[Fsedu-developers] RFC for Free software consent based content mangement

[James Michael DuPont]

Dear All,
I have been in involved in a discussion on the "open-source-now"
project list from RedHat on the issue of DRM and content distribution. 

RedHat is providing their learning materials in non-standard file
formats (flash,java) with a EULA that is designed to remove the rights
of the students. Their argument is that it is not possible to protect
their content without taking away the rights of the students. That is
why I have sought to design a solution for content distribution based
on  free software and open standards that still protects the content
from illegal distribution.

I seek with this proposal to address these issues in the context of
free software without violating the rights of the students.

http://www.advogato.org/article/698.html
Specifically, Digital Think is the exclusive provider of Red Hat
eLearning, the EULA of the redhat online courseware is written in such
a way to prevent the students from using free software :
 http://www.digitalthink.com/catalog/license.html

"Licensee shall not, without the prior written permission of
DIGITALTHINK, nor permit anyone else to copy, decompile, reverse
engineer, disassemble or otherwise reduce the Courseware to a human
perceivable form, or to modify, network, rent, lease, loan, distribute,
or create derivative works based upon the Courseware or the
documentation in whole or in part." 

The fsedu project seeks to defend the following rights of the students,
it proposes the following basic student rights : 

http://fsedu.org/fsedu.pl?DefendStudents

 1. You have the right to use free software instead of proprietary
 software for all school-related tasks. The school shall not impede 
this right in any way.
 
 2. You have the right to demand open file formats:
 
 2.1. Allow sincere choice of software/operating system
 
 2.2. Openly specified and freely implementable
 
 3.3. Work with completely Free systems
 
 3. You have the right to publish your homework assignments as you see
 fit, for profit or gratis.
 
 4. You have the right to publish what you learn, in your own words, 
for
 profit or gratis.


Lets say that we have some content that an author worked hard on, and
it should be distributed to people who decide that paying a reasonable
fee.

Now the one issue is that even if the users should have the right to
examine the source code of the software, we still need a way to prevent
them from extracting the content out of that software. 

If you allow the user to modify the viewing software as to create an
human readable and machine processable of the content instead of
displaying it, then you are opening up the content for further
duplication. Now we are precluding screen shots and OCR software here.
Lets say that you want to deliver a rastrasterizedy of the content to
the user at an agreed upon resolution. Vector graphics would again
allow  too much export control.

So we have an agreement between a content provider and a content
consumer for a delivery of a certain amount of content that meets a
certain level of quality to a viewer that limits the users rights in a
predefined manner.

Now, the viewer cannot store the content in a internal data format that
is readable by an debugger, because it would be too easy to snarf that
data out.

So, I think we can solve this problem very simply : You need to trust
that the user will only use an agreed upon version of the viewer
software.  This software can be free software, and the full source code
may be made available, but the content provider does not agree to
provide the content to any but an specified and verified set of modules
to the user.

So I proposed the following architecture :

1. The users are to be validated by a chip-card system, each user must
have a way to authenticate their identity using a card issued by the
content provider or a certificate authority. Simple PGP PGP SSH
certificate can also be agreed here.

2. The users agree to have a free software client module installed that
is of a specified version. This software is able to make a network
connection to the content provider and send a digitally signed and
encrypted signature of itself to the content provider by a secure
channel. This creates a secure session that can only be understood by
the client module. The user agrees that he does not have the right to
intercept this content which uses open and free software that he can
inspect on his leisure. The session however is only good for one set of
package, because the user might swap out the software once the session
is set up. Hardware based checksumming might help speed up this
signature process. BSD has such a software signature built in as well.
The user agrees to allow the server to re-check/audit the validity of
the client software on its leisure on a predefined interval,that way
the server administrator  and users can agree on a set of security
levels that are appropriate for the given application performance
requirements.

3. The user uses this session to request content that is sent securely
to him/her.  The content is encrypted with an agreed upon encryption
standard that will prevent the user from viewing the content. Only the
client software session, given an authentication token from the
provider and from the client will be able to for one time be able to
decode the content. The software then deletes that content according to
the agreed procedure.

4. The user can then view the rastrasterizedge. That image could also
be  water-marked and Id-ed. The agreement between the content provider
and the user may define various rules preventing the removal of the
various security water-marks. Of course the user can take that one
raster and distribute it illegally. There is nothing that any of the
DRM DRM do to prevent that.


You see, this is a consent based security system that requires no
freedoms are removed from the user. The content provider reserves the
right to refuse delivery of content to any other version of the
software, the client however has the freedom to modify this software
and submit it to content providers for certification.

I think such an consent based content management is much saner than
using non-free file formats and non-free software.

What do you think?

mike


=====
James Michael DuPont
http://introspector.sourceforge.net/

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com