Where did we go wrong?
• Where did User Experience go ?
• Where did Superdistribution go ?
• Where are the innovative Business Models, the
Real-time Marketers, etc. ?
• Did DRM curb those that it meant ?
• Wasn’t DRM supposed to be an enabler ?
Can we finally make DRM
“FUN” (i.e., User Friendly ;-) ?
• Assuming :
• DRM is likely to stay and be needed (managed content)
• Absolute security is neither achievable nor desirable
• Given the right User Experience and Business Models
most users smoothly comply (e.g., iTunes)
• Most users aren’t criminals
• We needed to take a step back to :
• Critically re-think DRM
• Reconsider the debate outside the either/or extremes of
total vs. no security
• Re-design DRM from ground up
Rethinking & Redesigning DRM
• Acknowledge the Central role of the User and User
• Reinstate Users in their roles & rights
• Presumption of innocence & the burden of proof
• Fundamental guiding principle to Rethink and Redesign
DRM : Feltens’ “Copyright Balance” principle (Felten,
“Since lawful use, including fair use, of copyrighted works is in the
public interest, a user wishing to make lawful use of copyrighted
material should not be prevented from doing so by any DRM
• Claim and Proposition :
• Put the trust back into the hands of the users
• Reverse the distrust assumption
• Requires a major paradigm shift
Rethinking & Redesigning DRM
• Exception Management in DRM environments, mixing
water with fire ? Not necessarily !
• Reversing the distrust assumption puts the user “in
charge”, facing his responsibilities
• Allow users to make Exception Claims, granting them
Short Lived Licenses based on some form of logging and
• Use Credentials as tokens for logging to detect and
• Credential are Revocable in order to deal with abuse and
• Mutually acknowledged need for managed content while
allowing all actors a smooth usability experience
(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009) 8
Exception Management in DRM
(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)
• What is an Exception ?
• A claim made by a user wishing to rightfully access /
• Based on « real world » credential patterns
• Delegation model based on chained authorities
• Credential authorities closer to the users
• Locally managed and held by users (credential store)
• Short lived or fixed life time
• Late binding (enforcement point)
• Model is auditable for abuse and includes
• Burden of proof on the party having a justifiable reason
to claim abuse (presumption of innocence)
• Monitoring in near real time of security policies 9
A “Serious” problem in Social
Networks and Services
Socially-Responsible Management of
• Personal Information
• Different from Personally Identifying Information (PII)
• Subject to legal frameworks in most countries
• Increasingly shared on social networks
• Blurring boundaries between private and public life
Legitimate concern (i.e., rights) over our
information in terms of lifetime, usage
purposes, access, etc.
Problems and Issues
• Publish / share once, publish / share
• Indexing and searching
• Who “owns” and manages YOUR
information (SLAs) ? Raging debates.
• Who’s information is it ?
• Do you retain control ?
• Semantic searching capabilities
The Right to Forget
• Right to Forget : fundamental
human right threatened by the digital
nature of information (i.e., searchable)
• Traditional Media (i.e., non digital)
“Memory” erodes over time
• Labor and cost intensive
• Digital Media, requires explicit human
intervention to “make forget” information
Anonymity and Privacy
• Anonymity and Privacy are fundamental
to social networking
• It’s not a “bug”, it’s a feature !
• It’s not schizophrenia !
• Multiple legitimate personas (e.g., work, family,
• How do we deal with it in a socially-
responsible and ethically sustainable way ?
• Cyber bullying (e.g., Akple in Korea)
Requires traceability and accountability of
information (i.e., managed information)
• Is Privacy and personal information
threatened by current social
networking services ?
• We contend there is a need for
Managed Personal Information
• Socially-responsible and sustainable
How can we retain an acceptable (by all) level of
control over our personal information ?
• Personal Information should be
augmented with a layer accounting for its
• Alongside other metadata increasingly
used in addressing the semantic
dimension of our electronic services
• We argue DRM combined with Exception
Management may be a promising path
• Socially-Responsible management of personal
information in social networks and services
• Can DRM “go green” before we all “go
• If so, we might be able to address some
“Serious” societal issues while having
“Fun” along the way !
Security is bypassed not
Inspired by Adi Shamir, Turing Award lecture, 2002
University of Geneva – CUI
Dept. of Information Systems