Slashdot Mirror


SDMI Challenge Participants May Face DMCA Action

ssimpson writes "Everyone has probably forgotten the SDMI challenge to hackers to try to break a handful of proposed watermarking and "other" protection mechanisms? Well, it was recognised that a group of researchers at Princeton University broke all of the protection mechanisms and were due to publish a paper on it at the 4th International Information Hiding Workshop (25-29 April) but have been threatened with the DMCA if they publish the results. So much for academic freedom, eh? SDMI seem particularly upset because one of the protection mechanisms broken in the paper, The Verance Watermark, is currently used for DVD-Audio and SDMI Phase I products. Oops. Somehow, a copy of the threatening letter and the full paper entitled "Reading Between the Lines: Lessons from the SDMI Challenge" has appeared on John Young's excellent Cryptome site. SDMI's urge to "withdraw the paper submitted for the upcoming Information Hiding Workshop, assure that it is removed from the Workshop distribution materials and destroyed, and avoid a public discussion of confidential information." seems a little weak now...."


  1. Weak by Mike+Connell · · Score: 5

    Whilst I'm happy to see the results published, it's disappointing to see them leaked anonymously. I would have far preferred the faculty at Princeton to stand up, give the RIAA the finger and say "We're scientists. We do research and publish. If you don't like the fact that some of our guys cracked your methods, don't make them so weak".

    Now the appearance is that university researchers *are* in fear of RIAA and the bizarre legal state of affairs that exists. After all, if Princeton can't/won't stand up to them, who will?

    It's nice that the paper is out, and that, (presumably), they can now present it at the IHW conference without repercussions, but it still leaves a bad taste in my mouth.

  2. proof the RIAA is stupid. by moller · · Score: 5

    They addressed the letter wrong:


    April 9, 2001

    Professor Edward Felton
    Department of Computer Science
    Princeton University
    Princeton, NY 08544

    Dear Professor Felten,

    (etc.)


    Well, it's a good thing that they got the Zip code right. Last time I checked, Princeton University wasn't in NY. The RIAA can't even send threatening letters correctly.

  3. I'm going to disagree for this instance by moller · · Score: 5

    Colleges and Universities also have a time honored tradition of bending over for anyone who is or might be a contributor. If Princeton's development office has them on file as a donor, you'll be disappointed how quickly they'll act to shut up their own students and faculty.

    Well...I don't know how true that is in general. But specifically regarding this case, from the FAQ (http://www.cs.princeton.edu/sip/sdmi/faq.html) on their webpage, they state that:

    Fortunately, the DMCA did not apply to this challenge, since SDMI granted explicit permission to study their technologies. We are not sure whether it would have been legal to study these technologies outside the context of this challenge. We think the DMCA, by criminalizing some kinds of study of important technologies, represents an "ignorance is bliss" approach to technological copyright enforcement, which will not work in the long run. We lobbied against certain aspects of the DMCA while it was before Congress, and we still consider it to be a seriously flawed law. (my emphasis)


    Above, we mentioned the important role of analysis in the design of security systems. The main problem with the DMCA is that it hinders this analysis, restricting it in order to provide an extra layer of legal protection for existing copyright systems. But this causes the scientific process to stagnate. Imagine a federal law making it illegal for anyone (including Consumer Reports) to purposefully cause an automobile collision. While this may be a well-intentioned attempt to stop road-rage, it also bans automobile crash-testing, ultimately leading to unsafe vehicles and the inability to learn how to make vehicles safe in general. The situation with the DMCA is analogous.


    So this group of researchers lobbied against the DMCA. This would be the perfect opportunity for them to fight it. Seeing as how they've said that they disagree with the DMCA, it seems that it would be more likely for them NOT to fold under the RIAA's pressure.

    Moller

  4. The Verance Watermark by Apotsy · · Score: 5

    The thing that really sucks about the Verance watermark is that it is designed to survive lossy compression and analog copying. Of course, in order to do that, it has to be so obtrusive that you can hear it, despite the company's claims to the contrary.

    According to this article, recording engineer Tony Faulkner was able to spot the watermark 75% of the time on his first chance at hearing it. What does that tell you? That this stupid watermark is going to be something you will hear on every DVD-A disc you buy! Doesn't that suck?! Well, the recording companies don't care ... they just want to stop those Napster punks from stealing their content -- quality be damned!

  5. will this trigger them, as well? by TheGratefulNet · · Score: 5

    I just downloaded the latest Mandrake install .iso

    I mounted the iso image in loopback mode (mount -o loop ...) and did a find on the filesystem to see what the latest Mandrake has.

    imagine my surprise when I found they had a copy of DE-CSS in there:

    % find /mnt -print
    /mnt
    /mnt/autorun.inf
    /mnt/COPYING
    .
    .
    .
    /mnt/tutorial/style/de.css
    /mnt/VERSION

    it's the 2nd to last file in the distro.

    sorry for blowing the whistle on you, Mandrake, but I'm just doing what my country wants; turning in my fellow man for the Greater Good.

    --
    "It is now safe to switch off your computer."

  6. Felten is amazing. by e_lehman · · Score: 5

    Edward Felten is amazing.

    • This is the same guy that provided Boies with his technical ammunition in the Microsoft trial. It was while trying to prove that Felten's IE-remover program didn't work that Microsoft was devastatingly caught showing a faked video.
    • Would you prefer this incident had been used as a First Amendment challenge on DMCA? Say by the ACLU? Back in January, baby!!! (See page 15, or 8 by the document's own numbering.)
    • And now, just to pour salt on the wounds, his group leaks the SDMI cracks anyway. I love it!

    This guy is my hero! Looks so *innocent*, doesn't he? :-)

  7. DMCA will protect the scholars, not SDMI by sparkane · · Score: 5

    From the law his own self:

    US Code, Section 1201(g)(2):

    Permissible acts of encryption research. - Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if -

    (A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;
    (B) such act is necessary to conduct such encryption research;
    (C) the person made a good faith effort to obtain authorization before the circumvention; and
    (D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

    Let's see: the scholars recd the copy lawfully (they didn't infringe copyright to get it); their act was not just necessary for research, but was research itself; I am sure they are making a good faith effort, as is evidenced in the harassing letter; I'll eat my hat if releasing their paper breaks any other laws.

    That's 4 for 4.

    But wait there's more:

    1201(g)(3):

    Factors in determining exemption. - In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include -

    (A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
    (B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and
    (C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.

    The scholars *are* disseminating the information to further encryption study; if they are not employed in the proper field, then no one is; clearly they have notice of the findings to the copyright holder, to wit the harassing letter.

    Conclusion: Those bastards don't have a leg to stand on.

  8. SDMI are losers by Zeinfeld · · Score: 5

    The SDMI effort has been pretty disorganized and chaotic from start to finish. I was at an SDMI conference in 1999 where the premise was that the scheme had to ship for Xmas 1999. Needless to say they missed.

    The whole premise of SDMI is pretty funky, the idea is that the device manufacturers will spike their devices to protect the interests of the labels. This is a pretty forlorn hope since the consumer electronics companies bought up content companies to help them sell hardware. Sony and Philips have content divisions but they play third or fourth fiddle to the consumer electronics divisions.

    For SDMI to succeed there must be no way to get a non SDMI player. That ain't going to happen. The other premise is that there must either be no way to rip a CD - a futile effort in itself or no more material will be released on CD.

    The alleged rip protection for CDs on the street at the moment make use of widespread bugs in CDROM device drivers. An audio CD player that encounters an error makes a best effort attempt to continue. A CDROM driver will in many cases report an error and stop. This can be fixed by simply patching the driver to emulate CD Audio players - a process that was already in progress since users were complaining about lack of robustness when playing CDs.

    Meanwhile the sales of CDs have actually started to decline for the first time ever. I suspect that this is not just the result of Napster. I suspect that the ultra aggressive tactics of the labels have discouraged many purchases.

    I have no sympathy for the crooks running Napster, the idea you can build a billion dollar business helping people rip off everyone else in the music business is one extreme of the debate. The other is the equally greedy RIAA and DVD crew who want to use digital technology that is not up to the task to massively increase their profits. I have sat through presentations from DRM companies who claim that they will not only protect content, they will make higher profits possible through product placement, advertising, co-marketing and extortionate pay per view charges.

    Between these poles I think that there is a rational middle ground. The type of rights enforcement technology the RIAA is insisting upon cannot work, as with DeCSS every player has to have the secret key.

    I think that a digital download format with a watermark could work. But the detection software would have to be closely held and used only to identify individuals who were ripping lots of tracks and putting them onto the Internet. Their access to the download service would be cut off. Such a scheme would probably be as good a limit on piracy as can be obtained. There would be minimal incentive to break the watermark scheme since it would not prevent a person from listening to the pirate tracks, merely discouraging the piracy. The attackers could not know in any case whether their de-watermarking technology had succeeded. The distributors could deploy new schemes without prior notice.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/

  9. DMCA by dachshund · · Score: 5

    I was under the impression that "encryption research" was specifically excepted under the DMCA anti-circumvention clause. Does this letter take that into account? I would love to see this go to court, even though today's (apparently bought and paid for) federal courts give me little reason for optimism.