ECMS: Technology Issues and Electronic Copyright Management Systems

pedro isaias

ECMS: Technology Issues and Electronic Copyright Management Systems

Pedro Isaias looks at the relevant ECMS e-Commerce technology.

Technology issues are of utmost importance in Electronic Copyright Management Systems (ECMS). In fact, these technologies can in part determine the success or failure of these systems. In a traditional environment, consumers enjoy buying with efficient systems and security. This is even truer in the Internet. Thus the need to develop and deploy technologies that are efficient and can assure security.

This work covers these technology issues, illustrating the following points in an objective way:

Payment systems and security techniques in the Internet;
Importance of these technologies in ECMS.

ECMS: Important Technologies

Most of the technologies referred in this article can be used with the so-called digital objects. A digital object can be defined [1] as being "a logical entity or data structure whose two principal components are digital material ("data"), plus a unique identifier for the material and other information pertaining to the data ("metadata")".

In this section the following technologies will be focused:

Payment Systems
Security Techniques

Payment Systems

Having payment systems that are both effective and reliable is very important in ECMS and digital libraries. It is commonly accepted that quality information should be paid for, situation in which these systems are more than needed: they are an imperative.

According to several authors [2,3] there are important requirements that electronic payment systems should follow in order to be reliable. The most relevant are:

Security/Integrity - The system must assure security measures in order to guarantee the safety of the transactions and that no data is illegally modified;
Robustness - The system should be reliable under any circumstances (in this broad requirement it's included atomicity, which is the guarantee that a transaction occurred or not);
Economic viability - Cost of transactions and values transferred should be compatible;
Scalability - The system should be able to grow (i.e. addition of new buyers and merchants) without significant lack of performance;
Interoperability - The system must make it possible to exchange payment means between different systems;
Auditability - The possibility to audit the system to look for records of operations and possible errors;
Anonymous transactions - The system should support anonymous transactions (i.e. buyers and sellers identity not known);

There are presently two broad categories of electronic payment systems in what concerns their money model [3, 4]:

Token-based or cash-like systems;
Notational or credit/debit systems.

In token-based or cash-like systems, transactions are performed with tokens that have a certain value (of themselves or from the status of the Institutions that issue them) and must be bought to a central authority before consumers being able to make any transactions. These systems do not support debt.

Notational or credit/debit systems consist of having an account and the central authority keeping a record of the amount in that account. In this particular systems consumers exchange documents that are equivalent of value transfers. These exchanges consist in the debiting of the consumers' account and the crediting of the merchant account. These systems can support debt.

Token-based or cash-like systems

One of the most well known examples of these systems was Ecash (DigiCash). The company has gone out of business and ceased operations (now taken over). The main characteristic of the Digicash system, developed by David Chaum, lay in the possibility of using real electronic money. The value of this system lay in the electronic cash, and not in the possibility of authoring funds transfers between consumers and suppliers (sellers). The main strength of the Ecash system was, however, the possibility of conducting anonymous and secure transactions.

Basically, the Ecash system consisted of the following:

A bank, which exchanged real money by electronic money, and simultaneously applied a digital signature for verification purposes;
Electronic currency, which was transferred to the client under the format of a electronic wallet card or software client;
The client, who could spend electronic money with suppliers, that in turn would exchange the electronic money received by real money in pre-defined banks.

This system presented several advantages:

Anyone could buy and sell;
Algorithms against copy of monetary units and against spending above authorised limit, with fraud record;
Information on usage and statistics.

Ecash used a direct cash like payment model with online validation. The same payment model is used by NetCash [5].

NetCash provides a framework for digital payments. The system is based on a system of distributed issuing currency servers. The NetCash coin has the name of the issuing server and specific serial number.

The currency servers offer several services, being one important service the redemption of coins for cheques (NetCheque digital cheques). NetCash has now been layered into NetCheque.

MilliCent [6] is a strong alternative to other token-based systems. It has been released in Japan (went live on June 1, 1999) and is being applied in several on-line sales. The important aspect of MilliCent is that it covers operations as small as 1/10^th of a dollar; this system clearly aims at the micropayments segment. The other important aspect, especially for ECMS, is that with these small amounts, ECMS can sell individual papers, or even parts of papers, for instance. A newspaper publisher can even sell a newspaper article by article.

MilliCent does no use real money but scrip which is like cash because it represents a value but is different from cash because it's only valid with a specific vendor. Scrip is basically a electronic coupon which represents pre-paid value specific to a vendor. Scrip associated with a specific vendor can be exchanged by scrip from other vendors via brokers.

The process of acquiring and using scrip is very straightforward: a customer can acquire it with his or her credit card and then it can be used to make purchases from a specific vendor.

Millicent uses a direct cash like payment model with semi-online validation.

Other relevant token-based systems are available (please refer to appendix for their URLs): CAFE and Mondex.

Notational or credit/debit systems

One of the first examples of a notational system was First Virtual, which has ceased operations. First Virtual system considered the possibility of a user having access to the information before paying for it which was a strong point but also a weakness since users could abuse the system. Its simplicity was also highly regarded.

One of the weakest points was, however, not having cryptography, and therefore not being able to guarantee totally safety transaction.

First Virtual used a credit card payment intermediator notational payment model with online validation.

One of the most relevant systems in this category is CyberCash [7]. This system, which is in fact a system designed to charge the client's credit card, allows transactions with immediate payment between sellers and consumers through a financial institution. The transactions are performed with credit card.

The CyberCash system works according to the following model:

The client sends the credit card data, seller ID and products he wishes to buy to the server (crypted with a public key, and also a symmetric key);
The server executes the operation with a financial institution;
The server transmits to the seller the client ID, products he wishes to buy, number of transaction and symmetric key (encrypted information);

The seller encrypts the information with the symmetric key and sends it to the client.

The CyberCash system has the advantage of cryptography, which guarantees security and privacy to the client. CyberCash uses a secure credit card presentation notational payment model with online validation.

Another good example of a notational system is CyberCoin [8], originated in Cybercash. The CyberCoin system has been designed to deal with small transactions (i.e. 25 cent to $10), that are considered small payments. Cybercash has closed CyberCoin accounts (in North America only) and launched InstaBuy [9].

InstaBuy uses, as CyberCoin, a direct account based payment model with online validation.

Another good example of notational systems, specialised in micropayments, is the NetBill system. The Netbill system [10] has been developed by the Carnegie Mellon University, evolving from previous billing service prototypes and being first applied in the digital library of this University, the CMU’s Informedia Digital Video Library.

The NetBill system deals with authentication, verifying credits, controlling accesses and recording transactions. Their goals are: working with open protocols and dealing exclusively with goods that are delivered electronically and services.

The Netbill system works in the following way [11]:

The consumer finds information of interest and requires its price from the merchant (i.e. can be from a catalogue);
The merchant returns the price;
If the consumer accepts the price, his answer will be assured by a digital signature and sent to the merchant;
The merchant sends the goods encrypted, along with a checksum and a time stamp;
The consumer's software computes a checksum of the goods and this is sent, along with an electronic payment order to the merchant;
The merchant receives the consumer's checksum, verifying that the consumer has received the goods in perfect conditions and sends the electronic payment order with his digital signature to the NetBill server;
The NetBill server processes the electronic payment order and debits the consumer account and credits the merchant account;
The NetBill server sends a digital signed message to the merchant confirming the success or failure of the operation along with the decryption key;
The merchant forwards the key to the consumer in order to have access to the goods.

The NetBill systems features the following advantages: transaction security through encryption and digital signatures; the system allows the use of alias from customers in order to remain anonymous from merchants; the costs per transaction are very low.

NetBill uses a direct account based notational payment model with online validation.

One important standard of Notational systems, and especially designed for secure credit card processing in the Internet, is Secure Electronic Transactions (SET) [12]. SET is an initiative of VISA and Mastercard amongst other participants. This initiative followed several other from different companies and organisations; basically none could impose its standard and since then they join efforts to produce a unified standard, SET.

A SET transaction works in the following way [13]:

After the customer selects an item from a catalogue, for instance, and chooses the credit card he wants to pay with;
The customer sends a signed payment slip to the merchant (protected by an encryption scheme);
The merchant takes the slip and asks the bank gateway for authorisation;
The bank gateway verifies everything and authorises or not the operation;
If authorised, the merchant confirms the order to the customer;
The merchant then sends the goods to the customer.

SET uses a secure credit card presentation notational payment model with online validation.

Other relevant notational systems are available (please refer to appendix for their URLs): NetCheque and eCheck (FSTC Electronic Check).

Security Techniques

There are several techniques that implement concepts of Web security. At the ECMS and digital library level, the following are relevant techniques:

Encryption – Traditional encryption techniques have been used over the centuries. In the Internet, encryption has progressively being adopted because it provides security against unauthorised access/reading. This technique is quite simple in scope: it basically consists in content conversion (of a scientific paper for example) into contents that cannot be understood. After this is done, the ECMS sends the referred contents to the person that requested them. This person, holding both the encrypted contents and the encryption key, then converts the contents into an intelligible form (just like the original contents). A good example of encryption software is Pretty Good Privacy [14].

Watermarking Technology – The traditional watermark that used to characterise certain paper producers is again en vogue. But now, it's applied to the digital environment. Digital watermarks (visible or invisible) applied to ECMS and digital libraries can point to information possession in two different ways [15]:
By identifying from who the materials (contents) originate;
By identifying the recipient (library or final user) to whom the materials (contents) have been distributed;

The recipient watermark is the most used technique because it's easier to prevent in this way the re-distribution of the material.

In what concerns the watermark that identifies from who the materials (contents) originate, there are two possibilities of applying it (with different goals):

Visible identification - it enables the user to a priori avoid the dissemination and unauthorised use of the materials (contents);
Non visible identification – It enables a posteriori to search the web with a view to locate who distributes and uses the materials (contents) without being authorised for that purpose.
Digital Signatures – They give secure integrity indications being in this way of great importance to ECMS. They are generated using cryptographic methods.
Authentication – The goal is to assure that the data that comes from a certain entity can only have been originated by that entity and that the content has not been changed in any way.

Importance of these Technologies in ECMS

It is quite obvious of the extreme importance of these technologies in ECMS. The question mark lies more on the more or less appropriateness of some of the solutions presented rather than on the technologies themselves.

For instance, is it more appropriate to use a micropayment system or a macropayment system? It seems from what has been described that for a ECMS is clearly more appropriate a micropayment system. These allow the user to acquire only fragments or an article, or only an article in a journal. It's clearly more flexible.

Another question is related to token-based vs. notational systems. What systems are more suited for ECMS? This is more difficult to answer. It seems obvious that notational systems are taking the lead in disseminating themselves. And banks and credit card issuers back up several of them. But are these systems the ones that really defend customers? The answer is more on the negative side. In fact systems like Ecash (Digicash) really defended the customer by being rigorously anonymous and secure - they were like real money. But the market didn't favour them and they've ended operations. Of course notational systems also have advantages like allowing debt.

And what about security? ECMS require security in the operations in which the consumer engages. Several options are available and being exploited and only the market will tell the methods that will prevail. While the encryption method seems well suited to be used in payment mechanisms, the digital watermarking seems to be an obvious defence for the control of distributed materials.

Conclusions and Future Perspectives

At a technological level, there are several obvious open questions:

When will electronic payment systems be 100% safe?
Payment models - what is the best? The token-based or the notational?
When can the consumer choose his favourite payment system from several available ones?

The first question is impossible to answer. When hackers enter the Pentagon systems and NASA systems are hacked with some frequency it is difficult to say that there will be 100% safe systems. The bet is more likely to be in minimising the problem and finding alternative ways to address the question. In technological terms is highly difficult to find 100% safe systems.

As for the payment model question, it's difficult to answer because some advantages that the others don't. It depends on several variables like user's bank and specific vendors. As from choosing from several available payment systems it depends on the ECMS that will choose the payment systems that they want to work with. It would be nice to see ECMS presenting alternative payment solutions like we see today in a shop when we want to pay with credit card and several alternatives are often presented.

In future, the tendency is certainly to facilitate the ECMS use by consumers, through the more widespread use of simpler and more efficient technological means. One thing is for granted: future systems will have more and better functionalities and will provide improved features, spoiling consumers with a myriad of possibilities.

Appendix - List of Most Significant Electronic Payment Systems and Their URLs:

CAFE	http://www.cwi.nl/cwi/projects/cafe.html
Cybercash	http://www.cybercash.com
CyberCoin	http://www.cybercash.com/cybercash/services/cybercoin.html
Ecash (DigiCash)	http://www.digicash.com/
eCheck (FSTC Electronic Check)	http://www.echeck.org/
InstaBuy	http://www.instabuy.com/
Millicent	http://www.millicent.digital.com/
Mondex	http://www.mondex.com/
NetBill	http://www.ini.cmu.edu/netbill/ http://www.netbill.com/
NetCash	http://nii-server.isi.edu/info/netcash/
NetCheque	http://gost.isi.edu/info/netcheque/
Secure Electronic Transactions (SET)	http://www.mastercard.com/shoponline/set/set.html

References

[1] Cross Industry Working Team. (1997). Managing access to digital information: an approach based on digital objects and stated operations.

Available from: http://www.xiwt.org/documents/ManagAccess.html [August 4^th 1999]

[2] Costa, J. F., Silva, A. and Delgado, J. (1995). Análise dos sistemas comerciais emergentes na Internet In: Proceedings of I Conferência Nacional WWW - Informação Multimédia na Internet, Minho 1995

[3] Ferreira, L.; Dahab, R. (1998). A scheme for electronic payment systems. In: Proceedings of the 14^th Annual Computer Security Applications Conference, 7-11 December 1998. IEEE, 137-146.

[4] Weber, R. (1998). Chablis - Market Analysis of Digital Payment Systems. Chablis (TUM-I9819)

Available from: http://medoc.informatik.tu-muenchen.de/Chablis/MStudy/x-a-marketpay.html [August 4^th 1999]

[5] NetCash home page: http://nii-server.isi.edu/info/netcash/ [August 4^th 1999]

[6] Millicent home page: http://www.millicent.digital.com/ [August 4^th 1999]

[7] CyberCash home page: http://www.cybercash.com/ [August 4^th 1999]

[8] CyberCoin home page: http://www.cybercash.com/cybercash/services/cybercoin.html [August 4^th 1999]

[9] InstaBuy home page: http://www.instabuy.com/ [August 4^th 1999]

[10] NetBill home page: http://www.netbill.com/ [August 4^th 1999]

[11] Sirbu, M.; Tygar, J. (1995). NetBill: an Internet system optimized for network delivered services. In: Proceedings of the CompCon Conference, March 1995. IEEE

Available from: http://www.ini.cmu.edu/netbill/pubs/CompCon.ps.Z [August 4^th 1999]

[12] Mastercard's SET home page: http://www.mastercard.com/shoponline/set/set.html [August 4^th 1999]

[13] Asokan, N. et al. (1997, September). The state of the art in electronic payment systems. IEEE Computer magazine [Online], Vol. 30 issue 9, 28-35.

Available: http://computer.org/computer/co1997/r9028abs.htm [August 4^th 1999]

[14] More details as well as the software (distributed as freeware) can be found at http://web.mit.edu/network/pgp.html [August 4^th 1999]

[15] Mintzer, F. et al. (1997, December). Safeguarding digital library contents and users – digital watermarking. D-Lib Magazine [Online], 44 paragraphs

Available from: http://www.dlib.org/dlib/december97/ibm/12lotspiech.html [August 4^th 1999]

Author Details

Pedro Isaias
European Projects Manager at ISEGI
New University of Lisbon and Professor at Portuguese Open University
Email: pisaias@mail.telepac.pt