In the computer forensics world, photo forensics is a niche specialty. Most people involved in computer forensics perform tasks like file recovery, log file data mining, deep packet inspection, and malware analysis. There are plenty of people who perform auditing and compliance assurance (both are types of forensics). However, outside of these relatively common skills are the really weird forms of forensics and profiling. Like linguistic analysis, biometrics, and photo reconstruction.
Second Fiddle
There's a scene in Fiddler on the Roof where Lazar approaches Tevye (the milkman) and asks about marrying Tevye's daughter. However, Lazar is not direct and Tevye assumes that Lazar is asking to buy his milk cow. ("Today you want one. Tomorrow you may want two." "Two? What would I do with two?" "The same as you do with one.") Since photo forensics is a rarity, I sometimes run into similar miscommunication issues, where I interpret the topic one way but other people interpret it differently.
For example, I once gave a talk titled "Image Forensics". A solid half of the people who showed up thought I was going to talk about hard drive analysis. Why? Because analyzing a disk image (or "image") is a much more common problem than picture ("image") forensics. I have since learned to preference my talks and papers with words like "photo", "pictures", or "computer graphics". This helps avoid confusion.
Uniquely Distinct
Even within the image/photo forensic world, there are common terms that are poorly defined. For example, image "ballistics" and "fingerprints" are terms that are usually used interchangeably. They refer to a derived signature that can identify a type of camera or specific application.
The problem is, this type of analysis really isn't comparable to fingerprints in the physical "blood-splatter and footprints" forensic world. Human fingerprints are considered "unique". But a photo fingerprint is not unique. At best, it is "distinct". Although some cameras do include specific serial numbers ("unique to that camera"), they are a rarity. Usually fingerprints identify a type of application (but many people may have that program) or a type of camera. But this really depends on the manufacturer. A particular fingerprint could be limited to identifying a specific make (e.g., most Blackberry's generate pictures that have similar fingerprints) or product line (e.g., the Canon A610 and Canon A720 generally look alike if you ignore the model number). Similarly, Android phones all use the Android operating system. The default camera app is typically the same, regardless of the camera manufacturer. So don't be surprised if an HTC Hero has a similar ballistic signature/fingerprint to a Motorola Razr or Samsung Galaxy Nexus. And then there is rebranding, where the manufacturer puts their name on some other camera; the old HP PhotoSmart 618 is actually a rebranded Ricoh.
Names like fingerprint or ballistics suggest an analogy to physical crime investigation. However, this type of signature really isn't ballistics except in the general case. The analogy is not like "these two bullets came from the same gun". It is more like "these two bullets were fired by the same type of gun".
And yet, we still describe this signature analysis method as "photo ballistics" and "image fingerprinting", even though the analogy is incomplete. Using these terms may give people the wrong impression unless they are fluent in the technical details.
Raster and Bitmap
Another confusing term is the word "bitmap". When most people hear "bitmap", they think "BMP". However, BMP (pronounced "bitmap") is a specific file format. In contrast, a generic bitmap is typically a raster graphic where each bit or byte directly maps into an image pixel. There are plenty of cases where a bitmap is not a BMP. For example, JPEG files can contain a small JFIF thumbnail image that is a raw bitmap/raster and not an actual BMP. Similarly, TIFF and PDF both have raw image formats where they list the bytes as a bitmap. These lack the standard BMP header and are not BMP files.
People also assume that BMP is laid out as one big unencoded graphic, but that isn't always the case. BMP supports some compression options, like RLE (run-length encoding), and can have really odd byte or line padding. Saying that BMP is a bitmap is no different from saying that PNG is a bitmap -- both have headers, compression options, and store raster graphics. Yet a PNG is almost always significantly smaller than a BMP and saying "PNG" (or "ping") doesn't usually make people think "bitmap".
Ironically, the file format most like a flat bitmap is a PPM and not a BMP. The portable pixel map family of formats (ppm, pgm, pbm, etc.) have a minimal header and then data that is spread out like a flat image. These formats are really a basic, raw bitmap.
Raw is not well done
The other format term that causes confusion is "raw". This usually refers to the "straight from the camera" file format. Raw is supposed to be a lossless format that represents what the camera's sensor captured.
However, there is no single "raw" format; every camera-raw is different. For example, Canon uses two different raw formats. The older "CRW" (Canon RaW) uses a CIFF container (Camera Image File Format). This is a variation of the TIFF container, but it uses relative offsets rather than absolute offsets. The newer "CR2" (Canon Raw 2) is an actual TIFF container that holds a lossless JPEG and a lossy JPEG. Other formats, like ERF (Epson Raw Format) and NEF (Nikon Electronic Format), are also TIFF containers with minor variations. The Panasonic RAW format looks like a TIFF except that the TIFF type is 0x0055 instead of 0x002a (they changed the magic key so standard TIFF viewers won't view the file).
Anyone who thinks camera-raw is a simple format has never seen the source code to dcraw, the most powerful raw-to-JPEG converter out there. This program has tons of special cases -- some are based on manufacturers and others are specific to particular camera models. (The source code functions "adobe_coeff" and "identify" are just amazing -- these are a huge tables of special cases and special handling conditions for specific camera makes and models. The rules are things like "if the camera is a Canon Powershot A5, then ignore the height and width specified in the file and use 960x773 instead".)
Outside of dcraw, Photoshop can import a subset of raw variants, but can only save in a fraction of the variations. Photoshop cannot import and exportall of the various raw file formats. (Adobe also has a "Photoshop Raw" format, but that is different from any camera-raw format.)
Back in 2004, Adobe tried to formalize the raw format by introducing DNG (a Digital Negative) as yet-another TIFF variant. However, only a few cameras have adopted it. The vast majority of manufacturers still use their own formats.
I always find it funny when people talkaboutediting the raw file in order to bypass JPEG artifacts or forensic detection. The vast majority of camera-raw formats can be loaded and converted, but not saved in the original format. People who suggest editing and maintaining the raw format really don't know what they are talking about. Maintaining a lossless format to remove compression artifacts is good, but retaining the original raw format is almost never necessary and usually isn't possible.
Frankly, there is nothing that a DNG or proprietary raw format can store that cannot be represented in a PNG. This includes very large pixel depths, lossless encoding, and even Exif data that provides detailed meta information. (Adobe products place Exif blocks in PNG text or compressed text blocks.) And PNGs compress way better than TIFF -- especially since most raw formats don't bother with compression at all.
The big difference between camera-raw formats and lossless raster bitmaps is really in the lossless sensor data. The actual picture usually isn't stored as RGB color. Instead, it looks like a dithered grayscale image. This is the sensor information before the color filter array (CFA) is applied to estimate the color. Even pictures that claim to have 12-bit or 14-bit color per component really isn't representative of the deep depths when they are converted to RGB. This is because the CFA averages colors to make the actual pixels. (E.g., in an RG/GB pattern, two greens are averaged to determine the actual pixel-green color.) This isn't to say that deeper depths isn't better; but 12-bit data may only have 10 or 11 bits of reliable information. And unless you have a very special monitor, your display only shows you 8-bit color depths anyway. In reality, there is no real benefit to retaining more than 8-bit color after you convert to the display since you won't see what you are working on anyway. In Photoshop, loading a camera-raw file gives you a special window for converting from a deep bit depth to 8-bit color, but after you click on the "open image" button, the image is converted to 8-bit deep.
Raw files also have one other gotcha... Along with the lossless image, most raw files contain a high-quality lossy JPEG. The basic idea: if you don't know how to parse the huge lossless image, then you can still pull out a huge JPEG. Users need to be careful when a program says that it can handle raw files since it might be using the large JPEG instead of the actual lossless raw sensor data.
Clarity and Focus
Over the last few weeks I have had technical discussions with people who didn't use the same definitions and assumed that we had the same mindset. I was talking about pictures, while they were thinking hard drives. They were talking about hashes while I was thinking profiles, and a small group ended up being split between generic lossless raster images and specific file formats. When talking about any technical terminology, it is important to have a common baseline. Just because someone works in computer forensics, does not mean they interpret the same words the same way. People may envision different problem spaces, alternate analogies, or variable data formats.
Every year Beloit College releases their Mindset List. This is a list of phrases and colloquialisms that have become outdated. Incoming college freshment may not understand it when you say "like a broken record" since they grew up with CDs and portable MP3 players. Most of them have never owned a record player and many have never actually seen a vinyl disc. They may also be confused by terms that changed meaning. For example, when I was growing up, a "thong" was a type of shoe and not an undergarment.
If you fail to adapt to the changing world, then you will end up confused and misunderstood. For a company, failing to grasp a changing world will lead to failure. For politicians, it shortens careers.
Capture The Moment
Kodak declared bankruptcy today. The company that invented the first easy-use camera, defined the film used by movies for a century, and created the Bayer mosaic filter pattern to give digital cameras color is finally coming to a slow end.
It's hard to say that we didn't see this coming. I cannot recall anything new or cutting edge from Eastman Kodak in over a decade. In 2011, their stock value dropped 80%. Sadly, Kodak failed to adapt to the modern world. They never grasped the concept that digital photography would completely replace film. While they do sell a few digital cameras, they were still heavily invested in film.
Bankruptcy grants companies time to reorient themselves. However, I think Kodak is far too devoted to old technologies for a successful recovery. I hope they prove me wrong, otherwise the freshmen class of 2030 won't understand phrases like "a Kodak moment" and "shake it like a Polaroid picture".
Like a Broken Record
I was pretty impressed by the SOPA/PIPA blackout. The online community spoke, and many members of congress listened. I've heard reports that congressional office phones wouldn't stop ringing with people opposed to these bills. A significant number of the Senators and Representatives who previously supported SOPA and PIPA have now dropped their support. However, there are still plenty who think these bills are a good thing.
Unfortunately, one of the PIPA supporters is from Colorado. He may represent my state in Congress, but he does not represent my views.
I find it ironic that Senator Michael Bennet (D-Colorado) want to support censorship of sites that violate intellectual property rights, but he has no problems with infringing copyright directly. Bennet is a co-sponsor of PIPA, the Senate's version of SOPA. On 13-Jan-2012, the Senator violated the NFL's copyright by uploading a video clip of the Denver Broncos to YouTube and then tweeting about it. The local news channel caught wind of this and questioned the Senator about it. Bennet said that his copyright infringement wouldn't endanger YouTube if PIPA passes because YouTube is domestic and not foreign.
"Actually it's not [subject to the terms of PIPA] because YouTube is excluded from the bill as it's written right now," Bennet told 9NEWS. "Notwithstanding the fact that I think the bill is too broad, in this case it doesn't create the unintended consequence your viewer is worried about."
What Bennet fails to realize is that YouTube has foreign locations. For example, the URL that he posted is http://www.youtube.com/watch?v=xZw1G4Z0QSc. This content is available from http://www.youtube.co.uk/watch?v=xZw1G4Z0QSc in the United Kingdom and http://www.youtube.jp/watch?v=xZw1G4Z0QSc in Japan. Both of these foreign URLs redirect to "youtube.com". YouTube uses a distributed network that has hosts located all over the world -- not just in the United States. That video may have been uploaded by an American, but it may be streaming from a foreign server. The content that Bennet posted on YouTube is in violation of copyright, is available from a foreign URL, and could come from a foreign server. Therefore, it would be a PIPA violation.
Bennet clearly doesn't understand that his infringing content was not just uploaded in the United States. It was uploaded to the world. And by posting it to both YouTube and Twitter, he has given the NFL the option to submit a PIPA takedown notice to both companies. Both YouTube and Twitter could be taken offline because of Senator Michael Bennet's theft of intellectual property.
This copyright infringement isn't an isolated case. If you look at Bennet's YouTube uploads, you'll see plenty of news clips. It doesn't matter that these clips feature him. He doesn't own the copyright to those clips, the various news channels own them. Bennet appears to be a habitual copyright infringer.
Goodbye Kodachrome, Hello Black and White
I'm under the belief that the remaining congressmen who support SOPA and PIPA don't care what their constituents think. They have already made up their minds and will not be swayed by logic, facts, or concerned citizens. As Bennet has shown, they are not even interested in protecting copyright or intellectual property -- they just want to support these bills.
The ProPublica website has a roll call that lists each congressman and their stance of PIPA/SOPA. The site also lists how much funding each has received from the music/movie/TV industry and the computer/Internet industry. I find this the most fascinating part. If you sort the list by donations from the music/movie/TV industry, then 9 out of the top 10 recipients are supporting the bills -- including my own congressman. (I looked at the values on 19-Jan-2012, but their results may change with future updates.) The 10th congressman, Roy Blunt, changed to the opposition following Wednesday's Internet blackout.
Initially I expected to see the largest recipients of funds from the computer/Internet industry to oppose the bills, but that isn't the case. Sorting by the computer/Internet industry shows that 6 out of the top 10 recipients support the bills, 2 oppose them, and two are unknown. But look a little closer and you'll see why -- most of the top recipients of computer/Internet funds received even more money from the music/movie/TV industry. In fact, only about a dozen congressman have voiced a position that runs contrary to the amount of money they received -- and most of these contradictions come from people who received less than $20,000 total from the two sets of special interests. ($20,000 isn't much in terms of special interest revenue.) In contrast, of the 15 congressmen who received more than $100,000 from either group, only 2 are voting contrary to the major funding source and 3 have not declared their preference.
Now we've run full circle. The strongest supporters of these bills appear to be working for special interest groups and lobbyists. They are not representing their constituents; they are representing whoever pays them the most. Isn't that one of the things that Occupy Wall Street wants to change?
The debate around SOPA and PIPA is not about protecting intellectual property or copyright theft. It is about rushing through legislation that tries to solve a problem by ignoring it. The false belief that is propagated by these bills is simple: If you don't see the problem, then it must not exist. This is the story of Kodak, and Kodak is just the beginning. SOPA, PIPA, and similar legislations denote the final grasps from an industry that doesn't understand that times have changed. On the Internet, there is no clear line between foreign and domestic. We are all connected, whether they want to see it or not.
Yesterday the Whitehouse released a statement concerning the Stop Online Piracy Act (SOPA), the PROTECT IP Act, and the Online Protection and Digital ENforcement Act (OPEN) -- three similar and competing bills currently working their way through the House and Senate. Although it is written with a political correctness that you won't see on my blog, it basically says that the Whitehouse wants to see more protections for intellectual property, BUT it will not support any bill that does so by violating free speech or online censorship. In effect, the Whitehouse has just announced that it will reject all three of these bills.
Speaking on behalf of the Whitehouse, Victoria Espinel, Aneesh Chopra, and Howard Schmidt also discussed the technical limitations that make enforcing SOPA, PIPA, and OPEN impractical. For example, they wrote:
Our analysis of the DNS filtering provisions in some proposed legislation suggests that they pose a real risk to cybersecurity and yet leave contraband goods and services accessible online. We must avoid legislation that drives users to dangerous, unreliable DNS servers and puts next-generation security policies, such as the deployment of DNSSEC, at risk.
In other words, solve the problem -- don't try to mask it with filters.
However, some people have already begun criticizing the President's stance. One of the most vocal is Rupert Murdoch -- a person well-known for supporting biased and false news reports, being involved in serious and repeated phonehacking, and who claims that providing aggregate link services is content theft, even though his own companies do it. Shortly after the Whitehouse made their statement, Murdoch tweeted:
@rupertmurdoch Rupert Murdoch
Piracy leader is Google who streams movies free, sells advts around them. No wonder pouring millions into lobbying.
This is hypocrisy at its finest, considering that Murdoch's foxnews.com has free streaming videos and advertisements, they hosts their own YouTube channel, and their TV news channel plays YouTube videos along with paid commercial advertisements -- all for free. And while Google has been involved in lobbying against SOPA, Rupert Murdoch personally lobbied for SOPA.
Murdoch isn't the only person angry at the Whitehouse's stance on SOPA. His twitter stream is filled with twidiots who also think SOPA was a good thing. People like George Elliot (@OccupyPiracy) who wrote, "@rupertmurdoch So true about Google. Not sure why people don't realize WHY they oppose #sopa. Poison Profits from theft/piracy."
To really understand the problems with SOPA, let's run through a hypothetical future that I'll call "Day 6".
Day 6
Under SOPA, hosting, DNS, and/or network service providers have five days to comply with a SOPA takedown notification (Sec. 102(c)(2)(A)(i)). On the sixth day, they will be in violation of the law.
Now, for this hypothetical situation, we need a villain. Someone who is in copyright violation. I'll choose Senator Lamar Smith -- SOPA's sponsor. The website VICE identified that Smith violated copyright when he used a picture without permission. Back on 24-July-2011, Smith's campaign website featured a nature-based background image. The background image came from the Flickr stream of DJ Schulte. According to Schulte, this picture is available with his explicit permission or through a Creative Commons license that requires attribution. Neither Smith, nor anyone associated with him, ever contacted Schulte for permission, and Smith did not provide the required attribution. Thus, Smith was in violation of the copyright.
Of course, that violation was before SOPA... Since we are assuming SOPA passed today, let's look at his website today. At the top is a big banner ad with the Austin skyline.
I also looked at his website at the House of Representatives.
Again, he uses a lot of stock photos that lack attribution and could have come from many different web sites. For example, the banner at the top includes a picture of the Alamo that could have come from Getty Images or a variety of web sites. The gold "Judiciary" image originated from iStockphoto, but Smith could have downloaded it from any of a dozen web sites. Again, there is no attribution.
Since I have seen that Lamar Smith has stolen at least one image before, and I suspect that he is using other images without permission, I can help protect America by submitting a SOPA notification against Lamar Smith's web sites.
Now, keep in mind, I'm not the copyright holder. I'm not even affiliated with these pictures. I don't even have conclusive proof that the current pictures are used in violation of copyright. However, SOPA does not say that I have to be the copyright holder to file a complaint. As far as the strength of the complaint, SOPA page 9 line 4 only says that I have to provide "relevant evidence". Page 32 line 1 says that I must identify the evidence, and on page 49 (lines 1-2), it says that I have to be working in "good faith" and provide "credible evidence". I, in my non-legal-expert opinion, believe that I have met these requirements. So I'll file a SOPA takedown notice...
Wait a minute... He's not foreign!
Now, I know what you're thinking. Rep. Lamar Smith and his websites are not "foreign" entities. SOPA Section 101 explicitly defines "foreign" in terms of network servers and network addresses located outside of the United States.
However, Section 102 gives an alternate definition on page 10 (lines 7-22). In particular, it defines a "foreign infringing site" as a (1) US-directed site used by US citizens, (2) an owner or operator who is in violation of various intellectual property laws, and (3) a site that would be subject to seizure in the United States if (3a) action were brought by the Attorney General, and (3b) it were domestic.
SOPA doesn't say that the claim must be filed with the Attorney General. The definition also doesn't say that the site has to be foreign. In this scenario, Smith's websites are US-facing, appear to be in violation, and would be subject to seizure if the Attorney General got involved. So even though his site is domestic, he fits the definition for a "foreign infringing site".
Decisions, decisions...
At this point, I have a SOPA complaint and I'm ready to submit it. The big question becomes: where should I send this hypothetical SOPA takedown notice? The bottom of SOPA page 13, Section 102(c)(2)(A) talks about "Service Providers". It says that I can contact the hosting site, domain registrar (DNS provider), or network provider. The law doesn't say which one and doesn't give a preference. The law doesn't even say that I must try to contact Lamar Smith. However, it does say that I have to file the complaint with a court -- not which court or whether the court must rule on the complaint; I only have to file it.
The US Courts are not known for speed. It typically take weeks or months for a response to any particular filing. For example, the Eastern district of Pennsylvania says that a defendant has 14 days to respond to a filing. So if I file my complaint with them, then there would be a minimum of 14 days before the court would make any ruling. Yet, SOPA says that whoever I send the complaint to must take action within five days. So if I submit my complaint to the court and to the provider on the same day, then the provider must take action long before the court rules on the merits of my complaint.
So we know that the complaint must be sent. But where to send it? The "common sense" answer would be to send it to Lamar Smith. However, that isn't required and -- as a suspected repeat copyright infringer -- he is unlikely to do anything. So I could send it to the hosting provider. www.texansforlamarsmith.com is at 107.22.28.1 -- that's Amazon.com. Amazon has the option to remove the images, block access to the images, or even take down the Smith's entire website. And they must act within 5 days.
But why stop there? I don't have to send it to the hosting provider. I can send it to the network provider! In this case, the 107.22.0.0/16 subnet is also managed by Amazon. (In the more general case, the hosting provider is not always the same as the network provider.) I can tell Amazon to block access to 107.22.28.1 since that computer is hosting content that violates copyright. Of course, multiple domains -- unrelated to Lamar Smith -- may be sharing that same network address. But from the network provider's viewpoint, they can only filter connectivity and not specific content such as a web page or image.
I can even take this up a notch... Amazon's network (AS16509) receives network traffic from a dozen peer networks. This includes Qwest, Telianet, GLBX, Cogent, and Level3. I can send each of them a SOPA notice, telling them to block connectivity to 107.22.28.1, or requesting that they block the entire 107.22.0.0/16 subnet! That's over 64,000 network addresses! Remember: SOPA doesn't say that the request has to be specific; I can use a very broad sword to cut out this offender.
But why play with the network when I can go after the DNS registrar? According to the robotex network lookup service, www.texansforlamarsmith.com is a domain managed by Network Solutions. They are one of the biggest domain registrars out there. I can use SOPA to tell them to unregister the domain "texansforlamarsmith.com". Lookups for his domain would fail. And while his domain does host content that is not in copyright violation, none of it would be accessible because of one or two offending pictures.
However, my abuse does not need to stop there. The way you find Smith's domain is by going through a chain of domain servers. As SOPA specifies, the domain registrars can be told to stop lookups for the domain. In effect, if any required element of the DNS lookup chain fails, then the host is inaccessible.
Smith's domain is hosted by two servers: ns13.worldnic.com and ns14.worldnic.com -- both hosted by Network Solutions. If these servers did not exist, then you wouldn't be able to lookup "texansforlamarsmith.com", and you wouldn't be able to find his site and view any content that violates copyright. To do this, I could either send the SOPA request to Network Solutions... or I could send it to the top-level DNS servers -- there's only about 30 of these in the world. By telling each of them to take down the two Network Solutions servers, I am guaranteed to stop people from accessing Smith's site. Of course, those two servers host literally hundreds of thousands of other domain names. But in this theoretical example, I don't mind a "little collateral damage" as long as I stop people from accessing the copyright-infringing content.
Burn The Witch!
So far, I have shown that by going after texansforlamarsmith.com, I can end up censoring content for an entire host, entire domain, entire subnet, or hundreds of thousands of companies. It all depends on where I choose to submit the SOPA notification. But that's not a full "Scorched Earth" scenario. Instead, let's go after lamarsmith.house.gov.
Hmmm... where could I send the SOPA takedown notices?
lamarsmith.house.gov. I could be polite and just ask him to take down any offensive content that might be violating copyright.
house.gov. I could ask the hosting site to filter or remove the offending content. This would block the content or his entire site.
Authoritative DNS. The domain "lamarsmith.house.gov" is hosted by two different DNS servers: chyron.house.gov and mercury.house.gov. I can ask these servers to de-list Lamar Smith's subdomain. That would cut off his entire site.
Top-level DNS (tDNS). The whole "house.gov" domain is managed by a.gov-servers.net and b.gov-servers.net. They manage all of the ".gov" domain. So I can ask them to de-list the entire House of Representatives.
tDNS Network. The .gov tDNS servers have the network addresses 143.228.129.38 and 143.231.1.67. I can contact the various primary routing providers and request that they block access to these two servers. By being unable to access anything.gov, I will ensure that no United States citizen will be harmed by accessing lamarsmith.house.gov. And in the process, I will take the entire US government offline.
But that's just the DNS. What about network access? When you access lamarsmith.house.gov, you are not actually accessing a single server on the web. Instead, the US Government has outsourced hosting to a distributed network company called Akamai. Akamai maintains a distributed network of over a hundred thousand servers, designed to speed content along the last mile to your computer. By distributing content this way, popular stuff on one site won't cause a flood of network traffic that could block connectivity. Companies like Akamai distribute the hosting to nodes all over the Internet.
Remember that "foreign infringing sites" issue from SOPA (Section 102) that I skirted around by taking SOPA's definition literally? Many of Akamai's servers are located outside of the United States. That makes them "foreign" -- now there is no definition issue.
Your domain lookup for "lamarsmith.house.gov" will probably show a different set of network addresses than my lookup since we are on different parts of the Internet. This means that Akamai is distributing these infringing images from thousands of locations. In my case, I see his host as being located at 204.2.171.49 and 204.2.171.58. Those network addresses also host content from College Humor, RealNetworks, the Washington Post, Grammy.com (the official site of Music's Biggest Night), Home Depot, and many other companies. According to Akamai, they handle "a significant portion of World Wide Web traffic -- over a trillion interactions each day."
With one SOPA request, I can take down thousands of very big companies. Or... I could have all of Akamai taken offline since -- without them -- you couldn't access content from lamarsmith.house.gov. Of course, this would also impact every major site on the Internet (and most minor sites) -- Akamai is a huge company and is used by almost everyone. To quote Akamai:
Today Akamai handles tens of billions of daily Web interactions for companies like Audi, NBC, and Fujitsu, and organizations like the U.S. Department of Defense and NASDAQ — powering brand new business models that serve the changing online economy.
Because I have a reason to believe that Lamar Smith has put up content that violates copyright, I can have significant portions of the Internet taken offline as fast as 6 days after SOPA passes.
Making it all possible
By this point, you're probably thinking that no sane company would act on my SOPA takedown notice. I mean, seriously, who would take down Akamai and most of the Internet over one picture hosted on Lamar Smith's website?
The answer is found in SOPA "Title II: Additional Enhancements to Combat Intellectual Property Theft" (beginning on page 54, line 17). Basically, if a court decides that I do have a valid claim, then anyone who doesn't help with the filtering can face very severe financial penalties. In general, corporate attorneys are very risk adverse -- the bigger the company is, the less risk they like to take. If there is a possibility that I have a valid claim, then they will react in order to mitigate their risk from litigation. Besides, Section 104 gives them immunity if they do filter based on the SOPA notification.
So let's say that you are a risk adverse attorney at a big company. You have a choice: filter with immunity, or don't filter and face potentially very large fines -- large enough to worry your stockholders. Of course you will filter; you have nothing to lose.
Uh, oops...
Finally, let's say I went through this entire exercise and the courts decide that I took down the entire Internet without cause. Maybe I made a filing mistake. Maybe Smith wasn't in copyright violation after all. Maybe I overlooked some requirement... Remember: I'm not a lawyer and this is not legal advice. What's the worse that can happen to me?
According to SOPA Section 104 (page 48), I am immune from prosecution in both Federal and State courts because my actions were based on a "reasonable belief" (page 48 lines 14-15), was based on "credible evidence" (page 49, line 2), and was made in "good faith" (page 49, line 1). And what about the service providers that assisted with the unlawful takedown? They are immune as well.
Back to Reality
I do believe that we need better laws to protect intellectual property. However, SOPA doesn't provide any protection -- the content was still stolen, and as this exercise has shown, none of my actions actually caused Lamar Smith to be directly penalized for violating any copyrights. In theory, I can take down the entire Internet because of Lamar Smith's choice of web pictures, and he doesn't even get a fine.
Why is SOPA a bad idea? First, it doesn't solve the problem. And second, it introduces many new and bigger problems.
Although I have been focused on SOPA, try this same exercise with PIPA and OPEN. Those bills are almost as bad. For this reason, I support the Whitehouse's stance on these new bills -- these bills are not the answer. In addition, people like Rupert Murdoch and his supporters clearly do not understand the problem.
By now, you've probably heard that Congress is working on a bill called SOPA -- the Stop Online Piracy Act. This bill is intended to deter copyright infringement. It has the support of nearly every name in the music and movie industry.
However, legal watchdogs such as the Electronic Frontier Foundation, Stanford Law, and the ACLU have all pointed out that this law will not stop copyright infringement and will have a chilling effect on innovation and service offerings across the Internet.
The biggest online companies have also stated that they oppose SOPA: Google, Yahoo!, Facebook, Amazon, Twitter, AOL, LinkedIn, eBay, Mozilla Corporation, Reddit (OMG, did I just acknowledge Reddit?), and many more. GoDaddy was initially a supporter, but after customers began to take their money elsewhere, GoDaddy switched to opposing the bill. Google, Amazon, Facebook, and Twitter have even considered going dark -- offline -- to protest SOPA.
(Wikipedia has a fair review with both pros and cons. I'm surprised and appreciative of the mostly-unbiased evaluation, considering that the Wikimedia Foundation is a vocal opponent to the bill.)
Most recently, a few members of congress have asked the technorati to provide expert testimony regarding the potential impact from the bill. The experts include Alexis Ohanian (Reddit founder), Stewart Baker (former Department of Homeland Security policy director), Paul Vixie (ISC chairman, Internet pioneer, and creator of BIND -- the first and most used DNS server), and Dan Kaminsky (well-known security speaker).
What does SOPA really do?
A lot of people have been trying to summarize the problems with this bill. The bill's sponsor, Representative Lamar Smith (R-Tx), describes it as follows:
The Stop Online Piracy Act specifically targets websites dedicated to illegal and infringing activity. Often based overseas, these websites are called “rogue sites” because they flout U.S. law and face zero legal consequences for their criminal activity. Rogue sites not only steal America’s products and profits; they steal jobs that rightly belong here at home. This bill cuts off the flow of revenue to rogue sites by preventing criminals from selling and distributing counterfeit products to U.S. consumers.
Just this quote by itself should be a red flag that something is very very very wrong. If web sites are "based overseas", then "U.S. law" does not apply. "U.S. law" only applies to the United States. The rest of the world does not abide by "U.S. law" because they are not the United States. Moreover, countries that ignore US law are not doing it in an attempt to "flout U.S. law and face zero legal consequences" -- they ignore it because our law is not their law; they have their own laws.
I'm also concerned with Smith's mixing of counterfeit goods with Internet technologies. Counterfeit goods are physical and tangible; Internet access is not. Moreover, Internet companies can be located anywhere in the world. When you buy an iPhone from Apple (a US company with an online store), the product comes from China. These foreign countries are not "steal[ing] jobs that rightly belong here at home"; they are providing services because US workers are either too expensive or too particular about their jobs. And while counterfeit goods are a problem, US Laws are not going to stop the Shadow Markets overseas. As Robert Neuwirth explained in Wired Magazine, the Shadow Market (or "System D") is a $10 Trillion economy -- the second largest economy in the world. Companies that try to stop this market, instead of embracing it, are doomed to fail.
My Summary
While all of these organizations and people are telling me that SOPA is bad (or attempting to promote their support), I haven't found any that actually enumerate the issues. And while I am certainly not a legal expert, there are some parts of the bill that really bother me. (You can read the official text of the bill here: PDF.)
The very first thing in the bill (Sec. 2(a)(1)) says that this bill is not an attempt to constrain free speech or protected press. Yet, other parts of this bill explicitly contradict this paragraph.
Title I covers definitions. It starts with DNS. (No wonder Paul Vixie and Dan Kaminsky are involved. This is their specialty.) Then it covers various Internet-related definitions. I only spot-checked this section, but nothing alarming stood out.
Section 102 starts the actual focus of the bill. It defines a "foreign infringing site" as one that
"is committing or facilitating the commission of criminal violations punishable under section 2318, 2319, 2319A, 2319B, or 2320, or chapter 90, of title 18, United States Code; and (3) the Internet site would, by reason of acts described in paragraph (1), be subject to seizure in the United States in an action brought by the Attorney General if such site were a domestic Internet site."
This definition really bothers me since it attempts to apply US Law to non-US countries. Moreover, since it cites laws where it would be illegal if it were done here, why do we need another law that would still make it illegal? This law provides no new protections.
Chilling Effect
Section 102 (pages 10-14) basically states that infringers must be given notice. However, there is a problem here. This law completely bypasses the legal system. Simply saying that someone is infringing is enough to send a notice. There is nothing about proving that they are infringing, resolving conflicts with Fair Use in the copyright act, or even requiring that a court of law must make the infringement determination. This is guaranteed to be abused and will cause a chilling effect.
Censorship
Page 14 (still Section 102) has a huge issue. It states that domain registrars and hosting providers must take steps to block access when given an infringement claim. The bill even goes so far as to say, "including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name’s Internet Protocol address. Such actions shall be taken as expeditiously as possible, but in any case within 5 days after being served with a copy of the order, or within such time as the court may order." There is no question here -- this is censorship. If someone sends an infringement notice, then the ISP, hosting provider, and/or DNS registrar must take action.
De-listing at the DNS level takes down an entire domain, not just a single web page. If even one person puts up a potential copyright infringing image or document on a public web site like Google, Yahoo!, Facebook, or Flickr, then that entire domain might be taken down. The law doesn't say that the complaint must be sent to the narrowest focus (whoever hosts the individual file). It only says that it must be sent somewhere. If you send it to the DNS provider, then they have 5 days to comply and take google.com offline.
Blocking Internet access to content outside of the United States has one other limitation: it won't work. The Internet was designed (with US Government funding) to route around disruptions and filters. It was designed to retain connectivity in the event of a nuclear attack. Filters and attempts to restrict access will not remove content; the Internet will simply route around the blockage. Even name resolution systems like DNS are not essential. There are plenty of darknets (networks that operate separately from, or parallel to, the Internet). The absolute worse case is that filtering will drive these providers a little more underground, and eventually -- through popularity -- increase their visibility.
Bypassing Due Process and Oversight
There is another problem with forcing companies to take the enforcement action: Internet companies are not police officers. The Internet was designed for connectivity, not disconnectivity. Without legal oversight, a company can easily go rogue -- blocking competitors or suspected infringers. While I have repeatedly criticized ICANN for failing to enforce their policies, placing the enforcement of DNS into the end-company's hands is a very bad solution. For example, if you don't like a particular domain, then you can have them de-listed in some of the top-level domain servers without de-listing them everywhere. This partial blocking will break DNS since DNS is intended to serve the same information to everyone. Conflicting DNS entries will only cause problems since your lookup results will vary based on who responds to the query first. (A little cache delay is supported by DNS. Long-term cache conflicts are not.)
Section 102(c)(2)(B) (page 15) gives the same requirements to Internet Search Engines. This means that you are not only blocking access to the domain (assuming the site is still in DNS), you are also stopping it from being indexed or returned as a result. Section 102(c)(2)(C) targets payment services like eBay and PayPal. 102(c)(2)(D) goes after ad services (e.g., Google Ads).
Immunity
Section 102(c)(5) (page 21) introduces another huge problem. It discusses immunity from litigation. In particular, 102(c)(5)(B) says that any person or company that complies with a takedown notice is immune from suit based on their actions. That's right, if you help enforce censorship of foreign web sites then you are above the law and untouchable.
Section 102 is just screaming for abuse. It will become trivial to take down web sites. For example, plant some copyright information on google.com and then flood Google with thousands of takedown requests -- only one of which is for the copyright violation. After 5 days, you can have Google taken offline. This same trick will work with DNS providers like GoDaddy, hosting providers like Amazon's cloud, and content providers like Facebook.
No Owner Requirement
Amazingly, nothing in Section 102 says that the complaint must be made by the copyright holder. Anyone can file a complaint. Moreover, while it mentions "courts", it doesn't say that they must be US courts. A foreign company can file a complaint just as easily as a local company. And since foreign laws are not like our laws, you might actually be in violation (if you were in their country). I can fully see China, Iran, and Saudi Arabia (as well as other countries) submitting takedown notices since criticizing their governments are illegal actions. (They don't have the same free speech laws as us. Well, us without SOPA. So their complaints do not result in a violation of the First Amendment.)
I remember reading about an Australian teen who sent bogus DMCA takedown notices to Google. Google, in turn, took the offending videos off of YouTube. The teen had no claim to these videos, and the actual video copyright holder had wanted the videos to remain up (for advertising their TV show). This abuse happened under DMCA, but SOPA would have a much wider reach. So what would happen under SOPA? Since there is no judicial oversight, and no requirement for the complaint to come from the content owner, Google would have 5 days to take it down. Fortunately for Google, they would be immune to any lawsuit based on their enforcement of a SOPA complaint.
But let's give SOPA the benefit of the doubt and assume that the content is in violation of copyright or is illegal, and it is the entire site, and it is harmful, and it should be taken down. The whole concept of blocking partial access -- so nobody in the United States can get to it -- fails to solve the problem. The content still exists and other people can still get to it. This is the ostrich approach: if you don't see it, then it must not exist. The real, vigilante solution is to retain access and DoS the site into oblivion. This is what spammers did to Blue Security -- a company that ended up being dropped by multiple service providers before going out of business. With SOPA, anyone can play the role of the spammers and cause any company to lose Internet access and go out of business.
Scope
Section 103 (page 25) identifies "sites dedicated to theft of U.S. Property". The bill defines the scope as "an Internet site, or a portion thereof, that is a U.S.-directed site and is used by users within the United States". Since the United States doesn't have any official language, this means that any site anywhere in the world is as a potential violator.
Without SOPA, we have companies like Ralph Lauren sending DMCA takedown notices to web services that use their photos for criticism or news reporting -- acceptable uses under copyright Fair Use. However non-US companies, like Boing Boing, would just ignore it since US law (DMCA) does not apply to their Canadian company. With SOPA, Ralph Lauren can have the domain "boingboing.net" taken offline or made inaccessible to people in the United States.
Counter Notices
SOPA does describe a process for a counter notification (Section 103, page 25). That is, if a provider receives a takedown notice, then a counter notice may be provided to leave the site up. But there's a timing problem. First, the takedown recipient (DNS, service, payment, or hosting provider) only has five days to act on the takedown before they are in violation of SOPA. Yet, notification must be written and submitted from a foreign entity. If all network access is cut off, then they cannot email the counter notice. And the US Post Office cannot deliver an international letter in under 5 days. In other words, an authentic counter notification may not be delivered in time.
Immunity for Vigilante Justice
Section 104 (page 48) is guaranteed to lead to the most abuses. It says:
No cause of action shall lie in any Federal or State court or administrative agency against, no person may rely in any claim or cause of action against, and no liability for damages to any person shall be granted against, a service provider, payment network provider, Internet advertising service, advertiser, Internet search engine, domain name registry, or domain name registrar for taking any action described in section 102(c)(2), section 103(d)(2), or section 103(b) with respect to an Internet site, or otherwise voluntarily blocking access to or ending financial affiliation with an Internet site, in the reasonable belief that -
(1) the Internet site is a foreign infringing site or is an Internet site dedicated to theft of U.S. property; and
(2) the action is consistent with the entity's terms of service or other contractual rights.
That's right: anyone who voluntarily helps enforce a SOPA takedown notice -- even if it hasn't been proven to be a legitimate request -- is immune from prosecution. You just have to say that you thought it was legitimate.
Similarly, Section 105 (page 48) addresses sites that impact public health. It says that a provider is immune if they takedown a site or domain or entire company when they believe there is "credible evidence". Moreover, they will be immune from liability for their actions.
Section 104 and 105 completely bypass "due process" and the entire legal system. If you act in what you claim to be good faith, then you are immune from legal prosecution.
Unrelated Additions
Title II (pages 54-78) attempts to update existing copyright, espionage, and intellectual property laws. They mainly modify penalties. However, if the action is already illegal, then making it more illegal won't stop it. And since most people don't know what the current penalties are, making penalties more severe is not a deterrent. But more importantly: if the alleged illegal action is happening outside of the reach of US law enforcement (i.e., in another country) then these updated penalties will have zero effect.
Supporters
There is a list of SOPA supporters. Many of these companies are already known to abuse DMCA takedown notices. This includes Universal Music, Sony, and Warner Brothers. According to a study by USC/Berkeley, nearly a third of all DMCA takedown notices are improper.
While some of the supporters are known to abuse the existing laws, others were either late in the game or still haven't embraced an Internet-enabled economy. (I'm including nearly the entire music and movie industry here, as well as most of the publishers who are listed.) These are either companies that don't understand what they are supporting, or are refusing to adapt to the new Internet economy. There's no going back to the 1900's.
I couldn't help but notice that that the PDF document listing supporters has the title "TALKING POINTS: RAMOS AND COMPEAN". As far as I can tell, this refers to Ignacio Ramos and Jose Compean -- two border patrol agents who killed an unarmed immigrant in 2006 and had their sentences commuted by Bush in 2009. The title is unrelated to SOPA and seems to indicate that Lamar Smith likes to recycle old content or isn't paying attention to what he is doing.
The author of the PDF is listed as "kims". I think this refers to Lamar Smith's assistant, "Kims Smith". (Yes, the reference is titled, "Smith: Keep Texas Safe from Gitmo Detainees" -- so Lamar Smith is clearly showing a level of xenophobia on par with Kim Jong Il.)
Vote No
SOPA explicitly bypasses the judicial system, requires enforcement by commercial organizations, attempts to apply US laws to foreign countries, and fails to understand the nature of the Internet. Its sponsor, Lamar Smith, does not think the bill's critics have any legitimacy.
Thirty years ago, we were not surprised that most of congress was computer illiterate. Twenty years ago, we laughed when President George Bush was amazed by barcode scanners found in everyday life. Five years ago we were stunned by Ted Stevens' lack of technical knowledge (series of tubes), particularly since he chaired the United States Senate Committee on Commerce, Science and Transportation.
Today, ignorance of the Internet is no longer a joke or an excuse. Lamar Smith clearly does not understand the basics of a global economy, impact of national laws on a world-wide network, or even how content on the Internet is access, distributed, or -- yes -- even filtered. He wants to undermine the judicial system and give immunity to vigilantes and "volunteers". Moreover, he wants to establish a national content filtering system similar to those found in China, Iran, and North Korea -- content that potentially violates the national law will be removed or made inaccessible to people in our country.
Smith recently announced a desire to be re-elected. In my opinion, he should NOT be re-elected. Moreover, he should step down now.
I've been looking at a lot of advertisement-related images lately. (Yes, this is work related.) The issue that I've been fighting with is that many of the pictures look different depending on the viewing tool. Firefox, Gimp, Photoshop, Safari, Corel Painter, and even Microsoft Photo Viewer can display the exact same picture with completely different colors.
Turns out, the problem is due to the color space. Pictures on the monitor are displayed using RGB (red, green, blue). This is an additive color space. This means that a lack of color is black and we add in different amounts of R, G, and B in order to achieve the desired color. If you maximize the value of all three color components then you see white.
However, in the print industry they rely on a subtractive color model. Ink absorbs visible lightwaves and our eyes see whatever colors are reflected and not absorbed. The lack of any color means everything is reflected; white means no pigments. If you want to see red, then you add in pigments that absorb green and blue, leaving red to be reflected. The opposite of red is cyan (a greenish-blue color). Green's opposite is magenta, and blue inverses to yellow. This defines the CMY color space.
A is for Apple, B is for Banana, ... K is for Black
Numerically it is trivial and lossless to convert between RGB and CMY. If R is in the range [0:1], then C=1-R. Similarly, M=1-G and Y=1-B; and R=1-C, G=1-M, B=1-Y. No problem. Except... When it comes to printing, you don't want to put in a ton of red, green, and blue ink in order to make a dark color. Instead, you can use a base color, like black. To make a dark red, you would mix a little cyan with a little black instead of mixing a little cyan with a lot of magenta and yellow. Since "B" is already taken by the abbreviation for Blue, "K" is used for black. CMYK is a four-color system that mixes cyan, magenta, yellow, and black.
And that's the problem... How do you combine the black level (K) with C, M, and Y to return the original R, G, and B colors? As it turns out, there is no consistent method or universally accepted algorithm to compute K from RGB or to combine CMYK to determine the RGB equivalent. There are lots of different algorithms and none of them are wrong. The only time it is "wrong" is when one algorithm is used to convert RGB to CMYK and a different algorithm converts CMYK back to RGB. Sadly, this mixing happens all of the time.
Your Village Called...
When a JPEG stores a CMYK image, it usually stores a minimum amount of information. Specifically, it encodes four color channels. Technically, they are encoded as YCCK -- shorthand for YCbCr with K. When decoding, most JPEG libraries will convert the YCC component back into RGB -- that's how a regular JPEG works. Since there is an extra color channel, they just append it, yielding RGBK. And since there is a direct correlation between RGB and CMY (without K), we can apply the conversion and call this CMYK.
However, there are a few JPEG libraries that don't know what to do with "K". They treat the extra value as an alpha channel (A) for identifying transparencies. So although the returned image is supposed to be treated as CMYK, it is actually handled as RGBA or CMYA. Some graphics programs, like ImageMagick, dispose of the alpha channel; since K is lost, you only see CMY/RGB.
But the technical gotchas doesn't stop there. Adobe typically reverses the color order. Instead of seeing RGB, you see BGR (blue/green/red). Similarly, CMY becomes YMC. And confusing K and A gives you YMCA. (It's fun to play with the YMCA...) The net result is that colors can look completely wrong if the library doesn't handle YCCK properly. The image can look faded (no K) and/or have a mixed-up palette (BGR instead of RGB).
Can't Cut the Mustard
Assuming you work out the decoding cases, there is still the basic problem of rendering the image on the monitor. The CMYK needs to be converted back to RGB, and that depends on the K algorithm. If you know what algorithm was used to create K, then you can reverse it and see the correct colors. But if you don't know the algorithm, then you'll need to guess... and you will probably guess wrong.
To give you an idea of the different algorithms, I'll use a test picture from Heinz that I found on the web site Ads of the World.
If you view the full-size picture with different web browsers, you'll probably see different colors. What color you actually see depends on the algorithm used to combine K with CMY.
None
The simplest algorithm is to simply ignore K. This is the only "always wrong" algorithm, but it is good enough for libraries that don't support CMYK images. (In contrast, some program simply complain that they don't support CMYK.) The result is a very washed-out image.
Linear
A linear combination is a very simple and computationally inexpensive algorithm. It is best used when black ink is your cheapest color. The black level is determined by maximizing the common portion of C, M, and Y. This pulls out the dark. (Typically a little bit of color is kept, but the amount of K is maximized.) However, if you apply a linear combination algorithm for the CMYK to RGB conversion when K was not derived from the linear algorithm, then you will end up with a very dark picture because you add in too much black.
RGB to CMYK:
K = Min(1-R,1-G,1-B)
C = (1-R)-K
M = (1-G)-K
Y = (1-B)-K
CMYK to RGB:
R = 1-(C+K)
G = 1-(M+K)
B = 1-(Y+K)
Linear is the default algorithm used by OpenOffice and it's variants, like NeoOffice. If you open this picture in OpenOffice, you will see this dark version of the image. Now, keep in mind, the linear algorithm isn't wrong! It is a perfectly fine option if you don't know what algorithm to use. (I am not recommending that OpenOffice change their code.)
Blending
The blending algorithm is typically the best-in-class option for when you don't know what algorithm to use. It makes colors appear a little brighter. Rather than adding in a linear amount of black, the amount of black is scaled based on the amount of available color:
K = Min(1-R,1-G,1-B)
C = ((1-R)-K)/(1-K)
M = ((1-G)-K)/(1-K)
Y = ((1-B)-K)/(1-K)
and the inverse:
R = 1 - (C×(1-K))+K
G = 1 - (M×(1-K))+K
B = 1 - (Y×(1-K))+K
While the overall color looks close to the original image, his sleeves are more greenish than blue and his collar looks bright red.
Blending is about the best you can get without using a color profile. However, if the encoding used Linear, then decoding with Blended will make pictures very faint.
Profiles
There are these really complex structures defined by the International Color Consortium called ICC Profiles. Rather than using a simple equation to convert between RGB and CMYK, color profiles can define anything from a set of complex matrix transforms to massive lookup tables. Using an ICC Profile, you can specify a non-linear transformation that better represents the physical absorption properties of the ink.
If the JPEG contains an ICC Profile, then you can apply the profile and see the intended colors. (Popeye includes an ICC Profile.) However, not all web browsers support embedded ICC Profiles, and even the ones that do provide support don't seem to support all of the different profile configurations. Basically, the support just isn't there yet. For now, profiles are better used on pictures for graphic programs, like Gimp and Photoshop, than on pictures intended for the web.
But let's assume that you are using a program that fully supports color profiles. You may still be seeing the wrong colors. This is because there are plenty of CMYK JPEG images that lack an embedded ICC Profile. So what is a good default if you support color profiles but the image doesn't provide one? Apple uses a generic CMYK profile. Adobe CS4 and CS5 both use generic Adobe CMYK profiles, but neither uses the same generic profile. Here's what Popeye looks like if it is missing the embedded ICC Profile. I rendered it using the default Apple, Adobe CS4, and Adobe CS5 profiles and then saved the results as a lossless PNG:
Each of them is good enough to render the image. However, each displays the image with different colors. (If they all look the same to you, then try using a better monitor or move off your mobile device and use a real computer.)
The Devil Wears Muted Prada
Now, I can totally understand the need to convert from RGB to CMYK for printing. (Some printers even use more than four colors in order to print higher quality images with better color representation.) The conversion, especially when tuned for a specific printer, can greatly enhance the final printing. However, a lot of the publishing industry seems to be focused on using CMYK all of the time -- because it is the in-thing to do and not because it is practical or yields better results.
For example, the following picture is from the Vogue web site. It was featured on Photoshop Disasters because someone is missing a leg. However, I could help but notice the two gargoyles, shelf with skulls in an empty greenhouse, and, oh yeah, the completely washed-out coloring.
In this case, the JPEG on their web site is a three-channel image: YUV which renders to RGB; there is no black level. However, it has the same washed-out look that happens when a CMYK image is encoded with a color profile and decoded using the wrong algorithm. We can even see this in the RGB color space map:
Notice how the darker area bends away from true black (lower-left). That type of curve is typical for an incorrectly converted CMYK image. This means that someone at Vogue (or between the photographer and the web site) took a CMYK image, applied the wrong K-transformation, and then saved the result as a regular RGB JPEG. The transformation lost color and makes the image appear flat and uninspired.
However, this is not the only example of a washed-out image at Vogue. I took a screenshot of the front page at www.vogue.com:
Notice how the left and right columns have bright, vibrant pictures. Yet, the central image is dull and washed out. The blacks are not black, blues are muted, and surfaces lack detail. That center picture is another "was CMYK but converted to RGB for the web" that applied the wrong CMYK algorithm. I'm sure that the real picture was sharp and bright and spectacular, but the one on the web is dim and lackluster. And nobody at Vogue seems to have noticed that these dull photos are all over their web site. Seriously, follow the links on their site and you're bound to see them. While there are plenty of full-color images, the "CMYK to RGB wrong" images really stand out. (Look for the faded blacks and fabric without texture. The texture vanishes because minor color permutations that create the representation of texture are all converted back to similar colors without enough variation to recreate the texture.)
What Vogue needs to do is either (1) stop sending CMYK ready-for-print pictures to their web staff, or (2) use the same program that created the CMYK image to generate a color-correct RGB image. But really, you shouldn't need to covert to CMYK until just before you print. This way, you'll retain all of the vibrant colors in your fashion-forward photography. Otherwise, photos of Tangerine Tango (Pantone's Color of the Year for 2012) will end up looking more like Papaya Whip or Persian Orange. (Heh, look at me, giving fashion advice to Vogue!)
Update 2012-01-07: I just rechecked the Vogue website. Interestingly, since this blog came out, they have updated their site and now it is very hard to find any of the "CMYK-to-RGB wrong" images. Granted, they update their website frequently. However, I've been watching their site off-and-on for over a year. (They are always a great site to find examples of photoshopping. Right up there with Victoria's Secret and Ralph Lauren.) This is the first time I have ever seen their entire update missing the "bad CMYK conversion" images.
