Compliance and Robustness

Compliance and Robustness, sometimes abbreviated as C&R, refers to the legal structure or regime underlying a Digital Rights Management (DRM) system. In many cases, the C&R regime for a given DRM is provided by the same company that sells the DRM solution. For example, RealNetworks Helix or Microsoft Windows Media DRM.

However, for standardised DRM systems, it is fairly common for a separate body to be established to run the C&R regime.

C&R Body
The legal entity that establishes and maintains the regime. Usually this will be a joint venture or forum with representation from multiple companies, structured in such as way as to avoid accusations of antitrust violations. The nature of the business is that such bodies will generally be composed of manufacturers and content owners, with little or no direct representation from consumer advocates.

Trust Model
The C&R body is responsible for ensuring a chain of trust, such that the original content provider is sufficiently satisfied that their content will remain adequately secure throughout all future links in the chain. This may include export of content from one DRM system to another.

To meet this requirement, it is normal that any device planning to receive DRMed content is required to validate that it meets the C&R requirements, and this is usually done using a device certificate of some kind. The issuance of such certificates is the stamp of approval for both the manufacturer and the device.

If two devices can verify that they both have trusted certificates, they can then reasonably expect that content passed between them will remain secure.

Compliance Rules
In many cases there will be gaps, ambiguities or options left open in a DRM technical specification. The C&R regime must clarify exactly how a compliant device is to behave in these cases. For example, a compliance rule may define which other types of interfaces are acceptable on a device, something that the technical specification itself will never do.

Robustness Rules
The most controversial aspect of C&R is the agreement on how to ensure that a device is sufficiently robust at resisting attacks. These rules may require that certain elements are implemented only in hardware, or run on secure CPUs, or that the code must not be available as open source. Manufacturers then have to satisfy the C&R body that they meet this requirement before they are granted access to the certificates needed to establish their products as trusted.

"Hook IP"
One particular trick that is often used is to include some patented technology, often as part of the trust establishment mechanism. This means that anyone wanting to implement the DRM in a way that will work with others is forced to license these patents. A condition of obtaining such a license is to follow the rules of the C&R regime itself. Thus a C&R body has a 20-year window to pursue legal measures against a "rogue" implementation on the grounds of patent violation, rather than having to rely on a DMCA-style regulation provided by the relevant government. The need to license hook IP patents also impacts anyone thinking of building a product covered by the GPL.

One well-known example of a system employing such Hook IP is the DVB Common Scrambling Algorithm DVB-CSA, which though standardised by ETSI, includes patented elements that are only licensed to approved Conditional access systems vendors who agree to maintain the secrecy and integrity of the algorithm in their chip designs.

Examples

 * OMA DRM is governed by the CMLA C&R regime
 * DTCP-IP is governed by the DTLA C&R regime