Privacy Technology

MPAA Developing Digital Fingerprinting Technology 544

Danathar writes "The MPAA is looking to use digital fingerprinting technologies that in conjunction with legislation will enable and force ISPs to look for network traffic that matches the signatures." From the article: "Once completed, Philips' technology--along with related tools from other companies--could be a powerful weapon in Hollywood's increasingly aggressive attempts to choke off the flood of films being traded online."
  • Encryption (Score:5, Insightful)

    by Odo ( 109839 ) on Sunday February 13, 2005 @07:43PM (#11663032)
    And ISPs are going to search for fingerprints in encrypted downloads how exactly?

    It would be relatively easy for the next generation of P2P applications to add very basic encryption. Possibly based on a captcha (just a regular zip file encrypted against the random letters contained in a gif).

    Or will the MPAA's next trick be to purchase legislation banning encryption?
  • Forget it (Score:5, Insightful)

    by Karamchand ( 607798 ) on Sunday February 13, 2005 @07:43PM (#11663035)
    Trying to make bits uncopyable is like trying to make water not wet. -- Bruce Schneier
  • by dostalgic ( 701463 ) * on Sunday February 13, 2005 @07:44PM (#11663041)

    While I'm certainly not a fan of the **AA, and I don't believe we need any more legislation, this to me is the least offensive method of combatting piracy. Assuming the technology works properly, this stops the actual illegal activity (i.e., trading copyrighted material) rather than needlessly infringing upon your right to make a legitimate backup or degrading the image with copy-protection schemes.

    I've long argued that such upstream measures are unfair. By moving the enforcement downstream to the proximate illegal act, we may be free to legally digitize our collections. Opinions?

  • Come on! (Score:4, Insightful)

    by neonstz ( 79215 ) * on Sunday February 13, 2005 @07:46PM (#11663059) Homepage

    Even if they managed to get the fingerprinting to work, it is dead easy to circumvent.

    Instead of splitting a torrent the way it is done today, just put every N bytes in the first block etc.

    Another approach can be to just encrypt each transmission from a peer to another peer with a key unique for that particular connection. XOR will work just fine. (Unless they extract the key of course, but that will require more sophisticated sniffing software).

    Imagine the sheer amount of data that has to be processed...

  • Made by Philips? (Score:5, Insightful)

    by mr.henry ( 618818 ) * on Sunday February 13, 2005 @07:48PM (#11663075) Journal
    It is sort of amusing that this technology is being developed by Philips, makers of the Philips DVP-642 [techtastic.ca], probably the most pirate friendly DVD player on the market today.
  • Great (Score:2, Insightful)

    by Anonymous Coward on Sunday February 13, 2005 @07:49PM (#11663090)
    "legislation will enable and force ISPs to look for network traffic that matches the signatures."

    It's a good thing the MPAA can essentially create legislation at will now.
  • 5 years from now.. (Score:5, Insightful)

    by evilmousse ( 798341 ) on Sunday February 13, 2005 @07:49PM (#11663091) Journal
    ..govt. and corporate interests will lament the day they drove the average user to encryption.
  • by Anonymous Coward on Sunday February 13, 2005 @07:51PM (#11663108)
    So they start sniffing networks for bits with the "acoustic properties" of music.

    And just by coincidence-- maybe a glitch or something-- they happen to latch on to a VoIP phone conversation I'm having with a friend about a sensitive personal matter. Maybe the dryer's running in the background. And their algorithm decides it's "acoustically" music.

    And they send out a subpoena, and they check, and they find oh no, you weren't trading music, you were just using the phone. And everything's dropped, and there's no problem.

    But in the meantime my intercepted phone conversation is sitting on a computer at Verizon somewhere.

    And this is acceptable ... why? I would not continue to do business with any ISP running this sort of software.
  • by LionKimbro ( 200000 ) on Sunday February 13, 2005 @07:53PM (#11663126) Homepage
    We have 1TB disks coming up soon.

    I don't know how many terabytes of released music exist in the world, but I imagine it's a finite number.

    We'll probably have 100TB disks, and then 10,000 TB cubes at some point in the future.

    Perhaps all the world's music will fit in the space of a cubic centimeter.

    You visit your friend's house, put your cube-disk next to his cube-disk, hit "copy", and then walk home with your copy of the entire world's music.

    Really, there's not a whole friggin' lot you can do about that.

    Perhaps the possession of world-music cube-disks will be the next marijuana possession.
  • by bigtallmofo ( 695287 ) on Sunday February 13, 2005 @07:56PM (#11663150)
    First I read this story [slashdot.org] today, and I swear I still want my 5 minutes back from wasting my time reading it. Then comes along this story about the MPAA developing "fingerprinting" technology. I suppose that when someone rips a DVD using DVDShrink or DVDDecryptor or any number of other programs that said program is going to copy said fingerprint wholly intact into the resulting file even if it compresses said file. Then, after I convert it to DivX format, I'm sure the fingerprint is still going to be intact. Then after I transfer it with (Insert any of BitTorrent, WinMX, IRC, FTP, etc, etc, etc, etc) the fingerprint is going to be sent intact without using a fragmented TCP packet. Assuming all this to be true, my ISP is supposed to then pick out this needle-sized fingerprint in a galactic-sized haystack.

    This is pure science fiction.
  • Hmm, wouldn't... (Score:3, Insightful)

    by scifience ( 674659 ) * <webmaster@scifience.net> on Sunday February 13, 2005 @07:58PM (#11663175) Homepage
    Wouldn't this digital "fingerprint" just be erased/garbled when it is encoded in a different format, like, say, DivX or XViD?
  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Sunday February 13, 2005 @07:58PM (#11663183)
    Comment removed based on user account deletion
  • Re:Encryption (Score:5, Insightful)

    by mickwd ( 196449 ) on Sunday February 13, 2005 @07:59PM (#11663186)
    Maybe the MPAA's next trick is to publicise some scheme they're thinking of using, letting it get published to Slashdot, reading what Slashdotters have to say, and using this to help decide on its viability, before investing any serious amount of money in it.

    Free technical review.

    Doesn't anybody else here think that occasionally someone from the "usual suspects" (Microsoft, RIAA, MPAA, etc) might read what some of their "opponents" are saying about them? Especially when people here openly post how they will get round what the organisations concerned are trying to achieve (rightly or wrongly).

  • by fyoder ( 857358 ) on Sunday February 13, 2005 @07:59PM (#11663191) Homepage Journal
    It is sort of amusing that this technology is being developed by Philips, makers of the Philips DVP-642, probably the most pirate friendly DVD player on the market today.

    Makes sense. Make money selling tech to both sides.

  • by chrome ( 3506 ) <chromeNO@SPAMstupendous.net> on Sunday February 13, 2005 @08:00PM (#11663197) Homepage Journal
    Don't think so. The DMCA is there to protect media rights holders, not the common man.

    You can't, say, have an encrypted hard disk, then sue the MPAA for decrypting it when they arrest you for movie trading, based on the DMCA.

    You might have a case with regards to privacy ... oh, wait, all privacy laws have been stripped away from US citizens since 9/11, so I guess that won't work either.

    Face it America: You're screwed.
  • Re:Encryption (Score:2, Insightful)

    by J'raxis ( 248192 ) on Sunday February 13, 2005 @08:04PM (#11663227) Homepage
    I'd suggest encrypting the entirety of the p2p traffic (SSL layer or something), otherwise things like headers and searches are still visible.
  • Re:It's funny... (Score:5, Insightful)

    by SunFan ( 845761 ) on Sunday February 13, 2005 @08:10PM (#11663273)

    Perhaps this will lead to a division in society between the people who know the MPAA can't take our money and those who don't. These companies exist only because of us, the customers. I have no problem at all telling them to %$#@ off, because I know entertainment is cheap and very easy to come by. Take my kid to a movie vs. take my kid to a park vs. take my kid to a ball game, whatever. Movies really are not that big of a deal. Sure I might miss great movies like Dr. Strangelove, but, ultimately, movies are just a medium for these stories and certainly not a requirement. Indy productions, stage adaptations, etc. are all different ways for the talented people out there to tell their stories. Big company execs can kiss my ass for all I care.

  • ISPs (Score:4, Insightful)

    by vistic ( 556838 ) on Sunday February 13, 2005 @08:16PM (#11663322)
    IANAL and IRECTAL, but why do ISPs have to then shoulder the responsibility of policing all this traffic and enforcing this proposed law? I don't think it could even be accomplished, considering how many ISPs are out there, and how hard it would be to make them all put in the same effort and follow the same procedures. It seems to me the only way to force such an internet-wide filtering scheme would be to pass all the data through a government server (or servers), and that's not going to happen considering how everyone's so used to things being the way they are now, infrastructure-wise.

    The MPAA/RIAA need to realize that these measures they keep proposing time and again are futile. Even if your ISP started policing your traffic, you could switch to a smaller ISP that's being more lax in its enforcement and is "below the radar".

    And how does the MPAA propose getting these digital fingerprints onto ALL media? And how long would it take for someone to figure out how to strip the fingerprint from the file?

    When it comes down to it, *any* DRM in audio files is defeatable by playing it back on a high quality speaker and re-recording it with a high quality recorder. A similar set-up could be used (with more difficulty) for video I suppose as well.

    The MPAA/RIAA need to change their tactics in a big way and figure out how they can give the market what they want at a price they want, so that everyone who's downloading movies and music today decides that the MPAA/RIAA's new way is easier, and downloading isn't worth the hassle. I think one of the big things they're releasing is that people will pay more for special features and other things that add value to their product which are simply unavailable online.

    The MPAA/RIAA's realization will come, I just don't know how many more years it will take and how many eras we need to go through (Usenet era, Napster era, Kazaa era, BitTorrent era) before they realize that people out there are innovative enough to come up with a new filesharing means, always. Maybe the current crop of CEOs and managers need to be gone before that will ever happen.
  • by John Seminal ( 698722 ) on Sunday February 13, 2005 @08:23PM (#11663371) Journal
    All the music I can think of and many DVD's are at my library. You don't even need a library card, because you don't have to check anything out. You just toss the DVD or CD in the laptop and copy it over. Put the DVD or CD back in the collection when done, and you have your copy that you can listen to whenever you want.

    I think what the MPAA and RIAA wants to do with p2p is not to shut it down (because that will be an impossible goal), but to make it so hard to copy stuff that 99% of the people will not want to even try. People will get on-line, look for a few websites, try to make a copy, and when it fails, three hours later, they will say fuck it. They did it with napster when they flooded them with mp3's that had high pitched noises in the music, or worse, gave you a loop of 10 seconds of the song. It was not usable. Then they went after torrent websites, leaving a few left that you have to register with.

    I suggest that everyone who wants music go to the library and copy it while you can. Who knows what the RIAA and MPAA have coming down the pike.

  • Re:Encryption (Score:2, Insightful)

    by laughingcoyote ( 762272 ) <barghesthowl@@@excite...com> on Sunday February 13, 2005 @08:26PM (#11663396) Journal

    On what grounds? Encryption has already been ruled to have substantial legal use, therefore, under Betamax, they cannot attack a technology just because it encrypts. Similarly, P2P apps have substantial legal use, therefore they cannot attack a program just on the basis that it's P2P. So what argument will the good old MPAA make?

  • Slower 'net access (Score:4, Insightful)

    by nurb432 ( 527695 ) on Sunday February 13, 2005 @08:29PM (#11663421) Homepage Journal
    We have implemented a box at work that monitors all traffic for 'stuff', and it's slowed us down significantly. Regardless if it's Internet web traffic or simple SQL queries on internal servers.

    Having this stuff mandated on our ISP will just about kill our connection. ( and raise costs ) Between this and spam it will drive people off line ( which might be their ultimate goal anyway, can't download if you aren't on the 'pirate-net' )
  • Actually... (Score:3, Insightful)

    by Kjella ( 173770 ) on Sunday February 13, 2005 @08:33PM (#11663444) Homepage
    Testing that against a known file is trivially simple. Simply take two blocks, and subtract them. You'll have (A+XOR)-(B+XOR) = A-B. If you're going to, use proper encryption. With OpenSSL it is fairly easy anyway.

    Kjella
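The cancellation described in the comment above, as an added example that is not part of the original post: when every block of a connection is XORed with the same key, XORing two ciphertext blocks removes the key, so traffic can be matched against a known file without ever learning the key. The block size, the sample data and the SHA-256 keystream (a stand-in for a real cipher) are assumptions of this sketch.

```python
import hashlib

BLOCK = 16  # bytes per block; assumed equal to the XOR key length


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The weak scheme: XOR every block with the same per-connection key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real stream cipher: a fresh SHA-256 pad per 32 bytes.

    Illustration only; real software should use a vetted cipher from a
    maintained library (the comment above suggests OpenSSL).
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def block_differences(data: bytes) -> list:
    """XOR of each adjacent pair of blocks; a repeated key cancels out here."""
    blks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    return [bytes(x ^ y for x, y in zip(a, b)) for a, b in zip(blks, blks[1:])]


def same_content(observed: bytes, known: bytes) -> bool:
    """True when observed bytes match a known file, with no knowledge of the key."""
    return block_differences(observed) == block_differences(known)


# Constructed sample data: pseudo-random bytes standing in for two files.
KNOWN_FILE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
OTHER_FILE = b"".join(hashlib.sha256(bytes([i + 100])).digest() for i in range(8))
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

if __name__ == "__main__":
    weak = xor_repeating(KNOWN_FILE, SESSION_KEY)
    strong = keystream_encrypt(KNOWN_FILE, SESSION_KEY)
    print("repeating XOR key, known file recognised:", same_content(weak, KNOWN_FILE))
    print("non-repeating keystream, known file recognised:", same_content(strong, KNOWN_FILE))
```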
  • Wow! (Score:5, Insightful)

    by rbarreira ( 836272 ) on Sunday February 13, 2005 @08:42PM (#11663529) Homepage
    The trick is to make that identification process work even if the file is compressed, turned into a different computer file format or otherwise changed slightly. For a song, this means basing the fingerprint on the music's acoustical properties, rather than on the ones and zeros that make up a given digital file.

    The video process is similar, but would use visual characteristics of individual video frames instead of audio qualities.

    A good fingerprinting technique must be able to identify the movie even if parts of it are being downloaded out of order, or if some bits have been cut out, Maandonks said.


    Wow, is this a kind of an April Fool's or something? I don't even think I need to comment much on the infeasibility of this...

    Next thing you know, the RIAA will be solving NP-complete problems in constant time or something...
  • by Revek ( 133289 ) on Sunday February 13, 2005 @08:45PM (#11663558)
    Greedy men build new system to catch people who will never buy their products. Men with a different opinion break it. Personally if I pay to go see a movie one time I don't feel any need to pay for it again.
  • by ScrewMaster ( 602015 ) on Sunday February 13, 2005 @08:47PM (#11663571)
    Frankly, I don't want to have to deal with any kind of "dispute process" or take the risk that a failure of that process might land me in court. File-sharing of music and movies isn't my problem: it's not some significant social issue that we all need to be concerned about. Racism ... sure. Health care ... certainly. Undue corporate influence in Congress ... absolutely. But ... Music? Movies? Why are we even considering subverting our national communications system to serve the needs of a few large corporations? Most of whom, I might add, are foreign interests.

    This is really starting to get out of hand. I mean, the entertainment industry is not some great cultural treasure that must be preserved at all costs (the people that run it think so, but they are mistaken.) This is an economic matter, no more and no less. I didn't shed a tear when Westinghouse went belly up, I didn't lose any sleep when K-Mart filed for bankruptcy ... some organisms survive change, and others don't. Let the RIAA and the MPAA and all their member corporations deal with the pace of progress like every other adaptable company that survived the advent of the Internet. Gee ... the public Internet makes "rampant piracy" possible? You're losing billions? THAT'S JUST TOO GOD DAMN BAD. The world changed around you, and in any event does not exist solely for your enrichment. Deal with it.
  • I'm afraid not (Score:2, Insightful)

    by ThreeDayMonk ( 673466 ) on Sunday February 13, 2005 @09:20PM (#11663772) Homepage
    Until you produce a recording of the above compositions, the only space required to store them is the algorithm you've described above, which fits into the eminently finite space of one Slashdot post.

    Even if we accept that computers can produce an infinite number of pieces of released music, the number already in existence at any moment in time is finite. The number of items of proper, human-created music that someone would conceivably want to listen to is still finite, and smaller.

    Therefore, a sufficiently-large storage medium can hold all the music created and available at a given point in time.
  • by SpacePunk ( 17960 ) on Sunday February 13, 2005 @09:26PM (#11663807) Homepage
    "This topic is absolutely chock-a-block with discussions about which burglars' tools work best to fuck over and steal from our neighbors. What next, discussions on how to cut through school zones and take kindergarten-age hostages to elude the police during a high-speed chase? "

    I look at it like this. A discussion on how to preserve the privacy and liberty of those of us that do not commit copyright violations. Allowing this is like allowing the cops to tap my phone because my neighbor was caught committing a crime. It's unacceptable.

  • SSL (Score:4, Insightful)

    by Danathar ( 267989 ) on Sunday February 13, 2005 @09:31PM (#11663840) Journal
    A "little" off my own topic since I submitted the story....but the result of this I would imagine would be that p2p will start using SSL to encrypt the traffic (I put this in my text blurb for the story...but slashdot editors chopped it). Anyhow...this will NOT only defeat the MPAA, but MANY universities use traffic shapers to fingerprint Bittorrent and p2p traffic to keep it from saturating their bandwidth to the Internet. SSL encrypted p2p will effectively make packet shaping these services impossible.
  • by teamhasnoi ( 554944 ) <teamhasnoi AT yahoo DOT com> on Sunday February 13, 2005 @09:41PM (#11663916) Journal
    you can have your unbreakable copy protection in exchange for 20 year copyright length.

    Of course, my right to "fair use" will stand, so I can make backup copies and time and format shift for my own personal use.

    You figure it out.

  • by Joff_NZ ( 309034 ) on Sunday February 13, 2005 @09:42PM (#11663925) Homepage Journal
    I think the banks of the world might have something to say about that, and last time I checked, they are way bigger, and wield *much* bigger sticks than the MPAA/RIAA
  • MITM flaw (Score:2, Insightful)

    by zbyte64 ( 720193 ) on Sunday February 13, 2005 @10:40PM (#11664271) Homepage
    Let's ignore the increase in computational power, MITM attacks require the attacker to _know_ the encryption algorithm. If [insert your favorite p2p app] supports plugin type encryption modules, a select group could write their own encryption module and keep it in their little circle. This would effectively keep the ISP from MITM (unless the module gets leaked)
    Second is the ISP has to recognize that the people are encrypting it, if someone engineered a different handshake protocol, then this could become troublesome for the ISP to MITM.
    The MPAA will always go for the biggest targets, but people are dispersing onto smaller, closer knit communities. I currently use two, one that uses IRC and another that not even Google caches. The little groups could easily implement their own encryption methods thus keeping safe from the idiotic MPAA.
  • Screw 'em (Score:4, Insightful)

    by Kris_J ( 10111 ) * on Sunday February 13, 2005 @11:49PM (#11664670) Homepage Journal
    That's it. Movies have too much baggage. And they're crap. My mother bought "I Robot". I lasted five minutes. I had to sit through an un-skippable "ad" where I was reminded not to steal movies only to be presented with a movie where the first line is a product placement. Two plot cliches could be found in just the first few minutes. (Character saved by a minority, still doesn't like them and character misjudges the action of a minority and acts like an arse.)

    Quite frankly I'm having way too much fun with books at the moment. Real, Dead Tree Format books. There's some great stuff being produced, not like the pap that is a "blockbuster" movie.

    I walked away from new music ages ago. I neither buy new stuff nor download anything. Because I also don't listen to the radio (*shudder*), I have no idea what music is out there. Thus I don't buy any. I'm watching less and less TV, I don't download movies and I don't go to the cinema. Movies are coming out now, I don't know what they are. When I do finally find out about them, I wonder why anyone pays money to see them, apart from being able to say they paid money and saw them.

  • Re:Encryption (Score:3, Insightful)

    by Yartrebo ( 690383 ) on Sunday February 13, 2005 @11:56PM (#11664710)
    There are ways around it.

    Here's one idea I have.
    1: Peer 1 sends public key to peer 2.
    2: Peer 2 concatenates his public key with the one supposedly received from peer 1 and hashes the result. This is returned to peer 1 along with peer 2's public key.
    3: Peer 1 computes the hash using his public key and the public key sent from peer 2.
    4: If the hash doesn't match the hash that was sent back, then the keys are compromised.

    Peer 1 now signals that his key is valid. Peer 2 discards his key and both generate a new key.

    Repeat steps 1 - 4, but swap peer 1 and peer 2.

    Now peer 1 uses his public/private key from the first exchange, and peer 2 from the second exchange.

    The key point is that the man in the middle doesn't get both public keys until after the first hash has been sent, by which time it is too late to compromise the first peer's public key without the return hash giving away the key switching that the man in the middle did.

    The second peer's key can be compromised, which is why the process is repeated with the peers switching roles with new keys.

    Is there anything wrong with this?
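A simulation of steps 1 to 4 as they are written in the comment above (an added example, not part of the original post), run over three kinds of network path to show what the step 4 comparison does and does not detect. The 32-byte random strings stand in for public keys, and the class names and the concatenation order are assumptions of this sketch; the last result field models a fingerprint comparison over a separate channel, which the comment does not describe.

```python
import hashlib
import os


def pair_hash(first: bytes, second: bytes) -> bytes:
    """Unkeyed hash of two public keys, as in steps 2 and 3."""
    return hashlib.sha256(first + second).digest()


def fingerprint(key: bytes) -> str:
    """Short fingerprint that two people could read to each other."""
    return hashlib.sha256(key).hexdigest()[:16]


class HonestPath:
    """Forwards every message unchanged."""

    def toward_peer2(self, k1: bytes) -> bytes:
        return k1

    def toward_peer1(self, digest: bytes, k2: bytes):
        return digest, k2


class KeySwapOnly(HonestPath):
    """Replaces peer 1's key in step 1 and forwards the reply untouched."""

    def __init__(self):
        self.own_key = os.urandom(32)

    def toward_peer2(self, k1: bytes) -> bytes:
        self.seen_k1 = k1
        return self.own_key


class KeySwapAndRehash(KeySwapOnly):
    """Also replaces the reply, recomputing the hash from values it has seen."""

    def toward_peer1(self, digest: bytes, k2: bytes):
        return pair_hash(self.own_key, self.seen_k1), self.own_key


def run_steps_1_to_4(path) -> dict:
    k1, k2 = os.urandom(32), os.urandom(32)   # constructed stand-ins for keys
    k1_at_peer2 = path.toward_peer2(k1)                        # step 1
    digest, k2_at_peer1 = path.toward_peer1(
        pair_hash(k2, k1_at_peer2), k2)                        # step 2
    check_passed = digest == pair_hash(k2_at_peer1, k1)        # steps 3 and 4
    return {
        "check_passed": check_passed,
        # Ground truth, visible only inside the simulation:
        "peer1_holds_real_key": k2_at_peer1 == k2,
        # What the peers could verify over a separate channel:
        "fingerprints_agree": fingerprint(k2_at_peer1) == fingerprint(k2),
    }


if __name__ == "__main__":
    for path in (HonestPath(), KeySwapOnly(), KeySwapAndRehash()):
        print(type(path).__name__, run_steps_1_to_4(path))
```

The hash and peer 2's key travel over the same path and the hash has no secret input, so whoever can replace the key can also replace the hash; only a comparison made outside that path tells the last two cases apart.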
  • Re:Encryption (Score:3, Insightful)

    by theLOUDroom ( 556455 ) on Monday February 14, 2005 @12:44AM (#11664969)
    "This wouldn't work with public key encryption."

    sure it would, that is the whole point behind the man-in-the-middle attack.

    Actually, no it wouldn't work. Not for a well-designed system anyways. As long as the initial download of the app occurs via an SSL connection, you can send as many public keys with the app as you choose.

    However, this requires central registration and management of keys, something which is unlikely to be palatable to P2P users for obvious reasons and thus the man-in-the-middle problem will persist when computing session keys for encryption on P2P networks.

    Trent already exists in the form of Verisign, et al and any ISP mucking around with SSL root certificates is just asking for a huge lawsuit. Not only would that create a huge potential for online fraud, but it would also directly threaten Verisign's revenue stream. And it would also violate a myriad of computer crime laws. Just as your transfer to an encrypted connection with amazon.com is seamless and easy, so may it be on p2p.

    A really clever approach to something like this would take advantage of techniques like "secret sharing" so that the compromise of a single server, or even several servers would not cause the system to fail. Then the servers would be placed in various countries throughout the world to make any sort of legal attack on the system ridiculously expensive.
  • by Simonetta ( 207550 ) on Monday February 14, 2005 @12:58AM (#11665041)
    Instead of going on for a hundred messages about the minuscule details of P2P, encryption, and the rest, let's assume that the MPAA can stop P2P and think of what the effects would be and the unintended consequences.
    So... Assume that someday,
    Super DRM is in place on Hollywood movies. When you download a Hollywood film, they have a record of the film and the PC address that it went to.
    Now what are they going to do? Will they just have an automatic robot prosecutor (like the photo-radar that automatically sends you a speeding ticket)? What will the fine be? $100,000 per movie? And what if no one pays? Do they automatically link to your bank account and deduct $100,000; or $10,000; or maybe just 50% of whatever's in the account? Will they have the ability to automatically garnish your wages so that 35% of whatever you earn for the rest of your life goes to them before taxes?
    And just exactly how many people do they think that they are going to do this to in a country that has more guns than people before the leader of MPAA gets his pointy-little head blown off?
    There are millions of people out there trading movies. Not one thinks that there is anything wrong with doing it. Not one thinks that the movie that they just spent hours downloading for a crappy little image is worth paying hundreds of dollars for, never mind hundreds of thousands of dollars. If they did, then they would pay $20 for the DVD. Or ten dollars to go to the theater and watch it.

    So, what are they going to do? Have a lottery?
    They gather data on 100,000 movie downloads and then pick one at random. Throw every lawyer in Hollywood and this poor schmuck, destroy his life, and require you to watch a five minute summary of it in the theater between the Pepsi ads and movie previews?

    And if they did do this? Would it make their basic product any better? Would you be more willing to shell out $12 to go see White Cop, SmartAss Black Cop XXXIV and the local 12 screen multiplex? Or the latest braindead-on-arrival CGI cliche-ridden mess from a film industry on auto-pilot?

    There are thousands of movies made each year. Hundreds of them are good and some are mind-boggling excellent. Most will never get seen by the people would be willing to pay real money for the opportunity to enjoy them.

    P2P is the only way that Hollywood is going to get this vast reservoir of good movies together with the willing and eager audience. Frankly, P2P is the only way that Hollywood is going to be around fifty years from now.

    I wish I could say to these people to just take their head out their ass, stop trying to fight the future, and start paying attention to all the people who are seriously interested in keeping the Hollywood entertainment industry in good health through this period of epic change.

    But I don't really have much hope for them anymore. Hollywood is its own worst enemy, not the P2P film freaks.
  • Re:Okay (Score:2, Insightful)

    by Evil Trigun ( 845041 ) on Monday February 14, 2005 @02:05AM (#11665305)
    Finally somebody says something smart! Ok so what if the plan isn't feasible? So what if all we need is encryption? While all these things are good ideas, in their own sense it doesn't get to the meat and potatoes of the matter! So what if the DMCA is messed? So what if it took away a lot of creativity? Coward made a good point in saying even if they do this (which even with the DMCA it's a long shot) they cannot force the ISPs to monitor this. So let's look at this logically? What it will come down to (hell it's the main issue for both sides: MPAA and "Pirates") is MONEY. What the MPAA will try to do is bargain with the ISPs. Use money or some sort of incentive. HOWEVER many pirates will be pissed (as well as customers just concerned about their privacy, like me for instance) will drop their ISP for something different... A new high speed ISP that won't hand over the logs! So it's not really in the MPAA's hands, it's the ISP who have the power. And they will ultimately have to choose between MPAA or the growing pirate crowd.
  • Re:Encryption (Score:3, Insightful)

    by Federico2 ( 792815 ) on Monday February 14, 2005 @05:00AM (#11665857)
    GPG users face the same problem. But there is a solution actually used:

    1. Alice doesn't send her public key K(a) to Bob.
    1b. Bob retrieves Alice's public key from some repository around the world.
    1c. That key is authenticated by a network-of-trust involving Alice's friends and other users, so Bob is protected against man-in-the-middle

  • by Anonymous Coward on Monday February 14, 2005 @10:00AM (#11666872)
    Mallory must use the same public key every time, otherwise Alice or Bob will notice something fishy when they reconnect in future.

    For this reason, Mallory must either keep a database of every user and the corresponding fake key to use, or always use the same fake key on all connections.

    If Mallory always uses the same key, then that key could become known, also all Alices would share the same key which would become suspicious to the Bobs.

    The database idea is big and all Mallorys would have to share the same database.

    Otherwise Mallory must rely on Alice and Bob not looking too closely at keys, or their software not looking too closely at keys, or communications between an Alice and a Bob being one offs and not repeated.

    Of course, in the latter case perhaps the MPAA/RIAA have good cause to go after you. For communicating between friends, the man in the middle attack is far harder. You can always check fingerprints in person and build up a PGP like tree of trust. Currently too much trouble for many users, but if the MPAA/RIAA push harder, I expect many users will find themselves becoming far more competent in applied encryption.
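The two signals named in the comment above, a peer whose key differs on reconnect and one key turning up for many different peers, can be checked by remembering fingerprints. This is an added example, not part of the original post; the class name, verdict strings and sample observations are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a peer's public key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class KeyPinStore:
    """Remembers the first key seen for each peer and compares later ones."""

    def __init__(self):
        self._pins = {}                       # peer id -> pinned fingerprint
        self._peers_by_fp = defaultdict(set)  # fingerprint -> peers presenting it

    def observe(self, peer_id: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        self._peers_by_fp[fp].add(peer_id)
        pinned = self._pins.get(peer_id)
        if pinned is None:
            self._pins[peer_id] = fp          # trust on first use
            return "first-seen"
        if hmac.compare_digest(pinned, fp):
            return "match"
        return "changed"                      # the original pin is kept

    def shared_keys(self, min_peers: int = 2) -> dict:
        """Fingerprints presented under several peer ids."""
        return {fp: sorted(peers)
                for fp, peers in self._peers_by_fp.items()
                if len(peers) >= min_peers}


# Constructed observations: (peer id, key bytes presented on that connection).
CONSTRUCTED_LOG = [
    ("alice", b"key-A"),
    ("bob", b"key-B"),
    ("alice", b"key-A"),   # reconnect with the same key
    ("carol", b"key-X"),
    ("dave", b"key-X"),    # a second peer presenting the same key
    ("alice", b"key-X"),   # a known peer now presenting a different key
]


def replay(log):
    """Feed a log through a fresh store; return the verdicts and shared keys."""
    store = KeyPinStore()
    verdicts = [store.observe(peer, key) for peer, key in log]
    return verdicts, store.shared_keys()


if __name__ == "__main__":
    verdicts, shared = replay(CONSTRUCTED_LOG)
    for (peer, _), verdict in zip(CONSTRUCTED_LOG, verdicts):
        print(peer, verdict)
    print("keys presented by several peers:", shared)
```

A first-seen key is accepted unverified here, which is the gap that checking fingerprints in person, as the comment suggests, closes.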
  • by KarmaOverDogma ( 681451 ) on Monday February 14, 2005 @11:06AM (#11667540) Homepage Journal
    I personally agree with what you are saying, but please remember this:

    you may be sorely misunderestimating (and I use that word intentionally here) the power and connections of the *AA & Entertainment Industry.

    Doubt me? Remember this:

    * We now have a Federal Government firmly in control of one party (with the possible exception of the Judiciary, for now) with a clear favor towards corporate interests.
    * Even under the Clinton Administration, the mother-of-all-evil, you-just-lost-your-previously-held-consumer-rights, criminalize-thought DMCA was passed
    * The FCC passed the Broadcast Flag regulation despite the clear objections of consumers
    * Congress decided to extend Copyright (Copywrong?) protections well beyond what most mere mortals consider necessary to encourage and protect creative works (even the Supreme Court found the law to be dumb but still within the power of Congress to extend it) Thanks, Sonny!
    * Other seemingly more reasonable countries are being/have-been adopting DMCA like legislation under pressure from Uncle Sam and his corporate-leveraging trade interests (think Australia and the previous Slashdot story where a fellow was found guilty of piracy-by-hyperlinking, among what I'm sure are countless other stories I can't recall)

    The thing that may stop this cute little idea is ISPs that could-give-a-sh*t-less about implementing a policy that will only cost them more money choosing to ignore digital fingerprints because there is no law requiring them to do so in their host country (think of Demonoid.com's shut down and re-launching just one month later under similar circumstances). But don't you worry - Uncle Sam and his corporate sponsors are working on that one....
