Most discussion about digital rights management (DRM) is directed at the efforts of the music industry to use it to prevent piracy. But it’s a much bigger issue than creating a technological hurdle for MP3 rippers.
DRM will be used with documents, spreadsheets, presentations, databases, programs, photos and movies. The attraction of using DRM controls for these everyday files is to provide a technological barrier to breaches of commercial confidentiality, to beef up privacy and to protect against other types of intellectual property infringement.
Although DRM is widely supported in the software development industry, there are aspects of the broader DRM concept that raise significant concerns for the judicial system in terms of production of electronic evidence in court.
At a time when the courts are coming to terms with electronic evidence generally, DRM threatens longstanding notions of preservation of evidence and production of the "best evidence". This issue of how DRM is to be used day-to-day and what the courts will think of DRM-protected files is, we suggest, one that technologists should be helping their executives understand.
DRM is founded on cryptography, commonly incorporating elements of a public key infrastructure (PKI) and a combination of asymmetric and symmetric encryption keys. Symmetric encryption (supporting 128-bit through to 448-bit key sizes) is used for encrypting media assets while asymmetric encryption is used, for example, to protect sensitive data including licences. For an example, see OpenIPMP. Steven Levy explains in his book Crypto that this key length means a simple Word document in which access is controlled by DRM can be protected against cracking by virtually everyone.
One of the key proponents of broad use of DRM is Microsoft. Its system for the management of digital rights is described in "Microsoft Rights Management Solutions for the Enterprise: Persistent Policy Expression and Enforcement for Digital Information" (available at www.microsoft.com), which in particular states:
"Windows rights management adds value to any organisation's security mix by providing enterprise users with a flexible, easy way to control most of the types of digital information they typically create and use. For online information ... as well as email communications and documents, RMS can help enforce policies such as restricting the ability to print, forward and edit data. Permissions can be set to expire at a specific point, such as a number of days after publishing or at regular intervals, requiring acquisition of a new licence."
It is this evolution, to the control of digital information and seemingly with the objective of protecting any file or information rather than an intellectual property right, that seems likely to increase or to create problems for the courts.
Consider records that are produced or generated automatically; for example, the metadata stored in relation to Microsoft Office documents (that is, the name of the last person to edit the document, the length of time editing and the last print time). DRM will add a lot more detail to that record, such as who was allowed to see it, whether the persons allowed did access the document and whether the creator planned for the document to "die" by automatic deletion. All that information may be very useful in a court case and would be discoverable under our Evidence Act.
The application of DRM is intended to be much wider than just documents. All electronic information is included in our law as a "document", which is very broadly defined to include information (whether machine or human-generated) in the form of email, application files, temporary files, backup files and random access memory (RAM). What’s more, all this electronic information is discoverable whether it is stored on a hard disk, CD-ROM, floppy or any other storage media.
While the extra complications that DRM will impose on the litigation process do not appear to have been considered in the plans of the vendors of DRM-enabled products, such as Microsoft Office, organisations will have to ensure that they consider their duties at law to keep information and make information available. Statutes that control the length of time information must be kept include heavy-duty laws such as those in the income tax legislation and the prohibitions against destroying (by DRM-predetermined deletion?) evidence under the Crimes Act.
Every "version" of an electronic document (information) is a document that may have to be preserved. DRM does not change this basic premise but, as it is a system of restricting rights of access to the information and predetermining deletion of information, people adopting DRM must consider that the documents may, in the future, be required for a criminal or tax investigation or be required to be produced in court.
Knowing that the document may be required and setting up the document to be automatically destroyed may end up being obstruction of justice or a contempt of court.
Aside from the drama of tax or criminal investigations, there are more basic reasons why there needs to be careful consideration of how DRM is going to operate. The "best evidence" rule, which requires each party to produce the "best evidence" available, generally means that the original document must be produced. The increased use of email and the ease with which a document can be forwarded from one party to another for editing, review or reply means that, for evidence purposes, there may be multiple "documents" created and each is required to be produced in its original condition.
DRM, which was originally designed around regulating access to digital information such as music, is now being pushed as a tool for the humble corporate report or spreadsheet.
While implementing DRM to, for example, systematically destroy information may be committing a crime, implementing it with the result that a document is rendered unusable for both legitimate and legal use may put a company that is trying to defend itself in a court case at a disadvantage.
DRM represents the classic battle between the need of the law to be able to have all the evidence and the desire of litigants to only produce the evidence that presents their perspective on the dispute; in short, not complying with discovery, which is to commit the crime of offering a perjured document. Using DRM will not change the obligation at law to fully disclose and to file sworn lists of documents that are complete. A lie to the court on oath is perjury and using the miracle of DRM to cause documents to die will not alter the obligation to tell the court that the document existed or give the document to tax investigators when asked.
Horrocks is a partner and Miller a solicitor in Clendon Feeney’s technology law team. This article, together with further background comments and links to other websites, can be downloaded from www.clendons.co.nz. Questions and comments can be sent to firstname.lastname@example.org.