Monday, May 10, 2010

Been Caught Stealing: One "Hacker" Exposed How Insecure "Secure" Promo Services Are

The music industry has taken a lot of hits in recent years, particularly as digital music has become a dominant force. As a result, it's now the norm for albums to find their way onto file-sharing and torrent sites well before their release date. Naturally, the industry considers this a huge detriment to potential sales. There are a number of ways that record labels have sought to stem that tide of free-flowing music online, through watermarking systems and the like meant to discourage piracy, but there has never been a completely secure process for delivering pre-release material to critics. From the looks of things, there might never be.

Since launching in 2003, Play MPE, a digital delivery system that enables invited parties to access watermarked files, seemed like the best bet. Billed as the most secure system available, it's used by major labels like Universal Music Group and Warner Bros. and indies like Epitaph and Bridge Nine to get their pre-release albums into the hands of tastemakers. Long considered the figurative Titanic of secure content delivery, the company finally encountered its iceberg. According to reports, late last month a hacker posing as a music journalist was able to access the system and found his way to a number of albums from high-profile bands that he was never intended to receive. He then leaked those records to the online public. The casual manner in which this individual strolled through the digital gates of Play MPE sent shockwaves through the industry, and it seems to be yet another blow in the inevitable cycle of new technologies being exposed as vulnerable against the onslaught of fervent music piracy. There have been many stories online alluding to the alleged events behind this breach. But what actually happened?

"A European user impersonated an Australian music reviewer and was granted an account by our partner in Australia," says Steve Vestergaard, CEO of Destiny Media Technologies, the company that owns Play MPE. "Between the labels and ourselves, we add over 200 new users per week, so occasionally this happens." While the hacker was able to spread the music illegally, he wasn't able to do so anonymously. "Our proprietary watermarking security worked as intended," says Vestergaard, who also says that previous stories written about the incident weren't entirely true. "He was identified and his account disabled within a half-hour of his upload to other users against his license agreement. He's been identified based on our security logs and because there is an active industry investigation, we're not able to comment further, except to say that you're the first one to contact us to verify the story and that stories being carried elsewhere attribute leaks to our system that didn't come from us."

The labels with music involved are now wrapped up in the investigation, he says, and Play MPE has shared forensic evidence against the alleged hacker. Due to the ongoing investigation, Vestergaard declined to comment on the steps the labels plan to take now.

So how did the breach occur? "We offer both locked access which restricts playback through our proprietary Mac/PC/iPhone players, secure access through our partners (Mediabase, RCS, internal radio network systems) and unlocked access through a direct web browser interface," Vestergaard says. "If the labels grant export rights, the song is available in unlocked form in the web browser system. The user was able to access music through the unlocked system, through an exploit, which he did not have access rights to, but that content was watermarked to identify him. The exploit was fixed at the same time his access was disabled."

An explanation from the "hacker."

A watermark, commonly used on important documents including passports and bank notes, is a recognizable pattern that can be obvious or hidden to prove the authenticity of the document. A digital watermark works in a similar way. "Music is always encoded with a proprietary watermark, which survives on air broadcast, filtering, compression and conversion to other formats, but which doesn't show up in spectral analysis and which is completely inaudible," says Vestergaard. "The technology allows any leaks to be forensically traced to the source." Although he declined to confirm the number or names of the albums that were leaked due to the ongoing investigation, he says that this is the first time a user has accessed unauthorized music on the system.

All of the labels and bands alleged to have been affected by the leak contacted for this story declined to comment. One of the reasons for that, says Cathy Pellow of Sargent House--the label behind acts like Rx Bandits, Good Old War and Omar Rodríguez-López--is because for a label, sometimes ignoring a rumored leak is the best strategy. "I don't want to answer you because I don't want more people to know it's leaked," she says.

For people in the technology world, this sort of breach involving Play MPE is an inevitability. "To say I'm not surprised is the understatement of the century," says Scott Steinberg, head of high tech consulting firm TechSavvy and AP's resident tech writer. "I'm stunned that it hasn't happened sooner." He says that any security system, no matter how high level or how complex, is subject to human error. "If you look at the supposed facts in this case, essentially what [Play MPE] had was ostensibly one of the most secure systems in the world, and yet via social engineering and the ancient art of bullshit as we used to call it back in the day, an individual was able to gain access to the system and then by simply changing the URL, he realized he could procure copies of additional albums that he wasn't intended to receive."

The bigger lesson this incident points to is that there is always going to be a way to work around security systems. "When you're dealing with digital content, no matter how secure you think it's going to be, there's always a loophole," says Steinberg. "There's always a way to crack the safe. So it's inevitable in my mind that anything that is made accessible to any group of individuals beyond a tiny small core is without a doubt going to leak. It's just a matter of when."

The interesting part about this break-in is the ease with which it was accomplished. To call what the perpetrator did "hacking" isn't quite accurate, says Kaiser Wahab of Wahab & Medenica, a New York law firm that regularly deals with technology and media issues and runs the business media blog "This guy is not really a hacker in a traditional sense," says Wahab. "A hacker is someone who tinkers with or undermines some kind of software or security apparatus--people who can break into things. This guy is more of a prankster. He didn't break any super-secure systems. He just saw that the URL was a database query and just flipped the numbers. It was like, 'Oh, a new track.'"
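The flaw described above, a record identifier in the URL that the server honours without checking who is asking, is closed by a per-object authorization check on every request. The following is an added example, not Play MPE's code: the release data, account names, `DownloadService` and the alert threshold are all constructed assumptions.

```python
"""Object-level authorization for a promo download endpoint (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    release_id: int
    title: str
    recipients: frozenset  # accounts the label invited to this release
    export_allowed: bool   # label granted export (unlocked download) rights


# Constructed sample data: sequential IDs, as they would appear in a
# hypothetical URL such as /download?release=1002
RELEASES = {
    1001: Release(1001, "Album A", frozenset({"reviewer7"}), True),
    1002: Release(1002, "Album B", frozenset({"radio3"}), True),
    1003: Release(1003, "Album C", frozenset({"reviewer7"}), False),
}


def download_vulnerable(user, release_id):
    """Flawed handler: being logged in is treated as being entitled."""
    rel = RELEASES.get(release_id)
    return (200, rel.title) if rel else (404, None)


class DownloadService:
    """Hardened handler: checks entitlement per object and logs every decision."""

    def __init__(self, releases, alert_threshold=3):
        self.releases = releases
        self.alert_threshold = alert_threshold
        self.denied = defaultdict(set)  # user -> distinct release IDs refused
        self.audit_log = []             # (user, release_id, decision)

    def download(self, user, release_id):
        rel = self.releases.get(release_id)
        allowed = (
            rel is not None
            and user in rel.recipients  # invited to this specific release
            and rel.export_allowed      # label permits unlocked export
        )
        self.audit_log.append((user, release_id, "ALLOW" if allowed else "DENY"))
        if not allowed:
            self.denied[user].add(release_id)
            # Same response for "does not exist" and "not yours", so the
            # response cannot be used to learn which IDs are real.
            return (404, None)
        return (200, rel.title)

    def enumeration_suspects(self):
        """Accounts refused on many distinct IDs: a sign of ID walking."""
        return sorted(
            user for user, ids in self.denied.items()
            if len(ids) >= self.alert_threshold
        )
```

The audit log matters as much as the check: denied requests for many distinct identifiers from one account are the signal that someone is walking the ID space.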

The problem is that Play MPE exists exactly to make something like this difficult. "This is a company whose job it is to prevent this from happening. They get paid to do this," says Wahab. "The Motion Picture Association of America does the same thing for the Academy Awards. They have these specially encrypted super-secret briefcase-with-a-handcuff type of scenarios when they deliver DVDs. What happens? They're leaked. Leaks are always going to happen."

Steinberg says that leaks like the Play MPE breach happen commonly but this one only received media attention due to its magnitude. "Is it comically inept when you see banks lose millions of addresses and governments leave laptops with top secret data lying around?" he asks. "We like to assume that the gatekeepers are all smarter than we are, that someone is in charge. But they get sleepy, they get tired, someone in IT forgets to put up a password. It's human nature. No matter how many levels of checks and balances, inevitably there's always going to be a glitch in the system."

The public at large is savvier than they've ever been, and more empowered. "We have to assume that the collective brainpower of the public at large, even when it comes to things like security, is smarter than we are," says Wahab. "Their time and resources are literally unlimited." Taking that as a given, it still behooves the industry to try to discourage this sort of piracy. But the options for using the law to prevent further digital breaches are not always clear. Because what was done here was not technically "hacking," the labels probably won't be able to go after the perpetrator with any kind of anti-hacking or encryption laws like those outlined in the Digital Millennium Copyright Act dealing specifically with the manipulation of digital rights management rules. But there is an issue with regard to terms of service. "That's an argument that Play MPE is making," says Wahab. "Any time you sign up to use any website, you agree to their terms of service. It usually says things like we can cut you off at any time and we can take certain actions if you violate these terms of service. So they can try to pursue on a contractual theory, saying you and I had a contract, you were supposed to play nice but you did not. That may be true, but if they go to court, I'm not sure what the damages will be or, in other words, what the court will say this guy actually did."

Play MPE aren't necessarily the ones who have claims against this fraudulent user. It's the copyright holders, the publishers, labels and artists who do. "Somebody has the copyright to these songs," says Wahab. "This guy, just like anybody, did not have the right to take a track and distribute it on the 'net. I don't think it's Play MPE who has the right to pursue that." In almost any country, be it Australia--where this user was pretending to be from--or the U.S. or the U.K., all of which have similar copyright laws, distributing copyrighted material is illegal. The place where this case gets complicated is that the user in question entered into the contract with Play MPE under false pretenses. "It's interesting to say, 'Oh, okay. You pretended to be a journalist but you're not, so we're gonna enforce the contract that you had no interest in following because the whole thing was a sham.'"

What court the case ends up in will likely dictate the consequences. A pro-business court, one not sympathetic to the freedom of information movement, or the "copyleft," will likely side with the music industry. Although since the perpetrator is rumored to be a teenager in Finland, the international scope of the issue complicates matters. It depends on the terms of service for any given website. Some, like Facebook, say when you sign up that you agree that if there is a lawsuit it will be conducted in the United States under United States law. "It depends on which country is going to go with it," says Wahab. "Where did the infringement even happen? If we have to fight a case in Finland, do we get to use American law? Maybe the infringement happened there, or because it went all over the net do we get to pick the one we like?"

That's the inherent issue in internet cases like this--the lack of specific geography. The global scope of music sharing makes it a difficult problem to pin down. "Generally, most albums leak before release. It's not always clear who's doing the leaking, or how," says Matt Rosoff, author of Digital Noise, a blog about music and technology. He thinks it's unlikely something like this is going to change the way labels go about distributing music. "I think labels still want to get music out to interested parties digitally ahead of release, and leaks are probably an acceptable and manageable cost. Watermarking is already used, so it's fairly easy to trace leaks back to their source. It's possible that labels and artists might stop pre-releases in some cases, but only for acts that have devoted fans who are likely to buy the album without much advance marketing."

Some, however, see the system as overall effective. Mark Kates of Fenway Recordings, the management company behind bands like MGMT and Saves The Day, says security hasn't been an issue with albums he's worked as of late. "The system works because people realize that watermarks actually work. It's a weird thing, because on a certain level it's almost like the honor system." Being too protective of your music creates a fundamental contradiction in the interest of artists and labels. "At some point, the person you're protecting against, the intended listener, is the same person who has to have access to the audio," says Rosoff. "At that point, there's always going to be a way to make a recording. The only solution would be to have no advance copies, release music to everybody at the same time. Some folks have tried that. This could work with certain artists whose fans are likely to buy whatever they put out. The problem comes when you're trying to break a lesser-known act, or hype an act without an organic fanbase, the old pump-and-dump method of music marketing."

Some artists actually consider the leaking of their record to be a boon to generating interest. "From my point of view, the leaking of tracks online is an essential part of the new music industry--especially in establishing an artist," says Rene Symonds, manager of New York production duo the Knocks. "From the point of view of an act with an eagerly anticipated pop album hoping to shift millions of units, it's a total pain in the ass. But what better way to break cool, credible, organically self-developed acts than by taking control of the leak and using it to our advantage?" His partner, Ben Ruttner, agrees. "It's due to the internet and being able to 'leak' tracks that we have built a fanbase and a following. If we had to wait on official releases or a major label, no one would know who we are." Justin Boreta of Los Angeles electronic act the Glitch Mob sees the positive side of leaks as well. "We fully embrace the leak," he says. "If our fans get hold of the album before the release date and are excited by it and want to share it with their friends, that's a beautiful thing."

That may be an outlook that more and more artists are going to have to embrace as the idea of music being free becomes even more prevalent than it already is. "Bands are helped and hurt by leaks," says Pellow of Sargent House. "For some bands, it's not helpful to have their record released so far in advance. I didn't give a shit when [Fang Island's self-titled debut] leaked because no one knew who they were, and if it hadn't leaked, no one would have found out. It actually really helped that band because it was a good album and people started talking about how good they were. Usually people who download leaks weren't gonna pay for it anyway. As long as they like the album, it can really benefit a band." From a marketing and publicity standpoint, a label will often have to change their release strategy once a record is leaked. "You change your strategy depending on how bad [the leak] is," says Pellow. "I don't think any album worth anything in the first place doesn't leak. Ultimately if there are people interested in your band, [the album is] gonna leak."

Steinberg says that's the lesson everyone should take from this incident. "I think we should all plan for these items, whether it's songs, video games, movies or TV shows to leak. There's a fine line between piracy and viral marketing, as we like to call it in this business. Maybe if there's a way, instead of selling a CD as a packaged good--a single, static experience that doesn't change--so if someone happens to leak my track, they just got one-twelfth of my final album. Maybe the better way would be to offer legitimate customers bonus content that they can access online on the back end. Maybe that's through a serial number, maybe it's going online and the disc registers and speaks with a remote server. Then the buyer gets extra tracks, remixes, photos, videos, updates and other exclusive content. Then suddenly, we've completely switched the paradigm. Those tracks that leaked actually serve to build anticipation and hype. Pass-along actually becomes a very powerful marketing tool. Instead of sitting on our eggs and worrying that a fox is gonna get in the hen house, we should assume one will. But even if he or she does, it just serves as a teaser of what's to come. If we offer more value on the back-end, we can use that leak to build buzz, and in many ways it can be more beneficial than if we sat around praying and keeping our fingers crossed."

In other words, the horse is out of the barn when it comes to the free flow of digital music and there's probably no way to stop it. "I'm taking a very unpopular position as an attorney," says Wahab. "They expect me to say that rule of law should conquer all, but I think the answer is no." There are legislative frameworks that could make this a more palatable situation for everybody and deter people from doing things like this. "But to say outright, 'Well, the law says if you do this you're going to go to jail.' Really? You're gonna criminalize some of this behavior? I don't think that's going to have a positive effect. I think that may work for a certain segment, but I don't think that's the way you want to go about it. There's a cultural war here. The more you try to make the law sharper and more aggressive, the more you're going to have young people taking it on as sort of their revolution--rightly and wrongly."

Information may end up being free in most users' minds, and that may be a reality that artists have to face, but it still doesn't make it just. "Let me put it to you this way, if you distribute music illegally, you are directly taking money out of the artists' pockets. You are stealing, there is no two ways about it," says Steinberg. "But let's be realistic about this whole thing. It's like trying to push back the ocean by flailing away with a bucket. It's just become so widespread, so casually expected, so blasé. It's human nature. I'm not going to tell you we should lynch every teenager who decides he or she wants to save 10 bucks on the latest All-American Rejects album. I don't think that's doing anyone a service."

Wahab agrees. "Artists need to eat," he says. "I don't agree that content is free. That's stupid. I'm also of the mind that the legislative apparatus is not the only thing or the best thing. In America, we have the Digital Millennium Copyright Act and it's a crime if you break it. There was a DVD encryption code for movies [but] somebody figured it out, posted it on YouTube and people were making songs out of it. It was amazing and crazy at the same time. How do you stop that? They all knew what the law was. They didn't care. Are you gonna sue all of them? It's the pied piper syndrome. Are you gonna send them all into the sea? You have to adjust the culture to make it clearer that it's wrong morally and economically. You're gonna have to try to be more creative, and I don't think using the law to become sharper is gonna help."

You can't legislate against the desire for being ahead of the curve, or to accumulate scene points by possessing an album months before release. That's the motivation that is the driving force behind most leaks, says Pellow. "I think what people aren't talking about in the conversation about leaks is that the true reason people leak records in the first place is to show off. If it's the young writer who is writing his blurb for whoever and he gets that thrill of, 'I have these records that no one else has,' he or she can't help but brag about it. Then their friend says, 'Dude, just let me have it. I'm not gonna do anything.' Then it goes down the line."

So it isn't surprising to Pellow that it was a teenager behind the Play MPE break. "It's all a quest to brag that they got the record they weren't supposed to have," she says. "I know for a fact that the people leaking records are teenagers and kids writing blogs. I don't want to say mean things about blogs, because I love anybody who's passionate about music. I just think it's really sad that the people who are most passionate about it think giving away a band's entire album is a good way to help the artist. A good way to help a band is to say, 'This is a great album. You can hear tracks here. I highly recommend you go get this album.' [They shouldn't say,] 'Here's the whole album, now you don't need to [buy it].' You're giving away the album and you're bragging. You're giving away people's property to have people come look at your opinion."

Why is it that releases from popular rock bands like Nickelback don't leak, she asks? "No one gives a fuck about bragging about having Nickelback records. But, man, if you have the new Animal Collective or whatever, and you have something you know that will get you cool points, you'll leak the shit out of it."

The only way to avoid a leak, she says, is to release a record out of nowhere with no advance notice like Sargent House does with Omar Rodríguez-López's solo output. "We just release them. We don't need to do the old-fashioned system. I call them surprise releases. All of Omar's fans and Mars Volta fans have started to get into this new thing where they just watch Twitter, because on a random Wednesday night, I'll say, 'We just put out a new album. Wanna hear it?' And they all freak. Everyone gets to hear it at the same time. No one got it special. I wish I could do it with every record I have."

Going forward it may become a more likely release scenario. When the only way to prevent a pre-release leak is to make sure no one has it, the entire way music is covered in the press may have to be altered. "You compromise your album with leaks in an effort to potentially get a review," she says. "It's kind of not worth risking."
