So What Can Google Do?

Having spent some time deconstructing Google’s careful attempts to protect the content of their Google Print partners, it seems only fair that I also give my thoughts on how they can improve the restrictions without affecting the usability. One could argue that I shouldn’t help them with this – but then, I think people will vote with their feet when it comes to DRM-like features. And anyway, it’s an interesting technical challenge.

The best method would probably be an extension of what they are doing now. Have ten nested <div>s, each of which has a background-image set, and each of which has a near-identical URL – the only thing wrong being the signature which they already incorporate into their URLs. The “print” servlet should serve up a clear GIF when it receives a bad signature. So, given that there’s no programmatic way (short of reverse-engineering the signature algorithm) to choose between:

a user would have to resort to checking each one by hand to see which was the real image. (Or writing a specialised extension to sort through and pick out the one with the largest size.) That would defeat at least some of the methods we’ve come up with so far, or at least make things a lot slower.

But when it comes down to it, they’ll probably be content with the current clue barrier.

Update: Having now read some Slashdot comments, you could combine the above technique with image slicing (where the true image was at a different stack position in each slice) to multiply the number of possibilities. Manually searching 10 possibilities for a non-blank image would be OK. Searching 100 sets of 10 slices to find the valid strips would be a lot nastier.

5 thoughts on “So What Can Google Do?

  1. They should also check the referring url. That one raises the clue barrier by a lot (and makes it a lot more hassle to automate). Or are they doing that already?

  2. dolphinling: I don’t think they should check the Referer, and here’s why. Referer is optional according to the HTTP spec – many people don’t like it being sent, for privacy reasons. Requiring it is bad form at best, and spec-breaking at worst.

    It’s also difficult to do in a way that’s not easy to circumvent. They could check for “google.com” – but that’s child’s play to avoid. And anything more complicated could break if they link their services together in new and interesting ways.

    In addition, any check is really not that hard to get around. If they implement all the other restrictions, anyone who got around those would find bypassing referer checks trivial.

    So it fails the clue barrier test – it’s hard to implement, and easy to dodge.

  3. Why not just use print screen at high resolution and then save the image from Paint or something. :)

  4. Jafe: of course you can do that, but you end up with either a heck of a lot of data (saving losslessly) or worse image quality (re-compressing the JPEG). Also, you end up with the borders as well.

  5. I think google still have their methods. For example, google could produce several GIF or PNG files with irregular transparent areas, when these files overlap each other, you can see the result. However it may take you hours to open those files in photoshop or gimp and reconstruct the original file. And even the patterns they could make them interlaced, which will make it harder to work.

    And the other method they can use is making several image in different divs with different view port. And outside of the view port, they can put irregular pattern and letters or words of course.

    Hacking is good for brain, as while as hiking is good for body. Anyway, have fun.