White paper: DAISY DRM Second Release

Background

In January of 2002 a meeting was held in Toronto to discuss how we would protect DTB. This was driven by RFB&D. RFB&D felt that they could not launch in September 2002 without some kind of protection. Another meeting was held in Princeton in April 2002 to finalize the specification. Sample implementations were demonstrated. By September there were players and content that use this specification.

Other organizations have expressed the importance of protecting DTB. The specification called " Protected Digital Talking Books (PDTB)" was delivered to the Board as a proposed recommendation. The status of this specification has not changed. The Board has not moved this to a formal recommendation, but decided to leave it as a proposed recommendation. The thinking was that more knowledge could be gained by observing RFB&D's experiences.

Observations about PDTB

Over the past two years, many organizations have looked at the PDTB specification. They have signed "Non Disclosure Agreements" (NDA) stating that they would not reveal what is in the specification. Based on these observations, the following weaknesses have been identified:

• The protection depends on not openly publishing the specification. The protection scheme that is used is fairly easy to break and if you could read the specification, it would be easy to write a program to break the protection. This is sometimes called, "security by obscurity."
• The mechanisms for distributing a user authorization key (UAK) are not defined in the specification. As a result, each organization must decide how their keys are distributed. This mechanism does not lend itself to interoperability.
• There is no defined way to protect the keys themselves and this creates a security leak in the protection scheme. RFB&D has had many problems related to this weakness. This is closely related to not defining the mechanisms for distribution of the UAK.
• The current specification does not describe how Interlibrary Lending (ILL) would take place. If we are to have a global library, this mechanism must be clearly defined.
• The current specification does not describe how text can be used in note takers and devices commonly used in the disability community.
• The protection of the XML textual content is considered to be very weak. This is perhaps the greatest criticism and the one that makes people think that publishers would not want their XML to be given to libraries and organizations serving persons with disabilities.

Urgency for Moving Forward

While RFB&D championed the PDTB Version 1, it is now DBB that is calling for a second release of PDTB, which would be strong enough to legitimately be called DRM. DBB says they need this to be successful in their work with publishers. They need this in the April - May 2005 time frame. DBB is not alone in this request. Reviews inside NLS and RFB&D have pointed to many of the same weaknesses identified above.

Proposal

1. At the January 2004 Madrid Board meeting, the Board is requested to authorize the beginning of the development of the second release of the DAISY PDTB specification.
2. It is proposed that the DAISY 3, the ANSI/NISO Z39.86 standard would formally point to the DAISY PDTB Version 2 specification as the required mechanism for providing DRM. This would take place in the late 2005 or 2006 revision to the NISO standard.
3. If the Board authorizes this work, a project leader and team would be approved. James Pritchett, from RFB&D as a project lead, with Ole Holst, from DBB assisting on implementation, would make an excellent start. We should be able to find a technical writer, funded by NLS to assist in the process. A project plan and budget would be submitted to the DAISY Board for approval.
4. The work is expected to be completed by January 2005, with an additional 3 or 4 months for public review and revisions.
5. Once completed, the specification would be openly published as a DAISY recommendation/standard.

Some things for Consideration

While DBB has committed significant resources to this effort, other organizations will need to participate. The working group and leaders have not yet been selected. Michael Moodie has committed to make resources, and perhaps funding available for this work.

The implementation of Version 1 of PDTB is significant. RFB&D has over 11,000 protected titles, and most of the player manufactures support this specification. Mechanisms for backward compatibility or techniques for moving this content forward need to be clarified. Also, approaches for upgrading players in the field need to be identified as part of the project plans.

Finally, it may be useful for publisher organizations to be invited to the working group. We may be able to have the publisher organizations contribute requirements to this DRM process. It would be very important to find out what exactly the publishers expect in terms of the protection required. This has a plus and a minus. The publisher's participation may help adoption and it may help in the flow of files to DAISY organizations, but it may also slow down the process. It might be especially interesting if technical organizations that the publisher's work with become interested in this development.

It is important to point out that there are W3C standards for protecting XML and for key encryption that we will want to use where ever possible. Of course, the work will start by looking at existing DRM systems and what is available off the shelf.

Finally, the DAISY Consortium will need to identify our IP policy prior to the beginning of this work. We will need to decide if we want any of our specifications to include technologies that have royalty fees. The W3C Royalty Free (RF) IP policy for working groups is a policy that the DAISY Consortium may be able to endorse without any modifications. The OeBF is finishing their IP Policy process and this will be made available for review in the next month or so, perhaps even before Christmas 2003. This policy allows for specifications that contain Reasonable and Non-Discriminatory (RAND) licensing fees