Re: [dvd-discuss] A TPM without use limitations -- thoughts?

["John Zulauf" <johnzu(at)ia.nsc.com>]

Group reply (to Joshua, Michael and David):

First, lets agree on what the TPM appears to be.  My reading of it is
that it is a signature for a given work (perhaps a given pressing of a
work), so the purpose is to make searching for a given work simpler and
more accurate.  Name mangling won't hide a work, but at the same time a
book report entitled "Harry Potter and the Sorcerers Stone" won't
generate a false positive and would tend to reduce the number of
embarrassing and harassing C&D's to twelve year old children and other
innocents.  Actually I see some potential positives [note 1] from "work
fingerprinting" if generally applied.

Joshua Stratton wrote:
> 
> I remain wary of this. The systems used for tracking themselves seem to
> pose concerns of privacy to consumers and retailers, and could likely
> impose burdens -- even if merely the cost of having to hire a clerk smart
> enough to operate the new equipment, or the additional time it would take
> to perform the identification at POS -- on retailers.

Given my reading of the TPM, this isn't an issue.  Privacy and anonymity
are preserved.  The fingerprint works as "embedded meta-data" or better
a "key" to a for some meta-data dictionary (can you tell I've been doing
Python lately?).


> > On Wed, 30 Oct 2002, John Zulauf wrote:
> > > Remember that a fair objective is to reduce the number of infringing
> > > copies and copiers of copyright works. 

Michael A Rolenz wrote:
> I think that the RIAA, MPAA objective is beyond that. 

Clearly this is true in general.  However the EMI fingerprinting scheme
(again assuming it isn't used for access control, etc.) seems limited to
the smaller fair objective.  Just because the industry is acting in
foolish arrogance, it doesn't mean this particular example goes beyond a
the "reasonable man" test for what a personal wishing to assert their
limited rights would reasonably do, without infringing on the users
rights.

We shouldn't knee-jerk reject this as "too intrusive" -- this may be
"just right."

 
Michael A Rolenz wrote:
> ANother point is that the copy that is being stripped, ripped and dipped
> is PERSONAL property. One can do ANYTHING one wants with personal property
> whether they want to strip, rip,or dip it for fun in the privacy of ones
> home or even in public for any reason on can think of - curiousity, a
> challenge or even to infringe.  

Clearly Michael's comments are a more complete and accurate here than my
more terse original.

However, if the fingerprint is perfectly transparent from the end user
point of view why would the average person strip it other than to
infringe (especially if the "positives" of Note 1 are extant).  If you
want to practice picking your own locks at home, go ahead.  If you're
found at a stranger home with the picks in your pocket a midnight, the
scratched up locks at home will be awfully damaging to your "I guess I
just got lost" defense.

> So there is no reasonable cause for search
> or seizure to begin with and the "presumption of innocence" still applies.
> The presumption that one is doing so to infringe is as invalid as the
> presumption the RIAA, MPAA has that everybody who has a CDburner is a CD
> pirate.

Clearly.  Those who own AR-15's are not all serial snipers either. 
However, .223's in the stump (and fingerprint removers) are still
circumstantial evidence, and may be a piece of a "probable cause" for a
warrant.

> Should one be caught doing massive infringement, then the fact that one
> has systematically removed finger prints to prevent tracking may be used
> to preclude a defense of "I didn't know what I was doing is wrong."

Exactly so.  This is what I meant about reasonable cause for a S&S.  If
the EMI finds a cache of their works online (with fingerprint), they can
easily C&D to stop it (with fewer false C&D's and "chilling effects")
issues.  They can point Verizon to the public port of the P2P and say
scan the contents and "plug that please".  If they find a cache of
content online without fingerprints, they are liable to start sniffing
around for a DrinkOrDie type organized warez tribe, and the stripping
itself would probably be "probable cause" for a warrant and seizure.

> or " I
> just wasn't thinking" or "I didn't realize that my giant jukebox of CDs
> was accessible on the internet" 

However the fingerprint is a "win-win" indicator of intent, which should
ensure (in the "reasonable man" sense) an appropriate response.  I've
indicated how a fingerprint system helps prevents false positives, below
is an example where fingerprint indicating "intent" help resolve a real,
accidental positive, in a reasonable, measured "win-win" way.

If I set up a P2P private net with 10 of my friends (and password
protect it for just us)  the RIAA (or BayTSP) won't ever see it. 
However, if I screw up the settings and the public net becomes public
(or somebody cracks / leaks and posts the private net's password) then
leaving the fingerprint intact means that a C&D could be answered by a
password/settings change and issue closed. For example, Verizon sends
email saying "your P2P volume of the copyrighted works listed below is
publicly visible, please ensure this volume is not publicly visible
within NNN [Note 3] days, or we will suspend your account." The issue is
easily and quickly resolved without a federal case.  There is no
question about a "false positive," (no Harry Potter book report this),
Verizon doesn't have to divulge any privacy information, the private net
is private again, and the RIAA goes away.  This is an a "oops" defense
of "didn't mean for the world to see this" and never goes to trial. 
Note in all this the spirit of the AHRA is maintained, and fair use in
not reduced.  [Note 4]

> but as David has pointed out if you can't
> figure out who, then they aren't going to accomplish anything. And HOW do
> you keep track of who has what fingerprint? Or did?

The point isn't who stripped it, but that are a particular individual is
publicly sharing stripped content.

daw@mozart.cs.berkeley.edu wrote:
> 
> John Zulauf wrote:
> >(I) (Infringers take note!) If fingerprinting doesn't interfere with
> >normal, fair uses (back-up, personal copies, space-shifting, etc) then
> >anybody stripping the fingerprint is doing so *only* to attempt to
> >infringe and trade the work publicly -- and have clearly shown intent to
> >infringe. This works toward building "reasonable cause" for search and
> >seizure, and for overcoming "presumption of innocence" in the eventual
> >prosecutions.
> 
> That's useless if you can't figure out who did the ripping & stripping:
> if you don't know who they are, you can't sue or prosecute them.
> If fingerprints are easily strippable, then I don't see how they are
> going to be a competitive alternative to DRM.

I hope I've addressed some of your statement above.  The stripping
itself wouldn't be a crime, but publicly sharing stripped content
certain would indicate "intent to infringe" and thus work against any
"fair use" defense.  Also a defense of "I don't know how this got
stripped content because I don't know where I got the content from" is
essential an admission that the copy you are sharing was an infringing
copy (not from a friend or other AHRA-type or other fair-use source) in
the first place, thus adding "intent" evidence.  

Now, if a CD counterfeiter stripped the content and published fake,
stripped originals, this might confuse things a bit, but the fact that
the "positives" (noted below) would fail would (a) flag the CD as
counterfeit and (b) reduce the value of the counterfeit -- i.e. it's not
a likely scenario.


Best Regards All,

.002

Note 1: As I've defined it, there are lots of potential positives for a
fingerprint system, if made "open." Actually the "openness" of the
fingerprint will be a side effect of the "crack-to-strip" effort whether
or not EMI wants it to be open -- clearly a fingerprint reader doesn't
"circumvent. " A unique signature system, broadly adopted, would make
stuff like CDDB a whole lot easier and more accurate.  A nice enticement
to the public to keep the fingerprint intact. One can think of others. 
One could imagine a "Nielson"-like ratings systems that could run
automatically (and anonymously) on people's players (with their
permission of course), such that instantaneous "popularity" could be
assessed.  It would be an interesting way of solving the "obscurity"
problem [Note 2] as a local band could get instant visibility through
MP3 give-aways etc.  Of course their would be problems with
"astroturfing" but that's where ratings guys (and their
official/scientific statistics) would earn their money.

Note 2: An excellent point that was made in some of the post-Eldred
coverage is that the biggest risk to the profitability of a given work
isn't infringing copies, but rather obscurity.  Given the number of
works, and the finite shelf space and review space (e.g. NY Time Book
section) most works never rise above the noise.  One wonders how many
great authors there are that nobody ever heard of, this is the obscurity
problem.  Combined with long copyright terms and the lack of archival
copies, it is the largest threat to having the largest eventual public
domain.

Note 3: "NNN days" should probably at least two weeks to handle
vacations, and allow for a letter with information how to reenable the
account to be received (email with information on how to reactivate an
email account doesn't work, but has been done -- d'oh!

Note 4: I'll go on record as saying that public sharing of copyright
works WITHOUT the copyright holders permission is not fair use, based on
the "impact on market value" test.  Others may disagree, but this to me
seems a clear and reasonable boundary. The public -- with anyone/visible
to anyone -- vs.  private -- with those you know personally -- dichotomy
is common one in law, and when combined with "noncommercial" gives a
bright line about copies that are likely to be "fair"