Harry Potter and the Spoiler of Secrets

The publishers of the final Harry Potter novel gave it a good run.

But despite unprecedented measures taken to keep all details of 'Harry Potter and the Deathly Hallows' under wraps up to the moment of its official release at 12:01am Saturday morning, digital photographs of the book's pages were leaked over the Internet late Monday, and on Tuesday customers of an online book seller began receiving copies, according to a statement by Scholastic, U.S. publisher of the wildly successful fantasy series.

Could those leaks have been prevented? Scholastic and Bloombury, the U.K. publisher, reportedly spent up to $20 million on security to preserve the integrity of the 'magic moment' of the midnight release. Was that enough? And how much of the security effort was "marketing porn" and how much of it was real?

ChannelWeb spoke with IT security professionals and sources close to the publishing process in an attempt to recreate what the Harry Potter team might have done to protect the manuscript for as long as they did and what they might have done differently to have succeeded in preventing any leaks at all.

We broke the security effort down into three stages.

First, the longest period, encapsulating the editing, revision, design and production process that started when author J.K. Rowling finished her first draft of 'Harry Potter and the Deathly Hallows' in mid-January through to the shipping of the final version to print sometime in late spring. Second, the printing process itself, when the number of individuals handling the manuscript (and potentially leaking it) grew exponentially. Finally, the distribution phase, which may have begun as early as late June, when security almost entirely ceased to be controlled by the publishers and printer, and became the responsibility of thousands of outside distributors, retailers and libraries.

NEXT: Securing The Editing and Design Stage The Editing and Design Stage

Scholastic would not return calls and emails about the security in place for this period. But a detailed -- if somewhat breathless -- account of the security process appeared on Time magazine's Web site on June 27, complete with a timeline documenting the basic chain-of-possession for Rowling's drafts from her home in Scotland to her American editors in New York and back again.

What the Time story doesn't tell us is that Time's parent company, Time Warner, has a huge stake in the Harry Potter franchise. Warner Bros. Studios produces the Harry Potter films and the media behemoth also distributes them.

Security guru and Counterpane CTO Bruce Schneier suspects that when it comes to the hype surrounding 'Deathly Hallows' security, the hype may be a lot more important to the owners of the franchise than the security.

"There not going to lose any money over this, it's just going create buzz," said Schneier, referring to the original bit torrent leak. "But you have to pretend like you care, because it's all marketing."

At the very least, the Time magazine article should probably be taken with a grain of salt.

That said, several details emerge from the Time story. For most of this period, very few people had access to drafts of what would become the 'Deathly Hallows' manuscript. These included Rowling herself, her main American editor Arthur A. Levine, her continuity editor Cheryl Klein, Scholastic lawyer Mark Seidenfeld, artist Mary GrandPre and a few others. In delivering drafts from Rowling to this small group of people and back again, the publishers apparently decided that using human couriers carrying printed pages was safer than sending files over the Internet.

But the fact that this method worked -- there's no evidence anything was leaked during this period -- doesn't mean it was the smartest from a security standpoint.

On at least two separate occasions, according to Time, Scholastic flew individuals to the U.K. to collect hard copies from Rowling in person. But this approach may actually have been less secure, as a practical matter, than electronic delivery. Though it may seem counterintuitive, the physical documents were probably more likely to be lost, stolen, or copied in transit than an encrypted digital file sent over the Internet.

"Securing that type of information within a digital communication is something that's pretty easily achieved today," said Devin Redmond, director of security products and strategy at Websense, a vendor of data leak protection and Web filtering software. "I couldn't see the security benefit in sending someone in person. They may have had some specific reason for doing that, but I don't see it."

The Time piece doesn't detail the stage at which the Scholastic team began working in a digital format to prepare the final manuscript for print, or what kind of IT security was in place to protect this process, if any.

But ChannelWeb has learned that Scholastic is still in the process of investigating different data leak prevention software options, leaving it unclear what IT precautions it may have in place now.

"From a prospects level, we have been in talks with Scholastic," a spokesperson for data leak protection vendor Vontu told CRN. "They're definitely investigating solutions right now, but we don't think they have a vendor in place. They may be 'piecemealing' or using other kinds of security."

NEXT: The Printing Stage The Printing Stage

If Scholastic has been tight-lipped about their security practices, the printer of the books takes inscrutability to new heights of absurdity.

"I'm sorry, but we have no comment regarding any title that we may or may not be producing. We have no comment regarding any security practices that we may or may not use or contemplate," emailed Doug Fitzgerald, executive VP of marketing and corporate communications at R.R. Donnelly, in a reply to queries about the printer's role in securing the book's contents.

But several media reports name Chicago-based R.R. Donnelly as the U.S. printer of 'Harry Potter and the Deathly Hallows', and ChannelWeb's own investigation leads us to believe that the books were printed at the company's Crawfordsville, Ind. plant.

Furthermore, a source in Crawfordsville presents compelling evidence that whatever security practices R.R. Donnelly may or may not have used, they worked.

"I live on the railroad tracks, and during the month of June the tracks were shaking four or five times a night," said Jim Amidon, the director of public affairs at Wabash College, a small all-men's university in Crawfordsville. "I can tell you there has been almost no rail traffic in the past two weeks, so I'd guess the books are out in the warehouses."

Going by Amidon, this means the first bit torrent leak happened about two weeks after the books left the R.R. Donnelly plant. Someone involved in the book's printing may have sat on their prize for a couple weeks before posting it on the Internet, but it seems more likely that the theft occurred during the distribution phase.

As for security at the plant, Amidon described a tightly controlled environment, where employees weren't allowed to bring in cell phones. Brent Rubeck, owner of Crawfordsville Computers, said employees working on the Harry Potter book used special entrances during the project.

"They don't strip search the employees, but the count the paper that's going into the machines. They don't let them take in lunch pails," Rubeck said, relating what friends who work at the plant had told him.

Rubeck, whose business provides IT services and sales for the Crawfordsville area, said he wasn't aware of any outsourced IT security conducted at the plant. Guessing at how R.R. Donnelly might have locked down their systems during the Potter print run, he said he would have gone as simple as possible.

"You would keep very few copies on a flash drive. Not stored on any servers anywhere, not on any network. I don't care if it's encrypted. Somebody there's got a password. Somebody would download a copy just to bring it home to read it themselves," he said.

Without knowing precisely how R.R. Donnelly runs its production and print processes, information security experts could only offer general guidance for best preventing a leak from the IT side of the house. They argue that the best strategy is a three-layered approach encompassing a document management system, a digital rights management (DRM) system, and data leak prevention (DLP) software.

Document management systems are designed to provide version control and collaboration functionality, but also serve as a secure, access-controlled electronic repository for all of the various drafts and edits. DRM systems are designed to protect entire documents, acting as a "wrapper" that prevents unauthorized users from opening them or legitimate ones from copying them. DLP software focuses on the data in a document rather than the document itself -- while a DRM system might prevent someone from e-mailing a word processor file containing a chapter, for example, DLP software might prevent them from sending an e-mail in which they've retyped a few key paragraphs.

"You have document software for creating, editing, collaborating on the content," said Steve Roop, Vontu's vice president of products and marketing. "You have DRM to protect a specific document that happens to be 769 pages long and 2.5 megs. You have DLP to protect the content of the individual pages and the plotlines."

Meanwhile, media reports painted security measures taken at the U.K. printing plant as decidedly more low-tech -- supposedly the British printers made floor workers labor with the lights turned down to unreadably dim during the Harry Potter run.

NEXT: The Distribution Stage The Distribution Stage

"Fundamentally, you can't prevent a leak in distribution," said Schneier. "Because there's too many physical objects. You can protect the manuscript, you can maybe protect the production. In previous years, you could say [to distributors and retailers], 'If you leak it, you can't have the next one.' They can't do that with Book 7.

"There's no technology fix here. It's all about people. This works and fails based on trusted people. The problem is, in the later stages of the book, there's just too many people you have to trust."

Other security pros agreed that the thousand-dollar GPS trackers reportedly installed on delivery trucks or even on the boxes of books themselves would have had dubious security value at this stage of the game.

"As soon as things are in paper format, you have to accept it's going to be out of your control," said Roop. "From the publisher to the printing to the public release, they need to shorten that time frame as much as possible so that they can limit the risk of the paper books being in warehouses, and on trucks, and in the distributors' or retailers' hands. During that time frame you just have to admit to yourself that the potential for leakage is very high."

John Kindervag wonders if all the security hype might have actually had a role in causing the bit torrent leak.

"You have to wonder, did they make a target of themselves with that Time magazine article, by saying no one can get to it? Did they take someone who might not have been interested in doing that and challenge them? I don't know that you want to throw those challenges out to people," said the senior security architect at Vigilar, a Dallas-based solution provider.

Meanwhile, the one legitimately toothy security tool Scholastic still has during distribution -- its powerful legal reach -- has been wielded with increasing frequency as the 'magic moment' approaches.

On Wednesday, Scholastic stated that DeepDiscount.com, a customer of distributor Levy Home Entertainment, had shipped about 1,000 books to customers ahead of schedule. The publishing house promised "immediate legal action" against the distributor and retailer. Blogs and Web sites posting the pirated photo files of the book have been contacted with forcefully worded take-down notices from the publisher. Some sites have even claimed they were contacted by Scholastic for merely posting links to other sites containing such files.

These legal maneuverings raise an interesting question. The Harry Potter franchise may have spent tens of millions securing its magic moment, but how much will all the potential lawsuits wind up costing the public?

The Next Magic Moment

For future book releases of this nature, the experts suggest that a shift to on-demand publishing, where books are printed out on purchase, might be the most realistic way to secure a book's contents all the way up to the point of release. Other solutions -- like time-sensitive locks on reinforced book boxes or light-sensitive RFID strips inside the boxes that would emit a signal if opened -- were considered fun, but either insanely impractical or of dubious functionality.

Ironically, the medium that the 'Deathly Hallows' team had least control over may yet prove to be the best defense for Harry Potter's final magic moment, and future ones. Though Scholastic clearly fears the wild corners of the Internet where Harry Potter fandom speaks freely, it is exactly that wildness that has created spontaneous community shaming of leakers and an effective cloud of misdirection surrounding which spoilers are real and which are fake.

Speaking to ChannelWeb on the phone, Kindervag related just how deeply the devotion to Harry Potter runs.

"In this case, there's no bad publicity. I've got a 15-year-old daughter who's re-reading every Harry Potter book in anticipation of this. She's scared to death about this phone call, because I might somehow find out the ending and give it away. If I leaked that to her, then I'd be in much bigger trouble than Scholastic."