
Definition, Role, and Implementation of DRM (Digital Rights Management) – iQIYI Case Study

DRM safeguards digital content by authenticating users and encrypting streams. iQIYI's shift from free distribution to paid membership made this a necessity and prompted a dual‑layer architecture that combines hardware‑based Trusted Execution Environment protection with flexible software SDKs. The system is continuously assessed and keeps evolving to balance security, cost, and user experience.

iQIYI Technical Product Team

DRM (Digital Rights Management) is a set of technologies, tools, and processes used to protect intellectual property during digital content transactions. Its purpose is to prevent unauthorized copying, modification, and distribution of digital content, thereby safeguarding the rights of content owners.

Initially, content providers delivered services directly to users (e.g., street performers, teachers, concerts). With the emergence of media platforms, users could watch performances online, and platforms paid licensing fees to content owners. However, piracy emerged as some users attempted to distribute cracked copies for profit, prompting the development of DRM solutions.

In the online video industry, membership and advertising are major revenue sources. For example, iQIYI reported 120 million members in Q4 2022. Without copyright protection, content loss would lead to user churn, reduced membership conversion, and lower advertising revenue, resulting in substantial financial damage.

Traditional digital media (optical discs, cable TV, cinemas) rely on hardware devices for protection, such as CD/DVD players or set‑top boxes. Traditional DRM often depends on specific physical devices and carriers.

Network‑based content, however, does not require dedicated physical media and can be played on a wide variety of devices (smartphones, tablets, smart TVs, computers). This diversity makes devices harder to control, and once cracked, piracy can spread rapidly.

Early distribution models offered free content without DRM, relying only on simple anti‑hotlinking measures. As free services proved unsustainable, content providers began charging fees (membership, tickets) and required platforms to enforce exclusive access, leading to the need for robust DRM.

Pirates employ various methods—pirate video sites, short‑video platforms, cloud storage, hotlinking—to obtain clear streams and redistribute them for profit.

To prevent piracy, a DRM system must authenticate users and lock content, restricting playback to authorized applications (e.g., iQIYI app on specific devices). The two fundamental DRM functions are authorization and encryption, which together form the basic DRM architecture.
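The authorization-plus-encryption flow described above, as an added example; it is not iQIYI's code or any commercial DRM's protocol. The function names, the per-device key table, and the HMAC-SHA256 counter-mode cipher standing in for AES are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keys for wrapping and for MAC from one device key.
    return hmac.new(key, label, hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); a real packager uses AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def package(content_key: bytes, clear: bytes) -> dict:
    # Encryption: the stream is locked once, before distribution.
    nonce = os.urandom(16)
    return {"nonce": nonce, "data": stream_xor(content_key, nonce, clear)}

def issue_license(user, device_id, content_id, entitlements, device_keys, content_keys):
    # Authorization: entitled user on a registered device, or no license.
    if content_id not in entitlements.get(user, set()):
        raise PermissionError("user is not entitled to this content")
    if device_id not in device_keys:
        raise PermissionError("device is not registered")
    dk, nonce = device_keys[device_id], os.urandom(16)
    wrapped = stream_xor(subkey(dk, b"wrap"), nonce, content_keys[content_id])
    body = json.dumps({"content_id": content_id, "device_id": device_id,
                       "nonce": nonce.hex(), "wrapped_key": wrapped.hex()}).encode()
    return {"body": body, "tag": hmac.new(subkey(dk, b"mac"), body, hashlib.sha256).digest()}

def play(lic: dict, device_id: str, dk: bytes, packaged: dict) -> bytes:
    # Client: check the license is intact and bound to this device, then decrypt.
    good = hmac.new(subkey(dk, b"mac"), lic["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(good, lic["tag"]):
        raise PermissionError("license failed integrity check")
    f = json.loads(lic["body"])
    if f["device_id"] != device_id:
        raise PermissionError("license is bound to another device")
    ck = stream_xor(subkey(dk, b"wrap"), bytes.fromhex(f["nonce"]), bytes.fromhex(f["wrapped_key"]))
    return stream_xor(ck, packaged["nonce"], packaged["data"])

if __name__ == "__main__":
    # Constructed sample data: one member, one registered device, one title.
    dev, keys = {"tv-1": os.urandom(32)}, {"ep1": os.urandom(16)}
    pkg = package(keys["ep1"], b"constructed clear stream bytes")
    lic = issue_license("alice", "tv-1", "ep1", {"alice": {"ep1"}}, dev, keys)
    print(play(lic, "tv-1", dev["tv-1"], pkg))
```

The content key never travels in the clear: it is wrapped under a key only the licensed device holds, so a copied license or a copied stream is useless on its own.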

Secure playback is a critical component. Commercial DRM typically provides a secure decryption SDK in two forms: (1) hardware‑level DRM using TrustZone (TZ) Trusted Applications (TA), and (2) software‑level DRM SDK that operates independently of TEE.

Hardware DRM TA runs within the Trusted Execution Environment (TEE), receiving licenses and encrypted streams, decrypting them inside TZ, and passing the clear stream to a hardware player, ensuring no plaintext appears in the OS.

Software DRM SDK creates a software‑based trusted execution space to protect the clear stream, but it cannot leverage hardware protections for components like system players or hardware output, making it less robust against certain attacks.

iQIYI’s DRM business faces a trade‑off: the hardware DRM TA offers higher security but brings higher device cost and device dependency, while the software DRM SDK is more flexible but requires more development effort.

iQIYI’s DRM product architecture consists of two parts: MultiDRM, which integrates commercial solutions such as Widevine, PlayReady, FairPlay, and Intertrust, and iQIYI’s own DRM‑S, built with native code. Together they protect browser, mobile, PC, and TV platforms.

Since 2018, iQIYI’s DRM system has undergone multiple security assessments (ChinaDRM 1.0, Riscure, Farncombe) to certify its safety, reflecting a continuous learning and improvement process.

Future plans include exploring more feasible hardware DRM solutions, supporting additional cryptographic algorithms, enhancing the SDK’s response to attacks, and balancing strong copyright protection with a good user experience.
