The Digital-Rights Debate

Electronic distribution is the future of the music industry. Broadband Internet is rapidly replacing the CD store in the mall as the preferred means of getting music to consumers. This fact is recognized by home enthusiasts and by major market players such as Bertelsmann, Sony, and Warner Brothers. Moving bits across fiber is not only cheaper than shipping jewel cases in trucks, it is vastly more flexible. As with many things, however, flexible can mean complicated.

Labels and content providers are caught in a balancing act: they must try to give consumers what they want while still protecting their own interests. Consumers want simple access to a broad catalog of titles with the ability to move files from player to player regardless of platform or format, burning as many CDs and ripping as many MP3 files as they care to along the way. Artists just want to be fairly compensated for their product and ensure that it is not damaged, distorted, or misrepresented in any way. Artists and labels want to keep track of who is listening to what, when, and how often. That information is the Holy Grail of music distribution. Listeners, on the other hand, generally prefer to remain anonymous.

Pleasing both sides of the market has proved difficult. Solutions favoring the consumer have brought the wrath of the music industry (witness the rise and fall of Napster), whereas efforts to please the industry have turned off consumers (witness the implosion of the Internet music delivery company Supertracks). Haunting both sides of the debate is the specter of piracy, which — whether the listener realizes it or not — deals everyone a loss. Stepping into the gap to bring both sides together are the emerging technologies of digital-rights management (DRM).

DRM consists of technologies and techniques for securing digital content. Even though these technologies are still in their infancy, they are emerging as the dominant force shaping the way music is delivered online. Robert McGarvey of MIT's Technology Review has predicted that DRM will be “potentially the biggest — and bloodiest — of the many battles that will shape the Internet during the 21st century's initial decade” (“Digital Rights Management,” The Technology Review, January/February 2001). Like it or not, DRM is coming, and musicians need to understand both sides of the digital-rights-management debate and the technologies involved if their music is to survive those battles.


In a nutshell, DRM limits access to the contents of a file to those who have proper authorization (that is, people who legally purchased the track), and it controls how the content can be used once it has been opened. The perception that that's the entire scope of DRM — which would then be more appropriately called digital-rights enforcement — has fostered a resistance to DRM on the part of artists and audiences that often borders on open hostility. Late in 2001, Microsoft's DRM solution was cracked by a hacker named “Beale Screamer” who also distributed a DOS utility to strip DRM protection from audio files. The documentation for the tool indicates that the hack was intended as an act of protest against what Screamer saw as an infringement of fair-use rights. In the documentation, Screamer writes, “What is bad is the use of DRM to restrict the traditional form of music sale. When I buy a piece of music (not rent it, and not preview it), I expect (and demand!) my traditional fair-use rights to the material. I should be able to take that content, copy it onto all my computers at home, my laptop, my portable MP3 player … basically anything I use to listen to the music that I have purchased. I can't do this at all with Microsoft's DRM scheme.”

Consumers like Beale Screamer are rightfully concerned about possible infringement of their fair-use rights by DRM technologies (see the sidebar, “Fair Use in an Online World”), but digital-rights management encompasses much more than mere usage enforcement. It involves not only protection but identification, description, trading, monitoring, and tracking of user rights. Instead of just giving files to users and sending them on their way, DRM lets you manage any aspect of your relationship with your audience, from promotional follow-up to preference feedback.

Under DRM the traditional process for publishing music on the Internet — adding a link to an MP3 file on your Web site — becomes a bit more involved (see Fig. 1). Once the music is ready to be released to the public, it is packaged in an encrypted and locked form. That prevents anyone from playing the file without first obtaining a key from the content owner or authorized distributor. Most DRM solutions use some form of public key encryption, which allows content, keys, and licenses to be transmitted securely across the Internet. That enables you to verify that consumers are who they say they are.

Once the music is packaged, you define the rights governing how it may be used. These specify how many times a song can be played, if the user is allowed to burn a copy to CD or transfer it to a portable device, or even a time period during which the track can be played. These rights define the license you will grant to the consumer downloading or streaming your music. You may define multiple licenses for each piece of content you publish. For example, one license may allow the user to rent a track for a week or to play it ten times, whereas a different license allows the user to purchase the same song outright. The license will also contain the key to decrypt the song it is associated with.


When you have packaged the content and defined the usage rights, the song is ready to be published to the Internet. This occurs in two parts. The encrypted content itself is hosted by a download server, a streaming server, or both; the key to unlock the file is hosted by a separate license server. Both servers come into play when it is time to retrieve and play the file as described below. With the content and license servers loaded, your music is ready to be consumed by the world at large. Users can download, stream, and e-mail your music to each other, but at this point, they still can't play it. To do so, they must obtain a license.

When a user tries to open your file, his or her DRM-enabled media player will attempt to find a license containing the key needed to decrypt the contents of the file. In most cases, the license will have been “silently” delivered as part of the file-transfer process when the media was first obtained. In this license-predelivery scenario, the application transferring the media file to the user's computer will request a license to open the song on the computer requesting the file. The license server generates a license with the rights the user has requested, bundles it with the decryption key, and ships it to the media player. That all goes on behind the scenes and is completely transparent to the user. The license-predelivery approach is the simplest and most user-friendly for your audience, but it also offers the fewest options for managing your content.

The alternative is the postdelivery model in which the user must take additional steps, providing any information or payment you may require, to obtain a license after the media has been downloaded. The listener can still obtain a copy of your music from any source — a music-sharing service, an e-mail from a friend, promotional CDs, and so on — but must go to a license broker for the license to use it. The license broker can be any license server, set up on your own Web site or with a license clearinghouse, that can collect information about the listener and, if desired, payment (see Fig. 2).


The appropriate license server is usually identified to the media player (or whatever application is trying to access your content) by a URL that was bundled with the media when it was first packaged by the DRM system. That URL directs listeners to a Web site where they can provide information about themselves — such as their e-mail address, age group, and music preferences — and also provide a credit card number to pay for the track they have just downloaded. Once payment is made, the license is sent to the media player and the user is free to enjoy your music within the bounds of whatever rights you have specified.

Some DRM systems can bundle your song with an additional, hidden URL, called the authorization URL, that directs the media player to a service that grants or denies the license regardless of whatever information is provided to the license broker. For example, you may have an exclusive contract with Yahoo that makes your music available only to its users. If a customer of a competing service were to obtain a copy of your music and try to buy a license, the authorization agent specified by this URL would deny the license and potentially direct the user to a Yahoo subscription offer.

The best approach is some combination of pre- and postdelivery of licenses. For example, you could post all the tracks from your latest CD to your Web site and predeliver a limited-use license with each track downloaded. This license could allow the user to play the track ten times and only on the computer downloading it. When the ten plays are used up, the media player would be directed to the license broker where the user would have the opportunity to purchase a new license that allows unlimited plays, burn to CD, and transfer to a portable device. The combination of pre- and postdelivery allows for superdistribution of your music, making file sharing a marketing dream instead of a piracy nightmare.
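
The packaging and licensing flow described above, as an added example that is not part of the original article or any vendor's code. It assumes an HMAC in place of the license server's public-key signature and a toy SHA-256 keystream in place of a real cipher; the URL, track ID, and device names are constructed.

```python
import hashlib, hmac, json, os, time

# Assumptions for this sketch: HMAC stands in for the license server's
# public-key signature, and a SHA-256 keystream stands in for a real cipher.
SERVER_SIGNING_KEY = os.urandom(32)
BROKER_URL = "https://license.example/buy"  # constructed placeholder URL


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration; a real packager would use AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def package(content_id: str, audio: bytes):
    """Encrypt the track and bundle the license URL with it."""
    key = os.urandom(32)
    pkg = {"content_id": content_id, "license_url": BROKER_URL,
           "payload": keystream_xor(key, audio)}
    return pkg, key  # the key goes to the license server, not into the file


def sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_license(content_id, key, device_id, max_plays=None,
                  expires_at=None, allow_burn=False):
    """License server: state the rights, attach the key, sign the result."""
    body = {"content_id": content_id, "device_id": device_id,
            "max_plays": max_plays, "expires_at": expires_at,
            "allow_burn": allow_burn, "key": key.hex()}
    return {"body": body, "sig": sign(body)}


class Player:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self.plays_used = {}  # a real player keeps this in protected storage

    def play(self, pkg, lic, now=None):
        """Return (audio, None) if allowed, else (None, reason or broker URL)."""
        now = time.time() if now is None else now
        body = lic["body"]
        if not hmac.compare_digest(lic["sig"], sign(body)):
            return None, "license signature invalid"
        if (body["content_id"], body["device_id"]) != (pkg["content_id"], self.device_id):
            return None, "license not valid for this file or device"
        used = self.plays_used.get(pkg["content_id"], 0)
        expired = body["expires_at"] is not None and now > body["expires_at"]
        exhausted = body["max_plays"] is not None and used >= body["max_plays"]
        if expired or exhausted:
            return None, pkg["license_url"]  # post-delivery: go buy a license
        self.plays_used[pkg["content_id"]] = used + 1
        return keystream_xor(bytes.fromhex(body["key"]), pkg["payload"]), None


if __name__ == "__main__":
    pkg, key = package("track-01", b"constructed sample audio bytes")
    trial = issue_license("track-01", key, "laptop-1", max_plays=10)
    player = Player("laptop-1")
    results = [player.play(pkg, trial) for _ in range(11)]
    print(results[0], results[10])
```

The signature check is what stops a listener from editing the play limit in a stored license; the play counter itself still lives on the client, which is why real players must protect that storage.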


In some DRM implementations, the security of the file can be circumvented without having to break its encryption. When a DRM-enabled media player has unlocked a media file, the music still must be transferred from the application to the computer's audio card. During this transfer, your music is unencrypted, uncompressed, and completely unprotected. Third-party tools and plug-ins have started to pop up on the Internet that can grab the contents of your file and make a perfect digital duplicate that can be shared without hindrance or compensation.

The first response to this situation is Microsoft's Secure Audio Path (SAP), which was introduced in Windows ME and XP. When a DRM-wrapped file is opened on either of those platforms, SAP adds cryptographic noise to the signal that is removed at the computer's audio subsystem only when all of its components have been authenticated. If a copy of the file has been grabbed between the media player and the audio card, it contains noise that makes playback unlistenable. Playback by an authorized system is noise free, making SAP transparent to the authorized listener.

A limitation of the SAP approach is its dependence on the ME and XP operating systems. Both are relatively new and have somewhat limited installed-user bases. It also completely excludes Mac and Linux users. When a consumer requests a license for a SAP-enabled song, the license server detects the operating system of the PC making the request. If it is ME or XP, all is well and the license is granted. If another OS is detected or appropriate certified drivers cannot be found, the user is out of luck and, to a large extent, so are you.


Another approach to combating fraudulent audio path recording is digital watermarking. Like a traditional watermark, a digital watermark is additional information added to your file that is imperceptible to the listener but that can be detected by an application that knows what to look for. One advantage of audio watermarking is that most current solutions will survive translation from analog to digital, compressed to decompressed, and encrypted to unencrypted.

The process of digital watermarking involves inserting data packets containing additional information about the file directly into the content signal. Like the noise added in SAP, this additional information is removed from playback and is completely imperceptible to the user (see Fig. 3). The watermark information can be audio, text, or multimedia and can contain copy and usage rules, information about the artist, or any other information you wish to provide or retrieve.

One current use is assigning a unique watermark to a music file for each distribution channel to which it is released. If a watermarked copy of your music is pirated and you locate an unauthorized copy on, say, a music-sharing site, you can trace the source. Contractual agreements are emerging between artists, labels, and content delivery networks that hold the provider responsible for such security breaches. A verifiable watermark can be the smoking gun that validates your complaint.
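
Per-channel tracing as described above, as an added example that is not from the original article. It assumes a simple spread-spectrum style watermark (a keyed pseudo-random sequence added at low level and detected by correlation), which the article does not specify; the channel names, keys, and test signal are constructed.

```python
import math
import random

# Constructed channel keys; each distribution channel gets its own secret.
CHANNEL_KEYS = {"store-a": "k-store-a", "store-b": "k-store-b",
                "radio-promo": "k-radio"}


def pn_sequence(channel_key: str, n: int):
    """Pseudo-random +1/-1 sequence derived from the channel's key.
    random.Random is not cryptographic; it is used here for illustration."""
    rng = random.Random(channel_key)
    return [1 if rng.getrandbits(1) else -1 for _ in range(n)]


def embed(samples, channel_key, strength=40.0):
    """Add the channel's low-level sequence to the audio samples."""
    pn = pn_sequence(channel_key, len(samples))
    return [s + strength * c for s, c in zip(samples, pn)]


def correlate(samples, channel_key):
    """Average of sample * sequence: near `strength` if marked, near 0 if not."""
    pn = pn_sequence(channel_key, len(samples))
    return sum(s * c for s, c in zip(samples, pn)) / len(samples)


def trace_source(samples, channel_keys=CHANNEL_KEYS, threshold=20.0):
    """Return (channel name or None, per-channel scores) for a found copy."""
    scores = {name: correlate(samples, key)
              for name, key in channel_keys.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores


def constructed_host(n=88200, rate=44100):
    """Two seconds of a constructed two-tone signal standing in for music."""
    return [1000 * math.sin(2 * math.pi * 440 * i / rate)
            + 500 * math.sin(2 * math.pi * 1000 * i / rate) for i in range(n)]


def degrade(samples, noise_sd=50.0, seed=7):
    """Simulate a lossy copy: add noise, then requantize to integers."""
    rng = random.Random(seed)
    return [round(s + rng.gauss(0, noise_sd)) for s in samples]


if __name__ == "__main__":
    leaked = degrade(embed(constructed_host(), CHANNEL_KEYS["store-b"]))
    print(trace_source(leaked))
```

The embedding strength is exaggerated so that a two-second clip gives a clear result; the detector also assumes the found copy is sample-aligned with the original.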


Despite the proliferation of do-it-yourself audio tools ranging from plug-in effects to PC-based mastering suites, full DRM may still be beyond the capabilities of most independent artists. Even though many DRM technology offerings are available free of charge (provided certain licensing requirements are met) or as features of emerging operating systems, the requirements for an infrastructure on which to run them remain costly. To establish a viable DRM-enabled music-distribution service, you need substantial programming and system administration skills, a fair amount of beefy hardware, and a wide Internet pipe. In most cases (barring recruiting your closest geek friends), that demands a greater investment than many musicians are prepared to make.

The alternative is to turn to a DRM service provider such as CenterSpan (the company that I work for), Digital World Services, InterTrust, or Liquid Audio. Such companies serve as license clearinghouses and as content-delivery channels. That greatly simplifies your role in protecting your music, but there are drawbacks as well as benefits to signing on.

Beyond giving artists an easy entrée to digital-rights management, the main advantages of DRM service providers are flexibility and exposure. A full-service clearinghouse provides a range of business models to choose from and an infrastructure capable of supporting them. Your audience can go the rent-to-own route if they are just discovering your music, or they can become subscribers to your new releases if they are die-hard fans.

Most services also let you bundle your music in different combinations for “special offer” promotions. There are also distinct advantages to being a part of an established catalog with a ready-made listener base. Your promotional efforts are automatically piggybacked onto those of the service provider. Providers usually charge for the service based on the number of bytes delivered and the number of licenses generated.

The downside of clearinghouses is that they lock you in to whatever DRM solution they have selected. That can eliminate a large chunk of your audience if they happen to be on an incompatible platform. The lack of cross-platform compatibility is perhaps the biggest hurdle DRM has yet to clear before gaining mainstream acceptance.

At this stage of the game, there is virtually no interoperability between competing DRM solutions. Even within a single vendor, problems can (and have) arisen. A file encoded in a standard format, such as MP3, can generally be opened by multiple applications from various vendors across multiple platforms. When it has been DRM encoded, however, it may be locked across those platforms even if the tools on both sides are from the same vendor. In this circumstance, your listeners would need multiple copies of a single song, each encoded for a particular platform, if they wanted to move it from their laptops to their desktop computers or portable players.


This untenable situation has arisen because every DRM solution describes and implements the rules governing content usage in its own way. What is needed is a standardized way of describing how content may be used. Such a standardized language would enable all DRM solutions to come together on the back end and exchange information in a manner completely transparent to the listener. That would not only simplify life for everyone involved but would also dramatically reduce costs for publishers. With a common DRM language available, content providers could package content just once to the standard's specifications rather than once for each potential DRM platform.

Two efforts to provide such a language have recently appeared: the Extensible Rights Management Language (XrML) from Xerox offshoot ContentGuard, and the Open Digital Rights Language (ODRL), which is being developed by a coalition of industry players including Adobe, Accenture, Napster, and IBM. Both approaches are open, XML-based descriptive languages promising a transparent, standardized method for specifying rights and licenses associated with the protection and use of digital content. Both standards are available on a royalty-free, licensed basis.

The primary difference between the two initiatives is a matter of scope. ODRL focuses on the description of business rules, whereas XrML encompasses the entire DRM process, from beginning to end. The industry must choose between simplicity and comprehensiveness. This decision should be settled in the DRM market during the coming year.


Online distribution of your music is a mixed blessing. It expands your potential audience beyond what you could have imagined just a few years ago while putting you much closer to that audience. Internet distribution puts you in control of how your music is distributed but also makes you responsible for protecting it.

Any restriction placed on how a listener accesses your music has the potential of alienating some part of your audience. The challenge is finding a compromise between your needs as an artist and the audience's demands as consumers. Listeners want to be able to enjoy the music they have legitimately purchased whenever, wherever, and however they like. Keeping your music protected while protecting the interests of your audience is the central struggle of online music. Digital-rights-management technologies, though still in their infancy, are the solution the industry has put forth for this phase of the Internet's evolution. Whether or not it can balance the scales remains to be seen.

Darin Stewart is the principal information architect of the C-star Content Delivery Network produced by CenterSpan Communications. He is also a Chapman Stick player in the Portland, Oregon, area. He can be reached


The primary objective of copyright is not to reward the labor of authors, but “[t]o promote the Progress of Science and useful Arts.” To this end, copyright assures authors the right to their original expression, but encourages others to build freely upon the ideas and information conveyed by a work. This result is neither unfair nor unfortunate. It is the means by which copyright advances the progress of science and art.
— Justice Sandra Day O'Connor (Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, 349 [1991])

“Fair use” has been a popular rallying cry of Internet music aficionados hoping to preserve the freewheeling world of online music. As appealing as this may sound, defending the rights of the consumer has never been the intention of the fair-use provisions of copyright law. The provisions are intended only as a limit on the exclusive rights of copyright holders. Fair use attempts to balance the rights of the artist with the interests of society in a manner that promotes the furtherance of the art. Justice David Souter has described fair use as “the guarantee of breathing space for new expression within the confines of copyright law” (Campbell v. Acuff-Rose Music, Inc. 114 S.Ct. 1164, 127 L. Ed. 2d 500 [1994]). The individual consumer is rarely under the protective wing of fair use.

The fair-use doctrine evolved in the judiciary during the course of numerous court decisions and was eventually codified in the Copyright Act of 1976 (17 USC 107). The Copyright Act specifies four criteria for determining what constitutes fair use. Even with these guidelines, what is and is not allowed is far from clear-cut and can be determined definitively only by a judge on a case-by-case basis. Here are the fair-use factors specified in section 107 of the Copyright Act.

The purpose and character of the use, including whether it is intended for commercial or nonprofit use. Fair-use rulings have overwhelmingly favored nonprofit endeavors, but several commercial applications have also been accepted. For example, a paid critic is allowed to quote or excerpt from copyrighted works to facilitate a commercial review. Generally, this provision is intended to allow duplication of copyrighted works to facilitate scholarship, research, and teaching.

The nature of the copyrighted work. Being unpublished strengthens a copyright claim. Historically, greater copyright protection has been awarded to unpublished works than to published works. Similarly, fair use is more protective of creative works than of factual ones.

The amount and substantiality of the portion used in relation to the copyrighted work as a whole. There is no hard-and-fast rule to determine how much of a copyrighted work may be duplicated under fair use. In ruling, judges have generally weighed this factor when considering purpose of use and the potential impact on the copyrighted work.

The effect of the use upon the potential market for, or value of, the copyrighted work. The potential for negative impact on a copyrighted work takes several factors into account, including when the work was published, how accessible it is currently, and its expected economic life span and value. Taken together, these factors will help determine if the duplicate, quote, or excerpt supports a replacement for the copyrighted work. If it does not, fair use is more likely to be granted.

While seemingly straightforward, these factors can lead to ambiguous or conflicting interpretations of the law. For example, a 3-second bass riff sampled from a 5-minute song represents only 1/100th of the copyrighted work and so would seem to be covered by the third fair-use criterion. When this riff is incorporated into a commercially released song, however, the first factor, the purpose and character of the use, trumps amount and substantiality, pushing the sample outside the bounds of fair use.

Judicial precedent has settled some general case issues. The seminal example is “time shifting” as approved by the Supreme Court in 1984 (Sony Corporation of America v. Universal City Studios, 464 U.S. 417). That decision defined home taping of television programs for noncommercial, private viewing at a later time as fair use. Most online music users assume that space-shifting songs — moving music from one format to another such as ripping a CD to an MP3 file — is covered under the same decision. It isn't. Space-shifting, even for personal use, has not been definitively determined to fall under the rubric of fair use.

Like most things in the online world, copyright law and fair use are still being defined. Although many lawyers believe that space-shifting and other duplication for personal and noncommercial purposes constitutes fair use, the ultimate decision still comes from a judge's bench. In its current state, fair use is by no means a right.