Cracked or not? The SDMI saga continues.

Did hackers successfully break watermarks designed to protect digital music?

Oct 19, 2000 | On Oct. 3, Salon published a story outlining serious divisions within the Secure Digital Music Initiative (SDMI) as to whether the "watermarking" system that SDMI was testing as a way to protect digitally distributed music would actually work. Then, on Oct. 12, Salon reported that hackers who had been invited by SDMI to test the security system had successfully broken all the watermarks.

Salon based its reporting on three sources who spoke only on the condition that they not be identified. It also quoted an SDMI spokesperson denying that the watermarks had been successfully "cracked." But on Oct. 13, SDMI director Leonardo Chiariglione declared in an Inside.com story that Salon's story was "completely wrong, unfounded, anonymous slander."

We returned to one of our original sources, seeking a response to Chiariglione's rebuttal. Our source replied, giving us even greater detail about what is happening behind SDMI's closed doors. We have decided to publish our insider's response, verbatim, along with additional responses from both Chiariglione and Matt Oppenheim, senior V.P. of business and legal affairs for the Recording Industry Association of America (RIAA).

Our source:

Your story (which I just re-read carefully to make sure) is 100 percent accurate. All four technologies in the public test had successful attacks submitted against them. The key is how "success" is defined. In this case, the attacked samples have been 1) run through a watermark detector to ensure that the watermark was removed, and 2) subjected to preliminary listening tests performed by "golden ears" listeners to ensure that each attacked sample still sounded better than a 64 kbps MP3 file.

Two sets of "golden ears" listeners are being used. If there's a case in which there's disagreement between the two "golden ears" listeners on whether the attacked sample meets criteria two above, a third set of golden ears will listen to the sample and break the tie.

There's one further step in the verification phase of the public testing process, which is a requirement that the attack be "reproducible," meaning that additional samples will be given to the successful testers so they can work their hacking magic all over again.

There are some developments that, in the current atmosphere of mistrust, could make some participants feel that the recording industry is trying to take complete control of the selection process. For instance, the tie-breaking "golden ears" listener, rather than being a neutral third party, will likely be an employee of Universal Music Group, a company with more than a passing interest in seeing a watermark, any watermark, be chosen. This would mean that two of the three golden ears testers would be RIAA members.

Also, in the wake of last week's published accounts, RIAA members so intimidated and berated a member of the testing committee, who they blamed for the release of information, that the member resigned from the committee. The RIAA then insisted that all testing committee members, current and past, sign a strict nondisclosure agreement. Many IT [information technology] and CE [consumer electronics] companies have very strict policies as to the type of NDA their employees can sign. It's possible that due to this fact there will not be representation from IT or CE companies on the testing committee, even though those companies have the most expertise in this area. Hopefully, though, the fact that RIAA counsel Matt Oppenheim publicly apologized to the former testing committee member [Tuesday], coupled with some rework of the NDA, might lead to a positive resolution.

Finally, the recording industry expressed interest in not holding what was expected to be the next type of testing -- known as restricted attack -- and moving instead to what was originally supposed to be the third type -- known as analytic attack. Given their druthers, I think the RIAA would not choose to return later to restricted attack testing, but I expect that other SDMI members will insist on it. More testing means more accurate data on the suitability of the technologies being evaluated.

Leonardo's comments are exactly what I expected -- holding to the party line that nothing's wrong, because indeed they have not yet made public the preliminary data (which does exist and which you accurately reported). I would expect this face-saving to continue at least through the next SDMI meeting in November, but not much further. Even if the testing process moves forward in such a way that one or two technologies survive the first round without a "confirmed" break, later rounds of more detailed testing could find that even the first-round survivors fall below the specific standards SDMI has set for its purposes.
