Digital Rights Management vs. Identity Management

§ August 24th, 2006 § Filed under Identity § 3 Comments

Via Dave Kearns, I learn of the Open Media Commons project sponsored by Sun whose goal is to “develop open, royalty-free digital rights management and codec solutions.” I’m all for that. While DRM raises the hackles of many, I think it’s necessary to enable various business models for content creators.

I’m a bit confused, however, by some of the use cases published by the Open Media Commons. Dave has a link to this slide deck (pdf), which he quotes from in his newsletter. The use cases include one controlling health care worker access to patient medical records, and another for corporate user access to enterprise reporting. If this is DRM, then how does DRM differ from identity management?

I admit I’m not totally up on DRM, but I have always seen digital rights management as a mechanism to embed access control into a media file. That media file could be text, a spreadsheet, software, audio, video or graphics, but the file carries with it its own authentication and authorization. This is very different from a typical enterprise identity management scenario, where access to data (and application functionality) is controlled externally to the report or document produced. So in the electronic medical record apps I’m aware of, access to patient records is controlled by the EMR system itself (plus perhaps an identity management infrastructure) external to the patient record. The same is even more true for an enterprise reporting system. So Sun’s description of these use cases as “DRM” just doesn’t seem accurate to me.

Having said this, I can see an application of DRM to the patient record use case, but in a way that perhaps was intended but not spelled out in the Sun document. If my medical record is recorded in a chip inserted in my shoulder, and I turn up unconscious in an emergency room, I would want the ER staff to be able to access the medical record. However, I wouldn’t want someone standing behind me in line at the supermarket to access my medical record by scanning the chip without my knowledge. Hence, the medical record would require DRM to authenticate that the person accessing it is a health care worker in the absence of any external IdM system (and in the absence of my ability to approve the access). If this is what the Sun folks have in mind, then I’m totally on board. (I still don’t get the corporate reporting use case, though.)

A final area of confusion for me is Sun’s “fair use” use case. They make it sound as though fair use requires the copyright-holder’s approval and authorization. Now, IANAL (I am not a lawyer), but my understanding is that fair use is a right granted by the laws of the United States (and other countries I presume) and does not rely on the granting of permission by the copyright-holder. I can satirize, parody or critique any publication or speech by anyone, and in so doing quote directly from the copyrighted material, without authorization from the author. Requiring an author to grant a fair use “license” up-front would, it seems to me, violate the whole intent of fair use law.

If Dave Kearns, any of the Open Media Commons folks, or anyone else can clear this up for me, I’d appreciate it!