License metadata for web pages is published with the content it describes. If someone publishes false metadata, it can be taken down or corrected.
But with non-web content (such as files on peer-to-peer networks), incorrect metadata can propagate around the network, since it's extremely difficult to get everyone to correct it.
Our solution is to embed a link to a license info page that includes the license metadata, rather than including it directly in the file. For example:
mysong.mp3 links to http://example.com/licenseinfo (using ID3 tags)
The URL for the page that includes license metadata for a file is known as a WebStatement URL after the name used in XMP.
The page at the WebStatement URL should also identify the licensed media file with a content-derived identifier (e.g., SHA1 hash, see example below) or other independently verifiable identifier so that a program can verify that the page is making a license assertion about the media file at hand.
This has additional benefits besides preventing the propagation of incorrect license metadata: the metadata can now be linked to and indexed by search engines. Imagine searching the Web for music under a Creative Commons license, and then downloading it from a peer-to-peer network.
Third parties can also build authentication services that provide additional assurance that the data is valid.
Software will automatically download the license info page. Security impact: anyone who can get you to download their file can cause your software to fetch a page of their choosing and so discover your IP address, just as anyone who can get you to visit their web page can.
Publishing the license info page
The license info page must contain, or HTTP-redirect to a page that contains, a license notice for the file in question. (Readers should be ready to follow several HTTP redirects.)
Example HTML fragment with RDFa:
<span about="urn:sha1:MSMBC5VEUDLTC26UT5W7GZBAKZHCY2MD">
  Example_Song.mp3 is licensed under
  <a rel="license" href="http://creativecommons.org/licenses/by/3.0/">CC BY 3.0</a>
</span>
This fragment includes the statement
<urn:sha1:MSMBC5VEUDLTC26UT5W7GZBAKZHCY2MD> :license <http://creativecommons.org/licenses/by/3.0/> .
which may be read as "File with the SHA1 hash (base32 encoded) of MSMB... is licensed under CC BY 3.0."
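The verification described above, as an added example that is not part of the original page or of any Creative Commons tool: it derives the file's urn:sha1 identifier and returns only the rel="license" links whose RDFa subject (about) is that identifier. The names sha1_urn, LicenseFinder and asserted_licenses and the sample data are constructed for illustration; fetching the page is left out and well-formed markup is assumed.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sha1_urn(data: bytes) -> str:
    """Content-derived identifier: base32 of the raw 20-byte SHA-1 digest."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")

class LicenseFinder(HTMLParser):
    """Collects rel="license" hrefs whose RDFa subject (about=) is `subject`."""
    VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag

    def __init__(self, subject: str):
        super().__init__()
        self.subject = subject
        self.scope = []      # one flag per open element: is its subject our file?
        self.licenses = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # about= sets the subject for this element and its descendants;
        # without it the element inherits the enclosing subject.
        in_scope = (a["about"] == self.subject) if "about" in a else bool(self.scope and self.scope[-1])
        if in_scope and "license" in (a.get("rel") or "").split() and a.get("href"):
            self.licenses.append(a["href"])
        if tag not in self.VOID:
            self.scope.append(in_scope)

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.scope:
            self.scope.pop()

def asserted_licenses(file_bytes: bytes, page_html: str) -> list:
    """License URLs the page asserts about exactly these bytes; [] means unverified."""
    finder = LicenseFinder(sha1_urn(file_bytes))
    finder.feed(page_html)
    finder.close()
    return finder.licenses

# Constructed sample data: stand-in file bytes and a license info page that makes
# one statement about them and one about a different file's hash.
SAMPLE_FILE = b"constructed bytes standing in for Example_Song.mp3"
SAMPLE_PAGE = (
    '<p><span about="%s">Example_Song.mp3 is licensed under '
    '<a rel="license" href="http://creativecommons.org/licenses/by/3.0/">CC BY 3.0</a></span></p>'
    '<p><span about="urn:sha1:MSMBC5VEUDLTC26UT5W7GZBAKZHCY2MD">Another file is licensed under '
    '<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">CC BY-SA 3.0</a></span></p>'
) % sha1_urn(SAMPLE_FILE)
print(asserted_licenses(SAMPLE_FILE, SAMPLE_PAGE))
```

An empty result means the page makes no license statement about the file at hand, so the embedded link should not be treated as a license assertion for it.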
See XMP for tools and code for embedding XMP in PDF and JPEG formats.