Unlocking phone in the US: is it illegal?

In 2010, the Librarian of Congress ruled that unlocking a phone in order to move to another carrier was legal. On 26th October 2012, the Librarian of Congress changed his mind. Unlocking phones purchased after January 2013 will again be illegal.


In the same ruling, the Librarian of Congress allowed the jailbreaking of iPhones for interoperability, but forbade it for iPads!

Wireless telephone handsets – software interoperability

Computer programs that enable wireless telephone handsets to execute lawfully obtained software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications with computer programs on the telephone handset.

This exemption is a modification of the proponents’ proposal. It permits the circumvention of computer programs on mobile phones to enable interoperability of non-vendor-approved software applications (often referred to as “jailbreaking”), but does not apply to tablets – as had been requested by proponents – because the record did not support it.

Recently, the White House officially announced that it was “Time to Legalize Cell Phone Unlocking”.

How the White House will try to revert the Librarian ruling is unclear.

Once more, we see that the interpretation of the DMCA is complex and evolves with time. Some decisions may even seem strange: authorizing mobile phones but not tablets (even though they run the same OS, and tablets may act as phones) is difficult for consumers to understand.

HADOPI, VLC and BluRay

HADOPI, the French law on digital rights, has articles that may facilitate interoperability with copy protection systems. A software publisher may request access to the APIs and documentation of a copy protection system in order to implement interoperability.


This is what VideoLAN, the publisher of the famous open-source media player VLC, has just requested from HADOPI. VLC wants access to AACS in order to be able to play Blu-ray discs. VLC does not yet support Blu-ray because it is not an AACS licensee.


HADOPI has identified where the real problem lies. The documentation and API are not sufficient, because AACS also requires cryptographic keys delivered by the licensing authority. And of course, as in any encryption-based system, the keys are the most important asset.

This definition of “information essential to interoperability” does not seem to allow, where the technical protection measure takes the form of an encryption algorithm, obtaining the communication of the decryption keys of the protected content (and more generally the necessary secrets), which appear to belong neither to the technical documentation nor to the programming interfaces.

Thus, on 6 February, HADOPI launched a public consultation to collect opinions on the topic. Knowledgeable people may enlighten this institution before 26 February 2013.

… the Haute Autorité invites persons with expertise in this field to submit any elements they consider useful to its deliberations, in particular by answering the question of whether “the technical documentation and the programming interfaces” referred to in Article L. 331-32 include the decryption keys of protected content and, more generally, the necessary secrets.

If you have read my book, then you know that I do not believe in open-source based DRM, at least for B2C. There is no way to protect the keys properly. Thus, the decision of HADOPI on this topic will be extremely important and scrutinized by the community. We will follow up.

Mega is running: does it hold its promises?

Kim Dotcom, the owner of the former MegaUpload, is back. And he is making the headlines of the Internet and other media. His new baby is the sharing site Mega. It has been online since Monday. Where is the difference with MegaUpload? You will have noted the tagline: “the privacy company”.

The uploaded data are encrypted before being sent to the server. Encryption uses 128-bit AES, and the encryption key is protected by a personal 2048-bit RSA key. All cryptographic computations are done in your browser. Therefore, Mega does not know what is uploaded. This is a safe harbor for Mega, at least in theory.

Furthermore, the Terms of Service are very clear.

Protection against copyright holders.

17. You can’t:

17.3 infringe anyone else’s intellectual property (including but not limited to copyright) or other rights in any material.

Good faith and will with copyright holders

19. We respect the copyright of others and require that users of our services comply with the laws of copyright. You are strictly prohibited from using our services to infringe copyright. You may not upload, download, store, share, display, stream, distribute, e-mail, link to, transmit or otherwise make available any files, data, or content that infringes any copyright or other proprietary rights of any person or entity.

We will respond to notices of alleged copyright infringement that comply with applicable law and are properly provided to us…

It will be interesting to see how Mega will handle cease and desist notices from content owners. Mega is not supposed to know whether a claim is legitimate or not. Blind obedience or nitpicking? The future will tell.

Furthermore, Mega protects itself from its users.

5. If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data), in addition to them accepting these terms, you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms.


Of course, with its claims of security, Mega got a lot of attention from the security community. It already seems possible to get somebody's master key by intercepting her confirmation email. Steve Thomas has published a first hack (MegaCracker). Other weaknesses seem to be around.


The blogosphere is now claiming that Mega did a bad job. Is it really true? I am not sure. Of course, if you believe that Mega’s purpose is to securely store your data, then it may be true. I would not recommend using it if confidentiality is at stake. If you believe that encryption is just a way for Mega to claim safe harbor and build a new MegaUpload (without taking the infringement risk), then it is another story. Then Mega does not care about being hacked (by the way, the TOS do not guarantee the confidentiality of your data).


In any case, weak security or not, Mega has already done an extremely good job of public relations. The news of Mega’s launch is all around the world.

Security Newsletter 22 is available

Security Newsletter 22 is available. We are proud to have Joan DAEMEN as a guest. Joan is one of the authors of KECCAK, the new algorithm selected by NIST to become the official SHA-3 function. Mohamed presents this new hash function. SSL is the most widely deployed security protocol on the Internet, and thus it is highly scrutinized by the community. Olivier, Christoph and Benoit take a deep dive into the latest attacks against SSL.

I hope you will enjoy reading it. Do not hesitate to comment.

How BitTorrent is monitored…

In a recent study, Tom Chothia et al., four researchers from the University of Birmingham, attempted to check whether BitTorrent was monitored, how, and by whom. They studied the two types of monitoring:

  • Indirect monitoring, where the copyright enforcement agency does not participate in the transaction and just collects clues that are not extremely convincing evidence
  • Direct monitoring, where the agency is part of the transaction. In that case, the evidence is better.

For the first type of monitoring, they used six heuristics (five collected from the literature and one that they created). The conclusion is clear: many agencies are scouting the swarms. Amusingly, they spotted the French INRIA team who was making a similar study (see Identifying providers and downloader in bittorrent). Unsurprisingly, this part of the study was conclusive.

For direct monitoring, they tried other heuristics, such as checking whether the reported completion progresses or is consistent, or the duration of the connection. Once more, they detected monitoring activity.

The study also presents several interesting (but not surprising) conclusions:

  • The most popular pieces of content are far more monitored than less popular ones. This is logical, as monitoring has a cost, and who would pay for the long tail?
  • When sharing a popular piece of content, the likelihood of being monitored within three hours is high.
  • The block lists of supposed monitors (which are available for the most popular clients) are not complete.

The definition of the heuristics is interesting. It gives the agencies a good hint of what they should do to become stealthier.

Twitter and DMCA

Like Google with its transparency program, Twitter is also offering better transparency when removing tweets following a DMCA notification. Previously, the infringing tweet was removed without any explanation. A month ago, Twitter changed its policy. When Twitter decides it is legitimate to take down a tweet, the following process is applied:

  1. The affected user is notified once the tweet is removed
  2. The affected user receives the complaint as well as the procedure to file a counter-notice
  3. A copy is sent to Chilling Effects; Chilling Effects is a project from the EFF and many US universities (Harvard, Stanford, Berkeley…) that collects all the Cease & Desist (C&D) notices in the world
  4. The withheld tweet is clearly marked

(Image: a withheld tweet as marked by Twitter)

Since 2010, Twitter has become a convenient vector for distributing pointers to shared infringing content. Content owners soon started sending C&D notices.

Like Google, Twitter tries to find a tradeoff between content owners and its users. Transparency is probably a good solution.

Google: explosion in the number of takedown URLs

(Image: URLs requested to be removed from Search, per week)

Every semester, Google publishes its biannual transparency report. This semester, the focus was on the increase in the number of user data requests issued by government agencies. The press reported a lot on this topic.

I prefer to analyze the URL removal requests. They are made by content owners and governments. The picture displays the URLs requested to be removed from Search per week. It clearly highlights an explosion in the number of requests in the last month. Compare with the same snapshot captured on September 3.

The top organizations requesting removals were Degban (a company specialized in multimedia copyright protection), the RIAA and the BPI (British Recorded Music Industry). The top copyright owners concerned by the takedown URLs were the RIAA, Froytal Services Ltd (a porn producer!) and the BPI. The affected domains were mainly a search engine for cyber lockers and, of course, torrent sites (the iconic Pirate Bay was not among the top sites!).