DigID and DRM
Lord bless Bryan Field-Elliot over at NetMeme. Bryan is a founder of PingID,
a member-owned, technology-neutral network that is facilitating the business framework necessary for the accelerated deployment of federated identity services.
He’s also a straightforward guy. In response to Doc‘s call for “full-power” digital IDs in order to give power back to “consumers,” Bryan writes:
There’s an important relationship here with DRM (Digital Rights Management), which I think has been danced around quite enough, and should be brought into the spotlight. The relationship is, quite simply, that “Strong Identity” (what Doc calls “full power”) is synomymous with Digital Rights Management. You can’t have one without the other.
Why not? Bryan explains:
In both cases, one party (individual, or content megaconglomerate) produces digital content (personal info, or a $100mln movie), and makes it available for consumption by other parties, but only with some assurance that the information won’t be copied or applied in undesired ways. The two problem patterns, and their range of solutions, appear pretty much identical to me.
…by the nature of information (which “wants to be free”, it’s said), we can never have Doc’s “full power” identity infrastructure without some enforcement teeth.
As far as I can see, only hardware enforcement, or legal enforcement, will provide such a bite, and in both cases, likely to be circumventable by the sufficiently determined.
It’s good to see the relationship of DRM and digID made explicit. Too often those pushing for digID avoid acknowleding the relationship.
So, let’s get yet more clear about the relationship of DRM and digID. Bryan is not saying (I assume) that the two can’t be distinguished the way you can’t separate “automobile” from “car” or “wet” from “liquid water.” Rather, he says, “you can’t have one without the other.”
And here I disagree. We could have digIDs that are used solely for enabling us prove we’re the one that sent an email, to enable online voting, and to prove that we are the holder of the credit cards we use to buy stuff online. And, as Bryan acknowledges, we can have DRM without digID; DRM just wouldn’t “have teeth.”
But it all depends on what you mean by teeth. Bryan says he accepts “legal enforcement” as a type of tooth. You don’t need digIDs to crack down on pirates who are taping movies on their first day of release and posting the files on the Net or to arrest the pirates who are mass producing bootleg CDs. You can even crack down on Kazaa “super nodes” or students at the Naval Academy who are downloading MP3s. You only need digIDs if you want to make it technologically nigh impossible to do what you want with the content you’ve downloaded. You only need digIDs if you want your ownership rights to be regulated at the bit level by the people from whom you’ve bought the content. You only need digIDs if your idea of DRM is CPPSROSE: “Content Providers’ Post-Sale Rigid and One-Sided Enforcement.” For more reasonable digital rights management we don’t need digIDs.
So, it’s good to surface the fact that when many people talk about digital IDs, they’re often really talking about DRM. But, IMO we need to be damn sure not to define DRM solely as the right of content providers to prevent us from using the content we’ve bought in the ways we see fit within the bounds of law.
Now Bryan, who understands this stuff 100x better than I, can set me straight…
Bryan’s posted a response. Here’s what he says (from an email to me):
I think we disagree mostly because I didn’t make clear enough in my original post, the difference between using DigID to “prove who you are” (what we do today), vs. using DigID to “control others’ use of your personal info” (which we don’t have today, and which Doc has variously named “Strong Identity” or “Sovereign Identity”). I believe, your response to me assumes I’m comparing the former to DRM, when actually I’m comparing the latter to DRM.
In his blog, Bryan says: “In classic security terms, we’re talking about taking authentication as a given, and moving up the chain to a flexible authorization system for access to personal information.” DRM gives the vendor the ability to authorize our use of the goods we buy, so I can see that formally digID and DRM are the same. Thanks for the clarification, Bryan (and did I get it right?).
Categories: Uncategorized dw