PGP CTO Blog

Digital Rights Management in 2003 and beyond
24 Oct 2003

With Office 2003, Microsoft has introduced integrated digital rights management (DRM) software, which it calls Information Rights Management (IRM). This feature allows the creator of a document to control what someone who opens the document can do with it, such as printing, forwarding, and even reading it. Furthermore, these permissions can be changed by having Office 2003 on the reader's computer check over the network with the owner's Windows server to see if the requested use is permitted.

A number of people have asked if PGP® products work with Office 2003's rights management. They do. PGP products (including PGP Universal™) create an envelope that holds the document and secures it while it is encrypted by PGP® technology. Once the message is decrypted, the rights management software in MS Office controls the use of the document. Another way to think of this is that PGP technology is a secure courier ensuring that when you send a document it can only be opened by the intended recipient; however, once the PGP® encrypted message's envelope is opened, the document is then controlled by other software. There are a number of other rights management solutions that do similar things with similar architectures. PGP products' digital signatures can also assure the integrity of the file just as they would with anything else.

I believe that although Microsoft's approach has a number of uses, rights management is a system that everyone wants to impose on other people, but no one wants imposed on them. I expect several reactions to it.

There certainly will be people who flat out refuse to accept documents that have restrictions on them. And why wouldn't you refuse? I know I don't want a document that rats on me every time I read it, print it, and so on.

I also expect these documents to be banned from any organization that has to archive mail and respond to requests for archived mail. Financial organizations are going to be among the first to ban such documents. I see an opportunity for content scanning firewalls to strip rights-protected attachments. I would not be surprised if some organizations resort to banning all Microsoft Office documents altogether and require attachments to be in PDF format. I wouldn't want to be the CIO who has to explain to the SEC, NASD, or a judge that I'd love to turn over some requested emails, but I can't because a third party has rights-protected them. I also wouldn't want to be the third party who may have to turn over full use of a document that was written with the expectation it would be protected from prying eyes.

This last risk is particularly interesting. A well-known problem with email and electronic memos is that people say things in them that they probably shouldn't. Imagine how careless they'll be if they think MS Office 2003 will enforce rights that could be yanked out from under them, which is more likely the more frank a document is about some issues.

I also see an interesting interaction between rights management and the spread of digital cameras. Cell phones, PDAs, and other devices now come with digital cameras that can take high-quality pictures of computer screens. I expect that the spread of rights management software will lead to more people taking pictures of their screens, and foresee a nice market in accessories to do precisely that.

To sum up: PGP products interoperate with new DRM solutions. But we expect them not to be widely used, or if they do become widely used, to quickly be widely banned.

Levy, Christopher, " Secure Content Collaboration with Information Rights Management," eContent, October 2003.

Pruitt, Scarlet, " Microsoft sets sights on DRM market," InfoWorld news, May 8, 2003.

Robichaux, Paul, " Information Rights Management and You," Windows Network, April 25, 2003.

Schindler, Deb, " How the Windows Rights Management Service can Enhance the Security of your Documents," WindowsSecurity.com, September 23, 2003