This paper presents a technical analysis of the capabilities and characteristics of technologies proposed for use as a means of providing copyright protection for digital information resources:
a) Watermarks and fingerprints provide indication of ownership, and indication of the identity of a licensed user, respectively, by embedding security information in the digital object. This information may be visible (as in a background image), or, more conventionally, invisible. While this has some attraction to copyright owners, the security properties of this technology are limited.
b) 'Digital signatures' is a popular term for one of the capabilities of public key cryptosystems (PKCS). As well as providing signature services (origin authentication), this technology supports content confidentiality and content integrity services. These services are reliable ('strong' in the terminology of cryptography), but the technology is not designed for use in environments where data objects are subject to modification (e.g. by compression). Moreover, its deployment would be likely to incur a significant cost.
The paper also considers developments in US law, concerning the digital information environment, which may influence developments in European law, and affect commercial practice for providing access to digital information resources.
With the substantial growth in the use of web technology, and the ease with which digital documents can be retrieved and manipulated, there is a need for institutions to become aware of technical and legal measures that may affect academic use and management of digital resources. This paper, prepared with support under the initiative announced in JISC Circular 14/98, considers the capabilities and use of technologies that provide document security. Whereas 14/98 refers only to digital signatures, the original invitation to tender contained in JISC Circular 2/98 proposed a broader scope of study. This broader scope is addressed in this paper.
Section I provides an introduction. Section II considers the technical aspects of watermarking and its various applications. Section III discusses developments in copyright law that may raise issues for HEIs in the use of information resources stored in digital form. Section IV contains conclusions.
While the rapid development and deployment of new IT technologies has improved the ease of access to digital information, it has also led to fears that copyright could be eroded by the illegal copying and redistribution of digital media. This is of particular concern, for example, to commercial publishers of digital audio and video content whose existence depends on defending the copyright of their information assets. If content owners cannot be assured that they will be properly compensated for use of their works, they will be unlikely to make these available for access over public networks. Mechanisms to protect content are seen, therefore, as a necessary step towards the creation of a global commercial information infrastructure.
While equipment capable of copying audio, video, and text content has long been available for domestic use, the loss of quality that analogue copying entails, and the labour involved in the physical process of copy production, have acted to limit copyright abuse. With digital media, however, perfect copies can be produced and distributed with little effort, and modern compression algorithms have reduced the safeguard once possessed by digital content by virtue of its sheer size.
Some technologies (such as watermarking and fingerprinting) are emerging that attempt to provide copyright owners with the desired degree of protection, and to act as a disincentive to data piracy. Others, such as digital signatures, are familiar from cryptography, and provide services for origin authentication and content integrity.
In brief, the three technologies under consideration in this paper can be described as follows:
a) Watermarking: A technique for embedding hidden data that attaches copyright protection information to a digital object. This provides an indication of ownership of the object, and possibly other information that conveys conditions of use.
b) Fingerprinting: A type of watermark that identifies the recipient of a digital object as well as its owner (i.e. a 'serial number' assigned by the vendor to a given purchaser). This is intended to act as a deterrent to illegal redistribution by enabling the owner of the data object to identify the original buyer of the redistributed copy.
c) Digital signatures: A mechanism employed in public-key cryptosystems (PKCS) that enables the originator of an information object to generate a signature, by encipherment (using a private key) of a compressed string derived from the object. The digital signature can provide a recipient with proof of the authenticity of the object's originator.
The first two of these, watermarking and fingerprinting, are closely related, as aspects of 'data hiding' technology (also known as steganography). Digital signatures support origin authentication and content integrity services and belong to the field of cryptography.

Section II - Technology Overview
The following services are claimed as capabilities of watermarking/fingerprinting:
a) Indication of originator's identity (watermark): This service provides the originator of a data object with evidence that supports a claim of ownership of the object. To claim proof of ownership would be an overstatement of service capability in two senses. Firstly, a watermark providing indication of origination may be subject to various forms of attack, and may even be forged. Secondly, the indication of origination service cannot actually prove ownership. An agent does not prove ownership of an object simply by marking it. Ownership can be proved only by a scheme that involves a trusted third party.
b) Indication of recipient's identity (fingerprint): This service provides the originator of a data object with an indication that a copy of the object in the possession of a third party was made from the copy of the object originally provided to a particular recipient. This is intended to assist the data owner in identifying the recipient responsible for disclosing the data to a third party.
In watermarking, the security information is embedded throughout the digital object in a manner that does not impede its normal use. As well as maximising the quantity of security information that can be conveyed, this embedding approach may permit the detection of the watermark even where only an isolated sample of the original object is made use of (e.g., a 'soundbite'). For many applications, there is the requirement that the watermark should be robust (i.e. capable of surviving routine transformations to the digital object, such as compression) to fulfil its purpose. A watermarking technique that is fragile (i.e. fails to protect its embedded security information from accidental or deliberate damage), may be of limited value for copyright protection purposes.
A rather different set of services are supported by public key cryptosystems (PKCS):
c) Origin authentication: This service enables the originator of a data object to provide the receiver with the means by which the origin of the object can be authenticated (i.e. a digital signature).
d) Content confidentiality: This service enables the originator of a data object to protect the content of the object from disclosure to receivers other than the intended receiver (i.e., encryption).
e) Content integrity: This service allows the originator of a data object to provide the receiver with the means by which the receiver can verify that the content of the object has not been modified.
f) Non-repudiation of origin: This service enables the originator of a data object to provide the receiver with irrevocable proof of the origin of the object and the integrity of its content.
To support PKCS services, an external security token is attached to the data object; this contains a collection of security information: algorithm identifiers, signatures, a content-integrity check, an encryption key, et cetera. Subject to a suitable choice of algorithm and key size, considerable confidence can be placed in the veracity of these services (i.e., forgery is very difficult). They are said to provide 'strong authentication', by contrast with 'simple authentication', where the mechanisms typically involve shared keys.
However, the external token of PKCS can be easily removed, and so these services are effective only where it is in the interest of all users of the data to preserve tokens (e.g. for support of the content integrity service). Furthermore, PKCS is rendered ineffective if even a single bit of the token or the data object itself is changed. Paradoxically, therefore, the mechanism is strong in security terms, but fragile in the sense of its tolerance to modification.
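By way of illustration, the following minimal sketch, using the Python cryptography package (an illustrative choice; this paper names no particular implementation), shows both properties at once: the signature verifies while the object is bit-for-bit intact, and fails after a single-bit change.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# The originator generates an asymmetric key pair and signs the object.
private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = private_key.public_key()
pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)

document = b"Digital object to be protected."
signature = private_key.sign(document, pss, hashes.SHA256())

# Any holder of the public key can verify origin and integrity...
public_key.verify(signature, document, pss, hashes.SHA256())  # no exception

# ...but flipping one bit of the object renders the token useless.
tampered = bytes([document[0] ^ 0x01]) + document[1:]
try:
    public_key.verify(signature, tampered, pss, hashes.SHA256())
except InvalidSignature:
    print("signature no longer verifies: strong, but fragile")
```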
Numerous watermarking techniques have been reported in a literature that considers them largely from a technical viewpoint. Often, the actual purpose of the technology, and the context within which it will be used, are overlooked: what services do we wish to support? What are the relative strengths and weaknesses of different techniques? How susceptible are these to various forms of attack? What contribution to present copyright management practice and grievance resolution is actually provided by watermarks?
Watermarking techniques may be relevant in the following application areas:
a) Applications that convey ownership assertions: The primary use of watermarking is where an organization wishes to assert its ownership of copyright for digital objects. This is of great interest to 'big media' organizations, and of some interest to other vendors of digital information, such as news and photo agencies.
These applications require a minimal amount of information to be embedded, coupled with a high degree of resistance to signal modification (since they may be subjected to deliberate attack).
b) Collaborative copy protection applications: Some schemes have attempted to satisfy more complex copy protection requirements. An early example is the serial copy management system (SCMS), introduced in the 1980s, which enabled a user to make a single digital audio tape of a recording they had purchased but prevented the recording of further copies (i.e. second generation) from that first copy. The scheme failed ultimately because not all manufacturers of consumer equipment were prepared to implement the scheme in their products.
More recently, a working group representing media and consumer electronic manufacturers, has attempted to agree a copy management scheme for the digital versatile disc (DVD). This is intended to enable a consumer to make copies of his home videos without restriction, to permit single-generation recording of broadcast programmes (for time shifting), but to prohibit copying of purchased media.
c) Applications requiring data integrity checks: In these applications, it is necessary to have assurance that the origin of a data object can be demonstrated and its integrity can be proved. One example is photographic forensic information that may be presented as evidence in court. Given the ease with which digital images can be manipulated (as the newspapers demonstrate daily), there is a need to provide proof that an image has not been altered. Such a mechanism could be built into a digital camera.
Watermarks are not particularly effective in assuring data integrity, in that they are usually resilient only to small changes in the data object (cropping, tone-scale correction) and are invalidated by large changes (such as the removal of a figure from an image). Indeed, there is some doubt whether any data-hiding technique will be sufficient for an application that requires data integrity. In cases where proof of data integrity is required, only PKCS mechanisms, which are intolerant of any transformation of the marked object, will provide this level of security.
d) Annotation applications: In this application area, watermarks convey object-specific information ("feature tags" or "captions") to users of the object. For example, individual features in a still image might be labelled, and the whole image given a caption. This may be used to attach patient identification data to medical images, or to highlight regions of diagnostic significance. These applications require relatively large quantities of embedded data. While there is no need to protect against deliberate tampering, normal use of the data object may involve such transformations as image cropping, or scaling, and will require the use of a technique that is resistant to those types of modification.
Different techniques may be required according to the type of media (audio, image, video), and the encoding format used. In addition, each applications area may require different technologies to address the specific service requirements of that area. Finally, further choices may be made depending on the types of transformation (e.g. the compression algorithms) the object is likely to encounter.
Given these technical complexities, and the temptation to think purely in terms of technology, it is well to remember the practical issues of the real world environment within which any scheme will operate.
The term " invisible watermark" should be understood in the context of human perception. A mark may be in plain view, but so designed as to escape the attention of the visual or aural perception systems. (For example, the numbers hidden in the test cards used for diagnosing colour-blindness are plainly perceptible to those with full colour vision, but are invisible to the colour-blind.)
Various properties of the human perception systems are exploited in the design of the encoding methods used for different visual and aural media: in general, the point below which an alteration to a signal is perceptible (the 'just noticeable threshold') encloses a data space within which it may be possible to embed a mark. The mark may be amplified wherever the changes are less obtrusive, and is embedded in the perceptually significant parts of the signal, where attempts at removal would be likely to cause perceptible damage to the signal. Numerous techniques for exploiting various aspects of the human visual and aural systems are described in the literature.
This opens yet another area of research both for those developing novel data-hiding techniques and for those devising attacks on them.
The utility of any security mechanism can be judged only in the context of the security framework in which it will operate. Without a security policy that identifies the rationale, objectives, and operation of information security management within an organization, the introduction of a particular security mechanism is unlikely to improve information security in any significant way.
The HEI security context may, in broad terms, be characterized as a compliance rather than an enforcement environment. In an enforcement environment, either unbreakable technologies or strong legal barriers are needed, usually to protect high value assets. In a compliance environment, the expectation is that the user base is reasonably well-educated in copyright, and that leakages will occur through occasional mistakes and even rarer deliberate acts. The latter in general do not lead to major asset loss unless they occur on a large scale. The technologies reviewed look different when seen in this light. This split is also related to another split, between esoteric/scholarly publishing on the one hand and royalty/profit publishing on the other. There is no clear division but there are significant differences, and they too may affect the appropriateness of technological solutions. So a Disney movie is always likely to require an enforcement-oriented solution, but a digitised ancient journal may only require a compliance solution, while a digitised modern text licensed for class use may require something between the two.
Consideration of the nature of the security policies that may be appropriate for HEIs is beyond the scope of this brief study. These are likely to entail information resource auditing, analysis of vulnerabilities, risk management, and the development of suitable control mechanisms.
Useful guidance towards the development and implementation of an appropriate security policy may be found in BS 7799. Some first thoughts on the organizational requirements of HEIs in the use of digital information resources are given in Section III.
Digital watermarks are intended to confer properties on digital objects similar to those that traditional watermarks confer on printed objects. Paper watermarks were first produced in the manufacturing process from the pattern of the mould left when paper slurry is pressed between frames to expel moisture. These have been used at various times to record the manufacturer's trademark and certify the composition of the paper. Today, most countries use watermarked paper for printing currency, to act as a safeguard against forgery. While this does not provide foolproof protection, it makes forgery that much more difficult.
With the growth in the importance of digital media, accessed over computer networks, much interest has been shown in the development of techniques for embedding digital data in information objects to convey copyright information. The technology is relatively immature, and the extent to which it can satisfy this requirement is not yet proven.
A diverse range of requirements has been proposed for watermarking. For example:
a) Erasing the watermark should be difficult.
b) Adding a new watermark should be difficult.
c) The watermark should survive routine transformations such as filtering, compression, resampling, cropping, channel noise, digital/analogue conversion, and other signal processing artefacts.
d) It should be proof against well-known forms of attack (e.g., collusion attacks, where multiple versions of the same content, stamped with different watermarks, are compared).
e) The watermark should be unobtrusive, and should not impede proper use of the object.
f) The watermark should be pervasive and locally contained, to permit its recovery from a small portion of the data object.
Other requirements, apparently contradictory, have been proposed that vary according to the needs of specific applications:
g) watermarks should be perceptually visible, to reduce the commercial value of a stolen data object (though it could be argued that an authenticated object will have higher street value than an object of unknown provenance)
h) watermarks should be invisible, so that a thief will be unaware that evidence of his illegal copying exists.
As with any emerging technology that is both technically attractive and commercially relevant, many workers have entered the field, proposing different analyses of requirements and different technical solutions.
The first international workshop on Data Hiding agreed some terminology to clarify the basic concepts. The clear input data, or cover object (comprising sound, image, video, or text) is combined with the information to be concealed, the embedded object (the watermark or fingerprint), to produce a stego object. The process of embedding may make use of a secret key known only to the data owner, or one shared with another agent (such as a detector function). This key is required to recover the watermark or fingerprint from the marked (stego) object.
While the scope of data hiding is extensive, and includes a variety of forms of covert communication (of interest both in criminal and military contexts), the present focus of interest is in its application to copyright protection of digital media. Watermarking provides a mechanism to mark all copies of a data object with the owner's mark to assert ownership and copyright properties. In fingerprinting, a unique mark is embedded for each customer who purchases the data object. This acts as a hidden serial number, and enables the owner of the data object to identify which customer was responsible for copying the object to a third party. For example, a publisher of audio content who becomes aware of a copy of his material circulating on the web can identify and challenge the errant subscriber responsible for the copyright infringement.
Unlike traditional steganography, where the detection of the presence of a mark constitutes a successful attack, the detection of a watermark does not necessarily reduce its value (while the watermark should not interfere with normal use of the object, it may leave some trace detectable by analysis). A successful attack on a watermark will usually involve its removal, or its being rendered illegible. For many applications, the effectiveness of a given watermarking technology is dependent on its ability to resist attack.
The volume of data to be embedded is traded off against the robustness of the watermark. A given data-hiding method will provide either a high embedded data volume or a high resistance to signal transformation and tampering. According to the requirements of the application, a technique that favours one or other of these properties would be selected.
Redundancy is a key factor in the operation of a watermarking scheme. The embedded mark is encoded in bits that should not be obvious to an attacker and that do not alter the appearance (or sound) of the covertext. In other words, the embedded mark occupies the same bits as those that may be removed by an efficient compression algorithm. Since compression techniques balance a trade-off between computational cost and compression ratio achieved, embedding should occupy only those low-bandwidth channels of the cover object that are not considered for compression. (Of course, the informed attacker may use the same reasoning and attack those same low-bandwidth channels.) In addition, the embedded mark should occupy the low-bandwidth channels in a way that is resistant to a wide range of signal transformations.
If it is known in advance which compression algorithm will be used, then this problem can be turned to advantage by selecting the method of embedding according to the characteristics of the cover data and of the compression algorithm that will be applied subsequently.
Simple systems act on the least significant bits of the image plane or audio sample, which are simply replaced by bits of the embedded object. While use of this method may not be obvious to the eye, it is easy to detect computationally, and equally easy to remove.
An improvement to this is to use a secret key, shared by the sender and recipient (in this context, the sender may be the copyright owner, and the recipient the watermark detector mechanism). The key is used to generate a pseudorandom keystream that in turn is used to select the pixels or sound samples that will carry the embedded mark. Not all pixels can be changed without leaving some visible trace: for example, in a large monochromatic field, or on a high-contrast boundary. This can be countered by use of an algorithm that checks whether a candidate pixel is suitable for tweaking (by comparing its luminosity with that of its neighbours), and only changing those pixels that pass the test of unobtrusiveness.
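A concrete sketch of this keyed approach follows (illustrative Python/NumPy; the unobtrusiveness test is omitted for brevity):

```python
import numpy as np

def embed_bits(pixels, bits, key):
    """Replace the LSBs of key-selected pixels with the mark bits.
    A real scheme would also test each candidate pixel for
    unobtrusiveness before changing it."""
    stego = pixels.ravel().copy()
    rng = np.random.default_rng(key)              # keystream generator
    sites = rng.choice(stego.size, size=len(bits), replace=False)
    for site, bit in zip(sites, bits):
        stego[site] = (stego[site] & 0xFE) | bit  # overwrite the LSB
    return stego.reshape(pixels.shape)

def extract_bits(stego, n_bits, key):
    """Only the holder of the key can regenerate the pixel locations."""
    flat = stego.ravel()
    rng = np.random.default_rng(key)
    sites = rng.choice(flat.size, size=n_bits, replace=False)
    return [int(flat[site] & 1) for site in sites]

# Hide eight mark bits in a grey-scale 'image'.
image = np.random.default_rng(0).integers(0, 256, (64, 64), dtype=np.uint8)
mark = [1, 0, 1, 1, 0, 0, 1, 0]
assert extract_bits(embed_bits(image, mark, key=42), len(mark), key=42) == mark
```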
This method is susceptible to attack by a variety of filtering processes that commonly alter the values of least significant bits. Some protection may be gained by reducing the size of the watermark and embedding it many times over. Except in applications where the data object is unlikely to be tampered with, these methods do not afford adequate protection, and more robust techniques are required.
Visible watermarking differs from data hiding schemes, and operates by adding a layer of watermark image to a cover image. This is readily susceptible to attack. For example, since the watermark detector is the human eye, this gives an effective opportunity for mounting iterative attacks. Minor modifications can be applied repeatedly until the watermark plane is rendered illegible.
Numerous techniques have been proposed for different media types and different applications, where resistance to modification is traded against the volume of embedded data. A variety of techniques are described in the literature:
a) Data hiding in still images: Various characteristics of the human visual system may be exploited to hide data:
- insensitivity to small changes in luminance
- insensitivity to continuous changes in brightness across an image
- the masking effect of edges.
The " Patchwork" algorithm developed by Bender at al. uses a statistical approach, and hides bits of data by increasing the variance in luminosity of a large number of pseudorandomly selected pixel pairs (one pixel is lightened while the other is darkened). This has a low embedded data rate (though adequate for simple watermarks) and is vulnerable to transformations that disrupt the location of the pixel pairs in which the mark is hidden (by cropping, for example). One main advantage, however, is that without the key for the pseudorandom number generator the mark is very difficult to remove entirely. Anderson and Petitcolas  describe possible methods of attack, but, of course, counter-measures against these attacks are also being developed.
Another method, "texture block coding", hides data within the random texture block patterns of an image by copying a block from a random texture region to an area that has a similar texture. Again, this method has a low embedded data rate but is reasonably resistant to modification by filtering, compression, and rotation.
High bit-rate methods are vulnerable to certain transformations and are effective only where control can be exercised over the handling of the image (these methods can be made more robust by the use of supplementary error-correction coding). In feature tagging and caption applications, where there is little motivation for attack, this limitation is acceptable. One useful property is that a portion of a caption can be made to refer directly to an item in the image. If that item is cropped, the reference to it in the caption may be removed automatically.
b) Data hiding in audio signals: The sensitivity of the human auditory system creates particular difficulties for data hiding. It operates over a very wide dynamic range and has high sensitivity to random noise. One area that can be exploited is its limited differential range: loud sounds mask out quieter ones. Other distortions, so familiar to the listener that they are ignored, can also be exploited.
Audio signals are subject to substantial variation in the choice of digital storage representation and transmission pathway. Sample quantization methods include 16-bit linear for high quality digital audio, and 8-bit mu-law for lower quality audio. Algorithms such as MPEG-AUDIO preserve the perceptual characteristics of the signal but introduce substantial statistical changes. Other changes may be introduced by the transmission medium, such as digital resampling, or digital/analogue conversion.
A simple high-capacity method uses the least significant bit of each sound sample to hold the mark. The main disadvantages are the perceptible introduction of noise, and the high susceptibility to routine transformations such as resampling and channel noise reduction. While these effects can be ameliorated (at the cost of a lower embedded data rate), they limit the application of this method.
Other techniques provide more robust encodings:
- In phase coding, the phase of an audio segment is replaced by a reference phase that represents the data. The relative phase between subsequent segments is preserved by adjusting the phase of those segments.
- In spread spectrum communication, information is encoded using the entire available frequency spectrum (this improves reception at the cost of additional use of bandwidth and power). Embedding the mark across the frequency domain improves its resistance to compression and filtering, and permits several marks to co-exist independently.
- In echo data hiding, the mark is embedded in the cover signal by adding an echo. If the delay between the original sound and the echo is sufficiently small, the user perceives the echo as resonance. Each mark bit is encoded by varying the delay and relative amplitude of the echo, as sketched below.
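The embedding step of echo hiding can be sketched as follows (illustrative Python/NumPy; the delays and amplitude are invented for the example, and detection, normally by cepstral analysis of each segment, is omitted):

```python
import numpy as np

def add_echo(segment, bit, rate=44100, alpha=0.3):
    """Encode one bit in an audio segment as the delay of a faint echo:
    ~1.0 ms for a 0 bit, ~1.3 ms for a 1 bit (illustrative values).
    Delays this short are perceived as resonance, not as an echo."""
    delay = int(rate * (0.0010 if bit == 0 else 0.0013))
    out = segment.astype(np.float64).copy()
    out[delay:] += alpha * segment[:-delay].astype(np.float64)
    return out

# A full scheme splits the cover audio into segments and hides one bit
# per segment, varying the delay (and relative amplitude) per bit.
```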
c) Data hiding in text: A variety of methods are available for hiding data in hard-copy text: by introducing variations in letter, word, and line spacing, by changes to letter forms, and by other techniques developed for use with images.
Soft-copy text offers other opportunities for data hiding. For text encoded in a document formatting language (such as Postscript, PDF or TeX) the language provides sufficient redundancy to make data hiding possible (i.e. a variety of encodings will all produce identical text on paper).
A more difficult case is where plain ASCII text is encoded. This is a highly compact format where even minor changes may be apparent to the reader. Nevertheless, some methods are available:
- Mark bits may be encoded by varying the white space between words, between sentences, and at the end of lines (a sketch of the end-of-line variant follows this list). End-of-line spacing has the advantage that it is imperceptible to the reader, but the disadvantage that the mark is lost on a printed copy. Another disadvantage, common to all soft-copy text, is the ease with which a mark can be removed by generating a canonical form of the encoding (whether the encoding is ASCII, PDF, or any other document format).
- Limited use may be made of syntactic variation (minor changes in punctuation, capitalisation, and use of contractions and abbreviations). Used carelessly, the inconsistent application of syntactic rules may be obvious to the reader.
- With semantic variation, each member of a set of synonyms is assigned a different value, and the use of a particular member encodes the corresponding value. This approach can quickly get into deep water, where the use of forced expressions may raise suspicion, or seriously alter the intended meaning. For example, the sentence "Mine's a large one" can be fatally altered from a request to a boast by changing the adjective.
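The end-of-line variant mentioned above can be sketched in a few lines of illustrative Python (a trailing space encodes a 1 bit, its absence a 0):

```python
def embed_in_line_endings(text, bits):
    """Hide one bit per line in trailing white space."""
    lines = text.split("\n")
    assert len(bits) <= len(lines), "cover text has too few lines"
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip()
        if i < len(bits) and bits[i]:
            line += " "                      # invisible on screen
        out.append(line)
    return "\n".join(out)

def extract_from_line_endings(text, n_bits):
    lines = text.split("\n")
    return [1 if line.endswith(" ") else 0 for line in lines[:n_bits]]

cover = "Soft-copy text offers\nother opportunities\nfor data hiding"
assert extract_from_line_endings(
    embed_in_line_endings(cover, [1, 0, 1]), 3) == [1, 0, 1]
```

As noted above, the mark survives on screen but not in print, and is destroyed by any canonicalising reformat.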
Petitcolas et al. and Craver et al. describe a variety of attacks on watermarking systems. These have shown significant shortcomings in various commercial marking schemes, including PictureMarc, SysCoP, JK-PGS, SureSign, EIKONA-mark, and Signum. The methods of attack are described below:
a) Jitter attack: A number of techniques operate by changing low-order bits in pseudorandomly selected locations in the signal. Adding jitter can attack these methods: the signal is sampled and random samples are deleted or duplicated. This does not introduce perceptible change, but leaves the detector unable to locate the marked bits. Similar attacks may be effective on spread spectrum systems that are not able to recover from loss of synchronisation. In an attack on the SysCoP Demo 1.0 image watermarking system, the deletion and duplication of columns of pixels caused the detection check to fail.
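A sketch of the attack on an audio signal (illustrative Python/NumPy; the number of edits is arbitrary):

```python
import numpy as np

def jitter(samples, n_edits=50, seed=None):
    """Delete or duplicate a few randomly chosen samples. Each edit
    shifts every later sample by one position, so a detector that
    relies on absolute bit locations loses synchronisation, while the
    change remains imperceptible to a listener."""
    out = list(samples)
    rng = np.random.default_rng(seed)
    for _ in range(n_edits):
        i = int(rng.integers(1, len(out) - 1))
        if rng.random() < 0.5:
            del out[i]                  # drop one sample
        else:
            out.insert(i, out[i])       # duplicate one sample
    return np.asarray(out)
```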
b) StirMark: This is a tool developed by Petitcolas et al. to test the robustness of image marking systems. StirMark resamples an image that has undergone minor geometric distortion. The authors report that this attack defeats the majority of commercial image marking products tested. While this is bad news for commercial marking systems, worse still is to note that the process simulates distortions of only a limited type (those commonly produced by printers and scanners). Where a specific distortion method is chosen to target a specific watermark technology, the survivability of any image watermarking scheme may be in question.
In the game of measure and countermeasure, two can play. IBM researchers have recently announced a technique that defeats the StirMark attack. This detects and measures geometric distortion in images, and removes the distortion to restore the image geometry. As StirMark does not actually remove watermarks (rather, it renders them undetectable), this countermeasure enables the original watermark to be recovered from the realigned image. It would seem necessary, however, to develop a new countermeasure every time the distortion algorithm is altered.
c) Mosaic attack: One scheme for the detection of copyright infringement involves the use of a web crawler whose function is to download image files and inspect them for the presence of specific watermarks. This can be defeated trivially by dividing an image into subimages with rendition instructions that will cause common browsers to reassemble the complete image when displayed. The subimages must be sufficiently small that no single image on its own will contain a recognisable mark. To counter this, the web crawler would need to render each web page (which may involve execution of Java applets, in itself another possible area of interest) before it attempts watermark detection. This attack, like StirMark, does not attempt to remove the watermark, but simply makes it undetectable.
A further difficulty of this approach is where a web site is locked behind a portal that requires credit card payment. It is a little galling to pay a site in order to police it.
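The tiling step of the mosaic attack described above is easily sketched (illustrative Python using the Pillow imaging library; file names and tile size are arbitrary):

```python
from PIL import Image

def mosaic(path, tile=32, prefix="tile"):
    """Split an image into tiles too small to carry a recognisable mark,
    and emit HTML that reassembles them seamlessly in a browser."""
    img = Image.open(path)
    w, h = img.size
    rows = ['<table cellspacing="0" cellpadding="0"'
            ' style="border-collapse:collapse">']
    for y in range(0, h, tile):
        rows.append("<tr>")
        for x in range(0, w, tile):
            name = f"{prefix}_{y}_{x}.png"
            img.crop((x, y, min(x + tile, w), min(y + tile, h))).save(name)
            rows.append(f'<td><img src="{name}" style="display:block"></td>')
        rows.append("</tr>")
    rows.append("</table>")
    return "\n".join(rows)
```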
d) Echo hiding attack: The echo hiding marking scheme was found to be robust against the jitter attack, but was susceptible to an iterative attack using an approach developed from time series analysis.
e) Inversion attack: Another class of attack described by Craver et al. disrupts ownership claims, not by attempting to remove an embedded mark, but by adding a second mark. If a data object contains two copyright marks there is no intrinsic proof as to which is the original.
It appears obvious that examination of the original image should reveal the true owner: if the two parties (by convention, Alice and Bob) reveal what each claims is the original image, then the true owner's mark (Alice's, let's say) will be present in Bob's 'original'. Alice's original will not contain Bob's mark. So all that a publisher needs to do is to keep a safe copy of each original image with the details of its watermark, and publish only marked images. Unfortunately, this does not provide reliable proof of ownership.
In this attack, Bob derives a counterfeit 'original' from the watermarked image without access to the true original. Bob selects some arbitrary features of the watermarked image and applies an inverse function which subtracts this 'watermark' to create a corresponding fake original. Applying this derived watermark to the fake original yields an image identical to Alice's watermarked image. Furthermore, if Alice's true original is now passed to a watermark detector with Bob's fake original, it appears to show the presence of Bob's derived watermark. In effect, by subtracting an arbitrary watermark from Alice's watermarked image, Bob has made it appear that Alice's true original contains his mark.
While this method of attack will defeat most current watermarking schemes, Craver et al. suggest that it may be possible to devise 'non-invertible' techniques (though these have unwelcome side-effects, such as reducing the confidence with which a watermark can be detected).
Alternatively, it may be that this attack demonstrates a basic limitation of digital watermarking, and shows the need to rely on conventional copyright protection procedures, such as document registration, to establish ownership. The effective scope of digital watermarking may be narrower than many researchers currently envisage.
f) Collusion attack: Several conspirators acquire copies of a data object each of which has been marked with a different fingerprint (to enable the vendor to identify the source of any subsequent leakage of the document). If the copies are compared, an 'average' version of the object can be derived that is very close to the original (unmarked) version, and unattributable to any of the conspirators.
Another form of collusion attack is effective against frame-based data objects (i.e. those that comprise pixels, or other data quanta), where the original signal is encoded as a bit stream comprising a sequence of frames. Given several copies of the data object, each marked with a different fingerprint, a new object can be assembled by taking successive frames from each copy at random.
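The averaging form of the attack is trivial to sketch (illustrative Python/NumPy):

```python
import numpy as np

def collude(copies):
    """Average several differently fingerprinted copies of one image.
    Independent marks largely cancel out, leaving a version close to
    the unmarked original and attributable to none of the conspirators."""
    stack = np.stack([c.astype(np.float64) for c in copies])
    return np.clip(np.round(stack.mean(axis=0)), 0, 255).astype(np.uint8)
```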
g) Attacks using a watermark detector: An attacker with access to a watermark detector may exploit this to discover how minor changes to an image affect the strength of watermark detection (many detectors report the probability of the presence of a watermark, but attacks can be equally effective where the detector simply returns a binary result).
h) Attacks on copy control mechanisms: A scheme for serial copy management of DVD is described in 3.2. The experience of satellite TV piracy suggests that some attackers may approach the problem not by attacking the watermark, but by tampering with the consumer electronics equipment. One simple attack is to interfere with the output signal of the watermark detector so that it always reports "watermark absent". A more subtle attack applies a weak scrambling to the copy-protected signal, prior to recording. The detector will permit copies to be made. On playback, the scrambled signal is unwatchable, but the use of a descrambler will render a perfect image. This type of scrambling and descrambling hardware may be marketed for the legitimate purpose of supporting a content confidentiality capability for a user's personal video recordings.
i) Other attacks: Some products are vulnerable to relatively simple attacks:
- Attack on SafeImage: This scheme creates a wrapper for images stored on a Web site that permits their display only by the use of a Java applet that disables the browser's Save command. The image, however, can be readily retrieved from the browser's cache (a number of cache inspection tools will facilitate this).
- Attack on PictureMarc: A user acquires an ID and a two-digit password on subscription, and these are verified whenever the display software is executed. A debugger can be used to short-circuit the password check, and, with a little more effort, to overwrite an existing mark.
A further concern is where uncritical faith is placed in the reliability of watermarks, which can lend spurious authority to a counterfeit digital object, such as a forged document, or a compromised item of commercial software. In some instances, watermark counterfeiting could cause more harm than watermark removal.
The courts may find that reasonable doubts arise over the reliability of the evidence provided by watermark detection. For example, detection may be possible only after the object has been converted to a suitable format. If only the content owner himself is able to detect a watermark, and can do so only after the application of some complex in-house pre-processing, his case is certainly weakened, and lacks the independent third-party verification that the courts may require.
While it appears from the cases described above that current digital watermarking technology provides little real protection, it does not follow that watermarking has no role to play in copyright protection. Though today's poachers are well ahead of the gamekeepers, the commercial demand for effective watermarking technology is urgent, and copyright owners may take the view that some safeguard is better than none. But in addition to techniques that offer greater security, it may be necessary to develop a broader framework (involving protocol, procedures, and standards) within which copyright protection can function effectively.
Anderson et al. consider some of the difficulties to be overcome in the development of a general model for data hiding systems, and propose a number of techniques that test the limits of data hiding technology. It bears repeating that watermarking is itself an application of data hiding technology.
A technique that embeds mark bits in pixels selected using a keystream generator was described in 4.2. Locations are avoided where the presence of the mark bits may be detectable. An improvement to this is to select sets of pixels (again, using the keystream generator) and embed a mark bit as the parity of each set. The advantage of this is that any pixel whose modification will be inconspicuous may be changed.
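A sketch of this parity variant (illustrative Python/NumPy, building on the keyed selection described in 4.2; here the first pixel of a set is flipped, whereas a real scheme would choose the least conspicuous member):

```python
import numpy as np

def embed_parity(pixels, bits, key, set_size=16):
    """Carry each mark bit as the parity of the LSBs of a key-selected
    set of pixels: any one member of the set may be tweaked to fix the
    parity, so an inconspicuous pixel can always be chosen."""
    stego = pixels.ravel().copy()
    rng = np.random.default_rng(key)
    sites = rng.choice(stego.size, size=len(bits) * set_size, replace=False)
    for i, bit in enumerate(bits):
        group = sites[i * set_size:(i + 1) * set_size]
        parity = int((stego[group] & 1).sum() % 2)
        if parity != bit:
            stego[group[0]] ^= 1   # a real scheme picks the best site
    return stego.reshape(pixels.shape)

def extract_parity(stego, n_bits, key, set_size=16):
    flat = stego.ravel()
    rng = np.random.default_rng(key)
    sites = rng.choice(flat.size, size=n_bits * set_size, replace=False)
    return [int((flat[sites[i * set_size:(i + 1) * set_size]] & 1).sum() % 2)
            for i in range(n_bits)]
```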
The use of synonyms to encode hidden data has already been described in 4.3 c), and illustrates the notion of equivalence classes of data objects (where two objects are equivalent in effect, when rendered, but different in form). In general, where a formal language (e.g., Postscript, PDF) is used to encode a data object, this provides ample bandwidth for embedding additional information.
Executable code offers many opportunities to exploit equivalence. While compiled code will always push and pop registers in a consistent way, assembly language code can accommodate great variation, to produce software 'birthmarks' that may be used to prove authorship. Compilers can be modified to introduce random variation in equivalent code fragments. Of course, if a pirate has a better tool for exploiting code equivalencies than an author, any variations introduced by the author will be lost in noise. Again, this is a game two can play.
In general, adding noise to a signal may be an effective way for a pirate to limit the bandwidth of the stego-channel and thus disrupt any hidden data.
Earlier work on steganography was based on the assumption that a sender and receiver could exchange hidden data safely only by the use of a shared secret (a symmetric key). Anderson has pointed out the application of public-key cryptosystems (PKCS) to steganography. In PKCS, two keys are used (asymmetric keys), one public and one private, rather than the single key used in conventional cryptography. Each key pair is associated with a single user. The public key may be used by any user to encipher data that only the recipient (Alice, let's say) can decipher (using her private key). Conversely, Alice can generate a message and sign it (using her private key), so that any user can verify the signature (using Alice's public key). See X.509 for further information.
In steganography, Alice can encode a message for Bob (without prior exchange of secret information), by enciphering it using Bob's public key. The enciphered message is embedded in the covertext using one of the techniques described above. Bob then uses his private key to decipher the message (of course, he does not know beforehand which messages contain hidden data, so must attempt to decipher every one received). (In practice, as in conventional cryptography, it is customary to generate a one-off session key to encipher the message, and transmit the session key enciphered using Bob's public key.)
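A minimal sketch of the hybrid arrangement described above (illustrative Python using the cryptography package; the embedding step would reuse any of the data-hiding techniques already described):

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

oaep = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

# Bob publishes a public key; no secret is shared with Alice beforehand.
bob_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
bob_public = bob_private.public_key()

# Alice: generate a one-off session key, wrap it under Bob's public key,
# and embed the wrapped bytes in the covertext (embedding step omitted).
session_key = os.urandom(32)
hidden_payload = bob_public.encrypt(session_key, oaep)

# Bob: extract the payload from each received object and attempt to
# unwrap it; only messages that really carry hidden data will succeed.
recovered = bob_private.decrypt(hidden_payload, oaep)
assert recovered == session_key
```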
Whereas PKCS supports services such as origin authentication, content confidentiality, content integrity, and non-repudiation of origin, public key steganography adds the capability of covert communication.
In the 'passive warden' case (where a third party can merely eavesdrop on the exchange between Alice and Bob) the technique described here provides secure, covert communication. In the case of an 'active warden' (where a third party can change bits in each message with the intention of disrupting any hidden data present) it would appear that public key steganography would be easily defeated, since any change to the hidden data will cause decipherment to fail, though this disruption would be apparent to Bob. In this context, the data pirate performs the role of active warden. Anderson suggests the use of error correcting codes and out-of-band communication of session keys as ways of thwarting the active warden.
The literature on watermarking suffers an unfortunate lack of orthodoxy in the use of terminology. Confusion may arise from use of the term 'digital signature' when all that is meant is an owner's simple watermark. Conventionally, the term digital signature is used in the context of public key cryptography, where it refers to the origin authentication service of PKCS systems. Further confusion may arise from the use of the terms 'public watermark' and 'private watermark'. The former refers to the case where the watermark detector is generally available; the latter applies where the watermark key is not disclosed (and therefore only the owner can perform detection). In PKCS, the terms public key and private key refer to the key pair associated with a single user. Finally, the term 'asymmetric fingerprint' should not be confused with the asymmetric key concept of PKCS. The misuse of terminology is, unfortunately, an enduring feature of IT.
A brief description of PKCS is given in 4.5.3, and some of the services it supports in 3.1. Differences between watermarking and PKCS properties have already been noted but are worth summarizing:
a) Location: Watermarks are embedded throughout a cover object, both as a way of using bandwidth effectively, and, in some applications, to protect any data fragment abstracted from the stego object, such as a sound bite. PKCS tokens are encoded as external attachments to the data object.
b) Robustness: Certain watermarks are designed to be capable of surviving routine transformations of the stego object (such as compression, cropping) as well as surviving deliberate attacks. This confers the useful property that the watermark will persist regardless of the data format used to encode it. PKCS tokens are fragile and are rendered ineffective if either the token itself or the signed data is changed in any way.
c) Cryptographic strength: No unequivocal claims can be made about the resistance of a watermarking technique to tampering (its ability to resist a deliberate attempt to remove the watermark or generate a counterfeit). For PKCS, pragmatic statements can be made about the 'computational infeasibility' of breaking a given algorithm, with a given key size, within a specific time, and using a specific computing resource.
In PKCS, it has been found necessary to introduce key replacement mechanisms (certificate revocation) as an essential component of key management. The reason for this key ageing is to indicate the period after which the key could be compromised by computational attack. The requirement here is to guarantee the security of a data object for a finite period - the value of the information diminishes rapidly over time (e.g. the message " sell pork-bellies after 3.17pm" loses its value shortly after that time). For digital resources such as commercial music, however, the value of the object may not diminish over time (e.g. a 1955 Callas recording is still sold today as a full price CD). A considerable problem for watermarking, therefore, is that pirates will value watermarked objects well into the future, and marks produced now will be exposed to attack by pirates with ready access to computing resources greatly in excess of those available today.
d) Function: PKCS provides capabilities that support encryption and authentication services. Within the constraints indicated (time, key size, computing resource) it provides evidence that would satisfy tests of proof and non-repudiation. PKCS could be used to establish a document notarisation service, which supplies a dated signature when presented with a document, even without the existence of a public key infrastructure (only the trusted notary possesses a key). Watermarking supports covert communication, but given its susceptibility to attack (see 4.4), may not reach the standard of proof required by the courts.
e) Scalability: Fingerprinting does not scale well. While the method may be effective for low-volume sales, it is impractical in mass production to supply every customer with a unique copy. Nor is it likely that customers would be willing to divulge personal information every time they make a routine purchase (fingerprinting is effective only if the customer can subsequently be identified). In addition, the covert bandwidth available may not be sufficient to hold the quantity of data required for unambiguous identification.
PKCS solutions fare not much better than fingerprints. While there is no shortage of bandwidth, the absence of a public key infrastructure is something of a showstopper. Moreover, once the customer has received a data object and processed the token (which may provide origin authentication, data integrity, and perhaps content confidentiality) he obtains an unprotected cleartext.
From this, it appears that PKCS has a limited role in copyright protection. It is very effective in satisfying the security requirements of data objects in command and control environments, but does not appear to adapt well to the requirements of the commercial media environment. The comparison does serve, however, to emphasise the relative weakness of watermarking technology and the practical limits to its effectiveness for copyright protection. Nevertheless, this remains the most promising technology for implementing some form of copyright protection, albeit imperfectly.
Just as compression techniques are effective only when they become widely adopted by industry, so standards for watermarking are needed to assist potential users in evaluating the relative strength of different watermarking products, in assessing their suitability for specific applications, and in integrating watermark software in existing environments. The following areas of standardization have been suggested:
a) Benchmarks of robustness: A wide range of signal manipulations are applied routinely in the everyday use of digital content (filtering, compression, cropping, conversion, etc.). A standard benchmark of robustness against various forms of transformation would assist users in matching watermarking products to specific requirements.
A further benchmark should test the ability of a watermarking product to resist the well-known types of attack that have already been documented in the literature. It may be anticipated that the list of these attacks will lengthen.
b) Application Programming Interface: While manufacturers are often highly resistant to the adoption of common interfaces (particularly those whose products are market leaders), there is some recognition that customers are aware of the risks of becoming locked-in to a single manufacturer's products and prefer products that support industry-standard APIs.
Statements on additional properties would also inform a potential user:
c) Characterisation: Other properties of a watermarking technology (capacity, localisation, key type) would indicate its suitability for a specific application, such as one that requires annotation, or data integrity.
While standardization in the areas described is likely to emerge, it may be premature to expect any moves towards this for some time. New techniques are proposed in every new edition of the relevant journals. The subject is discussed in numerous conferences every year (in some, it is the exclusive topic). It may be some time before the technology and the markets are sufficiently mature to accept the adoption of standards.
Digital data hiding technology is still in its infancy, and lessons may be drawn from recalling developments in the related field of cryptology. From the 1970s, numerous cryptographic algorithms were proposed, effective attacks were devised, and improved algorithms developed. (A good, if rare, example of the Popperian 'bold conjecture and refutation'.) Theoretical advances eventually led to a better understanding of the nature of the various cryptographic algorithms and their relative strengths and weaknesses.
Still today, developers of cryptographic products will publish details of the principles on which an algorithm is based and issue challenges inviting attack. One reason is that the strength of a cryptographic algorithm cannot be proven (i.e. only the converse can be proven, that it is susceptible to a given form of attack). The most that can be said is to assert that it is 'computationally infeasible' to break a given algorithm with a given key size within a specific time and using a specific computing resource. Confidence in the strength of a cryptographic algorithm grows over time, therefore, as its history of resistance to attack grows. Researchers are aware, however, that new methods of attack may be devised at any time, and that weaknesses in secure protocols may be discovered after years in use. Furthermore, the absence of a public announcement of a successful attack does not guarantee that one has never occurred.
It is a familiar principle of cryptology that the strength of a particular approach cannot depend on the obscurity of the technique. Unfortunately, many vendors of watermarking products have made the false assumption that the security of their products is strengthened by keeping secret the details of their manner of operation.
It can be hoped that watermarking schemes will gradually improve in strength, following a similar iterative pattern of proposal, testing, and improvement. Moreover, the strong demand for the technology should stimulate the development of better solutions. However, the kind of breakthrough that Diffie and Hellman made in 1976 in public key cryptography cannot be predicted for watermarking.
To conclude this overview of watermarking technology, it is well to recall that most failures of secure systems are not the result of cryptographic attack by clever opponents, but arise from the exploitation of implementation and management shortcomings of these systems. Where a direct attack on the cryptographic algorithms is too expensive, or too difficult, the opportunistic attacker will turn his attention to more readily exploited weaknesses.
a) In a simple prepayment electricity meter system, the value of a token purchased by a customer was protected on the token itself but the tariff was not. By modifying the unprotected tariff setting to a fraction of its correct cost per unit, a token could be made to deliver electricity almost indefinitely.
b) To maintain an ATM service for its customers while the bank's mainframes went off-line for overnight batch processing, one bank started encoding each client's PIN number on the magnetic strip on the client's card. One thief discovered that if he changed the account number encoded on his own card to that of another client, using card writing equipment, he could enter his own PIN number and withdraw money deposited by that other client. The encrypted PIN number provided no protection since it was not salted with the account number.
c) One make of ATM provided a test transaction facility that issued ten banknotes when the correct fourteen digit sequence was entered. A bank published this number in its branch manual, with predictable results (though the trick took three years to catch on).
d) A programming error in one bank's ATM software caused the insertion of a telephone card into an ATM to be interpreted as the reinsertion of the previous client's card. The thief would queue up, observe the last client's PIN as it was entered, and simply decide on the size of the withdrawal.
e) Italy's unfortunate distinction as the leader in ATM fraud can be explained by the failure of its banks to close two well-known loopholes first exploited in other countries: firstly, bogus ATMs abound, providing a prosaic means of garnering customers' account and PIN numbers; secondly, the high proportion of off-line ATMs enables an attacker to open an account, acquire a card and PIN, and organise a group of confederates, each supplied with a copy of the card, to make synchronized withdrawals from as many different off-line ATMs as they can visit.
f) Some security products acquired by banks contain trapdoors provided for the convenience of product engineers. With the best will, no control procedures can compensate for such weaknesses. Elsewhere, control procedures can become compromised, or can fall into disuse with staff turnover. For example, a standard safeguard in key management is to provide two key holders with key components that each enters to form the complete key. In practice, managers are often willing to reveal their key components to service engineers to save themselves the trouble of remaining in attendance during maintenance (or, Anderson suggests, because older managers regard use of a keyboard as beneath their dignity!). An engineer in possession of the complete key can forge cards at will.
The purpose of these examples is to indicate the broad range of weaknesses that have been discovered in secure systems. There is more than one way to skin a cat, and without a strong procedural framework for copyright protection of digital resources, it would appear that present watermarking technology can give media owners only a false sense of security.
The watermarking techniques described above are passive - they require an additional active policing mechanism that inspects digital objects for the presence of copyright protection information. This mechanism may take the form of hardware protection (as used in collaborative copy protection applications where it is built into consumer electronic equipment), automatic inspection (web crawlers), or traditional policing methods.
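By way of illustration, the following sketch (in Python) shows the skeleton of the web-crawler form of policing: fetch candidate objects and test each for an embedded mark. The function detect_watermark() is a purely hypothetical placeholder; real detectors, and the crawling logic of commercial monitoring services, are considerably more elaborate.

    from urllib.request import urlopen

    def detect_watermark(image_bytes: bytes, owner_id: str) -> bool:
        # Placeholder for a proprietary watermark detector; a stand-in test only.
        return owner_id.encode() in image_bytes

    def police(urls, owner_id):
        # Visit each URL and flag objects in which the owner's mark is detected.
        suspects = []
        for url in urls:
            try:
                data = urlopen(url, timeout=10).read()
            except OSError:
                continue  # unreachable URL or network error; skip it
            if detect_watermark(data, owner_id):
                suspects.append(url)  # candidates for human or legal follow-up
        return suspects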
A fair question to ask is this: what additional protection mechanisms are required beyond those provided by existing copyright protection procedures, and to what extent does watermarking provide them? The following issues may be relevant:
a) Establishing proof of ownership: It is unclear whether this is a serious problem. The origin of works by artists such as Ivor Cutler or Gerald Scarfe is rarely in dispute. Arguments between pop artists may be another matter. In any case, watermarking cannot be relied upon to provide more than an indication of ownership. To establish proof will often require a demonstration of provenance. For digital objects, this could be provided by a document notarisation service, in which a dated signature issued by a trusted third party demonstrates possession of a document at a given time (a sketch of such a service follows this list).
b) Discovery of copyright infringement: Watermarking may become an effective technology for identifying instances of use of copyright material. Whether a given use is in violation of, or within, the terms of a licence agreement may require legal determination. Of course, media owners do not begrudge the cost of lawyers' retainers: some years ago Disney tried to squeeze royalties from a day care centre in Florida for painting Mickeys and Plutos on its walls. If media owners are already alert to such minutiae, do they really need additional mechanisms to flag instances of use?
c) Volume of data: It might be argued that existing protection mechanisms, whatever their effectiveness, would be overwhelmed by the sheer volume of digital data now available electronically. On the other hand, is it worth the hue and cry to track down the use of a copyright image on an obscure home page? After all, the majority of web-based material is inconsequential. A serious infringement of copyright presumably entails high-volume distribution, which is very likely to be discovered by conventional means.
d) Legal enforcement: In countries where copyright law is mature, and a well-established protection framework is in place, enforcement by the courts is possible. In other countries, copyright law is enforced less effectively, and the use of watermarks may have little effect. (Of course, retribution may take the form of trade barriers levelled at an unrelated industry in the errant country. Anyone for a banana war?)
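The notarisation service mentioned in item (a) can be sketched as follows (in Python). A real service would issue a public-key signature, so that anyone could verify the receipt; here an HMAC under a key known only to the notary stands in purely for illustration, and all names are hypothetical.

    import hashlib
    import hmac
    import json
    import time

    NOTARY_KEY = b"key-known-only-to-the-notary"  # hypothetical

    def notarise(document: bytes) -> dict:
        # Issue a dated receipt binding the document digest to a timestamp.
        receipt = {
            "digest": hashlib.sha256(document).hexdigest(),
            "timestamp": int(time.time()),
        }
        payload = json.dumps(receipt, sort_keys=True).encode()
        receipt["signature"] = hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()
        return receipt

    def verify(document: bytes, receipt: dict) -> bool:
        # Check that the receipt matches the document and the notary's key.
        claim = {"digest": receipt["digest"], "timestamp": receipt["timestamp"]}
        payload = json.dumps(claim, sort_keys=True).encode()
        expected = hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()
        return (receipt["digest"] == hashlib.sha256(document).hexdigest()
                and hmac.compare_digest(expected, receipt["signature"]))

A dated receipt of this kind shows only that the document existed, and was in the claimant's possession, at the stated time; it does not of itself prove authorship.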
For practical applications, a calculation of the cost-benefit of using a technology such as watermarking must show a positive outcome before a decision on its use can be made. It might be thought that the major media conglomerates are more than able to look after themselves, and their own copyright interests. HEIs may have no particular concern over the measures adopted by Hollywood to protect film and sound media. One emerging development, however, is the speculative purchase of media resources by companies who anticipate a near eternal revenue stream from pay-per-view use of the material. An extension of copyright law, championed by the majors, may be acceptable for the blockbuster movie, but is not acceptable for scholarly use, say, of images from the National Gallery.
A brief reading of the mission statements adopted by Universities shows that they place a clear emphasis on the advancement and dissemination of knowledge, and the promotion of research, learning, and teaching. The primary role of University Libraries is the acquisition, management, and provision of access to information resources, in support of study and research activities within the University and the wider community.
On the face of it, therefore, there appears to be scant need for mechanisms that police scholarly use of information resources. There is, of course, a responsibility to observe copyright, and fulfil obligations stipulated by the owners of information protected by copyright. The present challenge, however, is to exploit the new opportunities made possible by web technology for improved access to digital information resources.
Traditionally, the focus of attention on copyright issues within Universities has been to protect the institution from the charge that it has acted in a way that enabled a member of staff or a student to violate copyright. While respect for copyright remains an essential duty, it may now be appropriate for Universities to develop policies for the protection of intellectual property generated within the institution. The following classes of information may require protection:
a) teaching material, user guides, help desk knowledge base, directories of staff and students placed on the web
b) material offered for external publication: a member of staff should ensure that rights to use such material for internal teaching purposes are retained
c) information generated during a period of study: the rights of a student to intellectual property developed during his period of study should be clarified; equally, any constraints on the subsequent use of intellectual property acquired during a period of study should be clearly stated.
In practice, the placement of an academic work on the web is regarded as an open invitation to make use of it; at best, the writer may hope for the courtesy of an acknowledgement. With present communications technology, the only certain way to retain exclusive rights to your work may be to lock it in a filing cabinet.
The purpose of this paper has been to provide an overview of copyright protection technology, and consider its possible application to the academic environment. In exploring the literature, however, a more important question for HEIs has become apparent, namely, will the currently proposed extensions to the legal framework governing copyright issues impede the legitimate research, learning and teaching functions of Universities?
Ever since the US copyright industries became aware that the free exchange of digital media over the Internet could damage their commercial interests, they have lobbied hard to extend the copyright laws, and thereby turn a threat into an opportunity. What with the costs of election campaigning these days, and the economic power at the disposal of the media industries, the lobbyists have recruited many allies in Washington.
The most extreme proposals of this lobby (representing the major film producers, sound recording companies, and print publishers) have been rejected at international level, at meetings of the World Intellectual Property Organization (WIPO)  , but the stakes are sufficiently high that the industry is unlikely to accept defeat gracefully. They aspire to the following extensions to copyright law:
a) designate the temporary storage of material in computer memory as copyright violation
b) extend control over digital transmission, so that it will be regarded as copy distribution
c) replace "fair use" provisions with licence agreements wherever possible
d) deny "first sale" rights to digital media (i.e. those rights that allow you to lend, donate, or resell a book, tape, or CD purchased from a retailer)
e) attach copyright management information to digital media, to control and monitor its use
f) make it illegal to attempt to circumvent any copyright protection mechanism attached to digital media
g) make ISPs responsible for policing their customers' behaviour
h) educate the public (in particular, children) on the obligations placed on them by the new copyright laws.
While the more extreme of these measures have been successfully opposed, the copyright industry in the US has won its battle to extend the copyright term by an additional twenty years. Why the untalented nephews of creative artists should be rewarded for a full 95 years may be hard to justify. As Pete Seeger said, "The grandchildren should be able to find some other way to make a living, even if their grandfather did write 'How Much Is That Doggie in the Window'." Of course, the main supporters of the extension are the major corporations, like Disney, whose copyright on Mickey Mouse was due to expire in 2003, on Pluto in 2005, on Goofy in 2007 and on Donald Duck in 2009. The fact that no works will now enter the public domain in the US for a full twenty years amounts to a straight handover of public interest to private hands.
The Uniform Commercial Code is a model law designed for enactment by state legislatures to unify commercial transactions throughout the US. Draft Article 2B extends the law to cover transactions in information products and services. Given the scale of the information market (the US exports over $40 billion worth each year) the draft law is likely to have a substantial effect on international commerce  .
The central pillar of Article 2B is a move towards the licensing of information products rather than the outright sale of works under traditional copyright law. This move began in the early 1980s, when the copyright status of software was unclear, and software vendors introduced the "shrink-wrap" licence. Until now, the US courts have generally held that the terms of these licences are unenforceable under both contract law and intellectual property law. The effect of Article 2B will be to validate "shrink-wrap" licences under contract law, and hence to greatly advance the interests of copyright proprietors. The following consequences of Article 2B may be noted:
a) The sale of a work entails a complete transfer, from the vendor to the buyer, of ownership rights over a particular copy. Thereafter the buyer may sell his copy, lend it to a friend, or donate it to a library. By contrast, a licence transfers limited rights to use information on stated terms and conditions. This may seriously constrain the use of information resources. Moreover, licensing may be extended to cover all forms of information dissemination: CDs, books, magazines, and videos may all be shrink-wrapped.
b) Mass-market licences typically disclaim warranty, prohibit resale, and forbid modification and even backup of content. Most purchasers consider these conditions unreasonable, and judicial opinion has tended to agree, regarding the contract of sale as binding, rather than the additional terms contained in the licence (to which the purchaser has not explicitly agreed). Under article 2B, restrictive licence terms will be enforceable, and breach of these may terminate the limited rights the purchaser does enjoy.
c) Vendors are permitted to embed software that will electronically disable a product if they believe the terms of the licence have been breached, and presumably they will be able to disclaim responsibility for lost business if the off-switch is triggered in error.
d) One notorious provision prohibits consumers from criticizing a vendor's product (though this may fall foul of the safeguard against 'unconscionable' terms).
e) When a consumer clicks the 'I agree' button, or downloads information after having been presented with the terms of a long and complex licence, this token assent may be considered sufficient to bind the consumer to the terms of the licence.
f) Vendors will be able to evade normal warranty provision: if a software failure in a critical application shuts down a business, the vendor's liability may be confined to a simple refund, even if the vendor knew at the time of sale that the product was defective.
The level of opposition to Article 2B has caused a one year delay in its passage. It is now expected that the wording will be settled in 1999 and presented to state legislatures in 2000. Unless a better balance is struck between the interests of information users and information providers, the commercialisation of information products can have only negative consequences for education and research.
The Digital Millennium Copyright Act (DMCA), which passed into US law in October 1998, amended US copyright law for the digital information environment. While this does not entirely enact the agenda of the copyright maximalists, it offers only strictly limited 'fair use' protection to the users of copyrighted works.
a) Circumvention of copyright protection measures: There is a general prohibition on the circumvention of copyright protection measures, or the supply of technology whose main effect would be to assist circumvention. Over a two-year period, the Librarian of Congress is to determine appropriate exemptions to the prohibition. A number of exceptions are already provided: reverse engineering for certain limited purposes; law enforcement; encryption research; and libraries and educational institutions (solely to enable them to determine whether to acquire a work).
b) Copyright management information: The law prohibits the alteration of any copyright management information embedded in digital works. Transgressors who commit violations for commercial gain are liable to criminal penalties.
c) On-line service provider liability: The DMCA limits the liability of OSPs for copyright infringement in several situations (the broad definition of "OSP" may allow some non-commercial service providers to shelter under the same provisions). The rules grant exclusion from liability for copyright infringement to OSPs that transmit and store information for on-line access, provided that their systems comply with prescribed operational procedures, that they are unaware of any copyright infringement, and that they cooperate with copyright owners to disable access to copyrighted information ("take down" procedures).
d) Exemption for libraries and archives: The act permits limited use of digital technologies in support of preservation activities, but prohibits public access outside the premises of the library or archive. Libraries also have a limited exception to use works in their last twenty years of copyright protection (i.e. those additional years provided under the Sonny Bono Copyright Term Extension Act).
Libraries should be aware of the implications of the DMCA for the academic community:
e) Anti-circumvention: The new anti-circumvention rules will encourage the distribution of digital content in encrypted form (both on-line, and by physical media), as concerns over piracy should be lessened by the severity of the penalties for tampering with copyright protection information. In turn, this is likely to encourage the use of licence agreements and the possible introduction of 'pay-per-view' conditions of use. Some US commentators believe that this constraint on access and use of information represents a threat to the proper function of libraries, and restricts the role they will be able to play in an increasingly information-rich world. The US library community has two years to make representations to the Librarian of Congress before regulations controlling access to particular classes of work are published. The needs of teaching, learning and research will require some persuasive advocacy.
f) OSP liability: Given the complexity of the rules, it is not entirely clear whether libraries should attempt to take shelter under the provisions that limit OSP liability. Some institutions may find it too onerous to fulfil the obligations necessary to qualify for limitation on liability. For others, the need to protect against monetary damages may be a decisive factor.
g) Distance learning: While the DMCA does extend protection to certain educational activities, the transmission of information over the Internet for the purpose of distance learning is an open issue, and currently the subject of study by the Copyright Office. Unless educators can argue the case for granting the same exemptions to online education as apply to classroom teaching, use of this important new teaching medium may become impractical.
In the interests of balance, it may be wise to return Chicken Little to the coop for a moment, and consider whether changes in US law have any real significance for libraries and academics in the UK. The basic advice is that we should "not be desperately concerned", since UK law prevails in this country, even where copyright is vested in a US owner. It may be, however, that the DMCA will change the model of publication to one where product licensing displaces outright sale altogether. US publishers may push the limits of copyright law in other countries using commercial marketing and pricing models developed in the US. Its virtual ownership of the Internet gives the US a dominant position in the regulation and future direction of Internet technology.
JISC and other responsible bodies have made extensive studies of copyright issues in higher education, and have made considerable progress towards achieving consensus with the Publishers Association on the definition of activities that constitute "fair dealing". The publishers of academic works share considerable common interests with the producers of those works, and each side recognises its dependence on the other.
Future changes in UK law are likely to arise from the proposed European Copyright Directive which may be approved by 2000. Unfortunately, the European Parliament has a weak grasp of the technology involved (does it make sense to outlaw caching?) and, so far, has erred on the side of protectionism. The European academic community could productively participate in this debate.
This paper has reviewed the technical details of watermarking and PKCS technologies, and has considered the services and classes of application where these technologies might be effective. These technologies are undergoing rapid development, and it should be cautioned that the shelf-life of commentary is brief. Nevertheless, some conclusions may be offered:
a) The service capabilities of watermarking and cryptography differ. The former are often robust, but do not embody provable assertions. The latter are fragile, but can be validated with a high degree of confidence.
b) Watermarks may be most effective in applications where they are not subject to attack (e.g. the annotation of medical images).
c) Watermarking is an active area of research, and new techniques are constantly emerging. Effective methods of attack are appearing with similar frequency. Some attacks (such as StirMark, and the inversion attack) are so effective as to suggest that the limitations of the technology may be intrinsic. With all its imperfections, however, watermarking will remain attractive to copyright owners, on the grounds that some protection is better than none.
d) Even with techniques better able to resist attack, watermarking, of itself, confers limited protection against copyright infringement. Any security technique is ineffective outwith the context of a security framework, involving protocol, procedures, standards and regulation.
e) PKCS supports a number of cryptographic services, such as data integrity and origin authentication, that are highly effective in certain applications, but their susceptibility to minor modification limits their value as a copyright protection mechanism.
f) The experience of cryptographic attacks suggests that where protection mechanisms are too expensive to confront directly, a resourceful attacker will exploit a softer weakness of the security system.
g) The existing copyright protection regime provides reasonable, though far from perfect, security. The new problems thrown up by developments in digital access may be best addressed by extending the existing regime through agreement. A wholesale replacement of existing practices with a model in which information resources are licensed, and 'fair use' provision is eroded, may have negative consequences for academic activity.
h) On this subject, the main issues for higher education are:
- to protect the institution from any charge of copyright infringement
- to protect intellectual property developed within the institution
- to exploit innovative methods for the access and dissemination of digital information, and realize the opportunities that C&IT presents for the promotion of academic interests.
i) While developments in US and European copyright law give some cause for concern, the UK has made good progress in achieving consensus between publishers and libraries. There may be good reason, however, to participate in the European debate which, at present, does not adequately consider the practical requirements of higher education for access and use of digital information.
Thanks to Chris Rusbridge for many helpful suggestions. Any inaccuracies remain, of course, the responsibility of the author.
ATM Automatic Teller Machine
DMCA Digital Millennium Copyright Act
DVD Digital Versatile Disc
OSP On-line Service Provider
PIN Personal Identification Number
PKCS Public-key cryptosystems
WIPO World Intellectual Property Organization
WTO World Trade Organization
 J-P Linnartz, AAC Kalker, GFG Depovere, RA Beuker. A reliability model for the detection of electronic watermarks in digital images. http://diva.eecs.berkeley.edu/~linnartz/benelux.pdf
 Fabien AP Petitcolas, Ross J Anderson, Markus G Kuhn. Attacks on copyright marking systems. Second Workshop on Information Hiding, Portland, USA, April 1998. http://www.cl.cam.ac.uk/~fapp2/papers/ih98-attacks/
 Ross Anderson, Roger Needham. Programming Satan's Computer.
 Birgit Pfitzmann. Information hiding terminology. Information hiding: first international workshop, Cambridge, UK, May 1996. http://www.cl.cam.ac.uk/~fapp2/papers/steganography/bibliography/054156.html
 Ross J Anderson, Fabien AP Petitcolas. On the Limits of Steganography. IEEE Journal on Selected Areas in Communications, 16(4):474-481, May 1998.
 E Franz, A Jerichow, S Moller, A Pfitzmann, I Stierand. Computer Based Steganography. In Information Hiding, Springer Lecture Notes in Computer Science, v1174 (1996).
 ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1999, Information technology - Open Systems Interconnection - The Directory: Authentication Framework
 Fred Mintzer, Gordon W Braudaway, Alan E Bell. Opportunities for Watermarking Standards. In Communications of the ACM, v 41, no 7, July 1998.
 G Friedman. The trustworthy digital camera. IEEE Transactions on Consumer Electronics, 39, 4 (Nov 1993) 93-103. http://www.cl.cam.ac.uk/~fapp2/steganography/bibliography/043125.html
 Raymond B Wolfgang, Christine I Podilchuk, Edward J Delp. Perceptual Watermarks for Digital Images and Video.
 W Bender, D Gruhl, N Morimoto, A Lu. Techniques for data hiding. IBM Systems Journal, Vol 35, Nos 3&4, 1996.
 D Gruhl, A Lu, W Bender. Echo Hiding. In Information Hiding, Springer Lecture Notes in Computer Science v1174 (1996) pp 295-315. http://www.cl.cam.ac.uk/~fapp2/papers/steganography/bibliography/054134.html
 J Brassil, S Low, N Maxemchuk, L O'Gorman. Electronic Marking and Identification Techniques to Discourage Document Copying.
 Scott Craver, Nasir Memon, Boon-Lock Yeo, Minerva M Yeung. Can invisible watermarks resolve rightful ownerships? IBM Research Report, RC 20509, July 1996.
 Gordon W Braudaway. Recovering Invisible Image Watermarks from Images Distorted by the "StirMark" Algorithm. IBM Research Report, RC 21396, 1999.
 British Standard 7799-1 : 1995, Information security management - Part 1. Code of practice for information security management systems.
 British Standard 7799-2 : 1998, Information security management - Part 2. Specification for information security management systems.
 Ingemar J Cox, Jean-Paul MG Linnartz. Public watermarks and resistance to tampering. Proceedings of the IEEE International Conference of Image Processing (1997). http://diva.eecs.berkeley.edu/~linnartz/icip.pdf
 Ross Anderson. Why Cryptosystems Fail. Communications of the ACM, v 37 no 11 (November 1994) pp 32-40
 Steve Zeitlin. Strangling Culture with a Copyright Law. New York Times, 25 April 1998. http://www.public.asu.edu/~dkarjala/commentary/zeitlin.html
 Pamela Samuelson. The Copyright Grab. WIRED Archive, 4.01 - Jan 1996. http://www.wired.com/wired/archive/4.01/white.paper_pr.html
 Associated Press. Disney Lobbying for Copyright Extension No Mickey Mouse Effort. Chicago Tribune, October 17, 1998. http://www.public.asu.edu/~dkarjala/commentary/ChiTrib10-17-98.html
 Pamela Samuelson. Intellectual Property and Contract Law for the Information Age. California Law Review, Vol 87, January 1999. http://www.sims.berkeley.edu/~pam/papers/clr_2b.html
 Pamela Samuelson. Legally Speaking: Does Information Really Want to be Licensed? Communications of the ACM, September 1998. http://www.sims.berkeley.edu/~pam/papers/acm_2B.html
 Jonathan Band. Digital Millennium Copyright Act.