Dr Who’s leaked

Bad week for the BBC. Last week, scripts of five episodes of the next season of Dr Who leaked online. The scripts were accessed from a Miami-based BBC Worldwide server. It seems that they were publicly available (along with a lot of other material) and had been indexed by Google. A typical Google request provided access to this confidential material.

Unfortunately, other material was available. An unfinished, black & white, watermarked version of the first episode has also been put online. The copy is visibly watermarked for a given recipient. Drei Marc is a Brazilian company that provides subtitling and dubbing services. Nevertheless, it seems that it comes from the same server. Other episodes may yet surface in the coming days. Broadcast of the first episode is planned for 23 August.

BBC asked its fans not to spoil the release.

"We would like to make a plea to anyone who might have any of this material and spoilers associated with it not to share it with a wider audience so that everyone can enjoy the show as it should be seen when it launches.

"We know only too well that Doctor Who fans are the best in the world and we thank them for their help with this and their continued loyalty."

Several lessons:

  • Secure your servers and be aware of the indexing robots. No server should be put online without prior pen testing.
  • Encryption at rest should be mandatory for early content. If an attacker ever accesses the video server, he will only get an encrypted video without the decryption key. Useless.
  • Forensic marking should only occur at delivery time. If prepared and stored before release, it is useless. It will not hold up in court against a good security expert.
  • TV series are the new Eldorado of the movie industry.

Is French HADOPI law dead (12)?

In his long report, Pierre Lescure proposed to lighten the graduated response. He recommended replacing the controversial suppression of Internet access with a fine of about 60€. He has been heard.

This morning, a decree modified the law. The suppression of Internet access is officially annulled.

Subject: offence of characterized negligence; repeal of the additional penalty of suspension of access to an online public communication service;

It has been replaced by a fine.  The fine will not be automatic but decided by a court order.

From now on, only a fifth-class fine may be imposed for the offence of characterized negligence provided for in that same article.

A fifth-class penalty cannot exceed 1,500€ (about 1,900$) but can reach up to 3,000€ in case of recidivism.

End of the story?

Is French HADOPI law dead ? (11)

Pierre Lescure, former CEO of French broadcaster Canal +, has delivered to the French minister of culture and communication his report “Contribution aux politiques culturelles à l’ère numérique” (i.e. contribution to cultural policies in the digital era). Obviously, among the 88 recommendations, numerous proposals tackle copyright issues. These recommendations made the headlines of the French press.

Pierre Lescure and his team have deeply analyzed the current French graduated response, its organization HADOPI, and its efficiency. Let’s navigate the 700-page document and highlight some interesting points.

In section A-5: The release window

The report highlights that the audience wants pieces of content as early as possible. Furthermore, VOD is drastically increasing. Thus, they propose to reduce the current release window of VOD by one month. Interestingly, they would offer this earlier release only to “good citizen” operators.

More specifically, it is proposed to bring forward the video-on-demand window, possibly reserving this measure for the most virtuous services, that is, those that agree to make proactive commitments in terms of financing creation and showcasing diversity.

Furthermore, they propose the concept of a premium weekend, in which a piece of content would be available as VOD one or two weeks after theatrical release for 30€ (40$).

Section A-14 tackles the issue of DRM. They propose to extend the scope of the DADVSI law to games and public domain content. They also recommend creating an open standard for DRM.

Personal note: the problem with open standard is that it cannot enforce a compliance and robustness regime that is mandatory for any DRM to be efficient.

They highlight that DRM and the French right to private copy do not coexist well.

Section B-7 tackles the issue of the private copy levy.

As cloud computing is becoming more and more present, storage in the cloud will become prevalent. Therefore, the current private copy levy will become useless. Thus, the report suggests creating a levy on every connected device regardless of its internal storage capabilities.

In section C2: “Appraisal of the graduated response”.

The graduated response (articles L.331-24 and following of the CPI) is founded not on the act of counterfeiting itself, but on the failure of the Internet subscription holder to meet the obligation to monitor his access point …
The notion of characterized negligence thus makes it possible, at the end of the graduated response procedure, to sanction the subscription holder without proof that he is indeed the author of the counterfeiting offence, as long as he has not taken measures to secure his line.

They highlight that the cornerstone of the French graduated response is not the counterfeiting act but characterized negligence in securing one's Internet access. Being negligent in securing the network does not mean the owner of the network was the infringer.

As of February 2013, content owners had detected 35 million for 4.7 million IP addresses. 1.6 million first warnings and 139,000 second warnings were issued, with 29 cases passed to the Court. Only two cases were sentenced with a 150€ fine. In 2012, the direct cost of the graduated response was 6M$, with an additional bill of 2.5M€ from the three main ISPs. This evaluation does not include the cost of TMG detecting the supposed infringing IP addresses, which is borne by the content owners.

They must conclude that the efficiency is mixed.  The use of P2P has visibly declined by 40% in three years.  Nevertheless, this may just mean that the traffic moved to direct download/streaming sites that HADOPI does not monitor.

In section C-3: “Lightening the graduated response”

The report acknowledges that suppressing the graduated response would have many advantages. Nevertheless, the disadvantages are more important. The report proposes to clarify the concept of “characterized negligence”. You would have to put something in place; you would not have to be successful. They also propose to focus on the counterfeiting rather than on the negligence. The counterfeiting act should be proven and for monetary gain.

In the immediate term, public prosecutors could be asked to bring counterfeiting prosecutions only where there is serious and consistent evidence tending to prove the existence of personal or collective enrichment, within the framework of a counterfeiting network.

The educational element of the graduated response should be enhanced.  Thus, the ultimate punishment, i.e. suppression of Internet access, should be replaced by throttling.  Furthermore, the fine should be reduced from 1,500€ to 60€.

The report proposes to close the HADOPI organization and forward its mission to the Conseil Supérieur de l’Audiovisuel (High Council of Audiovisual).  We anticipated that in August 2012.

Section C-4: “the fight against online commercial piracy” is going in the right direction. It clearly highlights that direct download, streaming and referencing sites are making money through piracy, estimated at between 52 and 71M€ each year in France. According to the report, these sites are the real money makers of digital piracy. Although the laws exist, suing these site owners is difficult. The State should be proactive in this fight.

Section C-5: “The responsibility of hosting sites”. Currently, European and French laws imply that the hosting site cannot be held responsible:

  • if it was not aware that content was infringing
  • if it promptly took down infringing content once notified.

The civil or criminal liability of hosting providers cannot be incurred “if they did not have actual knowledge” of the illicit nature of the stored content or “if, from the moment they had this knowledge, they acted promptly to remove this data or make access to it impossible”.

The report does not recommend modifying this status. Nevertheless, it recommends facilitating good practices such as using fingerprints to detect illegal content (the French INA signature is highlighted). The report recommends that the French State support a common initiative to set up an organization that would create a database of reference fingerprints and send take-down notifications to sites.

In Section C-6, the report recommends that search engines present the legal offers in a predominant position compared to counterfeiting offers. Currently, search engines in Europe have light responsibilities in this field.

Section C-7 highlights the role of payment organizations and advertisement agencies. They indirectly facilitate and benefit from digital piracy. The report calls on these intermediaries to be good citizens. Google has already proven that it may accept to play this game.

Section C-8 tackles the issue of blocking sites and domain names. Although this is possible under French regulation, the report recommends using it only as a last resort.

Conclusion:

  • Is HADOPI dead?   It seems that this time, it is a serious blow against it.  It is only  a report, not a set of decisions.   We know the French minister of culture is not HADOPI-friendly.   Thus the likelihood of its near death is high.
  • Is the French graduated response dead?   It will continue, in its current form or in a new way, regardless of its future hosting organization.

French Graduated Response: some figures

As I am currently reading in detail the 478-page report “Culture-acte 2” from Pierre Lescure, I found an interesting pointer: the data published by HADOPI concerning its activity related to the graduated response. http://www.hadopi.fr/actualites/reponse-graduee/chiffres-cles.

Following is the evolution of the number of first notifications.

[Chart: evolution of the number of first notifications]

Since the beginning of 2013, the activity is stable with around 80,000 first notifications.   Since the beginning of the graduated response, HADOPI sent more than 1,700,000 such notifications.

Following is the evolution of the number of second notifications

[Chart: evolution of the number of second notifications]

Since last summer, it seems that the trend is to have a growing number of second notifications.

I will come back to this report soon in a future post. The recommendations are interesting. I need to read the detailed chapters before reporting about it.

Hadopi, VLC and BluRay (2)

Following its public consultation, the French HADOPI has given its analysis of VideoLAN's request. VideoLAN is the “publisher” of the open source player VLC. HADOPI's advice is extremely interesting as it sheds some light on the French official vision of the handling of DRM secrets and open source.

Before jumping to the final conclusion, it is worthwhile to detail some articles.

27. En outre, cette exception porte exclusivement sur des logiciels. Elle ne saurait ainsi concerner les parties non-logicielles des mesures techniques de protection considérées. En particulier, les secrets, au nombre desquels figurent les clés de chiffrement, ne constituent pas par eux-mêmes des instructions de commandes informatiques et ne peuvent être considérés comme des éléments de logiciel.

27. Besides, this exception concerns exclusively software. It would not concern the non-software elements of the technical protection measures (TPM). In particular, the secrets, amongst which are the encryption keys, are not software instructions and thus are not part of the software. (approximate personal translation)

As keys are extremely important for TPMs, this is an interesting conclusion.

33. It follows from the foregoing that the VideoLAN association can rely neither on the “reverse engineering” exception nor on the “decompilation” exception provided for in article L. 122-6-1 of the Intellectual Property Code to make available to users software that circumvents, without authorization from the rights holders concerned, all of the technical measures protecting “Blu-Ray” discs.

Here, HADOPI decides that reverse engineering and decompilation are not part of the exceptions authorized by the law.

34. It emerges from the investigation that the VideoLAN association has not sought to request, from the holders of rights in the “AACS” and “BD+” technical protection measures, the information essential to the interoperability of these measures. If, however, such a request were met with a refusal, it would be entitled to refer the matter to the High Authority under a dispute settlement procedure on the basis of article L. 331-32 of the Intellectual Property Code.

Article 34 states that, according to the enquiry, VideoLAN has not asked the owners of the TPMs AACS and BD+ for the information needed for interoperability. Were it denied this information after such a request, VideoLAN could then file a procedure for litigation for disagreement at HADOPI.

35. …
Under the case law of the Constitutional Council, this information could be communicated only in return for payment of appropriate compensation.

Here, HADOPI states that receiving this information from AACS and BD+ would require paying a proper fee. So much for free open source.

38. Dans le cadre d’une procédure de règlement des différends, l’association VideoLAN ne pourrait être contrainte de renoncer à la publication de son code source que si les titulaires de droit sur les mesures techniques AACS et BD+ étaient en mesure de démontrer que cette publication porterait gravement atteinte à la sécurité et à l’efficacité de cette mesure.

38. As part of the procedure of litigation for disagreement, the VideoLAN association could be forced to abandon the publication of its source code only if the owners of AACS and BD+ could demonstrate that this publication would gravely undermine the security and the effectiveness of this TPM. (approximate personal translation)

In conclusion, HADOPI considers that VideoLAN cannot request the secrets of AACS and BD+ under the exceptions for reverse engineering and decompilation. Nevertheless, VideoLAN could ask HADOPI to analyze the case again if VideoLAN had requested information from AACS and BD+ and they had not answered favorably.

Will VideoLAN ask AACS and BD+ for information? Your guess? To be followed.

Resale of digital songs: the new Eldorado?

At least, until last week.  Last week, a US court decided that the first sale doctrine was only valid for physical goods and not for digital goods.  It was bad news for ReDigi.   It may also be bad news for Apple and Amazon.  Both companies recently filed patents for a market place of used digital songs.  Interestingly, their respective approaches are different.

Amazon filed on May 5, 2009, a patent entitled “Secondary market for digital objects”. Claim 1 is extremely broad. It is mainly the idea that the digital object to be sold is stored in a first personalized data store and, once a transfer is requested, is transferred to a personalized data store for the new owner, after which the initial instance is deleted from the first data store.

This is rather basic. It describes a kind of direct transfer. The patent becomes more interesting with claim 2 and the following ones. The piece of content has a counter of authorized transfers. Once the threshold is reached, the digital object can no longer be exchanged or sold.

2. The system of claim 1, wherein the one or more business rules comprise a move limit business rule, and wherein authorizing transfer of the used digital object further comprises: initializing an object move counter to count a number of moves of the used digital object between personalized data stores; setting an object move threshold, the object move threshold defining a number of times the used digital object can be moved; applying the move limit business rule stored in memory to determine whether to authorize or deny the request for transfer of the used digital object, application of the move limit business rule comprising: querying the object move counter to determine a number of times the used digital object has been moved; comparing the object move counter to the object move threshold; denying the request for transfer of the used digital object as impermissible when the object move counter of the used digital object exceeds the object move threshold; and authorizing the request for transfer of the used digital object to the second personalized data store when the object move counter of the used digital object is within the object move threshold.

On June 22, 2012, Apple filed a patent entitled “Managing access to digital content items”. Its approach is different. Apple handles ownership data (license?) and transfers the ownership data between the users. Interestingly, Apple introduces the notion of track usage data that will determine the remuneration of the user.

1. A method comprising: storing, at a particular entity, first ownership data that authorizes a user to access a digital content item; storing, in association with the digital content item, track usage data that indicates how much the user used or could have used the digital content item; receiving, at the particular entity, from a device operated by the user, relinquish request data that indicates that the user wishes to relinquish authorized access to the digital content item; in response to receiving the relinquish request data, the particular entity identifying one or more conditions associated with the digital content item; based on the one or more conditions and the track usage data, determining whether to provide remuneration to the user; in response to determining to provide remuneration to the user, storing second ownership data that revokes authorization of the user to access the digital content item; and based on the second ownership data, the particular entity preventing the user from further accessing the digital content item; wherein the method is performed by one or more computing devices.

Interestingly, both approaches introduce a notion of obsolescence or loss of value to partly mimic physical objects. This is an artificial attempt to limit one of the fears of content owners. As a copy of a digital object remains pristine, it could be resold indefinitely without loss of “quality”, thus undermining the primary market (and thus losing money for content owners). Physical objects degrade with time. With these tricks, digital objects would also “degrade” with time.

Will these approaches be more acceptable to a judge? Will Apple and Amazon open such marketplaces?

Court rules against ReDigi

The resale locker, ReDigi, has been convicted of copyright infringement by the US District Court of New York in its case with Capitol Records. ReDigi lets users sell the digital audio tracks that they no longer want, as they would resell a CD. In January 2012, Capitol Records filed a suit against ReDigi.

On 30 March 2013, the District Judge, Richard Sullivan, granted Capitol’s motion and denied ReDigi’s. His memorandum and order document is extremely interesting as it sheds some light on the rationales behind his decision. He summarizes the question: Can a digital music file, lawfully made and purchased, be resold by its owner? The Court determines that it cannot.

The first issue was whether ReDigi violated Capitol Records’ reproduction rights. According to the Court, the transfer of a music file to a new hard drive is equivalent to a physical copy.

Because the reproduction right is necessarily implicated when a copyrighted work is embodied in a new material object, and because digital music files must be embodied in a new material object following their transfer over the Internet, the Court determines that the embodiment of a digital music file on a new hard disk is a reproduction within the meaning of the Copyright Act.

According to the judge, any transfer from one computer to another computer or server is a reproduction, even if the initial copy has been erased and no longer exists.

The second issue was about the applicability of fair use.   As the operation is related to a sale, according to the judge, it falls out of the scope of fair use.  Furthermore, this sale may be slightly detrimental to the initial market.

In sum, ReDigi facilitates and profits from the sale of copyrighted commercial recordings, transferred in their entirety, with a likely detrimental impact on the primary market for these goods. Accordingly, the Court concludes that the fair use defense does not permit  ReDigi’s users to upload and download files to and from the Cloud Locker incident to sale.

The third issue was about the first sale. In a nutshell, if you have purchased a physical item, you can resell it. ReDigi argues that it is applying the first sale doctrine. The judge believes that the first sale is only applicable to physical goods.

… the first sale defense is limited to material items, like records, that the copyright owner put into the stream of commerce. Here, ReDigi is not distributing such material items; rather, it is distributing  reproductions  of the copyrighted code embedded in new material objects, namely, the ReDigi server in Arizona and its users’ hard drives.

ReDigi complained that the law was not taking into account technological changes and had become ambiguous. The judge considers that it is still not ambiguous. That technical changes may render a law unsatisfactory to consumers is not an argument. Furthermore, changing it is a legislative prerogative.

The judge decided that ReDigi directly infringed Capitol's distribution and reproduction rights. The judge decided that ReDigi was not liable for its users’ direct infringements.

Thus, some interesting outcomes to keep in mind.

  • Transferring a digital file of a copyrighted piece of content is a reproduction, even if the source piece of content has been deleted. This may be extremely controversial. For instance, when buffering a file during progressive download, are you making a reproduction? Do you have the reproduction rights? I am sure that we will have additional debates on this topic.
  • First sale doctrine is only valid for physical goods.   Will the US Congress propose an evolution to cover digital goods?

This is a serious blow against ReDigi but also to a potential new market of “digital” songs. We will wait for its reaction. Next post, I will examine the ideas of two big players who wanted to enter this arena: Apple and Amazon.