In the ongoing P2P wars between the RIAA, the file sharing networks, and file sharers themselves, the RIAA has been of late talking up the capabilities of Audible Magic’s “acoustic filtering” technology, urging its adoption upon universities, corporations, and Congress. There are three main considerations: Does it work? How much does it cost? Does it infringe upon privacy? Questions 2 and 3 aren’t all that germane if it doesn’t even work.
A study by EFF technologist Chris Palmer suggests it isn’t worth the cost because it’s easily circumvented:
- While we at EFF support universities taking steps to educate staff and students about copyright law and to control excessive bandwidth usage, it is important that universities are not sold expensive, ineffective solutions simply to appease the public relations needs of the RIAA. It is also important that policymakers not be misled by the bullish pronouncements of the RIAA and Audible Magic regarding the effectiveness of “acoustic filtering” technologies.
Information from public sources suggests that Audible Magic’s filtering technology is trivial to defeat. For universities, this means an investment today may well be worthless tomorrow. Policymakers, meanwhile, would do well to examine all filtering technologies closely before putting faith in the promises of vendors. A close look at Audible Magic’s technology suggests that its filtering is no silver bullet.
Acoustic Fingerprinting – How It Works
Audible Magic’s CopySense, a network appliance product, examines network traffic at the content layer — that is, it analyzes the actual file transferred in an application-layer transaction. In order to determine whether the content is a copyrighted song, CopySense treats the content as audio and analyzes its acoustic properties. It examines only a small portion of the content, extracting an “acoustic fingerprint.” This fingerprint is then matched against the fingerprints of copyrighted musical works in a pre-compiled database. Audible Magic boasts a database of more than 3.7 million fingerprints, growing continually.
This method is a clear improvement over earlier “hash”-based filtering approaches. With those earlier approaches, changing even a single bit in a file would frustrate efforts to match the file to a pre-calculated hash. Audible Magic’s approach should be more robust against this kind of subterfuge. As detailed below, however, Audible Magic’s technology can easily be defeated by using one-time session key encryption (e.g., SSL) or by modifying the behavior of the network stack to ignore RST packets.
…. There are two obvious ways to defeat Audible Magic’s CopySense network appliance.
Encrypt the data transfer with a one-time session key. This can be accomplished easily by employing SSL for file transfers. Because SSL is widely used for a variety of e-commerce applications, blocking or otherwise interfering with SSL communications would be problematic for most network administrators.
Change the TCP/IP stack to better defend against spoofed TCP RST packets. It is not possible to perfectly defend against this attack, and most users will have to wait for an upgrade from their operating system vendor to get any defense at all. Over time, however, it is likely that many systems will incorporate such defense, limiting the effectiveness of CopySense’s mechanism.
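The contrast the study draws between “hash”-based filtering and acoustic fingerprinting can be seen in a small added example; this is not code from the EFF study or from Audible Magic, whose algorithm the page does not describe. It assumes a toy band-energy fingerprint (the band list, frame size and 10% threshold are illustrative choices) run over constructed sine-tone audio.

```python
import hashlib, math, struct

RATE, FRAME = 8000, 400               # 8 kHz audio, 50 ms frames (20 Hz bins)
BANDS = [300, 600, 900, 1200, 1500]   # probe frequencies in Hz (assumed)

def tones(freqs, amp=8000):
    """Constructed 16-bit PCM: four frames of a sine tone per frequency."""
    return [round(amp * math.sin(2 * math.pi * f * n / RATE))
            for f in freqs for n in range(4 * FRAME)]

def band_power(frame, freq):
    """Goertzel algorithm: signal power at one frequency in one frame."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def fingerprint(samples):
    """One bit per band per frame: does the band hold >10% of probed energy?"""
    bits = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        p = [band_power(samples[i:i + FRAME], f) for f in BANDS]
        bits += [int(v > 0.1 * sum(p)) for v in p]
    return bits

def exact_hash(samples):
    """What a hash-based filter compares: a digest of the exact bytes."""
    return hashlib.sha256(struct.pack(f"<{len(samples)}h", *samples)).hexdigest()

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def compare():
    original = tones([300, 900, 1500, 600])
    altered = list(original)
    altered[1001] ^= 1                         # change one low-order bit
    unrelated = tones([1500, 600, 300, 1200])  # a different "song"
    fp = fingerprint(original)
    return {
        "hash_match": exact_hash(original) == exact_hash(altered),
        "fp_bits": len(fp),
        "distance_altered": hamming(fp, fingerprint(altered)),
        "distance_unrelated": hamming(fp, fingerprint(unrelated)),
    }

if __name__ == "__main__":
    print(compare())
```

The one-bit change breaks the exact digest while leaving the fingerprint at Hamming distance 0, and the unrelated clip lands far away; a real matcher would accept anything under a distance threshold rather than require equality.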
Rather than wasting time and money on filtering, the copyright industry should be working to make money from P2P, as our Bill Wallo suggests here.
Interestingly, some people think any kind of copy protection is unconstitutional:
- It’s not unusual for my readers to have some strong things to say about DRM, product activation and the like. But one reaction to my column last week on Roxio’s product activation was particularly remarkable, the more so because it came from the president of a software company.
“We are a small company which does a lot of customized software, so there is a difference there between us and the Microsofts, et al. of the world,” the reader wrote. “However, our philosophies cannot be too dissimilar, since we all make our money off our software.”
“All that said, I view copy protection as an absolute immoral, illegal, and unconstitutional intrusion of individual rights,” the reader wrote. “I have gotten fed up with companies and people in general treating everyone like a criminal until they prove otherwise. I will not allow anyone at my company to even suggest a copy protection scheme, because I believe in going after the offenders, and not everyone else.”
Unconstitutional intrusion? “Absolutely,” the reader wrote, citing the Fourth Amendment’s protection against unreasonable searches and seizures. “It is my belief that these activation schemes are essentially a search as it keeps track of the hardware in the system. It may be general information, but still nonetheless a search. Secondly, when the software is disabled as a result of a hardware change, again, this is a search, but also a seizure. I understand all too well that software is licensed, and title and copyright is retained with the authoring entity; however, the price paid for the software is essentially a rental price. How often in this country can a person be thrown out of their residence without the owner going to court first? It just doesn’t happen.”… [Gripe Line]
That’s food for thought.