On Sept. 15, the Secure Digital Music Initiative issued the "Hack SDMI" challenge, offering enterprising hackers $10,000 if they could successfully break the proposed SDMI watermarking system. The response from the hacker community -- led by vocal leaders of the open-source software developer community -- was immediate, negative and even vicious. Everyone from the editor of Linux Journal to the readers of Slashdot to the founders of the Electronic Frontier Foundation lashed out against SDMI. If they weren't denouncing it as a corporate attempt to freeload off of hacker brainpower, they were railing against the damage SDMI would wreak on the possibilities for online distribution of music.
But hackers aren't the only people unhappy with SDMI. The hack-SDMI challenge is revealing deep fissures within SDMI itself -- a rift separating the technology companies charged with implementing digital watermarking from the entertainment companies that want their music protected now. Specifically, the technology companies are convinced that the watermarking "solutions" SDMI has created are fundamentally flawed.
A successful effort by hackers to break the watermarks, suggest representatives of some of those technology companies, might jeopardize almost two years of work by the coalition of record labels, consumer electronics companies, technology start-ups and computer manufacturers that makes up SDMI. But this wouldn't necessarily be a bad thing.
I spoke with half a dozen SDMI project members, all of whom requested anonymity. All hailed from computer, software or other technology-related firms; all were disgusted with SDMI and the so-called solutions the recording industry is pushing. For them, the hack-SDMI challenge is a huge opportunity. Some of SDMI's geekier members are actually rooting for the hackers to bust all the different watermarks. They want to return to square one -- and possibly be forced to come up with new models for music distribution that would be both consumer and artist friendly.
For two years, executives at these technology companies have watched in frustration while the record labels have strong-armed the SDMI project to conform to their own ideas of the future of digital music. Although many of the participating technologists say they do want to help build an online music industry, they think that so far SDMI is going about it in entirely the wrong way.
In the words of one frustrated member: "I'm completely amazed at the idiocy of the open-source movement in opposing ["Hack SDMI"]. If I were a hacker or an open-source person and I didn't like what SDMI is trying to do, I would think that I would want to break the technology -- to make sure that it doesn't work, and to make sure that it doesn't get implemented." After all, if watermarks fail, there is nothing else for SDMI to fall back on: "Not breaking it is the worst thing they can do. If they break SDMI, there will be nothing to implement."
Or, in the words of another insider: "The only people who like SDMI are the record labels and the companies trying to sell them technology ... [The rest of us are] mainly there to prevent bad things from happening; I would say this is most of the participating computer and consumer electronics companies, if not all of them."
December 1998: The record industry is in turmoil. The sudden explosion of the MP3 movement has surprised the slow-moving labels, and millions of music fans are already trading bootleg MP3s. The first commercial MP3 players are hitting stores across America -- now you can take your collection of MP3s anywhere you want, far away from your desktop. A panicky Recording Industry Association of America, representing the country's major record labels, slaps Diamond Multimedia with a lawsuit claiming that Diamond's Rio MP3 player is helping music fans traffic in pirated tunes.
But the RIAA is also working behind the scenes, hoping to wrest back control of a distribution medium it sees slipping out of its grasp. In December it announces the formation of SDMI, a "working group" helmed by MPEG compression technology pioneer Leonardo Chiariglione and entrusted with the job of figuring out a way to "protect copyrighted music in all existing and emerging digital formats and through all delivery channels." The companion press release includes a long list of technology and hardware companies that are supposed to be supportive of the initiative -- AOL, AT&T, IBM, Lucent, Matsushita, Microsoft, RealNetworks, Sony, Diamond Multimedia, Headspace, Iomega, Liquid Audio, Samsung and Texas Instruments.
Today, not quite two years later, technology industry support for SDMI has weakened, according to representatives of some of the participating companies. Now they are saying that most of them scrambled to join SDMI only because they believed the alternative was soliciting interference from the federal government.
"We weren't very happy about getting involved," explains one computer industry member. "We would have preferred to have a more serious discussion with the record industry about what rationally can and can't be done to limit unauthorized copying of music. But they wanted to create this huge forum with all these participants, and Leonardo the Great leading it."
The picture attendees paint of the past 18 months of SDMI meetings isn't pretty. Bickering was rife, thanks to rooms full of representatives of companies with competing products and interests and executives who displayed what one observer called a high "blowhard factor." Some SDMI members described Chiariglione as an "autocratic" executive director prone to tirades; others complained about the glacially slow pace of decision making.
Today, the list of SDMI participants is a who's who of the technology and recording industries, featuring 175 companies ranging from Nokia to Napster, Universal Music to ASCAP, Compaq to Intel. But the responsibility of making SDMI work was placed squarely on the shoulder of the technologists. Says one member: "The labels looked to the computer industry to really carry the burden here of stopping digital music; they didn't know how to do it themselves and they blamed us for the position that they're in today. It's been a struggle to be cooperative and address their concerns, but bring realism to this whole space."
The problem that the record industry chose to focus on is the basically insecure nature of the compact disc. Right now anyone can copy a CD's contents and distribute it across the Net. SDMI's solution was to propose a watermarking system that would be built into future CDs and read by software and hardware devices. Anyone who downloaded a pirated MP3, for example, would find that his SDMI-compliant software wouldn't read that watermark and would refuse to play the song.
Several of the participating technologists believed SDMI's solution to be a futile waste of time. Watermarks, many geeks feel, can and will always be broken. The proposed watermarking systems are also inherently not consumer friendly, say some SDMI members. Instead of trying to deal with the problem of insecure CDs, suggested several representatives, SDMI should be focusing on encryption and digital rights management systems that could be used for new digital music.
But that wasn't going to happen. SDMI had devolved into a futile attempt to protect something that couldn't be protected; but the record labels still felt obliged to try. As one member explains, "The record industry has a business valued in the tens of billions built around selling music on plastic. What they might see in revenues over the next few years in terms of electronically distributed music is not great enough to make them shift their focus to that yet."
So what has SDMI come up with, after two years of work? A complex and convoluted watermarking system, contributed primarily by Verance (an SDMI member company that specializes in watermarking technology). In Phase 1, SDMI-compliant devices (such as digital music players) will be sent out into the marketplace; and in Phase 2, SDMI-compliant music (CDs and digital music) with watermarks will go on sale. The system will limit when and how you are allowed to play watermarked music. And for the system to work, consumers with SDMI-compliant devices will have to download additional SDMI software.
SDMI-compliant players will let consumers play their MP3s, but this is a concession that hardware companies had to battle fiercely to win. Even so, according to SDMI members, early tests of some watermarked music showed an audible degradation in the quality of the sound.
The technology companies were biased against watermarks from the beginning for other reasons, too. Watermarks are expensive to implement, stretch the resources of one's computer and make copying CDs more time-consuming. And they aren't at all consumer friendly -- as one insider puts it, "From a consumer standpoint, the only thing this watermarking system does is not let you play you music."
Talal Shamoon, who heads up SDMI's "perimeter technologies" working group, disagrees with this assessment. "The record industry is extremely sensitive to consumer experience," he says. "I'm confident that the technology that's chosen will go through enough testing to guarantee that it's a good consumer experience."
Shamoon is convinced that SDMI-compliant music will permit anything except downloading and playing pirated files -- an assertion that has been virulently dissented by the Electronic Frontier Foundation.
In any case, the companies building SDMI-compliant hardware and software music players are in a no-win situation: They will be forced to pay millions in licensing fees for a watermarking system that might not even work, and will undoubtedly anger consumers. And since hardware SDMI compliance is voluntary, there will almost certainly be companies that choose not to comply, putting those that do comply at a disadvantage. If consumers have an option to purchase an entertainment system that doesn't follow SDMI guidelines, why will they opt for an SDMI-compliant system that limits what they can do with their music?
Most important, few experts believe that watermarks are a good way to protect music. Most technologists I spoke to think that watermarks can easily be broken; already, various bulletin boards boast posts from programmers declaring how watermarks can be cracked.
"The whole focus on using watermarks to screen music is not wise use of resources -- it's expensive, doesn't provide good protection from content and I suspect we'll discover the watermarks are easily broken," says one member. He pauses, and adds: "I'd be shocked if they weren't easily broken."
At the "Hack SDMI" Web site, visitors can currently download six different music files. The challenge is to eradicate the watermark from the files without causing any significant degradation to the music. If you succeed in doing this -- and supply detailed information to SDMI about how you did it -- you can win up to $10,000. (Alternatively, you don't have to provide this information, but you won't win the money.)
No one remembers where the concept of the hacking challenge originated, but everyone I talked to agreed that it was a good idea -- even if some of them claimed that from the beginning they saw the hacking challenge as a great way to undermine the mess that was SDMI's watermarking "solution."
"The record companies wanted the test to see how effective the technologies are -- but the record companies didn't understand fully that all the technologies are going to be broken," explains one member. "They just wanted the most secure system, and wanted to see which ones were going to be broken. But the technology companies knew that all of them would be broken."
Then came the call to boycott the hack-SDMI challenge. Those SDMI members who had been secretly hoping that hackers would breeze through the challenge and prove once and for all that SDMI was wasting its time were dismayed. If the system wasn't tested and broken, SDMI would forge ahead and release a solution that many considered fallible.
So far, the boycott hasn't completely staved off interest. As of Sept. 27, there had been more than 17,500 downloads of the files and 150 uploads of possible breaks. One SDMI member reported that the breaks so far have been of a variety that would be very simple for other users to copy: "From what we're hearing, it sounds like the technologies that have been broken so far are using fairly easy means, [like] audio software that's easily available for download. This isn't rocket science." But there's also concern that if hackers stay away in droves, perhaps one or two of the watermarks won't be broken -- in which case SDMI will steam ahead with its "proven" solution and cost the technology companies millions of dollars in implementation costs. And worse, consumers will face a system that makes it harder to listen to music.
But if SDMI is broken, insiders say, a number of things could happen. SDMI could go ahead and try to implement watermarks anyway. Or the watermarking companies could take a look at the ways the hackers broke those marks, and then try to fix them before release -- although several of those I spoke with thought this was a relatively futile task.
Stanton McCandlish, advocacy director for the EFF, believes the latter option is most likely. As he angrily explains, "The industry is trying to get the people who actually could crack their system to try until they fail, and then SDMI knows they've got a winner. If the six [watermarks] they picked initially don't work, they can pick a seventh or eighth or ninth or 10th that does work. It's all just math -- at some point you get an algorithm that works."
But those inside SDMI believe that the breaking of all the watermarks would mean that SDMI would have to start again from scratch -- if it has the energy to start again at all. That will force a major rethinking on the part of the companies, opines one member. "Everything SDMI has done has been based on watermarking being the way to protect legacy content -- or CDs, in short. We'd be going back to square one."
Even Shamoon, chairman of the perimeter technologies working group at SDMI, thinks that "if they are all broken, as a group we'll either have to issue another call for new [watermarking] technologies -- not everyone in this space has bid, and some will be enticed to bid again -- [or] the other option is to look at a completely new protection paradigm for the screening operation. There are other options that have been discussed."
SDMI could go back to the drawing board and come up with new ideas -- such as, for example, focusing on encryption and rights management systems rather than watermarking. Or it could just give up altogether; after all, the fast pace of digital distribution advances online suggests that natural market forces will move faster than any interindustry coalition. It may simply be impossible to find a standard that will stay ahead of ever-accelerating digital music technology. As one member posits: "If SDMI continues to search for something that simply doesn't exist, then you have to wonder, Why continue this process? I'm skeptical."
Is the disaffection within the ranks of SDMI news to the record industry? Probably not: As one person puts it, "I think they know. We've made our disdain for SDMI fairly clear. We hope that we are proven correct that the technologies are breakable; that's what we've been telling them for quite some time now."
Hackers afraid of getting co-opted, record labels desperate to protect their intellectual property, technology companies anxious to avoid sinking millions into an unworkable system -- with so many divergent voices on the issue, common ground is hard to find. But there's some room for optimism. If SDMI's "solution" proves not to be a solution at all, perhaps it will instead be a wake-up call declaring that it's far past time to start focusing energies elsewhere.
Which, the frustrated technologists insist, is their ultimate goal. They may have joined SDMI in part to protect themselves; but they are also in it, they say, because they truly want to help shape the future of digital music -- a future in which artists get justly compensated for their work. As one insider explains heatedly, "There's two reasons tech companies are in SDMI: One is to not get fucked, and the other is to make sure there's a viable music industry online. The only way to do that is if artists feel that making music is worth their time." And artists will only feel it's worth their time if they believe that their music is somewhat secure, and that they'll get paid for their efforts.
It's easy to be cynical when anyone, excluding the artists themselves, declares that making things right for the artists is a primary goal. And given the current turmoil, one could also be cynical about the possibility that SDMI will ever come up with a timely, easy-to-use system that consumers and artists and record labels and technology companies all enjoy.
Representatives of the technology companies are currently throwing up their hands in frustration, but SDMI's party line is that it hasn't given up hope yet: "There are definitely people who attend SDMI who wish it would drop dead," sighs Shamoon. "It's a constant debate, an evolution. But the dissension fuels the consensus."
Or maybe dissension obliterates the consensus. Whatever the case, hackers who are sure they are doing the right thing for online distribution of music by boycotting the hack-SDMI challenge might want to consider rethinking their stance.