Can P2P Filter Copyrighted Content?

scubacuda writes "DRMwatch reports that technologists acting on behalf of porn publisher Titan Media reported to Congress that P2P networks could (if they wanted to) use "fingerprinting" (aka "hashing") to detect copyrighted works and then filter them with the "spyware" installed on all nodes in the network."

Doomed to fail.

[grub]

Did common sense go on holidays?

Load a fingerprinted file.

Change one bit.

It has a new fingerprint.

The eDonkey/eMule network already identify files by an MD4 hash to ensure you get what you ask for. For instance: if a file has many sources then that means they have the same hash, you can be quite sure that it isn't a bogus loop of a pr0n flick when you really wanted that latest DVD rip.

If this goes through you'll see a new kazaa-compatible P2P client appear that pops a few random bytes into the ID3 tag of an MP3, the comment section of a JPG or in the headers of a video file. Each one will then have a new hash. Oops.

Oh, the new KazaaDRM(tm) ignores comments & tags and only looks at the actual data? OK, the new client toggles a bit that won't cause any visual or audio degradation of the file. Oops.

That all said if 100 people rip an MP3 or DivX file they won't generate the same byte-identical file. This is doomed to fail at the expense of your computer's CPU cycles as it generates these useless hashes.

Fuzzy Fingerprinting?

[diamondsw]

However, anyone who has used a P2P network knows that for any given file people are looking for, there are about a dozen variants with very slight differences (encodings, cropping, someone added a few frames of "encoded by..."). Since we don't have digital purchase of data, there is no "authoritative" version of a file to fingerprint in the first place.

Considering the vast amounts involved...

[Svartalf]

The person making the statement that the apps can filter anything doesn't realize the sheer volume of fingerprints, etc. that the app has to keep track of.

Nice try- better than most, actually... But it still doesn't resolve the real problem which is that most of what the labels are selling is crap and grotesquely overpriced at that. People swapping all of that music is more a response to that than anything else.

too easy to defeat

[jeffy124]

just change a random bit or two somewhere in the general data section (ie - where the actual video or audio is stored) and the hash gets defeated easily. (yes - an oversimplification, but it'll do)

Yeah, they could try....

[autopr0n]

Well, he's wrong. If they used hashing, then people would only have to change a few bytes of the files to get around the filter. In audio and video, this could be done without any notice at all. And it would require people to have a huge hash database on their computer. Tens of Megabytes at least, if not hundreds. It would make performance really slow.

So, watermarking? Well, so far all watermarks that have been tried have been broken, and it would be much easier to figure out how the watermark worked if you had a binary file sitting on your computer that checked it. Just disassemble to find out how it's checked (and once one person does, this everyone will be able to). Plus, you could always just zip+password any file anyway, to prevent watermark checking.

Of course, that doesn't mean they wouldn't try to include this stuff, but why would anyone ever download something so restrictive in the first place?

It'll never work

[radionotme]

For every man hour of time that's put into 'protecting' their work, there's a thousand man-hour's worth of effort that will freely be contributed from the "public" to try and break it. All encryption like this can and will be broken over time, the only way to beat it seems to be for the companies to try and repeatedly adapt and stay one step ahead. Unfortunately that's very expensive and can't be maintained for long. Regardless of your stance on the argument of p2p, this is the way it looks like continuing for the near future.

Checking

[Beer_Smurf]

Realistically, how much storage space are we talking about for fingerprints for all know copyrighted works and how much processing power to check against them for every file you up and or download?

Easily Defeated

[akpoff]

This sounds all well and good but there are so many ways to defeat this: encoding using different formats or different bit rates, segmenting files, flipping random bits, truncating silent sections from the front and back of the track, adding "throw-away" garbage to the end of the track and I'm sure numerous others.

It's also predicated on the idea that the hashes exist. Taking the first example of encoding at different bit rates and using different formats. Who's responsible for providing a reasonably exhaustive and authoritative list of the hashes? If Sharman et al. implement these schemes do they get bullet-proof immunity from criminal and civil liabilities?

Also, who says users will continue to use these "spyware" enabled P2P products once it becomes widely known that blocking has been enabled?

There are just too many excpetions to this idea to be really workable.

Two "Duh" Fallacies

[Speare]

There are two fallacies with the proposal:

• Never trust the client.
  Spyware on the nodes? Even if you could somehow ensure that all compatible clients comply with the spying requirements, how long will those clients be left unmolested? Any P2P "server" is really just a client of many other "servers."
• Math cannot define a human concept
  This depends on a mathematical hash performed on a given rendering of a copyrighted sample. Resample and the hash is broken. Hell, even a second-rate email spammer knows how to avoid hash detection: just tweak an unused ID3 field.

This...

[xankar]

..will be roughly as effective as shutting down napster.

That is to say, not effective at all.

User hostile software...

[hanssprudel]

This would end up working about as well Kazaa's user rating (or whatever it was called) thing. It had been out for how many days before people started showing up with their points maxed out? And it is worth noting that the second and third most common file sharing tools, dc++ [sourceforge.net] and emule [emule-project.net] are both open source, so that anybody who feels like removing the controls can do so, and recompile.

Peer to peer networks that control what people communicate are possible. As are ones that control who talks to whoom, that people really allow the uploads they purport to, etc etc. As is any software that acts against, rather than for, the person that is running it. We just need to get Palladium in place first. What are you waiting for Microsoft!!!

Re:Doomed to fail.

[turnstyle]

"Did common sense go on holidays?

Load a fingerprinted file.

Change one bit.

It has a new fingerprint."

Actually, no. Changing one bit should affect a uniqueness hash, but not necessarily so a fingerprint.

As a simple example, think of the little logo that you sometimes see down in the corner of a video as a fingerprint -- changing one bit of that doesn't remove the fingerprint.

Again, you'll change the hash but not necessarily the fingerprint...

Hmm

[adrianbaugh]

I assume this is more than a worthless md5 sum: certainly in terms of the images that this guy is talking about it should be possible to steganographically hide a watermark in the image. If the p2p bots checked for this there might be a chance his scheme could work: some watermark techniques are apparently quite robust to re-encoding of the image, etc. Where all this falls down is that it'll be 5 seconds before some w4r3Z d00d releases a p2p client that just lies about having checked for the watermark and allows distribution regardless. That's the thing about the p2p model: there is no central server where the running code can be verified - to implement any kind of workable security model you have to assume that everyone on the network is going to be trying to defeat it and design it so that it's core to the whole application - unless the security validates, and other machines can prove to themselves that it validates on your machine, no transfer should work. I suspect something along those lines is possible albeit very difficult, but the fact that that kind of application isn't what p2p users want would still render the entire thing useless. Nobody would use such an app.

Re:Considering the vast amounts involved...

[Mike Hawk]

People "swapping" all of that music is a response to it being crap? That is the most illogical thing I have ever heard. Demand is through the roof so it must be crap? High demand would seem to hint otherwise, unless you are in the camp that being popular makes it crap, I guess. Now, I agree being popular doesn't make it quality, but likewise it doesn't make it crap either. I gotta say, if this is the new math, that high demand means something is crap, I'll take my good old math please.

Re:If it was truly peer-to-peer...

[petabyte]

Peer to Peer networks have to go from Peer to another Peer. For almost everybody this means going across the routers, switches and wires of ISPs, backbones, and other telecommunications providers. Laws can mandate that these companies be held responsible for things going across their wires and forcing them to filter content.

I do that very same thing here. The internet connection comes in, goes through a firewall and then to snort both of which squeeze off peer to peer connections. This is to reduce bandwidth consumption and to make the boys over in legal happy.

The software might be independent but the pipes it travels across are not. Lessig's book goes into this in great detail.

Re:Hmm..

[TwistedGreen]

"could develop into"? The cat and mouse have been going back and forth for years!

Kazaa is just the current filesharing stepping stone. If you look back you'll see a great deal more stones sunk behind you. And if you look ahead there are a great deal more being built.

Nothing can stop these new stones from bubbling to the surface. They cam destroy old stones, but We will build new ones. And the 'idiots' will just follow the path, as always.

Re:This...

[R.Caley]

..will be roughly as effective as shutting down napster.

Shutting down napster was very effective. It was effctive in turning in a hard to control problem into an uncontrolable one...

And what if it _is_ possible in one scenario ?

[rcastro0]

IANAL, but taking off the tech hat, and trying to think from a legal standpoint...What would it mean if they can prove to the judge that there is a P2P scenario in which nearly foolproof copyrighted file identification exists ?

Would that then ruin the argument that "P2P should not be shut down because there are plenty of legitimate uses" by countering with "there is an equally efficient P2P architecture that brings all the same functionality to legitimate uses without hurting copyright law" ?

By doing that, wouldn't they change the issue of whether or not to allow P2P into one of which P2P can be allowed ? (or what is required of a legal P2P ?).

Just wondering...

Do you really mean what you wrote?

[lurker412]

The recent decision in a Washington DC federal court in the RIAA vs. SBC case said that ISPs are not responsible for copyright infringement if they are merely conduits, meaning that they do not host the stuff that is going across their wires.

Your company is free to establish whatever policies it chooses on your internal network. But I think it is very dangerous to suggest that we create laws that require the providers of public networks to filter content. Have you really considered the implications for free speech and privacy? Who controls the list of banned materials? Who controls the controllers?

And the false assumption is...

[OmniGeek]

"...all nodes on the network."
Haven't we seen a plethora of P2P protocols developed precisely because someone we don't trust controls the older protocol? The reality check on this clearly bounces. Even if Microsoft, er, someone did manage to grab a monopoly on the US network's P2P population, which is VERY unlikely, the REST of the world would definitely not play along with those American imperialists. Scheme fails, game over.

Filter Away!

[Xesdeeni]

What a bunch of morons. Sure, maybe with enough computing power you can detect a copyrighted work...maybe. But so what? Who's going to download P2P software, or use a network with this type of filtering in place? Only people who wouldn't have stolen stuff in the first place.

Besides, P2P users will just scramble the content in some ridiculously simple way that will invalidate the filters and they'll have to go back to square one. Ig-pay atin-lay anyone?

Xesdeeni

Re:Victims of porn

[TechBCEternity]

I don't think he's trolling here, the human mind has a failing in that it likes to form habits. You can see that with non physically addicting things like chronic or in this case p0rn. Sure you might live a healthy life with it.

but if you're addicted you'd probably be better off without. It's such a marketting gimic to disregard the posibilities of addiction. Then there's the fact that he posts anonymously, how hard is it to sign up.

** back on topic ** There's no way the porn industry could do anything about "copyrighted" material being distributed cause all it takes is a slight change in the archive to change the hash and blow the system away. The only way it would work is if the porn industry started setting up tons of high traffic nodes distributing all sorts of stuff just to block some porn on some searchs, but they'd just get blocked anyways.

censorship as damage

[TheSHAD0W]

"The internet treats censorship as damage, and routes around it."

Lots of MP3s were shared via FTP in the past, until the RIAA began a campaign to root out and shut down pirate MP3 servers. Then people jumped to Napster, but were eventually frustrated first by the forced filtering of some searches and then the service's discontinuation. Now supernode-based P2P networks like Kazaa are being used, and the central company can't be sued Napster-style because they never see any search data. When they are forced to change their code to allow searches and data to be filtered, users will jump to another service designed to avoid the law.

I've said it before and I'll say it again. Short of locking down every computer in the world, there is no way of preventing the digital trading of copies of information. Entities like the RIAA, MPAA and MPA know this. They may try having everything locked down via Palladium or something similar, but knowing they may not succeed, they are trying to fight a holding action, to keep the cash flowing in as long as is possible.

The music and movie industries didn't exist a hundred years ago; I sincerely doubt they'll exist a hundred years from now, no matter how hard they try.

THe Obvious Question

[Sloppy]

P2P networks could (if they wanted to) use "fingerprinting" (aka "hashing") to detect copyrighted works and then filter them with the "spyware" installed on all nodes in the network."

Regardless of whether this is feasible or not, there's a much more basic question to ask first. Are users asking for this feature? If they aren't, then the very idea is ridiculous and doomed to fail in any marketplace.

Which is totally nuts.

[Ungrounded Lightning]

You've looked at this too naively... Take around a hundred MD5s of nonoverlapping chunks of the file. If 90% of these match, you have near certainty that the files match except for exactly such tampering as you suggest.

So the "content" industry would want operators of P2P software to store 100 MD5 hashes of EVERY PIECE OF COPYRIGHTED WORK IN DIGITAL FORM, and compare EVERY SET OF THEM against EVERY FILE TRANSFERRED.

That is just wacko.

For starters you'd requre every peer machine to have a copy of all those hashes and/or every indexing service to actually transfer the indexed files to compare them. How big would that be? How much bandwidth would it take to update it, or to do an extraupload of everything that gets indexed (possibly by many indexers)? WHO PAYS FOR THE BANDWIDTH AND STORAGE? Note that the BENEFIT goes entirely to the copyright holder, not the P2P user.

The onus of detecting copyright violation and proving their case is, and properly should be, on the copyright holders, who are the recipients of the benefit.

Yes, it's hard. Which means that the copyright holders only catch a few of the violators. But it's ALWAYS been that way. That's why the copyright law provides draconian penalties for the ones they DO catch - to balance the equation and deter violators.

(And THAT'S why you see hundred grand fines laid on little old ladies whose underage grandkids used their computer to download some MP3s.)

Re:It'll never work

[ichimunki]

1) Money exchanges are done in secret by parties who both have an interesting in protecting the transaction.

2) When money goes from A to B, B has a greater interest in protecting the financial data after the transaction than A does.

3) Creative works exchanges are rarely done in secret. Especially not on P2P networks. Or on web sites. Even most providers of content take no measures to secure the transfer of said content (i.e. ever heard of an adult site using only HTTPS from the login page on in?)

4) When creatives works go from A to B, B almost never has any interesting in protecting that data after the transaction.

Not that your conclusion isn't possible or likely, just that it relies on assumptions which are hard to agree with (because financial transactions are fundamentally different than selling creative works).

Re:It'll never work

[A55M0NKEY]

Hes, you could calculate the SHA256 hash and know that a file was *probably* the same as a known copyrighted one, but the P2P service would have to maintain a database of hashes of all copyrighted files and take queries from each node that check on each file in their shared folder. This is alot of bandwidth when you consider all the nodes. There would have to be a way of adding new hashes to the database of unshareables too that was fair. For instance you wouldn't want to have the Church of Scientology submit the hashes of all the anit-scientology rantfiles they want censored claiming copyright violation.