I was thinking of throwing together a quick PHP or Django site for independently selling some "downloadable" content (music/mp3's) to which I am the artist/rights-holder.

I began to wonder if there are already some decent best-practices on how to handle the downloads - like how long a link should last for a user, the process of allowing a user to re-download bought content, protecting against abuse, etc.

After doing a couple quick searches, I didn't see any immediate examples where the topic was discussed. (I did find that most storefronts do allow you to sell digital content, though without a lot of explanation as to how they support re-downloads, etc.)

Any thoughts/experiences you can share?

I'm primarily using PHP or Django/Python, although this question should be very language agnostic.

EDIT:

To clarify: some of my first thoughts were that a user would get an initially working download link that would work for a number of hours. After that, they would need to log in and specifically "re-activate" their item, generating a new link. This could potentially solve the problem of failed downloads, and allow legitimate purchasers an easy way to re-activate a link, while providing a thin layer of security against someone simply posting a download link in some forums somewhere, etc.

A: 

Personally, if I purchased something as a download, at the very least I want to know up-front how long I will be able to download that item for. Also, I would be willing to pay slightly more for the ability to download the item as many times as I want. Due to the rather iffy (at times) nature of the Internet, I would say that allowing the user to download as many times as they wish is the safest bet if happy customers are the priority.

No matter how content is delivered, if someone wants to distribute it themselves for free, they can. For the most part, if your product is worth selling, and worth buying, people will pay for it. Sure, loss of revenue due to pirated things is a problem, but it is more of a fact of life given the open nature of the Internet. Think of it more as overhead than as lost revenue.

cdeszaq
A: 

"decent best-practices" don't currently exist. Most music downloading is simply illegal. It's either an illegal copy (a violation of the artist's rights) or corrupted with DRM (a violation of the consumer's fair-use rights).

If you sell an MP3, the link should work forever. They bought it forever, they can keep it forever. The link should last forever.

See this cartoon, which explains why DRM and expiring links are a bad idea. http://www.boingboing.net/2008/10/13/xkcd-strip-explains.html

The fundamental question is How will you pay the artists?

Some abuse (i.e., piracy) exists, but is chronically overstated by the RIAA. The facts indicate that piracy is actually small. See http://www.boingboing.net/2002/12/16/riaa-cooked-the-book.html for some information.

Indeed, people will voluntarily pay non-zero amounts for a download that they could have had for free. Radiohead was sure of this. Some artists offer MP3's for download, but sell higher-quality DVD's or CD's with bonus material. This is how Nine Inch Nails makes some of their money -- offering more if you pay more.

Please avoid the RIAA trap of suing your customers. Instead simply act as a thin, direct conduit from artist to consumer, doing as little as possible except moving content one way and money the other.

S.Lott
I am the owner/artist, and intend to sell non-DRM'd MP3's (as in AmazonMP3), as I am against DRM and not so very concerned with piracy. However, I *don't* intend to allow a single 'permalink' directly to an MP3 file, for all the world to *easily* steal. Links could be re-activated by purchaser.
anonymous coward
When a purchaser logs in, their music is their music. The link is not there for *anyone*. It's there for the purchaser. Re-activation will simply annoy your fan base. When they log in, their links are always active -- that's why they paid.
S.Lott
S. Lott, that makes perfect sense. See, I was thinking of generating a non-secured, public link for download - so the user could download the file however they chose, w/out being currently logged in. Your method of always-active links (while logged in) seems simpler and also makes sense.
anonymous coward
+2  A: 

This seems to me like a fairly general "secured content" question. The type of content, be it webpages or MP3 files doesn't really have any effect on the methods.

I'm an ASP.NET guy, but as you say the techniques are platform-agnostic. The most obvious method is to secure the content by folder, including the page(s) that link to the secured files. A few ideas:

  1. You'll need role-based security with login to secure the pages and files.
  2. If the secured content are files, you could encrypt and compress the downloaded file(s) to enhance security. Send the password to unencrypt in a separate email.
  3. Use SSL to secure traffic to your protected content.
  4. Track what has been downloaded by each user so they can see a list of previously downloaded files.

The specific implementation will depend partly on your billing model. Do you charge monthly for all content, file by file, or do your users buy credit and spend it by downloading files with a value attached?

Dave Swersky
Thanks for an answer that describes some technical methods. Appreciated!
anonymous coward
A: 

Mini case study: My wife sells patterns for knitting off of her blog (site is here, if anyone is interested). When she makes a sale, an email is sent to the purchaser with a PDF attached. It hasn't come up in the past year or so of selling, but if one of her customers lost the pattern, I'm sure my wife would email it to her again. She only needs to deal with a handful of sales a week.

You don't really have the email option available, since you'd be sending MP3's around.

My recommendation: keep it simple. When/if you're successful, you'll be able to make a better decision about what to do in your case.

I think you'll find that the type of person that buys from a small business is typically not going to redistribute/pirate maliciously. The few that do are edge cases.

I'd build custom links that don't expire. Make sure you can track the usage of the links via weblogs. If you run into a situation of someone abusing links, you can turn that link off. If it becomes a problem, you can make your links expire in the future.

Good luck!

Gary Richardson
A: 

Here's how I would do it:

  1. When the user purchases the content and her payment clears, the purchase is recorded in her purchase history, just as with any online order-taking system.
  2. You provide her with a link to a page that takes the item number in the URL (HTTP GET), checks her purchase history to confirm that she has purchased the item, and returns the file to her browser.
  3. She gets an "Open file with application/save file as" dialog from her browser, and does what she pleases.

If she gives that link to someone else, he will simply get an error message because he doesn't have a session. Even if he does have a session (perhaps he is also one of your customers, but has not purchased this particular item), he doesn't have it in his purchase history.

If she gives the FILE to someone else, there isn't really much you can do.

Adam Jaskiewicz
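The check described in this answer, sketched as an added example (not code from the original post). The catalogue, purchase table, `MEDIA_ROOT` and the `authorize_download` name are constructed for illustration; a real site would back them with its order database and session framework.

```python
from pathlib import Path

# Constructed sample data: the catalogue maps item numbers to files under
# MEDIA_ROOT; PURCHASES maps a user id to the item numbers that user has paid for.
MEDIA_ROOT = Path("/srv/media")
CATALOGUE = {101: "album-one/track01.mp3", 102: "album-one/track02.mp3"}
PURCHASES = {"alice": {101}, "bob": {102}}


def authorize_download(session, raw_item_id):
    """Decide a GET /download?item=<raw_item_id>; returns (http_status, path)."""
    user = session.get("user_id") if session else None
    if user is None:
        return 401, None            # a shared link without a session gets nothing
    try:
        item_id = int(raw_item_id)  # the URL carries an item number, never a path
    except (TypeError, ValueError):
        return 400, None
    # Same answer for "not purchased" and "no such item", so a logged-in
    # customer cannot enumerate the catalogue through this endpoint.
    if item_id not in PURCHASES.get(user, set()):
        return 403, None
    rel = CATALOGUE.get(item_id)
    if rel is None:
        return 404, None            # purchased, but the file has been withdrawn
    path = (MEDIA_ROOT / rel).resolve()
    # Defence in depth: a bad catalogue entry must not escape MEDIA_ROOT.
    if MEDIA_ROOT.resolve() not in path.parents:
        return 500, None
    return 200, path


if __name__ == "__main__":
    for sess, item in [(None, "101"), ({"user_id": "alice"}, "101"),
                       ({"user_id": "bob"}, "101"),
                       ({"user_id": "alice"}, "../../etc/passwd")]:
        print(sess, item, authorize_download(sess, item))
```

Because the file is looked up from the item number on the server side, the files themselves can live outside the web root and are only ever streamed by this handler.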
+2  A: 

You don't need a programming language for this.. all you need is a lighttpd webserver with mod_securedownload http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSecDownload
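The expiring link from the question, and the kind of signed URL this answer points to, can be sketched as follows. This is an added example, not part of the original answer, and it is not lighttpd's own URL format: the `/dl/` layout, the secret, the six-hour lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: kept in server config, never in the page
LINK_TTL = 6 * 3600                  # assumption: "a number of hours" taken as six


def make_link(rel_path, now=None):
    """Build /dl/<expiry-hex>/<mac>/<rel_path>; the MAC covers expiry and path."""
    expires = int(now if now is not None else time.time()) + LINK_TTL
    msg = f"{expires:x}:{rel_path}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"/dl/{expires:x}/{mac}/{rel_path}"


def check_link(url, now=None):
    """Return (True, rel_path) for a valid link, else (False, reason)."""
    parts = url.split("/", 4)        # ['', 'dl', expiry, mac, rel_path]
    if len(parts) != 5 or parts[:2] != ["", "dl"]:
        return False, "malformed"
    exp_hex, mac, rel_path = parts[2:]
    expected = hmac.new(SECRET, f"{exp_hex}:{rel_path}".encode(),
                        hashlib.sha256).hexdigest()
    # Verify the MAC before trusting any field; constant-time comparison.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if int(exp_hex, 16) < int(now if now is not None else time.time()):
        return False, "expired"
    return True, rel_path            # only server-issued paths reach this point


if __name__ == "__main__":
    link = make_link("album-one/track01.mp3", now=1000)   # constructed sample
    print(link)
    print(check_link(link, now=1000))
    print(check_link(link, now=1000 + LINK_TTL + 1))
    print(check_link(link.replace("track01", "track02"), now=1000))
```

Anyone holding a valid link can use it until it expires, which is the "thin layer" the question describes; re-activation is just a call to `make_link` after the purchaser logs in.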

A: 

I strongly recommend Shopify (shopify.com), a really well made ecommerce solution that integrates with practically everything and is easily customizable.

Check out this forum post for how to use it for digital content: http://forums.shopify.com/categories/1/posts/14087#comment-24206

Disclosure: made by friends of mine, but I do use it myself

Kevin Davis
I'll check it out, thanks!
anonymous coward
A: 

Whatever you are selling, make it so that the customer doesn't need to create an account on your site. Make that optional for people who are returning customers - just put a list of the benefits of having an account, with a link to create a new account, in the purchase process. Don't just throw a "create new account" form into the purchase process - make it just barely visible.

Considering downloadable goods, I usually make it so that after the purchase is completed the customer gets the download immediately and the system sends him an email with the same link/invoice, info on link expiration, instructions on how to re-download if the time has expired (usually reply to this email), and again the benefits of having an account (list of all purchased items, easier re-download, etc.).

In the meantime the DB tracks them by their email address, and I'm trying to store as little private data about them as I can.

esmajic
Very nice. I hate the 'accounts everywhere' problem too, and you're right - just outline benefits of having an account, but don't block people from getting what they want, *especially* when they're willing to pay to get it!
anonymous coward
A: 

Don't re-invent the wheel. There are many MP3 selling sites that cater to unsigned artists; some of them pay you a large majority (like 90% of the cost). I suggest you look into PayPlay.FM, but you can even use Amazon's MP3 store to reach more people (but they take more).

TravisO
I'm actually selling some music on Amazon now. It takes a bit to get everything approved on the site, but it works (createspace.com is the official amazon company, if you don't want to pay for the privilege of having your music listed on amazon). I'll check out PayPlay, thanks!
anonymous coward