1. Lift Asia 09
Jeju, Korea
Jean-Henry Morin
University of Geneva – CUI
Dept. of Information Systems
Jean-Henry.Morin@unige.ch
http://jean-henry.com/
Lift Asia, Sept 16-17, 2009
5. Where did we go wrong?
• Where did User Experience go?
• Where did Superdistribution go?
• Where are the innovative Business Models, the Real-time Marketers, etc.?
• Did DRM curb those it was meant to curb?
• Wasn’t DRM supposed to be an enabler?
J.-H. Morin
6. Can we finally make DRM “FUN” (i.e., User Friendly ;-)?
• Assuming:
  • DRM is likely to stay and be needed (managed content)
  • Absolute security is neither achievable nor desirable
  • Given the right User Experience and Business Models, most users smoothly comply (e.g., iTunes)
  • Most users aren’t criminals
• We needed to take a step back to:
  • Critically re-think DRM
  • Reconsider the debate outside the either/or extremes of total vs. no security
  • Re-design DRM from the ground up
7. Rethinking & Redesigning DRM
• Acknowledge the central role of the User and User Experience
• Reinstate Users in their roles & rights
• Presumption of innocence & the burden of proof
• Fundamental guiding principle to Rethink and Redesign DRM: Felten’s “Copyright Balance” principle (Felten, 2005)
“Since lawful use, including fair use, of copyrighted works is in the public interest, a user wishing to make lawful use of copyrighted material should not be prevented from doing so by any DRM system.”
• Claim and Proposition:
  • Put the trust back into the hands of the users
  • Reverse the distrust assumption
  • Requires a major paradigm shift
8. Rethinking & Redesigning DRM (cont.)
• Exception Management in DRM environments, mixing water with fire? Not necessarily!
• Reversing the distrust assumption puts the user “in charge”, facing his responsibilities
• Allow users to make Exception Claims, granting them Short-Lived Licenses based on some form of logging and monitoring
• Use Credentials as tokens for logging to detect and monitor abuses
• Credentials are Revocable in order to deal with abuse and misuse situations
• Mutually acknowledged need for managed content while allowing all actors a smooth usability experience
(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)
9. Exception Management in DRM Environments
(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)
• What is an Exception?
  • A claim made by a user wishing to rightfully access / use content
• Based on “real world” credential patterns
  • Delegation model based on chained authorities
  • Credential authorities closer to the users
  • Locally managed and held by users (credential store)
  • Short-lived or fixed lifetime
  • Revocable
  • Late binding (enforcement point)
• Model is auditable for abuse and includes revocation capabilities
• Burden of proof on the party having a justifiable reason to claim abuse (presumption of innocence)
• Monitoring in near real time of security policies
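As an added illustration (not the speaker's code), the exception-management model of this slide in Python: an authority whose key is derived along a chain from a hypothetical root issues a short-lived, content-bound credential for a user's exception claim; the enforcement point binds late, checking chain, expiry and revocation at use time and logging every decision so abuse can be audited and the credential revoked. Authority names, keys, user names and content ids are constructed.

```python
import hmac, hashlib, json
from dataclasses import dataclass, asdict

def derive_key(root_key: bytes, chain: list) -> bytes:
    """Chained authorities: each key is derived from the parent's key and the
    authority's name, so the enforcement point needs only the root key."""
    key = root_key
    for name in chain[1:]:
        key = hmac.new(key, name.encode(), hashlib.sha256).digest()
    return key

@dataclass
class Credential:
    chain: list        # issuing authorities, root first (hypothetical names)
    subject: str       # user making the exception claim
    content_id: str    # content the claim applies to
    purpose: str       # the claimed lawful use, kept for the audit trail
    expires_at: int    # short-lived: seconds since epoch
    tag: str = ""      # HMAC by the issuing authority over the other fields
    def payload(self) -> bytes:
        fields = asdict(self); fields.pop("tag")
        return json.dumps(fields, sort_keys=True).encode()

def issue(authority_key: bytes, chain: list, subject: str, content_id: str,
          purpose: str, now: int, ttl: int = 3600) -> Credential:
    """A local authority grants a short-lived credential for an exception claim."""
    cred = Credential(chain, subject, content_id, purpose, now + ttl)
    cred.tag = hmac.new(authority_key, cred.payload(), hashlib.sha256).hexdigest()
    return cred

class EnforcementPoint:
    """Late binding: checked at use time against the current revocation list,
    and every decision is logged so abuse can be detected and audited."""
    def __init__(self, root_key: bytes, trusted_root: str = "root"):
        self.root_key, self.trusted_root = root_key, trusted_root
        self.revoked, self.audit = set(), []

    def use(self, cred: Credential, content_id: str, now: int) -> bool:
        expected = hmac.new(derive_key(self.root_key, cred.chain),
                            cred.payload(), hashlib.sha256).hexdigest()
        ok = bool(cred.chain and cred.chain[0] == self.trusted_root
                  and cred.content_id == content_id and now < cred.expires_at
                  and cred.tag not in self.revoked
                  and hmac.compare_digest(cred.tag, expected))
        self.audit.append({"t": now, "user": cred.subject, "content": content_id,
                           "purpose": cred.purpose, "granted": ok})
        return ok

    def revoke(self, cred: Credential) -> None:  # abuse found in the audit log
        self.revoked.add(cred.tag)
```

Because the credential is bound to one content id and signed by the issuing authority, editing its fields or issuing it under an untrusted chain fails at the enforcement point, while the audit log keeps the user's stated purpose for any later abuse claim.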
10. A “Serious” problem in Social Networks and Services
Socially-Responsible Management of Personal Information
• Personal Information
  • Different from Personally Identifying Information (PII)
  • Subject to legal frameworks in most countries
  • Increasingly shared on social networks
  • Blurring boundaries between private and public life
Legitimate concern (i.e., rights) over our information in terms of lifetime, usage purposes, access, etc.
11. Problems and Issues
• Publish / share once, publish / share forever
  • Indexing and searching
• Who “owns” and manages YOUR information (SLAs)? Raging debates.
  • Whose information is it?
  • Do you retain control?
• Semantic searching capabilities
12. The Right to Forget
• Right to Forget: fundamental human right threatened by the digital nature of information (i.e., searchable)
• Traditional Media (i.e., non-digital): “Memory” erodes over time
  • Labor and cost intensive
• Digital Media requires explicit human intervention to “make forget” information
(Rouvroy, 2007)
13. Anonymity and Privacy
• Anonymity and Privacy are fundamental to social networking
  • It’s not a “bug”, it’s a feature!
  • It’s not schizophrenia!
  • Multiple legitimate personas (e.g., work, family, communities, etc.)
• How do we deal with it in a socially-responsible and ethically sustainable way?
  • Cyber bullying (e.g., Akple in Korea)
Requires traceability and accountability of information (i.e., managed information)
14. Key Question
• Are Privacy and personal information threatened by current social networking services?
• We contend there is a need for Managed Personal Information
  • Socially-responsible and sustainable
How can we retain an acceptable (by all) level of control over our personal information?
15. Proposition
(Morin, 2009)
• Personal Information should be augmented with a layer accounting for its management
  • Alongside other metadata increasingly used in addressing the semantic dimension of our electronic services
• We argue DRM combined with Exception Management may be a promising path towards:
  • Socially-Responsible management of personal information in social networks and services
16. Conclusion
• Can DRM “go green” before we all “go dark”?
• If so, we might be able to address some “Serious” societal issues while having “Fun” along the way!
17. Security is bypassed, not attacked
Inspired by Adi Shamir, Turing Award lecture, 2002
Thank you
Jean-Henry Morin
University of Geneva – CUI
Dept. of Information Systems
Jean-Henry.Morin@unige.ch
http://jean-henry.com/