Protecting Digital Intellectual Property:
Means and Measurements
Recent years have seen the exploration of many technical mechanisms intended to protect intellectual property (IP) in digital form, along with attempts to develop commercial products and services based on those mechanisms. This chapter begins with a review of IP protection technology, explaining the technology's capabilities and limitations and exploring the consequences these capabilities may have for the distribution of and access to IP. Appendix E presents additional technical detail, attempting to demystify the technology and providing an introduction to the large body of written material on this subject.
This chapter also addresses the role of business models in protecting IP. Protection is typically conceived of in legal and technical terms, determined by what the law permits and what technology can enforce. Business models add a third, powerful element to the mix, one that can serve as an effective means of making more digital content available in new ways and that can be an effective deterrent to illegitimate uses of IP.
The chapter also considers the question of large-scale commercial infringement, often referred to as piracy. It discusses the nature of the data concerning the rates of commercial infringement and offers suggestions for improving the reported information.
The chapter concludes with a discussion of the increasing use of patents to protect information innovations such as software and Internet business models, and explores the question of whether the patent system is an appropriate mechanism to protect these innovations.
The evolution of technology is challenging the status quo of IP management in many ways. This section and Appendix E focus on technical protection services (TPSs) that may be able to assist in controlling the distribution of digital intellectual property on the Internet.1 The focus here is on how technical tools can assist in meeting the objectives stated throughout the report, as well as what they cannot do and what must therefore be sought elsewhere. Appendix E explores how the tools work, details what each kind of tool brings to bear on the challenges described throughout the report, and projects the expected development and deployment for each tool. For ease of exposition, the presentation in this chapter is framed in terms of protecting individual objects (texts, music albums, movies, and so on); however, many of the issues raised are applicable to collections (e.g., libraries and databases),2 and many of the techniques discussed are relevant to them as well.
A number of general points are important to keep in mind about TPSs:
• Technology provides means, not ends; it can assist in enforcing IP policy, but it cannot provide answers to social, legal, and economic questions about the ownership of and rights over works, nor can it make up for incompletely or badly answered questions.
• No TPS can protect perfectly. Technology changes rapidly, making previously secure systems progressively less secure. Social environments also change, with the defeat of security systems attracting more (or less) interest in the population. Just as in physical security systems, there are inherent trade-offs between the engineering design and implementation quality of a system on the one hand and the cost of building and deploying it on the other. The best that can be hoped for is steady improvement in TPS quality and affordability and keeping a step ahead of those bent on defeating the systems.
1Note that the phrase "technical protection services" is used deliberately. Although it is tempting to talk about technical protection systems (packages of tools integrated into digital environments and integrated with each other), the committee believes that such systems are difficult to implement reasonably in the information infrastructure, an open network of interacting components, lacking boundaries that usefully separate inside and outside. In this environment it is better to talk about technical protection services; each service will be drawn on by information infrastructure components and will generally interact with other services.
2For example, as reported by a committee member, in February 1999 the special assistant to the director of Chemical Abstracts Service (CAS) indicated that there were one to three "hacking" attempts per day to get into the CAS database.
• While technical protection for intellectual property is often construed as protecting the rights of rights holders to collect revenue, this viewpoint is too narrow. Technical protection offers additional important services, including verifying the authenticity of information (i.e., indicating whether it comes from the source claimed and whether it has been altered, either inadvertently or fraudulently). Information consumers will find this capability useful for obvious reasons; publishers as well need authenticity controls to protect their brand quality.
• As with any security system, the quality and cost of a TPS should be tailored to the values of and risks to the resources it helps protect: The newest movie release requires different protection than a professor's class notes.
• Again, as with any security system, there are different degrees of protection. Some TPSs are designed to keep honest people honest and provide only a modest level of enforcement; more ambitious uses seek to provide robust security against professional pirates.
• As with any software, TPSs are subject to design and implementation errors that need to be uncovered by careful research and investigation. Professional cryptologists and digital security experts look for flaws in existing services in order to define better products.
• TPSs almost invariably cause some inconvenience to their users. Part of the ongoing design effort is to eliminate such inconvenience or at least to reduce it to tolerable levels.
• The amount of inconvenience caused by a TPS has been correlated historically with its degree of protection. As a result, in the commercial context, overly stringent protection is as bad as inadequate protection: In either extreme (no protection or complete protection, i.e., making content inaccessible), revenues are zero. Revenues climb with movement away from the extremes; the difficult empirical task is finding the right balance.
• Protective technologies that are useful within special-purpose devices (e.g., cable-television set-top boxes or portable digital music players) are quite different from those intended for use in general-purpose computers. For network-attached general-purpose computers, software alone cannot achieve the level of technical protection attainable with special-purpose hardware. However, software-only measures will doubtless be in wide use soon.
Here (and in more detail in Appendix E) the committee provides a layman's description of the most important technical protection mechanisms, suggesting how each can be fit into an overall protection scheme, describing the limitations of each, and sketching current research directions. There are several classes of mechanisms:
• Security and integrity features of computer operating systems include, for example, the traditional file access privileges enforced by the system.
• Rights management languages express in machine-readable form the rights and responsibilities of owners, distributors, and users, enabling the computer to determine whether requested actions fall within a permitted range. These languages can be viewed as an elaboration of the languages used to express file access privileges in operating systems.
• Encryption allows digital works to be scrambled so that they can be unscrambled only by legitimate users.
• Persistent encryption allows the consumer to use information while the system maintains it in an encrypted form.
• Watermarking embeds information (e.g., about ownership) into a digital work in much the same way that paper can carry a watermark. A digital watermark can help owners track copying and distribution of digital works.
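As a toy illustration of the last of these mechanisms (and not any deployed scheme), the following sketch hides an owner identifier in the least-significant bits of audio-like sample bytes, where small changes are imperceptible, and then reads it back:

```python
def embed_watermark(samples: bytearray, mark: bytes) -> bytearray:
    """Overwrite the least-significant bit of successive samples with mark bits."""
    bits = [(byte >> i) & 1 for byte in mark for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover object too small for watermark")
    out = bytearray(samples)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit   # replace only the lowest bit
    return out

def extract_watermark(samples: bytes, length: int) -> bytes:
    """Reassemble `length` bytes of watermark from the low bits of the samples."""
    out = bytearray()
    for i in range(length):
        byte = 0
        for j in range(8):
            byte |= (samples[8 * i + j] & 1) << j
        out.append(byte)
    return bytes(out)

cover = bytearray(range(64))                  # stand-in for audio samples
marked = embed_watermark(cover, b"CAS")       # "CAS" is an arbitrary owner tag
assert extract_watermark(marked, 3) == b"CAS"
```

Real watermarking schemes are far more sophisticated, spreading the mark so that it survives compression, cropping, and deliberate attack; this sketch shows only the basic embed-and-extract idea.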
For effective protection, the developer of an IP-delivery service must choose the right ingredients and attempt to weave them together into an end-to-end technical protection system. The term "end-to-end" emphasizes the maintenance of control over the content at all times; the term "protection system" emphasizes the need to combine various services so that they work together as seamlessly as possible.
Protecting intellectual property is a variant of computing and communications security, an area of study that has long been pursued both in research laboratories and for real-world application. Security is currently enjoying renewed emphasis because of its relevance to conducting business online.3 While security technology encompasses a very large area, this discussion is limited to describing generally applicable principles and those technical topics relevant to the management of intellectual property.4
As cryptography is an underpinning for many of the other tools discussed, the following section begins with a brief explanation of this technology.5 Next, the techniques that help manage IP within general-purpose computers are described. Finally, the discussion turns to technology that can help in consumer electronics and other special-purpose devices.6
3As the technology needed for IP may not be affordable for IP alone, there is the possibility of a useful coincidence: The technology needed for IP may be largely a subset of what will be needed for electronic commerce. One concrete example is the Trusted Computing Platform Alliance discussed below.
4For example, the committee passed silently over a concern closely related to IP (the effect of the digital world on personal privacy) because, although there is some intersection of the two sets of issues, they are sufficiently separable and sizable that each is best addressed in its own report.
5A closely related topic, the Public Key Infrastructure (a set of emerging standards for distributing, interpreting, and protecting cryptographic keys), is primarily of technical interest and is discussed in Appendix E.
Encryption: An Underpinning Technology for Technical Protection Service Components
Cryptography is a crucial enabling technology for IP management. The goal of encryption is to scramble objects so that they are not understandable or usable until they are unscrambled. The technical terms for scrambling and unscrambling are "encrypting" and "decrypting." Encryption facilitates IP management by protecting content against disclosure or modification both during transmission and while it is stored. If content is encrypted effectively, copying the files is nearly useless because there is no access to the content without the decryption key. Software available off the shelf provides encryption that is for all practical purposes unbreakable, although much of the encrypting software in use today is somewhat less robust.
Many commercial IP management strategies plan a central role for what is called "symmetric-key" encryption, so called because the same key is used both to encrypt and decrypt the content. Each object (e.g., movie, song, text, graphic, software application) is encrypted by the distributor with a key unique to that object; the encrypted object can then be distributed, perhaps widely (e.g., placed on a Web site). The object's key is given only to appropriate recipients (e.g., paying customers), typically via a different, more secure route, perhaps one that relies on special hardware.
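The per-object pattern can be sketched as follows. The keystream cipher here is a deliberately simple stand-in for a vetted algorithm such as AES, and is not secure; the point is only that one random key per object both locks and unlocks it:

```python
import hashlib
import secrets

def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a pseudorandom byte stream (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

decrypt = encrypt  # XOR with the same keystream is its own inverse

# Each object gets its own random key; the key is delivered to paying
# customers by a separate, more secure route.
song = b"...digital audio samples..."
song_key = secrets.token_bytes(32)
ciphertext = encrypt(song_key, song)
assert decrypt(song_key, ciphertext) == song
```

Without `song_key`, the widely distributed `ciphertext` is useless; with it, any copy can be opened, which is why key distribution carries so much of the security burden.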
One example of an existing service using encryption in this way is pay-per-view television. A program can be encrypted with a key and the key distributed to paying customers only. (The special hardware for key distribution is in the set-top box.) The encrypted program can then safely be broadcast over public airwaves. Someone who has not paid and does not have the key may intercept the broadcast but will not be able to view it.
There is, of course, an interesting circularity in symmetric-key encryption. The way to keep a message secret is to encrypt it, but then you also have to send the decryption key so the message recipient can decrypt the message. You have to keep the key from being intercepted while it is being transmitted, but if you have a way to do that, why not use that method to send the original message?
6Where the text that follows identifies specific commercial products and services, it is solely for the purpose of helping to explain the current state of the art. The committee does not endorse or recommend any specific product or service.
One answer is hinted at above: speed. The key (a short collection of digits) is far smaller than the thing being encrypted (e.g., the television program), so the key distribution mechanism can use a more elaborate, more secure, and probably slower transmission route, one that would not be practical for encrypting the entire program.7
Another answer has arisen in the past 20 years that gets around the conundrum: a technique called public-key cryptography.8 This technique uses two different keys, a public key and a private key, chosen so that they have a remarkable property: Any message encrypted with the public key can be decrypted only by using the corresponding private key; once the text is encrypted, even the public key used to encrypt it cannot be used to decrypt it.
The idea is to keep one of these keys private and publish the other one; private keys are kept private by individuals, while public keys are published, perhaps in an online directory, so that anyone can find them. If you want to send a secret message, you encrypt the message with the recipient's public key. Once that is done, only the recipient, who knows the corresponding private key, can decrypt the message. Software is widely available to generate key pairs that have this property, so individuals can generate key pairs, publish their public keys, and keep their private keys private.
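A tiny, deliberately insecure RSA example with textbook-sized primes makes the public/private relationship concrete (real keys run to thousands of bits, and real systems add padding and other safeguards):

```python
# Toy RSA key generation: the primes p and q stay secret.
p, q = 61, 53
n = p * q                            # 3233, published as part of both keys
e = 17                               # public exponent
d = pow(e, -1, (p - 1) * (q - 1))    # private exponent, derived from p and q

def encrypt_with_public_key(m: int) -> int:
    """Anyone who knows (e, n) can encrypt a message m < n."""
    return pow(m, e, n)

def decrypt_with_private_key(c: int) -> int:
    """Only the holder of d can recover the message."""
    return pow(c, d, n)

c = encrypt_with_public_key(65)
assert decrypt_with_private_key(c) == 65
assert pow(c, e, n) != 65            # the public key cannot undo the encryption
```

Note the asymmetry the text describes: applying the public exponent to the ciphertext does not recover the message; only the private exponent does.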
As public-key encryption is typically considerably slower (in terms of computer processing) than symmetric-key encryption, a common technique for security uses them both: Symmetric-key encryption is used to encrypt the message, then public-key encryption is used to transmit the decryption key to the recipient.
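This hybrid pattern can be sketched by combining two toy components (an illustrative keystream cipher and textbook RSA numbers, neither of which is secure): the bulky content travels under fast symmetric encryption, and only the short symmetric key travels under slow public-key encryption.

```python
import hashlib
import secrets

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data against a SHA-256 keystream."""
    ks = bytearray()
    counter = 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, ks))

# Recipient's toy RSA key pair (textbook numbers, far too small for real use).
n, e = 3233, 17      # public
d = 2753             # private

movie = b"a large stream of video bytes..." * 4
content_key = secrets.token_bytes(1)            # toy 8-bit key so it fits below n
key_as_int = int.from_bytes(content_key, "big")

ciphertext = xor_stream(content_key, movie)     # bulk encryption: fast, symmetric
wrapped_key = pow(key_as_int, e, n)             # key delivery: slow, public-key

# Recipient unwraps the content key with the private key, then decrypts the bulk.
recovered_key = pow(wrapped_key, d, n).to_bytes(1, "big")
assert xor_stream(recovered_key, ciphertext) == movie
```

The same division of labor appears in most deployed protocols: public-key operations touch only a few dozen bytes, while the symmetric cipher does the heavy lifting.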
A wide variety of other interesting capabilities is made possible by public-key systems, including ways to "sign" a digital file, in effect providing a digital signature. As long as the signing key has remained private, that signature could only have come from the key's owner. These additional capabilities are described in Appendix E.
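The signing idea can be sketched with the same toy RSA numbers used above (illustrative only): the private key produces the signature, and anyone holding the public key can check it.

```python
import hashlib

n, e, d = 3233, 17, 2753   # toy RSA key pair; real keys are thousands of bits

def digest_as_int(message: bytes) -> int:
    """Reduce a message to a small integer via a hash (toy-sized here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes) -> int:
    """Only the private-key holder can compute this."""
    return pow(digest_as_int(message), d, n)

def verify(message: bytes, signature: int) -> bool:
    """Anyone with the public key (e, n) can check the signature."""
    return pow(signature, e, n) == digest_as_int(message)

sig = sign(b"authentic manuscript")
assert verify(b"authentic manuscript", sig)
# A tampered message or forged signature will (with overwhelming
# probability) fail the same check.
```

This is the authenticity service mentioned earlier in the chapter: the signature binds the content to the signer's private key, so alteration or misattribution becomes detectable.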
Any encryption system must be designed and built very carefully, as there are numerous and sometimes very subtle ways in which information can be captured. Among the more obvious is breaking the code: If the encryption is not powerful enough, mathematical techniques can be used to decrypt the message even without the key. If the key-distribution protocol is flawed, an unauthorized person may be able to obtain the key via either high technology (e.g., wiretapping) or "social engineering" (e.g., convincing someone with access to the key to supply it, a widely used approach). If the system used to read the decrypted information is not designed carefully, the decrypted information may be left accessible (e.g., in a temporary file) after it has been displayed to the user. The point to keep in mind is that cryptography is no magic bullet; using it effectively requires both considerable engineering expertise and attention to social and cultural factors (e.g., providing incentives for people to keep messages secret).9
7The most basic form of "separate mechanism" to send the key is having a codebook of keys hand-carried to the recipient, as has been done for years in the intelligence business. This is not feasible where widescale distribution is concerned.
8The technique was first brought to practical development by R.L. Rivest, A. Shamir, and L.M. Adleman in Rivest et al. (1978). RSA Security (see <http://www.rsa.com>) produces software products based on this development.
Access Control in Bounded Communities
Perhaps the most fundamental form of technology for the protection of intellectual property is controlling access to information (i.e., determining whether the requester is permitted to access the information). A basic form of such control has been a part of the world of operating systems software almost from the time operating systems were first implemented, offering limited but useful security. In its simplest form, an access control system keeps track of the identity of each member of the user community, the identities of the data objects, and the privileges (reading, altering, executing, and so on) that each user has for each object. The system consults this information whenever it receives a service request and either grants or denies the request depending on what the privilege indicates.
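The access control matrix just described can be sketched in a few lines (user and object names here are, of course, invented placeholders):

```python
# Privileges recorded per (user, object) pair, as in a traditional
# operating system's access control data.
acl = {
    ("alice", "report.txt"): {"read", "alter"},
    ("bob",   "report.txt"): {"read"},
}

def request(user: str, obj: str, privilege: str) -> bool:
    """Grant or deny a service request by consulting the recorded privileges."""
    return privilege in acl.get((user, obj), set())

assert request("alice", "report.txt", "alter")
assert not request("bob", "report.txt", "alter")       # bob may only read
assert not request("carol", "report.txt", "read")      # unknown users get nothing
```

Real operating systems store this information more compactly (e.g., as per-object access control lists or per-user capabilities), but the grant-or-deny decision is the same table lookup.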
Existing access control, however, offers only a part of what is needed for dealing with collections of intellectual property. Such systems have typically been used to control access to information for only relatively short periods such as a few years, using only a few simple access criteria (e.g., read, alter, execute), and for objects whose owners are themselves users and who are often close at hand whenever a problem or question arises.
In contrast, access control systems for intellectual property must deal with time periods as long as a century or more and must handle the sometimes complex conditions of access and use. A sizable collection (as indeed a digital library will be) also needs capabilities for dealing with hundreds or thousands of documents and large communities of users (e.g., a college campus or the users of a large urban library).
Such systems will thus need to record the terms and conditions of access to materials for decades or longer and make this information accessible to administrators and to end users in ways that allow access to be negotiated. This raises interesting questions of user authentication: For example, is the requester who he says he is? Does he have a valid library card? It also raises issues of database maintenance: For example, collections change, rights holders change, and the user community changes as library cards expire. Many other questions must be addressed as well so that systems work at the scale of operation anticipated. Some work along these lines has been done (e.g., Alrashid et al., 1998), but a considerable amount of development work is still needed.
9See, for example, CSTB (1996).
Some attempts have also been made to represent in machine-readable form the complex conditions that can be attached to intellectual property. This is the focus of what have been called rights management languages, which attempt to provide flexible and powerful languages in which to specify those conditions.10 DPRL (Ramanujapuram, 1998), for example, attempts to offer a vocabulary in which a wide variety of rights management terms and conditions can be specified.
An important characteristic of these languages is that they are machine-readable (i.e., the conditions can be interpreted by a program that can then grant or deny the desired use). This is superficially the same as a traditional operating system, but the conditions of access and use may be far more complex than the traditional notions used in operating systems. In addition, as will be shown below, these languages are quite useful outside the context of bounded communities. Finally, although large-scale systems have yet to be deployed, rights management language design is not perceived as a roadblock to more robust TPSs.
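A much-simplified, hypothetical stand-in for such a language can suggest the flavor (this is not DPRL or any other real syntax; the terms, field names, and identifier are invented): conditions are recorded as data, and a program interprets them to grant or deny a requested use.

```python
import datetime

# Machine-readable terms attached to one object. The identifier and the
# condition vocabulary here are illustrative placeholders only.
terms = {
    "work": "urn:example:object-42",
    "rights": {
        "view":  {"expires": "2099-12-31", "fee_required": False},
        "print": {"expires": "2099-12-31", "fee_required": True},
    },
}

def permitted(action: str, fee_paid: bool, today: datetime.date) -> bool:
    """Interpret the recorded terms for a requested action."""
    rule = terms["rights"].get(action)
    if rule is None:
        return False                    # actions not listed are denied
    if today > datetime.date.fromisoformat(rule["expires"]):
        return False                    # the grant has lapsed
    return fee_paid or not rule["fee_required"]

today = datetime.date(2000, 1, 1)
assert permitted("view", fee_paid=False, today=today)
assert not permitted("print", fee_paid=False, today=today)
assert permitted("print", fee_paid=True, today=today)
```

The contrast with the operating-system example above is the richness of the conditions: expiration dates, payment status, and potentially many more clauses, all interpretable by machine.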
Enforcement of Access and Use Control in Open Communities
Access control systems of the sort outlined above can be effective where the central issue is specifying and enforcing access to information, as is typically true in bounded communities represented by, for example, a single corporation or a college campus. In such communities much greater emphasis is placed on questions of original access to information than on questions of what is done with the information once it is in the hands of the user. The user is presumed to be motivated (e.g., by social pressure or community sanctions) to obey the rules of use specified by the rights management information.
10MPEG-4 offers a general framework of support for rights management, providing primarily a structure within which a rights management language might be used, rather than a language itself. It is nonetheless interesting, partly because it represents the growing recognition that rights management information can be an integral part of the package in which content is delivered. The standard specifies a set of IP management and protection descriptors for describing the kind of protection desired, as well as an IP identification data set for identifying objects via established numbering systems (e.g., the ISBN used for books). Using these mechanisms, the content providers can specify whatever protection strategy their business models call for, from no protection at all to requiring that the receiving system be authorized via a certified cryptographic key, be prepared to communicate in an encrypted form, and be prepared to use a rights management system when displaying information to the end user. For additional information on MPEG-4, see Konen (1998) and Lacy et al. (1998).
A larger problem arises when information is made accessible to an unbounded community, as it is routinely on the Web. The user cannot in general be presumed to obey rules of use (e.g., copyright restrictions on reproduction); therefore, technical mechanisms capable of enforcing such rules are likely to be needed.
A variety of approaches has been explored. The simpler measures include techniques for posting documents that are easily viewed but not easily captured when using existing browsers. One way to do this uses Java routines to display content rather than the standard HTML display. This gives a degree of control over content use because the display can be done without making available the standard operating system copy-and-paste or printing options. A slightly more sophisticated technique is to use a special format for the information and distribute a browser plug-in that can view the information but isn't capable of writing it to the disk, printing, and so on. Knowledgeable users can often find ways around these techniques, but ordinary users may well be deterred from using the content in ways the rights holder wishes to discourage.
There are also a number of increasingly complex techniques for controlling content use that are motivated by the observation made earlier, that digital IP liberates content from medium: the information is no longer attached to anything physical. When it is attached to something physical, as in, say, books or paintings, the effort and expense of reproducing the physical object offers a barrier to reproduction. Much of our history of and comfort with intellectual property restrictions is based on the familiar properties of information bound to physical substrates. Not surprisingly, then, some technical protection mechanisms seek to restore these properties by somehow "reattaching" the bits to something physical, something not easily reproduced. The description that follows draws on features of several such mechanisms as a way of characterizing this overall approach.
Encryption is a fundamental tool in this task. At a minimum, encryption requires that the consumer get a decryption key, without which a copy of the encrypted content is useless. Buy a digital song, for example, and you get both an encrypted file and a password for decrypting and playing the song.
But this approach secures only the original access to the content and its transit to the consumer. Two additional problems immediately become apparent. First, the content is still not "attached" to anything physical, so the consumer who wished to do so could pass along (or sell) to others both the encrypted content and the decryption key. Second, the consumer could use the key to decrypt the content, save the decrypted version in a file, and pass that file along to others.
There are several ways to deal with the first problem that involve "anchoring" the content to a single machine or single user. One technique is to encode the identity of the purchaser in the decryption key, making it possible to trace shared keys back to their source. This provides a social disincentive to redistribution.11 A second technique is for the key to encode some things about the identity of one particular computer, such as the serial number of the primary hard drive, or other things that are unlikely to change.12 The decryption software then checks for these attributes before it will decrypt the content. A third technique calls for special hardware in the computer to hold a unique identifier that can be used as part of the decryption key. Some approaches call for this hardware to be encased in tamper-resistant cases, to discourage tampering even by those with the skill to modify hardware. One form of tamper resistance involves erasing the key if any attempt is made to open or manipulate the chip containing it.
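The second technique can be sketched as follows: the effective decryption key is derived from both the distributed key material and attributes of one particular machine, so the same material yields a useless key elsewhere. (The attribute names below are hypothetical placeholders, not real hardware identifiers.)

```python
import hashlib

def anchored_key(distributed_key: bytes, machine_attributes: dict) -> bytes:
    """Derive the working key from key material plus a machine fingerprint."""
    fingerprint = "|".join(
        f"{name}={value}" for name, value in sorted(machine_attributes.items())
    )
    return hashlib.sha256(distributed_key + fingerprint.encode()).digest()

# Hypothetical attribute sets for two different computers.
home_pc  = {"drive_serial": "WD-1234", "cpu_id": "GenuineIntel-0652"}
other_pc = {"drive_serial": "ST-9999", "cpu_id": "GenuineIntel-0652"}

key_material = b"key material sent by the distributor"

# The same distributed material produces different working keys on
# different machines, so copying the material to another PC is futile.
assert anchored_key(key_material, home_pc) != anchored_key(key_material, other_pc)
```

As footnote 12 observes, the weakness of this approach is that hardware attributes do change (a replaced disk, an upgraded CPU), so deployed systems must choose attributes stable enough that legitimate customers are rarely locked out.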
Whatever the approach, the intended result is the samethe content can be decrypted only on the machine for which the decryption has been authorized.
But even this protection alone is not sufficient, because it is not persistent. The consumer may legally purchase content and legally decrypt it on her machine, then (perhaps illegally) pass that on to others who may be able to use the information on their machines. The final technological step is to reduce the opportunities for this to happen. Two basic elements are required: (1) just-in-time and on-site decrypting and (2) close control of the input/output properties of the machine that will display the content. Decrypting just in time and on site means that the content is not decrypted until just before it is used, no temporary copies are ever stored, and the information is decrypted as physically close to the usage site as possible. An encrypted file containing a music album, for instance, would not be entirely decrypted and then played, because a sophisticated programmer might find a way to capture the temporary decrypted file. Instead, the file is decrypted "on the fly" (i.e., as each digital sample is decrypted, it is sent to the sound-generation hardware), reducing the ease with which the decrypted sample can be captured. On-site decryption involves placing the decryption hardware and the sound-generation hardware as physically close as possible, minimizing the opportunity to capture the decrypted content as it passes from one place to another inside (or outside) the computer.13
11This also has privacy implications that consumers may find undesirable.
12Hard drives typically have serial numbers built into their hardware that can be read using appropriate software but cannot be changed. However, because even hard disks are replaced from time to time, this and all other such attempts to key to the specific hardware will fail in some situations. The idea of course is to select attributes stable enough that this failure rarely occurs.
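The "on the fly" pattern above can be sketched with a generator that decrypts one small chunk at a time and hands it straight onward, never materializing a whole decrypted file. (The XOR keystream here is a toy stand-in for a real cipher.)

```python
import hashlib

def xor_chunk(key: bytes, index: int, chunk: bytes) -> bytes:
    """Toy per-chunk cipher: XOR against a keystream derived from the index."""
    ks = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return bytes(c ^ k for c, k in zip(chunk, ks))

def play_stream(key: bytes, encrypted_chunks):
    """Decrypt just in time: yield each chunk as it is needed, store nothing."""
    for index, chunk in enumerate(encrypted_chunks):
        yield xor_chunk(key, index, chunk)   # straight to the playback hardware

key = b"album key"
samples = [b"chunk-one", b"chunk-two", b"chunk-three"]
encrypted = [xor_chunk(key, i, c) for i, c in enumerate(samples)]

assert list(play_stream(key, encrypted)) == samples
```

The point of the structure is what it avoids: at no moment does a complete decrypted copy exist, so a would-be copier must intercept the stream chunk by chunk rather than simply grabbing a temporary file.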
Some playback devices are difficult to place physically near the computer's decryption hardware. For example, digital camcorders, digital VCRs, digital video disk (DVD) movie players, and so on all require cables to connect them to the computer, which means wires for interconnection, and wires offer the possibility for wiretapping the signal.
One approach to maintaining on-site decryption for peripheral devices is illustrated by the Digital Transmission Content Protection (DTCP) standard, an evolving standard developed through a collaboration of Hitachi, Intel, Matsushita, Sony, and Toshiba (see Box 5.1). The computer and the peripheral need to communicate to establish that each is a device authorized to receive a decryption key. The key is then exchanged in a form that makes it difficult to intercept, and the content is transmitted over the wire in encrypted form. The peripheral device then does its own on-site decryption. This allows the computer and peripheral to share content yet provides a strong degree of protection while the information is in transit to the decryption site.
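The authorization step in such a scheme can be suggested by a generic challenge-response sketch. This is NOT the actual DTCP protocol, merely an illustration of the idea that the computer verifies the peripheral knows a provisioned device secret before releasing anything, after which content travels encrypted.

```python
import hashlib
import hmac
import secrets

# Hypothetical secret provisioned into all authorized devices at manufacture.
DEVICE_SECRET = b"secret provisioned into authorized devices"

def peripheral_respond(challenge: bytes) -> bytes:
    """An authorized peripheral proves itself by MACing the challenge."""
    return hmac.new(DEVICE_SECRET, challenge, hashlib.sha256).digest()

def computer_authorize(response: bytes, challenge: bytes) -> bool:
    """The computer accepts only a response keyed by the device secret."""
    expected = hmac.new(DEVICE_SECRET, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)

challenge = secrets.token_bytes(16)
assert computer_authorize(peripheral_respond(challenge), challenge)
assert not computer_authorize(b"\x00" * 32, challenge)   # impostor is refused
```

A fresh random challenge each time prevents a wiretapper from simply replaying an earlier, legitimate response; the real DTCP design layers key exchange and link encryption on top of device authentication of this general kind.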
But even given just-in-time and on-site decryption, a sophisticated programmer might be able to insert instructions that wrote each decrypted unit of content (e.g., a music sample) to a file just before it was used (in this case sent to the sound-generation hardware). Hence, the second basic element in providing persistent encryption is to take control of some of the routine input and output (I/O) capabilities of the computer. There are a number of different ways to attempt this, depending partially on the degree to which the content delivery system is intended to work on existing hardware and software.
The largest (current) market is of course for PCs running off-the-shelf operating systems (such as Windows, Mac, and Linux). In that case the content delivery system must use the I/O routines of the existing operating system. The difficulty here is that these routines were not designed to hide the information they are processing. As a result, using an existing operating system opens another door to capturing the decrypted content.
13Information may be captured by physically wiretapping the cables that route signals inside and outside the computer.
Content delivery systems that wish to work in the environment of such operating systems attempt, through clever programming, to reduce the opportunities to capture the decrypted information while the operating system is performing output. But given existing operating systems, abundant opportunities still exist for a sophisticated programmer.
More complex proposals call for replacing parts of, or even the entire, operating system, possibly right down to the BIOS, the basic input/output routines embedded in read-only memory in the computer hardware. Such computers would instead use specially written routines that will not read or write without checking with the decryption hardware on the computer to ensure that the operation is permitted under the conditions of use of the content. This more ambitious approach faces the substantial problem of requiring not only the development of a new and complex operating system but the widespread replacement of the existing installed base as well. This clearly raises the real possibility of rejection by consumers.
The final problem is the ultimate delivery of the information: Music must be played, text and images displayed, and so on. This presents one final, unavoidable opportunity for the user to capture the information. The sophisticated owner of a general-purpose computer can find ways to copy what appears on the screen (e.g., screen capture utilities) or what goes into the speakers (connect an analog-to-digital converter to the speaker wires). As is usual in such matters, the expectation is that this will be tedious enough (capturing a long document screenful by screenful), complex enough (hooking up the converter), or of sufficiently low quality (the captured speaker signal is not identical to the digital original) that all but the most dedicated of thieves will see it as not worth the effort. Nevertheless, those who place substantial faith in elaborate TPSs should keep in mind the necessity of presenting information to the user and the opportunity this provides for capture.
More generally, because all protection mechanisms can eventually be defeated at the source (e.g., as it was with a2b encoding and Windows Media; see Chapter 2), the key questions concern trade-offs of cost and effectiveness. A good mechanism is one that provides the degree of disincentive desired to discourage theft but remains inexpensive enough so that it doesn't greatly reduce consumer demand for the product. A good deal more real-world experience is needed before both vendors and consumers can identify the appropriate trade-offs.
Currently, any system aiming to provide substantial technical protection will rely on encryption, anchoring the bits to a specific machine, and making encryption persistent through just-in-time decryption and low-level control of I/O. Systems using one or more of these ideas are commercially available, and others are under active development. Music delivery systems such as AT&T's a2b and Liquid Audio's Liquid Player, for example, are commercially available. InterTrust, IBM, and Xerox are marketing wide-ranging sets of software products aimed at providing persistent protection for many kinds of content.14 Similar efforts currently under development include the Secure Digital Music Initiative (discussed in Chapter 2) aimed at providing a standard for protecting music.
Copy Detection in Open Communities: Marking and Monitoring
When a valuable digital object is not encrypted and is outside the sphere of control of its rights holder, the only technical means of hindering misuse is to change the object in ways that discourage wrongdoing or facilitate detection. A variety of approaches have been used to accomplish these goals. One technique calls for releasing only versions of insufficient quality for the suspected misuses. Images, for example, can be posted on the Web with enough detail to determine whether they would be useful in, say, an advertising layout, but with insufficient detail for reproduction in a magazine.
14See <http://www.a2bmusic.com> for information about a2b, <http://www.liquidaudio.com> for information about Liquid Audio, <http://www.ibm.com/security/html/cryptolopes.html> for information on the IBM products, <http://www.intertrust.com> for information on InterTrust offerings, and <http://www.contentguard.com> for information on Xerox's offerings.
Labels could, nevertheless, ease the problem of IP management, at least among the (fairly large) audience of cooperative users. Consider the utility of having every Web page carry a notice in the bottom right corner spelling out the author's position on use of the page. Viewers would at least know what they could do with the page, without having to guess or track down the author, allowing cooperative users to behave appropriately. Getting this to work would require spreading the practice of adding such information, so that authors did it routinely, along with some modest effort to develop standards for the kinds of things that would be useful to say in a label. A range of standard legal phrases already exists that could serve as a starting point.
A second category of label attached to some digital documents is a time stamp, used to establish that a work had certain properties (e.g., its content or the identity of the copyright holder) at a particular point in time. The need for this arises from the malleability of digital information. It is simple to modify both the body of a document and the dates associated with it that are maintained by the operating system (e.g., the creation date and modification date).
Digital time stamping is a technique that affixes an authoritative, cryptographically strong time stamp to digital content; the label can be used to demonstrate what the state of the content was at a given time. A third-party time-stamping service may be involved to provide a trusted source for the time used in the time stamp. Time-stamping technology is not currently widely deployed.15
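The mechanics can be sketched briefly. In outline, a time-stamping service binds a cryptographic hash of the content to the current time and authenticates that binding; anyone holding the resulting receipt can later demonstrate that the content existed in exactly that form at that time. The sketch below is a simplified illustration only, not the protocol of any deployed service: the service key and message-authentication approach are stand-ins (a real service would use public-key signatures so that anyone, not just the service, could verify a receipt).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical secret held by the time-stamping service. Real services
# use public-key signatures; an HMAC keeps this sketch self-contained.
SERVICE_KEY = b"demo-service-secret"

def issue_timestamp(content: bytes) -> dict:
    """Service side: bind a hash of the content to the current time."""
    receipt = {
        "digest": hashlib.sha256(content).hexdigest(),
        "time": datetime.now(timezone.utc).isoformat(),
    }
    payload = json.dumps(receipt, sort_keys=True).encode()
    receipt["mac"] = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    return receipt

def verify_timestamp(content: bytes, receipt: dict) -> bool:
    """Check that the receipt is authentic and matches this exact content."""
    claimed = {k: receipt[k] for k in ("digest", "time")}
    payload = json.dumps(claimed, sort_keys=True).encode()
    expected = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, receipt["mac"])
            and receipt["digest"] == hashlib.sha256(content).hexdigest())
```

Because the hash changes if even one byte of the document changes, a receipt that verifies today is strong evidence that neither the content nor the claimed date has been altered since issuance.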
Where the labels noted above are separate from the digital content, another form of marking embeds the information into the content itself. Such digital alterations are called watermarks and are analogous to watermarks manufactured into paper. An example cited earlier described how a music file might be watermarked by using a few bits of some music samples to encode ownership information and usage restrictions. The digital watermark may be readily apparent, much like a copyright notice on the margin of a photograph; it may be embedded throughout the document, in the manner of documents printed on watermarked paper; or it may be embedded so that it is normally undetected and can be extracted only by those who know how and where to look, as in the music example.16 Visible watermarks are useful for deterrence, invisible watermarks can aid in proving theft, and a watermark distributed through a document can by design be difficult to remove, so that it remains detectable even if only part of the document is copied.
The objectives, means, and effectiveness of marking technologies depend on a number of factors. Designing an appropriate watermark means, for instance, asking what mix is desired of visibility (Should the mark be routinely visible?), security (How easy is it to modify the mark?), and robustness (What kinds of modifications, such as printing a picture and rescanning it, can the mark survive?). The nature and value of the information clearly matters. A recent hit song needs different treatment than a Mozart aria. Modality also matters. Sheet music is watermarked differently than an audio recording of a performance. Some things are difficult to watermark. Machine code for software cannot be watermarked in the same way as music, because every bit in the program matters; change one and the program may crash. Identifying information must instead be built into the source code, embedded in a way that the information gets carried into the machine code but does not adversely affect the behavior of the program.17 Watermarking digital text also presents challenges: How can, say, an online version of The Grapes of Wrath be marked to include a digital watermark, without changing the text? One trick is to change the appearance of the text. The watermark can be encoded by varying the interline and intercharacter spacing slightly from what would be expected; the variation encodes the information.
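The audio example mentioned above, in which a few bits of some music samples carry ownership information, can be made concrete with a small sketch. This is the simplest possible embedding, in the least significant bit of each sample, and is far weaker than commercial watermarks, which must survive compression, resampling, and deliberate attack; it is shown only to illustrate the idea of hiding information in perceptually insignificant parts of a signal.

```python
def embed_watermark(samples: list[int], mark_bits: list[int]) -> list[int]:
    """Hide one watermark bit in the least significant bit of each sample.

    Changing the low-order bit of a 16-bit audio sample alters the
    signal by at most 1 part in 32,768, well below audibility.
    """
    marked = list(samples)
    for i, bit in enumerate(mark_bits):
        marked[i] = (marked[i] & ~1) | bit  # clear the LSB, then set it to the mark bit
    return marked

def extract_watermark(samples: list[int], length: int) -> list[int]:
    """Read the watermark back out of the low-order bits."""
    return [s & 1 for s in samples[:length]]
```

Note the trade-off the chapter describes: this mark is invisible (inaudible) and trivially cheap to embed, but it is not robust, since re-encoding the audio destroys the low-order bits.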
Marking a document is of course only half the battle; monitoring is
16Embedding IP ownership information in documents in subtle ways has a long history and had been used much before the arrival of digital information. One of the oldest and simplest techniques is the mapmaker's trick of inserting nonexistent streets or roads. Similarly, text has been "marked" by distributing versions with small changes in wording.
17This is not difficult technologically, but it adds another step to the marking process and can present significant additional overhead.
needed in order to detect the presence of unauthorized copies. A number of efforts have been made in this direction, many of which rely on "Web crawlers," programs that methodically search the Web looking for documents bearing a relevant watermark. An IP management system that watermarked images, for example, would also have a Web searching routine that examined publicly available image files for that system's watermarks. This is an active area of work; systems have been developed in both the commercial and academic world.18
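The structure of such a monitoring system can be sketched as follows. The detector here is deliberately trivial, a substring search for a known marker, standing in for the feature-extraction and robust-detection machinery a real system would use; the point of the sketch is the crawl-and-check loop, not the detection itself.

```python
from typing import Callable, Iterable

def watermark_present(data: bytes, mark: bytes = b"OWNER:ACME-1999") -> bool:
    """Toy detector: look for a known marker string in the file.

    Real detectors recover the mark from sample or spacing perturbations
    and tolerate cropping and re-encoding; substring search is only a
    stand-in to keep the monitoring loop's structure visible.
    """
    return mark in data

def monitor(urls: Iterable[str], fetch: Callable[[str], bytes]) -> list[str]:
    """Fetch each candidate document and report those bearing the mark."""
    hits = []
    for url in urls:
        try:
            if watermark_present(fetch(url)):
                hits.append(url)
        except OSError:
            continue  # unreachable page: skip it and keep crawling
    return hits
```

Passing the fetch routine in as a parameter keeps the crawl logic separate from the network code, which also makes the loop easy to test against local files.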
Marking and monitoring technologies do not attempt to control users' behavior directly. In particular, they do not attempt to prevent unauthorized copying or modification. Rather, they make these actions detectable, so that rights holders can seek legal redress when infringement occurs. Frequently their intent is simply to signal that copying is prohibited; the utility of these technologies relies on the fact that many people are honest most of the time.
The preceding discussion of technical protection mechanisms points out that the strongest intellectual property protection requires embedding protection mechanisms throughout the computer hardware and software at all levels, right down to the BIOS. In one vision of the future, security will become a major influence on the design of computing and communications infrastructure, leading to the development and widespread adoption of hardware-based, technologically comprehensive, end-to-end systems that offer information security, and hence facilitate creation and control of digital IP. There has been some research (and a great deal of speculation and controversy) about these so-called "trusted systems," but none is in widespread use as of 1999.
One example of this vision (Stefik, 1997b) seeks to enable the world of digital objects to have some of the same properties as physical objects. In these systems, when a merchant sells a digital object, the bits encoding that object would be deposited on the buyer's computer and erased from the merchant's computer. If the purchaser subsequently "loaned" this digital object, the access control and rights management systems on the lender's computer would temporarily disable the object's use on that computer while enabling use on the borrower's computer. These changes
18Digimarc at <http://www.digimarc.com> is one example of a commercial watermarking and tracking system; Stanford's Digital Library project at <http://www-diglib.stanford.edu/diglib/pub/> has produced systems for detecting copying of text and audio files, using feature extraction techniques to enable fast searching and detection of partial copies.
would be reversed when the object is returned by the borrower to the lender.
The published literature (see, e.g., Stefik, 1997a,b) is fairly clear on what trusted systems are supposed to accomplish, but it does not spell out in technical detail how they are supposed to accomplish it. Stefik, for example, is clear on the need for some sort of hardware component (Stefik, 1997b) to supplement the Internet and PC world of today,19 but he says little about how that component would work or how it would be added to today's infrastructure. Here, we explore two general ways in which trusted systems might be implemented, then consider the barriers they face.
One way to increase control over content is to deliver it into special-purpose devices designed for purchase and consumption of digital content, but not programmable in the manner of general-purpose PCs. For example, game-playing machines, digital music players, electronic books, and many other types of devices could be (and some are) built so that each one, when purchased, contains a unique identifier and appropriate decoding software. The devices could then be connected to the Web in much the same way as general-purpose computers and used to download content encrypted by distributors. Legitimate devices would be able to (1) verify that the content came from an authorized distributor, (2) decrypt and display the content (the meaning of "display" depending on whether the content is text, video, audio, and so on), and (3) force the device owner to pay for the content (perhaps by checking, before decrypting, that the subscription fee payment is up-to-date).
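The three checks above can be sketched in outline. The sketch is a simplified stand-in for what device firmware would do: the keys and the toy hash-based stream cipher are illustrative assumptions (a real device would hold a distributor's public key in tamper-resistant hardware and use standard ciphers), but the order of operations, refuse to decode until payment, provenance, and decryption all check out, is the point.

```python
import hashlib
import hmac

# Hypothetical keys; in a real device these would live in tamper-resistant
# hardware, and the provenance check would use a public-key signature.
DISTRIBUTOR_KEY = b"distributor-shared-secret"
DEVICE_CONTENT_KEY = b"per-device-content-key"

def _keystream(key: bytes, n: int) -> bytes:
    """Derive n pseudorandom bytes from the key (toy stream cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def package(content: bytes) -> dict:
    """Distributor side: encrypt the content and attach an authentication tag."""
    cipher = bytes(c ^ k for c, k in zip(content, _keystream(DEVICE_CONTENT_KEY, len(content))))
    tag = hmac.new(DISTRIBUTOR_KEY, cipher, hashlib.sha256).hexdigest()
    return {"cipher": cipher, "tag": tag}

def play(pkg: dict, subscription_paid: bool) -> bytes:
    """Device side: the three checks a legitimate device would make."""
    # (3) Force payment: refuse to decode unless the subscription is current.
    if not subscription_paid:
        raise PermissionError("subscription not current")
    # (1) Verify the package came from an authorized distributor.
    expected = hmac.new(DISTRIBUTOR_KEY, pkg["cipher"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg["tag"]):
        raise ValueError("not from an authorized distributor")
    # (2) Decrypt for display.
    return bytes(c ^ k for c, k in zip(pkg["cipher"], _keystream(DEVICE_CONTENT_KEY, len(pkg["cipher"]))))
```

Because the device, not the user, holds the content key, the content is usable only through the checks in `play`; this is exactly the property that a general-purpose, user-programmable computer cannot guarantee.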
It is expensive to design, manufacture, and mass-market such a special-purpose device, and an entire content-distribution business based on such a device would necessitate the cooperation of at least the consumer-electronics and content-distribution industries, and possibly the banking and Internet-service industries as well. A particular business plan could thus prove infeasible because it failed to motivate all of the necessary parties to cooperate or because consumers failed to buy the special-purpose devices in sufficient numbers. The failure of the Divx player for movie distribution is perhaps an instructive example in this regard.20
Hardware-based support for IP management in trusted systems could also be done using PCs containing special-purpose hardware. Because such machines would have the full functionality of PCs, users could con-
19For example, a tamperproof clock to ensure that rights are not exercised after they expire or to secure memories to record billing information (Stefik, 1997b).
20Production of Digital Video Express LP, or Divx, was terminated by Circuit City in June 1999 (Ramstad, 1999). Although it was not designed to download content from the Web, it was in many other respects the sort of device suggested above.
tinue to use them for everything that they do today. The intent would be that because they had secure hardware, content distributors and their customers could conduct business just as they could in the information-appliance scenario, but without customers having to buy a separate special-purpose device. One problem here, suggested above, is that the content must, eventually, be presented to the user, at which point it can be captured. The capturing may be a slow and perhaps painful process, but, if the content in question is of sufficient value, pirates may well be motivated to go to the effort or to write software that will automate the effort.
The trusted systems scenario faces substantial challenges, in part because accomplishing it would require changes to the vast installed base of personal computers, changes that the marketplace may reject. The need for specialized hardware would require buying new machines or retrofitting existing computers with hardware that ensured the user could do with a digital object exactly those actions specified by the rights management language. Tight control of input and output, for example, if universally enforced, would be experienced by the user as the loss of print redirection, the capability that permits a personal computer user to save into a local file anything he or she can see on the screen or print. The committee finds it questionable whether computer owners would accept the inconvenience, risk, and expense of retrofitting their machines with a device that makes them more expensive and in some ways less capable.
The case is less obvious where purchasing new machines is concerned, but even here there is a substantial question of what will motivate buyers to purchase a machine that is more expensive (because of the new hardware and software) and, once again, less capable in some ways. Note, too, that although consumers might benefit from access to content that would not have been released without trusted systems in place, significant benefit from such systems would accrue to content originators, while the costs would be borne principally by content users.21
There are two plausible scenarios for the adoption of such an approach: the "clean slate" scenario and the "side effect" scenario. The clean slate scenario involves the introduction of new technology, which avoids the problem of an installed base and offers opportunities to mandate standards. DVD offers one such example: The hardware and software for a player must use certain licensed technology and obey certain protection standards in order to be capable of playing movies. Such requirements can be set in place at the outset of a new technology, before there is an installed base of equipment without these capabilities. Given
21For a more thorough discussion of this issue, see Gladney and Lotspiech (1998) and the works it cites.
the size of the installed base of computers and their continuing utility, it is not clear what would provide the analogous clean slate opportunity for trusted systems.
The "side effect" scenario involves technology that is introduced for one reason and turns out to be useful for a second purpose.22 In this case, the initial reason is business-to-business electronic commerce; the second purpose is IP protection. The Trusted Computing Platform Alliance, a collaborative effort founded in October 1999 by Compaq, HP, IBM, Intel, and Microsoft, is aimed at "building confidence and trust of computing platforms in e-business transactions."23 It plans to provide security at the level of the hardware, BIOS, and operating system, i.e., thoroughly integrated into the system in ways that would make it transparent to the user. This is a very ambitious undertaking that will require a considerable, coordinated effort among several manufacturers, and its success is far from guaranteed.
Nevertheless, should the alliance make substantial progress, it would offer a foundation for business-to-business e-commerce and would also mean that PCs would likely come equipped with hardware and software that provided a natural foundation for TPSs aimed at IP protection. This report noted earlier that the marketplace for electronic information might benefit from the marketplace infrastructure built for electronic commerce; it may be the case that the computer hardware and software built for secure electronic commerce will turn out to be a useful foundation for IP protection on individual computers.
An alternative version of the trusted system notion envisions creating software-based IP management systems whose technical protection arises from a variety of software tools, including encryption, watermarking, and some of the technologies discussed above. Although this would not provide the same degree of protection as systems using both software and special hardware, it may very well offer sufficient strength to enable an effective marketplace in low- to medium-value digital information. For a variety of nontechnical reasons discussed at length in Gladney (1998), the integration phase of such systems is proceeding slowly, with end-to-end systems not nearly as well developed or well understood as the individual technical tools.
22In fact there is some reason to believe that general-purpose computers are being used increasingly for entertainment purposes, such as stereo listening, recording studios, and high-tech photo albums, as well as for traditional PC entertainment applications such as computer games, based on a "totally unexpected surge in U.S. home PC buyers," according to industry analyst Roger Kay commenting in McWilliams (1999).
Protection Technologies for Niches and Special-Purpose Devices
As the discussion above makes clear, there are substantial challenges in creating technical protection services capable of working effectively in the context of a general-purpose computer. However, with more specialized devices, or in contexts of limited uses of the computer, additional techniques may be employed.
For example, for high-value, specialized software with smaller, more narrowly defined markets, hardware-based copy protection schemes have had some success. In the computer-aided design software market, for instance, products are distributed with "dongles," simple physical devices that plug into the printer port; the software does not function unless the dongle is installed. But dongles have been tried and have proven impractical for mass-market software: Consumers rapidly became frustrated with the need to keep track of a separate dongle for each application and each of its upgrades.
For specific devices, like CD players, copy protection can be based on hardware built into the device. This hardware makes it difficult to use CD-ROM recorders to create unauthorized copies of disks carrying commercially valuable music, software, or other content. For example, Macrovision's SafeDisc technology combines digital signatures, encryption, and hardware-based copy protection in a TPS that is transparent to the user of a legitimate disk.24 The content of the CD-ROM is encrypted and digitally signed. The physical copy protection technology prevents CD-ROM recorders and other professional mastering equipment from copying the digital signature. This in turn prevents unauthorized copying, because the content can be decrypted only when the digital signature can be read and verified.
Digital video disks provide a second example of hardware-based copy protection for special-purpose devices, in this case for use by the entertainment industry (see Box 5.2).
Technical Protection Services, Testing, and the Digital Millennium Copyright Act of 199825
Understanding the interaction of intellectual property and technical protection services requires an understanding of how technical protection methods and products are developed. One key feature of the technology underlying TPSs is that its creation proceeds in an adversarial manner.
24SafeDisc is targeted at the software publishing market. See <http://www.macrovision.com> for more information.
25These issues are discussed at greater length in Appendix G.
One member of the community of cryptography and security researchers proposes a protection mechanism, and others then attack the proposal, trying to find its vulnerabilities. It is important that this process go on at both the theoretical and experimental levels. Proposals for new ideas are often first evaluated on paper, to see whether there are conceptual flaws. Even if no flaws are evident at this stage, the concept needs to be evaluated experimentally, because systems that have survived pencil-and-
paper attempts may still fail in actual use. This can happen either because flaws were simply not discovered in the theoretical analysis or because a sound proposal was implemented badly. Fielded implementations, not abstract designs, are what customers will use; hence, real implementations must be tested in real use.
A crucial part of the development of good technical protection mechanisms is thus the experimental circumvention of, or attack on, hardware and software that are claimed to be secure. Before a mechanism is relied on to protect valuable content, vigorous, expert attacks should be carried out, and they should be done under conditions as close as possible to those in which the secure hardware or software will actually be used.
This process is not merely good in theory; it is how good security technology and products are created, both by researchers and in commercial practice. Vendors, for example, assemble their own "tiger teams" that try to circumvent a security mechanism before it is released in the marketplace. The results of this practice validate its use. The history of the field is replete with good ideas that have been tested by the community, found to be flawed, improved, retested, and improved again. The process continues and the technology constantly gets better.26
This in turn has policy significance: Regulating circumvention must be done very carefully lest we hobble the very process that enables the development of effective protection technology. If researchers, vendors, security consultants, and others are unsure about the legal status of their activities, their effectiveness may suffer, and the quality of the resulting products may decline.
This issue arises in part as a consequence of the Digital Millennium Copyright Act of 1998 (DMCA), the U.S. Congress's implementation of the World Intellectual Property Organization (WIPO) treaty. See Box 5.3 for a brief background on the interaction between the development of technical protection mechanisms and the policy embodied in the DMCA.
What Makes a Technical Protection Service Successful?
Whether a TPS is successful begins with its inherent technical strength but depends ultimately on both the product it protects and the business in
26One ongoing example is the evolution of the Sun Microsystems Java programming system. When Sun launched this innovative system, one of the most important claims that it made was that server-supplied code could be run from any Java-enabled Web browser "safely." This soon turned out to be false, as shown by Dean et al. (1996), whose analysis of the underlying problem led to improvements in Sun's next release of its Java Development Kit. This process continues, as real use and experimentation uncover additional defects, leading to further repairs and improvements.
which it is deployed. The vendor interested in protecting content is only partly concerned with whether a TPS satisfies an abstract technical definition of security. Indeed, most of the techniques discussed in this section can be circumvented by people who are sufficiently motivated and knowledgeable. Vendors have more concrete concerns: Does the TPS deter enough potential thieves and facilitate enough use by paying customers to produce a profitable content-distribution business?
Some of the properties that bring a TPS in line with a business model include:
• Usability. A protection system that is cumbersome and difficult to use may deter paying customers. If that happens, it is a failure, no matter how successful it may be at preventing theft.
• Appropriateness to the content. The cost of designing, developing, and deploying the protection system has to be in harmony with the market for the content. For content that is inexpensive or already available in a reasonably priced, non-Internet medium, there is no point to an expensive TPS that drives up the price of Internet delivery.
• Appropriateness to the threat. Preventing honest customers from giving copies to their friends may require nothing more than a reasonably priced product, a good distribution system, and a clear set of instructions. At the other end of the spectrum, preventing theft of extremely valuable content that must at some point reside in a networked PC requires a very sophisticated TPS, and even the best available with current technology may not be good enough.
The cost-benefit analysis needed to design or choose an appropriate TPS (if indeed there is one) is difficult, but necessary. Distributors can lose in the marketplace because they choose a TPS that is too sophisticated or too expensive, just as easily as they can by choosing one that is too weak.
The Role of Business Models in the Protection of Intellectual Property
Intellectual property protection is frequently viewed in terms of two forces: law and technology. The law articulates what may legally be done, while technology provides some degree of on-the-spot enforcement. In the early days of the software market, for example, the copyright on some programs was enforced by distributing floppy disks that had been written in a nonstandard way, making them difficult to copy.
But law and technology are not the only tools available for grappling with the sometimes difficult task of distributing intellectual property with-
out losing control of it. In the commercial setting, a third powerful factor in the mix is the business model. By selecting appropriately from the wide range of business models available, a rights holder may be able to influence significantly the pressure for and degree of illegal copying or other unauthorized uses. By thinking creatively about the nature of the product and the needs of the customer, rights holders may be able to create new business models that are largely unaffected by the properties of digital information (e.g., the ease of replication and distribution) that are problematic in the traditional model of selling content. They may even be able to find business models that capitalize on those very properties. Hence, in addition to its traditional role of specifying the nature of the commercial enterprise, the business model may also play a role in coping with the IP difficulties that arise with products in digital form. This section explores a variety of models and their impact on the need for technical protection mechanisms and considers the interaction of law, technology, and business models.
The Impact of the Digital Environment on Business Models
As noted in Chapter 1, the introduction of digital media changes the business environment in a number of important ways. The focus here is on the impact of digital media on the intellectual property issues involved in the commercial distribution of content.27
Most business models for traditional copyrighted works involve the sale of a physical item that becomes the property of the customer. The economics of the transaction include the costs of creating the initial content and first copy of the work (first-copy costs), along with the costs of reproduction, marketing, distribution, and other overhead. Although copyright does not restrict redistribution of the physical copy itself, in many cases the work is protected de facto against further reproduction and distribution by the costs associated with creating or re-creating a physical copy nearly equal in quality to the original.
Digital information is of course not the first technology to challenge this business model. Photocopying permits the reproduction and distribution of protected works, and although the quality may not be equal to the original, if made available at a low enough price some customers will find photocopies to be acceptable substitutes. Videotapes and audiotapes are similarly vulnerable.
Digital media disrupt the traditional business model by drastically lowering the cost and effort of reproduction and distribution and by pro-
27Shapiro and Varian (1998) have studied digital media in detail, exploring a wide variety of issues encountered in doing business in this new environment.
ducing copies indistinguishable from the original. While rights holders and consumers benefit from this, so of course may infringers. Additional impacts of the digital medium include the ability to reproduce material in private, increasing the difficulty of detection, and the ability to copy and distribute material very quickly, often before an intellectual property owner can even detect the offense, let alone seek injunctive relief. Natural barriers to infringement are thus eroded in the digital environment. This erosion may be sufficiently extreme at times that rights holders may be wise to reevaluate their fundamental business model. In some cases digital information may be simply unprotectable, at least in practice if not in law and in principle.
Digital media have other impacts on business models as well. Licensing, rather than sale, is becoming increasingly popular for digital media, in part because of the difficulty of retaining control of it after a sale. In this model the customer becomes a user rather than an owner, buying access to a service rather than a physical good. This raises important issues: In a world of distribution by paper, the customer owns a physical copy of the work. What is "owned" in a service offered over a network? If a library discontinues a subscription to an online journal, for example, what rights, if any, does it have to the intellectual property it had been accessing? While networked services are far from new (Dialog and Lexis-Nexis are now more than 20 years old), the nature of access rights has become a major concern with information products and must be factored into the business model.
Those distributing intellectual property in digital form over networks find they are in a business environment changed by customer perceptions and expectations. The perception is that distribution costs are lower, so customers expect prices to be lower than for analog equivalents. In some cases this is true, as with, for example, the replacement of printed software manuals with online or on-disk help; here the economics clearly favor digital formats over paper. In many other cases, however, first-copy costs are higher with digital products, partly because consumers have come to expect more from digital information (e.g., indexing, searching, hyperlinks, multimedia). There are, in addition, new costs associated with digital distribution that offset at least some of the decreased traditional manufacturing costs (e.g., the cost of keeping up with the rapid evolution in browser capabilities and in Web languages).
This pressure for low-priced goods is exacerbated by the fact that on the Web, by far the largest single supply of digital information, free information currently predominates, creating expectations that content will be available free or for low prices. There is also the misperception that "free" equates to "public domain," leading some to believe that if it can be downloaded freely, it is unprotected by intellectual property law. Tradi-
tional business models are thus stressed in a number of ways by digital information; of particular significance here are the erosion of natural barriers to infringement and the pressure for inexpensive goods.
Business Models for Handling Information
Traditional business models include a wide variety of possibilities, including goods paid for solely by the buyer, goods totally or partially subsidized by advertisers, and goods given away at no charge, as well as mixes of these models. These are reviewed briefly here, to indicate how they are used in the digital environment and to set the stage for exploring less traditional business models in the next section.
Traditional Business Models
Some traditional business models are outlined below:
1. Business models based on fees for products or services:
a. Single transaction purchase. Examples: Videos, books, some software, music CDs, some text CD-ROMs, and article photocopies (document delivery).
b. Subscription purchase. Examples: Newsletter and most journal subscriptions.
c. Single-transaction license. Examples: Some software and most text CD-ROMs.
d. Serial-transaction license (usually where there is a flat fee for unlimited use). Example: Electronic subscription to a single title (this is different from item 1c above in that the license will often be renewed from year to year upon payment of fees).
e. Site licenses (these are generally also flat fees for unlimited use, but with a broader licensed community). Examples: Software licenses for whole companies, a package containing all electronic journals from a publisher for all members of a university community.
f. Payment per electronic use. Examples: Information resources paid for per search, per time online, or per article accessed.
2. Business models relying on advertising28
a. Combined subscription and advertising. Examples: Newspapers,
28One of the emerging controversies about the Internet is the relative long-term viability of advertising-supported business models as compared with transaction-based business models. See Caruso (1999).
consumer and business-to-business magazines, Web sites such as the Wall Street Journal, and America Online.
b. Advertising income only. Examples: Many Web sites and controlled circulation magazines.
3. "Free" distribution business models29
a. Free distribution (no hidden motive). Examples: Scholarly papers on preprint servers and software like Apache, available for free.
b. Free samples (the traditional notion of providing an introduction to the product). Example: A demonstration version of a software package, offered in the expectation that the customer will want a full, or more up-to-date, version.
c. Information goods for those who buy something else or have another income-producing relationship with the information provider. Example: Free browser software offered to increase traffic on an income-producing Web site.
d. Government information or other information in the public domain. Examples: Standards, economic data, statutes, and regulations.
e. Prestige/vanity/some start-ups. Example: Garage band wanting to get publicity for other services.
Intellectual Property Implications of Traditional Business Models
Models in the first category derive all revenue from fees for the product or service. Here revenues depend on the number of copies sold or licenses signed, making the rights holder more sensitive to illegal copying, piracy, and even fair use, to the degree that any of these replace the purchase of a copy. Success of a business model of this type depends, in part, on the producer's ability to control postsale copying.
Specifically, Models 1a (single-transaction purchase) and 1b (subscription purchase) are outright purchases, with all of the first-sale and existing copyright implications as to fair use described in Chapters 3 and 4. Models 1c (single-transaction license), 1d (serial-transaction license), and 1e (site license), as licenses, are attempts to remove any ambiguity in the copyright law by creating an enforceable contract between the rights holder and the user. Such contracts may attempt to impose other desires
29The term "free" in quotation marks is used as a way of acknowledging that there are always costs associated with the products and services being given away, costs that must be paid somehow. Free software is paid for by the time of the individuals who create it; the cost of producing and distributing free samples is often built into the price of the full product; government information is paid for by taxes, and so on.
of the rights holder through the terms in the contract. While nominally clearer, licenses are frequently ignored, not understood, or simply unknown to the end user, or otherwise fail to satisfy all parties. Model 1f (payment per electronic use) is a fee for service that may be implemented through either sale or licensing models.
Business models that include advertising (Models 2a and 2b) add more balance to the revenue stream. Subscription prices are held down or eliminated because a large number of qualified recipients helps to ensure advertising revenues. Intellectual property concerns may be related more to illegal reproduction and framing; for example, it is important to ensure that users come to the rights holder's Web site so that advertisements are viewed by users as the rights holder intended. There is less concern about unauthorized access when the sole income is from advertising. Many Web sites of this type require user registration as a way to identify viewers to advertisers, but for many others, simply counting page views or some other measure of traffic is sufficient.
In the free distribution business models (Models 3a through 3e), reproduction is generally not an issue: Except for the case where use of intellectual property is tied to the purchase of some other product, the information owner is clearly seeking as widespread a dissemination as possible by giving free access. The principal intellectual property concerns here relate to preservation of the integrity of the information, proper citation if someone else uses the information, and the prevention of commercial use of the material by unauthorized users.
Less Traditional Business Models
A variety of other business models have been explored in an attempt to confront the IP difficulties encountered in the digital world. Some of these are derived from models used for traditional products, while others appear to be unique to the world of information products. Eight of these less traditional business models are described below:
1. Give away the information product and earn revenue from an auxiliary product or service. Examples of auxiliary products: Free access to an online newspaper in exchange for basic demographic data; the revenue-generating auxiliary product is the database of information about readers. Free distribution of (some) music because it enhances the market for auxiliary goods and services associated with the artist (attendance at concerts, T-shirts, posters, etc.). Example of auxiliary service: The Linux operating system is distributed for free; the market is in services such as support, training, consulting, and customization.
2. Give away the initial information product and sell upgrades. Example:
Antivirus software, where the current version is often freely downloadable; the revenue-generating product is the subsequent updates (along with support service).
3. Extreme customization: Make the product so personal that few people other than the purchaser would want it. Examples: Search engine output, personalized newspapers, and personalized CDs. MusicMaker will create a CD containing the tracks exactly in the sequence specified by a customer.30
4. Provide a large product in small pieces, making it easy to browse but difficult to get in its entirety. Examples: Online encyclopedias, databases, and many Web sites.
5. Give away digital content because it complements (and increases demand for) the traditional product. Examples: The MIT Press and the National Academy Press make the full text of some books and reports available online; this has apparently increased sales of the hard-copy versions.
6. Give away one piece of digital content because it creates a market for another. Examples: The Netscape browser was freely distributed in part to increase demand for the company's server software; Adobe's Acrobat Reader is freely distributed to increase demand for the Acrobat document preparation software.
7. Allow free distribution of the product but request payment (perhaps offering additional value in the paid-for version). Example: Shareware. Where shareware versions have time-limited functionality or are incomplete demonstration versions, this is quite similar to the "free sample" model above.
8. Position the product for low-priced, mass market distribution. Examples: Microsoft Windows ('95 and '98).
These examples illustrate that far more than immediate production costs enter into pricing decisions. They also demonstrate the trend of relating pricing and other decisions to efforts to develop relationships with customers.
Intellectual Property Implications of Less Traditional Business Models
These less traditional models all reduce the need for enforcement of intellectual property protection against reproduction. The first two do it by foregoing any attempt to generate revenue from the digital content, using it instead as a means of creating demand for services or physical
30MusicMaker is available at <http://www.musicmaker.com>.
products, neither of which is subject to the replication difficulties of digital products. Giving away digital content as a complement to a traditional product works because reading information online is still awkward and because most people are not willing to print out a multi-hundred-page book.31 Selling upgrades relies on the relatively short shelf life of the original product; antivirus software is typically upgraded every 3 months. Extreme customization renders moot any need for enforcing IP protection, because only the original purchaser is interested in the product. Parceling out the product in small pieces simply makes it difficult to copy the entire product, in part restoring a barrier to infringement that comes naturally with physical products.
Giving away one digital product to promote another reduces the need for IP enforcement for the product given away, but it of course does little to reduce the need for IP enforcement for the charged-for product. One related strategy is to differentiate individuals from organizations. For example, Netscape and Adobe give away programs that individuals use, in order to sell the (more expensive) programs purchased by organizations. This approach takes advantage of the comparative ease of enforcing IP rights against organizations as compared to detecting and prosecuting infringement by individuals. It also capitalizes on the expectation that organizations may generate use that is valuable enough for them to pay for the product and recognizes that organizations also have processes and resources to comply more easily with IP laws and license agreements.
Free and low-cost mass market distribution are in the spirit of making the product cheaper to buy than to steal. It is worth noting that stealing an information product or service typically comes at a cost: An individual must expend the time, effort, and expense needed to obtain the product or service through infringing means and faces possible downstream costs, such as refusal of technical support. When these costs (i.e., the price to buy versus the total cost to steal) converge, the need for IP enforcement clearly diminishes.
Business Models as a Means of Dealing with Intellectual Property
As the variety of models above illustrates, business model design and selection can play a significant role in grappling with questions of IP protection. The choice of a model has significant consequences for the role that IP rights enforcement will play and, importantly, models are available that require far less enforcement. Hence, one approach to IP
31This situation, of course, may eventually change as a result of technological developments that improve the usability of online reading. One such ongoing effort is the activity surrounding electronic books.
rights in a world where digital content is difficult to control entails selecting a business model that does not require strict control.
Relying on a business model rather than a technical protection mechanism may also offer some leverage on the difficulty described in Chapter 1. With the emergence of computers and networking into the mainstream of daily life, attempting to enforce IP rights increasingly involves the difficult task of controlling private behavior. Where IP enforcement has historically been an issue between corporations, and has historically regulated public acts, the vastly increased means and opportunity for using (and abusing) IP in the hands of individuals has led to increased concern with the private actions of individuals. Where such private actions are concerned, detection and enforcement are more difficult, making the law a less effective tool. Technical protection mechanisms may help in such circumstances by making illegal or unauthorized actions more difficult, but the selection of an appropriate business model can reduce the motivation for those actions in the first place.
There are, of course, limits to the applicability of these models. Some properties, such as first-run movies, are unlikely ever to be given away, simply because of their high value. In that case other means of dealing with IP issues become more relevant, such as technical protection mechanisms (e.g., as in DVD) or perhaps not making any digital versions of the intellectual property available to consumers.
In formulating a plan for the commercial distribution of intellectual property, then, the rights holder is well advised to consider all three factors: exploring what boundaries are set by the law, what technical protections are practical and cost-effective, and how the business model will produce revenue. The law sets the foundational context in which the other two must function, drawing the boundaries that specify both what legal protection exists against unauthorized reproduction, distribution, and use, and what limits there are on the rights holder's monopoly (e.g., provisions for public access or time limitations on the term of protection). Technical protection mechanisms and business models can then play complementary roles in grappling with the difficulties of distributing IP content in digital form, each capable of reducing the degree of "leakage" of the product.
All three factors interact. Technology influences the selection of a business model: Any technical protection mechanism has both costs and benefits; it costs the producer to implement and may be a nuisance for the customer (as, for example, nonstandard floppy disks were), but may also pay off in lower rates of illegal copying. IP law also influences business model selection; for example, the limited duration of copyright protection must be considered in developing the business model.
And, in some cases, the selection of a business model may obviate the need for technical protection.
Selecting a business model for an information product is difficult in part because of the curious economics of information products. Appendix D discusses this in some detail; this section summarizes a few observations that have consequences in the marketplace and for the selection of a business model.
The duration of economic value varies over an extraordinary range, from a stock market quote (one minute or less) to a classic play (e.g., timeless Greek tragedies), but generally the economic value of most works is far shorter than the standard period of copyright protection. However, while duration of value is often short (sometimes fleeting), changes in value over time can be quite unpredictable. The novel Moby Dick was valueless when published; today's best-sellers may soon be. Today's news is valuable, yesterday's nearly worthless, while the news of 100 years ago is valuable again.
Curiously, there is value in both scarce information and in widely disseminated information. Scarcity confers obvious value. Consider the stock tip known by few others. But wide dissemination of information can produce value as well. Consider network effects in software, where the value of a program increases as more people use it, particularly as it approaches the status of a standard.
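The network-effect point can be made concrete with a small numerical sketch. All numbers and the simple linear value function below are hypothetical, chosen only for illustration:

```python
# Hypothetical sketch of a network effect: the value of a program to one
# user is a fixed standalone benefit plus a benefit that grows with the
# number of other users (e.g., people with whom files can be exchanged).

def value_per_user(users: int, standalone: float = 10.0,
                   per_peer: float = 0.01) -> float:
    """Value to a single user when `users` people use the program."""
    return standalone + per_peer * (users - 1)

print(value_per_user(1))        # alone, only the standalone value: 10.0
print(value_per_user(100_001))  # near-standard status: roughly 1010
```

Under this (invented) function, a program with 100,000 other users is worth about a hundred times more to each user than the same program used in isolation, which is why wide dissemination can itself be a source of value.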
For digital information products, there are large first-copy costs and almost negligible production and distribution costs. Particularly in the absence of IP protection, this can produce a very sharp decline in product value over time, as it becomes an easily copied commodity.
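This cost structure can be sketched with invented numbers to show why average cost, and hence the sustainable price in an unprotected market, collapses toward the near-zero marginal cost as volume grows:

```python
# Illustrative cost structure of a digital information product:
# a large one-time first-copy cost and a near-zero cost per copy.
# All figures are hypothetical.

FIRST_COPY_COST = 1_000_000.0   # authoring, editing, mastering, etc.
MARGINAL_COST = 0.05            # per-copy reproduction and distribution

def average_cost(copies: int) -> float:
    """Total cost per copy at a given volume."""
    return (FIRST_COPY_COST + MARGINAL_COST * copies) / copies

print(average_cost(1_000))       # about 1000.05 per copy at small volume
print(average_cost(10_000_000))  # about 0.15 per copy at mass-market volume
```

At small volumes the first-copy cost dominates; at mass-market volumes the average cost approaches the marginal cost, so an unauthorized copier who bears no first-copy cost can undercut the legitimate price almost arbitrarily.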
A few generalizations are available about selecting business models to deal with IP issues. As a general observation, business models in which intellectual property can be widely disseminated at low cost are more successful in addressing intellectual property problems than are businesses that rely on higher prices and a small number of units distributed. The reasons are straightforward: If the cost of reproduction or piracy is high relative to the cost of acquiring the work legitimately, intellectual property problems will be less serious. Examples include newspapers, magazines, and paperback books.
More interesting, perhaps, is finding ways to permit low-cost distribution. The mass communication media have been the most successful because they make use of advertiser support to cover most or all of the cost of production and distribution, a model widely adopted on the Web. The use of rental markets as in videos (and formerly books) works well where such markets are feasible. The use of intellectual property to promote the use of other products (e.g., free browsers to promote Web traffic)
is one of the few successful models available of widespread distribution of a digital information product for (very) low cost.32
It is no wonder that the ones most concerned about protection are the producers of intellectual property of high value that is distributed in relatively small quantities. Many high-end professional software packages, for instance, still require a dongle for use, and providers of specialized business information frequently use intranets and extranets protected by passwords in order to keep control of their content.
There is reason to approach doing business on the Web or in other electronic forms with some optimism, for there are a variety of business models to consider. As pointed out by Shapiro and Varian (1998), the goal for commercial information creators and owners is to maximize revenues, not protection. Business models will continue to evolve with the maturation of digital products; their careful design and selection may help to create effective ways to do business in the information world.
Illegal Commercial Copying
The U.S. industries that produce and sell copyrighted products constitute a significant part of the U.S. gross domestic product (GDP) and trade with other nations. It is therefore not surprising that the affairs of these industries and the issues they are concerned with attract considerable attention. One of these issues is the definition of illegal copying and the enforcement of the rules against it. A particular focus is illegal commercial copying, that is, piracy.33 Extensive data are collected and information reported under the auspices of the International Intellectual Property Alliance (IIPA) and its constituent member trade associations, including
32The model has not been uniformly successful of course. Despite vast numbers of MP3 files that have been downloaded and traded, there is as yet little systematic evidence that this has benefited more than a very few of the artists in question through increased CD sales.
33A briefer at the committee's July 9, 1998, meeting cited her favorite example:
This very cheesy CD, which costs $10 in Hong Kong, includes Windows '95, Office Professional, Microsoft Project, Microsoft Money, Microsoft Works, Norton Antivirus, Norton PCAnywhere, Omni Page, Quark Xpress, Photoshop, Pagemaker, Netscape Communicator, Front Page, Internet Explorer, NetObjects Fusion, Internet Phone, Eudora, McAfee Virus Scan, WinFaxPro, and Winzip Final. All for ten bucks. The street price [the selling price that most customers pay for a product] for this collection of software was $4,415 at the Egghead Online Store.
Even though some of the programs on this list are available for free (e.g., WinZip, Netscape Communicator, Internet Explorer), the prices quoted by a major discount software supplier for the rest still totaled over $4,000 in July 1999.
the Association of American Publishers (AAP), American Film Marketing Association (AFMA), Motion Picture Association of America (MPAA), National Music Publishers Association (NMPA), Business Software Alliance (BSA), Interactive Digital Software Association (IDSA), and Recording Industry Association of America (RIAA), as well as industry trade associations outside of the IIPA, such as the Software and Information Industry Association (SIIA).34
These trade associations and other groups representing rights holders publish figures intended to demonstrate the huge dollar cost of infringement of U.S. IP rights that occurs both domestically and abroad. These figures are invariably impressive and are often cited as authoritative in newspaper articles or congressional hearings. The total contribution to the GDP of the United States represented by the copyright industries and the potential economic significance of global copyright infringement that detracts from these industries are substantial and disturbing. For example, one widely publicized IIPA report published in 1998 estimated that in 1996 the total (not just core) copyright industries accounted for $433.9 billion in value added, or 5.68 percent of the U.S. GDP, and that those industries employed over 6.5 million people, or 5.2 percent of the U.S. workforce.35 In 1996, the core copyright industries alone were estimated to account for $278.4 billion of the U.S. GDP, or 3.65 percent of the total.36 The IIPA estimates U.S. losses due to foreign piracy for the core copyright industries to be approximately $12.4 billion annually; losses resulting from domestic piracy make the total even greater.37
Notwithstanding the extensive amounts of data and information made available by these trade associations, some committee members believe there are reasons to question the reliability of some of the data claiming to measure the size of the economic impact of piracy. The committee considers here some of the issues that arise in collecting and analyzing such data, in part to inform the reader about those issues, and in part as the basis for a recommendation about how such information might reliably be assembled and analyzed. In exploring these issues, the committee takes a strictly economic view, focusing on profits lost from piracy. Lost profits are not the only cost of piracy, nor are the economic consequences the only rationale for enforcing antipiracy laws. But the figures widely circulated by trade organizations are intended to be economic analyses of profits lost, hence it is appropriate to explore these figures and their methodology from a strictly economic viewpoint.
34The Web sites of many of these organizations contain both extensive statistical data on copyright infringement and a description of the methodology utilized to generate their estimates of piracy rates and economic loss (e.g., IIPA data, at <http://www.iipa.com/homepage_index.html>; AAP data, at <http://www.publishers.org/home/issues/index.htm>; AFMA data, at <http://www.afma.com>; MPAA data, at <http://www.mpaa.org/anti-piracy/content.htm>; NMPA data, at <http://www.nmpa.org>; BSA data, at <http://www.bsa.org>; IDSA data, at <http://www.idsa.com/piracy.html>; RIAA data, at <http://www.riaa.com/newtech/newtech.htm>; and SIIA data, at <http://www.siia.net>).
35The "core" copyright industries are those that create copyrighted products, whereas the wider set of "total" copyright industries includes those that distribute or depend on copyrighted products. Some members of the committee have expressed skepticism about the accuracy of balance-of-trade statistics, fearing they may be influenced by political agendas. However, even if somewhat overstated, there is no doubt that the copyright industries' export value makes a significant positive contribution to the balance of trade.
One concern is that those who read figures of the sort found in the IIPA report may infer that all or most of the copyright industries' contribution to the GDP depends on copyright policy that protects works to at least the current degree and that perhaps the contribution now requires still greater copyright protection as a consequence of digital information and networks. However, within the economics community, the specific relationship between the level of IP protection and revenue of a firm in the copyright industries is unclear.38
A second problem is the accuracy of estimates of the costs of illegal copying. A number of difficulties arise here. One difficulty is that the needed data have to be based on extrapolation from very limited information, because illegal sales and distribution are frequently private acts. A second difficulty is determining the extent to which illegal copies are displacing sales. One widely quoted study, by the SIIA, estimates the number of illegal copies and then derives the net loss to the industry by assuming that each illegal copy displaces a sale at standard market prices39 (other studies appear to rely on more complex formulations). This approach is problematic because it is unlikely that each illegal copy displaces a sale at the market price (some people will buy at the pirate price but not the legal market price) and because it estimates reduction in gross revenues rather than net loss to the copyright industries (see Box 5.4). Consequently, these estimates may be taken to represent an upper bound on the reduction in gross revenues by these industries.
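The displacement assumption behind such estimates can be stated in a few lines of code. The figures below are hypothetical, and the one-for-one displacement rate is precisely the assumption that makes such estimates an upper bound:

```python
# Sketch of a displacement-based piracy-loss estimate (hypothetical numbers).

def estimated_loss(illegal_copies: int, market_price: float,
                   displacement_rate: float = 1.0) -> float:
    """Revenue assumed lost: each illegal copy displaces a legitimate
    sale with probability `displacement_rate`."""
    return illegal_copies * market_price * displacement_rate

# One-for-one displacement, the upper-bound assumption described above:
print(estimated_loss(1_000_000, 300.0))

# If only 20% of infringers would have bought at the legal price,
# the estimate shrinks fivefold:
print(estimated_loss(1_000_000, 300.0, 0.2))
```

The sketch shows how sensitive the headline number is to the displacement rate, a parameter that is rarely known and, in the one-for-one form, yields gross revenue rather than net loss.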
There is, as shown in Box 5.4, disagreement about the economic impact of piracy on the copyright industries. It is clear, however, that there
38See, for example, Shy (1998) and the works cited in that article.
39Testimony at the July 9, 1998, committee meeting by a representative of the Software Publishers Association (now SIIA) indicated that they did this when calculating piracy estimates. In addition, the BSA/SIIA's 1999 Global Software Piracy Report indicates that this is still the approach: "By using the average price information from the collected data, the legal and pirated revenue was calculated. This is a wholesale price estimate weighted by the amount of shipments within each software application category" (p. 12). Pirate revenue is then taken to be equivalent to a loss to the legal sellers.
are significant losses that, if avoided, might result in increased production. It is also clear that uncontrolled digital dissemination could have very serious repercussions for the copyright industries.
A number of committee members conclude that, despite the extensive statistics available, there is a paucity of reliable information of the quality that might be generated if the subject were investigated by a disinterested third party. They conclude that such information is sorely needed.
However, even given the caveats above concerning methodology, the committee believes that the available information suggests that the volume and cost of illegal copying is substantial.
Although this section is concerned with the economics of piracy, the committee also believes that, regardless of whether the extent of illegal copying is financially significant to all industries that produce copyrighted products, the laws against illegal copying should be strictly enforced. Economic harm, after all, is not the only reason for enforcing copyright protection (or any other law with economic consequences). In a 1983 address and article, "The Harm of the Concept of Harm in Copyright," David Ladd, then the United States Register of Copyrights, expressed the following view: "The notion of economic 'harm' as a prerequisite for copyright protection is mischievous because it disserves the basic constitutional design which embraces both copyright and the First Amendment." Mr. Ladd argued for recognition of the fact that copyright protection is a sine qua non of a civilized society and, accordingly, merits recognition independent of economic impact.
This view is not unanimously endorsed by the committee, as some committee members believe that the constitutional provision authorizing intellectual property laws was meant to serve strictly instrumental purposes. Even so, the committee as a whole recognizes that many creators believe that their works, as expressions of their individuality, deserve to be protected and controlled by rights holders, quite independent of the economic consequences. Because people differ in the weight they give to this argument, the committee believes that copyright policy will never be resolved solely by appeal to facts about its economic effects.
Despite the difficulty of finding a universally accepted copyright policy, the committee believes that it is important to conduct research in an attempt to better assess the social and economic impact of both commercial illegal copying for profit and noncommercial personal-use copying.40 The committee believes that reducing the current state of uncertainty about the impact of these various phenomena will be important to policy makers and entrepreneurs. Clearly, there are multiple phenomena at work in both the commercial and noncommercial copying spheres, and perhaps there are differing behaviors among different demographic groups, geographic locations, and even cultures.41 These multiple phenomena may include how much the difficulty of making the illegal copy affects the frequency of copying, the effect on consumer decision making of the price and availability of legitimate copies, the personal sense of the moral or ethical dimensions of the copying involved, the degree of law enforcement or legal scrutiny directed at the behavior, peer group or social opprobrium or encouragement, and so on. Society needs to understand better what these multiple phenomena are and how they operate in the real world, so that appropriate responses can be formulated.
40The rationale for greater research on noncommercial copying for personal use is discussed in Chapter 4. The issue is raised here because the two spheres interact. For example, social norms and the easy availability of other copying alternatives (e.g., from a friend) affect an individual's likelihood of purchasing an illegal commercial copy.
The Impact of Granting Patents for Information Innovations
Historically, information innovations have been excluded from the purview of patent law, based on a notion that Congress had meant for only industrial processes to be patented. Documents were deemed unpatentable, as were improved ways for calculating, organizing information, and managing organizations. However, a great deal has changed in recent years, and it seems that nearly all information innovations may now be patented, as long as they meet the patent law's requirements for novelty, nonobviousness, and utility and can be precisely defined in claims.
Computer software was the first digital information product to challenge the traditional interpretation of patent concepts because of its dual nature as both a literary work (the textual source code) and a machine (i.e., a useful device). Programs have a dual nature because they are textual works created specifically to bring about some set of behaviors. They have been characterized as "machines whose medium of construction happens to be text" (Samuelson et al., 1994).42
41For example, see Chapter 1, Box 1.6, "A Copyright Tradition in China?"
42See Intellectual Property Issues in Software (CSTB, 1991b) for a greater articulation of the issues and implications concerning the use of the patent regime for software.
The "printed matter" and "mental process" rules were initially invoked to deny patent protection to computer software, as on occasion was the "business method" rule. In its 1972 Gottschalk v. Benson decision, the U.S. Supreme Court ruled that an innovative method for transforming binary coded decimals into pure binary form could not be patented, even though the patent applicant intended to carry out the method by computer and one of the two claims before the Court was limited to computer implementations.43 Drawing on the "mental process" line of cases, the Supreme Court announced that mathematical algorithms could not be patented. One factor that clearly disturbed the Court about the prospect of patenting the Benson algorithm was that a patent would preempt all uses of it, apparently including even the teaching of it. In 1978, the Supreme Court in Parker v. Flook denied patent protection for an algorithm useful for calculating "alarm limits" (i.e., dangerous conditions) for a catalytic converter plant.44 The Court did not think that this algorithm, any more than the Pythagorean theorem or any other purely mathematical method, could become patentable merely because it might be applied to a particular useful end.
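The conversion at issue in Benson is easy to state in modern terms. The sketch below is an illustrative Python rendering of BCD-to-binary conversion using simple arithmetic; the actual Benson claims described a register-level shift-and-add procedure, so this is a simplified illustration rather than the claimed method itself.

```python
def bcd_to_binary(bcd_digits):
    """Convert a sequence of BCD digits (one decimal digit per
    4-bit group) into an ordinary binary integer."""
    value = 0
    for digit in bcd_digits:
        if not 0 <= digit <= 9:
            raise ValueError("not a valid BCD digit")
        value = value * 10 + digit  # accumulate in pure binary
    return value

# BCD groups 0001 1001 0111 encode decimal 197
print(bin(bcd_to_binary([1, 9, 7])))  # 0b11000101
```

Any such rendering makes concrete why the Court worried about preemption: a patent on the conversion itself would read on every implementation of it, however expressed.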
The turning point in the long struggle over patents for information inventions came with the Supreme Court's 1981 decision in Diamond v. Diehr, which upheld the patentability of an improved rubber curing process, one step of which required a computer program.45 Because Diehr involved a traditional technological process and had so deeply divided the Court, patent administrators and the courts continued to struggle over how broadly to construe the Diehr decision.
In the late 1980s, the tide turned in favor of patents for computer-program-related inventions because of their technological character. Source code listings might still be regarded as unpatentable under the printed matter rule, but as soon as a program has been put in machine-readable form, recent precedents would seem to regard it as patentable subject matter.
Most recent program-related patents are, however, for more abstract design elements of programs. In the late 1980s and through the 1990s, it became increasingly common for courts to uphold patents for data structures, applied algorithms, information retrieval, and business methods carried out by computer programs. The denouement of the legal controversy over software-related patents in the courts and in the U.S. Patent and Trademark Office (PTO) may be the U.S. Supreme Court's decision in early 1999 not to review the State Street Bank decision, in which the Court of Appeals for the Federal Circuit had upheld a patent attacked on the grounds that its claims covered an algorithm and a business method. Nonetheless, patents continue to be controversial in the information technology industry (Box 5.5).
43Gottschalk v. Benson, 409 U.S. 63, 34 L. Ed. 2d 273, 93 S. Ct. 253 (1972).
44Parker v. Flook, 437 U.S. 584, 57 L. Ed. 2d 451, 98 S. Ct. 2522 (1978).
45Diamond v. Diehr, 450 U.S. 175, 67 L. Ed. 2d 155, 101 S. Ct. 1048 (1981).
In State Street Bank and Trust Co. v. Signature Financial Group, the U.S. Court of Appeals for the Federal Circuit issued an opinion that has been widely regarded as vastly increasing the scope of patent protection available for software,46 and that led the PTO to begin issuing a number of quite broad patents covering methods for conducting business. In the State Street case, the patent in question covered a "hub and spoke" computerized business system, which allowed mutual funds (spokes) to pool their assets into an investment portfolio (the hub). The court held that the calculation by a machine of a mathematical formula, calculation, or algorithm is patentable if it produces a "useful, concrete and tangible result." In reaching this conclusion, the court rejected what it termed "the ill conceived [business method] exception" to patentability.
46State Street Bank and Trust Co. v. Signature Financial Group, 149 F.3d 1368, 47 U.S.P.Q.2d 1596 (Fed. Cir. 1998).
Patents issued in the wake of State Street that attracted widespread public attention include Patent No. 5,794,210, issued to Cybergold, an online Internet marketing company, which covers the practice of paying consumers to view advertisements on the Internet. Other examples include a patent issued to Priceline.com covering reverse auctions (which allow potential purchasers to specify the items they wish to buy and the terms on which they are willing to purchase, and then allow Priceline to find a seller) and a patent covering a method for embedding Web addresses in e-mail and news group postings (see Box 5.6).
The effects of this substantial de facto broadening of patent subject matter to cover information inventions are as yet unclear. Because this expansion has occurred without any oversight from the legislative branch and takes patent law into uncharted territories, it would be worthwhile to study this phenomenon to ensure that the patent expansion is promoting the progress of science and the useful arts, as Congress intended.
There are many reasons for concern. The first is that the U.S. Patent and Trademark Office lacks sufficient information about prior art in the fields of information technology, information design, and business methods more generally to make sound decisions about the novelty or nonobviousness of claims in these fields.47
47On August 31, 1993, the PTO issued U. S. Patent Number 5,241,671 for a multimedia search system to Compton's NewMedia. Not long after the patent was issued, Compton's announced at the Comdex trade show in the fall of 1993 that it had acquired the patent and intended to enforce it and to collect royalties and licensing fees from independent and third-party multimedia developers who utilized a multimedia search system claimed in the Compton's patent. On December 17, 1993, the Commissioner of Patents and Trademarks, in the wake of numerous multimedia developers' complaints about the Compton's patent, took the fairly unusual step of requesting reexamination of the patent. Third parties submitted new prior art references to assist the PTO in determining whether there was a substantial question as to the patentability of the 41 claims granted under the patent. The PTO's examination concerned the issue of whether the 41 claims filed in the patent application were novel and not obvious to someone skilled in the relevant art. The PTO concluded that Compton's claimed inventions had been disclosed or taught in prior art references, and, accordingly, on November 9, 1994, the PTO issued a press release announcing it had formally canceled all 41 claims granted in the Compton's patent. Many commentators believe the Compton's case strongly underscores their concerns regarding the qualifications of the PTO to effectively evaluate prior art in the information technology field.
A related concern is the insufficient number of adequately trained patent examiners and inadequate patent classification schemata to deal with this new subject matter. The success of the patent system in promoting innovation in a field depends on the integrity of the process for granting patents, which in turn depends on adequate information about the field. Serious questions continue to exist within the information technology field about the PTO's software-related patent decisions. A number of legal commentators have pointed out that allowing these kinds of patents potentially makes concepts, not technology, the protectable property of the patent holder, "allow[ing] virtually anything under the sun to win patent protection."48
48See, for example, Goldman (1999), Scheinfeld and Bagley (1998), Sandburg (1998), and Sullivan (1999).
Second, the tradition of independent creation in the field of computer programming may run counter to assumptions and practices associated with patents in their traditional domains. When someone patents a component of a manufactured system, for example, it will generally be possible for the inventor to manufacture that component or license its manufacture to another firm and reap rewards from the invention by sale of that component. Rights to use the invention are cleared by buying the component for installation into a larger device.
But there is little or no market in software components. Programmers routinely design large and complex systems from scratch. They do so largely without reference to the patent literature (partly because they consider it deficient), although they generally respect copyright and trade secrecy constraints on their work. With tens of thousands of programmers writing code that could well infringe on hundreds of patents without their knowing it, there is an increased risk of inadvertent infringement.49 An added disincentive to searching the patent literature is the danger that learning about an existing patent would increase the risk of being found to be a willful infringer. The patent literature may thus not be serving for the software world one of its traditional purposes: providing information about the evolving state of the art. Much the same could be said about the mismatch between patents and information inventions in general.
Third, although patents seem to have been quite successful in promoting investments in the development of innovative manufacturing and other industrial technologies and processes, it is possible that they will not be as successful in promoting innovation in the information economy. One concern is that the pace of innovation in information industries is so rapid, and the gears of the patent system are so slow, that patents may not promote innovation in information industries as well as they have in the manufacturing economy. The market cycle for an information product is often quite short (18 months is not unusual); thus, a patent may well not issue until the product has become obsolete. If information inventions continue to fall within the scope of patents, then, at a minimum, the patent cycle time needs to be improved significantly. Patent classification systems for information innovations may also be more difficult to develop and maintain in a way that will inform and contribute to the success of the fields they serve.
One final reason for concern is that developing and deploying software and systems may cease to be a cottage industry because of the need for access to cross-licensing agreements and the legal protection of large corporations. This in turn may have deleterious effects on the creativity of U.S. software and Internet industries.
49This is in contrast to the copyright framework, where infringement requires a demonstration that some (conscious or unconscious) plagiarism has occurred. For example, independent creation is a defense. Two people could write original but very similar stories (or programs) independently; both would be copyrightable, and neither would infringe upon the other, because the standard for copyright protection is originality, not novelty. Thus an author is not responsible for knowing the entire corpus of literature still within copyright so as not to infringe on it.