Secure Music Initiative Meets in L.A.: Will They Declare Victory and Go Home?

Secure Music Initiative Meets in L.A.: Will They Declare Victory and Go Home?

Everyone agrees that another Christmas can't go by without setting a standard to protect digital music. But delays have one member wondering: 'If not now, when exactly? ... If not now, just shoot us in the head and end our misery.'

©Inside.com, January 19, 2001, by Roger Parloff

When it convenes on Tuesday, Jan. 23, in Los Angeles, the 200-odd companies that compose the much-reviled Secure Digital Music Initiative (SDMI) will attempt to figure out precisely where, if anywhere, to go from here.

Since at least mid-October the group has been stymied, unable to reach consensus about which of several competing technologies to make the centerpiece of its exceedingly unpopular mission: arriving at a technological framework for the distribution of 'secure music.' That is, music that consumers cannot freely copy and distribute over the Internet like just another e-mail attachment.

Yet none of the half-dozen SDMI attendees interviewed for this story believe the group is close to reaching that consensus -- a task that members had once naively hoped to accomplish by Spring 2000. On the contrary, at the group's last plenary meeting in Maui in early December, a consensus emerged instead in favor of reassessing whether any of the five remaining technologies being considered should be approved. Due to changes in the marketplace and problems with each of the proposed technologies --including, but not limited to, their susceptibility to being hacked -- SDMI might choose instead to redefine its objectives and rebid the project, or, perhaps, place itself on some new track altogether.

If it is a new track, it had better be a fast one, since many SDMI members are clearly fed up with the group's glacial progress. (Early this month EETimes.com reported that Micronas Semiconductors, Inc., a maker of chips for MP3 players, became one of the first SDMI members to drop out, citing the interminable delays.) Device manufacturers cannot bear to see another Christmas shopping season pass without a fully functioning SDMI-compliant product to show for their efforts, while the proponents of the various competing secure music technologies are weary of spending time and resources pursuing a prize that never seems to get awarded.

'If not now, when exactly?' asks Scott Moskowitz, CEO of Blue Spike, a digital watermarking company that makes one of the five technologies that are still in the running. 'If not now, just shoot us in the head and end our misery.'

SDMI will also have to reorganize itself at next week's meeting, since, in a side development in Maui, the group's mercurial executive director, Leonardo Chiariglione, dissolved SDMI's existing structure of working groups. Evidently angered that the proposal to reassess SDMI's objectives had emerged from an ad hoc caucus, rather than from a formally established SDMI body, Chiariglione disbanded the existing administrative bodies. According to three participants at the December meeting, Chiariglione also threatened to resign or to take SDMI's mission to another standards-making body like, for instance, the Motion Picture Experts Group (MPEG), which Chiariglione also heads.

'It was not a matter of threatening -- certainly not threatening -- and not to resign,' says Chiariglione, in an interview. 'The point was, we were in a transition phase. Until now we've been working with the idea of collecting the data. Now we have the data, and we have to process the changes.'

Accordingly, the next meeting promises to be a crucial one for the future of SDMI. Conceivably, the organization could even choose to disband, though none of those interviewed thinks this is likely. 'It's survived more death threats than a Latin American dictator,' says an attorney for several consumer electronics firm who are members. 'Every six months it has a near-death experience, but it always seems to plow ahead.'

ACHIEVEMENTS, THUS FAR, HAVE LARGELY BEEN SYMBOLIC

Founded in December 1998 at the instigation of the major record labels, SDMI has received virtually nothing but bad press. Consultants and analysts have insisted that consumers will reject copy protection schemes. Encryption experts have promised that the planned defenses will not work. Civil liberties advocates have protested that any secure defense would somehow violate the U.S. Constitution.

Nonetheless, against all odds -- and an unwieldy decision-making structure that requires virtual unanimity before the disparate membership can adopt a standard -- SDMI has actually made some modest, if unheralded, headway. Its most tangible achievement was the publication of its specifications for a so-called Phase 1 portable audio player in June 1999. Nevertheless, the Phase 1 specifications remain today an almost totally symbolic accomplishment -- some would say a meaningless one -- since the defining attribute of a Phase 1 device is merely its ability to be upgraded into a Phase 2 device. And it is the Phase 2 technology that SDMI has been unable to agree upon, and that it is now considering redefining -- or even jettisoning.

What would Phase 2 do? Theoretically, once a Phase 2 technology is agreed upon and deployed, record labels would begin issuing CDs and digital downloads that are impregnated, by means of an agreed upon 'digital watermarking' process, with copy-control information that would be intelligible to, and honored by, Phase 2 SDMI-compliant devices. Members would not be required to manufacture SDMI-compliant devices, but noncompliant devices would be unable to play the new, secure music.

Compliant devices would still be able to play all existing CDs and MP3s in consumers' libraries, including MP3s downloaded from, for instance, Napster. But they would impose constraints on the handling of new music that any label chose to issue in secure, watermarked form, whether as CDs or as digital downloads. Although consumers would still be allowed to 'rip' songs from protected CDs onto their own hard drives, and to transfer copies of secure songs from hard drives onto at least three portable devices (an attempt to honor consumers' current 'fair use' rights to copy music for personal use), SDMI-compliant players would reject secure music that had been sent over the Internet without permission via, for instance, Napster.

The Phase 2 devices would 'know' if secure music had been sent over the Internet, because secure files would be embedded with a pair of watermarks -- one 'robust' and one 'fragile.' The robust watermark would be designed to survive the compression and decompression process required to send a file over the Internet, but the fragile watermark would be designed not to. Phase 2 players would then be programmed to play files that have both watermarks, but to reject files with just the robust watermark. Phase 2 devices would also play files with neither watermark, ensuring that consumers could still play all their old, so-called 'legacy' CDs and MP3s.

ISSUING A CALL TO HACKERS

Last February, SDMI solicited proposals for technologies that could meet these requirements and 12 companies submitted bids by April. A testing committee then began to subject the candidate technologies to a battery of trials to ensure that the protections didn't affect sound quality, resisted destruction in normal use, were not so computationally demanding as to cripple player performance, and were reasonably resistant to hackers. As part of the last phase of testing, SDMI staged a public challenge last fall, in which members of the public were invited to try to neutralize the six remaining technologies under consideration -- four of which used watermarks and two of which used cryptographic protections to supplement the watermarking efforts.

The public challenge turned into yet another public relations fiasco when, shortly after its completion, a team of academic researchers led by Princeton University computer science professor Edward Felten announced that it had successfully hacked all four watermark technologies. Because Felten's team had only participated in the first stage of the multi-step challenge -- proceeding to later steps, which included verifying the sound quality of hacked files, among other things, would have required Felten to sign a nondisclosure agreement -- Chiariglione says that SDMI has been unable to assess the accuracy of Felten's claims. Nevertheless, even Chiariglione does not appear to doubt Felten's key claims, stating at a music conference last week that he would 'take (Felten's) word for it.'

Still, susceptibility to hack attack may not be the decisive factor that sinks the current crop of Phase 2 technologies. To begin with, the danger of such attack has been exaggerated, according to Paul Jessop, who heads SDMI's testing committee. 'The risk model is not missile defense,' Jessop emphasizes. Instead, the objective is only the much less demanding one of 'keeping honest customers honest. Putting a barrier in the way so a consumer doesn't steal without realizing they're doing something outside the rules.'

What could more likely prove fatal to the Phase 2 technologies, however, is their fast-approaching technological obsolescence. All of the fragile watermark systems currently being tested are premised on the assumption that compression will be required in order to send a music file over the Internet. (It is unauthorized compression that is supposed to break the fragile watermark, signaling the Phase 2 device not to play the file.) But as more and more people gain access to 'fatter pipelines' to the Internet, it may eventually be possible to send music in an uncompressed form -- defusing the fragile watermark. Accordingly, unless the Phase 2 technology is deployed very quickly, it may soon become pointless.

TIME COULD ALSO BECOME AN ENEMY

It might be possible to dispense with Phase 2 altogether, suggests one participant, while elevating the existing Phase 1 technology to a role that could accomplish many of the same objectives. The Phase 1 technology already uses a Verance Corporation watermark which can itself be encoded with commands that compliant devices could read as 'copy never,' 'copy once,' or 'copy freely.'

On the other hand, it could be that SDMI has run its course. While the record industry has clearly not yet given up on the idea of secure music, it might be ready to give up trying to accomplish it through a United Nations where every tiny principality has an absolute veto.

Perhaps it is telling that when Cary Sherman, the general counsel of the Recording Industry Association of America, is asked about SDMI's future, he emphasizes what SDMI has already accomplished -- rather than what it still has left to do.

'SDMI has established the principle that security is an appropriate component of a legitimate market,' Sherman says. 'Second, it brought together all the relevant players interested in digital music market. It created an opportunity for deal-making that has helped launch digital music. . . . Third, it created a mechanism for dialogue that we hadn't had before.' And fourth, Sherman concludes, it adopted the Phase 1 specifications, which, he claims, really represent a much greater achievement than might appear at first glance. 'It may be limited to first-generation portable devices on paper,' he says, 'but all the device manufacturers have used it as a guideline for what content companies would like to see in order to make music available in (digital download form). It created the framework. It answered the question: What are the basic principles that should serve as guideposts for legitimate digital market?'

Sounds like, to some, SDMI has already been such a success, we may not really need it any more. Watch this space.