Resale of digital songs: the new Eldorado?

At least, until last week.  Last week, a US court decided that the first sale doctrine was only valid for physical goods and not for digital goods.  It was bad news for ReDigi.   It may also be bad news for Apple and Amazon.  Both companies recently filed patents for a market place of used digital songs.  Interestingly, their respective approaches are different.

On May 5, 2009, Amazon filed a patent entitled “Secondary market for digital objects”. Claim 1 is extremely broad.  The main idea is that the digital object to be sold is stored in a first personalized data store; once the transfer is requested, the object is transferred to a personalized data store for the new owner and the initial instance is then deleted from the first data store.

This is rather basic.  It describes a kind of direct transfer.   The patent becomes more interesting with claim 2 and the following ones.  The piece of content has a counter of authorized transfers.  Once the threshold is reached, the digital object can no longer be exchanged or sold.

2. The system of claim 1, wherein the one or more business rules comprise a move limit business rule, and wherein authorizing transfer of the used digital object further comprises: initializing an object move counter to count a number of moves of the used digital object between personalized data stores; setting an object move threshold, the object move threshold defining a number of times the used digital object can be moved; applying the move limit business rule stored in memory to determine whether to authorize or deny the request for transfer of the used digital object, application of the move limit business rule comprising: querying the object move counter to determine a number of times the used digital object has been moved; comparing the object move counter to the object move threshold; denying the request for transfer of the used digital object as impermissible when the object move counter of the used digital object exceeds the object move threshold; and authorizing the request for transfer of the used digital object to the second personalized data store when the object move counter of the used digital object is within the object move threshold.

On June 22, 2012, Apple filed a patent entitled “Managing access to digital content items”.   Its approach is different.  Apple handles ownership data (license?) and transfers the ownership data between the users.  Interestingly, Apple introduces the notion of track usage data that will determine the remuneration of the user.

1. A method comprising: storing, at a particular entity, first ownership data that authorizes a user to access a digital content item; storing, in association with the digital content item, track usage data that indicates how much the user used or could have used the digital content item; receiving, at the particular entity, from a device operated by the user, relinquish request data that indicates that the user wishes to relinquish authorized access to the digital content item; in response to receiving the relinquish request data, the particular entity identifying one or more conditions associated with the digital content item; based on the one or more conditions and the track usage data, determining whether to provide remuneration to the user; in response to determining to provide remuneration to the user, storing second ownership data that revokes authorization of the user to access the digital content item; and based on the second ownership data, the particular entity preventing the user from further accessing the digital content item; wherein the method is performed by one or more computing devices.

Interestingly, both approaches introduce a notion of obsolescence or loss of value to partly mimic physical objects.  They attempt to artificially limit one of the fears of content owners.   As a copy of a digital object remains pristine, it could be resold indefinitely without loss of “quality”, thus undermining the primary market (and thus losing money for content owners).  Physical objects degrade with time.  With these tricks, digital objects would also “degrade” with time.

Will these approaches be more acceptable to a judge?  Will Apple and Amazon open such a marketplace?

Murdoch’s pirates

In 2008, I wrote a post about “Big Gun”, a hacker who was supposed to have worked for NDS to hack competitors.  It followed a series of lawsuits against News.

This was only a small portion of the larger picture of the NDS story.  With Murdoch’s pirates, Neil Chenoweth has just published a detailed description of how NDS acted to “keep ahead” of its competitors.  And the story is as good as a good spy novel.  The difference is that this is real.  And unlike in Hollywood movies, morality does not win.

You will discover the dark side of News and NDS. The book is not technical (there are even some inaccuracies).  But the story is based on all the documents that were published during the multiple trials.

I do not like the author's style.  Although he uses real information, he is not objective and clearly takes a position.  Furthermore, the first two sections do not follow a linear narration.  This makes the introduction of the “heroes” of this book difficult to follow.  Nevertheless, if you are working, or have worked, with Conditional Access providers, you will be thrilled by the book.

From a personal point of view, as I met several of the early actors of this book while we were designing VideoCrypt, it was a strange experience to discover the very dark sides of some of them.   I was not naïve; nevertheless, it was worse than my darkest assumptions.


CA guys, read this book.

HADOPI, VLC and BluRay

HADOPI, the French law about digital rights, has some articles that may facilitate the interoperability of copy protection systems.  A software publisher may request access to the APIs and documentation of a copy protection system in order to implement interoperability.


This is what VideoLan, the publisher of the famous open-source media player VLC, has just requested from HADOPI.  VLC wants to get access to AACS in order to be able to play BluRay discs. VLC does not yet support BluRay as it is not a licensee of AACS.


HADOPI has identified where the real problem is. The documentation and API are not sufficient because AACS also requires cryptographic keys delivered by the licensing authority.  And of course, as in any encryption-based system, keys are the most important asset.

This definition of “information essential to interoperability” does not seem to allow obtaining, in the case of a technical protection measure in the form of an encryption algorithm, the disclosure of the decryption keys of the protected content (and more generally the necessary secrets), which seem to belong neither to the technical documentation nor to the programming interfaces.

Thus, on 6 February, HADOPI launched a public consultation to collect opinions on the topic.  Knowledgeable people may enlighten this institution before 26 February 2013.

… the High Authority invites persons with expertise in this field to submit any information they consider useful to its deliberations, in particular by answering the question of whether “the technical documentation and the programming interfaces” referred to in Article L. 331-32 include the decryption keys of protected content and, more generally, the necessary secrets.

If you have read my book, then you know that I do not believe in open-source based DRM, at least for B2C.  There is no way to protect the keys properly.  Thus, the decision of the HADOPI on this topic will be extremely important and scrutinized by the community.  We will follow up.

CORAL consortium is dissolved

In October 2004, Intertrust, Philips, Matsushita, Samsung, Sony, and Twentieth Century Fox Film Corporation founded the CORAL consortium. Many companies joined it.   It was an initiative to specify an interoperable framework for DRM.  The first set of specifications was published in November 2005, and the final set in October 2007.

The actual deployment of the CORAL framework is extremely limited. Nevertheless, the CORAL framework was one of the initial contributions to DECE, which defines UltraViolet.

On December 13, 2012, the CORAL organization was dissolved.   The web site will stay online until April 1, 2013.

the resale locker

I must confess that I became aware of this interesting initiative only this summer, although ReDigi has operated since October 2011.

ReDigi is a site that allows you either to resell songs that you no longer want, or to purchase songs that other people no longer want.  In other words, a second-hand market for music.

How it works, from the user's point of view:

  1. Alice, the user, subscribes to the service.
  2. ReDigi locates the songs Alice may resell (purchased either from iTunes or from ReDigi).
  3. Alice selects the songs to sell, and ReDigi stores them in the cloud while wiping out the copies on her computers.
  4. As long as the song is not yet sold, Alice can stream it.
  5. Once Bob has purchased it, she can no longer listen to it.
  6. If ever a copy of the sold song appears again on Alice’s device(s), she is notified.


How it works (based partly on the details provided by ReDigi in a court trial, an interview, and my guesses):

  1. She has to install software called Music Manager.
  2. Music Manager explores the directories and spots the iTunes and ReDigi songs.  It most probably jumps directly to the FairPlay protected directory to find the licenses.  It checks whether the song is legal (in other words, whether it can access the key, which means that the license was bound to the device).
  3. It uploads the file (and probably the license) to the cloud and erases the accessible song.  At the next sync, all iTunes copies should disappear.
  4. The uploaded copy is marked as such until it is sold.
  5. Once it is sold, it is marked for somebody else.  I would like to know if they rebuild their own license or a new iTunes license.
  6. During phase 3, it extracts a fingerprint of the song.  Music Manager scouts the hard drive to find copies.  I was not able to find out whether the fingerprint is a basic crypto hash (MD5) or a real audio fingerprint.  If it is the second case, then funny things may happen.
    Alice purchased Song1 on iTunes.  Later she purchases the full album on a CD.  Thus, she resells the iTunes Song1, and rips her CD.  A legit copy of Song1 will reappear on her drive.  Music Manager will complain.  (ReDigi claims that after numerous complaints that are not obeyed (obeying means erasing the song), the subscription is cancelled.)
    Obviously, if it is just the hash, then the system can be easily bypassed.
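The two matching strategies discussed in step 6, as an added example that is not ReDigi's code: a cryptographic hash of the samples beside a coarse energy-trend fingerprint, run over constructed audio standing in for the sold iTunes track, Alice's CD rip of the same recording, and an unrelated song.  The signal generator, the one-bit-per-frame fingerprint and the 3-bit match threshold are all assumptions made for illustration.

```python
import hashlib
import math
import random
import struct

FRAME = 256          # samples per analysis frame (assumed)
MATCH_MAX_BITS = 3   # Hamming distance at or below this counts as a match (assumed)

def synth(mult, frames=33):
    """Constructed mono 16-bit 'song': one sine burst per frame, loudness varies with mult."""
    out = []
    for k in range(frames):
        amp = 1000 + 700 * ((k * mult) % 11)
        out += [int(amp * math.sin(2 * math.pi * 8 * n / FRAME)) for n in range(FRAME)]
    return out

def rip_from_cd(samples, gain=0.9, noise=20, seed=1):
    """Stand-in for another source of the same recording: slightly different sample values."""
    rng = random.Random(seed)
    return [int(s * gain) + rng.randint(-noise, noise) for s in samples]

def exact_hash(samples):
    # The post mentions MD5; any cryptographic hash behaves the same way here.
    return hashlib.sha256(struct.pack(f"<{len(samples)}h", *samples)).hexdigest()

def fingerprint(samples):
    """One bit per frame boundary: 1 if the energy rises from this frame to the next."""
    energy = [sum(s * s for s in samples[i:i + FRAME])
              for i in range(0, len(samples), FRAME)]
    return [int(b > a) for a, b in zip(energy, energy[1:])]

def distance(fp_a, fp_b):
    """Hamming distance between two equal-length fingerprints."""
    return sum(x != y for x, y in zip(fp_a, fp_b))

def scan(sold, candidate):
    """What each matcher reports for a file found on the seller's drive."""
    return {
        "hash_match": exact_hash(sold) == exact_hash(candidate),
        "fingerprint_match":
            distance(fingerprint(sold), fingerprint(candidate)) <= MATCH_MAX_BITS,
    }

sold_song = synth(7)               # the iTunes Song1 that Alice resold
cd_rip = rip_from_cd(sold_song)    # her later, legitimate CD rip of Song1
other_song = synth(3)              # an unrelated track

if __name__ == "__main__":
    for name, cand in [("same file", sold_song), ("CD rip", cd_rip), ("other", other_song)]:
        print(name, scan(sold_song, cand))
```

The hash matcher only recognises the byte-identical file, while the fingerprint matcher also flags the CD rip, which is exactly the legitimate copy that triggers the complaint in the scenario above.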


The interesting question is not if the system can be bypassed.  I am sure that the readers of this blog have already guessed at least one or two ways to hack it.  It is not complex, and I will not elaborate on it.


The interesting question is whether it is legal to resell a digital song.  There is a US first sale doctrine that allows you to resell your own goods; nevertheless, the answer may not be so trivial.  See this article.  We will soon have a (first) answer.  In January 2012, Capitol Records filed a suit against ReDigi.  In February 2012, the district court rejected the preliminary injunction.  Oral arguments should start on October 5.  This article gives a good summary of the legal case.

“Securing Digital Video” is now available!

My book, “Securing Digital Video: Techniques for DRM and Content Protection”, is now available for sale.   It can be found directly at Springer (about one week delay), from the US Amazon (2-4 weeks delay) and from the French Amazon (available only in August).

This is the last step of a long process.  I hope that the reader will enjoy it and that it will be useful to the community.   More details on the book are available here.

I would be glad to hear your suggestions, appreciations (even negative ones), and answer any question.  For that, use preferably the address  I will always answer.