How Digital Rights Management Works

Copyright Definition Highlighted in Green
Digital rights management, or DRM, is a general term used to describe any type of technology that aims to stop, or at least ease, the practice of piracy wakila / Getty Images

For much of the music industry's lifetime, piracy wasn't a serious problem. From the onset of recorded sound through the 1960s, people bought vinyl records at record stores. They could listen to them at home and at gatherings and swap them with friends, but copying them would've been a difficult and expensive endeavor. Of course, a few people made bootleg records, but they were typically collections of outtakes or live performances the record companies had little interest in releasing -- some alternate recordings of Bob Dylan songs, for instance, or a cobbled-together version of the Beach Boys' album "SMiLE" that had yet to see the light of day.

The advent of magnetic tape as a recording medium began to change things, primarily after blank microcassettes went on sale. Some recording industry executives took issue with people duplicating cassette tapes, but soon they had bigger problems to worry about -- especially when CDs arrived and sound became digital. CD burners allowed people to rip music off of CDs and onto personal computers. Add the Internet and peer-to-peer sites (P2P) to the equation, and record executives really started to worry. People were suddenly able to duplicate and share music with an almost unlimited number of users over the Internet, giving many the chance to download songs, albums, even entire discographies without paying a dime. With the value of music changing so rapidly, how would the music industry react?


Soon, record companies began selling "special" music CDs to consumers who thought they were getting ordinary compact discs. When people played these CDs on their computers, what happened in many cases was the equivalent of a spyware nightmare: Programs froze up, applications slowed and a series of hidden files that were the source of the problem proved to be nearly impossible to uninstall. Why would a company do this to its customers?

The answer comes down to copyright. The digital revolution that has empowered consumers to use digital content in new and innovative ways has also made it nearly impossible for copyright holders to control the distribution of their property. It's not just music, but film, video games and any other media that can be digitized and passed around. Digital rights management, or DRM, is a general term used to describe any type of technology that aims to stop, or at least ease, the practice of piracy. In this article, we'll find out what DRM is, how copyright holders are implementing the concept and what the future holds for digital content control.

What Is DRM?

Digital rights management is a far-reaching term that refers to any scheme that controls access to copyrighted material using technological means. In essence, DRM removes usage control from the person in possession of digital content and puts it in the hands of a computer program. The applications and methods are endless -- here are just a few examples of digital rights management:

  • A company sets its servers to block the forwarding of sensitive e-mail.
  • An e-book server restricts access to, copying of and printing of material based on constraints set by the copyright holder of the content.
  • A movie studio includes software on its DVDs that limits the number of copies a user can make to two.
  • A music label releases titles on a type of CD that includes bits of information intended to confuse ripping software.

While many consumers see DRM methods as overly restrictive -- especially those methods employed by the movie and music industries -- digital rights management is nonetheless trying to solve a legitimate problem. The distribution of digital content over the Internet via file-sharing networks has made traditional copyright law obsolete in practice. Every time someone downloads an MP3 file of a copyrighted song from a free file-sharing network instead of buying the CD, the music label that owns the copyright and the artist who created the song lose money. In the case of the movie industry, some estimates place revenue losses from illegal distribution of DVD content at around $5 billion a year. The nature of the Internet makes it impractical to try to sue every person who breaks the law in this way, so companies are trying to regain control of distribution by making it technologically impossible for consumers to make digital copies.


The problem is that when you buy a DVD, it's perfectly legal for you to make a copy of it for your own use. This is the gist of the fair use doctrine in copyright law -- there are certain situations that negate copyright protection in favor of the content user, including copying protected material for personal use and copying anything in the public domain for any use. Most digital rights management schemes cannot take fair use into account, because a computer program cannot make subjective decisions.

Before we get further into the DRM controversy, let's take a step back and find out what a DRM scheme entails from a programming standpoint.

DRM Framework

The ideal DRM system is flexible, entirely transparent to the user and pretty complex stuff for a computer program to crack. First-generation DRM software sought merely to control copying. Second-generation DRM schemes, on the other hand, seek to control viewing, copying, printing, altering and everything else you can possibly do with digital content.

A digital rights management scheme operates on three levels: establishing a copyright for a piece of content, managing the distribution of that copyrighted content and controlling what a consumer can do with that content once it has been distributed. To accomplish this level of control, a DRM program has to effectively define and describe three entities -- the user, the content and the usage rights -- and the relationship between them.


Let's take the example of a simple DRM scheme for an MP3-download site. Jane Doe logs on to a site to which she subscribes in order to download Lauryn Hill's "Everything is Everything." Jane's subscription level entitles her to five downloads per month. In this case, the user is Jane Doe, and the content is Lauryn Hill's "Everything is Everything." Identifying the user and the content are fairly simple tasks. Jane probably has a customer ID number, and each MP3 file on the site probably has a product number associated with it. The harder part is identifying the rights -- the ways in which Jane is and is not allowed to use "Everything is Everything." Can she download it, or has she already downloaded her five files for the month? Can she copy it, or is she downloading an encrypted file and a corresponding key? Can she excerpt a piece of the song to use in her own audio-mixing software, or is the file locked? Usage rights include not only permissions and constraints, but also any obligations related to the transaction -- for example, does Jane need to pay extra for this download? Has Jane been promised a savings pass if she downloads this song? This would be included in the relationship between Jane, the song and the rights.

DRM Technology

Let's say Jane has only downloaded three files so far this month, so this download is within her subscription rights. And let's say she received a promotional offer for $1 off next month's subscription fee if she downloads this song. Jane should be able to copy the file under fair use, but maybe she can only make three copies. And let's say the copyright holder denies anyone the right to excerpt its digital content. The DRM structure for this download might look something like this:

­Keep in mind that while the user status stays the same each time Jane logs on to the site, the relationship between the user, the content and the rights can change. The DRM scheme must be able to adapt to changing conditions. If Jane increases her subscription level to one that allows unlimited downloads instead of only five downloads per month, the DRM software has to adjust to that new relationship. The DRM scheme has to be tied in to the Web site's technology so it can adjust the relationship on the fly. This is one reason why seamless DRM setups are difficult to implement: With no standards to go on, digital rights management software doesn't easily blend in with existing e-commerce tools. Still, arguably the easiest transaction to control is a download from a Web site. The hard part is controlling what a user does with digital content once it's in his or her possession. How is the download site going to enforce Jane's usage rights? How do they know she's only going to make two copies of the file? This is where DRM can get sticky.If you're a big media company trying to keep people from copying electronic material, it's not hard to do.


Companies like ContentGuard, Digimarc, InterTrust and Macrovision sell automated "DRM solutions" that include everything you need to set up a DRM scheme. ContentGuard's complete DRM toolkit lets copyright holders create and enforce licenses for their digital products and services, including everything from movie downloads to software use to Web-site access. The RightsExpress software uses the MPEG REL rights-expression language and guides the copyright holder through the process of defining a piece of content, defining a user and defining usage rights. The copyright holder can set access levels and encryption modes for the content, create a custom interface that lets users obtain content based on those settings, develop an enforcement model that verifies user identification and track the use of that content.

DRM Protection

It's a pretty simple thing to allow Jane to copy "Everything is Everything" only twice. Computers understand "2." But they don't understand Jane when she says "I've already copied it to my MP3 player and my laptop, but I got a new desktop computer and I need to transfer it again!"

"Fair use" is not necessarily something that's easily determined. Many companies have taken desperate measures to "plug the hole" of digital content flowing over the Internet, eliminating any right on the part of the consumer to make decisions regarding the content he or she has purchased. To many, more recent DRM schemes have crossed the line from copy protection to hog-tying the user.


A common DRM encryption scheme provides an encryption key that works forever. In this case, the key must be tied to the ID number of the user's machine. The key will only decode the file when it's accessed from the computer it was originally installed on. Otherwise, the user could simply forward the key along with the encrypted software to everyone he knows.

Some products, like those protected by Macrovision SafeCast or Microsoft Product Activation, use a Web-based permission scheme to prevent illegal use of the content. When a user installs the software, his computer contacts a license-verification server to get permission (the access key) to install and run a program. If the user's computer is the first to request permission to install this particular piece of software, the server returns the key. If the user gives the software to his friend and the friend tries to install it, the server will deny access. In this type of scheme, a user typically has to contact the content provider to get permission to install the software on another machine.

A less common DRM method is the digital watermark. The FCC is trying to require a "broadcast flag" that lets a digital video recorder know if it's allowed to record a program or not. The flag is a piece of code sent out with a digital video signal. If the broadcast flag says a program is protected, a DVR or DVD recorder won't be able to record it. This DRM proposal is one of more disruptive ones out there, because it requires media and equipment that can read the broadcast flag. This is where Philips' Video Content Protection System (VCPS) format comes in. The VCPS technology reads the FCC broadcast flag and determines whether or not a device can record a program. A disc with unprotected video can play on any DVD player, but video with a broadcast flag will only record and play on VCPS-prepared players.

The DRM-provider Macrovision used an interesting approach in one of its recent DVD-protection products. Instead of making a DVD uncopyable, Macrovision RipGuard exploits glitches in DVD ripping software to prevent copying. It's a piece of code in the software on a DVD, and its purpose is to confuse the code known as DeCSS, a small program that allows software to read and rip encrypted DVDs. Macrovision programmers studied DeCSS to discover its flaws and then built RipGuard to trigger those flaws and shut down the copying process. DVD consumers have already found ways around RipGuard, though, mostly by using ripping software that doesn't employ DeCSS or by tweaking the code in DeCSS-based rippers. The Digital Millennium Copyright Act of 1998 makes disabling a DRM system illegal in the United States, but many people actively seek and publish methods to bypass DRM restrictions.

DRM Controversy

The DRM controversy stems from software implemented by Sony-BMG.
The DRM controversy stems from software implemented by Sony-BMG.

Recent DRM schemes have set up an adversarial relationship between digital-content providers and digital-content consumers, and it's not only the consumers who are employing sneaky techniques to get the upper hand. Over the years, several controversies involving DRM technology have surfaced.

In 2005, for instance, Sony BMG distributed select CDs (one estimate puts the number of titles at 20) that led to lawsuits, backtracking and a public-relations nightmare. The problem stemmed from two pieces of software on the CDs: SunnComm's MediaMax and First4Internet's Extended Copy Protection (XCP). The incident has raised questions regarding just how far copyright holders are allowed to go to protect their content. In this case, copy protection was the least of people's concerns.


In the first place, the MediaMax software doesn't protect a copyright at all. It tracks users' activities. Every time someone plays the CD on his or her PC, MediaMax sends a message to the SunnComm server. Sony-BMG can find out who's listening to the CD and how often they listen to it. And this happens behind the scenes -- there are no obvious signs of the activity or disclaimers on the CD. To make matters worse, there's no easy way to uninstall it.

The other problem is a bigger one. First4Internet's Extended Copy Protection limits the number of copies a person can make of the CD to three -- this might be annoying, but it's arguably within the "copyright protection" realm. The XCP uproar is primarily about the software's other activities. First, it hides in the user's machine so the user doesn't know it's there and probably can't find it if he or she looks. It creates a hidden area (sometimes called a rootkit) in the Windows operating system that could potentially pose a security risk once virus writers find out it's there. A virus could live there undetected indefinitely. Virus scanners typically can't see the files in a rootkit. XCP also slows computing processes and automatically connects to the Sony-BMG server to install copy-protection updates. And there's no easy way to uninstall it. Some users had to reformat their hard drive to get rid of the files and their negative effects.

Sony recalled the millions of discs with this DRM software combination built in and has agreed to issue tools that make the hidden files visible. Sony, along with the rest the major labels, essentially have given up on DRM [source: Holahan].

DRM hasn't disappeared forever, though, and it continues cause problems for businesses and consumers alike. The hotly anticipated computer game "Spore," released by Electronic Arts (EA) in 2008, came with what many players considered an intrusive and difficult-to-remove DRM system known as SecuROM. The technology limited gamers who bought "Spore" with three installations -- anything more than that required contacting EA's customer service and providing proof of purchase, reasons for exceeding install limits and other information. EA eventually loosened up the restrictions on the game's DRM, but they were still hit with several lawsuits soon after the release date [source: Kuchera].

Apple and its customers have also sparred concerning downloading movies from iTunes, the company's download service. With very little press concerning any type of DRM, Apple released new models of their personal laptops, the Macbook, in October 2008. These Macbooks were installed with High-bandwidth Digital Content Protection (HDCP), a copy protection scheme developed by Intel. Without being aware of the technology, many customers who purchased Macbooks and tried to play movies downloaded from iTunes on external monitors hooked up to their laptops were unable to watch anything. HDCP blocks any movies from playing on analog devices in order to stop pirates from recording content onto copying software, but many customers who purchased content found they couldn't display movies on external monitors hooked up to their computers -- forcing them to watch on their Macbook screens [source: Chen].

DRM Standards

There are no industry-wide standards for DRM. At this point, many companies in the digital entertainment sector are opting for the crude, "because I said so" approach in which users can't copy, print, alter or transfer material, period. The area of most concern to activists regarding DRM has to do with the fact that current DRM trends surpass the protections afforded under traditional copyright law. For example, when you play a DVD that won't let you skip the trailers, that has nothing to do with protecting a copyright. Even more than consumers, though, libraries and educational institutions that archive and lend digital content have a lot to lose if highly restrictive DRM software becomes the norm. A library can't archive a piece of software with a time-limited encryption key, and it can't lend out a machine-specific license for viewing content using its traditional lending structure.

The arguments against digital rights management discuss issues like user privacy, technological innovation and fair use. Under copyright law, the fair use doctrine gives a consumer the right to make copies of copyrighted content for their own use. Other doctrines like "first sale," the right of a content purchaser to resell or give away the content he's purchased, and "limited term," the expiration of a copyright after a certain period of time, also afford consumers rights that fall by the wayside in DRM implementation. As we saw in the case of Sony-BMG , secretly tracking consumer activities and hiding files on a user's computer invades user privacy -- they're the methods of a spyware application, not a legitimate rights management scheme. DRM systems can also affect technological innovation as it limits the use and form of digital content. Third-party vendors can't develop software-specific products and plug-ins if the computer code in that software is indefinitely protected by DRM, and consumers can't legally tinker with their own hardware if it's protected by a DRM scheme that prohibits alteration.


As Professor Ed Felten of Princeton University discovered, DRM affects not only technological freedom of development, but also freedom of speech. When Felten tried to publish an article on a faulty DRM system in 2001, members of the music industry threatened him with lawsuits. Several companies said that his research would assist people in bypassing DRM schemes, which is illegal in the United States. The Digital Millennium Copyright Act of 1998 (DCMA) ensures the protection of a DRM scheme regardless of whether or not it respects the fair use doctrine. It's not only illegal to get around DRM, but it's also illegal to create, purchase or download any product that enables you to bypass DRM restrictions. Consumer rights' groups are lobbying Congress to amend the section of the Digital Millennium Copyright Act that makes disabling a DRM system against the law, claiming that it gives an improper advantage to copyright holders by not placing limits on the type of DRM schemes they can employ. In essence, according to some, the DCMA encourages anti-competitiveness and makes it increasingly difficult for consumers to easily enjoy their entertainment [source: Lee].

In the increasingly embattled realm of digital content, we're left to wonder whether any DRM system can satisfy both copyright holders and consumers. As DRM becomes standardized across industries, the result will be what experts call "trusted computing." In this setup, DRM methods will ensure the protection of copyrighted content along each step of the way, from the production or upload process to the purchase or download to the use of the digital content once it's in the user's hands. Computers will know automatically what a user is legally allowed to do with a piece of content and will act accordingly. With the adoption of standards, consumers will be better off at least in part, because DRM-encoded media will play on all types of equipment. As far as user rights go, however, it doesn't look good for consumers. Their best bet is the chance that programmers will somehow quantify "fair use" so that computers can understand the concept.

For more information on digital rights management and related topics, take a look at the links on the next page.

Lots More Information

Related HowStuffWorks Articles

More Great Links


  • Chen, Brian. "Apple bends to studios, adds copyright protection to Macbooks." WIRED. Nov. 17, 2008. (Nov. 16, 2008)
  • ContentGuard RightsExpress
  • Coyle, Karen. "The Technology of Rights: Digital Rights Management."
  • DeCSS Central.
  • Delahunty, James. "Ricoh offers VCPS capable blank DVD media." July 2007, 2008. (Nov. 21, 2008)
  • "Digital Rights Management and Libraries." American Library Association.
  • "DRM Features." Giant Steps.
  • "French court bans DVD DRM." TheRegister.
  • Holahan, Catherine. "Sony BMG plans to drop DRM." BusinessWeek. Jan. 4, 2008. (Nov. 16, 2008)
  • Iannella, Renato. "Digital Rights Management Architectures." D-Lib Magazine.
  • Kuchera, Ben. "Gamers fight back against lackluster Spore gameplay, bad DRM." Ars Technica. Sept. 8, 2008. (Nov. 16, 2008)
  • Kuchera, Ben. "EA relents, changes Spore DRM. Too little, too late?" Ars Technica. Sept. 19, 2008. (Nov. 16, 2008)
  • Lee, Timothy. "Circumventing competition: the perverse consequences of the Digital Millennium Copyright Act." CATO Institute. March 21, 2006. (Nov. 16, 2008)
  • Macrovision ­DVD Products.
  • "Music Man Cracks DRM Schemes." Wired News.,1282,69763,00.html?tw=wn_story_top5
  • "Sony BMG Litigation Info." EEF.
  • "Tech heavies support challenge to copyright law." CNET
  • "Week 3 of the SonyBMG/First4Internet Debacle: The Fallout Continues." DRM Watch.
  • "Video Content Protection System." Philips.
  • "What Does DRM Really Mean?" PC Magazine.,4149,942369,00.asp