On its website JISC, the Joint Information Systems Committee of the United Kingdom, describes its role as follows: it “supports further and higher education by providing strategic guidance, advice and opportunities to use Information and Communications Technology (ICT) to support teaching, learning, research and administration. JISC is funded by all the UK post-16 and higher education funding councils.” Recently a study on DRM was commissioned by JISC to Intrallect Ltd, Linlithgow, Scotland (Duncan et al. 2004). The objective of the study was “to make recommendations on the best approach for JISC and the UK education and research communities to adopt in relation to Digital Rights Management“ (p. 5). The study started in February 2004. An interim report was presented in June and three months later the present final report was published. The work consisted of a literature survey, a series of workshops and interviews as part of the use case methodology, and finally an analysis of requirements and an assessment of options for DRM in UK's higher and further education system.

The structure of the report is straightforward: a first chapter gives a short introduction to how DRM is understood and an overview on “Digital rights in UK Higher and Further Education”. The “use case methodology” is explained then in the next chapter. The largest chapter deals with the “Outputs” including a discussion of the results from the “use cases” and the requirements derived from them. The report finishes with “Conclusions” and “Implications”.

DRM in the context of teaching, research, and libraries
There are three main sectors the report dealing with: teaching, research, libraries. What does DRM promise for these sectors? According to the authors DRM could be a key factor in the teaching and learning communities for the development of a learning object economy, for the developing practice of self-archiving of research-publications, and for the licence agreements between commercial publishers and libraries (p. 5). So DRM is needed 1) to allow staff and students in the education sector to make use of digital resources in the confidence that they are complying with law and respect the right-holders’ policy, 2) to enable self-publication by the declaration of permitted uses, 3) to enable users to work within the confines of copyright, and 4) to ensure that all of the above can operate in an internationally connected, digital environment (p. 6).

In general, as Duncan et al. stated, DRM should be an “enabler” and not a “preventer”: “Its purpose is to let people work as freely as possible in the knowledge that they are both working within the bounds of the law of copyright and respecting the rights of others” (p. 8-9).

Defining and modelling DRM
Duncan et al. develop a definition of DRM inspired by LaMacchia (2002). The definition is as follows: “The ultimate goal of a distributed DRM system is for content authors to be able to project policies governing their content into remote environments with confidence that those policies will be respected by the remote nodes“ (Duncan et al., p. 6). The perspective of this DRM definition is an interesting one. The main actor is the author. He or she should be able “to project policies governing their content”. The kind of “policies” is open. DRM is not in a first instance about “control”, “watermarking”, and “tracking”, but about confidence, “that those policies will be respected”. The focus is not on achieving (technical) total security, which, in my opinion, we will never get.

It is interesting to note that Duncan et al. interpret this definition in a quite non technical manner. The policies about the objects over which rights exist, what those rights are, and who owns them could be done in the form of a legal license (p. 6).

In preparation of the use cases (see below) the project team has developed a model of six DRM stages within two main parts. The creation part is composed of the stages: recognition, assertion, and expression of rights. The projection part consists of the stages dissemination, exposure, and enforcement of rights (p. 9-10).

Use case methodology
The “use case” methodology (derived from Cockburn 2001) is a way of defining what people want to achieve, abstaining from any assumptions about technology, architectures, or systems (p. 22). And although this methodology derives from the discipline of software engineering it is also used to develop business processes or in this case digital rights policies.

We will just give a short impression how the “use cases” are developed without going into much detail. A use case is a description of a piece of work in the mentioned environments. To give an example of an use case summary: “A researcher wants to compare and criticize the approaches of two other researchers on personality development by publishing an eprint that hy-perlinks to papers by these researchers that are published in the e-journal collections of two commercial publishers” (p. 24). The use case is based on the goals of the key participants (or actors) and the authors of the use case develop main success and alternative scenarios. Such use cases were the sources for Intrallect’s research group to analyse the requirements on DRM.

The results are presented for each of the six DRM stages: recognition, assertion, expression, dissemination, exposure, and enforcement (see “Defining and modelling DRM” above). Each of these sections is organised in a similar way: First the requirements derived from the use cases are described, second, options to fulfil the requirements are discussed, then a “cost-benefit-risk analysis” on these options is added. To give a rough impression of the outputs, the first and last section on recognition and enforcement will be sketched.

The first stage of the management of digital rights, recognition, is divided into five requirements: define ownership, control of own material, control of third party material, plan use, and record clearance information (p. 28-35). Derived from the use cases examples of concrete requirements to define ownership are the clarification of the ownership of resources by academic employees or the resolution of a conflict between an employment contract and individual rights. Options discussed by the authors to meet these requirements are, for example, that in the em-ployment contract there should be explicit clarification that the higher education institutions have ownership of lecture notes. Several model contractual clauses exist which could be used. The authors consider in the cost-benefit-risk analysis that the cost of establishing ownership has to be related to the value of the resources to be protected (p. 63).

In the enforcement stage of digital rights management three requirements are distinguished: authentication, authorisation, and tracking/accounting (p. 60-62). While tracking seems not to be a core requirement, authentication and authorisation are well established in the UK higher education community, according to the report. Beyond these measures, the authors state that technical enforcements are not a priority.

Concluding their study, the authors argue that to define a DRM policy (the first three stages of the DRM stage model) established procedures and good recommendations exist. There is a substantial base of licence information available and the use of digital rights expression languages is increasing. Only the processes for clearing digital rights and for creating and quality controlling rights metadata are not well recognised (p. 69). Regarding the projection of DRM policy (the last three stages of the used DRM model) dissemination and enforcement methods, particularly authentication, are becoming well established. For exposing rights information recommendations are available but good practice is not yet established (p. 70).

Bottom line
The use case methodology applied in this study has the advantage of not following a technology driven approach. To implement DRM, so the study argues, does not automatically have the implication of implementing a complex piece of software called DRM system. To manage digital rights in the sector of teaching, research and libraries there are in many cases contracts and organisational and technical procedures available which are and could be used.

I very appreciate the view of the authors that different subject areas have different codes of practice (p. 34). This has to be reflected in different requirements and solutions. Detailed analysis must be carried out in the context of a specific organisation and its priorities (p. 62). There is no overall solution.

Sometimes the discussion of requirements and options along the DRM stages seems a bit schematic. In some instances the reader’s interest could be better served if main results were more focused and clustered. A revised version of the report, scheduled for November, will account for this criticism, which was also expressed in a public review process in the UK. But nevertheless these detailed results deliver a wealth of information for the interested reader in the aforementioned communities.


About the author: Ulrich Riehm is sociologist, who has worked on and lead Technology Assessment projects in the field of IST for 25 years at ITAS. Recently he led a TA project on E-Commerce and its political, economical, and social implications on behalf of the Deutsche Bundestag (German Parliament). Currently he is involved in the EU foresight project FISTERA and the eContent project INDICARE.

Status: first posted 27/10/04; included in INDICARE Monitor Vol. 1, No 5, 29 October 2004; licensed under Creative Commons