Saturday, May 12, 2007

Fingercerting: an alternative to DRM or collective licensing

There was good news for Audible Magic yesterday when MySpace announced that it would use their software to filter out uploads that infringed copyright. Recognizing media clips using fingerprinting (more) has become fashionable as content owners begin to sue hosters.

Fingerprinting, combined with digital certificates, offers a way around the drawbacks of two currently favored ways to govern digital media use. I will focus here on video, since I recently attended a workshop on the future of video copyright at the USC Annenberg Center.

The core of the digital copyright problem is reconciling two valid interests:

Interest 1: Creators’ need to be compensated in order to cover costs and encourage more creation.

Interest 2: Consumers’ ability to make copies of copyrighted material under limited circumstances (loosely, “fair use”).
Here are two fashionable approaches to solving this problem. Each is biased to addressing one of these interests, while ignoring the other.

Solution 1: DRM

In this model, content is locked by DRM under terms specified by the creator/distributor. The consumer can only get access by observing these rules; circumvention is prevented (in the US) by the reverse-engineering terms of the DMCA.

A major difficulty arises in the intersection of DRM with fair use, since the criteria for fair use cannot be encoded in machine-executable form. Thus, Interest 2 above is generally not respected. Other difficulties include the vulnerability to a single hack that puts a piece of content in the clear, particularly if hosted off-shore; the anti-trust consequences of Content/CE/IT standardization; and usability problems with consumer experience.

Solution 2: Collective Licensing

In this model, ISPs would pay a monthly license fee on behalf of each subscriber. This would then be distributed among rights holders a la BMI/ASCAP (cf. EFF’s proposal for music).

A difficulty arises because content creators lose the ability to negotiate their compensation with consumers, thus undermining Interest 1. Owners would be compensated on the basis of some rigid formula determined by the collecting agency. Other difficulties include deriving a formula, since video isn’t as homogeneous as music; anti-trust issues in a collection monopoly; and charging users on enterprise rather than consumer networks. Option 2 also implicitly assumes that DRM is outlawed; if it were allowed to remain, then content creators could get two bites of the apple.

Another way: Fingerprinting + Certificates = FingerCerting

Option 1, the DRM approach, puts the control of content on the user’s device; however, the control is draconian and makes accepted uses like sharing around a user’s personal domain or fair use clumsy at best. Option 2, collective licensing, removes content control by levying a blanket license fee on all broadband subscribers through their ISP, but at the cost of creating an inflexible collecting monopoly and outlawing DRM.

In the “FingerCert” approach, fingerprinting is used to identify content, and an accompanying digital certificate (or “cert”) indicates that the owner has approved its transmission. If the content is registered as copyrighted but not accompanied by a valid digital certificate, an intermediary (ISP or hoster) is obliged to block it. There can still be a negotiation between an owner and a purchaser, but DRM isn’t required, only attaching a cert to indicate a contract. Once the media has been delivered, the cert can evaporate. If the media is provided without encryption, the end user can make copies for fair use without having to worry about arcane and unexpected restrictions.

The big problem with digital media is not personal copies; it’s large-scale illegal distribution. Content owners could use light-weight DRM as a “bump in the road” to mark their rights, but heavyweight (and futile) restrictions intended to prevent even a single hack won’t be necessary. This means a good experience for the vast majority of users who are happy to pay for content, but who would be deterred from buying if DRM were rigorous enough to persuade content executives that their assets were protected against all possible infringement. If you’re only willing to sell sandwiches wrapped in bank vaults, you won’t sell many sandwiches. FingerCerting prevents large-scale distribution by stopping the flow across the Internet, not in someone’s house or between friends’ iPods; it addresses and, not somebody making a mash-up for their friends. The gates don’t have to be in many places – just the major intersections, like big content sites, or perhaps just at the major IXCs.

FingerCerts gives content owners a way to control distribution of their content (protecting Interest 1), while allowing them to do so without harsh DRM that undermines fair use copying (protecting Interest 2).

What Fingercerting Isn’t

FingerCerting doesn’t require watermarking, that is, embedding (often hiding) a copyright notice in a file. Fingerprinting sets out to recognize the file from its visible characteristics. Watermarking, just like fingerprinting, has to be keep working even when videos are manipulated, e.g. by cropping or transcoding. My uneducated guess is that fingerprinting is more robust in these cases than watermarking since it’s not trying to hide the indicia.

FingerCerting doesn’t require DRM, but neither does it preclude it. It creates an environment where DRM isn’t essential to protecting mass abuse of copyright, and hopefully takes the sting out of the argument over this technology.


Any solution to a complex problem will have weaknesses. Here are some I can think of regarding FingerCerting:

Will you need a standard for fingerprints? Audible Magic has a mechanism to register media and recognize clips; so do other companies like Philips. Cert standards exist, but one can imagine different content owners using different solutions. The complexity may be too great for intermediaries if they have to support more than a small number of mechanisms.

Packet inspection technologies to do stream identification are available. Attaching certs to streams is a different issue; I can imagine solutions, but I haven’t stumbled across any yet. Pointers, please.

False negatives – not recognizing an illegal file or stream – will occur, but that’s OK; large scale distribution can stopped since intermediaries will have multiple shots at catching streams. The bigger problem is false positives, that is, when an intermediary mistakenly blocks content. This will annoy users, and present a wonderful scenario for denial of service attacks.

Content hosters/routers will have to be motivated, by litigation or legislation, to implement such a scheme. Current US law provides a disincentive to implementing fingerprinting: Google/YouTube would rather not know that it’s hosting infringing content, because that increases its liability under the DMCA. I presume some legislation or regulation would be required to set up the incentives for a fingercerting process; I don’t know if it will be more or less onerous than that required for DRM (cf. the DMCA) or for collective licensing.

No comments: