Re: [dvd-discuss] A TPM without use limitations -- thoughts?

[microlenz(at)earthlink.net]

On 31 Oct 2002 at 11:16, John Zulauf wrote:

Date sent:      	Thu, 31 Oct 2002 11:16:32 -0700
From:           	"John Zulauf" <johnzu@ia.nsc.com>
To:             	dvd-discuss@eon.law.harvard.edu
Subject:        	Re: [dvd-discuss] A TPM without use limitations -- thoughts?
Send reply to:  	dvd-discuss@eon.law.harvard.edu

> Group reply (to Joshua, Michael and David):
> 
> First, lets agree on what the TPM appears to be.  My reading of it is
> that it is a signature for a given work (perhaps a given pressing of a
> work), so the purpose is to make searching for a given work simpler and
> more accurate.  Name mangling won't hide a work, but at the same time a
> book report entitled "Harry Potter and the Sorcerers Stone" won't
> generate a false positive and would tend to reduce the number of
> embarrassing and harassing C&D's to twelve year old children and other
> innocents.  Actually I see some potential positives [note 1] from "work
> fingerprinting" if generally applied.

OK then it's the equivalent of a secure hash function designed for searching. 
It can't just be the first 1023 Bytes of the file that says "THIS IS THE 
PROPERTY OF BLAH BLAH AND YOU HAVE STOLEN IT FROM BLAH BLAH. HEREBY COMES YOUR 
DOOM..."etc That's too easy to strip out. So it's gotta be embedded somehow 
into the work. Something that allows them to identify it as THEIR copyrighted 
work. <exercise for the alert reader. That means that they must automate their 
search and begin doing massive downloads of stuff to check for watermarks. SO 
what we now have is a bunch of programs downloading stuff automatically and 
checking for copyright infringment...Hey this may be the biggest reason for 
MASSIVE broadband yet but  I don't think the ISPs should pay for the extra 
bandwidth. If RIAA and MPAA want to fund this fine. Let them. I wouldn't mind 
an upgrade to DSL courtesy of JackBoots...now if he starts searching my machine 
they'll be electrons spilled..>

> 
> Joshua Stratton wrote:
> > 
> > I remain wary of this. The systems used for tracking themselves seem to
> > pose concerns of privacy to consumers and retailers, and could likely
> > impose burdens -- even if merely the cost of having to hire a clerk smart
> > enough to operate the new equipment, or the additional time it would take to
> > perform the identification at POS -- on retailers.
> 
> Given my reading of the TPM, this isn't an issue.  Privacy and anonymity
> are preserved.  The fingerprint works as "embedded meta-data" or better
> a "key" to a for some meta-data dictionary (can you tell I've been doing
> Python lately?).
> 

Yes without some personal identifier this is not an issue. The signature tells 
you that "THIS IS IT". If privacy and anonymity are preserved the how does this 
allow tracking - only identification.

> 
> > > On Wed, 30 Oct 2002, John Zulauf wrote:
> > > > Remember that a fair objective is to reduce the number of infringing
> > > > copies and copiers of copyright works. 
> 
> Michael A Rolenz wrote:
> > I think that the RIAA, MPAA objective is beyond that. 
> 
> Clearly this is true in general.  However the EMI fingerprinting scheme
> (again assuming it isn't used for access control, etc.) seems limited to
> the smaller fair objective.  Just because the industry is acting in
> foolish arrogance, it doesn't mean this particular example goes beyond a
> the "reasonable man" test for what a personal wishing to assert their
> limited rights would reasonably do, without infringing on the users
> rights.
> 
> We shouldn't knee-jerk reject this as "too intrusive" -- this may be
> "just right."

I agree. They can put anything they want on their files. What is a problem is that removing it becomes apriori evidence of piracy. Presumption can be merely  legal prejudice. Of course I don't know why anyone would bother to remove them...the issue is infringement. In stead of the Salem Witch 
Trials we get the Intellectual Property trials. Guilty now prove your innocence.

> 
> 
> Michael A Rolenz wrote:
> > ANother point is that the copy that is being stripped, ripped and dipped
> > is PERSONAL property. One can do ANYTHING one wants with personal property
> > whether they want to strip, rip,or dip it for fun in the privacy of ones home
> > or even in public for any reason on can think of - curiousity, a challenge or
> > even to infringe.  
> 
> Clearly Michael's comments are a more complete and accurate here than my
> more terse original.
> 
> However, if the fingerprint is perfectly transparent from the end user
> point of view why would the average person strip it other than to
> infringe (especially if the "positives" of Note 1 are extant).  If you
> want to practice picking your own locks at home, go ahead.  If you're
> found at a stranger home with the picks in your pocket a midnight, the
> scratched up locks at home will be awfully damaging to your "I guess I
> just got lost" defense.

The average person? The law is not concerned with the average person. It is not 
up to anyone to demonstrate that their deviation from the mythical average 
person is illegal but that they have done an illegal act. The real issue with 
the DCMA is not that you found someone in your home with lockpicks at midnight 
but that they had lockpicks elsewhere. If you find someone in you home you 
don't need the lockpicks for a conviction.It merely adds additional evidence 
supporting the charge - breaking and entering. DItto for removal of the 
signature. It makes it a deliberate act but it is the act that is illegal not 
the evidence that points to it being deliberate.

> 
> > So there is no reasonable cause for search
> > or seizure to begin with and the "presumption of innocence" still applies. The
> > presumption that one is doing so to infringe is as invalid as the presumption
> > the RIAA, MPAA has that everybody who has a CDburner is a CD pirate.
> 
> Clearly.  Those who own AR-15's are not all serial snipers either. 
> However, .223's in the stump (and fingerprint removers) are still
> circumstantial evidence, and may be a piece of a "probable cause" for a
> warrant.
> 

The old little thing called "probable cause" and "due process"..circumstantial evidence 
AFTER a crime has been committed but not before. 


> > Should one be caught doing massive infringement, then the fact that one
> > has systematically removed finger prints to prevent tracking may be used
> > to preclude a defense of "I didn't know what I was doing is wrong."
> 
> Exactly so.  This is what I meant about reasonable cause for a S&S.  If
> the EMI finds a cache of their works online (with fingerprint), they can
> easily C&D to stop it (with fewer false C&D's and "chilling effects")
> issues.  They can point Verizon to the public port of the P2P and say
> scan the contents and "plug that please".  If they find a cache of
> content online without fingerprints, they are liable to start sniffing
> around for a DrinkOrDie type organized warez tribe, and the stripping
> itself would probably be "probable cause" for a warrant and seizure.
> 

It certainly warrants further investigation. Is this a private P2P or are 
they offering works to the public? And to what extent are they doing so. Maybe the P2Ps
should adopt the old Borland License "use it like a book. You can't read two books at the same time
in different places" 


Actually I have no problem with this (aside from the problem that all the 
scanning the MPAA, RIAA are likely to do will reduce the capacity of the 
internet causing it to be over sized for what it does. If that oversize is 10%, 
then maybe OK but a 1000% is too much of a burden. THe people who are so 
concerned about their intellectual property are a $10B a year industry 
dictating to a $100B industry..maybe the $100B industry should just say to the 
$10B industry...Here's $1B, how many copyright works do I get for that...No...I 
don't want "Ma and Pa Kettle" I want Casablanca"

> > or " I
> > just wasn't thinking" or "I didn't realize that my giant jukebox of CDs
> > was accessible on the internet" 
> 
> However the fingerprint is a "win-win" indicator of intent, which should
> ensure (in the "reasonable man" sense) an appropriate response.  I've
> indicated how a fingerprint system helps prevents false positives, below
> is an example where fingerprint indicating "intent" help resolve a real,
> accidental positive, in a reasonable, measured "win-win" way.
> 
> If I set up a P2P private net with 10 of my friends (and password
> protect it for just us)  the RIAA (or BayTSP) won't ever see it. 
> However, if I screw up the settings and the public net becomes public
> (or somebody cracks / leaks and posts the private net's password) then
> leaving the fingerprint intact means that a C&D could be answered by a
> password/settings change and issue closed. For example, Verizon sends
> email saying "your P2P volume of the copyrighted works listed below is
> publicly visible, please ensure this volume is not publicly visible
> within NNN [Note 3] days, or we will suspend your account." The issue is
> easily and quickly resolved without a federal case.  There is no
> question about a "false positive," (no Harry Potter book report this),
> Verizon doesn't have to divulge any privacy information, the private net
> is private again, and the RIAA goes away.  This is an a "oops" defense
> of "didn't mean for the world to see this" and never goes to trial. 
> Note in all this the spirit of the AHRA is maintained, and fair use in
> not reduced.  [Note 4]



> 
> > but as David has pointed out if you can't
> > figure out who, then they aren't going to accomplish anything. And HOW do you
> > keep track of who has what fingerprint? Or did?
> 
> The point isn't who stripped it, but that are a particular individual is
> publicly sharing stripped content.
> 
> daw@mozart.cs.berkeley.edu wrote:
> > 
> > John Zulauf wrote:
> > >(I) (Infringers take note!) If fingerprinting doesn't interfere with
> > >normal, fair uses (back-up, personal copies, space-shifting, etc) then
> > >anybody stripping the fingerprint is doing so *only* to attempt to
> > >infringe and trade the work publicly -- and have clearly shown intent to
> > >infringe. This works toward building "reasonable cause" for search and
> > >seizure, and for overcoming "presumption of innocence" in the eventual
> > >prosecutions.
> > 
> > That's useless if you can't figure out who did the ripping & stripping:
> > if you don't know who they are, you can't sue or prosecute them.
> > If fingerprints are easily strippable, then I don't see how they are
> > going to be a competitive alternative to DRM.
> 
> I hope I've addressed some of your statement above.  The stripping
> itself wouldn't be a crime, but publicly sharing stripped content
> certain would indicate "intent to infringe" and thus work against any
> "fair use" defense.  Also a defense of "I don't know how this got
> stripped content because I don't know where I got the content from" is
> essential an admission that the copy you are sharing was an infringing
> copy (not from a friend or other AHRA-type or other fair-use source) in
> the first place, thus adding "intent" evidence.  
> 
> Now, if a CD counterfeiter stripped the content and published fake,
> stripped originals, this might confuse things a bit, but the fact that
> the "positives" (noted below) would fail would (a) flag the CD as
> counterfeit and (b) reduce the value of the counterfeit -- i.e. it's not
> a likely scenario.
> 
> 
> Best Regards All,
> 
> .002
> 
> Note 1: As I've defined it, there are lots of potential positives for a
> fingerprint system, if made "open." Actually the "openness" of the
> fingerprint will be a side effect of the "crack-to-strip" effort whether
> or not EMI wants it to be open -- clearly a fingerprint reader doesn't
> "circumvent. " A unique signature system, broadly adopted, would make
> stuff like CDDB a whole lot easier and more accurate.  A nice enticement
> to the public to keep the fingerprint intact. One can think of others. 
> One could imagine a "Nielson"-like ratings systems that could run
> automatically (and anonymously) on people's players (with their
> permission of course), such that instantaneous "popularity" could be
> assessed.  It would be an interesting way of solving the "obscurity"
> problem [Note 2] as a local band could get instant visibility through
> MP3 give-aways etc.  Of course their would be problems with
> "astroturfing" but that's where ratings guys (and their
> official/scientific statistics) would earn their money.
> 
> Note 2: An excellent point that was made in some of the post-Eldred
> coverage is that the biggest risk to the profitability of a given work
> isn't infringing copies, but rather obscurity.  Given the number of
> works, and the finite shelf space and review space (e.g. NY Time Book
> section) most works never rise above the noise.  One wonders how many
> great authors there are that nobody ever heard of, this is the obscurity
> problem.  Combined with long copyright terms and the lack of archival
> copies, it is the largest threat to having the largest eventual public
> domain.
> 
> Note 3: "NNN days" should probably at least two weeks to handle
> vacations, and allow for a letter with information how to reenable the
> account to be received (email with information on how to reactivate an
> email account doesn't work, but has been done -- d'oh!
> 
> Note 4: I'll go on record as saying that public sharing of copyright
> works WITHOUT the copyright holders permission is not fair use, based on
> the "impact on market value" test.  Others may disagree, but this to me
> seems a clear and reasonable boundary. The public -- with anyone/visible
> to anyone -- vs.  private -- with those you know personally -- dichotomy
> is common one in law, and when combined with "noncommercial" gives a
> bright line about copies that are likely to be "fair"
>