April 21, 2014

avatar

Amazon’s MP3 Store Wisely Forgoes Watermarks

Last week Amazon.com launched a DRM-free music store. It sells tracks from two major labels and many independents in the unprotected MP3 file format. In addition to being DRM-free, Amazon’s songs are not individually watermarked. This is an important step forward for the music industry.

Some content companies see individualized watermarks as a consumer-friendly alternative to DRM. Instead of locking down files with restrictive technology, individualized watermarking places information in them that identifies the purchasers, who could conceivably face legal action if the files were publicly shared. Apple individually watermarks DRM-free tracks sold on iTunes, but every customer who purchases a particular track from Amazon receives the exact same file. The company has stated as much, and colleagues and I confirmed this by buying a small number of files with different Amazon accounts and verifying that they were bit-for-bit identical. (As Wired reports, some files on Amazon’s store have been watermarked by the record labels, but each copy sold contains the same mark. The labels could use these marks to determine that a pirated track originated from Amazon, but they can’t trace a file to a particular user.)

Individualized watermarks give purchasers an incentive not to share the files they buy, or so the theory goes, but, like DRM, even if watermarking does reduce copyright infringement, that doesn’t necessarily mean it makes business sense. Watermarks create legal risks even for customers who don’t engage in file sharing, because the files might still become publicly available due to software misconfigurations or other security breaches. These risks add to the effective cost of buying music for legitimate purchasers, who will buy less as a result.

The difference in risk between a customer who chooses to share purchased files and one who does not is ultimately determined by computer security issues that are outside the content industry’s control. Aside from users who are caught red-handed sharing the files, who can be sued even without watermarks, infringers and noninfringers will share a multitude of plausible defenses. Their songs might have been copied by spyware. (If watermarking becomes widespread, spyware authors will probably target watermarked files, uploading them to peer to peer networks without users’ knowledge.) They might have been leaked from a discarded hard drive or backup tape, or recovered from a stolen laptop or iPod. The industry will need to fight such claims in order to bring suit against actual infringers, leaving noninfringers to worry that they could face the same fate regardless of their good intentions.

With individualized watermarking, there’s no knob that the content industry can set that varies the disincentive for sharing purchased files independently of the disincentive for purchasing them at all. Inevitably, legitimate customers will be scared away. This makes individualized watermarking a blunt antipiracy tool and a bad bet for the content industry. Amazon was wise not to use it.

Comments

  1. jambarama says:

    Certainly it is preferable to consumers not to have watermarking for the reasons you identified. On the other hand, unless information like a credit card number (http://www.michaelrobertson.com/archive.php?minute_id=245) is embedded the risk seems to be no greater than the risks of having any other personal data on your computer. Due to a security breach or misconfiguration you could leak any information – personal documents, web history, et cetera – that is likely to be far more damaging than having say, your name in a watermark. The thief would have to not only know your mp3s have the watermark, but they’d have to know how to pull the information out. Both are possible, but it seems easier to just look at other documents likely to be exposed by the same kinds of breaches or misconfiguration.

    You might say, since the RIAA has proved themselves unscrupulous with lawsuits in the past, leaking an mp3 with your name exposes you to all kinds of RIAA litigation. I don’t trust the RIAA any farther than I can throw them, but I don’t trust identity thieves any more. Is settling with the RIAA for 3 grand that much worse than trying to expunge fraudulent charges from your credit report?

  2. Libertys Bell says:

    With a bit of reverse engineering and enough examples of watermarked files, a person with time on their hands and some knowledge of machine code could identify and change the watermark. With enough different examples of the watermarked files, they could probably even be able to insert their own watermark in place of the watermark that came with it. Once that problem is solved, then all that remains is to write a program that will change the watermark for you and distribute it as freeware through an anonymous bittorrent server. At that point, watermarks become completely unusable.

  3. Michael Donnelly says:

    Well, if they were smart, the watermark would be signed with a key to prevent outright forgery.

    The other 99% of the issue remains: a competent engineer could find and alter/copy/destroy the watermark. And, of course, the major problem at the root of this is that identifying a watermark in a recording does not create any evidence of anything.

    Since when does logic play a factor in the RIAA’s decisions, anyway?

  4. john erickson says:

    With regards to the robustness (or lack thereof) of some of the watermarking technologies considered for music, see for example How Watermarks Fail
    (Ed Felten, February 24th, 2006).

  5. jambarama says:

    Clearly watermarks are don’t work with people who know what they’re doing. And clearly most of the illegitimate copies out there will have had the watermarks stripped. However, I still don’t see the harm of including them. Unlike DRM, watermarks do not reduce the functionality of the file in any way, they don’t harm/modify the system they run on, and they don’t damage the system.

    The enforcement value, or any value, is dubious, but the harm seems to be equally dubious. If the recording industry wants other valueless considerations, I don’t see why we should care. DRM is offensive to me for a variety of reasons, watermarking is not offensive to me for any of these reasons. So again, why should we care if the mp3s have some totally functionless fake security measures?

  6. J. Alex Halderman says:

    jambarama: Sure, other personal data on your computer could be more damaging if leaked, but the fact that such data often *does* leak shows how helpless (or indifferent) many users are when it comes to security. Rational people will take steps to reduce the harm they would suffer, including applying extra security measures and storing less personal information. Another rational step that some will take is to not purchase watermarked music so as to avoid the potential for a lawsuit.

    Libertys: Depending on the kinds of watermark used, it might be very difficult to remove them with confidence. The content owners wouldn’t need to make their watermark detectors public, so you couldn’t test whether you really removed all traces of the marks. (In contrast, watermarks like SDMI where the detector must be built into player devices are almost certain to fail.)

  7. jambarama says:

    J. Alex Halderman: If I understand you right, you are saying a watermark with personally identifiable information is dangerous (and should be left off purchased mp3s) because a user will be more careless with an mp3 than other documents – thus it will be leaked more often. That is a pretty good argument. I would disagree only in that my guess is that purchased mp3s are leaked with the same frequency as other personal information stored on a computer, but given stuff like iTunes music sharing, p2p apps searching for mp3s, and other factors, you may be right.

    As I see it, for a watermark to be dangerous, it as to be 1 – leaked, 2 – have personally indentifiable information and 3 – it must be able to be read by those wishing to do harm to the leaker. 1 is dealt with above, mp3s may be leaked more often. 2 is important too, you don’t want credit card number, addresses, phone numbers or other such stuff in the watermark. Even a name could be dangerous if you are worried about the RIAA going after you for leaking. For 3, the difficulty in reading a watermark is conceivably non-trivial for anyone other than the maker of the watermark. Assuming it could be done, 3 could also be satisfied.

    My point is that meeting all three of these (which is bad) is probably not much more likely than using the watermark for enforcement purposes (which is good). If the harm far outweighed the enforcement value, yeah lets fight watermarking. But as it stands I don’t see the potential harm far outweighing the potential enforcement benefits. (PS, sorry for writing so much on the blog, and for all the spelling/grammatical errors that make my posts hard to understand).

  8. Don Marti says:

    They could use the info for marketing purposes. The person is either an infringer or someone with bad computer security–so Amazon could see whose music is showing up on p2p nets and sell those customers the appropriate products.

  9. J. Alex Halderman says:

    jambarama: “… why should we care if the mp3s have some totally functionless fake security measures?” True, watermarks aren’t as pernicious as DRM. DRM reduces sales and causes significant collateral damage to innovation. Watermarks, if implemented in a privacy sensitive manner, will just reduce sales. (Efficient online distribution systems will ensure that pirated content is widely available as long as there are at least a few original sources.) Personally, I want to see artists succeed at selling more music online, and watermarks aren’t going to make this happen.

  10. jambarama says:

    J. Alex Halderman: “Watermarks, if implemented in a privacy sensitive manner, will just reduce sales.” Not to belabor the point, but I don’t see watermarks deterring sales largely for the reasons I posted before. With watermarks you get none of the inconvenience of DRM – you can use watermarked files in any media player, on any portable device, on any operating system – without mucking around. I’ve never bought anything with DRM for these reasons (except once I bought a Sony/BMG CD with that rootkit, luckily Debian doesn’t mind Windows rootkits) – but I would by a watermarked mp3 without thinking twice.

    The question I’d ask is why would someone refuse to buy an mp3 because of a watermark? It doesn’t seem likely to me that someone who is paranoid about personal information being embedded in audio files is the same type of person who would “lose” those files (through lax security or whatever). Why wouldn’t you, personally, buy a watermarked mp3?

    I absolutely also want to see artists succeed online as well. I’m not arguing for watermarking, I’m arguing against demanding labels/artists drop it. If selling without watermarks helps artist succeed online, great. But I can also see artists/labels being more willing to sell non-DRM’d mp3s online if they have some sort of “protection”, even if the protection is largely illusory. Why should we required they drop non-imposing, inoffensive protections?

  11. Alex says:

    Apple do not watermark iTunes Plus or normal iTunes FairPlay tracks. They simply attach your appleid to the tracks metadata. It is rather easy to remove it if you want to.

    I’m not trying to defend Apple, but set your facts straight.

    No personally identifiable data is embedded in the *recording* stenographically. Watermarking refers to exactly that, hiding additional data within the media. And Apples approach is definitely not the same thing, although certainly similar in effect.

  12. Context says:

    Forget spy-ware, MP3-players are frequently stolen or left on buses around the world.

  13. J. Alex Halderman says:

    Alex: I would any kind of invisible data embedded in a file for tracking purposes to be a watermark. Apple’s tracking data is easy to remove, but functionally it’s still a kind of watermark.

  14. Rich says:

    As @Context said, if your MP3 player is stolen (and the larger assumption that the thief likes your choice of music), then they won’t feel any compunction about sharing your watermarked music on p2p networks.

    This raises an interesting defense if you are prosecuted. Since MP3 players can be bought anonymously (with cash from a local shop), you can simply argue in court that you bought an MP3 player, loaded it with the watermarked music, and left it on a bus. It was a cheap player so you didn’t have time to file a report with the bus company or the police. But “obviously” someone picked it up and shared your music.

    [rant mode ..]
    The fundamental issue here, yet again, is that copyright is a social construct which is very very hard to enforce. In fact nothing short of a complete police state will suffice. And that is why we need to be sure that the War on Copying doesn’t become like the other two impossible Wars (the War on (some) drugs and the War on (some) terrorists).

  15. Anonymous says:

    As a consumer I will NOT purchase anything that has DRM or watermarks. In otherwords, I do not purchase downloadable content, period.

    The whole thought of companies thinking they can control music and movies is pointless. If people want their stuff for free, they will get it.

  16. Anonymous says:

    It is disgusting how much effort people put into ripping of musicians and artists. These people provide the joy and spirit of life for so many people, and often suffer a lot, expressing their feelings and emotions for all to share. Why on earth dont they deserve to make a living out of their hard work? This attitude that it is fine to steal off them really upsets and disgusts me. If a musician offers their work for free, then thats what it is – a gift to enjoy, otherwise you may as well break into their house and knick all their belongings, and while you’re at it , why not kick them while they are down, as well?