JANNETE (2)

Cryptography is the study of secure communication techniques that protect data from unauthorized access, ensuring confidentiality, integrity, and authentication. It has evolved from simple encryption methods to complex algorithms used in various applications, including digital rights management and secure transactions. Legal and ethical challenges arise from its use, with some governments imposing restrictions and laws regarding encryption key disclosure.

Uploaded by

annemoises283

4.1 Cryptography
What is Cryptography?
• Cryptography, or cryptology, is the study and practice of
techniques for secure communication in the presence of
adversaries. It involves constructing and analyzing
protocols to protect private messages from unauthorized
access, ensuring data confidentiality, integrity,
authentication, and non-repudiation. Modern cryptography
is rooted in mathematics, computer science, and electrical
engineering, with applications in ATM cards, computer
passwords, and electronic commerce.
What is Cryptography?
Historically, cryptography was synonymous with
encryption, where information was transformed
into unreadable text, only decipherable by intended
recipients. Today, cryptographic algorithms rely on
computational hardness assumptions, making them
difficult to break in practice. While some schemes,
like the one-time pad, are theoretically
unbreakable, they are less practical compared to
computationally secure methods, which must
constantly evolve to counter advancements in
What is Cryptography?
The widespread use of cryptography has led to legal
and ethical challenges, as it can be used for
espionage and sedition. Some governments classify
cryptography as a weapon and impose restrictions
on its use and export. In certain jurisdictions,
investigators have the legal authority to compel the
disclosure of encryption keys. Cryptography is also
crucial in digital rights management, helping to
protect copyrighted digital content from
infringement. As technology continues to advance,
cryptography remains essential in securing digital
Some Terminologies:
Alphabet Shift Ciphers
A simple encryption technique believed to have been used
by Julius Caesar over 2000 years ago. It involves shifting
letters in the alphabet by a fixed number (e.g., k=3) to
encrypt a message and shifting back by the same number to
decrypt it.
Encryption & Decryption
Encryption is the process of converting plaintext
(ordinary information) into unintelligible text called
ciphertext to prevent unauthorized access. Decryption
is the reverse process, converting ciphertext back into
Some Terminologies:
Cipher
A cipher (or cypher) is a set of algorithms that facilitate
encryption and decryption. The effectiveness of a cipher
depends on both the algorithm and the secret key used to
control the process.

Key
A secret value used to encrypt and decrypt data. Ideally, the
key should be known only to the sender and recipient.
Without a variable key, a cipher can be easily broken and
rendered ineffective.
Some Terminologies:
Cryptosystem
A structured system that consists of a defined set of
plaintexts, ciphertexts, possible keys, and encryption and
decryption algorithms. It ensures secure communication by
systematically applying cryptographic techniques.
Symmetric Cryptosystem
A type of cryptosystem where the same secret key is used
for both encryption and decryption. It is generally faster due
to shorter key lengths and is commonly used in secure data
transmission. Example: Advanced Encryption Standard
(AES), which replaced the older Data Encryption Standard
(DES).
Some Terminologies:
Asymmetric Cryptosystem
A more secure cryptosystem that uses two different keys: a
public key for encryption and a private key for decryption.
This enhances security and is commonly used in secure
communication. Examples include Rivest-Shamir-Adleman
(RSA) and Elliptic Curve Cryptography (ECC).
Code
Often confused with ciphers, a code in cryptography refers
specifically to replacing meaningful words or phrases with
designated code words rather than applying mathematical
encryption methods.
Some Terminologies:
Cryptanalysis
The study of methods used to break encryption and
decipher messages without access to the decryption key. It
involves analyzing encryption algorithms and identifying
vulnerabilities that could be exploited.

Cryptography
The practice and application of cryptographic techniques to
secure communication, ensuring confidentiality, integrity,
and authentication of data.
Some Terminologies:
Cryptology
The broader study that combines cryptography
(securing data) and cryptanalysis (breaking encryption)
to understand and improve secure communication
methods.
Crypto-linguistics
A specialized field that examines the characteristics of
languages and their applications in cryptography or
cryptology, often used in codebreaking and language-
based encryption methods.
History of Cryptography and Cryptanalysis
Early Cryptography
Before the modern era, cryptography was primarily
concerned with ensuring message confidentiality. This
was achieved by converting comprehensible messages
into incomprehensible ones, rendering them unreadable
to unauthorized parties without secret knowledge.
Encryption played a crucial role in maintaining secrecy
in communications for spies, military leaders, and
diplomats. Over time, cryptography has expanded
beyond confidentiality to include techniques for
message integrity verification, sender/receiver
authentication, digital signatures, interactive proofs,
Classical Cryptography

One of the earliest forms of cryptography was simple secret
writing, which required no more than basic literacy. As
literacy increased, more sophisticated cryptographic
techniques emerged. The two primary classical cipher types
were:
• Transposition Ciphers: These rearrange the letters of a
message (e.g., "hello world" becomes "ehlol owrdl").
• Substitution Ciphers: These systematically replace
letters or groups of letters with others (e.g., "fly at once"
becomes "gmz bu podf" by shifting each letter forward in
the alphabet).
• One of the earliest substitution ciphers was the
Caesar cipher in which each letter in the plaintext was
replaced by a letter some fixed number of positions
further down the alphabet, used by Julius Caesar with
a shift of three to communicate with his generals. The
Atbash cipher was an early Hebrew example. The
oldest known cryptographic use dates back to Egypt
(circa 1900 BCE) with carved ciphertext on stone,
possibly for amusement rather than secrecy.
• The Greeks used the scytale transposition cipher, a
tool employed by the Spartan military. Steganography,
the practice of concealing the existence of a message,
was also used by the Greeks. For example, Herodotus
recorded an example where a message was tattooed
on a slave’s shaved head and concealed under
regrown hair. More modern steganographic methods
include invisible ink, microdots, and digital
watermarks.
In India, the Kamasutra of Vātsyāyana
(circa 2000 years ago) described two
cipher types:
• Kautiliyam: Cipher letter substitutions based on
phonetic relations (e.g., vowels becoming consonants).
• Mulavediya: Pairing letters and using their
reciprocal ones.
The Rise of Cryptanalysis
Classical ciphers were vulnerable to frequency analysis, a
method pioneered by the Arab mathematician Al-Kindi in the
9th century. His book Risalah fi Istikhraj al-Muamma detailed
frequency analysis techniques, enabling cryptographers to
break many ciphers.

To counter frequency analysis, homophonic ciphers were
developed, distributing character frequencies more evenly.
The polyalphabetic cipher, credited to Leon Battista Alberti
(1467), was a significant advancement. Alberti’s method
used multiple substitution alphabets, changing the cipher at
intervals. His cipher disk was an early cryptographic device.
The Rise of Cryptanalysis

The Vigenère cipher extended Alberti’s idea by
employing a keyword to dictate letter substitution.
However, it was vulnerable to Kasiski examination,
discovered by Charles Babbage and published by
Friedrich Kasiski in the mid-19th century.
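
The shift cipher, frequency analysis and the polyalphabetic countermeasure described above, as an added Python example that is not part of the original slides. The letter-frequency table is approximate, and the sample text and the keyword "lemon" are constructed for the illustration.

```python
"""Frequency analysis against a Caesar shift, and how Vigenere flattens it."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Approximate relative letter frequencies of English text, in percent.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}

# Constructed sample plaintext (lowercase letters and spaces only).
SAMPLE = (
    "cryptography is the study and practice of techniques for secure "
    "communication in the presence of adversaries it involves constructing "
    "and analyzing protocols to protect private messages from unauthorized access"
)


def caesar(text: str, k: int) -> str:
    """Shift each letter k places forward; other characters pass through."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, keyword: str) -> str:
    """Polyalphabetic shift: each keyword letter selects the next shift."""
    shifts = [ALPHABET.index(c) for c in keyword.lower()]
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            shift = shifts[i % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between observed letter counts and English expectations."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def recover_caesar_shift(ciphertext: str) -> int:
    """Undo every possible shift and keep the one that looks most English."""
    return min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn at random from the text match."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    counts = Counter(letters)
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


if __name__ == "__main__":
    print(caesar("fly at once", 1))  # the substitution example from the slides
    shifted = caesar(SAMPLE, 3)      # Caesar's shift of three
    print("recovered shift:", recover_caesar_shift(shifted))
    # A single shift only relabels letters, so the frequency profile survives.
    print("IoC plaintext:", round(index_of_coincidence(SAMPLE), 4))
    print("IoC Caesar   :", round(index_of_coincidence(shifted), 4))
    # Several alphabets in rotation spread the counts out.
    print("IoC Vigenere :", round(index_of_coincidence(vigenere(SAMPLE, "lemon")), 4))
```

A single-alphabet cipher leaves the index of coincidence unchanged, which is why counting letters is enough to undo it; the keyword cipher lowers it, which is the flattening the polyalphabetic designs aimed for.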
Kerckhoffs’s Principle and Modern Developments

In 1883, Auguste Kerckhoffs proposed that a cipher
should remain secure even if the encryption
method is known, relying solely on the secrecy of
the key. Claude Shannon, the father of information
theory, reinforced this principle as Shannon’s
Maxim: "The enemy knows the system."
Various mechanical aids have been used in cryptography:
• The scytale (Spartan transposition cipher tool).
• The cipher grille (a medieval steganographic aid).
• The cipher disk (Alberti’s device for polyalphabetic encryption).
• The tabula recta (Trithemius' polyalphabetic table).
• Thomas Jefferson’s multi-cylinder cipher
(precursor to modern encryption devices).
• The Enigma machine, used by Germany during
World War II (WWII), significantly increased
cryptanalytic difficulty.
Modern Cryptography
The modern field of cryptography can be divided into several areas
of study.
Modern Cryptography

1. Symmetric-key cryptography – Uses the same key
for both encryption and decryption. It includes:
Block ciphers – Encrypt data in fixed-size blocks.
Examples include:
• Data Encryption Standard (DES) – Once a
widely used encryption standard, now
considered insecure.
• Advanced Encryption Standard (AES) – The
current encryption standard, used in various
applications.

Modern Cryptography

2. Cryptographic hash functions – Convert data into a fixed-length
hash, which is useful for digital signatures and integrity
checks. Examples include:
o MD4 and MD5 – Early hash functions, now considered
insecure due to vulnerabilities.
o SHA-1 – An improvement over MD5 but still susceptible to
attacks.
o SHA-2 – A more secure family of hash functions, but
adoption has been slow.
o SHA-3 (Keccak) – Selected as the new US national standard
Message Authentication Codes (MACs)

Similar to hash functions but with a secret key,
providing authentication and data integrity. MACs help
prevent attackers from tampering with messages by
ensuring the recipient can verify their authenticity.
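
The difference between an unkeyed hash and a MAC, as an added Python example that is not part of the original slides. It uses HMAC-SHA-256 from the standard library as one common MAC construction; the messages and the function names are constructed for the illustration.

```python
"""Why a MAC needs a secret key: unkeyed hash versus HMAC-SHA-256."""
import hashlib
import hmac
import secrets


def plain_digest(message: bytes) -> bytes:
    """Unkeyed hash: anyone who can read the message can recompute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 tag: computing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def accept_with_hash(message: bytes, digest: bytes) -> bool:
    """Recipient check when only an unkeyed hash travels with the message."""
    return hmac.compare_digest(plain_digest(message), digest)


def accept_with_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recipient check with a MAC.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of a submitted tag were correct.
    """
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo() -> dict:
    """Run both checks over an original and an altered message."""
    key = secrets.token_bytes(32)                 # known to sender and recipient only
    original = b"transfer 100 to account 1234"    # constructed sample message
    altered = b"transfer 900 to account 5678"     # constructed in-transit change

    sent_digest = plain_digest(original)
    sent_tag = mac_tag(key, original)

    # Whoever alters the message can also replace an unkeyed digest ...
    replaced_digest = plain_digest(altered)
    # ... but without the key the best they can do is guess at a tag.
    guessed_tag = mac_tag(secrets.token_bytes(32), altered)

    return {
        "hash_accepts_original": accept_with_hash(original, sent_digest),
        "hash_accepts_altered": accept_with_hash(altered, replaced_digest),
        "mac_accepts_original": accept_with_mac(key, original, sent_tag),
        "mac_accepts_altered_old_tag": accept_with_mac(key, altered, sent_tag),
        "mac_accepts_altered_guessed_tag": accept_with_mac(key, altered, guessed_tag),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

The unkeyed hash accepts the altered message because its digest was replaced along with it; the MAC check rejects both the reused tag and the guessed one.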
Public-Key Cryptography
Symmetric-key cryptosystems use the same key for encryption and
decryption, requiring complex key management. To solve this, Diffie
and Hellman introduced public-key cryptography in 1976, where a
public key encrypts data while a private key decrypts it. The RSA
algorithm, developed in 1978, became widely used alongside Diffie-
Hellman and elliptic curve techniques. British intelligence (GCHQ)
later revealed they had discovered similar concepts earlier. Public-
key cryptography is also used for digital signatures, ensuring
message authenticity and integrity.

Public-key algorithms rely on complex mathematical problems, such
as integer factorization (RSA) and discrete logarithms (Diffie-Hellman).
Due to their computational expense, hybrid cryptosystems
Cryptanalysis

Cryptanalysis aims to find vulnerabilities in cryptographic
schemes. While the one-time pad is theoretically
unbreakable, most ciphers can be cracked with enough
computational effort. Attacks vary in complexity, including
ciphertext-only, known-plaintext, chosen-plaintext, and
chosen-ciphertext attacks. Side-channel attacks exploit
weaknesses in real-world implementations, such as timing
analysis and traffic analysis. Poor key management and
social engineering remain significant threats.
Cryptographic Primitives and Cryptosystems
Cryptographic primitives are basic algorithms like
pseudorandom functions and one-way functions, forming
the foundation of more complex cryptosystems.
Cryptosystems like RSA and El-Gamal ensure security for
communication and transactions. More advanced systems
include electronic cash and zero-knowledge proofs. The
field of provable security seeks to formally prove the
difficulty of breaking cryptographic systems, enhancing
reliability.

The implementation of cryptographic techniques in
software is a separate field, focusing on secure and
Legal Issues
Prohibitions

• Cryptography has been a subject of legal controversy
due to its role in intelligence, law enforcement, and
privacy protection. While it enables secure
communication, governments often regulate its use to
prevent criminal activities.

• Some countries, like China and Iran, require licenses
for cryptography, while others, including Belarus,
Kazakhstan, and Vietnam, impose strict restrictions.
France once had similar limitations but relaxed them
Legal Issues
Prohibitions
• In the U.S., cryptography is legal domestically but has
faced legal conflicts, particularly regarding its export.
After World War II, encryption was classified as
military equipment and placed on the U.S. Munitions
List, making its sale or distribution overseas illegal.
However, as personal computers, the internet, and
public key encryption advanced, high-quality
cryptography became widely accessible, reducing the
effectiveness of these restrictions.
Legal Issues

Digital Rights Management (DRM)
• Cryptography plays a key role in Digital Rights
Management (DRM), which controls the use of
copyrighted content. In 1998, the Digital Millennium
Copyright Act (DMCA) was signed into law in the
U.S., criminalizing cryptanalytic techniques that
could bypass DRM. Similar laws exist globally,
including the EU Copyright Directive and treaties
under the World Intellectual Property Organization
(WIPO).
Legal Issues

Digital Rights Management (DRM)
• While enforcement of the DMCA has not been as
strict as initially feared, it remains controversial.
Researchers like Niels Ferguson avoided publishing
security research due to legal risks. Others, such as
Alan Cox and Edward Felten, faced DMCA-related
issues, while Dmitry Sklyarov was arrested for
developing DRM-circumventing software that was legal in his
home country. In 2007, leaked cryptographic keys for
Blu-ray and HD DVD led to widespread backlash,
Legal Issues
Forced Disclosure of Encryption Keys
• In some countries, laws mandate individuals to hand
over encryption keys or passwords during criminal
investigations. The UK's Regulation of Investigatory
Powers Act allows police to compel suspects to
decrypt files, with non-compliance leading to
imprisonment (up to five years for national security
cases). Similar laws exist in Australia, Finland,
France, and India.
Legal Issues
Forced Disclosure of Encryption Keys
• In the U.S. case United States v. Fricosu (2012), a
court ruled that a defendant must provide an
unencrypted hard drive, despite arguments from the
Electronic Frontier Foundation (EFF) that this violated
the Fifth Amendment.
• To counter forced disclosure, some cryptographic
software enables plausible deniability, making
encrypted data appear as random, unused data
4.2 Enterprise Information
• Enterprise information security architecture (EISA) is a
part of enterprise architecture focusing on information
security throughout the enterprise. EISA is the
practice of applying a comprehensive and rigorous
method for describing a current and/or future
structure and behavior for an organization’s security
processes, information security systems, personnel
and organizational sub-units, so that they align with
the organization’s core goals and strategic direction.
Although often associated strictly with information
security technology, it relates more broadly to the
security practice of business optimization in that it
addresses business security architecture,
• Enterprise information security architecture
is becoming a common practice within
financial institutions around the globe. The
primary purpose of creating an enterprise
information security architecture is to ensure
that business strategy and IT security are
aligned.
Enterprise Information Security Architecture Topics

Positioning
Enterprise information security architecture was first
formally positioned by Gartner in their whitepaper
called “Incorporating Security into the Enterprise
Architecture Process”. Since this publication, security
architecture has moved from being a silo-based
architecture to an enterprise focused solution that
incorporates business, information and technology.
Security architectural change imperatives now include things
like:
• Business roadmaps
• Legislative and legal requirements
• Technology roadmaps
• Industry trends
• Risk trends
• Visionaries
Enterprise Information Security Architecture Topics

Goals
• Provide structure, coherence, and cohesiveness.
• Must enable business-to-security alignment.
• Defined top-down beginning with the business strategy.
Enterprise Information Security Architecture Topics

Goals
• Ensure that all models and implementations can be traced
back to the business strategy, specific business
requirements and key principles.
• Provide abstraction so that complicating factors, such as
geography and technology religion, can be removed and
reinstated at different levels of detail only when required.
• Establish a common “language” for information security
within the organization.
Enterprise Information Security Architecture Topics

Methodology
The practice of enterprise information security architecture
involves creating an architecture security framework that
defines “current,” “intermediate,” and “target” reference
architectures to guide organizational change. These
frameworks outline the organizations, roles, entities, and
relationships necessary for carrying out business processes.
They establish a structured taxonomy and ontology to
precisely identify business operations and provide detailed
insights into how these processes are executed and secured.
Enterprise Information Security Architecture Topics

Methodology
As a result, the framework produces a set of artifacts that
document, at varying levels of detail, the business’s
operational structure and the security controls required. With
these descriptions, decision-makers gain valuable insights to
determine where to allocate resources, adjust organizational
goals and processes, and implement policies and procedures
that support the organization’s core missions and business
functions.
A strong enterprise information security architecture
process helps to answer basic questions like:

• What is the information security risk posture of the organization?


• Is the current architecture supporting and adding value to the
security of the organization?
• How might a security architecture be modified so that it adds more
value to the organization?
• Based on what we know about what the organization wants to
accomplish in the future, will the current security architecture
support or hinder that?
• Enterprise information security architecture must align
with an organization’s strategy, goals, and operations. It
defines the current security state, an ideal future state,
and a practical "Target" state that balances security and
business needs. This structured approach creates
interconnected models, often managed using specialized
software, ensuring adaptability, scalability, and long-term
success.

• Effective implementation follows a structured approach
similar to city planning. A key outcome is a
comprehensive inventory of security strategies, business
processes, system interactions, and network topologies,
The organization must design and implement a process that
ensures continual movement from the current state to the
future state. The future state will generally be a combination of
one or more:

• Closing gaps that are present between the current
organization strategy and the ability of the IT security
dimensions to support it
• Closing gaps that are present between the desired future
organization strategy and the ability of the security
dimensions to support it
• Necessary upgrades and replacements that must be made to
the IT security architecture based on supplier viability, age
and performance of hardware and software, capacity issues,
known or anticipated regulatory requirements, and other
issues not driven explicitly by the organization’s functional
management.
• On a regular basis, the current state and the future state are
redefined to account for evolution of the architecture,
changes in organizational strategy, and purely external
factors such as changes in technology and
customer/vendor/government requirements, and changes to
both internal and external threat landscapes over time.
High-level Security Architecture Framework
Enterprise information security architecture
frameworks are only a subset of enterprise
architecture frameworks. If we had to simplify the
conceptual abstraction of enterprise information
security architecture within a generic framework, it
would be acceptable as a high-level conceptual
security architecture framework.
Relationship to Other IT Disciplines

Enterprise information security architecture is a key
component of the information security technology
governance process at any organization of significant
size. More and more companies are implementing a
formal enterprise security architecture process to
support the governance and management of IT.
Enterprise Information Security Architecture is also
related to IT security portfolio management and
metadata in the enterprise IT sense.
4.3 Network Security
• Network security involves policies and practices designed
to prevent unauthorized access, misuse, modification, or
denial of network resources. It includes access
authorization managed by network administrators, where
users are assigned IDs and passwords or other
authentication methods. Network security applies to both
public and private networks used for daily operations,
transactions, and communications across businesses,
government agencies, and individuals. It ensures the
security of the network and monitors its operations. A basic
yet effective security measure is assigning unique names
and passwords to network resources.
Network Security Concepts
Network security begins with authentication, typically using a
username and password (one-factor authentication). Stronger
security methods include two-factor authentication (e.g., ATM
card or mobile phone) and three-factor authentication (e.g.,
fingerprint or retinal scan). After authentication, firewalls
enforce access policies but may not detect malware, which is
where antivirus software and intrusion prevention systems
(IPS) help. Anomaly-based intrusion detection systems can
monitor network traffic for threats, with tools like Wireshark
logging data for audits and analysis. Additionally, network
communication can be encrypted to ensure privacy.
Security Management

Security management for networks is different for all
kinds of situations. A home or small office may only
require basic security while large businesses may
require high-maintenance and advanced software
and hardware to prevent malicious attacks from
hacking and spamming.
Types of Attacks

Networks are subject to attacks from malicious sources.
Attacks can be from two categories: “Passive” when a
network intruder intercepts data travelling through the
networks, and “Active” in which an intruder initiates
commands to disrupt the network’s normal operation.
Types of attack include:

1. Passive
• Network
o Wiretapping
o Port scanner
o Idle scan
Types of attack include:

2. Active
• Denial-of-service attack
• DNS spoofing
• Man in the middle
• ARP poisoning
• VLAN hopping
• Smurf attack
• Buffer overflow
• Heap overflow
• Format string attack
Types of attack include:

2. Active
• SQL injection
• Phishing
• Cross-site scripting
• CSRF
• Cyber-attack
4.4 Digital Rights Management
Digital rights management
Digital rights management (DRM) schemes are various
access control technologies that are used to restrict
usage of proprietary hardware and copyrighted works.
DRM technologies try to control the use, modification,
and distribution of copyrighted works (such as software
and multimedia content), as well as systems within
devices that enforce these.
DRM: Controversy and Criticism

The use of DRM is not universally accepted. Proponents
argue it prevents intellectual property from being copied
freely. Opponents claim there is no evidence that DRM
prevents copyright infringement, instead inconveniencing
legitimate customers and stifling innovation and
competition.
DRM: Controversy and Criticism

DRM can make works permanently inaccessible if the
scheme changes or a service is discontinued. It also
restricts users from exercising legal rights under
copyright law, such as backing up CDs/DVDs, lending
materials through libraries, accessing public domain
works, or using copyrighted content for research and
education under fair use and French law.
DRM: Controversy and Criticism

The Electronic Frontier Foundation (EFF) and Free
Software Foundation (FSF) consider DRM anti-competitive.
DRM is also referred to as “copy protection,”
“technical protection measures,” “copy prevention,” or
“copy control,” though the correctness of these terms is
debated.
• The shift to digital media has raised copyright
concerns, especially in music and film, since digital
copies retain perfect quality. The internet and file-
sharing have made unauthorized distribution easier.
DRM (Digital Rights Management) helps control
access by restricting copying and usage. It is widely
used in entertainment (e.g., iTunes, e-books,
streaming) and has expanded to hardware, with
companies using DMCA laws to limit DIY repairs.
Common DRM Techniques
Restrictive Licensing Agreements
• Controls access to digital materials, copyright, and public
domain.
• Users must agree to restrictions before entering a
website or downloading software (e.g., Terms of Service
agreements).
Common DRM Techniques
Encryption
• Uses encryption and digital tags to restrict access
and prevent copying of digital content.
Technologies – DRM and Computer Games
Limited Install Activations
Some computer games use DRM to limit the number
of systems they can be installed on, requiring
authentication with an online server. Most games
allow three to five installs, with some permitting
installation recovery after uninstallation.
Technologies – DRM and Computer Games
Persistent Online Authentication
It is a DRM method that requires an internet
connection to verify a game’s legitimacy before and
during gameplay. This ensures only authorized users
can access the game and prevents piracy.
Some games need an internet connection to verify
ownership before playing.
• In 2008, Ubisoft removed DRM from Prince of Persia to see if
piracy would decrease. However, over 23,000 illegal
downloads happened in just 24 hours.
• In 2010, Ubisoft brought back online authentication using
Uplay, requiring players to stay online while playing. Cracked
versions only accessed limited parts of the game.
• Other companies like Blizzard also use this system, storing
key game logic on their servers to prevent hacking and
piracy.
Technologies – DRM and Computer Games
Software Tampering
Refers to built-in countermeasures that detect
unauthorized or pirated copies of a game and
deliberately alter gameplay to discourage piracy.

• Bohemia Interactive uses technology that
introduces annoyances in unauthorized game
copies, such as reduced accuracy or turning
players into birds. This deters piracy by making the
game less enjoyable.
Technologies – DRM and Computer Games
Product Keys
A product key is a DRM method used to verify
software licenses, especially in games. This
alphanumeric code is entered during installation and
checked against a database. While simple and widely
used, product keys can be bypassed by hackers or
"keygen" programs. To enhance security, they are
often combined with other DRM measures.
DRM in Documents and E-books
1 Enterprise DRM (E-DRM)
Also known as Information Rights Management (IRM), E-
DRM controls access to corporate documents like Word,
PDF, and AutoCAD files. It prevents unauthorized use of
proprietary information, often integrating with content
management systems.
2 E-books
DRM limits copying, printing, and sharing of e-books on
computers and e-readers. It restricts usage to a limited
number of devices, with some publishers preventing any
copying or printing. Common formats include EPUB, KF8,
Mobipocket, PDF, and Topaz.
DRM in Film and Music
Film
• Content Scrambling System (CSS) encrypts DVD content, requiring
licensed DVD players to decrypt it. DeCSS, an application, allowed
playing CSS-encrypted DVDs on Linux, raising
Music
• Audio CDs with DRM are CD-ROM media, not standards-compliant CDs,
causing compatibility issues. Sony BMG's DRM installed rootkits without
consent, creating security vulnerabilities and leading to recalls and lawsuits.
DRM in Internet Music and Television

Internet music stores use DRM to restrict music usage, with
services often not interoperable. Some stores, like
eMusic and Amazon, offer DRM-free music, gaining popularity
for their flexibility.

CableCard restricts content to subscribed services. The
broadcast flag concept aimed to control recording of HDTV
streams but faced legal challenges in the US. Metadata
and watermarks are also used for copyright enforcement.
Services
Metadata
• Metadata in purchased media stores details like the
buyer’s name, account, and file information. It is
kept within the file but separate from the content.
For example, iTunes includes metadata in both DRM-
free and protected media.
Watermarks
• Digital watermarks are embedded in media to track
ownership, distribution, and purchases. While not a
standalone DRM method, they help enforce
copyright by providing legal evidence. Some editing
tools can alter or remove watermarks.
Streaming Media Services
• Since the late 2000s, streaming services like Spotify
and Netflix have become popular for renting content.
Copyright holders require DRM to protect licensed
media on these platforms.
Opposition to DRM
Criticism
Organizations, individuals, and computer scientists oppose
DRM. Critics like Richard Stallman argue DRM is a malicious
feature designed to harm users.
Private Property Rights
DRM opponents argue that it violates existing private property
rights and restricts normal and legal user activities, limiting
control over purchased content.
Trade Barriers
The Foundation for a Free Information Infrastructure criticizes
DRM's effect as a trade barrier from a free market perspective,
hindering the free flow of information.
Opposition to DRM

Terminology
Stallman suggests using "Digital Restrictions Management"
instead of "rights" to accurately reflect DRM's purpose. This
term has been widely adopted.
Alternatives
Creative Commons offers licensing options encouraging the
expansion of creative work without DRM. DRM use breaches the
Baseline Rights of Creative Commons licenses.
DRM-Free Works

• In response to DRM opposition, many publishers and
artists label their works as "DRM-free." Major
companies like Apple, Comixology, and Google Play
offer DRM-free content to provide more flexibility to
consumers.
Shortcomings and Methods to Bypass DRM
Shortcomings
DRM systems can suffer from server outages, locking users
out of content. They can also accelerate hardware
obsolescence and raise moral and legitimacy concerns.
Bypass Methods
Methods to bypass DRM include burning content to audio CDs
and ripping it, intercepting data streams, and using the
"analog hole" to record analog signals.
Analog Recording
The analog hole allows users to record audio or video
signals as they are played, creating DRM-free copies. HDCP
attempts to address this but is largely ineffective.
DRM on Computing Platforms and Environmental Issues
1 General Platforms
DRM on general computing hardware is vulnerable because decryption keys
can be extracted.

2 Purpose-Built Hardware
Purpose-built hardware can be compromised, leading to pirate decryption.

3 Environmental Issues
DRM can accelerate hardware obsolescence, increasing electronic waste.
Relaxing DRM Can Be Beneficial
Some experts argue that reducing DRM restrictions can benefit digital
rights holders. Former Microsoft executive Jeff Raikes suggested that if
piracy happens, it's better for it to be within their ecosystem. Studies
show that DRM-free content can boost sales by increasing value for
legal buyers. Additionally, free distribution can help small creators gain
popularity, leading to higher revenues from merchandise, concerts, and
paid content.
Can Increase Infringement
While DRM aims to prevent piracy, some models suggest it can
actually increase infringement and reduce profits. Strict DRM
restrictions can frustrate legal buyers, making piracy a more attractive
option. In the gaming industry, some DRM systems require constant
internet access, limiting user convenience. However, research shows
that DRM is not always the main reason for piracy, as some heavily
protected games are not among the most pirated titles.
4.5 Copyright Infringement
Understanding Copyright Infringement
Copyright infringement involves using
protected works without permission,
violating the rights of the copyright holder.
This includes reproducing, distributing,
displaying, or creating derivative works.
Copyright holders use legal and
technological measures to prevent and
penalize infringement. Disputes are
typically resolved through negotiation, a
notice and takedown process, or litigation.
Egregious cases may face criminal
prosecution.
The Terminology of Infringement:
Piracy and Theft
The terms "piracy" and "theft" are often associated with copyright
infringement. "Piracy" originally meant robbery at sea but has
been used for centuries to describe copyright violations. "Theft"
emphasizes the commercial harm to copyright holders. However,
copyright is intellectual property, distinct from laws covering
tangible property. The U.S. Supreme Court ruled in 1985 that
infringement does not easily equate with theft.

Piracy
Unauthorized copying, distribution, and selling of
copyrighted works.
Theft
Emphasizes the potential commercial harm of infringement
to copyright holders.
Motivations Behind Copyright
Infringement
1 Pricing
Unwillingness or inability to pay the price requested by legitimate sellers.

2 Unavailability
No legitimate sellers providing the product in the end-
user's country due to launch delays or geographical
restrictions.
3 Usefulness
Legitimate products come with DRM, region locks,
or annoying advertisements that are removed in
unauthorized versions.

4 Anonymity
Downloading works does not require identification,
unlike direct downloads from copyright owners.
Copyright Infringement in Developing Countries
In emerging economies, high prices for
media goods, low incomes, and cheap digital
technologies drive media piracy. Digital
piracy offers the main access to media
goods in these countries. Due to censorship,
copied videos and DVDs spread when a
country's government bans a movie. In
Romania, Irina Margareta Nistor dubbed over
3,000 bootlegged American movies,
becoming the country's second-most famous
voice.
Motivations Due to
Censorship
In some countries, government
censorship leads to media piracy.
When movies or content are banned,
unauthorized copies spread as people
seek alternative access. Censorship
can unintentionally increase piracy
instead of preventing it.
• A well-known example is Romania under
Nicolae Ceaușescu’s regime. Due to strict
censorship, foreign films were banned.
However, Irina Margareta Nistor secretly
dubbed over 3,000 bootlegged American
movies, making her voice one of the most
recognized in the country.
Existing and Proposed Copyright
Laws
Most countries protect authors' copyrights. While enforcement is
typically the copyright holder's responsibility, some jurisdictions
impose criminal penalties.

Civil Law
Violation of exclusive rights occurs when copyrighted
material is used without permission. Remedies include
injunctions, damages, and the destruction of
infringing products as required by TRIPs Article 50.
Some jurisdictions impose large statutory damages to
deter infringement.
Criminal Law
Severe cases of copyright infringement can lead to jail
time and fines, as stated in TRIPs Article 61. Laws like
ACTA and SOPA propose harsher penalties, including
felony charges for online piracy.
Noncommercial File Sharing
Downloading
Copyright law in some countries permits downloading copyright-protected
content for personal, noncommercial use. Examples include Canada and
EU member states like Poland, the Netherlands, and Spain.

Uploading
Although downloading is sometimes permitted, public distribution, by
uploading or otherwise offering to share copyright-protected content,
remains illegal in most countries.

• Some countries, like Canada and Germany, have limited the penalties for
non-commercial copyright infringement. Germany has passed a bill to limit
the fine for individuals accused of sharing music and movies to $200.
DMCA and Anti-circumvention Laws
• Title I of the U.S. DMCA & WIPO Copyright Act prevent
bypassing technological protections on copyrighted works.
• Circumvention of software, passwords, or access devices may
result in legal action.
• Exemptions exist for malfunctioning copy protections and
ineffective website filters.
Online Intermediary Liability
Definition of Intermediary
Internet intermediaries include ISPs, backbone
providers, cable companies, mobile communications
providers, portals, software and games providers,
forums, aggregators, search engines, chat rooms, web
blogs, and websites with hyperlinks.
Litigation and Legislation
Early cases focused on ISP liability for user-supplied
content. Laws varied widely. The debate shifted to
whether intermediaries should be responsible for all
content accessible through their services.
Peer-to-peer Issues
Peer-to-peer file sharing intermediaries are denied safe
harbor provisions for copyright infringement. Legal
action is taken based on secondary liability principles
like contributory and vicarious liability.
Limitations on Copyright Protection
Fair Practice
Based on the Berne Convention, allows limited use of
copyrighted works, such as short quotations in journalism
and education.
Fair Use/Fair Dealing
Legal exceptions allowing use of copyrighted works without
permission for purposes like criticism, commentary, or
research.
Compulsory Licensing
Compulsory licensing forbids copyright owners from denying
licenses for certain uses, such as compilations and live
performances of music.
Originality Requirement
A work must have originality and be in a fixed medium to
qualify for protection.
Preventative Measures
The BSA outlined strategies for governments to reduce software piracy: increase public
education, modernize protections for software, strengthen enforcement of IP laws, and lead by
example using licensed software. Corporations and legislatures take preventative measures,
focusing on preventing digital infringement.
1 Education
Raising awareness about piracy and IP rights.
2 Legislation
Civil and criminal laws to deter infringement.
3 Copy Protection
DRM and anti-circumvention laws.
4 Open Licensing
Permissive licenses for certain uses.
Economic Impact of Copyright
Infringement
Organizations disagree on the scope and magnitude of copyright infringement's
economic effects. The GAO clarified that estimating the economic impact of IP
infringements is extremely difficult due to the absence of data. In 2008, the
MPAA reported $6.1 billion in losses to piracy. Industry estimates in the U.S.
range from $6.1B to $18.5B per year.
• According to a 2007 BSA and IDC study, the five countries with the highest
rates of software piracy were Armenia, Bangladesh, Azerbaijan, Moldova, and
Zimbabwe. The five countries with the lowest piracy rates were the U.S.,
Luxembourg, New Zealand, Japan, and Austria.

$6.1B: MPAA Loss. Reported losses to piracy in 2008.
57%: PC Users. Admit to pirating software.
$63.4B: Shadow Market. Value of pirated software in 2011.
Organizations Involved
• Pro-Open Culture
  • Free Software Foundation (FSF)
  • Electronic Frontier Foundation (EFF)
  • Creative Commons (CC)
  • Demand Progress
  • Fight for the Future
  • Pirate Party
• Anti-Copyright Infringement
  • Business Software Alliance (BSA)
  • Canadian Alliance Against Software Theft (CAAST)
  • Entertainment Software Association (ESA)
  • Federation Against Software Theft (FAST)
  • International Intellectual Property Alliance (IIPA)
  • Association For the Protection Of Internet Copyright (API
  • Copyright Alliance
