TM: An alternative to DRM? Let's discuss.

[Steven Lyle Jordan]

I was inspired by Taylor514ce to start this discussion, which I touched on in another thread. In light of the fact that DRM doesn't do the job in preventing e-book piracy, I wanted to suggest an alternative, independent of the other discussions, and I'd like to hear comments on the idea.

The idea is based on current efforts in law enforcement, with internet developers, to devise a way to cut down child porn and find child pornographers through web traffic monitoring and detection. Their methods have been based around the idea of devising a way for child porn images to be identified by web technology as it moves through the web, even drilling into encrypted files to identify the elements common to child porn images. The theory is that any bit of data so identified can be tracked to a sender and a recipient, using new or existing technology at the ISP level, allowing the authorities to locate the computer used and apprehend the owner.

Substitute child porn images with copywritten texts, and you have the idea.

The first part of this idea, ID'ing possibly encrypted files as they go from place to place, is obviously the hard part, and the main sticking area with authorities and tech developers at this point. Nonetheless, they are supposedly making progress. The matter might be easier with text, as it is easier to capture text and compare it directly with a database of text stored somewhere, than it is for a computer to examine pixels and make a determination of the context of the picture. Programs are already in use by law enforcement and governments, designed to recognize key words and phrases linked to crime and terrorism, and flag those messages. An offshoot of that tech might be applicable here.

If the text can be identified, tracking it is relatively easy. It would only require cooperation from an ISP to track and identify an account or computer, something ISPs are already providing to law enforcement agencies. A copywritten text could therefore be tracked to the person who sent it, supposedly the one who illicitly copied it, and the recipient, determine who (if either) is operating against the law, and act accordingly.

Like so many methods of crime prevention, there are clearly issues of privacy here. The public will have obligations to meet, just as they do when they bring their driver's license to drive a car, or agree not to share cable service with their neighbor. The question is whether or not this system would be workable and fair enough to justify sacrificing an amount of privacy to allow it? How much of an amount? Is any sacrifice of privacy worth catching copyright violators?

And of course, how likely is such a system to work well enough to curb e-book piracy, bring improved confidence to the publishing industry, and foster increased e-book marketing and sales?

For the purposes of ease of discussion, I will refer to this idea as Traffic Management, or TM.

I invite comments. I'm interested to hear what others think of the workability of this idea.

[NatCh]

I think you're right that it's technologically possible ... not even difficult, really. I do see some privacy issues -- how do you get that warrant approved?

"Yes, Your Honor, I'd like you to sign a warrant for unknown persons passing unknown, possibly copyright-infringing materials to other unknown persons.

"What's that? No, we don't know who any of these folks are. No we don't know what the materials are. No we don't even know where they are, so they may not be anywhere near your jurisdiction.

"How would we do this? Well we have to look at every file that comes through the intartubes and ....

I'm not sure that warrant would get signed, and I'm pretty sure it shouldn't. Not in a free nation, anyway.

With child porn, there's actually a crime committed, so they may have better luck slipping that through, but copyright infringement is a civil matter, isn't it? (Regardless of what the RIAA might like us to think ) I can't see that getting much traction.

Its an interesting idea, and a very clever solution to the puzzle, but I don't think I like it.

[Steven Lyle Jordan]

Quote:

Originally Posted by NatCh

I think you're right that it's technologically possible ... not even difficult, really. I do see some privacy issues -- how do you get that warrant approved?...

Good point. Actually, I was thinking it would not require a warrant: It could potentially become a fairly automated process that would spit out data type (copywritten text), sender and recipient to local law enforcement, leaving it up to the law to contact either and have them establish lawfulness, or face fines/punishment.

It's a little different from, say, child porn, because it is legal to have an e-book... but not to illicitly transmit it to others. So search and seizure isn't necessarily in order, which means a warrant is not needed.

If you think of a cable company that can determine, through their cable box, that you are illicitly sharing your cable with others, they can simply shut off your service, then send you a notice informing you of your violation of their agreement, their demand that you pay a fine, and a threat to send your case to the authorities if you refuse (and even if you don't). An ISP could use that same method to exact punishment for illegal activities.

That, I think, is where the privacy sticking point is, because it could potentially punish one person for the actions of another... and said punishment (being cut off) could happen prior to actual establishment of guilt. Still, both of those possibilities serve as good incentive for households to make sure no one in the house is participating in ilicit activities...

Edit: No, I wouldn't consider that ideal. Ideal would be the ISP getting in touch with you with the accusation that you have been disseminating copywritten works without authorization, and charging you to contact them to prove legality OR be cut off. I mean, this isn't child porn...

[kovidgoyal]

How would it drill through encryption? Using simple end to end public key cryptography (e.g. the https protocol) should make this impossible. It takes massive amounts of computing power to decrypt something encrypted with large enough prime numbers. And monitoring this traffic in real time, I don't think so.

[Steven Lyle Jordan]

Quote:

Originally Posted by kovidgoyal

How would it drill through encryption? Using simple end to end public key cryptography (e.g. the https protocol) should make this impossible. It takes massive amounts of computing power to decrypt something encrypted with large enough prime numbers. And monitoring this traffic in real time, I don't think so.

In all honesty, I don't know how this is being approached, so I don't know how the authorities expect to be able to "break" or "drill into" any encryption system. I suspect maybe they think quantum computing will be their answer... they could easily be counting on some as-yet-undeveloped technology.

They may also be attempting to develop models that "guess" at the contents of an encrypted file, based on some attribute of the encrypted file, even without it being actually decrypted (sort of like systems that "guess" pictures are pornographic by detecting large percentages of flesh-colored pixels... not accurate, but a place to start).

Would there be any other conceivable way to determine the contents of even a piece of a data file (enough to positively identify it) in transit?

[kovidgoyal]

I actually work on quantum computation, and let me say that ISPs are not going to be using quantum computers to do real time decrpytion of internet traffic in at least the next 20 years.

As for guessing the contents of files:

Encrypted files are not really like pictures. A *unencrypted* picture has a recognizable patterns in it. You can encrypt a picture as well. An *encrypted* picture if viewed would look like a random collection of pixels, something like the "snow" you used to see on TV screens (though in full color).

Basically what encryption does is "randomize" the patterns in a file. It does this in a way that is very hard (though not impossible) to "un-randomize".

[Steven Lyle Jordan]

Okay, accepted. It would be well-nigh impossible to break encryption to identify a file.

Are there any other methods that can examine a data file in-transit and, if not determine its actual contents, make an "educated guess" as to the likely contents of the file? (Something like seeing a box, 1x1x1-foot, and heavy, and guessing that it contains a bowling ball.)

[Taylor514ce]

No. A randomized series of ones and zeros looks like a randomized series of ones and zeros. What those ones and zeros represent in terms of content depends entirely on what is interpreting those ones and zeroes, and that interpretation is not often done at the transfer/traffic level. What is often done, though, is to package those ones and zeroes into different container envelopes. The envelope may contain metadata, such as "here is your PDF file".

[Sunlite]

I see several problem with this idea.

1) I don't know exactly how a picture search like you described is implemented, but it is definitely not done by comparing each image with the content of a database. As far as I know images with certain content are found by analyzing the image in question by edge detection for example and comparing the the result with a parameter set, which is thought of representable of the kind of image you are looking for. I guess in the case of child porn it would be shapes and color schemes.

The analysis of text, if unencrypted, is of course a lot easier than analyzing images, but how would you find the parameters to differentiate between copy protected text and non-protected text?

2) If you give up the comparing scheme used for images, you need to compare a questionable text to a data base.Therefore you would need a data base of all copyrighted text in digital form. Since we know that not all text published in print are available in digital form to the publisher, how would it be created? Using the pirated versions from the darknet?

3) Even if you had a data base like that, you would need to determine which data sent through the web you have to check against it. I don't think key words would do it. Just think about any of the books from PG. What do you think how many of the words would you need to find it as an exact match in google with only a few or better none links to citations?

If you use need an exact match you need most of the text, which gets close to checking every possible text exchanged in the web. Even more, if you try to find key word for all possible text you probably end up with a dictionary worth of words. And with them you would find not only the copyrighted text but all citations, discussion, reviews and exerts of that text.

4) I'm against copyright infringements. I think the creators of media content should be paid for their work. But I don't think copyright infringement can or should be used to give anyone - either a government or even worth private companies - the right to check, read or analyze the communication of their citizen or customers at their will. That does sound way too much 1984 to me.

5) Lets leave out all of the above points for a moment. Lets say you have found a text sent from person A to person B that matches a copyrighted text in its entirety. How do you determine if this exchange was legal or not? I have the PID of my friend Iliad put into my Mobipocket account and I do send him the books I bought and downloaded. As far as I know that is legal, but how would you know? (Just a side thought: American lawyer have not the best track record of knowing or accepting the national law of other countries.)

Quote:

Originally Posted by Steve Jordan

If you think of a cable company that can determine, through their cable box, that you are illicitly sharing your cable with others, they can simply shut off your service, then send you a notice informing you of your violation of their agreement, their demand that you pay a fine, and a threat to send your case to the authorities if you refuse (and even if you don't). An ISP could use that same method to exact punishment for illegal activities.

The cable company does this for its own good. It will loose money on customers sharing one connection. They might even profit from punishing some innocent customers, the ISP does not. The ISP does not loose money through the copyright infringements of its customers. It will only loose money if it cuts customers off. You would need to find a very convincing reason for them to do as you suggested.

Quote:

Originally Posted by Steve Jordan

Edit: No, I wouldn't consider that ideal. Ideal would be the ISP getting in touch with you with the accusation that you have been disseminating copywritten works without authorization, and charging you to contact them to prove legality OR be cut off. I mean, this isn't child porn...

In most non-totalitarian system the justice works with "innocent until the guild is proved". I thought the United States were still one of them. If they are, why would the customer have to prove his innocence?

I'm all for a system that is better that DRM to protect the creators of media, but I don't think this is one. Sorry.

[NatCh]

Quote:

Originally Posted by Steve Jordan

Good point. Actually, I was thinking it would not require a warrant: It could potentially become a fairly automated process that would spit out data type (copywritten text), sender and recipient to local law enforcement, leaving it up to the law to contact either and have them establish lawfulness, or face fines/punishment.

Trouble is, that in looking for these things would require monitoring the communications of millions of people, and the Gubmint does need some sort of authorization to do that. Within the U.S. it requires a warrant (think phone taps), for communications that have one end outside the U.S. things are less stringent.

Of course you're actually talking about private organizations doing the policing, so different constraints may apply.

Quote:

Originally Posted by Steve Jordan

If you think of a cable company that can determine, through their cable box, that you are illicitly sharing your cable with others, they can simply shut off your service, then send you a notice informing you of your violation of their agreement, their demand that you pay a fine, and a threat to send your case to the authorities if you refuse (and even if you don't). An ISP could use that same method to exact punishment for illegal activities.

A cable company protecting its salable product and an ISP attempting to police illegal activities (and only civilly "illegal" at that) are two rather different things. The cable company's reasons for doing so are obvious, but why the name of little green apples would an ISP do this? And for every ISP that did go round the twist and decide to do so, thirty others would announce that people should switch to them because they don't.

Oh, yeah: if the ISP is doing this at the behest of a Gubmint organization, regardless of level, they would then fall under the same constraints as the Gubmint, because they're acting as agents of the Gubmint. Without the warrant or equivalent authorization, they not only effectively grant immunity to any prosecution, they also open themselves, and the Gubmint, up to law-suits out the wazoo.

They're not liable for what goes through their intartubes, so the best they could do would be to quietly collect the information and pass it along to whatever equivalent of the RIAA rises up to undertake the suing people for the sort of infringement we're talking about, and the ISP(s) might find themselves civilly liable for that when it came out, and it would come out. (I have no idea whether there'd be legitimate grounds for suits like that, but I'm sure they'd get sued bunches regardless, standing or no standing)

[moz]

Quote:

Originally Posted by Steve Jordan

I invite comments. I'm interested to hear what others think of the workability of this idea.

I think you misunderstand encryption.

Insofar as encryption works, it does so by making it much, much cheaper to encrypt something than to decrypt it without the secret. Over time, of course, the quantity "cheaper" changes in absolute terms, making last decade's "hideously expensive" todays "embedded processor". So provided you're willing to wait 10 years, anything you find today can be decrypted and inspected for naughty content. But for any given instant, it's possible to build an encryption system that cannot be broken in any reasonable time - to date the graph of "increasingly easy to crack because of improvements in cryptography" intersects with "processing power available at any price" a few years in the future. As we find problems with RSA we invent TwoFish and so on.

The consequence of that is that I can encrypt a file today using AES/7zip and send you something called "totally illegal filez.7z" and without the key for it you just have to wait. Either for your billion dollar supercomputer/cracking array to grind through AES key attempts, or for some smarty to find a problem with AES that means you only need a $20M array of computers to crack it within a month. Wait 10 years and you'll be able to download a crack tool off the net that will crack it in a week on your home PC (assuming political compatibility for both you and your chosen place of residence).

So: inspecting everything that goes over the net in near-realtime is not possible.

FWIW, pedophile rings are normally cracked because of human factors, not technical attacks. Viz, some moron slips up.

[Steven Lyle Jordan]

I know how it sounds, but it's not that I don't understand encryption. I'm simply reporting that there are organizations that are realistically trying to find "workarounds" that will identify the general contents of an encrypted file, not the actual content, but enough to flag improper files and prompt investigations. At any rate, I agree with the comments here that doing so will be exceedingly unlikely, so I suppose the TM system would not work. (Unless someone sees some other way around the problem that I'm not aware of.)

Quote:

Originally Posted by moz

FWIW, pedophile rings are normally cracked because of human factors, not technical attacks. Viz, some moron slips up.

They are also cracked by raw effort, i.e., officers haunting chat rooms, doing gumshoe work, setting up stings... IOW, sometimes even the smart ones get nailed. I understand that, too. And who knows... maybe that's what we should expect to see, an e-books version of the RIAA, kicking in the doors at your local pirate's house...

[Lemurion]

The last thing I want to see anywhere is another RIAA. It's already poisoning millions of people against both the legal system and intellectual property rights.

What's needed is a mitigation strategy more than an elimination strategy. Copyright infringement is like shoplifting, or shrinkage as the accountants call it. It's not going away any time soon. Do what Stardock does. If you can get enough people to pay for your product cater to them not to those who may pirate it. Social DRM and getting people to feel ashamed of pirating your product will work better in the long run.

[Steven Lyle Jordan]

Quote:

Originally Posted by Lemurion

Social DRM and getting people to feel ashamed of pirating your product will work better in the long run.

I agree with everything you said, except, unfortunately, this. The impression I've gotten (especially from the many threads on this site) is that "social DRM" and guilt trips simply don't work to deter anyone who just wants to take your stuff.

[Lemurion]

Quote:

Originally Posted by Steve Jordan

I agree with everything you said, except, unfortunately, this. The impression I've gotten (especially from the many threads on this site) is that "social DRM" and guilt trips simply don't work to deter anyone who just wants to take your stuff.

As far as I know, the truth is NOTHING will deter anyone who just wants to take your stuff. Having said that, the "social DRM" and sense of community has worked quite well for Baen toward reducing the amount of piracy.

It won't deter those who are serious about taking your stuff, but it appears to have an effect on reducing their numbers.