DRM 101

Digital rights management in a wireless world

Mobile devices are fast becoming the means by which we can extend the reach of our communication and entertainment channels. With this new mobility of media, producers of digital content are facing a new challenge: how to protect their content against unauthorized use.

Every day new mobile devices hit the market - telephones, PDAs, and various hybrids. With each new generation come increased processing power and storage capacity. These mobile devices are no longer primarily communication tools, which is why they come with so much processing power and storage. Instead, they are fast becoming the means by which we can extend the reach of our communication and entertainment channels.

We already see portable devices for music listening, video viewing, and game playing. These machines require an external uploading or storage mechanism - CD, DVD, game packs, or memory cards. New mobile devices give us access to the Internet while on the go, providing a way to download content to the mobile device, and eliminating the need for external uploading capabilities. These mobile devices also use movable storage, such as memory sticks or flash cards, giving us the ability to transfer downloaded content to the entertainment machines that we already own.

With this new mobility of media, producers of digital content are facing a new challenge. Since the inception of digital content, they have struggled with the problem of protecting their content against unauthorized use.

We've seen numerous breaches of the copyright protection of media - CD ripping, peer-to-peer sharing networks, breaking of DVD protections, and more. The problem of unauthorized sharing could be greatly reduced if the industry enabled consumers to use their purchased media legally in different contexts. The field of Digital Rights Management (DRM) holds the solution to this problem. Digital rights define the legal usage policies for digital content, while DRM enables the transfer of rights from one person/device to another person/device. With the emergence of new, advanced mobile devices, the time to introduce DRM into the wireless world is now, to get ahead of the curve and avoid the unauthorized use now rampant in the wired world.

The fundamental requirement for digital rights is that only the individual who has acquired the rights to consume the digital content is allowed to do so. Fulfilling this basic requirement is not particularly difficult - one image that comes to mind is the kind of one-time licenses used in the TV show "Mission Impossible" ("this device will self-destruct in 30 seconds") - but also not particularly useful. For digital content to be usable there are a number of additional requirements that complicate matters. These additional requirements fall into two classes: end-user requirements (user experience) and delivery requirements (business models).

User Experience
From the end-user perspective, DRM should be as transparent as possible. The end user will typically expect to be able to:

  • Save a backup copy of the content so they can restore that content if it is deleted from their device
  • Move the content from one device to another, possibly transforming the content to suit the second device
  • Share the content with their friends
  • Purchase new or extended rights for the object.

Business Models
There are a number of parties involved in the value chain between the producer of the digital content and the end user. Those on the supply side are interested in ensuring they are paid when their digital content is consumed. The following set of typical business models illustrates how suppliers can offer and, by extension, be appropriately compensated for their content:
  • Buy once and use forever: Sell a CD in a music store and buyers can listen to it as long as they keep it.
  • Buy once and use once: Sell a ticket to a movie seen in a theatre. The buyer can view the movie only once.
  • Teaser: Give the end user a preview of the content and provide details on how to purchase the full version.
  • Subscriptions: Sell time-limited usage of the content and let the end user renew the usage when the time limit has been reached.
  • Buy for a friend: Let the end user purchase the content and send it and the rights to use it to a friend.
  • Sharing between friends: Enable end users to forward the digital content to friends and provide the means for the friend to purchase the rights to consume the content.

Management
The requirements from the end user and content provider perspective clearly dictate that the digital content must be separated from the rights to use the content. This separation of content and rights leads to requirements on how to manage the content and rights as separate entities while maintaining the association between the two. The process for supporting these requirements is exactly what DRM is, in essence.

Early Implementations
The first implementations of digital rights in mobile devices came from mobile phone manufacturers like Nokia and Sony Ericsson or mobile Internet software vendors like Openwave Systems. The early implementations provided only the basic functionality of prohibiting the forwarding of content downloaded to the device. Once the content was downloaded to the device, the user had no ability to send it to another party - either via an MMS message or using synchronization between a PC and the mobile device. This function is often called Forward Lock.

Content and rights providers could indicate that the content should be forward-locked. The content delivery had to be tailored for each type of device and WAP browser, since the implementations were proprietary. Content providers had no means of ensuring that the content wasn't forwarded to other parties. They had to trust the integrity of the implementations on the devices.

Nokia extended their proprietary solution to include encryption of content and the association of different kinds of rights with the content. The primary types of rights were the right to preview the content before it was purchased and the right to consume the content once the digital rights had been purchased.

Some content providers also tackled the problem of enforcing usage rights in the case of executable content (e.g., Java J2ME MIDlets, Symbian applications). This enforcement of rights relied on the integrity of the execution environment and the addition of a rights component to the executable. The rights component could either check with an origin server to ensure the user had the right to run the application (this required network connectivity) or it could use application-specific techniques. One common method used by content providers to add the rights component to the applications was to modify the executable code, often called instrumentation, before delivering it to the consumer.

These early implementations fulfilled only some of the basic requirements for digital rights and essentially only the buy-and-use business model. All involved parties recognized that a standardization of Digital Rights Management would be the best way to move forward.

Open Mobile Alliance Standardizations
Open Mobile Alliance (OMA) is the organization that creates standards for the mobile world. Its mission is "… to grow the market for the entire mobile industry by removing the barriers to global user adoption and by ensuring seamless application interoperability while allowing businesses to compete through innovation and differentiation." (For more information, see www.openmobilealliance.org).

The first OMA standard for Digital Rights Management was published in September 2002. The standard establishes the foundations for DRM within the mobile world. It clarifies the distinction between distribution policies for digital content and the rights associated with that content. It also specifies a preferred mechanism to be used for downloading the content - OMA Download. A year after the first version of the OMA DRM specification was published, OMA DRM-capable phones are now coming to market.

The standard decouples the digital content from the rights to consume it. This enables business models where the full content is delivered to the handset along with a rights object that defines the usage policy for the content. Earlier, if a content provider wanted to deliver a preview of the content (to help the user in the purchase process), the preview was often a kind of "crippled" content - low resolution image, short music or video clip, and so on. With OMA DRM the rights are decoupled from the content, enabling different rights to be given or purchased based on the usage policy to consume the content. This means it is possible to provide the user with a fully functional preview with a limited usage policy.

The specification describes two different distribution policies: forward-lock and separate delivery. The forward-lock policy is the same as in the early versions of DRM (i.e., the handset prohibits forwarding from the device to another location). The separate delivery policy does allow for forwarding. This is achieved by encrypting the content. Any receiving party must obtain the key to decrypt the content.

Whenever the content is encrypted the problem of distributing the decryption key to the handset must be solved. The standard specifies that the decryption key is part of the rights and that, since it is sensitive information, it should be delivered to the client via channels that are reasonably secure. In this case, the WAP Push channel is chosen as the most appropriate delivery mechanism.

The standard combines the distribution policy and the delivery of rights into three models: forward-lock, combined delivery, and separate delivery. Combined delivery implies a forward lock of the content. Separate delivery is the most interesting model since it enables users to forward content to another device without compromising the original usage policy. The receiving device cannot use the content until the rights for it have been purchased and delivered to the second device. The standard calls this model "superdistribution."

Rights
The rights associated with a piece of digital content describe the permissions the owner of the rights has and the constraints imposed on the usage of the content. The language for expressing the rights in OMA DRM is a subset of a more extensive rights expression language - Open Digital Rights Language (http://odrl.net). In OMA DRM the focus is on the rights given to the user for viewing and executing the content.

The digital content is associated with permissions to play, display, execute, and print the content. The granted permissions depend on the type of content. For each granted permission, a set of constraints can also be imposed. The constraints can be:

  • Only use it a specified number of times
  • Only use it during a specified time interval after the first usage
  • Only use it between a start- and end-date.

These constraints can also be mixed (e.g., use it five times but only between tomorrow and next Sunday, or use it for one week after the first usage but not after a specified date).
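
The following is an added example, not code from the article or from OMA, showing how a device could evaluate mixed constraints of the three kinds listed above. The class and function names are hypothetical and the data model is a simplification, not the standard's rights expression syntax.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Constraint:
    """Simplified model of one permission's constraints (not OMA's XML syntax)."""
    count: Optional[int] = None           # maximum number of uses
    interval: Optional[timedelta] = None  # window that opens at the first use
    start: Optional[datetime] = None      # not usable before this moment
    end: Optional[datetime] = None        # not usable after this moment

@dataclass
class UsageState:
    """State the device must persist per rights object between uses."""
    used: int = 0
    first_use: Optional[datetime] = None

def consume(c: Constraint, s: UsageState, now: datetime) -> str:
    """Apply every constraint (logical AND); update state only if allowed."""
    if c.start is not None and now < c.start:
        return "denied: before start date"
    if c.end is not None and now > c.end:
        return "denied: after end date"
    if c.count is not None and s.used >= c.count:
        return "denied: count exhausted"
    if (c.interval is not None and s.first_use is not None
            and now > s.first_use + c.interval):
        return "denied: interval expired"
    s.used += 1                           # a denied attempt never reaches here
    if s.first_use is None:
        s.first_use = now
    return "allowed"

def demo():
    # Constructed sample: three uses, within a week of first use, not after 10 Jan.
    c = Constraint(count=3, interval=timedelta(days=7), end=datetime(2004, 1, 10))
    s = UsageState()
    t0 = datetime(2004, 1, 5, 12, 0)
    results = [
        consume(c, s, t0),                                # opens the interval
        consume(c, s, t0 + timedelta(days=2)),
        consume(c, s, t0 + timedelta(days=4)),            # third and last use
        consume(c, s, t0 + timedelta(days=4, hours=1)),   # count exhausted
        consume(c, s, t0 + timedelta(days=6)),            # 11 Jan: past end date
    ]
    return results, s.used
```

Because the count and the first-use timestamp decide the outcome, the device has to store that state where the user cannot reset it.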

Next Generation
The first version of OMA DRM has two major shortcomings, both related to security considerations. The first concerns the delivery of the content encryption key. In the original version it is delivered over WAP Push and in the clear. In using WAP Push, the security of the solution is dependent upon the operator. A more desirable solution would remove this dependency on the operator and provide a more secure way of transferring the key and the rights. The second shortcoming concerns the trust relationship between a content/rights provider and the mobile device. Is the DRM implementation in the device compliant? Does it honor all of the restrictions imposed by the standard and by the rights? And if not, how can we identify those devices that should be avoided?

The next version of OMA DRM primarily addresses these two shortcomings. The basic remedy is to apply public/private key techniques to the transactions between the parties. Every device manufacturer will provision the devices with a public-private key pair. This enables the content and rights delivery component to:

  • Authenticate the handset (i.e., verify that the handset is among those that provide a trusted implementation of DRM). The content provider can check the handset's certificate (which encapsulates the public key) against certificate revocation services to determine whether the handset is trusted.
  • Use the keys to establish a secure communication channel between the device and the rights issuer. A secure channel is needed for exchanging the encryption key that was used to encrypt the digital content.
  • Encrypt the rights object so that only the receiving device can decrypt it.
  • Ensure that the binding between rights and content cannot be tampered with.

The next generation also covers most of the user experience-related requirements:
  • Content can be backed up and restored.
  • Content can be moved between devices that the user owns.
  • Content can be exported to other copy protection schemes.

The standard will also cover handling of digital rights for streaming content.
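
As an added illustration of the tamper-evident binding between rights and content listed above (not code from the article, and not the OMA wire format), the sketch below stores a digest of the content inside the rights object and protects the whole object with a MAC. The function names, the JSON layout and the choice of HMAC-SHA-256 are assumptions, and the MAC key is assumed to have arrived over the secure device-to-issuer channel.

```python
import hashlib
import hmac
import json

def _canonical(body: dict) -> bytes:
    """Stable byte encoding so issuer and device MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_rights(content: bytes, permissions: dict, mac_key: bytes) -> dict:
    """Rights issuer: tie the rights to one content object, then MAC them."""
    body = {"content_sha256": hashlib.sha256(content).hexdigest(),
            "permissions": permissions}
    tag = hmac.new(mac_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}

def verify_rights(ro: dict, content: bytes, mac_key: bytes) -> str:
    """Device: check the MAC first, then that the content is the bound one."""
    expected = hmac.new(mac_key, _canonical(ro["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(ro.get("mac", ""))):
        return "reject: rights modified or wrong key"
    digest = hashlib.sha256(content).hexdigest()
    bound = str(ro["body"].get("content_sha256", ""))
    if not hmac.compare_digest(digest, bound):
        return "reject: rights bound to different content"
    return "accept"

def demo():
    # Constructed sample values; the key stands in for one shared over the
    # secure channel (the key exchange itself is not shown here).
    key = bytes(range(32))
    song, other = b"constructed ringtone bytes", b"constructed game bytes"
    ro = issue_rights(song, {"play": {"count": 1}}, key)
    edited = json.loads(json.dumps(ro))          # deep copy of the rights object
    edited["body"]["permissions"]["play"]["count"] = 100
    return [verify_rights(ro, song, key),        # untouched rights and content
            verify_rights(edited, song, key),    # usage count was raised
            verify_rights(ro, other, key),       # rights moved to other content
            verify_rights(ro, song, b"\x00" * 32)]  # device without the key
```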

The second version of the OMA specification, which will cover these enhancements, is still under consideration. The specification is expected to be published in the first half of 2004.

Conclusion
Digital Rights Management in the wireless world introduces a number of interesting possibilities for content providers - be it producers or rights management servers. Adoption of standards is vital for both content providers and device manufacturers. A common standard for DRM is the basis for a widespread and accepted solution among the involved parties. But the DRM market is still extremely nascent and content providers will still need to support both legacy DRM systems and proprietary DRM systems for specific digital content and device implementations.

More Stories By Tomas Lund

Tomas Lund works for Openwave Systems, one of the leading providers of wireless technologies and infrastructure. Tomas works as a software engineer with the Openwave Download Manager. Before joining Openwave, he worked for a Swedish company, Ellipsus Systems, developing WAP gateways and download managers.
