Some notes on Content Protection Summit 2014

The conference was held on 9th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors.

The big trend and message is that cyber threats are more and more severe.  Traditional Content Protection is not anymore sufficient.  It has to be extended to IT cyber threats.  The SPE issue was cited very often.

The conference did not disclose surprisingly new information and technology.  Nevertheless, the event is a good occasion to share knowledge and basic best practices.  The following part will highlight interesting points or figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that the cyberwar is a reality.  It is performed by government funded teams or hacktivists,  It has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PcW)

The cyber world becomes more dangerous.  The state seems to degrade.  Some interesting figures from PcW’s annual report:

  • In 2014, the U.S. government notified 3,000 U..S. companies that they had been attacked
  • There was 48% more reported incidents in 2014.  Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff.  The most interesting advices were:

  • Log must be switched on.   This is essential in a cloud environment where low-cost plans may not have the logging feature available.  It is worthwhile to pay for it.  It is mandatory to learn and analyze when an incident occurs.
  • Have a response team available beforehand.  You will not have to time to look for and organize it when the incident will occur or will be detected.

The focus of the discussion was always on script kiddies, and never on Advanced Persistent Attack (APT)

This script will self destruct in 2 hours (panel)

The script is of high value, especially when the actual shooting was not started, or that the decision was not yet taken.  Nevertheless, it needs to be convenient.   Typical challenge for a confidential sensitive document that needs controlled distribution.  Warner announced that sometimes they even used 3-factor authentication.  Creative people may have hard feeling about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, TV is more forgiven than feature movie in case of leakage (excepted perhaps for the opening and closing episodes).  The biggest coming challenge is the request of international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message:  be aware of third parties (and their own third parties) and freelancers

The creative process behind great storytelling (panel)

Refreshing session with creative people.  The end of the session was a playdoyer for copyright.  The arguments were similar to the ones in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

According to me, the most interesting session.  They presented real use cases.

Elisha explained how she drastically reduced the online piracy against ABS-CBN (the Philippines Netflix).   She performed different steps:

  1. Analyze the pirate landscape
  2. With SEO, increase the RANK to get the official sites as the first links in Google and bring pirate sites back to farther pages.
  3. Use investigators to collect proofs to enable shutdown sites
  4. Lawsuits with high fines.  The arrested webmaster are interviewed to learn all their techniques and tricks,

Jane explored the methods to have good brands advertising on pirate sites.   80% of the revenues of streaming cyberlockers are coming from advertisement.  Among them, 22% are coming from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt-in. Brands should be worried to place their advertisement in such sites as they are sometimes also hosting malwares.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical rationales why much piracy went from Sweden (Kazaa, The Pirate Bay…)  He asked that there should be a transactional VOD release window concurrent with Theatrical and Home windows.   The price could be dynamic, starting high and decreasing with time.

Being European, I did not see what was specifically European.   It was more his opinion.

What’s the forecast for securing the cloud? (panel)

According to me, the worst session.   No serious discussion on actual security of the cloud.   No discussion of hybrid clouds.  No precise definition of cloud (even no mention of NIST definition).  It seemed even to me that there was a consensus that implementations in cloud would be more secure than today’s implementations.

The topic is far more complex than the simplified vision drawn during the panel.

When DRM sends personal information in the clear…

Adobe proposes an eBook reader called Digital Editions.  Current version is 4.  So far, so good.

Unfortunately, on 7 October, the website “The Digital Reader” reported that Digital Editions 4.0 collected information about the reading usage.  The announced gathered data were eBooks that were stored in the reader, eBooks that have been opened, pages that were read, and the order.   This information was sent back to the server in the CLEAR.  Thus, this version had two issues regarding privacy:

  • It collected information without informing the end user.
  • It sent personal information in the clear.  Any sniffer could extract this information.

Adobe answered

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy

Obviously this answer is not satisfactory.   Last week, Adobe published a revised version 4.0.1 that sent back the information using SSL.  Furthermore, in a note published on October 23, 2014, Adobe listed the collected information:

  • User ID
  • Device ID
  • App ID
  • Device IP
  • Identification of the book
  • Duration for which the book was read
  • Percentage of the book read

The information is collected only for DRM protected eBooks.  The aim of this data gathering is used for potential clearing house.  Some business models of publishers may be based on the actual consumption.

The lesson is that technologists never learn from the past errors. It is not anymore acceptable that private information is sent over the Internet in the clear.  HTTPS is an easy solution to transfer secure data and servers scale properly in our days.

Dr Who’s leaked

Bad week for the BBC.   Last week, scripts of five episodes of next season of Dr Who leaked online.  The scripts were accessed from a Miami-based BBC worldwide server.  It seems that that they were publicly available (with a lot of material) and was indexed by Google.   A typical Google request provided access to this confidential material.

Unfortunately, other material was available.  A black & white unfinished watermark version of the first episode has also been put online.  The copy is visibly watermarked for a given recipient.   Drei Marc is a Brazilian company that provides subtitling and dubbing services.  Nevertheless, it seems that it comes from the same server.  It is not sure that other episodes may not surface in the coming days.  Broadcast of the first episode is planed on 23 August.


BBC asked its fans not to spoil the release.

We would like to make a plea to anyone who might have any of this material and spoilers associated with it not to share it with a wider audience so that everyone can enjoy the show as it should be seen when it launches.

"We know only too well that Doctor Who fans are the best in the world and we thank them for their help with this and their continued loyalty

Several lessons:

  • Secure your servers and be aware of the indexing robots.   No server should be put online without prior pen testing.
  • Encryption at rest should be mandatory for early content.  If ever the attacker access the video server, he will access an encrypted video without the decryption key.  Useless.
  • Forensic marking should only occur at delivery time.  If prepared and stored before release, it is useless.  It will not hold in front of a Court with good security expert.
  • TV series are the new Eldorado of the movie industry

The war between Digital Rights Locker starts

The Walt Disney Studios Announces Disney Movies AnywhereIn 2010, two initiatives around Digital Rights Locker (DRL) were bubbling.  On one hand, DECE was a large consortium of companies that created UltraViolet (UV).  On the other hand, Disney was designing its own solution KeyChest.

During these four last years, UV has started to have mild adoption and deployment.  The latest news is that UV is available in more European countries. For instance, in France, we start to see on TV advertisement the presence of the UV logo for new titles.  Nevertheless, UV did not make an awareness campaign (at least in France).  Most French customer have no clue of what UV is.

Meanwhile, Disney did not join UV, neither promote KeyChest.   Some people thought KeyChest to be dead.  Since February 2014, the situation has changed.   Disney launched a new service: Disney Movie Anywhere.  User can open a KeyChest account to access the DRL and also use her iTunes account (Remember that Disney and Apple have very close connection).  The service is currently only available in the US.  It is said that other content owners may join.

Of course, currently UV and KeyChest are not interoperable, meaning that users should have both a UV account and a KeyChest account to access a large catalog.  Is a new war of standard starting?   DIsney, with its interesting catalog (cartoons, movies, Marvel, Star Wars…) and Apple are serious opponents.

A little bit of auto-congratulation:my book describes in details both UV and KeyChest.   Not a bad decision.

Is French HADOPI law dead ? (11)

Pierre Lescure, former CEO of French broadcaster Canal +, has delivered  to the French minister of culture and communication his report “Contribution aux politiques culturelles à l’ère numérique” (i.e. contribution to cultural policies in the digital area).  Obviously, among the 88 recommendations, numerous proposals tackle copyright issues.  These recommendations got the headlines of French press.


Pierre Lescure and his team have deeply analyzed the current French graduated response, its organization HADOPI, and its efficiency.  Let’s navigate among the 700 page document and highlights some interesting points.

In section A-5: The release window

The report highlights that the audience wants the pieces of content as early as possible.  furthermore, VOD is drastically increasing.  Thus, they propose to reduce the current release window  of VOD by one month.  Interestingly, they would offer this earlier release only to “good citizen” operators.

Plus précisément, il est proposé d’avancer la fenêtre de la vidéo à la demande, éventuellement en réservant cette mesure aux services les plus vertueux, c’est-à-dire à ceux qui acceptent de prendre des engagements volontaristes en termes de financement de la création et d’exposition de la diversité.

Furthermore, they propose the concept of premium week end when a piece of content would be available as VOD one or two weeks after theatrical release for 30€ (40$).


Section A-14 tackles the issue of DRM.  They propose to extend the scope of the DAVDSI law to games and public domain content.  They recommend also to create an open standard for DRM.

Personal note:  the problem with open standard is that it cannot enforce a compliance and robustness regime that is mandatory for any DRM to be efficient Sad smile.

They highlight that DRM and French right to private copy are not well co-existing.

Section B-7 tackles the issue of the private copy levy.

As cloud computing is becoming more and more present, storage in the cloud will become prevalent.  Therefore, the current private copy levy will become useless.   Thus, the report suggests to create a levy for every connected device regardless of its internal storage capabilities.

In section C2: “Appraisal of the graduated response”.

La réponse graduée (articles L.331-24 et suivants du CPI) a pour fondement non pas l’acte de contrefaçon en lui-même, mais le  manquement à l’obligation de surveillance  du titulaire de l’abonnement Internet de son poste d’accès …
La notion de  négligence caractérisée permet ainsi, au terme de la procédure de réponse  graduée, de sanctionner le titulaire de l’abonnement sans avoir la preuve qu’il est bien l’auteur du délit de contrefaçon, dès lors qu’il n’a pas pris les dispositions pour sécuriser sa ligne.

They highlight that the cornerstone of the French graduated response is not the counterfeiting act but the fact of characterized negligence to secure his/her Internet access.  Being negligent to secure the network does not mean the owner of the network was the infringer.


At February 2013, content owners detected 35 millions  for 4.7 millions IP addresses.  1.6 millions first warning and 139,000 second warnings were issued with 29 cases passed to the Court.  Only two cases were sentenced with a 150€ fine.    In 2012, the direct cost of the graduated cost was 6M$, with an additional bill of 2.5Me from the three main ISPs.  This evaluation does not include the cost of TMG detecting the supposed infringing IP addresses that is bared by the content owners.

They must conclude that the efficiency is mixed.  The use of P2P has visibly declined by 40% in three years.  Nevertheless, this may just mean that the traffic moved to direct download/streaming sites that HADOPI does not monitor.

In section C-3: “Lightening the graduated response”

The report acknowledges that suppressing the graduated answer would have many advantages.  nevertheless, the disadvantages are more important.  The report proposes to clarify the concept of “characterized negligence”.  You would have to put something in place, you not to be successful. They propose also to rather focus on the counterfeiting rather than on the negligence.  The counterfeiting act should be proven and for monetary gain.

Dans l’immédiat, il pourrait être demandé aux Parquets de n’engager des poursuites pour contrefaçon que lorsqu’ilexiste des  indices sérieux et concordants tendant à prouver l’existence d’un enrichissementpersonnel ou collectif, dans le cadre d’un réseau contrefaisant.

The educational element of the graduated response should be enhanced.  Thus, the ultimate punishment, i.e. suppression of Internet access, should be replaced by throttling.  Furthermore, the fine should be reduced from 1,500€ to 60€.

The report proposes to close the HADOPI organization and forward its mission to the Conseil Supérieur de l’Audiovisuel (High Council of Audiovisual).  We anticipated that in August 2012.

Section C-4: “the fight against online commercial piracy” is going in the right direction.  It clearly highlights that direct download, streaming and referee sites are making money through piracy, estimated between 52 to 71M€ each year in France.  According to the report, these sites are the real money makers of digital piracy.  Despite the laws exist, suing these site owners is difficult. The State should be proactive in this fight.

Section C-5: “The responsibility of hosting sites”.   Currently, European and French laws imply that the hosting site cannot be responsible:

  • if it was not aware that content was infringing
  • if it did not take down infringing content once notified.

La  responsabilitécivile ou pénale des hébergeurs ne peut être engagée « s’ils n’avaient pas effectivement connaissance » du caractère illicite des contenus stockés ou « si, dès le moment où elles en ont eu cette connaissance, elles ont agi promptement pour retirer ces données  ou en rendre l’accès impossible ».

The report does not recommend to modify this status.  Nevertheless, it recommends to facilitate good practices such as using fingerprint to detect illegal content (The French INA signature is highlighted).  The report recommends that the French State support a common initiative to set up an organization that would create a database of reference fingerprints and send take down notifications to sites.

In Section C-6, the report recommends that search engines should present the legal offers in a predominant position compared to counterfeiting offers.  Currently, search engines have in Europe light responsibilities in this field.

Section C-7 highlights the role of payment organizations and advertisement agencies.  they indirectly facilitate and benefit from digital piracy.  The report calls these intermediaries to be good citizens.  Google has already proven that it may accept to play this game.

Section C-8 tackles the issue of blocking a site and domain names.  Although possible with French regulation, the report does recommend to use them only as ultimate solution.



  • Is HADOPI dead?   It seems that this time, it is a serious blow against it.  It is only  a report, not a set of decisions.   We know the French minister of culture is not HADOPI-friendly.   Thus the likelihood of its near death is high.
  • Is the French graduated response dead?   It will continue, in its current form or in a new way, regardless of its future hosting organization.

Hadopi, VLC and BluRay (2)

Following French Hadopi’s public consultation, this institution has given its analysis about the request of VideoLan.  VideoLAN is the “publisher” of the open source  player VLC. Its advice is extremely interesting as it sheds some lights on the French official vision of handling of DRM secrets and open source.

Before jumping to the final conclusion, it is worthwhile to detail some articles.

27. En outre, cette exception porte exclusivement sur des logiciels. Elle ne saurait ainsi concerner les parties non-logicielles des mesures techniques de protection considérées. En particulier, les secrets, au nombre desquels figurent les clés de chiffrement, ne constituent pas par eux-mêmes des instructions de commandes informatiques et ne peuvent être considérés comme des éléments de logiciel.

27. Besides, this exception concerns exclusively software. It would not concern the non-software elements of the technical protection measures (TPM).  Particularly, The secrets, amongst which appear the encryption keys, are not software instruction and thus are not part of the software  (approximate personal translation)

As keys are extremely important for TPMs, this is an interesting conclusion.

33. Il résulte de ce qui précède que l’association VideoLAN ne peut se fonder ni surl’exception d’ « ingénierie inverse », ni sur l’exception de « décompilation » prévues àl’article L. 122-6-1 du code de la propriété intellectuelle pour mettre à la disposition des utilisateurs un logiciel contournant, sans autorisation des titulaires de droitconcernés, l’intégralité des mesures techniques protégeant les disques « Blu-Ray»

Here, HADOPI decides reverse engineering and decompilation are not part of the authorized exception by the law.

34. Il résulte de l’instruction que l’association VideoLAN n’a pas entrepris de solliciter, auprès des titulaires de droits sur les mesures techniques de protection « AACS » et BD+ », les informations essentielles à l’interopérabilité de ces mesures. Si toutefois elle se voyait opposer, à l’issue d’une telle demande, un refus, elle serait recevable à saisir la Haute autorité dans le cadre d’une procédure de règlement des différends sur le fondement de l’article L. 331-32 du code de la propriété intellectuelle.

Article 34 states that following the enquiry, VideoLAN has not asked to the owners of the TPM AACS and BD+ information needed for interoperability. Would it be denied this information after the request, then VideoLAN could file a procedure for litigation for disagreement at HADOPI.

35. …
En vertu de la jurisprudence du Conseil Constitutionnel, la communication de ces informations ne pourrait intervenir que contre le versement d’une indemnité appropriée.

Here, HADOPI states that receiving this information form AACS and BD+ would require to pay a proper fee. So long for free open source.

38. Dans le cadre d’une procédure de règlement des différends, l’association VideoLAN ne pourrait être contrainte de renoncer à la publication de son code source que si les titulaires de droit sur les mesures techniques AACS et BD+ étaient en mesure de démontrer que cette publication porterait gravement atteinte à la sécurité et à l’efficacité de cette mesure.

38. As part of the procedure of litigation for disagreement, the VideoLAN association could be forced to abandon the publication of its source code only the owners of AACS and BD+ could demonstrate that this publication would gravely undermine the security and the effectiveness of this TPM. (approximate personal translation)

As a conclusion, HADOPI considers that VideoLAN cannot request the secrets of AACS and BD+ under the exceptions for reverse engineering and decompilation.   Nevertheless, VideoLAN could request HADOPI to analyze against the case if VideoLAN would have requested information from AACS and BD+ and if AACS and BD+ would have not favorably answered.

Will VideoLAN ask information to AACS and BD+?   Your guess?    To be followed