Okay. A bunch of my artists rights friends and colleagues need to take a breath, because some of you are doing exactly the kind of stuff we hate when the tech industry exaggerates or fabricates negative aspects of copyright. In the last 24 hours, I’ve encountered a handful of artists rights proponents sharing links and comments proclaiming that the Copyright Act is about to be overhauled, that there is an Orphan Works proposal before Congress, and that visual artists in particular must immediately write to the Copyright Office by July 23rd to make their voices heard on these matters.
Stop. Breathe. None of this is true.
First of all, the Copyright Office is seeking input from photographers and other visual artists in order to gain insight as to how this class of creators might better monetize their works, enforce their rights, and more easily register works in the digital age. The office is soliciting comments in the interest of better protecting creators’ interests, and this July 23rd request has nothing to do with Orphan Works, even if there were such a proposal on the Hill—which there is not.
As for Congress, the Judiciary Committee began holding hearings in April of 2013 as the first step in a comprehensive review of the Copyright Act, and the last of those hearings was held in April of this year. Congress has thus far listened to 100 witnesses and, as stated by Chairman Goodlatte, “Over the next several months, the Committee will be reaching out to all stakeholders to invite them to share their views on the copyright issues we have examined over the course of our review so far, as well as any others.” In case you’re unfamiliar with the sound, that’s the proverbial wheels of justice grinding slowly, which is what they’re supposed to do. (Okay, it’s a bit of a mixed metaphor for the legislature, but you get the idea.) It’s also worth noting that the last revision of the Copyright Act took several decades, and the outcome of this review process may not be a rewrite of the law. Hence, nothing is moving as rapidly as your Twitter and Facebook feeds.
The purpose of this review—hence the word review—is not to debate any specific changes to the law, but to assess the Copyright Act in a contemporary light and to hear testimony from experts and stakeholders with differing views as to the strengths and weaknesses of the law in our new technological times. As such, there is neither an Orphan Works bill nor any other proposal before Congress to amend the Copyright Act. Not yet. Those days may come, and artists and creators should certainly remain involved when they do.
Artists and creators have typically been shouted down or bamboozled by heavily-funded corporate shills and the nouveau-savant within academia, who for various reasons have jumped on a bandwagon of hostility toward intellectual property. They are the hysterics. They are the ones who cry SOPA every time anyone thinks to protect IP in the digital age. They are the ones who deflect any attempt to impose civil law upon Internet companies by manufacturing a backdoor conspiracy involving a pair of congressmen and a bag man from the MPAA. Creators cannot afford to play those games, not least because the antagonists to the interests of creators are masters at exploiting the hypocrisy of others while admitting no such errors in themselves.
Stay involved. Stay the course. But stay informed.
It’s not a ‘rumor.’ The US copyright office has been considering this, which means it could become legislation. During this period before that happens we were given a time to submit public comments. Many, including me, already have. There is a long PDF published this June by the Copyright Office that I’d recommend artists at least skim through before commenting, to learn what it’s about. http://copyright.gov/policy/visualworks/
Cindy, if you read this blog, you know I share the concerns of all artists in these matters. But I assure you there is no Orphan Works proposal presently before Congress, and the Copyright Office is not empowered to change the Copyright Act. I work directly with people who have provided testimony on the Hill during these review hearings. It is simply too soon in the process to say that we’re anywhere near a proposed revision that needs to be addressed. The CO has requested input on other matters vis a vis the link you shared, specifically at the request of graphic arts and photography guilds. No question, you should keep a weather eye out for the issue of Orphan Works, but it really is on the distant horizon at this time.
The US Copyright Office published this Orphan Works and Mass Digitization report in June 2015. http://copyright.gov/orphan/reports/orphan-works2015.pdf It includes draft legislation for Orphan Works. As stated in this report: “Following the office’s initial orphan works report, the House and the Senate Judiciary Committees considered the problem of orphan works in some depth in 2006 and 2008, holding multiple hearings and introducing multiple bills . . .” and “Based on this input [responses to the Notice of Inquiry, further discussions with stakeholders, and possibly additional requests for written comment], the Office will draft a formal legislative proposal creating an ECL pilot program for Congress’s consideration.” NOW is the time for individuals to submit concerns. Submissions will be considered towards shaping the proposed legislation.
Dena, I encourage you to remain involved and to watch this issue. And individuals can write to the CO anytime they want I suppose to express their concerns, though I assure you tomorrow’s deadline in requesting comments has nothing to do with Orphan Works. I am also right in saying that there is no Orphan Works legislation before Congress at this time and no proposal that requires immediate action. That report is not draft legislation but an update of a report with few major changes in CO recommendations since 2008, which ought to tell you something about the stateliness of this process. This is ongoing discussion. Here is Copyright Alliance’s 2013 response to the Copyright Office on these matters.
http://copyrightalliance.org/2015/07/orphan_works_and_mass_digitization_comments#.Va_8cFwQfBI
Is it possible to digitally code a file so that it can only be sent or uploaded from selected locations, even if the file is a copy?
I’ll leave that to any of the code-writers who sometimes comment here.
You would need to ensure that it could only be read via some secure device/application that requires a phone-home to decrypt. However once it is decrypted (even locally) anyone can copy it unencrypted. So the device/app would also need to ensure that the unencrypted version was impossible to get at.
We deter piracy of some of our software by encrypting data files via an AES algorithm on a hardware dongle. It only deters piracy because a cracked version can supply its own encrypt/decrypt (which may do nothing). So if you only use the hacked version everything is fine. However, you cannot interchange files between cracked and non-cracked versions of the software, which makes it less attractive for business users to use the cracks, as they can’t have a couple of legit seats of the software and 10 cracked versions and cannot send the files to us for support.
I thank you, for your response as well.
No.
Regardless of whether a file is encrypted or is plaintext, a typical computer is capable of copying it freely, both internally, as well as sending or receiving it across a network. Whether the file is encrypted or not is only relevant with regard to whether it can be read in a meaningful way. For example, if you see the secret code DKFEJ WHCHK OHDGC EUFHO, you can copy it just as easily as if it were not a secret code; the stumbling block for you is that without being provided with a key (or figuring out the key on your own, such as by comparing encrypted and unencrypted copies) you don’t know that the meaning of the message is actually COVER BLOWN XESCA PENOW.
What you’re really asking about is some sort of DRM by which you have superior control over a computer than its owner has, so that you can instruct the computer to ignore commands to copy what it otherwise could copy (or view a copy), without risk of the owner of the computer overriding you.
But that usually doesn’t work. First, remember that most computers are general purpose computers, which obey any instruction they’re given. Unless someone involved in making or maintaining the computer agrees to play along with you and respect your wishes, you’ve got nothing.
Second, a DRM system has to be implemented on top of the already existing general purpose platform, which makes it vulnerable; somewhere in there, there has to be an instruction that tells the computer to accept commands from you over the user. This can be found and changed (either to be ignored, or to change who it is that has the superior ability). At best it might be cleverly hidden somewhere, but if anyone with technical skill who wants the unencrypted file (or who likes a good challenge) gets to work, it’s a good bet they’ll take over the DRM system. Surviving DRM systems inevitably are only those which are so obscure or boring that no one cares about them in the first place (which incidentally means that they’re unnecessary; no one was trying to get ahold of your file anyway).
Third, there is no rule that requires that an attacker is either less smart than you, or that he attacks only in ways you prefer or have foreseen. Anything goes, including waiting for you to allow the file to be unencrypted, and then copying it and sharing the technique, the unencrypted file, or both.
Consider DVDs: they’re typically encrypted with a system called CSS (Content Scrambling System). But no one can watch an encrypted DVD on a player, so the end user must be provided with the decryption key as well. Giving your attacker the cipher text and the key to decrypt it is obviously pretty stupid, but it’s unavoidable in this case. Some attacks on CSS were done by finding and copying the keys so that people could make unauthorized encrypted copies and then decrypt it at will. Then it was discovered that CSS was about as strong as a wet paper bag, and the entire system was laid bare in such a way that all possible valid keys were made discoverable.
But the other attack people were making involved ignoring the key and just waiting for the video to be decrypted. Once it was, it too had to be in the memory of the authorized computer somewhere, and it could be extracted from there. And some people did that until the easier key-based method became more popular.
Fourth, since DRM has to be implemented on a general purpose computer, it can only apply in special cases. E.g. ‘If a file starts with the magic code FIGKE, restrict copying, otherwise do whatever the user says.’ Once someone has the plaintext, it’s easy enough to get around the special case. In fact, if the DRM system is popular, and has been sufficiently broken, there’s nothing that prevents other people from issuing orders to it that are harmful to you. After all, a computer with DRM can’t know that an instruction comes from you, it only knows that it obeys instructions that are sent to it in the right way. It’s your problem to keep that a secret, and sooner or later you’ll likely fail.
Fifth, remember what I said about attackers being allowed to do anything they can in the course of an attack. If you’re contemplating the file being copied somewhere to someone with permission and being unencrypted there so the recipient can read it meaningfully, the attack can just occur on your end before encryption, or their end after decryption. Once the desired information is in the hands of the attacker, they’ve got what they want. They may even be willing to accept an imperfect copy. Movie studios now send encrypted video files to theaters to be played on digital projectors (instead of just shipping cans of film). The theater gets a key a bit before showtime and can then play the file for the crowd. Even if a would be pirate can’t get and decrypt that file successfully, he can still accomplish much of his actual goal by just sneaking in a video camera and filming the movie screen, and this happens regularly. And of course if the recipient is not trustworthy, like the people who were sent movie screeners for the Oscars, who then pirated the movies, you’re really screwed.
In summary, no, it’s not possible. There are things you can try, but they hinge on the cooperation of people you can trust, and sooner or later, one way or another, they’ll fail against determined attackers, if there are any attackers (and if no one cares enough to attack, implementing defenses was a waste of your time). At best you can get a temporary stopgap, but depending on how much protection you want against how many people, it might be more trouble than it’s worth.
Thanks for the info.
Basically it sounds like an issue that originated in the way what you describe as general use computers and software were designed.
There would have to be an interest in developing and mass marketing a different kind of computer or digital hardware with a different set of priorities.
These devices would have to be developed using another kind of “logic” (for lack of a better word).
LT–
I’m not sure that’s possible.
Fundamentally, all computers do is simple mathematical operations (and not even in such a way that they know they’re doing math, but in a mechanistic way in which it just happens). There isn’t a magic way to do math that only you, and special people you give authorization to, can do. This means that if it can be done on a computer at all, other computers can be programmed to behave identically, acting as if they were the first kind. This principle was recognized by Alan Turing long ago, and I don’t know if there is such a thing as non-Turing computing, particularly which is practical. This, and the ability to change what program is being run (which could be done on the emulated computer, even if it’s impractical on the original computer) are basically what makes a computer general purpose.
I am sure, on the other hand, that it is not practical.
General purpose computers are vastly useful, and even if you only have a specific limited use in mind, it is easier, more efficient, and more cost effective to use a general purpose computer able to do anything, and then to only use it to do the particular thing you want done.
I would strongly suggest you read the book “Information doesn’t want to be free,” by Cory Doctorow, available at Amazon here: http://www.amazon.com/gp/aw/d/1940450284/ which discusses this sort of thing, in a very accessible way.
LT,
To elaborate on Anonymous’s great post..
If you want to copy text from one paper to another piece of paper, it’s pretty straight forward. You just read the original text, and use a pen to write to a blank piece of paper.
What if you want to ‘transfer’ a piece of text to another paper, that is, have only one copy of the text? It’s the same process as copying at first. But you also have to do that and also use an eraser on the original text. And the eraser is not perfect, if someone looks hard enough they can still see what you erased.
Computers operate roughly the same way. A copy is logically a read from something and a write to something. But moving of data is a read, a write, and an erase. An extra step! It is basically copying plus another write step. And the erasing process is also not perfect, someone good with computers can find ways around it, or stop the computer from executing that final step. This is a bit of an oversimplification. But the point is, copying is easy and it will always require more work to restrict copying at literally the logical/mathematical level.
LT,
One other thing to add. Computers want to move data around a lot, obviously. That extra step is pretty expensive. If read-write-write(erase) each took the same time, it would still make a move 50% slower than a copy, and actually in reality writes often are more expensive than reads to many storage mediums. So when a computer says it’s moving something it’s usually lying. It’s doing a copy, and removing a “reference” to the data. But the data is almost always still there.
One might consider using deterrents, such as encoding the initial recipient’s details in the file. Say for music or film files the bank account of the licensee. You could encrypt this data using AES-256. There is a lot of redundant data in music and film files so one could use steganography to hide the data. The result being that the source of any leaked files is potentially traceable.
John Warr–
That’s true. Of course, it would be far better to just use a serial number generated for that purpose, and to look up which client that number corresponds to in a private database, rather than to breach the licensee’s privacy by putting information about them (e.g. their bank account numbers) in the wild. After all, one uniquely identifying number is as good as another, and you don’t want to run afoul of regulations on the disclosure of private financial information, customer outrage as to the same, or to risk disclosing it if your implementation of the encryption, or the encryption algorithm itself turn out to be vulnerable.
Also, steganography is pretty weak. It’s a known technique, so people look for it, and it’s easy to find if you can compare two otherwise identical files. Once found, it is trivial to remove or perhaps even alter to pin blame on another party. And because it usually lurks in the least-significant bits of the file, there are also techniques that can be attempted to scrub a file of steganographic data if it is known or suspected to be present. (If you’ve ever seen a YouTube video that’s flipped, sped-up or slowed-down, cropped, or just plain filmed from a TV screen rather than being an upload of the original video file, these are all meant to get around something similar, and your seeing the videos means that it worked.)
And since it can’t have much of a deterring effect if you don’t tell people that you’ve done it (see Dr. Strangelove), you need to decide whether you want to try to discourage file sharing by licensees who can’t figure out how to remove it or whether you want to try to track down the original licensees whose files were shared, accepting that the files will be shared and will become permanently out of your control.
Plus of course, it only reveals the source of a file, not the identity of the party who is actually culpable for its dissemination, much less the many parties who disseminate it further. I don’t know if anyone actually uses botnets for the purpose of creating file sharing networks (it sounds like it’s easy enough to get music, video, etc. without resorting to that) but it is certainly plausible that a licensee’s file could be shared without the licensee being to blame. And the more likely scenario is one in which someone with local access to the licensee’s computer uses it for things like file sharing without permission, again allowing the file to be disseminated but it being the licensee’s fault.
So by all means try it, but it’s not a panacea; at best it’s a way of blaming one of the many parties involved.
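An added illustration, not part of the original comments: a serial number looked up in a private registry, hidden in least-significant bits at key-selected offsets, plus the two weaknesses described above (two copies differ exactly where the mark sits, and a re-encode that discards low bits erases it). The key, serials, licensee names and media bytes are all constructed for the example.

```python
import random

NBITS = 32  # width of the per-licensee serial number

def scatter_positions(n_samples, key):
    # Key-derived scatter points; only the distributor knows the key.
    return random.Random(key).sample(range(n_samples), NBITS)

def embed_serial(media, serial, key):
    """Write each serial bit into the least-significant bit of one sample."""
    marked = bytearray(media)
    for i, pos in enumerate(scatter_positions(len(media), key)):
        marked[pos] = (marked[pos] & 0xFE) | ((serial >> i) & 1)
    return bytes(marked)

def extract_serial(media, key):
    """Read the serial back from the same key-derived offsets."""
    return sum((media[pos] & 1) << i
               for i, pos in enumerate(scatter_positions(len(media), key)))

def trace(media, key, registry):
    """Map a leaked copy to a licensee via the private registry, or None."""
    return registry.get(extract_serial(media, key))

def differing_offsets(copy_a, copy_b):
    """What anyone holding two licensed copies can see without the key."""
    return [i for i, (a, b) in enumerate(zip(copy_a, copy_b)) if a != b]

def drop_low_bits(media):
    """Models a lossy re-encode that discards the lowest bit of every sample."""
    return bytes(b & 0xFE for b in media)

# Constructed sample data: a fake 4 KiB "media" buffer and two licensees.
KEY = 20150722
SERIAL_A, SERIAL_B = 0x5A17C0DE, 0x5A17C0D1
REGISTRY = {SERIAL_A: "licensee-A", SERIAL_B: "licensee-B"}
MASTER = bytes(random.Random(0).randrange(256) for _ in range(4096))
COPY_A = embed_serial(MASTER, SERIAL_A, KEY)
COPY_B = embed_serial(MASTER, SERIAL_B, KEY)

if __name__ == "__main__":
    print("copy A traces to:", trace(COPY_A, KEY, REGISTRY))
    print("copy B traces to:", trace(COPY_B, KEY, REGISTRY))
    # The two copies differ only where the serial bits differ.
    print("offsets exposed by comparing copies:",
          differing_offsets(COPY_A, COPY_B))
    # After the low bits are discarded the registry lookup finds nothing.
    print("after re-encode:", trace(drop_low_bits(COPY_A), KEY, REGISTRY))
```

The leaked file carries only an opaque number, so nothing about the licensee is exposed if the mark is found; the trace is only as durable as the low bits it lives in.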
the more likely scenario is one in which someone with local access to the licensee’s computer uses it for things like file sharing without permission, again allowing the file to be disseminated but it being the licensee’s fault.
Keep the brats in your care under control.
I have no issue with holding computer users liable for acts undertaken by others – similar to allowing a motor vehicle to be used by the uninsured, or allowing some property of yours to be used in the commission of a crime. Or something similar to “failure to secure a handgun”.
or to risk disclosing it if your implementation of the encryption, or the encryption algorithm itself turn out to be vulnerable.
AES encryption has 15 years of usage. It is still (128-256 bit) thought to be unbreakable. In any case the personal data doesn’t get out unless you are making the files available.
there are also techniques that can be attempted to scrub a file of steganographic data if it is known or suspected to be present.
A movie file (for example) is a large block of data. One could scatter a few bytes of steganograph data anywhere in the file. Let’s say I have 1000 random scatter points. For any file I only have to search the 1000 sequences to locate the steganographic data. And I can encode data into the files such that the most common recoders will actually re-encode other bits of data back into my steganographic identifiers.
The purpose is to discourage.
I have no issue with holding computer users liable for acts undertaken by others
Key here: you have no issue. I personally think that’s batshit insane lunacy not even worthy of a real debate. What’s even more concerning is I’m pretty sure you even know how trivial it is to impersonate another person online, and you still want to hold the victims criminally liable for the actions of criminals?
Keep the brats in your care under control.
FFS. Just a few weeks ago we learned that a significant percentage of Americans got their identities stolen through no fault of their own. Identity theft is easy for roughly the same reason filesharing is, and you won’t find any trivial OR sustainable legal solutions in either case.
The whole thing exists anyway. The major movie studios can trace what theater a movie is recorded in. We’ve even seen them use this to catch movie recorders in the past. The problem is if just 1 person gets away with it, you are fucked. Even if they don’t get away with it, catching the original leaker does jack shit for the millions of copies already in circulation. Law of large numbers (billions of people in the world + cumulative probability) says that at least someone out there will risk it for a sufficiently popular release. And they might not even know what they are risking. What you get is a legal system with no tort resolution. That might make people who are retribution/revenge happy, maybe they can make a press release that they put some pirate’s head on a pike, but that’s about it.
Identity theft is mostly a matter of political will (or lack of it). If the financial institutions were made to bear the brunt of identity theft. If companies had to pay for all financial loss due to loss of customer data. You would find that identity theft would drop significantly. We don’t do it because banks and other businesses don’t want to accept the costs of their piss poor systems they would rather push it down onto the rest of us.
Simply you accept identity theft because you don’t have the political will to make those responsible for running systems that make ID theft easy and lucrative, pay for doing so.
Example would be smart phone thefts:
http://www.telegraph.co.uk/technology/mobile-phones/11404939/Smartphone-theft-in-London-down-by-half-thanks-to-kill-switches.html
For decades phone manufacturers and networks have avoided responsibility, making the victim pay.