Secure personal content server

Abstract
A local content server system (LCS) for creating a secure environment for digital content is disclosed, which system comprises: a communications port in communication for connecting the LCS via a network to at least one Secure Electronic Content Distributor (SECD), which SECD is capable of storing a plurality of data sets, is capable of receiving a request to transfer at least one content data set, and is capable of transmitting the at least one content data set in a secured transmission; a rewritable storage medium whereby content received from outside the LCS may be stored and retrieved; a domain processor that imposes rules and procedures for content being transferred between the LCS and devices outside the LCS; and a programmable address module which can be programmed with an identification code uniquely associated with the LCS. The LCS is provided with rules and procedures for accepting and transmitting content data. Optionally, the system may further comprise: an interface to permit the LCS to communicate with one or more Satellite Units (SU) which may be connected to the system through the interface, which SUs are capable of receiving and transmitting digital content; at least one SU; and/or at least one SECD. The SECD may have a storage device for storing a plurality of data sets, as well as a transaction processor for validating the request to purchase and for processing payment for a request to retrieve one of the data sets. The SECD typically includes a security module for encrypting or otherwise securitizing data which the SECD may transmit.
Description
FIELD OF INVENTION

The present invention relates to the secure distribution of digitized value-added information, or media content, while preserving the ability of publishers to make available unsecured versions of the same value-added information, or media content, without adverse effect to the systems security.


Authentication, verification and authorization are all handled with a combination of cryptographic and steganographic protocols to achieve efficient, trusted, secure exchange of digital information.


BACKGROUND OF THE INVENTION

The music industry is at a critical inflection point. Digital technology enables anyone to make perfect replica copies of musical recordings from the comfort of their home, or as in some circumstances, in an offshore factory. Internet technology enables anyone to distribute these copies to their friends, or the entire world. Indeed, virtually any popular recording is already likely available in the MP3 format, for free if you know where to look.


How the industry will respond to these challenges and protect the rights and livelihoods of copyright owners and managers and has been a matter of increasing discussion, both in private industry forums and the public media. Security disasters like the cracking of DVD-Video's CSS security system have increased doubt about the potential for effective robust security implementations. Meanwhile, the success of non-secure initiatives such as portable MP3 players lead many to believe that these decisions may have already been made.


Music consumers have grown accustomed to copying their music for their own personal use. This fact of life was written into law in the United States via the Audio Home Recording Act of 1992. Millions of consumers have CD players and purchase music in the Compact Disc format. It is expected to take years for a format transition away from Red Book CD Audio to reach significant market penetration.


Hence, a need exists for a new and improved system for protecting digital content against unauthorized copying and distribution.


SUMMARY OF THE INVENTION

A local content server system (LCS) for creating a secure environment for digital content is disclosed, which system comprises: a communications port in communication for connecting the LCS via a network to at least one Secure Electronic Content Distributor (SECD), which SECD is capable of storing a plurality of data sets, is capable of receiving a request to transfer at least one content data set, and is capable of transmitting the at least one content data set in a secured transmission; a rewritable storage medium whereby content received from outside the LCS may be stored and retrieved; a domain processor that imposes rules and procedures for content being transferred between the LCS and devices outside the LCS; and a programmable address module which can be programmed with an identification code uniquely associated with the LCS. The LCS is provided with rules and procedures for accepting and transmitting content data. Optionally, the system may further comprise: an interface to permit the LCS to communicate with one or more Satellite Units (SU) which may be connected to the system through the interface, which SUs are capable of receiving and transmitting digital content; at least one SU; and/or at least one SECD. The SECD may have a storage device for storing a plurality of data sets, as well as a transaction processor for validating the request to purchase and for processing payment for a request to retrieve one of the data sets. The SECD typically includes a security module for encrypting or otherwise securitizing data which the SECD may transmit.


A method for creating a secure environment for digital content for a consumer is also disclosed. As part of the method, a LCS requests and receives a digital data set that may be encrypted or scrambled. The digital data set may be embedded with at least one robust open watermark, which permits the content to be authenticated. The digital data set is preferably be embedded with additional watermarks which are generated using information about the LCS requesting the copy and/or the SECD which provides the copy. Once received by the LCS, the LCS exercises control over the content and only releases the data to authorized users. Generally, the data is not released until the LCS embeds at least one additional watermark based upon protected information associated with the LCS and/or information associated with the user.


Another embodiment of the method of the present invention comprises: connecting a Satellite Unit to an local content server (LCS), sending a message indicating that the SU is requesting a copy of a content data set that is stored on the LCS, said message including information about the identity of the SU; analyzing the message to confirm that the SU is authorized to use the LCS; retrieving a copy of the requested content data set; assessing whether a secured connection exists between the LCS and the SU; if a secured connection exists, embedding a watermark into the copy of the requested content data set, said watermark being created based upon information transmitted by the SU and information about the LCS; and delivering the content data set to the SU for its use.


The SU may also request information that is located not on the LCS, but on an SECD, in which case, the LCS will request and obtain a copy from the SECD, provided the requesting SU is authorized to access the information.


Digital technology offers economies of scale to value-added data not possible with physical or tangible media distribution. The ability to digitize information both reduces the cost of copying and enables perfect copies. This is an advantage and a disadvantage to commercial publishers who must weigh the cost reduction against the real threat of unauthorized duplication of their value-added data content. Because cost reduction is an important business consideration, securing payment and authenticating individual copies of digital information (such as media content) presents unique opportunities to information service and media content providers. The present invention seeks to leverage the benefits of digital distribution to consumers and publishers alike, while ensuring the development and persistence of trust between all parties, as well as with any third parties involved, directly or indirectly, in a given transaction.


In another approach that is related to this goal, there are instances where transactions must be allowed to happen after perceptually-based digital information can be authenticated. (Perceptually based information is information whose value is in large part, based upon its ability to be perceived by a human, and includes for example, acoustic, psychoacoustic, visual and psychovisual information.) The process of authenticating before distributing will become increasingly important for areas where the distributed material is related to a trust-requiring transaction event. A number of examples exist. These include virtual retailers (for example, an on-line music store selling CDs and electronic versions of songs); service providers (for example, an on-line bank or broker who performs transactions on behalf of a consumer); and transaction providers (for example, wholesalers or auction houses). These parties have different authentication interests and requirements. By using the teachings of this application, these interests and requirements may be separated and then independently quantified by market participants in shorter periods of time.


All parties in a transaction must authenticate information that is perceptually observable before trust between the parties can be established. In today's world, information (including perceptually rich information) is typically digitized, and as a result, can easily be copied and redistributed, negatively impacting buyers, sellers and other market participants. Unauthorized redistribution confuses authenticity, non-repudiation, limit of ability and other important “transaction events.” In a networked environment, transactions and interactions occur over a transmission line or a network, with buyer and seller at different points on the line or network. While such electronic transactions have the potential to add value to the underlying information being bought and sold (and the potential to reduce the cost of the transaction), instantaneous piracy can significantly reduce the value of the underlying data, if not wholly destroy it. Even the threat of piracy tends to undermine the value of the data that might otherwise exist for such an electronic transaction.


Related situations range from the ability to provably establish the “existence” of a virtual financial institution to determining the reliability of an “electronic stamp.” The present invention seeks to improve on the prior art by describing optimal combinations of cryptographic and steganographic protocols for “trusted” verification, confidence and non-repudiation of digitized representations of perceptually rich information of the actual seller, vendor or other associated institutions which may not be commercial in nature (confidence building with logo's such as the SEC, FDIC, Federal Reserve, FBI, etc. apply). To the extent that an entity plays a role in purchase decisions made by a consumer of goods and services relating to data, the present invention has a wide range of beneficial applications. One is enabling independent trust based on real world representations that are not physically available to a consumer or user. A second is the ability to match informational needs between buyers and sellers that may not be universally appealing or cost effective in given market situations. These include auction models based on recognition of the interests or demand of consumers and market participants which make trading profitable by focusing specialized buyers and sellers. Another use for the information matching is to establish limits on the liability of such institutions and profit-seeking entities, such as insurance providers or credit companies. These vendors lack appropriate tools for determining intangible asset risk or even the value of the information being exchanged. By encouraging separate and distinct “trust” arrangements over an electronic network, profitable market-based relationships can result.


The present invention can make possible efficient and openly accessible markets for tradable information. Existing transaction security (including on-line credit cards, electronic cash or its equivalents, electronic wallets, electronic tokens, etc.) which primarily use cryptographic techniques to secure a transmission channel—but are not directly associated or dependent on the information being sold—fails to meet this valuable need. The present invention proposes a departure from the prior art by separating transactions from authentication in the sale of digitized data. Such data may include videos, songs, images, electronic stamps, electronic trademarks, and electronic logos used to ensure membership in some institutional body whose purpose is to assist in a dispute, limit liability and provide indirect guidance to consumers and market participants, alike.


With an increasingly anonymous marketplace, the present invention offers invaluable embodiments to accomplish “trusted” transactions in a more flexible, transparent manner while enabling market participants to negotiate terms and conditions. Negotiation may be driven by predetermined usage rules or parameters, especially as the information economy offers potentially many competitive marketplaces in which to transact, trade or exchange among businesses and consumers. As information grows exponentially, flexibility becomes an advantage to market participants, in that they need to screen, filter and verify information before making a transaction decision. Moreover, the accuracy and speed at which decisions can be made reliably enables confidence to grow with an aggregate of “trusted transactions”. “Trusted transactions” beget further “trusted transactions” through experience. The present invention also provides for improvements over the prior art in the ability to utilize different independently important “modules” to enable a “trusted transaction” using competitive cryptographic and steganographic elements, as well as being able to support a wide variety of perceptually-based media and information formats. The envisioned system is not bound by a proprietary means of creating recognition for a good or service, such as that embodied in existing closed system. Instead, the flexibility of the present invention will enable a greater and more diverse information marketplace.


The present invention is not a “trusted system”, per se, but “trusted transactions” are enabled, since the same value-added information that is sought may still be in the clear, not in a protected storage area or closed, rule-based “inaccessible virtual environment”.


A related additional set of embodiments regards the further separation of the transaction and the consumer's identification versus the identification of the transaction only. This is accomplished through separated “trusted transactions” bound by authentication, verification and authorization in a transparent manner. With these embodiments, consumer and vendor privacy could be incorporated. More sophisticated relationships are anticipated between parties, who can mix information about their physical goods and services with a transparent means for consumers, who may not be known to the seller, who choose not to confide in an inherently closed “trusted system” or provide additional personal information or purchasing information (in the form of a credit card or other electronic payment system), in advance of an actual purchase decision or ability to observe (audibly or visibly) the content in the clear. This dynamic is inconsistent with the prior art's emphasis on access control, not transparent access to value-added information (in the form or goods or services), that can be transacted on an electronic or otherwise anonymous exchange.


These embodiments may include decisions about availability of a particular good or service through electronic means, such as the Internet, or means that can be modularized to conduct a transaction based on interconnection of various users (such as WebTV, a Nintendo or Sony game console with network abilities, cellular phone, PalmPilot, etc.). These embodiments may additionally be implemented in traditional auction types (including Dutch auctions). Consumers may view their anonymous marketplace transactions very differently because of a lack of physical human interactions, but the present invention can enable realistic transactions to occur by maintaining open access and offering strict authentication and verification of the information being traded. This has the effect of allowing legacy relationships, legacy information, and legacy business models to be offered in a manner which more closely reflects many observable transactions in the physical world. The tremendous benefits to sellers and consumers is obvious; existing transactions need not reduce their expectations of security. As well, the ability to isolate and quantify aspects of a transaction by module potentially allows for better price determinations of intangible asset insurance, transaction costs, advertising costs, liability, etc. which have physical world precedent.


It is contemplated that the publisher and/or owner of the copyrights will want to dictate restrictions on the ability of the purchaser to use the data being sold. Such restrictions can be implemented through the present invention, which presents a significant advantage over the prior art (which attempts to effect security through access control and attempted tight reigns over distribution). See U.S. Pat. No. 5,428,606 for a discussion on democratizing digital information exchange between publishers and subscribers of said information.


A goal for providers of value-added content is to maximize profits for the sale of their content. Marketing and promotion of the informational content cannot be eliminated, considering the ever-increasing amount of information vying for consumers and other market participant's attention. Nonetheless, in a market where the goods are speculatively valued, marketing budgets are inherently constrained, as you are trying to create demand for a product with little inherent value. Where such markets have participants, both buyers and sellers and their respective agents, with access to the same information in real time, market mechanisms efficiently price the market goods or services. These markets are characterized by “price commoditization” so buyers and sellers are limited to differentiating their offerings by selection and service. If the markets are about information itself, it has proven more difficult to accurately forecast the target price where sellers can maximize their profits. Quality and quantity provide different evaluation criteria of selection and service relating to the information being traded. The present invention regards a particular set of implementations of value-added content security in markets which may include unsecured and secure versions of the same value-added data (such as songs, video, research, pictures, electronic logos, electronic trademarks, value-added information, etc.).


Transactions for value-added information can occur without any physical location. So, there is a need for a secure personal content server for which the value added information can be offered for transactions in a manner similar to real world transactions. One feature is to offer seemingly similar value added information in differing quality settings. These settings have logical relationships with fidelity and discreteness and are determined by market participants. Another issue is that because purchasers may be anonymous to sellers, it is more important to have a particular value-added information object available so that market participants can fulfill their role are consumers.


One fundamental weakness of current information markets is the lack of mechanisms to ensure that buyers and sellers can reach pricing equilibrium. This deficit is related to the “speculative”, “fashion”, and “vanity” aspects of perceptual content (such as music, video, and art or some future recognition to purchasers). For other goods and services being marketed to an anonymous marketplace, market participants may never see (and indeed, may choose to never see, an actual location where the transaction may physically occur. A physical location may simply not exist. There are a number of such virtual operations in business today, which would benefit from the improvements offered under the present system.


The present invention also seeks to provide improvements to the art in enabling a realistic model for building trust between parties (or their agents) not in a “system”, per se. Because prior art systems lack any inherent ability to allow for information to flow freely to enable buyers and sellers to react to changing market conditions. The present invention can co-exist with these “trusted systems” to the extent that all market participants in a given industry have relatively similar information with which to price value-added data. The improvement over such systems, however, addresses a core features in most data-added value markets: predictions, forecasts, and speculation over the value of information is largely an unsuccessful activity for buyers and sellers alike. The additional improvement is the ability to maintain security even with unsecured or legacy versions of value-added information available to those who seek choices that fit less quantitative criteria—“aesthetic quality” of the information versus “commercial price”. Purchase or transaction decisions can be made first by authenticating an electronic version of a song, image, video, trademark, stamp, currency, etc.


Additional anticipated improvements include the ability to support varying pricing models such as auctions that are difficult or impossible to accomplish under existing prior art that leaves all access and pricing control with the seller alone, and the separation of the transaction from the exchange of the value-added information, which gives more control to buyers over their identities and purchasing habits, (both sensitive and separately distinct forms of “unrelated” value-added information). Essentially, no system known in the art allows for realistic protocols to establish trust between buyers and sellers in a manner more closely reflecting actual purchasing behavior of consumers and changing selling behavior of sellers. The goal in such transactions is the creation of trust between parties as well as “trusted relationships” with those parties. The present invention is an example of one such system for media content where the “aesthetic” or “gestalt” of the underlying content and its characteristics is a component of buying habits. Without an ability to open distribution systems to varying buyers and sellers, media content may be priced at less than maximum economic value and buyers may be deprived of a competitive, vigorous marketplace for exciting media content from many different creative participants.


To the extent that recognition plays such a key role in an information economy, value-added data should be as accessible as possible to the highest number of market participants in the interests of furthering creativity and building a competitive marketplace for related goods and services. This is to the benefit of both buyers and sellers as well as the other participants in such an economic ecosystem. The Internet and other transmission-based transactions with unknown parties presents a number of challenges to information vendors who wish to develop customer relations, trust and profitable sales. The information economy is largely an anonymous marketplace, thus, making it much more difficult to identify consumers and sellers. The present invention provides remedies to help overcome these weaknesses.


The present invention is concerned with methods and systems which enable secure, paid exchange of value-added information, while separating transaction protocols. The present invention improves on existing means for distribution control by relying on authentication, verification and authorization that may be flexibly determined by both buyers and sellers. These determinations may not need to be predetermined, although pricing matrix and variable access to the information opens additional advantages over the prior art. The present invention offers methods and protocols for ensuring value-added information distribution can be used to facilitate trust in a large or relatively anonymous marketplace (such as the Internet's World Wide Web).


We now define components of the preferred embodiments for methods, systems, and devices.


DEFINITIONS

Local Content Server (LCS): A device or software application which can securely store a collection of value-added digital content. The LCS has a unique ID.


Secure Electronic Content Distributor (SECD): An entity, device or software application which can validate a transaction with a LCS, process a payment, and deliver digital content securely to a LCS. In cryptographic terms, the SECD acts as a “certification authority” or its equivalent. SECDs may have differing arrangements with consumers and providers of value-added information. (The term “content” is used to refer generally to digital data, and may comprise video, audio, or any other data that is stored in a digital format).


Satellite Unit (SU): A portable medium or device which can accept secure digital content from a LCS through a physical, local connection and which can either play or make playable the digital content. The SU may have other functionality as it relates to manipulating the content, such as recording. The SU has a unique ID. An SU may be a CD player, a video camera, a backup drive, or other electronic device which has a storage unit for digital data.


LCS Domain: A secure medium or area where digital content can be stored, with an accompanying rule system for transfer of digital content in and out of the LCS Domain. The domain may be a single device or multiple devices—all of which have some common ownership or control. Preferably, a LCS domain is linked to a single purchasing account. Inside the domain, one can enjoy music or other digital data without substantial limitations—as typically a license extends to all personal use.


SecureChannel™: A secure channel to pass individualized content to differentiate authentic content from legacy or unauthorized, pirated content. For example, the Secure Channel may be used as an auxiliary channel through which members of the production and distribution chain may communicate directly with individual consumers. Preferably, the Secure Channel is never exposed and can only be accessed through legitimate methods. SecureChannel may carry a value-adding component (VAC). The ability to provide consumers with value adding features will serve to give consumers an incentive to purchase new, secure hardware and software that can provide the additional enhanced services. The SecureChannel may also include protected associated data (“PAD”)—data which is associated with a user and/or a particular set of content.


Standard Quality: A transfer path into the LCS Domain which maintains the digital content at a predetermined reference level or degrades the content if it is at a higher quality level. In an audio implementation, this might be defined as Red Book CD Quality (44100 Hz., 16 bits, 2 channels). This transfer path can alternately be defined in terms of a subset of VAC's or a quality level associated with particular VAC's. If a VAC is not in the subset, it is not passed. If a VAC is above the defined quality level, it is degraded.


Low Quality: A transfer path into the LCS Domain which degrades the digital content to a sub-reference level. In an audio implementation, this might be defined as below CD Quality (for instance, 32000 Hz., 16 bits, 2 channels). This transfer path can alternately be defined in terms of an absence of VAC's or a degraded quality level associated with particular VAC's.


High Quality: A transfer path into the LCS Domain which allows digital content of any quality level to pass unaltered. This transfer path can alternately be defined in terms of a complete set of VAC's or the highest quality level available associated with particular VAC's.


Rewritable Media: An mass storage device which can be rewritten (e.g. hard drive, CD-RW, Zip cartridge, M-O drive, etc. . . . ).


Read-Only Media: A mass storage device which can only be written once (e.g. CD-ROM, CD-R, DVD, DVD-R, etc. . . . ). Note: pre-recorded music, video, software, or images, etc. are all “read only” media.


Unique ID: A Unique ID is created for a particular transaction and is unique to that transaction (roughly analogous to a human fingerprint). One way to generate a Unique ID is with a one-way hash function. Another way is by incorporating the hash result with a message into a signing algorithm will create a signature scheme. For example, the hash result may be concatenated to the digitized, value added information which is the subject of a transaction. Additional uniqueness may be observed in a hardware device so as to differentiate that device, which may be used in a plurality of transactions, from other similar devices.


Value-added: Value-added information is differentiated from non-commoditized information in terms of its marketability or demand, which can vary, obviously, from each market that is created for the information. By way of example, information in the abstract has no value until a market is created for the information (i.e., the information becomes a commodity). The same information can be packaged in many different forms, each of which may have different values. Because information is easily digitized, one way to package the “same” information differently is by different levels of fidelity and discreteness. Value is typically bounded by context and consideration.


Authentication: A receiver of a “message” (embedded or otherwise within the value-added information) should be able to ascertain the original of the message (or by effects, the origin of the carrier within which the message is stored). An intruder should not be able to successfully represent someone else. Additional functionality such as Message Authentication Codes (MAC) could be incorporated (a one-way hash function with a secret key) to ensure limited verification or subsequent processing of value-added data.


Verification: In cryptographic terms, “verification” serves the “integrity” function to prevent an intruder from substituting false messages for legitimate ones. In this sense, the receiver of the message (embedded or otherwise present within the value-added information) should be assured that the message was not modified or altered in transit.


One-way hash function: One-way hash functions are known in the art. A hash function is a function which converts an input into an output, which is usually a fixed-sized output. For example, a simple hash function may be a function which accepts a digital stream of bytes and returns a byte consisting of the XOR function of all of the bytes in the digital stream of input data. Roughly speaking, the hash function may be used to generate a “fingerprint” for the input data. The hash function need not be chosen based on the characteristics of the input. Moreover, the output produced by the hash function (i.e., the “hash”) need not be secret, because in most instances it is not computationally feasible to reconstruct the input which yielded the hash. This is especially true for a “one-way” hash function—one that can be used to generate a hash value for a given input string, but which hash cannot be used (at least, not without great effort) to create an input string that could generate the same hash value.


Authorization: A term which is used broadly to cover the acts of conveying official sanction, permitting access or granting legal power to an entity.


Encryption: For non digitally-sampled data, encryption is data scrambling using keys. For value-added or information rich data with content characteristics, encryption is typically slow or inefficient because content file sizes tend to be generally large. Encrypted data is called “ciphertext”.


Scrambling: For digitally-sampled data, scrambling refers to manipulations of the value-added or information rich data at the inherent granularity of the file format. The manipulations are associated with a key, which may be made cryptographically secure or broken into key pairs. Scrambling is efficient for larger media files and can be used to provide content in less than commercially viable or referenced quality levels. Scrambling is not as secure as encryption for these applications, but provides more fitting manipulation of media rich content in the context of secured distribution. Scrambled data is also called “ciphertext” for the purposes of this invention. Encryption generally acts on the data as a whole, whereas scrambling is applied often to a particular subset of the data concerned with the granularity of the data, for instance the file formatting. The result is that a smaller amount of data is “encoded” or “processed” versus strict encryption, where all of the data is “encoded” or “processed.” By way of example, a cable TV signal can be scrambled by altering the signal which provides for horizontal and vertical tracking, which would alter only a subset of the data, but not all of the data—which is why the audio signal is often untouched. Encryption, however, would generally so alter the data that no recognizable signal would be perceptually appreciated. Further, the scrambled data can be compared with the unscrambled data to yield the scrambling key. The difference with encryption is that the ciphertext is not completely random, that is, the scrambled data is still perceptible albeit in a lessened quality. Unlike watermarking, which maps a change to the data set, scrambling is a transfer function which does not alter or modify the data set.


DETAILED DISCUSSION OF INVENTION

The LCS Domain is a logical area inside which a set of rules governing content use can be strictly enforced. The exact rules can vary between implementations, but in general, unrestricted access to the content inside the LCS Domain is disallowed. The LCS Domain has a set of paths which allow content to enter the domain under different circumstances. The LCS Domain also has paths which allow the content to exit the domain.


A simple example provides insight into the scope of an LCS domain. If an LCS is assigned to an individual, then all music, video, and other content data which has lawfully issued to the individual may be freely used on that persons LCS domain (though perhaps “freely” is misleading, as in theory, the individual has purchased a license). A LCS Domain may comprise multiple SUs, for example, a video player, a CD player, etc. An individual may be authorized to take a copy of a song and play it in another's car stereo, but only while the individual's device or media is present. Once the device is removed, the friend's LCS will no longer have a copy of the music to play.


The act of entering the LCS Domain includes a verification of the content (an authentication check). Depending upon the source of the content, such verification may be easier or harder. Unvalidateable content will be subjected to a quality degradation. Content that can be validated but which belongs to a different LCS Domain will be excluded. The primary purpose of the validation is to prevent unauthorized, high-quality, sharing of content between domains.


When content leaves the LCS Domain, the exiting content is embedded with information to uniquely identify the exiting content as belonging to the domain from which the content is leaving. It is allowed to leave at the quality level at which the content was originally stored in the LCS Domain (i.e. the quality level determined by the validation path). For example, the exiting content may include an embedded digital watermark and an attached hash or digital signature; the exiting content may also include a time stamp—which itself may be embedded or merely attached). Once it has exited, the content cannot return to the domain unless both the watermark and hash can be verified as belonging to this domain. The presence of one or the other may be sufficient to allow re-entry, or security can be set to require the presence of more than one identification signal.


This system is designed to allow a certifiable level of security for high-quality content while allowing a device to also be usable with unsecured content at a degraded quality level. The security measures are designed such that a removal of the watermark constitutes only a partial failure of the system. The altered content (i.e., the content from which the watermark has been removed or the content in which the watermark has been degraded) will be allowed back into the LCS Domain, but only at a degraded quality level, a result of the watermark destruction and subsequent obscurity to the system, consumers will not be affected to the extent that the unauthorized content has only been degraded, but access has not been denied to the content. Only a complete forgery of a cryptographically-secure watermark will constitute a complete failure of the system. For a discussion on such implementations please see U.S. Pat. No. 5,613,004, U.S. Pat. No. 5,687,236, U.S. Pat. No. 5,745,569, U.S. Pat. No. 5,822,432, U.S. Pat. No. 5,889,868, U.S. Pat. No. 5,905,800, included by reference in their entirety and pending U.S. patent applications with Ser. No. 09/046,627 “Method for Combining Transfer Function . . . ” (issued as U.S. Pat. No. 6,598,162), Ser. No. 09/053,628 “Multiple Transform Utilization and Application for Secure Digital Watermarking” (issued as U.S. Pat. No. 6,205,249), Ser. No. 08/775,216 “Steganographic Method and Device” (issued as U.S. Pat. No. 5,687,236), Ser. No. 08/772,222 “Z-Transform Implementation . . . ” (issued as U.S. Pat. No. 6,078,664), Ser. No. 60/125,990 “Utilizing Data Reduction in Steganographic and Cryptographic Systems” which corresponds to U.S. patent application Ser. No. 09/594,719, filed Jun. 16, 2000, entitled “Utilizing Data Reduction in Steganographic and Cryptographic Systems” (issued as U.S. Pat. No. 7,123,718).


Provable security protocols can minimize this risk. Thus the embedding system used to place the watermark does not need to be optimized for robustness, only for imperceptibility (important to publishers and consumers alike) and security (more important to publishers than to consumers). Ideally, as previously disclosed, security should not obscure the content, or prevent market participants from accessing information, which in the long term, should help develop trust or create relationships.


The system can flexibly support one or more “robust” watermarks as a method for screening content to speed processing. Final validation, however, relies upon the fragile, secure watermark and its hash or digital signature (a secure time stamp may also be incorporated). Fragile watermarks, meaning that signal manipulations would affect the watermark, may be included as a means to affect the quality of the content or any additional attributes intended to be delivered to the consumer.


LCS Functions


The LCS provides storage for content, authentication of content, enforcement of export rules, and watermarking and hashing of exported content. Stored content may be on an accessible rewritable medium, but it must be stored as ciphertext (encrypted or scrambled), not plain text, to prevent system-level extraction of the content. This is in contrast to the prior art which affix or otherwise attach meta-data to the content for access control by the variously proposed systems.


Typically, an LCS receives secured data from one or more SECDs. The SECD transfers content only after it has been secured. For example, the SECD may use an individualized cryptographic container to protect music content while in transit. Such a container may use public/private key cryptography, ciphering and/or compression, if desired.


The LCS may be able to receive content from a SECD, and must be able to authenticate content received via any of the plurality of implemented paths. The LCS must monitor and enforce any rules that accompany received content, such as number of available copies. Finally, it is preferred for the LCS to watermark all exported material (with the exception of Path 6—see below) and supply a hash made from the unique ID of the LCS and the content characteristics (so as to be maintained perceptually within the information and increase the level of security of the watermark).


SU Functions


The SU enables the content to be usable away from the LCS. The SU is partially within the LCS Domain. A protocol must exist for the SU and LCS to authenticate any connection made between them. This connection can have various levels of confidence set by the level of security between the SU and LCS and determinable by a certification authority or its equivalent, an authorized site for the content, for example. The transfer of content from the SU to the LCS without watermarking is allowed. However, all content leaving the SU must be watermarked. Preferably, the SU watermark contains a hash generated from the SU's Unique ID and the content characteristics of the content being transferred. If the content came from a LCS, the SU watermark must also be generated based, in part, upon the hash received from the LCS. The LCS and SU watermarking procedures do not need to be the same. However, the LCS must be able to read the SU watermarks for all different types of SU's with which it can connect. The SU does not need to be able to read any LCS watermarks. Each LCS and SU must have separate Unique IDs.


Sample Embodiment





BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, the objects and advantages thereof, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:



FIG. 1 shows in block diagram form a system for one embodiment of an LCS, showing the possible paths for content to enter and exit the system.



FIG. 2 is flow diagram illustrating the functions performed by the LCS of FIG. 1 when content enters the LCS Domain from the rewritable media.



FIG. 3 is flow diagram illustrating the functions performed by the LCS of FIG. 1 when content enters the LCS Domain from the read-only media.



FIG. 4 is flow diagram illustrating the functions performed by the LCS of FIG. 1 when content enters the LCS Domain from the satellite unit.



FIG. 5 is flow diagram illustrating the functions performed by the LCS of FIG. 1 when content leaves the LCS Domain.



FIG. 6 is flow diagram illustrating the functions performed by the LCS of FIG. 1 when content leaves the LCS Domain from the read-only media.



FIG. 7 is flow diagram illustrating the functions performed by the LCS of FIG. 1 when content leaves the SU to a receiver other than the LCS.





DETAILED DESCRIPTION OF THE INVENTION

The preferred embodiment of the present invention and its advantages are best understood by referring to FIGS. 1 through 7 of the drawings, like numerals being used for like and corresponding parts of the various drawings.



FIG. 1 is a block diagram showing the components of a sample LCS system and showing the possible paths for content to enter and leave the LCS. In the embodiment of FIG. 1, the LCS is a general purpose computing device such as a PC with software loaded to emulate the functions of a LCS. The LCS of FIG. 1 has a Rewritable media (such as a hard drive), a Read-Only media (such as a CD-ROM drive), and software to control access (which software, in effect, defines the “LCS Domain”). The Secure Electronic Content Distributor (SECD) is connected via a network (such as the Internet, intranet, cable, satellite link, cellular communications network, or other commonly accepted network). The Satellite Unite (SU) is a portable player which connects to the LCS and/or to other players where applicable (for example by way of a serial interface, USB, IEEE 1394, infrared, or other commonly used interface protocol). FIG. 1 also identifies seven (7) path ways.


Path 1 depicts a secure distribution of digital content from a SECD to a LCS. The content can be secured during the transmission using one or more ‘security protocols’ (e.g., encryption or scrambling). Moreover, a single LCS may have the capability to receive content transmissions from multiple SECDs, and each SECD may use the same security protocols or different security protocols. In the context of FIG. 1, however, only a single SECD is displayed. It is also contemplated that the same SECD may periodically or randomly use different security protocols. A typical security protocol uses an asymmetric cryptographic system, an example being a public key cryptography system where private and public key pairs allow the LCS to authenticate and accept the received content. Another security protocol may involve the ability to authenticate the received content using a signature scheme.


In FIG. 2, content enters the LCS Domain from the rewritable media (such as a hard drive). This communication path is identified as Path 2 on FIG. 1. The LCS Domain analyzes the content to determine if a watermark is present in the content. If no watermark is present, then the quality of the content is downgraded to Low Quality before it is stored in the LCS Storage. If a watermark is present, then the watermark is extracted and compared with the watermark of the LCS in order to determine if a match exists. In the event of a match, the content is permitted to be stored on the LCS Storage at the same level of quality which the content entered the LCS Domain. Optionally, if a watermark is present, the hash may be checked as further verification; and if the hash matches, the content is allowed in at High Quality. If it does not match, the content is rejected. If the extracted watermark does not match the expected watermark, then the content is denied access to the LCS Storage (i.e., the content is rejected).


In FIG. 3, content enters the LCS Domain from the Read-Only media. This communication path is identified as Path 3 on FIG. 1. The LCS Domain analyzes the content to determine if a watermark is present in the content. If no watermark is present, then the LCS attempts to further analyze the content using other methods (i.e., other than watermarking) to try and verify the content for originality. If the content cannot be verified or is deemed to have been altered, then the content is downgraded to Standard Quality (or even Low Quality) before it is stored in the LCS Storage. If a watermark is present, then the watermark is extracted and compared with the watermark of the LCS in order to determine if a match exists. In the event of a match, or in the event that the content is verified by means other than the watermark, the content is permitted to be stored on the LCS Storage at the same level of quality which the content entered the LCS Domain (which is likely to be High Quality). For example, the Read-Only media may also contain a media-based identifier which verifies the content as an original, as opposed to a copy—and hence, a non-watermark method may be used to verify authenticity.


Optionally, even in the event of a watermark match, a hash may be checked as further verification; and if the hash matches, the content is allowed in at High Quality, but if there is no match, the content is rejected. If the extracted watermark does not match the expected watermark, or if the LCS is unable to identify any other method for verifying the content's authenticity, then the content may be denied access to the LCS Storage (i.e., the content may be rejected), or if preferred by the user, the content may be permitted into the system at a degraded quality level. It is the user's prerogative to decide how the system will treat non-authenticated content, as well as legacy content.


In FIG. 4, content enters the LCS Domain from the satellite unit. This communication path is identified as Path 4 on FIG. 1. Content from an SU is marked with an SU watermark before exiting the SU. The LCS analyzes the content from the SU for watermarks, and in particular to determine if there is a watermark that matches that of the LCS. If the watermarks match, the content is permitted access to the LCS at the highest quality level. If there is a mismatch, then the content is denied access (i.e., the content is rejected). If the content does not contain a watermark, the quality is downgraded to Low Quality before permitting access to the LCS. Optionally, even in the event of a watermark match, a hash may be checked as further verification; and access at the highest quality level may depend upon both a match in watermarks and a match in hashes.


In FIG. 5, content is shown leaving the LCS Domain. This communication path is identified as Path 5 on FIG. 1. Content is retrieved from the LCS storage and then the content may be watermarked with a watermark that is unique to the LCS (for example, one that is based upon the LCS's Unique ID). Optionally, a hash may be attached to the watermarked content, and/or the hash may be embedded as part of the watermark. If an external hash is used, preferably, for security purposes, the external hash should be created in a different manner from the embedded, watermark hash. Optionally, other information may be included in the watermark, for example, information to specify a time stamp, the number of allowable copies, etc. After watermarking, the content may be permitted to exit the LCS Domain, and may be exported to a device outside the LCS Domain, including for example, a rewritable media, a viewer, player, or other receiver.


In FIG. 6, content is shown leaving the LCS Domain. This communication path is identified as Path 6 on FIG. 1. This path is similar to Path 5, with a few important differences. The output receiver is an SU, and because the receiver is an SU, the content may leave the LCS without being watermarked. Path 6 requires a secure protocol to determine that the receiver is in fact an SU. Once the path is verified, the content can be exported without a watermark. The LCS may optionally transmit the content together with a hash value which will be uniquely associated with the content.


In FIG. 7, content is shown leaving the SU, to a receiver other than the LCS. This communication path is identified as Path 7 on FIG. 1. Content is retrieved from the SU storage and then the content may be watermarked with a watermark that is unique to the SU (for example, one that is based upon the SU's Unique ID). Optionally, a hash may be attached to the watermarked content, and/or the hash may be embedded as part of the watermark. If an external hash is used, preferably, for security purposes, the external hash should be created in a different manner from the embedded, watermark hash. Optionally, other information may be included in the watermark, for example, information to specify a time stamp, the number of allowable copies, etc., and may even include the hash which the LCS attached to the content After watermarking, the content may be permitted to exit the SU, and may be exported to a device other than the LCS, including for example, a rewritable media, a viewer, player, or other receiver. The quality level of the content leaving the LCS is generally the same quality level as that of the content when stored internally to the LCS.


The system of the present invention is utilized to complete digital data transactions. A typical transaction would have the following steps:


1.) Using an LCS, a user connects to a SECD.


2.) The user reviews a collection of data sets which are available for license (which for purposes of this application, may be equated with a purchase). The user then selects a data set (e.g., a song or other content), and purchases (or otherwise obtains the right to receive) a copy of the data set. (The user may transmit purchase information, for example, credit card information, using digital security that is known in the art of electronic commerce.)


3.) The SECD transmits the secured content to the LCS. Before transmitting any digital content, the SECD embeds at least one watermark and may also transmit (perhaps through cryptography) at least one hash value along with the data being transmitted. The at least one hash value may be embedded with the at least one watermark or may be attached to the beginning or end of the data being transmitted. Alternately, the hash output may be combined in ways that are known in the art.


4.) The LCS optionally may send its public key to the SECD, in which case the SECD may use the LCS public key to apply an additional security measure to the data to be transmitted, before the data is actually transmitted to the LCS.


5.) The LCS receives the secured content transmitted by the SECD. The LCS may optionally use its private key to remove the additional layer of security which was applied with the LCS's public key.


6.) The LCS may authenticate the secure content that was received from the SECD by checking the watermark(s) and/or hash values. Optionally, the LCS may unpack the secured content from its security wrapper and/or remove any other layers of security. If the content can be authenticated, the content may be accepted into the LCS domain. Otherwise, it may be rejected.


Fragile Watermark Structure


A fragile watermark—one that is encoded in the LSB of each 16 bit sample—can actually hold all of the data that would typically comprise the information being transmitted in the SecureChannel™. At a typical sampling rate of 44.1 kHz, there is 88,200 16 bit samples for each second of data in the time domain (44,100×2 stereo channels). This provides 88,200 bits per second which may be used for storing a fragile watermark. A typical 3 minute stereo song could therefore accommodate 1.89 MB of data for a fragile watermark. (The watermark is called fragile, because it is easily removed without greatly sacrificing the quality of the audio data.) 1.89 MB represents an immense capacity relative to the expected size of the typical data to be transmitted in a SecureChannel (100-200 K).


Preferably, the fragile watermark is bound to a specific copy of a specific song, so that “information pirates” (i.e., would-be thieves) cannot detect a watermark and then copy it onto another song in an effort to feign authorization when none exists. A fragile watermark may also contain information which can be utilized by various receivers which might receive the signal being packaged. For instance, a fragile watermark may contain information to optimize the playback of a particular song on a particular machine. A particular example could include data which differentiates an MP3 encoded version of a song and an AAC encoded version of the same song.


One way to bind a fragile watermark to a specific data set is through the use of hash functions. An example is demonstrated by the following sequence of steps:


1.) A digital data set (e.g., a song) is created by known means (e.g., sampling music at 44.1 kHz, to create a plurality of 16 bit data sets). The digital data set comprises a plurality of sample sets (e.g., a plurality of 16 bit data sets).


2.) Information relative to the digital data set (e.g., information about the version of the song) is transformed into digital data (which we will call the SecureChannel data), and the SecureChannel data is then divided into a plurality of SecureChannel data blocks, each of which blocks may then be separately encoded.


3.) A first block of the SecureChannel data is then is encoded into a first block of sample sets (the first block of sample sets comprising—at a minimum—a sufficient number of sample sets to accommodate the size of the first block of Secure Channel Data), for example by overwriting the LSB of each sample in the first block of sample sets.


4.) A hash pool is created comprising the first block of encoded sample sets.


5.) A first hash value is then created using i) the hash pool, ii) a random (or pseudorandom) number seeded using a code that serves to identify the owner of the digital data set, and iii) the SecureChannel data;


6.) The first hash value is then encoded into a second block of sample sets, the second block of sample sets being sufficient in size to accommodate the size of the first hash value.


7.) The second block of sample sets is then added to the hash pool


8.) A second block of the SecureChannel data is then is encoded into a third block of sample sets.


9.) The third block of encoded sample sets is added to the hash pool.


10.) A second hash value is then created using i) the hash pool, ii) a random (or pseudorandom) number seeded using a code that serves to identify the owner of the digital data set, and iii) the SecureChannel data;


11.) The second hash value is then encoded into a fourth block of sample sets.


Steps 7-11 are then repeated for successive blocks of SecureChannel data until all of the SecureChannel data is encoded. Understand that for each block of SecureChannel data, two blocks of content data are utilized. Moreover, for efficiency, one could use a predetermined subset of the samples in the hash pool, instead of the whole block.


Each SecureChannel block may, for example, have the following structure:














{











long
BlockIdentifier;
//A code for the type of block



long
BlockLength;
//The length of the block



...

//Block data of a length matching





BlockLength










char
IdentityHash[hashSize];



char
InsertionHash[hashSize];







}









In theory, each SecureChannel block may be of a different type of block (i.e., may begin with a different BlockIdentifier). In operation, a software application (or even an ASIC) may read the BlockIdentifier and determine whether it is a recognized block type for the particular application. If the application does not recognize the block type, the application may use the BlockLength to skip this block of SecureChannel.


Certain block types will be required to be present if the SecureChannel is going to be accepted. These might include an identity block and a SecureChannel hash block. The SecureChannel data may or may not be encrypted, depending on whether the data is transfer-restricted (a type of value-adding component, that is, VAC) or simply informative. For instance, user-added SecureChannel data need not be encrypted. A BlockIdentifier may also be used to indicate whether a SecureChannel data block is encrypted or not.


Robust Open Watermark (ROW)


A Robust-Open Watermark may be used to divide content into three categories. (The term “open watermark” is used merely to indicate that the watermark relies on a secret which is shared by an entire class of devices, as opposed to a secure watermark—which is readable only by a single member of a class of devices.) A binary setting may be used, whereby one state (e.g., “1”) may be used to identify secure protected content—such as content that is distributed in a secured manner. When the LCS detects a secured status (e.g., by determining that the ROW is “1”), the content must be accompanied by an authenticatable SecureChannel before the content is permitted to enter the LCS Domain (e.g., electronic music distribution or EMD content). The other binary state (e.g., “0”) may be used to identify unsecured content, for example, non-legacy media that is distributed in a pre-packaged form (e.g. CD's). When the binary setting is “0”, the content may or may not have a SecureChannel. Such “0 content” shall only be admitted from a read-only medium in its original file format (e.g., a 0 CD shall only be admitted if it is present on a Redbook CD medium). On the other hand, if the ROW is absent, then the LCS will understand that the content is “legacy”. Legacy content may be admitted, or optionally, may be checked for a fragile watermark—and then admitted only if the fragile watermark is present. It would be possible to permit unfettered usage of legacy content—though again, it is the prerogative of the user who sets up the LCS.


Robust Forensic Watermark


Preferably, a robust forensic watermark is not accessible in any way to the consumer—or to “information pirates.” A forensic watermark may be secured by a symmetric key held only by the seller. A transaction ID may be embedded at the time of purchase with a hash matching the symmetric key. The watermark is then embedded using a very low density insertion mask (<10%), making it very difficult to find without the symmetric key. Retrieval of such a watermark is not limited by real-time/low cost constraints. The recovery will typically only be attempted on known pirated material, or material which is suspected of piracy. A recovery time of 2 hours on a 400 MHz PC may, therefore, be reasonable.


Sample Embodiment
Renewability

The system of the present invention contemplates the need for updating and replacing previously-embedded watermarks (which may be thought of generally as “renewing” a watermark). If someone is able to obtain the algorithms used to embed a watermark—or is otherwise able to crack the security, it would be desirable to be able to embed a new watermark using a secure algorithm. New watermarks, however, cannot be implemented with complete success over night, and thus, there inevitably will be transition periods where older SPCS are operating without updated software. In such a transition period, the content must continue to be recognizable to both the old SPCSs and the upgraded SPCSs. A solution is to embed both the original and the upgraded watermarks into content during the transition periods. Preferably, it is the decision of the content owner to use both techniques or only the upgraded technique.


The operation of the system of the present invention is complicated, however, by the presence of “legacy” digital content which is already in the hands of consumer (that is, digital content that was commercially distributed before the advent of watermarking systems) because legacy content will continue to be present in the future. Moreover, pirates who distribute unauthorized content will also complicate matters because such unauthorized copies are likely to be distributed in the same formats as legacy content. As it is unlikely that such unwatermarked content can ever be completely removed, the present system must try to accommodate such content.


Hardware can be configured to read old ROW content and extract the old ROW and insert in the content a new ROW.


Sample Embodiment
SPCS Audio Server

Tables 1, 2 and 3 depict a sample embodiment for an SPCS Audio Server, and in particular show how secured content packages are created as downloadable units (Table 1), how the LCS works on the input side for an SPCS Audio Server (Table 2), and how the LCS works on the output side (Table 3). “PAD” refers to “Protected Associated Data”.


While the invention has been particularly shown and described by the foregoing detailed description, it will be understood by those skilled in the art that various other changes in form and detail may be made without departing from the spirit and scope of the invention.









TABLE 1





SAMPLE EMBODIMENT- SPCS Audio Server Stage









embedded image


















TABLE 2





SPCS Audio Player Input Stage









embedded image


















TABLE 3





SPCS Audio Player Output Stage









embedded image










Claims
  • 1. A local content server (LCS), comprising: a) an LCS communications port; an LCS storage unit for storing digital data; and an LCS domain processor for processing digital data; and an LCS identification code uniquely associated with said LCS;wherein said LCS stores in said LCS storage unit a plurality of rules for processing a data set;wherein said LCS is configured to receive via said communications port a first data set that includes data defining first content;wherein said LCS is configured to use said domain processor to determine from inspection of said first data set for a watermark, a first data set status value of said first data set to be at least one of unsecure, secure, and legacy;wherein said LCS is configured to use said first data set status value to determine which of a set of rules to apply to process said first data set prior to storage of a processed second data set resulting from processing of said first data set, in said LCS storage unit;wherein said LCS is configured to determine, at least in part from rights associated with a user identification associated with a prompt received by said LCS for said first content, a quality level at which to transmit said first content, wherein said quality level is one of at least unsecure, secure, and legacy; andwherein a quality level of legacy means that said first content does not include said watermark.
  • 2. The LCS of claim 1, wherein said LCS comprises a watermark extractor for extracting a watermark from said data sets.
  • 3. The LCS of claim 1 further comprising an interface configured to enable the LCS to communicate with a Satellite Unit (SU).
  • 4. The LCS of claim 3 configured to: (1) determine if said SU is an authorized device for communicating with the LCS;(2) determine if a SU data set received in said LCS via said interface is authorized; and(3) store said SU data set in said LCS storage unit only if said data set is determined by said LCS to be authorized.
  • 5. The LCS of claim 4 configured to determine if a SU data set received via said interface is authorized by extracting a watermark and to determine if said watermark encodes said LCS identification code.
  • 6. The LCS of claim 4 configured to determine if said SU data set contains data indicating it is associated with said LCS.
  • 7. The LCS of claim 4 configured to store content contained in said SU data set at a degraded quality level if said LCS fails to identify authentication information in or associated with said SU data set.
  • 8. The LCS of claim 1 configured to determine, at least in part from said first data set status value, a quality level of said first content to transmit out of said LCS in response to a prompt for said content.
  • 9. A method for using a local content server (LCS), said LCS comprising an LCS communications port; an LCS storage unit for storing digital data; and an LCS domain processor for processing digital data; and an LCS identification code uniquely associated with said LCS, said method comprising: said LCS storing in said LCS storage unit a plurality of rules for processing a data set;said LCS receiving via said communications port a first data set that includes data defining first content;said LCS using said domain processor to determine from inspection of said first data set for a watermark, a first data set status value of said first data set to be at least one of unsecure, secure, and legacy;said LCS using said first data set status value to determine which of a set of rules to apply to process said first data set prior to storage of a processed second data set resulting from processing of said first data set, in said LCS storage unit;said LCS determining, at least in part, from rights associated with a user identification associated with a prompt received by said LCS for said first content, a quality level at which to transmit said first content, wherein said quality level is one of at least unsecure, secure, and legacy; andwherein a quality level of legacy means that said first content does not include said watermark.
  • 10. The method of claim 9, wherein said LCS comprises a watermark extractor for extracting a watermark from said data sets.
  • 11. The method of claim 9, wherein said LCS further comprises an interface, and said LCS communicating via said interface a Satellite Unit (SU).
  • 12. The method of claim 9 further comprising: said LCS determining if said SU is an authorized device for communicating with said LCS;said LCS determining if a SU data set received in said LCS via said interface is authorized; andsaid LCS storing said SU data set in said LCS storage unit only if said data set is determined by said LCS to be authorized.
  • 13. The method of claim 12 further comprising said LCS determining if a SU data set received via said interface is authorized by extracting a watermark and determining from said watermark if said watermark encodes said LCS identification code.
  • 14. The method of claim 12 further comprising said LCS determining if said SU data set contains data indicating it is associated with said LCS.
  • 15. The method of claim 12 further comprising storing content contained in said SU data set at a degraded quality level if said LCS fails to identify authentication information in or associated with said SU data set.
  • 16. The method of claim 9 further comprising said LCS determining, at least in part from said first data set status value, a quality level of said first content to transmit out of said LCS in response to a prompt for said content.
CROSS-REFERENCE TO RELATED PATENTS AND APPLICATIONS

This application is a continuation of pending U.S. patent application Ser. No. 10/049,101, filed Jul. 23, 2002, which is a 371 of international application PCT/US00/21189 filed Aug. 4, 2000, which claimed the benefit of U.S. Patent Application Ser. No. 60/147,134, filed Aug. 4, 1999, entitled, “A Secure Personal Content Server” and U.S. Patent Application Ser. No. 60/213,489, filed Jun. 23, 2000, entitled “A Secure Personal Content Server.” Each of the foregoing applications is incorporated by reference in their entireties as if set forth separately hereunder. This application also incorporates by reference the following applications: pending U.S. patent application Ser. No. 08/999,766, filed Jul. 23, 1997, entitled “Steganographic Method and Device”; pending U.S. patent application Ser. No. 08/772,222, filed Dec. 20, 1996, entitled “Z-Transform Implementation of Digital Watermarks” (issued as U.S. Pat. No. 6,078,664); pending U.S. patent application Ser. No. 09/456,319, filed Dec. 8, 1999, entitled “Z-Transform Implementation of Digital Watermarks” (issued as U.S. Pat. No. 6,853,726); pending U.S. patent application Ser. No. 08/674,726, filed Jul. 2, 1996, entitled “Exchange Mechanisms for Digital Information Packages with Bandwidth Securitization, Multichannel Digital Watermarks, and Key Management” (issued as U.S. Pat. No. 7,362,775); pending U.S. patent application Ser. No. 09/545,589, filed Apr. 7, 2000, entitled “Method and System for Digital Watermarking” (issued as U.S. Pat. No. 7,007,166); pending U.S. patent application Ser. No. 09/046,627, filed Mar. 24, 1998, entitled “Method for Combining Transfer Function with Predetermined Key Creation” (issued as U.S. Pat. No. 6,598,162); pending U.S. patent application Ser. No. 09/053,628, filed Apr. 2, 1998, entitled “Multiple Transform Utilization and Application for Secure Digital Watermarking” (issued as U.S. Pat. No. 6,205,249); pending U.S. patent application Ser. No. 09/281,279, filed Mar. 30, 1999, entitled “Optimization Methods for the Insertion, Protection, and Detection . . . ” (issued as U.S. Pat. No. 6,522,767); U.S. patent application Ser. No. 09/594,719, filed Jun. 16, 2000, entitled “Utilizing Data Reduction in Steganographic and Cryptographic Systems” (issued as U.S. Pat. No. 7,123,718) (which is a continuation-in-part of PCT application No. PCT/US00/06522, filed 14 Mar. 2000, which PCT application claimed priority to U.S. Provisional Application No. 60/125,990, filed 24 Mar. 1999); and U.S. patent application Ser. No. 09/731,040, entitled “Systems, Methods and Devices for Trusted Transactions,” filed Dec. 7, 2000 (issued as U.S. Pat. No. 7,159,116) which claimed priority to U.S. Application No. 60/169,274, filed Dec. 7, 1999, entitled “Systems, Methods And Devices For Trusted Transactions.” All of the patent applications previously identified in this paragraph are hereby incorporated by reference, in their entireties, as if fully stated herein.

US Referenced Citations (387)
Number Name Date Kind
3947825 Cassada Mar 1976 A
3984624 Waggener Oct 1976 A
3986624 Cates, Jr. et al. Oct 1976 A
4038596 Lee Jul 1977 A
4200770 Hellman et al. Apr 1980 A
4218582 Hellman et al. Aug 1980 A
4339134 Macheel Jul 1982 A
4390898 Bond et al. Jun 1983 A
4405829 Rivest et al. Sep 1983 A
4424414 Hellman et al. Jan 1984 A
4528588 Lofberg Jul 1985 A
4672605 Hustig et al. Jun 1987 A
4748668 Shamir et al. May 1988 A
4789928 Fujisaki Dec 1988 A
4827508 Shear May 1989 A
4876617 Best et al. Oct 1989 A
4896275 Jackson Jan 1990 A
4908873 Philibert et al. Mar 1990 A
4939515 Adelson Jul 1990 A
4969204 Jones et al. Nov 1990 A
4972471 Gross et al. Nov 1990 A
4977594 Shear Dec 1990 A
4979210 Nagata et al. Dec 1990 A
4980782 Ginkel Dec 1990 A
5050213 Shear Sep 1991 A
5073925 Nagata et al. Dec 1991 A
5077665 Silverman et al. Dec 1991 A
5113437 Best et al. May 1992 A
5136581 Muehrcke Aug 1992 A
5136646 Haber et al. Aug 1992 A
5136647 Haber et al. Aug 1992 A
5142576 Nadan Aug 1992 A
5161210 Druyvesteyn et al. Nov 1992 A
5210820 Kenyon May 1993 A
5243423 DeJean et al. Sep 1993 A
5243515 Lee Sep 1993 A
5287407 Holmes Feb 1994 A
5319735 Preuss et al. Jun 1994 A
5341429 Stringer et al. Aug 1994 A
5341477 Pitkin et al. Aug 1994 A
5363448 Koopman et al. Nov 1994 A
5365586 Indeck et al. Nov 1994 A
5369707 Follendore, III Nov 1994 A
5379345 Greenberg Jan 1995 A
5394324 Clearwater Feb 1995 A
5398285 Borgelt et al. Mar 1995 A
5406627 Thompson et al. Apr 1995 A
5408505 Indeck et al. Apr 1995 A
5410598 Shear Apr 1995 A
5412718 Narasimhalv et al. May 1995 A
5418713 Allen May 1995 A
5428606 Moskowitz Jun 1995 A
5450490 Jensen et al. Sep 1995 A
5469536 Blank Nov 1995 A
5471533 Wang et al. Nov 1995 A
5478990 Montanari et al. Dec 1995 A
5479210 Cawley et al. Dec 1995 A
5487168 Geiner et al. Jan 1996 A
5493677 Balogh et al. Feb 1996 A
5497419 Hill Mar 1996 A
5506795 Yamakawa Apr 1996 A
5513126 Harkins et al. Apr 1996 A
5513261 Maher Apr 1996 A
5530739 Okada Jun 1996 A
5530751 Morris Jun 1996 A
5530759 Braudaway et al. Jun 1996 A
5539735 Moskowitz Jul 1996 A
5548579 Lebrun et al. Aug 1996 A
5568570 Rabbani Oct 1996 A
5579124 Aijala et al. Nov 1996 A
5581703 Baugher et al. Dec 1996 A
5583488 Sala et al. Dec 1996 A
5598470 Cooper et al. Jan 1997 A
5606609 Houser et al. Feb 1997 A
5613004 Cooperman et al. Mar 1997 A
5617119 Briggs et al. Apr 1997 A
5625690 Michel et al. Apr 1997 A
5629980 Stefik et al. May 1997 A
5633932 Davis et al. May 1997 A
5634040 Her et al. May 1997 A
5636276 Brugger Jun 1997 A
5636292 Rhoads Jun 1997 A
5640569 Miller et al. Jun 1997 A
5646997 Barton Jul 1997 A
5657461 Harkins et al. Aug 1997 A
5659726 Sandford, II et al. Aug 1997 A
5664018 Leighton Sep 1997 A
5673316 Auerbach et al. Sep 1997 A
5677952 Blakely et al. Oct 1997 A
5680462 Miller et al. Oct 1997 A
5687236 Moskowitz et al. Nov 1997 A
5689587 Bender et al. Nov 1997 A
5696828 Koopman, Jr. Dec 1997 A
5719937 Warren et al. Feb 1998 A
5721788 Powell et al. Feb 1998 A
5734752 Knox Mar 1998 A
5737416 Cooper et al. Apr 1998 A
5737733 Eller Apr 1998 A
5740244 Indeck et al. Apr 1998 A
5745569 Moskowitz et al. Apr 1998 A
5748783 Rhoads May 1998 A
5751811 Magnotti et al. May 1998 A
5754697 Fu et al. May 1998 A
5757923 Koopman, Jr. May 1998 A
5765152 Erickson Jun 1998 A
5768396 Sone Jun 1998 A
5774452 Wolosewicz Jun 1998 A
5790677 Fox et al. Aug 1998 A
5799083 Brothers et al. Aug 1998 A
5809139 Girod et al. Sep 1998 A
5809160 Powell et al. Sep 1998 A
5818818 Soumiya et al. Oct 1998 A
5822432 Moskowitz et al. Oct 1998 A
5828325 Wolosewicz et al. Oct 1998 A
5832119 Rhoads Nov 1998 A
5842213 Odom et al. Nov 1998 A
5848155 Cox Dec 1998 A
5850481 Rhoads Dec 1998 A
5859920 Daly et al. Jan 1999 A
5860099 Milios et al. Jan 1999 A
5862260 Rhoads Jan 1999 A
5870474 Wasilewski et al. Feb 1999 A
5884033 Duvall et al. Mar 1999 A
5889868 Moskowitz et al. Mar 1999 A
5893067 Bender et al. Apr 1999 A
5894521 Conley Apr 1999 A
5903721 Sixtus May 1999 A
5905800 Moskowitz et al. May 1999 A
5905975 Ausubel May 1999 A
5912972 Barton Jun 1999 A
5915027 Cox et al. Jun 1999 A
5917915 Hirose Jun 1999 A
5918223 Blum Jun 1999 A
5920900 Poole et al. Jul 1999 A
5923763 Walker et al. Jul 1999 A
5930369 Cox et al. Jul 1999 A
5930377 Powell et al. Jul 1999 A
5940134 Wirtz Aug 1999 A
5943422 Van Wie et al. Aug 1999 A
5949055 Fleet Sep 1999 A
5963909 Warren et al. Oct 1999 A
5973731 Schwab Oct 1999 A
5974141 Saito Oct 1999 A
5991426 Cox et al. Nov 1999 A
5999217 Berners-Lee Dec 1999 A
6009176 Gennaro et al. Dec 1999 A
6029126 Malvar Feb 2000 A
6041316 Allen Mar 2000 A
6044471 Colvin Mar 2000 A
6049838 Miller et al. Apr 2000 A
6051029 Paterson et al. Apr 2000 A
6061793 Tewfik et al. May 2000 A
6067622 Moore May 2000 A
6069914 Cox May 2000 A
6078664 Moskowitz et al. Jun 2000 A
6081251 Sakai et al. Jun 2000 A
6081587 Reyes et al. Jun 2000 A
6081597 Hoffstein Jun 2000 A
6088455 Logan et al. Jul 2000 A
6131162 Yoshiura et al. Oct 2000 A
6141753 Zhao et al. Oct 2000 A
6141754 Choy Oct 2000 A
6148333 Guedalia et al. Nov 2000 A
6154571 Cox et al. Nov 2000 A
6173322 Hu Jan 2001 B1
6192138 Yamadaji Feb 2001 B1
6199058 Wong et al. Mar 2001 B1
6205249 Moskowitz Mar 2001 B1
6208745 Florenio et al. Mar 2001 B1
6226618 Downs et al. May 2001 B1
6230268 Miwa et al. May 2001 B1
6233347 Chen et al. May 2001 B1
6233684 Stefik et al. May 2001 B1
6240121 Senoh May 2001 B1
6263313 Milstead et al. Jul 2001 B1
6272634 Tewfik et al. Aug 2001 B1
6275988 Nagashima et al. Aug 2001 B1
6278780 Shimada Aug 2001 B1
6278791 Honsinger et al. Aug 2001 B1
6282300 Bloom et al. Aug 2001 B1
6282650 Davis Aug 2001 B1
6285775 Wu et al. Sep 2001 B1
6301663 Kato et al. Oct 2001 B1
6310962 Chung et al. Oct 2001 B1
6330335 Rhoads Dec 2001 B1
6330672 Shur Dec 2001 B1
6345100 Levine Feb 2002 B1
6351765 Pietropaolo et al. Feb 2002 B1
6363483 Keshav Mar 2002 B1
6373892 Ichien et al. Apr 2002 B1
6373960 Conover et al. Apr 2002 B1
6374036 Ryan et al. Apr 2002 B1
6377625 Kim Apr 2002 B1
6381618 Jones et al. Apr 2002 B1
6381747 Wonfor et al. Apr 2002 B1
6385324 Koppen May 2002 B1
6385329 Sharma et al. May 2002 B1
6385596 Wiser et al. May 2002 B1
6389538 Gruse et al. May 2002 B1
6398245 Gruse et al. Jun 2002 B1
6405203 Collart Jun 2002 B1
6415041 Oami et al. Jul 2002 B1
6418421 Hurtado et al. Jul 2002 B1
6425081 Iwamura Jul 2002 B1
6430301 Petrovic Aug 2002 B1
6430302 Rhoads Aug 2002 B2
6442283 Tewfik et al. Aug 2002 B1
6446211 Colvin Sep 2002 B1
6453252 Laroche Sep 2002 B1
6457058 Ullum et al. Sep 2002 B1
6463468 Buch et al. Oct 2002 B1
6480937 Vorbach et al. Nov 2002 B1
6484264 Colvin Nov 2002 B1
6493457 Quackenbush Dec 2002 B1
6502195 Colvin Dec 2002 B1
6522767 Moskowitz et al. Feb 2003 B1
6522769 Rhoads et al. Feb 2003 B1
6523113 Wehrenberg Feb 2003 B1
6530021 Epstein et al. Mar 2003 B1
6532284 Walker et al. Mar 2003 B2
6539475 Cox et al. Mar 2003 B1
6557103 Boncelet, Jr. et al. Apr 2003 B1
6584125 Katto Jun 2003 B1
6587837 Spagna et al. Jul 2003 B1
6590996 Reed Jul 2003 B1
6598162 Moskowitz Jul 2003 B1
6606393 Xie et al. Aug 2003 B1
6647424 Pearson et al. Nov 2003 B1
6658010 Enns et al. Dec 2003 B1
6665489 Collart Dec 2003 B2
6668246 Yeung et al. Dec 2003 B1
6668325 Collberg et al. Dec 2003 B1
6674858 Kimura Jan 2004 B1
6687683 Harada et al. Feb 2004 B1
6725372 Lewis et al. Apr 2004 B1
6754822 Zhao Jun 2004 B1
6775772 Binding et al. Aug 2004 B1
6784354 Lu et al. Aug 2004 B1
6785815 Serret-Avila et al. Aug 2004 B1
6785825 Colvin Aug 2004 B2
6792548 Colvin Sep 2004 B2
6792549 Colvin Sep 2004 B2
6795925 Colvin Sep 2004 B2
6799277 Colvin Sep 2004 B2
6813717 Colvin Nov 2004 B2
6813718 Colvin Nov 2004 B2
6823455 Macy et al. Nov 2004 B1
6834308 Ikezoye et al. Dec 2004 B1
6842862 Chow et al. Jan 2005 B2
6853726 Moskowitz et al. Feb 2005 B1
6857078 Colvin Feb 2005 B2
6931534 Jandel et al. Aug 2005 B1
6950941 Lee et al. Sep 2005 B1
6957330 Hughes Oct 2005 B1
6966002 Torrubia-Saez Nov 2005 B1
6968337 Wold Nov 2005 B2
6977894 Achilles et al. Dec 2005 B1
6978370 Kocher Dec 2005 B1
6986063 Colvin Jan 2006 B2
6990453 Wang Jan 2006 B2
7007166 Moskowitz et al. Feb 2006 B1
7020285 Kirovski et al. Mar 2006 B1
7035049 Yamamoto Apr 2006 B2
7035409 Moskowitz Apr 2006 B1
7043050 Yuval May 2006 B2
7046808 Metois et al. May 2006 B1
7050396 Cohen et al. May 2006 B1
7051208 Venkatesan et al. May 2006 B2
7058570 Yu et al. Jun 2006 B1
7093295 Saito Aug 2006 B1
7095874 Moskowitz et al. Aug 2006 B2
7103184 Jian Sep 2006 B2
7107451 Moskowitz Sep 2006 B2
7123718 Moskowitz et al. Oct 2006 B1
7127615 Moskowitz Oct 2006 B2
7150003 Naumovich et al. Dec 2006 B2
7152162 Moskowitz et al. Dec 2006 B2
7159116 Moskowitz Jan 2007 B2
7162642 Schumann et al. Jan 2007 B2
7177429 Moskowitz et al. Feb 2007 B2
7177430 Kim Feb 2007 B2
7206649 Kirovski et al. Apr 2007 B2
7231524 Burns Jun 2007 B2
7233669 Candelore Jun 2007 B2
7240210 Michak et al. Jul 2007 B2
7266697 Kirovski et al. Sep 2007 B2
7286451 Wirtz Oct 2007 B2
7287275 Moskowitz Oct 2007 B2
7289643 Brunk et al. Oct 2007 B2
7343492 Moskowitz et al. Mar 2008 B2
7346472 Moskowitz et al. Mar 2008 B1
7362775 Moskowitz Apr 2008 B1
7363278 Schmelzer et al. Apr 2008 B2
7409073 Moskowitz et al. Aug 2008 B2
7457962 Moskowitz Nov 2008 B2
7460994 Herre et al. Dec 2008 B2
7475246 Moskowitz Jan 2009 B1
7530102 Moskowitz May 2009 B2
7532725 Moskowitz et al. May 2009 B2
7568100 Moskowitz et al. Jul 2009 B1
7647502 Moskowitz Jan 2010 B2
7647503 Moskowitz Jan 2010 B2
7664263 Moskowitz Feb 2010 B2
7743001 Vermeulen Jun 2010 B1
7761712 Moskowitz Jul 2010 B2
7779261 Moskowitz Aug 2010 B2
20010010078 Moskowitz Jul 2001 A1
20010029580 Moskowitz Oct 2001 A1
20010043594 Ogawa et al. Nov 2001 A1
20020009208 Alattar Jan 2002 A1
20020010684 Moskowitz Jan 2002 A1
20020026343 Duenke Feb 2002 A1
20020056041 Moskowitz May 2002 A1
20020071556 Moskowitz et al. Jun 2002 A1
20020073043 Herman et al. Jun 2002 A1
20020097873 Petrovic Jul 2002 A1
20020103883 Haverstock et al. Aug 2002 A1
20020161741 Wang et al. Oct 2002 A1
20030126445 Wehrenberg Jul 2003 A1
20030133702 Collart Jul 2003 A1
20030200439 Moskowitz Oct 2003 A1
20030219143 Moskowitz et al. Nov 2003 A1
20040028222 Sewell et al. Feb 2004 A1
20040037449 Davis et al. Feb 2004 A1
20040049695 Choi et al. Mar 2004 A1
20040059918 Xu Mar 2004 A1
20040083369 Erlingsson et al. Apr 2004 A1
20040086119 Moskowitz May 2004 A1
20040093521 Hamadeh et al. May 2004 A1
20040117628 Colvin Jun 2004 A1
20040117664 Colvin Jun 2004 A1
20040125983 Reed et al. Jul 2004 A1
20040128514 Rhoads Jul 2004 A1
20040225894 Colvin Nov 2004 A1
20040243540 Moskowitz et al. Dec 2004 A1
20050135615 Moskowitz et al. Jun 2005 A1
20050160271 Brundage et al. Jul 2005 A9
20050177727 Moskowitz et al. Aug 2005 A1
20050246554 Batson Nov 2005 A1
20060005029 Petrovic et al. Jan 2006 A1
20060013395 Brundage et al. Jan 2006 A1
20060013451 Haitsma Jan 2006 A1
20060041753 Haitsma Feb 2006 A1
20060101269 Moskowitz et al. May 2006 A1
20060140403 Moskowitz Jun 2006 A1
20060251291 Rhoads Nov 2006 A1
20060285722 Moskowitz et al. Dec 2006 A1
20070011458 Moskowitz Jan 2007 A1
20070028113 Moskowitz Feb 2007 A1
20070064940 Moskowitz et al. Mar 2007 A1
20070079131 Moskowitz et al. Apr 2007 A1
20070083467 Lindahl et al. Apr 2007 A1
20070110240 Moskowitz et al. May 2007 A1
20070113094 Moskowitz et al. May 2007 A1
20070127717 Herre et al. Jun 2007 A1
20070226506 Moskowitz Sep 2007 A1
20070253594 Lu et al. Nov 2007 A1
20070294536 Moskowitz et al. Dec 2007 A1
20070300072 Moskowitz Dec 2007 A1
20070300073 Moskowitz Dec 2007 A1
20080005571 Moskowitz Jan 2008 A1
20080005572 Moskowitz Jan 2008 A1
20080016365 Moskowitz Jan 2008 A1
20080022113 Moskowitz Jan 2008 A1
20080022114 Moskowitz Jan 2008 A1
20080028222 Moskowitz Jan 2008 A1
20080046742 Moskowitz Feb 2008 A1
20080075277 Moskowitz et al. Mar 2008 A1
20080109417 Moskowitz May 2008 A1
20080133927 Moskowitz et al. Jun 2008 A1
20080151934 Moskowitz et al. Jun 2008 A1
20090037740 Moskowitz Feb 2009 A1
20090089427 Moskowitz et al. Apr 2009 A1
20090190754 Moskowitz et al. Jul 2009 A1
20090210711 Moskowitz Aug 2009 A1
20090220074 Moskowitz et al. Sep 2009 A1
20100002904 Moskowitz Jan 2010 A1
20100005308 Moskowitz Jan 2010 A1
20100064140 Moskowitz Mar 2010 A1
20100077219 Moskowitz Mar 2010 A1
20100077220 Moskowitz Mar 2010 A1
20100098251 Moskowitz Apr 2010 A1
20100106736 Moskowitz Apr 2010 A1
20100153734 Moskowitz Jun 2010 A1
20100182570 Matsumoto et al. Jul 2010 A1
20100202607 Moskowitz Aug 2010 A1
20100220861 Moskowitz Sep 2010 A1
Foreign Referenced Citations (37)
Number Date Country
0372601 Jun 1990 EP
0372601 Jun 1990 EP
0565947 Oct 1993 EP
0565947 Oct 1993 EP
0581317 Feb 1994 EP
0581317 Feb 1994 EP
0649261 Apr 1995 EP
0651554 May 1995 EP
0651554 May 1995 EP
0872073 Jul 1996 EP
1547337 Mar 2006 EP
1354276 Dec 2007 EP
100523 Sep 1998 NL
1005523 Sep 1998 NL
WO 9514289 May 1995 WO
WO 9514289 May 1995 WO
9629795 Sep 1996 WO
WO 9629795 Sep 1996 WO
WO 9642151 Dec 1996 WO
WO9701892 Jan 1997 WO
WO9726733 Jan 1997 WO
9724833 Jul 1997 WO
WO 9724833 Jul 1997 WO
WO9726732 Jul 1997 WO
WO 9744736 Nov 1997 WO
WO9802864 Jan 1998 WO
WO9837513 Aug 1998 WO
WO9837513 Aug 1998 WO
WO 9952271 Oct 1999 WO
WO 9962044 Dec 1999 WO
WO 9962044 Dec 1999 WO
WO 9963443 Dec 1999 WO
WO 0057643 Sep 2000 WO
WO0118628 Mar 2001 WO
WO0143026 Jun 2001 WO
WO0203385 Jan 2002 WO
WO02003385 Oct 2002 WO
Related Publications (1)
Number Date Country
20090089427 A1 Apr 2009 US
Provisional Applications (2)
Number Date Country
60147134 Aug 1999 US
60213489 Jun 2000 US
Continuations (1)
Number Date Country
Parent 10049101 US
Child 12287443 US