Content publishers - in the very broadest terms of the meaning of the word content - publish in order to make money from their efforts.  It doesn't matter if they publish magazines, consultancy reports, training courses, sheet music, computer games, music, films or whatever.  Content is what they create, and that content is the thing that sells their products.  Probably the same goes for blogs except they don't currently sell quite so well .

So it is no big surprise to find that content providers selling over the Internet, or even just using forms of electronic distribution like CD-ROM or DVD, want to make sure that they get paid, and they get paid for each copy that gets used.  After all, taken to the ultimate, you would only make the first sale and all the rest of the world would be on the free copies.  Not a sales model you  see that often - if you don't believe me try to explain the last time you purchased maintenance services on an ebook.  

Not surprisingly, content publishers are very interested in DRM technologies.  Because if they aren't then they will soon be out of business as the market fills up with free copies of what they were selling.  Actually, I once had exactly the opposite of this happen.  I published a free article analysing various security technologies, and was very surprised to receive an email from someone telling me that my article, reproduced 100% unchanged, was being sold from a web site, and that people were buying it.  You could say that I am obviously stupid because I should have been selling the article, not giving it away, and why should I stop some enterprising person from getting away with making money from something when I was too stupid to do so.  But there is the small problem of them claiming the work as their own!  Now that really annoyed me.  I mean, business is a lot about opportunism - being in the right place at the right time with the right product, and I applaud that.  But I have my limits.  I mean, not even an acknowledgement!

That got me looking into what I could do about it, and so I learned the hard way about protecting your content.

I started off by talking to a lawyer (a personal friend I should add since I could not afford to buy their time) and the advice was clear and succinct.  "They are in a foreign country.  It will cost you a fortune.  Don't bother.  Write threatening letters to their ISP.  It might work."  I hasten to add that this does not constitute legal advice to you, I am not legally qualified and I make no representation in that regard.  (See, I did learn something from them.)  So after a bit of correspondence with the ISP threatening a take-down notice and lots of very bad publicity, it vanished.  But it cost me time and money and I made nothing out of it at all.

And that gets me to the point I wanted to share with you.  As a content publisher, I simply could not begin to afford to do anything about being ripped off, using the law.  I could not afford to start the case, and I deeply suspect that even if I had won the victory would be Pyrrhic (Wikipedia notes: The phrase is a reference to King Pyrrhus of Epirus, who during the Pyrrhic War defeated the Romans at Heraclea and Asculum in 279 BC, but suffered severe and irreplaceable casualties in the process) because the costs would have killed my business.

For all except the 800 lb gorillas, the law is about as much use as a paper handkerchief in a gale.

So for content publishers, the only realistic alternative is technology.  To stop if possible, and otherwise reduce as much as possible, the ability of recipients, whether they have purchased a copy or not, to be able to misuse it.

But what are the tools that technology is able to provide, and how effective are they?

Well, anything that does not use encryption technology to prevent the unauthorized from any access at all is like our paper handkerchief in a gale.  Completely ineffective.  And if encryption is in use, then if the way in to the content is a password, that's not realistically a lot better.  It's rather like giving the key to Fort Knox to anyone and letting them copy it anywhere any time, and give it to anyone else as well.  The technical term for that approach is offline control - very similar to that for all Microsoft operating systems before XP.  Any valid registration code would, and did do.

More up to date approaches use a machine unique challenge/response mechanism or a 'phone home' control, or a combination of the two.  In machine unique challenge/response, at installation time a value unique to the computer the installation is being run on, which is used to generate a unique challenge code.  Only entry of the machine unique response allows the use of the content.  In the 'phone home' system at installation a connection must be established with a server controlled by the publisher or a third party, which is able to make a number of checks, such as are there license conditions to apply, has the claimed license already been used, is the license still valid, and so on.  A combination of the two methods allows a license to be locked to a specific computer once it has been implemented as well as allowing the content publisher to change the license conditions if that is appropriate.

So you need the best to suit your situation.  In other fields this is known as risk analysis.  You have to take a view as to how likely it is your customers are going to try and rip you off and why, what you can stop, what you can make difficult, and what you can't stop.

Let's have a few examples.

The kinds of DRM controls that can be applied using these types of mechanisms are different from those that applied to physical books and magazines, but that may be appropriate.  After all, if I print a magazine, I know that it is not that likely that people are going to go to the effort of scanning it into a computer system and then republishing it with a view to making it available or making a profit.  But it could be the case with a pornographic magazine, a sex manual or something similar.  And that's because they appeal to a mass market, cost relatively little, and can be acquired by nerds who would spend the time trying to figure out how to get a copy of it once they have bought it.  By comparison, a high value consultancy report or a stock market analysis is different  because the customer is very different. Such things are bought by organizations and the people reading them are not likely to make the effort of taking a document apart, scanning it, assembling it, and then sending it on, especially if it's a significant pain just to do someone else a favour and the purchaser's time is worth a lot more than that.

So we have some parameters for risk analysis, and some feeling for the kinds of documents that are likely to be attacked and why.  We have not considered content that is a state or military secret.  That belongs in a different league from IPR protection, the controls are quite different, and have no relevance to normal commerce and industry.

Therefore, from a content publisher's perspective, if you need to secure your IPR, the controls you put in place have got to be effective enough that they are not trivial to bypass.  So sending out documents secured by a password, or even a login and password, don't make sense because the customer can too easily pass that information on to anyone they choose.  (Even with more sophisticated systems that count the current logins for an id/password combination, that does not mean that half the world cannot manage to read it given enough time.)

That means that content publishers must use systems that restrict their customer to a limited number of locations from which to be able to use content, simply because otherwise there is no control at all and the idea of IPR management a non-starter.  Many games manufacturers achieve this by requiring a specific CD to be present before the game will run.  Content publishers have to look for systems that provide a similar facility, a file that is locked to the PC for which the user is authorized, and which must be present before their IPR will be revealed.  That's a more difficult technique to implement.  The alternative is to do everything from servers and accept that there will be easy ways to compromise IPR through sharing access information.  Something the content publisher does not want because for them it is loss of revenue.

The thing is that electronic documents are trivial to copy and distribute compared with paper ones.  And also there are some things that you cannot prevent no matter how clever you are.  You cannot stop someone from sitting in front of a very high definition screen and recording everything that comes up on the screen.  You can't stop them taping music played over loudspeakers either.  There are programs (some provided by operating systems manufacturers, no doubt for entirely proper reasons) that can capture what is visible on the computer screen at a moment in time and allow you to print them.  Only the most cynical of commentators could suggest that those manufacturers either don't care about content publisher's IPR, or see it as a market that they wish to dominate by making it impossible for others to prevent what they control for themselves. 

So IPR security can be obtained, but for a price, and with a minimum level of capability.  There are plenty in the freedom of information movement who may think that IPR should be shared with the rest of the world at no cost.  But they likely don't see that they are selling their own IPR to a middleman (strangely enough that's what the server in McDonalds is doing, the IPR may not fetch much but that is the real transaction) whilst content publishers are going directly to the final customer.  The servers in McDonalds would soon be up in arms if you suggested they give away what they are doing, but somehow content publishers are supposed to be delighted by the idea.