Take a look at the image of the Thai painter above. Unique, isn't it? Have you seen an image like it before this posting?
There are many people online who would love to get their hands on this picture so they could post it to a stock photo site for sale. Or they might use it in connection with a marketing campaign regarding Thailand. But neither will happen — at least not with any real impact to us.
RoverTreks™ copyrights this image. It is signed digitally by our commercial digital signature service that protects all content on our website. If this image shows up anywhere other than where we put it on the Internet, it will constitute prima facie evidence of the theft and unauthorized use of this image.
The Cyberspace Crime Climate
Cybercrime is a 24-hours-a-day, seven-days-a-week business. Think of it as an electronic OK Corral shootout, except that all of the action is transparent to you, constant, and ongoing in the underbelly of cyberspace.
Fraud in commerce, thefts of intellectual property, trafficking in stolen data and child pornography, losses of network services, extortion of businesses and their system administrators, thefts of computer time, and widespread wiretapping were common 20 years ago. Today, the cyberspace crime climate is known as an Advanced Persistent Threat (APT) environment.
What are APTs? They are nations and dedicated cyberspace organized crime groups launching automated attacks on sites across the Internet. Sometimes criminal groups are co-opted by nations.
WordPress (WP) is the most popular content management system on the Internet. Not surprisingly, WP sites are under constant attack.
Now, just for fun, let's throw into the APT threat mix your Internet Service Provider (ISP), itself under constant attack, and also dedicated to monitoring and profiling your activity and throttling your bandwidth online. Why? Because they can. It's their network you're using. They pay for their bandwidth and they want to maximize their profits. Plus, they must comply with various laws that govern their activities to help the government monitor you.
Next, let's add into all of the above the actions of your competitors. You know, those who would like to copy your work and market it as their own. When you consider this range of threats, you'll begin to grasp the cybercrime environment you work in every day.
Your Problem In Cyberspace: Proof of Who You Are And What You Own
When you send us an Email, how do we know you are who you say you are? For all we know, you could be a Nigerian running an online fraud scheme masquerading as a Staff Sergeant in the U.S. Army and contacting us about one of our Craigslist ads.
And how do we know that picture of you on Twitter is really you? And how do we know the pictures you post online are yours?
Authentication. This is one of three big challenges in cyberspace. With respect to data, U.S. Cybercrime laws revolve around three core “CIA” issues: Confidentiality, Integrity and Authentication.
The notion of confidentiality is self-evident. If you want to keep a secret, keep it to yourself. If you want to share a secret, encrypt it and send it to a trusted party able to decrypt it. Then it becomes confidential information. But it's not a secret anymore because more than one person knows about it.
Integrity refers to the non-repudiation of data. If you create something — a photo, poem, source code for a new program — and use irrefutable proof that you are the creator, then a condition of non-repudiation is said to exist. Even you cannot state that you were NOT the creator. That's non-repudiation.
Authentication refers to proving who you are and what you own. In this post, we'll focus on authentication.
How to Protect Your Property Online
There are many actions you can take to protect your brand online. You can trademark your name, brand, and logo and copyright what you publish. But these actions may not be enough. You’ll need evidence to prove your intent to protect your brand if theft or unauthorized use of your property online occurs.
Artists, writers, bloggers, photographers and other online entrepreneurs are particularly vulnerable to online theft. They must display their work to become known.
If you publish online, you might notice a photo, story, source code, or other material you've posted ends up on a website without your permission. Or you might notice a duplicate of your entire website with new branding.
This form of theft is known as web scraping. It became common 15 years ago. And incidents are on the rise.
Web scraping occurs in two forms. The first is manual, where an individual attempts to select and copy, or right-click and select, content from a website. The second and more common form involves automated tools to download all content from a site.
Generally, it's not illegal to download the contents of a public site, unless that site displays warning banners declaring the content to be protected content via copyright and other methods. What is illegal is the unauthorized reuse of copyrighted, trademarked, or protected content.
Every few weeks we'll see a post from a writer, blogger, or photographer complaining about the theft and reuse of something they've put online. The first response by the victim is, understandably, anger. The second response raises the question “what can I do about it?”
Does the online copying of public content constitute theft? From where you sit, the answer is always “yes.” Legally, the answer may not be so clear, since proof is an element of the offense.
So, what can you do about it?
Think Through Your Assumptions
First, did you copyright and create evidence of your efforts to brand your contents? If the answer to this question is “no,” your remedies are almost nil.
Second, if you did copyright or take other active measures to protect your data, what is your proof? Just posting a story, photo or other files on your site with a copyright notice may not be enough.
Once you upload a file to the Internet, it's difficult to claim brand and ownership rights unless you invoke copyright and take active measures to protect your files. That's because postings on the Internet are inherently public absent specific measures to brand and protect.
In corporeal space, theft occurs when property exists in one space but disappears when stolen. The loss is obvious.
In cyberspace, theft occurs when a file is copied from one location to another. The original file remains unaltered.
Third, is your brand copyrighted and trademarked?
Fourth, even with a copyright declaration and obvious theft of a unique file, how far are you prepared to go to assert your brand and ownership rights even if you can prove a loss?
Fifth, did you really have to put your file in cyberspace to begin with?
Most victims do not want to invest the time, money and effort to engage in a legal battle over intellectual property unless an incident involves a clear violation of the law (like trademark infringement) and a calculable loss. And most prosecutors won't touch a case unless a loss reaches their prosecutive threshold (e.g. $100K or more).
Stake Your Claims With Digital Signatures
A simple act to copy-proof your work is to sign all files you post on the Internet with a digital signature. You use cryptographic tools to do so.
A digital signature is a digital fingerprint of a file and proof that you controlled a file at a known date and time. When you sign a file with your cryptographic key, there's no doubt you had that file in your possession at the date and time of creation.
The existence of your file elsewhere, in a location where you did not post it or where there is no attribution to you, could suggest the theft or unauthorized use of your work.
Note: This assumes you do not give up branding or ownership rights as a condition of posting.
Mark Your Files as Read-Only
Even minor changes to a file will change its digital fingerprint. For example, programs like Microsoft Word can change a file when it is opened, even when no changes to the contents are visible to the writer. That's because Word and the operating system will mark the file with new opening, closing, and access dates.
You can limit changes to the digital signature of files by marking them as read-only before you sign and post them on the Internet. Making files read-only is not a panacea. We'll talk about this more in our next post.
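The fingerprint and read-only steps described above, as an added example that is not the authors' tool: it computes only the SHA-256 fingerprint that a signing tool would sign, with no signing key involved. The file name and contents are constructed samples, and the function names are hypothetical. The digest covers the file's bytes, so a filesystem timestamp update alone leaves it unchanged, while any change to the bytes alters it.

```python
import hashlib
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def fingerprint(path):
    """Return the SHA-256 hex digest of the file's bytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def make_read_only(path):
    """Clear every write bit so ordinary programs cannot save over the file."""
    os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)

def is_read_only(path):
    return not (os.stat(path).st_mode & WRITE_BITS)

def demo():
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "photo.bin")  # constructed sample file
    with open(path, "wb") as f:
        f.write(b"constructed sample image bytes\n")
    original = fingerprint(path)

    os.utime(path, (0, 0))        # change only the filesystem timestamps
    after_touch = fingerprint(path)

    with open(path, "ab") as f:   # change the bytes: append a single space
        f.write(b" ")
    after_edit = fingerprint(path)

    make_read_only(path)          # do this before fingerprinting and posting
    result = {"original": original, "after_touch": after_touch,
              "after_edit": after_edit, "read_only": is_read_only(path)}

    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # restore so cleanup succeeds
    os.remove(path)
    os.rmdir(workdir)
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```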
In Part II of this series, we'll tell you about two cryptographic tools you can use: one free, the other a commercial or fee-for-service tool with some free service options. Either can go a long way to help you protect your online content.
Until then, practice safe hex in cyberspace.
Karla & Tom