Cryptography isn’t DRM
One of the commonest errors you see made in articles about information security is to equate the secrecy obtained by cryptography with the licensing control applied by DRM.
You will see plenty of ‘experts’ state that you can use cryptography to ensure the security of your information, when what they actually mean is that a recipient can check that what they receive has not been altered or falsified, and that unauthorized people cannot have read it first.
Now that isn’t DRM. When you, as the authorized recipient of encrypted information, decrypt it, you can do precisely what you like with it. Copy it, send it to your friends (or even your enemies), alter it, anything you feel like.
But DRM is about very much more.
DRM has to deal with what you are allowed to do with information that you are authorized to receive. Generally you are not allowed to pass information on to others. (That is considered implicit in military systems, but is a physical or manual control, and you can’t apply that to electronic information. What the military do is make sure it can’t leave the system it is stored on, which is not an option if you’re selling eBooks.)
As importantly, you may not be able to make printed copies, or printing might be allowed only with a copyright mark prominently displayed on the output. You might only be able to use the electronic information a limited number of times (pay per view) or for a limited time period (documents for evaluation or for bidding for contracts).
Only DRM controls can ensure that the controls, or license terms, that go along with the information actually get enforced.
Of course DRM also makes use of encryption technology, to be sure that nothing can be used unless the recipient is authorized, but that’s only the start of the story.
So next time someone tells you that all your security problems can be solved by encryption, just let them know better.
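To make the distinction concrete, here is a small added illustration (not code from the original post): a toy encrypt-then-MAC envelope built only from the Python standard library, with HMAC-SHA256 serving as a counter-mode keystream and as the authentication tag (a demonstration construction, not a production cipher). The license terms travel with the ciphertext and are authenticated, so an outsider cannot read the content and any alteration of the terms or the data is detected; but once the authorized recipient has decrypted, the plaintext is ordinary bytes and nothing in the cryptography prevents copying it, whatever the terms say.

```python
import hashlib
import hmac
import json
import os


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (toy construction).
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, terms: dict) -> dict:
    """Encrypt-then-MAC. The license terms are authenticated with the ciphertext but NOT enforced."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()   # separate keys for encryption and MAC
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = os.urandom(16)
    header = json.dumps(terms, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    return {"header": header, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, env: dict) -> tuple:
    """Verify the tag in constant time, then decrypt. Raises ValueError on a wrong key or any tampering."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    expected = hmac.new(mac_key, env["header"] + env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("authentication failed: wrong key or altered message")
    pt = bytes(c ^ k for c, k in zip(env["ct"], _keystream(enc_key, env["nonce"], len(env["ct"]))))
    return json.loads(env["header"]), pt


if __name__ == "__main__":
    key = os.urandom(32)  # shared between sender and the authorized recipient (constructed demo)
    env = seal(key, b"confidential bid figures", {"copies": 0, "print": False})
    terms, plaintext = unseal(key, env)  # the authorized recipient checks integrity and decrypts
    copies = [plaintext] * 3             # the "copies: 0" term is just data; nothing stops this
    print(terms, "->", len(copies), "copies made of", plaintext)
```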