick of black hats: getting around a security barrier by fooling a human being into helping you do so, such as by cold-calling a stranger within the target organization and deceiving him into providing a crucial password. Kevin Mitnick, a master at such things, points out that social engineering, when it works, is vastly easier than highly skilled and laborious approaches such as reverse engineering.
Soft-lock, softlock, softlok
Over the years several companies with confusingly similar variations on this name have come and gone. Soft-lock is an active company whose main focus apparently is providing anti-copy for software CD-ROMs. Softlok provides dongle-based protection for software. Softlock had 15 minutes of fame when it protected an electronic Stephen King story in 1999, but never made any money. They have since changed names to DigitalGoods, and apparently gone under.
softwrap
A UK-based DRM technology company with products for protecting both software and music. They have attracted attention by simply surviving for the last few years, and by supplying DRM technology to P2P provider Grokster.
Solution Provider
It could mean anything ;-) but in the world of DRM it refers to "one-stop" service shops which help content owners get their content on the Web. There are many of them and they are not a main focus of this site because they are not DRM technology inventors, but use standard technology such as Windows Media. The added value is that it relieves content providers from being technology experts. EZDRM is one such.
Source
The transmitting end of a point-to-point link streaming protocol such as DTCP or WMDRM-ND. The other end is the Sink.
Source Code
The human-readable form in which software is originally developed i.e. in languages such as C++. With respect to DRM, source is connected to two issues:
  1. For DRM technology, whether, in order to apply DRM protection to a given software program, the developer has to modify source code or not, and
  2. for the Open Source movement. Most open source advocates argue that there cannot be DRM in an open-source system since, by definition, the code that implements the DRM must be visible and - by implication- removable in the freely distributed source.
Space Shifting
Moving of a digital asset - such as an MP3 song - from one platform to another, such as from a PC to a portable player. Such moves are usually simple copying operations which most people consider to be fair use. However, exactly the same copies could be used for fraudulent redistribution, so some copy protection proponents see this as a security gap which they try to close with check in / check out capability. See also time shifting.
Spoofing
Pretending to be someone - or something - that you are not, in order to fool a system into giving you resources that you would not otherwise be entitled to, or to mislead an adversary. The use of someone else's password on a for-pay Web site is a trivial example. The modification of a cell phone's internals to fool a network into providing phone service for free is a less trivial example.
Spyware
Software installed on a user's computer - without the user's constructive consent and usually without even her knowledge - which "spies" on the user or otherwise is considered to invade user privacy. Typically, spyware covertly "calls home" over the Internet to report its findings. Often spyware is deployed by adding "extra" functionality in freely available software downloads, or by exploiting well-known Windows security holes. While spyware has nothing to do with DRM as such, it has become associated with online content due to questionable judgments on the part of companies such as Real Networks. Microsoft and others have raised suspicions as well, through disturbing language in their EULAs. It falls to online content businesses and media player manufacturers therefore, to legitimately reassure their customers they will not be spied upon when using their content.
Steam
Arguably the future of distribution and content protection on PCs, from game publisher Valve: a system which provides online delivery, updates, and mandatory registration. This paradigm makes possible the combination of verifiable global UIDs with regular security updates to stay abreast of hackers' efforts. It caused something of a backlash in the gaming community when applied to the mega-hit Half-Life 2 in 2004, partly because people resented paying big bucks for a CD and then watching the whole thing be replaced by a gigantic download, and partly because gamers hate really robust copy protection. However it also took the time to crack from weeks to months (and counting), and didn't stop the game from being a mega-hit which made Valve a bazillion dollars.
steganography
The hiding of a secret message within an ordinary message, and the subsequent extraction of that message. Since the secret message is usually not even detectable, an interloper probably wouldn't even know where to look for it, let alone how to interpret it. If the ordinary message is a media file such as a JPEG image, or an analog signal such as music, this is referred to as Watermarking.
sterile
A copy that can't be copied - the digital equivalent of a mule. Sony is flogging the idea of sterile CD copies as a way of providing personal-use copies of audio CDs while still preventing piracy. Trouble is, the permitted copies aren't in Red Book format, and so are useless for very common purposes such as listening in a car CD player. Based on initial public information, this appears to be little more than a re-hash of the years-old Windows Media Data Session idea as promoted by Sunncomm.
stream cipher
A class of cryptographic algorithm which encrypts and decrypts each bit (practically speaking, each byte) independently, so that decrypting one byte can be done without knowing the values of neighboring bytes. RC4 is the best known example. Stream ciphers are less secure than block-oriented ciphers such as AES, but they support random access to media files better and are less compute-intensive, so are widely used for content encryption in DRM systems. Block-oriented ciphers need larger chunks (typically around 16 bytes) of data to work with, so it's harder for them to jump to an arbitrary point in a media file and decrypt on the fly; they are also slower. However block ciphers can be implemented so as to support random access, and as the compute power of even inexpensive consumer electronics improves, the 128-bit AES block cipher is the emerging favorite for content encryption.
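The random-access point in the entry above, as an added example that is not part of the original dictionary: a block primitive run in counter mode yields a seekable keystream, so a player can decrypt any byte range without touching earlier data. Assumptions: HMAC-SHA-256 stands in for the AES block function (the Python standard library has no AES), and the key, nonce and "media" bytes are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 32  # keystream bytes produced per counter value (SHA-256 output size)

# Constructed sample values, for illustration only.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE = b"track-0001"            # must be unique for every file under one key
MEDIA = bytes(range(256)) * 40   # 10,240 bytes standing in for a media file


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream for one block.

    Assumption: HMAC-SHA-256 stands in for AES_encrypt(key, nonce || counter),
    which is what AES in counter mode would compute at this step.
    """
    msg = nonce + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def ctr_xor(key: bytes, nonce: bytes, data: bytes, offset: int = 0) -> bytes:
    """Encrypt or decrypt `data`, which sits at byte `offset` of the stream.

    Only the keystream blocks that cover [offset, offset + len(data)) are
    computed, so the cost depends on the range length, not on the offset.
    """
    out = bytearray(len(data))
    pos = 0
    while pos < len(data):
        counter, skip = divmod(offset + pos, BLOCK)
        block = keystream_block(key, nonce, counter)
        take = min(BLOCK - skip, len(data) - pos)
        for i in range(take):
            out[pos + i] = data[pos + i] ^ block[skip + i]
        pos += take
    return bytes(out)


def blocks_touched(offset: int, length: int) -> int:
    """Number of keystream blocks needed to cover a byte range."""
    if length <= 0:
        return 0
    return (offset + length - 1) // BLOCK - offset // BLOCK + 1


def seek_and_decrypt(ciphertext: bytes, offset: int, length: int) -> bytes:
    """Decrypt `length` bytes starting at `offset`, as a player seeking would."""
    return ctr_xor(KEY, NONCE, ciphertext[offset:offset + length], offset)


def reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Caveat for any keystream cipher: encrypting two files under the same
    key and nonce makes c1 XOR c2 equal p1 XOR p2, with no key required."""
    c1 = ctr_xor(KEY, NONCE, p1)
    c2 = ctr_xor(KEY, NONCE, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    ciphertext = ctr_xor(KEY, NONCE, MEDIA)
    clip = seek_and_decrypt(ciphertext, 5000, 100)
    print("clip matches plaintext:", clip == MEDIA[5000:5100])
    print("keystream blocks for the clip:", blocks_touched(5000, 100))
    print("keystream blocks for the whole file:", blocks_touched(0, len(MEDIA)))
```
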
streaming
A client/server paradigm in which content is resident on a server, and the client machine renders the content without having complete or permanent copies of it locally. Until recently, streaming (at least for consumers) typically referred to delivery to a consumer's PC over the public Internet. But frankly, that sucked - for the most part, the public internet can't deliver the real-time performance required. There are three distinct streaming technologies, which each have their own detailed entry here.

In the enterprise, Thin Client technologies - which might not be considered streaming in the strict sense - simplify desktop management by having many software applications run remotely (e.g. through a Web browser).

Streaming Media can be used to transport media within your home, or to turn your PC into a radio or TV.

Streaming software tries to replicate the values of streaming media but with software applications rather than audio or video.

Streaming Media
Technology for rendering audio or video from a remote source over an IP connection. Until recently this was usually from a content source on the public Internet, turning your PC into a TV or radio. Streaming capabilities, including streaming DRM, are built into major media players such as Windows Media Player and RealPlayer. This sucked so badly that nobody ever used it for paid content (OK, except for porn, where image quality isn't much of an issue). Even in the era of YouTube, video streaming may be common, but the quality still sucks and there is no business model for applying DRM to the content. Unlike video, streamed audio is usually acceptable relative to commercial radio - and there are some implementations with good audio quality, such as BlueBeat.

More recently, streaming media is more likely to be going from one box inside your home to another than to be coming from the public Internet, using standards such as DTCP or WMDRM-ND. The local links can be engineered to have guaranteed bandwidth.

Internet radio stations using streaming do have one business advantage relative to download: unlike, say, iTunes, they don't have to convince major labels to give them their content - they can license it automatically under the same terms as radio stations. (Whether those terms are too expensive, is a separate debate.)

Streaming Software
Similarly to streaming media, streaming software aims to provide internet-connected consumers with content that is stored only transiently on their PCs. The idea is appealing: software-as-service, low per-month fees, instant gratification, and no local installation. Internet Service Providers are big fans of residential software streaming, because they see in it a new revenue source - renting application software which is otherwise sold by others.
However, the art of the possible is limited and it has proved a marginal business. For one thing, whereas media player software on a PC can begin presenting media after only a few seconds of buffering, executable programs cannot be run at all until a substantial proportion of their code and data has been received. This means that "instant gratification" for consumers on the first try is not really possible. Most current streaming technologies actually download the whole program in stages. Finally, it is hard for streaming software providers to get high-quality consumer content, for several reasons. Highly desired content tends to be large (e.g. graphical games) which makes for long download delays. It tends to raise support issues which an ISP would rather not deal with. Its owners are content with their existing channels e.g. retail, because at $70 or so a pop, they're making money already. It also requires, in its owners' eyes, substantial content protection which it is not clear streaming technology can provide. As a result, most streaming offerings today are heavy with low-end "edutainment" or end-of-life games. IntoNetworks (formerly Arepa), and Mediastation were two American technology companies which died while trying to create a residential broadband streaming software market. GamesMania is an example of the same thing from Bell Canada's broadband arm. Bell Canada uses technology from Exent. Exent and StreamTheory are among currently active consumer software streaming technology companies. StreamTheory was acquired by Tadpole Technology, which seems to be struggling, in 2004. The only area where software streaming is gaining traction is in the enterprise (see for example Appstream), where bandwidth is plentiful, games are rare, and central control wins out over user choice.
Subscriber Information Module (SIM)
A specialized smart card used to store subscriber information in GSM cell-phones. In GSM, it is the SIM, not the phone itself, which is associated with a subscriber.
Subscription
A business model where a consumer gets access to content, not by buying it per piece, but by paying continuously for virtually unlimited access to a very large collection of content. Subscription to digital media content is technically difficult to implement, because it has to work on portable players, which do not traditionally have the reliable clocks needed to know when a subscription has expired. Microsoft's "Janus" technology for Windows Media Player 10 addressed this issue, and portable devices supporting subscription models, notably "Napster-to-go", have emerged. They have not been very successful however, probably because of a combination of complexity and limited content choices.

Subscription is obviously part of Microsoft's assault on the iPod, because it's a business model that the iPod can't support, and a tempting option for some consumers, especially younger ones who don't miss the "ownership" of music. However it does pose an additional security risk. An iPod owner can't get a hold of 10,000 songs (assuming they aren't unprotected in the first place) without actually paying for them at the iTunes store, which he's not likely to do... so he's not likely to crack those 10,000 songs. A Napster-to-go customer could get those 10,000 songs, for a few bucks a month. Of course the songs are protected in both cases - the point is, that a crack that automatically "un-protects" songs would be far more damaging in the subscription case than in the per-song sale case, because of the larger content base.

sunncomm
One of the leading providers of Audio CD anti-copy technology products. Their Web site is very slick and they are obviously well-funded and well-connected. However the art of the possible in this area is extremely limited; early versions of their technology alienated users and were also cracked. In 2003 they aligned with the Windows Media Data Session Toolkit approach, without much apparent impact. The basic idea is that you "make up" for crippling the standard Red Book audio by duplicating the music - and sometimes more - elsewhere on the same disk in protected Windows Media Player 9 format. A CD protected by this scheme - obviously an experiment in both technology and consumer acceptance- was released in fall 2003 in North America and is so bad it made the DRM Hall of Shame. A not-totally-objective history from the Register can be found here.
Super Audio CD (SACD)
Similar to competitor DVD Audio, a variation of the DVD format which provides high-quality digital multichannel audio. Invented by Sony, it does not interwork with DVD-Audio, although players are available which play both formats. SACD and DVD-Audio both have great sound quality and there is no clear winner between them in the marketplace. Arguably, neither of them is winning - by some reports, combined sales of SACD and DVD-Audio are eclipsed by sales of vinyl records. SACD does have built-in copy protection which has no known cracks and some of which is described here.

This raises the interesting question of whether copy protection can be too good. SACD's relative failure may be partly due to high costs and a smaller player base, but the fact that consumers cannot copy them is certainly a negative as well.

superdistribution
The willfully uncontrolled distribution of digital goods which generate revenue based on controlling their use, not controlling copying. The first good description of this vision was in the book Superdistribution by Brad Cox in 1996. Today's peer-to-peer systems get the uncontrolled-copying part right, but by leaving out the controlled-usage part, they are seen primarily as agents of piracy. Superdistribution is still a powerful idea but it is technically difficult and its potential has yet to be widely realized. So far, the closest we have come to superdistribution is via OMA-enabled cell phones.
Symbian
An operating system for high-end cell phones owned by a consortium of cell phone manufacturers led by Nokia. The significance of Symbian for DRM is that recent releases of the OS (Symbian 8 and especially 9.1) have powerful Platform Security features such as privilege-based code signing, hardware isolation of processes, and OS enforcement of inter-process security. If leveraged appropriately these can provide superior security for DRM and similar applications.
Symmetric Cryptography
Also known as "secret key" cryptography. A family of cryptographic techniques where the same key is used to both encrypt and decrypt messages. Almost all cryptography was of this type until the discovery of asymmetric techniques in the 1970s. It is still the commonest type of cryptography, implemented via well-known standards such as AES. The biggest weakness of this type of cryptography is in key management: maintaining secrecy of the shared key is difficult, and a community of "N" users would require about N squared keys, which is impractical. Anyone who can read a message can also send another message pretending to be the originator of the first message. Its biggest strength is that it is relatively efficient and so can be practically implemented even on low-cost portable devices, without causing unacceptable processing overhead. In practice most secure systems today rely on some combination of symmetric and asymmetric cryptography.

T

 
Tages
A Copy Protection system for software distributed on CD-ROM or DVD-ROM. It relies on breaking the rules for formatting these disks in such a way that most duplicating programs cannot make perfect duplicates, in conjunction with software that checks for the evidence of such imperfect duplication. Like everyone else in this space, their security has been cracked (see time to crack), and there is no sign that they have protected any major titles recently.
Tamper Resistance
Design principle according to which it is difficult to inspect and modify the internals of a system. In many cases, the system is deliberately designed to stop working altogether in the face of persistent attacks (see fragile). Tamper resistance may be primarily physical, as in the design of smart cards, or it may be logical, as in tamper-resistant software. Usually it is applied in concert with obfuscation.
Tariff
See levy.
Technological Protection Measures (TPM)
Note: See also Trusted Platform Module. A range of technologies used to protect digital content; a general term which encompasses copy protection and its modern descendants. DRM can and should be more than TPMs, though unfortunately, it is not always so.
Tethered
Requiring a direct connection to a server e.g. "calling home" over the Internet. From a security perspective, the more often a system connects directly to the Internet, the more secure it can be. A system which never "calls home" cannot know for sure, for instance, whether the serial number its user typed in was also used by 10,000 other users (see UID). A system which calls home EVERY time content is consumed can be very secure, but the associated nuisance level is unacceptable to many consumers. Finding the right balance of times at which to call home is one of the arts of DRM design.
Thin Client
Networked computing paradigm in which most computation is done on a server and the end user's PC, the "thin client", is basically a dumb input-output device. In enterprise markets, where LANs provide lots of bandwidth and managing desktop PC configurations is a major headache for IT departments, thin client computing technologies from companies such as Citrix Systems are doing OK. In the late 1990s, some startup companies promoted consumer thin-client computing (along with streaming), as a means of simplifying user support and implicitly protecting content as well. This does provide implicit protection for software applications because the applications are actually executed on a server i.e. the code is never present on the client machine. However, much like streaming, the thin-client experience over residential Internet connections was poor, especially considering that the most in-demand applications were graphically-intensive games which required large I/O bandwidth and expensive rendering hardware. Today, except for browser-resident technology such as Macromedia Flash, thin client computing is seen only in the enterprise.
Threat Model
When designing a secure system, a necessary step is to ask and answer the question "secure against what ?". The answer is a threat model - a documented set of hypotheses about who or what will attack the system, and with what skills, resources, and motives. Threat models have three main purposes:
  1. To improve a design's security by anticipating specific attacks and implementing countermeasures in advance.
  2. To anticipate the varying outcomes of "successful" attacks - such as cracks - and their possible impact.
  3. To enable the creation of advance response plans to deal with significant attacks as and when they occur.
Time Shifting
Watching or listening to some media programming at a time other than when it was originally broadcast. Taping a TV program on the VCR or PVR for later watching - while probably skipping commercials - is the most common example. From a copy-protection point of view, time-shifting is just copying. It's very hard to distinguish between a "temporary" copy for later viewing and a permanent one which might be fraudulently redistributed. Between that and the loss of some attention to TV commercials, neither the networks nor the content owners like time-shifting. However consumers have become very used to it and would not easily accept losing the capability. Some recent products, such as PVRs, attempt to support time-shifting while preventing fraudulent copying, but it's a hard problem with a poor security record. See also space shifting.
Time to Crack
A common figure-of-merit for DRM technology and especially copy protection technology: how long it takes before a newly introduced content protection technology is publicly cracked. If it takes an hour, then that technology is unlikely to pay for itself by materially reducing piracy losses. In the PC game business in particular, publishers are privately very realistic about this economic tradeoff. They know that any anti-copy technology will be cracked, and compare how much extra revenue they might get if a hot title remains uncracked for (say) an extra week, vs. the cost of applying that protection. Re-using an existing (which is to say already-cracked) protection scheme is rarely done with major titles, as the time-to-crack reduces to the time required to recognize the scheme and (at most) tweak an existing crack.

In the PC arena, historically the average time-to-crack for major game titles is 5 days, and no popular CD-based title with local protection logic has gone more than 8 weeks. However the days of local protection and physical delivery may be numbered; the Steam-delivered Half-Life went many months without a public crack.

Tiramisu
The Innovative Rights and Access Management Inter-platform Solution. Sigh. Does the world really need yet another group solving the problems of DRM interoperability? I think not. This version is led by the European Commission along with a bunch of academic and commercial partners. The emphasis here is on video within the home. Repeat after me: we do not need any more DRM interoperability organizations which include neither Microsoft nor Apple!
Traitor Tracing
Any of various systems designed to figure out the identity of a "traitor" i.e. the person (or more specifically, the machine) which was responsible for removing the copy protection from a piece of content and distributing the unprotected version, for example via a P2P site. The simple forms of traitor tracing involve Unique Identifiers for the device itself, and/or the owner of the device and/or the specific piece of content in combination with one of the foregoing. Sometimes the simple versions work e.g. the watermark based scheme used for online Playboy pictures is technically effective and has held up in court. More elaborate models exist, notably one for AACS but their value is largely unproven so far.
TiVo
A leading Personal Video Recorder (PVR) made by the American company of the same name. TiVo is notable mainly because they petitioned the FCC to approve their device's ability to provide limited copying and sharing of content in spite of the Broadcast Flag, and won! As described in the Official Ruling from the FCC, several other content-protection technologies were also approved at the same time.
Traceability
The ability to determine the original source of an item of digital content, and possibly the identity of an individual who downloaded - or licensed - an instance of that content item. For example, the Playboy Web site watermarks its images so that Playboy can detect - and prove in court - instances of unauthorized reproduction of their images.
Trusted Computing Group
Formed in April 2003, this industry group has the same key members as the TCPA, below, as per this ZDNET article. It laid to rest the "Palladium vs. TCPA" confusion of 2002 by re-unifying the vendors behind a new banner. It also promises to be about more than PCs. Most interesting of all, it is purportedly NOT about DRM, according to the Web site, which has a consistent tone of putting all the control in the hands of the user. But the whole idea of trusted computing has its skeptics, as in the thought-provoking Can You Trust Your Computer?. Microsoft's implementation, the NGSCB, was to be delivered on Longhorn (now Vista), but most of the NGSCB components have been deferred beyond it.
Trusted Computing Platform Alliance
NOTE: The TCPA was subsumed by the TCG, above, in April 2003.
Trusted Platform Module (TPM)
Note: See also Technological Protection Measures. An add-in security hardware component for PCs currently promoted by the Trusted Computing Group. The TPM provides security primitives including digital signatures, random number generation, protected storage and binding information to the TPM. For the TPM to be useful the PC must have related support in its BIOS and, preferably, Operating System. Currently, several manufacturers (e.g. Infineon, Atmel and Wave Systems) manufacture such modules. However in a classic chicken-or-egg dilemma, the main driver for uptake of TPMs, Microsoft's NGSCB, appears to be stalled.
Basically, the TPM amounts to a Black Box inside every PC, which could be used for some purposes which are clearly good (e.g. increasing the security of corporate desktops) and some which are worrisome (e.g. enforcing draconian copy protection or preventing the installation of software not "approved" by Microsoft.) The related controversy may have influenced Microsoft's decision not to include NGSCB in Vista.
Try Before You Buy (TBYB)
A business model where consumers can try a product for free or at very low cost, with some restrictions, before deciding whether to buy it. If the product is software or media, the trial restrictions (such as limited time use, feature restrictions etc.) are often enforced by a DRM system. Sometimes - especially in 1990s PC games, when demos almost always used CDROM delivery - these "demo" versions were actually crippled full-function versions, which could be turned into free full-function versions by application of a crack easily found on the Internet. TBYB is well established in some areas, particularly PC games. Part of the appeal is that the TBYB / DRM functionality can be self-contained within the demo application, and not require users to update media players or otherwise take extra steps which are inconvenient and possibly invade their privacy. This and similar models are showing some commercial successes with the help of well-designed DRM systems.
Trygames
A Web site run by Trymedia which serves as an aggregation point for PC games treated with their DRM technology.
Trymedia Systems
A California-based DRM technology provider whose main focus is the PC game software business. They are notable for surviving long enough, and having solid enough technology, that Macrovision acquired them in summer 2005. Their "active watermark" technology uses instance variations for DRM purposes and is thus suited best to a download delivery model. Despite some other software-DRM-related acquisitions in the past, Macrovision has yet to make a significant dent in the software DRM market. It seems they are serious this time, especially for the games market.
TTR
A New York-based provider of copy-protection technology bought by Macrovision in November 2002 following earlier strategic investments. Audio CD copy protection leveraging their "SafeAudio" technology was apparently the main goal.

U

 
Unique Identifier (UID, GUID)
A "magic number" associated with a hardware item, software application, user, or item of digital content. If the number is guaranteed to be globally unique it is called a "Globally Unique IDentifier" or GUID. Many UID schemes have nothing to do with computers or DRM, such as telephone numbers, mailing addresses, credit card numbers etc. In the computer arena, the best known UID schemes are the 32-bit Internet Protocol (IP) address space, the globally unique 48-bit physical address of a PC's Ethernet card, and one from Microsoft which uses the latter 48-bit addresses as a basis for software-created GUIDs. GUIDs generated controversy in the late 1990s when it was discovered they were routinely inserted into Microsoft Word documents, providing traceability of the documents whether the originator wanted it or not. (In fairness, this only became publicized when this same traceability was used to track down the author of a nasty computer virus.)

GUIDs arise in DRM: for example, Microsoft gives your PC a GUID if you use protected content in Windows Media Player, and the music industry purportedly uses the GRID system for content identification. User-associable UIDs are of legitimate concern to privacy advocates and led, for example, to Intel's CPU Serial Number Fiasco.
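The traceability concern described in this entry can be checked mechanically. The following Python sketch is an added example, not code from the original page: it assumes the RFC 4122 version-1 GUID layout (timestamp plus 48-bit node), which is the MAC-based form, and scans text for GUIDs that disclose a hardware address and a creation time. All sample values and function names are constructed for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 timestamps count 100 ns ticks since the Gregorian calendar reform.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
GUID_RE = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")


def make_v1_guid(node, when, clock_seq=0x1234):
    """Build a version-1 GUID from a 48-bit node and a UTC time (sample data only)."""
    delta = when - GREGORIAN_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10
    return uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                   # time_low
        (ticks >> 32) & 0xFFFF,               # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,    # time_hi with version nibble 1
        0x80 | ((clock_seq >> 8) & 0x3F),     # clock_seq_hi with RFC 4122 variant
        clock_seq & 0xFF,                     # clock_seq_low
        node,
    ))


def trace_info(guid):
    """Return what a GUID discloses, or None if it is not time-and-node based."""
    if guid.variant != uuid.RFC_4122 or guid.version != 1:
        return None
    mac = ":".join(f"{(guid.node >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))
    return {
        "guid": str(guid),
        "created": GREGORIAN_EPOCH + timedelta(microseconds=guid.time // 10),
        "mac": mac,
        # RFC 4122 sets the multicast bit of the first octet on random node IDs,
        # so a cleared bit means the node is a real network-card address.
        "hardware_mac": ((guid.node >> 40) & 0x01) == 0,
    }


def find_traceable_guids(text):
    """List every GUID in text that ties the data to a physical machine."""
    findings = []
    for match in GUID_RE.finditer(text):
        info = trace_info(uuid.UUID(match.group(0)))
        if info is not None and info["hardware_mac"]:
            findings.append(info)
    return findings


# Constructed sample input: one MAC-based GUID, one random (version 4) GUID,
# and one version-1 GUID whose node is random (multicast bit set).
SAMPLE_TIME = datetime(1999, 3, 26, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_V4 = "3f2b8c1e-5d4a-4e9b-a1c7-9d0e6f2b7a10"
SAMPLE_TEXT = "\n".join([
    f"doc-id={make_v1_guid(0x001122334455, SAMPLE_TIME)}",
    f"session={SAMPLE_V4}",
    f"cache-key={make_v1_guid(0x0B5E9A3C7D21, SAMPLE_TIME)}",
])

if __name__ == "__main__":
    for finding in find_traceable_guids(SAMPLE_TEXT):
        print(finding["guid"], finding["mac"], finding["created"].isoformat())
```

Only the first identifier is reported: it carries both the network card's address and the moment it was minted, which is exactly the linkage privacy advocates object to.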
Usage Control & Usage Rights
Since copying cannot be effectively controlled, a superior approach is to forget traditional copyright and copy control, let copying happen anyway, and control the USE of digital goods. That is, playing the video game or watching the video. This approach is not a silver bullet - security is still hard to do well, for example - but at least it works WITH, not AGAINST, the key characteristics of the Internet. The same networks which make worldwide copying easy can also make "calling home" to acquire usage rights easy. This was the philosophy of the too-far-ahead-of-its-time NetActive, but is now getting mainstream consideration, for example in the Content Reference Forum.
usenet
An Internet-based collection of user-submitted notes or messages on various subjects that are posted to servers on a worldwide network. Usenet predates the World Wide Web and usenet support is being dropped by many ISPs. Younger Internet users tend not to know of it, although they may see it indirectly through Web-based intermediaries such as Google groups. Usenet has been important to DRM as it serves as a discussion and exchange forum both for developers (e.g. group "sci.crypt") and for hackers (e.g. group "alt.2600.cracks").

V

 
Valenti, Jack
Jack was chairman of the MPAA for nearly four decades, from the 1960's until after the turn of the millennium. He was friend to presidents going all the way back to Lyndon Johnson, and epitomizes the extreme political savvy that has enabled the American entertainment industry to largely dictate (for example) copy-protection technologies to much larger industries, such as PCs and consumer electronics.
Vbox
A digital wrapper ("Virtual box") DRM technology invented by Preview Systems and acquired at Preview's demise by Aladdin.
VC-1
The SMPTE designation for Microsoft's Windows Media Player 9 codec, which Microsoft in effect gave away to help it become a designated video format in next-generation Consumer Electronics. In this form the codec does not use Windows Media DRM, but instead will use whatever DRM a platform, such as a Blu-Ray player, might have. This looks like a smart move to stimulate adoption on Microsoft's part, but suspicion of them is rampant as per this EETimes article. Licensing issues involving a dozen or so patent holders are now in the SMPTE's lap, and could take a very long time to resolve into one known-cost license for implementers. The alternative, the MPEG-4 version of H.264 which is already specified in addition to the MS codec for next-generation video players, is claimed by some to be technically superior and no more complicated from a business point of view.
Video Content Protection System (VCPS)
Anti-copy technology from Philips (or at least licensed by them), mandated by the FCC, to prevent DVD recorders from recording broadcast television programs if the Broadcast Flag prohibits it. (If the broadcast flag ever gets legislatively revived anyway.) This is a nice gig if you can get it - having the government dictate that your technology must be used in a certain space. Someone at Macrovision must be very unhappy.
Vista (Windows Vista)
The retail name chosen by Microsoft in summer 2005 for their current Windows operating system release, previously known by its codename Longhorn. Vista does not include hardware-based security a la NGSCB but does include a number of significant DRM-related software technologies, such as PVP-OPM.

W

 
warez
Net slang for stolen digital content - typically software. Warez involves redistributing entire software applications, not just cracks. Warez has only become a significant concern from a DRM perspective in the last few years. In the 1990s, cracks were much more a threat of concern because:
  1. Warez were much larger than cracks: say, 500 MB vs. 5 KB. So, they were impractical to redistribute using narrowband Internet connections, and physical copies were expensive and difficult to make.
  2. Warez was clearly illegal whereas cracks were arguably not.

Because of this, warez distribution was a relatively marginalized activity.

Recently however, broadband Internet access and ubiquitous CD burners have removed the size barrier, and the DMCA arguably makes cracks and cracking just as illegal as warez, at least in the USA. As a result, current DRM and security technology addresses both warez and cracks; they are just different parts of the relevant threat models. For the same reason, both warez and cracks are getting harder to find on the Web as sites are regularly shut down, and are relegated to the Darknet e.g. certain corners of Internet Relay Chat.
There are some prosecutions for dealing in warez; here's a typical American Warez Incident.

Watermarks, Digital Watermarks
Watermarking, a type of steganography, is the insertion of (usually) hidden data such as copyright information, into visible data such as a JPEG image. There are various kinds of watermarks, depending on the purpose of the embedded data, whether it is the same for each instance of a given content item, whether one or both of the signals are analog vs. digital, how subtly the data is embedded, and how visible the data is. In 2003, watermarks enjoyed something of a resurgence - at least at the announcement-ware level - see for example Light Weight Digital Rights Management and Signet Screener. More detail may be found on the DRM Technology Page.
Wave Systems Corporation
A New England based company which has been pursuing a hardware-assisted version of the superdistribution vision for over a decade. They are driven by the Sprague family, members of the New England establishment who have a history of technological inventiveness going back more than a century. This is a good thing, as they have mostly been way too far ahead of their time to make a profit. Recently the world has come around more to their hardware-assisted security vision, and they are key players in the Trusted Computing Group.
Wedge
A piece of software designed to capture protected content in an unprotected form, as it goes by "in the clear" in the process of transport or playback. In the PC world, a typical wedge program is a device driver which "wedges" itself into the path between audio player software drivers and the PC sound card to intercept audio. The appeal of a wedge attack is that it completely side-steps the encryption and other security technology: the DRM system (in, say, a demo mode) does the decryption work, and the hacker only steals the result. The only ways to prevent wedge attacks are either to have hardware decryption on peripheral cards with no cleartext present in software, or to establish an unbroken chain of "trusted" drivers, and prevent users from installing untrusted drivers which could be wedge programs. Secure Audio Path from Microsoft is an initiative to do the latter.
Weedshare
An interesting attempt at superdistribution for music files. Weedshare's creators are evidently Seattle-area musicians. Wisely - and unusually for the field - they have chosen to innovate ONLY on the superdistribution business model, and use third party technology for the rest: Paypal for payments and Microsoft Windows Media Player for DRM. Payments are split between the artist and those who distribute the songs. If users can get past the paranoia induced by having Windows Media Player get their PC a UID from Microsoft, and also past the notion of actually paying for music, it may well take off.
White Box
A component whose boundaries are well defined and whose inputs and outputs can be observed (and perhaps the inputs manipulated), and which also has internals which can be observed and possibly manipulated. It is very difficult to implement a system with robust security on a white box platform. (Indeed, from an academic/mathematical perspective, many would say it is impossible, depending on the system's objectives.) The PC is a classic white box, which is one of the reasons that content protection on PCs is extremely hard to implement robustly. It is also one of the reasons that PCs are fantastically versatile, ever-improving, general-purpose machines. Turning them into closed black boxes might make some content owners happy but would be an unacceptable price for most PC users. Some PC security initiatives such as NGSCB amount to putting little black boxes inside the PC.
White Hat
A hacker with benevolent intent. That is, someone who possesses the technical skills to invade systems, defeat protection mechanisms, etc. but who uses them only for "good" reasons e.g. helping companies assess and improve their security. Some white hats are security consultants who used to be black hats. There's even an official certification for white hats called "Certified Ethical Hacker". Of course, there is debate about what is "good". For example, some people feel that publicizing security vulnerabilities which have not been fixed is irresponsible, while others argue that it is the only way to get some corporations to improve the security of their products in a timely fashion.
Windows Media Audio (WMA)
The de-facto standard audio codec from Microsoft, which makes use of the DRM capabilities of Windows Media Player 9. With tens of millions of PCs deployed with Windows XP and Windows Media Player 9, WMA is quickly becoming the automatic choice of on-line PC music providers. No one thinks their technology - including DRM - is especially inspired, but Microsoft has inherent advantages, like OS bundling, intimate knowledge of internal security capabilities, and long-term stability. RealNetworks is the only other viable choice and, if Rhapsody is any indication, the only way they can count on being used by an on-line music service is by buying it ;-).
Windows Media Data Session Toolkit
An initiative from Microsoft in the Audio CD anti-copy arena. It appears to be just a business spin on a long-known capability: putting compressed, protected media (in WMP 9 format, in their case) on the second session of a multi-session CD-ROM where the first session contains conventional Red Book audio. The supporting argument is that the Red Book audio session can then be protected by proprietary audio anti-copy systems (such as those from Sunncomm), which are otherwise considered unacceptable by users today. What makes it acceptable in this case - the story goes - is that the lost features (inability to listen on a PC, inability to copy) are more than made up for by replicating all of the material - and perhaps more - in PC-friendly formats on the second session. Of course, the second session will be in a proprietary, protected format. It's not clear that Microsoft has a killer differentiator which will make this a compelling approach.
Windows Media Player
The dominant media player system from Microsoft. Windows Media Player includes DRM capability which, because Microsoft is the 800-pound gorilla in this space, is the choice of most PC media content providers. Microsoft has inherent advantages, in that it owns the operating system and can also exert considerable influence over peripheral manufacturers e.g. to include crypto functions on sound cards. This same dominance - and anti-Microsoft bias among parts of the "techno-geek" community - also ensures that Microsoft DRM security is subject to relentless attacks. The security has stood up quite well nonetheless, with no major cracks in the last couple of years. This system does not provide DRM for software, only media.
WMDRM-ND
Windows Media DRM for Network Devices, a Microsoft proprietary architecture for protecting media streamed over digital packet point-to-point links within the home e.g. from one "Network Device" such as a computer, to another network device such as an IP set-top box. Of course, the content has to be protected inside the boxes as well. To this end Windows Media Player 11 supports a content export API for source devices and a corresponding content import API for sink devices. This enables an all-Microsoft solution - which could be a good thing or a bad thing depending on your point of view. Its main competition is DTCP. The source is dubbed WMDRM-NDT (Network Device, Transmitter) while the sink is WMDRM-NDR (Network Device, Receiver).
WMDRM-PD
Windows Media DRM for Portable Devices, a Microsoft proprietary architecture for distributing and playing protected media on portable devices such as handheld music players. This has a well-defined content ecosystem with a comprehensive architecture rooted in Windows Media Player 10 ("Janus"), which can be licensed by third-party manufacturers who agree to abide by the required Robustness and Compliance rules. Through the use of reliable clocks, this ecosystem supports time-based subscriptions on portable devices - something iTunes can't do. It all sounds good on paper, but it could never come close to Apple's legendary ease of use. To make matters worse, Microsoft introduced their own non-compatible Zune player in 2006. In 2007 they rolled out the next generation technology, PlayReady, though WMDRM can still be licensed as well.
Windows Rights Management Services (WRMS)
Announced in February 2003 (a slightly more recent press release can be found here) and based on Windows Server 2003, this is the first time that Microsoft offered DRM capability which supports the development of DRM-controlled applications by third parties. It is a separate development from their consumer/media DRM and focuses on the enterprise secure document distribution using "protected html" (.rmh) files. This has the advantage of not requiring anything special (at least, once the right browser components are distributed) on the receiving end-user system to consume protected content. This is causing re-alignment for incumbent vendors in this space, such as Authentica.
wrapper
A common paradigm for digital content protection, in which a digital asset in some known form such as MP3, Win32 *.EXE or MS Word *.DOC, is "wrapped" using cryptography so that it can only be accessed with the help of an "unwrapping" agent that knows the key. Typically these agents are not stand-alone programs but are "behind-the-scenes" and automatically invoked - in systems where they have been installed - when the affected files are accessed in the "normal" e.g. point-and-click fashion. Almost all media-protection schemes use wrappers, which means that to obtain any useful level of security they must build in countermeasures to attacks such as key discovery and wedges.

X

 
xBox
Microsoft's original entry into the video game console market. Although game consoles are not a primary focus of this site, the original xBox is interesting from a security technology point of view. It is a direct architectural descendant of the PC, with modifications in three broad areas: cost, fixed-function simplicity, and security. So as to be more robust, the xBox is partly a black box i.e. security is implemented in hardware as well as software. It will only run applications signed with a 2048-bit(!) private key which could only be worked around by using a hardware modchip. For a while the Neo Project was trying to co-ordinate a distributed cracking exercise for this key, but they were reportedly set on by Microsoft lawyers, and anyway if they did the math they'd have known it was futile (see brute force attack.) Anyway, hackers later figured out how to run unsigned code without a modchip. In addition the xBox uses encrypted boot blocks and an encrypted kernel, with some "fake" FLASH BIOS data replaced at run-time with code hidden in the hardware of the "south bridge" bus chip. More detail on this can be found in the following paper by an MIT Student.

The bottom line is that, although Microsoft was reasonably diligent in the xBox's security design, the hacker community has an amazingly high level of skill and loves to attack Microsoft. Concern about security is probably one of the factors leading to changes in the current xBox 360, such as the use of a non-Intel processor.

xCP -eXtensible Content Protection

An interesting foray by IBM into domestic DRM as described in this Internet News article. It's not clear whether it's progressed much from the spring 2003 lab demo, but the idea is intriguing: a way to enable unfettered "domestic" fair use by grouping networked domestic devices into a single DRM domain. This doesn't match the current notions of fair use very well, but it's at least an interesting idea along the lines of aligning a reasonable notion of fair use with something technologically verifiable.

XMCL - eXtensible Media Commerce Language
A proposed XML-based rights-expression standard from Real Networks. It seems all they wanted was a press release - Real Networks never really tried to establish it as a serious competitor to XRML. It was submitted to the W3C, but went no further.
XRML - eXtensible Rights Markup Language
An XML-based standard Rights Expression Language. Notable as a rare example of industry consensus in the DRM world, it was created by ContentGuard and is endorsed by Microsoft, which is part-owner of ContentGuard. For more information see our DRM Standards page entry for XRML and the DRM vendor page entry for ContentGuard.

Y



Z

 
ZipLock
A legacy Electronic Software Distribution (ESD) technology developed in the mid 1990s by Portland Software. Portland Software and ZipLock were absorbed by Preview Systems in 1998, which in turn was absorbed by Aladdin. ESD by itself (i.e. without value-add such as DRM) is pretty much dead.
Zune
Microsoft's attempt at an "iPod Killer". The Zune is NOT compatible with the existing Windows Media ecosystem, even though it is close enough that such was clearly a technical possibility, and Microsoft does not license Zune technology for use by others, unlike WMDRM. It has not been very successful in the marketplace and has served to alienate potential partners who might otherwise have produced WMDRM-PD devices. The device itself is decent enough, featuring (for instance) wireless synching and sharing. However, Apple has taught the world that the whole end-to-end experience counts, and Microsoft appears not to have caught up yet.


Disclaimer

Gord Larose, author of these pages, was employed by NetActive and invented much of their key technology. NetActive is no longer active so Mr. Larose is no longer associated with the company. Gord is currently employed by Cloakware, but this site is maintained with his own time and resources, and remains an objective source of insight on the DRM landscape.