Is French HADOPI law dead?

Pierre Lescure, former CEO of French broadcaster Canal+, has delivered to the French minister of culture and communication his report “Contribution aux politiques culturelles à l’ère numérique” (i.e. contribution to cultural policies in the digital era). Obviously, among the 88 recommendations, numerous proposals tackle copyright issues. These recommendations made the headlines of the French press.

 

Pierre Lescure and his team have deeply analyzed the current French graduated response, its organization HADOPI, and its efficiency. Let’s navigate the 700-page document and highlight some interesting points.

In section A-5: The release window

The report highlights that the audience wants the pieces of content as early as possible. Furthermore, VOD is drastically increasing. Thus, they propose to reduce the current release window of VOD by one month. Interestingly, they would offer this earlier release only to “good citizen” operators.

More precisely, it is proposed to bring forward the video-on-demand window, possibly reserving this measure for the most virtuous services, that is, those that agree to make proactive commitments in terms of financing creation and showcasing diversity.

Furthermore, they propose the concept of a premium weekend, when a piece of content would be available as VOD one or two weeks after theatrical release for 30€ (40$).

 

Section A-14 tackles the issue of DRM. They propose to extend the scope of the DADVSI law to games and public domain content. They also recommend creating an open standard for DRM.

Personal note: the problem with an open standard is that it cannot enforce a compliance and robustness regime, which is mandatory for any DRM to be efficient.

They highlight that DRM and the French right to private copy do not coexist well.

Section B-7 tackles the issue of the private copy levy.

As cloud computing is becoming more and more present, storage in the cloud will become prevalent. Therefore, the current private copy levy will become useless. Thus, the report suggests creating a levy for every connected device regardless of its internal storage capabilities.

In section C2: “Appraisal of the graduated response”.

The graduated response (articles L.331-24 et seq. of the CPI) is based not on the act of counterfeiting itself, but on the failure of the Internet subscription holder to meet the obligation to monitor his or her access point …
The notion of characterized negligence thus makes it possible, at the end of the graduated response procedure, to sanction the subscription holder without proof that he or she is indeed the author of the offence of counterfeiting, provided that he or she did not take measures to secure the line.

They highlight that the cornerstone of the French graduated response is not the counterfeiting act but the characterized negligence of the subscriber in securing his/her Internet access. Being negligent in securing the network does not mean the owner of the network was the infringer.

 

As of February 2013, content owners had detected 35 million for 4.7 million IP addresses. 1.6 million first warnings and 139,000 second warnings were issued, with 29 cases passed to the Court. Only two cases were sentenced, with a 150€ fine. In 2012, the direct cost of the graduated response was 6M$, with an additional bill of 2.5Me from the three main ISPs. This evaluation does not include the cost of TMG detecting the supposed infringing IP addresses, which is borne by the content owners.

They must conclude that the efficiency is mixed.  The use of P2P has visibly declined by 40% in three years.  Nevertheless, this may just mean that the traffic moved to direct download/streaming sites that HADOPI does not monitor.

In section C-3: “Lightening the graduated response”

The report acknowledges that suppressing the graduated response would have many advantages. Nevertheless, the disadvantages are more important. The report proposes to clarify the concept of “characterized negligence”. You would have to put something in place, but you would not have to be successful. They also propose to focus on the counterfeiting rather than on the negligence. The counterfeiting act should be proven and for monetary gain.

In the immediate term, public prosecutors could be asked to bring counterfeiting proceedings only where there are serious and consistent indications tending to prove the existence of personal or collective enrichment, within the framework of a counterfeiting network.

The educational element of the graduated response should be enhanced.  Thus, the ultimate punishment, i.e. suppression of Internet access, should be replaced by throttling.  Furthermore, the fine should be reduced from 1,500€ to 60€.

The report proposes to close the HADOPI organization and forward its mission to the Conseil Supérieur de l’Audiovisuel (High Council of Audiovisual).  We anticipated that in August 2012.

Section C-4: “the fight against online commercial piracy” is going in the right direction. It clearly highlights that direct download, streaming and referee sites are making money through piracy, estimated at between 52 and 71M€ each year in France. According to the report, these sites are the real money makers of digital piracy. Although the laws exist, suing these site owners is difficult. The State should be proactive in this fight.

Section C-5: “The responsibility of hosting sites”.   Currently, European and French laws imply that the hosting site cannot be responsible:

  • if it was not aware that content was infringing
  • if it took down infringing content once notified.

The civil or criminal liability of hosting providers cannot be incurred “if they did not have actual knowledge” of the unlawful nature of the stored content or “if, from the moment they became aware of it, they acted promptly to remove that data or make access to it impossible”.

The report does not recommend modifying this status. Nevertheless, it recommends facilitating good practices such as using fingerprints to detect illegal content (the French INA signature is highlighted). The report recommends that the French State support a common initiative to set up an organization that would create a database of reference fingerprints and send take down notifications to sites.

In Section C-6, the report recommends that search engines should present the legal offers in a predominant position compared to counterfeiting offers. Currently, search engines have light responsibilities in this field in Europe.

Section C-7 highlights the role of payment organizations and advertisement agencies. They indirectly facilitate and benefit from digital piracy. The report calls on these intermediaries to be good citizens. Google has already proven that it may accept to play this game.

Section C-8 tackles the issue of blocking a site and domain names. Although this is possible under French regulation, the report recommends using it only as the ultimate solution.

 

Conclusion:

  • Is HADOPI dead?   It seems that this time, it is a serious blow against it.  It is only  a report, not a set of decisions.   We know the French minister of culture is not HADOPI-friendly.   Thus the likelihood of its near death is high.
  • Is the French graduated response dead?   It will continue, in its current form or in a new way, regardless of its future hosting organization.

Hadopi, VLC and BluRay

Following French Hadopi’s public consultation, this institution has given its analysis of the request of VideoLAN. VideoLAN is the “publisher” of the open source player VLC. Its advice is extremely interesting as it sheds some light on the French official vision of the handling of DRM secrets and open source.

Before jumping to the final conclusion, it is worthwhile to detail some articles.

27. Besides, this exception concerns exclusively software. It would not concern the non-software elements of the technical protection measures (TPM). Particularly, the secrets, amongst which appear the encryption keys, are not software instructions and thus are not part of the software. (approximate personal translation)

As keys are extremely important for TPMs, this is an interesting conclusion.

33. It follows from the foregoing that the VideoLAN association can rely neither on the “reverse engineering” exception nor on the “decompilation” exception provided for in article L. 122-6-1 of the intellectual property code to make available to users software that circumvents, without authorization from the rights holders concerned, all of the technical measures protecting “Blu-Ray” discs.

Here, HADOPI decides that reverse engineering and decompilation are not part of the exception authorized by the law.

34. It emerges from the investigation that the VideoLAN association has not undertaken to request, from the holders of rights in the “AACS” and “BD+” technical protection measures, the information essential to the interoperability of these measures. If, however, such a request were met with a refusal, it would be entitled to refer the matter to the Haute autorité under a dispute settlement procedure on the basis of article L. 331-32 of the intellectual property code.

Article 34 states that, following the enquiry, VideoLAN has not asked the owners of the AACS and BD+ TPMs for the information needed for interoperability. Should it be denied this information after such a request, VideoLAN could then file a procedure of litigation for disagreement at HADOPI.

35. …
Under the case law of the Conseil Constitutionnel, this information could be communicated only in return for payment of appropriate compensation.

Here, HADOPI states that receiving this information from AACS and BD+ would require paying a proper fee. So much for free open source.

38. As part of the procedure of litigation for disagreement, the VideoLAN association could be forced to abandon the publication of its source code only if the owners of AACS and BD+ could demonstrate that this publication would gravely undermine the security and the effectiveness of this TPM. (approximate personal translation)

As a conclusion, HADOPI considers that VideoLAN cannot request the secrets of AACS and BD+ under the exceptions for reverse engineering and decompilation. Nevertheless, VideoLAN could request HADOPI to analyze the case again if VideoLAN had requested information from AACS and BD+ and if AACS and BD+ had not answered favorably.

Will VideoLAN ask AACS and BD+ for information? Your guess? To be followed.

Resale of digital songs: the new Eldorado?

At least, until last week.  Last week, a US court decided that the first sale doctrine was only valid for physical goods and not for digital goods.  It was bad news for ReDigi.   It may also be bad news for Apple and Amazon.  Both companies recently filed patents for a market place of used digital songs.  Interestingly, their respective approaches are different.

Amazon filed on May 5, 2009, a patent entitled “Secondary market for digital objects”. Claim 1 is extremely broad. It is mainly the idea that the digital object to be sold is stored in a first personalized data store and, once the transfer is requested, is transferred to a personalized data store for the new owner, after which the initial instance is deleted from the first data store.

This is rather basic. It describes a kind of direct transfer. The patent becomes more interesting with claim 2 and the following ones. The piece of content has a counter of authorized transfers. Once the threshold is reached, the digital object can no longer be exchanged/sold.

2. The system of claim 1, wherein the one or more business rules comprise a move limit business rule, and wherein authorizing transfer of the used digital object further comprises: initializing an object move counter to count a number of moves of the used digital object between personalized data stores; setting an object move threshold, the object move threshold defining a number of times the used digital object can be moved; applying the move limit business rule stored in memory to determine whether to authorize or deny the request for transfer of the used digital object, application of the move limit business rule comprising: querying the object move counter to determine a number of times the used digital object has been moved; comparing the object move counter to the object move threshold; denying the request for transfer of the used digital object as impermissible when the object move counter of the used digital object exceeds the object move threshold; and authorizing the request for transfer of the used digital object to the second personalized data store when the object move counter of the used digital object is within the object move threshold.

On June 22, 2012, Apple filed a patent entitled “Managing access to digital content items”. Its approach is different. Apple handles ownership data (license?) and transfers the ownership data between the users. Interestingly, Apple introduces the notion of track usage data that will determine the remuneration of the user.

1. A method comprising: storing, at a particular entity, first ownership data that authorizes a user to access a digital content item; storing, in association with the digital content item, track usage data that indicates how much the user used or could have used the digital content item; receiving, at the particular entity, from a device operated by the user, relinquish request data that indicates that the user wishes to relinquish authorized access to the digital content item; in response to receiving the relinquish request data, the particular entity identifying one or more conditions associated with the digital content item; based on the one or more conditions and the track usage data, determining whether to provide remuneration to the user; in response to determining to provide remuneration to the user, storing second ownership data that revokes authorization of the user to access the digital content item; and based on the second ownership data, the particular entity preventing the user from further accessing the digital content item; wherein the method is performed by one or more computing devices.

Interestingly, both approaches introduce a notion of obsolescence or loss of value to partly mimic physical objects. It artificially attempts to limit one of the fears of content owners. As a digital object copy remains pristine, it could be indefinitely resold without loss of “quality”, thus undermining the primary market (and thus losing money for content owners). Physical objects degrade with time. With these tricks, digital objects would also “degrade” with time.

Will these approaches be more acceptable for a judge?  Will Apple and Amazon open such market place?

Murdoch’s pirates

In 2008, I wrote a post about “Big Gun”, a hacker who was supposed to have worked for NDS to hack competitors.  It followed a suite of lawsuits against News.

This was only a small portion of the large picture of the NDS story. With Murdoch’s pirates, Neil Chenoweth has just published a detailed description of how NDS acted to “keep ahead” of its competitors. And the story is as good as a good spy book. The difference is that this is real. And unlike in Hollywood movies, morality does not win.

You will discover the dark side of News and NDS. The book is not technical (there are even some inaccuracies).  But the story is based on all the documents that were published during the multiple trials.

I do not like the style of the author. Although he uses real information, he is not objective and clearly takes a position. Furthermore, the first two sections do not follow a linear narration. This makes the introduction of the “heroes” of this book difficult to follow. Nevertheless, if you are working, or have worked, with Conditional Access providers, you will be thrilled by the book.

From a personal point of view, as I have met several of the early actors of this book while we were designing VideoCrypt, it was a strange experience to discover very dark parts of some of them. I was not naïve; nevertheless, it was worse than my darkest assumptions.

 

CA guys, read this book.

HADOPI, VLC and BluRay

HADOPI, the French law about digital rights, has some articles that may facilitate interoperability of copy protection systems. An editor may request access to the APIs and documentation of a copy protection system to implement interoperability.

 

This is what VideoLAN, the editor of the famous open-source media player VLC, has just requested from HADOPI. VLC wants to get access to AACS in order to be able to play BluRay discs. VLC does not yet support BluRay as it is not a licensee of AACS.

 

HADOPI has identified where the real problem is. The documentation and API are not sufficient because AACS also requires cryptographic keys delivered by the licensing authority. And of course, as in any encryption-based system, keys are the most important asset.

This definition of “information essential to interoperability” does not appear to allow, in the case of a technical protection measure in the form of an encryption algorithm, obtaining the decryption keys of the protected content (and more generally the necessary secrets), which appear to belong neither to the technical documentation nor to the programming interfaces.

Thus, on 6 February, HADOPI launched a public consultation to collect opinions on the topic.  Knowledgeable people may enlighten this institution before 26 February 2013.

… the Haute autorité invites persons with expertise in this field to submit any elements they consider useful to its deliberations, in particular by answering the question of whether “the technical documentation and the programming interfaces” referred to in article L. 331-32 include the decryption keys of protected content and more generally the necessary secrets.

If you have read my book, then you know that I do not believe in open-source based DRM, at least for B2C. There is no way to protect the keys properly. Thus, the decision of the HADOPI on this topic will be extremely important and scrutinized by the community. We will follow up.

Mail In Black

Mail in Black is the name of a French company that provides an interesting anti-spam solution. Their idea is simple. Spam is generated by robots. Thus, if you filter out every communication issued by robots, then you would get rid of spam. How to detect a robot? Apply a Turing test.

 

How does it work:

  • You define an initial white list of email addresses or domains.
  • When MailInBlack receives an email, it checks whether the emitter is part of the white list.  If it is the case, then the mail is forwarded to you.
  • If the emitter is not in the white list, MailInBlack returns, on your behalf, a captcha challenge (for instance, type the orange text). 


  • If the challenge is successful, then it forwards the message and automatically adds the recipient to the white list.
  • Else the message is quarantined and the emitter is added to a black list.
  • Of course, if you rescue a message from the quarantine, then the emitter moves to the white list.
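The steps above can be modelled as a small state machine. This is an added example, not MailInBlack's code: the class and method names are hypothetical, the addresses are constructed, and two behaviours are assumptions (an unanswered challenge is treated like a failed one, and later mail from a blacklisted emitter goes straight to quarantine).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ChallengeResponseFilter:
    """Hypothetical model of the white list / challenge / quarantine flow."""
    whitelist: set = field(default_factory=set)     # addresses or bare domains
    blacklist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)     # token -> (sender, held msgs)
    quarantine: dict = field(default_factory=dict)  # sender -> quarantined msgs
    inbox: list = field(default_factory=list)       # (sender, message) delivered

    def _trusted(self, sender):
        domain = sender.rsplit("@", 1)[-1]
        return sender in self.whitelist or domain in self.whitelist

    def receive(self, sender, message):
        """Return (status, token); token is set only when a challenge is issued."""
        sender = sender.lower()
        if self._trusted(sender):
            self.inbox.append((sender, message))
            return "delivered", None
        if sender in self.blacklist:
            # Assumption: later mail from a blacklisted emitter is quarantined.
            self.quarantine.setdefault(sender, []).append(message)
            return "quarantined", None
        for who, held in self.pending.values():
            if who == sender:              # one outstanding challenge per emitter
                held.append(message)
                return "held", None
        token = secrets.token_urlsafe(16)  # unguessable reference to the challenge
        self.pending[token] = (sender, [message])
        return "challenged", token

    def answer(self, token, solved):
        """Apply the captcha outcome; solved=False also models an expired challenge."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return "unknown-token"
        sender, held = entry
        if solved:
            self.whitelist.add(sender)
            self.inbox.extend((sender, m) for m in held)
            return "released"
        self.blacklist.add(sender)
        self.quarantine.setdefault(sender, []).extend(held)
        return "quarantined"

    def rescue(self, sender):
        """Recipient rescues quarantined mail: emitter moves to the white list."""
        sender = sender.lower()
        msgs = self.quarantine.pop(sender, [])
        self.blacklist.discard(sender)
        self.whitelist.add(sender)
        self.inbox.extend((sender, m) for m in msgs)
        return len(msgs)


def demo():
    """Constructed traffic: a trusted domain, a human, and an automated sender."""
    f = ChallengeResponseFilter(whitelist={"example.org"})
    log = [f.receive("alice@example.org", "hi")[0]]
    status, t1 = f.receive("bob@example.net", "hello")
    log += [status, f.receive("bob@example.net", "again")[0], f.answer(t1, True)]
    status, t2 = f.receive("noreply@shop.example", "invoice")
    log += [status, f.answer(t2, False), f.rescue("noreply@shop.example")]
    return f, log
```

The automated sender in `demo()` never solves its challenge, so its invoice reaches the inbox only after the recipient rescues it from quarantine.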

According to me, there are some potential hiccups:

  • You may lose messages from automatic systems that are legitimate to receive (and there are many legitimate ones). Therefore, the initial building of the white list is important.
  • Some surprised emitters may believe that the challenge is actually a spam or worse, a malware. This is mitigated as they just sent you a message and “you” issue the challenge.
  • If they are successful, how long will it take before we see the first malware spam mimicking a MailInBlack challenge but with a malicious site?

Nevertheless, an interesting approach to anti-spam. 

CORAL consortium is dissolved

In October 2004, Intertrust, Philips, Matsushita, Samsung, Sony, and Twentieth Century Fox Film Corporation founded the CORAL consortium. Many companies joined it.   It was an initiative to specify an interoperable framework for DRM.  The first set of specifications was published in November 2005, and the final set in October 2007.

The actual deployment of the Coral framework is extremely limited. Nevertheless, CORAL framework has been one of the initial contributions to DECE which defines UltraViolet.

On December 13, 2012, the CORAL organization was dissolved. The web site, http://www.coral-interop.org/, will stay online until April 1, 2013.