Archive for the ‘Opinion’ Category
The Finite Manpower Problem: Or why we surprisingly cannot do everything at once
I’ve been afflicted by this very problem myself lately, which is why this post has been sitting in my head (along with a slight hangover) for the last few days.
It should go without saying that a single developer can only achieve X number of features/fixes/improvements in Y time (and not every value of X is equal), but the moment you substitute “X” with specific feature names, it suddenly becomes an urgent priority for everyone to stop what they are working on and get that done, to hell with everything else - although we want that too … and a pony.
The facts of life
The reality is - we’ve got a finite amount of time, a finite number of developers, and a not-quite-so-finite list of features and improvements we have to spend time on, which means we prioritise stuff. We say “We think stability is a prerequisite before you go about implementing an example micropayments system.” - and with good cause: if the system didn’t have that prerequisite stability, why the hell would you trust it to handle important or sensitive information?
This is not to say some of us haven’t devoted time to thinking about it, it’s just that we each have our own ideas about what we think is important, and unless you are actively assisting in some capacity (food, booze, code, testing, etc), your personal wish list probably isn’t going to get any attention.
It’s harsh - but there it is. At the end of the day, each developer has a finite amount of time to work on projects, and when they are working on things - there is a strong chance that a specific goal is in mind and needed. If you want to change that goal, you either must have a convincing reason that that person is interested in and agrees with, or you need to provide an incentive to compensate for time that would otherwise be spent elsewhere. It’s also quite possible to just get in there, and do it yourself then submit those changes back.
Backseat Driving
There’s a lot of developers working on the OpenSim project - and each of them has their own ideas, goals and projects. Some of them are working on commercial projects that rely on OpenSim - and hence have some very specific feature and stability requirements that they work on. Others have more free rein by virtue of doing this in their spare time. There is a common misconception that the OpenSim team has an agenda - there’s somewhere around 200 developers on the project, which means there’s 200 sets of agendas.
Right now, my personal agenda (which by proxy does carry a little across to what the DeepThink developers are working on) looks something like this:
- Abstract login and client initialisation to a more generalised interface to allow third party login and authentication routines to be fitted more easily as loadable DLLs.
- Find where we have remaining hard-coded references to LLClientView bits and bobs, and recode them in a more vendor neutral manner.
- Have a look at some of the terrain control issues reported on the mailing list recently.
It’s a pretty short list - this list gets revised, updated and changed pretty regularly based on what I need to do at the very moment, it’s the same for a lot of the other central developers - they are built on a task-by-task basis.
So - if you have a feature you really want to see happen, that you really think is important we tackle and address, your options include:
- Do it yourself - the code is there and we don’t bite when it comes to new contributions. (Just as long as the code matches our other guidelines about quality, modularity, etc.)
- Convince someone to do it for you - this is the hardest of the options since we’re already very busy as a group, but it’s certainly possible. Make a convincing argument - it helps if you can research it and break it down into specific tasks. (“Improve stability” is not a task - “Fix crashes when/while XYZ happens” is.)
- Hire someone to do it for you - it’s an option on the table too. There’s a lot of developers familiar with the codebase now, lots of them are looking for beer money and can implement your pet project or ideas for a fee.
So in conclusion - if you have something you really think is important, really want to see - think it through, ask yourself “Is this more important than what people are working on already”, “Is this something that OpenSim is ready to support”, “Is this important enough that I am willing to work to see it done?”, and finally “If no-one thinks it’s that important, ready or <insert reason here>, am I willing to pay to see it happen?”. Because at the end of the day, features take time, and time is a non-renewable resource - people like to see it invested wisely.
The World Wide 3D Web
Justin recently wrote an article about the likelihood of the concept of a “Grid” to vanish fairly completely. I think he’s bang on there and I expect to see things play out fairly similar to how he describes. The reason for this is that the concept of a “Grid” is completely and utterly irrelevant in the long term.
What?
I suspect in the long term, some of the models presented by alternate virtual worlds (Croquet in particular) are largely correct. While the ability to “load balance” a larger 3D space across multiple servers by partitioning the geometry accordingly is a very valid feature - it restricts you to creating giant contiguous landmasses.
And I don’t think this is something either users or companies want.
The analogue with the traditional web is the concept of somewhere like Geocities - under the contiguous space model, every user from Geocities has their webspace crammed right next to someone else’s, and you can see it whether you like it or not.
If someone makes any parallels here with the Second Life™ Mainland, you are probably right on target - it’s probably one of the reasons that Private Islands in Second Life eclipse the number of mainland regions. Now that’s not to say that users won’t want to congregate together on occasion - consider the Steampunk themed Caledon sims - but in that case it is strictly by choice, and not representative of the majority of users.
Supporting both is of course a priority - but I suspect in the long term that the arbitrary collections of regions won’t be crammed together. Most will be linked by the same technologies that link the internet today - IP and DNS, and any organisation will be built on top of that rather than the concept of the grid itself.
So what about users?
Right now - the single most inconvenient factor to visiting the OpenSim grids today is the requirement that you create a user account before visiting. Unlike email where you can login with a single username and send a message anywhere - you need a separate account for each server you want to visit.
If we separate these out (as the AWG OGP spec does) we get to the point where your username comes from someone like an email provider (ISP, Free Hosting site, etc), and the regions are separate things that you can connect to like visiting a webpage.
In this case, grids become groups of commonly themed regions that are visitable with either commonly themed URLs (ogp://grid.com/regionname/x/y/z/) or contiguous landmasses and not much more.
One of the beauties of the internet’s design is that you only need a single number to represent every server connected (an IP address), there’s millions of servers connected each with their own address - if you tried to organize those millions of servers into a set of finite artificial constructs, you would probably fail - the operators of those servers tend to like to run their own environments and not be reliant on other people for stability and uptime (there’s a bit of a commercial incentive there).
Why proposing things that rely on grids is probably a bad idea
There’s been a lot of suggestions lately about things like content enforcement being locked to a specific grid for example. The catch here is that there’s potentially one “grid” for every independent region online under the AWG spec. Only places such as the Caledon-equivalents are forming grids with multiple servers in them.
In this case the question becomes - if grids are not a good analogue for the operator group, what is? The answer here is probably the hosting companies. While I don’t have a firm number here - I’d say that probably 50-80% of the web hosting on the internet today is done by a small group of companies and their resellers (1and1, GoDaddy, etc) - and those are the groups you will want to get contracts for enforcement with.
The remainder may sign onto the contracts, but you can easily get the large groups with a smaller amount of effort just by hitting the hosting companies.
Hypothetical Permissions
Usual disclaimer: This is a personal opinion piece, it represents my views alone and may not represent that of any colleagues. It’s fairly long and rambling too.
No, I’m not going to be discussing DRM / Copy protection’s feasibility again - I’ve done that enough lately, and really there’s not a whole lot new to say on the matter - if you can put it in a contract, you can then enforce it. I’ve spelled that one out before.
This post is to explore some options for some permissions that can realistically survive other people hosting regions for themselves, and stand a reasonable chance of being respected. The inspiration to this post being a musing on the validity of ‘no-mod’ and ‘no-copy’, in both cases these permissions tend to stick in the way of what a consumer wants to do with a piece of content, and in both cases the permissions are fairly arbitrary.
I’m looking a lot at the past for ideas here - the web itself actually has some very strong analogues to where virtual worlds are heading, and surprisingly enough these kinds of permission games have been played out before there.
As with everything there is a bit of a balance here - evading the permissions model is always going to be fairly trivial for someone with a few skills, video game piracy still occurs - even when the copy protection schemes get so onerous that there have been claims it’s physically damaged hardware. If one makes the permissions too tight, it’s going to dissuade legitimate consumers, and inspire others to break it.
Thou shalt not modify.
Let’s start with no-mod, and first examine why creators use this permission. There are two big reasons that seem to spring up when discussing this permission with content creators. First - any object with mod permissions can be cloned via scripts (or manual copy-by-numbers), and Second - the creators have a desire to develop a brand image around their products being recognizable, or have a secondary market for product modifications.
The first reason is more of a problem for “no-copy” - I’m going to leave that for when I touch on no-copy, since it’s fundamentally that trait they want, not denying consumer customization rights. The second is potentially more understandable - consider the example of a major motion picture company offering free content - for their intents they want it to stay the same, keep logos and trademarks, etc.
So what can you replace this with? Well first the potential exists for marking whether something is original or not - that much can be done with a form of ‘object hashing’ (or fingerprinting). Determining whether something is identical to how it was shipped is actually a lot easier than determining if something is a derivative of it.
This means that potentially if you ‘travel’ with the modified component, recipient servers can say “Hey, this looks unauthorized. I’m not letting you bring that in here”. These checks are easy and hopefully efficient enough to do.
When on a user’s own server in their own environment however this one is effectively unenforceable - trying to prevent users modifying content on their own servers is akin to trying to prevent someone from modifying an image that’s stored on your local machine.
Sure modifying it might be more difficult than the original creation (without layered source files, etc), but all the pieces are there and certainly a degree of blunt force can be applied.
On the inverse however - I’d like to suggest that perhaps this isn’t something you actually want to do 90% of the time. Returning to my analogues - let’s assume you are producing landscaping objects, something to decorate a scene with. The closest equivalent is that of the website template or stock imagery. While the composition is an important factor in the development of the scene, most people are going to want to customize it slightly - the best users are going to be the ones who do major customizations and bring their own flair into the design. It’s possible to then point to these customized versions in your own marketing (Hey you can do this!).
So expressing this in permissions, we have a few new options potentially for legitimizing user behavior while at the same time marking what the creator will/will not allow.
Please note - by suggesting these I am not saying anything different to what I have before. Permissions are at their heart completely unenforceable without legally binding contracts dictating their use, in which case those contracts are enforceable, not the permissions.
- Plain No Modifications Allowed - This one is pretty broad, but it’s still somewhat valid in its construction. Enforcement requires some legal magic - but technical enforcement alone is a toothless tiger.
- No Transmit Modify - Consider this the situation above where you can customize it on your own space legitimately. The permission is that you can’t transmit it to other servers or users in a modified state.
- Attribution Required - Modified objects must contain an original creator tag that can be examined by visitors and observers. Any attribution built into the objects themselves should not be removed.
- Modification Limited To - A list of attributes on the object which can be modified (such as say color, size/dimensions, etc) but leaves the rest of it marked as no-mod.
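The ‘object hashing’ check a recipient server could run for these permissions, as an added example that is not code from OpenSim or from the original post. The manifest layout, the permission names as strings and the attribute names are assumptions; the manifest is assumed to come from the creator over a trusted channel.

```python
import hashlib
import json

def object_hash(prims, ignore=()):
    """SHA-256 over a deterministic serialisation of the primitive group.

    Attributes named in `ignore` are left out, so they may change freely
    without changing the hash.
    """
    cleaned = [{k: v for k, v in p.items() if k not in ignore} for p in prims]
    blob = json.dumps(cleaned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def make_manifest(creator, prims, permission, modifiable=()):
    """What the creator ships alongside the object (hypothetical format)."""
    return {
        "creator": creator,                 # kept for "Attribution Required"
        "permission": permission,           # "no-mod", "no-transmit-modify",
                                            # or "modification-limited-to"
        "modifiable": sorted(modifiable),
        "full_hash": object_hash(prims),
        "locked_hash": object_hash(prims, ignore=modifiable),
    }

def admit(manifest, prims):
    """Decision a receiving server makes when the object 'travels' to it."""
    if object_hash(prims) == manifest["full_hash"]:
        return "accept: unmodified"
    if manifest["permission"] == "modification-limited-to":
        locked = object_hash(prims, ignore=manifest["modifiable"])
        if locked == manifest["locked_hash"]:
            return "accept: permitted attributes changed"
        return "reject: locked attribute changed"
    # "no-mod" and "no-transmit-modify" both refuse a modified object here;
    # they differ only in what the owner may do on their own server.
    return "reject: modified"

# Constructed sample object: a two-primitive chair.
CHAIR = [
    {"shape": "box", "size": [1.0, 1.0, 0.1], "color": "brown"},
    {"shape": "cylinder", "size": [0.1, 0.1, 1.0], "color": "brown"},
]
MANIFEST = make_manifest("Example Creator", CHAIR,
                         "modification-limited-to", ["color"])

if __name__ == "__main__":
    recoloured = [dict(p, color="red") for p in CHAIR]
    resized = [dict(CHAIR[0], size=[2.0, 1.0, 0.1]), CHAIR[1]]
    for label, obj in (("original", CHAIR), ("recoloured", recoloured),
                       ("resized", resized)):
        print(label, "->", admit(MANIFEST, obj))
```

An exact hash answers only "is this identical to what was shipped, outside the permitted attributes"; it says nothing about derivatives.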
Thou shalt not copy.
This one is a little tougher to enforce, and I’ve gone into great detail about copy protection before. The heart of this permission is to make sure that content is licensed for a single usage at a time - traditionally there are two types of enforcement on this in Second Life: “no-copy+trans”, meaning there is a singular copy of this item which can be transferred to another user, and “copy+no-trans”, the inverse: you are allowed unlimited copies, but not allowed to transmit them to other users. In both cases the goal is that only one user can use the content at a time, and if more want it they need to pay for it.
It’s possible here to think of some new permissions which actually fit these roles better - consider the idea of a license. You have a license to use piece of content X. This license can be transferred to another user, however you then lose the ability to use “X” until you acquire another license.
No-copy doesn’t have many analogues with the web itself, the major reason being that on digital computers it’s actually impossible to “move” something. “Moving” is actually “make a copy, then delete one”, enforcing singular copies of a license is very difficult.
The closest we can find is content protection used on Video, Audio and similar - be it through iTunes or somewhere else. In this case, the analogue isn’t very good since in those cases you are explicitly denied from transferring the content to another user. Full stop, end of discussion.
Perhaps a better analogue comes from cryptographic keys - companies such as VeriSign maintain something called a “Key Revocation List” which is the list of keys that they have removed from active service - while those keys still work, if someone does a lookup on the KRL for it they will say “Hey wait a moment, that’s not valid.”
Licenses then become something that is authorized through a monolithic provider (either run or contracted by the original copyright holder to handle the licenses). If you wish to transfer a piece of content, you let the provider know you are transferring it to X. The provider revokes your license and grants a new one to the new holder - licenses can be checked before content is transmitted to a new server, and the server can decide whether to accept it or not based on the results of the license server’s check. (Of course the server might just ignore those results too.)
It is also possible to consider some alternate “no copy” bits here too - such as allowing the content to be licensed on a “per-server” rather than “per-user” basis. Certainly commercial content is likely to be licensed in such a manner since it handles ‘group usage’ better.
Potential permissions?
- Singular Usage Only - Only a single copy of the item may exist. To enforce this serial numbers will be required on the item (This is #17). This is equivalent to the “no-copy+trans” permission in SL today, of course there is the concern about content being deleted accidentally, etc, so mechanisms need to exist to replace lost content.
- Singular User Only - This content is licensed to a single specific named user. No other users may use this license, however this user may make copies for their personal use.
- Singular Server Only - This content is licensed to the server located at W.X.Y.Z, or addresses in the range W.X.Y.Z/24. In English - a single server or group of servers only. Transferring out of this range is explicitly not allowed. Within this range unlimited copies may be allowed.
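The revoke-and-reissue transfer described above, with the per-server range check, as an added example that is not part of the original post. The `LicenseRegistry` class, its method names and the verdict strings are hypothetical, and the addresses are documentation ranges used as constructed sample data.

```python
import ipaddress
import secrets

class LicenseRegistry:
    """Hypothetical licence provider: one active licence per serial number."""

    def __init__(self):
        self.active = {}       # serial -> (licence id, holder, network or None)
        self.revoked = set()   # licence ids removed from active service

    def issue(self, serial, holder, network=None):
        if serial in self.active:
            raise ValueError("serial already has an active licence")
        licence_id = secrets.token_hex(8)
        net = ipaddress.ip_network(network) if network else None
        self.active[serial] = (licence_id, holder, net)
        return licence_id

    def transfer(self, serial, licence_id, new_holder):
        """Revoke the current licence and grant a fresh one to new_holder."""
        current = self.active.get(serial)
        if current is None or current[0] != licence_id:
            raise PermissionError("not the current licence for this serial")
        self.revoked.add(licence_id)
        del self.active[serial]
        net = str(current[2]) if current[2] is not None else None
        return self.issue(serial, new_holder, net)

    def check(self, serial, licence_id, user, server_ip):
        """What a receiving server asks before accepting the content."""
        if licence_id in self.revoked:
            return "deny: revoked"
        entry = self.active.get(serial)
        if entry is None or entry[0] != licence_id:
            return "deny: unknown licence"
        _, holder, net = entry
        if holder != user:
            return "deny: wrong holder"
        if net is not None and ipaddress.ip_address(server_ip) not in net:
            return "deny: server outside licensed range"
        return "allow"

if __name__ == "__main__":
    reg = LicenseRegistry()
    # Item #17, licensed to alice for servers in 192.0.2.0/24 (constructed).
    old = reg.issue(17, "alice", "192.0.2.0/24")
    print(reg.check(17, old, "alice", "192.0.2.10"))
    new = reg.transfer(17, old, "bob")
    # alice kept a copy of the bits, but her licence no longer verifies.
    print(reg.check(17, old, "alice", "192.0.2.10"))
    print(reg.check(17, new, "bob", "192.0.2.10"))
```

The registry can only report a verdict; whether the receiving server acts on it is still that server's choice.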
Thou shalt not transfer.
The last permission is the concept of transferring your license to other users. Secondary resale markets, etc. Certainly a number of creators embrace the resale model and provide bulk packs of content for resellers.
This is pretty simple and I’ve described it above. The permission is pretty simple too - and potentially you could enforce more complex licenses (such as say a viral license) through this mechanism.
The permissions here?
- Transfer not allowed - License transfer is expressly forbidden.
- Unmodified Transfer Allowed - License transfer forbidden if content is modified.
- Modified Transfer Allowed - License transfer only allowed if the content is sufficiently modified (the “stock photos” license).
- Transfer allowed only under these terms - You cannot modify the permissions if you wish to transfer this item.
On the inability to express every scenario with permissions
One of the problems with the above is that you simply cannot express every possible legal license with a few check boxes. While it does make it easy to generate a license from these (in the way that Creative Commons does with 3 check boxes), in these cases it would be nice to be able to provide a custom string that can let you define custom permissions and actions and have it interpreted on the server.
At risk of seeing everything as a nail (if all one has is a hammer) - a highly limited interpreted programming language may actually be a more flexible solution here. Especially if the language is close enough to English that it’s understandable to the casual observer.
Consider something akin to the following paragraph:
COPY:
    IF USER HAS LICENSE AND
       COUNT OF OBJECT IN REGION IS LESS THAN TEN AND
       TODAY IS MONDAY
    THEN
        ALLOW
    ELSE
        DENY
MODIFY:
    DENY
TRANSFER:
    IF OBJECT IS MODIFIED
    THEN
        DENY
    ELSE
        ALLOW
While slightly less than perfect English - it’s relatively understandable. Copying of the object is allowed on Monday and only if you have less than ten copies of the object in this region. Modification of the object is always denied, and transfer is limited only to the original unmodified object.
In this manner, a complex license such as the GPL could have a programmatically interpreted helper to assist in license enforcement (although the legal bindings behind the GPL are the real teeth). Such a license would look very simple: “COPY: ALLOW, MODIFY: ALLOW, TRANSFER: ONLY UNDER THESE TERMS: ALLOW.”
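A small interpreter for the multi-line form of the permission language shown above, as an added example that is not code from the original post or from OpenSim. The predicate vocabulary is limited to the four phrases in the sample, the context keys (`has_license`, `count_in_region`, `weekday`, `modified`) are hypothetical, and anything the interpreter does not recognise is denied.

```python
import re

NUMBERS = {w: i for i, w in enumerate(
    "ONE TWO THREE FOUR FIVE SIX SEVEN EIGHT NINE TEN".split(), 1)}
DAYS = {"MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY",
        "FRIDAY", "SATURDAY", "SUNDAY"}

def _less_than(match, ctx):
    word = match.group(1)
    limit = NUMBERS.get(word, int(word) if word.isdigit() else None)
    return limit is not None and ctx["count_in_region"] < limit

# Closed vocabulary: each phrase maps to one fixed check, nothing is eval'd.
PREDICATES = [
    (re.compile(r"USER HAS LICENSE"), lambda m, c: c["has_license"]),
    (re.compile(r"OBJECT IS MODIFIED"), lambda m, c: c["modified"]),
    (re.compile(r"TODAY IS (\w+)"),
     lambda m, c: m.group(1) in DAYS and c["weekday"] == m.group(1)),
    (re.compile(r"COUNT OF OBJECT IN REGION IS LESS THAN (\w+)"), _less_than),
]

def parse(text):
    """Return {action: (conditions, then_verdict, else_verdict) or None}."""
    rules = {}
    chunks = re.split(r"^[ \t]*([A-Z]+):[ \t]*$", text.upper(), flags=re.M)
    for name, body in zip(chunks[1::2], chunks[2::2]):
        words = " ".join(body.split())
        m = re.fullmatch(r"IF (.+) THEN (ALLOW|DENY) ELSE (ALLOW|DENY)", words)
        if m:
            rules[name] = (m.group(1).split(" AND "), m.group(2), m.group(3))
        elif words in ("ALLOW", "DENY"):
            rules[name] = ([], words, words)
        else:
            rules[name] = None          # unparsable section
    return rules

def evaluate(rules, action, ctx):
    """Verdict for one action; fails closed on anything unexpected."""
    rule = rules.get(action.upper())
    if rule is None:
        return "DENY"                   # unknown action or unparsable rule
    conditions, then_verdict, else_verdict = rule
    for cond in conditions:
        for pattern, test in PREDICATES:
            m = pattern.fullmatch(cond)
            if m:
                holds = bool(test(m, ctx))
                break
        else:
            return "DENY"               # predicate outside the vocabulary
        if not holds:
            return else_verdict
    return then_verdict

# The sample from the post, embedded verbatim.
POLICY = """
COPY:
IF USER HAS LICENSE AND
COUNT OF OBJECT IN REGION IS LESS THAN TEN AND
TODAY IS MONDAY
THEN
ALLOW
ELSE
DENY
MODIFY:
DENY
TRANSFER:
IF OBJECT IS MODIFIED
THEN
DENY
ELSE
ALLOW
"""

if __name__ == "__main__":
    ctx = {"has_license": True, "count_in_region": 3,
           "weekday": "MONDAY", "modified": False}   # constructed context
    rules = parse(POLICY)
    for action in ("COPY", "MODIFY", "TRANSFER"):
        print(action, evaluate(rules, action, ctx))
```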
Server side Enforcement
Servers ultimately have the final arbitration on whether to enforce these or not. If Joe’s server decides not to use these permissions, well there’s not much you can do if you don’t have a contract with Joe forcing him to. (Of course if he gets your content unlicensed - then that’s copyright infringement.)
It should be noted that it should be possible to design a server that will also expressly refuse content marked under certain permissions (that is, it will not rez). For instance, if the server is unable to prevent someone from modifying something, then the server may say “Well, I’m not going to touch anything that could get me in legal trouble - public domain content is the only type accepted here.”
There’s actually a number of reasons why people would want to be able to mark those kinds of permissions - the legal angle is definitely one, ideological is another - a group may want to only allow Public Domain or F/OSS content. Another group might want to avoid the problems with viral licenses and simply deny access to virally licensed content, ultimately the flexibility to decide should be in place.
At the heart of this issue - flexibility is king. Permissions managers, etc should be designed under the implication that they need to support a wide variety of models - and ultimately it will be the market and users that decide which models succeed and which do not. There is probably going to be a lot of ideas surfacing over the next 12 months on how to handle this. This is merely one of them.
Oh look, Vapourware!
Let’s run through the quick checklist for the recently semi-announced “LivePlace”, who claims to do some pretty nifty things with distributed server side rendering.
- Buzzwords like “Cloud Computing” and “Virtual Worlds”? Check.
- VC Capital Funding? Check.
- Implausible Technology that doesn’t stand up to basic analysis by an industry professional? Check.
Say hello to server-side, cloud-based rendered virtual worlds. Somehow, against all odds, a small unheard of Silicon Valley company has developed a real time renderer that not only exceeds the current best of breed distributed real-time rendering research projects by huge margins - it does so in a way that’s scalable enough to deploy a major concurrent project on.
Doesn’t anyone in Silicon Valley do basic fact checking with a technical adviser before giving capital?
Assuming this company has actually succeeded in developing such a renderer (big if) isn’t there the additional problem of bandwidth? Let’s be kind and say the average user has a 1024×768×32 screen - that’s 24 Mbit of data that needs sending 30 frames a second (720 Mbit/sec). Now yes, you can use some video encoding to cut that down significantly - but that’s a heck of a lot of data, and the compression is going to induce processor load seizures too.
The answer to the above question is apparently not.
There is a big reason we do client-side rendering today, and that is it distributes the load better than any “cloud”. 100,000 clients = 100,000 processors, 100,000 graphics accelerators, etc. Yes some of them suck and can’t do pretty graphics (Intel I’m looking squarely in your general direction), but the rendering they can do is going to be better than what a foreign service can do for you, and it’s going to be speedier - you do not have to wait for a 200ms ping and an x megabyte download to happen before you see the results of your movement.
While I am not claiming that this technology couldn’t be made to work - it’s just not going to be pretty, I don’t believe it will scale anywhere near effectively, and the bandwidth requirements alone are going to cause some very tough questions to be asked about whether this will run at all. (After all - anyone with an internet connection fast enough to support this is going to probably have a decent video card anyway.)
Count me very skeptical.
Shouts to Belaya for adding to the snark contained within this post.
Creating effective fingerprints from Primitive Groups
I briefly touched previously on the concept of fingerprint registration as a method of verifying object legitimacy. What I’d like to go into now is the technical side of things, first answering whether it’s possible, and secondly answering how much “tamper-proofing” one of these signatures can withstand before.
This post is aimed at researchers and programmers in the field. It contains lots of unashamedly technical language. You have been warned. Second warning is - we’re only going to cover Primitive Groups (“Objects” in Second Life) as things such as sound and texture fingerprinting have been covered in far more detail by researchers far more knowledgeable than myself.
Firstly: Is it possible?
The short answer here is yes - the long answer is still yes - but the solution isn’t very good if a single change is enough to break the entire fingerprint. Most fingerprinting schemes such as MD5/SHA are designed to signify if any slight change has occurred, but in our case we don’t want to know if a slight change has occurred so much as if it’s still similar to the original.
In the cases above, you can make very “short” fingerprints since you have very specific criteria you are matching against for tampering. In our case, if someone resizes the object slightly it shouldn’t break the entire scheme.
So, onto some ideas on how to measure similarity between objects - any good fingerprint is going to take into account a number of these measurements and decide on how many are similar. The fingerprints should be easily comparable too - because searching a database of a million such fingerprints should be doable quickly and easily without too much database load.
Volume to container volume ratio
The idea here is to measure the volume of the entire object (that is, the space it would displace if dipped into a bucket of water), compared to the volume of a box big enough to fit it exactly. A square object would leave no water remaining, and hence have a ratio of “1.00”, but a sphere leaves a much more distinct mark.
Objects which are very similar are going to have very similar volume displacement ratios, resizing a single component (or primitive) of a larger set is going to do very little at changing the ratio unless it is a very significant change.
It is worth noting that you need a minimum complexity for this metric to be of much value - very simple objects are likely to generate lots of collisions and false objects (as there are only so many spheres and boxes that can be described), which brings us to point #2.
Caveat: The bounding box needs to be the smallest possible bounding box for any possible rotation of the object to be effective at comparison. Computing the optimal rotation may be expensive (although something that might in theory be doable with a boolean search through rotations).
Simple facts about the group - Minimum Complexity
Things such as the number of primitives, the types of primitives used, etc all form a group of simple facts - unfortunately these are the most distortable and easily changeable - but again if you change too many you end up with a very different looking object.
It’s important to note however, it’s possible to add a lot of “invisible” primitives onto it to add numbers to this, but not change the object, so it’s key that we use this metric simply one way - the minimum complexity must be close to equal or exceed the original fingerprinted object (give it, say, a 20% fudge-factor for people who can clean off bits and pieces trying to dodge this metric).
Primitive “Levenshtein” Distance
In computer science, the Levenshtein distance is the number of characters you need to alter, delete or insert between two pieces of text to get the same string. It’s used in spell checkers to try to correct common typos (i.e. it picks the thing closest to what you had).
I think it could have a practical application here too - if we consider two separate objects as pieces of text, then we calculate the number of primitives that need to be changed, inserted or deleted to match the other object. If we consider each change separately (size, rotation, shape, etc), an object derived from another object would have a fairly small distance, however this solution does break down when we consider objects with a very small number of primitives to begin with.
Creating a signature with these
It’s best if we consider each of these a separate signature that is never combined. Rather, when you compare the signature, you actually compare a set of signatures like the ones above separately, then you calculate how many of them hit a collision vs how many did not.
The ultimate caveat here is that none of the solutions work very well when the object is not very complex to begin with. I suspect on any object with less than 20 primitives this is not going to work too well (although the effectiveness of the measure will increase dramatically with each additional primitive in the group.)
It is also worthwhile to take watermarks of any associated assets such as textures and materials and handle those separately, as this should try to survive an object being retextured, or cover the case where someone rips other people’s textures for an unassociated product.
For computational expense purposes, each signature should produce a number - ideally a nice integer number. A database table can then be indexed by each signature so that you can search for a range within say 10% of each and every index quickly and easily with minimal lookup expense.
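The three signatures above, compared separately and counted as hits, as an added example that is not code from the original post. It assumes unrotated, non-overlapping box and sphere primitives, so the minimal-rotation bounding box from the caveat is not computed; the primitive layout, the edit costs and the distance threshold are assumptions, and the sample objects are constructed and far below the 20-primitive floor mentioned above.

```python
import math

ATTRS = ("shape", "size", "pos")   # attributes compared per primitive

def volume_ratio(prims):
    """Summed primitive volume over axis-aligned bounding-box volume."""
    lo, hi, total = [math.inf] * 3, [-math.inf] * 3, 0.0
    for p in prims:
        sx, sy, sz = p["size"]
        total += sx * sy * sz * (math.pi / 6 if p["shape"] == "sphere" else 1.0)
        for i in range(3):
            lo[i] = min(lo[i], p["pos"][i] - p["size"][i] / 2)
            hi[i] = max(hi[i], p["pos"][i] + p["size"][i] / 2)
    return total / math.prod(h - l for h, l in zip(hi, lo))

def prim_distance(a, b):
    """Levenshtein distance over primitives, one point per changed attribute."""
    gap = len(ATTRS)                      # inserting/deleting a whole primitive
    prev = [j * gap for j in range(len(b) + 1)]
    for i, p in enumerate(a, 1):
        cur = [i * gap]
        for j, q in enumerate(b, 1):
            change = sum(p[k] != q[k] for k in ATTRS)
            cur.append(min(prev[j] + gap, cur[j - 1] + gap, prev[j - 1] + change))
        prev = cur
    return prev[-1]

def signature(prims):
    """Integer signatures suitable for indexed range queries."""
    return {"ratio": round(volume_ratio(prims) * 10000),
            "complexity": len(prims)}

def compare(original, candidate, tolerance=0.10, fudge=0.20):
    """Evaluate each signature on its own; the caller counts the hits."""
    so, sc = signature(original), signature(candidate)
    budget = fudge * len(ATTRS) * len(original)   # assumed distance threshold
    return {
        "ratio": abs(sc["ratio"] - so["ratio"]) <= tolerance * so["ratio"],
        # one-way check: padding with invisible prims must not help
        "complexity": sc["complexity"] >= (1 - fudge) * so["complexity"],
        "distance": prim_distance(original, candidate) <= budget,
    }

def prim(shape, size, pos):
    return {"shape": shape, "size": size, "pos": pos}

# Constructed sample: a table with four legs and a spherical ornament.
TABLE = [prim("box", (2.0, 1.0, 0.1), (0.0, 0.0, 1.05))] + [
    prim("box", (0.1, 0.1, 1.0), (x, y, 0.5))
    for x in (-0.95, 0.95) for y in (-0.45, 0.45)
] + [prim("sphere", (0.4, 0.4, 0.4), (0.0, 0.0, 1.3))]
# Derived copy: only the ornament was enlarged and nudged upward.
DERIVED = TABLE[:-1] + [prim("sphere", (0.5, 0.5, 0.5), (0.0, 0.0, 1.35))]
# Unrelated object: a column of six unit spheres.
UNRELATED = [prim("sphere", (1.0, 1.0, 1.0), (0.0, 0.0, z + 0.5)) for z in range(6)]

if __name__ == "__main__":
    for label, obj in (("derived", DERIVED), ("unrelated", UNRELATED)):
        result = compare(TABLE, obj)
        print(label, sum(result.values()), "of", len(result), result)
```

The ratio and complexity values can sit in indexed columns; the primitive distance is pairwise, so it is only worth computing against candidates the indexed lookups return.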
Final notes
The above can be used fairly indiscriminately as checks that can be done on any client anywhere since the algorithms do not rely on any form of obfuscation. An agency setting up something to mark signatures of popular items would likely want to employ these style signatures, plus a bunch of hidden ones so that an attacker did not know exactly what they were looking for - however any good long-term solution should survive public scrutiny of the algorithm as well, it just may be difficult to do so due to the lack of large amounts of data to compare (unlike say sounds or textures).
Practical alternatives to “Copy Protection”
So, in my previous few posts on this topic - I have somewhat neglected covering the practical alternatives. Things that can be made to work, and can be difficult if not impossible to break. I’ve made some mentions before on things that can be done, but I’m going to elaborate on them here.
The Good, the Bad, and the Ugly.
To begin with, we’re going to need to make a divide between ‘good’ and ‘bad’ consumers - good consumers are going to be defined as your standard consumers - the people who like to purchase legitimate content from the legitimate sellers - and like to know that they have bought legitimate content.
The second group are the group who don’t really mind if they purchase pirated content (or get it for free). This group is somewhat of a lost cause. They don’t tend to buy content today, and they probably won’t change that habit in the future.
What you want to target is not minimising the size of the second group (all that will do is waste time and is unlikely to get you any kind of extra revenue), but preventing as many of the first group as possible from slipping into the second group (intentionally or unintentionally).
Signing content
Just like a signed copy of a book is worth more than the plain hardcover, it’s possible to sign a purchase with a “To <buyer>, I <content creator here> can affirm this is a legitimate copy that was sold to you.”, there’s a few ways of doing this, number one:
Verifying purchases via a server
Have a registration server - anyone can see the signature of your item and confirm it against the server to see if the person who has it legitimately bought it. This does have the downside that you need to maintain your server ad infinitum if you want people to be able to verify your content.
Verifying purchases via cryptography
This is a niftier solution, and should work for all time as long as people have a copy of something called your “public key”. This means that when you sell the item to someone, you add a digital signature to the purchase with “XYZ bought this from me.” and then sign that message with something called your “private key”. As long as your public key is public - anyone can use it to verify it was you who really signed it.
Pros of Signing Content
- People can verify that a purchase they made came from the original creator legitimately.
- Other people can verify it too - lowering the social value of possessing fakes.
- Helps build up a brand
Cons of Signing Content
- Relies on people recognising content to be able to say it was a fake of designer X.
- You probably need to rely on a mix of both cryptographic signatures and verification services, which will likely involve a cost - for an identity-verified cryptographic keypair (such as the ones Verisign provide), and the cost of hosting the service.
Fingerprinting (“Watermarking”)
It’s possible to take a digital asset, and produce a fingerprint of it - fingerprints, like their physical counterpart, are very good signatures of someone, but they aren’t someone themselves. In digital terms this means producing a smaller version of the asset that is unique to it, and registering it so that if any “clone” shows up, it can be said to be derived from the original asset.
Services exist already for print media which register these fingerprints so that if they are ever used elsewhere, someone can verify who originally made the asset.
Pros of fingerprints
- You can verify a fingerprint with a third party to see the original creator of the item.
- Helps when filing copyright infringement notices, because you have the registration to act as an “I did this first”.
Cons of fingerprints
- Fingerprints cannot tell if something is or is not legitimate alone.
- Fingerprints can be “smudged” by tampering with the asset, the more “smudge-resistant” you make it, the higher chance false positives can occur.
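The fingerprint-and-registry idea and the smudging trade-off from the list above, as an added example that is not part of the original post. It uses an "average hash" (one simple perceptual fingerprint, chosen here for illustration) over constructed 16x16 grayscale images; the registry, names and thresholds are assumptions.

```go
package main

import (
	"fmt"
	"math/bits"
)

const size = 16 // constructed sample assets are 16x16 grayscale images

type Image [size][size]uint8

// Fingerprint shrinks the image to an 8x8 grid of 2x2 block sums and sets one
// bit per cell: 1 if that cell is brighter than the whole-image mean.
func Fingerprint(img Image) uint64 {
	var cells [64]int
	total := 0
	for y := 0; y < size; y++ {
		for x := 0; x < size; x++ {
			cells[(y/2)*8+x/2] += int(img[y][x])
			total += int(img[y][x])
		}
	}
	var fp uint64
	for i, c := range cells {
		if c*64 > total { // same as c/4 > total/256, without rounding
			fp |= 1 << uint(i)
		}
	}
	return fp
}

// Distance counts the bits on which two fingerprints differ.
func Distance(a, b uint64) int { return bits.OnesCount64(a ^ b) }

// Lookup returns the creator of the closest registered fingerprint within
// threshold bits of the candidate, or "" when nothing is close enough.
func Lookup(reg map[string]uint64, candidate uint64, threshold int) string {
	best, who := threshold+1, ""
	for creator, fp := range reg {
		if d := Distance(fp, candidate); d < best {
			best, who = d, creator
		}
	}
	return who
}

// Samples returns three constructed assets: an original, a brightened copy
// with a 4x4 stamp in one corner, and an unrelated image.
func Samples() (orig, smudged, other Image) {
	for y := 0; y < size; y++ {
		for x := 0; x < size; x++ {
			orig[y][x], other[y][x] = 40, 200
			if x >= 8 {
				orig[y][x] = 200
			}
			if y >= 8 {
				other[y][x] = 40
			}
			smudged[y][x] = orig[y][x] + 20
			if x < 4 && y < 4 {
				smudged[y][x] = 255
			}
		}
	}
	return
}

func main() {
	orig, smudged, other := Samples()
	reg := map[string]uint64{"XYZ": Fingerprint(orig)}
	for _, t := range []int{0, 8, 32} {
		fmt.Println(t, Lookup(reg, Fingerprint(smudged), t), Lookup(reg, Fingerprint(other), t))
	}
}
```

With these samples, an exact-match threshold of 0 misses the altered copy (4 bits away), a threshold of 8 attributes it to the registered creator, and a threshold of 32 also flags the unrelated image, which is the false-positive cost of making the fingerprint more smudge-resistant.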
Make it easy to buy legitimate content, reward those who do.
This one is more of a business opportunity for some individual or group - but make it possible to buy your content on an Amazon/iTunes equivalent which is quick and easy to purchase from, and guarantees legitimate content.
If your content is a pain to purchase, the chances of someone getting frustrated and either not purchasing, or getting it via less-than-legitimate means, increase. Reward the consumers who do purchase legitimate content with updates and other services that people getting the false one won’t get - as a side bonus this will instill some brand loyalty and likely get them buying more content from you in future.
None of these ideas are mutually exclusive - they work best together.
Fingerprinting is complemented nicely when you have signatures attached - in doing so, you can combine them to say “This is not a legitimate item, the original was created by XYZ whose signature is missing”. By doing so, you can place social pressure on people to purchase the real thing.
While there will always be a group (mentioned above) who don’t care - the majority (the good consumer group) will, and will likely try to purchase legitimate content whenever possible. If merchants present their digital signatures and a third-party verification as part of the purchase process, then it becomes significantly more difficult to buy a fake unintentionally.
One last thing
This list is not a total list - it’s what I thought of in five minutes. There are plenty of other ideas which can be made to work; a lot of it requires third party verification from reputable services, but thankfully neither of these is a new thing. Digimarc provide watermark/fingerprinting services with registration already today for print/web media, and Verisign provide the cryptographic keys necessary for signing content. (The algorithms for which are very well documented already, having been invented at least thirty years ago.)
Copy Protection vs Permissions - again.
So it turns out, that I need to make another post on this topic (although I’d like to say this is hopefully the last for a while - I do have some more interesting topics to talk about).
OpenSim supports C/M/T-style Permissions on Regions, by default (as it’s shipped), it’s enabled.
You can take a look at the code if you want. If you only read one line, read the one above. It’s important. Keep it in mind as I continue, please.
Now, yes - someone can come in and override those, and say “I want my region never to support permissions” and anything rezzed in them will never have any, however that is no different to someone taking the official server software (whenever it is released), opening it up in SoftICE and doing exactly the same thing.
The point I have been trying to make is: You cannot rely on permissions, even today, to be infallible - because they are not. Adding “copy protection” schemes (which are *not* the same thing as a permissions system) will not make it any different, because they simply do not work.
Permissions are different to copy protection
Both of these are technical terms. Permissions mean “I the gatekeeper will allow you to do these things on my service”. That is, the service itself will say “No” if you try to use them to do something they forbid, and all their assistance ceases (and you may be banned/disconnected/whatever).
Copy protection on the other hand means “I’m forbidding you from touching this thing I give you”. One is enforceable because you need the gatekeeper’s assistance to do something and he won’t provide it if you violate the permissions, but the second is not, because there’s absolutely nothing stopping you from walking over and doing it anyway.
A better example might be say a key and a lock. A permissions system is setup so that you have a key, and the lock understands that key. It says “You can open this door, if you have the key.” - assuming solid enough construction, it’s a reasonable barrier to mischief.
A copy protection system is a locked box, with a key dispenser right next to it. It’s kinda pointless when described that way, but that is effectively what they are.
OpenSim supports the “gatekeeper” style permissions - SL does exactly the same thing.
Permissions have limits
The big problem here, and something you may construe from the above, is the idea that permissions provide absolute protection. It’s something I have tried to clear up previously (and why I have been saying that it is not worthwhile to rely on these).
Limit #1: Permissions are only as reliable as the service that is enforcing them.
This means, that if someone decides to swap the default gatekeeper with one that’s less scrupulous, there’s nothing you can do. The best you can do here is pick a service that is going to be fairly rigid about making sure they behave properly. Second Life does this today, other services will likely do it too.
The key is probably going to be that services allowed to interconnect with popular reputable services are going to be legally enforced and contracted (and likely have large sums of money in the balance of it) to make sure they play together nicely.
Limit #2: You are only as protected as the weakest link.
At this point, the client is the weakest link. To use a phrase that has been repeated often enough “If you can see it, you can copy it.” It actually strikes me personally as significantly more difficult to go to the bother of connecting to a service as a server in order to rip content, when you could just take it from the client using reasonably well tested tools such as GLIntercept, Copybot, Cache rippers, and others - and do so without the service being able to easily detect you.
The above tools cause posts about content theft at least once a month in Second Life - your content is effectively “easy” to steal right now, and it won’t get any easier. Yet people continue to make sales, to make new content - in the long run, this won’t make anything substantially different than it is today.
OpenSim’s current permission support
OpenSim is still alpha software (as we keep saying), but it does have a permissions manager. As far as I’m aware at time of typing, it supports all the C/M/T permissions roughly as intended. As always however, there are probably bugs in our implementation - if something isn’t working right (such as, say, sitting on an object suddenly making it copyable) then reporting that as a bug is always appreciated.
The intent of the developers has been to provide modules to let you create SL-style environments out of the box, and part of that does include creating permissions managers which emulate SL-style functionality. The current permissions manager is based on two previous versions, and 90% of the ‘core’ developers have been inside of it at one point or another tweaking and adjusting it; there’s a group effort involved in its development.
Returning to the point I made at the beginning of this post:
Point #1: OpenSim supports a basic C/M/T permissions module right now. It’s not perfect, but there it is. It’s been there in some form for a while (probably 6-7 months at least), and it’s the current developers’ intention to support this - it’s on the list (admittedly there are a lot of other things on the list too, but then again it’s alpha software).
Point #2: It’s enabled by default - that means if you download a precompiled version of OpenSim today, it will be in there and turned on. Yes, someone can go into the code and turn it off - and being able to customise OpenSim is part of its design, because not everyone is building SL-style worlds with it.
Finally, this is nothing that hasn’t been said before.
By default OpenSim - right now, supports your standard SL-flavoured permissions as the default permission module, it’s there today - yes you can swap one permission module with one that doesn’t respect those, and yes you could remove it entirely.
- Copy Protection Nuances
The presence of the Open Grid Protocols allows one more potential avenue of attack, but to a malicious individual, this is more difficult than just grabbing the asset from the local cache, or using a tool such as GL Intercept, because it requires connecting in additional servers and dealing with a lot more than you absolutely have to.
- Copy Protection Nuances
In fact we’ve never ever said anything to this effect. The environment we build by default (and that’s the components we ship to do things like a Second Life™ environment), we’ll try our best to respect permissions infrastructure as best we can - but there are limits to what we can practically do, we cannot alter the fundamental laws of mathematics and computer science (see my previous post for more on this) for example.
- OpenSim is not a Virtual World
Copy Protection Nuances.
I had a very interesting discussion with David Levine (SL: Zha Ewry) last night at the Metaverse Meetup, several luminaries were present, including Prokofy Neva, Tish Shute, and others. We had a varied discussion ranging from the possible future of Virtual Worlds to an informative discussion on the feasibility of copy protection in open standards and worlds.
Reuters has some interesting coverage over here, however I do feel the need to make some corrections on a few points made. While Eric has got a lot of interesting points covered, some of them are a bit more nuanced than they first appear and I’d like to cover a few of them.
In OpenSim, by default, no copy protection will exist at all. “You cannot know what a foreign piece of software will do with a piece of digital content once it receives it,” Levine said. To insert a digital rights management tool into OpenSim is to invite criminal hackers to find ways to circumvent it and undermine the credibility of the software, he argued.
This isn’t quite true - at least some of it anyway. While he’s spot on with David’s comment that you can’t tell what a foreign system will do with a piece of data, OpenSim does support permissions by default - the nuance here is that permissions do not equal copy protection. Copy protection (also known as DRM) I’ve covered in more detail previously.
By default OpenSim - right now, supports your standard SL-flavoured permissions as the default permission module, it’s there today - yes you can swap one permission module with one that doesn’t respect those, and yes you could remove it entirely.
Unfortunately as I’ve stated before, there’s no rule of computer science that stops someone from modifying something. Good or bad it is always possible, even if you need to go down to the level where you have a soldering iron installing a “mod chip”. With open source software this is admittedly easier - but any professionally schooled programmer will have all the grounding needed to defeat a copy protection system.
This is why both myself and David Levine believe that the solution is to engineer something that involves assisting and speeding up legal systems. Modern societies decide to respect copyright laws, and therefore they built institutions such as courts to handle disputes. However, Prokofy does raise the point that lawyers tend to be expensive, and if the only way to sell content is to have a professional lawyer, then we’re back to old media conglomerates.
As I have stated before, I’m not entirely sure this will be the case. There are a number of reasons for that; first - something being broken is somewhat black and white - if there is any way to get content under terms not licensed to you, then you can do it. It doesn’t really matter that suddenly there is an additional method for doing so, because it was already possible.
The presence of the Open Grid Protocols allows one more potential avenue of attack, but to a malicious individual, this is more difficult than just grabbing the asset from the local cache, or using a tool such as GL Intercept, because it requires connecting in additional servers and dealing with a lot more than you absolutely have to.
Returning to my point - I think we will find that actually people want to be legitimate, purchase content from legitimate providers - and hosting companies (who are actually powering the systems running the World) will have big financial incentives to obey the law and not have copyright infringing content on their systems (since it makes them liable, and corporate lawyers really don’t like that.)
The solutions I’ve mentioned before still hold, first - you can keep on keeping on, in all probability sales will increase rather than decrease because you will be dealing with a much much wider audience. Second - hosting providers will want to be allowed to receive content from top creators, and that means signing contracts which indicate they will enforce permission models wanted by creators (and moderated by consumer demands).
I think for us, the developers the key is to make it possible for people to say “Well, I want my content handled in these five ways.” and be able to host a world that interoperates obeying those laws. Likewise we need to make the inverse easy too so that people who want to share content themselves can, and do so easily. This part comes down to tools - which is in the domain of the technical, however if someone violates that contract, then that’s the moment that social systems need to be employed.
Social solutions do not necessarily mean legal systems - it’s possible that it’s as simple as “Well, you violated our contract, therefore we’re never sharing any more content with you”. Legal contracts will likely be the mainstay at the higher levels (as they always are), but there is nothing stopping the establishment of guilds or other groups which represent groups of content creators to enforce en masse.
Certainly commercial pressures will cause people doing hosting services to enforce these, because if they do not, their customers will be denied access to new content which will hurt business.
It’s also possible for people to consider alternative models of distribution, including the possibility of, say, subscriptions to content providers - for instance paying a regular fee to be allowed access to the content creator’s library of content (done either per user, or per region, I can see plenty of use for this).
For those of you interested in hearing more, and exactly what myself and David discussed, a video of the presentation has gone online - you can hear our exact words and all the nuances therein (and unfortunately with a topic this complex, there’s a lot.).
Virtual Worlds: Why DRM cannot protect you [for long].
There’s a very fundamental problem facing many content creators in Virtual Worlds these days (such as Second Life™, IMVU™ and others), and that is the problem of Piracy - where one unscrupulous individual takes content from a designer or developer, and then attempts to resell it as their own.
It’s a problem - no-one can deny that, but the solution to the problem is not ‘deep’ DRM. There are a few reasons for this, especially when it comes to content (scripts and backend programming are another matter entirely and something I will get to in a moment)
Three reasons why this won’t work for visual content
First, the obvious one - content must be displayed on the users screen. This means it must be presented to the video card in an unencrypted form. I’ve heard a few silly ideas to prevent this one, such as encrypting the texture and using a shader to decrypt it on the video card (just run the shader in a virtual machine).
At a very fundamental level, the laws of mathematics do not allow you to say “This number cannot be copied.”, computers which are based on very high level mathematics are still subject to these immutable laws. There’s a parallel law here which states that you can always modify something - sure you can make it a house of cards that breaks if you make a change, but someone can always employ superglue to prevent that.
It’s technical, but it’s worth reading the examination of the Skype binary (PDF) done by a security analysis team. The Skype developers know their stuff: exactly how to use cryptography properly, how to try to prevent debuggers from being run, etc. Every single one of their protections has been examined and detailed specifically in that document - no matter how clever you think you are, there are cleverer people out there and not all of them have good motivations.
Second reason why this won’t work - you hand the legitimate user both the content and the key to decrypt it to display it - there’s no way to avoid this without disallowing the user to view the item (which defeats the purpose of content). There’s nothing stopping them from making a copy of both parts, and once the scheme is broken, there’s no going back - it’s out there. You can’t revise the encryption scheme after it’s been broken; your content is now available unencrypted.
This has been a big problem with things like DVD encryption, because to release a new encryption scheme you need to get every user to update, and titles released under the old scheme are still broken. DRM used in popular products tends to have a life somewhere between a week and three months - assuming point #1 doesn’t hold, this still means you have to assume all your content more than at most 3 months old is piratable - how many content producers produce enough content every month to make their old lines completely redundant from a sales perspective?
Third reason - DRM tends to annoy customers. Consider the possibility where you want to teleport your avatar around a hypothetical super-grid the size of the internet. You enter a sim which hasn’t been authorised (and I’d say in the long term, most will fall into this class - similar to how only a small % of sites have SSL certificates), and bam, your avatar vanishes.
Well, what can you do? Not much - but you aren’t likely to buy avatars from this user again, that’s for certain. There is likely going to be a commercial incentive towards content which, after you buy it, you are free to do what you want with. (With copyright law being enforced against violators and pirates.)
So - how the hell do you protect your revenue/sales in an environment where anything goes?
This question is the real question that should be asked; the answer hasn’t yet been determined (market forces will likely be the ones to figure out which models work, and which don’t).
- Custom Content - in a world where everything is mass produced and cloned, unique content that has been hand crafted for what you want is a drawcard. It’s unique, it’s yours, it’s $50.00/hour design fees.
- Keep on keeping on - The current model is unlikely to collapse, brands seem to matter and people like being able to say they have legitimate content. Systems will likely appear that allow you to verify whether someone has paid for a piece of content or not. Piracy goes on in virtual worlds today, but sellers seem to keep making sales (I’d like to know more from specific sellers how their sales have gone when a piece of content has been pirated significantly).
- Mark your intent - Tying in with the above point is the idea that you can mark your intent - this is ‘shallow’ DRM - it’s nothing that cannot be removed, but it does signify what the creator wanted you to do with this content and has licensed you to do. If someone violates these terms, you can deal with them the same way copyright infringement is handled in the real world: courts. For all the complaints that go on about the DMCA, the act does provide a relatively sane way to deal with IP infringement from a content creator perspective (however beware, filing a false DMCA claim IS perjury).
So what about scripts?
Well, if your script is going to be transmitted from host to host - you have the same problems that commercial web scripts have - and all of the above applies. With sufficient bandwidth and processor time however, it is possible to run scripts on your servers for other people (the “hosted” model). OpenSim supports this hosted model via the ScriptEngine that can be run as a grid server - hopefully these kinds of things will become easier to set up and maintain, and perhaps a giant such as Akamai will take to the role for other people.