Hi all,
I'm working for a new employer who wants to post new web content such as documents and media. The issue is ensuring the media isn't distributed after its purchased. How can make it more difficult to distribute and copy our companies products?

In my personal opinion, don't do it. DRM only creates trouble for legitimate consumers (see Spore fiasco) and doesn't stop unauthorized distribution. Those who want to share will find a way to crack the DRM anyway (see Ubisoft fiasco).

See http://en.wikipedia.org/wiki/Digital_rights_management#Controversy

Dude, talking about using DRM to linux people is like talking about eating steak to PETA people.

Dude, talking about using DRM to linux people is like talking about eating steak to PETA people.

LOL. Perfect analogy. :)

Dude, talking about using DRM to linux people is like talking about eating steak to PETA people.

:lolflag:

Hi all,
I'm working for a new employer who wants to post new web content such as documents and media. The issue is ensuring the media isn't distributed after its purchased. How can make it more difficult to distribute and copy our companies products?

DRM will hinder and inconvenience your customers.

those interested in stealing the content, will do so anyways. or do you think an employee of your company is smarter than the smartest black hat hacker on the planet? all it takes is one person breaking the DRM and telling the world.

once that is done, it will be easier to steal your content than to purchase the content with its DRM.

once the bootleg version of your product is superior to the legal version (they are identical, except the bootleg one no longer has DRM), why would anyone purchase it legally?



what content is your company producing? there is probably a way to both respect your customers and get paid.

a method you could use is to tag a file with a unique id each time it is purchased and include legal ramifications if the file is shared without the consent of your company, or even provide a unique serial number rather than a randomly generated one. Both methods could potentially be evaded.

There really is no perfect method of DRM however if the content is of high enough quality I would hope that enough people would recognize that and the profit would be within acceptable values.

The question of quality of product is one that seems to be completely overlooked by many of the companies implementing DRM today, it seems so much focus has shifted to how can we lock down are content vs how can we make our content stand out. I am a firm believer that if you focus entirely on making a product of the highest possible quality the money will eventual flow in your direction however not in the high quantities we are used too seeing in the big corporations today but enough that the main individuals of the company would be considered "well off"

DRM makes people to pirate more especially those who see it and IP as stupid and ********.Many pirates admit it.

DRM makes people to pirate more especially those who see it and IP as stupid and ********.Many pirates admit it.

Pirates, huh? Downloading software in violation of current Corporate-sponsored laws is the same as attacking ships at sea? This is an offensive and derogatory term. you may as well use the word "Rapist" to describe people that litter.

(not picking on you, sir, just the term in general. i've slipped and used it myself, from time to time. when i do, it makes me want to punch myself in the face.)


Anyways: When something is only available with DRM, I try to avoid it. When I really want it, I admit that i will cave and purchase it.... and then obtain the copy i actually use from non-official sources. After purchasing the product, I consider that particular copy to be my "Fair Use Backup."

I have box that has "Spore" written on it somewhere in a box in the garage, still in it's shrink-wrap. I enjoy the game thoroughly.

If you don't want it to be distributed why is it "web content?" Putting someone on the Internet guarantees that it CAN be distributed. If your company doesn't want it distributed, don't make it easily available to get hold of on the Internet.

However, if you are simply worried about attribution, you could try to find a way to "stamp" the documents/content. Then, if it ever comes up again, everyone should be able to see it belongs to your company. If it is a document, put a copyright in a footer on all the pages and use meta-data to place info about your company on it. If it is a picture, put the copyright in the bottom corner. Then, anyone who gets a copy will know it is from your company.

Honestly, don't bother with DRM. Just put a notice saying that people aren't allowed to copy the materials. If they are honest people, they won't. If they are dishonest, they will. DRM wouldn't have stopped them anyway.

Dude, talking about using DRM to linux people is like talking about eating steak to PETA people.

Yeah, I know. Ive spent alot of time removing the stops for drm media, but have never had to engage using it. Still, the job calls for it. If theres a better solution, I really want to know what it is.

in windows I use "TuneBite"
in linux I don't know

If you don't want it to be distributed why is it "web content?" Putting someone on the Internet guarantees that it CAN be distributed.

The web content component is available after purchase. I can make that step fairly secure. Its what to do once it leaves the sever.

The whole purpose is to stop printing dvds and shipping them. (or reduce that) The Company is enticed at the idea of not buying dvds, or doing shipping, and providing customers with instant access to thier purchase, but scared of having the media stolen over the interwebs. Somehow, interweb theft is more "Real" to them than the prospect of a customer purchasing a dvd, waiting a week, and then burning a dozen copies to give to all their friends.

I thought about creating some sort of encryption access but it seems troublesome to anyone using the media.

Honestly.
-ugh.

If theres a better solution, I really want to know what it is.

what is your product, exactly?

The web content component is available after purchase. I can make that step fairly secure. Its what to do once it leaves the sever.

The whole purpose is to stop printing dvds and shipping them. (or reduce that) The Company is enticed at the idea of not buying dvds, or doing shipping, and providing customers with instant access to thier purchase, but scared of having the media stolen over the interwebs. Somehow, interweb theft is more "Real" to them than the prospect of a customer purchasing a dvd, waiting a week, and then burning a dozen copies to give to all their friends.

I thought about creating some sort of encryption access but it seems troublesome to anyone using the media.

Honestly.
-ugh.

I see.

Heh, if your company wants to save money in the long run, they could higher some programmers to make a proprietary content displayer/player/loader and all the files could be proprietary binaries that only work with the player. Then, you could give each binary file an ID code associated with the purchaser. This ID will also be found in the player and it would be checked before playing so you can only use the purchased content with the appropriate player. Also, have the player store data about the user's computer so, if the computer changes, the player doesn't work. No player, no content. All you have to do is secure the player then.

However, if you are concerned about convenience for the consumer then my convoluted plan may not be the best course of action. :P

Good luck to you on your project, though. I hope you're able to come up with a good solution.

so you can only use the purchased content with the appropriate player
Well, nice idea.. But wouldn't it be difficult to determine when a playback is legit or not?
Despite this, I think that a "fair" use of DRM can be somehow reached, anyway.

Let's start saying that the company should provide encrypted files.
Each user+video couple has to have a different key (meaning that if I purchased 3 videos I should have 3 different keys, and if the same video is purchased by 2 people, they should have different encrypting keys).

Then, first of all, we need an online database (hosted by the company selling videos) in which are stored all the users (with their login passwords) and with the list of the content they've purchased (with also a key to decrypt files, specific for any user+video entry).

Then, we need a "standard" player (which means it's NOT user-specific) that requires a login to play videos.

The player will work like this: it has to require the insertion of an user ID (and of a user password) every time is started. Upon insertion, the player will look up the online database to see if the content the user is trying to play is allowed (has been regularly purchased).
Then, the player will require an OTP (http://en.wikipedia.org/wiki/One-time_password) to be inserted. If the OTP is wrong, the player will just refuse to play the video.
If the OTP is right, the player should be sent information to decrypt the video and then should play it.

Downsides of this method are that an OTP is required for any user (which can be costly, I really don't know how much it costs though) and that an internet connection is required to play videos (this renders impossible playing videos for example on a car while driving).
Additionally, I don't know how decrypting the video "on-the-fly" can impact on system performance (maybe it's something that takes just a couple of seconds, I'm prone to think so, but I don't know it for sure).

I don't know whether this is feasible (I'm not that deep into encryption, the only thing I know is that OTP is widely used as an authentication form even if I don't know the effective costs of it). Any other thoughts?

PS:
Something I've been thinking about after I completed the post is that the OTP method only applies if the site requests some kind of subscription (so the OTP can be sent to the subscriber once he registers, but can even take a week before the OTP is actually delivered in the customer's hands and you have to rely on posts or on private delivery service). So, it may not be the case if what the company offers is a "one-off" download that comes immediately.

If you don't want it to be distributed why is it web content?
...

Exactly.
You're putting your data onto the biggest and most efficient public data distribution system ever imagined by man. What do you think will happen?

Your best bet would be to make wide distribution of your documents a GOOD thing for your company, but if you (your boss) insist on going down the rather futile ''closed'' path, I suggest you make the files only viewable online, on your website.

I suggest you make the files only viewable online, on your website.
He stated that the content is made of videos, or did I understand wrong?
If so, live streaming each time you want to see it may not be the appropriate solution.

Let's start saying that the company should provide encrypted files.
Each user+video couple has to have a different key (meaning that if I purchased 3 videos I should have 3 different keys, and if the same video is purchased by 2 people, they should have different encrypting keys).

Then, first of all, we need an online database (hosted by the company selling videos) in which are stored all the users (with their login passwords) and with the list of the content they've purchased (with also a key to decrypt files, specific for any user+video entry).

Then, we need a "standard" player (which means it's NOT user-specific) that requires a login to play videos.

The player will work like this: it has to require the insertion of an user ID (and of a user password) every time is started. Upon insertion, the player will look up the online database to see if the content the user is trying to play is allowed (has been regularly purchased).
Then, the player will require an OTP (http://en.wikipedia.org/wiki/One-time_password) to be inserted. If the OTP is wrong, the player will just refuse to play the video.
If the OTP is right, the player should be sent information to decrypt the video and then should play it.


OMG I wouldn't buy anything that came with so much fuss to play. The idea was that download would be easier than buying a DVD. But this kind of scheme makes it all much more complex, and much less likely that I would want to play the content.

OP: forget DRM or copy protection. It's simpler, less offensive and just as effective to rely on customers' honesty. There aren't a huge number of content thieves out there, despite what the RIAA and its kind say.

OMG I wouldn't buy anything that came with so much fuss to play. The idea was that download would be easier than buying a DVD.
Exactly what I thought after posting the OTP idea. But well, it had already been posted so I thought it was just useless deleting it.
As I said, if the company plans to offer a kind of subscription OTP can be used, otherwise it's too slow and totally useless: why would I want to wait a week (time to get the OTP) to view a movie that I'm currently downloading and what I've alredy paid for?

The web content component is available after purchase. I can make that step fairly secure. Its what to do once it leaves the sever.

The whole purpose is to stop printing dvds and shipping them. (or reduce that) The Company is enticed at the idea of not buying dvds, or doing shipping, and providing customers with instant access to thier purchase, but scared of having the media stolen over the interwebs. Somehow, interweb theft is more "Real" to them than the prospect of a customer purchasing a dvd, waiting a week, and then burning a dozen copies to give to all their friends.

I thought about creating some sort of encryption access but it seems troublesome to anyone using the media.

Honestly.
-ugh.

Use passive protection instead of active protection: Rather than trying to make it difficult or inconvenient to copy, simply have the server put a digital signature on the content as it goes out the door, and record which customer got which signature. Then, if illegal copies end up on the internet, you look at the signature and compare it against your records. You then know who to take legal action against.

Pros: Easy to implement, doesn't inconvenience honest customers. Catches casual copiers easily.

Cons: Possible legal/privacy issues? Trivial to get around once found out.

Specifically, WRT the legal issues (get together with your legal team and see how many of these are real concerns, since IANAL):

*Possible legal issues with associating the signature with the customer, as it means keeping data on the customer. Probably just name and address would be sufficient though, and since my name, address, and phone number can be found in the telephone book, I personally wouldn't be too concerned with that (I have no idea what the law says, though). If you're already keeping that info anyways (for one reason or another), this should not be a big problem.

*The person who made the download may have used a stolen identity. The signature should make for a fairly open and shut case in most cases, but care is needed when bringing legal action so that in cases where identity theft is involved you don't cause more trouble for people who have already been inconvenienced.

*To be of any use (lest the customer simply change the signature), this scheme would have to be under the radar. There might be issues with keeping the name and address of customers and not telling them that you're doing it (and telling them would make it useless). Again not a problem if you're already keeping that info.

This, when they 'buy it', they dont really have a copy. Keep it online accessed thru a password username system.
Let them be able to print out a hard copy. But access to the original is password protected. This is ok, as long as your server stays up.

It could get more complex here like
Give the document out only to one system buyer at a time. If the password is stolen, then if the original buyer cant get in to see it because someone else is seeing it, give them the opportunity to change the password and gain access. But hard to identify their computer or is it? Use email verification

Use passive protection instead of active protection: Rather than trying to make it difficult or inconvenient to copy, simply have the server put a digital signature on the content as it goes out the door, and record which customer got which signature. Then, if illegal copies end up on the internet, you look at the signature and compare it against your records. You then know who to take legal action against.

Pros: Easy to implement, doesn't inconvenience honest customers. Catches casual copiers easily.

Cons: Possible legal/privacy issues? Trivial to get around once found out.

Specifically, WRT the legal issues (get together with your legal team and see how many of these are real concerns, since IANAL):

*Possible legal issues with associating the signature with the customer, as it means keeping data on the customer. Probably just name and address would be sufficient though, and since my name, address, and phone number can be found in the telephone book, I personally wouldn't be too concerned with that (I have no idea what the law says, though). If you're already keeping that info anyways (for one reason or another), this should not be a big problem.

*The person who made the download may have used a stolen identity. The signature should make for a fairly open and shut case in most cases, but care is needed when bringing legal action so that in cases where identity theft is involved you don't cause more trouble for people who have already been inconvenienced.

*To be of any use (lest the customer simply change the signature), this scheme would have to be under the radar. There might be issues with keeping the name and address of customers and not telling them that you're doing it (and telling them would make it useless). Again not a problem if you're already keeping that info.


I like the idea of individual accountability the best, and so does the management.

Okay, sounds good. There's no point in making DRM, since people will circumvent it, anyway. They tend to be MORE honest when you don't force it on them. When there's little resistance from vendors, consumers feel obligated to give the company the same rights, or at least more often than when a company, "tries to tell me what to do with what I legitimately bought! D:<"

You're likely to get more of a following if you don't make it difficult or worrisome for people to enjoy their content.