Note: Descriptions are shown in the official language in which they were submitted.
CA 02619962 2008-02-21
DE1VIANDES OU BREVETS VOLUINIINEUX
LA PRES ENTE PA.RTIE DE CETTE D EIYIAND E O U CE BREVETS
COIVIPREND PLUS D'UN TOIYIE.
CECI EST LE TOME DE
NOTE: Pour les tocnes additioneIs, veillez contacter le Bureau Canadien des
Brevets.
JiJNMO APPLICATIONS / PATENTS
TEIS SECTION OF THE APPLICATION / PATENT CONTATNS MORE
THAN ONE VOLUME.
THIS IS VOLUME ~ OF '~ NOTE: For additional volumes plesse contact the
Canadian Patent Office.
CA 02619962 2008-02-21
SYSTEMS AND METHODS FOR SECURE TRANSACTION
MANAGEMENT AND ELECTRONIC RIGHTS PROTECTION
Field(s) of the Invention(s)
This invention generally relates to computer and/or
electronic security.
More particularly, this invention relates to systems and
techniques for secure transaction management. This invention
also relates to computer-based and other electronic appliance-
based technologies that help to ensure that information is
accessed and/or otherwise used only in authorized ways, and
maintains the integrity, availability, and/or confidentiality of
such information and processes related to such use.
The invention also relates to systems and methods for
protecting rights of various participants in electronic commerce
and other electronic or electronically-facilitated transactions.
The invention also relates to secure chains of handling and
control for both information content and information employed to
regulate the use of such content and consequences of such use. It
also relates to systems and techniques that manage, includi.ng
meter and/or limit and/or otherwise monitor use of electronically
stored and/or disseminated information. The invention
-1-
CA 02619962 2008-02-21
wo 98/09ZO9 rCrws9711s?,a3
particularly relates to transactions, conduct and arrangements
that make use of, including consequences of use of, such systems
and/or techniques.
The invention also relates to distributed and other
operating systems, environments and architectures. It also
generally relates to secure architectures, including, for example,
tamper-resistant hardware-based processors, that can be used to
establish security at each node of a distributed system.
Background and Summary of the Invention(s)
Teleconununications, financial transactions, government
processes, business operations, entertainment, and personal
business productivity all now depend on electronic appliances.
Millions of these electronic appliances have been electronically
connected together. These interconnected electronic appliances
comprise what is increasingly called the "information highway."
Many businesses, academicians, and government leaders are
concerned about how to protect the rights of citizens and
organizations who use this information (also "electronic" or
"digital") highway.
-2-
CA 02619962 2008-02-21
wo 98/09209 PCT/US97/15243
Electronic Content
Today, virtually anything that can be represented by
words, numbers, graphics, or system of commands and
instructions can be formatted into electronic digital information.
Television, cable, satellite transmissions, and on-line services
transmitted over telephone lines, compete to distribute digital
information and entertainment to homes and businesses. The
owners and marketers of this content include software
developers, motion picture and recording companies, publishers
of books, magazines, and newspapers, and information database
providers. The popularization of on-line services has also
enabled the individual personal computer user to participate as a
content provider. It is estimated that the worldwide market for
electronic information in 1992 was approximately $40 billion and
is expected to grow to $200 billion by 1997, according to
Microsoft Corporation. The present invention can materially
enhance the revenue of content providers, lower the distribution
costs and the costs for content, better support advertising and
usage information gathering, and better satisfy the needs of
electronic information users. These improvements can lead to a
significant increase in the amount and variety of electronic
= information and the methods by which such information is
distributed.
-3-
CA 02619962 2008-02-21
Wo 981b9Z09 PC'P/QS97/15?A3
The inability of conventional products to be shaped to the
needs of electronic information providers and users is sharply in
contrast to the present invention. Despite the attention devoted
by a cross-section of America's largest telecommunications,
computer, entertainment and information provider companies to
some of the problems addressed by the present invention, only
the present invention provides commercially secure, effective
solutions for configurable, general purpose electronic commerce
transaction/distribution control systems.
Controlling Electronic Content
The present invention provides a new kind of "virtual
distribution environment" (called "VDE" in this document) that
secures, administers, and audits electronic information use.
VDE also features fundamentally important capabilities for
managing content that travels "across" the "information
highway." These capabilities comprise a rights protection
solution that serves all electronic community members. These
members include content creators and distributors, financial
service providers, end-users, and others. VDE is the fmt general
purpose, configurable, transaction control/rights protection
solution for users of computers, other electronic appliances,
networks, and the information highway.
-4-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/151d3
A fundamental problem for electronic content providers is extending their
ability to control the use of proprietary
information. Content providers often need to limit use to
authorized activities and amounts. Participants in a business
model involving, for example, provision of movies and
advertising on optical discs may include actors, directors, script
and other writers, musicians, studios, publishers, distributors,
retailers, advertisers, credit card services, and content end-users.
These participants need the ability to embody their range of
10, agreements and requirements, including use limitations, into an
"extended" agreement comprising an overall electronic business
model. This extended agreement is represented by electronic
content control information that can automatically enforce
agreed upon rights and obligations. Under ti-DE, such an
extended agreement may comprise an electronic contract
involving all business model participants. Such an agreement
may alternatively, or in addition, be made up of electronic
agreements between subsets of the business model participants.
Through the use of VDE, electronic commerce can function in the
same way as traditional commerce-that is commercial
relationships regarding products and services can be shaped
through the negotiation of one or more agreements between a
variety of parties.
-5-
CA 02619962 2008-02-21
Wo 98/09N19 PCT/[JS97/15?A3
Commercial content providers are conceraed with ensuring
proper compensation for the use of their electronic information.
Electronic digital information, for example a CD recording, can
today be copied relatively easily and inexpensively. Similarly,
unauthorized copying and use of software programs deprives
rightful owners of billions of dollars in annual revenue according
to the International Intellectual Property Alliance. Content
providers and distributors have devised a number of limited
function rights protection mechanisms to protect their rights.
Authorization passwords and protocols, license servers,
"lock/unlock" distribution methods, and non-electronic
contractual limitations imposed on users of shrink-wrapped
software are a few of the more prevalent content protection
schemes. In a commercial context, these efforts are inefficient
and limited solutions.
Providers of "electronic currency" have also created
protections for their type of content. These systems are not
sufficiently adaptable, efficient, nor flexible enough to support
the generalized use of electronic currency. Furthermore, they do
not provide sophisticated auditing and control configuration
capabilities. This means that current electronic currency tools
lack the sophistication needed for many real-world financial
business models. VDE provides means for anonymous currency
-6-
CA 02619962 2008-02-21
WO 98/09209 PCT1US97l15243
and for "conditionally" anonymous currency, wherein currency
related activities remain anonymous except under special
circumstances.
VDE Control Capabilitiea
VDE allows the owners and distributors of electronic
digital information to reliably bill for, and securely control, audit,
and budget the use of, electronic information. It can reliably
detect and monitor the use of commercial information products.
VDE uses a wide variety of different electronic information
delivery means: including, for example, digital networks, digital
broadcast, and physical storage media such as optical and
magnetic disks. VDE can be used by major network providers,
hardware manufacturers, owners of electronic information,
providers of such information, and clearinghouses that gather
usage information regarding, and bill for the use of, electronic
information.
VDE provides comprehensive and configurable transaction
management, metering and monitoring technology. It can
change how electronic information products are protected,
marketed, packaged, and distributed. When used, VDE should
result in higher revenues for information providers and greater
-7-
CA 02619962 2008-02-21
w0 gg/pgZpg PCrYUS47/15243
user satisfaction and value. Use of VDE will normally result in
lower usage costs, decreased transaction costs, more efficient
access to electronic information, re-usability of rights protection
and other transaction management implementations, greatly
improved flexibility in the use of secured information, and
greater standardization of tools and processes for electronic
transaction management. VDE can be used to create an
adaptable environment that fulfilis the needs of electronic
information owners, distributors, and users; financial
clearinghouses; and usage information analyzers and resellers.
Rights and Control Information
In general, the present invention can be used to protect the
rights of parties who have:
(a) proprietary or confidentiality interests in electronic
information. It can, for example, help ensure that
information is used only in authorized ways;
(b) financial interests resulting from the use of
electronically distributed information. It can help
ensure that content providers will be paid for use of
distributed information; and
-8-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
(c) interests in electronic credit and electronic currency
storage, communication, and/or use including
electronic cash, banking, and purchasing.
Protecting the rights of electronic community members
involves a broad range of technologies. VDE combines these
technologies in a way that creates a "distributed" electronic
rights protection "environment." This environment secures and
protects transactions and other processes important for rights
protection. VDE, for example, provides the ability to prevent, or
impede, interference with andlor observation of, important rights
related transactions and processes. VDE, in its preferred
embodiment, uses special purpose tamper resistant Secure
Processing Units (SPUs) to help provide a high level of security
for VDE processes and informatioii storage and communication.
The rights protection problems solved bv the present
invention are electronic versions of basic societal issues. These
issues include protecting property rights, protecting privacy
rights, properly compensating people and organizations for their
work and risk, protecting money and credit, and generally
= protecting the security of information. VDE employs a system
that uses a common set of processes to manage rights issues in
an efficient, trusted, and cost-effective way.
-9-
CA 02619962 2008-02-21
wo 98/09209 PCT/US97/15243
VDE can be used to protect the rights of parties who create
electronic content such as, for example: records, games, movies,
newspapers, electronic books and reference materials, personal
electronic mail, and confidential records and communications.
The invention can also be used to protect the rights of parties
who provide electronic products, such as publishers and
distributors; the rights of parties who provide electronic credit
and currency to pay for use of products, for example, credit
clearinghouses and banks; the rights to privacy of parties who
use electronic content (such as consumers, business people,
governments); and the privacy rights of parties described by
electronic information, such as privacy rights related to
information contained in a medical record, tax record, or
personnel record.
In general, the present invention can protect the rights of
parties who have:
(a) commercial interests in electronically distributed
information -- the present invention can help
ensure, for example, that parties, will be paid for use
of distributed information in a manner consistent
with their agreement;
-10-
CA 02619962 2008-02-21
WO 98/09209 PCT11JS97/15143
(b) proprietary and/or confidential.ity interests in
electronic information - the present invention can,
for example, help ensure that data is used only in
authorized ways;
(c) interests in electronic credit and electronic currency
storage, communication, and/or use - this can
include electronic cash, banking, and purchasing;
and
(d) interests in electronic information derived, at least
in part, from use of other electronic information.
VDE Functional Propertiee
VDE is a cost-effective and efficient rights protection
solution that provides a unified, consistent system for securing
and managing transaction processing. VDE can:
(a) audit and analyze the use of content,
(b) ensure that content is used only in authorized ways,
and
-11-
CA 02619962 2008-02-21
wo 98/09209 PCTIUS97/15243
(c) allow information regarding content usage to be
used only in ways approved by content users.
In addition, VDE:
(a) is very configurable, modifiable, and re-usable;
(b) supports a wide range of useful capabilities that
may be combined in different ways to accommodate
most potential applications;
(c) operates on a wide variety of electronic appliances
ranging from hand-held inexpensive devices to large
mainframe computers;
(d) is able to ensure the various rights of a number of
different parties, and a number of different rights
protection schemes, simultaneously;
(e) is able to preserve the rights of parties through a
series of transactions that may occur at different
times and different locations;
-12-
CA 02619962 2008-02-21
Wo 98J09209 PCT/US97115243
(f) is able to flexibly accommodate different ways of
securely delivering information and reporting usage;
and
(g) provides for electronic analogues to "real" money
and credit, including anonymous electronic cash, to
pay for products and services and to support
personal (including home) banking and other
financial activities.
VDE economically and efficiently fulfills the rights
protection needs of electronic community members. Users of
VDE will not require additional rights protection systems for
different information highway products and rights
problems-nor will they be required to install and learn a new
system for each new information highway application.
VDE provides a unified solution that allows all content
creators, providers, and users to employ the same electronic
rights protection solution. Under authorized circumstances, the
participants can freely exchange content and associated content
control sets. This means that a user of VDE may, if allowed, use
the same electronic system to work with different kinds of
content having different sets of content control information. The
-13-
CA 02619962 2008-02-21
{1yo gg/pgZpg PCTIUS97/15243
content and control information supplied by one group can be
used by people who normaliy use content and control information
supplied by a different group. VDE can aIlow content to be
exchanged "universally" and users of an implementation of the
present invention can interact electronically without fear of
incompatibilities in content control, violation of rights, or the
need to get, install, or learn a new content control system.
The VDE securely administers transactions that specify
protection of rights. It can protect electronic rights including, for
example:
(a) the property rights of authors of electronic content,
(b) the commercial rights of distributors of content,
(c) the rights of any parties who facilitated the
distribution of content,
(d) the privacy rights of users of content,
(e) the privacy rights of parties portrayed by stored
and/or distributed content, and
-14-
CA 02619962 2008-02-21
WO 98/09209 rCT/US97/1524
(f) any other rights regarding enforcement of electronic
agreements.
VDE can enable a very broad variety of electronically enforced
commercial and societal agreements. These agreements can
include electronically implemented contracts, licenses, laws,
regulations, and tax collection.
Contraat With Traditional Solutions
Traditional content control mechanisms often require
users to purchase more electronic information than the user
needs or desires. For example, infrequent users of shrink-
wrapped software are required to purchase a program at the
same price as frequent users, even though they may receive
much less value from their less frequent use. Traditional
systems do not scale cost according to the extent or character of
usage and traditional systems can not attract potential
customers who find that a fixed price is too high. Systems using
traditional mechanisms are also not normally particularly
secure. For example, shrink-wrapping does not prevent the
constant illegal pirating of software once removed from either its
physical or electronic package.
-15-
CA 02619962 2008-02-21
WO 98/09209 PCT/QS97/15243
Traditional electronic information rights protection
systems are often infleidble and inefficient and may cause a
content provider to choose costly distribution channels that
increase a product's price. In general these mechanisms restrict
product pricing, configuration, and marketing flexibility. These
compromises are the result of techniques for controlling
information which cannot accommodate both different content
models and content models which reflect the many, varied
requirements, such as content delivery strategies, of the model
participants. This can limit a provider's ability to deliver
sufficient overall value to justify a given product's cost in the
eyes of many potential users. VDE allows content providers and
distributors to create applications and distribution networks that
reflect content providers' and users' preferred business models.
It offers users a uniquely cost effective and feature rich system
that supports the ways providers want to distribute information
and the ways users want to use such information. VDE
supports content control models that ensure rights and allow
content delivery strategies to be shaped for maximum
commercial results.
Chain of $andling and Control
VDE can protect a collection of rights belonging to various
parties having in rights in, or to, electronic information. This
-16-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
information may be at one location or~ dispersed across (and/or
moving between) multiple locations. The information may pass
through a "chain" of distributors and a "chain" of users. Usage
information may also be reported through one or more "chains" of
parties. In general, VDE enables parties that (a) have rights in
electronic information, and/or (b) act as direct or indirect agents
for parties who have rights in electronic information, to ensure
that the moving, accessing, modifying, or otherwise using of
information can be securely controlled by rules regarding how,
when, where, and by whom such activities can be performed.
VDE Applications and Software
VDE is a secure system for regulating electronic conduct
and commerce. Regulation is ensured by control information put
in place by one or more parties. These parties may include
content providers, electronic hardware manufacturers, financial
service providers, or electronic "infrastructure" companies such
as cable or telecommunications companies. The control
information implements "Rights Applications." Rights
applications "run on" the "base software" of the preferred
embodiment. This base software serves as a secure, flexible,
general purpose foundation that can accommodate many
different rights applications, that is, many different business
models and their respective participant requirements.
-17-
CA 02619962 2008-02-21
WO 98/09209 FCT/US97/15243
A rights application under VDE is made up of special
purpose pieces, each of which can correspond to one or more
basic electronic processes needed for a rights protection
environment. These processes can be combined together like
building blocks to create electronic agreements that can protect
the rights, and may enforce fulfillment of the obligations, of
electronic information users and providers. One or more
providers of electronic information can easily combine selected
building blocks to create a rights application that is unique to a
specific content distribution model. A group of these pieces can
represent the capabilities needed to fuifill the agreement(s)
between users and providers. These pieces accommodate many
requirements of electronic commerce including:
= the distribution of permissions to use electronic
information;
= the persistence of the control information and sets of
control information managing these permissions;
= configurable control set information that can be
selected by users for use with such information;
18
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
= data security and usage auditing of electronic
information; and
0 a secure system for currency, compensation and
debit management.
For electronic commerce, a rights application, under the
preferred embodiment of the present invention, can provide
electronic enforcement of the business agreements between all
participants. Since different groups of components can be put
together for different applications, the present invention can
provide electronic control information for a wide variety of
different products and markets. This means the present
invention can provide a "unified," efficient, secure, and
cost-effective system for electronic commerce and data security.
This allows VDE to serve as a single standard for electronic
rights protection, data security, and electronic currency and
banking.
In a VDE, the separation between a rights application and
its foundation permits the efficient selection of sets of control
= information that are appropriate for each of many different types
of applications and uses. These control sets can reflect both
rights of electronic community members, as well as obligations
-19-
CA 02619962 2008-02-21
WO 98/09Z09 PCT/U397/15243
(such as providing a history of one's use of a product or paying
taxes on one's electronic purchases). VDE flexibility allows its
users to electronically implement and enforce common social and
commercial ethics and practices. By providing a unified control
system, the present invention supports a vast range of possible
transaction related interests and concerns of individuals,
communities, businesses, and governm.ents. Due to its open
design, VDE allows (normally under securely controlled
circumstances) applications using technology independently
created by users to be "added" to the system and used in
conjunction with the foundation-of the invention. In sum, VDE
provides a system that can fairly reflect and enforce agreements
among parties. It is a broad ranging and systematic solution
that answers the pressing need for a secure, cost-effective, and
fair electronic environment.
VDE Implementation
The preferred embodiment of the present invention
includes various tools that enable system designers to directly
insert VDE capabilities into their products. These tools include
an Application Programmer's Interface ("API") and a Rights
Permissioning and Management Language ("RPML"). The
RPML provides comprehensive and detailed control over the use
of the invention's features. VDE also includes certain user
-20-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
interface subsystems for satisfying the needs of content
providers, distributors, and users.
Information distributed using VDE may take many forms.
It may, for example, be "distributed" for use on an individual's
own computer, that is the present invention can be used to
provide security for locally stored data. Alternatively, VDE may
be used with information that is disnersed by authors and/or
publishers to one or more recipients. This information may take
many forms including: movies, audio recordings, games,
electronic catalog shopping, multimedia, training materials,
E-mail and personal documents, object oriented libraries,
software programming resources, and reference/record keeping
information resources (such as business, medical, legal,
scientific, governmental, and consumer databases).
Electronic rights protection provided by the present
invention will also provide an important foundation for trusted
and efficient home and commercial banking, electronic credit
processes, electronic purchasing, true or conditionally
anonymous electronic cash, and EDI (Electronic Data
Interchange). VDE provides important enhancements for
improving data security in organizations by providing "smart"
-21-
CA 02619962 2008-02-21
WO 9&W209 PCT/US97/15243
transaction management features that can be far more effective
than key and password based "go/no go" technology.
VDE normally employs an integration of cryptographic
and other security technologies (e.g. encryption, digital
signatures, etc.), with other technologies including: component,
distributed, and event driven operating system technology, and
related communications, object container, database, smart agent,
smart card, and semiconductor design technologies.
1. Overview
A. VDE Solves Important Problems and Fills
Critical Needs
The world is moving towards an integration of electronic
information appliances. This interconnection of appliances
provides a foundation for much greater electronic interaction and
the evolution of electronic commerce. A variety of capabilities
are required to implement an electronic commerce environment.
VDE is the first system that provides many of these capabilities
and therefore solves fundamental problems related to electronic
dissemination of information.
22 -
CA 02619962 2008-02-21
WO 98109209 rcr/USS7115W
Electronic Content
VDE allows electronic arrangements to be created
involving two or more parties. These agreements can themselves
comprise a collection of agreements between participants in a
commercial value chain and/or a data security chain model for
handling, auditing, reporting, and payment. It can provide
efficient, reusable, modifiable, and consistent means for secure
electronic content: distribution, usage control, usage payment,
usage auditing, and usage reporting. Content may, for example,
include:
= financial information such as electronic currency
and credit;
= commercially distributed electronic information such
as reference databases, movies, games, and
advertising; and
= electronic properties produced by persons and
organizations, such as documents, e-mail, and
proprietary database information.
-23-
CA 02619962 2008-02-21
wo 9&4)9zos Pcr/irs97ns243
VDE enables an electronic commerce marketplace that supports
differing, competitive business partnerships, agreements, and
evolving overall business models.
The features of VDE allow it to function as the first
trusted electronic information control environment that can
conform to, and support, the bulk of conventional electronic
commerce and data security requirements. In particular, VDE
enables the participants in a business value chain model to
create an electronic version of traditional business agreement
terms and conditions and further enables these participants to
shape and evolve their electronic commerce models as they
believe appropriate to their business requirements.
VDE offers an architecture that avoids reflecting specific
distribution biases, administrative and control perspectives, and
content types. Instead, VDE provides a broad-spectrum,
fundamentally configurable and portable, electronic transaction
control, distributing, usage, auditing, reporting, and payment
operating environment. VDE is not limited to being an
application or application specific toolset that covers only a
limited subset of electronic interaction activities and
participants. Rather, VDE supports systems by which such
applications can be created, modified, and/or reused. As a result,
.24.
CA 02619962 2008-02-21
Wo 98/09ZO9 rcr/US971IS'l43
the present invention answers pressing, unsolved needs by
offering a system that supports a standardized control
environment which facilitates interoperability of electronic
appliances, interoperability of content containers, and efficient
creation of electronic commerce applications and models through
the use of a programmable, secure electronic transactions
management foundation and reusable and extensible executable
components. VDE can support a single electronic "world" within
which most forms of electronic transaction activities can be
managed.
To answer the developing needs of rights owners and
content providers and to provide a system that can accommodate
the requirements and agreements of all parLies that may be
involved in electronic business models (creators, distributors,
administrators, users, credit providers, etc. ), VDE supplies an
efficient, largely transparent, low cost and sufficiently secure
system (supporting both hardware/ software and software only
models). VDE provides the widely varying secure control and
administration capabilities required for:
1. Different types of electronic content,
2. Differing electronic content delivery schemes,
-25-
CA 02619962 2008-02-21
WO 9M9209 PCT/US97/15243
3. Differing electronic content usage schemes,
4. Different content usage platforms, and
5. Differing content marketing and model strategies.
VDE may be combined with, or integrated into, many
separate computers and/or other electronic appliances. These
appliances typically include a secure subsystem that can enable
control of content use such as displaying, encrypting, decrypting,
printing, copying, saving, e:etracting, embedding, distributing,
auditing usage, etc. The secure subsystem in the preferred
embodiment comprises one or more "protected processing
environments", one or more secure databases, and secure
"component assemblies" and other items and processes that need
to be kept secured. VDE can, for example, securely control
electronic currency, payments, and/or credit management
(including electronic credit and/or currency receipt,
disbursement, encumbering, and/or allocation) using such a
"secure subsystem."
VDE provides a secure, distributed electronic transaction
management system for controlling the distribution and/or other
usage of electronically provided and/or stored information. VDE
-26-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
controls auditing and reporting of electronic content and/or
appliance usage. Users of VDE may include content creators
who apply content usage, usage reporting, and/or usage payment
related control information to electronic content and/or
appliances for users such as end-user organizations, individuals,
and content andlor appliance distributors. VDE also securely
supports the payment of money owed (including money owed for
content and/or appliance usage) by one or more parties to one or
more other parties, in the form of electronic credit and/or
currency.
Electronic appliances under control of VDE represent VDE
'nodes' that securely process and control; distributed electronic
information andlor appliance usage, control information
formulation, and related transactions. VDE can securely
manage the integration of control information provided by two or
more parties. As a result, VDE can construct an electronic
agreement between VDE participants that represent a
"negotiation" between, the control requirements of, two or more
parties and enacts terms and conditions of a resulting
agreement. VDE ensures the rights of each party to an
electronic agreement regarding a wide range of electronic
activities related to electronic information and/or appliance
usage.
-27-
CA 02619962 2008-02-21
WO 98/09209 PCT/U397115243
Thraugh use of VDE's control system, traditional content
providers and users can create electronic relationships that
reflect traditional, non-electronic relationships. They can shape
and modify commercial relationships to accommodate the
evolving needs of, and agreements among, themselves. VDE
does not require electronic content providers and users to modify
their business practices and personal preferences to conform to a
metering and control application program that supports limited,
largely fixed functionality. Furthermore, VDE permits
participants to develop business models not feasible with non-
electronic commerce, for example, involving detailed reporting of
content usage information, large numbers of distinct
transactions at hitherto infeasibly low price points, "pass-along"
control information that is enforced without involvement or
advance knowledge of the participants, etc.
The present invention allows content providers and users
to formulate their transaction environment to accommodate:
(1) desired content models, content control models, and
content usage information pathways,
(2) a complete range of electronic media and
distribution means,
- 28
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
(3) a broad range of pricing, payment, and auditing
strategies,
(4) very flexible privacy and/or reporting models,
(5) practical and effective security architectures, and
(6) other administrative procedures that together with
- steps (1) through (5) can enable most "real world"
electronic commerce and data security models,
including models unique to the electronic world.
VDE's transaction management capabilities can enforce:
(1) privacy rights of users related to information
regarding their usage of electronic information
and/or appliances,
(2) societal policy such as laws that protect rights of
content users or require the collection of taxes
derived from electronic transaction revenue, and
-29-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
(3) the proprietary and/or other rights of parties related
to ownership of, distribution of, and/or other
commercial rights related to, electronic information.
VDE can support "real" commerce in an electronic form,
that is the progressive creation of commercial relationships that
form, over time, a network of interrelated agreements
representing a value chain business model. This is achieved in
part by enabling content control information to develop through
the interaction of (negotiation between) securely created and
independently submitted sets of content and/or appliance control
information. Different sets of content andior appliance control
information can be submitted by different parties in an electronic
business value chain enabled by the present invention. These
parties create control information sets through the use of their
respective VDE installations. Independently, securely
deliverable, component based control information allows efficient
interaction among control information sets supplied by different
parties.
VDE permits multiple, separate electronic arrangements
to be formed between subsets of parties in a VDE supported
electronic value chain model. These multiple agreements
together comprise a VDE value chain "extended" agreement.
-30-
CA 02619962 2008-02-21
WO 98/09209 rcr/US97/1S243
VDE allows such constituent electronic agreements, and
therefore overall VDE extended agreements, to evolve and
reshape over time as additional VDE participants become
involved in VDE content and/or appliance control information
handling. VDE electronic agreements may also be extended as
new control information is submitted by existing participants.
With VDE, electronic commerce participants are free to structure
and restructure their electronic commerce business activities and
relationships. As a result, the present invention allows a
competitive electronic commerce marketplace to develop since
the use of VDE enables different, widely varying business models
using the same or shared content.
A significant facet of the present invention's ability to
broadly support electronic commerce is its ability to securely
manage independently delivered VDE component objects
containing control information (normallv in the form of VDE
objects containing one or more methods, data, or load module
VDE components). This independently delivered control
information can be integrated with senior and other pre-existing
content control information to securely form derived control
information using the negotiation mechanisms of the present
invention. All requirements specified by this derived control
information must be satisfied before VDE controlled content can
31
CA 02619962 2008-02-21
Wo 9M9Z09 PCTlUS97n5?,43
be accessed or otherwise used. This means that, for example, all
load modules and any mediating data which are listed by the
derived control information as required must be available and
securely perform their required function. In combination with
other aspects of the present invention, securely, independently
delivered control components allow electronic commerce
participants to freely stipulate their business requirements and
trade offs. As a result, much as with traditional, non-electronic
commerce, the present invention allows electronic commerce
(through a progressive stipulation of various control
requirements by VDE participants) to evolve into forms of
business that are the most efficient, competitive and useful.
VDE provides capabilities that rationalize the support of
electronic commerce and electronic transaction management.
This rationalization stems from the reusability of control
structures and user interfaces for a wide variety of transaction
management related activities. As a result, content usage
control, data security, information auditing, and electronic
financial activities, can be supported with tools that are
reusable, convenient, consistent, and familiar. In addition, a
rational approach-a transaction/distribution control
standard-allows all participants in VDE the same foundation
set of hardware control and security, authoring, administration,
-32-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
and management tools to support widely varying types of
information, business market model, and/or personal objectives.
Employing VDE as a general purpose electronic
transaction/distribution control system allows users to maintain
a single transaction management control arrangement on each of
their computers, networks, communication nodes, and/or other
electronic appliances. Such a general purpose system can serve
the needs of many electronic transaction management
applications without requiring distinct, different installations for
different purposes. As a result, users of VDE can avoid the
confusion -and expense and other inefficiencies of different,
limited purpose transaction control applications for each
different content and/or business model. For example, VDE
allows content creators to use the same VDE foundation control
arrangement for both content authoring and for licensing content
from other content creators for inclusion into their products or
for other use. Clearinghouses, distributors, content creators, and
other VDE users can all interact, both with the applications
rti nn;ng on their VDE installations, and with each other, in an
entirely consistent manner, using and reusing (largely
transparently) the same distributed tools, mechanisms, and
consistent user interfaces, regardless of the type of VDE activity.
-33-
CA 02619962 2008-02-21
wo 9MM PGT/I7S97/15243
VDE prevents many forms of unauthorized use of
electronic information, by controlling and auditing (and other
administration of use) electronically stored and/or disseminated
information. This includes, for example, commerciaIIy
distributed content, electronic currency, electronic credit,
business transactions (such as EDI), confidential
communications, and the like. VDE can further be used to
enable commercially provided electronic content to be made
available to users in user defined portions, rather than
constraining the user to use portions of content that were
"predetermined" by a content creator and/or other provider for
billi.ng purposes.
VDE, for example, can employ:
(1) Secure metering means for budgeting and/or
auditing electronic content and/or appliance usage;
(2) Secure flexible means for enabling compensation
and/or biIling rates for content and/or appliance
usage, including electronic credit and/or currency
mechanisms for payment means;
34
CA 02619962 2008-02-21
WO 9sro9209 PCT/US97/15243
(3) Secure distributed database means for storing
control and usage related information (and
employing validated compartmentalization and
tagging schemes);
(4) Secure electronic appliance control means;
(5) A distributed, secure, "virtual black box" comprised
of nodes located at every user (including VDE
content container creators, other content providers,
client users, and recipients of secure VDE cantent
usage information) site. The nodes of said virtual
black box normally include a secure subsystem
having at least one secure hardware element (a
semiconductor element or other hardware module
for securely executing VDE control processes), said
secure subsystems being distributed at nodes along
a pathway of information storage, distribution,
payment, usage, andlor auditing. In some
embodiments, the functions of said hardware
element, for certain or all nodes, may be performed
by software, for example, in host processing
environments of electronic appliances;
-35-
CA 02619962 2008-02-21
WO 98/09209 PCT/U397/15243
(6) Encryption and decryption means;
(7) Secure communications means employing
authentication, digital signaturing, and encrypted
transmissions. The secure subsystems at said user
nodes utilize a protocol that establishes and
authenticates each node's and/or participant's
identity, and establishes one or more secure
host-to-host encryption keys for communications
between the secure subsystems; and
(8) Secure control means that can allow each VDE
installation to perform VDE content authoring
(placing content into VDE containers with
associated control i.nformation), content distribution,
and content usage; as well as clearinghouse and
other administrative and analysis activities
employing content usage information.
VDE may be used to migrate most non-electronic,
traditional information delivery models (including
entertainment, reference materials, catalog shopping, etc.) into
an adequately secure digital distribution and usage management
-36-
CA 02619962 2008-02-21
WO 98/09209 PCTICJS97/15243
and payment context. The distribution and financial pathways
managed by a VDE arrangement may include:
= content creator(s),
= distributor(s),
= redistributor(s),
= client administrator(s),
= client user(s),
= ' financial and/or other clearinghouse(s),
= and/or government agencies.
These distribution and financial pathways may also include:
= advertisers,
= market survey organizations, and/or
= other parties interested in the user usage of
information securely delivered and/or stored using
VDE.
Normally, participants in a VDE arrangement will employ the
same secure VDE foundation. Alternate embodiments support
VDE arrangements employing differing VDE foundations. Such
' alternate embodiments may employ procedures to ensure certain
interoperability requirements are met.
-37-
CA 02619962 2008-02-21
W09B)MO9 PCT/US97/15243
Secure VDE hardware (also known as SPUs for Secure
Processing Units), or VDE installations that use software to
substitute for, or complement, said hardware (provided by Host
Processing Environments (HPEs)), operate in conjunction with
secure cominunications, systems integration software, and
distributed software control information and support structures,
to achieve the electronic contract/rights protection environment
of the present invention. Together, these VDE components
comprise a secure, virtual, distributed content and/or appliance
control, auditing (and other administration), reporting, and
payment environment. In some embodiments and where
commercially acceptable, certain VDE participants, such as
clearinghouses that normally maintain sufficiently physically
secure non-VDE processing environments, may be allowed to
employ HPEs rather VDE hardware elements and interoperate,
for example, with VDE end-users and content providers. VDE
components together comprise a configurable, consistent, secure
and "trusted" architecture for distributed, asynchronous control
of electronic content and/or appliance usage. VDE supports a
"universe wide" environment for electronic content delivery,
broad dissemination, usage reporting, and usage related
payment activities.
38
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
VDE provides generalized configurability. This results, in
part, from decomposition of generalized requirements for
supporting electronic commerce and data security into a broad
range of constituent "atomic" and higher level components (such
as load modules, data elements, and methods) that may be
variously aggregated together to form control methods for
electronic commerce applications, commercial electronic
agreements, and data security arrangements. VDE provides a
secure operating environment employing VDE foundation
elements along with secure independently deliverable VDE
components that enable electronic commerce models and
relationships to develop. VDE specifically supports the unfolding
of distribution models in which content providers, over time, can
expressly agree to, or allow, subsequent content providers and/or
users to participate in shaping the control information for, and
consequences of, use of electronic content and/or appliances. A
very broad range of the functional attributes important for
supporting simple to very complex electronic commerce and data
security activities are supported by capabilities of the present
invention. As a result, VDE supports most types of electronic
information and/or appliance: usage control (including
distribution), security, usage auditing, reporting, other
administration, and payment arrangements.
-39-
CA 02619962 2008-02-21
WO 009209 PGT/US97115243
VDE, in its preferred embodiment, employs object software
technology and uses object technology to form "containers" for
deliverp of information that is (at least in part) enczypted or
otherwise secured. These containers may contain electronic
content products or other electronic information and some or all
of their associated permissions (control) information. These
container objects may be distributed along pathways involving
content providers and/or content users. They may be securely
moved among nodes of a Virtual Distribution Environment
(VDE) arrangement, which nodes operate VDE foundation
software and execute control methods to enact electronic
information usage control and/or administration models. The
containers delivered through use of the preferred embodiment of
the present invention may be employed both for distributing
VDE control instructions (information) and/or to encapsulate and
electronically distribute content that has been at least partially
secured.
Content providers who employ the present invention may
include, for example, software application and game publishers,
database publishers, cable, television, and radio broadcasters,
electronic shopping vendors, and distributors of information in
electronic document, book, periodical, e-mail and/or other forms.
Corporations, government agencies, and/or individual
-40-
CA 02619962 2008-02-21
WO 98/09209 PGT/US97/15243
"end-users" who act as storers of, and/or distributors of,
electronic information, may also be VDE content providers (in a
restricted model, a user provides content only to himself and
employs VDE to secure his own confidential information against
unauthorized use by other parties). Electronic information may
include proprietary and/or confidential information for personal
or internal organization use, as well as information, such as
software applications, documents, entertainment materials,
and/or reference information, which may be provided to other
parties. Distribution mav be by, for example, physical media
delivery, broadcast and/or telecommunication means, and in the
form of "static" files and/or streams of data. VDE may also be
used, for example, for multi-site "real-time" interaction such as
teleconferencing, interactive games, or on-line bulletin boards,
where restrictions on, and/or auditing of, the use of all or
portions of communicated information is enforced.
VDE provides important mechanisms for both enforcing
commercial agreements and enabling the protection of privacy
rights. VDE can securely deliver information from one party to
another concerning the use of commercially distributed electronic
content. Even if parties are separated by several "steps" in a
chain (pathway) of handling for such content usage information,
such information is protected by VDE through encryption and/or
-41-
CA 02619962 2008-02-21
WO 98/09209 PCT/1JS97/15243
other secure processing. Because of that protection, the accuracy
of such information is guaranteed by VDE, and the information
can be trusted by all parties to whom it is delivered.
Furthermore, VDE guarantees that all parties can trust that
such information cannot be received by anyone other than the
intended, authorized, party(ies) because it is encrypted such that
only an authorized party, or her agents, can decrypt it. Such
information may also be derived through a secure VDE process
at a previous pathway-of-handling location to produce secure
VDE reporting information that is then communicated securely
to its intended recipient's VDE secure subsystem. Because VDE
can deliver such information securely, parties to an electronic
agreement need not trust the accuracy of commercial usage
and/or other information delivered through means other than
those under control of VDE.
VDE participants in a commercial value chain can be
"commercially" confident (that is, sufficiently confident for
commercial purposes) that the direct (constituent) and/or
"extended" electronic agreements they entered into through the
use of VDE can be enforced reliably. These agreements may
have both "dynamic" transaction management related aspects,
such as content usage control information enforced through
budgeting, metering, and/or reporting of electronic information
-42-
CA 02619962 2008-02-21
WO 9/09?A9 PCT/US47/1543
and/or appliance use, and/or they may include "static" electronic
assertions, such as an end-user using the system to assert his or
her agreement to pay for services, not to pass to unauthorized
parties electronic information derived from usage of content or
systems, and/or agreeing to observe copyright laws. Not only can
electronically reported transaction related information be trusted
under the present invention, but payment may be automated by
the passing of payment tokens through a pathway of payment
(which may or may not be the same as a pathway for reporting).
Such payment can be conr.ained within a VDE container created
automatically by a VDE installation in response to control
information (located, in the preferred embodiment, in one or
more permissions records) stipulating the "withdrawal" of credit
or electronic currency (such as tokens) from an electronic account
(for example, an account securely maintained by a user's VDE
installation secure subsystem) based upon usage of VDE
controlled electronic content and/or appliances (such as
governments, financial credit providers, and users).
VDE allows the needs of electronic commerce participants
to be served and it can bind such participants together in a
universe wide, trusted commercial network that can be secure
enough to support very large amounts of commerce. VDE's
security and metering secure subsystem core will be present at
-43-
CA 02619962 2008-02-21
WO 9&19M PCT/US9711524.3
all physical locations where VDE related content is (a) assigned
usage related control information (rules and mediating data),
andlor (b) used. This core can perform security and auditing
functions (including metering) that operate within a "virtual
black box," a collection of distributed, very secure VDE related
hardware instances that are interconnected by secured
information exchange (for example, telecommunication)
processes and distributed database means. VDE further
includes highly configurable trainsaction operating system
technology, one or more associated libraries of load modules
along with affiliated data, VDE related administration, data
preparation, and analysis applications, as well as system
software designed to enable VDE integration into host
environments and applications. VDE's usage control
information, for example, provide for property content and/or
appliance related: usage authorization, usage auditing (which
may include audit reduction), usage billing, usage payment,
privacy filtering, reporting, and security related communication
and encryption techniques.
VDE extensively employs methods in the form of software
objects to augment configurability, portability, and security of
the VDE environment. It also employs a software object
architecture for VDE content containers that carries protected
-44-
CA 02619962 2008-02-21
WO 98/09?A9 PCTIUS97/I5243
content and may also carry both freely available information (e.g,
summary, table of contents) and secured content control
information which ensures the performance of control
information. Content control information governs content usage
according to criteria set by holders of rights to an object's
contents and/or according to parties who otherwise have rights
associated with distributing such content (such as governments,
financial credit providers, and users).
In part, security is enhanced by object methods employed
by the present invention because the encryption schemes used to
protect an object can efficiently be further used to protect the
associated content control information (software control
information and relevant data) from modification. Said object
techniques also enhance portability between various computer
andlor other appliance environments because electronic
information in the form of content can be inserted along with (for
example, in the same object container as) content control
information (for said content) to produce a "published" object.
As a result, various portions of said control information may be
specificaIly adapted for different environments, such as for
diverse computer platforms and operating systems, and said
various porticns may all be carried by a VDE container.
-45-
CA 02619962 2008-02-21
Wo 9&09z09 rcrIUS97ns2a3
An objective of VDE is supporting a
transaction/distribution control standard. Development of such a
standard has many obstacles, given the security requirements
and related hardware and communications issues, widely
differing environments, information types, types of information
usage, business andlor data security goals, varieties of
participants, and properties of delivered information. A
significant feature of VDE accommodates the many, var-i.ng
distribution and other transaction variables by, in part,
decomposing electronic commerce and data security functions
into generalized capability modules executable within a secure
hardware SPU and/or corresponding software subsystem and
further allowing extensive flexibility in assembling, modifving,
and/or replacing, such modules (e.g. load modules and/or
methods) in applications run on a VDE installation foundation.
This configurability and reconfigurability allows electronic
commerce and data security participants to reflect their
priorities and requirements through a process of iteratively
shaping an evolving extended electronic agreement (electronic
control model). This shaping can occur as content control
information passes from one VDE participant to another and to
the extent allowed by "in place" content control information.
This process allows users of VDE to recast existing control
-46-
CA 02619962 2008-02-21
Wo 98/09?A9 PCT/US97nU43
information and/or add new control information as necessary
(including the elimination of no longer required elements).
= VDE supports trusted (sufficiently secure) electronic
information distribution and usage control models for both
commercial electronic content distribution and data security
applications. It can be configured to meet the diverse
requirements of a network of interrelated participants that may
include content creators, content distributors, client
administrators, end users, and/or clearinghouses and/or other
content usage information users. These parties may constitute a
network of participants involved in simple to complex electronic
content dissemination, usage control, usage reporting, and/or
usage payment. Disseminated content mav include both
originally provided and VDE generated information (such as
content usage information) and content control information may
persist through both chains (one or more pathways) of content
and content control information handling, as well as the direct
usage of content. The configurability provided by the present
invention is particularly critical for supporting electronic
commerce, that is enabling businesses to create relationships
and evolve strategies that offer competitive value. Electronic
commerce tools that are not inherently configurable and
interoperable wiIl ultimately fail to produce products (and
-47-
CA 02619962 2008-02-21
WO 98/09209 PC,T/US97115243
services) that meet both basic requirements and evolving needs
of most commerce applications.
VDE's fundamental configurability will allow a broad
range of competitive electronic commerce business models to
flourish. It allows business models to be shaped to maimize
revenues sources, end-user product value, and operating
efficiencies. VDE can be employed to support multiple, differing
models, take advantage of new revenue opportunities, and
deliver product configurations most desired by users. Electronic
commerce technologies that do not, as the present invention
does:
= support a broad range of possible, complementary
revenue activities,
= offer a flexible array of content usage features most
desired by customers, and
= exploit opportunities for operating efficiencies,
will result in products that are often intrinsically more costly
and less appealing and therefore less competitive in the
marketplace.
Some of the key factors contributing to the configurability
intrinsic to the present invention include:
-48-
CA 02619962 2008-02-21
wo 9&109M rcrrtrs97MAQ43
(a) integration into the fundamental control
environment of a broad range of electronic
appliances through portable API and pro-
language tools that efficiently support merging of
control and auditing capabilities in nearly any
electronic appliance environment while maintaining
overall system security;
(b)- modular data structures;
(c) generic content model;
(d) general modularity and independence of foundation
architectural components;
(e) modular security structures;
(f) variable length and multiple branching chains of
control; and
(g) independent, modular control structures in the form
of executable load modules that can be maintained
' in one or more libraries, and assembled into control
methods and models, and where such model control
- 49
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
schemes can "evolve" as control information passes
through the VDE installations of participants of a
pathway of VDE content control information
handling.
Because of the breadth of issues resolved by the present
invention, it can provide the emerging "electronic highway" with
a single transaction/distribution control system that can, for a
very broad range of commercial and data security models, ensure
against unauthorized use of confidential and/or proprietary
information and commercial electronic transactions. VDE's
electronic transaction management mechanisms can enforce the
electronic rights and agreements of all parties participating in
widely varying business and data security models, and this can
be efficiently achieved through a single VDE implementation
within each VDE participant's electronic appliance. VDE
supports widely varying business and/or data security models
that can involve a broad range of participants at various "levels"
of VDE content and/or content control information pathways of
handling. Different content control and/or auditing models and
agreements mav be available on the same VDE installation.
These models and agreements may control content in
relationship to, for example, VDE installations and/or users in
general; certain specific users, installations, classes and/or other
-50-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
groupings of installations andlor users; as well as to electronic
content generally on a given installation, to specific properties,
property portions, classes and/or other groupings of content.
Distribution using VDE may package both the electronic
content and control information into the same VDE container,
and/or may involve the delivery to an end-user site of different
pieces of the same VDE managed property from plural separate
remote locations and/or in plural separate VDE content
containers andlor employing plural different delivery means.
Content control information may be partially or fully delivered
separately from its associated content to a user VDE installation
in one or more VDE administrative objects. Portions of said
control information may be delivered from one or more sources.
Control information may also be available for use by access from
a user's VDE installation secure sub-system to one or more
remote VDE secure sub-systems and/or VDE compatible,
certified secure remote locations. VDE control processes such as
metering, budgeting, decrypting and/or fingerprinting, may as
relates to a certain user content usage activity, be performed in a
user's local VDE installation secure subsystem, or said processes
may be divided amongst plural secure subsystems which may be
located in the same user VDE installations and/or in a network
server and in the user i.nstallation. For example, a local VDE
-51-
CA 02619962 2008-02-21
WO 98/09209 pCT/US97/15243
i,nstallation may perform decryption and save any, or all of,
usage metering information related to content and/or electronic
appliance usage at such user installation could be performed at
the server employing secure (e.g., encrypted) communications
between said secure subsystems. Said server location may also
be used for near real time, frequent, or more periodic secure
receipt of content usage information from said user instaLlation,
with, for example, metered information being maintained on2y
temporarily at a local user installation.
Delivery means for VDE managed content may include
electronic data storage means such as optical disks for delivering
one portion of said information and broadcasting and/or
telecommunicating means for other portions of said information.
Electronic data storage means may include magnetic media,
optical media, combined magneto-optical systems, flash RAM
memory, bubble memory, andlor other memory storage means
such as huge capacity optical storage systems employing
holographic, frequency, and/or polarity data storage techniques.
Data storage means may also employ layered disc techniques,
such as the use of generally transparent and/or translucent
materials that pass light through layers of data carrying discs
which themselves are physically packaged together as one
-52-
CA 02619962 2008-02-21
WO 98/09209 PCT/IJS97115243
thicker disc. Data carrying locations on such discs may be, at
least in part, opaque.
VDE supports a general purpose foundation for secure
transaction management, including usage control, auditing,
reporting, and/or payment. Tbis general purpose foundation is
called "VDE Functions" ("VDEFs"). VDE also supports a
collection of "atomic" application elements (e.g., load modules)
that can be selectively aggregated together to form various
VDEF capabilities called control methods and which serve as
VDEF applications and operating system functions. When a host
operating environment of an electronic appliance includes VDEF
capabzlities, it is called a "Rights Operating System' (ROS).
VDEF load modules, associated data, and methods form a body of
.15 information that for the purposes of the present invention are
called "control information." VDEF control information may be
specifically associated with one or more pieces of electronic
content and/or it may be employed as a general component of the
operating system capabilities of a VDE installation.
VDEF transaction control elements reflect and enact
content specific and/or more generalized administrative (for
example, general operating system) control information. VDEF
capabilities which can generally take the form of applications
-53-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
(application models) that have more or less configurability which
can be shaped bv VDE participants, through the use, for
example, of VDE templates, to employ specific capabilities, along,
for example, with capability parameter data to reflect the
elements of one or more express electronic agreements between
VDE participants in regards to the use of electronic content such
as commercially distributed products. These control capabilities
manage the use of, and/or auditing of use of, electronic content,
as well as reporting information based upon content use, and any
payment for said use. VDEF capabilities may "evolve" to reflect
the requirements of one or more successive parties who receive
or otherwise contribute to a given set of control information.
Frequently, for a VDE application for a given content model
(such as distribution of entertainment on CD-ROM, content
delivery from an Internet repositorv, or electronic catalog
shopping and advertising, or some combination of the above)
participants would be able to securely select from amongst
available, alternative control methods and apply related
parameter data, wherein such selection of control method and/or
submission of data would constitute their "contribution" of
control information. Alternatively, or in addition, certain control
methods that have been expressly certified as securely
interoperable and compatible with said application may be
independently submitted by a participant as part of such a
54
CA 02619962 2008-02-21
WO 98/09Z09 PC'T/US99115Z43
contribution. In the most general example, a generally certified
load module (certified for a given'VDE arrangement and/or
content class) may be used with many or any VDE application
that operates in nodes of said arrangement. These parties, to the
extent they are allowed, can independently and securely add,
delete, and/or otherwise modify the specification of load modules
and methods, as well as add, delete or otherwise modify related
information.
Normally the party who creates a VDE content container
defines the general nature of the VDEF capabilities that will
and/or may apply to certain electronic information. A VDE
content container is an object that contains both content ( for
example, commercially distributed electronic information
products such as computer software programs, movies, electronic
publications or reference materials, etc.) and certain control
information related to the use of the object's content. A creating
party may make a VDE container available to other parties.
Control information delivered by, and/or otherwise available for
use with, VDE content containers comprise (for commercial
content distribution purposes) VDEF control capabilities (and
any associated parameter data) for electronic content. These
capabilities may constitute one or more "proposed" electronic
agreements (and/or agreement functions available for selection
- 55
CA 02619962 2008-02-21
WO 98i09209 PCT/US97/15243
and/or use with parameter data) that manage the use and/or the
consequences of use of such content and which can enact the
terms and conditions of agreements involving multiple parties
and their various rights and obligations.
A VDE electronic agreement may be explicit, through a
user interface acceptance by one or more parties, for example by
a"junior" party who has received control information from a
"senior" party, or it may be a process amongst equal parties who
individually assert their agreement. Agreement may also result
from an automated electronic process during which terms and
conditions are "evaluated" by certain VDE participant control
information that assesses whether certain other electronic terms
and conditions attached to content and/or submitted by another
party are acceptable (do not violate acceptable control
information criteria). Such an evaluation process may be quite
simple, for example a comparison to ensure compatibility
between a portion of, or all senior, control terms and conditions
in a table of terms and conditions and the submitted control
information of a subsequent participant in a pathway of content
control information handling, or it may be a more elaborate
process that evaluates the potential outcome of, and/or
implements a negotiation process between, two or more sets of
control information submitted by two or more parties. VDE also
-56-
CA 02619962 2008-02-21
WO 98109209 PCT/US971aS?A3
accommodates a semi-automated process during which one or
more VDE participants directly, through user interface means,
resolve "disagreements" between control information sets by
accepting and/or proposing certain control information that may
be acceptable to control information representing one or more
other parties interests and/or responds to certain user interface
queries for selection of certain alternative choices and/or for
certain parameter information, the responses being adopted if
acceptable to applicable senior control information.
When another party (other than the first applier of rules),
perhaps through a negotiation process, accepts, and/or adds to
and/or otherwise modifies, "in place" content control information,
a VDE agreement between two or more parties related to the use
of such electronic content may be created (so long as any
modifications are consistent with senior control information).
Acceptance of terms and conditions related to certain electronic
content may be direct and express, or it may be implicit as a
result of use of content (depending, for example, on legal
requirements, previous exposure to such terms and conditions,
and requirements of in place control information).
VDEF capabilities may be employed, and a VDE
agreement may be entered into, by a plurality of parties without
57 -
CA 02619962 2008-02-21
wO 9~M09 PCT/[JS97115243
the VDEF capabilities being directly associated with the
controlliug of certain, specific electronic information. For
example, certain one or more VDEF capabilities may be present
at a VDE installation, and certain VDE agreements may have
been entered into during the registration process for a content
distribution application, to be used by such installation for
securely controlling VDE content usage, auditing, reporting
and/or payment. Similarly, a specific VDE participant may enter
into a VDE user agreement with a VDE content or electronic
appliance provider when the user and/or her appliance register
with such provider as a VDE installation and/or user. In such
events, VDEF in place control information available to the user
VDE installation may require that certain VDEF methods are
employed, for example in a certain sequence, in order to be able
to use all and/or certain classes, of electronic content and/or VDE
applications.
VDE ensures that certain prerequisites necessary for a
given transaction to occur are met. This includes the secure
execution of any required load modules and the availability of
any required, associated data. For example, required load
modules and data (e.g. in the form of a method) might specify
that sufficient credit from an authorized source must be
confirmed as available. It might further require certain one or
-58-
CA 02619962 2008-02-21
WO 98109209 PCT/US97/15243
more load modules execute as processes at an appropriate time
to ensure that such credit will be used in order to pay for user
use of the content. A certain content provider might, for
example, require metering the number of copies made for
distribution to employees of a given software program (a portion
of the program might be maintained in encrypted form and
require the presence of a VDE installation to run). This would
require the execution of a metering method for copying of the
property each time a copy was made for another employee. This
same provider might also charge fees based on the total number
of different properties licensed from them by the user and a
metering history of their licensing of properties might be
required to maintain this information.
VDE provides organization, community, and/or universe
wide secure environments whose integrity is assured by
processes securely controlled in VDE participant user
installations (nodes). VDE installations, in the preferred
embodiment, may include both software and tamper resistant
hardware semiconductor elements. Such a semiconductor
arrangement comprises, at least in part, special purpose circuitry
that has been designed to protect against tampering with, or
unauthorized observation of, the information and functions used
in performing the VDE's control fnnctions. The special purpose
-59-
._...._.
CA 02619962 2008-02-21
WO 99W209 PCT1US97115243
secure circuitry provided by the present invention includes at
least one of a dedicated semiconductor arrangement known as a
Secure Processing Unit (SPU) and/or a standard microprocessor,
microcontroller, and/or other processing logic that accommodates
the requirements of the present invention and functions as an
SPU. VDE's secure hardware may be found incorporated into,
for example, a fax/modem chip or chip pack, I/O controller, video
display controller, and/or other available digital processing
arrangenients. It is anticipated that portions of the present
invention's VDE secure hardware capabilities may ultimately be
standard design elements of central processing units (CPUs) for
computers and various other electronic devices.
Designing VDE capabilities into one or more standard
microprocessor, microcontroller and/or other digital processing
components may materially reduce VDE related hardware costs
by employing the same hardware resources for both the
transaction management uses contemplated by the present
invention and for other, host electronic appliance functions. This
means that a VDE SPU can employ (share) circuitry elements of
a "standard" CPU. For example, if a "standard" processor can
operate in protected mode and can execute VDE related
instructions as a protected activity, then such an embodiment
may provide sufficient hardware security for a variety of
-60-
CA 02619962 2008-02-21
WO 98109209 PCT/US97115243
applications and the expense of a special purpose processor
might be avoided. Under one preferred embodiment of the
present invention, certain memory (e.g., RAM, ROM, NZTR,AM) is
maintained during VDE related instruction processing in a
protected mode (for example, as supported by protected mode
microprocessors). This memory is located in the same package as
the processing logic (e.g. processor). Desirably, the packaging
and memory of such a processor would be designed using
security techniques that enhance its resistance to tampering.
The degree of overall security of the VDE system is
primarily dependent on the degree of tamper resistance and
concealment of VDE control process execution and related data
storage activities. Employing special purpose semiconductor
packaging techniques can significantly contribute to the degree
of security. Concealment and tamper-resistance in
semiconductor memory (e.g., RAlti1, ROM, NVRAM) can be
achieved, in part, by employing such memory within an SPU
package, by encrypting data before it is sent to external memory
(such as an external RAM package) and decrypting encrypted
data within the CPU/RAM package before it is executed. This
process is used for important VDE related data when such data
is stored on unprotected media, for example, standard host
storage, such as random access memory, mass storage, etc. In
-61-
CA 02619962 2008-02-21
WO 98/09209 PCT1US97/15243
that event, a VDE SPU would encrypt data that results from a
secure VDE execution before such data was stored in external
memory.
Summary of Some Important Featuree Provided by VDE in
Accordance With the Present Invention
VDE employs a variety of capabilities that serve as a
foundation for a general purpose, sufficiently secure distributed
electronic commerce solution. VDE enables an electronic
commerce marketplace that supports divergent, competitive
business partnerships, agreements, and evolving overall
business models. For example, VDE includes features that:
"sufficiently" impede unauthorized andlor
uncompensated use of electronic information andlor
appliances through the use of secure
communication, storage, and transaction
management technologies. VDE supports a model
wide, distributed security implementation which
creates a single secure "virtual" transaction
processing and information storage environment.
VDE enables distributed VDE installations to
securely store and communicate information and
remotely control the execution processes and the
-62-
CA 02619962 2008-02-21
WO 98/09209 PGT/US97/15243
character of use of electronic information at other
VDE installations and in a wide variety of ways;
= support low-cost, efficient, and effective security
architectures for transaction control, auditing,
reporting, and related communications and
information storage. VDE may employ tagging
related security techniques, the ti.me-ageing of
encryption keys, the compartmentaiization of both
stored control information (including di.fferentially
tagging such stored information to ensure against
substitution and tampering) and distributed content
(to, for many content applications, employ one or
more content encryption keys that are unique to the
specific VDE installation andior user), private key
techniques such as triple DES to encrypt content,
public key techniques such as RSA to protect
communications and to provide the benefits of
digital signature and authentication to securely bind
together the nodes of a VDE arrangement, secure
processing of important transaction management
executable code, and a combining of a small amount
of highly secure, hardware protected storage space
with a much larger "exposed" mass media storage
-63-
CA 02619962 2008-02-21
WO 98/09209 PGT/US971151A.3
space storing secured (normally encrypted and
tagged) control and audit information. VDE
employs special purpose hardware distributed
throughout some or all locations of a VDE
implementation: a) said hardware controlli.ng
imporcant elements of content preparation (such as
causing such content to be placed in a VDE content
container and associating content control
information with -said content), content and/or
electronic appliance usage auditing, content usage
analysis, as well as content usage control; and b)
said hardware having been designed to securely
handle processing load module control activities,
wherein said control processing activities may
involve a sequence of required control factors;
a support dynamic user selection of information
subsets of a VDE electronic information product
(VDE controlled content). This contrasts with the
constraints of having to use a few high level
individual, pre-defined content provider information
increments such as being required to select a whole
information product or product section in order to
acquire or otherwise use a portion of such product or
-64-
CA 02619962 2008-02-21
WO 98/09209 PGTlUS97/15243
section. VDE supports metering and usage control
over a variety of increments (including "atomic"
increments, and combinations of different increment
types) that are selected ad hoc by a user and
represent a collection of pre-identified one or more
increments (such as one or more blocks of a
preidentified nature, e.g., bytes, images, logically
related blocks) that form a generally arbitrary, but
logical to a user, content "deliverable." VDE control
information (including budgeting, pricing and
metering) can be configured so that it can
specifically apply, as appropriate, to ad hoc selection
of different, unanticipated variable user selected
aggregations of information increments and pricing
levels can be, at least in part, based on quantities
and/or nature of mixed increment selections (for
example, a certain quantitv of certain text could
mean associated images might be discounted by
15%; a greater quantity of text in the "mixed"
increment selection might mean the images are
discounted 20%). Such user selected aggregated
information increments can reflect the actual
requirements of a user for information and is more
flexible than being limited to a single, or a few, high
- 65
CA 02619962 2008-02-21
WO 9&49209 PCT/US97115243
level, (e.g. product, document, database record)
predetermined increments. Such high level
increments may include quantities of information
not desired by the user and as a result be more
costly than the subset of information needed by the
user if such a subset was available. In sum, the
present invention allows information contained in
electronic information products to be supplied
according to user specification. Tailoring to user
specification allows the present invention to provide
the greatest value to users, which in turn will
generate the greatest amount of electronic commerce
activity. The user, for example, would be able to
define an aggregation of content derived from
various portions of an available content product, but
which, as a deliverable for use by the user, is an
entirely unique aggregated increment, The user
may, for example, select certain numbers of bytes of
information from various portions of an information
product, such as a reference work, and copy them to
disc in unencrypted form and be billed based on
total number of bytes plus a surcharge on the
number of "articles" that provided the bytes. A
content provider might reasonably charge less for
66
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
such a user defined information increment since the
user does not require all of the content from all of
the articles that contained desired information. This
process of defining a user desired information
increment may involve artificial intelligence
database search tools that contribute to the location
of the most relevant portions of information from an
information product and cause the automatic display
to the user of information describing search criteria
hits for user selection or the automatic extraction
and delivery of such portions to the user. VDE
further supports a wide variety of predefined
increment types including:
= bytes,
= images,
= content over time for audio or video, or any
other increment that can be identified by content
provider data mapping efforts, such as:
= sentences,
= paragraphs,
= articles,
= database records, and
= byte offsets representing increments of
logically related information.
-67-
CA 02619962 2008-02-21
Wo 9&09Z09 PGT/IJS97/1S?A3
VDE supports as many simultaneous predefined increment types
as may be practical for a given type of content and business
model.
= securely store at a user-'s site potentially higbly
detailed information reflective of a user's usage of a
variety of different content segment types and
employing both inexpensive "exposed" host mass
storage for maintaining detailed information in the
form of encrypted data and maintaining summary
information for security testing in highly secure
special purpose VDE installation nonvolatile
memory (if available).
= support trusted chain of handling capabilities for
pathways of distributed electronic information
and/or for content usage related information. Such
chains may extend, for example, from a content
creator, to a distributor, a redistributor, a client
user, and then may provide a pathway for securely
reporting the same and/or differing usage
information to one or more auditors, such as to one
or more independent clearinghouses and then back
to the content providers, including content creators.
-68-
CA 02619962 2008-02-21
WO 98l09209 PGT/US97/15243
The same and/or different pathways employed for
certain content handling, and related content control
information and reporting information handling,
may also be employed as one or more pathways for
electronic payment handling (payment is
characterized in the present invention as
administrative content) for electronic content and/or
appliance usage. These pathways are used for
conveyance of all or portions of content, and/or
content related control information. Content
creators and other providers can specify the
pathways that, partially or fully, must be used to
disseminate commerciallv distributed property
content, content control information, payment
administrative content, and/or associated usage
reporting information. Control information specified
by content providers may also specify which specific
parties must or may (including, for example, a group
of eligible parties from which a selection may be
made) handle conveyed information. It may also
specify what transmission means (for example
telecommunication carriers or media types) and
= transmission hubs must or may be used.
69
CA 02619962 2008-02-21
WO 98J09209 PCT/US97/15243
= support flexible auditing mechanisms, such as
employing "bitmap meters," that achieve a high
degree of efficiency of operation and throughput and
allow, in a practical manner, the retention and
ready recall of information related to previous usage
activities and related patterns. This flexibility is
adaptable to a wide variety of biIli.ng and security
control strategies such as:
= upgrade pricing (e.g. suite purchases),
~ pricing discounts (including quantity
discounts),
~ billing related time duration variables such as
discounting new purchases based on the
timing of past purchases, and
~ security budgets based on quantity of
different, logically related units of electronic
information used over an interval of time.
Use of bitmap meters (including "regulal' and
"wide" bitmap meters) to record usage and/or
purchase of information, in conjunction with other
elements of the preferred embodiment of the present
invention, uniquely supports efficient maintenance
of usage history for: (a) rental, (b) flat fee licensing
- 70
CA 02619962 2008-02-21
WO 98/0920 PCT/US97/15243
or purchase, (c) licensing or purchase discounts
based upon historical usage variables, and (d)
reporting to users in a manner enabling users to
determine whether a certain item was acquired, or
acquired within a certain time period (without
requiring the use of conventional database
mechanisms, which are highly inefficient for these
applications). Bitmap meter methods record
activities associated with electronic appliances,
properties, objects, or portions thereof,.and/or
administrative activities that are independent of
specific properties, objects, etc., performed by a user
and/or electronic appliance such that a content
and/or appliance provider and/or controller of an
administrative activity can determine whether a
certain activity has occurred at some point, or
during a certain period, in the past (for example,
certain use of a commercial electronic content
product and/or appliance). Such determinations can
then be used as part of pricing and/or control
strategies of a content and/or appliance provider,
and/or controller of an administrative activity. For
example, the content provider may choose to charge
only once for access to a portion of a property,
-71-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
regardless of the number of times that portion of the
property is accessed by a user.
= support "launchable" content, that is content that
can be provided by a content provider to an
end-user, who can then copy or ,pass along the
content to other end-user parties without requiring
the direct participation of a content provider to
register and/or otherwise initialize the content for
use. This content goes "out of (the traditional
distribution) channel" in the form of a "traveling
object." Traveling objects are containers that
securely carry at least some permissions information
and/or methods that are required for their use (such
methods need not be carried by traveling objects if
the required methods wiIl be available at, or directly
available to, a destination VDE installation).
Certain travelling objects may be used at some or all
VDE i.nstallations of a given VDE arrangement since
they can make available the content control
information necessary for content use without
requiring the involvement of a commercial VDE
value chain participant or data security
administrator (e.g. a control officer or network
-72-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
administrator). As long as traveling object control
information requirements are available at the user
VDE installation secure subsystem (such as the
presence of a sufficient quantity of financial credit
from an authorized credit provider), at least some
travelling object content may be used by a receiving
party without the need to establish a connection
with a remote VDE authority (until, for example,
budgets are exhausted or a time content usage
reporting interval has occurred). Traveling objects
can travel "out-of-channel," allowing, for example, a
user to give a copy of a traveling object whose
content is a software program, a movie or a game, to
a neighbor, the neighbor being able to use the
traveling object if appropriate credit (e.g. an
electronic clearinghouse account from a
clearinghouse such as VISA or AT&T) is available.
Similarly, electronic information that is generally
available on an Internet, or a similar network,
repository might be provided in the form of a
traveling object that can be downloaded and
subsequently copied by the initial downloader and
then passed along to other parties who may pass the
object on to additional parties.
-73-
CA 02619962 2008-02-21
wo 98r092o9 rcr/US97115?,43
= provide very flexible and extensible user
identification according to individuals, installations,
by groups such as classes, and by function and
hierarchical identification employing a hierarchy of
levels of client identification (for example, client
organization ID, client department ID, ciient
network ID, client project ID, and client employee
ID, or any appropriate subset of the above).
= provide a general purpose, secure, component based
content control and distribution system that
functions as a foundation transaction operating
system environment that employs executable code
pieces crafted for transaction control and auditing.
These code pieces can be reused to optimize
efficiency in creation and operation of trusted,
distributed transaction management arrangements.
VDE supports providing such executable code in the.
form of "atomic" load modules and associated data.
Many such load modules are inherently
configurable, aggregatable, portable, and extensible
and singularly, or in combination (along with
associated data), run as control methods under the
VDE transaction operating environment. VDE can
-74-
CA 02619962 2008-02-21
w0 9M92{19 Pcr/Us97115243
satisfy the requirements of widely differing
electronic commerce and data security applications
by, in part, employing this general purpose
transaction management foundation to securely
process VDE transaction related control methods.
Control methods are created primarily through the
use of one or more of said executable, reusable load
module code pieces (normally in the form of
executable object components) and associated data.
The component nature of control methods allows the
present invention to efficiently operate as a highly
configurable content control system. Under the
present invention, content control models can be
iteratively and asynchronously shaped, and
otherwise updated to accommodate the needs of
VDE participants to the extent that such shaping
and otherwise updating conforms to constraints
applied by a VDE application, if any (e.g., whether
new component assemblies are accepted and, if so,
what certification requirements exist for such
component assemblies or whether any or certain
participants may shape any or certain control
information by selection amongst optional control
information (permissions record) control methods.
-75-
CA 02619962 2008-02-21
WO 98J09209 PCT/US97/15243
This iterative (or concurreat) multiple participant
process occurs as a result of the submission and use
of secure, control information components
(executable code such as load modules and/or
methods, and/or associated data). These
components may be contributed independently by
secure communication between each control
information influencing VDE participant's VDE
installation and may require certification for use
with a given application, where such certification
was provided by a certification service manager for
the VDE arrangement who ensures secure
interoperabitity and/or reliability (e.g., bug control
resulting from interaction) between appliances and
.15 submitted control methods. The transaction
management control functions of a VDE electronic
appliance transaction operating environment
interact with non-secure transaction management
operating system functions to properly direct
transaction processes and data related to electronic
information security, usage control, auditing, and
usage reporting. VDE provides the capability to
manages resources related to secure VDE content
-76-
CA 02619962 2008-02-21
WO 98/09209 PCTlUS97/!S?A3
and/or appliance control 'information execution and
data storage.
= facilitate creation of application andlor system
functionality under VDE and to facilitate integration
into electronic appliance environments of load
modules and methods created under the present
invention. To achieve this, VDE employs an
Application Programmer's Interface (API) and/or a
transaction operaLting system (such as a ROS)
programming language with incorporated functions,'
both of which support the use of capabilities and can
be used to efficiently and tightlv integrate VDE
functionality into commercial and user applications.
= support user interaction through: (a) "Pop-Up"
applications which, for example, provide messages to
users and enable users to take specific actions such
as approving a transaction, (b) stand-alone VDE
applications that provide administrative
environments for user activities such as: end-user
preference specifications for limiting the price per
transaction, unit of time, and/or session, for
-77-
CA 02619962 2008-02-21
WO 98109209 PCT/U597/15243
accessing history information concerai.ng previous
transactions, for reviewing financial information
such as budgets, expenditures (e.g. detailed and/or
summary) and usage analysis information, and (c)
VDE aware applications which, as a result of the use
of a VDE API and/or a transaction management (for
example, ROS based) programming language
embeds VDE "awareness" into commercial or
internal software (application programs, games, etc.)
so that VDE user control information and services
are seamlessly integrated into such software and
can be directly accessed by a user since the
underlying functionality has been integrated into
the commercial software's native design. For
example, in a VDE aware word processor
application, a user may be able to "print" a
document into a VDE content container object,
applying specific control information by selecting
from amongst a series of different menu templates
for different purposes (for example, a confidential
memo template for internal organization purposes
may restrict the ability to "keep," that is to make an
electronic copy of the memo).
-78-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
= employ "templates" to ease the process of configuring
capabilfties of the present invention as they relate to
specific industries or businesses. Templates are
applications or application add-ons under the
present invention. Templates support the efficient
specification and/or manipulation of criteria related
to specific content types, distribution approaches,
pricing mechanisms, user interactions with content
and/or administrative activities, and/or the like.
Given the very large range of capabilities and
configurations supported by the present invention,
reducing the range of configuration opportunities to
a manageable subset particularly appropriate for a
given business model allows the full configurable
.15 power of the present invention to be easily employed
by "typicaP' users who would be otherwise burdened
with complex program*r-ing and/or configuration
design responsibilities template applications can
also help ensure that VDE related processes are
secure and optimally bug free by reducing the risks
associated with the contribution of independently
. developed load modules, includi.ng unpredictable
= aspects of code interaction between independent
modules and applications, as well as security risks
-79-
CA 02619962 2008-02-21
WO 9819Za9 PCT/(JS97/1S?A3
associated with possible presence of viruses in such
modules. VDE, through the use of templates,
reduces typical user configuration responsibilities to
an appropriately focused set of activities including
selection of method types (e.g. functionality) through
menu choices such as multiple choice, icon selection,
and/or prompting for method parameter data (such
as identification information, prices, budget limits,
dates, periods of time, access rights to specific
content, etc.) that supply appropriate and/or
necessary data for control information purposes. Bg
limiting the typical (non-programaung) user to a
limited subset of configuration activities whose
general configuration environment (template) has
been preset to reflect general requirements
corresponding to that user, or a content or other
business model can very substantially limit
difficulties associated with content containerization
(including placing initial control information on
content), distribution, client administration,
electronic agreement implementation, end-user
interaction, and clearinghouse activities, including
associated interoperability problems (such as
conflicts resulting from security, operating system,
-80-
CA 02619962 2008-02-21
wo 9W92o9 rCrnJ39710243
and/or certification incompatibilities). Use of
appropriate VDE templates can assure users that
their activities related to content VDE
containerization, contribution of other control
information, communications, encryption techniques
and/or keys, etc. will be in compliance with
specifications for their distributed VDE
arrangement. VDE templates constitute preset
configurations that can normally be reconfigurable
to allow for new and/or modified templates that
reflect adaptation into new industries as they evolve
or to reflect the evolution or other change of an
existing industry. For example, the template
concept may be used to provide individual, overall
frameworks for organizations and individuals that
create, modify, market, distribute, consume, and/or
otherwise use movies, audio recordings and live
performances, magazines, telephony based retail
sales, catalogs, computer software, information data
bases, multimedia, commercial communications,
advertisements, market surveys, infomercials,
games, CAD/CAM services for numerically
= controlled machines, and the like. As the context
surrounding these templates changes or evolves,
-81-
CA 02619962 2008-02-21
WO 98/09209 PGT/1JS97/15243
template applications provided under the present
invention may be modified to meet these changes for
broad use, or for more focused activities. A given
VDE participant may have a plurality of templates
available for different tasks. A party that places
content in its initial VDE container may have a
variety of different, configurable templates
depending on the type of content and/or business
model related to the content. An end-user may have
different configurable templates that can be applied
to different document types (e-mail, secure internal
documents, database records, etc.) andlor subsets of
users (applying differing general sets of control
information to different bodies of users, for example,
.15 selecting a list of users who may, under certain
preset criteria, use a certain document). Of course,
templates may, under certain circumstances have
fixed control information and not provide for user
selections or parameter data entry.
= support plural, different control models regulating
the use and/or auditing of either the same specific
copy of electronic information content and/or
differently regulating different copies (occurrences)
-82-
CA 02619962 2008-02-21
WO 98/09209 PC'F/US97/15243
of the same electronic information content.
Differing models for billing, auditing, and security
can be applied to the same piece of electronic
information content and such differing sets of
control information may employ, for control
purposes, the same, or differing, granularities of
electronic information control increments. This
includes supporting variable control information for
budgeting and auditing usage as applied to a variety
of predefined increments of electronic- information,
including employing a variety of different budgets
andlor metering increments for a given electronic
information deliverable for: billing units of measure,
credit limit, security budget limit and security
content metering increments, and/or market
surveying and customer profiling content metering
increments. For example, a CD-ROM disk with a
database of scientific articles might be in part billed
according to a formula based on the number of bytes
decrypted, number of articles containing said bytes
decrypted, while a security budget might limit the
- use of said database to no more than 5% of the
database per month for users on the wide area
network it is installed on.
-83-
CA 02619962 2008-02-21
WO 9B/09209 PCT/US97/15243
provide mechanisms to persistently maintain
trusted content usage and reporting control
information through both a sufficiently secure chain
of handling of content and content control
information and through various forms of usage of
such content wherein said persistence of control may
survive such use. Persistence of control includes the
ability to extract information from a VDE container
object by creating a new container whose contents
are at least in part secured and that contains both
the extracted content and at least a portion of the
control information which control information of the
original container and/or are at least in part
produced by control information of the original
container for this purpose and/or VDE installation
control information stipulates should persist and/or
control usage of content in the newly formed
container. Such control information can continue to
manage usage of container content if the container
is "embedded" into another VDE managed object,
such as an object which contains plural embedded
VDE containers, each of which contains content
derived (extracted) from a different source.
-84-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
= enables users, other value chain participants (such
as clearinghouses and government agencies), and/or
user organizations, to specify preferences or
requirements related to their use of electronic
content and/or appliances. Content users, such as
end-user customers using commercially distributed
content (games, information resources, software
programs, etc.), can define, if allowed by senior
control information, budgets, and/or other control
information, to manage their own internal use of
content. Uses include, for example, a user setting a
limit on the price for electronic documents that the
user is willing to pay without prior express user
authorization, and the user establishing the
character of metering information he or she is
willing to allow to be collected (privacy protection).
This includes providing the means for content users
to protect the privacy of information derived from
their use of a VDE installation and content and/or
appliance usage auditing. In particular, VDE can
prevent information related to a participant's usage
of electronic content from being provided to other
parties without the participant's tacit or explicit
agreement.
- 85 -
CA 02619962 2008-02-21
WO 98/09209 PCT1US91115243
= provide mechAnism that allow control information
to "evolve" and be modified according, at least in
part, to independently, securely delivered further
control information. Said control information may
include executable code (e.g., load modules) that has
been certified as acceptable (e.g., reliable and
trusted) for use with a specific VDE application,
class of applications, and/or a VDE distributed
arrangement. This modification (evolution) of
control information can occur upon content control
information (load modules and any associated data)
circulating to one or more VDE participants in a
pathway of handling of control information, or it
may occur upon control information being received
from a VDE participant. Handlers in a pathway of
handling of content control information, to the
extent each is authorized, can establish, modify,
and/or contribute to, permission, auditing, payment,
and reporting control information related to
controlling, analyzing, paying for, and/or reporting
usage of, electronic content and/or appliances (for
example, as related to usage of VDE controlled
property content). Independently delivered (from an
independent source which is independent except in
- $6
CA 02619962 2008-02-21
wo 9sm9z09 PGT/US97/15243
regards to certification), at least in part secure,
control information can be employed to securely
= modify content control information when content
control information has flowed from one party to
another party in a sequence of VDE content control
information handling. This modification employs,
for example, one or more VDE component
assemblies being securely processed in a VDE secure
subsystem. In an alternate embodiment, control
information mav be modified by a senior party
through use of their VDE installation secure
sub-svstem after receiving submitted, at least in
part secured, control information from a"junior'
party, normaliy in the form of a VDE administrative
object. Control information passing along VDE
pathways can represent a mixed control set, in that
it may include: control information that persisted
through a sequence of control information handlers,
other control information that was allowed to be
modified, and farther control information
representing new control information and/or
mediating data. Such a control set represents an
evolution of control information for disseminated
content. In this example the overall content control
-87-
CA 02619962 2008-02-21
WO 9s09209 PcTIcrS'97/15Z43
set for a VDE content container is "evolving" as it
securely (e.g. communicated in enczypted form and
using authentication and digital signaturing
techniques) passes, at least in part, to a new
participant's VDE installation where the proposed
control information is securely received and
handled. The received control information may be
integrated (through use of the receiving parties'
VDE installation secure sub-system) with in-place
control information through a negotiation process
involving both control information sets. For
example, the modification, within the secure
sub-system of a content provider's VDE installation,
of content control information for a certain VDE
content container may have occurred as a result of
the incorporation of required control information
provided by a financial credit provider. Said credit
provider may have employed their VDE installation
to prepare and securely communicate (directly or
indirectly) said required control information to said
content provider. Incorporating said required
control information enables a content provider to
allow the credit provider's credit to be employed by a
content end-user to compensate for the end-user's
-88-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
use of VDE controlled content and/or appliances, so
long as said end-user has a credit account with said
financial credit provider and said credit account has
sufficient credit available. Similarly, control
information requiring the payment of taxes and/or
the provision. of revenue information resulting from
electronic commerce activities may be securely
received by a content provider. This control
information may be received, for example, from a
government agency. Content providers might be
required by law to incorporate such control
information into the control information for
commercially distributed content and/or services
related to appliance usage. Proposed control
information is used to an extent allowed by senior
control information and as determined by any
negotiation trade-offs that satisfy priorities
stipulated by each set (the received set and the
proposed set). VDE also accommodates different
control schemes specifically applying to different
participants (e.g., individual participants and/or
participant classes (types)) in a network of VDE
content handling participants.
-89-
CA 02619962 2008-02-21
WO 98/09209 PCTiUS971IS?A3
~ support multiple simultaneous control models for
the same content property and/or property portion.
This allows, for example, for concurrent business
activities which are dependent on electronic
commercial product content distribution, such as
acquiring detailed market survey information and/or
supporting advertising, both of which can increase
revenue and result in lower content costs to users
and greater value to content providers. Such control
information and/or overall control models may be
applied, as deterrnined or allowed by control
information, in differing manners to different
participants in a pathway of content, reporting,
payment, and/or related control information
handling. VDE supports applying different content
control information to the same and/or different
content and/or appliance usage related activities,
and/or to different parties in a content and/or
appliance usage model, such that different parties
(or classes of VDE users, for example) are subject to
differing control information managing their use of
electronic information content. For example,
differing control models based on the category of a
user as a distributor of a VDE controlled content
-90-
CA 02619962 2008-02-21
WO 9W09M PCTIUS97115243
object or an end-user of such content may result in
different budgets being applied. Alternatively, for
example, a one distributor may have the right to
distribute a different array of properties than
another distributor (from a common content
collection provided, for example, on optical disc). An
individual, and/or a class or other grouping of
end-users, may have different costs (for example, a
student, senior citizen, and/or poor citizen user of
content who may be provided with the same or
differing discounts) than a "typical" content user.
= support provider revenue information resulting from
customer use of content and/or appliances, and/or
provider and/or end-user payment of taxes, through
the transfer of credit and/or electronic currency from
said end-user and/or provider to a gover.ament
agency, might occur "automatically" as a result of
such received control information causing the
generation of a VDE content container whose
content includes customer content usage information
reflecting secure, trusted revenue summary
iuiforrnation and/or detailed user transaction listings
(level of detail might depend, for example on type or
-91-
CA 02619962 2008-02-21
WO 9g/09209 pCT/U397/15243
size of transaction-information regarding a bank
interest payment to a customer or a transfer of a
large (e.g. over $10,000) might be, by law,
automatically reported to the government). Such
summary and/or detailed information related to
taxable events and/or currency, and/or creditor
currency transfer, may be passed along a pathway of
reporting and/or payment to the government in a
VDE container. Such a container may also be used
for other VDE related content usage reporting
information.
= support the flowing of content control information
through different "branches" of content control
information handling so as to accommodate, under
the present invention's preferred embodiment,
diverse controlled distributions of VDE controlled
content. This allows different parties to employ the
same initial electronic content with differing
(perhaps competitive) control strategies. In this
instance, a party who first placed control
information on content can make certain control
assumptions and these assumptions would evolve
into more specific and/or extensive control
-92-
CA 02619962 2008-02-21
WO 98/09209 PCT/[IS97115243
assumptions. These control assumptions can evolve
during the branching sequence upon content model
= participants submitting control information changes,
for example, for use in "negotiating" with "in place"
content control information. This can result in new
or modified content control information and/or it
might involve the selection of certain one or more
already "in-place" content usage control methods
over in-place alternative methods, as well as the
submission of relevant control information
parameter data. This form of evolution of different
control information sets applied to different copies of
the same electronic property content and/or
appliance results from VDE control information
flowing "down" through different branches in an
overall pathway of handling and control and being
modified differently as it diverges down these
different pathway branches. This ability of the
present invention to support multiple pathway
branches for the flow of both VDE content control
information and VDE managed content enables an
. electronic commerce marketplace which supports
' diverging, competitive business partnerships,
agreements, and evolving overall business models
-93-
CA 02619962 2008-02-21
WO 98/0920 PCT/[TS97/15Z43
which can employ the same content properties
combined, for example, in differing collections of
content representing differing at least in part
competitive products.
= enable a user to securely extract, through the use of
the secure subsystem at the user's VDE installation,
at least a portion of the content included within a
VDE content container to produce a new, secure
object (content container), such that the extracted
information is maintained in a continually secure
manner through the extraction process. Formation
of the new VDE container containing such extracted
content shall result in control information consistent
with, or specified by, the source VDE content
container, and/or local VDE installation secure
subsystem as appropriate, content control
information. Relevant control information, such as
security and administrative information, derived, at
least in part, from the parent (source) object's
control information, will normally be automatically
inserted into a new VDE content container object
containing extracted VDE content. This process
typically occurs under the control framework of a
- 94 -
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
parent object and/or VDE installation control
i.nformation executing at the user's VDE installation
secure subsystem (with, for example, at least a
portion of this inserted control information being
stored securely in encrypted form in one or more
permissions records). In an alternative embodiment,
the derived content control information applied to
extracted content may be in part or whole derived
from, or employ, content control information stored
remotely from the VDE installation that performed
the secure extraction such as at a remote server
location. As with the content control information for
most VDE managed content, features of the present
invention allows the content's control information to:
(a) "evolve," for example, the extractor of content
may add new control methods and/or modify
control parameter data, such as VDE
application compliant methods, to the extent
allowed by the content's in-place control
information. Such new control information
might specify, for example, who may use at
least a portion of the new object, and/or how
said at least a portion of said extracted
-95-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
content may be used (e.g. when at least a
portion may be used, or what portion or
quantity of portions may be used);
(b) allow a user to combine additional content
with at least a portion of said extracted
content, such as material authored by the
extractor and/or content (for example, images,
video, audio, and/or text) extracted from one
or more other VDE container objects for
placement directly into the new container;
(c) allow a user to securely edit at least a portion
of said content while maintaining said content
in a secure form within said VDE content
container;
(d) append extracted content to a pre-existing
VDE content container object and attach
associated control information -- in these
cases, user added information may be secured,
e.g., encrypted, in part or as a whole, and may
be subject to usage and/or auditing control
-96-
CA 02619962 2008-02-21
WO 98/09209 PGT/US97/15243
information that differs from the those applied
to previously in place object content;
(e) preserve VDE control over one or more
portions of extracted content after various
forms of usage of said portions, for example,
maintain content in securely stored form
while allowing "temporary" on screen display
of content or allowing a software program to
be maintained in secure form but transiently
decrypt any encrypted executing portion of
said program (all, or only a portion, of said
program may be encrypted to secure the
program).
Generally, the extraction features of the present
invention allow users to aggregate and/or
disseminate and/or otherwise use protected
electronic content information extracted from
content container sources while maintaining secure
VDE capabilities thus preserving the rights of
providers in said content information after various
' content usage processes.
97 -
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
= support the aggregation of portions of VDE
controlled content, such portions being subject to .'~'.
differing VDE content container control information,
wherein various of said portions may have been
provided by independent, different content providers
from one or more different locations remote to the
user performing the aggregation. Such aggregation,
in the preferred embodiment of the present
invention, may involve preserving at least a portion
of the control information (e.g., executable code such
as load modules) for each of various of said portions
by, for example, embedding some or all of such
portions individually as VDE content container
objects within an overall VDE content container
and/or embedding some or all of such portions
directly into a VDE content container. In the latter
case, content control information of said content
container may apply differing control information
sets to various of such portions based upon said
portions original control information requirements
before aggregation. Each of such embedded VDE
content containers may have its own control
information in the form of one or more permissions
records. Alternatively, a negotiation between
-98-
CA 02619962 2008-02-21
wo Mam rCrnrs9711saa3
control information associated with various
aggregated portions of electronic content, may
produce a control information set that would govern
some or all of the aggregated content portions. The
VDE content control information produced by the
negotiation may be uniform (such as having the
same load modules and/or component assemblies,
and/or it may apply differing such content control
information to two or more portions that constitute
an aggregation of VDE controlled content such as
differing metering, budgeting, billing and/or
payment models. For example, content usage
payment may be automaticallv made, either through
a clearinghouse, or directlv, to different content
providers for different potions.
= enable flexible metering of, or other collection of
information related to, use of electronic content
and/or electronic appliances. A feature of the
present invention enables such flexibility of
metering control mechanisms to accommodate a
simultaneous, broad array of: (a) different
' parameters related to electronic information content
use; (b) different increment units (bytes, documents,
- 99
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
properties, paragraphs, images, etc.) and/or other
organizations of such electronic content; and/or (c)
different categories of user and/or VDE installation
types, such as client organizations, departments,
projects, networks, and/or individual users, etc.
This feature of the present invention can be
employed for content security, usage analysis (for
example, market surveying), and/or compensation
based upon the use and/or exposure to VDE
managed content. Such metering is a flexible basis
for ensuring payment for content royalties,
licensing, purchasing, and/or advertising. A feature
of the present invention provides for payment means
supporting flexible electronic currency and credit
mechanisms, including the ability to securely
maintain audit trails reflecting information related
to use of such currency or credit. VDE supports
multiple differing hierarchies of client organization
control information wherein an organization client
administrator distributes control information
specifying the usage rights of departments, users,
and/or projects. Likewise, a department (division)
network manager can function as a distributor
- 100 -
CA 02619962 2008-02-21
wo "i09 rcr/i7S97n52a3
(budgets, access rights, eic.) for department
networks, projects, and/or users, etc.
= provide scalable, integratable, standardized control
means for use on electronic appliances ranging from
inexpensive consumer (for example, television
set-top appliances) and professional devices (and
hand-held PDAs) to servers, mainframes,
communication switches, etc. The scalable
transaction management/auditing technology of the
present invention will result in more efficient and
reliable interoperability amongst devices functioning
in electronic commerce and/or data security
environments. As standardized physical contairiers
have become essential to the shipping of physical
goods around the world, allowing these physical
containers to universally "fit" unloading equipment,
efficiently use truck and train space, and
accommodate known arrays of objects (for example,
boxes) in an efficient manner, so VDE electronic
content containers may, as provided by the present
invention, be able to efficiently move electronic
information content (such as commercially published
properties, electronic currency and credit, and
- 101-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97n5243
content audit information), and associated content
control information, around the world.
Interoperability is fundamental to efficient
electronic commerce. The design of the VDE
foundation, VDE load modules, and VDE containers,
are important features that enable the VDE node
operating environment to be compatible with a very
broad range of electronic appliances. The ability, for
example, for control methods based on load modules
to execute in very "small" and inexpensive secure
sub-system environments, such as environments
with very little read/write memory, while also being
able to execute in large memory sub-systems that
may be used in more expensive electronic
appliances, supports consistency across many
machines. This consistent VDE operating
environment, including'its control structures and
container architecture, enables the use of
standardized VDE content containers across a broad
range of device types and host operating
environments. Since VDE capabilities can be
seamlessly integrated as extensions, additions,
and/or modifications to fundamental capabilities of
electronic appliances and host operating systems,
-102-
CA 02619962 2008-02-21
WO 98/09209 PCTJUS97/15Z43
VDE containers, content control information, and
the VDE foundation will be able to work with many
device types and these device types will be able to
consistently and efficiently interpret and enforce
VDE control information. Through this integration
users can also benefit from a transparent interaction
with many of the capabilities of VDE. VDE
integration with software operating on a host
electronic anpliance supports a variety of
capabilities that would be unavailable or less secure
without such integration. Through integration with
one or more device applications and/or device
operating environments, many capabilities of the
present invention can be presented as inherent
capabilities of a given electronic appliance,
operating system, or appliance application. For
example, features of the present invention include:
(a) VDE system software to in part extend and/or
modify host operating systems such that they
possesses VDE capabilities, such as enabling secure
. transaction processing and electronic information
storage; (b) one or more application programs that in
, part represent tools associated with VDE operation;
and/or (c) code to be integrated into application
-103-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
programs, wherein such code incorporates references
into VDE system software to integrate VDE
capabilities and makes such applications VDE
aware (for example, word processors, database
retrieval applications, spreadsheets, multimedia
presentation authoring tools, film editing software,
music editing software such as MIDI applications
and the like, robotics control systems such as those
associated with CAD/CAM environments and NCM
software and the like, electronic mail systems,
teleconferencing software, and other data authoring,
creating, handling, and/or usage applications
including combinations of the above). These one or
more features (which may also be implemented in
firmware or hardware) may be employed in
conjunction with a VDE node secure hardware
processing capability, such as a microcontroller(s),
microprocessor(s), other CPU(s) or other digital
processing logic.
= employ audit reconciliation and usage pattern
evaluation processes that assess, through certain,
normally network based, transaction processing
reconciliation and threshold checking activities,
- 104 -
CA 02619962 2008-02-21
wO 98N09Z09 PGT/OS97/15243
whether certain violations of security of a VDE
arrangement have occurred. These processes are
performed remote to VDE controlled content
end-user VDE locations by assessing, for example,
purchases, and/or requests, for electronic properties
by a given VDE installation. Applications for such
reconciliation activities include assessing whether
the quantity of remotely delivered VDE controlled
content corresponds to the amount of financial credit
andlor electronic currency employed for the use of
such content. A trusted organization can acquire
information from content providers concerning the
cost for content provided to a given VDE installation
and/or user and compare this cost for content with
the credit and/or electronic currency disbursements
for that installation and/or user. Inconsistencies in
the amount of content delivered versus the amount
of disbursement can prove, and/or indicate,
depending on the circumstances, whether the local
VDE installation has been, at least to some degree,
. compromised (for example, certain important system
security functions, such as breaking encryption for
at least some portion of the secure subsystem and/or
VDE controlled content by uncovering one or more
- 105 -
CA 02619962 2008-02-21
wo 9s/09Z09 rcr/US97nSZ43
keys). Determining whether irregular patterns (e.g.
unusually high demand) of content usage, or
requests for delivery of certain kinds of VDE
controlled information during a certain time period
by one or more VDE installations and/or users
(including, for example, groups of related users
whose aggregate pattern of usage is suspicious) may
also be useful in determining whether security at
such one or more installations, and/or by such one or
more users, has been compromised, particularly
when used in combination. with an assessment of
electronic credit andlor currency provided to one or
more VDE users and/or installations, by some or all
of their credit andlor currency suppliers, compared
with the disbursements made by such users and/or
installations.
= support security techniques that materially increase
the time required to "break" a system's integrity.
This includes using a collection of techniques that
minimizes the damage resulting from comprising
some aspect of the security features of the present
inventions.
-106-
CA 02619962 2008-02-21
wo 931092o9 PCT/EJS97115W
= provide a family of authoring, administrative,
reporting, payment, and billing tool user
= applications that comprise components of the
present invention's trusted/secure, universe wide,
= 5 distributed transaction control and administration
system. These components support VDE related:
object creation (including placing control
information on content), secure object distribution
and management (including distribution control
information, financial related, and other usage
analysis), client internal VDE activities
administration and control, security management,
user interfaces, payment disbursement, and
clearinghouse related functions. These components
are designed to support highly secure, uniform,
consistent, and standardized: electronic commerce
and/or data security pathway(s) of handling,
reporting, and/or payment; content control and
administration; and human factors (e.g. user
interfaces).
= support the operation of a plurality of
= clearinghouses, including, for example, both
financial and user clearinghouse activities, such as
- 107 -
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
those performed by a client administrator in a large
organization to assist in the organization's use of a
VDE arrangement, including usage information
analysis, and control of VDE activities by
individuals and groups of employees such as
specifying budgets and the character of usage rights
available under VDE for certain groups of and/or
individual, client personnel, subject to control
information series to control information submitted
by the client administrator. At a clearinghouse, one
or more VDE installations may operate together
with a trusted distributed database environment
(which may include concurrent database processing
means). A financial clearinghouse normally receives
at its location securely delivered content usage
information, and user requests (such as requests for
further credit, electronic currency, and/or higher
credit limit). Reporting of usage information and
user requests can be used for supporting electronic
currency, billing, payment and credit related
activities, and/or for user profile analysis and/or
broader market survey analysis and marketing
(consolidated) list generation or other information
derived, at least in part, from said usage
-108-
CA 02619962 2008-02-21
WO 98/U9209 YCT/US97/1S243
information. this information can be provided to
content providers or other parties, through secure,
authenticated encrypted communication to the VDE
instailation secure subsystems. Cleari.nghouse
= 5 processing means would normally be connected to
specialized I/O means, which may include high
speed telecommunication switching means that may
be used for secure communications between a
clearinghouse and other VDE pathway participants.
= securely support electronic currency and credit
usage control, storage, and communication at, and
between, VDE installations. VDE further supports
automated passing of electronic currency and/or
credit information, including payment tokens (such
as in the form of electronic currency or credit) or
other payment information, through a pathway of
payment, which said pathway may or may not be the
same as a pathway for content usage information
reporting. Such payment may be placed into a VDE
container created automatically by a VDE
installation in response to control information
stipulating the "withdrawal" of credit or electronic
currency from an electronic credit or currency
-109-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
account based upon an amount owed resulting from
usage of VDE controlled electronic content and/or
appliances. Payment credit or currency may then be
automatically communicated in protected (at least in
part encrypted) form through telecommunication of
a VDE container to an appropriate party such as a
clearinghouse, provider of original property content
or appliance, or an agent for such provider (other
than a clearinghouse). Payment information may be
packaged in said VDE content container with, or
without, related content usage information, such as
metering information. An aspect of the present
invention further enables certain information
regarding currency use to be specified as
unavailable to certain, some, or all VDE parties
("conditionally" to fully anonymous currency) and/or
further can regulate certain content information,
such as currency and/or credit use related
information (and/or other electronic information
usage data) to be available only under certain strict
circumstances, such as a court order (which may
itself require authorization through the use of a
court controlled VDE installation that may be
required to securely access "conditionally"
-i10-
CA 02619962 2008-02-21
WO 98/09209 PCT/U897l15243
anonymous information). Currency and credit
information, under the preferred embodiment of the
present invention, is treated as administrative
content;
= 5
= support fingerprinting (also known as
watermarking) for embedding in content such that
when content protected under the present invention
is released in clear form from a VDE object
(displayed, printed, communicated, extracted, and/or
saved), information representing the identification
of the user and/or VDE installation responsible for
transforming the content into clear form is
embedded into the released content. Fingerprinting
is useful in providing an ability to identify who
extracted information in clear form a VDE
container, or who made a copy of a VDE object or a
portion of its contents. Since the identity of the user
and/or other identifying information may be
embedded in an obscure or generally concealed
manner, in VDE container content and/or control
information, potential copyright violators may be
deterred from unauthorized extraction or copying.
Fingerprinting normally is embedded into
-111-
CA 02619962 2008-02-21
WO 98/09209 PCT1US97/15243
unencrypted electronic content or control
information, though it can be embedded into
encrypted content and later placed in unencrypted
content in a secure VDE installation sub-system as
the encrypted content carrying the fingerprinting
information is decrypted. Electronic information,
such as the content of a VDE container, may be
fingerprinted as it leaves a network (such as
Internet) location bound for a receiving party. Such
repository information may be maintained in
unencrypted form prior to communication and be
encrypted as it leaves the repository. Fingerprinting
would preferably take place as the content leaves
the repository, but before the encryption step.
Encrypted repository content can be decrypted, for
example in a secure VDE sub-system, fingerprint
information can be inserted, and then the content
can be re-encrypted for transmission. Embedding
identification information of the intended recipient
user and/or VDE installation into content as it
leaves, for example, an Internet repository, would
provide important information that would identify
or assist in identifying any party that managed to
compromise the security of a VDE installation or the
- 112 -
CA 02619962 2008-02-21
WO 9&09209 rCr/U897/15za3
delivered content. If a party produces an authorized
clear form copy of VDE controlled content, including
making unauthorized copies of an authorized clear
form copy, fingerprint information would point back
to that individual and/or his or her VDE
installation. Such hidden information will act as a
strong disincentive that should dissuade a
substantial portion of potential content "pirates"
from stealing other parties electronic information.
Fingerprint information identifying a receiving
party and/or VDE installation can be embedded into
a VDE object before, or during, decryption,
replication, or communication of VDE content
objects to receivers. Fingerprinting electronic
content before it is encrypted for transfer to a
customer or other user provides information that
can be very useful for identifying who received
certain content which may have then been
distributed or made available in unencrypted form.
This information would be useful in tracking who
may have "broken" the security of a VDE
i.nstaIlation and was illegaAy making certain
= electronic content available to others.
Fingerprinting may provide additional, available
-113-
CA 02619962 2008-02-21
WO 9MM PCT/US97/15243
information such as time and/or date of the release
(for example extraction) of said content information.
Locations for inserting fingerprints may be specified
by VDE installation and/or content container control
information. This information may specify that
certain areas and/or precise locations within
properties should be used for fingerprinting, such as
one or more certain fields of information or
information types. Fingerprinting information may
be incorporated into a property by modifying in a
normally undetectable way color frequency and/or
the brightness of certain image pixels, by slightly
modifying certain audio signals as to frequency, by
modifying font character formation, etc.
Fingerprint information, itself, should be encrypted
so as to make it particularly difficult for tampered
fingerprints to be interpreted as valid. Variations in
fingerprint locations for different copies of the same
property; "false" fingerprint information; and
multiple copies of fingerprint information within a
specific property or other content which copies
employ different fingerprinting techniques such as
information distribution patterns, frequency and/or
brightness manipulation, and encryption related
- 114 -
CA 02619962 2008-02-21
WO 98/09209 Pf.'T/US97/15243
techniques, are features of the present invention for
increasing the difficulty of an unauthorized
= individual identifying fingerprint locations and
erasing and/or modifying fingerprint information.
= provide smart object agents that can carry requests,
data, and/or methods, including budgets,
authorizations, credit or currency, and content. For
example, smart objects may travel to and/or from
remote information resource locations and fulfill
requests for electronic information content. Smart
objects can, for example, be transmitted to a remote
location to perform a specified database search on
behalf of a user or otherwise "intelligently" search
.15 remote one or more repositories of information for
user desired information. After identifying desired
information at one or more remote locations, by for
example, performing one or more database searches,
a smart object may return via communication to the
user in the form of a secure "return object"
containing retrieved information. A user may be
. charged for the remote retrieving of information, the
= returning of information to the user's VDE
installation, and/or the use of such information. In
- 115 -
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
the latter case, a user may be charged only for the
information in the return object that the user
actually uses. Smart objects may have the means to
request use of one or more services and/or resources.
Services include locating other services and/or
resources such as information resources, language or
format translation, processing, credit (or additional
credit) authorization, etc. Resources include
reference databases, networks, high powered or
specialized computing resources (the smart object
may carry information to another computer to be
efficiently processed and then return the
information to the sending VDE installation),,
remote object repositories, etc. Smart objects can
make efficient use of remote resources (e.g.
centralized databases, super computers, etc.) while
providing a secure means for charging users based
on information and/or resources actually used.
= support both "translations" of VDE electronic
agreements elements into modern language printed
agreement elements (such as English language
agreements) and translations of electronic rights
protection/transaction management modern
-116-
CA 02619962 2008-02-21
wo 98/'09209 rcrftrs97115M
language agreement elements to electronic VDE
agreement elements. This feature requires
maintaining a library of textual language that
' corresponds to VDE load modules and/or methods
and/or component assemblies. As VDE methods are
proposed and/or employed for VDE agreements, a
listing of textual terms and conditions can be
produced by a VDE user application which, in a
preferred embodiment, provides phrases, sentences
and/or paragraphs that have been stored and
correspond to said methods and/or assemblies. This
feature preferably employs artificial intelligence
capabilities to analyze and automatically determine,
and/or assist one or more users to determine, the
proper order and relationship between the library
elements corresponding to the chosen methods
and/or assemblies so as to compose some or all
portions of a legal or descriptive document. One or
more users, and/or preferably an attorney (if the
document a legal, binding agreement), would review
the generated document material upon completion
and employ such additional textual information
= and/or editing as necessary to describe non
electronic transaction elements of the agreement
- 117 -
CA 02619962 2008-02-21
Wo 98/09209 PCT/US97/15243
and make any other improvements that may be
necessary. These features further support
employing modern language tools that allow one or
more users to make selections from choices and
provide answers to questions and to produce a VDE
electronic agreement from such a process. This
process can be interactive and the VDE agreement
formulation process may employ artificial
intelligence expert system technology that learns
from responses and, where appropriate and based at
least in part on said responses, provides further
choices and/or questions which "evolves" the desired
VDE electronic agreement.
0 support the use of multiple VDE secure subsystems
in a single VDE installation. Various security
and/or performance advantages may be realized by
employing a distributed VDE design within a single
VDE installation. For example, designing a
hardware based VDE secure subsystem into an
electronic appliance VDE display device, and
designing said subsystem's integration with said
display device so that it is as close as possible to the
point of display, will increase the security for video
-118-
CA 02619962 2008-02-21
W0 98/09209 rcTIUS97115243
materials by making it materially more diffcult to
"steal" decrypted video information as it moves from
outside to inside the. video system. Ideally, for
example, a VDE secure hardware module would be
in the same physical package as the actual display
monitor, such as within the packaging of a video
monitor or other display device, and such device
would be designed, to the extent commercially
practical, to be as tamper resistant as reasonable.
As another example, embedding a VDE hardware
module into an 1/0 peripheral may have certain
advantages from the standpoint of overall system
throughput. If multiple VDE instances are
employed within the same VDE installation, these
instances will ideally share resources to the extent
practical, such as VDE instances storing certain
control information and content and/or appliance
usage information on the same mass storage device
and in the same VDE management database.
= requiring reporting and payment compliance by
employing exhaustion of budgets and time ageing of
= keys. For example, a VDE commercial arrangement
and associated content control information may
- 119 -
CA 02619962 2008-02-21
wo 9s/09z09 rc T/US97n5ia3
involve a content provider's content and the use of
clearinghouse credit for payment for end-user usage
of said content. Control information regarding said
arrangement may be delivered to a user's (of said
content) VDE installation and/or said financial
clearinghouse's VDE installation. Said control
information might require said clearinghouse to
prepare and telecommunicate to said content
provider both content usage based information in a
certain form. and content usage payment in the form
of electronic credit (s,uch credit might be "owned" by
the provider after receipt and used in lieu of the
availabilitv or adequacy of electronic currency)
and/or electronic currency. This delivery of
information and payment may employ trusted VDE
installation secure subsystems to securely, and in
some embodiments, automatically, provide in the
manner specified by said control information, said
usage information and payment content. Features
of the present invention help ensure that a
requirement that a clearinghouse report such usage
information and payment content will be observed.
For example, if one participant to a VDE electronic
agreement fails to observe such information
-120-
CA 02619962 2008-02-21
WO 98/09209 PGT/US97/15243
reporting and/or paying obligation, another
participant can stop the delinquent party from
successfully participating in VDE activities related
to such agreement. For example, if required usage
. 5 information and payment was not reported as
specified by content control information, the
"injured" party can fail to provide, through failing to
securely communicate from his VDE installation
secure subsystem, one or more pieces of secure
information necessary for the continuance of one or
more critical processes. For example, failure to
report information and/or payment from a
clearinghouse to a content provider (as well as any
security failures or other disturbing irregularities)
can result in the content provider not providing key
and/or budget refresh information to the
clearinghouse, which information can be necessary
to authorize use of the clearinghouse's credit for
usage of the provider's content and which the
clearinghouse would communicate to end-user's
during a content usage reporting communication
= between the clearinghouse and end-user. As
another example, a distributor that failed to make
payments and/or report usage information to a
-121-
CA 02619962 2008-02-21
WO 98J09209 PCT/US97/15243
content provider might find that their budget for
creating permissions records to distribute the
content provider's content to users, and/or a security
budget limiting one or more other aspect of their use
of the provider's content, are not being refreshed by
the content provider, once exhausted or timed-out
(for example, at a predetermined date). In these and
other cases, the offended party might decide not to
refresh time ageing keys that had "aged out." Such
a use of time aged keys has a similar impact as
failing to refresh budgets or time-aged
authorizations.
= support smart card implementations of the present
invention in the form of portable electronic
appliances, including cards that can be employed as
secure credit, banking, and/or money cards. A
feature of the present invention is the use of
portable VDEs as transaction cards at retail and
other establishments, wherein such cards can "dock"
with an establishment terminal that has a VDE
secure sub-system andlor an online connection to a
VDE secure and/or otherwise secure and compatible
subsystem, such as a "trusted" financial
-122-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
clearinghouse (e.g., VISA,1llastercard). The VDE
card and the terminal (and/or online connection) can
securely exchange information related to a
transaction, with credit and/or electronic currency
being transferred to a merchant and/or
clearinghouse and transaction information flowing
back to the card. Such a card can be used for
transaction activities of all sorts. A docking station,
such as a PCMCIA connector on an electronic
appliance, such as a personal computer, can receive
a consumer's V'DE card at home. Such a
stationlcard combination can be used for on-line
transactions in the same manner as a VDE
installation that is permanentlv installed in such an
electronic appliance. The card can be used as an
"electronic wallet" and contain electronic currency as
well as credit provided by a clearinghouse. The card
can act as a convergence point for financial activities
of a consumer regarding many, if not all, merchant,
banking, and on-line financial transactions,
including supporting home banking activities. A
= consumer can receive his paycheck and/or
investment earnings and/or "authentic" VDE content
container secured detailed information on such
-123-
CA 02619962 2008-02-21
wo 9s/ro92o9 rcr/[i897n52a3
receipts, through on-line connections. A user can
send digital currency to another party with a VDE
arrangement, including giving away such currency.
A VDE card can retain details of transactions in a
highly secure and database organized fashion so
that financially related information is both
consolidated and very easily retrieved andlor
analyzed. Because of the VDE security, including
use of effective encryption, authentication, digital
signaturing, and secure database structures, the
records contained within a VDE card arrangement
may be accepted as valid transaction records for
government andJor corporate recordkeeping
requirements. In some embodiments of the present
invention a VDE card may employ docking station
and/or electronic appliance storage means andlor
share other VDE arrangement means local to said
appliance and/or available across a network, to
augment the information storage capacity of the
VDE card, by for example, storing dated, and/or
archived, backup information. Taxes relating to
some or all of an individual's financial activities may
be automatically computed based on "authentic"
information securely stored and available to said
-124-
CA 02619962 2008-02-21
WO 98109209 PCTIUS97/15M
VDE card. Said information may be stored in said
card, in said docking station, in an associated
electronic appliance, and/or other device operatively
attached thereto, and/or remotely, such as at a
= 5 remote server site. A card's data, e.g. transaction
history, can be backed up to an individual's personal
computer or other electronic appliance and such an
appliance may have an integrated VDE installation
of its own. A current transaction, recent
transactions (for redundancy), or all or other
selected card data may be backed up to a remote
backup repository, such a VDE compatible
repository at a financial clearinghouse, during each
or periodic docking for a financial transaction and/or
information communication such as a user/merchant
transaction. Backing up at least the current
transaction during a connection with another party's
VDE installation (for example a VDE installation
that is also on a financial or general purpose
electronic network), by posting transaction
information to a remote cleari.nghouse and/or bank,
can ensure that sufficient backup is conducted to
enable complete reconstruction of VDE card internal
information in the event of a card failure or loss.
-125-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/1SZ43
= support certification processes that ensure
authorized interoperability between various VDE
installations so as to prevent VDE arrangements
and/or installations that unacceptably deviate in
specification protocols from other VDE
arrangements and/or installations from
interoperating in a manner that may introduce
security (integrity and/or confidentiality of VDE
secured information), process control, and/or
software compatibility problems. Certification
validates the identity of VDE installations and/or
their components, as well as VDE users.
Certification data can also serve as information that
contributes to determining the decommissioning or
other change related to VDE sites.
= support the separation of fundamental transaction
control processes through the use of event
(triggered) based method control mechanisms.
These event methods trigger one or more other VDE
methods (which are available to a secure VDE
sub-system) and are used to carry out VDE managed
transaction related processing. These triggered
methods include independently (separably) and
-126-
CA 02619962 2008-02-21
wo 9sro9M pcrrtS9711sia3
securely processable component biliing management
methods, budgeting management methods, metering
= management methods, and related auditing
management processes. As a result of this feature of
the present invention, independent triggering of
metering, auditing, billing, and budgeting methods,
the present invention is able to efficieAtly,
concurrently support multiple financial currencies
(e.g. dollars, marks, yen) and content related
budgets, and/or billing increments as well as very
flexible content distribution models.
= support, complete, modular separation of the control
structures related to (1) content event triggering, (2)
auditing, (3) budgeting tincluding specifying no right
of use or unlimited right of uset, (4) billing, and (5)
user identity (VDE installation, client name,
department, network, and/or user, etc.). The
independence of these VDE control structures
provides a flexible system which allows plural
relationships between two or more of these
structures, for example, the ability to associate a
financial budget with different event trigger
structures (that are put in place to enable
-127-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
controlling content based on its logical portions).
Without such separation between these basic VDE
capabilities, it would be more difficult to efficiently
maintain separate metering, budgeting,
identification, and/or billing activities which involve
the same, differing (including overlapping), or
entirely different, portions of content for metering,
billing, budgeting, and user identification, for
example, paying fees associated with usage of
content, performing home banking, managing
advertising services, etc. VDE modular separation
of these basic capabilities supports the programming
of plural, "arbitrary" relationships between one or
differing content portions (and/or portion units) and
budgeting, auditing, and/or billing control
information. For example, under VDE, a budget
limit of $200 dollars or 300 German Marks a month
may be enforced for decryption of a certain database
and 2 U.S. Dollars or 3 German Marks may be
charged for each record of said database decrypted
(depending on user selected currency). Such usage
can be metered while an additional audit for user
profile purposes can be prepared recording the
identity of each filed displayed. Additionally,
- 128 -
CA 02619962 2008-02-21
WO 98109209 rcr/Il397nS243
fiurther metering can be conducted regarding the
number of said database bytes that have been
' decrypted, and a related security budget may
prevent the decrypting of more than 5% of the total
bytes of said database per year. The user may also,
under VDE (if allowed by senior control
information), collect audit information reflecting
usage of database fields by different individuals and
client organization departments and ensure that
differing rights of access and differing budgets
limiting database usage can be applied to these
client individuals and groups. Enabling content
providers and users to practically employ such
diverse sets of user identification, metering,
budgeting, and billing control information results, in
part, from the use of such independent control
capabilities. As a result, VDE can support great
configurability in creation of plural control models
applied to the same electronic property and the
same and/or plural control models applied to
differing or entirely different content models (for
example, home banking versus electronic shopping).
- 129 -
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
Mathods, Other Control Information, and VDE Objects
VDE control information (e.g., methods) that collectively
control use of VDE managed properties (database, document,
individual commercial product), are either shipped with the
content itself (for example, in a content container) and/or one or
more portions of such control information is shipped to
distributors and/or other users in separably deliverable
"administrative objects." A subset of the methods for a property
may in part be delivered with each property while one or more
other subsets of methods can be delivered separately to a user or
otherwise made available for use (such as being available
remotely by telecommunication means). Required methods
(methods listed as required for property and/or appliance use)
must be available as specified if VDE controlled content (such as
intellectual property distributed within a VDE content container)
is to be used. Methods that control content may apply to a
plurality of VDE container objects, such as a class or other
grouping of such objects. Methods may also be required by
certain users or classes of users and/or VDE installations and/or
classes of installations for such parties to use one or more
specific, or classes of, objects.
A feature of VDE provided by the present invention is that
certain one or more methods can be specified as required in order
- 130 -
CA 02619962 2008-02-21
wo 98/09209 PCT/US97/15243
for a VDE installation and/or user to be able to use certain
and/or all content. For example, a distributor of a certain type of
content might be allowed by "senior" participants (by content
creators, for example) to require a method which prohibits
end-users from electronically saving decrypted content, a
provider of credit for VDE transactions might require an audit
method that records the time of an electronic purchase, and/or a
user might require a method that summarizes usage information
for reporting to a clearinghouse (e.g. bzIling information) in a
way that does not convey confidential', personal information
regarding detailed usage behavior.
A further feature of VDE provided by the present
invention is that creators, distributors, and users of content can
select from among a set of predefined methods (if available) to
control container content usage and distribution functions and/or
they may have the right to provide new customized methods to
control at least certain usage functions (such "new" methods may
be required to be certified for trustedness and interoperability to
the VDE installation and/or for of a group of VDE applications).
As a result, VDE provides a very high degree of confagurability
' with respect to how the distribution and other usage of each
property or object (or one or more portions of objects or properties
as desired and/or applicable) will be controlled. Each VDE
-131-
CA 02619962 2008-02-21
WOMgZpy pCT/[JS97/15243
participant in a VDE pathway of content control information
may set methods for some or all of the content in a VDE
container, so long as such control information does not conflict
with senior control information already in place with respect to:
(1) certain or all VDE managed content,
(2) certain one or more VDE users and/or groupings of
users,
(3) certain one or more VDE nodes and/or groupings of
nodes, and/or
(4) certain one or more VDE applications and/or
arrangements.
For example, a content creator's VDE control information
for certain content can take precedence over other submitted
VDE participant control information and, for example, if allowed
by senior control information, a content distributor's control
information may itself take precedence over a client
administrator's control information, which may take precedence
over an end-user's control information. A path of distribution
participant's ability to set such electronic content control
-132-
CA 02619962 2008-02-21
Wo 98/09209 PCT/US97/15Z43
information can be limited to certain control information (for
example, method mediating data such as pricing and/or sales
dates) or it may be limited only to the extent that one or more of
the participant's proposed control information conflicts with
control information set by senior control information submitted
previously by participants in a chain of handling of the property,
or managed in said participant's VDE secure subsystem.
VDE control informatiori may, in part or in full, (a)
represent control information directly put in place by VDE
content control information pathway participants, and/or (b)
comprise control information put in place by such a participant
on behalf of a party who does not directly handle electronic
content (or electronic appliance) permissions records information
(for example control information inserted by a participant on
behalf of a financial clearinghouse or government agency). Such
control information methods (and/or load modules and/or
mediating data and/or component assemblies) may also be put in
place by either an electronic automated, or a semi-automated
and human assisted, control information (control set) negotiating
process that assesses whether the use of one or more pieces of
submitted control information will be integrated into and/or
replace existing control information (and/or chooses between
alternative control information based upon interaction with
-133-
CA 02619962 2008-02-21
wo 9sro9zo9 PCT/US97/13243
in-place control information) and how such control information
may be used.
Control information may be provided by a party who does
not directly participate in the handling of electronic content
(and/or appliance) andlor control information for such content
(and/or appliance). Such control information may be provided in
secure form using VDE installation secure sub-system managed
communications (including, for example, authenticating the
deliverer of at least in part encrypted control information)
between such not directly participating one or more parties' VDE
installation secure subsystems, and a pathway of VDE content
control information participant's VDE installation secure
subsystem. This control information may relate to, for example,
the right to access credit supplied by a financial services
provider, the enforcement of regulations or laws enacted by a
government agency, or the requirements of a customer of VDE
managed content usage information (reflecting usage of content
by one or more parties other than such customer) relating to the
creation, handling and/or manner of reporting of usage
information received by such customer. Such control information
may, for example, enforce societal requirements such as laws
related to electronic commerce.
-134-
CA 02619962 2008-02-21
q,O gWOyM PCT/US97J15243
VDE content control information may apply differently to
different pathway of content and/or control information handling
participants. Furthermore, permissions records rights may be
added, altered, and/or removed by a VDE participant if they are
allowed to take such action. Rights of VDE participants may be
defined in relation to specific parties and/or categories of parties
and/or other groups of parties in a chain of handling of content
and/or content control information (e.g., permissions records).
Modifications to control information that may be made by a
given, eligible party or parties, may be limited in the number of
modifications, and/or degree of modification, they may make.
At least one secure subsystem in electronic appliances of
creators, distributors, auditors, clearinghouses, client
administrators, and end-users (understanding that two or more
of the above classifications may describe a single user) provides a
"sufficiently" secure (for the intended applications) environment
for:
1. Decrypting properties and control information;
2. Storing control and metering related information;
3. Managing communications;
-135-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
4. Processing core control programs, along with
associated data, that constitute control information
for electronic content andlor appliance rights
protection, including the enforcing of preferences
and requirements of VDE participants.
Normally, most usage, audit, reporting, payment, and
distribution control methods are themselves at least in part
encrypted and are executed by the secure subsystem of aVDE
installation. Thus, for example, billing and metering records can
be securely generated and updated, and encryption and
decryption keys are securely utilized, within a secure subsystem.
Since VDE also employs secure (e.g. encrypted and
authenticated) communications when passing information
between the participant location (nodes) secure subsystems of a
VDE arrangement, important components of a VDE electronic
agreement can be reliably enforced with sufficient security
(sufficiently trusted) for the intended commercial purposes. A
VDE electronic agreement for a value chain can be composed, at
least in part, of one or more subagreements between one or more
subsets of the value chain participants. These subagreements
are comprised of one or more electronic contract "compliance"
elements (methods including associated parameter data) that
ensure the protection of the rights of VDE participants.
-136-
CA 02619962 2008-02-21
WO 98/09209 PCT/U397/15243
The degree of trustedness of a VDE arrangement will be
primarily based on whether hardware SPUs are employed at
participant location secure subsystems and the effectiveness of
the SPU hardware security architecture, software security
techniques when an SPU is emulated in software, and the
encryption algorithm(s) and keys that are employed for securing
content, control information, communications, and access to VDE
node (VDE i.nstallation) secure subsystems. Physical facility and
user ideritity authentication security procedures may be used
instead of hardware SPUs at certain nodes, such as at an
established financial clearinghouse, where such procedures may
provide sufficient security for trusted interoperability with a
VDE arrangement employing hardware SPUs at user nodes.
The updatilig of property management files at each
location of a VDE arrangement, to accommodate new or modified
control information, is performed in the VDE secure subsystem
and under the control of secure management file updating
programs executed by the protected subsystem. Since all secure
communications are at least in part encrypted and the
processing inside the secure subsystem is concealed from outside
observation and interference, the present invention ensures that
content control information can be enforced. As a result, the
creator and/or distributor and/or client administrator and/or
-137-
CA 02619962 2008-02-21
WO 98/09209 PCr/US97/15243
other contributor of secure control i.nformation for each property
(for example, an end-user restricting the kind of audit
information he or she wiIl allow to be reported and/or a financial
clearinghouse establishing certain criteria for use of its credit for
payment for use of distributed content) can be confident that
their contributed and accepted control information will be
enforced (within the security limitations of a given VDE security
implementation design). This control information can determine,
for example:
(1) How and/or to whom electronic content can be
provided, for example, how an electronic property
can be distributed;
(2) How one or more objects and/or properties, or
portions of an object or property, can be directly
used, such as decrypted, displayed, printed, etc;
(3) How payment for usage of such content and/or
content portions may or must be handled; and
(4) How audit information about usage information
related to at least a portion of a property should be
collected, reported, and/or used.
-138-
CA 02619962 2008-02-21
WO 98/09209 pCT/US9711S243
Seniority of contributed control'information, including
resolution of conflicts between content control information
submitted by multiple parties, is normally established by:
(1) the sequence in which control information is put in
place by various parties (in place control information
normally takes precedence over subsequently
submitted control information),
(2) the specifics of VDE content and/or appliance control
information. For example, in-place control
information can stipulate which subsequent one or
more piece of control from one or more parties or
class of parties will take precedence over control
information submitted by one or more yet different
parties and/or classes of parties, and/or
(3) negotiation between control information sets from
plural parties, which negotiation establishes what
control information shall constitute the resulting
control information set for a given piece of VDE
managed content and/or VDE installation.
- 139 -
CA 02619962 2008-02-21
WO 98109209 PCT/1JS97115243
Electronic Agreemeats and Rights Protection
An important feature of VDE is that it can be used to
assure the administration of, and adequacy of security and rights
protection for, electronic agreements implemented through the
use of the present invention. Such agreements may involve one
or more of
(1) creators, publishers, and other distributors, of
electronic information,
10.
(2) financial service (e.g. credit) providers,
(3) users of (other than financial sen-ice providers)
information arising from content usage such as
content specific demographic information and user
specific descriptive information. Such users may
include market analysts, marketing list compilers
for direct and directed marketing, and government
agencies,
(4) end users of content,
(5) infrastructure service and device providers such as
telecommunication companies and hardware
- 140 -
CA 02619962 2008-02-21
WO 98/09209 PCT1US97/15243
manufacturers (semiconductor and electronic
appliance and/or other computer system
manufacturers) who receive compensation based
upon the use of their services and/or devices, and
(6) certain parties described by electronic information.
VDE supports commercially secure "extended" value chain
electronic agreements. VDE can be configured to support the
various underlying agreements between parties that comprise
this extended agreement. These agreements can define
important electronic commerce considerations including:
(1) security,
(2) content use control, including electronic distribution,
(3) privacy (regarding, for example, information
concerning parties described by medical, credit, tax,
personal, and/or of other forms of confidential
information),
(4) management of financial processes, and
- 141-
CA 02619962 2008-02-21
WO 98/09209 PCT/U$97/15243
(5) pathways of handling for electronic content, content
and/or appliance control information, electronic
content and/or appliance usage information and
payment and/or credit.
VDE agreements may define the electronic commerce
relationship of two or more parties of a value chain, but such
agreements may, at times, not directly obligate or otherwise
directly involve other VDE value chain participants. For
example, an electronic agreement between a content creator and
a distributor may establish both the price to the distributor for a
creator's content (such as for a property (iistributed in a VDE
container object) and the number of copies of this object that this
distributor may distribute to end-users over a given period of
time. In a second agreement, a value chain end-user may be
involved in a three party agreement in which the end-user
agrees to certain requirements for using the distributed product
such as accepting distributor charges for content use and
agreeing to observe the copyright rights of the creator. A third
agreement might exist between the distributor and a financial
clearinghouse that allows the distributor to employ the
clearinghouse's credit for payment for the product if the end-user
has a separate (fourth) agreement directly with the
clearinghouse extending credit to the end-user. A fifth, evolving
-142-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
agreement may develop between all value chain participants as
content control information passes along its chain of handling.
This evolving agreement can establish the rights of all parties to
content usage information, including, for example, the nature of
information to be received by each party and the pathway of
handling of content usage information and related procedures. A
sixth agreement in this example, may involve all parties to the
agreement and establishes certain general assumptions, such as
security techniques and degree of trustedness (for example,
commercial integrity of the system may require each VDE
installation secure subsystem to electronically warrant that their
VDE node meets certain interoperability requirements). In the
above example, these six agreements could comprise agreements
of an extended agreement for this commercial value chain
instance.
VDE agreements support evolving ("living") electronic
agreement arrangements that can be modified by current and/or
new participants through very simple to sophisticated
"negotiations" between newly proposed content control
information interacting with control information already in place
and/or by negotiation between concurrently proposed content
= control information submitted by a plurality of parties. A given
model may be asynchronously and progressively modified over
-143-
CA 02619962 2008-02-21
pCT/(JS97/15243
wo 9arono9
time in accordance with existing senior rules and such
modification may be applied to all, to classes of, and/or to specific
content, and/or to classes andlor specific users and/or user nodes.
A given piece of content may be subject to different control
information at different times or places of handling, depending
on the evolution of its content control information (and/or on
differing, applicable VDE installation content control
information). The evolution of control information can occur
during the passing along of one or more VDE control information
containing objects, that is control information may be modified at
one or more points along a chain of control information handling,
so long as such modification is allowed. As a result, VDE
managed content may have different control information applied
at both different "locations" in a chain of content handling and at
similar locations in differing chains of the handling of such
content. Such different application of control information may
also result from content control information specifying that a
certain party or group of parties shall be subject to content
control information that differs from another party or group of
parties. For example, content control information for a given
piece of content may be stipulated as senior information and
therefore not changeable, might be put in place by a content
creator and might stipulate that national distributors of a given
piece of their content may be permitted to make 100,000 copies
- ].44 -
CA 02619962 2008-02-21
WO 98109209 Pcrlirs97115243
per calendar quarter, so long as such copies are provided to boni
fide end-users, but may pass only a single copy of such content to
a local retailers and the control information limits such a retailer
to making no more than 1,000 copies per month for retail sales to
= 5 end-users. In addition, for example, an end-user of such content
might be limited by the same content control information to
making three copies of such content, one for each of three
different computers he or she uses (one desktop computer at
work, one for a desktop computer at home, and one for a portable
computer).
Electronic agreements supported by the preferred
embodiment of the present invention can vary from very simple
to very elaborate. They can support widely diverse information
management models that provide for electronic information
security, usage administration, and communication and may
support:
(a) secure electronic distribution of information, for
example commercial literary properties,
(b) secure electronic information usage monitoring and
reporting,
- 145 -
CA 02619962 2008-02-21
wo 98/U9209 PCTIUS97/15243
(c) secure financial transaction capabilities related to
both electronic information and/or appliance usage
and other electronic credit and/or currency usage
and administration capabilities,
(d) privacy protection for usage information a user does
not wish to release, and
(e) "living" electronic information content dissemination
models that flexibly accommodate:
(1) a breadth of participants,
(2) one or more pathways (chains) for: the
handling of content, content andlor appliance
control information, reporting of content
andlor appliance usage related information,
and/or payment,
(3) supporting an evolution of terms and
conditions incorporated into content control
information, including use of electronic
negotiation capabilities,
- 146 -
CA 02619962 2008-02-21
wo 9sro92os PCT/US97/15243
(4) support the combination of multiple pieces of
content to form new content aggregations, and
(5) multiple concurrent models.
Secure Processing Units
An important part of VDE provided by the present
invention is the core secure transaction control arrangement,
herein called an SPU (or SPUs), that typically must be present in
each user's computer, other electronic appliance, or network.
SPUs provide a trusted environment for generating decryption
keys, encrypting and decrypting information, managing the
secure communication of keys and other information between
electronic appliances (i.e. between VDE installations and/or
between plural VDE instances within a single VDE installation),
securely accumulating and managing audit trail, reporting, and
budget information in secure and/or non-secure non-volatile
memory, maintaining a secure database of control information
management instructions, and providing a secure environment
for performing certain other control and administrative
fuIIctlOAs.
= A hardware SPU (rather than a software emulation)
within a VDE node is necessary if a highly trusted environment
- 147 -
CA 02619962 2008-02-21
WO 9"9M PCTlUS97J15Z43
for performing certain VDE activities is required. Such a trusted
environment may be created through the use of certain control
software, one or more tamper resistant hardware modules such
as a semiconductor or semiconductor chipset (including, for
example, a tamper resistant hardware electronic appliance
peripheral device), for use within, and/or operatively connected
to, an electronic appliance. With the present invention, the
trustedness of a hardware SPU can be enhanced by enclosing
some or all of its hardware elements within tamper resistant
packaging and/or by employing other tamper resisting
techniques (e.g. microfusing and/or thin wire detection
techniques). A trusted environment of the present invention
implemented, in part, through the use of tamper resistant
semiconductor design, contains control logic, such as a
microprocessor, that securely executes VDE processes.
A VDE node's hardware SPU is a core component of a VDE
secure subsystem and may employ some or all of an electronic
appliance's primary control logic, such as a microcontroller,
microcomputer or other CPU arrangement. This primary control
logic may be otherwise employed for non VDE purposes such as
the control of some or all of an electronic appliance's non-VDE
functions. When operating in a hardware SPU mode, said
primary control logic must be sufficiently secure so as to protect
-148-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
and conceal important VDE processes. For example, a hardware
SPU may employ a host electronic appliance microcomputer
operating in protected mode while performing VDE related
activities, thus allowing portions of VDE processes to execute
with a certain degree of security. This alternate embodiment is
in contrast to the preferred embodiment wherein a trusted
environment is created using a combination of one or more
tamper resistant semiconductors that are not part of said
primary control logic. In either embodiment, certain control
information (software and parameter data) must be securely
maintained within the SPU, and further control information can
be stored externally and securely (e.g. in encrypted and tagged
form) and loaded into said hardware SPU when needed. In
many cases, and in particular with microcomputers, the
preferred embodiment approach of emplovving special purpose
secure hardware for executing said VDE processes, rather than
using said primary control logic, may be more secure and
efficient. The level of security and tamper resistance required
for trusted SPU hardware processes depends on the commercial
requirements of particular markets or market niches, and may
vary widely.
- 149 -
CA 02619962 2008-02-21
WO 9g/09209 PCT/US97/15243
BBIEF DESCRIPTION OF THE DRAWINGS
These and other features and advantages provided by the
present invention(s) may be better and more completely
understood by referring to the following detailed description of
presently preferred example embodiments in connection with the
drawings, of which:
FIGURE 1 illustrates an example of a "Virtual
Distribution Environment" provided in accordance with a
preferred example/embodiment of this invention;
FIGITR.E 1A is a more detailed illustration of an example
of the "Information Utility" shown in FIGURE 1; '
FIGURE 2 illustrates an example of a chain of handling
and control;
FIGITRE 2A illustrates one example of how rules and
control information may persist from one participant to another
in the Figure 2 chain of handling and control;
FIGURE 3 shows one example of different control
information that may be provided;
- 150 -
CA 02619962 2008-02-21
qrO MM PCT/US97J15243
FIGURE 4 iIlustrates examples of some different types of
rules and/or control information;
FIGURES 5A and 5B show an example of an "object";
FIGURE 6 shows an example of a Secure Processing Unit
("SPU"),
FIGURE 7 shows an example of an electronic appliance;
FIGURE 8 is a more detailed block diagram of an example
of the electronic appliance shown in FIGURE 7;
FIGURE 9 is a detailed view of an example of the Secure
Processing Unit (SPU) shown in FIGURES 6 and 8;
Figure 9A shows an example combined secure processing
unit and control processing unit;
Figure 9B shows an example secure processing unit
integrated with a standard CPU;
-151-
CA 02619962 2008-02-21
WO 98J09209 PCT/US97115243
FIGURE 10 shows an example of a'Rights Operating
System" ("ROS") architecture provided by the Virtual
Distribution Environment;
FIGURES 11A-11C show examples of functional
relationship(s) between applications and the Rights Operating
System;
FIGURES 11D-11J show examples of "components" and
"component assemblies";
FIGURE 12 is a more detailed diagram of an example of
the Rights Operating System shown in FIGUR.E 10;
FIGURE 12A shows an- example of how "objects" can be
created;
FIGURE 13 is a detailed block diagram of an example the
software architecture for a"protected processing environment"
shown in FIGURE 12;
FIGURES 14A-14C are examples of SPU memory maps
provided by the protected processing environment shown in
FIGURE 13;
- 152 -
CA 02619962 2008-02-21
wo 98J092o9 rCrNS97nS2a3
FIGiJRE 15 iIlustrates an example of how the channel
services manager and load module execution manager of
FIGU'RE 13 can support a channel;
FIGURE 15A is an example of a channel header and
channel detail records shown in FIGLTRE 15;
FIGURE 15B is a flowchart of an example of program
control steps that may be performed by the FIGURE 13 protected
processing environment to create a channel;
FIGLTR,E 16 is a block diagram of an example of a secure
data base structure;
FIGURE 17 is an illustration of an example of a logical
object structure;
FIGURE 18 shows an example of a stationary object
structure;
FIGURE 19 shows an example of a traveling object
structure;
-153-
CA 02619962 2008-02-21
WO 98109209 PCTIUS97115243
FIGURE 20 shows an example of a content object
structure;
FIGURE 21 shows an example of an administrative object
structure;
FIGURE 22 shows an example of a method core structure;
FIGURE 23 shows an example of a load module structure;
FIGURE 24 shows an example of a User Data Element
(UDE) and/or Method Data Element (MDE) structure;
FIGLTRES 25A-25C show examples of "map meters";
FIGURE 26 shows an example of a permissions record
(PERC) structure;
FIGURES 26A and 26B together show a more detailed
example of a permissions record structure;
FIGURE 27 shows an example of a shipping table
structure;
-154 -
CA 02619962 2008-02-21
wo 98/09209 PGT/OS97115243
FIGURE 28 shows an example of a receiving table
structure;
FIGURE 29 shows an example of an administrative event
log structure;
FIGURE 30 shows an example inter-relationship between
and use of the object registration table, subject table and user
rights table shown in the FIGLTRE 16 secure database;
FIGURE 31 is a more detailed example of an object
registration table shown in FIGURE 16;
FIGURE 32 is a more detailed example of subject table
shown in FIGU'R.E 16;
FIGURE 33 is a more detailed example of a user rights
table shown in FIGURE 16;
FIGURE 34 shows a specific example of how a site record
table and group record table may track portions of the secure
= database shown in FIGURE 16;
-155-
CA 02619962 2008-02-21
WO 98l09209 PCT/US97/15243
FIGURE 34A is an example of a FIGURE 34 site record
table structure;
FIGURE 34B is an example of a FIGURE 34 group record
table stracture;
FIGURE 35 shows an example of a process for updating
the secure database;
FIGURE 36 shows an example of how new elements may
be inserted into the FIGURE 16 secure data base;
FIGURE 37 shows an example of how an element of the
secure database mav be accessed;
FIGURE 38 is a flowchart example of how to protect a
secure database element;
FIGURE 39 is a flowchart example of how to back up a
secure database;
FIGURE 40 is a flowchart example of how to recover a
secure database from a backup;
-156-
CA 02619962 2008-02-21
Wo 9&99209 PCT/US97n5243
FIGtJRES 41A-41D are a set of examples showing how a
"chain of handling and control" may be enabled using "reciprocal
methods"
;
FIGURES 42A-42D show an example of a"reciprocaI"
BUDGET method;
FIGIJRES 43A-43D show an example of a"reciprocaP'
REGISTER method;
FIGURES 44A-44C show an example of a "reciprocal"
AUDIT method;
FIGURES 45-48 show examples of several methods being
used together to control release of content or other information;
FIGURES 49, 49A-49F show an example OPEN method;
FIGURES 50, 50A-50F show an example of a READ
method;
FIGURES 51, 51A-51F show an example of a WRITE
method;
-157-
CA 02619962 2008-02-21
WO 98l09209 PCT/US97115243
FIGURE 52 shows an example of a CLOSE method;
FIGURES 53A-53B show an example of an EVENT
method;
FIGIJRE 53C shows an example of a BILLING method;
FIGL'RE 54 shows an example of an ACCESS method;
FIGURES 55A-55B show examples of DECRYPT and
ENCRYPT methods;
FIGURE 56 shows an example of a CONTENT method;
FIGITRES 57A and 57B show examples of EXTRACT and
EMBED methods;
FIGURE 58A shows an example of an OBSCURE method;
FIGURES 58B, 58C show examples of a FINGERPRINT
method;
FIGURE 59 shows an example of a DESTROY method;
- 158 -
CA 02619962 2008-02-21
wo 98/09209 rCT/US97/1sZa3
FIGURE 60 shows an example of a PANIC method;
FIGURE 61 shows an example of a METER method;
FIGURE 62 shows an example of a key "convolution"
process;
FIGIJRE 63 shows an example of how different keys may
be generated using a key convolution process to determine a
"true" key;
FIGURES 64 and 65 show an example of how protected
processing environment keys may be initialized;
FIGURES 66 and 67 show example processes for
decrypting information contained within stationary and
traveling objects, respectively;
Figures 67A and 67B show example techniques for
cracking a software-based protected processing environment;
FIGURE 68 shows an example of how a protected
processing environment may be initialized;
-159-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/18243
FIGURE 69 shows an example of how firmware may be
downloaded into a protected processing environment;
Figure 69A shows an example technique for distributing
protected processing environment software;
Figure 69B-69C show an example installation routine for
installing a software-based protected processing environment;
Figure 69D shows example techniques for embedding
cryptographic keys at random locations within structure-based
protected processing environment operational materials;
Figure 69E shows example locations for PPE operational
materials random modifications and/or digital fingerprints;
Figure 69F shows an example customized static storage
layout for PPE operational materials;
Figure 69G shows example electronic appliance signature
locations;
Figure 69H shows example sequence dependent and
independent processes;
160
CA 02619962 2008-02-21
WO 98/09209 PCI'/US97/15243
Figures 691 and 69J show example static code and data
storage organizations;
Figures 69K-69L together show example steps for
providing dynamic protection mechanisms;
Figure 69M shows an example initialization time check
routine;
Figure 69N shows an example time check routine;
Figure 690 shows example time check data structures;
FIGUR.E 70 shows an example of multiple VDE electronic
appliances connected together with a network or other
communications means;
Figure 70A shows how content may be prepared for
printing and encrypted inside a PPE, then decrypted inside a
printer;
Figure 70B shows how characters may be selected from
slightly different fonts in order to place an electronic fingerprint
or watermark into printed output;
- 161-
CA 02619962 2008-02-21
WO gg/py209 PCT/US97/15243
Figure 70C shows how characters in a font may be
permuted to render a printed page unusable without the
corresponding scrambled font;
FIGURE 71 shows an example of a portable VDE
electronic appliance;
FIGLTRES 72A-72D show examples of "pop-up" displays
that may be generated by the user notification and exception
interface;
FIGURE 73 shows an example of a"smart object";
FIGURE 74 shows an example of a process using "smart
objects";
FIGURES 75A-75D show examples of data structures used
for electronic negotiation;
FIGURES 75E-75F show example structures relating to an
electronic agreement;
FIGURES 76A-76B show examples of electronic
negotiation processes;
-162-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
FIGURE 77 shows a further example of a chain of
handling and control;
FIGURE 78 shows an example of a VDE "repository";
= 5
FIGUR.ES 79-83 show an example illustrating a chain of
handli.ng and control to evolve and transform VDE managed
content and control information;
FIGURE 84 shows a further example of a chain of
handling and control involving several categories of VDE
participants;
FIGUR.E 85 shows a further example of a chain of
distribution and handling within an organization;
Figures 86 and 86A show a further example of a chain of
handling and control; and
Figure 87 shows an example of a virtual silicon container
model.
= MORE DETAILED DESCRIPTION
-163-
CA 02619962 2008-02-21
wo 98/09209 PCT/US97/15Z43
Figures 1-7 and the discussion below provides an overview
of some aspects of features provided by this invention. Following
this overview is a more technical "detail description" of example
embodiments in accordance with the invention.
Overview
Figure 1 shows a"Virtual Distribution Environment"
("VDE") 100 that may be provided in accordance with this
invention. In Figure 1, an information utility 200 connects to
comznunications means 202 such as telephone or cable TV lines
for example. Telephone or cable TV lines 202 may be part of an
"electrg in c hiv-hwav" that carries electronic information from
place to place. Lines 202 connect information utility 200 to other
people such as for example a consumer 208, an office 210, a video
production studio 204, and a publishing house 214. Each of the
people connected to information utility 200 may be called a "VDE
participant" because they can participate in transactions
occurring within the virtual distribution environment 100.
Almost any sort of transaction you can think of can be
supported by virtual distribution environment 100. A few of
many examples of transactions that can be supported by virtual
distribution environment 100 include:
164
CA 02619962 2008-02-21
wo 9sro92o9 rcr/vs97n5sa3
= home banking and electronic payments;
= electronic legal contracts;
= distribution of "content" such as electronic printed matter,
video, audio, images and computer programs; and
= secure communication of private information such as
medical records and financial information.
Virtual distribution environment 100 is "virtual" because
it does not require many of the physical "things" that used to be
necessary to protect rights, ensure reliable and predictable
distribution, and ensure proper compensation to content creators
and distributors. For example, in the past, information was
distributed on records or disks that were difficult to copy. In the
past, private or secret content was distributed in sealed
envelopes or locked briefcases delivered bv courier. To ensure
appropriate compensation, consumers received goods and
services only after they handed 'cash over to a seller. Although
information utility 200 may deliver information by transferring
physical "things" such as electronic storage media, the virtual
distribution environment 100 facilitates a completely electronic
"chain of handling and control."
VDE Flexibility Supports Transactions
-165-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
Information utility 200 flexibly supports many different
kinds of information transactions. Different VDE participants
may define and/or participate in different parts of a transaction.
Information utility 200 may assist with delivering information
about a transaction, or it may be one of the transaction
participants.
For example, the video production studio 204 in the upper
right-hand corner of Figure 1 may create video/television
programs. Video production studio 204 may send these
programs over lines 202, or may use other paths such as satellite
link 205 and CD ROM delivery service 216. Video production
studio 204 can send the programs directly to consumers 206, 208,
210, or it can send the programs to information utility 200 which
may store and later send them to the consumers, for example.
Consumers 206, 208, 210 are each capable of receiving and
using the programs created by video production studio
204--assuming, that is, that the video production studio or
information utility 200 has arranged for these consumers to have
appropriate "rules and controls" (control information) that give
the consumers rights to use the programs.
Even if a consumer has a copy of a video program, she
cannot watch or copy the program unless she has "rules and
-166-
CA 02619962 2008-02-21
WO 98/09209 PGT/[TS97/15243
controls" that authorize use of the program. She can use the
program only as permitted by the "rules and controls."
. For example, video production studio 204 might release a
half-hour exercise video in the hope that as many viewers as
possible will view it. The video production studio 204 wishes to
receive $2.00 per viewing. Video production studio 204 may,
through information utility 200, make the exercise video
available in "protected" form to all consumers 206, 208, 210.
Video production studio 204 may also provide "rules and
controls" for the video. These "rules and controls" may specify
for example:
(1) any consumer who has good credit of at least $2.00
based on a credit account with independent financial
provider 212 (such as Mastercard or VISA) may watch the
video,
(2) virtual distribution environment 100 will "meter" each
time a consumer watches the video, and report usage to
video production studio 204 from time to time, and
(3) financial provider 212 may electronically collect
payment ($2.00) from the credit account of each consumer
- 167 -
CA 02619962 2008-02-21
wo 93)99Za) rcT/[J397n5243
who watches the video, and transfer these payments to the
video production studio 204.
Information utility 200 allows even a small video
production studio to market videos to consumers and receive
compensation for its efforts. Moreover, the videos can, with
appropriate payment to the video production studio, be made
available to other video publishers who may add value and/or act
as repackagers or redistributors.
Figure 1 also shows a publishing house 214. Publishing
house 214 may act as a distributor for an author 206. The
publishing house 214 may distribute rights to use "content" (such
as computer software, electronic newspapers, the video produced
'15 by publishing house 214, audio, or any other data) to consumers
such as office 210. The use rights may be defined by "rules and
controls" distributed by publishing house 216. Publishing house
216 may distribute these "rules and controls" with the content,
but this is not necessary. Because the content can be used only
by consumers that have the appropriate "rules and controls,"
content and its associated "rules and controls" may be
distributed at different times, in different ways, by different
VDE participants. The ability of VDE to securely distribute and
-168-
CA 02619962 2008-02-21
wo 98/09209 PCT/US97115243
enforce "rules and controls" separately from the content they
apply to provides great advantages.
Use rights distributed by publishing house 214 may, for
example, permit office 210 to make and distribute copies of the
content to its employees. Office 210 may act as a redistributor by
extending a "chain of hanclling and control" to its employees.
The office 210 may add or modify "rules and controls" (consistent
with the "rules and controls" it receives from publishing house
214) to provide office-internal control information and
mechanisms. For example, office 210 may set a maximum usage
budget for each individual user and/or group within the oiTice, or
it may permit only specified employees andJor groups to access
certain information.
Figure 1 also shows an information delivery service 216
delivering electronic storage media such as "CD ROM" disks to
consumers 206. Even though the electronic storage media
themselves are not delivered electronically by information utility
200 over lines 202, they are still part of the virtual distribution
environment 100. The electronic storage media may be used to
distribute content, "rules and controls," or other information.
-169-
CA 02619962 2008-02-21
Wo 9&/09M rcTnJS9711s243
Example of What's Faeide Information Utility 200
"Information utility" 200 in Figure 1 can be a collection of
participants that may act as distributors, financial
clearinghouses, and administrators. Figure 1A shows an
example of what may be inside one example of information
utility 200. Information utility participants 200a-200g could
each be an independent organization/business. There can be any
number of each of participants 200a-200g. In this example,
electronic "switch" 200a connects internal parts of information
utility 200 to each other and to outside participants, and may
also connect outside participants to one another.
Information utility 200 may include a "transaction
processor" 200b that processes transactions (to transfer
electronic fuads, for example) based on requests from
participants and/or report receiver 200e. It may also include a
"usage analyst" 200c that analyzes reported usage information.
A "report creator" 200d may create reports based on usage for
example, and may provide these reports to outside participants
and/or to participants within information utility 200. A "report
receiver" 200e may receive reports such as usage reports from
content users. A"permissioning agent" 200f may distribute
"rules and controls" granting usage or distribution permissions
based on a profile of a consumer's credit worthiness, for example.
-170-
CA 02619962 2008-02-21
WO 98/09209 PGT/US97/15243
An administrator 200h may provide information that keeps the
virtual distribution environment 100 operating properly. A
content and message storage 200g may store information for use
by participants within or outside of information utility 200.
= 5
Example of Distributing eontent' Using A Chain of Handliag
and Control'
As explained above, virtual distribution environment 100
can be used to manage almost any sort of transaction. One type
of important transaction that virtual distribution environment
100 may be used to manage is the distribution or communication
of "content" or other important information. Figure 2 more
abstractly shows a "model" of how the Figure 1 virtual
distribution environment 100 may be used to provide a "chain of
handling and control" for distributing content. Each of the
blocks in Figure 2 may correspond to one or more of the VDE
participants shown in Figure 1.
In the Figure 2 example, a VDE content creator 102
creates "content." The content creator 102 may also specify
"rules and controls' for distributing the content. These
' distribution-related "rules and controls" can specify who has
permission to distribute the rights to use content, and how many
users are allowed to use the content.
-171-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/25243
Arrow 104 shows the content creator 102 sending the
"rules and controls" associated with the content to a VDE rj,ghf.$
distributor 106 ("distributor") over an electronic highway 108 (or
by some other path such as an optical disk sent by a delivery
service such as U. S. mail). The content can be distributed over
the same or different path used to send the "rules and controls."
The distributor 106 generates her own "rules and controls" that
relate to usage of the content. The usage-related "rules and
controls" may, for example, specify what a user can and can't do
with the content and how much it costs to use the content. These
usage-related "rules and controls" must be consistent with the
"rules and controls" specified by content creator 102.
Arrow 110 shows the distributor 106 distributing rights to
use the content by sending the content's "rules and controls" to a
content user 112 such as a consumer. The content user 112 uses
the content in accordance with the usage-related "rules and
controls."
In this Figure 2 example, information relating to content
use is, as shown by arrow 114, reported to a financial
clearinghouse 116. Based on this "reporting," the financial
clearinghouse 116 may generate ahW and send it to the content
user 112 over a"reports and Fayments" network 118. Arrow 120
- 172 -
CA 02619962 2008-02-21
WO 98/09209 PCT/IJS97/15243
shows the content user 112 providing pa,vinents for content
usage to the financial clearinghouse 116. Based on the reports
and payments it receives, the financial clearinghouse 116 may
provide reports and/or payments to the distributor 106. The
distributor 106 may, as shown by arrow 122, provide reports
and/or payments to the content creator 102. The clearinghouse
116 may provide reports and payments directly to the creator
102. Reporting and/or payments may be done differently. For
example, clearinghouse 116 may directly or through an agent,
provide reports and/or payments to each of VDE content creators
102, and rights distributor 106, as well as reports to content user
112.
The distributor 106 and the content creator 102 may be
the same person, or they may be different people. For example, a
musical performing group may act as both content creator 102
and distributor 106 by creating and distributing its own musical
recordings. As another example, a publishing house may act as a
distributor 106 to distribute rights to use works created by an
author content creator 102. Content creators 102 may use a
distributor 106 to efficiently manage the financial end of content
distribution.
-173-
CA 02619962 2008-02-21
WO 98/09209 PCTNS97/15243
The "financial clearinghouse" 116 shown in Figure 2 may
also be a"VDE administrator." Financial clearinghouse 116 in its
VDE administrator role sends "administrative" information to
the VDE participants. This administrative information helps to
keep the virtual distribution environment 100 operating
properly. The "VDE administrator" and financial clearinghouse
roles may be performed by different people or companies, and
there can be more than one of each.
More about Rules and Controla'
The virtual distribution environment 100 prevents use of
protected information except as permitted bY the "rules and
controls" (control information). For example, the "rules and
controls" shown in Figure 2 may grant specific individuals or
classes of content users 112 "permission" to use certain content.
They may specifv what kinds of content usage are permitted, and
what kinds are not. They may specify how content usage is to be
paid for and how much it costs. As another example, "rules and
controls" may require content usage information to be reported
back to the distributor 106 and/or content creator 102.
Every VDE participant in "chain of handling and control"
is normally subject to "rules and controls." "Rules and controls"
define the respective rights and obligations of each of the various
- 174 -
CA 02619962 2008-02-21
WO 98/09209 PCT/U397115243
VDE participants. "Rules and controls" provide information and
mechanisms that may establish interdependencies and
relationships between the participants. "Rules and controls" are
flexible, and permit "virtual distribution environment" 100 to
= 5 support most "traditional" business transactions. For example:
= "Rules and controls" may specify which financial
clearinghouse(s) 116 may process payments,
= "Rules and controls" may specify which participant(s)
receive what kind of usage report, and
= "Rules and controls" may specify that certain information
is revealed to certain participants, and that other
information is kept secret from them.
"Rules and controls" may self limit if and how they may be
changed. Often, "rules and controls" specified by one VDE
participant cannot be changed by another VDE participant. For
example, a content user 112 generally can't change "rules and
controls" specified by a distributor 106 that require the user to
pay for content usage at a certain rate. "Rules and controls" may
"persist" as they pass through a"chain of handling and control,"
and may be "inherited" as they are passed down from one VDE
participant to the next.
- 175 -
CA 02619962 2008-02-21
W0 9Msos rcr/US97115243
Depending upon their needs, VDE participants can specify
that their "rules and controls" can be changed under conditions
specified by the same or other "rules and controls." For example,
"rules and controls" specified by the content creator 102 may
permit the distributor 106 to "mark up" the usage price just as
retail stores "mark up" the wholesale price of goods. Figure 2A.
shows an example in which certain "rules and controls" persist
unchanged from content creator 102 to content user 112; other
"rules and controls" are modified or deleted by distributor 106;
and still other "rules and controls" are added by the distributor.
"Rules and controls" can be used to protect the content
user's privacy by limiting the information that is reported to
other VDE participants. As one example, "rules and controls"
can cause content usage information to be reported anonymously
without revealing content user identity, or it can reveal only
certain information to certain participants (for example,
information derived from usage) with appropriate permission, if
required. This ability to securely control what information is
revealed and what VDE participant(s) it is revealed to allows the
privacy rights of all VDE participants to be protected.
- 176 -
CA 02619962 2008-02-21
WO WM0g PCT/US97/15243
RuleB and Contents" Can Be Separately Delivered
As mentioned above, virtual distribution environment 100
"associates" content with corresponding "rules and controls," and
. prevents the content from being used or accessed unless a set of
= 5 corresponding "rules and controls" is available. The distributor
106 doesn't need to deliver content to control the content's
distribution. The preferred embodiment can securely protect
content by protecting corresponding, usage enabling "rules and
controls" against unauthorized distribution and use.
In some examples, "rules and controls" may travel with the
content they apply to. Virtual distribution environment 100 also
allows "rules and controls" to be delivered separately from
content. Since no one can use or access protected content
without "permission" from corresponding "rules and controls,"
the distributor 106 can control use of content that has already
been (or wiIl in the future be) delivered. "Rules and controls"
may be delivered over a path different from the one used for
content delivery. "Rules and controls" may also be delivered at
some other time. The content creator 102 might deliver content
to content user 112 over the electronic highway 108, or could
make the content available to anyone on the highway. Content
may be used at the time it is delivered, or it may be stored for
later use or reuse.
-177-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
The virtual distribution environment 100 also allows
payment and reporting means to be delivered separately. For
example, the content user 112 may have a virtual "credit card"
that extends credit (up to a certain limit) to pay for usage of any
content. A "credit transaction" can take place at the user's site
without requiring any "online" connection or further
authorization. This invention can be used to help securely
protect the virtual "credit card" against unauthorized use.
Rules and Contents' Define Processes
Figure 3 shows an example of an overall process based on
"rales and controls." It includes an "events" process 402, a meter
process 404, a billing process 406, and a budget process 408. Not
all of the processes shown in Figure 3 will be used for every set of
"rules and controls_"
The "events process" 402 detects things that happen
("events") and determines which of those "events" need action by
the other "processes." The "events" may include, for example, a
request to use content or generate a usage permission. Some
events may need additional processing, and others may not.
Whether an "event" needs more processing depends on the "rules
and controls" corresponding to the content. For example, a user
who lacks permission will not have her request satisfied ("No
-178-
CA 02619962 2008-02-21
WO 98109209 PCT/[1S97/15243
Go"). As another example, each user request to turn to a new
page of an electronic book may be satisfied ("Go"), but it may not
be necessary to meter, bill or budget those requests. A user who
has purchased a copy of a novel may be permitted to open and
read the novel as many times as she wants to without any
further metering, billing or budgeting. In this simple example,
the "event process" 402 may request metering, billi.ng and/or
budgeting processes the first time the user asks to open the
protected novel (so the purchase price can be charged to the
user), and treat all later requests to open the same novel as
"insignificant events." Other content (for example, searching an
electronic telephone directory) may require the user to pay a fee
for each access.
"Meter" process 404 keeps track of events, and may report
usage to distributor 106 and/or other appropriate VDE
participant(s). Figure 4 shows that process 404 can be based on
a number of different factors such as:
(a) type of usage to charge for,
(b) what kind of unit to base charges on,
(c) how much to charge per unit,
-179-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
(d) when to report, and
(e) how to pay.
These factors may be specified by the "rules and controls" that
control the meter process.
Billing process 406 determines how much to charge for
events. It records and reports payment information.
Budget process 408 limits how much content usage is
permitted. For example, budget process 408 may limit the
number of times content may be accessed or copied, or it may
limit the number of pages or other amount of content that can be
used based on, for example, the number of dollars available in a
credit account. Budget process 408 records and reports financial
and other transaction information associated with such limits.
Content may be supplied to the user once these processes
have been successfully performed.
Containers and Objects'
Figure 5A shows how the virtual distribution environment
100, in a preferred embodiment, may package information
elements (content) into a"eontainer" 302 so the information can't
be accessed except as provided by its "rules and controls."
- 180 -
CA 02619962 2008-02-21
WO 98f09209 PGT1US97115243
Normally, the container 302 is electronic rather than physical.
Electronic container 302 in one example comprises "digital"
information having a well defined structure. Container 302 and
= its contents can be called an "object 300."
The Figure 5A example shows items "within" and enclosed
by container 302. However, container 302 may "contain" items
without those items actually being stored within the container.
For example, the container 302 may reference items that are
available elsewhere such as in other containers at remote sites.
Container 302 may reference items available at different times
or only during limited times. Some items may be too large to
store Mthin container 302. Items may, for example, be delivered
to the user in the form of a "live feed" of video at a certain time.
Even then, the container 302 "contains" the live feed (by
reference) in this example.
Container 302 may contain information content 304 in
gjectrori (such as "digital") form. Information content 304 could
be the text of a novel, a picture, sound such as a musical
performance or a reading, a movie or other video, computer
= software, or just about any other kind of electronic information
you can think of. Other types of "objects" 300 (such as
-181-
CA 02619962 2008-02-21
w0 yg/09209 PCTIUS97/15243
"administrative objects") may contain "administrative" or other
information instead of or in addition to information content 304.
In the Figure 5A example, container 302 may also contain
"rules and controls" in the form of:
(a) a "permissions record" 808;
(b) "budgets" 308; and
(c) "other methods" 1000.
Figure 5B gives some additional detail about permissions
record 808, budgets 308 and other methods 1000. The
"permissions record" 808 specifies the rights associated with the
object 300 such as, for example, who can open the container 302,
who can use the object's contents, who can distribute the object,
and what other control mechanisms must be active. For
example, permissions record 808 may specify a user's rights to
use, distribute and/or administer the container 302 and its
content. Permissions record 808 may also specify requirements
to be applied by the budgets 308 and "other methods" 1000.
Permissions record 808 may also contain security related
i.nformation such as scrambling and descrambling "keys."
'Budgets" 308 shown in Figure 5B are a special type of
"method" 1000 that may specify, among other things, limitations
-182-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
on usage of information content 304, and how usage will be paid
for. Budgets 308 can specify, for example, how much of the total
information content 304 can be used and/or copied. The methods
310 may prevent use of more than the amount specified by a
specific budget.
"Other methods" 1000 define basic operations used by
"rules and controls." Such "methods" 1000 may include, for
example, how usage is to be "metered," if and how content 304
and other information is to be scrambled and descrambled, and
other processes associated with handling and controlling
infornlation content 304. For example, methods 1000 may record
the identity of anyone who opens the electronic container 302,
and can also control how information content is to be charged
based on "metering." Methods 1000 may apply to one or several
different information contents 304 and associated containers
302, as well as to all or specific portions of information content
304.
Secure Processing Unit (SPU)
The "VDE participants" may each have an "electronic
appliance." The appliance may be or contain a computer. The
appliances may communicate over the electronic highway 108.
Figure 6 shows a secure nrocessing unit ("SPU") 500 portion of
-183-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
the "electronic appliance" used in this example by each VDE
participant. SPU 500 processes information in a secure
processing environment 503, and stores important information
securely. SPU 500 may be emulated by software operating in a
host electronic appliance.
SPU 500 is enclosed within and protected by a"tamDeT
resistant security barrier" 502. Security barrier 502 separates
the secure environment 503 from the rest of the world. It
prevents information and processes within the secure
environment 503 from being observed, interfered with and
leaving except under appropriate secure conditions. Barrier 502
also controls external access to secure resources, processes and
information within SPU 500. In one example, tamper resistant
security barrier 502 is formed by security features such as
"encryption," and hardware that detects tampering and/or
destroys sensitive information within secure environment 503
when tampering is detected.
SPU 500 in this example is an integrated circuit ("IC")
"chip" 504 including "hardware" 506 and "firmware" 508. SPU
500 connects to the rest of the electronic appliance through an
"appliance link' 510. SPU "firmware" 508 in this example is
"software" such as a "computer program(s)" "embedded" ivithin
- 184 -
CA 02619962 2008-02-21
WO 98/09209 PCTiUS97/15243
chip 504. Firmware 508 makes the hardware 506 work.
Hardware 506 preferably contains a processor to perform
instructions specified by firmware 508. "Hardware" 506 also
contains long-term and short-term memories to store information
securely so it can't be tampered with. SPU 500 may also have a
protected clock/calendar used for timing events. The SPU
hardware 506 in this example may include special purpose
electronic circuits that are specially designed to perform certain
processes (such as "encryption" and "decryption") rapidly and
efficiently.
The particular context in which SPU 500 is being used will
determine how much processing capabilities SPU 500 should
have. SPU hardware 506, in this example, provides at least
enough processing capabilities to support the secure parts of
processes shown in Figure 3. In some contexts, the functions of
SPU 500 may be increased so the SPU can perform all the
electronic appliance processing, and can be incorporated into a
general purpose processor. In other contexts, SPU 500 may work
alongside a general purpose processor, and therefore only needs
to have enough processing capabilities to handle secure
processes.
-185-
CA 02619962 2008-02-21
WO 98/09209 PCTIUS97/15243
VDE Electronic Appliance and Rights Operating System'
Figure 7 shows an example of an electronic appliance 600
including SPU 500. Electronic appliance 600 may be practically
any kind of electrical or electsonic device, such as:
= a computer
= a T.V. "set top" control box
= a pager
= a telephone
= a sound system
= a video reproduction system
= a video game player
= a "smart" credit card
Electronic appliance 600 in this example may include a keyboard
or keypad 612, a voice recognizer 613, and a display 614. A
human user can input commands through keyboard 612 and/or
voice recognizer 613, and may view information on display 614.
Appliance 600 may communicate with the outside world through
any of the connections/devices normally used within an electronic
appliance. The connections/devices shown along the bottom of
the drawing are examples:
a"modem" 618 or other telecommunications link;
a CD ROM disk 620 or other storage medium or device;
- 186 -
CA 02619962 2008-02-21
WO 98/09209 pCT/US97/15243
a printer 622;
broadcast reception 624;
a document scanner 626; and
a "cable" 628 connecting the appliance with a"network.'
Virtual distribution environment 100 provides a
onerati ,n,Q system" 602 that manages appliance 600 and SPU 500
by controlling their hardware resources. The operating system
602 may also support at least one "application" 608. Generally,
"application" 608 is hardware and/or software specific to the
context of appliance 600. For example, if appliance 600 is a
personal computer, then "application" 608 could be a program
loaded by the user, for instance, a word processor, a
communications system or a sound recorder. If appliance 600 is
a television controller box, then application 608 might be
hardware or software that allows a user to order videos on
demand and perform other functions such as fast forward and
rewind. In this example, operating system 602 provides a
standardized, well defined, generalized "interface" that could
support and work with many different "applications" 608.
Operating system 602 in this example provides "Hghts and
auditing oRerating system functions" 604 and "other opPr,~g
system functions" 606. The "rights and auditing operating
-187-
CA 02619962 2008-02-21
WO 98/09209 PGT/US97/15243
system functions" 604 securely handle tasks that relate to virtual
distribution environment 100. SPU 500 provides or supports
many of the security functions of the "rights and auditing
operating system functions" 402. The "other operating system
functions" 606 handle general appliance functions. Overall
operating system 602 may be designed from the beginning to
include the "rights and auditing operating system functions" 604
plus the "other operating system functions" 606, or the "rights
and auditing operating system functions" may be an add-on to a
preexisting operating system providing the "other operating
system functions."
"R,ights operating system" 602 in this example can work
with many different types of appliances 600. For example, it can
work with large mainframe computers, "minicomputers" and
"microcomputers" such as personal computers and portable
computing devices. It can also work in control boxes on the top of
television sets, small portable "pagers," desktop radios, stereo
sound systems, telephones, telephone switches, or any other
electronic appliance. This ability to work on big appliances as
well as little appliances is called "scalable." " A "scalable"
operating system 602 means that there can be a standardized
interface across many different appliances performing a wide
variety of tasks.
-188 -
CA 02619962 2008-02-21
WO 98109209 PCT/US97115243
The "rights operating system functions" 604 are "services-
based" in this example. For example, "rights operating system
functions" 604 handle summary requests from application 608
rather than requiring the application to always make more
detailed "subrequests" or otherwise get involved with the
underlying complexities involved in satisfying a summar,y
request. For example, application 608 may simply ask to read
specified information; "rights operating system functions" 604
can then decide whether the desired information is VDE-
protected content and, if it is, perform processes needed to make
the information available. This feature is called "transparency."
"Transparency" makes tasks easy for the application 608.
"Rights operating system functions" 604 can support applications
608 that "know" nothing about virtual distribution environment
100. Applications 608 that are "aware" of virtual distribution
environment 100 may be able to make more detailed use of
virtual distribution environment 100.
In this example, "rights operating system functions" 604
are "event driven". Rather than repeatedly examining the state
of electronic appliance 600 to determine whether a condition has
arisen, the "rights operating system functions" 604 may respond
directly to "events" or "happenings" within appliance 600.
- 189 -
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
In this example, some of the services performed by "rights
operating system functions" 604 may be extended based on
additional "components" delivered to operating system 602.
"Rsghts operating system functions" 604 can collect together and
use "components" sent by different participants at different
times. The "components" help to make the operating system 602
"scalable." Some components can change how services work on
little appliances versus how they work on big appliances (e.g.,
multi-user). Other components are designed to work with
specific applications or classes of applications (e.g., some types of
meters and some types of budgets).
Electronic Appliance 600
An electronic appliance 600 provided by the preferred
embodiment may, for example, be any electronic apparatus that
contains one or more microprocessors and/or microcontrollers
andlor other devices which perform logical and/or mathematical
calculations. This may include computers; computer terminals;
device controllers for use with computers; peripheral devices for
use with computers; digital display devices; televisions; video
and audio/video projection systems; channel selectors and/or
decoders for use with broadcast and/or cable transmissions;
remote control devices; video and/or audio recorders; media
players including compact disc players, videodisc players and
- 190 -
CA 02619962 2008-02-21
WO 98/09209 PCT/U897/15243
tape players; audio and/or video amplifiers; virtual reality
machines; electronic game players; multimedia players; radios;
telephones; videophones; facsimile machines; robots; numericaIly
controlled machines including machine tools and the like; and
other devices containing one or more microcomputers and/or
microcontrollers and/or other CPUs, including those not yet in
existence.
Figure 8 shows an example of an electronic appliance 600.
This example of electronic appliance 600 includes a system bus
653. In this example, one or more conventional general purpose
central processing units ("CPUs") 654 are connected to bus 653.
Bus 653 connects CPU(s) 654 to RAM 656, ROM 658, and I/O
controller 660. One or more SPUs 500 may also be connected to
system bus 653. System bus 653 may permit SPU(s) 500 to
communicate with CPU(s) 654, and also mav allow both the
CPU(s) and the SPU(s) to communicate (e.g., over shared
address and data lines) with RAM 656, ROM 658 and 1/0
controller 660. A power supply 659 may provide power to SPU
500, CPU 654 and the other system components shown.
In the example shown, I/O controller 660 is connected to
secondary storage device 652, a keyboard/display 612,614, a
communications controller 666, and a backup storage device 668.
-191.
CA 02619962 2008-02-21
WO 98/092119 PCT/US97/15243
Backup storage device 668 may, for example, store information
on mass media such as a tape 670, a floppy disk, a removable
memory card, etc. Communications controller 666 may allow
electronic appliance 600 to communicate with other electronic
appliances via network 672 or other telecommunications li.nks.
Different electronic appliances 600 may interoperate even if they
use different CPUs and different instances of ROS 602, so long
as they typically use compatible communication protocols and/or
security methods. In this example, I/0 controller 660 permits
CPU 654 and SPU 500 to read from and write to secondary
storage 662, keyboard/display 612, 614, communications
controller 666, and backup storage device 668.
Secondary storage 662 may comprise the same one or
more non-secure secondary storage devices (such as a magnetic
disk and a CD-ROM drive as one example) that electronic
appliance 600 uses for general secondary storage functions. In
some implementations, part or all of secondary storage 652 may
comprise a secondary storage device(s) that is physically enclosed
within a secure enclosure. However, since it may not be practical
or cost-effective to physically secure secondary storage 652 in
many implementations, secondary storage 652 may be used to
store information in a secure manner by encrypting information
before storing it in secondary storage 652. If information is
- 192 -
CA 02619962 2008-02-21
WO 98/09209 PCT1US97115243
encrypted before it is stored, physical access to secondary storage
652 or its contents does not readily reveal or compromise the
information.
Secondary storage 652 in this example stores code and
data used by CPU 654 and/or SPU 500 to control the overall
operation of electronic appliance 600. For example, Figure 8
shows that "Rights Operating System" ("ROS") 602 (including a
portion 604 of ROS that provides VDE functions and a portion
606 that provides other OS functions) shown in Figure 7 may be
stored on secondary storage 652. Secondary storage 652 may
also store one or more VDE objects 300. Figure 8 also shows that
the secure files 610 shown in Figure 7 may be stored on
secondary storage 652 in the form of a "secure database" or
management file system 610. This secure database 610 may
store and organize information used by ROS 602 to perform VDE
functions 604. Thus, the code that is executed to perform VDE
and other OS functions 604, 606, and secure files 610 (as well as
VDE objects 300) associated with those functions may be stored
in secondary storage 652. Secondary storage 652 may also store
"other information" 673 such as, for example, information used
by other operating system functions 606 for task management,
' non-VDE files, etc. Portions of the elements indicated in
secondary storage 652 may al-so be stored in ROM 658, so long as
-193-
CA 02619962 2008-02-21
WO 98109209 PCT/[TS97/15243
those elements do not require changes (except when ROM 658 is
replaced). Portions of ROS 602 in particular may desirably be
included in ROM 658 (e.g., "bootstrap" routines, POST routines,
etc. for use in establishing an operating environment for
electronic appliance 600 when power is applied).
Figure 8 shows that secondary storage 652 may also be
used to store code ("application programs") providing user
application(s) 608 show-n in Figure 7. Figure 8 shows that there
may be two general types of application programs 608: "VDE
aware" applications 608a, and Non-VDE aware applications
608b. VDE aware applications 608a may have been at least in
part designed specifically with VDE 100 in mind to access and
take detailed advantage of VDE functions 604. Because of the
.15 "transparency" features of ROS 602, non-VDE aware
applications 608b (e.g., applications not specifically designed for
VDE 100) can also access and take advantage of VDE functions
604.
SECURE PROCESSING UNIT 500
Each VDE node or other electronic appliance 600 in the
preferred embodiment may include one or more SPUs 500. SPUs
500 may be used to perform all secure processing for VDE 100.
For example, SPU 500 is used for decrypting (or otherwise
-194-
CA 02619962 2008-02-21
WO 98/09209 PCT/US97/15243
unsecuring) VDE protected objects 300. It is also used for
managing encrypted and/or otherwise secured communication
(such as by employing authentication and/or error-correction
validation of information). SPU 500 may also perform secure
data management processes including governing usage of,
auditing of, and where appropriate, payment for VDE objects 300
(through the use of prepayments, credits, real-time electronic
debits from bank accounts and/or VDE node currency token
deposit accounts). SPU 500 may perform other transactions
related to such VDE objects 300.
SPU Physical Packaging and Security Barrier 502
As shown Figure 6, in the preferred embodiment, an SPU
500 may be implemented as a single integrated circuit "chip" 505
to provide a secure processing environment in which confidential
and/or commercially valuable information can be safely
processed, encrypted and/or decrypted. IC chip 505 may, for
example, comprise a small semiconductor "die" about the size of a
thumbnail. This semiconductor die may include semiconductor
and metal conductive pathways. These pathways define the
circuitry, and thus the functionality, of SPU 500. Some of these
pathways are electrically connected to the external "pins" 504 of
the chip 505.
-195-
CA 02619962 2008-02-21
WO 98/09209 pCT/US97/15243
As shown in Figures 6 and 9, SPU 500 may be surrounded
by a tamper-resistant hardware security barrier 502. Part of this
security barrier 502 is formed by a plastic or other package in
which an SPU "die" is encased. Because the processing occurring
within, and information stored by, SPU 500 are not easily
accessible to the outside world, they are relatively secure from
unauthorized access and tampering. All signals cross barrier
502 through a secure, controlled path provided by BIU 530 that
restricts the outside world's access to the internal components
within SPU 500. This secure, controlled path resists attempts
from the outside world to access secret information and resources
within SPU 500.
It is possible to remove the plastic package of an IC chip
and gain access to the "die." It is also possible to analyze and
"reverse engineer" the "die" itself (e.g., using various types of
logic analyzers and microprobes to collect and analyze signals on
the die while the circuitry is operating, using acid etching or
other techniques to remove semiconductor layers to expose other
layers, viewing and photographing the die using an electron
microscope, etc.) Although no system or circuit is absolutely
impervious to such attacks, SPU barrier 502 may include
additional hardware protections that make successful attacks
exceedingly costly and time consuming. For example, ion
-196-
CA 02619962 2008-02-21
WO 98/09209 PCT1U897/15243
implantation and/or other fabrication techniques may be used to
make it very difficult to visually discern SPU die conductive
pathways, and SPU internal circuitry may be fabricated in such
a way that it "self-destructs" when exposed to air andlor light.
SPU 500 may store secret information in internal memory that
loses its contents when power is lost. Circuitry may be
incorporated within SPU 500 that detects microprobing or other
tampering, and self-destructs (or destroys other parts of the
SPU) when tampering is detected. These and other hardware-
based physical security techniques contribute to tamper-
resistant hardware security barrier 502.
To increase the security of security barrier 502 even
further, it is possible to encase or include SPU 500 in one or
more further physical enclosures such as, for example: epoxy or
other "potting compound"; further module enclosures including
additional self-destruct, self-disabling or other features activated
when tampering is detected; further modules providing
additional security protections such as requiring password or
other authentication to operate; and the like. In addition,
further layers of metal may be added to the die to complicate
acid etching, micro probing, and the like; circuitry designed to
"zeroize" memory may be included as an aspect of self-destruct
processes; the plastic package itself may be designed to resist
-197-
CA 02619962 2008-02-21
WO 98/09289 PGTJUS97/15243
chemical as well as physical "attacks"; and memories internal to
SPU 500 may have specialized addressing and refresh circuitry
that "shuffles" the location of bits to complicate efforts to
electrically determine the value of memory locations. These and
other techniques may contribute to the security of barrier 502.
In some electronic appliances 600, SPU 500 may be
integrated together with the device microcontroller or equivalent
or with a device 1/0 or communications microcontroller into a
common chip (or chip set) 505. For example, in one preferred
embodiment, SPU 500 may be integrated together with one or
more other CPU(s) (e.g., a CPU 654 of an electronic appliance) in
a single component or package. The other CPU(s) 654 may be
any centrally controlling logic arrangement, such as for example,
a microprocessor, other microcontroller, and/or array or other
parallel processor. This integrated configuration may result in
lower overall cost, smaller overall size, and potentially faster
interaction between an SPU 500 and a CPU 654. Integration
may also provide wider distribution if an integrated SPU/CPU
component is a standard feature of a widely distributed
microprocessor line. Merging an SPU 500 into a main CPU 654
of an electronic appliance 600 (or into another appliance or
appliance peripheral microcomputer or other microcontroller)
may substantially reduce the overhead cost of implementing
- 198 -
CA 02619962 2008-02-21
WO 98/09209 PCT/US97115243
VDE 100. Integration considerations may include cost of
implementation, cost of manufacture, desired degree of security,
and value of compactness.
SPU 500 may also be integrated with devices other than
CPUs. For example, for video and multimedia applications, some
performance and/or security advantages (depending on overall
design) could result from integrating an SPU 500 into a video
controller chip or chipset. SPU 500 can also be integrated
directly into a network communications chip or chipset or the
like. Certain performance advantages in high speed
communications applications may also result from integrating an
SPU 500 with a modem chip or chipset. This may facilitate
incorporation of an SPU 500 into communication appliances such
as stand-alone fax machines. SPU 500 mav also be integrated
into other peripheral devices, such as CD-ROM devices, set-top
cable devices, game devices, and a wide variety of other
electronic appliances that use, allow access to, perform
transactions related to, or consume, distributed information.
SPU 500 Internal Architecture
Figure 9 is a detailed diagram of the internal structure
within an example of SPU 500. SPU 500 in this example
includes a single microprocessor 520 and a limited amount of
-199-
CA 02619962 2008-02-21
wo 98/09209 PCT/U597115243
memory configured as ROM 532 and RAM 534. In more detail,
this example of SPU 500 includes microprocessor 520, an
encrypt/decrypt engine 522, a DMA controller 526, a real-time
clock 528, a bus interface unit ('BIU") 530, a read only memory
(ROM) 532, a random access memory (RAM) 534, and a memory
management unit ("MMU") 540. DMA controller 526 and MMU
540 are optional, but the performance of SPU 500 may suffer if
they are not present. SPU 500 may also include an optional
pattem matching engine 524; an optional random number
generator 542, an optional arithmetic accelerator circuit 544, and
optional compression/decompression circuit 546. A shared
address/data bus arrangement 536 may transfer information
between these various components under control of
microprocessor 520 and/or DMA controller 526. Additional or
alternate dedicated paths 538 may connect microprocessor 520 to
the other components (e.g., encrypt/decrypt engine 522 via line
538a, real-time clock 528 via line 538b, bus interface unit 530 via
line 538c, DMA controller via line 538d, and memory
management unit (MMU) 540 via line 538e).
The following section discusses each of these SPU
components in more detail.
-200.
CA 02619962 2008-02-21
DE1~+~IANDES OU BREVETS VOLU1IIiNEUX
LA PRESENTE PA.RTIE DE CETTE DENLkNDE OU CE BREVETS
COMPREND PLUS D'UN TONIE.
CECI EST LE TONIE DE
NOTE: Poar les tomes additionels, veillez contacter te Bureau Canadien. des
Brevets.
JUT)YBO APPLICATIONS I PATENTS
THIS SECTION OF THE APPLICATTON / PATENT CONTAINS MORE
THAN ONE VOLUME.
THIS IS VOLUME ~ OF ~
NOTE: For additional volumes piease contact the Canadian Patent Office.
