Tangled Webs

    Let the Music Play: Part II
Issue 6.3
May 23, 2001

Saving Face

I have never written two consecutive articles on the same topic, but the activities of the Recording Industry Association of America (RIAA) continue to be a source of amazement to most and outrage to many. Granted, almost no one like to lose, but absolutely no one likes a sore loser. When you make the rules and still end up beaten at your own game, it is rather poor sportsmanship to sick a pack of lawyers on the winners.

But I am getting ahead of myself.

The RIAA has the driving force behind the comically unsuccessful Secure Digital Music Initiative (SDMI.) The SDMI was an industry coalition formed in 1999 to provide a more secure alternative to music file formats like MP3.

In September of 2000, the SDMI issued a "Public Challenge." They posted six of their encryption and watermarking technologies on the Internet and challenged all hackers to try to crack them. Press releases boldly proclaimed that this would prove the invulnerability of their technology and would pave the way to secure digital music.

To ensure their desired outcome, the RIAA stacked the deck a bit. The files provided very little information. Most consisted of tiny audio clips rather than the CDs full of data that actual music pirates would have to work with, and the encryption had to be cracked within three weeks of the initial announcement. Furthermore, the prize money was not only small, but was to be split among all who broke the encryption -- provided they were willing to sign confidentiality agreements.

In November the SDMI announced the challenge was over and that only one of the six technologies had been cracked. The two successful entrants would split the $10,000 prize. Apparently the other five technologies had proven uncrackable. Unfortunately, that was not the whole story.

In Your Face

A group of nine researchers led by Princeton University's Edward Felten decided to forgo the small cash prize so that they would not be bound by the confidentiality agreement. These researchers managed to break not just one of RIAA's encoding schemes, but all six of them. To be fair, however, the researchers could only verify that they had cracked five of the schemes since the verification tool provided by RIAA did not function correctly.

The group submitted their findings for peer review, and copies were inevitably leaked on the Internet. The researchers detailed the weaknesses in each of the six technologies and were scathing in their criticism of their simplicity. Dr. Felton was scheduled to formally present his paper at the International Information Hiding Workshop on April 26.

The RIAA responded to this potentially embarrassing situation in their usual manner; by threatening legal action against the authors, their employers and the conference organizers. In a letter to Professor Felten, RIAA layers stated that the Verance Watermark technology his team had cracked was protected as a trade secret. The letter further asserted that since disclosure of the team's findings could lead to the illegal distribution of copyrighted material. Felton's team would be subject to unspecified "enforcement actions under the DMCA and possibly other federal laws." The attorneys requested that the paper be pulled from the conference, and that it not be disclosed to anyone other than the SDMI.

About Face

I'm not a lawyer, but RIAA's threats ring a bit hollow. The DMCA specifically allows encryption technologies to be cracked for the purpose of academic research. Furthermore, since the details of the Verance Watermark have been publicly disclosed in the patent application, it cannot be protected as a trade secret. Add to this RIAA's underlying assertion that computer scientists should not be permitted to discuss commercial cryptography at a cryptography conference, and I can't imagine a court in America siding with the RIAA.

Of course, as with so many legal maneuvers, legality is largely irrelevant. Princeton seemed willing to stand behind the researchers, but other organizations collapsed like a pin-priced balloon, and the paper was pulled from the conference. For those who are interested, Dr.Felten's paper and the letter from RIAA is available at a third-party site at http://cryptome.org/sdmi-attack.htm.

After the paper was pulled, the SDMI issued a statement saying that they are fully committed to free speech and never had any intention of bringing legal action against anyone. They would have us believe that the threatening letters from their legal department were simply misunderstood.

Fair-play and freedom of speech issues aside, I simply can't see the logic to RIAA's actions. Their lawyers will probably be able to frighten law-abiding organizations into not talking about their technological weaknesses. However, they will have no effect on those who actually pirate music and are willing to break the law. The SDMI needs to spend less energy trying to silence legitimate criticism and focus on developing some technological barriers to music piracy. That is, after all, supposed to be their reason for existence.

[ Home Page] [ Back to Index ] [ Previous Issue ] [ Next Issue ]

© Copyright 2001, Tim Romero, t3@t3.org
This article fist appeared in the May 16th edition of The Japan Times.
Tangled Webs may be distributed freely provided this copyright notice is included.
The Tangled Webs Archive is located at http://www.t3.org/tangledwebs/index.shtml