WIPO Releases Secure Content Timestamping Service

The World Intellectual Property Organization (WIPO) recently announced that it has released WIPO PROOF, a tool for verifying the date and time of a digital file, such as one containing a copyrightable work. For a nominal price of CHF 20 ($21), you can obtain a token–a small file–from WIPO that contains a tamper-proof timestamp with a cryptographic hash of the file’s contents, evidence that you had possession of the digital file at a certain point in time.

This announcement has gotten some notice in copyright circles; in the United States, the most common reaction has been, “Why?” Yet while WIPO PROOF isn’t valuable for U.S. copyright purposes, it’s valuable elsewhere in the world–and it’s valuable outside of the copyright realm.

WIPO PROOF works by using a few standard cryptography functions. One of these is hashing. A hash (a/k/a hash value) is the output of a special type of mathematical function that reduces arbitrarily large amounts of information to small fixed-size data, like an extreme type of data compression algorithm. It does this in such a way that two different inputs to the function are almost certain to produce different hash values even if they are only very slightly different, while two identical inputs will always produce the same hash value. The result is a number that serves as an identifier for content or data that’s unique for most practical purposes.

For example, if you input a file containing a mystery novel ebook to a hash function, you get a hash value X. If you input an exact copy of the ebook file to the same hash function, you will get X again. But then if you change one word of the novel–e.g., change “The butler did it” to “The cook did it”–you get a completely different hash value. (This isn’t the same as a fingerprint, which is a special type of hash value that denotes uniqueness of content as perceived by a human, so that, for example, two music files containing the same sound recording in different formats will produce the same fingerprint.)

Given a digital file as input, WIPO PROOF gets a hash value for the file from your browser (using the standard SHA-2 algorithm) and sends it to a server at WIPO. WIPO creates a timestamp, appends it to the hash, and creates a digital signature of the result using its highly secure private key.

A digital signature of a message–in this case the content file hash and timestamp–is a way to enable the message to be checked for tampering. Digital signatures also use hashes. A digital signature algorithm computes the hash of a message and encrypts the hash using a private key. If someone wants to ensure that the message hasn’t been altered, they can use the public key that corresponds to the private key to decrypt the signature, then use the same hash function to recompute the hash of the message. The decrypted signature and the recomputed hash should be equal; if they aren’t, then the message has been tampered with.

WIPO provides the public key needed to check the content hash and timestamp for integrity. It does this by adding a public key certificate. A public key certificate is essentially a way to have a trusted third party called a certificate authority vouch for the integrity and ownership of some data, in this case WIPO’s public key. WIPO uses certSIGN of Romania as its certificate authority. The public key certificate essentially says that certSIGN vouches for the fact that the public key belongs to WIPO and that WIPO is a trustworthy organization.

The content hash, timestamp, digital signature, and public key certificate all come together to form the WIPO PROOF token, a file that is just a few kilobytes in size. Once WIPO generates the token, the user can download it from WIPO’s website. WIPO keeps a copy in its database, as a backup and so that it can re-generate the token in the future if any of the cryptographic algorithms used to generate it are cracked.

All of these cryptographic functions have been in wide use for a long time. Yet this scheme has certain advantages. The most important is that it uses web browsers’ built-in standard hash functions to compute hashes. This means that the data that you want to timestamp never has to leave the computer it’s on, which is important for efficiency (the data could be very large) as well as confidentiality. Although web browsers have supported hash functions for a long time, the standard they supported until recently was SHA-1, which was hacked back in 2017; now browsers support the successor standard SHA-2.

Once you have a WIPO PROOF token, you can use it as evidence that you had possession of a file at a point in time. You do this by using the public key to decrypt the digital signature, as described above, to check the integrity of the content hash and timestamp. (WIPO provides an online tool that does this.) Then you can recompute the hash of the content and check to see that it matches the content hash in the token, which is proof that your file is the same one as (or an exact copy of) the file that you had at the time of the timestamp.
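The issue-and-verify flow described above, as an added example that is not WIPO's code or token format: it uses Node.js's built-in `crypto` module, a throwaway RSA key pair in place of WIPO's key, and a constructed `hash|timestamp` layout. The certificate check is left out; the public key is assumed to be already trusted.

```javascript
const nodeCrypto = require('node:crypto');

// Throwaway RSA key pair standing in for the timestamping authority's keys (assumption).
const authority = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Client side: only this SHA-256 digest leaves the machine, never the file itself.
function hashFile(contents) {
  return nodeCrypto.createHash('sha256').update(contents).digest('hex');
}

// Authority side: append a timestamp to the hash and sign the pair.
// The "hash|timestamp" layout is constructed for this example.
function issueToken(contentHash, privateKey, now = new Date()) {
  const timestamp = now.toISOString();
  const signed = Buffer.from(`${contentHash}|${timestamp}`, 'utf8');
  const signature = nodeCrypto.sign('sha256', signed, privateKey).toString('base64');
  return { contentHash, timestamp, signature };
}

// Verifier side: check the signature over hash and timestamp first,
// then recompute the file's hash and compare it with the one in the token.
function verifyToken(token, contents, publicKey) {
  const signed = Buffer.from(`${token.contentHash}|${token.timestamp}`, 'utf8');
  const signatureOk = nodeCrypto.verify(
    'sha256', signed, publicKey, Buffer.from(token.signature, 'base64'));
  if (!signatureOk) return 'token-tampered';
  return hashFile(contents) === token.contentHash ? 'valid' : 'file-mismatch';
}

// Constructed sample inputs: the original file and a one-word edit of it.
const original = Buffer.from('Chapter 30. The butler did it.', 'utf8');
const edited = Buffer.from('Chapter 30. The cook did it.', 'utf8');
const token = issueToken(hashFile(original), authority.privateKey,
                         new Date('2020-06-01T12:00:00Z'));
// A token whose timestamp was altered after signing.
const backdated = { ...token, timestamp: '2019-01-01T00:00:00.000Z' };

console.log(verifyToken(token, original, authority.publicKey));
console.log(verifyToken(token, edited, authority.publicKey));
console.log(verifyToken(backdated, original, authority.publicKey));
```

The three calls cover the cases a verifier has to tell apart: an intact token with the matching file, an intact token with a different file, and a token whose signed fields no longer match its signature.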

So what is the application of WIPO PROOF to copyright?

International copyright law provides that a creative work is copyrighted automatically as soon as it’s fixed in a tangible medium (such as a digital file) without the creator having to take any action. Proof of existence of a creative work at a certain point in time matters in litigation. Yet in U.S. copyright law, it’s necessary to register your work with the U.S. Copyright Office in order to sue for infringement, and your registration is your proof of existence at a point in time. The Supreme Court affirmed this just last year with its decision in Fourth Estate v. Wall-Street.com, which established that it isn’t sufficient merely to apply for copyright registration in order to sue for copyright infringement; the Copyright Office has to approve the application (a process that can take months).

In this light, WIPO PROOF is merely a high-tech version of “poor man’s copyright,” such as sending your content to yourself in the mail and having the U.S. Postal Service’s postmark serve as a trusted timestamp. This has no value in U.S. law. At least one recent startup company has tried building blockchain versions of poor man’s copyright, where deposit on a blockchain serves as an unalterable record of ownership and creation date. These are equally worthless without actual copyright registration.

However, the U.S. is the only country with this type of system. Several other countries have voluntary registration systems in which registration isn’t required to bring suit but can serve as evidence that a work existed at a point in time. WIPO PROOF is most useful in the many other countries that have no copyright registration formalities at all, or have antiquated, inefficient, paper-based systems. It is a simple and inexpensive way of bridging the digital divide in such places.

WIPO also sees WIPO PROOF as valuable in other types of IP management and protection scenarios. For example, data sets (such as in pharmaceutics and life sciences) typically don’t qualify for copyright or patent protection, yet it can be important to prove their ownership and origin dates. More generally, WIPO sees WIPO PROOF as a way to help people and businesses protect intellectual property at earlier points in their development before the need for formal protection sets in. That’s part of WIPO’s mission and the real value of WIPO PROOF.

 
