Copyright, Code and Creativity A Note of Caution About DRM in JPEG Jeremy Malcolm JPEG Workshop, Brussels October 13, 2015 JPEG, October 13, 2015 Outline Problems with DRM Technical and Security Problems Legal and Social Problems Alternatives to DRM Technical and Security Alternatives Legal and Social Alternatives Copyright, Code and Creativity Jeremy Malcolm eff.org 2 JPEG, October 13, 2015 Introduction • Some of the proposals for the JPEG Privacy & Security activity threaten to create a form of DRM for images Copyright, Code and Creativity Jeremy Malcolm eff.org 3 JPEG, October 13, 2015 Introduction • Some of the proposals for the JPEG Privacy & Security activity threaten to create a form of DRM for images • This would not be effective at protecting intellectual property rights in images and would have unwanted side-effects Copyright, Code and Creativity Jeremy Malcolm eff.org 4 JPEG, October 13, 2015 Introduction • Some of the proposals for the JPEG Privacy & Security activity threaten to create a form of DRM for images • This would not be effective at protecting intellectual property rights in images and would have unwanted side-effects • Most other objectives of the JPEG Privacy & Security activity can be achieved without resorting to DRM Copyright, Code and Creativity Jeremy Malcolm eff.org 5 JPEG, October 13, 2015 Problems with DRM Alternatives to DRM Copyright, Code and Creativity Jeremy Malcolm eff.org 6 JPEG, October 13, 2015 Cryptographers Don’t Believe That DRM Works “Digital files cannot be made uncopyable, any more than water can be made not wet.” — Bruce Schneier • To allow use of DRM-protected works requires distributing both the “lock” and the “key” to the user • It only ever takes time for the key to be extracted! Copyright, Code and Creativity Jeremy Malcolm eff.org 7 JPEG, October 13, 2015 Cryptographers Don’t Believe That DRM Works “Digital files cannot be made uncopyable, any more than water can be made not wet.” — Bruce Schneier • To allow use of DRM-protected works requires distributing both the “lock” and the “key” to the user • It only ever takes time for the key to be extracted! • At worst, the analog hole can always be used Copyright, Code and Creativity Jeremy Malcolm eff.org 8 JPEG, October 13, 2015 Cryptographers Don’t Believe That DRM Works Copyright, Code and Creativity Jeremy Malcolm eff.org 9 JPEG, October 13, 2015 DRM Does Not Map Cleanly To Legal Rights • Does not account for copyright limitations such as fair dealing, fair use and quotation Copyright, Code and Creativity Jeremy Malcolm eff.org 10 JPEG, October 13, 2015 DRM Does Not Map Cleanly To Legal Rights • Does not account for copyright limitations such as fair dealing, fair use and quotation • Allows anti-competitive conduct like region coding Copyright, Code and Creativity Jeremy Malcolm eff.org 11 JPEG, October 13, 2015 DRM Does Not Map Cleanly To Legal Rights • Does not account for copyright limitations such as fair dealing, fair use and quotation • Allows anti-competitive conduct like region coding • Even archives often (wrongly) claim copyright-like rights in public domain images Copyright, Code and Creativity Jeremy Malcolm eff.org 12 JPEG, October 13, 2015 DRM Doesn’t Achieve Standardization Goals DRM does not actually protect media, but it does: • Restrict media from being used with free and open source tools. • Make interoperability more difficult to engineer. • Expose coders and researchers to additional legal risk. • Extend a bad precedent for the extension of DRM to other forms of digital content. Copyright, Code and Creativity Jeremy Malcolm eff.org 13 JPEG, October 13, 2015 DRM Doesn’t Achieve Standardization Goals DRM does not actually protect media, but it does: • Restrict media from being used with free and open source tools. • Make interoperability more difficult to engineer. • Expose coders and researchers to additional legal risk. • Extend a bad precedent for the extension of DRM to other forms of digital content. EME standardization at W3C EME has not produced a reliable solution – it’s a support/implementation nightmare that members can’t make sense of. Copyright, Code and Creativity Jeremy Malcolm eff.org 14 JPEG, October 13, 2015 DRM Reduces the Value of Content Apple TV 2, with lower specs than Apple TV 3, sells for three times as much Copyright, Code and Creativity Jeremy Malcolm eff.org 15 JPEG, October 13, 2015 DRM Reduces the Value of Content Apple TV 2, with lower specs than Apple TV 3, sells for three times as much Copyright, Code and Creativity Jeremy Malcolm eff.org 16 JPEG, October 13, 2015 Exposure to Liability for Vulnerability Reporting • Anti-circumvention laws threaten liability for those reporting vulnerabilities in DRM implementations Copyright, Code and Creativity Jeremy Malcolm eff.org 17 JPEG, October 13, 2015 Exposure to Liability for Vulnerability Reporting • Anti-circumvention laws threaten liability for those reporting vulnerabilities in DRM implementations • Especially worrying in JPEG world, since their images find their way into so many products and UIs Public health and safety If your pacemaker’s app uses JPEG icons, it could potentially criminalize vulnerability reporting Copyright, Code and Creativity Jeremy Malcolm eff.org 18 JPEG, October 13, 2015 Exposure to Liability for Vulnerability Reporting • Anti-circumvention laws threaten liability for those reporting vulnerabilities in DRM implementations • Especially worrying in JPEG world, since their images find their way into so many products and UIs Public health and safety If your pacemaker’s app uses JPEG icons, it could potentially criminalize vulnerability reporting • The end-result: long-lived critical vulnerabilities that are never reported for fear of prosecution Copyright, Code and Creativity Jeremy Malcolm eff.org 19 JPEG, October 13, 2015 DRM Infringes Freedom of Expression • Felten, et al., v. RIAA, et al. • The music industry used the Digital Millennium Copyright Act (DMCA) to threaten Princeton and Rice University Professors from discussing security flaws in its SDMI DRM technology. Copyright, Code and Creativity Jeremy Malcolm eff.org 20 JPEG, October 13, 2015 DRM Infringes Freedom of Expression • Felten, et al., v. RIAA, et al. • The music industry used the Digital Millennium Copyright Act (DMCA) to threaten Princeton and Rice University Professors from discussing security flaws in its SDMI DRM technology. • Dmitry Sklyarov prosecution • A Russian programmer was charged with violating the DMCA for speaking at DEF CON about breaking e-book encryption (even though this was legal in Russia!) Copyright, Code and Creativity Jeremy Malcolm eff.org 21 JPEG, October 13, 2015 DRM is Out of Step With Emerging Policy Norms • 2014 OECD recommendation requires disclosure of “any technical measures that have been put in place, including any effects that these measures may have on product or device usage.” Copyright, Code and Creativity Jeremy Malcolm eff.org 22 JPEG, October 13, 2015 DRM is Out of Step With Emerging Policy Norms • 2014 OECD recommendation requires disclosure of “any technical measures that have been put in place, including any effects that these measures may have on product or device usage.” • July 2015 European Parliament report emphasizes problems with “portability and geoblocking” and notes that “lack of interoperability hampers innovation, reduces competition and harms the consumer”. Copyright, Code and Creativity Jeremy Malcolm eff.org 23 JPEG, October 13, 2015 DRM is Out of Step With Emerging Policy Norms • 2014 OECD recommendation requires disclosure of “any technical measures that have been put in place, including any effects that these measures may have on product or device usage.” • July 2015 European Parliament report emphasizes problems with “portability and geoblocking” and notes that “lack of interoperability hampers innovation, reduces competition and harms the consumer”. The bottom line: DRM is considered antithetical to the public interest Copyright, Code and Creativity Jeremy Malcolm eff.org 24 JPEG, October 13, 2015 Problems with DRM Alternatives to DRM Copyright, Code and Creativity Jeremy Malcolm eff.org 25 JPEG, October 13, 2015 Cryptography • Many use cases for JPEG Privacy & Security only require signing not encrypting metadata • Integrity of an original version of the image • Tracking of modifications • Integrity of the metadata (date, copyright) • For encryption of the entire image file to prevent access, common container formats for this exist already • For encryption of plain text metadata only, this can be done without locking the whole image Copyright, Code and Creativity Jeremy Malcolm eff.org 26 JPEG, October 13, 2015 Rights Management Information • Even without technical protection for metadata, the law already limits removal of rights information • InfoSoc Directive Article 7(1)(1), DMCA Section 1202 • This does not only apply to user-visible marks, therefore likely includes IPTC, Exif and XMP metadata Copyright, Code and Creativity Jeremy Malcolm eff.org 27 JPEG, October 13, 2015 Rights Management Information • Even without technical protection for metadata, the law already limits removal of rights information • InfoSoc Directive Article 7(1)(1), DMCA Section 1202 • This does not only apply to user-visible marks, therefore likely includes IPTC, Exif and XMP metadata • Watermarking Copyright, Code and Creativity Jeremy Malcolm eff.org 28 JPEG, October 13, 2015 Rights Management Information • Even without technical protection for metadata, the law already limits removal of rights information • InfoSoc Directive Article 7(1)(1), DMCA Section 1202 • This does not only apply to user-visible marks, therefore likely includes IPTC, Exif and XMP metadata • Watermarking • Stegonography Copyright, Code and Creativity Jeremy Malcolm eff.org 29 JPEG, October 13, 2015 Licensing • Good (if unsurprising) news — licenses are enforceable • All active Creative Commons image licenses include an Attribution condition Copyright, Code and Creativity Jeremy Malcolm eff.org 30 JPEG, October 13, 2015 Recommendations. 1 Online platforms should be encouraged to preserve image metadata (the law may even require this) Copyright, Code and Creativity Jeremy Malcolm eff.org 31 JPEG, October 13, 2015 Recommendations. 1 Online platforms should be encouraged to preserve image metadata (the law may even require this) 2 Those concerned with attribution should utilize an appropriate license that allows reuse with attribution Copyright, Code and Creativity Jeremy Malcolm eff.org 32 JPEG, October 13, 2015 Recommendations. 1 Online platforms should be encouraged to preserve image metadata (the law may even require this) 2 Those concerned with attribution should utilize an appropriate license that allows reuse with attribution 3 JPEG Privacy & Security group should work on extensions to allow signing of image metadata Copyright, Code and Creativity Jeremy Malcolm eff.org 33 JPEG, October 13, 2015 Recommendations. 1 Online platforms should be encouraged to preserve image metadata (the law may even require this) 2 Those concerned with attribution should utilize an appropriate license that allows reuse with attribution 3 JPEG Privacy & Security group should work on extensions to allow signing of image metadata 4 JPEG Privacy & Security group should not create a DRM-protected image format that inhibits access Copyright, Code and Creativity Jeremy Malcolm eff.org 34 JPEG, October 13, 2015 Summary JPEG Privacy & Security has some worthwhile aims • Validating (not preserving) image and metadata integrity • Encrypting plain text metadata for protection of privacy It also has some which are probably not achievable • Protecting intellectual property rights • Preserving the economic value of protected images For those that are not achievable, alternatives exist • Existing protection of copyright law and license terms • For preventing copying, encrypt the image in a container Copyright, Code and Creativity Jeremy Malcolm eff.org 35 JPEG, October 13, 2015 Questions? Jeremy Malcolm jmalcolm@eff.org Copyright, Code and Creativity Jeremy Malcolm eff.org 36