Enhancing Rights Management Systems
Through the Development of Trusted Value Networks
Víctor Torres¹, Jaime Delgado¹, Xavier Maroñas¹, Silvia Llorente¹ and Marc Gauvin²
¹ DMAG (Distributed Multimedia Applications Group)
Universitat Politècnica de Catalunya, Jordi Girona, 1-3, 08034 Barcelona, Spain
Universitat Pompeu Fabra, Roc Boronat, 138, 08018, Barcelona, Spain
² NetPortedItems S.L., Sol Naciente 10, 03016 Alicante, Spain
Abstract. In this paper, we present an innovative architecture that enables the
digital representation of original works and derivatives while implementing
Digital Rights Management (DRM) with the aim of focusing on promoting trust
within the multimedia content value networks rather than solely on content access
and protection control. The system combines different features common in
DRM systems such as licensing, content protection, authorisation and reporting
together with innovative concepts, such as the linkage of original and derived
content and the definition of potential rights. The transmission of reporting requests
across the content value network combined with the possibility for authors
to exercise rights over derivative works enables the system to determine
automatically the percentage of income corresponding to each of the actors involved
in different steps of the creation and distribution chain. The implementation
consists of a web application which interacts with different external services
plus a user application used to render protected content. It is currently
publicly accessible for evaluation.
1 Introduction
The aim of this paper is to describe a web-based system for the registration of content
providing traditional DRM functionality as well as some innovative features. The
proposed system, called IPOS-DS (Intellectual Property Operations System - Digital
Shadow) [1][2], is about managing user creations and the information they own, and
provides users with the necessary technology to easily spread user-generated
content in a trusted and protected manner.
For this purpose, IPOS-DS has proposed and implemented in a single web-based
platform a set of innovative features, which are not present in existing DRM systems.
IPOS-DS relies on the relationships and entities that are being standardised in the
MPEG-21 Multimedia Value Chain Ontology (MVCO) [3].
Torres V., Delgado J., Maroñas X., Llorente S. and Gauvin M. (2009).
Enhancing Rights Management Systems Through the Development of Trusted Value Networks.
In Proceedings of the 7th International Workshop on Security in Information Systems, pages 26-35
DOI: 10.5220/0002196300260035
Copyright © SciTePress
2 Background
2.1 Value Chain and User Roles
The creation value chain concept refers to the user roles that participate in content
creation and distribution and to the operations they can perform over the content
during its lifecycle, determining how the digital content evolves from the creator’s
original work to become digital that can be consumed by an end user.
IPOS-DS value chain is based on the Digital Media Project (DMP) [4] Creation
Model [5]. Figure 1 represents the relationship between the user roles and the content
lifecycle, from the original work in the mind of the creator to the content consumed
by the final user. User roles are represented by rounded squares, which contain the
role name together with the different content types they can create and register. The
label in each arrow describes the type of content that relates two user roles. Next we
describe the evolution of content during its lifecycle.
- Work. A creation that retains intellectual or artistic attributes, i.e. the underlying
concept of an artistic work (a song, a play, etc.). It defines the common core that
identifies the physical representation of a Work.
- Adaptation. The modification of an original work made by an adaptor and
authorised by the creator (or the corresponding rights holder).
- Manifestation. The physical representation of an original work or an adaptation
subject to representation in digital form. Depending on the kind of work it may
take on many different forms, an example being a recorded song (in digital or
analogue format), a manuscript, a music score, etc.
- Instance. A stylised expression of a manifestation such as a performance of a
score that may or may not be on a support such as a media file.
- Copy. A content item available to other users as a commercial product.
Fig. 1. Content lifecycle and user roles.
2.2 Rights and Actions
Content managed by the different user roles in the value chain holds Intellectual
Property (IP) rights. The rights that can be associated to the different IP Entities are
defined by DMP’s Represent Rights Data (RRD) [6]. RRD defines the relationship
between IP Entities present in the creation model with user roles and actions. For the
formalisation of this ontology, the Ontology Web Language (OWL) is used.
In RRD, actions refer to both those that may be applied over digital objects as well
as those that may not. The result of some actions may imply the creation of a new IP
Entity. This is the case, e.g. of the action MakeAdaptation, which generates a new IP
Entity called Adaptation. On the other hand, other actions do not suppose the creation
of a new IP Entity. This is the case, for example, of the action Play, which grants
permission for rendering the IP Entity. For a complete list of actions refer to [6].
3 IPOS-DS Key Concepts
3.1 Content Format, Lineage and Ownership
The content representation format adopted to represent objects is the DMP Content
Information (DCI), as defined in the DMP Interoperable DRM Platform 3 (IDP3) [6].
This format is based on the MPEG-21 Digital Item Declaration (DID) [7], which
consists of an XML-based language used to convey the object’s metadata and the content.
Nevertheless, IPOS-DS has added some specifics: the use of Dublin Core
(DC) terms [8] to express most of the metadata fields of the object, including the
author’s identification; the use of DMP <DIDLInfo> and <DISignature> elements to
include the object’s XML Digital Signature; the use of the MPEG-21 <Identifier> element
to enclose the object’s unique identifier; and the use of the MPEG-21 <RelatedIdentifier>
element to refer to the object’s ancestor. Moreover, the resource is not embedded
but referenced, and the IETF/W3C XML Signature approach [9] is used to convey
information about the resource hash, providing the digest method and value.
On one hand, the fact that object representations are signed with the Registration
service’s (see section 4.1) private key provides a means to prove content ownership,
as long as this service is provided by a trusted entity. In this sense, it would be very
useful for collecting societies to take part in this process to provide an added value to
the system, as discussed in section 7.
On the other hand, the presence of a link from any derived object towards its parent
makes it possible to trace the whole content lineage, ensuring attribution.
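The digest check and the parent-link traversal described in this section, as an added example that is not IPOS-DS code. The XML layout is a constructed, simplified stand-in for DCI (only the `ds:` digest elements follow XML Signature), the `urn:example:` identifiers are made up, and the object's signature is assumed to have been verified before its digest and parent link are trusted.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# XML Signature digest algorithm URIs mapped to hashlib names.
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1", SHA256: "sha256"}


def make_object(identifier, parent, resource):
    """Build a constructed, simplified object representation (not real DCI)."""
    digest = base64.b64encode(hashlib.sha256(resource).digest()).decode()
    parent_xml = f"<RelatedIdentifier>{parent}</RelatedIdentifier>" if parent else ""
    return (
        '<Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f"<Identifier>{identifier}</Identifier>{parent_xml}"
        f'<ds:Reference URI="urn:example:resource:{identifier}">'
        f'<ds:DigestMethod Algorithm="{SHA256}"/>'
        f"<ds:DigestValue>{digest}</ds:DigestValue>"
        "</ds:Reference></Object>"
    )


def resource_matches(object_xml, resource):
    """True if the referenced resource hashes to the digest stated in the object."""
    ref = ET.fromstring(object_xml).find(f"{DS}Reference")
    algorithm = ref.find(f"{DS}DigestMethod").get("Algorithm")
    if algorithm not in DIGESTS:
        raise ValueError(f"unsupported digest method: {algorithm}")
    stated = base64.b64decode(ref.find(f"{DS}DigestValue").text)
    actual = hashlib.new(DIGESTS[algorithm], resource).digest()
    return hmac.compare_digest(stated, actual)


def trace_lineage(registry, identifier):
    """Follow parent links up to the root; reject missing ancestors and cycles."""
    chain = []
    while identifier is not None:
        if identifier in chain:
            raise ValueError(f"cycle in lineage at {identifier}")
        if identifier not in registry:
            raise KeyError(f"ancestor not registered: {identifier}")
        chain.append(identifier)
        identifier = ET.fromstring(registry[identifier]).findtext("RelatedIdentifier")
    return chain


def sample_registry():
    """Constructed sample data: Work -> Adaptation -> Instance."""
    resources = {
        "urn:example:work:1": b"guitar score",
        "urn:example:adaptation:1": b"piano score",
        "urn:example:instance:1": b"piano performance",
    }
    parents = {
        "urn:example:work:1": None,
        "urn:example:adaptation:1": "urn:example:work:1",
        "urn:example:instance:1": "urn:example:adaptation:1",
    }
    registry = {i: make_object(i, parents[i], r) for i, r in resources.items()}
    return registry, resources


if __name__ == "__main__":
    registry, resources = sample_registry()
    print(trace_lineage(registry, "urn:example:instance:1"))
    print(resource_matches(registry["urn:example:work:1"], resources["urn:example:work:1"]))
```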
3.2 Potential Rights
Potential rights refer to the rights and conditions that an author offers for an object.
For example, if a Creator assigns the MakeAdaptation right to a Work, it means that
potentially, Adaptations can be created from that Work. Once acquired by a user,
potential rights become effective rights and a specific license is generated to formalise
that the user is granted certain rights over the object.
In IPOS-DS, potential rights are defined by the content Creator when registering
the Work. Those rights need to include the actions that may be performed when deriving
any object from the Creator’s object, such as Adaptations, Instances and Copies.
When an object is registered, the potential rights are stored outside the object representation
so that, whenever an author wants to modify the offered rights, there is no need
to modify the registered object representation but the associated potential rights instead.
It is important to note that the modification of the offered rights does not affect
the effective rights acquired by users prior to the modification.
When a derived object is created, it inherits the potential rights from its ancestor, if
any. However, the potential rights inside the derived object may be restricted in terms
of rights and even conditions.
3.3 Content Usage Monitoring
IPOS-DS monitors content usage so that any author can get
worldwide statistics on how the content is being used and by whom. For that purpose,
an enhanced implementation of MPEG-21 Event Reporting [10] is followed.
The solution adopted in IPOS-DS consists of embedding an MPEG-21 Event Report
Request (ERR) in each registered object as a means of publicly stating the cases
when Event Reports will be generated. However, in order to ensure the transmission
of the request along the whole content value chain, ERRs are transmitted from one
object to its derivatives. This means that an object will have not only the ERRs belonging
to the object’s author, but also those corresponding to the object’s ancestry.
Thus, the execution of an operation over an object may trigger the generation of
several Event Reports, each of them directed to a user that corresponds to one or
more of the object’s ancestors. Those reports will be collected by a Reporting Service
and presented to each author in a specific section of the main web application.
3.4 Benefit from the Success of Derivatives
IPOS-DS gives authors the possibility to benefit from the success of content derived
from theirs. It may occur that someone registers an adaptation which is economically
much more successful than the original work. In this case, in traditional DRM systems,
there will be no means for the original author to benefit from that situation. To
deal with this issue, IPOS-DS has implemented a mechanism to include inside the
rights expressions a condition to determine the percentage of rights that are transferred
towards the derivatives of an object (i.e. the percentage of rights and incomes
that the object’s author preserves over any object derived from theirs).
This restriction can be seen as an additional condition associated to the right that
may be granted. We could say: The user U may exercise the right R over the object O
under the condition “the author preserves a certain percentage of the rights over the
derivatives of the resulting object”. This condition is slightly different from common
conditions present in MPEG-21 Rights Expression Language (REL) [11] or even
Open Mobile Alliance Digital Rights Management REL (OMA DRM REL) [12],
based on ODRL [13]. ODRL supports Rights Holders royalty percentages, which
apply as a percentage of the value of the net transaction over the object. However, our
condition applies over the derived objects instead of over the object itself. Thus, it
cannot be taken into account when authorising the creation of derived objects, but only
when authorising the creation of objects derived from those, i.e. a second level of derivation.
To deal with this new condition, the MPEG-21 REL, used to express potential
rights and licenses in IPOS-DS, has been extended. The transferred rights over derivatives
are expressed as follows:
<rightsOverDerivative><percentage>50.0</percentage></rightsOverDerivative>.
The fact of preserving a percentage of the rights over the derivative objects implies
that whenever a payment is cleared, as expressed in the license terms, if the licenses
in the object’s value network specify any rightsOverDerivative condition, the fee
needs to be distributed amongst all the authors involved in the process.
The distribution of the incomes coming from derived objects is determined by the
content Creator, who registers the Work. The Creator, by setting the conditions of the
rights that apply over the creation value network, is determining the minimum incomes
they will receive. The conditions set by each author will depend on their
personal preferences but also on what the market is willing to pay for it.
Figure 3 illustrates how the payments should be transferred and distributed across
the value network and proves the feasibility of the proposed model.
3.5 Directed Rights
Another relevant and innovative feature in IPOS-DS is the possibility to offer some
rights for acquisition only to a restricted set of users.
In order to deal with directed rights, IPOS-DS provides the users with a means for importing
personal contacts as well as defining contact groups. These contacts and contact
groups are personal and specific for each user in the system. In this way, when
defining or modifying potential rights, any author will be able to select the contacts or
contact groups for which the potential rights will be available for acquisition. If no
contacts or contact groups are selected, then the defined potential rights will be
available for everyone. Moreover, whenever a contact or contact group is removed
from the author’s contacts, any potential rights including those contacts or contact
groups will be automatically updated so as not to include them.
3.6 Surrogate Objects
A system such as IPOS-DS could be limited in terms of success because of the lack of
original content being registered in the system. If so, any author who may want to
register derived content would be blocked and could not benefit from the IPOS-DS
services. Therefore, IPOS-DS is currently defining a mechanism so that any author
may require the registration of a surrogate parent in the system.
We need to analyse two main situations: the case when the content is in the public
domain and the case when it is not. In the first case, according to intellectual property
laws, any user is free to register any derived content. Thus, the surrogate parent can
be registered in the system without any special permission from the original author or
their legal heirs. In the latter case, the surrogate parent can be registered for some
specific cases. Instantiation is something that anyone can freely do. However, in this
latter case, there may be some limitations and restrictions derived from the original
author’s moral rights. Therefore, it is foreseen that periodical reports are sent to the
corresponding collecting societies so that they can take the corresponding measures.
3.7 Really Simple Syndication
IPOS-DS provides a dynamic RSS 2.0 [14] feed including metadata about the latest
registered objects so that they can be traced by any feed reader or aggregator.
4 Architecture
IPOS-DS is a service-oriented architecture consisting of a main web application,
accessible through a web browser and several DRM components implemented as web
services. It also includes a user desktop application which renders protected content.
Figure 2 depicts the overall architecture.
4.1 Applications
Web Application. It is the IPOS-DS main application from which the user can access
almost all the system functionality, available in different sections, as detailed next.
- Registration of new Objects. In this section the user can register any kind of object.
The web application provides a form where the user can fill the metadata
fields of the objects, define the potential rights and attach a resource, when
needed. The web application makes use of the Registration and Content services.
- Potential Rights Modification. This option is available for own objects and enables
the user to modify the offered potential rights, as explained in section 3.2.
- Search amongst own Objects. In this section the user can search by any of the
metadata fields of their own objects. It makes use of the Objects Search service.
- Global Object retrieval and download. Here the user can perform a global search
amongst all the objects registered in the system by any user. For the listed result,
several options are available, e.g. view or download the object’s XML, navigate
towards the object’s ancestor, if available, and acquire a license. It makes
use of the Objects Search service.
- License acquisition. This option is accessible from the results obtained in the
global object retrieval. When a user selects this option, they are redirected to a
web page where they can select the rights and conditions they are interested in
amongst the different options the original author made available. Once selected
and purchased, a specific license is generated by the License service.
- View acquired objects. Once a user has acquired any licenses that enable them to
exercise a right over an object, they can consult all of them in a specific section
of the web application. This section also enables the user to register derived objects
from those for which they own a license that grants them the corresponding
derivation right (e.g. makeAdaptation, makeInstance, etc.).
- Search and view Reports. The web application includes a section where the user
can consult the reports collected by the Reporting service and directed to them.
- Personal data management. The user is able to modify their personal data and
default language for the web application. It interfaces the authentication service.
- User Groups and Contacts. The user can define their own contacts and contacts
groups used for issuing directed rights, as explained in section 3.5.
Fig. 2. IPOS overall architecture.
Desktop User Application. It demonstrates how resources can be rendered. Current
development enforces the rights and conditions fulfilment when the rendering is attempted
and opens the resource with the system’s predefined application, showing it
in clear to the user. The main functionalities are:
- Load Object. The player opens the object and displays the metadata to the user.
- Download Content. Download the encrypted resource associated to the object.
The player enables authenticated and authorised users to download the resource
associated to the loaded object, which is encrypted using an AES block cipher.
- Decrypt and render the resource. Only if the user is authorised, the player will
get the encryption key that can be used to decrypt the resource and render it.
4.2 Services
The IPOS-DS main web application interacts with different web services:
- User Authentication and Registration Service. This component acts as a single-sign-on
access point, by issuing Security Assertion Markup Language (SAML)
[15] tokens for any user or service in the system to be authenticated.
- Content Registration Service. It is responsible for registering the objects received
after processing the registration form data in the main web application.
- Content Service. It consists of an application that depends directly on the IPOS-DS
web application. It uses sockets instead of standard Web service calls for a
better transmission performance of large resources.
- Objects Search Service. It provides searching features within object’s metadata.
- License Service. It deals with the generation and archival of licenses, which convey
user’s usage rights and conditions. Moreover, it provides the collection of licenses
that can be acquired by a user over an object, a list of user licenses associated
to an object and the number of times a license has been used.
- Authorisation Service. It enforces the fulfilment of the rights and conditions
expressed in licenses. It searches the applicable licenses in the license service to
determine whether the user is allowed or not to perform the requested action.
- Reporting Service. It collects the reports about content usage, provides searching
capabilities amongst the collected reports and determines payment duties.
5 Use Case
Figure 3 depicts a sample use case applied to the music composer’s collective. In the
example, a Creator registers a Work, representing a music score for guitar. No license
is needed for this action, as the owner of the Work is the Creator.
Fig. 3. Creation model, roles, potential rights, event reports and incomes.
An Adaptor, after acquiring License 1, is able to register an Adaptation derived from
the Work, representing a variation of the score to be played on the piano. An
Event Report and a payment duty will be generated from the Adaptor towards the
Creator. The amount will be that specified in License 1, i.e. 10$.
An Instantiator, after acquiring License 2, registers an Instance derived from the previous
Adaptation, representing a specific performance of the piano score. Two Event
Reports are generated: one towards the Adaptor and another one towards the Creator,
as the latter is also part of the content value chain. A payment duty will then be registered
from the Instantiator to the Adaptor. The amount will be that specified in License 2,
i.e. 50$. Moreover, another payment duty will be generated from the Adaptor
to the Creator. Therefore, the Adaptor’s incomes will be shared with the Creator according
to License 1. That is, as the Instance is derived from the Adaptation and the
Creator transferred only 20% of the rights in License 1, the Creator preserves
80% of the incomes coming from any Instance. That is why Figure 3 depicts that 80%
of the 50$ received by the Adaptor is transmitted to the Creator, i.e. 40$. Finally, in
a similar manner, a Producer registers a Copy, representing a product that can be
commercialised corresponding to the Instance.
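The Event Report propagation of section 3.3 and the income split of sections 3.4 and 5, as an added example that is not IPOS-DS code. It reproduces the figures of the use case above; the class and function names are hypothetical, and two points are assumptions not stated in the paper: a license without a rightsOverDerivative condition is modelled as 100% transferred, and the same forwarding rule is repeated for every level above the second.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class License:
    fee: Decimal                              # amount the licensee owes the licensor
    transferred_pct: Decimal = Decimal(100)   # rightsOverDerivative; 100 = no condition (assumption)

    def __post_init__(self):
        if self.fee < 0:
            raise ValueError("fee must not be negative")
        if not Decimal(0) <= self.transferred_pct <= Decimal(100):
            raise ValueError("rightsOverDerivative percentage must be within 0..100")


@dataclass(frozen=True)
class RegisteredObject:
    identifier: str
    author: str
    parent: Optional["RegisteredObject"] = None
    license: Optional[License] = None         # license under which it was derived


def register_derivative(parent, identifier, author, license):
    """Return (new object, Event Report recipients, payment duties)."""
    obj = RegisteredObject(identifier, author, parent, license)

    # Event Report Requests are inherited, so every ancestor's author is notified once.
    recipients = []
    node = parent
    while node is not None:
        if node.author not in recipients:
            recipients.append(node.author)
        node = node.parent

    # The licensee pays the fee to the parent's author ...
    duties = [(author, parent.author, license.fee)]
    # ... who forwards the share preserved by the license they hold themselves.
    # Assumption: the same rule repeats at every further level up the chain.
    amount, node = license.fee, parent
    while node.parent is not None and amount > 0:
        preserved = Decimal(100) - node.license.transferred_pct
        amount = amount * preserved / Decimal(100)
        if amount > 0:
            duties.append((node.author, node.parent.author, amount))
        node = node.parent
    return obj, recipients, duties


def use_case():
    """Section 5 with its own figures: License 1 = 10$ and 20% transferred, License 2 = 50$."""
    work = RegisteredObject("work", "Creator")
    license_1 = License(fee=Decimal("10"), transferred_pct=Decimal("20"))
    license_2 = License(fee=Decimal("50"))
    adaptation, reports_1, duties_1 = register_derivative(work, "adaptation", "Adaptor", license_1)
    _, reports_2, duties_2 = register_derivative(adaptation, "instance", "Instantiator", license_2)
    return (reports_1, duties_1), (reports_2, duties_2)


if __name__ == "__main__":
    for reports, duties in use_case():
        print("Event Reports to:", reports)
        for payer, payee, amount in duties:
            print(f"  {payer} owes {payee} {amount}$")
```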
6 Related Work
Creative Commons (CC) [16] is a non-profit organisation devoted to expanding the
range of creative works available for others to build upon legally and to share. The
CC licenses enable copyright holders to grant some or all of their rights to the public
while retaining others through a variety of licensing and contract schemes including
dedication to the public domain or open content licensing terms. Although CC works
at a different level than IPOS-DS, we can depict some differences between CC licenses
and IPOS-DS potential rights. In CC, neither the creator is informed about the
work being used nor can they define the fees to be cleared when creating a derived
object. Moreover, in CC there is no means for authors to benefit from the success of
derived objects. By using IPOS-DS, any author may decide at any moment to stop
offering previously determined conditions of use of their content and define a new set
of potential rights to be applied from that moment onwards. Any rights acquired before
the change will not be affected, but authors, by means of temporal or usage limit
restrictions can always keep control of the rights they have already commercialised,
avoiding e.g. an unlimited usage of their content.
ColorIURIS (CI) [17] is a proprietary system for the management and transfer of
author rights. It enables the generation of legal contracts between two parties to determine
the conditions under which content can be used, something useful if a legal
dispute occurs. Each registered work has two associated policies identified by a colour
code: one to inform about the transformation right policy and another one to inform
about the copyright policy and the distribution and public communication rights.
The main differences between CI and IPOS-DS are: 1) IPOS-DS controls the access
to the content; 2) IPOS-DS enables to define the potential rights for the whole content
value network, including future content; 3) CI cannot ensure that authors benefit from
the success of derived content; 4) CI does not support the definition of directed rights;
5) IPOS-DS informs all the authors in the creation chain about content usage, while
CI is limited to the owner of the content; 6) IPOS-DS is based on open standards.
7 Conclusions and Future Work
In this paper we have presented a content registration system and we have focused on
innovative concepts such as the traceability of the content lineage, the definition of
potential rights, the possibility of modifying or revoking the offered rights, the transmission
of reporting requests to inform all the actors in the content value chain, the
possibility for authors to benefit from the success of derived content and the possibility
to offer some rights exclusively to some selected users. We have also depicted the
IPOS-DS components and we have compared it to some related work, proving that
our proposal means an important progress with respect to the state of the art.
IPOS-DS has been developed by the DMAG [2] of the Universitat Politècnica de
Catalunya for the company NetPortedItems S.L. [1], responsible for its exploitation.
It has been recently made accessible for the public from [1] in a pre-exploitation
phase. Currently, it can be accessed after an online registration or in a trial mode.
The goal for the next months is to promote its usage amongst different user communities
that may be interested in it for spreading their works and creations. One of
those potential groups could be the composer’s collective, where different users with
a trusted relationship usually collaborate to create, arrange and instantiate audio or
audiovisual content. Another goal is the adoption of the IPOS-DS by collecting societies
in different countries. It could help to spread and ease the management of content
generated by the millions of creators, adaptors and instantiators around the world that
currently work without the support of any collective management schema.
Acknowledgements
This work has been partly supported by the Spanish administration (Multimedia Content
Management Life Cycle project, TEC2008-06692-C02-01).
References
1. NetPortedItems. http://www.digitalmediavalues.com.
2. Distributed Multimedia Applications Group. http://dmag.ac.upc.edu/.
3. M. Gauvin, J. Delgado et al. Media Value Chain Ontology (Committee Draft).
ISO/IEC JTC 1/SC 29/WG 11/N10264.
4. The Digital Media Project. 2008. http://www.dmpf.org/.
5. The Digital Media Project. 2007. Approved Document No 2 – Technical Reference:
Architecture, Version 3.0. No.1002/GA15.
6. The Digital Media Project. 2007. Approved Document No. 3 – Technical Specification:
Interoperable DRM Platform, Version 3.0. No.1003/GA15.
7. ISO/IEC 21000-2, Information technology – Multimedia framework (MPEG-21) –
Part 2: Digital Item Declaration.
8. Dublin Core Metadata Initiative (DCMI). http://dublincore.org/.
9. W3C Recommendation. XML-Signature Syntax and Processing.
http://www.w3.org/TR/xmldsig-core/.
10. ISO/IEC 21000-15, Information technology – Multimedia framework (MPEG-21) –
Part 15: Event Reporting.
11. ISO/IEC 21000-5, Information technology – Multimedia framework (MPEG-21) –
Part 5: Rights Expression Language.
12. Open Mobile Alliance. 2006. DRM Rights Expression Language.
http://www.openmobilealliance.com/Technical/release_program/drm_v2_0.aspx.
13. The Open Digital Rights Language (ODRL) Initiative. http://odrl.net/.
14. Really Simple Syndication (RSS 2.0). http://www.rssboard.org/rss-specification/.
15. OASIS Security Assertion Markup Language (SAML).
http://www.oasis-open.org/specs/#samlv2.0.
16. Creative Commons. http://creativecommons.org/.
17. ColorIURIS. http://www.coloriuris.net/.