| |
 |
|||||||
|
|
5
Protecting Digital Intellectual Property: Means and Measurements
Recent years have seen the exploration of many technical mechanisms intended to protect intellectual property (IP) in digital form, along with attempts to develop commercial products and services based on those mechanisms. This chapter begins with a review of IP protection technology, explaining the technology's capabilities and limitations and exploring the consequences these capabilities may have for the distribution of and access to IP. Appendix E presents additional technical detail, attempting to demystify the technology and providing an introduction to the large body of written material on this subject. This chapter also addresses the role of business models in protecting IP. Protection is typically conceived of in legal and technical terms, determined by what the law permits and what technology can enforce. Business models add a third, powerful element to the mix, one that can serve as an effective means of making more digital content available in new ways and that can be an effective deterrent to illegitimate uses of IP. The chapter also considers the question of large-scale commercial infringement, often referred to as piracy. It discusses the nature of the data concerning the rates of commercial infringement and offers suggestions for improving the reported information. The chapter concludes with a discussion of the increasing use of patents to protect information innovations such as software and Internet business models, and explores the question of whether the patent system is an appropriate mechanism to protect these innovations.
TECHNICAL PROTECTION
The evolution of technology is challenging the status quo of IP management in many ways. This section and Appendix E focus on technical protection services (TPSs) that may be able to assist in controlling the distribution of digital intellectual property on the Internet.1 The focus here is on how technical tools can assist in meeting the objectives stated throughout the report, as well as what they cannot do and what must therefore be sought elsewhere. Appendix E explores how the tools work, details what each kind of tool brings to bear on the challenges described throughout the report, and projects the expected development and deployment for each tool. For ease of exposition, the presentation in this chapter is framed in terms of protecting individual objects (texts, music albums, movies, and so on); however, many of the issues raised are applicable to collections (e.g., libraries and databases),2 and many of the techniques discussed are relevant to them as well. A number of general points are important to keep in mind about TPSs:
Here (and in more detail in Appendix E) the committee provides a layman's description of the most important technical protection mechanisms, suggesting how each can be fit into an overall protection scheme, describing the limitations of each, and sketching current research directions. There are several classes of mechanisms:
For effective protection, the developer of an IP-delivery service must choose the right ingredients and attempt to weave them together into an end-to-end technical protection system. The term "end-to-end" emphasizes the maintenance of control over the content at all times; the term "protection system" emphasizes the need to combine various services so that they work together as seamlessly as possible. Protecting intellectual property is a variant of computing and communications security, an area of study that has long been pursued both in research laboratories and for real-world application. Security is currently enjoying renewed emphasis because of its relevance to conducting business online.3 While security technology encompasses a very large area, this discussion is limited to describing generally applicable principles and those technical topics relevant to the management of intellectual property.4 As cryptography is an underpinning for many of the other tools discussed, the following section begins with a brief explanation of this technology.5 Next, the techniques that help manage IP within general-purpose computers are described. Finally the discussion turns to technology that can help in consumer electronics and other special-purpose devices.6
Encryption: An Underpinning Technology for Technical Protection Service Components
Cryptography is a crucial enabling technology for IP management. The goal of encryption is to scramble objects so that they are not understandable or usable until they are unscrambled. The technical terms for scrambling and unscrambling are "encrypting" and "decrypting." Encryption facilitates IP management by protecting content against disclosure or modification both during transmission and while it is stored. If content is encrypted effectively, copying the files is nearly useless because there is no access to the content without the decryption key. Software available off the shelf provides encryption that is for all practical purposes unbreakable, although much of the encrypting software in use today is somewhat less robust. Many commercial IP management strategies plan a central role for what is called "symmetric-key" encryption, so called because the same key is used both to encrypt and decrypt the content. Each object (e.g., movie, song, text, graphic, software application) is encrypted by the distributor with a key unique to that object; the encrypted object can then be distributed, perhaps widely (e.g., placed on a Web site). The object's key is given only to appropriate recipients (e.g., paying customers), typically via a different, more secure route, perhaps one that relies on special hardware. One example of an existing service using encryption in this way is pay-per-view television. A program can be encrypted with a key and the key distributed to paying customers only. (The special hardware for key distribution is in the set-top box.) The encrypted program can then safely be broadcast over public airwaves. Someone who has not paid and does not have the key may intercept the broadcast but will not be able to view it. There is, of course, an interesting circularity in symmetric-key encryption. The way to keep a message secret is to encrypt it, but then you also have to send the decryption key so the message recipient can decrypt the message. You have to keep the key from being intercepted while it is being transmitted, but if you have a way to do that, why not use that method to send the original message? One answer is hinted at above: speed. The key (a short collection of digits) is far smaller than the thing being encrypted (e.g., the television program), so the key distribution mechanism can use a more elaborate, more secure, and probably slower transmission route, one that would not be practical for encrypting the entire program.7 Another answer has arisen in the past 20 years that gets around the conundrum--a technique called public-key cryptography.8 This technique uses two different keys--a public key and a private key--chosen so that they have a remarkable property: Any message encrypted with the public key can be decrypted only by using the corresponding private key; once the text is encrypted, even the public key used to encrypt it cannot be used to decrypt it. The idea is to keep one of these keys private and publish the other one; private keys are kept private by individuals, while public keys are published, perhaps in an online directory, so that anyone can find them. If you want to send a secret message, you encrypt the message with the recipient's public key. Once that is done, only the recipient, who knows the corresponding private key, can decrypt the message. Software is widely available to generate key pairs that have this property, so individuals can generate key pairs, publish their public keys, and keep their private keys private. As public-key encryption is typically considerably slower (in terms of computer processing) than symmetric-key encryption, a common technique for security uses them both: Symmetric-key encryption is used to encrypt the message, then public-key encryption is used to transmit the decryption key to the recipient. A wide variety of other interesting capabilities is made possible by public-key systems, including ways to "sign" a digital file, in effect providing a digital signature. As long as the signing key has remained private, that signature could only have come from the key's owner. These additional capabilities are described in Appendix E. Any encryption system must be designed and built very carefully, as there are numerous and sometimes very subtle ways in which information can be captured. Among the more obvious is breaking the code: If the encryption is not powerful enough, mathematical techniques can be used to decrypt the message even without the key. If the key-distribution protocol is flawed, an unauthorized person may be able to obtain the key via either high technology (e.g., wiretapping) or "social engineering" (e.g., convincing someone with access to the key to supply it, a widely used approach). If the system used to read the decrypted information is not designed carefully, the decrypted information may be left accessible (e.g., in a temporary file) after it has been displayed to the user. The point to keep in mind is that cryptography is no magic bullet; using it effectively requires both considerable engineering expertise and attention to social and cultural factors (e.g., providing incentives for people to keep messages secret).9
Access Control in Bounded Communities
Perhaps the most fundamental form of technology for the protection of intellectual property is controlling access to information (i.e., determining whether the requester is permitted to access the information). A basic form of such control has been a part of the world of operating systems software almost from the time operating systems were first implemented, offering limited but useful security. In its simplest form, an access control system keeps track of the identity of each member of the user community, the identities of the data objects, and the privileges (reading, altering, executing, and so on) that each user has for each object. The system consults this information whenever it receives a service request and either grants or denies the request depending on what the privilege indicates. Existing access control, however, offers only a part of what is needed for dealing with collections of intellectual property. Such systems have typically been used to control access to information for only relatively short periods such as a few years, using only a few simple access criteria (e.g., read, alter, execute), and for objects whose owners are themselves users and who are often close at hand whenever a problem or question arises. In contrast, access control systems for intellectual property must deal with time periods as long as a century or more and must handle the sometimes complex conditions of access and use. A sizable collection--as indeed a digital library will be--also needs capabilities for dealing with hundreds or thousands of documents and large communities of users (e.g., a college campus or the users of a large urban library). Such systems will thus need to record the terms and conditions of access to materials for decades or longer and make this information accessible to administrators and to end users in ways that allow access to be negotiated. This raises interesting questions of user authentication: For example, is the requester who he says he is? Does he have a valid library card? It also raises issues of database maintenance: For example, collections change, rights holders change, and the user community changes as library cards expire. Many other questions must be addressed as well so that systems work at the scale of operation anticipated. Some work along these lines has been done (e.g., Alrashid et al., 1998), but a considerable amount of development work is still needed. Some attempts have also been made to represent in machine-readable form the complex conditions that can be attached to intellectual property. This is the focus of what have been called rights management languages, which attempt to provide flexible and powerful languages in which to specify those conditions.10 DPRL (Ramanujapuram, 1998), for example, attempts to offer a vocabulary in which a wide variety of rights management terms and conditions can be specified. An important characteristic of these languages is that they are machine-readable (i.e., the conditions can be interpreted by a program that can then grant or deny the desired use). This is superficially the same as a traditional operating system, but the conditions of access and use may be far more complex than the traditional notions used in operating systems. In addition, as will be shown below, these languages are quite useful outside the context of bounded communities. Finally, although large-scale systems have yet to be deployed, rights management language design is not perceived as a roadblock to more robust TPSs.
Enforcement of Access and Use Control in Open Communities
Access control systems of the sort outlined above can be effective where the central issue is specifying and enforcing access to information, as is typically true in bounded communities represented by, for example, a single corporation or a college campus. In such communities much greater emphasis is placed on questions of original access to information than on questions of what is done with the information once it is in the hands of the user. The user is presumed to be motivated (e.g., by social pressure or community sanctions) to obey the rules of use specified by the rights management information. A larger problem arises when information is made accessible to an unbounded community, as it is routinely on the Web. The user cannot in general be presumed to obey rules of use (e.g., copyright restrictions on reproduction); therefore, technical mechanisms capable of enforcing such rules are likely to be needed. A variety of approaches has been explored. The simpler measures include techniques for posting documents that are easily viewed but not easily captured when using existing browsers. One way to do this uses Java routines to display content rather than the standard HTML display. This gives a degree of control over content use because the display can be done without making available the standard operating system copy-and-paste or printing options. A slightly more sophisticated technique is to use a special format for the information and distribute a browser plug-in that can view the information but isn't capable of writing it to the disk, printing, and so on. Knowledgeable users can often find ways around these techniques, but ordinary users may well be deterred from using the content in ways the rights holder wishes to discourage. There are also a number of increasingly complex techniques for controlling content use that are motivated by the observation made earlier, that digital IP liberates content from medium--the information is no longer attached to anything physical. When it is attached to something physical, as in, say, books or paintings, the effort and expense of reproducing the physical object offers a barrier to reproduction. Much of our history of and comfort with intellectual property restrictions is based on the familiar properties of information bound to physical substrates. Not surprisingly, then, some technical protection mechanisms seek to restore these properties by somehow "reattaching" the bits to something physical, something not easily reproduced. The description that follows draws on features of several such mechanisms as a way of characterizing this overall approach. Encryption is a fundamental tool in this task. At a minimum, encryption requires that the consumer get a decryption key, without which a copy of the encrypted content is useless. Buy a digital song, for example, and you get both an encrypted file and a password for decrypting and playing the song. But this approach secures only the original access to the content and its transit to the consumer. Two additional problems immediately become apparent. First, the content is still not "attached" to anything physical, so the consumer who wished to do so could pass along (or sell) to others both the encrypted content and the decryption key. Second, the consumer could use the key to decrypt the content, save the decrypted version in a file, and pass that file along to others. There are several ways to deal with the first problem that involve "anchoring" the content to a single machine or single user. One technique is to encode the identity of the purchaser in the decryption key, making it possible to trace shared keys back to their source. This provides a social disincentive to redistribution.11 A second technique is for the key to encode some things about the identity of one particular computer, such as the serial number of the primary hard drive, or other things that are unlikely to change.12 The decryption software then checks for these attributes before it will decrypt the content. A third technique calls for special hardware in the computer to hold a unique identifier that can be used as part of the decryption key. Some approaches call for this hardware to be encased in tamper-resistant cases, to discourage tampering even by those with the skill to modify hardware. One form of tamper resistance involves erasing the key if any attempt is made to open or manipulate the chip containing it. Whatever the approach, the intended result is the same--the content can be decrypted only on the machine for which the decryption has been authorized. But even this protection alone is not sufficient, because it is not persistent. The consumer may legally purchase content and legally decrypt it on her machine, then (perhaps illegally) pass that on to others who may be able to use the information on their machines. The final technological step is to reduce the opportunities for this to happen. Two basic elements are required: (1) just-in-time and on-site encrypting and (2) close control of the input/output properties of the machine that will display the content. Decrypting just in time and on site means that the content is not decrypted until just before it is used, no temporary copies are ever stored, and the information is decrypted as physically close to the usage site as possible. An encrypted file containing a music album, for instance, would not be entirely decrypted and then played, because a sophisticated programmer might find a way to capture the temporary decrypted file. Instead, the file is decrypted "on the fly" (i.e., as each digital sample is decrypted, it is sent to the sound-generation hardware), reducing the ease with which the decrypted sample can be captured. On-site decryption involves placing the decryption hardware and the sound-generation hardware as physically close as possible, minimizing the opportunity to capture the decrypted content as it passes from one place to another inside (or outside) the computer.13 Some playback devices are difficult to place physically near the computer's decryption hardware. For example, digital camcorders, digital VCRs, digital video disk (DVD) movie players, and so on all require cables to connect them to the computer, which means wires for interconnection, and wires offer the possibility for wiretapping the signal. One approach to maintaining on-site decryption for peripheral devices is illustrated by the Digital Transmission Content Protection (DTCP) standard, an evolving standard developed through a collaboration of Hitachi, Intel, Matsushita, Sony, and Toshiba (see Box 5.1). The computer and the peripheral need to communicate to establish that each is a device authorized to receive a decryption key. The key is then exchanged in a form that makes it difficult to intercept, and the content is transmitted over the wire in encrypted form. The peripheral device then does its own on-site decryption. This allows the computer and peripheral to share content yet provides a strong degree of protection while the information is in transit to the decryption site.
But even given just-in-time and on-site decryption, a sophisticated programmer might be able to insert instructions that wrote each decrypted unit of content (e.g., a music sample) to a file just before it was used (in this case sent to the sound-generation hardware). Hence, the second basic element in providing persistent encryption is to take control of some of the routine input and output (I/O) capabilities of the computer. There are a number of different ways to attempt this, depending partially on the degree to which the content delivery system is intended to work on existing hardware and software. The largest (current) market is of course for PCs running off-the-shelf operating systems (such as Windows, Mac, and Linux). In that case the content delivery system must use the I/O routines of the existing operating system. The difficulty here is that these routines were not designed to hide the information they are processing. As a result, using an existing operating system opens another door to capturing the decrypted content. Content delivery systems that wish to work in the environment of such operating systems attempt, through clever programming, to reduce the opportunities to capture the decrypted information while the operating system is performing output. But given existing operating systems, abundant opportunities still exist for a sophisticated programmer. More complex proposals call for replacing parts of, or even the entire, operating system, possibly right down to the BIOS, the basic input/output routines embedded in read-only memory in the computer hardware. Such computers would instead use specially written routines that will not read or write without checking with the decryption hardware on the computer to ensure that the operation is permitted under the conditions of use of the content. This more ambitious approach faces the substantial problem of requiring not only the development of a new and complex operating system but the widespread replacement of the existing installed base as well. This clearly raises the real possibility of rejection by consumers. The final problem is the ultimate delivery of the information: Music must be played, text and images displayed, and so on. This presents one final, unavoidable opportunity for the user to capture the information. The sophisticated owner of a general-purpose computer can find ways to copy what appears on the screen (e.g., screen capture utilities) or what goes into the speakers (connect an analog-to-digital converter to the speaker wires). As is usual in such matters, the expectation is that this will be tedious enough (capturing a long document screenful by screenful), complex enough (hooking up the converter), or of sufficiently low quality (the captured speaker signal is not identical to the digital original) that all but the most dedicated of thieves will see it as not worth the effort. Nevertheless, those who place substantial faith in elaborate TPSs should keep in mind the necessity of presenting information to the user and the opportunity this provides for capture. More generally, because all protection mechanisms can eventually be defeated at the source (e.g., as it was with a2b encoding and Windows Media; see Chapter 2), the key questions concern trade-offs of cost and effectiveness. A good mechanism is one that provides the degree of disincentive desired to discourage theft but remains inexpensive enough so that it doesn't greatly reduce consumer demand for the product. A good deal more real-world experience is needed before both vendors and consumers can identify the appropriate trade-offs. Currently, any system aiming to provide substantial technical protection will rely on encryption, anchoring the bits to a specific machine, and making encryption persistent through just-in-time decryption and low-level control of I/O. Systems using one or more of these ideas are commercially available, and others are under active development. Music delivery systems such as AT&T's a2b and Liquid Audio's Liquid Player, for example, are commercially available. InterTrust, IBM, and Xerox are marketing wide-ranging sets of software products aimed at providing persistent protection for many kinds of content.14 Similar efforts currently under development include the Secure Digital Music Initiative (discussed in Chapter 2) aimed at providing a standard for protecting music.
Copy Detection in Open Communities: Marking and Monitoring
When a valuable digital object is not encrypted and is outside the sphere of control of its rights holder, the only technical means of hindering misuse is to change it in ways that discourage wrongdoing or facilitate detection. A variety of approaches have been used to accomplish these goals. One technique calls for releasing only versions of insufficient quality for the suspected misuses. Images, for example, can be posted on the Web with sufficient detail to determine whether they would be useful, for example, in an advertising layout, but with insufficient detail for reproduction in a magazine. Another technique embeds in the digital document information about ownership, allowed uses, and so on. One of the simplest and most straightforward ways to do this is by labeling the document in a standard way (so the label can be found) and in a standard vocabulary (so the terms of use may be widely understood). In its simplest format, a digital label could take the form of a logo, trademark, or warning label (e.g., "May be reproduced for noncommercial purposes only"). Labels are intended to be immediately visible and are a low-tech solution in that they are generally easily removed or changed, offering no enforcement of usage terms. Labels could, nevertheless, ease the problem of IP management, at least among the (fairly large) audience of cooperative users. Consider the utility of having every Web page carry a notice in the bottom right corner that spelled out the author's position on use of the page. Viewers would at least know what they could do with the page, without having to guess or track down the author, allowing cooperative users to behave appropriately. Getting this to work would require spreading the practice of adding such information, so that authors did it routinely, and some modest effort to develop standards addressing the kinds of things that would be useful to say in the label. There is an existing range of standard legal phrases. A second category of label attached to some digital documents is a time stamp, used to establish that a work had certain properties (e.g., its content or the identity of the copyright holder) at a particular point in time. The need for this arises from the malleability of digital information. It is simple to modify both the body of a document and the dates associated with it that are maintained by the operating system (e.g., the creation date and modification date). Digital time stamping is a technique that affixes an authoritative, cryptographically strong time stamp to digital content; the label can be used to demonstrate what the state of the content was at a given time. A third-party time-stamping service may be involved to provide a trusted source for the time used in the time stamp. Time-stamping technology is not currently widely deployed.15 Where the labels noted above are separate from the digital content, another form of marking embeds the information into the content itself. Such digital alterations are called watermarks and are analogous to watermarks manufactured into paper. An example cited earlier described how a music file might be watermarked by using a few bits of some music samples to encode ownership information and enforce usage restrictions. The digital watermark may be there in a form readily apparent, much like a copyright notice on the margin of a photograph; it may be embedded throughout the document, in the manner of documents printed on watermarked paper, or it may be embedded so that it is normally undetected and can be extracted only if you know how and where to look, as in the music example.16 Visible watermarks are useful for deterrence, invisible watermarks can aid in proving theft, and a watermark distributed through a document can by design be difficult to remove, so that it remains detectable even if only part of the document is copied. The objectives, means, and effectiveness of marking technologies depend on a number of factors. Designing an appropriate watermark means, for instance, asking what mix is desired of visibility (Should the mark be routinely visible?), security (How easy is it to modify the mark?), and robustness (What kinds of modifications, such as printing a picture and rescanning it, can the mark survive?). The nature and value of the information clearly matters. A recent hit song needs different treatment than a Mozart aria. Modality also matters. Sheet music is watermarked differently than an audio recording of a performance. Some things are difficult to watermark. Machine code for software cannot be watermarked in the same way as music, because every bit in the program matters; change one and the program may crash. Identifying information must instead be built into the source code, embedded in a way that the information gets carried into the machine code but does not adversely affect the behavior of the program.17 Watermarking digital text also presents challenges: How can, say, an online version of The Grapes of Wrath be marked to include a digital watermark, without changing the text? One trick is to change the appearance of the text. The watermark can be encoded by varying the interline and intercharacter spacing slightly from what would be expected; the variation encodes the information. Marking a document is of course only half the battle; monitoring is needed in order to detect the presence of unauthorized copies. A number of efforts have been made in this direction, many of which rely on "Web crawlers," programs that methodically search the Web looking for documents bearing a relevant watermark. An IP management system that watermarked images, for example, would also have a Web searching routine that examined publicly available image files for that system's watermarks. This is an active area of work; systems have been developed in both the commercial and academic world.18 Marking and monitoring technologies do not attempt to control users' behavior directly. In particular, they do not attempt to prevent unauthorized copy and modifications. Rather, they attempt to make these actions detectable so that rights holders can seek legal redress when infringements have been detected. Frequently their intent is simply to indicate that copying is prohibited; the utility of these technologies relies on the fact that many people are honest most of the time.
Trusted Systems
The preceding discussion of technical protection mechanisms points out that the strongest intellectual property protection requires embedding protection mechanisms throughout the computer hardware and software at all levels, right down to the BIOS. In one vision of the future, security will become a major influence on the design of computing and communications infrastructure, leading to the development and widespread adoption of hardware-based, technologically comprehensive, end-to-end systems that offer information security, and hence facilitate creation and control of digital IP. There has been some research (and a great deal of speculation and controversy) about these so-called "trusted systems," but none is in widespread use as of 1999. One example of this vision (Stefik, 1997b) seeks to enable the world of digital objects to have some of the same properties as physical objects. In these systems, when a merchant sells a digital object, the bits encoding that object would be deposited on the buyer's computer and erased from the merchant's computer. If the purchaser subsequently "loaned" this digital object, the access control and rights management systems on the lender's computer would temporarily disable the object's use on that computer while enabling use on the borrower's computer. These changes would be reversed when the object is returned by the borrower to the lender. The published literature (see, e.g., Stefik, 1997a,b) is fairly clear on what trusted systems are supposed to accomplish, but it does not spell out in technical detail how they are supposed to accomplish it. Stefik, for example, is clear on the need for some sort of hardware component (Stefik, 1997b) to supplement the Internet and PC world of today,19 but he says little about how that component would work or how it would be added to today's infrastructure. Here, we explore two general ways in which trusted systems might be implemented, then consider the barriers they face. One way to increase control over content is to deliver it into special-purpose devices designed for purchase and consumption of digital content, but not programmable in the manner of general-purpose PCs. For example, game-playing machines, digital music players, electronic books, and many other types of devices could be (and some are) built so that each one, when purchased, contains a unique identifier and appropriate decoding software. The devices could then be connected to the Web in much the same way as general-purpose computers and download content encrypted by distributors. Legitimate devices would be able to (1) verify that the content came from an authorized distributor, (2) decrypt and display the content (the meaning of "display" depending on whether the content is text, video, audio, and so on), and (3) force the device owner to pay for the content (perhaps by checking before decrypting that the subscription fee payment is up-to-date). It is expensive to design, manufacture, and mass market such a special-purpose device, and an entire content-distribution business based on such a device would necessitate cooperation of at least the consumer-electronics and content-distribution industries, and possibly the banking and Internet-service industries as well. A particular business plan could thus be infeasible because it failed to motivate all of the necessary parties to cooperate or because consumers failed to buy the special-purpose devices in sufficient numbers. The failure of the Divx player for distribution of movies is perhaps an instructive example in this regard.20 Hardware-based support for IP management in trusted systems could also be done using PCs containing special-purpose hardware. Because such machines would have the full functionality of PCs, users could continue to use them for everything that they do today. The intent would be that because they had secure hardware, content distributors and their customers could conduct business just as they could in the information-appliance scenario, but without customers having to buy a separate special-purpose device. One problem here, suggested above, is that the content must, eventually, be presented to the user, at which point it can be captured. The capturing may be a slow and perhaps painful process, but, if the content in question is of sufficient value, pirates may well be motivated to go to the effort or to write software that will automate the effort. The trusted systems scenario faces substantial challenges, in part because accomplishing it would require changes to the vast installed base of personal computers, changes that the marketplace may reject. The need for specialized hardware would require buying new machines or retrofitting existing computers with hardware ensuring that the computer user was able to do with the digital object exactly those actions specified by the rights management language. The tight control of input and output, for example, if universally enforced, would be experienced by the user as an inability to do print redirection, the ability that permits the personal computer user to save into a local file anything he or she can see on the screen or print. The committee finds it questionable whether computer owners would accept the inconvenience, risk, and expense of retrofitting their machines with a device that makes them more expensive and in some ways less capable. The case is less obvious where purchasing new machines is concerned, but even here there is a substantial question of what will motivate buyers to purchase a machine that is more expensive (because of the new hardware and software) and, once again, less capable in some ways. Note, too, that although consumers might benefit from access to content that would not have been released without trusted systems in place, significant benefit from such systems would accrue to content originators, while the costs would be borne principally by content users.21 There are two plausible scenarios for the adoption of such an approach: the "clean slate" scenario and the "side effect" scenario. The clean slate scenario involves the introduction of new technology, which avoids the problem of an installed base and offers opportunities to mandate standards. DVD offers one such example: The hardware and software for a player must use certain licensed technology and obey certain protection standards in order to be capable of playing movies. Such requirements can be set in place at the outset of a new technology, before there is an installed base of equipment without these capabilities. Given the size of the installed base of computers and their continuing utility, it is not clear what would provide the analogous clean slate opportunity for trusted systems. The "side effect" scenario involves technology that is introduced for one reason and turns out to be useful for a second purpose.22 In this case, the initial reason is business-to-business electronic commerce; the second purpose is IP protection. The Trusted Computing Platform Alliance, a collaborative effort founded in October 1999 by Compaq, HP, IBM, Intel, and Microsoft, is aimed at "building confidence and trust of computing platforms in e-business transactions."23 It plans to provide security at the level of the hardware, BIOS, and operating system, i.e., thoroughly integrated into the system in ways that would make it transparent to the user. This is a very ambitious undertaking that will require a considerable, coordinated effort among several manufacturers, and its success is far from guaranteed. Nevertheless, should the alliance make substantial progress, it would offer a foundation for business-to-business e-commerce and would also mean that PCs would likely come equipped with hardware and software that provided a natural foundation for TPSs aimed at IP protection. This report noted earlier that the marketplace for electronic information might benefit from the marketplace infrastructure built for electronic commerce; it may be the case that the computer hardware and software built for secure electronic commerce will turn out to be a useful foundation for IP protection on individual computers. An alternative version of the trusted system notion envisions creating software-based IP management systems whose technical protection arises from a variety of software tools, including encryption, watermarking, and some of the technologies discussed above. Although this would not provide the same degree of protection as systems using both software and special hardware, it may very well offer sufficient strength to enable an effective marketplace in low- to medium-value digital information. For a variety of nontechnical reasons discussed at length in Gladney (1998), the integration phase of such systems is proceeding slowly, with end-to-end systems not nearly as well developed or well understood as the individual technical tools.
Protection Technologies for Niches and Special-Purpose Devices
As the discussion above makes clear, there are substantial challenges in creating technical protection services capable of working effectively in the context of a general-purpose computer. However, with more specialized devices, or in contexts of limited uses of the computer, additional techniques may be employed. For example, for high value, specialized software with smaller, more narrowly defined markets, hardware-based copy protection schemes have had some success. In the computer-aided design software market, for instance, products are distributed with "dongles," simple physical devices that plug into the printer port; the software does not function unless the dongle is installed. But dongles have been tried and have proven impractical for mass market software: Consumers rapidly became frustrated with the need to keep track of a separate dongle for each application and each of its upgrades. For specific devices, like CD players, copy protection can be based on hardware built into the device. This hardware makes it difficult to use CD-ROM recorders to create unauthorized copies of disks with commercially valuable music, software, or other content. For example, Macrovision's SafeDisc technology uses digital signature, encryption, and hardware-based copy protection in a TPS that is transparent to the user of a legitimate disk.24 The content of the CD-ROMs is encrypted and digitally signed. The physical copy protection technology prevents CD-ROM readers and other professional mastering equipment from copying the digital signature. This in turn prevents unauthorized copying, because the content can be decrypted only when the digital signature can be read and verified. Digital video disks provide a second example of hardware-based copy protection for special-purpose devices, in this case for use by the entertainment industry (see Box 5.2).
Technical Protection Services, Testing, and the Digital Millennium Copyright Act of 199825
Understanding the interaction of intellectual property and technical protection services requires an understanding of how technical protection methods and products are developed. One key feature of the technology underlying TPSs is that its creation proceeds in an adversarial manner. One member of the community of cryptography and security researchers proposes a protection mechanism, and others then attack the proposal, trying to find its vulnerabilities. It is important that this process go on at both the theoretical and experimental levels. Proposals for new ideas are often first evaluated on paper, to see whether there are conceptual flaws. Even if no flaws are evident at this stage, the concept needs to be evaluated experimentally, because systems that have survived pencil-and-paper attempts may still fail in actual use. This can happen either because flaws were simply not discovered in the theoretical analysis or because a sound proposal was implemented badly. Fielded implementations, not abstract designs, are what customers will use; hence, real implementations must be tested in real use. A crucial part of the development of good technical protection mechanisms is thus the experimental circumvention, or attack, on hardware and software that are claimed to be secure. Before the device is relied on to protect valuable content, vigorous, expert attacks should be carried out, and they should be done under conditions that are as close as possible to those in which the secure hardware or software will be used. This process is not merely good in theory; it is how good security technology and products are created, both by researchers and in commercial practice. Vendors, for example, assemble their own "tiger teams" that try to circumvent a security mechanism before it is released in the marketplace. The results of this practice validate its use. The history of the field is replete with good ideas that have been tested by the community, found to be flawed, improved, retested, and improved again. The process continues and the technology constantly gets better.26 This in turn has policy significance: Regulating circumvention must be done very carefully lest we hobble the very process that enables the development of effective protection technology. If researchers, vendors, security consultants, and others are unsure about the legal status of their activities, their effectiveness may suffer, and the quality of the resulting products may decline. This issue arises in part as a consequence of the Digital Millennium Copyright Act of 1998 (DMCA), the U.S. Congress's implementation of the World Intellectual Property Organization (WIPO) treaty. See Box 5.3 for a brief background on the interaction of the development of technical protection mechanisms and the policy in the DMCA.
What Makes a Technical Protection Service Successful?
Whether a TPS is successful begins with its inherent technical strength but depends ultimately on both the product it protects and the business in which it is deployed. The vendor interested in protecting content is only partly concerned with whether a TPS satisfies an abstract technical definition of security. Indeed, most of the techniques discussed in this section can be circumvented by people who are sufficiently motivated and knowledgeable. Vendors have more concrete concerns: Does the TPS deter enough potential thieves and facilitate enough use by paying customers to produce a profitable content-distribution business? Some of the properties that bring a TPS in line with a business model include:
The cost-benefit analysis needed to design or choose an appropriate TPS--if indeed there is one--is difficult, but necessary. Distributors can lose in the marketplace because they choose a TPS that is too sophisticated or too expensive, just as easily as they can because they choose one that is too weak.
THE ROLE OF BUSINESS MODELS IN THE PROTECTION OF INTELLECTUAL PROPERTY
Intellectual property protection is frequently viewed in terms of two forces--law and technology. The law articulates what may legally be done, while technology provides some degree of on-the-spot enforcement. In the early days of the software market, for example, the copyright on some programs was enforced by distributing floppy disks that had been written in a nonstandard way, making them difficult to copy. But law and technology are not the only tools available for grappling with the sometimes difficult task of distributing intellectual property without losing control of it. In the commercial setting, a third powerful factor in the mix is the business model. By selecting appropriately from the wide range of business models available, a rights holder may be able to influence significantly the pressure for and degree of illegal copying or other unauthorized uses. By thinking creatively about the nature of the product and the needs of the customer, rights holders may be able to create new business models that are largely unaffected by the properties of digital information (e.g., the ease of replication and distribution) that are problematic in the traditional model of selling content. They may even be able to find business models that capitalize on those very properties. Hence, in addition to its traditional role of specifying the nature of the commercial enterprise, the business model may also play a role in coping with the IP difficulties that arise with products in digital form. This section explores a variety of models and their impact on the need for technical protection mechanisms and considers the interaction of law, technology, and business models.
The Impact of the Digital Environment on Business Models
As noted in Chapter 1, the introduction of digital media changes the business environment in a number of important ways. The focus here is on the impact of digital media on the intellectual property issues involved in the commercial distribution of content.27 Most business models for traditional copyrighted works involve the sale of a physical item that becomes the property of the customer. The economics of the transaction include the costs associated with creating the initial content and first copy of the work (first-copy costs), the costs of reproduction, marketing, distribution, and other overhead costs. Although copyright does not protect subsequent redistribution of the physical copy, in many cases further reproduction and distribution is protected de facto by the costs associated with creating or re-creating a physical copy nearly equal in quality to the original. Digital information is of course not the first technology to challenge this business model. Photocopying permits the reproduction and distribution of protected works, and although the quality may not be equal to the original, if made available at a low enough price some customers will find photocopies to be acceptable substitutes. Videotapes and audiotapes are similarly vulnerable. Digital media disrupt the traditional business model by drastically lowering the cost and effort of reproduction and distribution and by producing copies indistinguishable from the original. While rights holders and consumers benefit from this, so of course may infringers. Additional impacts of the digital medium include the ability to reproduce material in private, increasing the difficulty of detection, and the ability to copy and distribute material very quickly, often before an intellectual property owner can even detect the offense, let alone seek injunctive relief. Natural barriers to infringement are thus eroded in the digital environment. This erosion may be sufficiently extreme at times that rights holders may be wise to reevaluate their fundamental business model. In some cases digital information may be simply unprotectable, at least in practice if not in law and in principle. Digital media have other impacts on business models as well. Licensing, rather than sale, is becoming increasingly popular for digital media, in part because of the difficulty of retaining control of it after a sale. In this model the customer becomes a user rather than an owner, buying access to a service rather than a physical good. This raises important issues: In a world of distribution by paper, the customer owns a physical copy of the work. What is "owned" in a service offered over a network? If a library discontinues a subscription to an online journal, for example, what rights, if any, does it have to the intellectual property it had been accessing? While networked services are far from new--Dialog and Lexis-Nexis are now more than 20 years old--the nature of access rights has become a major concern with information products and must be factored into the business model. Those distributing intellectual property in digital form over networks find they are in a business environment changed by customer perceptions and expectations. The perception is that distribution costs are lower, so customer expectations are that prices will be lower than for analog equivalents. In some cases this is true, as with, for example, the replacement of printed software manuals with online or ondisk help; here the economics clearly favor digital formats over paper. In many other cases, however, first-copy costs are higher with digital products, partly because consumers have come to expect more from digital information (e.g., indexing, searching, hyperlinks, multimedia). There are, in addition, new costs associated with digital distribution that offset at least some of the decreased traditional manufacturing costs (e.g., the cost of keeping up with the rapid evolution in browser capabilities and in Web languages). This pressure for low-priced goods is exacerbated by the fact that on the Web, by far the largest single supply of digital information, free information currently predominates, creating expectations that content will be available free or for low prices. There is also the misperception that "free" equates to "public domain," leading some to believe that if it can be downloaded freely, it is unprotected by intellectual property law. Traditional business models are thus stressed in a number of ways by digital information; of particular significance here are the erosion of natural barriers to infringement and the pressure for inexpensive goods.
Business Models for Handling Information
Traditional business models include a wide variety of possibilities, including goods paid for solely by the buyer, goods totally or partially subsidized by advertisers, and goods given away at no charge, as well as mixes of these models. These are reviewed briefly here, to indicate how they are used in the digital environment and to set the stage for exploring less traditional business models in the next section.
Traditional Business Models
Some traditional business models are outlined below: 1. Business models based on fees for products or services: a. Single transaction purchase. Examples: Videos, books, some software, music CDs, some text CD-ROMs, and article photocopies (document delivery). b. Subscription purchase. Examples: Newsletter and most journal subscriptions. c. Single-transaction license. Examples: Some software and most text CD-ROMs. d. Serial-transaction license (usually where there is a flat fee for unlimited use). Example: Electronic subscription to a single title (this is different from item 1c above in that the license will often be renewed from year to year upon payment of fees). e. Site licenses (these are generally also flat fees for unlimited use, but with a broader licensed community). Examples: Software licenses for whole companies, a package containing all electronic journals from a publisher for all members of a university community. f. Payment per electronic use. Examples: Information resources paid for per search, per time online, or per article accessed. 2. Business models relying on advertising28 a. Combined subscription and advertising. Examples: Newspapers, consumer and business-to-business magazines, Web sites such as the Wall Street Journal, and America Online. b. Advertising income only. Examples: Many Web sites and controlled circulation magazines. 3. "Free" distribution business models29 a. Free distribution (no hidden motive). Examples: Scholarly papers on preprint servers and software like Apache, available for free. b. Free samples--the traditional notion of providing an introduction to the product. Example: A demonstration version of a software package, in the expectation that the customer will want a full, or more up-to-date, version. c. Information goods for those who buy something else or have another income-producing relationship with the information provider. Example: Free browser software offered to increase traffic on an income-producing Web site. d. Government information or other information in the public domain. Examples: Standards, economic data, statutes, and regulations. e. Prestige/vanity/some start-ups. Example: Garage band wanting to get publicity for other services.
Intellectual Property Implications of Traditional Business Models
Models in the first category derive all revenue from fees for the product or service. Here revenues depend on the number of copies sold or licenses signed, making the rights holder more sensitive to illegal copying, piracy, and even fair use, to the degree that any of these replace the purchase of a copy. Success of a business model of this type depends, in part, on the producer's ability to control postsale copying. Specifically, Models 1a (single transaction purchase) and 1b (subscription purchase) are outright purchases, with all of the first-sale and existing copyright implications as to fair use described in Chapters 3 and 4. Models 1c (single transaction license), 1d (serial transaction license), and 1e (site license), as licenses, are attempts to remove any ambiguity in the copyright law by creating an enforceable contract between the rights holder and the user. Such contracts may attempt to impose other desires of the rights holder through the terms in the contract. While nominally clearer, many licenses are frequently ignored, not understood, not known about by the end user, or otherwise fail to satisfy all parties. Model 1f (pay per use) is a fee for service that may be implemented through either sale or licensing models. Business models that include advertising (Models 2a and 2b) add more balance to the revenue stream. Subscription prices are held down or eliminated because a large number of qualified recipients helps to ensure advertising revenues. Intellectual property concerns may be more related to illegal reproduction and framing--for example, it is important to ensure that users come to the rights holders' Web site so that advertisements are viewed by users as intended by the rights holders. There is less concern about unauthorized access when the sole income is from advertising. Many Web sites of this type require user registration as a way to identify viewers to advertisers but, for many others, simply counting page views or some other measure of traffic is sufficient. In the free distribution business models (Models 3a through 3e), reproduction is generally not an issue: Except for the case where use of intellectual property is tied to the purchase of some other product, the information owner is clearly seeking as widespread a dissemination as possible by giving free access. The principal intellectual property concerns here relate to preservation of the integrity of the information, proper citation if someone else uses the information, and the prevention of commercial use of the material by unauthorized users.
Less Traditional Business Models
A variety of other business models have been explored in an attempt to confront the IP difficulties encountered in the digital world. Some of these are derived from models used for traditional products, while others appear to be unique to the world of information products. Eight of these less traditional business models are described below: 1. Give away the information product and earn revenue from an auxiliary product or service. Examples of auxiliary products: Free access to an online newspaper in exchange for basic demographic data; the revenue-generating auxiliary product is the database of information about readers. Free distribution of (some) music because it enhances the market for auxiliary goods and services associated with the artist (attendance at concerts, T-shirts, posters, etc.). Example of auxiliary service: The Linux operating system is distributed for free; the market is in service--support, training, consulting, and customization. 2. Give away the initial information product and sell upgrades. Example: Antivirus software, where the current version is often freely downloadable; the revenue-generating product is the subsequent updates (along with support service). 3. Extreme customization--Make the product so personal that few people other than the purchaser would want it. Examples: Search engine output, personalized newspapers, and personalized CDs. MusicMaker will create a CD containing the tracks exactly in the sequence specified by a customer.30 4. Provide a large product in small pieces, making it easy to browse but difficult to get in its entirety. Examples: Online encyclopedias, databases, and many Web sites. 5. Give away digital content because it complements (and increases demand for) the traditional product. Examples: The MIT Press and the National Academy Press make the full text of some books and reports available online; this has apparently increased sales of the hard-copy versions. 6. Give away one piece of digital content because it creates a market for another. Examples: The Netscape browser was freely distributed in part to increase demand for their server software; Adobe's Acrobat Reader is freely distributed to increase demand for the Acrobat document preparation software. 7. Allow free distribution of the product but request payment (perhaps offering additional value in the paid-for version). Example: Shareware. Where shareware versions have time-limited functionality or are incomplete demonstration versions, this is quite similar to the "free sample" model above. 8. Position the product for low-priced, mass market distribution. Examples: Microsoft Windows ('95 and '98). These examples illustrate that far more than immediate production costs enter into pricing decisions. They also demonstrate the trend of relating pricing and other decisions to efforts to develop relationships with customers.
Intellectual Property Implications of Less Traditional Business Models
These less traditional models all reduce the need for enforcement of intellectual property protection against reproduction. The first two do it by foregoing any attempt to generate revenue from the digital content, using it instead as a means of creating demand for services or physical products, neither of which are subject to the replication difficulties of digital products. Giving away digital content as a complement to a traditional product works because reading information online is still awkward and because most people are not willing to print out a multi-hundred-page book.31 Selling upgrades relies on the relatively short shelf life of the original product; antivirus software is typically upgraded every 3 months. Extreme customization renders moot any need for enforcing IP protection, because only the original purchaser is interested in the product. Parceling out the product in small pieces simply makes it difficult to copy the entire product, in part restoring a barrier to infringement that comes naturally with physical products. Giving away one digital product to promote another reduces the need for IP enforcement for the product given away, but it of course does little to reduce the need for IP enforcement for the charged-for product. One related strategy is to differentiate individuals from organizations. For example, Netscape and Adobe give away programs that individuals use, in order to sell the (more expensive) programs purchased by organizations. This approach takes advantage of the comparative ease of enforcing IP rights against organizations as compared to detecting and prosecuting infringement by individuals. It also capitalizes on the expectation that organizations may generate use that is valuable enough for them to pay for the product and recognizes that organizations also have processes and resources to comply more easily with IP laws and license agreements. Free and low-cost mass market distribution are in the spirit of making the product cheaper to buy than it is to steal. It is worth noting that stealing an information product or service typically comes at a cost. An individual needs to expend the cost, time, and effort to obtain the product or service through infringing means and faces possible downstream costs such as refusal of technical support. When costs (i.e., the price to buy versus the total costs to steal) converge, the need for IP enforcement clearly diminishes.
Business Models as a Means of Dealing with Intellectual Property
As the variety of models above illustrates, business model design and selection can play a significant role in grappling with questions of IP protection. The choice of a model has significant consequences for the role that IP rights enforcement will play and, importantly, models are available that require far less enforcement. Hence, one approach to IP rights in a world where digital content is difficult to control entails selecting a business model that does not require strict control. Relying on a business model rather than a technical protection mechanism may also offer some leverage with the difficulty described in Chapter 1. With the emergence of computers and networking into the mainstream of daily life, attempting to enforce IP rights increasingly involves the difficult task of controlling private behavior. Where IP enforcement has historically been an issue between corporations, and where it has historically regulated public acts, the vastly increased means and opportunity for using (and abusing) IP in the hands of individuals has led to increased concern with the private actions of individuals. Where such private actions of individuals are concerned, detection and enforcement is more difficult, making the law a less effective tool. Technical protection mechanisms may help in such circumstances by making illegal or unauthorized actions more difficult, but the selection of an appropriate business model can reduce the motivation for those actions in the first place. There are, of course, limits to the applicability of these models. Some properties, such as first-run movies, are unlikely ever to be given away, simply because of their high value. In that case other means of dealing with IP issues become more relevant, such as technical protection mechanisms (e.g., as in DVD) or perhaps not making any digital versions of the intellectual property available to consumers. In formulating a plan for the commercial distribution of intellectual property, then, the rights holder is well advised to consider all three factors: exploring what boundaries are set by the law, what technical protections are practical and cost-effective, and how the business model will produce revenue. The law sets the foundational context in which the other two must function, drawing the boundaries that specify both what legal protection exists against unauthorized reproduction, distribution, and use, and what limits there are on the rights holder's monopoly (e.g., provisions for public access or time limitations on the term of protection). Technical protection mechanisms and business models can then play complementary roles in grappling with the difficulties of distributing IP content in digital form, each capable of reducing the degree of "leakage" of the product. All three factors interact. Technology influences the selection of a business model: Any technical protection mechanism has both cost and benefit; it costs the producer to implement and may produce nuisance value for the customer (as for example nonstandard floppies), but may also pay off in lower rates of illegal copying. IP law also influences business model selection, as, for example, the limited lifetime of copyright protection must be considered in developing the business model. And, in some cases, the selection of a business model may obviate the need for technical protection. Selecting a business model for an information product is difficult in part because of the curious economics of information products. Appendix D discusses this in some detail; this section summarizes a few observations that have consequences in the marketplace and for the selection of a business model. The duration of economic value varies over an extraordinary range, from a stock market quote (one minute or less) to a classic play (e.g., timeless Greek tragedies), but generally the economic value of most works is far shorter than the standard period of copyright protection. However, while duration of value is often short (sometimes fleeting), changes in value over time can be quite unpredictable. The novel Moby Dick was valueless when published; today's best-sellers may soon be. Today's news is valuable, yesterday's nearly worthless, while the news of 100 years ago is valuable again. Curiously, there is value in both scarce information and in widely disseminated information. Scarcity confers obvious value. Consider the stock tip known by few others. But wide dissemination of information can produce value as well. Consider network effects in software, where the value of a program increases as more people use it, particularly as it approaches the status of a standard. For digital information products, there are large first-copy costs and almost negligible production and distribution costs. Particularly in the absence of IP protection, this can produce a very sharp decline in product value over time, as it becomes an easily copied commodity. A few generalizations are available about selecting business models to deal with IP issues. As a general observation, business models in which intellectual property can be widely disseminated at low cost are more successful in addressing intellectual property problems than are businesses that rely on higher prices and a small number of units distributed. The reasons are straightforward: If the cost of reproduction or piracy is high relative to the cost of acquiring the work legitimately, intellectual property problems will be less serious. Examples include newspapers, magazines, and paperback books. More interesting, perhaps, is finding ways to permit low-cost distribution. The mass communication media have been the most successful because they make use of advertiser support to cover most or all of the cost of production and distribution, a model widely adopted on the Web. The use of rental markets as in videos (and formerly books) works well where such markets are feasible. The use of intellectual property to promote the use of other products (e.g., free browsers to promote Web traffic) is one of the few successful models available of widespread distribution of a digital information product for (very) low cost.32 It is no wonder that the ones most concerned about protection are the producers of intellectual property of high value that is distributed in relatively small quantities. Many high-end professional software packages, for instance, still require a dongle for use, and providers of specialized business information frequently use intranets and extranets protected by passwords in order to keep control of their content. There is reason to approach doing business on the Web or in other electronic forms with some optimism, for there are a variety of business models to consider. As pointed out by Shapiro and Varian (1998), the goal for commercial information creators and owners is to maximize revenues, not protection. Business models will continue to evolve with the maturation of digital products; their careful design and selection may help to create effective ways to do business in the information world.
ILLEGAL COMMERCIAL COPYING
The U.S. industries that produce and sell copyrighted products constitute a significant part of the U.S. gross domestic product (GDP) and trade with other nations. It is therefore not surprising that the affairs of these industries and the issues they are concerned with attract considerable attention. One of these issues is the definition of illegal copying and the enforcement of the rules against it. A particular focus is illegal commercial copying--piracy.33 Extensive data are collected and information reported under the auspices of the International Intellectual Property Association (IIPA) and its constituent member trade associations, including the Association of American Publishers (AAP), American Film Marketing Association (AFMA), Motion Picture Association of America (MPAA), National Music Publishers Association, (NMPA), Business Software Alliance (BSA), Interactive Digital Software Association (IDSA), and Recording Industry Association of America (RIAA), as well as industry trade associations outside of the IIPA, such as the Software and Information Industry Association (SIIA).34 These trade associations and other groups representing rights holders publish figures intended to demonstrate the huge dollar cost of infringement of U.S. IP rights that occurs both domestically and abroad. These figures are invariably impressive and are often cited as authoritative in newspaper articles or congressional hearings. The total contribution to the GDP of the United States represented by the copyright industries and the potential economic significance of global copyright infringement that detracts from these industries are substantial and disturbing. For example, in one widely publicized IIPA report published in 1998, it was estimated in 1996 that the total (not just core) copyright industries accounted for $433.9 billion in value added, or 5.68 percent of the U.S. GDP, and that those industries employed over 6.5 million people, or 5.2 percent of the U.S. workforce.35 In 1996, the core copyright industries alone were estimated to account for $278.4 billion of the U.S. GDP, 3.65 percent of the total.36 The IIPA estimates U.S. losses due to foreign piracy for the core copyright industries to be approximately $12.4 billion annually; losses resulting from domestic piracy make the total even greater.37 Notwithstanding the extensive amounts of data and information made available by these trade associations, some committee members believe there are reasons to question the reliability of some of the data claiming to measure the size of the economic impact of piracy. The committee considers here some of the issues that arise in collecting and analyzing such data, in part to inform the reader about those issues, and in part as the basis for a recommendation about how such information might reliably be assembled and analyzed. In exploring these issues, the committee takes a strictly economic view, focusing on profits lost from piracy. Lost profits are not the only cost of piracy, nor are the economic consequences the only rationale for enforcing antipiracy laws. But the figures widely circulated by trade organizations are intended to be economic analyses of profits lost, hence it is appropriate to explore these figures and their methodology from a strictly economic viewpoint. One concern is that those who read figures of the sort found in the IIPA report may infer that all or most of the copyright industries' contribution to the GDP depends on copyright policy that protects works to at least the current degree and that perhaps the contribution now requires still greater copyright protection as a consequence of digital information and networks. However, within the economics community, the specific relationship between the level of IP protection and revenue of a firm in the copyright industries is unclear.38 A second problem is the accuracy of estimates of the costs of illegal copying. A number of difficulties arise here. One difficulty is that the needed data have to be based on extrapolation from very limited information, because illegal sales and distribution are frequently private acts. A second difficulty is determining the extent to which illegal copies are displacing sales. One widely quoted study, by the SIIA, estimates the number of illegal copies and then derives the net loss to the industry by assuming that each illegal copy displaces a sale at standard market prices39 (other studies appear to rely on more complex formulations). This approach is problematic because it is unlikely that each illegal copy displaces a sale at the market price (some people will buy at the pirate price but not the legal market price) and because it estimates reduction in gross revenues rather than net loss to the copyright industries (see Box 5.4). Consequently, these estimates may be taken to represent an upper bound on the reduction in gross revenues by these industries.
There is, as shown in Box 5.4, disagreement about the economic impact of piracy on the copyright industries. It is clear, however, that there are significant losses that, if avoided, might result in increased production. It is also clear that uncontrolled digital dissemination could have very serious repercussions for the copyright industries. A number of committee members conclude that, despite the extensive statistics available, there is a paucity of reliable information of the quality that might be generated if the subject were investigated by a disinterested third party. They conclude that such information is sorely needed. However, even given the caveats above concerning methodology, the committee believes that the available information suggests that the volume and cost of illegal copying is substantial. Although this section is concerned with the economics of piracy, the committee also believes that, regardless of whether the extent of illegal copying is financially significant to all industries that produce copyrighted products, the laws against illegal copying should be strictly enforced. Economic harm, after all, is not the only reason for enforcing copyright protection (or any other law with economic consequences). In a 1983 address and article, "The Harm of the Concept of Harm in Copyright," David Ladd, then the United States Register of Copyrights, expressed the following view: "The notion of economic 'harm' as a prerequisite for copyright protection is mischievous because it disserves the basic constitutional design which embraces both copyright and the First Amendment." Mr. Ladd argued for recognition of the fact that copyright protection is a sine qua non of a civilized society and, accordingly, merits recognition independent of economic impact. This view is not unanimously endorsed by the committee, as some committee members believe that the constitutional basis for intellectual property protection in authorizing laws was meant to encourage strictly instrumental purposes. Even so, the committee as a whole recognizes that many creators believe that their works, as expressions of their individuality, deserve to be protected and controlled by rights holders, quite independent of the economic consequences. Because people differ in the weight they give to this argument, the committee believes that copyright policy will never be resolved solely by appeal to facts about its economic effects. Despite the difficulty of finding a universally accepted copyright policy, the committee believes that it is important to conduct research in an attempt to better assess the social and economic impact of both commercial illegal copying for profit and noncommercial personal-use copying.40 The committee believes that reducing the current state of uncertainty about the impact of these various phenomena will be important to policy makers and entrepreneurs. Clearly, there are multiple phenomena at work in both the commercial and noncommercial copying spheres, and perhaps there are differing behaviors among different demographic groups, geographic locations, and, perhaps, even cultures.41 These multiple phenomena may include how much the difficulty of making the illegal copy affects the frequency of copying, the effect on consumer decision making of the price and availability of legitimate copies, the personal sense of the moral or ethical dimensions of the copying involved, the degree of law enforcement or legal scrutiny directed at the behavior, peer group or social opprobrium or encouragement, and so on. Society needs to understand better what these multiple phenomena are and how they operate in the real world, so that appropriate responses can be formulated.
THE IMPACT OF GRANTING PATENTS FOR INFORMATION INNOVATIONS
Historically, information innovations have been excluded from the purview of patent law, based on a notion that Congress had meant for only industrial processes to be patented. Documents were deemed unpatentable, as were improved ways for calculating, organizing information, and managing organizations. However, a great deal has changed in recent years, and it seems that nearly all information innovations may now be patented, as long as they meet the patent law's requirements for novelty, nonobviousness, and utility and can be precisely defined in claims. Computer software was the first digital information product to challenge the traditional interpretation of patent concepts because of its dual nature as both a literary work (the textual source code) and a machine (i.e., a useful device). Programs have a dual nature because they are textual works created specifically to bring about some set of behaviors. They have been characterized as "machines whose medium of construction happens to be text" (Samuelson et al., 1994).42 The "printed matter" and "mental process" rules were initially invoked to deny patent protection to computer software, as on occasion was the "business method" rule. In its 1972 Gottschalk v. Benson decision, the U.S. Supreme Court ruled that an innovative method for transforming binary coded decimals into pure binary form could not be patented, even though the patent applicant intended to carry out the method by computer and one of the two claims before the Court was limited to computer implementations.43 Drawing on the "mental process" line of cases, the Supreme Court announced that mathematical algorithms could not be patented. One factor that clearly disturbed the Court about the prospect of patenting the Benson algorithm was that a patent would preempt all uses of it, including apparently the teaching of it. In 1978, the Supreme Court in Parker v. Flook denied patent protection for an algorithm useful for calculating "alarm limits" (i.e., dangerous conditions) for a catalytic converter plant.44 The Court did not think that this algorithm, any more than the Pythagorean theorem or any other purely mathematical method, could become patentable merely because it might be applied to a particular useful end. The turning point in the long struggle over patents for information inventions came with the Supreme Court's 1981 decision in Diamond v. Diehr, which upheld the patentability of an improved rubber curing process, one step of which required a computer program.45 Because Diehr involved a traditional technological process and had so deeply divided the Court, patent administrators and the courts continued to struggle over how broadly to construe the Diehr decision. In the late 1980s, the tide turned in favor of patents for computer-program-related inventions because of their technological character. Source code listings might still be regarded as unpatentable under the printed matter rule, but as soon as a program has been put in machine-readable form, recent precedents would seem to regard it as patentable subject matter. Most recent program-related patents are, however, for more abstract design elements of programs. In the late 1980s and through the 1990s, it became increasingly common for courts to uphold patents for data structures, applied algorithms, information retrieval, and business methods carried out by computer programs. The denouement of the legal controversy over software-related patents in the courts and in the U.S. Patent and Trademark Office (PTO) may be the U.S. Supreme Court's decision in early 1999 not to review the State Street Bank decision. The Court upheld a patent attacked on grounds that the claims covered an algorithm and a business method. However, patents continue to be controversial in the information technology industry (Box 5.5).
| ||||||
