Wednesday, July 18, 2012

Possession is nine tenths of the law? Part 1

Posting the Mobile Device Remote Identity Proofing paper in parts seemed to work pretty well.   The paper as a whole received many more views than its two predecessors.  “Possession” is not as long as “Mobile” but lends itself to being divided in half.  The first half will focus on the problem, how to best handle Digital Rights Management (DRM), along with the associated legal principles.  Part Two will focus on the current methods of securing Digital Rights Management and PKI as an alternative.  I hope you enjoy the paper and encourage you to comment.

The Digital Rights Management Conundrum 


Background on digital media ownership

Every so often I run across a word that I have not heard before or had the occasion to use.  The latest entry in that category is Ostensible.  Ostensible is an adjective defined by Merriam Webster as:
1.       1: intended for display : open to view
2.       2: being such in appearance: plausible rather than demonstrably true or real.
I came across this word while conducting the research for this post.  It was used in the Wall Street Journal’s Law Blog while paraphrasing a 2010 decision by the Ninth Circuit Court in San Francesco.  The focus of the plaintiffs and the defendant’s dispute was money, no surprise.  The argument was based on the difference in royalties paid to recording artists.  A song that is licensed typically garners a hefty fifty percent share in revenue for the artist, conversely a song that is sold brings in far lower royalty.  The catalyst for the complaint, Apple I-tunes.  Time for a reality check; did you really believe the tens of millions of dollars spent on music, movies, books, and other publications in the I-Tune store actually resulted in ownership?  You may be thinking to yourself that darn fine print well in fact the opening statement to the iTunes licensing agreement tells it all.  

“The Products transacted through the Service are licensed, not sold, to You for use only under the terms of this license, unless a Product is accompanied by a separate license agreement, in which case the terms of that separate license agreement will govern, subject to Your prior acceptance of that separate license agreement. The licensor (“Application Provider”) reserves all rights not expressly granted to You. The Product that is subject to this license is referred to in this license as the “Licensed Application.” (Apple Inc., 2012)

The fact that the songs were licensed not sold precipitated the suit against Universal Music Group by producers affiliated with rapper Eminem.  Although the decision was not favorable for Universal Music Group it is also, at least according to them, not precedent setting as it is specific to one particular contract with a single artist.   They are obviously appealing the verdict.

In order to begin to grasp the issues it is necessary to have a general understanding of the three legal principles that have become ubiquitous in the digital media debate.


Merriam Webster defines copyright as the exclusive legal rights to reproduce, publish, sell, or distribute the matter and form of something (as a literary, musical, or artistic work).  A copyright is granted to the creator of an original expression of work; for example an author or composer.  There is more than one type of copyright, those that are registered and those that are implied. Without getting into too much detail suffice it to say that an implied copyright is granted on initial publication of the work and a registered copyright is granted by the US copyright office after the work is deposited along with application and fee.  The deposited work [sample] becomes the property of the U.S. Library of Congress.

First Sale Doctrine

First sale doctrine as applied to Copyrights allows the purchaser to sell or give away a particular lawfully made copy of the copyrighted work without permission once it has been obtained. This does not infringe the copyright owner's exclusive rights. Section 106 of the 1976 Copyright Act grants the owner of a Copyright six exclusive rights: reproduction, preparation of derivative works, distribution, public performance, public display, and digital transmission performance.  However, a Copyright owner’s right of distribution is limited by the First Sale Doctrine, as codified in Section 109 of the Act. Section 109(a) (Hyde, 2001)  First sale doctrine is an exception to the copy right.  This exception allows you to give a book to a friend or even sell it.  First Sale Doctrine enables libraries to lend books and video stores, before they started going the way of the dinosaur, to rent video’s.  First sale doctrine is not without conditions. In order to receive the afore mentioned privileges ownership must be established.  Keep in mind that ownership is not defined by mere possession which is why you cannot legally copy a rented video or DVD. 


Back in the pre-computer dark ages access to music, literature, video etc was controlled by copyright law.  During the personal computer enlightenment we were introduced to contract law as we accepted license agreements during software installation or even through the act of breaking the security seal.  The internet introduced the information revolution and really stood things on end with the Click Through License also known as a Click Wrap Agreement

Clickwrap agreements came into use when software vendors began distributing software by means other than disks, such as when the software is pre-installed on a computer for the user, or when the software is downloaded over the Internet. Upon downloading, installation or first use of the application, a window containing the terms of the license opens for the user to read. The user is asked to click either "I agree" or "I do not agree". If the user does not agree, the process is terminated. The clickwrap agreements often remove many factual questions whether the user had adequate notice of the license terms and manifested assent to them. With respect to software downloads, the clickwrap terms often are displayed at the very start of the contract formation process, although often the terms are contained in a scrollable window that requires the user to scroll down to read all of the terms. This positioning often eliminates U.C.C. Section 2-207 issues regarding agreement to additional or different terms. (Kunkel, 2002)

Statistics and Sigma Six expert Jeff Sauro confirmed a true lack of end user concern with end user license agreements (EULA).   Mr. Sauro examined a couple of thousand log records over e few different consumer software products.  He found;

 “The median time users spent on the license page was only 6 seconds! Generating a confidence interval around this sample tells us that we can be 95% sure at least 70% of users spend less than 12 seconds on the license page.
Assuming it takes a minimum of two minutes to read the License Agreement (which itself is fast) we can be 95% confident no more than 8% of users read the License Agreement in full.”

It could be argued that the sheer volume of these agreements in our everyday lives provided a disincentive in getting the end user to read them.  As digital content providers race to catch up with advances in technology the agreements compound often resulting in multiple EULA’s and Terms of use agreements for individual products.  Consider that the order of a Kindle Fire™ requires that you consent to ten different agreements with a combined forty eight pages of text (11point font, standard margins).  Disincentive or not click wrap agreements are likely here to stay and current case law is overwhelmingly in their favor.

Getting back to ostensible, you are in fact the ostensible “buyer” when it comes to electronic media.  The major providers are very aware of the propensity of people to actually read the license agreement before clicking the check box indicating “I agree”.   The media providers think of you as a buyer of a service whereas you may think of yourself as the buyer of a product.  You have no right to resell what you have purchased, in fact is difficult to lend or share what you have purchased outside of your family group in your own home and then only when using software designed to regulate that behavior.  Even if the majority of people were to read the license agreements chances are most would complete the purchase regardless of what the license agreement outlines.  This is in keeping with today’s instant gratification society. 

Monday, July 2, 2012

Mobile Device Remote Identity Proofing - Part 5 final thoughts


X.  Token activation

With all of the required elements in place all that is left is to do is to deal with the physical representation of the identity.  The federal government is currently both the largest issuer and relying party in the trusted identity ecosystem.  Programs like the Defense Departments Common Access Card (CAC), Homeland Securities Transportation Worker Identification Card (TWIC), and the Federal Standard FIPS 201 Personal Identity Verification (PIV) credential all have one thing in common.  They all require a physical token in the form of a Smart Card.  A smart card is a plastic card with an embedded microchip(s) that can be loaded with data which in turn can be secured with a Public Key Infrastructure (PKI) certificate or similar technology.  This brings us full circle to the ownership issue.  Having a physical manifestation of the identity can be perceived as a security liability issue as the risk of loss of the token is still inherent in the program. Despite this, current conventions are for token based programs.

It is not currently both technologically and economically feasible to use the mobile device directly for activation of an external token.   The device itself must fulfill that function.  This concept presupposes the phone in a role as a token.  To truly put identity management in the hands of John Q Public we must find a new cost effective way to support current IdM programs by greatly reducing or eliminating the currently accepted hardware intensive infrastructure required.  Because a secure connection between the mobile device and the back end systems, to include the certificate authority (CA), are inherent in the system architecture, it is not necessary to expound on the activation methodology for the device as a token scenario.  For activation of tokens other than the mobile device, the initial premise to be explored should be to leverage the “sync with my pc” capabilities of smart phones.  The synced device will provide application while using the PC in a limited role for network connection and attachments of peripherals like smart card readers, USB flash drives and other potential token variants.

XI. Policy

In theory, current technology supports all of the elements required for identity proofing in a remote or “mobile” environment, in a cost effective manner.  Truly widespread implementation will likely require changes to the currently accepted policy models.  For example, if the capture of information supporting a claimant’s identity is no longer the impediment perhaps it is time to change to change the assurance model to one that is based on the number and type of witnesses to an the initial claim.  Using this model the lowest level of assurance would be assigned to an identity remotely established and witnessed by a non credentialed individual.  A moderate level of assurance would be one based on the “witnessing” of the claim by an individual possessing a credential at a level being requested or higher.  A high level of assurance would be based on the “witnessing” of a specifically designated credentialed authority.  This would in essence be the modern digital equivalent of the traditional notary public.

With the more difficult issue of creation of the claimant’s profile being established, the comparatively easy step of binding the claim to the individual can be addressed.  There are both established precedents and regulatory guidance for this step of the process. Basic documentation proving citizenship for a Passport or eligibility for a Drivers License; I-9 Documentation for purposes of eligibility for employment; the more stringent PIV-I requirements; or the detailed requirements combining breeder documents, knowledge based quizzes and background investigations for PIV are well established.  

Once again camera technology and current application capabilities allow for a document such as a drivers license, passport, birth certificate, and other forms of identity to be captured at resolutions allowing for optical character recognition to be used.  This will speed the process flow and lessen the data exchange requirements between the mobile registration device and the processing program.  

XII. Conclusion 

More than 88% of consumers have made purchases online spending more than 142 billion dollars in 2010 with a 14% increase continuing to trend upwards through the 2nd quarter of 2011 (comScore, Inc., 2011). Within a few years this trend will represent hundreds of billions of dollars of transactions conducted with the barest of security protections.  The logical prophylactic to a multibillion dollar fraud epidemic is biometrics.  Based on physiological or behavior characteristics biometrics are distinctive and attributable to specific individuals.  Unlike the ubiquitous pin and password security that is commonplace in the United States biometrics carries a higher level of trust in information assurance.

It is evident that cell phone technology itself is mature enough to handle the requirements of the emerging need for strong general purpose identity management programs.  The computer age has ushered in an era where our identities, and the most intimate and valued attributes associated with them are immediately accessible on a twenty four seven basis.  Unfortunately we are still guarding our most valued possession with the equivalent of an old skeleton key.  With a little work that single key can open every door in our virtual house.  That house needs to be a vault with a strong identity backed with personal biometrics the only key.  Regardless of the threats, and the validity of the solutions, the one obstacle that technology cannot overcome is the mindset of the American individual.

Works Cited – Complete Paper (2012). The Histories of Polybius published in Vol. III of the Loeb Classical Library edition. In Polybius, The Roman Military System. New York City, United States of America: New York Times Company.

Ashbourn, J. (2000). Biometrics: advanced identity verification. In J. Ashbourn, Biometrics: advanced identity verification (pp. 4-7). London, United Kingdom: Springer-Veriag.

Bronstein, A. M., Bronstein, M. M., & Kimmel, R. (2004). Three-Dimensional Face Recognition. Technion, Israel Institute of Technology, Department of Computer Science. Kluwer Academic Publishers.

Clausen, S., & Christie, N. W. (2005). Live Finger Detection. IDEX ASA. Fornebu, Norway: IDEX ASA.

comScore, Inc. (2011, August 8). comScore Reports $37.5 Billion in Q2 2011 U.S. Retail E-Commerce Spending, Up 14 Percent vs. Year Ago. Retrieved March 1, 2012, from comScore, Press & Events :

Creamer, D. (2006). Understanding Resolution and the meaning of DPI, PPI, SPI, & LPI. Retrieved May 30, 2012, from 

(1966). In G. Deleuze, Bergsonism (H. Tomlinson, & B. Habberjam, Trans.). New York, New York: Zone Publishing Inc.

FBI Biometric COE. (2010, April 27). FBI Biometric Specifications FAQ. Retrieved May 31, 2012, from FBI Biometric Center of Excellence:

Foresman, C. (2012, March 2). Innovation or hype? Ars examines Nokia's 41 megapixel smartphone camera. Retrieved March 5, 2012, from arc technica:

Indovina, M., Hicklin, R. A., & Kiebuzinski, G. I. (2011). Evaluation of Latent Fingerprint Technologies: Extended Feature Sets [Evaluation #1]. U.S. Department of Commerce, National Institute of Science and Tecnhology. Washington D.C.: US Government Printing Office.

Jain, A. K., Flynn, P., & Ross, A. A. (2008). Handbook of Biometrics. New York, NY, USA: Springer Publishing Company.

Jain, A., Hong, L., & Pankanti, S. (2000, February). BIOMETRIC IDENTIFICATION. (W. Sipser, Ed.) COMMUNICATIONS OF THE ACM , 43, pp. p. 91-98.

Javelin Strategy & Research. (2012, February). ITAC Research and Statistics. Retrieved June 5, 2012, from ITAC:

Lee, S., Lee, C., & Kim, J. (2008). Image Preprocessing of Fingerprint Images. Biometrics Engineering Research Center at Yonsei University., Korea Science and Engineering Foundation, Seoul, Korea.

NIST. (2003, February 11). Both Fingerprints, Facial Recognition Needed to Protect U.S. Borders. Retrieved March 5, 2012, from NIST; Public and Business Affairs:

Ortega-Garcia, J., Bigun, J., & Reynold, D. (2004). Authentication Gets Personal with Biometrics; Increasing security in DRM systems through biometric authentication. IEEE Signal Processing Magazine , 1053-5888 (04).

Schmandt-Besserat, D. (1977, June). The Earliest Precursor of Writing. Scientific American , 238 (June), pp. 50-58.

Sinha, P., Balas, B., Ostrovsky, Y., & Russell, R. (2006). Face Recognition by Humans: Nineteen Results All ComputerVision Researchers Should Know About. Proceedings of the IEEE , 94 (11), 1957.

Wing, B. (2011). Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information. US Department of Commerce, National Institute of Science and Technology. Gaithersburg: US Government Printing Office.