1. Field of the Invention
The present invention relates to electronic commerce. More specifically, the present invention relates to a data rights management system and method for controlling access to data on the Internet.
2. Discussion of the Related Art
Since the advent of the Internet and the World Wide Web, electronic commerce, or e-commerce as it is commonly referred, has received increased attention as a mechanism for sellers and buyers to transact business in virtual stores.
Many types of businesses readily lend themselves to e-commerce. Certain businesses, such as mail-order businesses, merely transformed their paper catalogs to electronic web sites. Consumers are able to “surf” the web site viewing the businesses products and subsequently making purchases through a telephone operator or directly through the Internet. In some cases, consumers are able to place their prospective purchases in a “shopping cart” while they navigate the web site for later settlement.
Businesses dealing in intellectual property or information have been slow to move their businesses to the Internet for good reason. These types of businesses include, for example, the entertainment industry, the database industry, and any other industry in the business of selling “information.” The entertainment industry incurs considerable expense to produce and market its product, e.g., music, motion pictures, etc. The database industry incurs considerable expense to gather information, organize it and store it in an accessible manner. Both of these industries are interested in protecting their investments in their respective properties and have been unwilling to merely place it on the Internet where it can be easily transferred among consumers with little regard to the owner's intellectual property rights. Some industries, particularly those dealing in information databases, may not yet exist simply because the cost of gathering the information exceeds the expected return.
Various solutions have been developed to “secure” the information using protection mechanisms including encryption. Secured or protected information cannot be accessed through normal means or casual computer access. In order to access the information, consumers must purchase the rights to the information. Once the rights are purchased, consumers are given a password, key, and/or an electronic device whereby the information can be accessed. In theory, only the consumer that purchased the rights to the information can use or access the information.
Many schemes have been developed to secure the information. One scheme uses a protected container. The information, or “content” as it is referred to herein, is placed in the container along with “access rules” governing the steps that must be taken in order for a consumer to access the content. The container is represented as a data stream, generally in a file, located on media such as a CD-ROM or magnetic diskette. The content may vary from a database or collection of databases to a piece or collection of music or other literary works to motion pictures as well as a host of other digital content. The content is protected in the container so that a consumer cannot access the content unless the proper rights have been obtained. The access rules describe the circumstances under which the consumer may access the protected content.
In this scheme, the access rules define the consumer's ability to access the content. For example, the access rules may define the cost of each piece of content, whether this cost is a one time payment or a payment for the amount of use of the content (i.e., by time or number of accesses), and what access the consumer has including viewing, copying, printing, etc. The access rules may also define who the consumer must pay and how this payment is to occur.
This system includes a rights enforcement engine that interacts with the container to access the content. Only the enforcement engine can access the content and transform it from a protected state to one accessible by the consumer. The enforcement engine retrieves the access rules from the container and evaluates them to determine whether the consumer has rights to the content. The enforcement engine may require the consumer to perform particular acts in order to obtain rights to the content as governed by the access rules.
A significant problem associated with the scheme described above is that the access rules reside in the container with the content. This makes it very difficult for a content provider (i.e. a content producer) or a web retailer (i.e., a content retailer) to alter the access rules once the containers have been released. Thus, the content providers or retailers are unable to offer discounts or offer special limited access to the content unless these promotions were considered at the time the container was created. Having the access rules in the container is not a practical solution to today's rapidly changing business environment. Moreover, development of various solutions and protection schemes has led to compatibility problems between schemes.
The importance of data rights management has caused a proliferation of incompatible solutions for protecting content throughout the industry. Examples of incompatible solutions are available from Intertrust™, Microsoft™, Adobe Systems™, Preview Systems™, Xerox Corporation™, and IBM™. Each solution is based on a different data rights management model, or architecture. Since each of the data rights management architectures is different, content protected in accordance with one architecture cannot be accessed with another. In some cases, a data rights management architecture is specific to a type of content, such as music, video or literary works.
Moreover, data rights management architectures include more than just accessing content. Content providers, or packagers, protect content by “wrapping it” in containers, in a process called packaging. Each data rights management architecture implements its own process for packaging, often with proprietary encryption and access methods. Content packaged within one data rights management architecture, therefore, is incompatible with another data rights management architecture. Consumers wishing to gain access to protected content, therefore, must utilize the system of the particular data rights management architecture that packaged the content.
Incompatible data rights management architectures pose a number of significant problems to distribution of content. Currently, each data rights management architecture requires a separate system for packaging content and distributing rights to the content. Content providers and content packagers using multiple data rights management architectures, such as when packaging music and information content, are forced to use multiple systems. When the number of different data rights management architectures and pieces of content is large, the process and management of packaging becomes difficult and unwieldy. Additionally, duplicating DRM architecture systems and storage is expensive and inconvenient.
Conventionally, each data rights management architecture requires its own separate system to grant rights to consumers. When attempting to access content, a consumer must be granted rights by a system corresponding to the originally protected content. Separate, independent systems essentially prohibit the central management of rights to content protected with incompatible data rights management architectures. With the growing number of data rights management architectures, content types, consumers and the amount of content available, granting access to protected content has become a very difficult task.
Incompatible data rights management architectures make commercial distribution of rights to protected content difficult. In particular, management of transactions, tracking and auditing of rights to content becomes very difficult. Moreover, if a transaction becomes corrupt, or a consumer has somehow lost the ability to access the content, reconstruction of the transaction across multiple data rights management is difficult at best.
Other problems exist with respect to data rights management systems, some of which are discussed in further detail below. Accordingly, what is needed is a system and method to integrate multiple, incompatible data rights management architectures that allow access rules to content to be defined outside the container.