Don't Shoot the Messenger

Computerworld - Would you invest in a digital access control system whose biggest users are trying to suppress evidence that it can be hacked?

Licensees of a digital watermarking system created by Verance Corp. should be asking themselves that question. The San Diego-based company was sued in June by a group of researchers who contend that Verance's biggest users in the music industry are trying to prevent them from revealing flaws in the company's watermarking technology.

Verance's watermarking system uses cryptography to secure content from unauthorized copying. In 1999, it was adopted as the worldwide industry standard for copy control of DVD-Audio and digitally delivered music under the first phase of the recording industry's Secure Digital Music Initiative (SDMI). The system's initial licensees included five major record labels and a broad spectrum of recorded music and Internet-based music delivery companies.

In September, the Washington-based Recording Industry Association of America (RIAA) and the SDMI Foundation invited anyone to try to break the watermark scheme to test its strength. Scientists from Princeton University and Rice University obliged and wrote a paper describing their successful attempt to remove a Verance watermark from a digital music file.

The researchers also documented vulnerabilities in other watermarking technologies. When Princeton computer science professor Ed Felten and his research team announced that they planned to publish their paper, the music industry tried to silence them.

Matt Oppenheim, an officer of both the RIAA and SDMI, sent Felten a letter threatening legal action if he published the results. Oppenheim contended that disclosure of the research could directly lead to the illegal distribution of copyrighted material. He claimed that Felten and his team had violated the contest rules and were subject to prosecution under the Digital Millennium Copyright Act, which prohibits discussion of technology that might be used to bypass copy controls. Verance and the RIAA declined to comment for this story.

Mathematics and computer code aren't circumvention devices. But Felten and his researchers were concerned about possible prosecution and withdrew their paper. The San Francisco-based Electronic Frontier Foundation sued the RIAA, SDMI, Verance and the U.S. Department of Justice. The plaintiffs asked the court to rule that they have a First Amendment right to present their research. "Studying digital access technologies and publishing the research for our colleagues are both fundamental to the progress of science and academic freedom," said Felten. "The recording industry's interpretation of the copyright act would make scientific progress on this important topic illegal."

Users of the Verance watermarking system should ask themselves if it's wiseto invest in products from a company that suppresses peer review and full disclosure of flaws. They should take a close look at the value of digital rights-management systems that depend on litigation rather than strong cryptography to secure content. And they should figure out what they will say to their content providers and their shareholders if their watermarking scheme fails to prevent unauthorized copying of their intellectual property. ROI

Read more about roi in Computerworld's ROI Knowledge Center.