Computer underground Digest    Sun  Oct 26, 1997   Volume 9 : Issue 77
ISSN  1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.77 (Sun, Oct 26, 1997)

File 1--Telerights II - Current Digital Copyright Controversy
File 2--Cu Digest Header Info (unchanged since 7 May, 1997)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sun, 26 Oct 1997 13:46:48 -0600 (CST)
From: Wade Riddick
Subject: Telerights II - Current Digital Copyright Controversy

Open Letter to Chairman Tauzin Concerning the Current Digital Copyright Controversy

(c) 1997 By Wade Riddick
All rights reserved
Circulate freely without alteration

The following is an edited version of an open letter sent to House Telecommunications Subcommittee Chairman Billy Tauzin (R-Houma, LA) calling for legislative action (and in some instances, inaction). It is an overview of market forces involved in the current digital copyright debate and an analysis of the broad evolutionary changes occurring in technology. Because of its general nature, more advanced readers will no doubt find some technical inconsistencies and omissions.

I make it available to encourage you to support Chairman Tauzin and others in Congress in their effort to forge a compromise between the conflicting interests involved. This is not easy work and our representatives deserve our assistance and sympathy in this matter.

Wade Riddick
Department of Government
University of Texas-Austin
RIDDICK@JEEVES.LA.UTEXAS.EDU

----------------------------------------------------------

The Honorable Billy Tauzin
2183 Rayburn House Office Building
Washington, DC 20515
(o)202-225-4031

Dear Chairman Tauzin,                                   10/23/97

My name is Wade Riddick. I am in graduate school studying political science at the University of Texas, with a particular focus on technology and economic regulation. As a fellow Louisiana citizen, I have for some time followed your work on HDTV, data privacy and encryption issues with keen interest, most recently with respect to H.R. 2368. You are one of the few members of Congress with a deep understanding of the concerns involved and the balance that must be struck between public and private interests to make the digital economy work. I am writing to bring to your attention the important way in which these issues intersect with respect to digital copyrights and the opportunity this provides you.

As you know, the Internet Service Provider (ISP) liability problem has recently flared up again on Capitol Hill, which is disappointing. There is a fairly simple method for creating strong digital property rights which will benefit both authors and consumers-namely through the use of public key encryption-and yet, for several years now, the industry has been at loggerheads over whether and how to do this. I believe Congress can provide the leadership to unite these diverse and often opposing viewpoints.

A little over a year ago, I proposed just such a solution that would favor most parties in this debate (_BYTE Magazine_, Feb. '96). My work is by no means unique and in the following year several companies including powerhouses like Xerox and IBM have moved forward in marketing various components of this digital copyright enforcement model. However, these commercial solutions have tended to be closed, proprietary in design and niche oriented.
Their development has also tended to exclude players outside the computer industry, where lies much of the impetus for making harmful revisions to the copyright law. Because no uniform standards exist, companies have been reluctant to invest in these systems and use them to sell their most valuable forms of property.

It is no surprise given the relative youth of the computer industry that it lacks the political experience necessary to forge a broad consensus and lay the foundations for the public infrastructure necessary to address these digital concerns. Bold (and incorrect) statements like 'information wants to be free' frequently leave copyright holders ill at ease and casting about for ways to strengthen their rights. Congress, however, is in a position to bring these opposing sides together, reduce the anxiety surrounding such solutions and create a level playing field of benefit to the greater economy.

If I may, I would like to briefly outline how such a copyright system would function, how it would benefit the currently squabbling interest groups, what kind of opposition it might encounter and why Congress should get involved in brokering a settlement.

My personal position on digital IP reform is quite simple; I do not have one. I believe it is first necessary to enforce current property rights before we can address their inadequacies. The existing copyright code provides adequate *legal* protection for authors and gives them the ability to seek restitution for their work. What is lacking electronically is a *practical* means of enforcing these rights which makes it easy for consumers to comply with the law.

My research goal has been to discover and then advocate such methods in the hopes that we can return to more of an open market in intellectual property. I believe that if someone buys a book in hardback, they ought to be able to buy, 'own' and resell its digital 'copy' in exactly the same fashion they can with the physical document.
Decisions like 'renting' software are most efficiently left to free enterprise and not mandated in the law. Once intellectual property is open to rental, lease, outright purchase and even bundling like financial options-just as any other form of property-then its market will expand as fruitfully as other capital markets have in the last decade. The more flexible the law is in rewarding entrepreneurs, the more complex, developed and profitable the marketplace will become. I do not believe this will come about by adding further restrictions and regulations: How will it happen?

The technical alterations which must be made to digital 'publishing' are quite simple, though they require a great deal of forethought and coordination among many companies to implement. The changes rely on one basic foundation of digital communication-that while information can be easily *copied*, it cannot always be easily *used*. The best example of this is encryption. Without the proper key, any encrypted document is worthless. If that key can be protected and monitored by networking utilities, then the entire document can be tracked as well without regard to how its encrypted form is duplicated. This thinking is the basis of many different efforts in digital copyright protection.

Under a system which I call telerights and others call 'cryptolopes' (or, more generally, 'digital libraries') *each* copy of a document which is published for sale is encrypted with a key unique to that document, thus personalizing the copy for each purchaser. In the accompanying diagram, I have outlined four different steps to illustrate how such a system works.

In the first stage, the publisher creates several different copies of the same document using distinct private encryption keys. The public key is later passed out to read the document.
Because of the nature of public key encryption, only the owner of the private key (the publishing house) can ever fix content into a publishable form that matches the public key. This makes it impossible for an outsider to switch content and steal property during the transaction process.

A special bank or escrow agent is used to complete the actual sale, thereby shielding the user's identity from the publisher in much the same way cash does in a bookstore. The publisher collects payment and passes along the encrypted document, together with a small signature which combines information about the publisher, the document and the privileges granted to a user. By using a signature to communicate about the document, it is not necessary to reveal the nature of the content in any transaction.

The escrow agent forwards the user's identity to a bookstore, which also collects a copy of the signature and the actual public key from the publisher.

When the user is ready to 'view' the document-and this could include anything from running PC software to listening to music-he sends the signature to the bookstore which returns the public key. Because these bits of data are very small, this process requires very little time to complete. Even on a fairly slow modem, up to a dozen keys per second can be transmitted compared to the minutes or hours it would take to re-download, say, a large movie. (Pay Per View films and digital TV broadcasts could avoid this speed problem by transmitting each frame in a series of single smaller documents).

When the user requests the key, the bookstore notifies the publisher that his particular key is in use, allowing them to search other bookstores for evidence that the key has been pirated (e.g., someone else is using it simultaneously).
If it has been, then the publisher can either block access and contact the owner or go to the extreme of invalidating the key and starting an investigation, depending on whatever prior arrangement was reached at the time of sale.

Notice how this puts the burden of preventing intellectual property theft on the actual purchaser of the material and not the publisher, which is as it should be with any form of property that is sold. It becomes the user's duty to keep copies of his document out of circulation, incurring a significant risk of having his key invalidated if he carelessly 'loans out' his material or fails to take other precautions. It is *his* property that is stolen in any act of piracy.

The crucial part of this process-and where the need for corporate coordination is most evident-comes in the safeguards which must be built into the user's computer itself. When the machine receives the key in the final part of the third stage, it is placed in a tamper resistant area of RAM where it is used to decrypt the document. This is essentially a portion of the computer that is tied into the network and off limits to the user. These types of secure memory are already widely used in many inexpensive smart cards and, even when combined with the other alterations, should only add a few dollars to the physical cost of a PC.

When the user finishes viewing the document in the final stage, the key and decrypted content are erased and a message is sent back to the bookstore (and on to the publisher) informing them the material is secured again. The user, of course, retains the encrypted document to store and do with as he pleases. He may make unlimited multiple backups of his information without raising the author's fears of illicit use. He can also move copies around between his home and office or take them on vacations and business trips.
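
The key-request exchange described above (signature sent to a bookstore, publisher notified that the key is in use, simultaneous use either blocked or answered by invalidating the key, release when viewing ends), as an added Python example that is not part of the original letter. The class and function names, the SHA-256 digest used as the 'signature', the per-copy serial number and the policy labels are all assumptions made for illustration; the encryption and the tamper resistant memory are left out.

```python
import hashlib
import secrets


def make_signature(publisher, document_id, copy_no, privileges):
    """Small identifier for one sold copy; reveals nothing about the content.
    Assumption: a SHA-256 digest over the fields the letter lists, plus a
    per-copy serial number so every purchaser's copy gets its own signature."""
    fields = "\x1f".join((publisher, document_id, str(copy_no), privileges))
    return hashlib.sha256(fields.encode()).hexdigest()


class Publisher:
    def __init__(self, name):
        self.name = name
        self.policy = {}          # signature -> "block" or "invalidate"
        self.active = {}          # signature -> (bookstore, device) holding the key
        self.invalidated = set()
        self.alerts = []          # evidence of simultaneous use

    def sell_copy(self, document_id, copy_no, privileges, bookstores, policy="block"):
        key = secrets.token_bytes(16)      # constructed stand-in for the copy's key
        sig = make_signature(self.name, document_id, copy_no, privileges)
        self.policy[sig] = policy          # arrangement reached at time of sale
        for store in bookstores:
            store.enroll(sig, key, self)
        return sig, key

    def notify_in_use(self, sig, store_name, device):
        if sig in self.invalidated:
            return "invalidated"
        holder = self.active.get(sig)
        if holder in (None, (store_name, device)):
            self.active[sig] = (store_name, device)
            return "ok"
        # Same key requested while it is checked out elsewhere.
        self.alerts.append((sig, holder, (store_name, device)))
        if self.policy[sig] == "invalidate":
            self.invalidated.add(sig)
            del self.active[sig]
            return "invalidated"
        return "blocked"

    def notify_released(self, sig, store_name, device):
        if self.active.get(sig) == (store_name, device):
            del self.active[sig]


class Bookstore:
    def __init__(self, name):
        self.name = name
        self.keys = {}            # signature -> key
        self.publishers = {}      # signature -> Publisher to notify

    def enroll(self, sig, key, publisher):
        self.keys[sig] = key
        self.publishers[sig] = publisher

    def request_key(self, sig, device):
        if sig not in self.keys:
            return ("unknown", None)
        verdict = self.publishers[sig].notify_in_use(sig, self.name, device)
        return (verdict, self.keys[sig] if verdict == "ok" else None)

    def release(self, sig, device):
        if sig in self.publishers:
            self.publishers[sig].notify_released(sig, self.name, device)


def demo():
    pub = Publisher("Example House")
    north, south = Bookstore("north"), Bookstore("south")
    sig, _ = pub.sell_copy("novel-001", 1, "view", [north, south])
    outcomes = [north.request_key(sig, "owner-home-pc")[0],    # owner opens the book
                south.request_key(sig, "unknown-pc")[0]]       # second, simultaneous use
    north.release(sig, "owner-home-pc")                        # owner finishes viewing
    outcomes.append(south.request_key(sig, "owner-office-pc")[0])
    return outcomes


if __name__ == "__main__":
    print(demo())
```
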

While this method of protection may seem quite simple, it changes a variety of important behaviors in the marketplace, giving digital materials the properties we have come to appreciate in most physical goods. For example, users could band together to purchase one copy of a book and share it among themselves at prearranged times, much like a household can now 'share' software. Several public libraries could pool their meager funds and purchase a single copy of an expensive document that would be available to patrons from several geographic areas to check out. Users could also carry materials cross country and access them from several different computers, provided they take the proper precautions.

What is truly interesting is the way such an arrangement would expand the publishing world. The low cost of digital distribution would be turned from a drawback into an advantage. Individuals could very inexpensively sell their own content or repackage and distribute the content of others, adding value in any of a dozen ways. By collecting a fee for what was once considered piracy, such distributors would be encouraged through market incentives to enforce the property rights of other publishers.

A new rental market would also be opened. Users would be able to loan out their copies or even rent them by acting, in effect, as their own publisher. They could encrypt an item they have purchased with their own set of keys and just follow the four steps again, this time from the seller's point of view. Getting to the real content would require the borrower to go through both keys. The borrower would have to go through both keys to get to the real content. 'Returning' such borrowed material would be quite easy. The bookstore would be instructed to simply stop honoring the new signature after a given period of time. Thus keeping track of materials on loan in a public library would become automatic, not to say inexpensive. Material could be republished this way several times.
Indeed, multiple copyright holders could easily mix their work together and get reimbursed according to a prearranged formula, thus simplifying, for example, the negotiations a movie producer might have to go through to acquire the rights of a hit song for the soundtrack.

This infrastructure could also be used as a broadcast conduit for ostensibly free information. As I pointed out earlier, only those individuals with the private key can publish material that matches the public key. A television network, in order to protect its advertisers from having their messages stripped out, could encode their signals with a single key whose brother would then be provided freely to the public. Rebroadcasters would not be able to piggyback their own commercials over legitimate ones and users who 'tape' the programs would not be able to avoid the commercials without purchasing separate, clean copies. And by tracking requests for the public key, networks could also assemble valuable demographic numbers.

By breaking up the information needed to pay for and use copyrighted materials and limiting the players to their own spheres of self-interest, this process reinforces not only royalty collections but also privacy rights. Bookstores, for instance, would be in the business of monitoring keys, the one duty they are contracted with both parties to perform. A bookstore would have no interest in the type of content it was monitoring the same way the phone company has no interest in what two parties are saying, only in making the connection. Likewise a publisher would not care who in particular buys their product, only that they can collect their money and stem losses from piracy.
They might like to know demographic information about their consumers, but this could be collected quite easily through a third party auditor who could scan bookstore records on behalf of the entire publishing industry, stripping away individual user identities before matching the pertinent statistics up with the nature of the content. In this way, user privacy can be protected while still allowing businesses to acquire the much needed marketing information which benefits everyone.

Of course, as with any financial transaction, allowances would have to be made for other types of auditing to prevent piracy and money laundering and to insure proper bookkeeping standards-but these last two issues will have to be faced in the broader context of digital commerce anyway and proper benchmarks for such regulation already exist in the financial world.

The first issue, piracy, actually becomes much easier to deal with under this system. In order to make money, a pirate will either have to enter the market as a legitimate publisher (in essence 'publishing' stolen material) or he will have to settle for selling the decrypted content and disguising his profits. Given the ease of legal republishing and assuming that digital distribution will vastly lower prices, pirates should usually opt to go legitimate as redistributors of goods. On the user side, most consumers should shy away from purchasing decrypted goods, particularly if the costs of the commercial items can be lowered sufficiently.

In any event, one thing would stand in the way of exchanging pirated goods, decrypted or not: watermarks. It is becoming quite easy to insert permanent, indelible watermarks into audio and video information to identify the true author and purchaser. The user's computer could be instructed to scan for one of these marks in a random audit of a decrypted document and then forward it on to the bookstore or a third party association specifically set up to check for stolen goods.
This would provide a check on unscrupulous publishers who dupe well-meaning consumers, vastly increasing the risk associated with trafficking in pirated goods.

What I have just outlined is only one possible way to structure digital copyright transactions. A user's identity and privacy, for instance, could easily be shielded much earlier in the process. The network provider might simply send the bank a guaranteed pseudonym and retain all the user's personal information to themselves. One could also add more privacy through multiple banks and escrow agents in the transaction. As well, the bookstore does not necessarily need to hold the actual decryption key. It could merely act as a conduit through which the key passes in a private channel to the user. Should the publisher go bankrupt or cease operations, the user could rely on a third party warehouse agreed to with the publisher for archiving keys.

I will turn now to the political questions involved in developing such a system.

This model makes two key technical assumptions, neither of which is far-fetched but both of which lie at the heart of Hollywood's fears. The first assumption is that the personal computer will become the ubiquitous device through which we consume information. The second is that every one of these computers will have a continuous network connection out of the home. In terms of technical advances, neither of these are terribly difficult obstacles to overcome. The know-how exists; it only needs deployment in high volume consumer goods. The question is who will pay for it and who will try to throw up regulatory hurdles.

On the hardware side, it is becoming increasingly clear that advanced computing power will in a few years penetrate homes to the same degree that telephones and TVs have, perhaps even replacing both devices. It makes little difference whether the end product will be a smart TV or a PC adapted to accept multimedia broadcasts.
Right now, the abilities of these devices to quickly and cheaply reproduce digital information in volume have copyright holders justifiably worried. So far, their response has been quite typical: They have either tried to retard these advances through litigation or turned to dedicated hardware like DVD players which limit the flow of information.

This is not a viable long term strategy. Computing history is littered with the remains of dedicated platforms and proprietary designs. DVDs are simply one more data storage format in a long line. It is inevitable that consumers will acquire some kind of mass storage technology and eventually some arrangement of two-way accounting between publishers and consumers must be agreed to. Whether publishers like it or not, PCs will become widespread, will overwhelm any dedicated player and any long term solution must take this into account.

The mistake made in past DVD negotiations is not that encryption was used, but that it was not taken far enough. DVD keys are tied into the players themselves, which in turn are geared toward distinct geographic regions. The goal, basically, is to prevent Chinese pirates from cracking the code in their region and then distributing movies released in China back into the U.S. If these keys were geared to the individual purchaser instead of an arbitrary region, then Chinese utilities could be given a small financial incentive to monitor and enforce the copyrights as key managers.

But Hollywood interests did not turn to encryption with this goal in mind. They did so to protect their current distribution system using the same logic that saved them from the analog electronics revolution of the VCR. When you copy a movie onto videotape, its quality degrades quickly-as does that of CDs transferred to audiotape. Digital technology eliminates this problem, but Hollywood has sought to use these same methods to rein in pirates.
In the case of Digital Audio Tape, individual recorders are specifically designed to degrade the signal when copies are made.

However, the worlds of software and movies are in for a rude collision. Computer data cannot tolerate any such degradation. Mass storage devices like CDs, hard drives and tape backups must do their jobs of reproduction perfectly. So far the entertainment industry has been protected by the high costs of devices like CD-ROM burners, but as prices for them drop rapidly and they become standard components in computers the consumer electronics and PC industries will inevitably collide.

The second assumption this new copyright system makes is that homes will have a continuous network connection. Technically, this is not an onerous requirement for the kind of model I have outlined. Most homes already have a continuous cable feed, often times bi-directional. Several companies are also working on using power lines to transmit information continually into and out of electrical sockets. By the time such a copyright management system could be developed and marketed, these technologies will probably be widely available to consumers.

Even if they are not, the system I have proposed can work with the intermittent contact of a regular phone line. Indeed the phone, coupled with the video store, becomes more efficient at delivering movies than cable. The data required to transmit a key is minuscule compared to that of constantly rebroadcasting a movie on Pay-Per-View each time a viewer wants to watch it.

Politically, however, the issue of network connections is a more subtle problem that tends to be finessed differently by different players.
Here the focus of the fight is not on preventing piracy from happening, as it is with DVD players, but in shifting around the legal liability once it does happen: The main target for the entertainment industry are the Internet Service Providers (ISPs) who supply networking services to personal computer owners. Since ISPs lack the tools to track piracy on every PC plugged into their network, they have little choice but to try to claim that they are not in the content business and seek protection under the common carrier statutes.

This is indeed an ironic trend. Most companies in the aftermath of the 1996 Telecommunications Act have been more than happy to jump feet first into the content business. Just the opposite is true for ISPs. Copyright liability legislation being considered would vastly increase their costs with little or no reward on their part for enforcing any of these laws.

The phone companies, who are ambivalent about the internet and have not yet fully committed to being ISPs, are happy to stand by and watch their ISP competitors get taken to the cleaners on this issue. Not only does it clear the ISP field for the bells to enter (by vastly increasing the administrative costs of regulatory compliance-something they are very good at), it also knocks out all the companies who are competing with their phone business by using the internet.

Both ISPs and the Bells must be convinced that they can profit from the liability 'problem' by collecting key management fees. When ISPs object that they are not in the business of monitoring content, pay them to make it in their interest. Turn that liability into an advantage by making them a rewarded part of the 'publishing' process. Allow them to collect a toll for keeping track of this valuable information. Convince publishers, in turn, that such fees would be minimal compared to the money they would save through digital distribution.

In this part of the fight, phone companies are potentially your savviest ally if they can be convinced of the merits of altering the copyright landscape. They already have an extensive accounting infrastructure that could easily track these multiple individual transactions (unlike cable companies and most ISPs). The Bells are also far more experienced with these kinds of large industry negotiations and lobbying efforts, particularly on the international front where much work would have to be done. The one major objection the bells might have lies in moving closer to a packet switched network.

However, confounding any such rapprochement among the industries is the decision of the 1996 Telecommunications Act to further blur the barriers between content carriers and producers. There is ample incentive now for companies who act as both a creator and distributor of content to use both to their advantage. Microsoft, for instance, can propose proprietary software solutions that only benefit *its* MSN network and *its* content partners and/or charge others an exorbitant fee for the same service. Its recent acquisition of Web TV and its investments in the cable industry only multiply the possibilities.

Under a telerights-like system, users would no longer be locked in to particular channels of distribution when they buy a product. A user on the Microsoft Network, for instance, could purchase advice formerly supplied only through AOL. Producers would cut deals with bookstores based on the price of monitoring their keys, not on the type of digital content they provided. If this blur is allowed to persist without clear regulatory controls, one might see a market restriction tantamount to, say, only Merrill Lynch traders being allowed to buy and sell IBM stock.

The problem is more pernicious within movie studios themselves where content and distribution have been wed the longest.
For decades studios have relied on the huge expense of developing negatives of film stock and making and distributing prints as ways of protecting their property from piracy-aided by the fact that theaters are also a relatively public business. The new analog technologies of VCRs and cable-TV were adapted to this mold closely enough to suit Hollywood's expectations and they are now merely extra stages in a film's release. And in some cases, companies like Disney have sought even better integration by combining with broadcast and cable entities.

Under this new copyright model the increased profits due to gains in efficiency should benefit most publishing *and* distributing operations-provided the two can be separated-but the movie making business continues to be a tightly knit industry and, if not properly appeased, may prove a further obstacle to change.

The key problem will probably center around formats of distribution. Once a film goes from theatrical release (where it can be closely tracked) to digital consumer form, the *type* of format it is distributed on becomes irrelevant. Bits are bits whether delivered over a cable connection, the airwaves, the phone or purchased on a disk platter. Indeed, consumers may choose to forgo spending the extra dollars on, say, printed liner notes or fancy box artwork and instead have material copied directly to their own blank disks. Freeing the market this way will, no doubt, prove beneficial for consumers, the industries and the country as a whole but not without first having an impact on advertising and marketing in the film industry (if not to say the entire video rental/retail and cable/broadcast sectors).

As I have pointed out, most of the friction in the digital copyright fight has centered on the two fronts of computer hardware and networking liability. This conflict would be more profitable for all parties concerned if it were not split in this fashion.
As it stands, ISPs cannot turn the lobbying pressure around to encourage PC makers to build monitoring devices into their products. It raises the traditional hackles of Big Brother intrusion even though phone companies already keep track of this kind of information. Computer companies, in turn, cannot rely on ISPs to alleviate the fear film makers have about the copying abilities of things like DVD drives. ISPs have to claim they are not in the content monitoring business because they are not even in a position to develop the necessary hardware tools. The result is two separate industry battles inching forward. It must be the business of Congress to address all of these concerns at the same time.

Despite this muddied copyright terrain, some companies have already sensed the underlying logic of the convergence. They have tried to bridge the gap on their own but so far their efforts have been fragmented and far from comprehensive. IBM, for example, has proposed a system called cryptolopes which sends purchased information across the internet in encrypted form. However it lacks the ability to protect and track such information once it is downstream. Xerox's work on digital libraries-which perhaps comes closest to the ideal-is not currently geared toward the consumer PC market. Neither company's system shows any signs of turning into a universal data standard for conveying books, movies, music and other consumer goods.

One of the most interesting recent innovations comes out of the DVD industry itself. Circuit City is developing a special rentable DVD movie format that makes consumers dial over the telephone for the unlocking key if they decide to purchase the material. Unfortunately, this appears to be a one time call and, once again, it is far from being an industry standard product.
Neither is it adapted for the most important digital appliance, the personal computer, nor can it handle any of the vast array of other forms of information like CDs and computer software. These partial efforts are not enough. As you can see, the problems the market has had to date in reaching a solution are mostly organizational and not technological. For the public good, a unified method of handling copyrighted information needs to be developed to ensure tha