
How to prevent screenshots in a web browser - bakerfreak
http://www.patrick-wied.at/blog/image-protection-on-the-web/#/
======
dsr_
How to drive away customers: prioritize your unproven loss of income over
making an attractive product. Accuse all your users of copyright infringement.

~~~
paulhauggis
I really dislike this attitude on HN. You can have great products that make no
money because cracks get popular (I have done testing with my own software and
know for sure this is the case) and get higher results than the original
product listing on google, Adblock, and many other methods thought to be
"rights".

Even look at music piracy. Pirates did the big labels a favor: small,
independent artists can't make a living anymore because everyone just expects
it to now be free. They now are almost forced to go with a big label if they
actually want to make any kind of living.

~~~
kstrauser
That attitude is realism. It's not unreasonable to take minor steps to make
casual copying easier - the clear GIF overlay is a good example of that - but
there ain't no such thing as perfect digital restrictions management. Anything
beyond those minor steps becomes an inconvenient nuisance for your real
customers and the risk/reward paying just isn't worth it.

Imagine you have a stock photo website. Basically honest potential customers
might try right-clicking a photo once to download it, and failing that will
whip out their credit card. Basically dishonest non-potential customers aren't
going to pay you and see your protections as something fun to be worked
around.

There just isn't a business case for heroic measures that can ultimately be
trivially defeated.

~~~
smtddr
_> >Basically dishonest non-potential customers aren't going to pay you and
see your protections as something fun to be worked around._

You have no idea how much time I've spent on sites doing weird things to try
and stop the user from downloading their content. Like online schools that
don't want anyone to save the class-lesson videos. I don't even want the
media, I just find it irresistible to understand and ultimately defeat their
protection.

------
kstrauser
TL;DR You can't, stop trying. It's not worth the effort, it's tilting at
windmills, and it pisses your users off. Just stop.

~~~
todd3834
I am glad that this guy tried. I found some of the techniques pretty clever
and I enjoyed reading the article. I do not believe you can stop people from
taking screenshots and stealing images but I never considered some of the
techniques the author explained. He was much closer to solving this than I
expected.

~~~
shmerl
Instead of that, the author could just talk about why interlacing was used in
video in the past. No need to bring any DRM context in the discussion. The
tone of the article is what's offending, not the technical details.

~~~
pa7
Could you please elaborate what's offending you? (author here) for me it was
just a fun experiment I didn't intend to offend anyone

~~~
shmerl
Just the notion that DRM is something that should be used in general. I find
the concept of DRM to be insulting towards the users.

Also this part:

 _> seems like there is a problem — let’s solve it for fun and profit_

It's like saying: "Police state struggles with policing measures. Let's help
it for fun and profit". I hope you get the idea why this can sound offending.

~~~
todd3834
I don't see anything wrong with developing a better bike lock for fun and
profit. Not to build a straw-man argument but isn't that the same line of
thinking?

~~~
shmerl
I explained the analogy above. DRM is not like a bike lock at all.

------
CanSpice
Clearly the best way is to link to a popular site and have your webserver be
overwhelmed by traffic. Can't serve images? Then users can't steal them!

------
shmerl
Why would anyone want to do such stupid thing? It would prompt users to bypass
it just because. And there are tons of ways to make a series of screenshots or
even a video of the screen.

Ksnapshot, imagemagick (import), ffmpeg, avconv etc. etc.

 _> let’s assume things on the web should be protected…_

Let's assume DRM is a dumb and nasty idea which always leads to very crooked
practices. Period. As if we don't have enough of this EME nonsense.

~~~
stcredzero
The evidence shows that DRM in the service of corporations and businesses
tends to be nasty. But there are reasons to believe that DRM, if used to
protect the data and privacy of individuals would be very valuable, with the
caveat that it would have to be implemented in a trustworthy way.

What if there was a way to provide access to your medical records to people
who need them, only for as long as they need them? What if even the provider
of the service couldn't easily circumvent this?

~~~
shmerl
_> But there are reasons to believe that DRM, if used to protect the data and
privacy of individuals would be very valuable, with the caveat that it would
have to be implemented in a trustworthy way._

DRM can not be trustworthy by its mere definition (because trust is a mutual
thing, and those who deploy DRM don't trust you - the user. So you have every
reason not to trust them in return). And it never can be valuable since it's
not only unethical and insulting towards users (since it uses presumption of
guilt and police state ideas), but it's also completely ineffective and all it
does is punishing paying customers, while the vast majority of actual pirates
don't deal with it. DRM should just die out for good.

 _> What if there was a way to provide access to your medical records to
people who need them, only for as long as they need them?_

Authentication and information security has nothing to do with DRM, even
though both can have features like encryption. Let's not mix unrelated
subjects.

~~~
stcredzero
tl;dr - Let's please think about the _economics!_ Let's not just believe
emotionally charged Internet aphorisms, but examine things thoughtfully.

 _Authentication and information security has nothing to do with DRM, even
though both can have features like encryption. Let 's not mix unrelated
subjects._

What is the limiting of who can have my personal data and when, but Digital
Rights Management, or DRM? One cannot stop at authentication, because to be
complete, one has to prevent copying data. Without this, it becomes
problematic to trace who has released information, and without some legal
support, nothing at all is practical.

 _DRM can not be trustworthy by its mere definition_

Sorry, but this is fluff. You could apply this "logic" to authentication as
well. DRM has to involve some mutual trust and cooperation to the same extent
that any protocol involves mutual trust and cooperation.

The key is to realize that DRM as practiced by corporations is evil and
unworkable because the _economics_ were utterly unrealistic. Really, where DRM
could help individuals would be the elimination of trivial deniability on the
part of corporations. Right now, when your data privacy is breached, there is
no cost to "break" anything and it's very hard to pin this on a particular
corporation. Add a DRM mechanism, and then there is something tangible to
apply protection laws to and a labor cost with definite intent to breach an
individual's privacy. In aggregate, the cost and potential legal liability
becomes too high to for virtually any corporation to contemplate. We would
arrive at a situation where corporations could afford to violate the privacy
of a few select individuals, but could no longer do so to the public
wholesale. Ordinary citizens would enjoy a measure of protection, though rich
individuals and corporations would not.

Sounds pretty good to me.

Underlying everything, I'm not so much advocating DRM, as I'm calling to
question emotionally charged "magical thinking" combined with naive induction.
Let's not just leave things at "DRM is bad" devoid of real examination of
what's happening.

EDIT: It also occurs to me that the _historical factual differences_ between
individuals and corporations should be used to modify the current formulation
of "legal persons." "Legal Persons" should be considered as "persons" only in
terms of a few specific factors, like the owning of property. The historical
difference between actual and legal persons with regards to data privacy
abuses would be an important corpus of information in support of this.

~~~
shmerl
Let me repeat it again. Authentication is OK. DRM is not. If you don't get the
difference, let's explain. Authentication is simply ensuring that you are you.
Normal security mechanism, nothing wrong with it.

DRM can employ authentication in itself, sure. But DRM is not about ensuring
that you are you. DRM is about _limiting what you can do with your own system
in various ways and / or spying on you (even when it already knows that you
are you)_. Simply because DRM is preemptive policing.

I have no problem with authentication, same way I have no problems with you
using a lock on your door (normal security). I have problems with DRM, same
way I'd have problems with police putting their camera in someone's house
(overreaching preemptive policing).

Hopefully this makes it more clear. I often see people confuse DRM with merely
security / authentication / encryption etc. That's plain wrong.

 _> The key is to realize that DRM as practiced by corporations is evil and
unworkable because the economics were utterly unrealistic._

No. It's evil because it's using police state methodology of treating everyone
as potential criminal and employing presumption of guilt, which results in
overreaching policing measures which violate one's privacy and security.

~~~
moheeb
" _It 's evil because it's using police state methodology of treating everyone
as potential criminal and employing presumption of guilt_"

Isn't that what you're doing when you lock your doors though?

~~~
shmerl
_> Isn't that what you're doing when you lock your doors though?_

No. You lock your doors to protect your house from external threats. Here it's
completely reversed. DRM invades your private digital space (your computer,
your system, the programs you run etc.) for the sake of policing _you_. I.e.
it's not like a lock on your house doors. It's like a police camera _placed
inside your house_. That's exactly what makes it overreaching and
unacceptable.

Policing itself is a not an evil idea in general. But it's evil when it's
overreaching. Saying - "let's prevent crime" is OK. Saying "let's place police
cameras in everyone's house to prevent crime" is not OK.

~~~
moheeb
The previous poster is talking about personal DRM. You keep misunderstanding
what they are saying.

In the personal DRM case it would not be invading " _your private digital
space_ ", you would be using it to protect your digital space.

It is not like " _a police camera placed inside your house._ " It is the
equivalent of the homeowner placing a security camera themselves to protect
their property.

~~~
shmerl
There is no such thing as "personal DRM". That's what you and the previous
poster fail to understand. DRM is always about policing others by invading
their digital space.

Protecting your own digital space is called security. Let's be clear on terms
usage, otherwise time will be wasted because of misunderstanding.

~~~
stcredzero
No. You fail to understand that DRM as practiced by Sony et al is just one
application. In one way, it's understandable if you had not been exposed to
the academic literature early enough, because after a certain point, political
activism, popular accounts, and corporate literature swamp anything more
academic and general.

 _DRM is always about policing others by invading their digital space._

Or about voluntarily giving some autonomy up. In the case of organizations
like Facebook, they would be giving up autonomy, such that they would only run
certain audited versions of certain software. Given that such companies have
large numbers of computers aggregated in a relatively small number of
locations, the economics of verifying these mechanisms is much more favorable
than the inadvisable "traditional" use of DRM has been.

You are not going to be able to process ideas like this properly, if your only
background is uneducated Internet backlash.

 _Protecting your own digital space is called security. Let 's be clear on
terms usage, otherwise time will be wasted because of misunderstanding._

Throughout, you have been insistent on an imprecise, popularized usage of
terms. I will agree, however, that time has been wasted because of
misunderstanding.

~~~
shmerl
_> You fail to understand that DRM as practiced by Sony et al is just one
application. _

They created the term and they polluted it for good. Trying to whitewash it
now serves no useful purpose except causing confusion. If you want to talk
about concepts of protecting your personal information - just use another
term, otherwise misunderstanding is guaranteed (like above).

 _> popularized usage of terms_

No, it was you who tried to create your own interpretation of DRM which
differs from what its designers put into it. That's up to you, but don't
expect anyone to understand you.

~~~
stcredzero
_Trying to whitewash it now serves no useful purpose except causing
confusion._

Again proof that you have no familiarity with the abstract concepts or its
history, prior to the popularized furor. Nor do you care or are particularly
curious, or are capable of processing the logical implications of such new
information.

 _No, it was you who tried to create your own interpretation of DRM which
differs from what its designers put into it._

Let me assure you that the designers of DRM had the other interpretations in
mind the whole time. You are basically arguing for your own ignorance.

 _don 't expect anyone to understand you._

In other words, I should expect only uninformed rubes on the Internet.

------
nbush
Cool, I love counterintuitive (and even counterproductive) solutions just for
their own sake. I tried to do a similar thing with text a while ago:
[http://nbush.github.io/headache/](http://nbush.github.io/headache/)

~~~
abbeyj
As a challenge I wanted to see how hard it would be to circumvent this. Here's
a bookmarklet:
javascript:void(function(s,i){for(i=0;i<s.length;i++)if(window.getComputedStyle(s[i]).color=='transparent')s[i].style.display='none'}(document.getElementsByTagName('span')))

That should be one line with no spaces if gets line wrapped.

~~~
nbush
Nice work! Here's another solution posted in an earlier thread:
javascript:d=document.createElement("div");d.innerHTML="<style>span:nth-
child(odd) {display:none;}</style>";document.body.appendChild(d);

I don't think there's any easy way for the obfuscation to stay ahead of JS
reversal. Thanks for taking a look!

------
ZoFreX
I think maybe you _could_ do this. What about the new, controversial DRM
extensions? They're for video, but you could just show a 1 frame video on loop
as an image, right?

If those support HDCP then it's encrypted all the way to the display, and it
would be challenging to screenshot it.

(Of course, you could take a photo of the screen, but that's a substantial
degradation).

~~~
drdaeman
Isn't HDCP broken?

------
dyeje
You could still subvert this by taking an actual picture of the screen with a
camera I think.

~~~
alexhawdon
Yup. In audio copy protection this is referred to as the 'analogue hole'
([http://en.wikipedia.org/wiki/Analog_hole](http://en.wikipedia.org/wiki/Analog_hole)),
and there's pretty much nothing you can do about it.

------
spindritf
Previously,
[https://news.ycombinator.com/item?id=8022315](https://news.ycombinator.com/item?id=8022315)

------
joeblau
You're still sending the picture across the network to the screen in your most
valiant attempt, but by using the inspector's resources, you can get a url
link to the cat image[1]. Like you say at the end of the article, it's not
really worth it.

The site being slow is a better deterrent than anything written in the post. 9
Seconds to first byte[2].

[1] - [http://www.patrick-wied.at/talks/image-
protection/demos/cat....](http://www.patrick-wied.at/talks/image-
protection/demos/cat.png)

[2] -
[http://www.webpagetest.org/result/140714_WZ_S9F/](http://www.webpagetest.org/result/140714_WZ_S9F/)

------
cousin_it
So here's a startup idea that can help with that.

1) Build a library for hiding encrypted information inside images. It should
be hard to detect (indistinguishable from random) and robust (e.g. survive
printing and scanning).

2) Build a web crawler, coupled with a key store. Crawl the internet for
images that contain our encrypted info.

3) The copyright owners will be our paying clients. They will display images
only to logged in users, use our service to embed the user information in the
image, and deposit the encryption key with us.

4) Whenever the crawler finds a stolen image, we notify the copyright owners
and send them the details of the user who leaked it. We don't notify the user,
of course.

Right?

~~~
AlyssaRowan
It seems to me that you've basically described Digimarc®'s business model.

~~~
cousin_it
Hah! Yes, you're right.

------
jastanton
I did something similar you can demo:
[http://jastanton.com/experiments/imagescrambler/](http://jastanton.com/experiments/imagescrambler/)

Shuffle an image, re-assemble with a bunch of divs with background offset and
just the right amount to bring the picture back. If you download the image you
get a scrambled imaged.

Doesn't protect against screenshot.

Very fun :)

------
stonogo
1\. You can't.

2\. Stop trying.

~~~
philjackson
Read his "Was it all worth it?" section.

------
fuzzywalrus
Anyone else try it?

I was curious and tried his live demo URL. and I used OS X's built in screen
capture while using Chrome. The screen capture worked, no special tricks
needed. I didn't see any visual degradation between my screen shot and the
original.

The long and short of it is his DRM did not work.

~~~
hobbes78
That also happened to me. But then I realized I set the browser to display
everything in 110% by default. If you go back to 100% indeed you can't do a
proper screenshot...

------
FedRegister
When will website authors learn that you control the content but the client,
by virtue of owning their computer, controls the presentation. At best you can
make suggestions. At worse you're at the total mercy of the user.

If you want to give out indelible images then go back to print.

------
NathanKP
That demo messed with my eyes. Even though it is interlacing faster than the
eye can see for some reason it still felt weird to look at it. Overall, not
worth the trouble or the decline in user experience.

~~~
AlyssaRowan
Lesson learned: LCD monitors are _absolutely horrible_ at interlacing. And you
can, of course, put them back together with one line of JavaScript. As he
says, it's futile. People should stop doing this. Yawn.

I am associated with a... _certain industry_... (ahem) which frequently finds
its content reposted (and it wouldn't be right or proper of me to identify any
further, but I'm sure it's a moderately generalised problem).

One must be realistic about these things - if we're going to publish things,
some people are going to pirate them and that's that. It leaves our control to
some degree when we let it loose, regardless of what legal rights we may have.
We're going to find them plastered all over Tumblr or TPB or something no
matter what we (or Tumblr!) do. That is not necessarily all a negative,
especially if it might drive interest and traffic, which may be worth more
than any one or two pieces of content for some. If we get enough customers to
support ourselves and what we do, that's fine (and we can thank our loyal
repeat customers for that; many others are simply not in such a position).

"The invisible wall" _might_ be worth it as a courtesy "please don't save this
image" thing, but developer tools exist in browsers, so that really _is_ only
a courtesy thing: anything else is a fantasy and nothing else is really
workable, but perhaps it presents a _sort of_ reasonable-ish balance, if it
doesn't degrade anyone's experience and if people are at least aware we'd
prefer that not to happen on balance. I feel the same about any light DRM (for
example, for PC gaming, I'd say Steam is fairly "courtesy DRM" compared to its
peers, excepting its peers like GOG that have no DRM at all).

(I'm also a reverse-engineer of some experience, so I've found myself
analysing others' solutions in other industries quite a lot over the years -
it's interesting to look back and see how my own opinions on this matter have
evolved from a vehement rejection of any DRM as a matter of principle, to a
slightly more nuanced position that it is _occasionally_ not devilspawn but
we'd still have a better world without it and anything that may cause users
any inconvenience is completely unacceptable.)

Fairly discreet and tasteful watermarking is all we've ever found to be a
reasonable solution. What we see when people _do_ repost them, as a result, is
_more sales_ \- when a few people obviously like what they saw and looked it
up. Not a lot, but some. Yay. Have we gained more than we've "lost" (not that
we ever had those in the first place)? I don't know, I don't have a crystal
ball to guess at events that have never happened, but we've gained _some_ as a
result of this, and some is always better than none.

Except those people who edit or crop out the watermarks then reblog them. Fuck
those people. That gets right up my nose; there's piracy, and then there's
_plagiarism_ , and that's how I interpret that one - it feels like they're
taking credit for it (and if they are, that's dangerous: people might think
they know what they're doing and get themselves in dangerous situations), or
at least they're definitely removing ours, which is irksome particularly when
you see a comment thread asking for, as the parlance goes, "sauce" (the source
of the content). Those are people who wanted more, dammit, and you cropped out
the thing that could have linked them where to get more, and since it's been
reposted, they probably don't even know. That's just putting barriers in
people's way for no good reason. (Thank you for those few that do reverse
image searches in such cases and find us that way anyway, you're heroes. ♥)

Any thoughts?

~~~
drz
Image search gets you the sauce on any reasonably popular image, so a
watermark isn't as critical as you seem to think it is.

If a customer willing to pay for content is really intrigued by your image,
he'll find the sauce.

------
terminado
[http://www.patrick-wied.at/talks/image-
protection/demos/cat....](http://www.patrick-wied.at/talks/image-
protection/demos/cat.png)

------
miketuritzin
This article (which I enjoyed) reminded me of a paper [1] I co-authored a long
time ago about protecting 3D content using a remote rendering system. The big
advantage that we had over 2D content (images) is obviously that we never gave
clients a full representation of the protected asset.

[1]
[http://graphics.stanford.edu/papers/protected/protected.pdf](http://graphics.stanford.edu/papers/protected/protected.pdf)

------
snorkel
Good article explaining some clever techniques. I don't understand all of the
whiners here who expected something perfect and foolproof.

------
Scalar
I found this fairly clever but pretty impractical. If you put an image online
you must assume that it is public domain. The only real way to prevent true
theft is to offer a lower quality image but this defeats the purpose of
putting your image online in the first place.

Nonetheless there are pretty smart ways to monetize content like this and any
professional source will pay to use it.

------
meshko
There is a silly Russian saying which school teachers usually use on that
really smart asshole kid in the class -- "a fool got blessed by smart head".
Somehow reading this made me think of that. Also think of the environment, how
much power will you waste on this useless hack if it were to get wide adoption
(not going to happen of course, but _if_)

------
spiritplumber
It took 20 years to get image interoperability down to "solved problem"
status, so let's get start from scratch by coming up with something that you
have no idea will work on cheap tablets, will eat up CPU on battery powered
devices, and makes unwarranted assumptions about display technology! Yay!

------
joosters
It broke my firefox :( First, a popup error message reporting:

SyntaxHighlighter Can't find brush for :jscript

and then the whole browser became unresponsive and needed to be restarted. On
the plus side, you've helped Firefox development by discovering a new bug!

------
russelluresti
So, the demo obviously blinks (at least on my monitor), and the first time I
took a screen shot, I got the whole image (though I only got half the second
time). So, it doesn't actually work all that well.

But cool write-up, I guess.

------
zobzu
Its kinda cool even thus of course id never want that on a website.

That said, i took a screenshot on windows 8.1+Firefox and it worked just fine.
I took a few more screenshots.... and they were all fine too...

------
qwerta
I got more solutions:

1) Ship your own lock-down hardware (tablet) to customers, so they can visit
your website

2) Install booths around country which will show your website. No cameras or
phones allowed inside!

------
wslh
The answer is simple: you can't prevent (all) users from taking a screenshot
in a web browser.

The solution is trivial: launch a VM, make a screenshot, hook APIs such as
DirectX, etc.

------
autokad
interesting article and method. when viewed from remote desktop, the image
always appears interlaced.

otherwise, on a regular screen its barely noticeable. at first glance it looks
fine, but then i get the feeling something is off. if i blink or look away
quickly, i can see some of the interlacing. but overall, interesting idea of
treating the images more as movies rather than images

------
skizm
I am having trouble with the last demo, I always get the full image when I
print screen and then paste to paint. Anyone else?

------
sidcool
If someone gets really pissed off, they will just take a pic of their screen
with an SLR and then photoshop it.

------
bsimpson
That looks terrible in Chrome for Android.

------
Qantourisc
Also this burns a lot of CPU cycles :(

------
justbaker
The title is incredibly misleading..

------
drz
Take a few screenshots, until you get one image with the odd lines, and one
with the even lines, then stitch them back together in Photoshop.

2 minute job, tops.

~~~
Aardwolf
2 minutes is quite a long time. Long enough to not bother unless you _really_
want that particular image...

~~~
programmer_dude
This can be automated in javascript. There is no need for photoshop. I won't
be surprised if someone comes up with a browser extension to neutralize it.

------
MrZongle2
Ah, the newest form of "disabling right-click on a web page".

Infuriating, bad design then. Still is.

------
GotAnyMegadeth
I could see it flickering and when I tried to print screen I got the image...

Disclaimer: I only skimmed the artcle

------
EGreg
And oncw again if your user is a developer he'd or she'd be able to stitch it
back together.

~~~
scrollaway
That was not the point of the article. In fact, had you read the article,
you'd find that your point has been addressed three times over and that the
author acknowledges it's all futile anyway.

~~~
mikeash
I don't think he quite does. His conclusion is basically that image protection
isn't _worth_ it, because more exposure is better. That's different from
declaring it to be futile.

~~~
EGreg
Exactly. I _read_ the article. At the end he declares it isn't _worth it_ ,
which is a different sentiment altogether. He seems to believe that his last-
minute addressing of the screenshot "attack" is adequate, even though earlier
he was talking about an audience which is a developer themselves. For such an
audience, his mitigation of the attack isn't really effective at all. That's
what I was pointing out. He just forgot about the standard he set up in first
part of his article when writing the update.

