Will JPEG's Next 'Privacy and Security' Features Include DRM?

David Gerard has concerns about the Joint Photographic Experts Group (the ISO working group handling the JPEG standard for image compression). "They seem to think they can advance the cause of DRM for JPEG images...with a bit of applied blockchain." He bases that charge on the fact that the JPEG committee organized a special session on blockchain, and then created an ad hoc group to define use cases. After six months' collaboration, the group has produced a white paper -- "Towards a Standardized Framework for Media Blockchain" -- as announced in the press release following the 80th meeting in July. The Executive Summary declares, "Fake news, copyright violation, media forensics, privacy and security are emerging challenges for digital media. JPEG has determined that blockchain technology has great potential as a technology component to address these challenges in transparent and trustable media transactions... [T]he standardization committee continues to work on improving various components of the standard. This includes incorporation of new technologies addressing current challenges related to transparent and trustable media transactions such as JPEG Privacy and Security."

"JPEG Privacy and Security" is described later in the paper. "JPEG Privacy & Security aims at developing a standard for realizing secure image information sharing, capable of ensuring privacy, maintaining data integrity, and protecting intellectual property rights."

That is, "Privacy and Security" is a euphemism for Digital Rights Management (DRM) in JPEG.... Chair of the group Dr, Frederik Temmermans stressed to me that "JPEG is not working on DRM in particular but on a more generic framework that supports privacy and security features." But DRM is very much a significant part of this.

Re: DRM is all about money and not about privacy.

[Anonymous Coward]

What in the fuck? How are you conflating DRM and GDPR? Do you have any idea what you are talking about (no)?

Re:DRM is all about money and not about privacy.

[Anonymous Coward]

You don't have to give up more privacy with GDPR, you're starting to see how much privacy you were already giving up because services have to be more specific about what they are doing.

Re:

[Z00L00K]

You have obviously missed all the updated agreements that now have appeared with writing circumventing GDPR.

Re:

[gravewax]

If they are agreements circumventing GDPR then it isn't GDPR that is violating your privacy, it is the arsehole politicians looking to work around it and the reasons they have to do that is GDPR actually makes what they were previously doing silently illegal.

Re:

[HiThere]

In the case it's not the politicians, but the web sites that are violating your privacy.

That said, most of the sites I visit posted notices saying they weren't doing anything in violation. Like Slashdot did.

Re:

[gravewax]

The claim from the OP was that laws and agreements have been passed that permit the bypassing of GDPR, websites can't do that (at least not without agreements from lawmakers.)

Re:

[Anonymous Coward]

You have obviously missed all the updated agreements that now have appeared with writing circumventing GDPR.

Yes, GDPR requires them to get an explicit permission from you to store data about you that they didn't need a permission for before.
If you get a lot of requests like that then it is because you didn't care about your privacy before.
If you agree to them it is because you don't care about your privacy now.

Luckily GDPR also requires that companies delete the data about you they have if you ask them to and EU has already told them that the fines are supposed to be a deterrent and not something that they can wr

Re:

[thegarbz]

You don't circumvent the GDPR by such an agreement. All you do is get told what it was which was being hoovered up in the first place. Congradulations, you just discovered how "on the market" you already were while using your free services.

Not only that but some US site warn us to go away

[aepervius]

Quite a few site I land on just plain tell" go away we cannot offer you any page view due to GPDR" (paraphrased the real message is : "We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time. For any issues, contact content@richmond.com or call 804-649-6000. )", you got to ask yourself what the heck of a shaddy thing th

Re:

[omnichad]

If a website is wholly supported by advertising, they probably aren't making enough money on ads that aren't based on heavy tracking data. So they refuse their operational expenses by blocking access from unprofitable areas. This doesn't mean it's good or right. Just more transparent than it was before

Re:

[Gavagai80]

If it costs a website more to serve up a page with non-tracking ads to a European than to serve up a "blocked" page, then their web design must've reached new levels of absurdity with hundreds of gigabytes of javascript libraries.

Re:

[omnichad]

Static pages are less resource intensive than dynamic content. Also, people don't tend to browse around from blocked page to blocked page.

Re:

[HiThere]

To be fair, many smaller sites just can't afford a lawyer to tell them that what they're doing already is legal. You shouldn't assume that they're actually doing something vile, when it's plausible that they just don't know what the law means.

Re:

[Anonymous Coward]

The GDPR is great, if you are in Europe, but it is a toothless law. Because treaties supersede laws, the WIPO treaty supersedes the GDPR, so if a DRM mechanism violates privacy provisions, it can by the WIPO act.

No treaties does not supersede laws.
Companies doesn't have to care about treaties, they have to follow the law, nothing else.
The treaty might require a country to change the law, but until that has been done the companies have to follow the law.
This might mean that the country is faced with steep fines for violating the treaty but you still have to follow the law.

There are thousands of cases where you have awkward situations where treaties and laws are in conflict with each other and the country keeps payin

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Is that really DRM?

I think the better word for what you are stating is steganography [wikipedia.org]. Yes, it is a good way to locate the source of leaked data, but I would not call it DRM since it can't be used to control who can see the image, and when.

A better example of DRM in imagery would be the dot patterns (CDS [wikipedia.org] shown on some bank notes that mainstream software like Photoshop, some scanners, and some printers, are forced to detect and reject loading/editing the image. But you can only enforce such a thing at the st

Re:

[dcollins117]

Anyone noticed how we over time have been forced to give up more and more of our privacy?

No. People choose to cede privacy but are not forced to.

Re:

[HiThere]

This depends on your definition of "forced". Have you gone to see a doctor recently? Visited an emergency room? Opened a bank account?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gravewax]

ahhhh perhaps you might want to go read what GDPR is, it is the OPPOSITE of what you are claiming. GDPR is all about giving users back ownership and control of their data and imposing sanctions against those that abuse your data. I doubt it will have much effect but it certainly isn't about giving up more privacy.

Re:DRM is all about money and not about privacy.

[Opportunist]

What the GDPR did was force companies to actually show you just what kind of privacy they rip off you in exchange for their "service". Before that, they could simply silently take away your privacy.

Saying that the GDPR makes you give up your privacy is like saying having to label food puts artificial crap and MSG into it. It was in there before, you just didn't know.

Re:

[Kjella]

What the GDPR did was force companies to actually show you just what kind of privacy they rip off you in exchange for their "service". Before that, they could simply silently take away your privacy. Saying that the GDPR makes you give up your privacy is like saying having to label food puts artificial crap and MSG into it. It was in there before, you just didn't know.

The only thing the GDPR has done is to drive consumers into EULA exhaustion on every damn website they visit and make sure they have a tracking cookie to remember your GDPR consent, try turning cookies off and you'll now go crazy. And once you do click OK there's no standard placement/icon/requirement to let you go back and review/change what you've agreed to. Basically what the solution completely fails to have is some sort of auto-negotiation where the web page could say I'd like to track you in these way

Re:

[MrMr]

..there's no standard placement/icon/requirement to let you go back and review/change what you've agreed to..
If you cannot easily see what you agreed to earlier, that would be in breach of article 12.1 of the GDPR. That is the very first article specifying the rights of the consumer. It may be stupid legislation, for protecting dumb consumers, but is is deliberate and thouroughly planned stupidity all the same.

Re:

[thegarbz]

The only thing the GDPR has done is to drive consumers into EULA exhaustion

And yet here we are talking about privacy, so clearly the GDPR has done more than that.

Oh and many websites load faster for EU visitors, so no, the GDPR has done much more precisely becaue in many cases an EULA is not sufficient for GDPR compliance.

Re:

[gravewax]

yes it is and that is great as now I can make a choice to give them access to my data or decide their content is not worth trading my data for. Previously they would just take my data.

Re:

[Anonymous Coward]

How the fuck does GDPR take away privacy. All GDPR does is force companies to reveal how much of your data they are taking and ensure they have your permission. Previously they did this without any permission. GDPR increases your privacy not decreases it. It also puts a responsibility on those companies where they can face serious financial punishments if they don't protect your data from compromise.

Re:

[dfghjk]

"Jury is still out on the "GIF" pronounciation."

No, it's not and there is no jury. The author of the format stated the correct pronunciation so it's not up for debate. Since the day GIF was used it has been pronounced "jif", it's only recently that children feel entitled to ignore history because they can't be bothered to learn it.

"So to me, GIF has always been the same "G" I say "graphics" with, just with "iff" on the end: "giff""

When you create a format that the entire world uses, feel free to name it ho

Re:

[Kernel Kurtz]

It's not my fault the author of the format has a poor grasp on the English language and chooses to pronounce it as a "J".

He learned how to say giraffe in his ESL class and it just stuck from there.

Giraffics Interchange Format.

Re:You don't call a JPEG a "Jay-/f/eg"

[Anonymous Coward]

Just like you don't call a GIF a "âYgâY©if" because "the "G" stands for "graphics."

I don't call a GIF a "âYgâY©if" because that's unpronounceable smartphone-produced garbage. I'm taking you off my Christmas list until you get a phone with a functional keyboard. No jifts for you this year.

Re:

[kriston]

I'm typing this in a real computer, you dotard.

Peanut butter?

[Anonymous Coward]

Over here, "jif" is a brand of household cleaning products.

Re:

[Hognoxious]

When I was a kid it was a kind of lemon juice. You had to be careful not to get them confused your apple pie would taste awful.

Re:

[UnknownSoldier]

/sarcasm Because graphics is pronounced Jraphics, oh wait!

/sarcasm It's pronounced Gif like gift, you git. =P

Re:

[mrbester]

It's weird, but I have never heard anybody, least of all someone from CompuServe, pronounce GIF with a soft G. It was as in gift with no deviations until only recently, at which point I don't care how the creators wanted it to be pronounced because it's too late now. If everybody was saying it wrong, why weren't they being corrected 25 years ago?

Re:

[omnichad]

I've been saying it with a soft g for around 20 years now. There were no debates because nerds were not talking to each other out loud, only by electronic communication. When they had to add the word to their vernacular spoken English they finally had to think about pronunciation. Before that, everyone assumed we all pronounced it the same, if at all.

Re:

[UnknownSoldier]

> have never heard anybody, least of all someone from CompuServe, pronounce GIF with a soft G.

Same. Guess it depends on location: east/west, US vs UK, etc.

> why weren't they being corrected 25 years ago?

Because no one really gives a fuck except the pedantic. A similar argument arose over how "gib" was pronounced in the Quake 1 days:

* Hard G, like "gift" (with near-close front unrounded vowel) (/g_ft/), similar to gibbous [cambridge.org]; rhymes with "rib",

* Soft G, like "jive" pronounced "jib" [cambridge.org], (with tailed z, /d_

Re:

[mrbester]

Except they didn't, of course. Much like they didn't invent the telephone...

Otis might have invented the safety elevator, but he built on an invention that has been around for over 2000 years.

Re:

[radja]

companies don't get to choose how I pronounce things. I'm dutch, and pronounce it with a dutch 'g'.

Re:

[Hognoxious]

I'm dutch, and pronounce it with a dutch 'g'.

I hope you give people advance warning so they can deploy their umbrellas.

Re:

[rajkiran_g]

What about GIMP, then?

Re:

[ByteSlicer]

It's pronounced "Jiff," like the peanut butter more moms prefer.

If you pronounce GIF as "jiff", then how do you pronounce "JIF" (JPEG Interchange Format)?

Re:

[ByteSlicer]

Obviously, that was exactly the point I was making.
If you want to have conversations like "Please send me that in jiff format. You know, the JPEG one, not the CompuServe one.", be my guest.
I'll avoid the homophones and call a GIF a giff...

Re:

[dfghjk]

What was the guidance from the creators of the format, and why does that matter?

Imagine two words with the same pronunciation! How can we ever cope!

Re:

[Marlin Schwanke]

mandatory cameras that will check if you're not taking pictures of the screen and call a SWAT team to your location if you do.

Isn’t that why we have all been switched over to laptops with the little camera right at the top of the screen? Easily defeated with a piece of tape isn’t it?

This helps the migration to png, thanks!

[Anonymous Coward]

If you really want to lose your customer base, add in unwanted DRM

Re:

[KiloByte]

And in this case, the customer base is 0. What we all use is an ancient version of JPEG -- the format has completely ossified. Any proposed additions get a big fat rejection: see the libjpeg8 debacle. With a compat break, you can as well go to a completely new format, and proposals from the JPEG group have been laughed out (see JPEG2000).

So the public would move to:
* FLIF (free, technically the best, esp. for non-photographic or hybrid images)
* AVIF (free, has big political backing)
* BPG (useless because

Re:

[Anonymous Coward]

What we all use is an ancient version of JPEG -- the format has completely ossified.

But such an ancient format leaves you free to write the encoder however you want and there were major improvements over the years/decades.
MP3 is the same on this aspect. MP3s made in the 90s are known to be garbage, relatively. Did you know that MP3 is a good as AAC? I found some comparison using the latest MP3 encoder (probably just the latest version of LAME) and you can't really tell them apart. Although, AAC was just a bit overhyped, was probably better early on but still 128K AAC sounds bad if for you

Re:

[KiloByte]

Did you know that MP3 is a good as AAC?

Uhm, there are MP3 samples at 320kbps (the max allowed by the format) that even I, with my aged ears and not so good gear, can ABX from lossless. Those with better ears and more training can ABX a typical not-specially-picked piece of music (stress on "music", there's a lot of crap serfed for ~4 bits of dynamic range).

You want OPUS not AAC, by the way, it's a good deal better, with no sample+gear+person combination known to ABX it at 128kbps, and hard at 96kbps.

Re:

[Kjella]

And a lossy image format is something for which DRM is a non-starter, because of the ease of screenshotting or even taking the picture of the screen with a camera.

Not sure why you emphasized lossy, taking a screenshot of a JPG is less useful than a screenshot of a PNG as you lost the most efficient representation and will either have to save it losslessly or suffer transcoding losses. As for the analog hole that's true for using a video camera too but DRM for video is still a big thing, what you can snap with your cell phone will have a lot lower quality. That leaves screenshots, of course this would have to tie into the protected media framework but for all intents

Re:

[JaredOfEuropa]

Addressing IP issues, blockchain, privacy *and* fake news? This sounds like a desparate bid to remain relevant. “organized a special session on blockchain, and then created an ad hoc group to define use cases.” That ought to tell you the whole story right there.

Honestly..

[Anonymous Coward]

Fuck DRM. Tired of the constant battles, tired of watching the shrinking public domain. Tired of rightsholders benefiting from technology and giving little back. Tired of the constant battle for an open Internet. Fuck 'em all.

Re:

[umdesch4]

Dammit, I wish I had mod points. But what's the down-mod for "too funny and made me spray my beer" ?

Re:

[Opportunist]

So then you know that this piece of malware was written by Ali Ben Gali in Ticspoli, Generistan. Now what? Try calling the police in Generistan to arrest him? They'll laugh at you, tell you that they have real problems to deal with and can't waste resources on your first world problems, and hang up.

I'm not kidding. We did at quite a few times identify control servers for malware, handed the case to interpol and basically got the answer that it's useless because 'til you get anything going in that particular

Re:

[Anonymous Coward]

I'm not advocating vigilante justice in the general. But, there is a time and a place for it, and at some point you just have to grow some balls and go there yourself.

I once supplied some software to a US company in good faith that they would purchase it. Once they had the library they went completely dark with their communications. For a while I suspected they were still using the software, and had spent the 5-10 minutes required to decompile and remove the simple date-expiration check I had added to the v

No Patent

[theshowmecanuck]

There's no patent on jpeg. So who says people have to use DRM'd jpeg encoders?

Re:

[proibido]

They could enforce it in popular hardware like smartphones, digital cameras, etc..
Some high profile websites (like image banks) could adopt it in a way to prevent others to seal their content.
Even Facebook can adopt it to stop people from using YOUR content which is now THEIRS.

Re:

[TheReaperD]

No, but every movie studio, professional photographer and other media company will because their lawyers and CEOs will demand it.

Re: No Patent

[phantomfive]

Content producers mostly favor things that give them more money for the things they produce.

JPEG2000 didn't teach them

[CaptQuark]

I guess they didn't learn from their ill-received JPEG2000 format that not everyone appreciates messing with a near-universal standard. Maybe they will call the Blockchain version JPEG2020 so we can ignore it too.

---

Re: JPEG2000 didn't teach them

[phantomfive]

Yeah getting the buzzword "2000" wasn't enough. Now they decided to go with a buzzword *and* a technology that won't actually work to reach their goal (OK, proof of ownership is one thing, but block chain won't stop screenshots. It's not designed to do that)

Re:

[Kjella]

I guess they didn't learn from their ill-received JPEG2000 format that not everyone appreciates messing with a near-universal standard. Maybe they will call the Blockchain version JPEG2020 so we can ignore it too.

Which is why I'm not very concerned. The JPEG group was there at the right time, in the right place 25 years ago when we needed a "good enough" picture standard for the web and I don't know they've achieved anything of significance since. There's been tons of attempts to replace it which hasn't moved the needle an inch, it'd take an industry-wide alliance with a completely royalty free and open standard to even stand a chance. I'll believe it when I see cameras do "RAW+[new image format]" instead of "RAW+JP

Re:

[Kjella]

So I don't know if JPEG was cutting edge in 1992 or lossy encoding was widespread in the scientific and research spaces and JPEG just happened to be one such implementation? Can anyone who was there at the time comment?

I think the most correct thing to say is that around that time doing Discrete Cosine Transformations [wikipedia.org] in real time became feasible. Just a random blurb [pagesperso-orange.fr] I found:

Currently, the Atari JPEG decoder can decompress a 24 bits 320x200 picture in less than one second, which allows use of JPEG in games for example. This decoder is faster on the Falcon030 than the one we have tested on PC 486 DX2 66Mhz.

Wohoo we can decompress a 320x200 JPG in less than a second. If you wanted to show something like a 1024x768 (XGA, 1990) photo that'd only take like 12 seconds. It's also at the core of MP3 encoding, which also became feasible around the 486/Pentium days. Before that it was usually GIFs with lossless LZW compression or simply BMP with none whatsoever.

JPEG2000 addressed the biggest problem with JPEG

[Solandri]

It featured a lossless compression mode. Back around 2000, I used JPEG2000 to make archival copies of my scanned photos. They came out roughly half the size of an equivalent TIFF.

JPEG2000's drawback (and probably its undoing) was that it was simply too processor-intensive for the hardware at the time. It took my 300 MHz Celeron about 5 minutes to compress a photo into JPEG2000 format, nearly a minute to decompress (read) it. That meant that you still had to rely on TIFF to save your intermediate phot

Fight nonfreedom with more calls for freedom.

[jbn-o]

Maybe they learned that enough people on corporate repeater sites like these will dance the DRM (digital restrictions management [gnu.org] because I side with the user class) two-step: when something isn't yet implemented, push for its need absent any evidence that such need exists. Ignore that we need not think above business above all else, and ignore that even within that all-too-limited business-first framing businesses existed and worked at least as well without DRM. Later, if the DRM is implemented but not yet

JPEG?

[Hognoxious]

JPEG? Is that still a thing?

Re:

[Anonymous Coward]

"WebP is better in every way."

Except for browser support [keycdn.com].

No thanks, I'll stick with PNG. For web page graphics it is a perfect little format and has great browser support. If I am truly optimising page load times then I can put all my little graphics in one big PNG and use CSS sprites [css-tricks.com].

For those wanting a comparison of PNG vs WebP you can get one here [andrewmunsell.com]. The main advantage is alpha transparency with lossy encoding, e.g. transparent backgrounds for JPEG images. This is actually a pretty good application, as I o

if they wanted 'authentication'..

[Anonymous Coward]

as in 'is this picture the authentic original'. digital signature and checksum could simply be embedded into the file.

resize, resample, crop, or otherwise alter the image and the checksum fails.

anything else is over-reaching that stated goal.

if jpg evolves into a drm-laden piece of shit, the format will die

Label it "JPEG2001"

[knorthern knight]

Mockery is the best weapon.

There ARE legitimate security issues with photos

[Anonymous Coward]

A big one is a digital signature to verify lack of tampering (photoshop). Ideally, you'd like to be able to crop or redact some portions but still have a valid signature on the rest. (Some sort of tree hash seems the obvious way to do that.)

And blockchain is a good way to build a notary service, attesting to the fact that I took a picture prior to some time. Either for copyright registration ordocumentary ("this picture of Bad Shit was taken during the incident and not staged later") purposes.

Re:

[account_deleted]

Comment removed based on user account deletion

Oh look, it's nothing. Screenshot, resave.

[Aereus]

Stupid people aren't going to make sure the pictures they look at have a proper paper trail, just like they don't fact-check things now. And groups seeking to spread fake-news either aren't going to use a traceable image format, or they will merely screenshot and resave the image before using it themselves to break the chain.