Demystifying Technical Protection Measures (TPMs) in the Library


The Code of Best Practices in Fair Use for Academic and Research Libraries suggests at various points that librarians consider the use of appropriate “technical protection measures” when making digitized materials available on-line, as a way of bolstering their fair use claims. Many libraries already employ such measures as a risk-management strategy.

When libraries choose to employ technological protection measures, they are following a “belt-and-suspenders” approach to fair use. Many factors may contribute to these choices, including considerations of relative effectiveness and convenience, the cost of initial implementation and continued deployment, and consumer acceptance. Most importantly, libraries should consider whether the use of a particular TPM, or of TPMs in general, is consistent with the mission-based goals for which the information to be safeguarded is being offered in the first instance.

At no point does the Code suggest that the use of TPMs is an essential component of fair use (with the exception of passwords in certain situations), though in some places the Code suggests that use of such measures will further enhance an otherwise strong fair use claim based on the nature and purpose of the use itself. It’s also important to realize that there is a wide array of different options (more and less intrusive or expensive) available.

No one really likes technical protection measures, especially as they are employed by copyright owners to “safeguard” digital contents. Members of the information-seeking public justly complain that the use of TPMs may interfere with the exercise of their rights to access and use copyrighted content fairly. (Every three years, user groups line up to petition the Library of Congress to enable fair use by granting exemptions to the so-called anti-circumvention provisions of the 1998 Digital Millennium Copyright Act, which impose special penalties on hackers largely without regard to motive.) Even advocates for wider TPM use acknowledge that TPM developers and hackers are locked together in a perpetual “arms race” that swallows up stocks of ingenuity that might otherwise be better employed.

The Code recommends considering the use of TPMs, even with their limitations, as part of good-faith efforts to protect copyright owners against third-party misappropriation, in connection with library-based fair uses. Such TPMs, as we know from the anti-circumvention provisions of the 1998 DMCA, need not be perfect in order to be effective. The question in choosing an appropriate TPM, then, is not how to achieve perfect security, but how to accomplish good-enough protection for the task at hand.

Possible TPMs a library might consider, in connection with library fair use, include:

Passwords: Unique or shared password to access the protected content. Indeed, there are several points in the Code of Best Practices where the use of this technique is strongly recommended (for on-line content directed to a particular group of students, for example). Password systems block casual users and are easy and inexpensive to provide. Although passwords are hackable by a person with determination and expertise, they are effective in enforcing respect for reasonable conditions of use on the part of most people in most communities.

Watermarks (including steganography): Watermarking is another effective, low-impact and relatively low-cost approach to technological protection of copyrighted content. Watermarks may be visible or invisible (invisible being steganography). All watermarks can encode ownership information, and more elaborate ones may also carry extensive metadata. Visual watermarks have the advantage of making content less suitable for inappropriate downstream release, and the coordinate drawback of reducing somewhat its utility for teaching/research purposes. Many businesses (Getty Images, for example) rely heavily on this form of TPM. Invisible digital tags may make it possible for copyright owners to trace inappropriately used copies of their work back to the source, thus enabling more effective legal enforcement. Again, watermarks are susceptible to hacking, but new technologies make them relatively robust and persistent.

Encryption: This is the best-known, and most controversial, of the varieties of TPM. Encrypted content can be read only by devices that have the appropriate “key” built in, and once the “handshake” between encrypted content and authorized device has occurred, the ways in which the device can process the content are limited. An early, and fairly crude, example is the CSS (Content Scramble System) used on most commercial DVDs. At least in theory, an unauthorized device cannot play back a DVD protected by CSS, and most devices cannot copy its contents to new blank media. Some providers of e-books use encryption to assure that the “text-to-speech” features of readers are selectively disabled. It also is deployed to enforce “streaming only” limitations on the on-line availability of content, both in the commercial and educational sectors. Although certainly subject to hacks, implementations of encryption are effective “speed bumps” if the goal is to limit the proliferation of copies by reinforcing the good motives of law-abiding people, who are the great majority of users.

Other TPMs: Additional approaches include limiting the time period during which a given item is available, or the number of individual readings or viewings to which it is subject, as some commercial e-book providers have begun to do. Other measures, like the provision of images in lower-resolution formats only, may not qualify as technological protection measures under a formal definition, but may be equally effective and efficient in promoting the goal of discouraging unauthorized re-use (especially in commercial contexts) of educational content.

For more information, see Mike Godwin, “What Every Citizen Should Know about DRM” (Public Knowledge and New America Foundation, undated) at