Banging the DRM Drum: The Role of Digital Rights Management in B2C Strategy for Education Content Providers

As many educational content providers seek to switch to direct-to-consumer (DTC) channels, we’ve noticed an important and often overlooked aspect of this change: content security. The neglect is unfortunate in that security is a crucial component of strong DTC strategy. Without it, education companies risk a sizeable revenue leakage due to the actions of the following groups: 

1. Savings-motivated users. If content is not protected, such users can exploit vulnerabilities that allow them to download or otherwise get shared content for free. This group is responsible for violations most often. However, protecting content from such users is relatively easy, due to their limited hacking skills.
2. Copyleft idealists. Some skilled amateurs believe that content should be free. They are a bit more motivated to go further and can explore more advanced ways of taking over your content. 
3. Profit-motivated pirates. They can perform intentional hacks to take over content for further distribution for either ad revenue or paid file- or video-share services. This group is the hardest to protect against and requires multi-layered content protection and encryption. 
4. Hostile competitors, content hoarders and other, more nuanced actors can act with varying degrees of skill.

We should note that the internet is full of step-by-step guides and tutorials for removing protection locks from educational content. This makes it easy for the groups above to access your content. Bear in mind: Once your content is leaked, it is nearly impossible to revert it back to a protected state, since multiple unprotected copies immediately become available across various communities and sites. All your efforts should be put into preventing such leaks in the first place.

DIGITAL RIGHTS MANAGEMENT SOLUTIONS

Luckily, the industry has already come up with a solution for content security: digital rights management (DRM) systems. A DRM solution seamlessly embeds into your content pipeline — from content authoring through publishing and distribution workflows. It provides you with the following digital rights protections: 

• Content Encryption/Decryption 
  Ideally, all your content should be encrypted both at rest and in transit. Moreover, the decryption keys on the client side must be specific to a particular user accessing the content, so the system should encrypt the content with keys generated for a particular user-device pair. The encryption scheme should allow automatic key rotation, when users are provided a short-lived content decryption key that they need to renew on some periodic basis, depending on the time you’d like to allow them offline access to your content. 
• License Management & Access Controls 
  Each piece of content will have an embedded license to specify the rules (policies) regarding who has access and when. Some examples of the policy include:
  • Allow view-only and print access to a group of users from a particular organization.
  • Allow access until expiration date.
  • Set download limit to three downloads per user maximum or limit number of devices up to two per use.

In general, a DRM policy defines a specific permission or restriction and the users or groups to whom this policy applies.

• Digital Watermarking & Fingerprinting 
  Both features have historically been widely used in hi-tech and manufacturing to protect complex engineering know-how, but nowadays are widely applied in content distribution. Digital watermarks are either visible (overt) or invisible (covert) bits embedded into your content that establish the ownership of the content and identify whether the content was compromised. A typical use case includes making sure that a digital watermark persists when the content is being shared, printed or otherwise distributed.
  Digital fingerprints are similar, but their goal is to determine leakage source. They typically establish a connection between an owner of a particular copy of content. If such content is leaked, the content owner can easily identify where it leaked from.
• Protected Content Packaging & Distribution 
  To enable the above protection, it’s important to add transcoding, encoding and decoding for all content types and delivery channels (such as a content delivery network). This is achieved by embedding specific DRM metadata, including the license, into the content using protocols that can be easily understood by the receiving client.
  The implementation depends on content type. For example, for video streaming, the multi-DRM solutions are commonly used to provide an interoperability layer that encodes the video based on a target video client (Safari, Edge or Chrome). Each client relies on a very specific DRM protocol while streaming (Apple FairPlay Streaming, Microsoft PlayReady and Google WideVine, respectively). For Word documents, the implementation will either use standard DOCX or XLSX specifications for access controls, which can be limited or will use some custom-defined metadata to be interpreted by client's extension (typically provided by a DRM vendor or custom-built using open source solutions). 
• Protected Content Client-Side Delivery 
  To support each device type (Web browser, Android, iOS, Windows, Smart TV, etc.) and content type, you need to develop either plugins/extensions — or even a native reader capability — to ensure full scope content protection. The plugin or reader performs the decryption, securely stores short-lived decryption keys, rotates them on a regular basis and ensures the license policies are enforced. Options vary depending on a file type, the level of protection needed and whether you require streaming and/or offline content access. 
  
• DRM Administration, Access Reporting & Analytics 
  This module is responsible for capturing all DRM-related events, such as content download, access, use or distribution, and providing a dashboard for content security specialists to manage and respond to such events. The initial implementation of such a dashboard and logs can be intended for manual analysis, but next-generation solutions would include automated anomaly and piracy detection. Using administration capabilities, your content security team can revoke and manage digital rights to the content using interactive filters, including granting and revocation of rights to selected content items. 
• DRM APIs 
  Providing an API is very important to ensure that standard actions can be automated within a content pipeline when content is being deployed. These APIs will be used in both the client and author/publisher environments.

CHOOSING A DRM VENDOR

If you are convinced that DRM must be a requirement for your business, you can start exploring DRM vendors that can provide a reliable solution. However, there is probably no off-the-shelf solution that will satisfy all your needs. The reason is that each solution is targeting a very specific content type. We can generally split DRM platforms as follows: 

• Document DRM (Seclore, Vera, NextLabs, FileCloud, Digify)
• File-specific DRM  (for PDF: Locklizard, VeryPDF, FileOpen, Digify, Adobe Digital Editions DRM)
• Video DRM (multi-DRM vendors such as Verimatrix, Pallycon, ExpressPlay, Vitrium, Marlin, EzDRM, BuyDRMm, etc.)

Moreover, some file types have existing open-source alternatives or building blocks, such as Apache PDFBox and Apache POI, which you can use to enhance or build into your own solution. Finally, there are also a host of feature-specific solutions (for digital watermarks: Digimarc, Proquest, iText).

At the end of the day, DRM should be tailor-made to your content using the building blocks and vendors already available in the space. There is no need to build everything from scratch, but reasonable effort should be made to integrate everything into a cohesive solution that works with your content pipeline.

As a content provider, you provide unique content or distribute it in unique way that becomes your key business value and differentiator. Your content security strategy should be equally unique.