The Joint Photographic Experts Group is a working group of the International Organization for Standardization (ISO). They’re best known for the JPEG standard for image compression, and for various related image standards.

They had their 78th quarterly meeting from 27 January to 2 February 2018 — with the press release afterwards prominently namedropping “blockchain.”

The Twitter reaction was “lol what,” and even the cryptocurrency press ignored it — but there’s more to this than slapping on a buzzword, and it’s not good. They seem to think they can advance the cause of Digital Rights Management (DRM) for JPEG images — automated copy protection and access control — with a bit of applied blockchain. And that this will make DRM work — rather than be an idea that fundamentally doesn’t work, despite sounding interesting and potentially useful to some people.

The February announcement

The press release after the 78th meeting included the following tantalising text:

JPEG explores blockchain and distributed ledger technologies During the 78th JPEG meeting in Rio de Janeiro, the JPEG committee organized a special session on blockchain and distributed ledger technologies and their impact on JPEG standards. As a result, the committee decided to explore use cases and standardization needs related to blockchain technology in a multimedia context. Use cases will be explored in relation to the recently launched JPEG Privacy and Security, as well as in the broader landscape of imaging and multimedia applications. To that end, the committee created an ad hoc group with the aim to gather input from experts to define these use cases and to explore eventual needs and advantages to support a standardization effort focused on imaging and multimedia applications. To get involved in the discussion, interested parties can register to the ad hoc group’s mailing list.

There’s more detail in the List of Ad-Hoc Groups from this meeting. The chair is Frederik Temmermans (ETRO-VUB) and co-chair is Deepayan Bhowmik (Stirling University).

I emailed both asking about the genesis of the group, and Dr Bhowmik pointed me to his conference proceeding “The multimedia blockchain: A distributed and tamper-proof media transaction framework” from 2017.

The Mandates/Objectives of the committee are:

Explore use cases related to blockchain technology;

Investigate implications for JPEG Privacy and Security;

Explore standardization needs associated to the use cases.

The Deliverables are:

Use cases related to blockchain technology;

Report on identified standardization needs in JPEG.

The white paper: what “JPEG has determined”

The ad-hoc group has continued to collaborate via mailing list, and it met at the 79th and 80th JPEG meetings.

After six months’ collaboration, the group has produced a white paper — “Towards a Standardized Framework for Media Blockchain” — as announced in the press release following the 80th meeting in July.

The Executive Summary declares:

Fake news, copyright violation, media forensics, privacy and security are emerging challenges for digital media. JPEG has determined that blockchain technology has great potential as a technology component to address these challenges in transparent and trustable media transactions.

“JPEG has determined” is a large statement. Unfortunately, this list of generic claims of “blockchain”‘s surprisingly wide applicability is not substantiated.

This is the first paragraph:

JPEG (Rec. ITU T.81 | ISO/IEC 10918) is the most dominant still image format across the world and the standardization committee continues to work on improving various components of the standard. This includes incorporation of new technologies addressing current challenges related to transparent and trustable media transactions such as JPEG Privacy and Security.

The first sentence is true, and it’s why people pay attention to JPEG.

The second sentence is more problematic. “JPEG Privacy and Security” is described later in the paper:

JPEG Privacy & Security aims at developing a standard for realizing secure image information sharing, capable of ensuring privacy, maintaining data integrity, and protecting intellectual property rights.

That is, “Privacy and Security” is a euphemism for Digital Rights Management (DRM) in JPEG.

Dr Temmermans stressed to me that “JPEG is not working on DRM in particular but on a more generic framework that supports privacy and security features.” But DRM is very much a significant part of this.

The paper lists claimed use cases:

Blockchain technology is currently adopted in number of application areas outside cryptocurrency, such as, financial management (e.g., interbank payment, clearing and settlement, audit etc.), healthcare (pharma, biotechnology and medicine), government and public sector (e.g., taxes, voting, land registry, intellectual property management etc.) and many other industries including manufacturing, energy, retail and supply chain management. Recently, emerging number of use cases are noticed in the multimedia domain that use blockchain for media distribution.

These claims are substantially false — this is a standard list of hypothetical blockchain use cases. They’ve turned a string of “blockchain could” statements into “blockchain is.”

Section 3.3 purports to be a list of real-world implementations supplying “Challenges and opportunities in media industries”:

• Access and distribution — OPUS, a generic music-on-the-blockchain project of the sort that really obviously can’t possibly scale.

• Global distribution — DECENT, a generic video-on-the-blockchain project. The name was misspelt in this official JPEG document as “DECNET“.

• Commercial viability — Imogen Heap, whose blockchain project’s commercial viability was to the tune of $133.20 total gross takings, as I detail in Chapter 12 of Attack of the 50 Foot Blockchain.

• Managing assets and digital rights — The 21 Million Project, who aspired in January to produce a Bitcoin-related TV action thriller called Children of Satoshi — and the project has since busted up, the ICO tokens were removed from their last exchange (archive) in May, and one of the two parties is currently at work on a documentary about the ICO, to be titled Never Mind The Bitcoin, Here’s The Great ICO Swindle.

• Combating piracy — Custos Media, which claims to protect movies with “imperceptible watermarking” on the Bitcoin blockchain. They claim to have customers.

These examples are either nothing special, or dismal failures. Why did they pick these? Because both the categories and the examples were lifted directly from this “contributor” piece in TheNextWeb — that is to say, a promotional blog post that the site itself explicitly editorially disclaims.

Next is a list of “Example use cases relevant to multimedia”:

• KODAKOne and KODAKCoin — the ad-hoc group seem to have just seen the words “blockchain” and “images” and thought, “use case!” They don’t appear to have done even cursory research into what the product is (nonexistent as yet), or how it relates to blockchain — apart from the token sale, the blockchain bit is literally an extra piece hanging off the bottom.

• The multimedia blockchain framework — this is the conference proceeding of Bhowmik’s that launched this JPEG blockchain initiative.

• Current — “An incentivized, blockchain enabled multimedia ecosystem,” whose status updates are almost entirely concerned with their ICO token sales and “when airdrop?”

• Blockchain for JPEG images tracking — This is not quite the DRMed JPEG use case — it’s just tracking use of an image. The plan is to add every instance of usage to a blockchain, and branching a new chain off if the images is modified. Just imagine implementing this as a blockchain, in a manner that is useful for image tracking, and yet which will scale.

• OpenstreetVR — “A blockchain based 360 image view for virtual reality.” This was a vague plan to compile a collection of virtual reality images of the world’s roadways and paths — like OpenStreetMap, but on the blockchain, with tokens. Their “Geostreet” token appears never to have been released. Their site now redirects to SOC Robotics, which does not mention blockchains.

Section 5 is a list of “Current blockchain standardisation efforts” — other groups inside large standards organisations, similarly looking forward to one day producing a list of things a “blockchain” might be useful for — specifically, ISO TC 307, CEN/CENELEC’s Focus Group on Blockchain and Distributed Ledger Technologies and ITU’s Focus Group on Application of Distributed Ledger Technology.

Section 6 is a list of next steps. The final step is:

Decision on issuing a call for proposal A formal call for proposals will be issued if there are enough interests and requirements of a standard or protocol are identified.

That is — after six months of working on the question, the ad-hoc group has yet to come up with an answer to the question: “Yes, but why are you bothering with all of this?” But they hope to at some point.

DRM in JPEG

JPEG doesn’t just work on image compression standards — they’ve also been exploring options for how to apply Digital Rights Management to ordinary JPEG images — the “JPEG Privacy and Security” group mentioned above. That specifically means per-image access control.

The EFF made some fuss about this terrible idea in 2015, and it got some press at the time. There have been no real-world implementations as yet.

There’s already a DRM extension for the JPEG 2000 format — this would backport that DRM to ordinary JPEGs. The inspiration is this paper co-authored by Touradj Ebrahimi, who is active on the blockchain ad-hoc group mailing list.

JPEG 2000 compresses images better than JPEG, but was strangled in the crib by fear of patents. It’s used a bit by archives and for geospatial data.

I have heard of one case of someone trying to use JPEG 2000 DRM — a pornographic site selling DRMed pictures around 2009. Customers had to run a Java applet in their web browser. It didn’t work well, and was a tech support nightmare — I was told about it by one of said tech support people. The porn site gave up on this terrible idea very quickly. The Java applet company apparently went bust a few months later.

Why DRM is a second-rate idea

It’s worth noting here that DRM literally, mathematically, doesn’t work — it’s the trusted client problem. Your whole threat model is to declare your own user the enemy. As Wikipedia puts it:

Trusted client software is considered fundamentally insecure: once the security is broken by one user, the break is trivially copyable and available to others. As computer security specialist Bruce Schneier states, “Against the average user, anything works; there’s no need for complex security software. Against the skilled attacker, on the other hand, nothing works.”

As I detail in chapter 12 of Attack of the 50 Foot Blockchain, about blockchains in the music industry, the main thing DRM does in practice is to frustrate users and give them a worse experience:

They tried to stop piracy with Digital Rights Management (DRM), which bred massive consumer resentment and meant that piracy literally gave listeners a better product than the paid version. This peaked with the Sony rootkit malware fiasco of 2005, where if you put a CD into your PC, it would install a hidden software backdoor that blocked CD ripping, phoned home to Sony and left new security holes for other malware to use. And DRM can’t possibly work in the first place — you can’t give someone the lock and the key, then keep the key secret from them forever. No DRM that end users wanted to break has ever stayed unbroken.

In the case of an image, you could do the incredibly obvious and take a screenshot — or even just photograph the displayed image.

Snapchat tried to sell itself on timed images that would self-destruct — but they turned out to be recoverable, and of course anything on a display that’s visible to the eye can just be photographed.

Why do we keep seeing DRM come up, over and over? Because the market is nontechnical record and movie executives, who are reliable suckers for any unworkable snake oil, which they keep loudly demanding — and funding — even though it’s mathematically impossible. Here’s a great quote from the Record Industry Association of America, from 2008:

“I made a list of the 22 ways to sell music, and 20 of them still require DRM,” said David Hughes, who heads up the RIAA’s technology unit, during a panel discussion at the Digital Hollywood conference. “Any form of subscription service or limited play-per-view or advertising offer still requires DRM. So DRM is not dead.”

That is — he really, really wants DRM to work. Therefore, it has to work! Stop saying it can’t work!

And not to mention that regular consumers despise DRM, and consider it a warning sign of a bad and unusable product.

Compare to blockchain hype, and its tendency to fabulous and elaborate scenarios of the future — that turn out to rely on magical flying unicorn pony technology that doesn’t exist yet. But it’s definitely coming soon!

The principals’ past work on blockchains

Bhowmik has one blockchain-related paper listed on his university web page: “The multimedia blockchain: a distributed and tamper-proof media transaction framework” — the conference proceeding he pointed me to as the genesis of the present initiative.

The paper proposes to apply digital watermarking — putting a coded signal into the sound or image down at the noise level, below human perception — to track all audio or visual content, and record logs of this tracking on a blockchain. They ran a proof-of-concept on the Ethereum testnet.

Watermarking video content does in fact work, and you can make the signals usably robust against re-encoding. The practical problem appears to be doing anything about it — e.g., the politics of taking action against someone when an Academy screener DVD leaks. Blockchain is unlikely to solve the human element.

Temmermans doesn’t have any listed publications related to blockchains — but he does have his 2017 paper, “JPEG Privacy and Security Framework for Social Networking and GLAM Services,” which attempts to sell the reader on DRMed JPEGs, claiming galleries, libraries, archives and museums (GLAMs) as a use case. Co-authors include Ebrahimi and Takaaki Ishikawa, chair of the DRM in JPEG committee. The conclusion is that GLAMs should use ISO/IEC 19566-4, the DRM in JPEG initiative.

The paper’s title is aspirational. There’s no evidence of actual museums or galleries asking for this — there are some discussions of why things that can’t work would be nice, a few of which are sourced from GLAM-sector people. (Workshop proceedings: [1] [2] [3].)

I have slight knowledge of this area from my Wikipedia work. The GLAM-Wiki initiative works closely with museums, galleries and so on. We work really hard to help them get their stuff out to the world, under a free content license (so it can go in Wikipedia) — and with tremendous attention to not screwing over the institution in the process. Sustainable cultural institutions are a lot of work, but we have quite the string of successes to point to — it turns out that getting your stuff into Wikipedia works.

Also … copyright expires. And organisations make incorrect claims of owning copyrights. How will this be accounted for?

The closest I can think of to a GLAM use case for DRM is that time the National Portrait Gallery in the UK mounted a copyright claim against a US-based Wikipedia user. They claimed copyright over a scan of a public domain work — a fraudulent claim under US law, and one that didn’t hold under EU law either. I blogged about it at the time: [1] [2] [3] [4]. The National Portrait Gallery later reused Wikipedia content, and falsely claimed copyright in it.

That’s the other huge problem with automated DRM systems — organisations will attempt to enforce claims of rights they don’t hold, just because they can. Blockchain won’t solve this either, though it might make it worse.

The crossover with the DRM group

The work of the blockchain ad-hoc group is explicitly intended to cross over with the work of the DRM group. Per Temmermans in email:

It is expected that if additional specifications are required to support blockchain applications that these will fit within the Privacy and Security framework, but some specifications might fit elsewhere. Again, it is the aim of the AhG to further investigate this.

The JPEG Privacy & Security, Metadata Working Group also gathered at this 2018 meeting. Chair is Ishikawa, co-chair is Temmermans. In this case, the Mandates/Objectives are:

Continue work on WD of ISO/IEC 19566-4;

Continue work on WD of ISO/IEC 19566-5;

Disseminate JPEG Privacy and Security information;

Follow up discussion of AhG (ad-hoc group) on blockchain.

The Deliverables are:

updated WD of ISO/IEC 19566-4;

updated WD of ISO/IEC 19566-5;

overview of dissemination activities;

summary of discussion related to blockchain.

That is — the point of all this blockchain bafflegab does indeed seem to be to advance the cause of DRMed JPEGs with a bit of applied blockchain.

Summary

This is great news for both DRM and Blockchain, because no work to implement DRM can ever be called first-rate — and Blockchain is the hype on top to really sell unusable rubbish that can’t possibly ever work.

JPEG plans a “free public workshop during its 81st meeting in Vancouver on Tuesday October 16th.” More information will be available on jpeg.org in due course — and if any readers are in Vancouver then, I’d be delighted to hear how it goes.

i can’t wait to have to wait for 7 confirmations on the jpegchain before i’m allowed to see the latest distorted, over-compressed cat macro my aunt sent me, thanks joint photographic experts group — ate all the Oreos

galaxy brain: bitcoin is drm for money — infernal machines

A photocopy of a phone displaying a photo of a photo of a screenshot, correctly identified using ISO/IEC 19566-4 blockchain-based digital watermarking on the YOSPOS blockchain.

