CDT’s recent paper on digital watermarks and privacy got some positive reviews here and here; however, it also prompted criticism from Timothy Lee on Ars Technica. Lee argues that the paper “misses the point” because it does not come out and say that individualized watermarks — watermarks that correspond to individual users, devices, or transactions — pose an “inherent threat to privacy” and should be avoided.
Certainly it is true that the simplest way for a company to steer clear of privacy issues is to refrain from using individualized watermarks in the first place. If a company would rather avoid the effort and hassle of working through the list of our proposed privacy principles, it can limit itself to what the paper terms “generic” watermarks — watermarks that are not specific to individual copies of the content. (The same point applies to other areas where CDT has worked on privacy best practices; for example, if you don’t want to wrestle with the privacy questions relating to RFID, you can always avoid the technology altogether.)
But the point of the paper was to address the more complicated case, where a company’s intended application requires individualized marks. As Lee rightly notes, the main use currently envisioned for individualized watermarking relates to deterring copyright infringement and tracking down possible violators. We’re not confident that is the only possible use — one could imagine personalization applications, where the identity of a file’s owner triggers some kind of response — so the paper spoke in more general terms. But for now at least, copyright is the focus. And we do suspect that use of individualized watermarks for copyright deterrence purposes will be attractive enough that companies will experiment with it, perhaps on an increasing basis. So “just say no” may not be a sufficient recommendation in many cases, in terms of providing actionable guidance that companies would actually follow.
Just as important, we don’t share the view that individualized watermarks inherently and inevitably pose major privacy problems. The extent of the privacy impact depends on how they are used. For example, Lee’s article characterizes the purpose of individualized watermarks as “tracking” individual customers. But there is a big difference between actively tracking how I use a file (say, by recording or “phoning home” information about my ongoing behavior) and inserting a code into my file that is never read or recognized unless I upload the file to a P2P network. The privacy impact of inserting a watermark into a song I buy depends partly on the payload of the watermark, but also on when and how that mark will be read and used. While individualized watermarks may carry potential risks that don’t arise if such watermarks aren’t used, the mere presence of such watermarks doesn’t mean that privacy problems are inevitable.
Moreover, watermarking may have some advantages over other technologies from a consumer perspective. Embedding individualized data in a watermark could make it significantly harder for third parties to decipher than if the same data were included in an ordinary file header. And watermarks, as a means of recording information, should have little direct impact on the flexible use or interoperability of the watermarked files. As compared to encryption-based DRM, therefore, watermarking approaches to deterring copyright infringement could allow greater leeway for fair use and for individuals’ practical ability to take full advantage of the capabilities of digital technology for lawful purposes. For example, several years ago, the Fraunhofer Institute in Germany proposed a “Light Weight DRM” scheme that envisioned watermarking as an enabler for private copying of files that otherwise would be locked by DRM. The potential benefits of watermarking may be arguable, but I see no reason to assume in advance that there can’t be any. (CDT’s earlier paper on how consumers can evaluate different DRM schemes highlighted privacy as one factor for evaluation; privacy would appear to be the main question for individualized watermarking, which is why we chose to drill down on it further.)
Lee argues that watermarks will be an ineffective piracy deterrent. Perhaps; it certainly is true that individuals determined to engage in infringement will have plenty of options for obtaining and circulating non-watermarked files. But it is at least possible that, for other consumers, knowing that files can be traced back to them would create a sense of accountability that could discourage illegal file sharing. My point is not that CDT endorses forensic watermarking — it is simply that this is an approach to deterrence that content holders may reasonably feel is worth experimenting with. CDT’s paper offers guidance for thinking through the privacy issues that would then arise.
Of course, CDT’s principles include a call for notice to end users when individualized watermarks are used. If individualized watermarks are used in this transparent fashion as we believe they should be, and if consumers agree with Lee that the privacy implications are unacceptable, consumers are free to voice their objections in the marketplace, which could cause the technology to fail. But CDT believes the privacy implications vary significantly depending on how the technology is implemented, and we don’t agree that the starting point for our paper should have been an across-the-board condemnation of individualized watermarks. We vetted the paper in advance with a number of public interest groups and privacy advocates, and none of them argued that the paper should take a strong general stance against individualized watermarks in all cases. That said, we’re interested in further feedback, including privacy concerns that we may have missed or understated.