A. Controlling Access to Protected Works
1. Controlling Access at the Server Level
2. Controlling Access at the File Level
B. Controlling Use of the Work
C. Authenticating the Work
D. Managing Rights in the Work
E. Development of Standards
Technology can be used to help protect copyrighted works against unauthorized access, reproduction, manipulation, distribution, performance or display. It can also be useful in the authentication of the integrity of copyrighted works and in the management and licensing of the rights in such works. Protection and management schemes based strictly on specific technologies may have limited usefulness due to the rapidly evolving nature of these technologies. Furthermore, if the systems developed are too cumbersome or complicated, consumers may reject works protected under such systems. However, to the extent that the marketplace will tolerate such measures, they can be useful in protecting copyrighted works.[329]
Technology-based protection of digital works can be implemented through hardware, software or a combination thereof. It can be implemented at the level of the copyrighted work or at other, more distant levels. It can be used to prevent or restrict access to a work, as well as reproduction, adaptation, distribution, performance or display of the work.
Unauthorized access to copyrighted works can be denied in two general ways: by restricting access to the source of the work, and by restricting manipulation of the electronic file containing the work.
Distribution of digital works can be controlled by controlling access to the source of the works--information or data servers. Access to these servers can vary from completely uncontrolled access (e.g., the full contents of the server are accessible without restriction) to partially controlled access (e.g., unrestricted access is granted to only certain data on the server) to completely controlled access (e.g., no uncontrolled access in any form is permitted). Access control is affected through user identification and authentication procedures (e.g., log-in name and password) that deny access to unauthorized users to a server or to particular information on a server.[330]
Nearly all information providers, including commercial on-line services such as Compuserve and America Online and dial-up private bulletin boards, not only control access to their systems but also vary the nature of that access depending on the information a user wishes to access (e.g., access to certain data is conditioned on paying a higher fee, having greater access rights, etc.). On the Internet, users can connect to public servers through protocols such as gopher, file transfer protocol (ftp), telnet or the world wide web (www). Some information providers on the Internet grant full unrestricted access to all the information contained on their servers. This means that anyone can access any data stored on the servers. Other information providers restrict access to users with accounts or grant only limited access to unregistered users. For example, using ftp a user can often log on as an "anonymous" user (e.g., a user for which no account has been created in advance), but access through anonymous ftp is limited to certain data. Of course, an information provider can elect not to provide uncontrolled access (e.g., permit only those with accounts to access the server), provided appropriate security measures are implemented.
Thus, control over access to a server may be used as one of the first levels of protection for the works found on it.
A second level of control over protected works can be exerted through control measures tied to the electronic file containing the work. One type of restriction can be implemented through "rendering" or "viewing" software. Such systems require (1) a proprietary or unique file format that can only be read by certain software and that is developed or controlled by the information provider and (2) software that incorporates both a "control" measure to prevent viewing or use of a work without authorization from the information provider and "manipulation" functions to permit the user to view or use the work. Rendering or viewing software can be written to deny access if the user enters unauthorized identification or an improper password. Rendering software can also be written to deny access if the work is not an authorized copy (provided that sufficient information regarding authorized use is included in header information and it is sealed with a digital signature).[331]
Another type of restriction is encryption. In its most basic form, encryption amounts to a "scrambling" of data using mathematical principles that can be followed in reverse to "unscramble" the data. Encryption technologies can be used to deny access to the work in a usable form. File encryption simply converts a file from a manipulatable file format (e.g., a word processor document or a picture file that can be opened or viewed by appropriate general purpose software packages) to a scrambled format.[332] Authorization in the form of possession of an appropriate password or "key" is required to "decrypt" the file and restore it to its manipulatable format.
Encryption techniques use "keys" to control access to data that has been "encrypted." Encryption keys are actually numbers that are plugged into a mathematical algorithm and used to scramble data using that algorithm. Scrambling simply means that the original sequence of binary digits (i.e., the 1s and 0s that make up a digital file) is transformed using a mathematical algorithm into a new sequence of binary digits (i.e., a new string of 1s and 0s). The result is a new sequence of digital data that represents the "encrypted" work.[333] Anyone with the key (i.e., the number used to scramble the data according to the specified mathematical algorithm) can decrypt the work by plugging the number into a program that applies the mathematical algorithm in reverse to yield the original sequence of digital signals.[334] Although perhaps most commonly thought of as a tool for works transmitted via computer networks, encryption can be and is used with virtually all information delivery technologies, including telephone, satellite and cable communications. Of course, once the work is decrypted by someone with the key, there may be no technological protection for the work if it is stored and subsequently distributed in its "decrypted" or original format.
Requests for the export of cryptographic technologies are reviewed by the U.S. State Department. Although some cryptographic technologies used to encrypt communications are restricted from export, technologies used to identify and authenticate users and files are generally not restricted. There is an ongoing review of policies governing the export of computer and networking technologies, and there has been some relaxation of prior controls.
Hardware and/or software can provide protection against unauthorized uses of copyrighted works. For instance, the Audio Home Recording Act requires circuitry in digital audio recording devices and digital audio interface devices that controls serial copying.[335] The circuitry in the hardware is programmed to read certain coding information contained in the "digital subcode channel" of digital sound recordings and broadcasts. Based on the information it reads, the hardware circuitry will either permit unrestricted copying, permit copying but label the copies it makes with codes to restrict further copying, or disallow copying. The serial copy management system implemented by this circuitry allows unlimited first generation copying--digital reproduction of originals (such as CDs distributed by record companies), but prevents further digital copying using those reproductions.[336]
Systems such as these can be implemented through hardware, software or both, using the concepts discussed above (e.g., rendering software and encryption technology). For example, files containing works can include instructions used solely to govern or control distribution of the work. This information might be placed in the "header" section of a file[337] or another part of the file. In conjunction with receiving hardware or software, the information, whether in the header or elsewhere, can be used to limit what can be done with the original or a copy of the file containing the work. It can limit the use of the file to read-, view-, or listen-only. It can also limit the number of times the work can be retrieved, opened, duplicated or printed.
Mathematical algorithms can be used to create digital signatures that, in effect, place a "seal" on a digitally represented work. These algorithms can be implemented through software or hardware, or both. Digital signatures can play an important role in ensuring data integrity.
A digital signature is a unique sequence of digits that is computed based on (1) the work being protected, (2) the digital signature algorithm being used, and (3) the key used in digital signature generation.[338] Generating a digital signature uses cryptographic techniques, but is not encryption of the work; the work may remain unencrypted so it can be accessed and used without decryption. In fact, digital signatures and encryption can be used simultaneously to protect works. Generally, a signature is computed for a copyrighted work first and then the work (including the seal) is encrypted. When the work is to be used, the work is decrypted, then the signature (i.e., the seal) is verified to be sure the work has not been modified (either in its original or encrypted form). If the work is never changed, the seal need never be removed or changed. If the work is changed, a new seal must be computed on the revised information.
Generating a digital signature is called "signing" the work. Both the digital signature and the public key are often appended to signed copyrighted works (or they may be stored in a header). The signature serves as a "seal" for the work because the seal enables the information to be independently checked for unauthorized modification.[339] If the seal is verified (independently computed signature matches the original signature), then the copyrighted work is a bona fide copy of the original work--i.e., nothing has been changed in either the header or the work itself.
Software-based systems for tracking and monitoring uses of copyrighted works are contemplated in the development of the NII. Software-based systems may also be used to implement licensing of rights and metering of use. A combination of access controls, encryption technologies and digital signatures can be used by copyright owners to protect, license and authenticate their works on the NII. These security measures must be carefully designed and implemented to ensure that they protect the copyrighted works and are not defeated.
Information included in files can be used to inform the user about ownership of rights in a work and authorized uses of it. For instance, information can be stored in the header of a file regarding authorship, copyright ownership, date of creation or last modification, and terms and conditions of authorized uses. It can also support search and retrieval based on bibliographic records.
Electronic licenses may be used in connection with works offered via the NII. Electronic contracts may be analogous to the "shrink wrapped" licenses used for prepackaged software.[340] Providers may inform the user that a certain action--the entering of a password, for instance, to gain access to the service or a particular work, or merely the use of the service--will be considered acceptance of the specified terms and conditions of the electronic license. Payments for such licenses also may be made via the NII.[341]
The Library of Congress' Electronic Copyright Management System may be instrumental in rights management. The proposed system, which is under development, has three distinct components: (1) a registration and recordation system, (2) a digital library system with affiliated repositories of copyrighted works, and (3) a rights management system.[342] The system will serve as a testbed to gain experience with the technology, identify issues, prototype appropriate standards, and serve as a working prototype if full deployment is pursued later.
Some level of interconnection, interoperability and standardization of telecommunications, computer, wireless, satellite, broadcast and cable TV technologies and networks may be essential to achieve the Administration's vision of the NII. Government, industry or the marketplace may desire or require certain technological standards related to the NII. There has been much discussion of standardization of encryption technology, protocols, interfaces, headers and electronic licenses for purposes such as interoperability, interconnectivity and ease of information management or use.