Digital Rights Management vs. Identity Management
Via Dave Kearns, I learn of the Open Media Commons project sponsored by Sun whose goal is to “develop open, royalty-free digital rights management and codec solutions.” I’m all for that. While DRM raises the hackles of many, I think it’s necessary to enable various business models for content creators.
I’m a bit confused, however, by some of the use cases published by the Open Media Commons. Dave has a link to this slide deck (pdf), which he quotes from in his newsletter. The use cases include one controlling health care worker access to patient medical records, and another for corporate user access to enterprise reporting. If this is DRM, then how does DRM differ from identity management?
I admit I’m not totally up on DRM, but I have always seen digital rights management as a mechanism to embed access control into a media file. That media file could be text, a spreadsheet, software, audio, video or graphics, but the file carries with it its own authentication and authorization. This is very different from a typical enterprise identity management scenario, where access to data (and application functionality) is controlled externally to the report or document produced. So in the electronic medical record apps I’m aware of, access to patient records is controlled by the EMR system itself (plus perhaps an identity management infrastructure) external to the patient record. The same is even more true for an enterprise reporting system. So Sun’s description of these use cases as “DRM” just doesn’t seem accurate to me.
Having said this, I can see an application of DRM to the patient record use case, but in a way that perhaps was intended but not spelled out in the Sun document. If my medical record is recorded in a chip inserted in my shoulder, and I turn up unconscious in an emergency room, I would want the ER staff to be able to access the medical record. However, I wouldn’t want someone standing behind me in line at the supermarket to access my medical record by scanning the chip without my knowledge. Hence, the medical record would require DRM to authenticate that the person accessing it is a health care worker in the absence of any external IdM system (and in the absence of my ability to approve the access.) If this is what the Sun folks have in mind, then I’m totally on board. (I still don’t get the corporate reporting use case, though.)
A final area of confusion for me is Sun’s “fair use” use case. They make it sound as though fair use requires the copyright-holder’s approval and authorization. Now, IANAL (I am not a lawyer), but my understanding is that fair use is a right granted by the laws of the United States (and other countries I presume) and does not rely on the granting of permission by the copyright-holder. I can satirize, parody or critique any publication or speech by anyone, and in so doing quote directly from the copyrighted material, without authorization from the author. Requiring an author to grant a fair use “license” up-front would, it seems to me, violate the whole intent of fair use law.
If Dave Kearns, any of the Open Media Commons folks, or anyone else can clear this up for me, I’d appreciate it!
Bob -
What I gather from the Health Care scenario is that the “patient record” is not stored on a part of the emergency room’s IT infrastructure, i.e., this is a patient coming in off the street who may never have been in that facility – or any facility in that city, state or country – before. The documents themselves, those that comprise the patient record, are either carried by the patient (a somewhat futuristic MedicID bracelet, perhaps) or are available (with proper validation, authentication and authorization) thru some clearinghouse. Thus the “treating physician” acquires role-based access to the docs which would expire should he/she no longer be the treating physician.
So far the DReaM scope is at the document level. They do intend to work towards the element level in the future, though.
The “fair use” scenario is, I’ll agree, badly stated. I believe the intent was to model the work that Sun and the Open Media Commons folks are doing with the people at Creative Commons to have enforced and unenforced rights enumerated along with the document/work so encumbered.
-dave
Thanks, Dave. These clarifications make good sense. The tie-in with the Creative Commons to protect the “some rights reserved” as determined by the copyright holder would be welcome.
One snag I stumbled across via Newsforge. The Creative Commons license states:
Not sure how any kind of DRM can get around this restriction.