Apple's New Scanning Tools Raising More Concerns, Even Inside Apple

from the take-a-step-back dept

Last week, we wrote about our concerns about Apple's newly announced scanning efforts that the company claimed were to protect children. Lots of security experts raised concerns about how this was being rolled out -- and none of the complaints were meant to take away from the very real and legitimate concerns about child sexual abuse. Security guru Alex Stamos wrote one of the most thoughtful threads about the whole thing, noting (as with so many of these issues) that there are no easy answers here. I highly recommend you read the entire thread, but here's a little snippet:

Similar to many of these debates involving nuanced tech policy issues with no easy answers, a big part of the problem here is, as Stamos notes in his thread, there are tons of conversations happening about the nuances and tradeoffs, and even though Apple's approach is not as disastrous and dangerous as it could have been (i.e., clearly a lot of thought was put by the team at Apple into minimizing many -- though not all -- of the risks here), this approach was still done without talking to the many, many people who have been trying to find a reasonable balance here. And that messes a lot of stuff up.

Stamos, along with computer science professor/security guy Matt Green, have now published a good piece in the NY Times highlighting their concerns. The article notes there is less concern about the iMessage child safety features (Apple's initial description of that seemed much more concerning, but the details show why it's not that bad). But the photo scanning on the phone raises a lot of concerns:

But the other technology, which allows Apple to scan the photos on your phone, is more alarming. While Apple has vowed to use this technology to search only for child sexual abuse material, and only if your photos are uploaded to iCloud Photos, nothing in principle prevents this sort of technology from being used for other purposes and without your consent. It is reasonable to wonder if law enforcement in the United States could compel Apple (or any other company that develops such capacities) to use this technology to detect other kinds of images or documents stored on people’s computers or phones.

While Apple is introducing the child sexual abuse detection feature only in the United States for now, it is not hard to imagine that foreign governments will be eager to use this sort of tool to monitor other aspects of their citizens’ lives — and might pressure Apple to comply. Apple does not have a good record of resisting such pressure in China, for example, having moved Chinese citizens’ data to Chinese government servers. Even some democracies criminalize broad categories of hate speech and blasphemy. Would Apple be able to resist the demands of legitimately elected governments to use this technology to help enforce those laws?

Another worry is that the new technology has not been sufficiently tested. The tool relies on a new algorithm designed to recognize known child sexual abuse images, even if they have been slightly altered. Apple says this algorithm is extremely unlikely to accidentally flag legitimate content, and it has added some safeguards, including having Apple employees review images before forwarding them to the National Center for Missing and Exploited Children. But Apple has allowed few if any independent computer scientists to test its algorithm.

The computer science and policymaking communities have spent years considering the kinds of problems raised by this sort of technology, trying to find a proper balance between public safety and individual privacy. The Apple plan upends all of that deliberation. Apple has more than one billion devices in the world, so its decisions affect the security plans of every government and every other technology company. Apple has now sent a clear message that it is safe to build and use systems that directly scan people’s personal phones for prohibited content.

In a separate thread, Stamos has a suggested path forward for Apple, which involves pumping the brakes quite a bit on some of these features.

Meanwhile, Reuters revealed on Thursday that inside Apple there are widespread concerns as well.

Apple employees have flooded an Apple internal Slack channel with more than 800 messages on the plan announced a week ago, workers who asked not to be identified told Reuters. Many expressed worries that the feature could be exploited by repressive governments looking to find other material for censorship or arrests, according to workers who saw the days-long thread.

Past security changes at Apple have also prompted concern among employees, but the volume and duration of the new debate is surprising, the workers said. Some posters worried that Apple is damaging its leading reputation for protecting privacy.

The article notes that many of the concerns are coming from outside of the security team at Apple -- suggesting that the concerns are more about perception than they are technical. But, really, this highlights the same problem that Stamos noted earlier: Apple's standard operating procedure of doing everything alone, and then also doing "surprise" announcements regarding products. That's great for a new gadget in your pocket. It's not so great for dealing with a massively challenging and very legitimate problem with no easy answers, where getting things even a little wrong can have significant negative consequences.

Unlike many companies that rush out offerings that do more harm than good, I do think that Apple did think this through internally with lots of smart and thoughtful people. But these are problems and challenges that go beyond just one company -- and Apple's famously insular approach is exactly the wrong thing for this sort of challenge.

Filed Under: backdoors, csam, encryption, icloud, iphones, privacy, scanning, security, surveillance
Companies: apple

New Report Says Apple Dropped Plans To Fully Encrypt Backups After FBI Complained

from the encrypt-all-the-things dept

As Attorney General William Barr and other law enforcement officials continue to insist (falsely) that Apple refuses to cooperate with them in undermining encryption and security on all iPhones, plenty of people have been pointing out for years that the reality is that most iPhone encryption is effectively meaningless, because if a user has iCloud backups on, Apple retains the key to that data and can (and does!) open it up for legitimate law enforcement requests. In other words, it's extremely rare that full device encryption actually keeps law enforcement out (and that leaves aside the fact that technological solutions exist for law enforcement to hack into most iPhones anyway). Indeed. as you might recall, during the FBI's last big fight about encryption with Apple, over San Bernardino shooter Syed Farook's iPhone, it was revealed that the FBI's own incompetence resulted in Farook's backups being wiped out before the FBI had a chance to access them.

For quite some time now, EFF and others have urged Apple to close this loophole and allow for truly encrypted iCloud backups, such that even Apple can't get in. Apple has toyed with the idea, but as Tim Cook has said a few times, the company chose not to do it this way after weighing the pros and cons from a user's perspective. The key issue: if something is fully encrypted and Apple doesn't have the key, if you lose your password, the data is effectively gone. There is no "password reset" if Apple doesn't retain the key:

There our users have a key and we have one. We do this because some users lose or forget their key and then expect help from us to get their data back.

However, in that same interview, Cook did suggest that Apple would move towards encrypting backups as well:

It is difficult to estimate when we will change this practice. But I think that will be regulated in the future as with the devices. So we will not have a key for it in the future.

I think that there are legitimate user-centric reasons for the decision that Apple made, though it seems clear that many, many people don't realize that Apple still has the key to their backups. However, a new report from Reuters says that Apple killed plans to offer fully encrypted backups after the FBI got upset about it:

Apple Inc dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

The tech giant’s reversal, about two years ago, has not previously been reported. It shows how much Apple has been willing to help U.S. law enforcement and intelligence agencies, despite taking a harder line in high-profile legal disputes with the government and casting itself as a defender of its customers’ information.

At the very least, this shows (yet again) that Barr and other law enforcement officials are blatantly lying when they say that Apple does not cooperate with law enforcement or that it doesn't take the concerns they raise seriously. On the flip side, it is a bad look for Apple, in that it has chosen to avoid a more secure option for its users' data, going against the company's long-standing public support for encryption and protecting users' data.

Again, even if there is a legitimate reason for not encrypting backups -- and it's equally true that if Apple did offer it, there would be public complaints of people no longer having access to their data -- it's troubling that Apple won't even make this an option (with clear warning statements) for end users, and that they're doing so because of blatant fearmongering by law enforcement officials.

Of course, the other way one might look at this decision is that if Apple had gone forward with fully encrypting backups, then the DOJ, FBI and other law enforcement would have gone even more ballistic in demanding a regulatory approach that blocks pretty much all real encryption. If you buy that argument, then failing to encrypt backups is a bit of appeasement. Of course, with Barr's recent attacks on device encryption, it seems reasonable to argue that this "compromise" isn't enough (and, frankly, probably would never be enough) for authoritarian law enforcement folks like Barr, and thus, it's silly for Apple to even bother to try to appease them in such a manner.

Indeed, all of this seems like an argument for why Apple should actually cooperate less with law enforcement, rather than more, as the administration keeps asking. Because even when Apple tries to work with law enforcement, it gets attacked as if it has done nothing. It seems like the only reasonable move at this point is to argue that the DOJ is a hostile actor, and Apple should act accordingly.

Filed Under: backups, doj, encryption, fbi, going dark, icloud, pressure
Companies: apple

Apple Agrees To Store Chinese iCloud Data In China, Making It Much Easier For The Chinese Gov't To Access It

from the joining-the-Big-Brothers-program dept

In a time when law enforcement officials are calling Apple "evil" and demanding access to encrypted communications, it doesn't make much sense for the company to be doing this.

When Apple Inc begins hosting Chinese users’ iCloud accounts in a new Chinese data center at the end of this month to comply with new laws there, Chinese authorities will have far easier access to text messages, email and other data stored in the cloud.

That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

This will allow the Chinese government to quell dissent and hunt down wrong-thinkers much more efficiently. It also shows the company is willing to drastically change the way it does business in order to maintain a large foreign customer base. This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications. Thanks to its acquiescence to the Chinese government, these questions won't be so easy to answer.

This change in policy won't budge the needle much in terms of US lawful access. US authorities will now have to route requests for Chinese data through the Chinese government, but it's unlikely there's much of that going on now. Requests for domestic data and communications stored in Apple's iCloud will be handled the way they always have been. Apple's always held keys domestically for iCloud accounts, which makes the cries of "going dark" a bit melodramatic.

But it does indicate Apple is willing to change policies for governments far less freedom-friendly than ours. And if it's willing to do that, why won't it stash encryption keys for locked devices where US law enforcement can access them?

Apple's defense of this move is interesting. It claims denying the Chinese government access would have meant shutting down the service in China. According to Apple's statements, this would make Chinese users less safe than the company decrypting iCloud data on demand.

“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.

Presumably, data would have migrated to smaller cloud services offering even less protection to Chinese citizens. But that's hard to square with the fact that Apple's Chinese iCloud infrastructure is reliant on state-owned cloud firm Guizhou -- a company with close ties to the Chinese government.

Apple says the government won't have access to keys. It will still hold the keys, but the data's location means there won't be any prolonged battles over jurisdiction. Its "contractual arrangement" with Guizhou possibly makes Apple's decision to hold the keys inconsequential. The government may be able to approach Apple's partner and obtain direct access, bypassing the very minimal legal requirements Chinese law enforcement needs to meet before demanding user data.

Apple used to resist the Chinese government's demand for cloud data. Now it's pretty much engaged in a partnership with a state-owned business. If it's willing to do this, its resistance to US government overtures seems hypocritical at best. I don't want Apple to lower its defenses against US government intrusion, but I'd rather it took a consistent stance on these issues. Right now, it appears to be willing to submit to authoritarian governments rather than sacrifice part of its user base. It punches holes in its defenses of its actions on the domestic side and makes it easier for US law enforcement officials to sell encryption-damaging legislation to Congress and the White House.

Filed Under: china, human rights, icloud, privacy, security, surveillance
Companies: apple

Apple Uploading Call Data, Including From Third-Party Call Apps, To Users' iCloud Accounts

from the everything-in-its-right-place dept

So much for encryption turning phones into inscrutable blocks of plastic, metal, and glass. The Intercept is reporting that Apple is doing some of law enforcement's work for it, routing call records to users' iCloud storage.

Russian digital forensics firm Elcomsoft has found that Apple’s mobile devices automatically send a user’s call history to the company’s servers if iCloud is enabled — but the data gets uploaded in many instances without user choice or notification.

“You only need to have iCloud itself enabled” for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft.

The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user’s iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user’s carrier, who may retain the data for only a short period, or from the user’s device, if it’s encrypted with an unbreakable passcode.

Plain vanilla call records aren't that difficult to obtain. They've long been considered third-party records and can be obtained without a warrant. The Intercept quotes a former FBI agent as saying this is a "boon" for law enforcement because the four-month retention period is longer than most service providers'.

That doesn't seem to be correct at all. The EFF's Nate Cardozo points out that most service providers retain call logs for at least a year, with some retaining records for as long as a decade. Kim Zetter, who wrote the piece for The Intercept, believes it might be a misunderstanding. Providers may retain content (messages, etc.) for a shorter time frame than the four months of records Apple automatically uploads, but former agent Robert Osgood (quoted in The Intercept's piece) clearly states he's referring to call logs.

The concerning part of this isn't the normal call logs. Those are retained for years by carriers and can be obtained with a subpoena or a pen register/trap and trace order (for "real-time" data). There are two aspects of this automatic collection that should worry iPhone users.

First, it's not solely limited to calls placed directly through carriers.

FaceTime, which is used to make audio and video calls on iOS devices, also syncs call history to iCloud automatically, according to Elcomsoft. The company believes syncing of both regular calls and FaceTime call logs goes back to at least iOS 8.2, which Apple released in March 2015.

And beginning with Apple’s latest operating system, iOS 10, incoming missed calls that are made through third-party VoIP applications like Skype, WhatsApp, and Viber, and that use Apple CallKit to make the calls, also get logged to the cloud, Katalov said.

Trying to route around service providers to limit easily-obtainable records of your call activity is somewhat pointless on Apple devices. It all gets captured and can be obtained directly from the company. Presumably this information would still fall under the Third Party Doctrine, meaning law enforcement most likely won't have to present a warrant to collect this data from Apple.

The other concerning part of this collection is that Apple does it without informing customers that it's doing it. It does list several forms of data it syncs to users' iCloud accounts, but never states that it's collecting call records. Kate Cox of The Consumerist digs into the iCloud fine print.

Under the header “Privacy and security,” Apple writes:

Apple takes data security and the privacy of your personal information very seriously, and iCloud features are designed with your privacy in mind. All your iCloud content — like photos, documents, and contacts — is encrypted when sent over the Internet and, in most cases, when stored on our servers. If we use third-party vendors to store your information, we encrypt it and never give them the keys. And security enhancements like two-factor authentication help to ensure that the important information in your account can only be accessed by you, and only with your devices.

And the full list of features Apple mentions on the site includes backup for “important stuff like photos and videos”; Notes; iTunes and Apple Music; Mail, Calendar, Contacts, and Reminders; Safari browser history and passwords; Safari password keychain; and Find my [Device]. Nowhere is “call history data” mentioned.

Apple's explanation for this hidden syncing is "convenience:" "history syncing" allows users to "return calls from any device." That's fine but it doesn't explain why Apple doesn't list that in the data it syncs to iCloud or why it doesn't give users an easy way to exclude call data from this process.

Not that users of other devices should feel superior. Android and Windows phones do the same thing and give users no easy way to disable call tracking.

But it does drill another hole in the "going dark" theory. Tons of information from locked phones is being synced to cloud storage that manufacturers hold the keys to. And, in the case of Apple, content from end-to-end encrypted iMessages could be no more than a warrant away from law enforcement's possession.

Filed Under: call records, control, data, icloud, metadata, privacy, transparency
Companies: apple

Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes

from the lawful-access-opens-a-door-that's-difficult-to-close dept

You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.

We keep hearing from people who think that just "giving law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.

Filed Under: backdoors, celebgate, celebrity nudes, hacking, icloud, law enforcement, lawful access, nudes
Companies: apple, elcomsoft

Apple's VP Of Software Engineering: No, We Have Never Given A Backdoor To Any Government

from the shut-up-DOJ dept

One of the more ridiculous claims in the DOJ's filing against Apple last week, was its decision to pick up on former NSA lawyer Stewart Baker's conspiracy theory that Apple had built backdoors into its products for China (side note: I met Stewart in person for the first time recently, and he mocked me about this, saying that I should agree with him on this point). However, as we noted in our post last week, there doesn't seem to be much evidence to support Baker's claims. The two key issues were using the Chinese wireless standard WAPI -- which some have claimed includes some sort of backdoor, but it was also the only real local area wireless tech in China for a while -- and the decision to store iCloud data in China. However, as we noted, there have been reports that the Chinese government tried to then conduct a man in the middle attack against the iCloud servers. If Apple had actually given the government a backdoor, then why would it need to do that?

Either way, in a declaration attached to Apple's response, Apple had Craig Federighi, its senior VP of software engineering, tell the court directly that it has never installed a backdoor for any government ever:

Apple uses the same security protocols everywhere in the world.

Apple has never made user data, whether stored on the iPhone or in iCloud, more technologically accessible to any country's government. We believe any such access is too dangerous to allow. Apple has also not provided any government with its proprietary iOS source code. While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device.

It is my understanding that Apple has never worked with any government agency from any country to create a "backdoor" in any of our products or services.

Now, some may push back on the point about WAPI, but again, making use of a third party technology that potentially has backdoors (some of which could be protected against) and being told by the government to build special backdoors just for that government are still vastly different scenarios.

Filed Under: all writs act, backdoors, china, craig federighi, doj, encryption, fbi, going dark, icloud, wapi
Companies: apple

FBI's Own Actions Likely Made Farook's iPhone Data Inaccessible

from the oops dept

On Friday, we noted that one of the reasons that the FBI was unable to get access to the data on the remaining iPhone from Syed Farook was because after the shooting and after the phone was in the hands of the government, Farook's employer, the San Bernardino Health Department, initiated a password change on his iCloud account. That apparently messed stuff up, because without that, it would have been possible to force the phone to backup data to the associated iCloud account, where it would have been available to the FBI. But, after we published that article, a rather salient point came out: the Health Department only did this because the FBI asked it to do so.

From a San Bernardino County Twitter account:

The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request.

— CountyWire (@CountyWire) February 20, 2016

If you can't read that, it says: "The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request."

In short: a big reason why the FBI can't get the info it wants is because of an action taken... by the FBI.

Apple has also provided further information on this, showing how it was perfectly willing to cooperate in reasonable ways with the FBI -- but that it was the FBI that messed things up:

The Apple executive told reporters that the company’s engineers had first suggested to the government that it take the phone to the suspect’s apartment to connect it to the Wi-Fi there. But since reporters and members of the public had swarmed that crime scene shortly after the shootings occurred, it was likely that any Wi-Fi there had been disconnected. So Apple suggested the government take the phone to Farook’s former workplace and connect the phone to a Wi-Fi network there.

The executive said that Apple walked the government through the entire process to accomplish this, but the government came back about two weeks later and told Apple that it hadn’t worked.

Apple didn’t understand why it had not worked—until the company learned that sometime after the phone had been taken into the custody of law enforcement, someone had gone online and changed the Apple ID that the phone uses to conduct backups.

Two interesting points in there: first, do you remember how there was all this discussion about the insane media scrum that ransacked Farook's house? And lots of people pointed out that useful evidence may have been harmed by it. At the time, the FBI insisted they were all done with the house, but it appears that may have been part of the reason why they couldn't get the backup.

The second is that Apple had not revealed this tidbit earlier. The company explained that it had felt that its conversations with the government had been confidential until the FBI revealed this detail in the totally unexpected Motion to Compel it filed Friday. It appeared that the FBI was so eager to push its PR stunt that it filed the document (which it had no reason to file), and then revealed even more of its own bungling in this particular case.

Whether intentional or not, this is only going to add support to people who say that the FBI doesn't actually care what's on the phone, but wanted to be able to go after the data in this case because they knew they could set a precedent in a case where their argument will generate the most sympathy. Remember, back in September, after the Intelligence Community lost the fight to get a law banning strong encryption, intelligence officials said out loud that they'd just wait until the next terrorist attack:

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Two months later, you get a "terrorist attack" (or a workplace dispute that can be painted as a terrorist attack) and a sorta, kinda encrypted phone, and voila. Just what the intel community asked for. It would be crazy to suggest that any of this was done on purpose -- it's almost certainly a bit of convenience for the intel and law enforcement communities. But the fact that the FBI directed the Health Department to change the password, and that's part of the reason they're now locked out, really raises some questions about what the FBI's priorities were here. It also raises a separate question of whether or not companies should be forced to hack their own system in cases where the FBI's own bungling was responsible for the loss of information. But, really, that's a minor point, given that the DOJ wants that power even in cases where the FBI didn't mess things up itself.

Filed Under: encryption, fbi, icloud, password reset, san bernardino county, syed farook

Idiot Phone Thief Uploads His Selfies, Plural, To His Victim's iCloud Account

from the face-time dept

Earlier this year, I wrote about a dumb criminal who reportedly broke into someone's home and incriminated himself by taking a selfie with his victim's phone. Our always helpful community did the digging they so dig to do and uncovered that the story had since been debunked. Many of you must have thought that this should have been obvious. After all, some of you surely thought, even the most idiotic bad guys aren't going to go out of their way to photograph themselves in the midst of committing their crimes.

Ah, sweet vindication is such a wonderful side-dish in a main course of schadenfreude. Not only has a recent dumb criminal proved he's perfectly willing to take a selfie with a phone he stole from his victim, but he's been taking multiple selfies. All these self-incriminating bits of narcissism are, of course, being uploaded to the victim's iCloud account and are currently being shared by police, who I imagine are also rolling around on the ground laughing.

Police in Stockton, Calif. are sharing the photo of a man they say stole a victim's iPhone. The police have identified the man because he's continued to take selfie photos that show up on the victim's iCloud account.

Oh, yes, and there have been all kinds of follow up reports on this, indicating that I won't be getting egg on my face this go around. In the meantime, the police are of course blasting this wonderful gentleman's self-portrait all over social media and local news. I expect he'll be in custody shortly, if he isn't already. Look now upon the face of a mastermind.

And, as I said, the selfies reportedly are still rolling in. Here's to our unnamed phone thief getting a nice, big mirror in his holding cell.

Filed Under: cloud, criminals, icloud, iphone, selfies, thief

Music Exec Says Too Many Silly Things To Put In This Headline

from the 34%-of-statistics-are-made-up dept

If anything, Apple's announcement of iTunes MusicMatch has made opposing sides equally uncomfortable (a sign of disruption?). Whereas some are concerned about its possible use as a tool to identify infringers, others are more concerned about it 'legitimizing piracy' and are not afraid to pull numbers out of thin air to back up their claims.

One of these people is PRS for Music's chief executive Robert Ashcroft. Ashcroft claims collection societies like PRS for Music could experience an 80% drop in online licensing revenue if unauthorized downloads were to be admitted in locker services and then legitimized. It seems very unlikely that collection societies would even exist if one innovation would cut 80% of their business, but I'm very curious to see evidence to back up this claim.

I've been trying to come up with a scenario that would warrant this 80%, but most would be too far-fetched for a non-fiction blog like Techdirt. The existence of these locker services would have to lead to governments deciding there is no reason to keep downloading illegal. Then either new 'pirate' platforms would have to start outcompeting already existing platforms or most legitimate platforms would have to decide there is no value in having good relations with the artists and labels their users adore. Then most users must stop spending money on music. Why is this not realistic? Despite the increasing convenience of unauthorized downloads, authorized platforms such as Netflix are beating piracy in terms of traffic. If the suggested 80% decline would be realistic, it would have already happened. It didn't.

He further stated that:

“We are at a turning point. Either the internet becomes an economically viable replacement to CDs or else there is an admission you can’t get fair value from the internet, which would lead to lasting damage to the music industry.”

No, just no. Either the internet becomes an economically viable replacement to CDs or else? The internet is a revolution in computer networking and communication - it was never intended to be a replacement to CDs. The internet is a disruptive technology which among many great things has helped thousands (if not millions) of artists and musicians reach global audiences they would otherwise not have reached. It has helped artists gain exposure and popularity to generate the licensing revenue which helps pay for the salary of collection societies' staff. For this reason the new generation doesn't blame the internet (although sometimes they forget where they came from). Just recently I interviewed Para One, a successful French electro producer, who said:

“I personally see the internet as a blessing. It would be unfair to hate it, since it pretty much kickstarted our careers through forums, then MySpace, etc, a while ago.”

Let's just label the part where he says that the internet should be a CD replacement "or else" as the FUD that it is and move on. Actual research into this suggests there's actually money to be made for the music industry. Of course that remains to be seen and depends on a few factors such as how good consumers are at predicting their own behaviour. It's also dependent on the moves of other competing platforms such as Spotify and Google Music.

However, these are intelligent platforms, built in a reality where they have to compete with free and in which they must convert 'free users' into paying users. This is why I cringe when I hear people from a less reality-based side of the business say "piracy" needs to be stopped in order for these startups to succeed. A piracy-free internet would have to be so restricted (three strikes is not enough) that it would devastate these startups and most other future innovation along with human rights.

Filed Under: copyright, icloud, itunes, music match, stats

Could Apple's MusicMatch Be A Tool To Identify Infringers?

from the wouldn't-that-be-interesting dept

When Apple announced its iCloud Music Match service, a lot of people started suggesting that it "legitimized" infringement, or in some manner created an amnesty program for infringers: pay $25/year and all of your infringing copies get replaced by licensed copies from Apple. In fact, this really pissed off some copyright holders. The whole thing struck me as a huge exaggeration, because no one was looking at the files on your hard drive to see if they were infringing anyway.

But... what if they started now? And what if they started now because they could... thanks to Apple's iCloud Music Match.

I still think this is a huge stretch (and I'll explain why below), but Slashdot points us to a story from someone suggesting that rather than "amnesty" for unauthorized file sharers, Music Match could be used to track down infringers. My initial response was that this was totally crazy, because it wouldn't know if the non-iTunes-bought tracks were authorized or not. After all, you could have bought them elsewhere or ripped them. However, the author of the article, Daniel Nolte, does a good job walking through both scenarios and explaining why Apple might still be able to figure out what files were likely infringing:

Although the �DRM free� MP3 now being provided from many of the the major music download companies can be played anywhere, each download is watermarked with header information specific to the exact purchase and purchaser.  This article from Techcrunch gives more details on �dirty� MP3s.  Consequently, if you purchase a �DRM free� MP3 file from iTunes and then share it, and the person(s) who received it saves it to their iCloud, then Apple will know both (i) who shared their copy and (ii) whose copy is illegal.  For files from other watermarked retailers, the same information would only require coordination with the other site.

Next consider music purchased from sites that sell legal but �clean� MP3s without watermarks.  These files will have unique MD5 or SHA-2 signatures that can distinguish them to a particular company.  They will certainly have different signatures than the watermarked versions (because the addition of the watermark) and they will be unique from versions of the same song encoded by others.  When Apple�s servers detect a number of copies far in excess of the �clean� mp3 company�s reported sales, they will know where to suspect illegal copying.

Then there will be MP3s that individuals created themselves from, for example, �ripping� their CD collections.  While these are not watermarked to the individual, they appear to be unique for each �rip�.  To confirm this, I ran a test with fresh installations of the exact same CD ripping software on two different computers.  I then had them rip the same track from the exact same CD using the unchanged system default settings on both computers.  The MD5 hashes did not match. Small differences between the two reads, the internal timestamps, the system metadata, etc. likely resulted in the mismatch.  It will almost certainly also be different from the file hashes from legal download sites, both those that watermark and those that do not.    In short, if you and thousands other people have MP3s of the same song with the same file hash value, you will not be able to credibly claim it occurred because all of you ripped it from your CD collections.

The obvious next response is that Apple would never let its data be used in this manner, as it would kill the service. But Nolte notes that might not matter either:

Apple would not have to.  They would simply have to comply with an information demand from the RIAA, who has had no problem with being seen as the bad guy in hardball enforcement against file sharing.  Moreover consider this:

1. Apple is the largest music retailer on the planet.
2. Apple believes, possibly justifiably, that it loses billions of dollars annually to illegal music file sharing.
3. The easiest way out of the legal jam over challenged content in your iCloud storage would be to convert the suspected iCloud music by buying it from Apple.  Apple becomes almost like a white knight in the process.

While this is possible, I don't think it's probable for a variety of reasons. While the RIAA may not have a problem being seen as the bad guy in hardball enforcement, I think that even it has some limits, and this almost certainly passes those limits. I could actually see a random misguided indie label seeking this kind of information, but I'm not convinced it would really get that far. I would hope that most courts would recognize that this was a fishing expedition, rather than a reasonable search based on evidence of specific infringement. Simply demanding all data would (hopefully) be a non-starter.

In the end, I think both claims are probably overblown. Music Match is neither a way to launder infringing files, nor is it a honeypot to get you in trouble for your infringing files. It's just a service to sync music.

Filed Under: icloud, infringement, music match
Companies: apple