Schneier on Security
A blog covering security and security technology.
March 30, 2006
Evading Copyright Through XOR
Monolith is an open-source program that can XOR two files together to create a third file, and -- of course -- can XOR that third file with one of the original two to create the other original file.
The website wonders about the copyright implications of all of this:
Things get interesting when you apply Monolith to copyrighted files. For example, munging two copyrighted files will produce a completely new file that, in most cases, contains no information from either file. In other words, the resulting Mono file is not "owned" by the original copyright holders (if owned at all, it would be owned by the person who did the munging). Given that the Mono file can be combined with either of the original, copyrighted files to reconstruct the other copyrighted file, this lack of Mono ownership may seem hard to believe.
The website then postulates this as a mechanism to get around copyright law:
What does this mean? This means that Mono files can be freely distributed.
So what? Mono files are useless without their corresponding Basis files, right? And the Basis files are copyrighted too, so they cannot be freely distributed, right? There is one more twist to this idea. What happens when we use Basis files that are freely distributable? For example, we could use a Basis file that is in the public domain or one that is licensed for free distribution. Now we are getting somewhere.
None of the aforementioned properties of Mono files change when we use freely distributable Basis files, since the same arguments hold. Mono files are still not copyrighted by the people who hold the copyrights over the corresponding Element files. Now we can freely distribute Mono files and Basis files.
Interesting? Not really. But what you can do with these files, in the privacy of your own home, might be interesting, depending on your proclivities. For example, you can use the Mono files and the Basis files to reconstruct the Element files.
Clever, but it won't hold up in court. In general, technical hair splitting is not an effective way to get around the law. My guess is that anyone who distributes that third file -- they call it a "Mono" file -- along with instructions on how to recover the copyrighted file is going to be found guilty of copyright violation.
The correct way to solve this problem is through law, not technology.
Posted on March 30, 2006 at 8:07 AM
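The XOR relationships the post and the comments below argue about, as an added example (not Monolith's code and not part of the original post). The byte strings are constructed stand-ins for the Element, Basis and decoy files, and all function names are hypothetical. It shows the round trip, that an alternate "key" for a Mono file can only be computed from the Mono itself, and that a pairwise scan of posted blobs against a known hash still finds the pair that reconstructs the work.

```python
from __future__ import annotations

import hashlib
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (rejecting unequal lengths is this example's choice)."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def fit(text: bytes, n: int = 192) -> bytes:
    """Repeat and truncate constructed sample text so every sample is exactly n bytes."""
    return (text * (n // len(text) + 1))[:n]


# Constructed stand-ins; none of this is real content.
ELEMENT = fit(b"[constructed] stand-in for the restricted Element file. ")
BASIS = fit(b"[constructed] stand-in for a freely distributable Basis file. ")
DECOY = fit(b"[constructed] stand-in for an innocent work of the same length. ")


def munge(element: bytes, basis: bytes) -> bytes:
    """Element XOR Basis -> Mono, as the post describes."""
    return xor_bytes(element, basis)


def alternate_key(mono: bytes, claimed_plaintext: bytes) -> bytes:
    """Build the file that 'decodes' a Mono to any chosen same-length plaintext.

    The result is a function of the Mono, so it can only be produced after
    the Mono exists; it is not an independently created work.
    """
    return xor_bytes(mono, claimed_plaintext)


def pairs_matching(blobs: dict[str, bytes], known_sha256: set[str]) -> list[tuple[str, str]]:
    """Return the name pairs whose XOR hashes to a known work."""
    hits = []
    for (n1, b1), (n2, b2) in combinations(sorted(blobs.items()), 2):
        if len(b1) != len(b2):
            continue
        if hashlib.sha256(xor_bytes(b1, b2)).hexdigest() in known_sha256:
            hits.append((n1, n2))
    return hits


def demo() -> dict:
    mono = munge(ELEMENT, BASIS)
    cover = alternate_key(mono, DECOY)  # "XOR this with my post and you get DECOY"
    blobs = {"basis": BASIS, "mono": mono, "cover": cover}
    known = {hashlib.sha256(ELEMENT).hexdigest()}
    return {
        # Mono XOR Basis gives back the Element bit for bit.
        "round_trip": xor_bytes(mono, BASIS) == ELEMENT,
        # The cover file really does turn the Mono into the decoy...
        "cover_decodes_to_decoy": xor_bytes(mono, cover) == DECOY,
        # ...but it equals Element XOR Basis XOR Decoy, so it is derived from the Element.
        "cover_depends_on_element": cover == xor_bytes(xor_bytes(ELEMENT, BASIS), DECOY),
        # Both inputs are ASCII, so every Mono byte has its top bit clear:
        # a Mono built from two structured files is not uniformly random.
        "mono_high_bit_clear": max(mono) < 0x80,
        # Posting a cover file does not hide the pair that rebuilds the work.
        "matching_pairs": pairs_matching(blobs, known),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```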
• 79 Comments
> The correct way to solve this problem is through law, not technology.
Yes! Finally some pointing in the right direction instead of simply pointing out which way is the wrong direction.
Now maybe you'd like to elaborate on the topic, since lawmakers are famous for making a good idea in theory turn into a bad idea in practice...?
Surely the 'mono' file would simply be a derived work of the copyrighted restricted file, and therefore its creation and distribution would require a licence. A translation, after all, may contain no words in common with the original, but no-one would sanely argue that it would be an independent new work.
Maybe BitTorrent - everyone has only a piece of the munge but collectively the whole. Might be overcomplicating and messy.
It shouldn't matter "how" you get the copy, if it is ad verbatim, word for word, or otherwise derived from a word for word copy of the original, then it is still under copyright.
I doubt that anybody would buy the argument about HOW you got the copyrighted work in court. If it is a recognizable copy, it doesn't matter how crazy the path it took to get to you, it is still a copy, period!
Next week, how downloading files through an SSL tunnel avoids copyright infringement.
Isn't this just a very simple XOR encryption scheme with a larger than normal key (ie. an entire file)?
> The correct way to solve this problem is through law, not technology.
Somehow I missed the problem. Is it the "problem" of distributing others' intellectual property without their permission and without legal repercussions?
I thought the solution to *that* problem was to get a clue and outgrow the sense of self-entitlement where you believe you have free access to the efforts of others.
I agree completely. The transfer is still infringement - and the munge is still useless until converted - and all with the intent to steal.
Well, the corollary to this technique is that for every file in the universe, there is a corresponding file it can be XORed with to create a copyrighted work.
I think that makes us all guilty.
Bruce: Agreed, definitely breaking the spirit of the law.
Here's where it gets interesting: If I have a pair of files which XOR to produce a copyrighted work, the pair is evidently a derived work. But one of my two files (the first-created one) might not be. The problem is it can be impossible to tell which is which. If the two are distributed separately, then one of them is definitely a breach of copyright, but it is impossible in practice to say which one.
It is difficult to see how you could use this dodge without it being obvious that you are intending to facilitate infringement.
I agree with Bob on this issue. The problem that this website is misunderstanding is the sense of self-entitlement where you believe you have free access to the efforts of others.
I also agree that the current laws do need to be revised to better balance the need for protecting the efforts of others with the right to profit from them; and the need for the public not to be gouged by corporations who put very little effort into the intellectual property that they own the rights to.
If copyright laws were interpreted in the manner they suggest, you would be able to just rot13 (or uuencode, or base64 encode, or encrypt with a known key, or pick some trivial encoding scheme) the file and distribute that. But, I wouldn’t be so quick to dismiss it with “it won't hold up in court”; it kind of reminds me of Phil Zimmermann publishing the source code to PGP in a book, using an OCR friendly font, to get around crypto export restrictions.
Exactly - for any 'munged' file, there is a corresponding file that translates it into any file of the same length. Every time someone accuses you of distributing copyright material, you could present a file that, when used to decode it, would decode it into some public-domain work.
I'm inclined to agree that legislation, not technology is the answer here, though.
The operation is something like a one-time-pad with the "free" text as the key. I don't think a judge is going to be too kind on this kind of thing.
From law point of view, isn't XORing 2 documents (one copyrighted and one not) the same as encrypting (using whatever other algorithm) a copyrighted document?
If it's the same, you even may be breaking the law concerning the length of cryptographic keys for civilian use.
"Yes! Finally some pointing in the right direction instead of simply pointing out which way is the wrong direction."
"Security is a process, not a product" has yet to sink in, huh?
"Now maybe you'd like to elaborate on the topic, since lawmakers are famous for making a good idea in theory turn into a bad idea in practice...?"
Right, if there's one thing the Internet is lacking it's pontification about copyright.
Aren't we talking about one time pads here?
With the only difference that there is no need to keep the key secret and that the normal security problems (don't reuse the pad) don't matter.
This might place the user in a situation not of legality, but one of plausible deniability of the source of the ciphertext.
Can't blame him that a key exists to decrypt the file into one certain copyrighted work - there is a key to decrypt it into every possible result of the same length.
Still, distributing this particular key would probably not be legal.
Or as an audio engineer, could I just apply an algorithm to a file (say a little reverb or some dynamic compression) and argue that I've created a totally new work? Heck there are 24->16 bit dithering data files used in CD mastering that are remarkably similar to algorithm discussed here ( http://www.cranesong.com/analogdither.html ).
Sounds like a huge waste of effort. But some lawyers will get paid along the way...
WRT copyright and legislation, there is an interesting proposal by Dr. William Fisher at Harvard. In a nutshell, and in his own words:
"A creator who wished to collect revenue when his or her song or film was heard or watched would register it with the Copyright Office. With registration would come a unique file name, which would be used to track transmissions of digital copies of the work. The government would raise, through taxes, sufficient money to compensate registrants for making their works available to the public.
Using techniques pioneered by American and European performing rights organizations and television rating services, a government agency would estimate the frequency with which each song and film was heard or watched by consumers. Each registrant would then periodically be paid by the agency a share of the tax revenues proportional to the relative popularity of his or her creation. Once this system were in place, we would modify copyright law to eliminate most of the current prohibitions on unauthorized reproduction, distribution, adaptation, and performance of audio and video recordings. Music and films would thus be readily available, legally, for free.
Essential to such a system would be a way of tracking digital copies of songs and movies. This might be achieved by inserting into the original version of each work a unique and durable digital fingerprint, which would then be replicated in each copy of the
This comes from a book chapter he made available at http://www.tfisher.org/PTK.htm.
If we change the "filename" ID with some other form of identification (a watermark containing a digital signature, perhaps), could something like this work? Evidently, the fact that all devices need to "phone home" to report on the reproduction of the relevant works could be a threat to privacy, even though in principle it could be entirely anonymous. The third big issue would be the need for a "Copyright Office" as a trusted third party, as it is not clear to me that such an arrangement could work out easily in an international/global-internet setting. Nevertheless, in my view any proposal to replace the current copyright system with something at least marginally less stupid is welcome to consideration.
What are your opinions regarding such a system? I apologize for the enormous post, but it seemed as an interesting bit to share.
It does raise an interesting point,
If Eve splits a file into say six pieces and sends them via different people/paths to an unsuspecting party Bob, who has committed what crime, and when.
If Bob does not mix the six files together then the original file has not been recreated, so he has not committed an offence.
However if the same files were sent to Malic then he could put the files together but do it in a manner that is not provable unless caught in the act...
With the odd judgments we have seen in the past would a court assume that anybody with some / all the files on their machine is a Malic, and convict...
I think you mischaracterize the intent of the project by omitting the fourth paragraph:
"Note: Monolith was developed on a lark. It is a philosophical experiment, a curiosity, and perhaps even a hare-brained scheme. In any case, Monolith is meant to stir debate: a perfect, flawless system would not stir debate very well, would it? Monolith exists comfortably in a world of logical gymnastics. The real world of copyright does not operate in a logical fashion. Thus, a word of warning: if you apply Monolith in the real world, your legal mileage may vary. "
I think it serves this purpose quite well.
I think there's some misunderstanding here. The claim is not that any encryption "removes" the copyright. I'll quote this which somebody has made:
>If copyright laws were interpreted in the manner
>they suggest, you would be able to just rot13 (or
>uuencode, or base64 encode, or encrypt with a
>known key, or pick some trivial encoding scheme)
>the file and distribute that.
This is not the point. If you rot13 something, it still contains information about the original file. However, if you xor it with a random one-time-pad, *it contains NO information about the original file*. In fact, there is absolutely nothing connecting this new file to the original file. It's absolutely random. The copyright owner of the original file most definitely does not own any kind of rights towards this file. If he did, he would own it towards *all* files of this particular length.
This is fundamentally different from any other kind of encryption.
Let's imagine there were people on the net with strange hobbies. Some of them had a newsgroup, called alt.binaries.blobs. They all posted blobs of what seemed to be entirely random data. Each blob was referred to by its cryptographic checksum. When asked what they posted, they said things like "I like public domain works so much, I XOR them together to create new works in the public domain!", "Oh, I just XOR other posts together, it's easier than finding new works to XOR" or "Me? I just XOR posts with stuff from /dev/random". If you really twisted their arms about it, they could all dig up a saved blob of entirely random data (or sometimes a PD work) and present it with a smile: "XOR this with my post, and you'll see that it was just that other guy's post to begin with."
In the totally unrelated newsgroup alt.blobs.discoveries prospered another strange hobby. The people there said they liked to download posts from alt.binaries.blobs (but they never posted there themselves) and XOR them together to see what they could find, and then post about their discoveries. You'd sometimes even see posts like
"Britney Spears - Toxic: d3b07384d113edec49eaa6238ad5ff00 +
So, who's infringing copyright? The blobs people are only XORing non-copyrighted works, and they can prove it! The discoveries people hardly share anything that's copyrighted either.
To state the obvious: if you can accuse one poster of a blob of infringing on the copyright of one work, you can accuse all of them of infringing on all and any works ever created. It's just a matter of presenting the right blob to XOR with, right?
Well, I guess I can just pick a key, a stream offset and fire off RC4 against the file; the result being totally random (within the parameters of RC4 and the key) and not related to the original file.
However, I have a feeling that since you can't *prove* distribution (see Dreamer's first comment), then the ultimate infringer, as determined by a court, will be the person who ultimately compiled Britney's latest [gag-me-with-a-spoon] hit.
You can't take the route of "if you have blobs, you must be guilty" because that type of thinking is dangerous. Just because the bullet found in the wall of a convenience store after a robbery is a .45 doesn't mean the police can arrest everyone with a .45 caliber gun and charge them all. Just because I'm wearing Levi's, doesn't mean I'm the one who stole a case of Levi's from Wal-Mart.
This really isn't all that complex. While the 'munge' may have no relationship to the original content and therefore not under copyright, its conversion to the original is still infringement. Simple. The technology is irrelevant.
I expect a court would have issues with you if you obtained any "package" which could be used to obtain the copyrighted work (eg. a file and a decryption key). Both files form such a package together but not separately.
If you obtained each file separately maybe you could reduce the chance of someone collecting evidence of copyright violation, but who knows eh?
One more thing: I believe any judge thinking clearly is going to declare that if "it" (the final file, the analog reproduction, etc) resembles a particular copyrighted work, then it's a derivative work and thus in need of a license from the original copyright holder.
I would argue that each instance of derivation is going to need its own court case. One can obtain shorter and shorter samples from an audio file for placement in a new audio file. It's at the point where the resemblance [to an original] is no longer detectable to a human that derivation stops.
“in fact, there is absolutely nothing connecting this new file to the original file”
Yes there is; the onetime pad connects them, otherwise you wouldn’t be able to recover the original.
A xor P -> B
B xor P -> A1
So you are saying that even though A and A1 are identical that the author of A has no rights to A1? I would agree that he has no rights to B and probably would not care… you could sit and stare at B all you want. But distributing B and P is the same as distributing A.
I guess you could try and argue that all you did was ‘xor /dev/random /dev/random’ and the output just happened to be the LOTR extended edition DVDs :-)
I don't think too many courts would fail to rule against someone if it was shown that they created and distributed two files that combined to produce a copyrighted work.
In the examples that resolve down to two people who each claim to have posted random files, but where they join together to form a copyrighted work, you then reach "Prisoner's Dilemma", where the investigators simply offer a deal to whomever squeals.
Of course, this also heads into steganography, where you can hide a communication "A" by pretending to encrypt two communications "B" and "C" of equal or greater lengths than "A", where the keystreams for B and C happen to be usable to derive A.
[Or, slightly more devious, where a single document, of at least twice the length of A, is encrypted with a keystream that is actually the concatenation of a keystream with the result of encrypting A with that keystream.]
Matthew Skala's article should be required reading on this (and not just because I'm a fan of the game "Paranoia"). It illustrates perfectly why technical obfuscation doesn't change the legal concept of copyright one whit.
I would second jk's suggestion to read the 'What Colour Are Your Bits' article. Copyright law hinges largely on copying. If I copy a book, then I may be an infringer. If I independently create the exact same book, without reference to the other one, then I'm not. (Of course, the likelihood of this is low, and if I had the opportunity to see the first book before I did any writing, it will generally be presumed that I didn't write my book independently)
The intelligibility of a work at all points in time isn't very important, however. With the XORing scheme, you've always got a copy that was made by copying from someone else's work. Infringement is a certainty. Splitting it up doesn't change anything. Nor is the XORed file any less of a copy than the unXORed file.
Also, FYI, none of the works in question here are derivative works. That term has a very specific meaning in copyright law, and XORed copies don't fall within it. The XORed files are just copies. Copies don't have to be bit-for-bit identical.
Ultimately though, the main point is this: courts are not machines; they are run by people. The vast majority of them are very smart people. If it's obvious to you as to what this is, I guarantee that it will be to them. And that they would come down on this like a hammer. It may be possible to hack a security system by being clever. This is almost never the case for judicial systems, however, and I certainly can't imagine legal amateurs managing it.
This idea doesn't even pass the laugh test.
"What Colour are your bits?" article posted by jk -- it is a long article, but I definitely think it is really good.
> The website then postulates this as a
> mechanism to get around copyright
This sentence is a bit misleading without the note from the top of the site:
"Monolith was developed on a lark. It is a philosophical experiment, a curiosity, and perhaps even a hare-brained scheme. In any case, Monolith is meant to stir debate: a perfect, flawless system would not stir debate very well, would it? Monolith exists comfortably in a world of logical gymnastics. The real world of copyright does not operate in a logical fashion. Thus, a word of warning: if you apply Monolith in the real world, your legal mileage may vary."
One person: Who would the courts come down on, and for what? The only person they have anything on is the one that ultimately downloads the blobs and XORs them together. And that would probably be tricky unless they were caught red handed with the clear text file.
Let's say honest citizen A creates and posts a random file F1. You have posted some holiday snaps as F2. I post a file F3 that when XORed with F1 and F2 results in a copyrighted work. Will the hammer land on me or citizen A? I can demonstrate a file F4 that XORed with my posted F3 results in a harmless PD work. Any enemy of A can post any number of files that can be XORed with F1 and F2 to create any illegal files imaginable. Is A now a criminal? What about you?
Is the mere possession of F1, F2, and F3 a crime? What if you also possess hundreds of other blobs, without any demonstrable knowledge of all the possible combinations?
And regarding the act of creating a copyrighted work by XORing the files? Is it a crime if you did not know what the result would be? Is it a crime to tell about your discovery?
Dreamer, my personal response:
I'd keep it to myself, and enjoy the content :-)
First, what's a "random file?" A "randomly generated" or "randomly selected" file I understand, but what's a "random file?"
But let me give the quintessential security (and, for all I know, legal) answer to your question: it depends.
The law cares about intent and information pedigree (see Matthew Skala's article). Let's assume that the "random file" user A posted was an innocuous file with no relation to the copyrighted work (call it FC). Clearly A didn't commit copyright infringement. If you create a file that can be used to generate FC through some algorithm (XOR, unzipping, increasing each letter one space in the alphabet, holding it up to a mirror, whatever), then the question is: what was your intent, and did you have access to FC? If you had access to FC, the presumption will be that you used it, and that you've infringed copyright.
Of course, IANAL (which should be followed by a sequence of letters standing for, "Although If You Take Legal Advice From Pseudonymous Strangers On The Internet You Deserve What You'll Get.")
@ Dreamer and Clive Robinson
XORing a copyrighted work with something is creating a derivative work, which is protected by copyright. Creating a system (alt.binaries.blobs) that facilitates copyright infringement is also illegal (Napster). It isn't a very big leap to "Participating in a system that facilitates copyright infringement is illegal." Especially a system as completely useless for any legitimate purpose as alt.binaries.blobs.
So, to answer Clive, everyone who knew the system was used to circumvent copyright and willingly participated is probably guilty of either infringement, or facilitating infringement. Except perhaps the network providers along the way who might be able to exempt themselves via the common carrier provisions of the DMCA.
Might I suggest a heuristic test to help guide us in determining when things are suspect?
Add up the number of files coming in. In the case of Monolith we have x blobs and one other file, making x+1 items. Now add up the number of interesting files going out. We have only x items, because each x was XOR'd with the one other file.
Should you be able to show that you can bring in n almost-random looking files, and produce MORE than n (or even n) interesting results by XOR'ing pairs of them, then we will have something to talk about.
Meanwhile, go read Matthew Skala's item on colour - excellent!
Disclaimer: I don't illegally distribute or accept copies of copyrighted material, all of the music that I listen to I either get from an acceptable source (radio) or I've purchased myself. The below is focused on the music industry as an example, but it could easily be generalized to include all IP.
> Somehow I missed the problem. Is it the "problem" of distributing others'
> intellectual property without their permission and without legal
The big problem has nothing to do with distribution and everything to do with our concept of intellectual property, which is woefully out of date and needs re-examination.
Copyright law is more or less built upon a foundation of a technological infrastructure with a high barrier to entry for production of a unique work, duplication of a unique work, and distribution of a unique work.
Only the first holds true now (admittedly, a lot of copyrighted material is drek, but that's more or less besides the point). Replication and distribution are trivial problems.
Musicians, prior to the existence of the phonograph, had to rely upon their individual performances to fund their careers. A technological advancement allowed them to gain a new revenue stream (selling recordings). Now a new technological advancement has made the old method of distributing recordings obsolete. To say that they have a "right" to sell their music is an arbitrary distinction -> why should they? They didn't have this "right" historically, it was only the advent of the phonograph that enabled them to sell recordings. Since their "right" was predicated upon a technology, assuming that the "right" transfers to a new technology replacing that technology isn't necessarily valid.
The *name* RIAA (Recording Industry Association of America) shows how this is a dying industry. It relies upon selling *recordings* as the primary capital stream for the industry!
> I thought the solution to *that* problem was to get a clue and outgrow
> the sense of self-entitlement where you believe you have free access to the
> efforts of others.
In a very real sense, we all have free access to the efforts of others. Or rather, we have free access to some efforts of some others. You *could* say that Cerf has IP rights over TCP/IP, but he doesn't get a royalty with every packet sent.
Think of it in terms of a communication channel. There's a sender, who has a copy of the work. There's a receiver, who wants a copy.
We can abstract away the mechanisms in the middle. They might encrypt the file, split it up into packets, encode it for convenient transmission, or whatever. If the sender willfully arranges for the receiver to get a copy, and the sender has no permission to distribute, then a copyright violation has occurred. The law can do the same as communication engineers do all the time and abstract away the details of the channel. I don't think any technical details will get around the fact that a work is distributed without the permission of its copyright holder.
We can split lots of hairs about whether the people in the middle, who form parts of the communication channel, are guilty of anything. After all, the same means of obscuring who's talking to who that can help with copyright violation can also help dissidents who live in dictatorships safely talk to each other. Because of these other uses, I think that only the actual senders and receivers can really be held liable, but who knows how courts will rule.
Using XOR doesn't make the file any less a copy than using mp3, ogg vorbis, or encrypting the file with more conventional means, regardless of what key you use. Reversing the xor is easily interpreted as "recapturing" the recording, whether directly or indirectly.
Many people miss this, because they start thinking that the resulting file is a derivative work, instead of a copy.
You said "...get a clue and outgrow the sense of self-entitlement...", and you're right.
We solve that problem by punishing people who break the law so that they understand that they've done harm and hopefully so they'll reform.
I think I'd rather see someone initiate the discussion the way Mr. Rohrer did rather than wait until [insert large corporate/political interest here] puts such a squeeze on us all that we're criminalized for *mentioning* a song title, discussing a novel or describing the art in the subway.
Note that performers weren't universally happy at the creation of methods to distribute reproductions of their performances to begin with, because that would obviously prevent people from paying money to come and see / hear them perform.
Search on "player pianos" and "copyright" for more information.
Oh, sure. And that is being played out again in today's market -> you have musicians who aren't happy with the new methods of creating and distributing reproductions (Dr. Dre and Metallica) and you have other musicians who prefer the new technology or have been more or less ignoring the RIAA model for years (The Grateful Dead).
But that's a tangent. The real problem is that we need to re-examine the concept of intellectual property. In my opinion, anyway.
So, what about the people who AREN'T using those previously copyrighted works. They get taxed?! This creates a large inequity; those people who copy and listen to thousands of audio tracks then get a good deal for their taxes. Those people who do not do so get a terrible deal for their taxes. In effect, you are mandating that all people purchase some amount of entertainment.
I don't believe (personally) that the government is here to pay our entertainment bill. How can you neglect that taxes come out of people's pockets? I choose how to spend my dollars now by not buying CDs, and incidentally I do not have an illegal MP3 collection. Why should I have the government, under threat of force (fines, jail time), charge me for entertainment that I don't want?!!
Charging taxes to maintain the security of a society is one thing. Charging taxes to maintain the security of performance artists seems at best unfair. I don't mind paying for a military, courthouses, or interstate development projects with a clear benefit to the country. I do mind paying for things that could just as well be a consumer choice, such as MP3 tracks, theatres, or retirement plans.
This kind of argument smacks of the refusal to make people responsible for their own actions. Repeat after me: "The Government is not my friend. The Government is not my father. The Government is not my mother. The Government is not my big brother. The Government is not my big sister. The Government secures my rights and lets me live the life I want to."
That was me posting @ Ere.
Dreamer doesn't seem to understand that if you have a xor file called Crypt that can be xored with some file to produce a copyrighted work, then it's going to be statistically impossible to find another actual work called Cya (public domain or otherwise) that can be xored with Crypt to produce a non-infringing work, unless Cya was created specifically for that purpose, and in the latter case Cya is going to be a stream of apparently random bytes, and not useful to CYA.
This idea lived and died under another name a couple of years ago. Everyone knows it's just a wank they just want to pretend it isn't.
Basically every single pirated movie release on the internet is already released as a "munged" set of files, none of which are usable on their own, must be combined in a special way to retrieve the embedded media and on a bit-for-bit level in no way relate to the original file when examined.
It's called a RAR file set and if it ain't giving you these magical powers of IP immunity then this ain't.
If 'mono' goes untreated, it could have severe health repercussions irrespective of copyright. I suggest 500MG 3x/day of PVK and mom hiding the hard drive.
What if the byte sequence came from a commonly available PRNG?
The name of the file could be some hash value of the file's contents (as already mentioned with alt.binaries), but it could also be a seed and offset for the PRNG.
...(ad absurdum) the partnering file could also be some instructions to produce many byte series to apply to different offsets within the file.
Unfortunately, it is possible to define the creation of almost ANY copyrighted digital document from any other documents. It may not be practical or easy, but it CAN be done, and none of the participating documents needs to be the same length as the copyrighted result.
If this idea presents a significant problem to the RIAA/MPAA secret police, maybe we should restart public discussion about DRM with ALL options on the table.
Legal practicalities aside, this is a clever (if hair-splitting) counter-argument to Big Content's (equally hair-splitting) argument that a use that creates a purely incidental copy is still subject to copyright.
What about a dining cryptographers variation on this scheme? Would this be conspiracy to infringe?
Why is it different than copying something with "invisible" ink and then selling a chemical to read it again?
It appears a dumb lawyer just met a brilliant xor programmer.
I thought Bruce added levity on Fridays only :-)
I think everyone's missing the point. The way I read it is - the author isn't really (seriously) proposing that this isn't infringement. It clearly is. However, when multiple files from multiple apparent sources xor together to form a protected work, chasing down the distributor is much more difficult.
The way I understand the current state of things, the receiver and the distributor are both guilty of infringement, BUT, since there are so many receivers in an internet distribution scenario, it's a game of whack-a-mole to go after them. It's also difficult to find them, if they don't then redistribute the work. That's why the lawyers concentrate on the distributors - more bang for the buck.
What would they do if finding the distributors was (not impossible, but) damn hard as well?
I think it seems more interesting as a steganographic technique than as a copyright evasion tool. If two parties can independently arrive at one of the source files, through a previously agreed technique, then the other file can be the message that one is trying to send to the other.
pdf23ds: You're missing the implication of your own statement: Every posted blob, be it genuinely random, legitimate or infringing, is only one XOR away from being any other of the posted blobs. There is no way to tell the blobs from each other. They are all random, legitimate, specifically crafted and infringing at the same time.
If you say to me "hey, your post is just one XOR away from being my copyrighted work" that is always true, even if I've never had access to a copy of your work. Anyone with any blob can claim that. And I can easily demonstrate how my post was a result of a completely different XOR operation.
I understand and, in fact, agree with all your points. I do not want to be taxed for goods/services that are not really a common good, and I am not obsessed with giving the already bloated US government one more lever to fiddle with the lives of the people.
However, the fact that content duplication and distribution are now trivially easy *does* make copyright woefully anachronic (obsolete, even). In my view, it is more fruitful to contemplate alternatives than trying to fix an absurd system that is just being maintained to keep the big record/movie/etc labels happy. So, this particular system may not be perfect - in fact I doubt that any particular system will be. BUT it does solve my main issue with the RIAA: It allows the content creators to be remunerated for their intellectual property WHILST allowing the people to maintain their elemental fair use scenarios.
Anyway, that was just an idea. Does anybody else have an idea on how to remove the copyright idiocy out of IP remuneration?
And finally, Egonics use a unique method in distributing their music to their customers. The Egone may look like a head ornament instead of a headphone. This is because it doesn’t broadcast sound to the ears as normal headphones do, but instead it projects the music directly to the zones in the brain that govern hearing, bypassing the ear altogether. This has many obvious advantages, both for Egonics and the customer. Most importantly, there is no danger of illegal copying and distribution, as there is no actual sound to record. Also, there is no noise pollution and people can easily converse with each other as the ears are clear.
Music is broadcasted to the Egone over wavelength, similar to radio, so in effect every Egonics customer is listening to his own personal radio station, playing only those songs he likes and has paid for.
As somebody above wrote, the idea is merely mental gymnastics. It is basically this argument posed in a different way: It's all just a zeros and ones - why should anybody be able to make a claim on that?
And in the same way every physical entity is made up of a combination of molecules - why should anybody be able to make a claim on some of those?
The difference is, of course, that with information we
a) already have a good knowledge of the most basic/elementary building blocks
b) we are "all-powerful" in creating and rearranging those building blocks in any way we like, at "virtually no cost" - we are like "gods of information", each and every one of us.
As someone else said before: given that this is a major, major breakthrough in technological terms, it seems very odd, that we are trying to hold on to the rules we made up on totally different terms. Of course this is due to the financial interests of a minority. I feel like living in those times, where somebody waving a flag has to run in front of every car. Hopefully we'll get over it at some point... I am confident we will.
You are missing the point, it doesn't matter if it's a copy or a derivative work, the important point is that illegal distributors can't be traced easily using this system because the files they distribute are not just plain text with obvious names that you can easily sniff through the communications channel and just follow their path up to the original source.
And it's practically impossible for any copyright police to prosecute the receivers because there is an almost universal demand for getting copyrighted works without paying.
What a lot of people seem to be missing here is that once a file is XORd with a randomly-generated file, it is itself a random file which can be used to XOR with other files. So any given file could be the "decryption key" for any number of other files, some of them in the public domain...alternatively, it could be considered the encrypted version of any of those same public-domain files. Either way, it's arguably protected by the First Amendment.
Furthermore, it's trivial to generate a new file that transforms an existing file into any other file. How do you prove anything at this point? The only point at which you can prove intent is when a person publishes the instructions to create a particular file. This could make enforcement rather difficult, since it's such a small amount of information, it could be traded on small slips of paper.
(This is quite a bit different from the Freenet algorithm, by the way.)
As for the morality of all this, my personal view is that Bruce's Street Performer paper pretty well sums up where we're at, and what the solution should be.
So what if one day my computer is finding absurdly large primes, and one of them happens to be one of these copyrighted works? I think what matters is intention - and specifically, showing intention to infringe beyond a reasonable doubt, which should be doable even with the existence of mono.
"You are missing the point, it doesn't matter if it's a copy or a derivative work, the important point is that illegal distributors can't be traced easily using this system because the files they distribute are not just plain text with obvious names that you can easily sniff through the communications channel and just follow their path up to the original source."
Nobody does that now, so not being able to do that with this isn't any improvement.
"And it's practically impossible for any copyright police to prosecute the receivers because there is an almost universal demand for getting copyrighted works without paying.
Posted by: Pablo at March 31, 2006 08:55 AM"
The safety in numbers concept doesn't work when your P2P network is by design many times slower than any other and requires you to host files you have no interest in hosting.
The "copyright police" are only going to need the one cell to lock up every single person using this system.
"I thought the solution to *that* problem was to get a clue and outgrow the sense of self-entitlement where you believe you have free access to the efforts of others"
Not exactly. There are huge problems with the current implementation of copyrights.
What happens when you own the vinyl version of an album? Or the audio cassettes?
The rhetoric holds that you pay for the right to use them instead of the physical object, so you should have the legal right to download the CD for those.
Yet the record industry have been taking money from people for years to buy the same music over and over again.
A -> Mono -> B
The intermediate file "Mono" is more like a decryption key. Much like a password (or any public/private key), you should be able to distribute it freely as you wish as described by the website. However, the second you use that password to generate B, then you have infringed copyright.
The "Mono" file is illegal, regardless of whether it is related to the source material or not, if it is distributed as a medium to reconstruct copyright work. This is like BitTorrent. While torrent files themselves don't infringe on copyright, when used as a medium to distribute copyrighted works, it becomes illegal. It will be difficult for you to defend that your randomly generated file when munged with public domain file A, coincidentally produces file B.
One way to counteract copyright excess is to produce creative works that are licensed under the GNU General Public License and/or the Creative Commons Attribution Share Alike license. These licenses allow users to reuse and reproduce the works that they cover. However, all derivative works must be licensed under the same license. As such, those who are looking for works to reuse in a new work may have an increased incentive to license the new work permissively.
This isn't even a good philosophical argument. It's just single-key encryption. It's the same (almost) as distributing a PGP encrypted file of, say, "Neuromancer." The only difference could be that with a double-key encryption, only the intended party can read it, thus only one violation of the copyright laws.
What happens if I XOR the third file with another file?
And now we think of using a legal file for files 2 and 4.
To combine 5 (4 xor 3) with 3 (1 xor 2) is completely legal, because I will get 4, a legal file like gpl.txt.
So 3 is legal, 2 is legal (it's a legal file), too. But 2 xor 3 is illegal.
If I compress a copyrighted file using zip, I get a completely new and different file.
Am I free to distribute it? Surely not.
My example is just a simplification of the Monolith thing.
a XOR b = c, a XOR c = b, b XOR c = a is RAID 5 technology and also a one time pad technology. Its simplicity is beautiful and useful. A one-time-pad is proven mathematically to be unbreakable except for the problem of key distribution perhaps solvable by quantum encryption.
What Bruce has described is implemented in RAID 5 (wikipedia search for "Standard RAID levels"). The interesting thing is that the data in both 'a' and 'b' is logically duplicated in 'c' but only takes 1/2 of the space even if 'a' and 'b' are compressed! The loss of one of a, b or c means that the broken element is recoverable. In an age where priceless data on DVDs has 1/4 of the life expectancy of a hardback book, you can create large backup files or DVDs and create 'c' or mono elements (files or disks).
Now if a,b,c is described as a "trio" we can take that trio x and then take another different trio (with d,e,f) call it 'y' and make the third trio 'z' (with elements g, h, i) simply by doing x XOR y = z. OR indeed (a XOR d = g etc). This is a trio of a trio.
I would use a hash algorithm to verify the elements; that way you would know what was corrupt. Old MD5 is fast enough for the job.
In a trio of a trio how many copies do we have?
How many element failures can this tolerate? What if we repeat the cycle yet again?
What is the mathematical relationship of recoverability and space used to the recursive level of trios?
Is this a useful error correction recovery technology with practical applications?
[This is "PRIOR ART" so is not patentable by parasites, neither should it be because XOR is a fundamental concept of computer science. Patenting this idea would be like patenting long division or multiplication. It would not be ethical.] Euclides.
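The a/b/c trio with per-element hashes described in the comment above, as an added example (not the commenter's code): it verifies each element, then rebuilds a single damaged or missing one from the other two. The function names, the zero-padding of unequal lengths, the manifest layout and the sample data are assumptions made for this illustration.

```python
import hashlib

def xor_bytes(x: bytes, y: bytes) -> bytes:
    """XOR two byte strings, zero-padding the shorter one to equal length."""
    n = max(len(x), len(y))
    return bytes(p ^ q for p, q in zip(x.ljust(n, b"\0"), y.ljust(n, b"\0")))

def digest(data: bytes) -> str:
    # MD5 as the comment suggests: it catches accidental corruption only,
    # not deliberate tampering (use SHA-256 if that matters).
    return hashlib.md5(data).hexdigest()

def make_trio(a: bytes, b: bytes):
    """Return (elements, manifest) where c = a XOR b."""
    elements = {"a": a, "b": b, "c": xor_bytes(a, b)}
    manifest = {k: {"len": len(v), "md5": digest(v)} for k, v in elements.items()}
    return elements, manifest

def repair(elements: dict, manifest: dict):
    """Verify each element; rebuild a single bad or missing one from the other two.

    Returns the name of the repaired element, or None if all were intact.
    Raises ValueError when more than one element is bad (unrecoverable).
    """
    bad = [k for k, m in manifest.items()
           if k not in elements or digest(elements[k]) != m["md5"]]
    if not bad:
        return None
    if len(bad) > 1:
        raise ValueError(f"unrecoverable: {sorted(bad)} all failed verification")
    lost = bad[0]
    x, y = (elements[k] for k in manifest if k != lost)
    rebuilt = xor_bytes(x, y)[:manifest[lost]["len"]]  # strip zero padding
    if digest(rebuilt) != manifest[lost]["md5"]:
        raise ValueError("rebuilt element does not match its recorded hash")
    elements[lost] = rebuilt
    return lost

# Constructed sample data (not from the page).
A = b"backup block one: quarterly ledger"
B = b"backup block two: photo index, longer than block one"
```

The hashes are what turn XOR parity into a repair tool: without them a flipped byte in one element is indistinguishable from a flipped byte in either of the others.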
Dreamer and Dennis are correct.
Short Version: The only way to fight Monolith (or some more perfect form thereof) is to give rights-holders the power to demand the takedown of any particular large, apparently-random file regardless of what it can be shown to be actively used for, or else to make it illegal to host large random files altogether.
Hosts public domain files PD1-10
Create and host randomly-generated files R1-10
Possesses copyrighted file C1
XORs PD1, R1-5 and C1 into apparently-random file AR1
XORs PD2, R3-7 and AR1 into apparently-random file AR2
Posts publicly that R3-7 and AR1-2 can be XORed to produce PD2
Infringer Z now publishes, as briefly and anonymously as possible, that PD1, R1-5 and AR1 can be XORed to produce C1. Let's call this the Recipe.
The rights-holder to C1 now wants to shut down infringement by legal action. They can accomplish this by forcing the removal of, or by punishing the copying of, any of the following: PD1, R1-5, AR1, the Recipe. Let's consider these potential legal attacks in order.
PD1: 1st Amendment defense. PD1 is speech. Zero risk to Innocent A. No hope for the rights-holder.
R1-5, AR1: Whether a defense would be successful or not, these can be defended identically, because they are indistinguishable by purely technical means. AR1 has been directly tainted, but without an admission from Infringer Z this cannot be established. None can prove the random origin of their files. Any file can be re-created by XORing the rest of the files (C1 included). The number of files and file-hosters means that any individual is far more likely to be innocent than guilty. The rights-holder would essentially have to be given the power of demanding the takedown of any block of data that a) appeared in an infringing recipe, and b) could not be proven to have a non-infringing origin. Many of these files would also be part of the distribution chain for non-infringing works, as in the above example where the removal of AR1 prevents the reconstruction of PD2 - at least by that method.
The Recipe: Obviously the recipe can be subjected to a legal attack. You don't even have to call it a derivative work. The rights-holder could pursue anyone who transmitted the recipe under the concept of contributory infringement. But the recipe is small. Let's say the average recipe references five files by their 128-bit hashes and then a description of the result you'll get that runs to a couple lines of text. A single recipe would occupy perhaps 0.2kB. According to rough but not-baseless estimates there are 130M books, 200M songs, and 5M movies in existence. This would yield a 67GB index file. But you can toss that number out, because there's no reason why we can't store the index file in the system itself. While people would no doubt simply host the most popular chunks of it directly while playing cat-and-mouse with rights-holders, we could avoid even that if we wanted to. All we'd have to pass around is this:
Now, this is all more complicated and less efficient than other ways of sharing legitimate files. But so are Tor and Freenet more complicated and less efficient than other ways of hosting and browsing content. As long as there were some reasonable, non-infringing reasons to participate in the passive hosting of random files, and as long as those files could not be taken down without detriment to those goals, a permanent legal defense could perhaps be maintained. It would certainly force the issue: if significant additional (practical) powers were not handed to copyright enforcers, infringement could take place right under their noses without recourse.