Privacy Technology

MPAA Developing Digital Fingerprinting Technology 544

Danathar writes "The MPAA is looking to use digital fingerprinting technologies that in conjunction with legislation will enable and force ISPs to look for network traffic that matches the signatures." From the article: "Once completed, Philips' technology--along with related tools from other companies--could be a powerful weapon in Hollywood's increasingly aggressive attempts to choke off the flood of films being traded online."
  • Computer = COPY (Score:5, Informative)

    by BoldAC ( 735721 ) on Sunday February 13, 2005 @07:43PM (#11663036)
    As long as you can get it onto a computer, people are going to figure out how to make it copy it.

    Just take the new napster mess where everybody is loading up on free music right now:

    Napster/Winamp hack to get unprotected free music [tech-recipes.com]
  • Re:Encryption (Score:3, Informative)

    by J'raxis ( 248192 ) on Sunday February 13, 2005 @07:52PM (#11663114) Homepage
    Probably a lot easier to just use SSL [openssl.org]. Most existing protocols (like HTTP, POP3, IMAP) add an encryption layer this way.

    There are already some P2P programs that support encryption, such as Freenet [sourceforge.net] and MUTE [sourceforge.net].
  • Re:Crypto (Score:3, Informative)

    by J'raxis ( 248192 ) on Sunday February 13, 2005 @07:57PM (#11663171) Homepage
    What prevents someone from running a p2p app across port 443? It's not like ports are hardcoded into protocols; they're simply defaults or "recommended." Maintaining a list of "known" HTTPS servers is rather unwieldy, sort of like going back to the days when we all used /etc/hosts for name->IP lookups, no? Also what about SSH, VPN, and so on? There're a lot more standard encrypted services people use than HTTPS.

    It'd also be quite difficult to tell what is encrypted and what isn't -- encrypted data, like ideally compressed data, is indistinguishable from random noise.

    The only route would be to outlaw encrypted p2p apps, I would guess, which would probably be unenforceable in a practical sense anyway. (It's illegal to trade copyright material already; do you see that stopping too many people?)
  • This does NOT matter (Score:3, Informative)

    by AntiPasto ( 168263 ) on Sunday February 13, 2005 @08:02PM (#11663216) Journal
    ... The hackers are taking over TV and movies anyway.

    http://www.ourmedia.org/ [ourmedia.org]
    http://www.unmediated.org/ [unmediated.org]

    etc... just google for it... Get involved in your public access TV today.

  • Re:Encryption (Score:3, Informative)

    by Anonymous Coward on Sunday February 13, 2005 @08:03PM (#11663221)
    > Probably a lot easier to just use SSL.

    Yes, but SSL still leaves you open to the MPAA running a robot to download stuff, check for fingerprints in what it has downloaded, and recording the IP addresses of where it obtained the material. A captcha means they'd have to pay someone in Bangladesh $15/day to type in codes.
  • Artists (Score:2, Informative)

    by Atroxodisse ( 307053 ) on Sunday February 13, 2005 @08:04PM (#11663234) Homepage
    Musical Artists make most of their money from concert sales. Most of them have prohibitive contracts where all of the money ends up in the hands of others. If an artist is good, people go to their concert.
  • Re:Encryption (Score:5, Informative)

    by CodeBuster ( 516420 ) on Sunday February 13, 2005 @08:28PM (#11663406)
    > This wouldn't work with public key encryption.

    Sure it would, that is the whole point behind the man-in-the-middle attack. It was discovered as a weakness in key exchange protocols such as Diffie-Hellman which rely upon exchange of public keys between previously unknown parties who do not use a trusted third party to manage public keys. The premise of the man-in-the-middle attack is that an intermediary intercepts the public keys (which must be transmitted in the clear) during the exchange protocol before they reach the intended recipients and substitutes his own public key instead. Then when the symmetric key is computed by the recipients during the key exchange (using the man-in-the-middle's public key) all three of them, both recipients and the man-in-the-middle, will have the secret symmetric key and the entire session will be compromised. Moreover, the recipients will have no idea that the man-in-the-middle exists because they had not previously exchanged public keys. The solution to this problem in practice has been to have a trusted third party repository for public keys, such as Thawte, which signs public key requests with its own private key to verify the origin of each public key. However, this requires central registration and management of keys, something which is unlikely to be palatable to P2P users for obvious reasons and thus the man-in-the-middle problem will persist when computing session keys for encryption on P2P networks. Man in the Middle is somewhat difficult to implement in practice, but not impossible (ISPs would make the perfect men-in-the-middle), so this is not merely a theoretical possibility.
  • Re:Hmm, wouldn't... (Score:5, Informative)

    by thpr ( 786837 ) on Sunday February 13, 2005 @08:38PM (#11663486)
    No. If they take the 4 or 5 most significant bits across a song and perform (for example) an MD5 hash of them, then any encoding mechanism (MP3, OGG, etc.) would still result in the same hash. Same goes for video.

    The stupid part is that even trivial encoding changes (zip) much less encryption (DES, AES, PKC) render this useless. The way around that is actually doing application layer filtering on data, and I wish them luck with that. Besides encryption still getting around this in many cases, the CPU time required to do near-real-time layer 7 processing of ALL of the packets going through an ISP is obscene. (remember this type of filtering requires persistence of those packets for a period of time in order to reconstruct the resulting media, because the few bytes in a single IP frame probably isn't enough to know if it's media). Such investment would drive every ISP except Microsoft bankrupt.

    What the MPAA is really pursuing right now is watermarking (mentioned later in the article). They have proposed altering each image that goes to different movie theaters or DVDs (especially previews that go to the MP Academy), etc. By watermarking the image against a master (of 'neutral' color), it is possible to determine which copy it came from even if it has been re-encoded.

    The alteration is of certain items in the image. It is not on the magnitude of a least-significant bit (which different encoding schemes would then garble). What these watermarking systems do is change it by a number of bits, and do so in a recognizable fashion. In a scene, this might change brightness of the clouds, or the brown of the ground, etc. The net is that a distinct watermark can be created on the image. By altering different items in different films (and at different times), the net result is indistinguishable to the watcher; yet when the 'master' is known to the MPAA, the patterns can be distinguished to determine the source of a pirated copy of a movie or song (regardless of how it might have been re-encoded - unless it's at REALLY low quality)

  • by tepples ( 727027 ) <tepples.gmail@com> on Sunday February 13, 2005 @08:45PM (#11663555) Homepage Journal

    > if you're not selling all those "vacation" JPEGs and school papers, it's damn hard to show copyright damages

    If you register your photos with the US Copyright Office, which costs only $30 per photo album, they become eligible for statutory damages of $750 to $150K per infringed work unless the defendant has a clear fair use defense.

  • by oliverthered ( 187439 ) <oliverthered@nOSPAm.hotmail.com> on Sunday February 13, 2005 @09:00PM (#11663653) Journal
    Anne_Caliguiri@mpaa.org Add to Address Book

    Dear Oliver,

    Thanks for your e-mail.

    While Peer-to-Peer (P2P) networks allow for a great deal of opportunity
    for distribution of entertainment, P2P networks unfortunately enable
    massive amounts of pirate activity.

    When people upload or download others' copyrighted works, that is, in
    fact, illegal. There is nothing illegal about P2P technologies, if
    you're sharing work that you have the rights to share. But, most
    commercial works you find available on P2P networks (e.g., albums you
    find in stores, movies you find in theatres or stores) were not posted
    there legally.

    It is only this illegal activity that the MPAA is fighting against. We
    will continue to embrace technology and the opportunities it offers
    responsible citizens using it legally.

    Thanks again for writing, and please let me know if you have additional
    questions.

    Anne
  • by tepples ( 727027 ) <tepples.gmail@com> on Sunday February 13, 2005 @09:41PM (#11663911) Homepage Journal

    > You mean you somehow get automatic money, despite having no conceivable real damage to yourself? Not even the debatable damages of lost sales?

    Yes. If the following happen in order: 1. you create a work, 2. you register U.S. copyright in that work, 3. somebody infringes your copyright on U.S. soil, and 4. you sue and win, then even if you can't prove monetary damages, you can still recover statutory damages and attorney's fees. See 17 USC chapter 5 for the gory details.

  • by shark72 ( 702619 ) on Sunday February 13, 2005 @10:09PM (#11664091)

    "For decades they conspired on prices and you claim they "paid the price"?!"

    The price-fixing settlement was not as a result of "conspiring" for "decades." Here's what happened:

    1. A couple of "big box" retailers (Wal-Mart, Best Buy and the like) started selling CDs at a loss, or for extremely low margins, as an inducement to get people into the stores and buy other high-margin stuff.
    2. This started hurting a few music-only chains (Tower Records, TWE and one other that slips my mind), who didn't have an acre of high-margin children's clothing or computer equipment in the back of the store that allowed them to sell CDs at a price that competed with Wal-Mart and Best Buy.
    3. Tower Records, et al complained to the record companies (notably Universal) that Wal-Mart and Best Buy were putting them out of business.
    4. In response, Universal started a "MAP," or "minimum advertised price" program. Universal gave Tower, et al. funding for advertising (in newspapers and the like) with the stipulation that the advertised prices didn't fall below a particular point. In case this concept seems familiar to you... lots of other industries do it, including the computer peripheral industry.
    5. Best Buy and Wal-Mart noticed this and complained to the government.
    6. The government smacked Universal around a bit.
    7. Wal-Mart and Best Buy had the last laugh.
    8. Tower Records filed for bankruptcy.

    The winners here are Best Buy and Wal-Mart. The losers are the traditional record stores and indie stores that continue to get squeezed out of the business by Wal-Mart and their loss leader prices on CDs. The record companies probably don't mind; other than sending out some settlement checks and sending some crappy CDs to some libraries (as you've mentioned), this didn't hurt their bottom line. They were selling CDs to Tower Records for the same price that they sell to Wal-Mart.

    You should be happy about this if:

    • You don't mind buying your music in Wal-Mart (sadly, for many people reading this, Wal-Mart is the only place they know to get music, and they'll never know what it was like to have that cool indie record store in town before Wal-Mart put it out of business.) Can't beat those great Wal-Mart prices, particularly if you like Shania Twain!
    • You don't like MAP pricing programs. In that case, one industry down (the record industry) and lots more to go. This battle is fought one step at a time.
    • You subscribe to the "what's good for Wal-Mart is good for America" philosophy.

    You should be unhappy if:

    • You miss the old days when indie record stores and stores like Tower were more prevalent, and you wouldn't mind paying a few extra bucks for more selection and the opportunity to avoid going to Wal-Mart for your music.
    • It bothers you that the computer peripheral industry still uses MAPs. Doesn't bother me, as that's the industry I'm in. MAPs are great.

    The bottom line is that anybody who thinks that the price-fixing settlement was a strike against big business and a win for the little guy is mistaken. They're probably still chuckling about it at Wal-Mart headquarters in Bentonville.

  • Re:Encryption (Score:4, Informative)

    by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Sunday February 13, 2005 @11:36PM (#11664569) Journal
    The problem with man-in-the-middle attacks is you have to be there to intercept the connection when it begins (no problem for ISPs), but until the connection is well underway, you have no way to know if any particular connection will contain material you may have wanted to snoop on.

    It's simply infeasible for an ISP to track absolutely _EVERY_ outgoing connection on its network and decrypt its contents for perusal by the MPAA, so this isn't gonna happen. At best all the ISP would be able to do is a random cross-sampling of its entire set of connections, and try to infer actual usage from that (although they wouldn't be able to actually prosecute anyone without the direct evidence).

  • Re:Encryption (Score:5, Informative)

    by 42forty-two42 ( 532340 ) <bdonlan@NoSpAM.gmail.com> on Monday February 14, 2005 @12:51AM (#11665004) Homepage Journal
    Trivially broken:
    1. Alice sends her public key K(a) to Bob.
    2. Mallory intercepts K(a) and passes his own key, K(m), to Bob.
    3. Bob sends H(K(a), K(b)), K(b) to Alice.
    4. Mallory intercepts H(K(a), K(b)), K(b) and replaces it with H(K(a), K(m)), K(m).
    5. Alice computes H(K(a), K(m)) and sees that it matches.
    The problem is that neither Alice nor Bob knows the other's key, so they cannot differentiate between Mallory and each other. This is not circumventable. No matter what, Mallory can negotiate two separate connections with each of Alice and Bob, and simply relay, unless one of the two knows the other's key.
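
The exchange discussed in the man-in-the-middle comments above (CodeBuster's Diffie-Hellman description and the five-step Alice/Bob/Mallory run), as an added example that is not part of any original post. It uses a constructed toy group and hypothetical function names, and shows that the in-band hash check passes with Mallory in the path, while a fingerprint of Bob's key that Alice already held rejects the substituted key.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed): real systems use vetted groups.
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def H(*values):
    """Hash over public values, as in H(K(a), K(b)) from the comment."""
    return hashlib.sha256("|".join(map(str, values)).encode()).hexdigest()

def session_key(priv, peer_pub):
    return H(pow(peer_pub, priv, P))

def exchange(mallory_present, alice_knows_bob_key):
    a_priv, Ka = keypair()
    b_priv, Kb = keypair()
    m_priv, Km = keypair()
    # Assumption: a fingerprint Alice obtained out of band before connecting.
    pinned = H(Kb) if alice_knows_bob_key else None

    # Steps 1-2: Alice sends K(a); Bob receives K(m) if Mallory is in the path.
    bob_received = Km if mallory_present else Ka
    # Step 3: Bob replies with H(received key, K(b)) and K(b).
    confirm, alice_received = H(bob_received, Kb), Kb
    # Step 4: Mallory swaps in H(K(a), K(m)) and K(m).
    if mallory_present:
        confirm, alice_received = H(Ka, Km), Km

    # Step 5: the in-band check only proves the hash matches what arrived.
    inband_ok = confirm == H(Ka, alice_received)
    # The pinned check compares against something Mallory could not replace.
    pinned_ok = pinned is None or H(alice_received) == pinned

    alice_key = session_key(a_priv, alice_received)
    return {
        "inband_ok": inband_ok,
        "accepted": inband_ok and pinned_ok,
        "end_to_end": alice_key == session_key(b_priv, bob_received),
        "mallory_has_alice_key": alice_key == session_key(m_priv, Ka),
    }
```

With no prior knowledge of Bob's key, the intercepted run is accepted even though Alice and Bob no longer share a key; with the pinned fingerprint the same run is rejected before any session data flows.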
