Readium LCP

What are the main objectives of Readium LCP?

EDRLab decided to develop a new Digital Rights Management solution to ensure that digital publications in different formats (EPUB, PDF, Audiobooks and Divina comics) can easily be distributed across reading apps, when the enforcement of usage rights is required (think about library lending, where the reading experience must stop at some point).

Other DRMs are either developed for proprietary and closed silos (e.g. Amazon, Apple, Google) or highly disappointing because they are buggy and expensive (Adobe). By contrast, LCP is a standard and interoperable DRM, which focuses on ease of integration, ease of use, privacy, vendor neutrality and minimal cost.

Who can implement Readium LCP?

Any trusted organization can develop an LCP-compliant Reading System, and any trusted organization can set up an LCP-compliant distribution solution. Trusted here means that the developer will need to show that he is working for an established organization in the publishing industry and that we can safely provide him with confidential information about LCP.

There is still a constraint to the implementation of LCP: in order to guarantee the interoperability of the different LCP servers and reading apps which constitute the “LCP network”, any implementation (either client-side in a Reading System, or server-side in a distribution solution) must be certified by EDRLab (as Certification Authority) before it is deployed.

What are the fees associated with the use of Readium LCP?

Managing the LCP ecosystem (X509 certificates, client and server software …) has a cost and the certification process is labor intensive.

Therefore, each implementer of LCP (either Reading System or License Provider) has to pay a yearly fee to EDRLab. It’s a fixed annual cost, based on the annual gross revenue (a.k.a. sales) of the LCP integrator, or its annual budget if it is a non-profit organization. We do not publish the fee structure on this website: please contact us to get details. You can fill in this document with your gross revenue to speed up the process.

It is important to note that there is no transaction fee in the model, i.e. no cost per license.

Note that the fee structure has been decided by our board of directors; we are a non-profit association with members from the publishing sector; fees are therefore as low as possible.

Is Readium LCP vendor-neutral?

The LCP specification is maintained by the Readium Foundation, which is a non-profit organization managed by elected board members.

The interoperability and security of the Readium LCP ecosystem is guaranteed by EDRLab, chosen as worldwide Certification Authority. EDRLab is also a non-profit organization managed by elected board members.

Is Readium LCP an open standard?

The LCP specification, split into two documents named Licensed Content Protection and License Status Document, is public and royalty-free. It is an industrial standard.

LCP is also the first DRM solution accepted as an ISO (International Standards Organization) Technical Specification. It is identified as ISO TS 23078 part 2. The editors of the ISO specification are Taehyun Kim (DRM Inside) and Laurent Le Meur (EDRLab). The ISO document can be acquired online; it is technically speaking identical to the Readium LCP Specification, with some language and presentation differences.

The specification is now in the process of becoming a “real” ISO standard, with the support of ISO international experts. This should be finalized by the end of 2023.

Note that the Readium LCP specification uses a concept of “profiles” and defines a “basic profile”, which is not secure because it is disclosed openly. This is why EDRLab has defined a “production” profile, which is not part of the open standard, and is implemented as part of the confidential binary sent only to LCP Licensees.

Is Readium LCP open-source?

Readium offers a complete set of open-source software on GitHub to ease the implementation of LCP-compliant Reading Systems and LCP Servers.

Trusted organizations who wish to use LCP to protect their content or access to protected content need to obtain from EDRLab some confidential information and a small binary corresponding to the “production” profile introduced above, and integrate this closed software into their reading application. This procedure is key to preventing the open-source software from being used for hacking LCP-protected publications.

We can therefore state that the vast majority of the code provided by Readium for LCP is open-source, but a tiny part is closed software.

The confidential LCP precompiled libraries are available for iOS, Android, Windows, macOS and Linux applications.

Is Readium LCP available for Web applications?

No, LCP is not available for Web applications, e.g. applications built using the Readium Web toolkit.

Web applications offer no way to prevent developers from accessing their code. Developers can obfuscate information in a Web application and make it harder to find, but it is not possible to include in a Web application a real DRM solution, using secrets concealed in precompiled libraries.

It is still possible to consume LCP protected content from a Web application, but in such a case the content must be decrypted server-side and properly obfuscated via confidential techniques until it is sent to the client Web engine. It is not possible to develop generic code for that purpose, as this code would be too easily defeated if made public.

Is Readium LCP able to protect PDF files?

An extension of the Readium LCP specification provides a way to protect PDF files.

PDF support has been added to the Readium LCP open-source server in Q1 2020. It has also been added to Readium Mobile iOS in Q1 2020 and to the Readium Mobile Android codebase since Q4 2020.

Note that because Adobe products (Adobe Digital Editions especially) would not recognize LCP protected content, the publication format resulting from an LCP encryption is specific to the Readium Architecture, i.e. a zip file containing a Readium WebPub Manifest and the PDF document as a resource.

Is Readium LCP able to protect Audiobooks?

An extension of the Readium LCP specification provides a way to protect W3C Audiobooks and Readium Audiobooks.

Audiobook support has been added to the Readium LCP open-source server in Q3 2020. It has also been added to Readium Mobile Android and to Readium Desktop (and Thorium Reader) in Q3 2020. It has been added to Readium Mobile iOS in Q4 2020.

Is Readium LCP able to protect Web publications?

By Web publications, we mean here any set of web pages accessed online from a web browser. Many people call it streaming, even if technically speaking this is improper.

Like every other DRM, LCP is not applicable to web content. The reason is that DRMs are based on data encryption and some secret way to decrypt data. Web browsers are so transparent that no secret used for decryption can stay hidden for long in a web browser. The requirement to use DRMs for video on the Web, imposed by big VoD suppliers, has given birth to Encrypted Media Extensions (EME) and Content Decryption Modules (CDM), controversial technologies that are not applicable to textual content.

The Readium community is studying whether there is a way to protect web content, a technology that could be shared between all Readium Web implementations; but this web protection will not be called “LCP”.

What are the advantages of Readium LCP for publishers?

LCP helps publishers license content through a secure, user-friendly, accessible, global and open ecosystem. Detailed information is found on Advantages of LCP for publishers.

What are the advantages of Readium LCP for users?

Users can obtain e-books from LCP-based services and use LCP-based apps and devices, secure in the knowledge that their e-books will interoperate across these devices, legally and with little or no effort (a simple passphrase, given to the user by the ebook provider at the time the user has acquired the ebook, along with a hint used as a reminder for this passphrase).

The only situation where a user has to enter a passphrase is when he opens an ebook for the first time on a given device; the reading application will then securely store the passphrase and use it silently the next time the user opens the same ebook on this device. This same passphrase is also tested each time the user opens another ebook from the same provider: as long as the passphrase has not been modified, the user will therefore be able to open every ebook from the same provider without entering the corresponding passphrase.

Users can freely transfer a publication from one device to another. They can expect to be able to continue reading it year after year after download, even if their bookseller closes its operation, thanks to the offline capabilities of the solution.

Other advantages include a provision for accessibility to the print-disabled and the confidence that no usage data will leak through the Readium LCP technology to feed commercial appetites.

What are the advantages of Readium LCP for Booksellers and Public Libraries?

Retailers, libraries, and other service providers benefit from costs that are lower than those of existing commercial DRM systems, while meeting publishers’ content protection requirements. Our open source model also ensures that LCP will evolve to meet future needs.

The integration of an LCP Server on their platform is quite easy, thanks to a well-documented REST API. To succeed, they still need to have a professional software team, and be able to modify their ebook distribution software in order to manage (and give access to) the user passphrase and textual hint required by LCP.

Retailers can therefore deploy an LCP Server on their premises and get real-time feedback on core data, like the number of delivered licenses or the number of active devices for a given license.

Alternatively, they can decide to use a hosted solution provided by a third-party. See the list of LCP Technology Providers for more info.

Every provider we have talked to states that user support has drastically gone down since they adopted LCP (especially compared to the Adobe DRM).

The only issue is when users lose the passphrase which has been given to them by the library or bookseller. This is why the passphrase must be either:

  • the identifier of the user (e.g. as shown on his library card);
  • something easy to retrieve from the “forgot your password?” link every LCP-compliant application should display;
  • something the user can find on their profile page on the library or bookseller website;
  • something the user does not have to enter in a text field because the reading application implements something like the LCP Automatic Key Retrieval protocol.

Why isn’t there a strict device limit on LCP licenses?

LCP has been built to avoid oversharing of published material. When a license is shared on the web, along with its passphrase, a large number of people will feel free to use the passphrase to read the corresponding ebook. A large number of devices will therefore register themselves on the LCP Server that generated the license. The ebook distributor will be immediately alerted, and he will be able to revoke the license immediately. This is how oversharing is stopped in the LCP case.

Limiting licenses to a small number of devices (let’s say 6) is a bad idea, we think. People change their smartphone every 18 months. People can have good reasons to pass a license with its corresponding passphrase to a companion, a child, a friend. Limiting the number of registered devices to a low and inflexible number is a recipe for expenses in client support. And client support is what ebook distributors want to avoid.
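The oversharing signal described above (many devices registering against one license in a short time, as opposed to one reader changing devices over the years), as an added example that is not EDRLab's or the Readium LCP Server's code. The event records, field names, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not an LCP Server export.
# lic-A: one reader changing devices over time. lic-B: license shared publicly.
EVENTS = (
    [{"license": "lic-A", "device": d, "type": "register", "timestamp": t}
     for d, t in [("phone-1", "2021-01-10T09:00:00"),
                  ("tablet", "2021-03-02T18:30:00"),
                  ("phone-1", "2021-06-01T08:00:00"),   # same device again
                  ("phone-2", "2022-08-15T12:00:00")]]
    + [{"license": "lic-B", "device": f"dev-{i}", "type": "register",
        "timestamp": f"2023-05-0{1 + i // 4}T10:{i:02d}:00"} for i in range(8)]
    + [{"license": "lic-B", "device": "dev-0", "type": "renew",
        "timestamp": "2023-05-03T10:00:00"}]
)

def peak_distinct_devices(events, window):
    """Per license: the largest number of distinct devices whose first
    registration falls inside any time span of length `window`."""
    first_seen = defaultdict(dict)          # license -> device -> first timestamp
    for ev in events:
        if ev["type"] != "register":        # renewals, returns etc. are ignored
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        devices = first_seen[ev["license"]]
        if ev["device"] not in devices or ts < devices[ev["device"]]:
            devices[ev["device"]] = ts      # a re-registration adds no new device
    peaks = {}
    for lic, devices in first_seen.items():
        times = sorted(devices.values())
        best = start = 0
        for end, t in enumerate(times):     # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[lic] = best
    return peaks

def licenses_to_review(events, max_devices=5, window=timedelta(days=7)):
    """Licenses whose burst of new devices exceeds the (assumed) threshold."""
    peaks = peak_distinct_devices(events, window)
    return sorted(lic for lic, n in peaks.items() if n > max_devices)

if __name__ == "__main__":
    print(peak_distinct_devices(EVENTS, timedelta(days=7)))
    print(licenses_to_review(EVENTS))
```

Counting devices per time window rather than over the lifetime of the license keeps a reader who replaces a phone every 18 months out of the review list while still surfacing a license that has been posted publicly.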

Is the Readium SDK required for implementing Readium LCP in my reading system?

Not at all. One can develop a Readium LCP compliant Reading System (application or e-reader) directly from the specification, using classic cryptographic libraries.

The Readium LCP open-source codebase provided on the Readium GitHub is currently optimized for use within the Readium architecture, but the core C++ code can be ported to any other environment, especially e-readers, for free.

Is Readium software designed to work with Readium LCP only?

Not at all. The Readium development kits are designed to work with multiple DRMs. This ensures that Readium-based apps and devices can be built if they have requirements for DRM features that go beyond what Readium LCP offers.

How does Readium LCP differ from other DRMs?

Readium LCP is intended to cover basic use cases (sale, rental) with an adequate level of security as well as a provision for accessibility to the print-disabled, with open source code for both client and server and an absolute minimum of vendor dependency.

Readium LCP is particularly well tailored for the library lending use case, with notions like early return and extended loan, the latter not being covered by most DRMs. The high level of privacy offered by Readium LCP is another crucial aspect for public libraries.

Also, Readium LCP is intended to operate on a cost recovery basis and therefore may be less expensive than commercial DRMs. Other DRMs for Readium may be offered through commercial entities, support content access models that Readium LCP does not support, have enhanced security features that are required for certain applications, and/or support additional related services.

How do I test my reading system for compliance with the specification?

Compliance testing tools are under development at EDRLab; they are included in the open-source code provided by the Readium LCP Server project.

As a service provider, what do I have to install?

Please follow the steps detailed here.

What are Robustness Rules and how do I test my app or device against them?

Robustness Rules specify the levels of protection that a Readium LCP-based app or device must provide against the exposure of secrets, such as cryptographic keys, through reverse engineering, debugging, and other techniques. Compliance with Robustness Rules may involve some obfuscation of the app codebase. The Readium LCP Terms of Use require licensees to make sure that their implementations are compliant with Robustness Rules and to submit to reasonable requests to audit their implementations. EDRLab has no direct interest or involvement in Robustness Rule audits.

What is the sustainability of Readium LCP?

EDRLab has a role of Certification Authority for the Readium LCP ecosystem. All confidential information will be archived by a key escrow agent. Should EDRLab activities end one day, the certification process will be easily taken over by another organization.

Is Readium LCP protected by anti-circumvention laws?

Many countries, including the United States, European Union Member States, Australia, New Zealand, Japan, Singapore, India, China, and Brazil have various forms of laws against circumvention (cracking) of DRM systems and distribution of circumvention tools. Such laws are intended to provide “legal backstops” for DRMs that can be cracked. Different countries’ laws contain different definitions of the systems to which such laws apply, and such laws have been clarified to greater or lesser degrees in each country through litigation. Neither Readium Foundation nor EDRLab represents or guarantees that an implementation based on Readium LCP enjoys protection under such laws; please consult qualified legal counsel.

Is Readium LCP at risk against patent infringement?

Various organizations exist that own portfolios of patents that they may claim are related to digital rights management. Some of these organizations maintain patent licensing programs that require royalty payments; some have engaged in litigation against service providers, application developers, and others for alleged infringement of those patents. Readium Foundation has not consulted with any such entity to determine whether or not any aspect of Readium LCP “reads on” their patents. Neither Readium Foundation nor EDRLab takes a position on whether any system, device, application, or service that incorporates any aspect of Readium LCP “reads on” any particular patents, nor does Readium Foundation or EDRLab endorse any patent holder’s patent claims or patent licensing program; please consult qualified legal counsel.

No technology is immune against patent claims; Readium LCP is based on standard cryptographic technologies (AES-256, SHA-256 …) and processes; we are therefore confident that Readium LCP is a simple and reliable solution that does not put implementers at risk.


Copyright © 2023 EDRLab. Legal informations
