

Page 1: [IEEE 2008 International Conference on Consumer Electronics (ICCE) - Las Vegas, NV, USA (2008.01.9-2008.01.13)] 2008 Digest of Technical Papers - International Conference on Consumer

9.1-4 A Model for Privacy Preserving Metering Service

Bo Gyeong Kang, Je Hong Park, Seung Chul Chae, and Seonman Kim, NonMember, IEEE

Abstract--In this paper, we propose a DRM system that protects users' privacy. The proposed system uses special protocols designed to preserve privacy through pseudonyms and an obfuscation mechanism. These provide different levels of control over metered data and personal identifiers, letting users express their preferences about privacy-sensitive information.

I. INTRODUCTION

In a DRM system, every purchase of contents is recorded by the service provider under the user's real identifier. Metering service for DRM makes this worse. A metering subscription is defined as a service in which the device returns detailed usage information to the license issuer for the purpose of royalty collection [1]. So, once a user agrees to a metering subscription, user preferences inferred from the metered data are delivered to service providers over various networks. Of course, knowing more about users' behavior and preferences helps in marketing, customized services and other value-added services derived from data mining. However, privacy fundamentalists and pragmatists tend to refuse customized or metering services that require private data representing their preferences. To date, the proposed solutions [3, 4, 5, 6] to remedy these negative aspects have focused mainly on the privacy violation that occurs while purchasing contents, and have used only anonymity-based approaches. Unfortunately, the anonymous approach by itself seems to have failed in industry, not only because of its complex implementation but also because of a lack of understanding of users' sensitivity to privacy problems. In this paper, we propose a new privacy preserving DRM system with metering service that achieves pseudonymity and gives the user control over his personal data.

The following requirements are derived to strengthen the privacy preserving properties.

R1. Instead of device identifiers, it should be possible to use pseudonyms as identifiers to obtain a valid license, so that users are relieved from being identified for each purchase of media contents.

R2. In some situations, it should be possible to trace the user's real identifier from his pseudonym. This matching should only happen when an appropriate authorized process is satisfied.

R3. Metered data should not be reported back to the servers without the user's consent.

R4. Granularity in the choice of which metered data to reveal should be provided.

II. PRIVACY PRESERVING DRM WITH METERING SERVICE

Our system meets the above requirements with four explicit entities: Pseudonym Authority, License Server, Payment Service and User Device. Fig. 1 describes the proposed system. The special protocols between the entities are explained as follows:

[Fig. 1 (figure not reproduced): the four entities Pseudonym Authority, License Server, Payment Service and User Device, with the labelled flows Generate Pseudonym, Pseudonym Credential (issued to the device), the credential validity query (3-1) from License Server to Pseudonym Authority, License (for Pseudonym) delivered to the device, Initiate Metering, and the device's Storage.]

Fig. 1 Overall Description

A. Protocols

1) Pseudonym Credential Issuing

First, the User Device registers with the Pseudonym Authority using its real identifier, and the pseudonym credential for the pseudonym and its corresponding keys is issued. There are two approaches, depending on the trust level placed in the Pseudonym Authority: the pseudonym is known to the Pseudonym Authority, or it is not. If the Pseudonym Authority acts as a trusted third party, it is much simpler for the License Server to check the validity of a pseudonym credential by querying the Pseudonym Authority, as in step (3-1) of Fig. 1. However, to achieve anonymity, the link between the issued pseudonym credential and its usage should be broken. Fortunately, there are several candidates for building an anonymous credential system, such as blind signatures, group signatures and oblivious transfer [1, 2]. In this paper, we use partially blind signatures [2] with a time or n-time usage limitation, which allow the signer to explicitly include common information in the blind signature.

2) License Acquisition Protocol

To issue a proper license for media contents, authentication through the pseudonym credential must first be completed. For this, the License Server checks the status of the credential by querying the Pseudonym Authority, or checks the time or n-time usage limitation. If the check passes, the License Server generates a license bound to the pseudonym and its corresponding key within the pseudonym credential. As soon as the protocol completes, the license is installed safely by the agent within the device.
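Protocols 1 and 2 above, carried through in code as an added example (this is not the paper's own implementation). A Chaum-style RSA blind signature stands in for the partially blind signature of [2]; the common information (a validity period `ci`) is made explicit by giving the Pseudonym Authority one key pair per `ci`, and the n-time usage limit is enforced by the License Server. The key sizes, hash-to-integer mapping, class and field names are all assumptions for the demo.

```python
"""Pseudonym credential issuing (protocol 1) and license acquisition (protocol 2).

Added example, not the paper's own code. Assumptions: a Chaum-style RSA blind
signature stands in for the partially blind signature of [2]; the common
information (validity period "ci") is made explicit by giving the Pseudonym
Authority one key pair per ci; the n-time usage limit is enforced by the
License Server. Toy 512-bit keys and a constructed hash-to-integer; demo only.
"""
import hashlib
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test (sufficient for a demo key)."""
    if n < 2:
        return False
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def h_int(data, n):
    """Constructed hash-to-integer for the signed message (SHA-256 mod n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class PseudonymAuthority:
    """Signs blinded pseudonyms; keeps one key per common-information value."""

    def __init__(self, common_infos):
        self.keys = {ci: rsa_keygen() for ci in common_infos}
        self.log = []  # what the authority sees: real id, ci and the *blinded* value only

    def public_key(self, ci):
        return self.keys[ci][0]

    def sign_blinded(self, real_id, ci, blinded):
        n, d = self.keys[ci][1]
        self.log.append((real_id, ci, blinded))
        return pow(blinded, d, n)


class UserDevice:
    def __init__(self, real_id):
        self.real_id = real_id

    def request_credential(self, pa, ci):
        """Blind a fresh pseudonym, have it signed, un-blind: credential issuing."""
        pseudonym = secrets.token_bytes(16)      # never shown to the authority
        n, e = pa.public_key(ci)
        m = h_int(pseudonym, n)
        r = 0
        while gcd(r, n) != 1:
            r = secrets.randbelow(n - 2) + 2     # blinding factor
        blinded = (m * pow(r, e, n)) % n
        sig = (pa.sign_blinded(self.real_id, ci, blinded) * pow(r, -1, n)) % n
        return {"pseudonym": pseudonym, "ci": ci, "sig": sig}


class LicenseServer:
    """Checks the credential and the n-time limit, then binds a license to the pseudonym."""

    def __init__(self, pa, limits):
        self.pa, self.limits, self.uses = pa, limits, {}  # limits: ci -> allowed uses

    def verify_credential(self, cred):
        if cred["ci"] not in self.limits:
            return False
        n, e = self.pa.public_key(cred["ci"])
        return pow(cred["sig"], e, n) == h_int(cred["pseudonym"], n)

    def acquire_license(self, cred, content_id):
        """Return a license bound to the pseudonym, or None if refused."""
        if not self.verify_credential(cred):
            return None
        key = (cred["pseudonym"], cred["ci"])
        if self.uses.get(key, 0) >= self.limits[cred["ci"]]:
            return None                          # n-time usage exhausted
        self.uses[key] = self.uses.get(key, 0) + 1
        return {"content": content_id, "bound_to": cred["pseudonym"].hex()}
```

The point to check is the unlinkability the text asks for: the authority's log holds only the blinded value, so it cannot match a credential later presented to the License Server against the real identifier it registered. The License Server needs only the authority's public key per `ci`, which is what lets it verify offline instead of querying step (3-1).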

3) Metering Report Procedure

The DRM agent residing in the User Device consumes contents according to the user's choice and records information about each rendering action. Then, the metered data is reported, in a form that varies with the user's preference, at a scheduled time.

1-4244-1459-8/08/$25.00 ©2008 IEEE

4) Bill Issuing Protocol

After a pre-agreed number of metering reports, a bill is delivered to the agent. A bill issued to the real identifier can be obtained using a partially blind signature scheme, in the same way as in the pseudonym credential issuing protocol. The agent then un-blinds the bill for payment.

5) Payment Protocol

The agent submits the un-blinded bill, pays it to the Payment Service and obtains a bill confirmation message. Later, the bill confirmation message is submitted to the Pseudonym Authority as evidence of valid behavior.

III. PRIVACY PRESERVING FRAMEWORK

[Fig. 2 (figure not reproduced): the agent framework with its modules License Manager (Installer, Updater, Install License, Save License), Pseudonym Manager, Metering Manager (Reporter, obfuscated metered data), User Policy Manager and Bill Manager, together with the Renderer, key handling and a Credentials Repository.]

Fig. 2 Privacy Preserving Agent Framework

Fig. 2 shows the DRM agent framework for the proposed system. It is composed of five modules, the License Manager, Pseudonym Manager, Metering Manager, User Policy Manager and Bill Manager, which manage and control pseudonyms, billing information and metered data. On license installation, the agent first checks whether the pseudonym specified in the license is among its own pseudonyms. If so, it starts the installation procedure for the license in the name of that pseudonym and then consumes the media contents using the key corresponding to the pseudonym. At the scheduled time for the metering report, the metered data is obfuscated according to the user's preference. The agent may delete or reduce the amount of stored metered data only after the payment confirmation message has been checked as valid. The confirmation message should be kept securely and later presented to the Pseudonym Authority as proof of legitimate usage and payment.

MID

CID    Genre #   Play   Copy   CD Burn   Time     Other Parameters
CID1   1         2      1      3         1h 20m   Other Parameters
CID2   2         1      3      0         2h 14m   Other Parameters
CID3   2         2      0      2         0h 30m   Other Parameters

Fig. 3 Example of Metered Data

A. User Preference Model

For R4, we propose the preference model in Fig. 4 for the leveled description of metered data. In terms of our model, the current metering subscription is expressed by the policy [MID, CID, level 3], where MID is an identifier for the metered data. If a user sets the policy [MID, Genre #, level 1], the total number of actions and the total time, regardless of action type, are counted per Genre #.

[Fig. 4 (figure not reproduced): the preference model, with the reported identifier on one axis (No identifier; Other Identifiable Metadata such as Genre #; CID) and the level of detail on the other:]

Level 0   No metering subscription
Level 1   Total # and time
Level 2   Sub Actions # and time
Level 3   Each Action # and time

Fig. 4 The Preference Model

Then the processed metered data derived from the original data in Fig. 3 becomes:

Genre 1 Action all. Counts 6. Time 1h 20m
Genre 2 Action all. Counts 8. Time 2h 44m

If [MID, No identifier, level 1] is chosen, then

No identifier Action all. Counts 14. Time 4h 04m

is reported. In this way, users can reflect their own preference for each MID, and only blurred metered data is delivered to the license issuer.
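The policy-driven blurring described in this subsection, written out as an added example (not code from the paper). The Fig. 3 records are re-encoded as constructed dicts, and `obfuscate` applies a policy [MID, identifier, level] from Fig. 4. Beyond what the paper states, the example assumes that "Time" is rendering time in minutes, that level 2 means per-action counts under the chosen identifier, and that level 3 is the full per-content record including its other parameters; the record field names and the "other" values are constructed.

```python
"""Level-based obfuscation of metered data by user policy.

Added example, not code from the paper. It re-encodes the Fig. 3 records as
constructed dicts and applies a user policy [MID, identifier, level] (Fig. 4).
Assumptions beyond the paper: "Time" is rendering time in minutes; level 2 is
read as per-action counts under the chosen identifier, level 3 as the full
per-content record including its other parameters.
"""

# Constructed re-encoding of Fig. 3 (1h 20m = 80 min, 2h 14m = 134 min, 0h 30m = 30 min);
# the "other" values are constructed stand-ins for "Other Parameters".
METERED = [
    {"CID": "CID1", "Genre": 1, "actions": {"Play": 2, "Copy": 1, "CD Burn": 3},
     "minutes": 80, "other": {"device": "player-A"}},
    {"CID": "CID2", "Genre": 2, "actions": {"Play": 1, "Copy": 3, "CD Burn": 0},
     "minutes": 134, "other": {"device": "player-A"}},
    {"CID": "CID3", "Genre": 2, "actions": {"Play": 2, "Copy": 0, "CD Burn": 2},
     "minutes": 30, "other": {"device": "player-B"}},
]

IDENTIFIERS = ("CID", "Genre", "No identifier")


def fmt_time(minutes):
    """80 -> '1h 20m'; 244 -> '4h 04m' (the paper's display format)."""
    return "%dh %02dm" % divmod(minutes, 60)


def group_key(record, identifier):
    """Label under which a record is reported for the chosen identifier."""
    if identifier == "No identifier":
        return "No identifier"
    if identifier == "CID":
        return record["CID"]
    return "Genre %d" % record["Genre"]


def obfuscate(records, policy):
    """Blur metered records according to policy [MID, identifier, level].

    Returns a list of report rows (dicts); an empty list means nothing leaves
    the device (level 0 = no metering subscription, i.e. no consent, R3).
    """
    mid, identifier, level = policy
    if level == 0:
        return []
    if identifier not in IDENTIFIERS or level not in (1, 2, 3):
        raise ValueError("unsupported policy %r" % (policy,))
    rows = {}  # insertion order keeps the rows in Fig. 3 order
    for rec in records:
        key = group_key(rec, identifier)
        row = rows.setdefault(key, {"MID": mid, "id": key, "counts": 0, "minutes": 0})
        row["counts"] += sum(rec["actions"].values())
        row["minutes"] += rec["minutes"]
        if level >= 2:  # sub-action detail: counts per action type
            acts = row.setdefault("actions", {})
            for action, n in rec["actions"].items():
                acts[action] = acts.get(action, 0) + n
        if level == 3:  # full detail: other parameters pass through unblurred
            row.setdefault("other", []).append(rec["other"])
    return list(rows.values())


def render(rows):
    """Report lines in the paper's form: '<id> Action all. Counts N. Time H'."""
    lines = []
    for row in rows:
        if "actions" not in row:
            lines.append("%s Action all. Counts %d. Time %s"
                         % (row["id"], row["counts"], fmt_time(row["minutes"])))
        else:
            detail = ", ".join("%s %d" % kv for kv in sorted(row["actions"].items()))
            lines.append("%s Actions %s. Counts %d. Time %s"
                         % (row["id"], detail, row["counts"], fmt_time(row["minutes"])))
    return lines
```

Running `render(obfuscate(METERED, ["MID", "Genre", 1]))` reproduces the two Genre lines given above, and `["MID", "No identifier", 1]` reproduces the single "No identifier" line; the level-0 branch is where the consent decision of R3 takes effect, since nothing is reported at all.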

IV. ANALYSIS

Our model satisfies the privacy requirements described in Section I. R1 is obtained directly by adopting a pseudonym credential system. For R2, time-limited or n-time usable credentials are used. As R3 states, a single unified consent does not seem to relieve users' concerns about privacy; hence, at the time of reporting metered data, a notification mechanism or a consent decider based on the user's pre-set policy should be provided. In addition, users can control the granularity of metered data through the user policy, which meets requirement R4.

V. CONCLUSION

In this paper, we propose a new privacy preserving DRM system that combines privacy preserving protocols based on pseudonyms with an obfuscation mechanism that defines a user policy over the preference model. Our model can be extended so that each user holds different privacy policies for different services. Research on a more detailed schema for the user policy is still in progress as further work.

REFERENCES

[1] M. Abe and T. Okamoto, "Provably secure partially blind signatures," Proc. of CRYPTO 2000, LNCS vol. 1880, pp. 271-286.

[2] J. Camenisch and A. Lysyanskaya, "Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation," Proc. of EUROCRYPT 2001, LNCS vol. 2045, pp. 93-118.

[3] C. Conrado, M. Petković and W. Jonker, "Privacy-preserving digital rights management," Proc. of SDM 2004, LNCS vol. 3178, pp. 83-99.

[4] R. Grimm and P. Aichroth, "Privacy protection for signed media files: A separation-of-duty approach to the lightweight DRM (LWDRM) system," Proc. of MM&Sec'04, 2004, pp. 93-99.

[5] B.N. Park, J.W. Kim and W. Lee, "PrecePt: A privacy-enhancing license management protocol for digital rights management," Proc. of AINA'04, 2004, pp. 574-579.

[6] H.-M. Sun, K.-H. Wang and C.-F. Hung, "Towards privacy preserving digital rights management using oblivious transfer," Manuscript, 2006. Available at df.