Open Letter to the RIAA and MPAA member companies

Greetings and salutations! I would like to introduce myself. My name is Bryan Elliott, and I'm a 26-year-old programmer. Like many people in my age group, and those younger than myself, I grew up hating you and your ilk for each P2P-related debacle, starting with Napster and progressing all the way to the Pirate Bay.

I don't like to hate. I want to make peace with you folks. You produce my entertainment; the stuff that keeps me sane when my mind is on the blink; the stuff I look forward to watching every week and listening to every day; the stuff I anxiously wait in line to buy tickets to see. In short, you produce a good portion of my fun time. For this I am thankful.

I know you've got a problem, and that the problem is an old and dirty word: piracy. In the past years, because of a combination of new technology and bad PR, casual piracy has risen sharply to the point where it's hurting you. I never wanted to hurt you; I just wanted to watch 'Serenity' on my Dell Axim.

You produce a product which has enormous initial costs but - due to recent technological innovations - also has the potential for zero duplication costs. As a result, with every copy produced, the product's perceived value decreases. At some point the price of the product is far higher than the perceived value of it. It's at this point that piracy begins. It may be illegal, but it's just natural law.

From an objective standpoint, piracy can be seen as a form of market correction; ideally, it adjusts the average price of a product to a level that provides a modest profit to the producer. However, piracy is more or less unencumbered by law or regulation, and so it never plateaus at a stable, macroeconomically ideal point.

Unfortunately, in an effort to modify the effects that contribute to this tragedy of the commons, you've thrown your chips in with vultures*: companies that prey on your shareholders' insecurities and who provide a product with a fundamental flaw in design (i.e., DRM), and lawyers who have you convinced that strong-arming a few of your customers can scare the rest - rather than just pissing them off.

Yes, I know I suddenly sound like Cory Doctorow, and that you're very likely to stop reading at this point. Please don't look away. I have a viable solution to curtail casual piracy below - but I want you to read everything between here and there.

DRM doesn't work against pirates because it is, as I said, flawed in principle. It's a form of encryption in which the attacker and intended recipient are the same guy. Essentially, the fox (end-user) is guarding the hen house (media).

The solution is to provide incentive for the fox to not eat the hens. You have thus far failed in this task, but it's primarily because you haven't been thinking as consumers. Essentially, you've been attempting to sell the media equivalent of a book with a padlock on it, then expecting people not to try and break the padlock.

I would suggest that you, instead, use the technological equivalent of a VIN.

DCT Resistant Steganography (DCTRS) has been around for a while. What it does, essentially, is write a message, in indelible digital ink, into a media file. At the point of purchase, you can record the media's ID and purchaser's information and store it in a database that you all will share, and that will be administrated by a joint committee between yourselves and the US Copyright Office.

The term comes from the method of compression that is used in everything from JPEGs to MP3s to video: the Discrete Cosine Transform.

The DCT is a way of converting a signal into the frequency domain. You've seen its output every time you've looked at a spectrographic analysis of the music you're listening to. Because of properties of DCT output (most data at the front of the analysis) and of human perception (we don't notice quiet sounds or low contrast stuff), you can take quite a chunk of information out of the data stream. This is why you can get your music files down to one fifth their uncompressed size with no notable loss in quality, and video down by an order of tens with the same imperceptible quality loss.

What DCTRS does is embed a short message, such as a 256-bit ID, throughout the file. It does so in subtle ways, but tries to ensure that the compressor will be fooled into leaving it in by making the changes in a way that the output data looks the same, but the compressed data is /logically/ different. The upshot of all of this is that the ID is obtainable through only a few seconds of audio or video, and in order to remove the 'indelible ink', you have to damage the whole product (i.e., significantly reduce the encoded quality). This ID even passes unchanged through the 'analog hole', because the hidden data is encoded in the same part of the media data that one seeks to preserve: that which we can perceive.
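As an added illustration (not code from this letter or from any DCTRS implementation), here is one way an ID can be written into DCT coefficients so that it survives coarse re-quantisation. It uses quantization index modulation, a standard watermarking technique swapped in because the letter does not specify the embedding method; the block size `N`, carrier coefficient `K`, step `STEP`, the `lossy` codec stand-in and the sample signal and ID are all assumptions made for the example.

```python
import math

N, K, STEP = 8, 3, 24.0  # assumed: block size, carrier coefficient, QIM step

def scale(k):
    return math.sqrt((1 if k == 0 else 2) / N)

def dct(x):
    # Orthonormal DCT-II of one block of N samples.
    return [scale(k) * sum(v * math.cos(math.pi * (n + 0.5) * k / N)
                           for n, v in enumerate(x)) for k in range(N)]

def idct(c):
    # Inverse transform, rounded back to integer PCM samples.
    return [round(sum(scale(k) * v * math.cos(math.pi * (n + 0.5) * k / N)
                      for k, v in enumerate(c))) for n in range(N)]

def blocks(pcm):
    return [pcm[i:i + N] for i in range(0, len(pcm) - N + 1, N)]

def embed(pcm, bits):
    # Repeat the ID through the whole signal, one bit per block.
    out = []
    for i, blk in enumerate(blocks(pcm)):
        c, b = dct(blk), bits[i % len(bits)]
        # Snap coefficient K to the nearest even (bit 0) or odd (bit 1) multiple of STEP.
        c[K] = (2 * round((c[K] / STEP - b) / 2) + b) * STEP
        out += idct(c)
    return out

def lossy(pcm, q=10.0):
    # Stand-in for a lossy codec: quantise every DCT coefficient to a multiple of q.
    return [s for blk in blocks(pcm) for s in idct([round(v / q) * q for v in dct(blk)])]

def extract(pcm, nbits):
    # Majority vote per ID bit over every repetition found in the signal.
    votes = [0] * nbits
    for i, blk in enumerate(blocks(pcm)):
        votes[i % nbits] += 1 if round(dct(blk)[K] / STEP) % 2 else -1
    return [int(v > 0) for v in votes]

def demo():
    # Constructed input: two-tone test signal, 32-bit sample ID (the letter proposes 256).
    pcm = [round(3000 * math.sin(0.35 * n) + 1200 * math.sin(1.9 * n)) for n in range(768)]
    bits = [(0xC0FFEE42 >> i) & 1 for i in range(32)]
    marked = embed(pcm, bits)
    drift = max(abs(a - b) for a, b in zip(pcm, marked))
    return bits, extract(marked, 32), extract(lossy(marked), 32), drift
```

`demo()` returns the ID, the ID read back from the marked signal, the ID read back after the simulated codec, and the largest per-sample change the embedding made. The mark holds as long as the codec's coefficient error stays below `STEP / 2`, which is the trade-off between robustness and audible change that an implementer has to tune.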

At the point of sale, this 256-bit ID would be linked to your account, or to a swipe of your credit card, driver's license, or the data from some other form of ID. As a result, the customer can be held personally responsible for the unauthorized distribution of content in any way that violates standard copyright law. Meanwhile, that same customer is free to format shift their media in any way they please; the files are unencrypted.

On the subject of development, I must say that AACS is very, very well developed. It is a very tight implementation of the DRM concept, and that it's already been broken does not speak to the merits of its developers - only to the flawed nature of DRM in general. I would suggest that these very people be the ones to implement the DCTRS you use in your content management.

Execs can stop reading here. I want to speak to potential developers of this DCTRS implementation:

You may be tempted to embed the ID only in the audio segment of a video file. This is a terribly bad idea. Due to the lower standard held to audio in video streams, a pirate may attempt to do a hybrid attack (i.e., reduce quality in multiple copies in different ways, and reimprove the quality to a reasonable threshold by recombining them with an eye towards increasing the per-sample PCM delta. Kind of like combining images while keeping a weight on the higher contrast of the two.) While the stripped copy will remain lower quality than the original to a degree that would be unacceptable for music, it may end up acceptable for video. The resulting 'wild' file would thus become a competitor for the Real Thing.

Such an attack doesn't work on the video stream, as that's the central point of attention in video; the output would still be of sufficiently lower quality to warrant a higher value placed on the Real Thing. So don't be lazy; put the ID in all video and audio streams.

I would also suggest implementing DCTRS under an OSS license with paid commercial use, so that even independent artists can benefit from your work.

* I apologize for calling the DVD-CCS, AACS-LA, Apple and Microsoft vultures. It's economic reality that wherever there is a profit to be made, there will be someone to step in and take the job. They're only really doing what you ask them to.