Earth: Mostly Harmless

More on the proposed enactment of section 3 of the Regulation of Investigatory Powers Act. Looks like some parliamentary types are starting to catch on to the reasoning coming from the computing communities.

“But the draft code of conduct has no guidance on weighing privacy against the demands of law enforcement,” said Caspar Bowden, former head of FIPR.

He questioned how police could balance the rights of victims, suspects and the general public if this was not made explicit.

Mr Bowden also questioned the wisdom of making it an offence to refuse to unscramble evidence. He said there were many scenarios that made it possible for a suspect to deny they ever had the key that unlocked encrypted data.

Already, he said, there had been one court case in which a suspect was acquitted after claiming a computer virus under someone else’s control had caused the offences for which he faced trial. Mr Bowden speculated that other suspects could use the same tactic or would fake a virus infection to get themselves off the hook.

Some fear the powers will stop people taking care with data
He also asked how someone would prove they had genuinely lost or forgotten a password and wondered if the threat of a jail sentence would hamper efforts to make users take more care of personal data.

“Will it deter the mass of honest users from properly securing their data?” said Mr Bowden.

You bet.

BBC story

An eminently sensible proposal. However, the real test will be in the final legislation (if any) which comes out of this. I wouldn’t be surprised to find that a vindication of private copying rights is accompanied by an expansion of the content lobby’s legal instruments for pursuing infringers.

I’ll be keeping track of this one. Watch this space.

BPI Calls for Private Copying Right:

Interesting news this morning from the UK, where the BPI (the CRIA equivalent) has called for a right to private copy
music from CDs to other devices.  It is technically illegal for anyone
to copy a CD onto their computer
for the purposes of downloading music onto their own portable music
player.  While that form of fair use makes sense (and should be adopted
in Canada), it should be noted that the BPI likely still envisions a
world where they can use DRM, rather than the law, to limit such
copying.

(Via Michael Geist Law RSS Feed).

Now there’s an idea. May I suggest “WikiPatents”?

Patent office will ask the public to “peer review” inventions:

Cory Doctorow:
The US Patent and Trademark Office has launched “Peer to Patent,” a community patent peer review project. The USPTO is overloaded with patent filings, so it does little or no investigation into patnets before rubber-stamping them, expecting that the courts will sort out who invented what. This changes the patent system from something that promotes invention to something that rewards companies who aggressively sue inventors.

Peer to Patent aims to address this by encouraging the public to review patents, to determine whether they are valid based on the at-large expert knowledge about what has already been invented and what is a new, useful, nonobvious invention. IBM has agreed to have its patents vetted by the public as a guinea pig in the project.

Project founder Beth Novacek sez,

This Friday, May 12, the United States Patent and Trademark Office (USPTO) will hold a briefing on the community patent peer review project.

The May 12 briefing will be hosted by John Doll, Commissioner for Patents, USPTO, and Jay Lucas, Deputy Commissioner for Patent Examination Policy.

The purpose of the May 12, 2006 briefing is to provide greater in-depth analysis of the peer review pilot project as well as answer the question of what constitutes valid prior art.

The represents a kick-off of the peer review project and the effort to move from proposal to working prototype with a launch at the beginning of 2007.

Link

(Thanks, Beth!)

(Via BoingBoing).

#If I had a million dollars / I’d reform copyright in Canada (but not real copyright, that’s cruel) #

Barenaked Ladies frontman on copyright reform:

Cory Doctorow:
The Barenaked Ladies’ Steve Page has a great editorial in today’s Canadian National Post, writing on behalf of the Canadian Music Creators Coalition, a great new organization that represents many prominent Canadian musicians who reject their labels’ attempts to sue and intimidate their fans.

We, as Canadian music creators, have identified three simple principles that should guide copyright reform and cultural policy.

- First, we believe that suing our fans is destructive and hypocritical. We do not want to sue music fans, and we do not want to distort the law to coerce fans into conforming to a rigid digital market artificially constructed by the major labels.

- Second, we believe that the use of digital locks, frequently referred to as technological protection measures, are risky and counterproductive. We do not support using digital locks to increase the labels’ control over the distribution, use and enjoyment of music, nor do we support laws that prohibit circumvention of such technological measures, including Canadian accession to the World Intellectual Property Organization’s Internet Treaties. These treaties are designed to give control to major labels and take choices away from artists and consumers. Laws should protect artists and consumers, not restrictive technologies.

- Third, we strongly believe that cultural policy should support actual Canadian artists. We call on the Canadian government to firmly commit to programs that support Canadian music talent. The government should make a long-term commitment to grow support mechanisms such as the Canada Music Fund and FACTOR, invest in music training and education, create limited tax shelters for copyright royalties, protect artists from inequalities in bargaining power and make collecting societies more transparent.

Link

(Via BoingBoing).

Hopefully a sign of things to come…

Consumer Electronics Association ad campaign slams RIAA:

Cory Doctorow:

The Consumer Electronics Association is taking a brave stand against the entertainment companies’ attacks on the public’s right to record from digital radio. This is brilliant — and maybe it signals that the CEA’s members will stop manufacturing technnoloogy that controls their customers instead of empowering them. (Click for larger image)

Link

(Via BoingBoing).

High-Bandwidth Digital Content Protection (HDCP) is an emerging digital rights management technology which is intended to plug the analogue hole for the upcoming high-def broadcast and disc formats. It operates over HDMI cables, and is about the worst idea I’ve heard this year. And that’s going some.

It’s a requirement for both Blu-Ray and HD-DVD discs - so without an HDCP-enabled TV you could be locked out of playing high-def versions of content on these discs. Instead you’ll see the standard-definition version. The problem is, just because your TV has an HDMI port doesn’t mean that it supports HDCP. Only about 10% of HDTVs currently in US homes support it, for example. And to make matters worse, whether the locking-out takes effect is entirely the decision of the disc publisher. At the moment most of the major studios have promised not to use the HDCP ‘flag’ for launch titles, but who knows what they’ll do in the future?

All of this ignores the fundamental problem with HDCP, and all other forms of DRM though. HDCP attempts, as you’ll see from Ed Felten’s excellent article, to apply cryptographic principles in a completely non-sensical way.

In traditional cryptography, two people want to send a message to each other (in examples, it’s usually Alice to Bob) without nasty Eve being able to eavesdrop. Aside from the requirements of exchanging a key and using a reliable crypto algorithm, the critical point is that both Alice and Bob want the message to stay secret. And Eve should never be able to see the key - as this would render the process of encryption useless.

HDCP works like this: the studios play the role of Alice, the sender. The ‘message’ is the movie, send from the high-def player to the TV. The consumer, owns a TV. The consumer has no interest in maintaining the integrity of the encryption, as in practice all the crypto means is restrictions on usage. But wait a minute - if the consumer is has no interest in maintaining the crypto, then they have all the ‘nefarious’ properties of Eve. And by effectively receiving the ‘message’, they must also have all the advantages of Bob - i.e. being in possession of the key.

In practice the way this works is that you buy a TV that has to be capable, somehow, of decrypting protected content. Therefore, it must know about, and contain, the encryption keys used. So you have them in your possession. And you also have the encrypted media, being sent from your high-def DVD or satellite box to your TV. And, crucially, you have no reason to maintain the encrypted state of the content.

So what’s stopping you from permanently decrypting the media?

Well, nothing really. As Ed points out, HDCP is mathematically flawed as well as possessing fundamental logical errors as I’ve shown. Far from attempting to actually break the crypto by force, you would only need to take the decryption keys out of your TV and build a ‘receiver’ to decode the media into its native format. As HDCP will eventually be available for computers as well as TVs, it’s probable to certain that someone will firstly come up with a physical box which decrypts content and sends it along a wire. And eventually someone (perhaps DVD Jon) will come up with a blanket cracking tool for it and its companion system AACS, just like DeCSS did for DVD. After all, it could use your own device’s decryption keys to do the job.

All will take is for one person to figure it out and write the software. In fact, academic researchers like Niels Ferguson and separately a team led by Scott Crosby of Carnegie Mellon University have already done full cryptananalysis of HDCP. Of course, if they publish their findings they’ll probably be prosecuted (or extradited then prosecuted like DVD-Jon) under the Digital Millennium Copyright Act.

Update: I found Crosby’s paper here, hosted on a Dutch server.

This all points out the degree to which DRM is a really bad deal for consumers. These technologies aren’t designed to protect content. They’re intended to protect markets.

Isn’t technology great?

HDCP, by the way, will also be used in Sky’s upcoming HD satellite service.

Making and Breaking HDCP Handshakes:

I wrote yesterday about the HDCP/HDMI technology that Hollywood wants to use to restrict the availability of very high-def TV content. Today I want to go under the hood, explaining how the key part of HDCP, the handshake, works. I’ll leave out some mathematical niceties to simplify the explanation; full details are in a 2001 paper by Crosby et al.

Suppose you connect an HDMI-compliant next-gen DVD player to an HDMI-compliant TV, and you try to play a disc. Before sending its highest-res digital video to the TV, the player will insist on doing an HDCP handshake. The purpose of the handshake is for the two devices to authenticate each other, that is, to verify that the other device is an authorized HDCP device, and to compute a secret key, known to both devices, that can be used to encrypt the video as it is passed across the HDMI cable.

Every new HDCP device is given two things: a secret vector, and an addition rule. The secret vector is a sequence of 40 secret numbers that the device is not supposed to reveal to anybody. The addition rule, which is not a secret, describes a way of adding up numbers selected from a vector. Both the secret vector and the addition rule are assigned by HDCP’s central authority. (I like to imagine that the central authority occupies an undersea command center worthy of Doctor Evil, but it’s probably just a nondescript office suite in Burbank.)

An example will help to make this clear. In the example, we’ll save space by pretending that the vectors have four secret numbers rather than forty, but the idea will be the same. Let’s say the central authority issues the following values:

	secret vector	addition rule
Alice	(26, 19, 12, 7)	[1]+[2]
Bob	(13, 13, 22, 5)	[2]+[4]
Charlie	(22, 16, 5, 19)	[1]+[3]
Diane	(9, 10, 15, 17)	[3]+[4]

Suppose Alice and Bob want to do a handshake. Here’s how it works. First, Alice and Bob send each other their addition rules. Then, Alice applies Bob’s addition rule to her vector. Bob’s addition rule is “[2]+[4]”, which means that Alice should take the second and fourth elements of her secret vector and add them together. Alice adds 19+7, and gets 26. In the same way, Bob applies Alice’s addition rule to his secret vector — he adds 13+13, and gets 26. (In real life, the numbers are much bigger — about 17 digits.)

There are two things to notice about this process. First, in order to do it, you need to know either Alice’s or Bob’s secret vector. This means that Alice and Bob are the only ones who will know the result. Second, Alice and Bob both got the same answer: 26. This wasn’t a coincidence. There’s a special mathematical recipe that the central authority uses in generating the secret vectors to ensure that the two parties to any legitimate handshake will always get the same answer.

Now both Alice and Bob have a secret value — a secret key — that only they know. They can use the key to authenticate each other, and to encrypt messages to each other.

This sounds pretty cool. But it has a very large problem: if any four devices conspire, they can break the security of the system.

To see how, let’s do an example. Suppose that Alice, Bob, Charlie, and Diane conspire, and that the conspiracy wants to figure out the secret vector of some innocent victim, Ed. Ed’s addition rule is “[1]+[4]”, and his secret vector is, of course, a secret.

The conspirators start out by saying that Ed’s secret vector is (x1, x2, x3, x4), where all of the x’s are unknown. They want to figure out the values of the x’s — then they’ll know Ed’s secret vector. Alice starts out by imagining a handshake with Ed. In this imaginary handshake, Ed will apply Alice’s addition rule ([1]+[2]) to his own secret vector, yielding x1+x2. Alice will apply Ed’s addition rule to her own secret vector, yielding 26+7, or 33. She knows that the two results will be equal, as in any handshake, which gives her the following equation:

x1 + x2 = 33

Bob, Charlie, and Diane each do the same thing, imagining a handshake with Ed, and computing Ed’s result (a sum of some of the x’s), and their own result (a definite number), then setting the two results equal to each other. This yields three more equations:

x2 + x4 = 18
x1 + x3 = 41
x3 + x4 = 26

That makes four equations in four unknowns. Whipping out their algebra textbooks, the conspiracy solves the four equations, to determine that

x1 = 25
x2 = 8
x3 = 16
x4 = 10

Now they know Ed’s secret vector, and can proceed to impersonate him at will. They can do this to any person (or device) they like. And of course Ed doesn’t have to be a real person. They can dream up an imaginary person (or device) and cook up a workable secret vector for it. In short, they can use this basic method to do absolutely anything that the central authority can do.

In the real system, where the secret vectors have forty entries, not four, it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it’s only a matter of time before someone does it. I’ll talk next time about the implications of that fact.

(Via Freedom to Tinker).

Nice to see someone else getting as hot and bothered about DRM (and poor journalism) as I do!

Decoding the Drivel:

I hate the inability of reporters to think critically, acting instead as echoing mouthpieces for whatever corporation, government, or entity has released the press clipping they’re using in place of doing their actual job of, you know, reporting.

Today’s prime sample comes via the AP, bylined Gary Gentile. Sorry Gary, but you deserve this.

First up, the headline: “Hollywood studios sell movies on the Web”. Actually, what they’re selling is the ability to download and view a copy of the movie. So a better headline would be “Hollywood studios sell additional movie viewings via the Web.” Let’s call a spade a spade and refer to these as “tickets” because that’s the model at work here.

Next, the subhead proclaims: A FIRST: MAJOR FILMS ARE AVAILABLE ONLINE TO OWN (caps in original). Leaving aside torrents and other illegal sharing, this ignores every other download scheme that has preceded it. It also carefully elides the key word “some.” In fact a better phrasing would be “Hollywood makes some big-budget films available.” I dispute the word “own” here because in fact what’s being sold is some DRM-wrappered package of bits that you very clearly do NOT own. I *own* my DVDs. I can copy them, watch them on different players, resell them, et cetera. None of these things are do-able with these latest downloads. Thus “own” is… well, let’s be charitable and say it’s misleading.

Bravely we soldier forward to the body text where we read: “The films can’t be burned onto a disc for viewing on a DVD player. Still, the move is seen as a step toward full digital distribution of movies over the Internet.” This prompts any critical thinker above the age of 12 to say “by whom?” What person outside of the Cartel could possibly view this as a step forward? This is along the lines of stores that tell you they’ve reduced their hours, cut service, eliminated perks “for your benefit.” Um, no.

Then we’re told that these download tickts “will be priced similar to DVDs — between $20 and $30.” Now I don’t know about you, but the last time I paid $30 for a DVD was quite some time ago. Most are going hot off the press for $12-18, depending on which discount outlet you frequent. Perhaps Mr. Gentile shops at more upscale boutiques for his DVDs, but more likely he didn’t even bother to check one basic fact before filing his copy.

Finally, we get a quote in which Jim Ramo, chief executive at Movielink (the Cartel arm with exclusive license to sell these tickets) gets to gush rapturously that “Digital delivery hasn’t arrived until the major studios allow home ownership, and now they have and now digital delivery is very real.” Gag me with a sycophant. First off, digital delivery arrived in my home the day the cable company put in a digital box, about three years ago. Second, “allowing” home ownership makes it sound like the king has deigned to bestow his blessings on the populace. OK, sure, that’s how they see the world, but it’s still disgusting and shouldn’t be mentioned in public. And finally, I think i already addressed the “ownership” lie. Letting a Cartel exec repeat the lie unchallenged doesn’t make it true.

OK, I can’t bear to continue the point-by-point dissection. The gist is that it’s PC-only, some movies, doesn’t include Disney at all, only gives a few of the films on the same day as DVD release - most are delayed 45 days, and is just overall a continuation of the sad sorry attempts by the Cartel to defend their antiquated business models. Oh, for a press reporter who would actually report THAT news.

(Via Copyfight).

A well-written piece from my good friend Monsieur Chuf.

See also the Say No2ID web site.

No To ID Cards:

No to IDYou may have heard that legislation creating compulsory ID Cards passed a crucial stage in the House of Commons. You may feel that ID cards are not something to worry about, since we already have Photo ID for our Passport and Driving License and an ID Card will be no different to that.

What you have not been told is the full scope of this proposed ID Card, and what it will mean to you personally.

The proposed ID Card will be different from any card you now hold. It will be connected to a database called the NIR, (National Identity Register) where all of your personal details will be stored. This will include the unique number that will be issued to you, your fingerprints, a scan of the back of your eye, and your photograph. Your name, address and date of birth will also obviously be stored there.

(Via Chuffy - MySpace Blog).

More on the Cato Institute’s criticism of the DMCA, which I added to my del.icio.us yesterday. The Internet is going wild over this one. See also Slashdot’s coverage.

Cato has the ear of the Republicans. Let’s hope they’re listening.

Don’t Miss Cato vs. the DMCA:

When organizations allaroundthe political spectrum can agree a law is broken, you’d think that would lead to quick passage of the bill to fix it. Unless that law is the DMCA’s anticircumvention.

The Libertarian Cato Institute has released a terrific report (PDF link) documenting ways the Digital Millennium Copyright Act hinders innovation.

Why won’t iTunes play on Rio MP3 players? Why are viewers forced to sit through previews on some DVDs when they could have fast-forwarded through them on video? Why is it impossible to cut and paste text on Adobe eBook? In a just released study for the Cato Institute, Tim Lee, a policy analyst at the Show-Me Institute, answers these questions and more.

The new legislation’s most profound
effects will be on the evolution of digital media
technologies. We have grown accustomed to,
and benefit from, a high-tech world that is
freewheeling, open-ended, and fiercely competitive.
Silicon Valley is a place where upstarts
like Apple, Netscape, and Google have gone
from two-man operations to billion-dollar
trendsetters seemingly overnight. The DMCA
threatens to undermine that competitive spirit
by giving industry incumbents a powerful legal weapon against new entrants.

Sound copyright policy has obvious attractions for advocates of small-government and deregulation. Copyright has become more regulatory, and more market-crippling, as it expands, and the DMCA is a case in point. As Lee describes, the DMCA has been (ab)used to prevent competitive development of audio and video players, cable boxes, and even, for a time, printer cartridges. Instead of a free-market rush toward the best technology to meet public demand, we get a trickle of major-label “approved” devices that must be bug-compatible: region-coded DVD players and can’t-record cable boxes.

I don’t agree with Cato on everything, but this report is spot-on. Let’s hope it inspires more in Congress to join Reps. Boucher, Doolittle, and Barton in support of the DMCA.

(Via Copyfight).

This project could have some really interesting consequences. For one thing, if the treaty effort gets off the ground, we might look forward to worldwide protection of educational fair use for copyrighted materials.

Yale Access to Knowledge Treaty, Apr 21-23:

Cory Doctorow:
Yale University is throwing a conference on “Access to Knowledge” — an umbrella term that encompasses the humanitarian, creative, entrepreneurial and scholarly elements of the copyfight. Access to Knowledge (A2K) is also the name of a proposed treaty at the UN copyright agency, WIPO, which sets out the information rights every nation should guarantee to its archivists, educators, and disabled people. It would be the first treaty to establish minimum user rights for copyrighted works, including limits on DRM.

From April 21st to April 23rd, 2006, join policy makers, activists, industry leaders, and academics at Yale Law School for a conference addressing this topic in areas such as intellectual property policy, telecommunications, education, culture, science, and health care. Leading thinkers and advocates from North, South, East and West will focus on generating cutting edge research agendas, concrete policy solutions, and strategic partnerships for the next decade.

Plenary Panels defining Access to Knowledge include:

— Framing A2K in human rights and development
— Political economy of trade treaties and intellectual property
— The economics of information
— Privacy, national security, and free expression
— Innovative public and private solutions to knowledge access and knowledge production in developing countries

Access to Knowledge Conference
Yale Information Society Project, Yale Law School
April 21-23, 2006

Link

(Thanks, Eddan!)

(Via BoingBoing).