Over the last week, it has become clear that Apple is embedding some identifying information in songs purchased from iTunes, including the name of the customer and his or her e-mail address. This has raised the ire of consumer advocates, including the Electronic Frontier Foundation, which addressed this again yesterday.
Last year, I published a paper entitled Mistrust-Based Digital Rights Management (online preprint available here). In that paper, I argued that as we switched from content products such as CDs and DVDs to content services such as iTunes, Google Video and YouTube, we would embrace identity-based digital rights management. This is exactly what we are seeing from iTunes. How should we assess identity-based DRM?
Take a step backwards. As long as I keep my songs to myself and don’t share them, the embedded information shouldn’t matter. The information may facilitate interactions between Apple and its customers and might make it easier to verify whether a particular song was purchased from iTunes, but this doesn’t seem to be the central point of embedding identity in the songs.
Instead, identity matters if I share the song with someone else. Identity travels with the content. If I know that and care, I will be less likely to share the content indiscriminately over p2p networks. Why should I care? It depends on what happens with the embedded information. One use would make it possible for Apple to identify who was sharing content on p2p networks. Having traced content to its purchaser, Apple might choose to drop that person as a customer.
But Apple could do this without embedding the information in the clear. As Fred von Lohmann asked in his post on the EFF blog, why embed identity in the clear rather than as encrypted data? After all, if Apple intends to scour p2p networks, it could do so just as easily looking for encrypted identities.
Apple might have a different strategy, one that relies on third-party sanctions, and that strategy would require actual identities. Suppose Apple posted the following notice on iTunes:
“Songs downloaded from iTunes are not to be shared with strangers. We have embedded your name and email address into the songs. Our best guess is that if you share iTunes songs on p2p networks, your name and email will be harvested from those songs and you will receive an extra 10 spam emails per day from third parties.”
Encrypted information works if Apple is doing all of the detection. It would even work, as I suggested in my paper, if Apple relied on third parties to do the detection by turning in p2p uploaders to Apple. We could run that system with encrypted information. All that is required is that the rat knows that he is turning in someone; he doesn’t need to know who that person is exactly.
But a third-party punishment strategy would probably be implemented using actual identity. The spammer who harvests the email address inflicts the penalty for uploading, not Apple itself. For Apple to drop out of the punishment business, it needs to hand off identity. Obviously, extra spam is just one possible cost for disclosing names and emails; other costs would further reduce the incentive to upload.
Disclosing identity is a clumsy tool. It doesn’t scale very well. It will work most powerfully against the casual uploader. It offers no (marginal) deterrence against someone who would upload lots of songs anyway. My mistrust-based scheme (described in the paper) might work better in those circumstances.
So far, Apple doesn’t seem to be saying much about what it is doing. It needs to be careful. As the Sony BMG fiasco—also discussed in the paper—emphasizes, content owners may not get that many opportunities to establish technological protection schemes. Each one they get wrong makes it that much harder to try another scheme later, given the adverse public relations fallout. As I suggest above, Apple may have a legitimate strategy for disclosing identity in the clear. It will be interesting to see what Apple says next.
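The contrast drawn above between identity embedded in the clear and an encrypted identity that only the store (or whoever it hands the key to) can resolve, as an added illustration that is not from the post or from Apple's software: the tag format, the sample purchaser and the choice of RSA-OAEP are assumptions, and the detection side is simply whoever holds the private key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// PlainTag mirrors in-the-clear embedding: anyone who opens the file reads it.
func PlainTag(name, email string) string {
	return "purchaser=" + name + ";email=" + email
}

// SealedTag encrypts the identity to the store's public key (RSA-OAEP, assumed
// scheme), so the identity still travels with the file but strangers cannot read it.
func SealedTag(pub *rsa.PublicKey, name, email string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(name+"|"+email), []byte("purchase-id"))
	if err != nil {
		return "", err
	}
	return "purchaser=" + base64.StdEncoding.EncodeToString(ct), nil
}

// Resolve is the detection side: only the private-key holder maps a tag to a purchaser.
func Resolve(priv *rsa.PrivateKey, tag string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(tag, "purchaser="))
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte("purchase-id"))
	if err != nil {
		return "", err // wrong key or tampered tag: OAEP padding check fails
	}
	return string(pt), nil
}

// Harvestable reports whether a stranger scanning the tag finds an e-mail address.
func Harvestable(tag string) bool { return strings.Contains(tag, "@") }

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed store key pair
	sealed, _ := SealedTag(&priv.PublicKey, "Jane Buyer", "jane@example.com") // constructed purchaser
	id, _ := Resolve(priv, sealed)
	fmt.Println(Harvestable(PlainTag("Jane Buyer", "jane@example.com")), Harvestable(sealed), id)
}
```

With the sealed form, Apple can still match a file found on a p2p network to a purchaser, but the spammer in the comments below has nothing to harvest.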
Thanks to the magic of public key encryption, I don't think identity information needs to be embedded in the clear, even if you envision third party enforcement. Apple simply shares its key with authorized third party enforcers (either through voluntary negotiations or in response to a subpoena filed in a John Doe action).
Moreover, if intended as an identity-based DRM system, it makes little sense for Apple to keep this secret, while embedding information in a readily-editable form (I predict a batch editing tool will be made available that re-writes all names to Steve Jobs and all email addresses to [email protected], which tool, incidentally, would appear to be perfectly legal to distribute and use).
So, whatever your view on identity-based DRM, it is no excuse for embedding PII in the clear. All that does is create the possibility that unauthorized individuals will get it (iPod thieves, eBay hard drive harvesters, etc). However remote you think that possibility might be, it's hard to discount when weighed against the nonexistent justification for in the clear embedding.
Posted by: Fred von Lohmann | June 06, 2007 at 10:46 AM
1. I agree on the probable tech response; something to strip the identity info or to switch it.
2. As to the legitimacy of that tool, presumably that will be a tool that will be making derivative works of the original works. That will take us down the path of assessing the legitimacy of that tool under Sony, Grokster and the like.
3. On the public key encryption point, I don't think that I get it. Decentralized punishment means that third parties inflict costs on sharers. These will not be parties authorized by Apple or in privity with Apple and so Apple would never be in the position of sharing a key, public or private, with them. These will be strangers to Apple who will benefit from the disclosed information by harvesting it and using it in the way that I describe. The information needs to be generally available to strangers for this to work.
Posted by: Randy Picker | June 06, 2007 at 11:07 AM
On point #3, since we're only talking about materials made available through the iTunes Store (the only materials in which Apple is embedding names/emails), Apple does have privity with the most relevant third parties intent on "inflict[ing] costs on sharers" (i.e., major record labels).
Moreover, any strangers not in privity who have legitimate copyrights (joint authors, music publishers) likely can obtain the key via a subpoena obtained after filing a John Doe suit.
Posted by: Fred von Lohmann | June 06, 2007 at 11:56 AM
I'm not getting it still and either don't understand the encryption scheme or am being unclear about the punishment scheme.
Having any third party able to read identity from the file means that some third parties will grab that information and use it in a way that the file sharer doesn't like. That possibility will deter sharing. These won't necessarily be third parties that have anything to do with Apple. These may be spammers in the Caymans who constantly troll the Internet looking for email addresses. It could be someone else who uses the email address in a way that the sharer dislikes. Apple itself isn't in the spamming business and wouldn't be willing to inflict a spam penalty, but it makes it possible for third parties to inflict that penalty if the email address is readable by third parties who are willing to put the address to a use disliked by the sharer. I don't know that that address needs to be in the clear, but it needs to be readily readable by my Caymans spammers. These spammers need to be strangers to Apple, as Apple doesn't want anything to do with them directly, even though it will be delighted by their activities--inflicting the spamming punishment--should the sharer upload the file.
This is a version of the difference between compensation models and deterrence models. If we think that file sharing hurts the labels then we might want to compensate them (or artists (fighting issue I understand but doesn't matter for this point here)). If we are just doing deterrence, then we just need to have sharers face penalties, and it doesn't matter who inflicts the penalty, so long as it occurs. So compensation could be a penalty and it could be paid to labels/artists, but for deterrence, third party penalties will suffice as well. The Cayman spammers are exactly that.
Posted by: Randy Picker | June 06, 2007 at 02:35 PM
What happens when someone who didn't intentionally share their files on public networks gets their email harvested by spammers? Perhaps, as Fred suggested, their iPod gets stolen or their hard drive hacked. You're not addressing the possible negative PR that could result for Apple if a victim of thievery receives further punishment in the form of spam, due to Apple's policy of embedding purchasers' personal information in the clear.
Posted by: Doug Lay | June 06, 2007 at 05:15 PM
This 'what if an iPod were stolen' thing is absurd - your contacts and photos might be on your iPod too. You've got a lot more to worry about than someone having your name and AppleID. Your name and address are on a lot of junk mail you throw away too....
Not to mention your name and appleid are in any iTunes bought DRM'ed tracks in this stolen ipod scenario, which no one was complaining about a few weeks ago.
Privacy and anonymity are not the same thing.
Posted by: Marcos | June 07, 2007 at 10:53 AM
Thank you, Marcos. This whole iTunes thing is over-reaction on the internet at its finest. That VCF file is much more valuable than the string that names the account the file is linked to.
People asked for files they could play on all of their devices, then they got those files with the exact same metadata they had before, and now it's suddenly a huge problem? Shame on you. You didn't want fair-use, you wanted to share files anonymously. Don't like it? Don't use iTunes. Use eMusic, rip CDs. iTunes is not the only way to get music. End of story.
Posted by: Noah | June 07, 2007 at 01:19 PM
For the record, I'm addressing Prof. Picker's ideas about mistrust-based DRM, and not engaging in generalized bitching about Apple. Apple can do what they want with embedding ID info in their products, but I submit that it would be very poorly received for them to advertise that file-sharers will be punished with loss of personal info, because of the real possibility that innocent users will be punished along with the file sharers. True enough that someone whose iPod gets stolen has bigger problems than their e-mail address getting leaked to spammers, but that doesn't mean they will react well to Apple reminding them of this additional minor "punishment" on top of their greater losses. Note that Apple isn't actually advertising this, it's just an idea of Prof. Picker's. A pretty dubious idea, I think.
Also, I don't share music files anonymously (nor download them anonymously, except in authorized contexts). Not sure where Noah got that idea.
Posted by: Doug Lay | June 07, 2007 at 02:15 PM
It seems like an important point has been skipped over here. Who says Apple wants to punish anyone for sharing music? I think we've gotten so wrapped up in the DRM argument, and so conditioned by the RIAA lawsuits to think that if you upload a song to a file-sharing network, you'll be hunted down like a dog, that we've forgotten Apple never wanted to be in the DRM business in the first place. Their arm was twisted by the recording industry. Now, it may be the case that EMI required some form of identity embedded as a condition of going DRM-free, but I certainly don't think _Apple_, on their own, said "hey, if we put the user's e-mail address in here, they can be punished by third-party enforcers". In my opinion, it was most likely a case of simply putting the info in "because it was there", with little or no thought whatsoever to becoming or enabling a copyright enforcement squad. If they had known so many people were going to get their panties in a bunch over it, it probably wouldn't have happened. It's not important to their model.
Let's also not forget that the actual audio portion of the file isn't watermarked or encrypted in any way, so it's rather trivial to simply extract the music, leaving the metadata behind. Any decent programmer could slap together a tool to do that in a couple of minutes.
Posted by: Chris | June 08, 2007 at 07:04 AM
I agree with the earlier comment that casts doubt on whether DRM is actually the purpose behind the name/email embedding. It is just as likely that Apple uses this as "proof of purchase" information for their own internal use.
But I think I understand now -- it's Prof. Picker's view that iTunes customers should be vulnerable to online predators, spammers, etc. if their purchased songs find their way onto the Internet. Of course, I object categorically to this approach (which would justify embedding credit card numbers and SSNs, as well).
And, in any event, if deterrence is the goal here, it is hard to see how it is served by Apple's failure to tell anyone about the embedding of PII. That leaves customers without the necessary information to make ex ante decisions that respond to the deterrence you propose. (Of course, publicizing this will simply hasten the deployment of tools meant to remove the PII, which means only the unsophisticated will be subject to the punishment you propose.)
Posted by: Fred von Lohmann | June 08, 2007 at 03:58 PM
On the surface, Apple's approach doesn't appear to harm people unless they are sharing their music with others. However, this isn't always true.
Music sharing is not always intentional. For example, a college student who uses his roommate's computer with permission may copy the music on the computer without permission. The student may share the songs with other friends, and they eventually end up on the internet. As a result, people would have to protect their music like they protect other personal information.
Having to protect your music because it contains personal information presents problems. First, people must actively protect their music, which creates more work or potentially the expense of software. Second, many people may not realize that they must protect their software, so Apple has essentially exposed them to this risk without their knowledge.
Based on this, the encrypted email address seems to be a much better option.
Posted by: Law Student | December 28, 2007 at 10:33 AM