Subject: Re: Kill the RIAA: a protocol
From: Matt Curtin (cmcurtininterhack.net)
Date: Thu Jul 27 2000 - 08:25:18 CDT


>>>>> "Jeff" == Jeff Kandt <jeffscrollbar.com> writes:

[I dropped all of the lists but coderpunks because it's generally bad
form to crosspost to other lists and I don't know what each list's
specific policy is.]

  Jeff> I've downloaded maybe twenty songs with Napster in my life,
  Jeff> but the RIAA has gotten me pretty pissed tonight.

I've never used Napster, but I'm no less displeased with RIAA and
their posse, including Metallica. I don't know if I can stand to see
another quote where Lars Ulrich so eloquently demonstrates his
complete failure to get it. (It would be interesting to see how he
might have commented on the situation before Metallica had a major
label contract.) But I'm drifting ... let's get back to the protocol.

  Jeff> The music labels are going down and they know it. They're
  Jeff> making a last grab at milking undeserved money from
  Jeff> copyrighted bits because they know how little time they have
  Jeff> left.

If you haven't, by the way, I suggest reading John Perry Barlow's
"Selling Wine Without Bottles",
http://www.eff.org/pub/Publications/John_Perry_Barlow/HTML/idea_economy_article.html.

  Jeff> I'd like to pay the musicians for music I download, but I
  Jeff> can't.

Note that there has been a fair bit of work done in the area of
micropayment schemes, which might or might not be appropriate for what
you're discussing here. Basically, it depends on the model that
you're envisioning: are you imagining sub-dollar payments? (Payment
per track? What if one piece would come in multiple tracks -- like a
multi-movement concerto?)

Which, if any, of the existing schemes is appropriate will depend on
the design requirements, which we haven't seen. That should be the
first order of business. (Some notes later hint at requirements, but
we really should have a specific list of requirements.)

  Jeff> If I'm willing to tip my musicians maybe others are, too.

This is the basis of Kelsey and Schneier's "Street Performer
Protocol", http://www.counterpane.com/street_performer.html.

  Jeff> Although the protocol attempts to assure that the embedded
  Jeff> payment information is legitimate, it fails if people strip
  Jeff> the payment info from the files before they distribute them.

What about providing a means for the artist to sign the file along
with its payment information? With my cypherpunk hat on, I'm
naturally thinking of something that would follow the PGP web-of-trust
model of key validation, in order to prevent there being some other
manufacturer-type from getting himself in the middle and siphoning off
the payments, perhaps for the service of signing the artist's key.

  Jeff> Warning: I am not a cryptographer. There are probably gaping
  Jeff> holes. But like I said, I'm just trying to get the ball
  Jeff> rolling.

With that in mind, I doubly recommend against jumping right into
protocol design. Putting together a list of requirements for the
protocol is much more sensible, particularly at this stage.

Some requirements that I have gleaned from what you've written:
 o Must be easy for people to make payments
 o Must be easy for artists to receive payments
 o Payments must be voluntary

Some questions that arise:
 o Should payments be anonymous?
 o What if the artist changes physical location? (Embedding the data
   like where to send the payment right in the file is probably not
   going to work well in the long term.)

Focusing on requirements and collecting questions -- perhaps ones that
you can't answer -- for this system would be most helpful for getting
serious discussion happening and is probably most likely to result in
the creation of a real protocol. If that works and the protocol seems
to be reasonable, then we can start talking about writing code to make
it happen.

-- 
Matt Curtin cmcurtininterhack.net http://www.interhack.net/people/cmcurtin/
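
The suggestion above, that the artist sign the file together with its payment information, as an added example that is not part of the original message. It assumes Ed25519 signatures, a made-up length-prefixed layout for the signed bytes, constructed sample data, and that the listener has already validated the artist's public key (the web-of-trust step is outside the sketch).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// demoKeys derives a fixed key pair from a constructed seed (demo only).
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// signedBytes is what the artist signs: length-prefixed payment info followed
// by SHA-256 of the audio, so neither part can be replaced on its own.
func signedBytes(audio []byte, payment string) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(payment)))
	sum := sha256.Sum256(audio)
	msg := append(n[:], payment...)
	return append(msg, sum[:]...)
}

func Sign(priv ed25519.PrivateKey, audio []byte, payment string) []byte {
	return ed25519.Sign(priv, signedBytes(audio, payment))
}

// Verify reports "ok", "invalid" (audio or payment info altered) or
// "unsigned" (signature stripped; payment info must not be trusted).
func Verify(pub ed25519.PublicKey, audio []byte, payment string, sig []byte) string {
	switch {
	case len(sig) == 0:
		return "unsigned"
	case ed25519.Verify(pub, signedBytes(audio, payment), sig):
		return "ok"
	}
	return "invalid"
}

func main() {
	pub, priv := demoKeys()
	audio := []byte("constructed stand-in for audio bytes")
	sig := Sign(priv, audio, "pay-to: artist@example.org")
	fmt.Println(Verify(pub, audio, "pay-to: artist@example.org", sig))    // original
	fmt.Println(Verify(pub, audio, "pay-to: middleman@example.org", sig)) // swapped
	fmt.Println(Verify(pub, audio, "pay-to: artist@example.org", nil))    // stripped
}
```

A signature detects substituted payment details but cannot stop someone from stripping it, so a client can only treat an unsigned file as carrying no trusted payment information.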