TiVo Multi-Room Viewing (Yet Again)

Recently, in TiVo Multi-Room Viewing (Again), I indicated my disappointment that my new (second) TiVo DVR can't share recordings with my first TiVo if the recordings are copy-protected.

I have a home wireless network. Both of my TiVos are nodes on it (in addition to my two Mac computers, a cable modem, and assorted Apple TV and AirPort networking devices). After a TiVo makes a recording, in theory that recording can be copied via the network to the other TiVo, in what the folks at TiVo Inc. call "multi-room viewing" or MRV. The only problem is, an awful lot of the programs are copy-protected: their digital bitstreams contain a flag bit that says, "This program can be copied once, i.e., only for a single generation. The copy cannot then itself be copied."

Owing to how TiVo Inc. has chosen to comply with an agreement it has entered into with CableLabs, a consortium representing the cable TV industry and, indirectly, the providers of copyright-protected programming to cable channels, that flag bit is in fact honored by not letting a copy-protected program participate in MRV.

Note that no programs on channels that are broadcast locally over the air and then carried on cable are copy-protected in this way, only many (but not all) programs on cable-only channels.

If a copy-protected program on the first TiVo could be viewed on a second TiVo, then the way that would happen is this: it would be copied to the second TiVo. Thenceforth, it could be watched on the second TiVo ... or the original could still be watched on the first TiVo.

But, no. TiVo Inc. chooses instead to not allow MRV copying of "copy once" originals. As far as I can tell, the main reason is the fear on the part of the cable industry and program copyright holders that the original bitstream could be intercepted and have its copy protection stripped while a legitimate copy is being made across the home computer network.

In theory, at least, TiVo Inc. could go to CableLabs and ask for special approval of a (presently unspecified) scrambling or encryption method that, if used by TiVo DVRs for MRV, would nullify the piracy threat. However, the granting of said approval is not something that has happened ... yet.


The present way of doing MRV ties the original version of a copy-protected program to a specific device: the actual TiVo DVR that made the recording. A non-copy protected recording is, on the other hand, tied to a specific home network, not a specific device on that network. I believe any "fix" for the present inability to share copy-protected programs among multiple TiVos on a single home network would need to make such programs network-specific rather than device-specific.

I believe it was the original intent of TiVo Inc. to do exactly this, but the CableLabs agreement got in the way.

TiVo Inc. apparently intended to base MRV authorization on the TiVo's Media Access Key (MAK). The MAK is a unique 10-digit number that identifies every TiVo. It can be brought up on a TiVo's associated TV screen by means of the Messages and Settings menu hierarchy of the TiVo. Once you know what your TiVo's MAK is, you can (for instance) enter it into TiVo Desktop/TiVo Transfer software on your computer to enable TiVoToGo.

TiVoToGo is the ability to copy (again, non-copy protected) recordings from a TiVo to a computer. Once the copies are on the computer, they can be viewed and/or decrypted, then converted to other video formats such as for use on an iPod.

The decryption of a computer file with a .TiVo extension, once it has been copied from a TiVo DVR to the computer via TiVoToGo, requires that you enter the MAK of the originating TiVo into the computer software doing the decrypting. (That is, the MAK needs to be specified both to copy the recording and to decrypt it. The latter may be done by the same software as the former. If it is not, the MAK has to be specified to both.)


Details of the TiVo encryption-decryption system are hard to come by. Apparently, the TiVo DVR takes the "MPEG-2 program stream" which contains the TV show's video and audio information, as recorded in digital form, and it puts some kind of digital "wrapper" around it. For the original video and audio to be played, the wrapper must first be removed. This is something that cannot be done properly unless the software knows the MAK used by the originating TiVo DVR at the time the wrapper was created — at the time the show was recorded by that DVR, that is.

When a recording is copied from its original TiVo to a computer or to a second TiVo, the wrapper comes along with it. The resulting copy of the original recording cannot be played unless it can be unwrapped first — which can't happen unless the computer or second TiVo knows the MAK.

As I found out when I added a second TiVo to my home network, all TiVos on the same home network share the same MAK! (A TiVo on a different home network, though, has a different MAK.) Clearly, if the MAK is the basis for unobstructed MRV'ing of material on a local home network, all TiVos on the same home net should be able to participate in unobstructed MRV sharing of copy-protected material, in particular. TiVos not on the same network, since they do not share the same MAK, couldn't share the recordings. Neither could computer software applications that have not been supplied with the original MAK.


I suggest as a possible solution to the current MRV impasse that the MAK might be used as a digital "watermark" which the recording TiVo (or any other compliant DVR) visibly embeds in the video of a recording that is being shared via MRV.

Below is a sample of a watermarked image:


In the simplest implementation, "watermarking" would indelibly stamp the copied video recording with the identity (MAK) of its source DVR, which, as I have said, is actually the MAK of the home network. Any DVR with the same MAK (because it is on the same network) could compensate for the watermark and effectively "erase" it from the video as it is being legitimately played back. Watermark "erasure" would be done for legitimate playback only. The watermark would remain a part of the original recording and all copies made of it. Moreover, if a third-generation copy were made from a legitimate second-generation copy, it too would bear the watermark. No matter how many generations of copies were made, every generation's copies would duly inherit the watermark.

In a more elaborate implementation of the watermark strategy, instead of using the actual MAK as the watermark, the watermark could be an encrypted version of the MAK that could be matched for purposes of "erasure" during playback only by using that same encryption key (or a closely related one) to manipulate the supposedly identical MAK which is known to the playback device or application. More on that possibility later.

Or, instead of using the (encrypted or not) MAK as the watermark, the recording TiVo could use the user name on the account to which the TiVo belongs. Because every TiVo on the home network has access, via the network, to the TiVo Inc. database, it could (based on the MAK) fetch the same user name when doing MRV playback of a copy-protected recording. The retrieved user name, instead of the MAK itself, could be used as the basis of "erasing" the watermark for playback.


In any implementation of MRV watermarking, the MAK would be crucial in three ways. First, the MAK would need to be specified by the receiving TiVo to the recording TiVo in order for the latter to gain access to the recording TiVo's Now Playing list. Second, the MAK would be required for the receiving TiVo to be able to "unwrap" the copied recording. Third, the MAK would be required for the receiving TiVo to know how to "erase" the video watermark at playback time.

Similarly, if the destination device were a computer and not another TiVo, the same three mandatory uses of the MAK would apply. All legitimate uses of a watermarked TiVo recording would be MAK-dependent in three interlocking ways.

If a watermarked video recording were intercepted and diverted in an act of piracy, all protocol-compliant computer software, or any protocol-compliant home-entertainment hardware such as a TiVo or another DVR, could simply refuse to play it if that software or hardware were not privy to the same MAK. Alternatively, protocol-compliant software or hardware could go ahead and play it in the assurance that the watermark would show up on screen and effectively ruin the playback.

Non-compliant software/hardware might also play it ... but the watermark would be constructed such that only protocol-compliant software/hardware, on the same network with the recording DVR and therefore privy to the same MAK, could successfully "erase" it during playback. Non-compliant software or hardware accordingly would be able to play the video only in a "ruined," visibly degraded way, owing to the presence of the uncompensated visible watermark.


In the scheme I propose, the watermark, which would show up on a TV or computer screen that was trying to play an unauthorized copy of an original recording, would be in some way based on the MAK of the recording DVR. The MAK uniquely identifies the TiVo account of the owner of the recording TiVo, whose responsibility it is to see that his personal recordings don't show up in someone else's hands. As a legitimate TiVo user wanting to avoid the consequences of having "my" recordings show up in "your" (illicit) hands — I might face de-authorization of my TiVo account, or worse — it would accordingly behoove me to make sure my home network was secure against piracy.

In a worst-case scenario, a video pirate might supply a customer with (a) a watermarked video recording derived from someone's TiVo, along with (b) playback software or hardware that is capable of "erasing" the watermark during playback, but only if given (c) the MAK used to watermark the recording.

That scenario could be averted by encrypting the watermark, as suggested earlier. That is, instead of having the watermark be the MAK itself, it could be an encrypted version of the MAK that would be matched for purposes of "erasure" during playback only by using that same secret key (or a closely related one) to manipulate the original MAK and "erase" the watermark. Our pirate (or his customer) would thus have to know the actual MAK of the recording TiVo, not just the encrypted version thereof which shows up as the watermark. He would also have to know the key used to encrypt the MAK for purposes of creating and "erasing" the watermark.

Such an encrypting key might at some point be discovered by the piracy community and compromised. Because TiVos are regularly updated from TiVo Central by means of an Internet connection or phone line, the encrypting key in question could be changed any time it was compromised. If that happened, MRV copies made with the old key would no longer work.

That is, unfortunately, unavoidable. Occasionally, blameless users would be irked to find a legitimate copy they made only yesterday no longer works today. But that's far better than the current situation, in which legitimate users can never make MRV copies of copy-protected TiVo recordings.

Note also that if the MAK-based watermark were encrypted, casual users who stumble across a pirated video online would be unable to learn the MAK of the source TiVo — which is a good thing. Yet TiVo Inc. or any other authorized watchdog, being privy to the original encryption key, would be easily able to identify exactly whose TiVo the pirated copy originated from.


I realize that the ideas I'm broaching herein are sketchy and provisional. They need to be vetted to make sure they are reasonably watertight. The various interlocking concerns who are involved in this issue do have a right to protect their programming against piracy. No one who says otherwise is going to win that argument.

Still, the key word in that preceding paragraph is "reasonably." It is generally recognized that dedicated pirates will find a way around any copy-protection system, given enough time. The aim is to make it very, very hard for them to do so, since making it absolutely impossible is impossible.

That said, any sketchy proposal such as this one needs fleshing out and thorough vetting by all concerned who would be betting their "family jewels" on the success of the methodology. Such fleshing out and vetting ought to be done in the context of developing a full industry-standard protocol for MRV and "to go" usage of copy-protected recordings made by home DVRs and potentially used by other DVRs/hardware devices/computer applications.

It is the present absence of such a multi-industry protocol and accord which is really to blame for my not being able to MRV my copy-protected recordings of TNT's "The Closer."