Category Archive: Copyright

May 02 2016

Is French HADOPI law dead (13)?

We now know for sure that HADOPI will be dead in 2022. On 27 April 2016, the French National Assembly approved an amendment decreeing that HADOPI will expire on 4 February 2022.

ARTICLE 43 BIS

Complete this article with the following paragraph:

« II. – The same sub-section is repealed as of 4 February 2022. By way of derogation from Article L. 331-16 of the same Code, the term of office of the members appointed after the publication of this Act expires on 4 February 2022. »

SUMMARY STATEMENT OF REASONS

As the rapporteur proposed in committee, this amendment writes into law the end of life of the Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet (HADOPI), taking effect at the expiry of the current term of the last of its appointed members, i.e. 4 February 2022.

That milestone is still far away. Nevertheless, HADOPI has been in turmoil for a few months. In October 2015, the French Senate issued a report on the creation and management of independent administrative authorities; HADOPI is one such authority. On page 70 of the report, the rapporteur proposed abolishing HADOPI, as it has not proven its efficiency as the policeman of the Internet and the graduated response has not been operative against piracy.

Your rapporteur therefore proposes the abolition of the Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet (HADOPI), considering that this authority has not proven its effectiveness as the policeman of the Internet and that the means of fighting piracy through the graduated response mechanism are inoperative. Should this body be reoriented, to make it one tool among others for fighting cultural counterfeiting and protecting authors' rights on the Internet, it could survive as a specialised commission or even as a public institution. (translated from French)

When will its actual death be?

Feb 10 2016

DMCA triennial exemptions

Every three years, the Librarian of Congress revisits the exemptions to the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA). These exemptions list the cases in which circumventing the technological measures that protect copyrighted works is not illegal. On October 28, 2015, the Librarian issued the new list, valid for three years. The new exemptions (compared with the list of six years ago) are:

  • Jailbreaking cellphones to use them on other carrier networks has been extended to tablets, wearable devices, and connected TVs.
  • Jailbreaking portable devices to execute lawfully acquired software.
  • Owners may circumvent the diagnostic and repair software of cars and farm equipment.
  • Security research on consumer devices, medical devices, and cars.
  • Sourcing feedstock for 3D printers from alternative suppliers.

The previous exemptions remain valid.

Apr 14 2015

France: charter of good practices in online advertising

On 23 March 2015, the representatives of the French advertising industry signed a charter of good practices to fight piracy. The charter is an initiative of the French minister of culture and communication.

My highlights of the three-page charter:

1- The signatory companies establish and implement clear, transparent recommendations to prevent pirate sites from doing business with them.

2- These recommendations will be published and widely disseminated.

3- The signatories implement the means at their disposal, each according to its role, to prevent the placement of advertisements on pirate sites. Each signatory may use its own blacklist and its own mitigation techniques.

4- A committee will monitor and publish the results.

Most of the revenue of pirate sites comes from advertising. Unfortunately, legitimate businesses sometimes advertise on these pirate sites. With today's automated ad auction systems, brands are often not even aware of where their advertisements appear. This practice has three consequences:

  1. It provides revenue to pirate sites.
  2. It lends these sites a feeling of legitimacy, since famous brands advertise there. People may be less suspicious of the legality of a site advertising known brands than of the same site advertising Russian brides.
  3. It tarnishes the reputation of the advertising brand.

The text of the charter is available here. Of course, it is in French.


Jan 08 2015

Tribler: a (worrying) P2P client

Tribler is a P2P client that made the headlines last month. It was claimed to make BitTorrent unstoppable and to offer anonymity. I had a look at it and played with it.

This is an open-source project from Delft University of Technology. It has been partly funded by the Dutch Ministry of Economic Affairs. The project started in January 2008. Tribler is worrying both to content owners and to users.

To content owners, Tribler is worrying because of its features.

  • Tribler is more user-friendly than other P2P clients, because it integrates several functions into the client. First, it lets the user search for torrents from the client's user interface among the currently connected peers. In other words, it does not need a central torrent index or tracker to hold the torrent pointers, which makes it more robust and easier to use than other clients. If the expected content is popular, the likelihood of finding it within the connected community is high, so there is no need to leave the application to find torrents on trackers. Of course, it can also import torrents from external trackers such as mininova, so when content is not available in the community, the user can fall back on traditional trackers.
    The second interesting feature is that it emulates video streaming on top of standard torrents: it buffers the video and starts playing it inside the application after a few seconds. From the user's point of view, this is similar to streaming from a cyberlocker (with the difference that, once viewing is complete, a full copy of the content sits on the user's computer).
    These features are not new (eMule allowed searching from within the client, BitTorrent Pro offers an HD player inside it…). However, Tribler packages them nicely. The user experience is neat.
  • Tribler promises anonymity. It uses a Tor-like onion routing structure to reach the different peers. Or at least, it should in the future: the current version is clearly announced as beta. Furthermore, all current peers were directly connected; only an experimental torrent used the feature. However, once validated and activated, it should make it harder to trace back the seeders.

To users, Tribler is worrying for its security. Tribler promises anonymity; unfortunately, it does not deliver it. “Yawning Angel” analyzed the project. Although the analysis was not thorough, it highlighted several critical flaws in the protocol. As it is possible to define circuits of arbitrary length, an attacker could create congestion and thus a kind of denial of service. More worryingly, there are several severe cryptographic mistakes, such as improper use of ECB mode and a fixed IV in OFB mode… The conclusion was:

For users, “don’t”. Cursory analysis found enough fundamental flaws, and secure protocol design/implementation errors that I would be reluctant to consider this secure, even if the known issues were fixed. It may be worth revisiting in several years when the designers obtain more experience, and a thorough third party audit of the improved code and design has been done.
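To make the two cryptographic mistakes named above concrete, here is an added example (not Tribler's code, nor Yawning Angel's) that shows why they matter. A truncated HMAC-SHA256 stands in for the forward direction of a block cipher so the script runs with the standard library only; that stand-in, the key, the IV and the sample payloads are all constructed for this example. ECB encryption and OFB only use the forward direction, so the effects shown are the same as with AES: in ECB, equal plaintext blocks produce equal ciphertext blocks, and in OFB a reused IV under the same key reuses the whole keystream, so an eavesdropper gets the XOR of the two plaintexts and, with one known plaintext, recovers every other message.

```python
import hmac
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES


def toy_block_fn(key: bytes, block: bytes) -> bytes:
    """Forward direction of a block cipher, stood in for by truncated HMAC-SHA256.

    Constructed stand-in so the example runs without a third-party library.
    It is NOT a real block cipher (it is not invertible), but ECB encryption
    and OFB only ever use the forward direction, so the mode misuse shown
    below behaves exactly as it would with AES.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks and the structure of the data leaks."""
    assert len(plaintext) % BLOCK == 0, "ECB needs a whole number of blocks"
    return b"".join(toy_block_fn(key, b) for b in split_blocks(plaintext))


def ecb_repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that repeat: anything above 0 reveals repeated
    plaintext blocks to anyone who can read the ciphertext."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def ofb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """OFB: the block function is iterated from the IV to produce a keystream
    that is XORed with the data. The keystream depends only on (key, iv), so
    reusing an IV under the same key reuses the keystream."""
    out = bytearray()
    state = iv
    for block in split_blocks(plaintext):
        state = toy_block_fn(key, state)
        out += xor_bytes(block, state[:len(block)])
    return bytes(out)


def keystream_reused(key: bytes, iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> bool:
    """Passive check an eavesdropper can make: with a reused keystream,
    c1 XOR c2 equals p1 XOR p2 because the keystream cancels out."""
    c1 = ofb_encrypt(key, iv1, p1)
    c2 = ofb_encrypt(key, iv2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_from_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """With a fixed IV, one known plaintext/ciphertext pair yields the keystream,
    which then decrypts every other message sent under the same key."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_target, keystream)


if __name__ == "__main__":
    key = b"\x01" * 16          # constructed demo key
    fixed_iv = b"\x00" * 16     # the mistake: a constant IV reused for every message
    # Constructed sample payloads, padded to whole blocks.
    p1 = b"GET /film.mkv HTTP/1.1\r\n".ljust(32, b" ")
    p2 = b"GET /other.mkv HTTP/1.1\r\n".ljust(32, b" ")

    print("ECB repeated blocks in 4 equal blocks:",
          ecb_repeated_blocks(ecb_encrypt(key, b"A" * 64)))
    print("fixed IV leaks p1 XOR p2:",
          keystream_reused(key, fixed_iv, fixed_iv, p1, p2))
    print("p2 recovered from known p1:",
          recover_from_known_plaintext(ofb_encrypt(key, fixed_iv, p1), p1,
                                       ofb_encrypt(key, fixed_iv, p2)))
    print("fresh random IVs leak p1 XOR p2:",
          keystream_reused(key, os.urandom(16), os.urandom(16), p1, p2))
```

The fix for the OFB problem is the last line: a fresh, unpredictable IV per message (or a counter-based nonce that is never repeated under one key), and an authentication tag on top, since OFB on its own is malleable. The fix for ECB is simply not to use it for anything longer than one block.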

Lessons:

  • P2P is not dead yet. Streaming emulation may shift the balance away from streaming cyberlockers.
  • Be very cautious about claimed anonymity. Developing a robust Tor-like solution requires an enormous effort and deep knowledge of cryptography and secure protocols. Tor itself is continuously under attack.
  • Universities may fund projects that facilitate piracy. “Openness of the Internet” to fight censorship does not require watching content within the client. The illustrative screenshot of Tribler on the Delft university page clearly shows copyrighted movies offered for sharing.

Dec 10 2014

Some notes on Content Protection Summit 2014

The conference was held on 9 December in Los Angeles. The audience was rather large for such an event (more than 120 attendees), with representatives of content owners, service and technology providers, and a few distributors.

The big trend and message is that cyber threats are more and more severe. Traditional content protection is no longer sufficient; it has to be extended to IT cyber threats. The Sony Pictures Entertainment (SPE) breach was cited very often.

The conference did not disclose surprisingly new information or technology. Nevertheless, the event was a good occasion to share knowledge and basic best practices. The following part highlights interesting points and figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that cyberwar is a reality. It is waged by government-funded teams or hacktivists, and it has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PwC)

The cyber world is becoming more dangerous; the state of security seems to be degrading. Some interesting figures from PwC's annual report:

  • In 2014, the U.S. government notified 3,000 U.S. companies that they had been attacked
  • There were 48% more reported incidents in 2014. Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff. The most interesting pieces of advice were:

  • Logging must be switched on. This is essential in a cloud environment, where low-cost plans may not include logging; it is worth paying for it. Logs are mandatory to learn and analyze what happened when an incident occurs.
  • Have a response team available beforehand. You will not have time to look for and organize one when the incident occurs or is detected.

The focus of the discussion was always on script kiddies, never on Advanced Persistent Threats (APT).

This script will self destruct in 2 hours (panel)

The script is of high value, especially when shooting has not yet started or the decision to produce has not yet been taken. Nevertheless, its protection needs to be convenient. It is the typical challenge of a confidential, sensitive document that needs controlled distribution. Warner announced that they sometimes even use 3-factor authentication. Creative people may have hard feelings about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, TV is more forgiving than feature films in case of leakage (except perhaps for the opening and closing episodes). The biggest coming challenge is the request for international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message: be aware of third parties (and their own third parties) and of freelancers

The creative process behind great storytelling (panel)

Refreshing session with creative people. The end of the session was a plea for copyright. The arguments were similar to those in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

In my opinion, the most interesting session. They presented real use cases.

Elisha explained how she drastically reduced online piracy against ABS-CBN (the Netflix of the Philippines). She took several steps:

  1. Analyze the pirate landscape
  2. With SEO, increase the ranking of the official sites so that they appear as the first links in Google, pushing pirate sites back to later pages
  3. Use investigators to collect evidence enabling site shutdowns
  4. Lawsuits with high fines. The arrested webmasters are interviewed to learn all their techniques and tricks.

Jane explored the methods used to get good brands advertising on pirate sites. 80% of the revenue of streaming cyberlockers comes from advertising; among that, 22% comes from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt in. Brands should be worried about placing their advertisements on such sites, as they sometimes also host malware.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical reasons why much piracy came out of Sweden (Kazaa, The Pirate Bay…). He asked for a transactional VOD release window concurrent with the theatrical and home windows. The price could be dynamic, starting high and decreasing over time.

Being European, I did not see what was specifically European about it. It was more his opinion.

What’s the forecast for securing the cloud? (panel)

In my opinion, the worst session. No serious discussion of the actual security of the cloud, no discussion of hybrid clouds, no precise definition of cloud (not even a mention of the NIST definition). It even seemed to me that there was a consensus that cloud implementations would be more secure than today's implementations.

The topic is far more complex than the simplified vision drawn during the panel.

Jul 15 2014

Dr Who leaked

Bad week for the BBC. Last week, the scripts of five episodes of the next season of Doctor Who leaked online. The scripts were accessed from a Miami-based BBC Worldwide server. It seems that they were publicly available (together with a lot of other material) and indexed by Google: a simple Google query gave access to this confidential material.

Unfortunately, other material was available too. A black-and-white, unfinished, watermarked version of the first episode was also put online. The copy is visibly watermarked for a given recipient, Drei Marc, a Brazilian company that provides subtitling and dubbing services. Nevertheless, it seems that it came from the same server. It is not certain that other episodes will not surface in the coming days. Broadcast of the first episode is planned for 23 August.


The BBC asked its fans not to spoil the release.

“We would like to make a plea to anyone who might have any of this material and spoilers associated with it not to share it with a wider audience so that everyone can enjoy the show as it should be seen when it launches.

“We know only too well that Doctor Who fans are the best in the world and we thank them for their help with this and their continued loyalty.”

Several lessons:

  • Secure your servers and be aware of indexing robots. No server should be put online without prior penetration testing.
  • Encryption at rest should be mandatory for pre-release content. If an attacker ever accesses the video server, he only gets encrypted video without the decryption key: useless.
  • Forensic marking should only occur at delivery time. If prepared and stored before release, it is useless: a copy marked for a recipient but sitting on a shared server proves nothing about who leaked it, and it will not hold up in court against a good security expert.
  • TV series are the new El Dorado of the movie industry

Jul 09 2013

Is French HADOPI law dead (12)?

In his long report, Pierre Lescure proposed to lighten the graduated response. He recommended replacing the controversial suspension of Internet access by a fine of about 60€. He has been listened to.

This morning, a decree modified the law. The suspension of Internet access is officially repealed.

Subject: offence of gross negligence (négligence caractérisée); repeal of the additional penalty of suspension of access to an online public communication service;

It has been replaced by a fine. The fine will not be automatic but decided by a court.

Only a fifth-class contraventional fine may now be imposed for the offence of gross negligence provided for in that same article.

A fifth-class fine cannot exceed 1,500€ (about 1,900$) but can reach 3,000€ in case of recidivism.

End of the story?
