Collaboration

Tech Tip: See how digital rights management is changing information security

Find out how digital rights management is changing information security.

By Jonathan Yarden

Long before PCs and the World Wide Web became part of our daily vocabulary, the issue of the "appropriate use" of copyrighted material led to legal battles that continue to this day. At the heart of the issue is the question of who's ultimately responsible for the misuse of copyrighted material.

In 1984, the U.S. Supreme Court ruled in favor of Sony Corporation in a landmark case regarding videocassette recorders and copyright infringement. The ruling basically asserted that manufacturing a device or system that someone can use for duplication and distribution of copyrighted material doesn't imply that someone will in fact use it illegally.

At the time, digital media formats were just emerging, and it's doubtful that anyone could have anticipated the eventual impact of the Internet. But the ramifications of this decision still resonate, as evidenced by recent court battles between the entertainment industry and Internet users illegally downloading digital media.

Digital rights management (DRM) isn't only applicable to music—it applies to any digital data. The issues of Internet security apply to digital rights management, but implementation of DRM policies, both from a technical and a management viewpoint, is complex.

These present-day court battles intersect with Internet security issues for a number of reasons. Again, the primary issue is determining who is ultimately responsible for the misuse of copyrighted materials. Peer-to-peer (P2P) software developers argue that the 1984 ruling places culpability with the user.

But this isn't a simple issue, particularly when the only identifiable information about an infringement is an IP address and perhaps a filename. Corporations and Internet service providers have found themselves stuck in the middle of a fight they didn't ask for, which they have limited means to resolve.

Many corporations have no formal company policy regarding Internet usage and only act on reported problems. Of course, a reported infringement behind a corporate firewall isn't a simple matter to track down either.

This is why most companies simply block access to P2P services and leave it at that. Obviously, this method works for corporate networks to some degree—but no security is foolproof.

Organizations must enforce their Internet security policies, but they also need to better explain these policies to employees and apply them across the entire enterprise. Exceptions to Internet security policies are frequently the cause of problems.

I think the best bet for corporate networks is to block P2P services and deal with policy enforcement as it occurs. However, Internet service providers bear the brunt of DRM issues—in addition to the brunt of Internet security problems.

But establishing—and enforcing—Internet security and DRM policies is often an unpopular move with users. It's one thing for an Internet service provider to implement an acceptable use policy, but it's an entirely different matter to enforce it and continue to stay in business.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks

Free Newsletters, In your Inbox