Summary: No conclusions here... I've
just noticed how the same problem manifests itself
in different ways, and I'm rambling a bit over ways
to ease certain situations.

All of us who deliver digital content risk
having that content copied and reused without our
consent. Photographs are reused without notice... site
designs are used anew on different sites... SWF
applications are often swiped for other sites...
Macromedia's applications are stolen
and impersonated... music and movies are pressed
onto CDs without compensation to the creators.
We humans have succeeded in making it easy to copy
digital content, but we're still struggling with ways
to route perceived value back to the real creators,
without having it leeched out by parasites.

I have a feeling this is a short-term bump in the
road... my gut tells me that people parasitize when
they're just on the road to prosperity, and that once
they actually become prosperous they find more value
in becoming close to the creator. Look at the market
for counterfeit clothing in China... people buy fake
labels to show they're more prosperous than they are,
but there is then a higher status in the actual connection
to the true designer label.

The bell curve is similar to that for pollution
rates in developing countries, or deforestation rates...
as Julian Simon and others have shown,
environmental degradation increases while a country
is developing, but after a certain point of prosperity
there is value found in a natural environment again.
It's not a linear trend, but is instead a bell-shaped
trend. I think we'll see the same type of curve with
digital theft.

But still, it can be distressing to see some schmuck
ripping off your own site design, or linking to your
bitmaps on your server, or otherwise using the fruits
of your creative gifts and labor without your consent.

Generally, you're more protected if your production
is very specific to the problem at hand. A general
solution is easier to steal than a specific solution.
You can help protect a piece by branding it strongly.
Put the client name in the photo, or specific names
inside text, or use photos of real people rather than
clip art, or call back to a specific server. Storing
links within a file rather than in an external text
file makes it harder for anyone to change. A strongly-branded
element is harder for others to reuse.

The goal is to make it more expensive to steal your
work. Any solution is hackable, but if you can increase
the hacking costs you'll lower overall theft.

When taking measures against a thief, try using intermittent
reinforcement rather than perfect reinforcement.
If they see that something always fails then they
know what they have to work around. But if something
fails only once every ten times, or fails on one day
and works the next, then you've massively increased
their detection costs and proof costs.

The flip side of all this is true too... if you
download any digital content, you should be confident
of the source. A company like AOL, CNET or Macromedia
has a lot invested in their reputation, and while
we may not be perfect we have great incentives to
only distribute safe materials. But a fly-by-night
warez site has no real reputation to protect, and
you can't be sure whether the material you're receiving
is actually what it represents itself to be.

Here are some notes from what I've heard online
about protection of various media types:
- Photos: Slicing makes it a
hassle to swipe. Sometimes people have put a DIV
with transparent GIF above a photo, so a context-click
copies the empty GIF instead of the photo. Digital
watermarking can be used to prove where an image
comes from, but it doesn't protect against the
image being re-used. Putting a photo inside a
SWF prevents direct copying. All of these fail
against screen capture, however. Using different
resolutions or adding visible watermarks is one
way to separate demo artwork from deliverable
artwork.
If someone links to photos on your server, they'll
show up in your server logs. This is particularly
sleazy, because they're not only stealing your
content, they're stealing your bandwidth too.
Fortunately you can have some fun with these
people by changing your HTML to match new images
in a new location, and then changing the images
at the original location to change the meaning
of the thief's site. (If you give them evil images
for only an hour a day, and normal images the
rest of the time, then you can increase the number
of complaints they receive by lengthening the
time before they can detect and resolve the problem.)
- Maps: Cartographers have used "bunnies"
to mark their work... these are sort of like easter
eggs, and occur as fake streets or names. Not
all digital content can use similar techniques,
but if you have a proprietary description of public
events, then false identifying data is a good
technique to keep in mind.
- Markup: In the late '90s the HTML-authoring newsgroups would see
"How can I protect my markup?" threads with astounding
regularity. I think it was because those folks
regarded markup as being very difficult to produce,
so it would have implied value. The thread has
died down in recent
years. Dreamweaver has seen a competing tool
directly swipe its JavaScript routines. Generally,
though, people don't seem as worried about protecting
markup and JavaScript as they did a few years
ago.
- Deep links: I'm not sure what
the fuss is in the courts over this... you can
do a server-side or client-side detection of the
referring link, and route the viewer elsewhere
if they don't come from your domain. This may
be another example of heavy-handed political rules
having more unimagined side-effects than simple
and evolving technical protections would.
- Applets: Shockwave and Flash
applets have been stolen in the past, but these
interactive elements offer more means to recognize
where they are and to take appropriate action.
There are TechNotes
detailing some protection techniques, and Gary
Rosenzweig recently wrote an
article on various approaches. A thief can
still reach inside the SWF or DCR to change protection
strings, but this increases their theft costs
dramatically. As with other protection methods,
having it fail intermittently can cost a thief
much more than having it fail reliably every time.
Techniques here include having the applet query
its serving location; having the applet call for
a local file to act as key; having explicit timeouts
in the copy of the applet; having the applet report
its serving location to your server; requiring
matching keycode in the HTML's OBJECT/EMBED parameters;
using a host file which calls multiple content
files; more.
SWF files are publicly documented, and so can
be read by other applications. The "protect" bit
on a SWF is respected by the Macromedia Flash
authoring application, but other applications cannot
be compelled to respect these privileges.
Sometimes people want to protect their ActionScript
from inspection. This cannot be done, but you
can make it more expensive to read these scripts
by obfuscating function and variable names with
nonsense strings, by padding with dummy scripts,
by setting global variables in an obscure part
of the file, by including misleading comments.
(I'm not sure that these techniques aren't more
trouble than they're worth, myself.)
- Web services: This hasn't come
up yet, but I imagine it will be an issue soon...
what happens when someone swipes book descriptions
from Amazon for their own order-fulfillment? How
can we prevent a service from being misused? This
type of issue will likely come up more and more
over the next two years.
- Applications: If you download
an application from a criminal site and run it
on your machine, then you're acting like a moron.
You're acting like a dangerous moron too. It doesn't
matter whether it's a full application or just
a crack for a trial... by willingly executing
admitted-criminal instructions on your machine
you've left yourself open to remote
control, and you risk hurting
the rest of us too.
Virus writers, spyware
bundles and other malefactors go to a lot of trouble
to try to get people to execute their code. If
you do so willingly, then that's just dumb, dumb,
dumb.
Does anti-viral software help? It can only detect
known signatures... it's rear-guard protection
against known and popular dangers, but cannot
protect your machine from dangers it hasn't been
written to recognize. Why would anyone want to
insert control code on my machine? For a massive
coordinated denial-of-service attack that can
cripple the net from just a horde of infected
machines. We're in a war, and when stupid [expletive
deleted] humans fly airplanes into buildings they'll
certainly want to crash the net too.
Please, if you're going to steal from me and
my friends here at Macromedia, then at least have
the basic intelligence to steal a serial number
rather than downloading weird code from who-knows-where.
You've just got to know whose instructions
you're obeying these days!!
- Music and movies: These are
files, rather than applications, and so usually
don't have the security risks of warez. But if
you run utility apps like Kazaa then you've probably
got some associated spyware installed on your
machine. There have been a few exploits where
image or music files have actually contained data,
which was then executed by a smaller app which
came in through another avenue. Once you go into
the grey market for digital content you can't
really be sure what you're getting.
Music is sort of a funny situation, because
it has been an artificially-maintained
market for so long. The early popular music
business was very diverse, but now there are five
major labels which control the bulk of the money.
Radio spectrum has been politically controlled
far in excess of technological realities, and
radio content is heavily manipulated. Copyright
law has been extended, thanks to Sonny
Bono, from the incredible to the absurd...
there's something wrong with a world where you
can't sing "Happy
Birthday" in public. Music creators can generate millions
in sales, but others may end up with this
money instead of them. It may take a while for
this house of cards to topple over, but something
has gotta give here, the music business is just
too nuts.
(If you're a musician, then there are efforts
underway now to build a post-Big5 music business...
the adage "you
can't steal a gift" shows where the strongest
economic structures may be.)
Will movies follow the same trend? They require
more capital than music-making, and aren't something
that people do everyday. But video capture and
editing are rapidly increasing, and I suspect
there are major shifts up ahead for the large
studios soon. As video becomes an everyday means
of mutual communication the evolutionary pressures
on big-budget film will rapidly mutate.
I don't know what the solutions for the music
and movie businesses are, and fortunately I don't
have to know. I strongly suspect that they'll
end up de-emphasizing the digital bits, and instead
focus on the relationship between creators and
those who find value in their work. But they may
just try to pass a Volstead
Act on certain chipsets, who knows....
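
The referrer check mentioned under Photos (foreign links showing up in your server logs) and under Deep links, sketched here as an added example that is not part of the original post: it scans combined-format access log lines for image requests whose Referer host lies outside your domain. The domain `example.com`, the log lines and all function names are constructed for illustration; Referer is supplied by the client and can be absent or forged, so this raises a copier's costs rather than enforcing anything.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_DOMAIN = "example.com"  # assumption: stands in for your own site
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")
# Request, status, size and Referer fields of a "combined" access log line.
LINE_RE = re.compile(
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" \d{3} (?P<size>\d+|-) "(?P<ref>[^"]*)"')

def referer_host(referer):
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return ""

def classify(referer, own=OWN_DOMAIN):
    """Return 'absent', 'own' or 'foreign' for a Referer value."""
    if referer in ("", "-"):
        return "absent"  # direct visits and privacy tools send no Referer
    host = referer_host(referer)
    # Exact or dot-suffix match: a substring test would accept
    # "example.com.thief.example.net" as if it were ours.
    return "own" if host == own or host.endswith("." + own) else "foreign"

def hotlink_report(lines, own=OWN_DOMAIN):
    """Bytes of image traffic served per foreign referring host."""
    served = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m["path"].lower().split("?")[0].endswith(IMAGE_EXT):
            continue
        if classify(m["ref"], own) == "foreign":
            host = referer_host(m["ref"]) or m["ref"]
            served[host] += 0 if m["size"] == "-" else int(m["size"])
    return served

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2002:13:55:36 -0700] "GET /img/photo1.jpg HTTP/1.0" 200 48213 "http://www.example.com/gallery.html" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2002:13:56:01 -0700] "GET /img/photo1.jpg HTTP/1.0" 200 48213 "http://thief.example.net/page.html" "Mozilla/4.0"',
    '198.51.100.8 - - [10/Oct/2002:13:56:09 -0700] "GET /img/photo2.gif HTTP/1.0" 200 1000 "http://example.com.thief.example.net/" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Oct/2002:13:57:40 -0700] "GET /img/photo1.jpg HTTP/1.0" 200 48213 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2002:13:58:12 -0700] "GET /index.html HTTP/1.0" 200 900 "http://thief.example.net/page.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, size in hotlink_report(SAMPLE_LOG).most_common():
        print(f"{host}: {size} bytes of images served")
```

A routing rule built on `classify()` should decide separately what to do with `absent`, since many legitimate visitors arrive with no Referer at all.
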
We humans haven't been in a position before
where it has been so easy to duplicate, transmit,
and reuse creative work, much less a situation where
so much human value is carried in creative work rather
than agriculture, manufactured goods or non-creative
services. There's definitely abuse out there, but
we're also gradually evolving social mechanisms to
deal with it. There's a risk that ham-handed political
rules may blockade
this social evolution.

Myself, I strongly suspect we're due for a plague
from rampant file-copying... that vector is too convenient
a transmission path for pathologies to ignore. Such
a disaster will bring into sharper relief the necessity
of trusting the digital content you're using.

But until then, a general approach is to make your
solutions specific to the task at hand... use general
components during construction, sure, but strive for
the tightest fit to your client's particular needs.
The more closely your project fits into the one ecology,
the more mutation it would have to do to be transplanted
into other ecologies.

See? I told you I didn't have any final
answers to this problem.... ;-)