Analysis of Security Vulnerabilities in the Movie Production and Distribution Process

Simon Byers, Lorrie Cranor, Dave Kormann, Patrick McDaniel
AT&T Labs - Research
Florham Park, NJ
{byers,lorrie,davek,pdmcdan}@research.att.com

Eric Cronin
University of Pennsylvania
Philadelphia, PA
ecronin@cis.upenn.edu

September 13, 2003

Abstract

Unauthorized copying of movies is a major concern for the motion picture industry. While unauthorized copies of movies have been distributed via portable physical media for some time, low-cost, high-bandwidth Internet connections and peer-to-peer file sharing networks provide highly efficient distribution media. Many movies are showing up on file sharing networks shortly after, and in some cases prior to, theatrical release. It has been argued that the availability of unauthorized copies directly affects theater attendance and DVD sales, and hence represents a major financial threat to the movie industry.

Our research attempts to determine the source of unauthorized copies by studying the availability and characteristics of recent popular movies in file sharing networks. We developed a data set of 312 popular movies and located one or more samples of 183 of these movies on file sharing networks, for a total of 285 movie samples. 77% of these samples appear to have been leaked by industry insiders. Most of our samples appeared on file sharing networks prior to their official consumer DVD release date. Indeed, of the movies that had been released on DVD as of the time of our study, only 5% first appeared after their DVD release date on a web site that indexes file sharing networks, indicating that consumer DVD copying currently represents a relatively minor factor compared with insider leaks. We perform a brief analysis of the movie production and distribution process and identify potential security vulnerabilities that may lead to unauthorized copies becoming available to those who may wish to redistribute them.
Finally, we offer recommendations for reducing security vulnerabilities in the movie production and distribution process.

1 Introduction

The U.S. motion picture industry estimates that its revenue losses due to unauthorized copying and redistribution of movies via physical media (video cassettes, DVDs, VCDs etc.) exceed $3 billion annually [22].¹ Each year over 400 facilities for illegally duplicating audiovisual content are discovered in the U.S., and many more are believed to remain undiscovered in both the U.S. and overseas [30]. In 2001, 74 such facilities were raided in Asia [32]. Malaysia, Pakistan, and China are believed to be among the largest producers of unauthorized copies of audiovisual content. The movie industry has not released estimates of revenue losses due to Internet redistribution of unauthorized copies; however, recent studies have estimated that there are 350,000 to 400,000 illegal movie downloads each day and projected revenue losses of up to $4 billion annually within the next two years [11, 33].

¹ In some statements the MPAA has claimed this number includes only analog video cassette distribution [32], while in other statements the MPAA has claimed this number covers all illegal distribution except Internet distribution [22].

Estimating revenue losses due to illegal downloads is problematic because it is difficult to determine what fraction of illegal downloads result in lost revenue for the industry and whether illegal downloads, through the “free publicity” they generate, have any positive impacts on box office revenues. Nonetheless, it is likely that redistribution of unauthorized copies via the Internet will increasingly affect DVD movie sales and paid Internet distribution of movies.
As the ease of downloading unauthorized copies of movies grows with the availability of low-cost, high-bandwidth Internet connections and peer-to-peer file sharing networks, the movie industry’s concerns about illegal downloads are intensifying. These concerns are heightened by unauthorized copies of movies becoming available on the Internet prior to their U.S. theater release [29].

Much of the discussion about preventing unauthorized copying of movies has focused on shutting down the mass production and distribution of pirated movies and on schemes to prevent consumers from making unauthorized copies of movies from DVDs, VCDs, paid Internet downloads, or digital television broadcasts [32]. Until recently, there was little public discussion about security measures to prevent unauthorized copies of movies from falling into the hands of those who will mass produce them—sometimes before their theatrical release. In a recent interview with The Guardian, one industry watcher, Mark Endemano, director of Deloitte Consulting’s media practice, criticized the movie industry for concentrating on bootleg DVDs and video cassettes [33]. In a Wall Street Journal interview, Walt Disney Studios chief Dick Cook criticized the common industry practice of sending out thousands of screener DVDs to Academy voters, saying that the industry had been slow to acknowledge that this practice was facilitating movie piracy. “The unfortunate part of this industry sometimes is that it has to get hit over the head before something happens,” he said [18].

In the Spring of 2003 several press reports highlighted security measures that movie studios were putting in place to prevent unauthorized copying of movies during the pre-screenings conducted for the media or as part of marketing research [12, 26, 29]. Despite these measures, some movies are becoming available on the Internet before their theatrical release, and in some cases before a movie has been fully edited.
For example, an early version of Universal’s The Hulk began circulating on the Internet two weeks before its June 20, 2003 U.S. theater release date (see Figure 1). The version illegally released on the Internet had incomplete computer graphics, which were widely criticized on Internet message boards [15]. Within three weeks Kerry Gonzalez was charged with posting the purloined film on the Internet. Gonzalez reportedly obtained a video tape of a pre-release “work print” of the movie from a friend, who had in turn received it from an employee of a Manhattan print advertising firm that was promoting the movie. He pleaded guilty to a single count of felony copyright infringement and faces fines and up to three years in prison [20, 27].

Figure 1: A preliminary version of the film “The Hulk” was criticized for the poor quality of its CGI. The watermarks in the bottom right corner were removed in an attempt to mask its origin.

Our research attempts to classify the sources of unauthorized Internet copies of movies that were in the U.S. box office top 50 during an 18-month period beginning in January 2002. Much unsubstantiated debate has occurred, but we know of no reliable data on this subject in the public domain. In this paper we present a brief analysis of the movie production and distribution process and identify security vulnerabilities that may lead to unauthorized copies of movies becoming available to those who may wish to redistribute them. We present our analysis of time lags between Internet, theater, and DVD releases during our study period. We describe our methodology for determining the probable source of Internet copies and the results of our analysis. Finally, we offer recommendations for reducing security vulnerabilities in the movie production and distribution process.

2 Movie Production and Distribution

Our examination of security vulnerabilities begins with the movie production process, in which various audio, video, and digital artifacts are created and combined into the finished product. We then examine the movie distribution process, which includes the physical or electronic distribution of movies to consumers as well as to critics, awards judges, and others. Marketing and related activities may occur during both the production and distribution processes.

Figure 2 describes one possible production and distribution workflow. Note that this is but one model of the production environment. Each studio has a unique set of tasks and participants, but we believe that most studios’ processes include almost all of those shown here. While our analysis is driven by this workflow, it is not dependent on the particular details of this structure.

The nexus of the production process is the editing room. This is the place where the film is assembled by cutting and mixing the physical location video and audio recordings (shots). Once rough cuts of these shots are available, additional aspects such as computer generated special effects (FX) and music and sound synthesis (aud) are added by outside parties. In all cases, the enhanced content is returned to the editing room, possibly for further cutting, modification, and enhancement. Finally in the post-production stage, the visual and audio elements of a movie are fine-tuned. As with most of the other parts of the production process, post-production may be outsourced to other companies.

Parallel to the development of the content itself are related business activities. Marketing departments develop advertisements to promote the movie, often long before the content is actually completed. Trailers and posters are created to raise awareness of the movie.
The marketing department also gauges audience reaction to early cuts of the movie shown in private focus group screenings. The film is altered in response to audience reaction and surveys. Often when the content is nearing completion, studio executives and financial backers view the content and make suggestions. The final version to be shown in theaters is completed when the editors, directors, producers, and marketing department are satisfied.

The distribution process replicates and delivers the final version to authorized parties. Of key interest to us is the timing of delivery to the various participants. We consider three distinct periods: prior to theater release, between theater release and DVD release, and after DVD release.² This last phase, after DVD release, represents an opportunity for end consumers to make unauthorized copies (e.g., by directly ripping the content from purchased DVDs).

Prior to theater release, the final version may be distributed to many parties. Critics and awards judges may receive copies. Note that this process serves an essential function in the movie industry: to publicize and draw (hopefully positive) commentary about the movie. However, the sheer number of people involved at this stage considerably complicates content security. Many studio employees have access to the final version: marketing and executives continue to view the content and build and execute strategies for its promotion. The content is typically delivered in some portable format (VHS or DVD) to all these parties.

The content itself must be replicated by a film production facility, where any number of employees may have access to it. On or immediately prior to the release date, the content is delivered to the cinema. Historically, movie releases have been staggered across locations. However, because of concerns about unauthorized copying, some studios are compressing their release time frames [26, 29].
Once a cinema receives a movie, it becomes accessible to cinema employees. When a movie is projected it is exposed to members of the public who may make unauthorized copies of the projected image as well as to cinema employees who have direct access to the projector.

Several months after theater release, movies are replicated on DVDs at DVD pressing plants. DVDs are then distributed to stores and movie rental companies. It is not unusual for U.S. DVD distribution to begin a month or more before the official DVD release date. (Typically, overseas DVD distribution of American movies does not begin until after the U.S. release date.) Thus, store employees may have access to DVDs several weeks before their release, and in some cases, stores may begin selling DVDs prior to the release date contrary to studio policy.³

² There are, of course, other important events in the movie distribution process including international releases, hotel pay-per-view releases, airline releases, home pay-per-view releases, etc. Our analysis focuses only on the three periods we have outlined. In addition, some movies have separate DVD and VHS release dates; however, in our analysis we consider only the earlier of these two dates. Note that the DVD release date is the date on which a movie becomes available on DVD in the U.S. for both sale and rental.

³ Anecdotal evidence, for example from the release of the latest Harry Potter book, suggests that book publishers have been more successful than movie studios in preventing stores from selling their products before the official release date. It might be useful to compare the strategies used by these two industries to enforce their release dates.

Figure 2: Movie production and distribution workflow. Content is cooperatively generated during the production process. The final product is replicated and delivered to the consumer during the distribution process.

3 Security Vulnerabilities

A variety of attacks against movie content production and delivery systems are already proving successful. In studying these attacks we make the critical distinction between insider and outsider attacks [24]. In general, insiders are members of the (at least partially) trusted community. As is true of information security more generally, most of the precautions and countermeasures used to address insider threats in the movie industry are necessarily different than those that address outsider threats.

Insider attacks can be extremely difficult to protect against. As an example we take the case of Robert Hanssen, who managed to pass large amounts of sensitive FBI data to the Russians. The FBI presumably takes strong measures against exactly such an insider attack. Yet Hanssen was incredibly successful in his attack against FBI protected content. On the whole though, despite the seeming difficulty of preventing insider attacks, an organization can wield considerable power against insiders and impose strong constraints on how insiders conduct their legitimate affairs. In contrast, many organizations (including the FBI) have very weak control over outsiders. Prevention of outsider attacks is often a wasted effort when strong measures are not first put in place to prevent insider attacks.

3.1 Insider attacks

Our analysis reveals many types of potential insider attacks on the movie production and distribution process.
The following lists but a few of the many potential threats to secure movie production and distribution:

- Unauthorized copying of a movie in the editing room or nearby in the supply chain, whether first cut or final product. These copies often have small differences from the released version or include incomplete audio or visuals, as shown in Figure 3. Some are marked with obtrusive text that identifies their source, as shown in Figure 4, or include on-screen counters, as shown in Figure 5.
- Unauthorized copying of a critic’s advanced copy of a movie. This may have the text “Screener copy only, property of some name” appearing on the screen occasionally, as shown in Figure 6.
- Unauthorized copying of a promotional or preview screening copy. This may be marked in a similar fashion to critics’ versions, as shown in Figure 8.
- Unauthorized copying of an awards judge presentation of a movie. Copies may be marked with the text “For your consideration,” as shown in Figure 7.
- Digital through-the-air video recording by a projectionist at a cinema with aspect-correct video, suitable exposure, and direct audio. These copies have highly variable video quality, but often can be very good.
- Unauthorized copying of a consumer medium such as DVD or VHS at the factory or any other point prior to sale. These copies are unmarked and of near perfect quality.

Figure 3: Editing room artifact – boom microphone in top center of film.
Figure 4: Studio “property” marking.
Figure 5: Production copy — note time code on bottom left and two blurred watermarks at bottom center.
Figure 6: Screener text.
Figure 7: Copy marked as being for awards consideration.
Figure 8: Copy marked as being a promotional DVD with explicit instructions for reporting leak.
Figure 9: A frame from an unauthorized copy of a movie probably recorded through-the-air using a camcorder from a cinema seat. Note the slightly angled studio URL.

Note that we consider all participants in the movie production and distribution process other than the end consumer to be insiders, although some are not employed directly by movie studios.

3.2 Outsider attacks

For comparison we also show some examples of outsider attacks:

- Digital through-the-air video recording by a consumer using a camcorder from a cinema seat. These copies generally have bad video and audio quality due to the through-the-air nature of the acquisition. Often it is noticeable that the copy was not recorded at the same angle from which it was projected, as shown in Figure 9.
- Unauthorized copying of a consumer rental DVD or VHS tape. These copies (and the following two types) can be near perfect in quality but do not appear until some time after the creation and release of the content.
- Unauthorized copying of a consumer purchased DVD or VHS tape.
- Unauthorized copying from cable, satellite, or broadcast TV.

Outsider attacks seemingly represent a greater threat due to the much larger number of potential attackers and the fact that these attacks occur when the movie is in final form and is free from studio markings. However, in the next section we examine some important attributes of these copies that can override these concerns.

3.3 Freshness and quality

Unauthorized copies can vary in many ways, two of which are of particular importance: freshness and quality. A film’s freshness depends on how new it is: a film is most fresh at or prior to its theatrical release. Freshness is important because demand tends to be highest for new movies and marketing efforts are greatest for recent releases. Unauthorized copies of movies that have not yet been released in theaters or in a particular market are especially valued because they are viewable before a movie is available through legitimate channels.

The path that unauthorized copies flow through may result in copies not becoming widely available when they are very fresh.
For example, unauthorized copies may be distributed initially in relatively closed communities via FTP sites, IRC channels, or internal university servers, and only later emerge onto full scale peer-to-peer file sharing systems. Ultimately, unauthorized copies may be indexed by content verification sites, making the copies widely accessible. Content verification sites act as indexes for movies shared on peer-to-peer networks, providing information such as file names, date of first appearance (on the verification site), file size, checksum,⁴ and quality. The time it takes an unauthorized copy to make its way into an index may range from one day to several weeks or more.

⁴ The checksum provides an identifier for each unique copy of a movie uploaded to a peer-to-peer network. All identical copies of the same movie have the same checksum. The checksums are useful for identifying movies, and they allow for client software that can download different blocks of a movie from multiple sources simultaneously.

Content quality is also of prime importance. Due to the size of files required to hold a digital representation of a movie, aggressive video compression is often employed. For example, a 1.5 hour film can be as large as 4.7 gigabytes at full DVD quality and is usually compressed to one or more 700 megabyte files for Internet distribution. Degraded quality due to lossy video compression coupled with quality problems introduced by the copying method (for example, through-the-air capture) can result in poor quality copies that are not satisfying to end consumers. On the other hand, high-quality unauthorized copies may be indistinguishable or nearly indistinguishable from legal copies distributed via portable media or TV broadcast.

There is considerable desire for movies that are both fresh and of high quality.
(We note that in the music arena freshness and quality play a different role due to differences in the marketing and usage of the media, the file sizes involved, and fundamental differences between audio and video.) Generally, unauthorized copies with these characteristics can be obtained only through insider attacks. Fresh (before or during cinema release), good quality copies (TV quality or better) are almost impossible to obtain through an outsider attack. This observation is of key importance to our analysis of movie production and distribution security vulnerabilities. The number of holes to be plugged in preventing insider attacks is minuscule compared to those required to prevent acquisition and re-transmission of outsider originated copies. Moreover, the people involved in insider attacks are by definition under some influence of the content owners in that they have jobs in the industry and have something to lose. This has important implications for preventing unauthorized copying of movies.

4 Empirical Analysis

In order to gain additional insights into the source of leaked movies, we conducted an empirical analysis of movies that were in the U.S. box office top 50 between January 1, 2002 and June 27, 2003. This section describes our methodology and the results of our analysis.

4.1 Methodology

We developed our data collection procedure with the following requirements in mind:

- It must be documented and reproducible.
- An analysis that requires only publicly available data is preferable over one that requires privileged access. Clearly such analyses are also more reproducible.
- It should be consistent with fair use provisions of U.S. Copyright Law.
- It should be automatable to the extent that both ongoing study and bulk retrospective analyses can be performed.

Our methodology was also influenced by the modest resources we had available to us for this project.
We expect that the movie industry could devote significantly more resources to conducting a similar study, given the economic consequences of this issue for them.

4.1.1 Movie Data Set

We developed a suite of programs that access publicly available movie web sites and compile lists of movies that were in the U.S. box office top 50 any time between January 1, 2002 and June 27, 2003. This process automatically collects and organizes a variety of data including cinema release date, DVD release date, distributor, MPAA rating, box office take, and some crude popular ratings. We gathered statistics on 409 movies that met our criteria. We removed from our data set those movies that were released outside the U.S. prior to their U.S. release, including those screened at foreign film festivals prior to U.S. release. We also removed several movies from our data set that we had incomplete information about. Our resulting data set includes 312 movies.

4.1.2 Unauthorized Copy Identification

For each movie in our data set we used our software to search an online content verification site and automatically find all the unauthorized copies indexed there. The information on content verification sites is posted and maintained by volunteers, and may not be completely accurate. Furthermore, there is often a delay of several days to a few weeks from the time a movie is first made available on a peer-to-peer network until it is indexed on a content verification site. However, use of the content verification site allowed us to obtain data for movies posted over more than an 18 month period without monitoring the peer-to-peer network for that entire period. In addition, it allowed us to avoid downloading files that do not contain the content they claim to contain (often referred to as decoys).

Some of the movies we queried on the content verification site resulted in no hits, others resulted in multiple hits (indicating that multiple versions of a particular movie were available on a peer-to-peer network). We limited our search to a single content verification site; querying multiple content verification sites would likely have produced more hits. The content verification site we used usually does not index poor quality copies of movies.

4.1.3 File Sample Acquisition

Using the information obtained from the content verification site, we located the corresponding files on a peer-to-peer network automatically and acquired a small part of each relevant copy (on average, about five percent of each movie).⁵ We were unable to download the files corresponding to a few of the relevant hits, and 27 of the files we downloaded were unplayable. We also discovered that 18 files were foreign releases (for example, with non-English subtitles), and we did not consider those further. We successfully downloaded and played files corresponding to 285 relevant hits for the 312 movies we studied. These hits referenced online copies of 183 movies (59% of the movies in our data set).

We wrote a Perl module to provide a convenient interface to a peer-to-peer client running on a 200 MHz computer connected to the Internet via cable modem. The module allowed us to initiate, monitor, pause, and cancel file downloads in such a way as to end up with a sample of any required size of each of the desired files. It took approximately one week to acquire 312 playable samples, totaling over 18 gigabytes of data.

⁵ The file sharing software we used obtains movies in blocks, usually beginning first with a block at the very end of the movie file and then proceeding with a block from the very beginning of the movie file. Since some movies are stored in multiple files, the beginning and end of the file does not always correspond to the beginning and end of the movie itself. We found that by setting our scripts to download eight percent of one file from each movie we could acquire a complete block from the beginning of most of the movies we studied. A block from the beginning of the movie is especially useful, as this is where many studio markings are found.

4.1.4 Content Classification

Once the samples were acquired an automated script served the samples to a pool of human observers for judgment, along with a form in which to enter various data. The data recorded included a judgment on video and audio quality along with the presence or absence of the various possible features of unauthorized copies. Some automated analysis methods were performed also at this stage. In most cases it was straightforward for the observers to judge the audio and video quality. However, there were 38 samples for which observers commented on their forms that they were not entirely sure that their judgments were correct. In most cases their uncertainty was about audio quality.⁶

It should be noted that some of the samples may have had studio-inserted text tags indicative of a critic release or other pre-release that were removed before the movie was posted to the Internet. If the text is inserted only at the beginning and not superimposed on the movie content, it is particularly easy to remove. We found one sample where someone had attempted to remove this text but appeared to have inadvertently left one frame in the version they posted to the Internet. We suspect that many of our other samples had the studio text removed completely.

4.1.5 Analysis

Based upon the data collected in the above processes we examined the interaction between freshness, copy quality, and attack point. For each movie we calculated the time lag between its theater release and its first appearance on the content verification site.
If the movie had been released on DVD we also calculated the time lag between the DVD release date and its first appearance on the content verification site.

⁶ Automated tools might be developed to more accurately assess audio quality, for example, by measuring the difference between audio channels. If little or no difference is found between audio channels, it would suggest the audio was acquired through-the-air.

We classified the attack point as insider (as opposed to outsider) if any one of the following conditions is met:

- If the copy appearance date is prior to cinema release.
- If the copy has editing room artifacts such as frequent boom microphones in shot or is obviously not the final released edit (see Figure 3 for examples).
- If the copy has any industry related text or overt watermarks (see Figures 4, 5, 6, and 8, for examples).
- If the copy has good through-the-air video capture but apparently direct captured audio and appeared before DVD/VHS release date. In this case a cinema employee likely captured the audio directly from the projector and captured the video via a camcorder positioned in the projection booth or in an optimally located cinema seat.
- If the copy is plainly made from DVD source and appeared before DVD release date (likewise for VHS).

Other copies are classified as outsider sourced or unknown.

4.1.6 Limitations

Our analysis provides some much-needed empirical data; however, it is important to be aware of some of the limitations inherent in our methodology. First, no analysis of this type will ever be able to access all or even nearly all distinct unauthorized copies of movies. Hence we inherently underestimate the number of such copies in existence. Our usage of content verification sites to determine when each movie became available on the Internet is a key idea that permits retrospective analysis, allowing us to avoid a lengthy data collection process.
These sites also relieve us of much of the load of decoy removal, but can introduce other errors. Specifically they result in estimates for the appearance time of files on the Internet that are somewhat later than they should be. Thus, our estimates of the number of insider copies are conservative. Furthermore, the content verification site we used appears to remove entries for particularly poor copies, which are often posted earlier than higher-quality copies, adding some bias to our analysis.

From our experience reviewing the study samples, the content verification sites appear to be otherwise very accurate. Our spot checking of release dates against other data sources revealed occasional minor discrepancies such as inconsistent reporting of limited and wide release dates, but these errors were rare and not very significant. We did not find any movies in our sample that appeared to be decoys.

Our copy sampling and viewing procedure may introduce some additional errors. We were unable to view 27 of the samples we downloaded. While it is possible that some of these samples were corrupted, we suspect that most were encoded in formats that were unplayable when only a small sample was obtained. In addition, because a movie with insider markings may not have these markings in every frame, the insider markings may not appear in the short sample of each movie that we viewed, causing us to undercount the number of copies with such markings. Also, some samples may have had insider markings removed before they were posted to the Internet. Again, this results in an overly conservative estimate of insider leaks.

The one area where we may not be conservative is in our estimates of insider leaks of unmarked DVD-quality copies. Some of these copies that appear in the weeks prior to official consumer DVD release may have been purchased by consumers from stores that made them available prior to the release date.
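
The insider test of section 4.1.5 and the two time lags, written out as an added example (this is not the authors' software, which the paper does not show). The field names, the single "outsider or unknown" label, and the sample records are constructed assumptions, and a title with no DVD/VHS release yet is treated as having appeared before that release.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Sample:
    """One observer form for one downloaded sample (field names are assumptions)."""
    title: str
    first_indexed: date               # first appearance on the content verification site
    theater_release: date
    home_release: Optional[date]      # earlier of the DVD/VHS dates; None if not yet released
    editing_artifacts: bool = False   # boom microphones in shot, not the final edit
    industry_markings: bool = False   # screener text, overt watermarks, time code
    source: str = "unknown"           # "through_air", "dvd", "vhs", "tv" or "unknown"
    good_video: bool = False          # observer judged the video capture good
    direct_audio: bool = False        # audio apparently captured directly


def before_home_release(s: Sample) -> bool:
    # Assumption: no home-video release yet counts as "before DVD/VHS release".
    return s.home_release is None or s.first_indexed < s.home_release


def insider_reasons(s: Sample) -> List[str]:
    """Return every section 4.1.5 condition the sample satisfies."""
    reasons = []
    if s.first_indexed < s.theater_release:
        reasons.append("indexed before cinema release")
    if s.editing_artifacts:
        reasons.append("editing room artifacts")
    if s.industry_markings:
        reasons.append("industry text or overt watermark")
    if (s.source == "through_air" and s.good_video and s.direct_audio
            and before_home_release(s)):
        reasons.append("good through-the-air video with direct audio "
                       "before DVD/VHS release")
    if s.source in ("dvd", "vhs") and before_home_release(s):
        medium = s.source.upper()
        reasons.append(f"{medium} source before {medium} release")
    return reasons


def classify(s: Sample) -> str:
    # Any single condition is enough; everything else is not separated further.
    return "insider" if insider_reasons(s) else "outsider or unknown"


def lags_in_days(s: Sample) -> Tuple[int, Optional[int]]:
    """(index date - theater release, index date - DVD/VHS release) in days."""
    theater_lag = (s.first_indexed - s.theater_release).days
    home_lag = (None if s.home_release is None
                else (s.first_indexed - s.home_release).days)
    return theater_lag, home_lag


def insider_share(samples: List[Sample]) -> float:
    return sum(classify(s) == "insider" for s in samples) / len(samples)


# Constructed records, not data from the study.
SAMPLES = [
    # Work print indexed two weeks before cinema release, with markings.
    Sample("Constructed A", date(2003, 6, 6), date(2003, 6, 20), None,
           editing_artifacts=True, industry_markings=True),
    # Projection-booth style capture shortly after cinema release.
    Sample("Constructed B", date(2002, 7, 1), date(2002, 6, 14), date(2002, 11, 5),
           source="through_air", good_video=True, direct_audio=True),
    # Unmarked DVD-quality copy indexed 16 days before DVD release.
    Sample("Constructed C", date(2002, 10, 20), date(2002, 6, 14), date(2002, 11, 5),
           source="dvd"),
    # DVD-quality copy indexed after DVD release: no insider condition holds.
    Sample("Constructed D", date(2002, 12, 1), date(2002, 6, 14), date(2002, 11, 5),
           source="dvd"),
    # Camcorder copy from a cinema seat, poor video, through-the-air audio.
    Sample("Constructed E", date(2002, 6, 17), date(2002, 6, 14), date(2002, 11, 5),
           source="through_air"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.title, classify(s), lags_in_days(s), insider_reasons(s))
    print("insider share:", insider_share(SAMPLES))
```

Record C is the case the last limitation above describes: the rule labels it insider, although a copy bought from a store selling before the release date would look the same.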
It should also be noted that our study focused on popular movies. It is not clear whether we would find similar patterns for small, independent movies.

4.2 Results

Of the 312 movies we studied, 183 were indexed on the content verification site, indicating widespread Internet availability. Of the 285 movie samples we examined, 77% appear to have been leaked originally by industry insiders (determined using the criteria we outlined in section 4.1.5). On average, the movie samples we examined were indexed 100 days after theater release and 83 days before DVD release. While only 7 of these movies were indexed prior to their theater release date, 163 were indexed prior to their DVD release date. Only 5% of the movies we studied that had been released on DVD as of the time of our study were first indexed after their DVD release date, indicating that consumer DVD copying currently represents a relatively minor factor compared with insider leaks.

[Figure 10: Distribution of theater/Internet release time lags for samples in our data set. Week 0 is the week a movie was first released in U.S. theaters. Axes: Movies Released on Internet versus Weeks (week 0 is theater release).]

Figures 10 and 11 illustrate the distribution of time lags between appearance on the content verification site and theater and DVD release, respectively. The graphs show that many movies appear on the Internet within three weeks of their theater release date. These include movies leaked during the production and cinema distribution process as well as copies sent to critics and Oscar reviewers. A second wave of leaks begins about one month before DVD release. Most of those leaks likely originate from DVD pressing plants, DVD distributors, retail employees, or Oscar reviewers; however, some may occur as a result of consumer copying of DVDs purchased at stores that sell them before their official release date.
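The insider criteria of section 4.1.5, the lag figures reported in the results, and the channel-difference measurement suggested in footnote 6 can be written out as a small classifier. This is an added example, not the authors' tooling: the record fields, the function names, and the sample records are constructed, and treating a title with no DVD release yet as "before DVD release" is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional, Sequence


@dataclass
class Sample:
    """One reviewed copy; the field names are assumptions made for this example."""
    title: str
    indexed: date                     # first appearance on the content verification site
    theater_release: date
    dvd_release: Optional[date]       # None: no DVD/VHS release yet
    editing_artifacts: bool = False   # boom microphones in shot, or not the final edit
    industry_markings: bool = False   # industry related text or overt watermark
    video_through_air: bool = False   # good through-air (camcorder) video
    audio_direct: bool = False        # audio apparently captured directly
    from_disc_or_tape: bool = False   # plainly made from a DVD (or VHS) source


def channel_difference(left: Sequence[float], right: Sequence[float]) -> float:
    """Footnote 6 heuristic: relative difference between two audio channels (0..1).

    A value near 0 suggests through-the-air audio. On its own it cannot tell a
    through-the-air recording from a directly captured mono track.
    """
    energy = sum(abs(l) + abs(r) for l, r in zip(left, right))
    if energy == 0:
        return 0.0
    return sum(abs(l - r) for l, r in zip(left, right)) / energy


def before_home_release(s: Sample) -> bool:
    # Assumption: a title with no DVD/VHS release yet counts as "before release".
    return s.dvd_release is None or s.indexed < s.dvd_release


def insider_reasons(s: Sample) -> List[str]:
    """Return every section 4.1.5 condition the sample meets (any one suffices)."""
    reasons = []
    if s.indexed < s.theater_release:
        reasons.append("appeared before cinema release")
    if s.editing_artifacts:
        reasons.append("editing room artifacts")
    if s.industry_markings:
        reasons.append("industry text or overt watermark")
    if s.video_through_air and s.audio_direct and before_home_release(s):
        reasons.append("through-air video with direct audio before DVD/VHS release")
    if s.from_disc_or_tape and before_home_release(s):
        reasons.append("DVD/VHS source before DVD/VHS release")
    return reasons


def classify(s: Sample) -> str:
    return "insider" if insider_reasons(s) else "outsider or unknown"


def theater_lag(s: Sample) -> int:
    return (s.indexed - s.theater_release).days


def dvd_lag(s: Sample) -> Optional[int]:
    """Negative values mean the copy was indexed before the DVD release."""
    return None if s.dvd_release is None else (s.indexed - s.dvd_release).days


def summarize(samples: List[Sample]) -> dict:
    insiders = [s for s in samples if classify(s) == "insider"]
    dvd_lags = [dvd_lag(s) for s in samples if s.dvd_release is not None]
    return {
        "samples": len(samples),
        "insider": len(insiders),
        "insider_pct": round(100 * len(insiders) / len(samples)),
        "mean_theater_lag": round(mean(theater_lag(s) for s in samples)),
        "mean_dvd_lag": round(mean(dvd_lags)) if dvd_lags else None,
    }


# Constructed records, not data from the study.
SAMPLES = [
    Sample("Sample A", date(2003, 4, 28), date(2003, 5, 1), date(2003, 10, 1)),
    Sample("Sample B", date(2003, 7, 10), date(2003, 3, 1), date(2003, 8, 1),
           from_disc_or_tape=True),
    Sample("Sample C", date(2003, 6, 15), date(2003, 2, 1), date(2003, 6, 1),
           from_disc_or_tape=True),
    Sample("Sample D", date(2003, 6, 4), date(2003, 6, 1), None, video_through_air=True),
    Sample("Sample E", date(2003, 6, 3), date(2003, 6, 1), None,
           video_through_air=True, audio_direct=True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.title, classify(sample), insider_reasons(sample))
    print(summarize(SAMPLES))
```

The DVD lag uses the same sign convention as Table 1, so a copy indexed before its DVD release has a negative lag.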
The vast majority of the samples in our data set were DVD quality. Those that were not DVD quality had shorter lag times between their theater release and Internet availability. Likewise, those with overt watermarks or textual markers also had shorter lag times. Table 1 shows the classifications of the movies in our data set along with the average lag times for each classification. Note that we have multiple samples for about half of the movies in our data set, for example both a through-the-air quality sample and a DVD quality sample.

The percentage of movies indexed on the content verification site and the mean lag times varied considerably between movie studios. The production and distribution processes of each studio may account for some of this variation, as well as the types of movies produced. Table 2 shows the data we collected for each studio with five or more movies in our data set. Note that in some cases movies are listed as being released by a studio that is a division of a larger movie production company. Thus, for example, Walt Disney movies in our sample may be classified as being released by Buena Vista Pictures or Touchstone Pictures.

[Figure 11: Distribution of DVD/Internet release time lags for samples in our data set. Week 0 is the week a movie was released officially to U.S. consumers on DVD. Axes: Movies Released on Internet versus Weeks (week 0 is DVD release).]

5 Current and Recommended Security Measures

The movie industry has been taking steps to identify and shut down illegal video reproduction facilities and stop the distribution of pirated videos and DVDs for some time [30, 32]. However, until recently, there were few public reports of industry steps to prevent individuals from obtaining the first unauthorized copy from which many other copies might be reproduced.
We refer to this first unauthorized copy as a leaked copy, and view the prevention of leaks to be paramount in preventing unauthorized reproduction of fresh, high quality copies of movies. Leaked copies are of particular concern to the movie industry because they make it possible for illegal copies of movies to be reproduced widely before a theatrical release. Fortunately, leak prevention is, perhaps, the security area where the industry can most easily exert control.

Classification              Number of Samples   Theater Internet Lag (days)   DVD Internet Lag (days)
Reviewed Samples            285                 100                           -83
Insider                     220 (77%)           105                           -79
Outsider                    65 (23%)            86                            -96
Incomplete video editing    4 (1%)              38                            -192
Incomplete audio editing    1 (<1%)             12                            -362
Watermark or text marker    35 (12%)            52                            -141
VHS quality                 6 (2%)              60                            -149
DVD quality                 223 (78%)           123                           -62
Through-the-air video       46 (16%)            9                             -171
Through-the-air audio       39 (14%)            10                            -171

Table 1: Classification of movies in sample. Numbers in parentheses represent percentage of reviewed samples.

In the following subsections we first review known steps the movie industry is currently taking to prevent leaks and then consider additional countermeasures appropriate in three distinct phases: short, medium, and long term. The short term solutions are intended to suggest immediate and simple actions to prevent leaks. The medium term solutions apply existing technology, but require both modification of the content delivery processes and development of technical solutions. The long term solutions depend on the advancement of content management technologies, and hence are contingent on some factors outside the movie industry’s direct control. Our proposed solutions are broad recommendations. Each production facility should perform considerable self-examination about how they handle content to best limit the possibility of leaks. Where this leads to new internal procedures and technologies, it is likely to be successful.
If new measures attempt only to modify the behavior of outsiders, the effort is likely to fail.

5.1 Current Leak Prevention Efforts

The following overview of current leak prevention efforts was developed after researching news reports of movie industry security measures. Of course, it is likely that the industry is also pursuing other security measures that they have not publicized.

The MPAA is reportedly working on best practices recommendations to assist movie studios in combating piracy [12]. According to insiders we spoke with, the studios have followed security procedures for some time such as coding pre-release copies and requiring that all pre-release copies be signed out when they leave the studio. However, these procedures are often insufficient for preventing leaks.

Pre-release copies of movies are typically marked with anti-piracy messages and in some cases watermarks or overt textual markings that may be useful in identifying the source of an unauthorized copy. The pre-release copy of The Hulk that was posted to the Internet contained unique security tags on the bottom right corner of the screen, as shown in Figure 1. Although Gonzalez used software to black out the security tags before posting the film to the Internet, studio officials were reportedly able to identify the source of the leak from the remnants of these tags. The FBI was also able to track the uploaded copy to Gonzalez through his Internet Service Provider. Industry officials are hoping that the felony indictment against Gonzalez will send a strong message to others who are considering leaking movies to the Internet [17].

Because Oscar screeners are often a source of fresh high-quality leaks, Walt Disney Studios sent screeners on video rather than DVD last year for movies such as 25th Hour and Treasure Planet that were not scheduled to come out on DVD for some time.
This appears to be an unusual step [18]; however, in this case it appears to have prevented the screeners from being leaked and widely distributed on the Internet. The samples of these movies in our data set appear to be unmarked DVD copies leaked during the DVD production or distribution process (appearing on the content verification site 27 and 37 days before their respective DVD release dates).

Studio                     Releases   Number of Releases Indexed on   Number of Releases   Box Office Take Per Release   Theater Internet   DVD Internet
                                      Content Verification Site       on DVD               (millions of $s)              Lag (days)         Lag (days)
20th Century Fox           25         15 (60%)                        20                   $64                           96                 -115
Buena Vista Pictures       17         10 (59%)                        15                   $79                           132                -59
Columbia Pictures          27         19 (70%)                        23                   $58                           66                 -105
Dimension Films            7          5 (71%)                         7                    $20                           146                -21
DreamWorks                 9          5 (45%)                         9                    $71                           100                -51
Fox Searchlight Pictures   8          6 (75%)                         7                    $19                           42                 -139
Lions Gate Films           9          5 (45%)                         7                    $9                            77                 -164
MGM/UA                     19         12 (63%)                        15                   $25                           77                 -88
Miramax Films              23         9 (39%)                         21                   $21                           108                -98
New Line Cinema            15         11 (73%)                        12                   $87                           55                 -130
Paramount Pictures         24         16 (67%)                        21                   $48                           67                 -86
Sony Pictures Classics     7          0 (0%)                          6                    $3                            NA                 NA
Touchstone Pictures        12         7 (58%)                         12                   $62                           104                -55
Universal Pictures         18         15 (83%)                        14                   $76                           69                 -97
Warner Bros.               37         29 (78%)                        30                   $57                           63                 -103

Table 2: Statistics For Each Studio with Five or More Movies in Our Data Set.

Some studios have begun using metal detectors and employing security guards equipped with night-vision goggles and binoculars at their pre-release screenings. In addition, electronic devices, including cell phones, have been banned from these screenings. Such measures were reportedly used at pre-release screenings of the Warner Brothers movies Dreamcatcher and The Matrix Reloaded; the Disney movies The Lizzie McGuire Movie and Finding Nemo; the Sony Pictures movie Anger Management; the Paramount Pictures movie The Italian Job; and the 20th Century Fox movies Daredevil and Down With Love.
Of these movies, only Dreamcatcher, The Matrix Reloaded, Daredevil, and Finding Nemo appear to have been leaked to the Internet near their theater release dates (these movies first appeared on the content verification site 6, 1, 3, and 1 days after their respective theater release dates, indicating that they may have been leaked just prior to theater release). The first three samples appear to be very good camcorder copies, possibly with directly-recorded audio tracks. They may have been recorded during a pre-release screening or during a public cinema screening after release. However, the high audio quality suggests the possibility that they were leaked by a cinema employee. The Finding Nemo sample was reportedly a poor camcorder copy that was removed from the content verification site’s database prior to our study because its quality was deemed unsatisfactory. Fox and Sony Pictures have reportedly caught individuals using camcorders at some of their screenings. In April 2003, federal prosecutors in Los Angeles charged a man with recording movies at critic screenings using a camcorder. He reportedly had a lucrative business selling pirated videos that he reproduced on 11 VHS recorders in his home. According to a press interview with Ken Jacobsen, the MPAA’s senior vice president and director of worldwide anti-piracy, the MPAA has determined that 28 movies that became available illegally before their U.S. theatrical release between May 2002 and March 2003 were recorded with a camcorder at a pre-release screening [4, 12, 26, 29].

Some studios have reportedly started using messengers to hand-deliver prints of popular movies with phony labels to theaters. However, according to a USA Today article, some of these prints are disappearing despite this measure. In addition, some studios have cut down on their use of test-market screenings in order to prevent leaks.
For example, Sony prohibited test-market screenings of Men in Black 2, despite the director’s objections [29]. This precaution may have prevented a pre-release leak, as Men in Black 2 did not appear on the content verification site until 126 days after its theater release.

Because the demand for unauthorized copies is often extremely high during periods when a movie is available only in certain countries, some studios are changing their release strategies to reduce or eliminate time lags between movie openings in different countries. For example, Fox released X2 simultaneously in 58 countries and Warner Brothers released The Matrix Reloaded nearly worldwide within a nine-day period instead of over a more typical release period of several months [26, 29].

A number of technical approaches to preventing leaks are also being pursued. In 2000, Macrovision received a patent on a method for preventing through-the-air capture of projected movies by superimposing infrared images on the visual image (footnote 7). These images are not detectable to the theater audience, but show up on video captured by most camcorders. The Sarnoff Corporation and Cinea are developing a digital movie encoding designed to confuse camcorders without being detectable by human viewers. Work on this project is being partially funded by a two-year grant from the National Institute of Standards and Technology (NIST) [8, 19] (footnote 8). Cinea also has developed a secure digital movie distribution system that includes encryption and auditing schemes [7]. However, digital projection is not expected to come to most cinemas for some time to come due to concerns about equipment cost and projection quality. Furthermore, while digital distribution has cost-saving and anti-piracy benefits for movie studios, theater owners see little benefit from making a substantial investment in digital projection equipment.
Studios may need to subsidize the purchase of digital projection equipment if they expect to see it adopted in the near future [1, 31].

Footnote 7: U.S. Patent 6018374, Method and system for preventing the off screen copying of a video or film presentation, issued January 25, 2000.

Footnote 8: The NIST program that is funding this project typically funds projects that are too risky for most investors but have potential for broad economic benefits. Given the revenue losses due to piracy reported by the movie industry, the $2.3 million this project is estimated to cost seems like a good investment if it has any reasonable chance of success.

5.2 Short-term Mitigation

The movie industry has already begun to address the vulnerabilities inherent in the current workflow. While increased physical security at screenings, watermarking and other technologies are laudable and often effective, they fail fundamentally to address insider threats. There is an implicit assumption that all employees of the studio and production and distribution services are trusted. Any misbehavior of a single employee can nullify all the best practices and well placed trust throughout the content distribution process.

We believe that the movie industry should treat movie content in the same way the Federal Bureau of Investigation (FBI) treats sensitive intelligence and evidence. In these cases, the FBI establishes a chain of custody for sensitive artifacts. This defines a procedure for tracking where the artifact is at all times, as well as who is responsible for it. Obviously, this has enormous value as a forensic tool when something goes wrong (e.g., determining responsibility). More importantly, if consistently applied, this mitigates loss and exposure by clearly indicating who is responsible for the artifact at all times (i.e., overnight, in transit).

Particularly during production, many current security problems can be traced to the chaotic workflow.
Policy must be developed that clearly delineates the process by which content is obtained or accessed, who is authorized to view or access it, and how failures in the process are reported. This policy, among other things, would codify the chain of custody. We expect that the MPAA’s best practices work will go a long way toward this goal, but we caution that general best practices guidelines cannot take into consideration all aspects of each individual studio’s operation.

To illustrate the definition and use of policy, consider the content used by an audio production facility. A rough cut of the content is often played back to musicians while the background music is created. This helps musicians adjust their performance in response to the content imagery, and is essential to establishing auditory and visual continuity. The playback and storage of the rough-cut at the audio production facility are potential leakage channels.

One policy that may mitigate leakage in the audio production facility mandates that an appointed recipient of the content (possibly an employee of the production house) must be present during any use of the content. That person is responsible for ensuring that (a) the content is always in their immediate possession, or (b) locked in a safe that only they have access to. This simple policy, while potentially costly and cumbersome, reduces the point of vulnerability to a single person. Like any system, if the trusted part of the system (in this case, the entity guarding the movie) becomes compromised, all is lost.

A second policy would define the environments in which the content could be used. For example, the policy would mandate that screenings must be held in private screening rooms with guards. The studios have made considerable progress in the physical security of screenings.
While preliminary, anecdotal evidence suggests that these techniques are somewhat successful in preventing camcorder copying, these measures must be extended to other venues as well: screenings needed for audio and CGI must be accompanied by physical control by the studios of the playback devices, pre-approved lists of the authorized personnel who may be present during viewing, etc. In addition, studios should reconsider their policy of allowing executives to check out pre-release copies for home viewing and of sending pre-release copies to investors upon their request. Once outside the studio environment, these copies may be vulnerable to unauthorized copying by many parties including family members and household employees.

Where movie production and screening activities occur entirely in the digital domain, adequate network security measures should be taken, and evidence of their completeness presented to the production managers. There should be a minimum set of security practices for any computer that will store any part of the content (e.g., physical separation from the Internet). Security audits of the networks should be commonplace. Physical measures, such as removable storage devices that are returned at the end of each work day to on-site security personnel may help prevent leakage. There is considerable experience with this kind of content management in the legal, engineering, and military manufacturing industries.

Continual vigilance is a necessary ingredient of any solution. As with any security system, having a consistent process for managing sensitive artifacts is essential. We argue that insider attacks can only be mitigated in the short term by (a) developing sound procedures for handling content, (b) applying them uniformly to all employees of the production and distribution process, (c) putting in place a comprehensive infrastructure for documenting compliance with policy, and (d) auditing compliance frequently.
See guidelines on both physical and computer security [5, 6, 13] for further detail.

Similar strategies should be applied to the distribution processes. For example, some unauthorized copying may be mitigated by reducing the number of copies sent to Oscar reviewers [18]. Our data suggests that many high quality copies are leaked from DVD pressing plants and stores. The distribution process creates many high quality authorized copies, any one of which can be leaked. Hence, the challenge is to create a process that delays, rather than prevents, leakage. Before tackling the extremely difficult problem of preventing DVD copying by consumers, it seems prudent to stop the unauthorized copying that takes place before consumers have an opportunity to buy or rent DVDs. It seems clear that more monitoring and stringent controls over DVD production facilities and distributors must be applied. Other measures, such as reducing DVD production and storage times, may further mitigate unauthorized copying.

5.3 Medium-term Mitigation

As described above, the movie industry is actively exploring the application of advanced technologies to prevent unauthorized copying. It is likely that these investigations will yield strong protections against specific threats. As is true generally in computer security, singular solutions rarely address all threats. Hence, we argue that the best way to mitigate the risk of leakage in the medium term is to combine ranges of available technologies and procedures into comprehensive solutions.

Consider the following trusted device aimed at addressing the leakage resulting from critic or awards judge content distribution (footnote 9). Assume there is a trusted content player that provides digital or analog output appropriate for a home theater (footnote 10). Assume further that this device is tamper resistant and has internal storage containing the content. Each device has a battery-backed internal clock.
When a user (e.g., critic) wants to use the device, she must enter a time-specific key to unlock the content. Variants of one-time password schemes can be used for this purpose [16]. To obtain the password, the user must call a central operator and give the serial number of the device and content, as well as some private authenticating information [21]. The user would be given the one-time password which would unlock the device for that time and allow only one playing.

Footnote 9: There is some precedent in the music industry for trusted devices. It has been reported that recent CDs have been delivered to critics in sealed CD players [23]. These are considered trusted players because they must be returned unopened. Furthermore, a special player is required to play the DVDs released for airplane use.

Footnote 10: We will not, for now, consider devices that include their own physical output device (screen). Their introduction may reduce the risk of leakage, but significantly increase their size, power consumption, and cost.

The content is stored on the device in an encrypted format. The one-time passwords provide access to a decryption key to the player internally, but not to the user. Hence, the code is only useful for that particular playing. Moreover, stealing and breaking into the machine would yield only the encrypted content (and hence make the unencrypted content very difficult to obtain without a valid password) (footnote 11).

At playback, the player would project a one-time tracking code on top of the content. This code might be an overt identifier or an invisible digital watermark [10]. The advantage of this approach is that not only could the user be identified in the event of leakage, but she would not have deniability (i.e. the watermark would expose the exact player, user, and time). If the user loses the authenticating information or the player, she would be responsible for contacting the central operator.
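The exchange described above (operator issues a time-specific code, the player checks it against its internal clock, allows one playing, and overlays a tracking code that maps back to player, user and time) can be sketched as follows. This is an added example, not the authors' design: the HMAC construction, the shared per-device secret, the four-hour window, and all class and function names are assumptions, and decryption of the stored title is left out.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 4 * 3600  # assumed lifetime of a time-specific code


def mac(secret: bytes, *fields) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for field in fields:
        data = str(field).encode()
        h.update(struct.pack(">I", len(data)) + data)
    return h.digest()


def one_time_code(secret: bytes, serial: str, content_id: str, window: int) -> str:
    """8-digit code bound to one player, one title and one time window."""
    value = int.from_bytes(mac(secret, "otp", serial, content_id, window)[:8], "big")
    return f"{value % 10**8:08d}"


def tracking_code(secret: bytes, serial: str, user: str, window: int) -> str:
    """Identifier overlaid on the picture during the one permitted playing."""
    return mac(secret, "track", serial, user, window)[:5].hex()


class Operator:
    """Central operator the user telephones to obtain a code."""

    def __init__(self):
        self.devices = {}     # serial -> (device secret, user, PIN verifier)
        self.issued = {}      # tracking code -> (serial, user, window)
        self.revoked = set()  # players reported lost

    def register(self, serial, secret, user, pin):
        self.devices[serial] = (secret, user, mac(secret, "pin", pin))

    def revoke(self, serial):
        self.revoked.add(serial)

    def issue(self, serial, content_id, pin, now):
        if serial not in self.devices or serial in self.revoked:
            raise PermissionError("unknown or revoked player")
        secret, user, verifier = self.devices[serial]
        if not hmac.compare_digest(verifier, mac(secret, "pin", pin)):
            raise PermissionError("caller failed authentication")
        window = int(now) // WINDOW_SECONDS
        # Record which player, user and time the overlay will expose.
        self.issued[tracking_code(secret, serial, user, window)] = (serial, user, window)
        return one_time_code(secret, serial, content_id, window)

    def attribute(self, code):
        """Map a tracking code recovered from a leaked copy back to its issuance."""
        return self.issued.get(code)


class Player:
    """Tamper-resistant player; the secret never leaves it (assumption)."""

    def __init__(self, serial, secret, user, content_id, clock):
        self.serial, self.secret, self.user = serial, secret, user
        self.content_id = content_id
        self.clock = clock             # battery-backed internal clock (callable)
        self.played_windows = set()    # one playing per issued code

    def play(self, code: str) -> str:
        window = int(self.clock()) // WINDOW_SECONDS
        expected = one_time_code(self.secret, self.serial, self.content_id, window)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            raise PermissionError("code is not valid for this player, title and time")
        if window in self.played_windows:
            raise PermissionError("code already used for its one playing")
        self.played_windows.add(window)
        # Here the player would unlock the content key internally and decrypt;
        # that step is outside this example. Only the overlay code is returned.
        return tracking_code(self.secret, self.serial, self.user, window)


if __name__ == "__main__":
    secret = b"constructed-device-secret"   # constructed value
    operator = Operator()
    operator.register("PLAYER-0001", secret, "critic-17", "4821")
    player = Player("PLAYER-0001", secret, "critic-17", "TITLE-A", lambda: 1_050_000_000)
    code = operator.issue("PLAYER-0001", "TITLE-A", "4821", 1_050_000_000)
    print("overlay maps to:", operator.attribute(player.play(code)))
```

Because the code is a function of the time window, a second playing in this model requires a new call to the operator in a later window.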
Of course, the player would allow the user to cancel/pause a playback, thus avoiding exposure resulting from a distracted user.

Note that some adversaries with video editing capabilities may be able to remove the tracking code from the content. However, removal of the code should significantly damage content quality. For example, placing a black box over or blurring out the code would create visually distracting artifacts, particularly where the code is large. The design of such codes is an open area of research and is outside the scope of this work.

The player could be made Internet accessible (and hence be continually reused for different movies). Studio personnel would push encrypted content and associated keying material over an untrusted network and into the player. Because the keys are never stored on the device, transmission of the encrypted content can be performed without additional exposure to loss.

The efficacy of the trusted player approach is crucially dependent on policy: how and when authenticating information is assigned and used will determine whether leaks are avoided. Hence, where advanced technologies are applied, the short term suggestions are still applicable, and in our minds, essential.

Footnote 11: For brevity, we omit many details of the design and construction of the player hardware and software.

5.4 Long-term Mitigation

The unauthorized copying of movies is an instance of the larger problem of content control. Often cast as digital rights management (DRM) [25, 14], other industries such as design and manufacturing, legal document management, and finance are currently wrestling with digital content control. The movie industry is facing a particularly daunting problem: because other industries do not directly expose their content to outsiders at any phase, much less to the public at large, the problem is somewhat more tractable for them.

The scientific community is only beginning to understand DRM.
Hence, we cannot begin to predict when a solution appropriate for the movie industry is going to be available. Solutions like Microsoft’s Next Generation Secure Computing Base for Windows [9] provide commodity-grade DRM. However, they do not provide a level of security necessary to protect highly valuable content: the DRM-enabling hardware can be manipulated via physical attack. Hence, until such time as stronger DRM becomes available, it is incumbent on the industry to embrace currently available techniques and procedures.

We feel that it is useful to consider what (potentially unique) requirements the movie industry may place on DRM systems. There are two separate DRM systems appropriate for movie content: one for consumer users and one for the production and distribution environments. Because consumer DRM has been discussed at length in related works, we focus on the latter. The following describes a few important preliminary requirements:

• scale - The production and distribution workflow encompasses many different companies (sometimes on different continents), and a huge number of users. The DRM system must be able to efficiently manage this large, decentralized user community.
• flexibility - The production process coalesces many disparate artifacts into the finished product. Hence, the DRM solution must support complex policies that control access, duplication, and modification of content artifacts.
• simplicity - Any DRM solution which adds significant complexity or frustrates progress will fail. It is important that the solution seamlessly integrate with current procedures.

We are encouraged by the economics of the production and distribution process: the movie industry has enormous influence on the companies that provide services to it. Hence, it may mandate certain technologies or vendors. Such environments naturally lead to uniform (and safe) practices, and reduce the industry’s exposure to leaks.
Implementing DRM only to prevent insider attacks avoids many of the concerns that have been raised about the possible mandated use of DRM in the consumer environment. For example, it avoids concerns about the ability of DRM to accommodate fair use, difficulties in managing a public key infrastructure, and the likelihood that DRM technology will be unable to prevent the distribution of content over peer-to-peer networks [3, 28]. Furthermore, the technical challenge of implementing a system in this more controlled environment is much more tractable than the challenge of using DRM in a consumer environment. It is much easier to mandate the use of certain equipment and require individuals to participate in inconvenient authentication procedures than it would be in a consumer environment. In the event that content is leaked despite the use of a DRM system, watermarking may make it possible to precisely identify the source of an insider leak. In the more controlled environment, it may be feasible to register all individuals who are authorized to view content, and to impose overt watermarks that are easily detectable and can resist removal, but might be unacceptable to consumers. Furthermore, unlike in a consumer environment where it may be difficult to track down and punish every individual who makes an unauthorized copy (footnote 12), insiders who are identified as the source of a leak can be fired from their jobs or have their contracts terminated, in addition to being subjected to legal action and possibly criminal prosecution.

Footnote 12: Despite the difficulty of this task, the recording industry recently announced that it has begun searching file-sharing networks to find users who are sharing “substantial” numbers of music files. The RIAA says it expects to file hundreds of lawsuits against these users by the end of the year [2].
6 Discussion and Conclusions

Our research presents the first publicly available assessment of the source of leaks of popular movies and provides a security analysis and recommendations for mitigating future leaks. Our research suggests that the movie industry would likely benefit from implementation of some established ideas in data security; however, additional measures may be necessary in the long term. Our research suffers from the fact that we are not industry insiders nor owners of the leaked content, and our data collection was limited to information that we could obtain through public sources using modest resources. Collecting statistics on sources of leaks and performing a security analysis should be much easier for the industry than it was for us, and we assume that studios are engaged in such processes on their own.

We draw the reader’s thoughts back to the Hanssen case and make the point that the movie industry ought to treat everybody within its influence equally, from studio executives and investors, down through movie editors, truck drivers and out to the critics. Such elementary procedures as audit trails of custody would seem to be in order. While we expect that this is already done to some extent, it must be applied evenly and without preference. Our study shows a large amount of insider leakage. Hence, we argue that current mitigation techniques are insufficient. Given the revenue losses claimed by the industry, spending more money and effort on internal controls is appropriate.

Movie artifacts are handled by a limited number of employees in a controlled manner during production and through much of the distribution process. In the later stages of distribution, content is handled by a large and mostly anonymous community. Securing the former environment is difficult but tractable. Securing the latter is nearly impossible.
Hence, focusing efforts on insider threats addresses the most costly leakage, and represents the best opportunity for success.

References

[1] Associated Press. First movie distributed via satellite opens in New York. CNN.com, 17 November 2000. http://www.cnn.com/2000/TECH/computing/11/17/digital.theater.ap/.
[2] Associated Press. Record industry to sue downloaders. CNN.com, 26 June 2003. http://www.cnn.com/2003/TECH/internet/06/25/download.suits.ap/index.html.
[3] P. Biddle, P. England, M. Peinado, and B. Willman. The darknet and the future of content distribution. In Proceedings of the 2002 ACM Workshop on Digital Rights Management, Washington, DC, 18 November 2002. http://crypto.stanford.edu/DRM2002/darknet5.doc.
[4] Robert W. Butler. Movie industry battles film piracy on many fronts. The Kansas City Star, 22 June 2003. http://www.kansascity.com/mld/kansascitystar/6141893.htm.
[5] Computer Emergency Response Team (CERT). CERT Homepage. http://www.cert.org/.
[6] William Cheswick, Steven Bellovin, and Avi Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. ACM Books / Addison-Wesley, Second edition, 2003.
[7] Cinea. Cinea demonstrates field ready security solution for major studios, 18 July 2003. http://www.cinea.com/press/press_release_new.htm.
[8] Cinea. Cinea, Sarnoff collaborate in developing anti-piracy technology to fight camcorder taping of movies in digital cinemas, 4 March 2003. http://www.cinea.com/press/press_release_03042003_2.htm.
[9] Microsoft Corporation. Next Generation Secure Computing Base, July 2003. http://www.microsoft.com/ngscb.
[10] Ingemar Cox, Joe Kilian, Tom Leighton, and Talal Shamoon. Secure spread spectrum watermarking for multimedia. IEEE Transactions on Image Processing, 6(12):1673–1687, 1997.
[11] Deloitte and Touche. The impact of piracy on the film industry, June 2003.
[12] Claudia Eller and Michael Cieply. The movie watchers are being watched. The Baltimore Sun, 31 March 2003.
http://www.zeropaid.com/news/ articles/auto/13302003c. [13] Simson Garfinkel and Gene Spafford. Practical UNIX and Internet Security. O’Reilly, Second edition, April 1996. [14] C.A. Gunter, S. Weeks, and A. Wright. Models and languages for digital rights. In Proceedings of 34th Annual Hawaii Int. Conf. on System Sci- ences (HICSS). IEEE, January 2001. [15] Lia Haberman. Hulk: It’s not easy being CG. E! Online, 10 June 2003. [16] N.M. Haller. The S/Key □ One-Time Password System. In Proceedings of 1994 Internet Soci- ety Symposium on Network and Distributed Sys- tem Security, pages 151–157, February 1994. San Diego, CA. [17] P.J. Huffstutter. How Hulk crushed the online pirate. Los Angeles Times, 26 June 2003. http: //www.latimes.com/business/ la-fi-hulk26jun26224419,1, 1391001.story. [18] Anna Wilde Mathews, Bruce Orwall, and Kathy Chen. Pursuing Oscars, big studios give pirates a hand. The Wall Street Journal, page A1, 3 March 2003. [19] Ellen McCarthy. A new focus on movie piracy: Battling bootleggers with distortion. The Wash- ington Post, page E5, 14 October 2002. http: //www.washingtonpost.com/c2/ wp-dyn?pagename=article&node= &contentId=A18443-2002Oct12. [20] Erin McClam. N.J. man pleads guilty to posting ‘Hulk’ bootleg. News- day.com, 25 June 2003. http://www. newsday.com/news/local/wire/ ny-bc-nj--hulkbootleg0625jun25, 0,5965106.story?coll= ny-ap-regional-wire. 17 [21] P. McDaniel. Authentication. In The Internet Encyclopedia. John Wiley and Sons, Inc., 2002. [22] Motion Picture Association of America. Anti- piracy, 2003. http://www.mpaa.org/ anti-piracy/. [23] Chris Nelson. Epic records takes steps to seal its newest music. The New York Times, page C7, 16 September 2002. [24] Peter G. Neumann. Computer Related Risks. ACM Books / Addison-Wesley, First edition, 1995. [25] A. Ramanujapuram and P. Ram. Digital con- tent and intellectual property rights. Dr. Dobb’s Journal, May 1998. [26] Steven Rea. Studios battling movie piracy. 
The Philadelphia Inquirer, 15 May 2003. http://www.philly.com/mld/ inquirer/news/frong/5864665.htm. [27] Reuters. N.J. man admits guilt over ‘Hulk’ bootleg. CNN.com, 26 June 2003. [28] Pamela Samuelson. DRM □ and, or, vs. the law. Communications of the ACM, 46(4):41– 45, 2003. [29] Andy Seiler and Mike Snider. The movie industry fights off the pirates. USA Today, 6 May 2003. http: //www.usatoday.com/tech/news/ 2003-05-06-movies-piracy_x.htm. [30] Dom Serafini. DVD piracy in the U.S. be- comes an industry. Video Age International, 23(2), March–April 2003. http://www. videoageinternational.com/2003/ articles/March/piracy.htm. [31] Eric A. Taub. Among film’s ghosts, its future. The New York Times, 19 June 2003. http: //www.nytimes.com/2003/06/19/ technology/circuits/19cine.html. [32] Jack Valenti. A clear present and future danger: The potential undoing of America’s greatest ex- port trade prize. Testimony before the House Appropriations Subcommittee on Commerce, Justice, State, the Judiciary, and Related Agen- cies, 23 April 2002. http://www.mpaa. org/jack/2002/2002_04_23b.htm. [33] Richard Wray. Matrix downloaded: Net piracy could cost film business billions. The Guardian, 4 June 2003. http: //film.guardian.co.uk/news/ story/0,12589,969754,00.html. 18