Ask HN: How should I secure my ebooks?

4 points by demosthenes ↗ HN
I'm about to publish an ebook and am looking for ways of securing it.

The target readers are high school students so it might have to be fairly robust. On the other hand, a light-touch approach and a friendly notice about paying if you think it's worth it might be enough.

So far, every solution I've looked at seems either insecure (eg. IP restricted / expiring download links) or annoying for users (custom readers, plugins). Also, much of it is limited to Windows.

Do you have any experience of this? Any advice? Recommendations?

9 comments

[ 3.2 ms ] story [ 25.8 ms ] thread
Imo it's just not worth it, if somebody can read it he can make a copy of it and redistribute it "illegally". Only thing you'll accomplish is pissing of the ones who retrieve it legally and the "harder" (harder for the average Joe) you make it the more annoying it'll be.

Only reliable "secure" way of publishing an ebook is not publishing it as an ebook at all.

We realize there'd no way to eliminate piracy altogether.

We're just looking for the simplest way to make casual piracy tricky enough to discourage anyone who might want to pay for it. And of course a way that doesn't piss off paying users.

I'm not too concerned about piracy by people who would never have paid in the first place.

I've thought of this before and here is what I came up with. Each ebook purchased should be unique. This does not have to be a manual process. You should take the transaction ID of the ebook purchase, use it to generate a steganographic image, and patch that somewhere into your PDF file. A good way to do this might be to use Least Significant Bit encryption. Directly quoted from Wikipedia:

>>>For example: a 24-bit bitmap will have 8 bits representing each of the three color values (red, green, and blue) at each pixel. If we consider just the blue there will be 28 different values of blue. The difference between 11111111 and 11111110 in the value for blue intensity is likely to be undetectable by the human eye. Therefore, the least significant bit can be used (more or less undetectably) for something else other than color information. If we do it with the green and the red as well we can get one letter of ASCII text for every three pixels

Now, there are two main problems here, as I see:

1. The text can still be scraped from the ebook and redistributed as a .doc file. For this reason, you may also want to include some text steganography (e.g., draw some ASCII art with varying characters; change the order of people you thank on the "dedication" page).

2. The pirate-distributor could insert pixel noise randomly all over the file. Then, your trans-id information encrypted in the LSB-image would be lost. In my opinion, however, this is unlikely, because the security I've described is not (at least typically) used in practice (with eBooks, as far as I know).

These aren't preventative measures [1]. But if something does end up circulating on the net, you have a unique ID and can then probably sue their parents. Be sure to explicitly forbid them from circulating the PDF/consent to being sued if they do/what have you, in the terms of service.

[1] Unless you explain that each ebook is uniquely secured, which may prove something of a deterrent; unfortunately, one measure of security is to not let people know that the property is secured in the first place. This may make the steganography more vulnerable to attack.

Thanks for the advice!

I see how it would make sense if we had the money to go after people with lawyers. However, I can neither afford that nor am I particularly interested in having to do that.

I mostly see it as a deterrent.

Surely the same effect could be achieved by putting the purchaser's name / email address on there, without the hassle of steganography.

The impact of seeing your data emblazoned on the PDF would probably be a bigger deterrent than a hidden watermark, though of course it could quite easily be removed by a determined pirate.

If you use -any- sort of DRM, it will be extremely restrictive to the end user. Personally, I think really what is needed is for it to be convenient for the end user. This is what keeps me buying music from Amazon MP3. I don't even need any software other than a browser if I'm buying a single song. There's nothing to stop me from sharing my files with a few friends but Amazon MP3 probably makes up for whatever sales that would be lost this way because I like the service so much I recommend it to people all the time. Just give the user a raw, non-drm PDF file. If you really need to do -something-, dynamically insert a unique user ID on the last page of the book, just on the page, no steganography, write "Purchased by user #12345." PDF is pretty much a read-only format, so this wouldn't be easy to remove.

This probably won't keep people from casually sharing the book with their friends but will probably effectively put them off of sharing it publicly on the internet or p2p.

That approach -- making paying more convenient than not -- only works for adults, ie people who have an surfeit of money and a lack of time. High school students are the opposite.
I'm personally fresh out of high school, still 18 in fact. If your price point is so high that your target audience will actually -look- for a pirated version before they even consider a purchase, you are not going to have very good sales. The rule of thumb for DRM is pretty much if anyone can view the content, then the content can be cracked and distributed. Any significantly good, well-known product will be available for free somewhere, it's just a question of how hard it is to find.

Consider that many high school students can't purchase things online anyway, lacking credit cards, which means no matter what, "stealing" the product is more convenient for them.