Regulating access to digital content    

United States Patent 6389541
Inventor(s): Patterson; Patrick E. (Arlington, VA)
Abstract: Digital content such as text, video, and music are stored as part of a compressed and encrypted data file, or object, at a client computer, such as a personal home computer. The content is inaccessible to a user until a payment or use authorization occurs. Payment or use authorization occurs via a real-time, transparent authorization process whereby the user enters account or use data at the client computer, the account or use data is transmitted to a payment server computer, the account or use data is preprocessed at the payment server computer and if payment information is required and is present, the payment information is transmitted to a payment authorization center. The payment authorization center approves or rejects the payment transaction, and bills the corresponding account. The authorization center then transmits an authorization signal to the payment server computer indicating whether the transaction was approved and if not, which information was deficient. In response, the payment server computer transmits a token to the client computer, and if the token indicates approval, an installation process is initiated at the client computer whereby the object is activated and locked to the particular client computer. The object can be reopened and reused at any time on that particular computer. If the object is transmitted or copied to a different computer, the required payment or use information must again be tendered for access to the content.
   














Owner/Assignee     First Union National Bank (Atlanta, GA)
Publication Date     May 14, 2002
Application Number     09/079,545
Filing Date     May 15, 1998
Examiner     Decady; Albert
Assistant Examiner     Callahan; Paul E.
Attorney/Law Firm     Troutman Sanders LLP

Claims
 


What is claimed is:

1. A computer-implemented method of regulating access to digital content, the method comprising:

at a client, executing an access checking process to determine whether the client holds a pre-existing permission for a resource to access the digital content,

if not, requesting permission from an external source for the resource to access the digital content;

receiving from the external source a token; and

based on the received token, executing an installation process that generates at the client a permission that is locked uniquely to the client and that may be found by a later execution of the access checking process.

2. The method of claim 1, wherein requesting the permission, receiving the token, and selectively granting the resource access are performed on the client.

3. The method of claim 2, wherein the token is not transferable to another client.

4. The method of claim 1, wherein the permission comprises a unique coded key corresponding to the digital content.

5. The method of claim 4, wherein the installation process includes installing at the client a machine identification code identifying the client on which the installation process is executed.

6. The method of claim 4, wherein the access checking process determines whether the client holds a permission and a machine identification code.

7. The method of claim 1, wherein the token is inaccessible to the resource.

8. The method of claim 1, wherein the external source comprises a server.

9. The method of claim 8, wherein the permission is requested via a public switched network and the token is received via the public switched network.

10. The method of claim 9, the method further comprising establishing a socket connection with the server computer for requesting the permission and receiving the token via the public switched network.

11. The method of claim 1, wherein the resource comprises a human initiating a computer operation.

12. The method of claim 1, wherein the resource comprises a computer program.

13. The method of claim 1, wherein requesting the permission from the external source initiates an authorization procedure, and the token received is based on a result of the authorization procedure.

14. The method of claim 13, wherein the authorization procedure is executed in real-time.

15. The method of claim 13, wherein the token comprises a data string containing a code indicating whether permission is granted.

16. The method of claim 13, wherein requesting the permission from the external source includes transmitting payment information to the external source.

17. The method of claim 16, wherein the payment information includes a credit card number.

18. The method of claim 16, wherein the authorization procedure comprises:

transmitting payment data based on the payment information to a payment authorization center;

processing the payment data at the payment authorization center; and

transmitting an authorization code from the payment authorization center to the external source based on the processing of the payment information.

19. The method of claim 18, wherein the payment data and the authorization code are transmitted via a dedicated frame relay network.

20. The method of claim 13, wherein the authorization procedure comprises:

processing use information received from a client;

searching the use information for a predefined parameter; and

transmitting the token to the client based on a result of the search.

21. A computer-implemented method for selectively granting access to an encrypted object, the method comprising:

in response to a request from a client to a server for permission for access to the encrypted object, returning to the client a token that is not unique to the encrypted object or to the client,

in response to the token, generating a permission key at the client, and

decrypting the object at the client.

22. The method of claim 21, wherein the encrypted object includes digital content, a copy of the key corresponding to the object, and an authorization form for collecting authorization information.

23. The method of claim 21, wherein the object includes a file comprising digital content, and decrypting the object initiates copying of the file comprising the digital content to a temporary location at the client.

24. The method of claim 23, the method further comprising reencrypting the object and removing the file comprising the digital content from the temporary location at the client based on a request to close the object.

25. The method of claim 24, wherein the object is stored in encrypted format at the client until another request to access the object occurs.

26. The method of claim 21, wherein the object is transferable to another client and the permission key corresponding to the object is not transferable to another client.

27. The method of claim 21, wherein the object includes a file comprising digital content, decrypting the object allows use of the digital content, and the file comprising the digital content is protected from copying while the digital content is being used.

28. The method of claim 27, wherein the file comprising digital content is encrypted, decrypting the object causes the encrypted file comprising digital content to be copied to a temporary location at the client, and use of the digital content is enabled by decrypting the file comprising digital content as a continuous data stream in real-time.

29. The method of claim 28, wherein the file comprising digital content is encrypted using at least one algorithm selected from the group consisting of Blowfish, RSA, DES, Triple DES, Twofish, Cast-128, Cast-256, Gost, IDEA, Mars, Misty1, RC2, RC5, RC6 and Rijndael.

30. The method of claim 21, the method further comprising:

requesting the object from a merchant server via a public switched network;

receiving the object from the merchant server via the public switched network; and

storing the object at the client.

31. The method of claim 30, wherein the object is received as an electronic mail attachment.

32. A computer-implemented method of regulating access to protected digital content at a client, the method comprising:

including the protected digital content in a package that comprises an executable process,

providing the package to the client,

in connection with a request at the client for access to the protected digital content, executing the executable process at the client to request permission from a server for access to the protected digital content,

receiving from the server a token;

based on the token received, selectively granting access at the client to the digital content.

33. The method of claim 32, wherein the digital content is contained in a file that is part of a locked, compressed object.

34. The method of claim 33, wherein the digital content is reusable at the client and the locked, compressed object is transferable to another client.

35. The method of claim 33, wherein granting access to the digital content comprises decoding and decompressing the object, creating a temporary copy of the file containing the digital content at a location at the client, and upon notification that the resource is finished accessing the digital content deleting the temporary copy of the file containing the digital content, and encrypting and compressing the object.

36. The method of claim 32, wherein the token is inaccessible to the resource.

37. A system for selectively granting access to digital content, the system comprising:

a client for executing an access checking process to determine whether a client holds a pre-existing permission for a resource to access the digital content; for transmitting access information if the access checking process fails to determine that the client holds the permission; for receiving a token; and for executing an installation procedure based on the received token to install a permission that is unique to the client and may be found by a later execution of the access checking process;

a server for receiving access information transmitted by the client; for processing the access information; for submitting authorization information based on the access information; for receiving an authorization code; and for transmitting the token to the client based on the authorization code received; and

an authorization process for receiving the authorization information submitted by the server; for confirming the authorization information; and for providing the authorization code to the server.

38. The system of claim 37, wherein the access information comprises use information.

39. The system of claim 37, wherein the access information comprises payment information.

40. The system of claim 39, wherein the payment information includes a credit card number.

41. The system of claim 37, the system further comprising a public switched network for transmitting the access information and the token.

42. The system of claim 41, wherein a secure socket connection is established between the client and the server for transmitting the access information and the token via the public switched network.

43. The system of claim 42, wherein the secure socket connection is opened before transmitting the access information and the secure socket connection is closed after receiving the token.

44. The system of claim 37, the system further comprising a frame relay network for transmitting the authorization information and the authorization code.

45. The system of claim 37, wherein the resource comprises a computer process.

46. The system of claim 37, wherein the digital content has an associated key, and the installation procedure comprises writing the associated key to a location at the client.

47. The system of claim 46, wherein the installation procedure further comprises writing machine identification data to a location at the client, the machine identification data enabling access to the digital content at the client.

48. The system of claim 47, wherein the associated key and the machine identification data are written to the registry file on a Windows operating system.

49. The system of claim 46, wherein the access check comprises checking the client for the associated key and the machine identification data.

50. The system of claim 37, the system further comprising a merchant server for receiving requests electronically for delivery of the object; and for delivering the object electronically.

51. The system of claim 50, wherein the object is requested and the object is delivered via a public switched network.

52. The system of claim 50, wherein the object is requested via the Internet and the object is delivered in compressed format via the Internet.

53. The system of claim 50, wherein the object is delivered in compressed format using electronic mail.

54. The system of claim 37, wherein the object is obtained from a read-only removable storage medium.

55. The method of claim 9, the method further comprising establishing a secure socket connection with the server for requesting the permission and receiving the token via the public switched network.

56. The method of claim 55, the method further comprising opening the secure socket connection before transmitting the access information and closing the secure socket connection after receiving the token.

Description
 


BACKGROUND

This invention relates to regulating access to an object containing digital information or content stored at a client computer.

Content traditionally has been packaged in physical form, and physically delivered from one point to another. For example, the stories and images contained in most morning newspapers are arranged in electronic form, on computers, but the newspapers are published in printed form and delivered to the subscribers' doorsteps by newspaper carriers. Business documents that need to be delivered to an associate or customer often are placed in an envelope and delivered by an overnight express service to their destination.

Computer networks, including public switched networks using Transmission Control Protocol/Internet Protocol (TCP/IP) such as the Internet, represent a potentially economical and efficient conduit for the electronic delivery of content. Digital files including text, graphics, sound, video, or any number of media formats can be created, and stored electronically, and delivered from one point to another via a network.

Applications for transfer of content via computer networks have proliferated in recent years, in part due to the popularity of the Internet. For example, one widely used application is electronic mail ("email"), a messaging protocol for the delivery of text-based messages from one user to another. An email message also can include attachments, which are files that the sending party selected and designated for delivery along with the email message.

Another application, the Internet browser, provides a mechanism for viewing World Wide Web ("Web") pages. Web pages are multimedia files written in a hypertext format, for example, utilizing the hypertext mark-up language (HTML), and stored at server computers ("Web servers") on the Internet. A Web server responds to a request from a client to view a Web page by downloading the appropriate file to the client. The file is displayed by the client's browser, and usually is stored in the client's cache directory and/or memory along with other recently accessed Web page files. Each time a user at the client computer wishes to view a new Web page, the user must enter the address, or Uniform Resource Locator (URL) of the file corresponding to the Web page, or select a hypertext link corresponding to the URL of that page. The client then requests from the Web server the file at the designated URL, and the server delivers this file to the client.

Because content often is produced originally in digital form, a potential has arisen for the producers of such content to sell directly to their customers, without the need for physical production or a distribution chain, or third-party sales intermediaries such as retailers. For example, authors or publishers may offer their books for sale in digital form on the Internet, for immediate download by customers, without incurring the cost of printing and distributing the book in paper form. Likewise, newspaper publishers could deliver their daily content electronically, to the user's home computer desktop, instead of in paper form to their doorstep, and music producers could sell their recordings online without producing and distributing tapes or compact disks. Electronic distribution could result in cost savings to the consumer and increased profitability to the content producer, due to the reduction in printing and distribution costs.

In an electronic delivery or distribution scheme, a baseline requirement is that content producers or sellers must have a way to regulate access to their product, for example, by first receiving payment before making the content accessible. Furthermore, since digital files are extremely easy to copy and distribute, sellers and producers have an interest in locking or encrypting the files containing the content, so as to limit access to those who have paid for it.

The efficacy and desirability of delivering and receiving content via a computer network such as the Internet is determined by several additional factors. For example, the speed and capacity of the server and client computers, and the communication link therebetween, may significantly affect content delivery and sometimes prohibit, as a practical matter, delivery of certain media formats. The speed of file transfer is affected by, among other things, the bandwidth of the communications link between the server and the client, the traffic on the network at the time of file transfer, and the size of the file(s) to be transferred. While small, plain text files normally can be delivered quickly using existing systems and networks, other file types, such as multimedia files containing graphics or sound, can be quite large and therefore may take significantly longer time to deliver. This is particularly true of delivery to home computers, which usually have a relatively low-bandwidth connection (e.g. a modem and standard telephone line) to the network. Also, memory capacities, including Dynamic Random Access Memory (DRAM) and disk space, can limit the size and complexity of files that can be executed and stored by a client or server computer.

Factors associated with maintaining a network connection also may affect the desirability of electronic content delivery, particularly from the standpoint of the client. For example, most Web sites consist of multiple pages including hypertext links to related pages at the same server, and to other Web sites located at other servers. When browsing, or jumping from page to page, on the Web, an Internet connection should be maintained continuously, because each file is accessed by a separate request from the client. Maintaining a connection can be inconvenient because it may tie up the user's telephone line, the connection may be slow (requiring the user periodically to wait for the next page to be downloaded), or the connection may terminate unexpectedly before the user has completed viewing the document. Moreover, some Internet access providers charge customers based on connection time, so maintaining a connection over a long period of time can become expensive.

Yet another factor associated with electronic content delivery is the level of privacy protection afforded the sending and receiving parties. For example, electronic documents undergoing transmission may contain confidential business information, thus users may be reluctant to deliver such documents over a computer network for fear that the document may be intercepted by a third party, either intentionally or unintentionally. A message sent via a packet-switching network such as the Internet passes through many different computers on the network, or nodes, on the way to its final destination. The message potentially could be intercepted at any one of these nodes, or at the final destination.

Also important for content delivery are the attractiveness and ease of use of interfaces presented to the user for interacting with the computer or other content-providing vehicle. In the physical world, interfaces are important for a variety of purposes. A newspaper, for example, is arranged to have an aesthetically pleasing layout, eye-catching graphics and titles, and easy browsing from one page to the next, in order to facilitate viewing its content. Also, an interface can govern the manners in which separate physical documents are arranged and delivered. When sending physical documents, for example, related documents often are grouped by paperclip or staple, or by packaging in an envelope. Like the physical world, in the digital environment, using a network for sending a document, receiving a document, viewing a document, paying for a document, or requesting permission to access a document all may be controlled through user interfaces. The properties and characteristics of the particular interface(s) used will affect the desirability of conducting such operations electronically.

SUMMARY

Access to digital content is regulated by the mechanisms described herein, based on, for example, proper payment or other authorization information submitted by a user or computer process. Embodiments may include various combinations of the following features.

Objects embodying digital content (such as newspaper text, executable computer programs, or music) are arranged in a format for electronic delivery, the format comprising an encrypted, compressed, parsed data string which includes the files containing the content, a unique coded key corresponding to the object, an access authorization form, and a setup file. The data string also may include applications necessary for viewing the content, such as browsers or viewers. The object may be copied and transmitted freely between computers. For example, a merchant server on the Internet may advertise objects representing newspapers or magazines available for delivery to client computers. Users at client computers may download an object using, for example, File Transfer Protocol (FTP), or users request that the object be sent to the client computer via electronic mail. Delivery is facilitated by the fact that the object is compressed and therefore requires relatively less time to transmit across the network. As an alternative to network delivery, the object may be acquired from a CD-ROM or other physically transportable medium. The object can be stored at the client computer, on a hard drive, for example, or on a transportable medium.

Completion of an authorization process is required in order to unlock, or gain access to, the object. Access to the object may be requested at the direction of a human user, or may be requested without human intervention, such as during execution of a computer program or script. Once the authorization process has been completed successfully, an install process is initiated at the client computer, wherein the object's unique coded key is copied to a location at the client. The install process also causes a machine identification code corresponding to the client to be copied to a location at the client. On the Microsoft Windows Operating System, the Registry file is used for storing the unique coded key and the machine identification code. The installation process allows the object to be executed, or "published," locally, at that particular client computer, as opposed to occurring across a network, and "locks" the installed object to that particular machine. The object can be copied and is freely transmissible between computers, but the authorization process will be executed again if access is attempted at a different computer.

When access to an object is requested initially at a client computer, for example by a human user or by an automated computer script, the client computer conducts an access check. The access check may comprise searching one or more designated system files at the client computer for the unique key corresponding to the object and the machine identification code corresponding to the computer at which the request occurred. If the access check reveals that the required files are present, then the object is automatically decoded and executed. The files containing the digital content are copied to a temporary directory, and the content is available for use. When the resource using the content has completed such use, the temporary directory is deleted and the object is encrypted. The content can be reaccessed and reused at that particular computer as many times as the user or resource desires.
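
The install process and access check described in the two paragraphs above, modelled as an added Python example (not code from the patent). A dictionary stands in for the Registry file, and the class names, the `machine_id` values and the one-character token codes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed token codes: the patent says only that the token is a data string
# containing a code indicating whether permission is granted.
APPROVED = "1"
REJECTED = "0"


@dataclass(frozen=True)
class ProtectedObject:
    """The freely copyable package: content plus its unique coded key."""
    object_key: str
    content: str  # stands in for the encrypted, compressed content files


@dataclass
class Client:
    """A client computer. `store` stands in for the Registry file."""
    machine_id: str
    store: dict = field(default_factory=dict)


def access_check(client: Client, obj: ProtectedObject) -> bool:
    """Pass only if the object's key is on record together with the
    identification code of the machine making the request."""
    return client.store.get(obj.object_key) == client.machine_id


def install(client: Client, obj: ProtectedObject, token: str) -> bool:
    """On an approving token, record the object's key and this machine's
    identification code at the client; otherwise change nothing."""
    if token != APPROVED:
        return False
    client.store[obj.object_key] = client.machine_id
    return True


def open_object(client: Client, obj: ProtectedObject,
                authorize: Callable[[], str]) -> Optional[str]:
    """Return the content if access is permitted, else None.
    `authorize` models the external authorization round trip and is only
    called when the local access check fails."""
    if access_check(client, obj):
        return obj.content
    if install(client, obj, authorize()):
        return obj.content
    return None


def demo() -> dict:
    """Walk through the scenarios from the description (constructed data)."""
    obj = ProtectedObject(object_key="OBJ-KEY-0001", content="morning edition")
    home = Client(machine_id="MACHINE-A")
    calls = []

    def approve() -> str:
        calls.append("approve")
        return APPROVED

    results = {}
    results["rejected"] = open_object(home, obj, lambda: REJECTED)
    results["first_open"] = open_object(home, obj, approve)
    results["reopen"] = open_object(home, obj, approve)  # no new authorization
    results["authorizations_at_home"] = len(calls)

    # The object, and even the stored record, are copied to a second machine:
    # the recorded machine code does not match, so the access check fails and
    # authorization must be obtained again.
    other = Client(machine_id="MACHINE-B", store=dict(home.store))
    results["copied_check"] = access_check(other, obj)
    results["copied_open"] = open_object(other, obj, lambda: REJECTED)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes one property of the scheme visible: the lock is only as strong as the client-side record and the way the machine identification code is derived, since both the check and the data it checks live on the client.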

If the access check fails, then an external authorization procedure is implemented. Payment and/or use information is collected at the client computer at which the access request occurred. The payment/use information can be input by a human user, or can be automatically collected by the resource based on existing, stored information. Payment information may be required if the producer or supplier of the object requires such payment for execution of the object (i.e. the object is being sold or licensed to the user). Alternatively or in addition to payment information, use information may be required, such as employment-related data, educational information, family information, or any other information which a content producer or supplier wishes to consider in regulating access to the object. The payment/use information is transmitted from the client to a payment server, using a communications link such as the Internet.

The payment server directs the external authorization procedure, based on the payment/use information received. The payment server first may process, at a "preprocessing" stage, the payment/use information. During preprocessing, the payment server may search the information for payment information in correct format, such as valid credit card number (i.e. proper number of digits) and expiration date. Alternatively, if only "use" information is required for accessing the object, the payment server may search for the required "use" information. For example, a magazine may require th