Secure and Privacy-Preserving DRM for Mobile Devices with Web Service Security∗ – An Experience Report –

Preserving the customer’s privacy has to be a major concern when implementing a commercial DRM system. In [12] a privacy-preserving digital rights management (DRM) architecture based on the widely used Open Mobile Alliance (OMA) DRM [17] specification for mobile devices has been suggested. In this paper the design of a possible implementation of the proposed architecture is explained which uses Web Service Security (WSS). This choice has been made since the web services originally designed in the architecture have to meet several security features which are necessary for privacy-preservation. Thus specifically selected WSS features facilitate validation of correctness of the security enhanced concept. This validation is reflected by a detailed security assessment. Moreover a prototypical implementation of privacy-preserving DRM by using a recent WSS implementation (WSS4J) is briefly explained. Finally, along with the experiences from the implementation, a discussion of a potential extension of our suggested architecture and implementation to other DRM systems is given. This discussion also reviews privacy and DRM, both mobile and stationary, in general from a technological point of view. The conclusion is that a similar extension would be possible for all DRM specifications that do not require an online on-access license validation.