Request for Comments: Use Cases & Requirements for Lightweight Content Protection for EPUB

May 17, 2012

The IDPF on May 18, 2012 published a draft of use cases and requirements for lightweight content protection technology for EPUB, available at: Comments from members and other interested parties are requested by Friday, June 8. Comments are particularly solicited regarding the priority of this activity versus other potential IDPF-mediated projects. Also requested are comments on any additional high priority use cases and requirements not encompassed in this initial straw-man document, and regarding the overall desirability of a solution embodying the proposed requirements, or any standardized solution in this area.

The document describes requirements for a potential content protection scheme for EPUB.  It outlines what would be a “lightweight” scheme, occupying a middle ground between strong DRM and DRM-free.  This would enable sharing with or without watermarking, but, unlike watermarking alone, cracks would be considered definitively illegal. As well, the proposed scheme incorporates configurable passwords (including the option of no password at all); it could be used to discourage “over-sharing” by requiring passwords that contain personal information, such as an email address or credit card number.  The use of encryption would also enable limits on modification, copying, and printing of content in a manner similar to the encryption technology incorporated in PDF.  It would also support lending models via usage durations.  Other aspects that would make the scheme “lightweight” include not requiring network connectivity (i.e. no “phoning home”) and trading off less stringent security for lower implementation cost and complexity. 
While public discussion of the “straw man” requirements document is anticipated and welcome, it should be noted that it does not represent any commitment by the IDPF to establish a solution. Through this discovery process, it may become clear that no feasible standardized solution would be sufficiently useful or accepted, or that no solution is forthcoming that will sufficiently address critical requirements.
The requirements document was prepared for the IDPF by Bill Rosenblatt of GiantSteps Media Technology Strategies, a recognized expert consultant in digital rights technologies. It is meant as a response to requests from some members and other industry stakeholders that IDPF consider standardizing a DRM solution for EPUB.
The IDPF anticipates revising this document, taking into account comments received, and, should the IDPF membership and industry at large support it, issuing a Request For Proposal (RFP) for potential solutions. Should proposals be solicited, the IDPF will evaluate them based on a variety of criteria that will be detailed in the RFP.
The IDPF takes no official position on the level of content protection measures that are appropriate, considering this as a situational determination between rights holders, distribution partners and end users. The proposed use cases and requirements describe a “lightweight” encryption approach, but this is primarily based on the judgment of IDPF and its consultant that this approach, should it be supported by the membership, would be by far the most likely to gain meaningful adoption within the desired timeframe. We recognize that some publishers may under some circumstances require content control technology that is more stringently protective than is feasible for a lightweight approach.  First, the lightweight approach is designed to be extended in various ways to be more stringent.  Second, EPUB will remain open to multiple forms of DRM technology, and any standard form of content protection will be complemented by the multiplicity of more full-featured commercial DRM solutions already in the market. As EPUB has an extensible encryption framework, these DRM solutions will remain valid for use with EPUB.
Please send any comments to IDPF via email to bmccoy at  Comments received will be by default considered public; however, IDPF member organizations may request anonymity, or for feedback to remain limited to IDPF management and Board. 
