The Digital Media Project

 

Source: Martin Springer

Title: TRU #75 to choose security

No.: 040312springer01r1

Name: Martin Springer

Affiliation/additional information: Active Contributor, Luebeck, Germany

Date submitted: 2004/03/12

 

# / Criteria / Description

1. Name of TRU

TRU to choose security

2. Summary description of TRU

To choose a system on which enough trust can be put to use it together with sensitive information [1].

3. Use records of TRU

Security is a property assigned to IED and IDP hardware and software.

Throughout history people could (more or less) choose the systems they use together with sensitive information:

  • To be sure that nobody can access their private data (e.g. private photos), users can encrypt the data using a system of their choice.
  • If two users want to keep their conversation (e.g. by e-mail or by phone) secret, they can choose a trusted system.
  • If a group of users needs to collaborate (e.g. business people exchanging data), the users are able to agree on a trusted system and choose the necessary security.

In these use records the TRU to choose the security bears only on the users' trust in the system. The TRU does not depend on the question of who owns the rights to the content for which the system is used, nor does it matter whether the content is analog or digital. If the users no longer trust the system, they can change it (e.g. use different hardware, different software, a different encryption algorithm, ...).

Since the advent of digital media (e.g. DVD, Pay-TV) there is a restriction on who can choose the security.

  • The DVD-CCA [2] prescribes its security solution to DVD content producers and device manufacturers.
  • Digital Pay-TV service providers prescribe their security (e.g. Conditional Access systems) to broadcasters, device manufacturers and paying subscribers.

These use records show that only certain media users can choose the security. Users who do not trust the system are not able to change it (e.g. use different hardware, different software, a different encryption algorithm, ...). This can be qualified by the "take it or leave it" aspect: users can reject the system, but they cannot alter how it is configured.

4. Nature of TRU

Customary TRU, supported by competition law

5. Benefits of TRU

The benefit for users is obvious: the ability to choose security is a pre-condition for the free flow of information, freedom of choice for consumers, media pluralism and cultural diversity. The media user's independence from the security used for content usage accounts for competition and economic growth in the media industry.

Security imposed upon media users by certain players (e.g. content providers, service providers) raises interesting questions:

  • Can media users who have no choice of security trust service providers not to misuse their private data?
  • Can media users who have no choice of security be liable [3] for copyright infringements caused by broken security on their systems?

6. Possible digital support

  • Conditional access systems
  • Content encryption systems
  • DRM solutions

7. Requirements

  • The user shall be able to transfer security-relevant information (e.g. cryptographic keys needed for user identification and for the usage of applications and services) from one device to another (also in the case of a defective device).
  • Specifications shall not create market entry barriers for service providers or industry sectors.
  • Specifications shall be independent of the requirements of a particular hardware or software and shall not be used to exclude certain platforms or solutions.
  • DRM solutions shall be system-open so that the effort for implementation on different hardware platforms is comparable.
  • The patent policy shall not be used to exclude competitors (e.g. by unreasonable license fees).
  • The patent policy should find arrangements for Open Source projects (e.g. exemption from patent license fees for non-commercial Open Source projects).

8. References

[1] - Tomas Olovsson quoted in "Computer Security: A Practical Definition"
[2] - DVD Copy Control Association
[3] - Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures and procedures to ensure the enforcement of intellectual property rights