Privacy and Digital Rights Management

Description:

Hewlett-Packard Co. Page 1. 6/27/09. Privacy and Digital Rights Management. Poorvi Vora ... Hewlett-Packard Co. Page 12. 6/27/09. Example outcome wrt HP main ...

1
Privacy and Digital Rights Management
  • Poorvi Vora
  • Dave Reynolds
  • Ian Dickinson
  • John Erickson
  • Dave Banks
  • Publishing Systems and Solutions Lab.,
  • Hewlett Packard Labs.
  • January 22, 2001

2
Reasons for concern
  • Privacy infringement is common across the
    Internet
  • Consumers are responding with class action suits
    and strongly negative responses through stock
    value depreciation (e.g. Intel, DoubleClick, Real
    Jukebox)
  • Privacy infringement possibilities are amplified
    with commerce in digital assets (through detailed
    usage tracking)
  • This infringement is not necessary for fraud
    prevention
  • This implies that the legal liability of data
    collectors is amplified

3
Why should a W3C DRM standards effort care?
  • Consumers are concerned about privacy
  • Those who depend on privacy invasion to prevent
    fraudulent use of digital assets can be legally
    liable
  • P3P credibility will be diminished by privacy
    infringement in any other W3C standard
  • All of this impacts the efficacy of the standard

4
Potential Privacy Invasions in a DRM System
  • User Authentication
      • Current PKI-based protocols limit the degree of
        anonymity
  • Usage tracking for fraud prevention
      • Many ways of doing this - it need not be as
        invasive as it currently is
  • All controls are in the hands of the content
    provider.
  • The focus of DRM systems has to move towards
    including the consumer as a first-class
    participant, resulting in a more neutral system
    which is more likely to be trusted, and hence
    used, by the consumer.

5
Consumer as first-class participant means
  • Personal profiles are assets in the system,
    with
      • ownership,
      • access and usage rights, and
      • rights and descriptive metadata
    associated with them.
  • Identity is part of the personal profile.
  • Proof of identity, in so much as it involves
      • divulgence of the personal profile, or
      • allows for its divulgence through unique
        identifiers,
    is trade in an asset when the information
    revealed is more than the minimum required

6
Consumer as first-class participant means, specifically
  • User authentication
      • a range of methods with different degrees of
        anonymity
      • the maximum extent of anonymity allowed by the
        system is determined by technical feasibility
      • what method is used is determined by the consumer
        and the content provider
  • Rights clearing
      • The consumer participates in the degree of
        tracking established
  • Consumer profiles
      • consumer assets in the system
  • All transactions explicit, and with consumer
    participation

7
Existing Anonymity Technology
  • Trusted (screening) Mediator
      • The mediator knows other transaction details
        (when, between which parties, etc.) even if the
        information is encrypted
      • Mediator liable for data security, or else
        mediator snafus result in violations
  • Digital pseudonyms (Nyms)
      • Multiple personas prevent collation of data across
        different personas
      • Can be implemented within existing PKI with some
        changes
  • Proofs of Knowledge (POK) within and outside the
    existing Public Key Infrastructure (PKI)
      • Provides a more general framework for the
        inclusion of more anonymous techniques to prove
        access rights, voucher possession, etc.

8
Existing Privacy Expression Technology
  • Access Rights Expression: P3P is a beginning
  • Need vocabularies for
      • Profile description (metadata on personal
        profiles) including granularity of usage profiles
      • Degree of tracking information

9
Example Workshop Outcome: A framework consistent with
  • User Authentication with
      • Degrees and types of anonymity, for example
          • PKI
          • SPKI
          • Nym
          • Anonymized through trusted third party
          • POK
      • Choice of when to reveal identity and to what
        extent

10
Example Workshop Outcome: A framework consistent with
  • Usage Tracking with
      • Extent of tracking (what is being tracked?)
      • Controlled revelation of usage data:
        specification of granularity level of usage data
        (in what detail is it being tracked?)
  • Rights clearing with
      • degree of usage and rights information staying
        with client vs. rights clearing agency (how much
        of the tracking information is sent back to the
        clearing agency and at what level of aggregation)

11
Example Workshop Outcome: A fulfillment protocol including
  • how often the rights clearing agency is contacted
    wrt asset access
  • what is the granularity of divulged usage logs
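
As an added example (not from the original slides or from HP), the following Python shows the controlled revelation described in slides 10 and 11: the full usage log stays on the client, and the report sent to the clearing agency is aggregated to an agreed granularity and labelled with a per-party pseudonym, as in the Nym bullet of slide 7. The level names, the log layout, and the functions `nym_for` and `divulge` are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: the full usage log stays on the client.
# Fields are (ISO timestamp, asset id, action); all values are made up.
USAGE_LOG = [
    ("2001-01-20T09:15:02", "song-17", "play"),
    ("2001-01-20T21:40:11", "song-17", "play"),
    ("2001-01-21T08:03:45", "song-17", "play"),
    ("2001-01-21T08:10:30", "ebook-4", "open"),
]

# Hypothetical granularity levels, most detailed first.
LEVELS = ("event", "daily", "total")


def nym_for(client_secret: bytes, party: str) -> str:
    """Derive a per-party pseudonym so identifiers differ between parties."""
    return hmac.new(client_secret, party.encode(), hashlib.sha256).hexdigest()[:16]


def divulge(log, level, client_secret, party):
    """Build the report sent to `party`, revealing no more detail than `level`."""
    if level not in LEVELS:
        raise ValueError(f"unknown granularity level: {level!r}")
    if level == "event":
        usage = [list(entry) for entry in log]  # every timestamped event
    elif level == "daily":
        counts = Counter((ts[:10], asset) for ts, asset, _ in log)
        usage = [[day, asset, n] for (day, asset), n in sorted(counts.items())]
    else:  # "total": per-asset counts only, no timing information
        counts = Counter(asset for _, asset, _ in log)
        usage = [[asset, n] for asset, n in sorted(counts.items())]
    return {"nym": nym_for(client_secret, party), "level": level, "usage": usage}


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    for level in LEVELS:
        print(divulge(USAGE_LOG, level, secret, "clearing-agency.example"))
```

The pseudonym only keeps the identifier itself from being matched across parties; an "event"-level report can still be correlated by its timestamps, which is why the granularity level matters independently of the identity method.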

12
Example outcome wrt HP main position paper (Erickson et al.)
  • Expression
      • Vocabularies for profile description (metadata
        about profile, including granularity)
      • Access rights (P3P, XrML)
      • Degree of tracking
      • Degree of anonymity
      • Enable combinations of profiles and other assets
        into composite documents
  • Protocols
      • Identity proofs and access control decisions
        determined by Proofs of Knowledge
  • Compliance
      • Dependent on POKs and not on identity divulgence

13
Consumer as first-class participant means
  • Personal profiles are assets in the system,
    with
      • ownership,
      • access and usage rights, and
      • rights and descriptive metadata
    associated with them.
  • Identity is part of the personal profile.
  • Proof of identity, in so much as it involves
      • divulgence of the personal profile, or
      • allows for its divulgence through unique
        identifiers,
    is trade in an asset.