Electronic content can include a wide variety of audio and/or video presentations, such as music, dialogue, still pictures, movies, and the like. A client device can include a wide variety of electronic devices, such as an MP3 player, a personal data assistant (PDA), a cellular phone, and the like. Rights enforcement involves defining how content can be used on a client device. For instance, rights information associated with a piece of content may permit rendering the content, but not copying or distributing the content.
Rights information is often closely tied to usage information. For instance, rights information may define that a piece of content can be played a particular number of times or for a certain duration. In which case, the content's usage may be tracked so that the rights limitation can be enforced. Similarly, a variety of business models can be designed around usage. For instance, with a pay-per-play business model, a user or distributor may pay royalties or license fees based on the number or duration of plays. In which case, the usage information may need to be reported from the client device to a server device.
In order to enforce content rights, the rights and/or usage information needs to be protected in some way. If the information is not protected, a user could, for instance, modify the information to improperly grant himself or herself additional rights or reset the number of plays. Protecting rights information usually involves encrypting the rights information. As long as the rights information is encrypted, the information is unreadable. Encryption, however, relies on secret keys, making encryption only as secure the security measures surrounding the code.
Security of usage reporting is often handled in one of two ways. In one approach, the client device can perform the encryption and decryption itself. In which case, the client device usually needs an application program interface (API) to manage communications with an external device. For example, if a client device stores the rights and/or usage information in encrypted form, a server device may need to establish communications with the client device through an API. The API may be able to receive and process a variety of requests from the server device. In response to a request to report how many times a particular piece of content has been played, the client device may decrypt the usage information and deliver it to the server through the API in a format that the server device can understandable.
Many client devices, however, are intended to be quite simple and inexpensive, lacking the resources to provide an API that can manage content and external communications, which leads to the second commonly used security approach. These simple client devices often rely on an external device, such as a server, to provide security of usage reporting. Unfortunately, externally managed security is ripe for abuse. That is, when the secret, or cryptographic key, is known outside the client device, a persistent user is likely to be able to find it.