Wednesday, 14 October 2015

DRM in JPEGs

wsprodlg_tis11 The group that oversees the JPEG standard (The Joint Photographic Expert Group, apparently) is considering adding DRM to the standard.  This would mean that images could force your computer to stop you from uploading the pictures elsewhere.  Software that displays JPEGs would have to make decisions about whether or not to do so based on whether it thinks you’re allowed.

The EFF’s Jeremy Malcolm is on it:

EFF attended the group's meeting in Brussels today to tell JPEG committee members why that would be a bad idea. Our presentation explains why cryptographers don't believe that DRM works, points out how DRM can infringe on the user's legal rights over a copyright work (such as fair use and quotation), and warns how it places security researchers at legal risk as well as making standardization more difficult. It doesn't even help to preserve the value of copyright works, since DRM-protected works and devices are less valued by users.

So why are they considering it?

Currently some social media sites, including Facebook and Twitter, automatically strip off image metadata in an attempt to preserve user privacy. However in doing so they also strip off information about authorship and licensing.

A reasonable concern, but as Malcolm points out, a shitty solution. A better one would be for platforms to allow users to control what metadata is stripped out and what is left behind.

This doesn't mean that there is no place for cryptography in JPEG images. There are cases where it could be useful to have a system that allows the optional signing and encryption of JPEG metadata. For example, consider the use case of an image which contains personal information about the individual pictured—it might be useful to have that individual digitally sign the identifying metadata, and/or to encrypt it against access by unauthorized users. Applications could also act on this metadata, in the same way that already happens today; for example Facebook limits access to your Friends-only photos to those who you have marked as your friends

We encourage the JPEG committee to continue work on an open standards based Public Key Infrastructure (PKI) architecture for JPEG images that could meet some of the legitimate use cases for improved privacy and security, in an open, backwards-compatible way. However, we warn against any attempt to use the file format itself to enforce the privacy or security restrictions that its metadata describes, by locking up the image or limiting the operations that can be performed on it.

That way, madness lies.

Something else I learned from that article; apparently scanning, photocopying and image editing software is hardwired to prevent you from scanning banknotes.  Whose great idea was that?

No comments:

Post a Comment