w3c / publishingcg

Repository of the Publishing Community Group
https://www.w3.org/community/publishingcg/

Content Verification/Signing #39

Open wareid opened 2 years ago

wareid commented 2 years ago

Introduction

As a publisher, I want to verify my content with retailers to guard against fraudulent sales and ensure readers are getting the real version of the book.

Detail

There is a rise in fraudulent sales of book content, where a bad actor obtains the book file and metadata, removes DRM (if present), and posts the content on retail platforms posing as the publisher. The fraudulent copy is often priced lower than the original, and appears identical to the authentic version. Sales of this product benefit the bad actor, and no proceeds go to the author.

This issue impacts a number of people within the book supply chain, including:

Proposal (if any)

Develop a method for publishers to sign their content with a key that the retailer recognizes as verification. This could extend to a "shared secret" method between retailers and publishers to determine the authenticity of content. Content without the signature expected by the retailer would be flagged as suspicious and not be sold until authenticity is confirmed or fraud is determined.

Jeffxz commented 2 years ago

Thanks @wareid. Will put this in next PCG meeting agenda

wareid commented 2 years ago

Excellent timing, this is an example of this very thing happening with a print book, but you can see the parallels: https://twitter.com/fchollet/status/1550930876183166976

liamquin commented 2 years ago

This sounds like it overlaps with Verifiable Credentials, and we could add a use case, User wants to prove they previously bought a book, and maybe another, Reader device can follow links between books differently depending on whether the user has the book, maybe on another device or even from another distributor/retailer.

Jeffxz commented 2 years ago

Hi, @liamquin. Just a quick question, by Verifiable Credentials do you mean this?

liamquin commented 2 years ago

On Wed, 2022-08-10 at 05:22 -0700, Zheng (Jeff) Xu wrote:

Hi, @liamquin. Just a quick question, by Verifiable Credentials do you mean this?

Yes (and related specs).

-- Liam Quin, https://www.delightfulcomputing.com/ Available for XML/Document/Information Architecture/XSLT/ XSL/XQuery/Web/Text Processing/A11Y training, work & consulting. Barefoot Web-slave, antique illustrations:  http://www.fromoldbooks.org

TzviyaSiegman commented 2 years ago

Hi @liamquin I think VC might be a little heavier than what is needed here. Although, it is a possible solution. The solution might be more along the lines of signatures.

Jeffxz commented 2 years ago

Here is discussion from today's meeting.

GeorgeK: Issue 39: Retailers guard against fraudulent versions. forward. of their titles being sold through other sites.

Naomi: This is with big retailers, like Amazon.

Naomi Kennedy: I am a developer and having a security key will not work. We have to be able to identify duplicate content.

GeorgeK: A legitimate is submitted, then another title is submitted with a minor change in the title, and it is not flagged as the identical title.

GeorgeK: I do not have a solution. Amazon cannot identify the fraudulent title.

GeorgeK: Block chain was suggested, but that failed. It is less about a DRM total prevention and more about helping retailers to identify fraud.

GeorgeK: We have to help retailers manage the self publishing environment. I am speaking for myself, not PRH.

GeorgeK: The fraudulent title is sold at a dollar cheaper and that sales increases and it climbs above the original title.

Bill: This gets misnamed as piracy, but counterfeiting is a better word.

Naomi Kennedy: Bootlegged version is another term.

Bill: Does it make sense for the CG to formally attack this issue?

Naomi Kennedy: I cannot lead it, but can participate.

Bill: We could recruit from outside the CG to chair this TF.

Naomi Kennedy: We need retailer involvement.

AvneeshSingh: +1 it is essential to have retailers like Amazon in this task force.

Jeffxz commented 2 years ago

A few questions we would like to discuss in next week's PCG meeting.

  1. Do we have data about marketing damage of counterfeiting of digital book. => To determine how big the problem is and might use the data to convince 3rd party to take action.
  2. Specific damage cases for counterfeiting, such as:
     a. when user was able to retrieve epub, then modified and uploaded to self-publishing platform.
     b. when user was able to retrieve epub, then modified and uploaded to random digital book website.
     c. other cases?
     => To have a sense of priority of different solution/direction.

Jeffxz commented 2 years ago

Here is the discussion from today's meeting

<wendyreid> https://twitter.com/shershovitz/status/1567538503621251073

Good job Zakim :)

<JF> this has come around before: https://www.w3.org/2012/08/electronic-books/submissions/webooks2013_submission_41.html

<JF> https://www.ala.org/ala/washoff/contactwo/oitp/emailtutorials/accessibilitya/10.htm

wendyreid: explaining about https://github.com/w3c/publishingcg/issues/39
… some way to explore might be content signature? Share secret between publisher and retailer?

<JF> AND accessibility experts too

<JF> ;-)

wendyreid: still need to explore idea and we need to learn methods and what we can standardize

Lars: maybe can think about potential of blockchain. maybe worth of exploring

liisamk: we worked title by title to make sure counterfeit title to be taken down
… but still see this happens in self publishing platform
… this happens a lot after a new book released especially getting into library and epub are exposed to hackers

<Lars> help

<Lars> Never mind ;)

liisamk: sometimes content is modified and maybe even injected a few words at end of last page which is used for marketing purpose

<Lars> How do I put myself on the queue? I forgot :p

use "q+"
… sometimes they add certain character to part of metadata
… retailers are willing to take down counterfeits but no one has good idea about how to prevent it or slow it down yet.
… it's bad for consumer as well since the quality is bad. sometimes image are wrong, css are ripped off so the layout can be terrible.

<Lars> Thanks!

<rickj> * I have to leave to get to the AC meeting at TPAC. Thanks for the good conversations

JF: it's also happened for music. There are multiple problems. Most DRM can not be used since it is bundle to certain distributors
… some DRM are not good for a11y
… recognizing the problem but to find a solution can be tricky

<JF> https://www.w3.org/2012/08/electronic-books/submissions/webooks2013_submission_41.html

<JF> https://www.ala.org/ala/washoff/contactwo/oitp/emailtutorials/accessibilitya/10.htm

<JF> another relevant link: https://www.wired.com/story/ebooks-drm-blind-accessibility-dmca/

Zheng: problem that DRM will be cracked, is not our issue here - which behaviour is more damaging to the industry?

<JF> me +1 to Wendy

<gpellegrino> https://content-blockchain.org/building-blocks/what-is-the-iscc/

<gpellegrino> https://isccdemo.content-blockchain.org/

gpellegrino: comparing two code there is possibility to compare book

<Lars> Thanks Gregorio! I was looking for this. Highly recommended solution

p_belfanti: the issue is probably more about re-distribute the book - counterfeit

<Lars> Reach out to Sebastian Posth (@posth )

<wendyreid> https://www.scenarex.ca/

Lars: There is a company in Canada ^ for blockchain tech on digital books

liisamk: we are not trying to address DRM.

<JF> +1 Liisa

liisamk: the counterfeiting is the real issue
… what we are trying to find is to build some guide to help people maybe in supply chain to understand to recognize counterfeit

Zheng: who could provide a copyright check - publisher or distributor (Amazon, etc.) - tool for similarity check on products handed in
… maybe rough mechanism could help
… would it make sense to have a TF for this issue?

<liisamk> +1 to an anti-counterfeit TF

JF: we need to properly scope the issue, problem and solution

<wendyreid> https://github.com/w3c/publishingcg/issues/39

wendyreid: can we have more detailed info in above github issue
… lightweight platform / solution is recommended
… maybe some signature could help (signature.xml)
… we can explore this way

<JF> +1 to "True and Verified"

liisamk: recommend further discussion in a separate TF
… I can lead the taskforce

Zheng: we can set up a different TF for counterfeiting issue

<johnr> present John Roque

<Zakim> JF, you wanted to remind about Verified Credentials as a possibility

<JF> https://www.w3.org/TR/vc-data-model/

JF: there is some spec ^ in W3C and shared in the github issue. That might help

wendyreid: can check with Ivan about the vc data model
… recommend to reach out more retailer, publisher and other group as well as BISG

Zheng: we can kick off - try to shout out to people outside of PCG - to expand the network makes sense - has not to be a member of PCG - reach out to distributors

Jeffxz commented 2 years ago

I like the idea of creating signature or "token" to be shared between publisher, distributor and retailer. There is one thing I could not figure out how to use this signature for the case of self-publishing and even for those counterfeit creators. It's because they probably can provide a signature for the counterfeit digital publication.

liamquin commented 2 years ago

On Wed, 2022-09-14 at 16:42 -0700, Zheng (Jeff) Xu wrote:

I like the idea of creating signature or "token" to be shared between publisher, distributor and retailer. There is one thing I could not figure out how to use this signature for the case of self-publishing and even for those counterfeit creators. It's because they probably can provide a signature for the counterfeit digital publication.

The W3C Verifiable Credentials Working Group has done a lot of work in this area, and their Recommendations would likely form a useful and secure standards-based basis for digital publishing.

It indeed does not prevent counterfeiting. However, other approaches exist for that when the content of the books can be made public.

liam

-- Liam Quin, https://www.delightfulcomputing.com/ Available for XML/Document/Information Architecture/XSLT/ XSL/XQuery/Web/Text Processing/A11Y training, work & consulting. Barefoot Web-slave, antique illustrations:  http://www.fromoldbooks.org
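
Added example (not part of the thread, and not a W3C or retailer implementation): a sketch of the "shared secret" check from the proposal, run at retailer ingestion, using an HMAC over the publication's files. It assumes a per-publisher secret registry and a tag delivered alongside the upload; every name, id and secret is hypothetical. The last case shows the limit raised in the thread: a counterfeiter signing under their own account still passes.

```python
import hashlib, hmac, io, zipfile

def content_digest(epub: bytes) -> bytes:
    # Hash sorted (name, SHA-256 of data) pairs so re-zipping does not change the digest.
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(epub)) as z:
        for name in sorted(z.namelist()):
            raw = name.encode()
            h.update(len(raw).to_bytes(4, "big") + raw)
            h.update(hashlib.sha256(z.read(name)).digest())
    return h.digest()

def make_tag(secret: bytes, publisher_id: str, epub: bytes) -> str:
    # Bind the tag to the publisher id as well as to the content.
    msg = publisher_id.encode() + b"\x00" + content_digest(epub)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def check_submission(registry: dict, publisher_id: str, epub: bytes, tag: str) -> str:
    secret = registry.get(publisher_id)
    if secret is None:
        return "hold: unknown publisher"
    if not tag:
        return "hold: unsigned"
    expected = make_tag(secret, publisher_id, epub)
    ok = hmac.compare_digest(expected.encode(), tag.encode())  # constant-time compare
    return "accept" if ok else "hold: signature mismatch"

def make_epub(files: dict) -> bytes:
    # Build a minimal constructed container in memory (not a complete EPUB).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: ids, secrets and book content are all made up.
REGISTRY = {"example-press": b"demo-secret-A", "selfpub-0042": b"demo-secret-B"}
BOOK = {"mimetype": "application/epub+zip", "OEBPS/ch1.xhtml": "<p>Chapter one.</p>"}
original = make_epub(BOOK)
rezipped = make_epub(dict(reversed(list(BOOK.items()))))  # same files, new order
tampered = make_epub({**BOOK, "OEBPS/ch1.xhtml": "<p>Chapter one.</p><p>Ad text</p>"})
good_tag = make_tag(REGISTRY["example-press"], "example-press", original)

if __name__ == "__main__":
    print(check_submission(REGISTRY, "example-press", original, good_tag))
    print(check_submission(REGISTRY, "example-press", tampered, good_tag))
    # Counterfeiter uploads the modified copy under their own registered account.
    own = make_tag(REGISTRY["selfpub-0042"], "selfpub-0042", tampered)
    print(check_submission(REGISTRY, "selfpub-0042", tampered, own))
```

The tag authenticates who submitted a file, not whether the content is original, so catching the last case needs the duplicate-content comparison discussed in the meeting notes.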