Why Photoshop doesn't provide secure metadata

Certain feature requests come up over and over, and customers wonder why Adobe doesn’t address them.  In many cases it’s a matter of time, resources, and priorities
(i.e. good idea, we just haven’t gotten there yet).  In other cases, however, there are conceptual issues that make addressing the request impractical or impossible.

One of those cases concerns something that seems simple: letting Photoshop users apply copyright & other info, then lock it so that it can’t be removed.  Photographers in particular request this capability year in and year out.  Unfortunately there are good reasons why things don’t work as desired.  If you’re interested in the details, read on for an explanation from Photoshop architect Russell Williams.

If I understand what you’re looking for — a way to distribute your image so that somebody can’t strip out the copyright, the only way to come close is to embed the copyright in the image with a watermark, either visible or invisible. Digimarc can do it with a mostly-invisible watermark. The less visible it is, the less robust it is to image manipulation.

It’s not just that the capability is lacking in Photoshop to attach a non-removable copyright. It is not logically possible to put a copyright notice in metadata (not embedded in the image data) in a way that it can’t be removed.

If the image data is accessible to someone, there’s no way to force them to keep the copyright notice with it. There are lots of programs that will open and re-save JPEGs, TIFFs, and even PSDs.  It would be trivial to produce a version that doesn’t save the copyright with it.  Not to mention metadata editing programs that can just remove or change arbitrary metadata. There’s no way to stop somebody from using one of those programs.

Even if they don’t happen to have a program that will re-save the image without the copyright or edit the metadata, they can always "print to PDF" out of any program that can open the image, or even show the image at 100%, do screenshots while scrolling around the image, and reassemble it. If they can see it, they can remove any attached copyright notice.

Everything else comes down to only sending the full resolution version to people you trust, because anybody who has the full resolution version can strip out any associated metadata.

You can send out two versions together, one encrypted and one not encrypted — a low resolution unencrypted version and a high resolution encrypted version, or a visibly watermarked unencrypted version and an unwatermarked encrypted one. Of course anybody who’s going to legitimately decrypt the encrypted version has to have the matching software to do it.

Acrobat 7 or later will let you attach an arbitrary file to a PDF and encrypt only the attached file. You could send out a low resolution or visibly watermarked PDF and attach the full PSD to it in encrypted form. Anybody with a PDF reader can get the low resolution version, but getting the high resolution version out requires opening it with Acrobat and extracting the attached file with the required password. You can do essentially the same thing with any password utility and WinZip or similar program to package the two files together.

That approach is cryptographically secure — hackers can’t work around the password. This is true because it’s fundamentally different from the "PDF permissions" password or the DVD or iTunes protection schemes. In those schemes, the data has to be decrypted in order to be displayed, played or used, and you’re relying on the software to prevent the user from doing something you don’t like with the data once it’s decrypted. But once it’s been decrypted for any reason, it’s vulnerable to hacking, screen shots, capturing the audio signal going to the computer’s speaker, or whatever. In contrast, in the "two file" scheme mentioned above, you’re never decrypting the protected file on an untrusted person’s computer.

But even a cryptographically secure password still relies on your trust in the people to whom you give the password.

0 thoughts on “Why Photoshop doesn't provide secure metadata

  1. Folks interested in this topic should check out Andrew “bunnie” Huang’s book, Hacking the XBox. The book describes how he defeated the XBox security by soldering a few extra chips into the box. Bottom line: If you can watch the movie or play the song, you can get at the bits behind it, too. (I like this story of how he hacks into a microchip by melting the top off with acid, sticking a tiny piece of electrician’s tape on it, then zapping it with UV light. Nothing stops this guy…)

  2. I don’t care about locking metadata (only a small percentage of humans know how to modify it anyway). I just want a check box in Save For Web that will send it with the image.
    Turns out I saved thousands of images with no metadata because I assumed Adobe was a meta data company. Johnny then pointed out that their one and only concern in making Save For Web was file size, so metadata would never be part of that.
    Save As doesn’t have the kind of quality control I’ve gotten used to in Save For Web, so a meta-save option would be great.
    [The capability is there, but the necessary options are far too obscure. Here’s what to do:
    — Choose Save for Web
    — Hit Save
    — In the dialog where you pick file name/location, click the popup menu next to “Settings.” Choose “Other…”
    — In the second popup menu from the top, choose “Saving Files,” then check “Include XMP.”
    — You can then optionally record this configuration as a preset. I’ve made one called “Include XMP.” That way it’ll always be available at the bottom of the Save for Web naming/location dialog box.
    As I say, this capability needs to be made much easier to find–presented as a checkbox alongside other optimization options. I’m sorry we haven’t done that so far. –J.]

  3. Thanks for the Save tip… does XMP contain everything in IPTC?
    [Yep. Sorry, I spoke too soon. Some fields are preserved while others aren’t. I may be able to share a more complete list soon if you’re interested. –J.]

  4. I have been wondering lately why the Digital Rights Management style protection that is currently being used with legally purchased mpeg-4 audio isn’t available yet for photographs. I think that many of us would love the ability to distribute a file that could only be used on a limited number of computers. My big fear as a photographer is not that one of my clients will use my images without permission / compensation but rather that there is no way to control where my files go once they are handed off to an art director, editor, etc.
    [Adobe’s LiveCycle offers these things, but the company has released a package targeted at photographers. –J.]

  5. David, DRM wouldn’t fix it, for the same reasons R. Williams outlines above. If someone can open the photo and view it on a computer screen, then screenshots can be grabbed and then pasted into Photoshop or some other program. No way to prevent that from happening. And of course the copyright data doesn’t go along with it, either.
    On a somewhat cruder level, in the world of audio, if you are playing music (DRM-protected or not) off of your computer, you could capture the signal coming out of your sound card, feed it into another recording device (e.g., the input to a second computer’s sound card), and record it, no protection. Again, no way to prevent this from happening.

  6. @David Marx
    Seeing as DRM has failed almost completely for both movies (HD DVD keys being decryptet even before they are rolled out) and music (to the point where even EMI decided to drop DRM for online downloads) – wouldn’t it be a very unwise decision to start using DRM for images?

  7. Valid Reasons for being about to password protect metadata in an image..
    1. The Orphan Works Bill.
    2. Control of Image Use.
    3. Reduce unauthorised Use.
    Now most people are aware that images uploaded to websites automatically strip out the Metadata, this could be made illegal.
    If metadata could be ‘locked’ into the image by the creator, anyone doing a screen grab would then be using the images illegally and that is easily proven by the fact that an image grab will not contain the data…
    Now if hackers can embed code in an image, I am confident Adobe could write code to not only lock the metadata into an image, but also that anyone opening the file and stripping out the image would suddenly find the image would not open…
    [No one is debating the desirability of being able to lock metadata. But I’m sick of hearing photographers say, “We want this, but we’re unable to use the tools that are already in our hands to do it”–namely, PDF. You want us to somehow make this work with plain vanilla JPEG files that can be read by any application. That’s like putting a bank vault door in the middle of an open field, thinking that no one will simply walk around it. –J.]

  8. [No one is debating the desirability of being able to lock metadata. But I’m sick of hearing photographers say, “We want this, but we’re unable to use the tools that are already in our hands to do it”–namely, PDF. You want us to somehow make this work with plain vanilla JPEG files that can be read by any application. That’s like putting a bank vault door in the middle of an open field, thinking that no one will simply walk around it. –J.]
    J, your comment actually proves that you know little about the work of a professional photograher, how images are used etc.. whilst using PDF is fine for e-mailing an image to someone, it is NOT a feasible proposition when someone has paid you several hundred pounds to produce an image in a hi res quality format to see it destroyed in a PDF File
    [How exactly would the file be “destroyed”? It sounds like perhaps you don’t know much about PDF. –J.]
    and no QUALITY printer will accept an original image for printing in a PDF file…
    [No quality printers will accept PDFs? That would indeed be news to me, and to a great many other people, I think. –J.]
    The stripping of metadata from an image should be illegal, I own the copyright to each image I produce and contrary to popular belief, no one has the legal right to copy it in whole or in part and use it for any purpose without paying me first… this problem is costing the industry millions in lost earnings and therefore affects the economy as we are not paying tax on earnings that have been stolen from us.
    [Again, I’m not debating what should or should not be legal. I’m saying that you can’t take plain vanilla JPEGs, bolt a secure lock onto them, and then ask that all software be able to read the JPEGs just as before (displaying but not editing the locked data). Hence my analogy about building a door in the middle of a field. –J.]

Leave a Reply

Your email address will not be published.