March 29, 2024

How Watermarks Fail

I wrote Wednesday about Randy Picker’s suggestion of using digital watermarks to embed users’ personal financial information into media files, to discourage users from sharing the files. Today, I want to talk more generally about watermarks and how they tend to fail.

First, some background. Watermarks are subtle signals embedded in the background of media files. They are supposed to be unobtrusive but easy to detect if you know where to look. Different media have different kinds of watermarks. In a photo, the watermark might be hidden in subtle patterns of shading. In music, it might be in a very soft background buzz, or a barely audible echo.

In many applications, a watermark must resist attempts by an adversary to remove it. For example, in Randy’s scheme, a user might want to remove the identifying watermark from a media file because he wants to share the file illegally, or because he doesn’t want his personal information exposed to cyber-intruders. It is often important to know how resistant a particular watermark is to removal. There has been plenty of research on this topic, from which we can draw lessons about how watermark removal tends to work.

One theme is the power of Rosetta Stone attacks. The original Rosetta Stone was a stone tablet with the same text written in three ancient languages. This gave scholars who understood one of the languages a big boost in deciphering another one that they didn’t understand. Similarly, watermarks tend to be defeated if an adversary can get his hands on a watermarked file, and the same file without the watermark. By comparing the two, the adversary can determine where the watermark lives, which is usually sufficient to remove the watermark from other files. Alex used this method in deciphering the MediaMax watermark (as described in our Sony CD DRM paper), and my colleagues and I used it also in analyzing the SDMI watermarks back in 2000.

Almost as powerful as a Rosetta Stone attack is a comparison attack, where the adversary does not have an unwatermarked file, but does have the same file with several different watermarks in it. Any place where two of the files differ is a place where watermark information lives. Given several marked files, an attacker can locate all or most of the places the watermark is hidden, which is again the first step in removing the watermark.

(In theory it might be possible to stop an adversary with access to a limited number of individually watermarked files from completely removing the watermark, if the watermark has lots of places to hide and is constructed cleverly. There is an interesting body of theory about how to do this and when it works. But in practice the assumptions underlying that theory rarely hold.)

Even if the adversary cannot get access to multiple versions of a file (so that Roseta Stone or comparison attacks are not possible), he can usually still defeat a watermark if he has access to a device that can detect watermarks. By reverse engineering the device, he can figure out where it is looking for the watermark, which again puts him in a position to remove it. (Even if he can’t dissect the device, he can use it as an oracle that tells him whether a particular file has a detectable watermark. Oracles are very helpful in attacking watermarks – Alex used one in his MediaMax watermark analysis, and my colleagues and I used one in our SDMI analysis.)

All of this helps us to understand where watermarks are likely to be effective and where they’re not. The best case for watermarking is where each file is published in a single version, with a watermark in a location that is not disclosed to the public and is not implemented in a device available to the public. This would hold true, for example, in a system that put a distinctive mark into all released versions of a file, and then looked for such watermarks in content broadcast on the radio or TV or downloaded from the net.

Not nearly as strong is a system where there is a single watermark per file, and consumer devices check for the mark – it is subject to reverse engineering and oracle attacks.

Weaker yet is a system where files are watermarked individually for each consumer – it is subject to comparison attacks.

Weakest of all is a system where files are watermarked individually for each consumer and everyone is told how to read the watermarks. Here the adversary can use comparison attacks, and reverse engineering is not even necessary because the inner working of the watermark detector are well known.

Alert readers will have noticed that all of the uses of watermarks for DRM (copy protection) seem to fall into the weak categories. That is because DRM applications require either that all devices check for the watermark – opening up reverse engineering and oracle attacks – or alternatively that a file be given separate watermarks for separate consumers – opening up comparison attacks. Watermarking has its uses, but it doesn’t seem well suited for DRM.

Comments

  1. Most albums on aMule are archived in Rar or Zip format. Can watermarks be detected within the archive?

    • No reason to believe you couldn’t. If you can scan for viruses and other file discrepancies within an archive, the case with watermarks should be the same.

  2. Parts of the following only applies to watermarking of audio-files, so don’t bother pointing out issues with other media types.

    For proper use of watermarking, it’s not really necessary to identify the owning computer, as the watermarked file must be expected to originate from a shopsite that already has personal information on the customer. E.g., the watermark code identifies that this article was originally bought through iTunes, by the customer with ID so-and-so. If iTunes went from DRM to watermarking, we assume that they are cooperating in giving out the personal details they have for said customer (otherwise the concept is fundamentally flawed).
    The distinct advantage of watermarking over DRM is that the changes made to the file in no way interferes with the general file specification of an mp3, thus ensuring full compatibility with any and all playing devices. The owner of the file is perfectly able to do absolutely anything with this file that he could do with an ordinary mp3 (but he’s obviously not allowed to).
    Furthermore, the watermark is retained through any process that does not alter the quality of the file, unlike DRM which can be circumvented by any average user, simply by burning it to an audio CD, which most DRM settings will allow.
    Burning an audio CD with DRM-protected files is both an easily available way of breaking the protection for those with those intensions, as well as a highly annoying necessary step for those who legally wish to play their DRM-protected music on a playing device that doesn’t support DRM.
    Other means of permanently removing DRM (such as FairUse4WM) are easy-to-use tools to get rid of the DRM.
    Of course, with watermarking not being the standard way to protect files, I can’t rule out that similar easy tools won’t be made once the hackers find it sufficiently interesting to tinker with, but it DOES seem a much more difficult task. Removing a certain spectrum of the raw wave at a certain timeframe in the audio file is not as simple as removing part of the file, or even performing a decryption of a file using a hidden key.
    The nature of watermarking makes it an easily achieveable extra precaution to make the exact watermark unique per downloaded file, so having a watermark remover look for a specific pattern can be made impossible.
    Generally scanning for repeating patterns in an audio file is not feasible, as these are naturally present in all (but the most avant-garde) music. A watermarking algorithm could even be made to synch watermark repetition with the beat of the music, thus forcing the hacker to scan for repeating patterns outside the audible spectrum. This would require more knowledge of human hearing than what the average hacker can be asumed to posess.
    The occasionally suggested approach to isolate the watermark by comparing the file with an unwatermarked version of the same file is just plain stupid. This comparison can only be performed if both files are encoded exactly alike, and if you have such a file to your avail, why would you be attempting to remove the watermark in the first place?

    “Hey, I can totally alter this protected file so I can share it and never get caught, because I have the same file right here that’s not protected. Huh, why I don’t just share the unprotected file? Well, uh…”

    Different industries, different issues… but I’m all for watermarked mp3’s over DRM.

  3. I believ that it is true and also i am sexy in case you didn’t know:D

  4. [Watermarks by varying the brightness of video]

    Easy to remove — disassemble into frames, separately run photoshop’s autoequalize on each, and reassemble. Or, randomly tweak gamma on each frame, if you don’t care about introducing a bit more noise.

    [Assorted stuff about the PC as “Magic Castle”, variations on the Sony rootkit scheme, etc.]

    Sorry — nice effort, but you’re not quite evil enough and aren’t thinking like the big corps. Particularly whoever said “holes due to be closed soon”. Sony will simply buy MS, or MS buy Sony, and the next version of the OS will have disabled the ability to disable CD-Autorun, at least for stamped (not burned) discs. “What about security and viruses and such!” Well, there’s a big difference between being infected by any old schmuck and being infected by someone who has the facilities to stamp CDs en masse! As long as only other big corps can infect you, it’s fine, of course, since they presumably won’t do so without a good (i.e. profitable) reason.

    “Can somebody comment on the legal aspects of secret (as in proprietary) watermarks, or other content tags? How does the plaintiff demonstrate the existence of the alleged watermark in court, beyond “reasonable doubt”? I can imagine disclosure to some kind of (independent) expert witness is necessary.”

    Maybe, in some theoretical democratic court that doesn’t exist in the real world and if it did would be highly unstable with a half-life measured in hours. Or do you actually believe the usual naive stuff about the accused having the right to face the evidence and witnesses against them, and a fair and impartial trial, and etc.? That only applies to crimes against person, e.g. Joe Murderer, not to crimes against big business, e.g. Joe Serial Killer of People Who Wear Three-Piece Suits And Change Their Mercedes More Often or, worst of the lot, Joe Filesharer.

    Besides, it’s not “the accused” that have those rights in practise anyway, it’s “the rich”; nobody else can afford the court and attorney’s fees and they are forced to settle. When was the last time one of the RIAA’s random targets actually had anything resembling a jury trial or an (independent) expert witness they could face? Never? Or maybe it was even further back…Remember how in the US, blacks are disproportionately likely to be found guilty of murder, and disproportionately likely to get the chair rather than just imprisonment; with the notable exception of OJ. What did OJ have going for him again? Oh yeah … that root-of-all-evil stuff I keep being warned about…

  5. A note to commenters: Comments that do not relate to the topic of the main post will be reported as spam and removed.

  6. @BetterLate:

    The use you describe might be reasonable, depending on the details. As you say, the motive to remove a watermark may be greatly reduced. The motive to add a watermark may increase, but there are measures that can be taken to address that problem (using cryptography or spot checks for watermark accuracy).

  7. BetterLateThanNever says

    Perhaps I’m a little late to this discussion to get a response but was wondering whether you would also consider the use of watermarks for the purposes of tracking p2p downloads, inorder to distribute advertsing royalties, a waste of time. I think Terry Fisher proposed it a few years ago and suggested that under this arrangement there would be no incentive to remove them? Does anyone know if this is also one of the capabilities of Snocap?

  8. On a lighter note:

    http://groups.google.com/group/alt.internet.p2p/browse_thread/thread/b757dc450cad12f3/c0174ef8c04e0dc2#c0174ef8c04e0dc2

    Looks like a leak of some tech news site’s april fools article a whole month ahead of schedule. The original link doesn’t work anymore — the hostname doesn’t even resolve, and I tried zdnet as well in case it was a typo — no go. But it’s cute, and it makes explicit reference to this site in the first couple of paragraphs. Especially check out the related story link at the end — the one that mentions Ed Felten by name. I nearly died laughing.

    Anyone want to lay odds how well the described DRM scheme would work if the RIAA actually genuinely deployed it this Christmas? And whether their sales would continue to slide, or go up? And whether those presumably fake stocks would really respond that way? 🙂

  9. Can somebody comment on the legal aspects of secret (as in proprietary) watermarks, or other content tags? How does the plaintiff demonstrate the existence of the alleged watermark in court, beyond “reasonable doubt”? I can imagine disclosure to some kind of (independent) expert witness is necessary.

    Another category of “secret” watermark is the variety where the parameters of modulation (e.g. where and how the watermark is placed) is secret. I can imagine one can come up with a scheme where there are two algorithms, a public algorithm that verifies the presence of a watermark given a “key” (the modulation parameters), and a secret algorithm that recovers the hidden key from the content. In order to foil key forgery (in order to make up a claim of copyright violation for a given file), the key could be cryptographically signed by an independent (ha!) entity.

    A variation on this is that the key is not embedded in the content, because it is known to the plaintiff (tagging of ownership) or all applicable keys are known and can be tried in sequence (all keys ever used are archived).

    Another variation is that part of the watermark can be verified by the public, and another part requires a secret key.

    But all those variations merely shift the problem from proving presence of the watermark to proving presence of the key.

    And in the end, any watermark has to withstand degradation of the signal in the domain where the watermark is stored. There are many ways of distorting the content ever so slightly.

  10. the zapkitty says

    It’s easy Says:

    “The point is just easy:
    LOWER the prices… … …Now instead why not sell a new game for 15$ and a 6 months old for 10$?”

    Economics?

    … (The zapkitty idly watches a dragonfly)…

    Say, fella, how much does something like a hot new PC game cost to develop anyways?

    Hint: Even with the RIAA peddling their unneeded “indispensable middlemen” there is a real cost to doing business, and folks have the right to charge whatever they wish for services they provide.

    It’s up to the consumer to decide whether to pay that price… or to seek satisfaction elsewhere.

    P.S.

    Apparently SuncMax and F4I spent little, if any, money on stress testing before the disaster.

    The expensive part came afterwards…

  11. The point is just easy:
    LOWER the prices.

    with all this thecno hype on the DRM the result is that to return on the investment on the technology they will have to higher the prices again.

    Now instead why not sell a new game for 15$ and a 6 months old for 10$?
    You can REMOVE any watermark, drm and all other useless thing, simplify the production and coding lowering the production prices and rising the margins.

    For music is the same, just lower prices! Even on the internet.
    Or, for example, have a new cd for 10$, a high quality DVD for 15$ and a 3 month old cd for 5$.

    Which is the meaning of copying if it is cheap?

    I do suggest to perform an analysis on the revenue streams to evaluate how much money is used to try a DRM algorithm that will last 3 months, in lawyers to sue the “pirates” and so on.
    If we CLEAR all that expences we will be able to have that kind of prices WW.

    Keep it simple!
    Address the root cause!

  12. the zapkitty says

    Shr Fang-tian Says:

    (snip strange “evil corporate” stuff)

    “Also, i don’t see why the watermark encryption couldn’t work both ways, simultaneously:”

    (The zapkitty wonders: Just what is it about the supposed magic of watermarks this week… a set of good arguments having been made showing that it is weak as DRM, people now keep saying “yes it can work!…” sans evidence.)

    “the computer receives a watermarked file from the content provider — a watermark which contains, say, an IPv6-based “serial number” within it, something that should be small and easily hidden and so difficult as hell to pull out of a multi-gigabyte media file —”

    “IPv6-based”? Why? What relation does the next generation IP porotocol have to the downloaded media? And IPv6 is a very public open standard. It has encryption capability, but this is not built in to user’s PCs even now.

    Nothing special about IPv6 unless you’re trying to hide the watermark in the headers of the transporting IP packets? Oi vey… keep waving those hands, but do it at a measured pace… you’ll be at it a long time 🙂

    Errr… and even with such all-out handwaving you’ve stumbled here. Most delivered content is measured in megabytes, not gigabytes. And size doesn’t matter all that much if an oracle is handy…

    … and speaking of oracular pronouncements…

    ” and then, as the viewer watches it, the receiving computer automatically encrypts and returns to the content provider another IPv6 code that’ll tag the file itself with the new number, thus signalling both to the provider the receipt of the file as well as locating within their storage space the item received.”

    Assuming that “as well as locating within their storage space the item received.” means reporting the location of the downloaded file both IP-wise and where on the hard disk as well?

    If so then you’ve handed an oracle to your prospective vict- er- customer. And an encoder to boot.

    “Something so small would require a lot of processing power to identify and eliminate”

    Er… wishful thinking even if you hadn’t handed the tools needed over to the user PC. Far more processing power is needed for video reencoding… and those that do such reencoding number in the tens of thousands at a minimum
    … the number is vastly greater if you accept RIAA stats :)…

    And if they could save several steps and get stuff fresh from the source then be assured that they will happily turn their PC to the job for a few hours… and there are, of course, many folks who will be happy to supply the tools to do it with.

    But this isn’t needed because you’ve handed over the tools needed anyway…

    Is this the “PC as Magic Castle” mindset again? “We’ll sneak into the user PC and once we’re there we’ll be immune!”

    I do not mean to offend you, but, really, between the handwaving, lack of technical explanations, and the apparent ignoring of established facts that counter your idea… this stuff sounds like a corporate sales talk to sell yet even more snake oil.

    Not from evil intent… just from overconfidence in unproven, unexplained, or disproven concepts.

  13. Shr Fang-tian says

    Aw, damn —

    Sorry, i’m a newb to blog-posting — the above is a correction of this text:

    — and then, as the viewer watches it, the receiving computer automatically encrypts and returns to the content provider another IPv6 code that’ll identify both the receipt of the file as well as the file itself as the item received.

  14. Shr Fang-tian says

    Correction:

    that’ll tag the file itself with the new number, thus signalling both to the provider the receipt of the file as well as locating within their storage space the item received.

    Wasn’t clear about that. Sorry.

  15. Shr Fang-tian says

    Y’all should all remember that this is just a small part of the overall strategy.

    If the watermarks are used to identify the Ma & Pa & kiddies who might be uploading copyrighted P2P material while — at the same time — media corporations pursue a vigorous, merciless prosecution of copyright violators on P2P networks, then the effect would be to eliminate — within a hardware-generation or two — the vast majority of more or less innocent uploaders.

    Also, i don’t see why the watermark encryption couldn’t work both ways, simultaneously: the computer receives a watermarked file from the content provider — a watermark which contains, say, an IPv6-based “serial number” within it, something that should be small and easily hidden and so difficult as hell to pull out of a multi-gigabyte media file — and then, as the viewer watches it, the receiving computer automatically encrypts and returns to the content provider another IPv6 code that’ll identify both the receipt of the file as well as the file itself as the item received.

    Something so small would require a lot of processing power to identify and eliminate — and that’s in addition to the standard watermark we’re discussing at the moment, and which could serve as a smokescreen for the other identifying label. While any one of us could ultimately pull it out of the file and float it online, it’d be time-consuming and depend on no small bit of knowledge to guarantee that we evade identification.

    Such an environment would, when coupled with the prosecutions, create an environment where P2P copyright-violators on the ‘Net would be “only” the “hardened” “criminal” element — people who make money or unethically abuse the P2P sharing of content. Certainly, P2P abusers would be identified as “organized crime” and their sins exaggerated to the point that yes, indeed, they’d ultimately consist of only hardened criminals.

    In that context, moving on to a strategy of telling Ma & Pa that they’ve got to “register” their computers with a centralized, randomized scanning database so that the gu’mint can guarantee they’re not participating in “illegal file sharing” would be a small step. By that time, “only criminals” — “media mafias” and “terrorists” — would fear having their content scanned for digital copies of copyrighted, regulated media.

    Remember: the big corporations are accustomed to thinking in terms of decades of development cycles, and they’re putting that same planning and organizational determination to work here. In that context, it isn’t necessary for the watermarks to be able to keep knowledgable computer people from using their computers to break and copy the content. It’s only necessary for the watermarks to basically guarantee that lazy, busy, or young people aren’t able to blithely copy or — even better yet — conveniently access it. That is the goal for this stage of the game —

    If VEIL can manage to set up a system where content providers can independently validate what media the average person is accessing while making it only *more* troublesome for them to copy and share copyrighted works, then at the next stage they can simply use that technological development to solidify their legal position by criminalizing the elements they oppose.

  16. the zapkitty says

    Goldenpi hath writ:

    “But if I were a developer for an evil enough media organisation, I would look into a varient – if I could embed a watermark in each file specific to the individual who owned it (my DRM wouldn’t allow resale, of course) then it would be possible to monitor p2p and see who was leaking what.”>

    ? This seems basic… and does not take into consideration the failings of watermark DRM as listed above.

    ” From there it would be easy to determine who was putting my content on p2p and either disable their account with the music service (probably rending all their purchases usless) or initiate legal action.”

    ITunes Redux… hobbled by the failings of watermark DRM.

    “It wouldn’t be any use on CDs though…. … … I suppose I could adapt one of the software CD copy-prevention programs so that it autoruns, hides the real CD, and instead returns what looks like a red-book audio but actually contains added watermark data of the IP address, time and MAC address of the system. That would be usful to the lawyers.”

    Between relying on holes in one OS that are due to be closed, the publicity surrounding the abuses of Sony BMG, and the failings of watermark DRM… this seems Dead On Arrival.

  17. the zapkitty says

    Anonymous de la 1473rd begged:

    “Or do you only discuss MMX… ?”

    Actually, of course, we’re not discussing your SuncMax junk… either the past malware or the present vaporware… at all.

    Which must upset you terribly.

    “… and XCP?”

    A change! An acknowledgment that their are things beyond SuncMax! Yay! 🙂

  18. What about MacroVision’s TotalPlay? Or the german rootkit (Alpha DVD)? What happened to optical DRM reverse engineering? Or do you only discuss MMX and XCP?

  19. Oh, and for reference – embedded an invisible, durable watermark into audio is hard. Embedding one in a video more than a few minutes long is easy, providing you have access to the whole video and an unwatermarked version for recovery. Simple varying of the brightness.

  20. Financial information isn’t going to be embedded for obvious reasons of legality and publicity. But if I were a developer for an evil enough media organisation, I would look into a varient – if I could embed a watermark in each file specific to the individual who owned it (my DRM wouldn’t allow resale, of course) then it would be possible to monitor p2p and see who was leaking what. From there it would be easy to determine who was putting my content on p2p and either disable their account with the music service (probably rending all their purchases usless) or initiate legal action.

    It wouldn’t be any use on CDs though. Pressed media, no way to uniquely identify them. I suppose I could adapt one of the software CD copy-prevention programs so that it autoruns, hides the real CD, and instead returns what looks like a red-book audio but actually contains added watermark data of the IP address, time and MAC address of the system. That would be usful to the lawyers.

  21. I think the only use for watermarking is to know who originally owned the file, not for DRM per se. Sure people might still be able to remove them but the RIAA/MPAA aren’t out to get the hackers they are out to get mom and dad.

  22. the zapkitty says

    Anonymous espoused:

    “That’s exactly where, in my worse moments, I fear this whols mess is headed.”

    “Headed”…? We’re already there… literally. See Ed’s posts hereabouts on the Sensenbrenner/Conyers analog hole bill.

    http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=Sensenbrenner+Conyers+site%3Ahttp%3A%2F%2Fwww.freedom-to-tinker.com&btnG=Search

    Under this badly designed media-industry-bought wet dream if you ain’t approved by the media giants you ain’t allowed to touch the gear.

  23. “This video card doesn’t allow me to play some raw MPEG files? Do it mean that I cannot create my own video using my own PC?”

    That’s exactly where, in my worse moments, I fear this whols mess is headed. Big Media fears competition even from J. Random Videographer putting up a clip of the kids for Grandma, and would like nothing better than to have the technology require an imprimatur for all video.

  24. the zapkitty says

    Eric enscribbled:

    “This video card doesn’t allow me to play some raw MPEG files? Do it mean that I cannot create my own video using my own PC?”

    Of course not. Who the hell do you think you are? 🙂

  25. the zapkitty says

    Steve Novoselac escribed:

    “… People that record TV shows onto their computer, say for example, FOX, see the little FOX watermark at the bottom of the screen…”

    “Yes, Senator… we had to destroy the content to save it.”

    “Since we as the public (99% of us) don’t have raw access to the “clean” unwatermarked version of show, it would be tough to remove the watermark from the recorded version.”

    Actually there are are software programs out there that do exactly that, with variable degrees of success.

  26. “Users could use the public decryption algorithm to create raw MPEG files with the watermark stripped, but would not be able to play them on commercially available video cards”

    This video card doesn’t allow me to play some raw MPEG files? Do it mean that I cannot create my own video using my own PC?

  27. after reading this, one of the only places I see watermarks as something that couldnt be removed easily would be on TV shows. People that record TV shows onto their computer, say for example, FOX, see the little FOX watermark at the bottom of the screen. Since we as the public (99% of us) don’t have raw access to the “clean” unwatermarked version of show, it would be tough to remove the watermark from the recorded version. As far as pictures and music go, I think there is enough access to unwatermarked versions that the watermarks could be easily removed from that type of media. Informative post 🙂

  28. the zapkitty says

    Hal Says:

    (Abbreviated for brevity)

    “The decryption and watermark detection algorithm could be public; however the encoding/embedding algorithm would be secret…. … … Users would not be able to create new videos with altered watermarks because the algorithm to do that is secret.”

    If I understand you correctly you’ve given out the oracle of the decoder, which makes reverse-engineering possible.

  29. Let’s imagine a case where Microsoft’s post-Vista OS, codenamed Blacksheep, will only work with video cards that require a watermark in order to play Super-HD video (2048-4096 lines of resolution). Then such videos could be distributed in encrypted form with the watermark embedded. The decryption and watermark detection algorithm could be public; however the encoding/embedding algorithm would be secret.

    Users could use the public decryption algorithm to create raw MPEG files with the watermark stripped, but would not be able to play them on commercially available video cards (similar to how video cards are now requiring monitors with HDCP support in order to play HD video). Users would not be able to create new videos with altered watermarks because the algorithm to do that is secret.

    The watermarks could be used for DRM and individually identify consumers (or their computers, more likely). This is your “weakest of all” system. Even though the watermark detection algorithm is public and the detection devices are widely available, it seems like the DRM would work.

    • No it wouldn’t for the reason that consumers will need to retain the right to playback user generated content lets say from a super HD camcorder, and even if that device had an encoding algorithm built in you’d be back to the reverse engineering scenario.

  30. An approach for a watermark that would be very difficult to remove would perhaps start with creation of stegongraphic filesystem with the file. If the size of that file system would be say about 1.5 or so the size of the file itself, it would get very difficult to remove, the larger the stegongraphic filesystem would be, right. I suppose that the meaningful contents of the filesystem would be quite small, and a very large amount of garbage data, just there to make deciphering difficult.

    Has this been tried?

  31. There’s also a fundamental tension between watermarking and lossy compression.

    Watermarks are supposed to be imperceptible, so they have to be hidden in places that humans can’t see/hear/etc. But lossy compression is based on storing only the parts that humans can see/hear/etc. and removing everything else. If you want to hide a watermark, you need to hide it somewhere that lossy compression won’t touch. You need to know something about what humans can perceive that the makers of lossy compression systems don’t know, and that’s pretty much necessarily going to be a temporary situation.

    Furthermore, someone who’s going to remove watermarks by applying lossy compression will be able to make do with a lower level of understanding of human perception, because they generally won’t mind if they lose some perceptible quality. They can tune their compression to remove all the imperceptible information and some perceptible information as well; whereas the watermarkers really had better not touch the perceptible information at all. Legitimate users demand that music sound *perfect*; pirates are willing to make do with (e.g.) 128-kbps MP3 files.