High Fidelity’s content protection plan has high costs

[Editor’s note: In this opinion column, Kitely CEO Ilan Tochner is responding to High Fidelity’s content protection plan, which uses the same blockchain technology as that which powers Bitcoin. Tochner previously managed an identity rights protection company, IDChoice, and worked in Unit 8200, Israel’s equivalent of the NSA.]

High Fidelity is a new virtual world platform from Second Life founder Philip Rosedale. (Image courtesy High Fidelity.)

First, I’d like to begin by saying that we in Kitely find High Fidelity’s commitment to building an open-source foundation for a virtual reality metaverse commendable.

We’re rooting for their success, especially as some virtual world pundits seem to be willing to forgo having an open metaverse in exchange for being given access to a cheaper or — currently — more polished platform that creates single-vendor lock-in.

In my opinion, if you care about your future rights then you shouldn’t help promote platforms that will limit your freedoms down the road.

Specifically, if you care about content ownership then focus on helping build the ecosystem of open-source virtual reality platforms such as High Fidelity. Even if you’re planning on using a walled garden solution — such as a “closed grid” — make sure that it will be based on a platform that is open source and has more than one vendor offering services for it.

Another point that is important to state up front is that blockchain technology can be very useful for things that have a low transaction rate and don’t require anonymity.

Blockchain diagram. (Image courtesy IBM.)

Blockchain and anonymity

If you want to keep a public record of real estate ownership where the identities of the owners are publicly known then a blockchain is a great way to do so. However, the very nature of the public ledgers that blockchains utilize makes anonymity very hard to protect over time, especially if transactions can be correlated with data gathered from third parties.

See for example this article which explains how various techniques used to anonymize Bitcoin transactions can be overcome using data from online marketplaces to find the real identities of the buyers.

While the article states some ways of protecting against these particular vulnerabilities, history has taught us that with enough data, partial knowledge of what the data represents and various mathematical techniques, researchers eventually find ways to bypass all anonymization schemes.

Given that all information stored in public blockchains is permanently accessible to everyone, no data stored in a public blockchain can be considered permanently anonymous.

This is a problem for a system that defines content ownership, especially if the people designing it assume that they can promise anonymity to the people using it, which the High Fidelity article does.

If you have no problem with people knowing everything you buy or claim the right to use then that’s not an issue that should bother you.

However, if you want to use any content which you wouldn’t want any party that is interested in tracking your actions to know you use then you should avoid having your association with that content become part of a permanent public record such as the proposed public inventory blockchain.

User-generated content

Another big issue with the proposed system is that most legally licensed content in people’s possession will not come from marketplaces.

Nowadays, people create billions of pictures each day using their mobile phones. A few years from now, people will capture billions of volumetric videos each day using volumetric capture devices that will become standard on mobile phones and AR headgear.

People will save and share those videos with their friends in multi-user virtual environments that will be accessed using personal virtual reality devices.

In time, the entities in those volumetric videos will be automatically separated into manipulable objects that people will be able to copy and store in their inventories for use in other environments.

When that happens the number of new 3D objects people create and acquire each day will greatly surpass the number of objects they acquire in marketplaces.

Students practicing in-world building skills. (Image courtesy Jane Wilde.)

All that user generated content will never pass through a review process such as the one proposed in the High Fidelity article, so that content will never have ownership information associated with it on the High Fidelity inventory blockchain.

If a significant portion of that user generated content were to go through such a review then identical 3D scanned objects will likely be submitted by many different people, making it very problematic to determine ownership of new content without dealing with a lot of user contention, thus making the proposed review phase unscalable.

As a result, systems wouldn’t be able to rely on the inventory blockchain to determine if content is legally licensed by the people trying to rez it, thus requiring additional means to verify content licensing. As the proportion of content that isn’t registered in the blockchain increases compared to that which is included in it, the inventory blockchain’s value will decrease for determining who should be allowed to rez particular content.

A problem of time and space

A third problem is that even if all the transaction speed problems that currently exist with various blockchain implementations were to be resolved and the global inventory blockchain was able to handle hundreds of thousands of transactions per second, storage and bandwidth costs would make it very expensive to host a copy of the blockchain.

Remember, the aforementioned numbers are just for storing content ownership changes, they don’t include the much higher number of content ownership checks and actual item transfers that need to be made as people move with their avatar from one place to another rezzing items as they go.

Also, the blockchain itself only holds hash values representing items and the “secret” keys representing avatars involved in transactions involving these items. Managing the actual items themselves consumes orders of magnitude more storage and bandwidth than handling just their hash values.

An inventory system that doesn’t address the actual complexities involved with storage and transfer of items in people’s inventories is lacking critical components.

The takeaway from all this is that the proposed approach is very problematic. If this is what High Fidelity ends up using then we’ll support it once Kitely Market starts delivering to the High Fidelity grid, but we think that there is a better way to manage inventories and content licensing in a multi-grid Metaverse. We’ll discuss that alternative once we announce that service.

Related Posts


Ilan Tochner

Ilan Tocher is the CEO and co-founder of Kitely. Follow him on LinkedIn and Twitter.

  • Not knowing the specifics on how High Fidelity works, I’m stepping out on what my limited understanding of blockchain, and peer to peer serving is. As I see it, each physical machine that is running the High Fidelity client is configured as a P2P network. As such, that machine can process the computations necessary to verify the blockchain that has my chair that I purchased from Jane Resident. whether it came from Hi FI, Kitely, or an OpenSim grid. When the machine is off, the particular blockchain network simply works around it until it is powered on again, and the queue gets verified then. Very much like cryptocurrency mining.

    That being rehashed for the moment, anonymity has always been a very selective concept. The Nymwars should be a reminder that just because you have a particular private identity, digitally, authoritarian agencies still know who you are in the default world. They have the power to open as much information on you that they need, should they need it. Going through the global judicial system for permission is simply a formality that they are trying hard to sidestep. The only thing saving our butts from that is the hundreds of years of bureaucracy that anchors us to physical reality. There is documentation everywhere on the internet illustrating how someone thinking they could get away with IP theft was hauled into a default world court in order to atone for their misdemeanor.

    I don’t pretend that I’m completely savvy about the mechanics of blockchain and peer to peer serving. I’m sure someone will chime in with further details. Please do!

    • Hi Joey,

      The blockchain is a distributed public ledger that is built from a constantly growing list of blocks that are cryptographically signed to ensure that they aren’t tampered with. Each such block contains a certain number of transactions that are often, but not always, encoded in a way that should make it hard for parties that weren’t involved in those transactions to learn the true identities of the parties that were involved in them.

      The problem is that all this information is kept permanently and is accessible to everyone, not just to powerful agencies. So, once the methods that were used to try to hide the identities of the parties encoded in the blockchain are overcome, anyone having access to those tools can know the full history of the parties encoded in the blockchain as pertaining to the the transactions the blockchain handles. This means that everyone’s dirty laundry is on display in perpetuity and accessible on demand using the right tools. Again, not just to agencies that have very little interest in law abiding people, but to anyone who you interact with. What would that do to personal freedoms if you know anyone having an interest in you can know about everything you did?

      As for the technical specifics, let’s do some quick math using High Fidelity’s numbers (which IMO are unrealistically low for the aforementioned reason). They assumed 500-1000 transactions per second for 10 million active users. Let’s call that 50 transactions per second per million active users. For a metaverse with 1 billion users that would equal 50,000 transactions per second. This is Ignoring the majority of the world’s population and disregarding autonomous devices being active agents in the metaverse as well (if you were to include these the numbers could grow by several orders of magnitude).

      Each transaction needs to hold at least a representation of the item transferred and the identities of at least two parties that exchanged ownership/licensing of the transferred item. with 128bits (16 bytes) used for each of these representations you get at least 48 bytes per transaction. Multiply that by 50,000 and you get 2.4 million bytes per second permanently added to the blockchain. With 3600 seconds per hour, 24 hours per day and 365 days per year that equals an addition of more than 75 trillion bytes (about 75 terabyte) permanently added to the blockchain per year. Meaning that you consume at least that amount of bandwidth per year just to get a full copy of the public ledger to your end device, not including all protocol communication overheads.

      Once the data is on the device, the device needs to store the entire blockchain to be able to verify all the history without having to rely on third parties (that is what most blockchains do). So, after just 10 years the end device needs to allocate more than 750 terabytes just to hold the blockchain. This doesn’t count the actual database that is required to be able to quickly calculate the current state of each handled item without parsing all the past information in the blockchain. Assuming just 1000 items per user and 32 bytes to store each items identifier and the identifier of the user the item was acquired from you get 32,000 bytes per user, multiply that by one billion users and you get 32 terabytes of in-memory storage for being able to handle the real-time verification of the 50,000 transactions that the blockchain needs to handle. Again, if you assume that people will acquire 3D objects as often as they acquire digital pictures nowadays, this number can grow by orders of magnitude.

      High Fidelity is aware of these calculations so it’s approach isn’t to save the blockchain on every end-device in the network but rather to have trusted nodes, probably sitting on powerful clusters of servers in some datacenter, that will get paid in HFC (their proposed High Fidelity Currency) for handling this data. Once you consider that, you then need to consider that these nodes will also need to handle all the queries that will be created in the network regarding the stored transactions. These queries will greatly outnumber the number of transactions relating to content ownership/licensing changes. Meaning that the amount of bandwidth the nodes will need to use is orders of magnitude greater than they’ll require just for collecting the constantly growing blockchain. All in all, it winds up being a very expensive approach in terms of RAM, storage, and bandwidth resulting in people having to pay to prove they have the right to rezz items.

      There are Approaches that retain the goals that High Fidelity is trying to achieve without creating these high operational costs that preclude efficient distribution of the ownership proof algorithm.

      • Tony Lester

        What he said is 1000% correct. Block chains are anything but private, and thief proof.

      • Heh, see why I’m so willing to admit I don’t understand how the tech works? I had forgotten entirely about the nodes. Once you mentioned them, I slapped my forehead in an “of course!” moment.

  • Tony Lester

    So you exchange the amateur content theft for the professionals at SL2.0. Do you really trust the Lindens step children to be open on anything that doesn’t make them a profit?

  • Cinder Biscuits

    First of all, I do agree that a blockchain or a distributed ledger or whatever you want to call it is not the right tool for the job, but I disagree on this article’s reasoning.

    Great strides are being made with cryptocurrencies like Zcash (zero knowledge proofs), Monero, and Dash (coin mixing) to provide users with anonymity. The article referenced is about Bitcoin which was never intended to be an anonymous or untraceable method of exchange.

    The article also refers to the proposed ledger as an “inventory blockchain” which HiFi’s proposal doesn’t suggest, they are building a licensing system, not an inventory system. User generated content has nothing to do with unless the content is submitted through their review process.

    Now, what arguments are there for even doing this as a distributed ledger? There don’t seem to be many other than it’s a hot tech at the moment. Being that licensed objects must go through a central authority to be listed defeats the entire purpose of the technology.

    Blockchains are great when multiple parties need to read the same information, but for whatever reason there can’t be or shouldn’t be any specific individual party in control of that data. High Fidelity, or any other marketplace, would be in control of the data under this proposal. Making a blockchain an immeasurable waste of bandwidth and electricity. (Did you know that the bitcoin network’s power consumption is 1/5 of the power consumed for the entire UK?)

    Read access: While blockchains do have specific security features regarding write access (ie. Proof-of-work which itself is not very strong, only computationally expensive, and only with a sufficiently long chain and a decent number of nodes), blockchains do not have inherent security against read access. Indeed, blockchains are mechanisms for copying data to all relevant participants – this is what consensus is all about. So if you think controlling access to a single database is a pain in the neck, multiply that by the number of nodes in your blockchain to get the new attack surface area.

    High-Fidelity server is open source: As far as any potential DRM mechanism based on the proposed blockchain, will it do any good anyway? If it is as described, a mechanism for tracking licenses, what mechanisms will be put in place to ensure the licenses are even checked and not simply bypassed and allowed to rez the licensed content or remove the licensed content if it is rezzed somewhere else? As far as I can see, it suffers the very same DRM issues as OpenSim does involving rouge servers and bypassing DRM.

    • Hi Cinder,

      Please read the article I linked to. It specifically states that using the described attack “a small amount of additional information, namely that two (or more)
      transactions were made by the same entity, is sufficient to undo the
      effect of mixing.” and “using improved mixing techniques, such as multi-round mixing, is only partially effective”. They also mentioned that “some anonymity weaknesses have recently been revealed in Monero”. Again, this is just one article describing two known attack methods.

      My main point is that no scheme will remain secure indefinitely when enough data about transactions is publicly known and an attacker can easily inject plaintext messages into the ledger (for example by giving specific known items as gifts to avatars visiting a domain, thus creating traceable records of transactions in the inventory/licensing rights blockchain even if some aspects of those transaction are hidden as in the case of zcach).

      If avatars buy something inside a domain, even from a legitimate source, then the transaction in both the currency and inventory blockchains can be correlated with whatever additional data can be extracted about the avatar and its behavior inworld. Done over time and over enough modified or hacked domain servers and you can use correlations to pinpoint people’s identity even if you are unable to bypass the protections provided by each blockchain separately.

      I mentioned unregistered user generated content in my article because its existence will eventually turn the use of the proposed content licensing system, with its associated costs, into an unjustifiable expense for domain operators. I discussed additional weaknesses of the proposed scheme in the High Fidelity forums thread that discusses this article: https://forums.highfidelity.com/t/hifi-blockchain/13072/46

  • Hi Phillip 🙂 First, I’d like to repeat our respect for the way you’re working with the community on building what we hope will be an important foundation for the open metaverse. As such, I hope you’ll view any criticism we make of your proposals as constructive feedback designed to help us all end up with the best metaverse we can create.

    While the handling of inventory and IP rights is different, it does have a lot of interdependencies, which is why I mentioned inventory handling in this article. That aside, the problem I see with handling the transaction rate you mentioned isn’t with creating a network of distributed servers that can handle the required calculation speeds. Rather we’re concerned about the speed that the block chain will grow as a result of this transaction rate, and what that would mean for domain owners’ (not to mention users’) ability to mirror the blockchain in order to query the system.

    You can see my numerical analysis of server resource requirements when just handling hashes in this comment http://www.hypergridbusiness.com/2017/08/high-fidelitys-digital-certificates/#comment-3483746748 . If we’re building for the long run then we should plan for success and I believe you’ll agree that my calculations in that comment aren’t completely off the mark. Please correct me if I’m wrong.

    In any case, if it becomes expensive to hold a copy of the blockchain (even without doing any operations on it) then people/organizations that do decide to mirror that data will charge a price for accessing it (in one way or another). And when that happens then we create attack vectors against the community that wouldn’t exist if a public blockchain wasn’t used for IP rights management. (You can see some of my comments in this High Fidelity forums thread for a few examples: https://forums.highfidelity.com/t/hifi-blockchain/13072/62 )

    The article I linked to mentions how the attack method that was used can bypass mixing and a few other anonymization schemes. All anonymization schemes have vulnerabilities that can be exploited given enough time, data and the analyst’s ability to create new data points or use correlations with known information. The methodology for attacking some anonymization schemes may not be known now, but cryptanalysis is a rapidly evolving field and with a public blockchain the entire public ledger becomes exploitable once the desired attack method is devised. I recommend preemptively avoiding this particular vulnerability by not using a public blockchain to begin with.

    I want to make sure that the number of developers working to build the High Fidelity codebase will grow over time so that the project can remain viable. For that to happen it’s important to ensure that the foundation services that power the growth of the High Fidelity ecosystem are designed to handle the potential vulnerabilities that may affect these services down the road. Given that there are other options for building the type of IP rights protection service you mentioned that are less vulnerable to abuse, I hope you’ll be open to reconsider how you implement this service.

    One preferable approach to the type of service you wish to provide would be to forgo using a public blockchain and just use cryptographic certificates that are transferred to the end user’s device or a trusted third party acting as the user’s proxy. There would still be a place for one, or more, service providers providing components of the IP rights service you want to create, but this way we’ll retain the ability to prove ownership to third parties without having to deal with the aforementioned issues.

    Obviously my last paragraph didn’t cover all the required details for a working implementation, but I’d be happy to discuss them elsewhere (the forums thread on Hypergrid Business is probably not the best venue for working out technical specifications). I also think it’s important to define what types of IP licensing you wish this system to support. The approach you mentioned in your blog post seems to limit usage of an authorized content instance to one location at a time. Not supporting copy permissions for bought content may be too restrictive for some usage scenarios.

    In any case, we look forward to working with you and the High Fidelity community on this and other areas of mutual interest.

  • Tony Lester

    Ilan and Phillip, this is a very interesting discussion. Many on OpenSim and SL content maker are always worried about protecting their textures, scripts and other forms of IP. They invest the countless hours in the hope of making a living with it. Others believe that creating a pirate proof system will make them a multi-million dollar business. But let us look at the reality. Everyday pirates are far more sophisticated, the more money to be made, the more technology they throw at the problem. There is yet anything that has not be broken. The cost of entry of many enterprise keeps going down. So anything IP that is profitable is either hackable or copy-able. These characters will not abide by the rules, will not be where you can sue them. They will be in China, or one of a dozen places that disregard any IP laws. So what is my 3d spaceship model worth, $1, $5, or .10 cents. You can buy it from a broker(you), from me, or steal it. People buy because it is convenient, people sometimes steal because it is easier, and definitely cheaper. People buy from SL marketplace and Kitely because it is convenient not because they like to spend money. One day, I will get on a website and buy a copy from some guy on the other side of the world for 50 cents. It is an original copy that bypasses your block chain, and what are you going to do police every item to see if it is similar. The real focus of every VR world provider should be to make it easier for more people to use it. Everyone is still trying to pickup the content pennies from the floors and fail to see the bigger dollars from being a player in a new social market place. Improve the viewers so that anyone can use VR worlds easily, and you will get millions of eyeballs to sell stuff to. BTW the only anti-copying system that has ever worked is one that self-destructs after use, and even that is not 100% secure.

  • I know this is a late response but I do want to express my opinion. First off I want to say I respect Philip and everything he’s done to help better virtual worlds. I do believe this is a great approach but I would have to agree with Ilan on this. I believe there are other alternatives to help safeguard content instead of a public blockchain. With everything I’ve learned about Bitcoin in the past couple years they haven’t done a lot regarding security that made me appeal to them. I do applaud the approach but I believe actually keeping things anonymous is one of the key factor’s here and with me being a grid owner I need to take things seriously to keep my users protected as much as I can. Also try not to exceed the costs of running the grid. There are different ideas and approaches that can be discussed and how to go about it. So with all that said I would like to see something like this working while at the same time keeping costs down and help safeguard users in the process.

    • Area Fiftyone

      ” With everything I’ve learned about Bitcoin in the past couple years they haven’t done a lot regarding security that made me appeal to them.”

      What kind of security breaches are you talking about ?

  • Rene

    A blockchain can be just fine if the entire process, including scaling, is thought through. The problem is looking at half-baked solutions like the High Fidelity (HF) one, as if that is ever going to gell towards an efficient solution. Efficiency is not an emergent property – it takes concerted thought to work out the solution space, and it has to happen before implementation. Thankfully, the HF approach is not implemented, so there is time to amend the thinking process.
    Consider reading through this article: http://www.techradar.com/news/microsoft-is-making-a-blockchain-thats-fit-for-business in which Microsoft is developing an open-source business ready Coco framework. it addresses many of the efficiency concerns, though it requires trusted execution enclaves.
    And, thank you, Ilan, for pointing out all the deficiencies in the High Fidelity design. As for anonymity, we are well past ensuring that. If any state actor or well funded institution takes an interest in a fictive person, they can correlate that fictive person to a real identity or set of people given the huge amount of correlative data available publically and otherwise.

  • It’s true that the Bitcoin blockchain uses ids that can sometimes be traced back to real identities, but the Bitcoin blockchain isn’t the only blockchain (despite what Bitcoin maximalists say). Several blockchains have been designed specifically to protect anonymity and privacy. Probably the best-known one is Zcash. Another one is ZenCash.

    • Hi Troy,

      The point is that there are vulnerabilities and ways to exploit them for every non-trivial system you devise. There have already been several vulnerabilities discovered in zsach as well, and those are just the ones the people responsible for trying to secure this cryptocurrency are aware of.

      To assume that just because something is designed to provide long-term security it will actually be able to do so ignores the history of advancements in math, computer science, and even just plain-old faulty implementations that are found in even the most scrutinized open-source projects.

      If we believe anonymity is something to strive for then we should avoid writing transactions in a public ledger that is designed around the assumption that P =/= NP (which may or may not be the case) or that quantum computing won’t advance enough to make the “hard to compute” cryptography algorithms that cryptocurrencies are built on trivial to crack.

      We need to take a cautious approach when assuming the complexity of attacking the system. Public ledgers simply create a very big potential attack vector, especially for determining anonymity using external correlations. While future security fixes may prevent known vulnerabilities from being exploited against future transactions, the nature of a blockchain means that all transactions prior to the fix may become susceptible to a type of scrutiny that will remove any anonymity promises that were designed into the system.