DE:PICT Framework

This post is a transcript of a presentation that was given on 22 April 2021 at the LUISS Law School during a webinar on “Rules and Tools: Exceptions and technologies in the DSM Directive” within the activities of BILL Blockchain, artificial Intelligence and digital innovation Law Lab.

With this post, I would like to introduce you to the DE:PICT framework.

The DE:PICT framework makes use of a set of open standards for decentralised identifiers for individuals, entities and content, based on technologies and protocols such as blockchain, cryptographic hashing and public-key cryptography.

It can be used to support digital content licensing at scale, e.g. in the context of the Directive 2019/790 on Copyright in the Digital Single Market (DSM).

“Relevant and Necessary Information …”

To give an example how this framework could be used in the context of the DSM, let me jump right in into the Directive by quoting the infamous Article 17. There it says that:

“an online content-sharing service provider shall … obtain an authorisation from the rightholders, for instance by concluding a licensing agreement, in order to communicate to the public.” (Directive 2019/790, article 17(1))

Seen from a business perspective, this section is quite astonishing.

To be clear, in the case of user-generated content we are speaking of billions of “works or other subject matter” from millions of rightsholders on hundreds, if not thousands of platforms that are affected by the Directive.

Everyday, 350 million photos are uploaded to Facebook (which is an equivalent of about 4.000 uploads each second.).

100+ Million photos & videos are uploaded to Instagram every day.

Anyone who ever tried to license only one single digital image online will have experienced that currently, licensing digital content often is an all too complicated and inefficient process that involves time consuming and manual work by all parties: Identifying content and rightsholders … finding out how to get in touch with them … understanding the correct metadata and licensing terms … negotiations … payments …

Imagine going through all these steps when dealing with millions of publications a day? — Obviously, platforms will have to comply. Because …

“Online content-sharing service providers shall be liable for unauthorised acts of communication to the public … unless they have …

b) made, in accordance with high industry standards of professional diligence, best efforts to ensure the unavailability of specific works and other subject matter for which the rightholders have provided the service providers with the relevant and necessary information.” (Directive 2019/790, article 17(4b))

I am not a lawyer, but in my interpretation of the DSM, the articles and recitals are a bit vague with regards to what “high industry standards”, “professional diligence” or “best efforts” exactly mean. On the other hand it is also quite unclear what “relevant and necessary information” exactly means.

In my understanding, article 17(4b) formulates a precondition to make the DSM work and it implies an obligation for rights holders — in their own self-interest: They need to “provide the relevant and necessary information” that allow them to conclude licensing agreements.

From an operational perspective, this means that they need to make metadata and rights management information broadly and publicly available, easily accessible on a global scale. The data needs to be accurate, comprehensive and provided in a timely manner. Furthermore, rights management information needs to be expressed in a machine-readable way for an efficient and automated exchange and processing of information in order to facilitate automated licensing transactions peer-to-peer or machine-to-machine.

DE:PICT Framework

DE:PICT Framework

The DE:PICT framework suggests four steps in order to reach this goal:

1) Rightsholders need to publish metadata and rights management information in such a way that anyone can get access to the data.

2) Parties involved, like natural persons and legal entities, but also the content needs to be identifiable by decentralised identifiers so that each party knows what they are dealing about, and with whom.

3) Content certificates need to be issued so that all parties can cryptographically verify and trust metadata and rights management information, which have been provided by rightsholders.

4) Automated transactions need to be possible on a large scale.

New Generation of Identifiers

The DE:PICT framework makes use of a new generation of open standards for decentralised identifiers (DIDs, see These DIDs are self-generated (issued decentrally) and cryptographically verifiable. It is possible to connect attributes or metadata to the DIDs. DIDs can identify things, people, companies — and digital content. Regarding the latter, let me introduce you to the ISCC, the International Standard Content Code.

The ISCC is an open and decentralized identifier for digital media assets of all media types from all media sectors (text, image, audio, video). It can identify and cluster same or similar digital media assets. The open specification and open source development are maintained by the not-for-profit ISCC Foundation. This will ensure interoperability and transparency of decentralised digital content identification. In 2019, ISCC has been accepted as PWI at ISO TC 46/SC 9/WG 18.

Decentralised Content Identification

The main distinguishing feature of the ISCC — in comparison to existing content identifiers — is the fact that the ISCC is derived from the digital media assets itself . This means that an ISCC can be generated by anyone with access to the content — decentrally, without metadata or manual effort, free of charge by using open-source software.

decentralised content identification

This is interesting in the case of decentralized media environments: Because anyone with access to the digital media asset — it could be the original creator, a publisher, an intermediary, an online content-sharing service provider or an Internet user — can decentrally generate the same or a similar ISCC from the same or similar digital asset — even if the content has been unintentionally or maliciously modified or if it is available in different file formats. And if the rightsholder provided metadata or rights management information to the content, anyone with access to the digital asset can also learn about the terms that are connected to the image. Eventually, online content-sharing service providers (OCSSPs) can license and offer the content on the basis of an agreement, based on verifiable data that have been provided by the legitimate rightsholders!

Blockchain Networks

Considering the fact, that decentralised identifiers do not necessarily need blockchains, one question remains to be answered: What is the function of blockchain in the DE:PICT framework?

Public blockchains networks provide a trust architecture that can be used as a decentralized registry and matching service for DIDs, ISCCs and other identifiers. In contrast to centralised services, the trust is created on the blockchain through the immutability of transactions and data, the transparency of the network and the technical protocols of the technology. This transparency allows anyone to cryptographically verify data on the blockchain.

Cryptographic Basics

Blockchains are based on asymmetric public-key cryptography and cryptographic hashing.

For our purposes, the cryptographic protocols of public-key cryptography support two basic use cases:

1. The use of digital signatures that establish a relationship between any content, an identity that signs a transaction and its public key.

2. With this public key, it is possible for anyone to cryptographically verify this relationship and trust the content and metadata provided by the signee.

And because of the fact that we do not want to deal with assets or metadata on the blockchain itself, instead we will work with (multi-component) content hashing that creates short, unique identifiers which are derived from the digital assets. This is what the ISCC brings to the table.

Open Content Certification Protocol (OCCP)

You might be familiar with browsers certificates that allow you to make sure whether the controller of a domain is the expected and a trusted source. So why not use (basically) the same technology for digital media content, in general, in order to identify the party that published a claim to the content? Exactly this is what the Open Content Certification Protocol (OCCP) protocol is trying to address.

OCCP suggests a process and technologies that can be used by the creative community to generate or verify certificates for digital media content by using digital signatures and public key cryptography.

Content certificates allow rightsholders to be identified, and to inseparably and verifiably connect metadata and rights management information to digital content.

It is the goal of the certification process to create trust in assertions, claims and the authenticity of original content, and to ensure accountability of entities, even if they must or prefer to remain pseudonymous.

Certification Authorities

OCCP will be based on a hierarchical trust model. This means that the Certification Authorities themselves need to be publicly identifiable. And for that purpose OCCP will recommend to use the virtual Legal Entity Identifier — vLEI.

Unfortunately, I cannot go into the details, now. But what is important for us is that the Global Legal Entity Identifier Foundation will establish a reliable public-key infrastructure(PKI) that will provide a root of trust that can be used for content certificates. And this root of trust is eventually anchored in a mandate by the G20 organisation.


The decentralised publication of cryptographically verifiable metadata and rights management information, the use of decentralised identifiers for rightsholder and digital media assets, and the use of content certificates will allow decentralised and automated transactions peer-to-peer or machine-to machine using verifiable credentials (VCs).

But in order to make this work, we need more academic research and more support for standardisation and actual prototyping of applications that will deliver actual solutions for challenges and goals of the DSM Directive.

I would like to encourage you to reach out and join the discussion! Thanks!

[Disclosure: The author is co-initiator of the ISCC and Chairman of the Board of the ISCC Foundation, for further affiliations see my LinkedIn profile:]