The Center for Democracy and Technology (CDT) today released a white paper
called Privacy Principles for Digital Watermarking. The paper, available
freely on CDT's website, lays out a set of guidelines for implementers of watermarking
technology aimed at addressing privacy concerns when watermarks are used to
embed personal data.
The paper lays out eight principles for maintaining personal privacy in
watermarks. Some of these are straight out of the information privacy
playbook and apply to a wide range of technologies, such as "Provide notice to
end users" and "Provide reasonable access and correction procedures for
personally identifiable information."
Yet others are specific to watermarking. For example, "Avoid embedding
independently useful identifying information directly in watermark": in other
words, make the watermark scheme depend on looking up an otherwise meaningless
number in a proprietary database. This principle falls in naturally with
the nature of most digital watermarks, which cannot hold enough data to contain
meaningful personal information anyway.
Another interesting example is "Control access to reading capability," i.e.,
make it so that members of the general public cannot easily obtain technology to
detect watermarks or interpret their payloads. This issue came up indirectly
a year ago when DRM-free music tracks on Apple's iTunes were found to contain
plainly readable headers with personal information about iTunes users. In
a case like this, watermarking could actually benefit the user by making such
information harder to read.
CDT received input for this white paper from a variety of sources, ranging
from the Digital Watermarking Alliance (DWA), the trade association of
watermarking technology vendors, to the Electronic Frontier Foundation (EFF).
The neutrality of tone in this paper reflects the intersection of interests of
the parties that contributed expertise and/or funding to CDT's research.
The paper says little about specific watermarking applications; in fact, the
first sentence in the introduction is "Digital watermarking technology is a
general‑purpose technology with a wide variety of possible applications."
The DWA, for example, is application-agnostic; its interest is essentially to
see watermarking deployed as widely as possible.
The paper takes the position that although watermarking has already been
deployed in various applications, the technology's privacy implications have yet
to be explored. Thus, the paper is intended to serve as a proactive or
"prophylactic" set of guidelines for would-be implementers, with the implication
that future implementations will be held up against the privacy guidelines.
It is true that the privacy implications of watermarks are currently
untested. The music industry, for example, is starting to experiment with
watermarks for unencrypted MP3 files, but those purport to contain only
information about the retailers where the files are sold (such as Amazon or
Wal-Mart). There are a few real-world examples of so-called transactional
watermarking, wherein a file is marked with the identity of the downloading user
or device. One is Cinea's Running Marks, which is being embedded into
set-top boxes for digital video; another is Activated Content's watermarking
scheme for pre-release music files.
There may be other transactional watermarking schemes in operation today that
are kept secret, in part to avoid outcries over privacy. Certainly the
deployment of transactional watermarking in the media industry is being held
back by privacy concerns (from content owners as well as consumer advocates),
and that's another reason why the DWA is particularly interested in this work.
If service providers or device makers can show that their implementations adhere
to the CDT privacy principles, then they will effectively get a seal of approval
-- from no less than the EFF -- that users ought not to be concerned about
privacy.
We are not privacy experts, but still, this white paper looks like a very
worthwhile and helpful piece of work. It is a worthy successor to CDT's
outstanding 2006 work on evaluating DRM systems from consumers' perspective.
It continues to
position CDT as one of the few reasonable moderate voices among the often
cacophonous crowd of partisans inside the Capital Beltway, an organization that
refreshingly does not confuse technology per se with the interests of entities
that may abuse it.