Marking Copies of Fonts

Suppose a foundry marks each copy of the fonts it ships to clients with some unique key buried somewhere in the metadata, such that if an illegal copy is found, it's possible to trace its source.

Have you ever heard of something like this?
Do you think this would be a good idea?
«1

Comments

  • It definitely wouldn't work for web fonts. Any user can download a WOFF/WOFF2 file from a website—so I'm not sure what a embedded ID somewhere in the file would achieve.

    I guess you're thinking more about OTFs though right?
  • Ori Ben-Dor
    Ori Ben-Dor Posts: 386
    Yup.
  • Ray Larabie
    Ray Larabie Posts: 1,436
    I'd like to see that just for curiosity's sake.
  • James Puckett
    James Puckett Posts: 1,998
    IIRC Letterhead fonts tried this at one point and it was not well received. And  just because the font can be traced to a purchase doesn’t mean that the purchaser released it on a pirate font site. Every time they send a job to print someone else gets a copy. 
  • Ori Ben-Dor
    Ori Ben-Dor Posts: 386
    Wow, I'm surprised someone has actually tried that.
    This is an interesting story, and a bizarre one.

    By the way, if I'm ever going to do that (which I'm not), I think I won't use some metadata field, but some glyph. It's more cool :)
  • George Thomas
    George Thomas Posts: 647
    edited April 2017
    ...I won't use some metadata field, but some glyph...

    That's been done too. Why waste your time when it could be more productively spent? Trying to catch a pirate, unless you have a large quantity of fonts at risk, is not time well spent.


  • John Hudson
    John Hudson Posts: 3,227
    And  just because the font can be traced to a purchase doesn’t mean that the purchaser released it on a pirate font site. Every time they send a job to print someone else gets a copy. 

    The point of serialising fonts with licensee data isn't to trace the source of pirated versions but to be able to clearly identify unlicensed use. In this respect, serialising fonts is no different from serialising other forms of software.
  • And  just because the font can be traced to a purchase doesn’t mean that the purchaser released it on a pirate font site. Every time they send a job to print someone else gets a copy. 

    The point of serialising fonts with licensee data isn't to trace the source of pirated versions but to be able to clearly identify unlicensed use. In this respect, serialising fonts is no different from serialising other forms of software.
    But technology-wise, there is a vast difference. I can code in various copy-protection schemes and checking mechanisms into an application. I can then attempt to prevent even the installation, run-time checking, etc. by unauthorized people. (Which can still be broken, sometimes in seconds. It's happen to me over the years.)

    One cannot practically do that with a font. With fonts it is more like trying to find who removed the proverbial needle in the haystack after it has been found and moved elsewhere. Unless a license holder admits to releasing a font in the wild, it would be incredibly difficult (impossible) to identify the perpetrator. Without knowing who actually did the deed, one cannot really do much about it. Even if one knows, there is little to be done.

    I'm a pessimist when it comes to this issue. It's going to happen and there is nothing preventative I can do about it and can only hope some sites would honor a take down notice. This subject has paralyzed me in fact. I'm sitting on the first commercial fonts I have made since the 1980s/1990s. If and when I do release them, I don't want them out and about illegally for at least a couple weeks...

    Sorry for the pessimistic first post.

    Mike
  • Mark Simonson
    Mark Simonson Posts: 1,739
    Well, you won't have any chance of making money from fonts you never release.
  • Truer words haven't been spoken, Mark.

    And I will release them. I haven't decided the who to sell through nor even pricing yet. And then there is that hesitation to overcome. But I will. Probably. Maybe...else I'll keep using them for layout work.
  • John Hudson
    John Hudson Posts: 3,227
    edited April 2017
    One cannot practically do that with a font. With fonts it is more like trying to find who removed the proverbial needle in the haystack after it has been found and moved elsewhere. Unless a license holder admits to releasing a font in the wild, it would be incredibly difficult (impossible) to identify the perpetrator.

    Again, and as I said, serialisation is not about identifying a 'perpetrator' responsible for distributing a font illegally. It is about being able to say to someone using the font 'Excuse me, but this font is not licensed to you. Please pay for a license.'
  • Yes, John. Agreed. I worded the dumb analogy wrong.

    But how are you even going to know the font is being used in the wild and who is using it?
  • yanone
    yanone Posts: 130
    But how are you even going to know the font is being used in the wild and who is using it?
    For webfonts, either by coincidence (friends and family send me links to sites that use my fonts all the time) or by future (or even present?) web crawl technology.
    I could probably write a simple web font crawler in an hour and a list with the internet’s most popular web sites should also be easy to find.

    Anyway, I find it a very good idea to tag all outgoing fonts for detection of illegal use, as John said. I plan to integrate a subsetter into my future online shop, so that's a very convenient place to add the tag.

    By the way, thinking about it, what do you think about this:
    Like what Mark said, but less offensive. Put the licensee's company/name into the font and forbid him via EULA to remove the tag (which is probably already the case in most EULA's). Then, if you find a font without a tag, it's probably also unlicensed.
    Or is an encoded/non-human-readable string better?
  • We tag our web fonts. The order number is included in a namerecord similar to how Font Squirrel does it.

    We've found it useful for checking to see if a website is using a properly licensed font, or for diagnosing font problems (i.e. customer made some dumb modification and now the kerning is gone). 

    We don't tag our desktop fonts, but I wish we did. I can think of several times where being able to verify the legitimacy of a license, or even knowing an approximate date when the font was issued, would have been very helpful. 

    Slightly off topic: I LOVE that FontForge and Font Squirrel include breadcrumbs in the fonts they produce. Being able to crack a font and see that it's been modified is super helpful for tech support. 
  • yanone
    yanone Posts: 130
    edited April 2017
    So we’re talking about a checksum. How would one go about that technically?
    If you’re writing a simple checksum of the entire file into the file, the checksum of the file changes. So it needs to be done table by table. But how?

    By the way, thanks for that discussion. I'm now determined to do it for all the fonts I'm going to deliver.
  • Simon Cozens
    Simon Cozens Posts: 752
    edited April 2017
    Each table has a checksum already. Why not just use that?

    $ ttx -l Coolangatta-Regular.otf
    Listing table info for "Coolangatta-Regular.otf":
        tag     checksum   length   offset
        ----  ----------  -------  -------
        CFF   0x33C11B8E    11531     3596
        GDEF  0x0D6B0E4F      176    15128
        GPOS  0xD3A2D170     4168    15304
        GSUB  0x63027664      414    19472
        OS/2  0x693A809F       96     1432
        STAT  0xCC1FE487       62    19888
        cmap  0x47E1FE1E     1436     2128
        head  0x0C4DE7E2       54      228
        hhea  0x06740475       36     1396
        hmtx  0x55282F8B     1112      284
        maxp  0x01165000        6      220
        name  0x2325C533      600     1528
        post  0xFFB80032       32     3564
  • Ori Ben-Dor
    Ori Ben-Dor Posts: 386
    What exactly does Font Squirrel do?

    And I'm not sure I understand what checksum has to do with marking copies: Unless you're serializing copies using some unique tag, all copies will have the same checksum, and if you do have a unique tag, you don't need the checksum. Checksum can help you detect if a copy has been modified, but then again, if it has, you don't need checksum to be able to tell that, you can simply use diff or so. What am I missing?
  • yanone
    yanone Posts: 130
    Right, the checksums are for modification detection only. In my case, wanting to offer fonts online with a subsetter, there is no one file that I can diff against. Each file could be different and need to be 'signed' on the fly.
  • In steganography, information is hidden for example in images or audio files. The least significant bit of an image pixel or an audio sample can be used to encode a piece of additional data.

    Applied to fonts, you could put in a @yanone logo with a rough outline, and the point positions would differ slightly in each sold font. Only you would know the original outline and be able to extract the information encoded in the point coordinate differences.
  • yanone
    yanone Posts: 130
    That's pretty cool, but is there a practical advantage over putting the information in the font openly, such as in a name table entry? I would encrypt my checksum string so that a modifier can't repeat the string creation for modified tables, and leave it at that. The user is already forbidden by EULA to modify the fonts, so a missing checksum already breaks the warranty.
  • Ori Ben-Dor
    Ori Ben-Dor Posts: 386
    You don't need a logo with rough outlines to hide information. If any glyph has a horizontal/vertical straight segment, you can simply add extra points in the middle of it. If such a segment is N units long, there are 2^(N-1) different ways to place extra points along that segment, so even really short segments are all you'll ever need :smile:
  • Kent Lew
    Kent Lew Posts: 944
    I did this once, on a lark. I was asked to donate gratis copies of Whitman for use by students only for projects within the context of a particular design course. I added specific extra points along the vertical edge of one serif of one of the capitals (in addition to a name mod).

    If I ever care to inspect some free font version roaming around out there and find these extra points, then I’ll know that it originated from that classroom.

    a) I’ll probably never bother to do that, and b) there won’t really be any practical recourse. But at least I’ll know where it came from.

    And I suppose I would then be able tell that instructor that his best efforts to impress upon his students the value of fonts and educate them against sharing will have failed.
  • You don't need a logo with rough outlines to hide information. If any glyph has a horizontal/vertical straight segment, you can simply add extra points in the middle of it.
    But that would look suspicious. If somebody cracks open the font, notices the extra points and removes them, the extra information is gone ;)
  • Thomas Phinney
    Thomas Phinney Posts: 2,896
    I'll just note that AFAIK, every possible technique mentioned in this thread has actually been used by at least one foundry in the wild.

    One of the major foundries used to put a license number in the metadata of every font they sold online, at time of purchase. (Not sure if they still do or not.)
  • Put the purchase (transaction) and the license on the blockchain and put a reference to that transaction in the font file as metadata. (Ethereum)  Anyone can verify who purchased it, when and what rights were allowed. I'm convinced this is how licensing will be done in the future. Cryptocurrency will also allow for micropayments, (think .0001 cents per use of a font on a webpage) with the font served cheaply with redundant decentralized nodes, including automatic royalty splits with smart contracts.
  • http://po.et has an implementation of this very concept.
  • Thomas Phinney
    Thomas Phinney Posts: 2,896
    edited January 2018
    Cryptocurrency will also allow for micropayments, (think .0001 cents per use of a font on a webpage)
    No, the opposite is true, to date. Cryptocurrencies have many advantages, but payment overhead is their biggest weakness, today at least. The costs of cryptocurrency transactions are very high. Never under $10, and averaging $28 per transaction. So, something like a factor of 30-100x the overhead of alternatives.
  • James Puckett
    James Puckett Posts: 1,998
    edited January 2018
    Put the purchase (transaction) and the license on the blockchain and put a reference to that transaction in the font file as metadata. (Ethereum)  Anyone can verify who purchased it, when and what rights were allowed.
    Why does anybody need to verify font licensing rights with crypto? OS or software based font DRM system built on blockchain is a hopeless cause. We saw that when some type foundries tried to get DRM and/or licensing data built into web fonts. If the blockchain system is going to use the licensing data to handle serving fonts like Typekit it doesn’t require a blockchain. That stuff can be stored in a database without needing the extra overhead of crypto. To me po.et’s idea sounds like someone spouting nonsense about disrupting existing systems with blockchain to get the attention of gullible investors.
  • Thomas, you are thinking of Bitcoin, which, it is fair to say has expensive transaction fees. Ethereum's transactions are 1/20th of that right now, and with scaling technologies on the horizon will be much less. Bitcoin is Myspace, Ethereum is Facebook.

    James, you might want to look at IPFS, which solves the problem of centralized server downtime (Typekit) since the font files are distributed to the point that they are served at a city level.


    A blockchain, being an immutable record solves licensing issues. What license does your customer have? Who knows, but with a blockchain you can instantly verify the rights that were purchased, regardless of the distributor. Server, desktop, web, etc. 

    Cryptocurrenty will allow us to presell fractional rights of typefaces, have smart contracts instantly perform royalty splits, or crowdfund exotic typefaces with limited market appeal - these are just the easy ones.

    We have a problem with centralization and typefaces. Those databases and servers can and do go down. As far as the business aspect, Monotype anyone? Breaking that monopoly will require a 10x solution, and cryptocurrency is the best option on the horizon.