Save Firefox (eff.org)
702 points by DiabloD3 on May 11, 2016 | 258 comments


> [The W3C] needs to hear from you now. Please share this post, and spread the word. Help the W3C be the organization it is meant to be.

This isn't about the W3C.

This is about EME, and about the companies that created it and promoted it: Google, Microsoft and Netflix (as you can see on the spec, for example https://www.w3.org/TR/encrypted-media/ ).

Telling the W3C not to do DRM is not going to be effective. The only thing that can work is to put direct pressure on the parties behind EME, and their products: Google and Chrome, Microsoft and IE/Edge, and Netflix.

Not only is it not effective to focus on the W3C, it's counterproductive - it shifts the blame away from the real culprits just mentioned. If you lobby the W3C against EME but still use products from the companies that created EME, you're sending mixed messages at best.

Furthermore, even if somehow we got the W3C to not do EME, it wouldn't matter. Google, Microsoft and Netflix would still be implementing it. They would just find another standards body.


Your last sentence is exactly right.

Sure DRM is bad, but you can't tell people not to build things a priori like that, and DRM will be built because the content studios demand it, and the studios hold the content which everyone wants. The EFF greatly overestimates the amount of influence browser makers have. No amount of technical pressure will make an ounce of difference, because browser makers have literally no leverage on rights holders. If the streaming technology isn't available, then the studios will simply choose not to stream it, and whoever builds it first will have a huge market advantage.

Fighting EME not only is ineffectual, it harms open web standards by giving legs to completely proprietary solutions like Flash and Silverlight. The bottom line is that EME is a cleaner solution which compromises in a way that will make open standards more relevant going forward rather than taking an ideological position that will undermine the utility of open standards in the marketplace.

Instead of attempting to fight a self-harming losing battle, I wish the EFF would focus on the real problem which is the DMCA's overreach. Studios should feel free to build whatever DRM schemes they want, just like the people should be free to circumvent those measures for content they have legally purchased. Copyright law is sufficient to balance individual and studios' rights across a diversity of scenarios with getting a technical quagmire that benefits no one.


I think I agree with you, but the EFF raises some good questions. If content producers have this kind of control, how do you ever create a new browser? And can users really choose their browser if the major publishers have that much control?

In other words, if I want to create a new browser, I then have to convince every single publisher whose content I want to display that they should add me to some list of approved providers. This does seem like it's just going to reinforce any initial power dynamics. I'm not sure what a better solution is though.


I believe this is also the reason why Google, Microsoft, Netflix all support EME.

It essentially makes it harder for new competitors to emerge.


That would be consistent, and relates to the main question I have: Why does the CDM need to be a blackbox? Couldn't the decryption be standardized with all proprietary information boiling down to secret license keys?


The CDM depends on whole-pipe proprietary implementation. You cannot implement, say, a video decoding library that is both open source and prevents the user from rerouting the video output away from HDCP HDMI sinks.


Because what they want to achieve is fundamentally impossible, and has to be done in a security-through-obscurity way.


> Because what they want to achieve is fundamentally impossible, and has to be done in a security-through-obscurity way.

Which clearly cannot both be true at the same time. It isn't that it's impossible but there is actually some way to do it. It's just regular unadulterated impossible.

So why not give up the charade and publish the source code to the DRM? That can't cause it to be ineffective because it's already ineffective. It's not even a fig leaf, it's just security theater.


> Which clearly cannot both be true at the same time.

They meant that all they can do is delay the inevitable for some time by security-through-obscurity. And yes, the IP holders are perfectly aware of that, but preventing piracy even for a few weeks after release can have a measurable impact on their profits.


If that argument was supposed to mean anything then DRM would only be required in the first few weeks after release.

And it assumes that it currently takes weeks before new content makes it to torrent sites, which is not the case.


Years ago, Ian Hickson wrote a perfect analysis of why we have DRM. It's as relevant as ever, and anyone should read it.

https://plus.google.com/+IanHickson/posts/iPmatxBYuj2


Now we're getting somewhere. But there are still a couple of problems.

The first is that controlling the market for players isn't a legitimate purpose. You can't go to a court or Congress and say "we need DRM so we can monopolize and exercise market power in the market for DVD players and web browsers." It isn't supposed to do that, even if it does. So if the studios won't admit to that as its purpose then the people who want to get rid of DRM can easily win the argument against the lie they claim is its purpose. But if they do admit that its purpose is monopolization they also lose, because in that case it is effective but not legitimate. This is, incidentally, the reason why many suspect the reason we still have DRM has something to do with government corruption.

And the second problem is that controlling the market for players doesn't actually do them any good. It is the thing that causes them harm. Making the user experience worse is how you lose customers to piracy (and legitimate competitors).

And it gives power to people they don't want it to. If you buy $2000 worth of content on iTunes and the content providers demand that you re-purchase it if you switch platforms, that doesn't get you to re-purchase it, it gets you to not switch platforms. Which gives the platform providers more leverage over the content providers, because now they have captive users. If you're Fox or Paramount, you do not want your position with respect to Apple to be the one software developers have to the App Store.

DRM is a footgun. It's the opposite of "commoditize your complements." [1] We should get rid of it.

[1] http://www.joelonsoftware.com/articles/StrategyLetterV.html


EME is not even a complete standard, it's basically just a shim to bridge in a closed source DRM module that can do arbitrary things on the host platform, and needs specific DRM module support from providers. You can't just target EME as Netflix, or some other streaming site, you have to target Google Widevine, or Apple Fairplay etc.

Implementing EME in no way enables you to use these DRM technologies, so it's a 100% worthless "standard".

The DRM/CDM modules are not browser agnostic either, and the browser <-> CDM api is entirely unspecified.


> closed source DRM module that can do arbitrary things on the host platform

I don't know about other browsers, but at least Firefox is sandboxing EME modules so that they can only do a few approved things (security bugs aside, of course).


Perhaps the new browsers can implement the Firefox interfaces and install the same proprietary modules if they are so inclined.


Back then, Mozilla's plan was for the CDM to inspect the running Firefox and deny playback if it detects tampering of the relevant browser parts.

How the hell that is supposed to work if the CDM is oh-so-sandboxed is left as an exercise for the reader.

Did anyone actually check that own builds of vanilla Firefox sources are able to use the Adobe CDM? Wouldn't surprise me at all if it only worked with the official Mozilla-signed Windows binaries (yep, at least the Mozilla flavour of the "portable" and "interoperable" EME is provided for Windows and Windows only).


Not legally because of the DMCA anti circumvention clauses, as the post points out.

Reverse engineering or borrowing firefox's code might be technically possible, but that doesn't make it legal.


Yes, having spent the last decade founding and building a premium content streaming service I am well aware of what EME is and how the CDMs work. It is infinitely preferable to a proprietary plugin.


How? It is totally inoperable without a proprietary plugin backing it up.


Because everything else happening on the page is still regular web stuff, not encapsulated in a proprietary plugin like Flash. Essentially much smaller surface area of proprietary stuff, and because each browser only implements one CDM and they are responsible for the integration it doesn't break as much the way that Flash increasingly did over time.


If I go to a page with a video on it that uses flash, the rest of the page works just fine if I don't have the flash plugin installed. This is identical behavior to not having the CDM. If the rest of the page also uses flash, that's entirely separate. It is even possible that the rest of the page could be flash, while playing a video with either the native <video> tag or through a CDM.

Integration between the video and the rest of the page is going to break without {video tag support with the necessary codec,flash,EME support with the necessary CDM}. Again, there is no difference.

You're trying to pretend that there is somehow a more usable page with EME+CDM over flash, when most of the time the video was the goal.

> having spent the last decade founding and building a premium content streaming service

You're fighting against the General Purpose Computer. Sorry, you don't get to run code on my computer without my approval. You don't get to turn my General Purpose Computer into an appliance. If you care at all about preserving any control over your own General Purpose Computers, stop. You've already spent a decade building the seeds of technology that lock down the web. Now John Deere has used the same ideas to take away property rights. You are adding difficulties to legitimate users while the pirates ignore your CDM and go straight to torrents/etc. Was the delusion that you're protecting anything worth these costs?


I grant you that the point is largely video, and I probably made a poor choice to reference other things happening on the page, but even within purely the video playback, a CDM is hands down far less proprietary code than a plugin like Flash which not only is poorly optimized for any given browser, but also introduces a whole host of other issues which a CDM doesn't get anywhere near (eg. flash cookies).

The rest of your comment is just straight up offensive zealotry. Spare me the ideological rants and go re-read my opening comment carefully. I spent the first 7 years fighting against DRM in direct conversation with rights holders. I have signed deals with hundreds of small distributors to stream content without DRM. I have done more for the cause of avoiding DRM in practice than a million EFF press releases which do nothing but preach to the choir. Furthermore, I am not building DRM, I am only implementing existing industry-standard DRM as required by studios. I can choose not to do so, in which case I won't get the content I need to build a viable business, and then I will go out of business, but the status quo will not have changed.

This nonsense about me forcing you to run code on your computer without your approval is asinine. I am not forcing you to run anything, run what you want, but I'm not allowed to stream certain content to you without it, that is beyond my control. If you only want unencumbered content, then don't use my service. This is not the same class of issue as nerfed hardware like John Deere. Like it or not, there is a legitimate reason for legal copyright which is inherently different from property rights, and conflating the two completely undermines any legitimate point which you might wish to make.


> ...a CDM is hands down far less proprietary code than a plugin like Flash

Sure, but it still relies on a binary blob, just like Flash.

> ...I am only implementing existing industry-standard DRM as required by studios. I can choose not to do so, in which case I won't get the content I need to build a viable business, and then I will go out of business, but the status quo will not have changed.

Don't forget the story of how Apple forced the music industry into abandoning DRM on their "high-value intellectual property".

Had Google, Mozilla, Apple, and Microsoft all refused to play ball, and also continued to push towards the removal of Flash and Silverlight from the web, we would likely soon be seeing either the same abandonment of DRM'd streaming video, or the abandonment of streaming video by the major studios (and subsequent void filling by smaller players).


Streaming services would most likely move to native desktop applications, like they do with mobile apps, before abandoning DRM. Netflix already has a Windows desktop application, but they don't seem to promote it much.

https://www.microsoft.com/en-us/store/apps/netflix/9wzdncrfj...


> Was the delusion that you're protecting anything worth

Dude, that's just not how you make friends and influence people. He knows all the arguments, he said it. Wouldn't it be more interesting to try to find with him a way we can all work together towards a better future, without attempting to shame the counterpart into a public admission of moral failure which will, of course, never happen?

That's why Linux has been successful: beyond the zealots, there were significant amounts of people (including Torvalds) who did not ask anyone to repent their proprietary sins before joining. "We build A, you build B, let's see if we can make something together which is a bit more like A, because we honestly think A is awesome, but hey, we like your B as well! It's just that we cannot help you if you keep it to yourself..."

The thing is, "we" are currently not building anything that might allay studios' fears. "We" don't even understand those fears, or choose to disregard them entirely. Of course they'll go out and do their own thing. If there was a safe way to deliver what they want (encrypted tamper-proof streaming) in an open-source package, they would likely consider it. But there isn't, afaik. Are "we" building it? No, we try to slut-shame "them" into giving up. That ain't gonna work, when there are billions of dollars and millions of jobs at risk.


> If there was a safe way to deliver what they want (encrypted tamper-proof streaming) in an open-source package, they would likely consider it. But there isn't, afaik.

The problem is fundamentally that "encrypted tamper-proof streaming" is not possible regardless of whether the implementation is open source. It would be trivial to write free software that respects copying restrictions. And then people would be able to bypass it using the same methods used when the copying restrictions are enforced by proprietary software, i.e. by writing different software that doesn't respect the copy restrictions.

> That ain't gonna work, when there are billions of dollars and millions of jobs at risk.

There is no risk to money or jobs. There is literally more Netflix content on torrent sites than there is on Netflix. Netflix nonetheless makes substantial profits.

Eliminating DRM would reduce piracy by improving the experience of legitimate purchasers without having any effect on the experience of people who download from torrent sites.

> Are "we" building it? No, we try to slut-shame "them" into giving up.

When you encounter someone who is demanding that everyone look for water using a divining rod, you don't build them a divining rod. You teach them that it isn't possible to find water that way.


> The problem is fundamentally that "encrypted tamper-proof streaming" is not possible

In an absolute sense maybe not, but you can have decent approximations. As OP points out, music ended up being ok with watermarking. Hollywood might be ok with something like hardware tokens (which imho would be superior to "just download and execute this blob and shut up").

> There is no risk to money or jobs.

If that was the case, we wouldn't be hearing musicians crying foul about Spotify every other day.

> Eliminating DRM would reduce piracy by improving the experience of legitimate purchasers

At current prices, that's unlikely. The experience is not terrible with current players either; what drives piracy at this point is mostly price. Hollywood doesn't want to give up margins that are unrealistic in the digital age, which is why they fixate on DRM.

> When you encounter someone [...] You teach them that it isn't possible

There is teaching and there is shaming. Shouting at them that they are morally-corrupt buffoons is not "teaching".


> In an absolute sense maybe not, but you can have decent approximations.

No you can't. It's all inherently snake oil. The nature of the universe is such that if you can see something then you can copy it. Either you get people to respect copyright by believing in the social contract or you lose. There is no technological solution.

> As OP points out, music ended up being ok with watermarking.

Watermarking isn't DRM. (Though it shares a lot of the same failings in the sense that it reduces quality for legitimate purchasers and can be removed by pirates.)

> Hollywood might be ok with something like hardware tokens (which imho would be superior to "just download and execute this blob and shut up").

That kind of hardware is just software embedded in silicon. Any "hardware token" can be fully emulated in software as soon as you extract the keys out of it, which somebody is going to figure out how to do and then tell all their pirate friends how to do. By the time the hardware is in enough hands that you can require it to be used, it's already broken. And you can't patch silicon over the internet, so the pirates win for a decade. Then you come out with some new hardware that pirates have several years to break before it's in enough hands that you can require it again.

> If that was the case, we wouldn't be hearing musicians crying foul about Spotify every other day.

Spotify has DRM. Losing money to competition is not the same thing as losing money to piracy.

> At current prices, that's unlikely. The experience is not terrible with current players either; what drives piracy at this point is mostly price.

It's mostly not. A Netflix subscription is extremely affordable. The problem with it is that their app kind of sucks, and even that is rainbows and sunshine compared to the unmitigated horror of cable TV set top boxes. Movie companies should stick to making movies and leave the software to Canonical and Apple and Google.

> Hollywood doesn't want to give up margins that are unrealistic in the digital age, which is why they fixate on DRM.

Except that those two things have nothing to do with each other.

> There is teaching and there is shaming. Shouting at them that they are morally-corrupt buffoons is not "teaching".

That's because there are three different sets of people: The actual artists, the morally-corrupt buffoons, and legislators. Teaching is what the artists need. The others need something else.


slut-shame? Is that a good analogy?


If you don't want DRM, don't watch media that requires DRM. Nobody is making you use it. It's something you use because you want to use Netflix, etc.


Exactly. What I have found is that when I examine deeply enough, most DRM content is not even worth it, and even for purely entertainment purposes, there exist plenty of non DRM solutions: movie theaters, libraries, outdoor activities to name just a few. I found Michael Niedermayer's quote very nice in this regard: "Breaking DRM is a little like attempting to break through a door even though the window is wide open and the only thing in the house is a bunch of things you dont want and which you would get tomorrow for free anyway" (https://ffmpeg.org/pipermail/ffmpeg-devel/2016-January/18824...).

And if you really don't even want to accidentally support or open such DRM content, you can configure the browser appropriately (media.eme.enabled and --disable-eme in Firefox).


This is exactly what I do, I disable EME in all browsers I use first thing after installing. Anything that is DRMed is not worth my time.


(Not PP.)

> If you don't want DRM, don't watch media that requires DRM.

Well, obviously I don't.

> Nobody is making you use it.

The point is that there are fears that this could change once DRM is entrenched enough -- and getting into browsers is a Big Step along that road. (Hence the talk about changing General Purpose computers into appliances.)


Yes, perhaps in the future, movie and computer game studios will lobby hardware manufacturers like Intel, AMD and ARM for locked-down hardware (non-free BIOS etc.) in order to protect their DRM.

I think general purpose computers and entertainment computers really need to be separate. Movies and AAA computer games cost a lot of money to produce, so I understand that the studios want to protect their investments with DRM. However, locked-down computers that users don't control themselves are fundamentally incompatible with a free society.

The only solution I can see for people to both preserve their freedom and enjoy some AAA content is to own 2 computers: 1 for AAA entertainment and another for everything else. Fortunately, computers are getting cheap and tiny.


And that would be why I don't use Netflix.


I was working for Mozilla when EME first came up, and sat in one of the big sessions at that year's Mozilla Summit about it. Wrote up some thoughts here:

http://www.b-list.org/weblog/2013/oct/16/eme/


> The EFF greatly overestimates the amount of influence browser makers have.

The only reason the MAFIAA is lobbying the W3C and bribing Microsoft / Google / et al to support their backwards DRM is because the web has leverage over them.

There would have been no market for this if there was not publisher demand for baked-in proprietary DRM at the browser level, because they knew they were constantly losing revenue depending on broken flash / silverlight plugins.

If these companies had not caved to their demands, they would have had to accept gradual obsolescence since the web would have been wholly incompatible with their outdated business model. Because, up until this point, the web has been demonstrably more important to people than access to traditional big media IP, because they were losing revenue and market share.


>Fighting EME not only is ineffectual, it harms open web standards by giving legs to completely proprietary solutions like Flash and Silverlight. The bottom line is that EME is a cleaner solution which compromises in a way that will make open standards more relevant going forward rather than taking an ideological position that will undermine the utility of open standards in the marketplace.

Counterpoint: Flash and Silverlight, being "unclean solutions", are fundamentally hampered - the market split, and "HTML5" won (for now). The mere existence of a widely-accepted "clean solution" could easily do more harm than good.


> The EFF greatly overestimates the amount of influence browser makers have.

And you greatly underestimate it. Look at the history of DRM in music.


Apple made highly successful hardware, players named iPods. Apple effectively controlled what most users put on these players. The music industry had to consider it. And getting rid of DRM there took many years.


>DRM will be built because the content studios demand it, and the studios hold the content which everyone wants

Why do you believe the copyright holders (or the browser makers) are the ones who potentially hold absolute power in this scenario, rather than the users? Any DRM is an unsustainable system, EME is not going to change this. I also have strong doubts that EME will do anything to push the so-called "content industry" towards better sustainability as you suggest it will. There is still zero incentive for any knowledgeable user to buy into it. If anything it will just make the system more complicated because of the proliferation of even more competing, incompatible DRM systems that only work on certain devices with very specific configuration requirements.

I agree that some of the ridiculousness in the DMCA is part of the problem, but this isn't going to be solved by building more walled gardens, it's going to be solved by thinking about how it can actually benefit the user in the long run.


> Any DRM is an unsustainable system

Agreed. Every implementation of DRM has been or will be broken eventually, and can keep people out of something that wasn't intended to be always locked.

Putting DRM on software and music is like building shitty locks into every book in the library or single in the record store. It doesn't make sense.


> No amount of technical pressure will make an ounce of difference, because browser makers have literally no leverage on rights holders. I

That's completely false. What would rights holders do if no browser supported their DRM extension? Stop streaming altogether? Browser makers just didn't want this fight because most of them have online streaming ventures of their own.


What's the endgame? Free OSes "banned" from the "open web"?


Not from the open web, but excluded from participating in parts of the web economy and content.

I am under the impression that the big content owners have renewed faith in winning the battles on the two fronts that matter to them: enforcing end-to-end controlled digital channels, from service to the consumer's own computer (DRM), and preventing the alternative of piracy.

They have learned that piracy cannot effectively be prevented by technical means, but that no longer matters if you can scare the vast majority of consumers with lawsuits and out of court settlements. This is now happening in a lot of economically strong countries.


I think this poses a real threat to the open web itself.

First we have DRM video and soon after music.

Next the game industry wants to protect their source code. And app developers.

After that come images. A lot of companies would love to display their pictures but keep them from being "stolen".

And, at last, normal text will also be DRM'd and the open web is history.


> Instead of attempting to fight a self-harming losing battle, I wish the EFF would focus on the real problem which is the DMCA's overreach.

I have heard that this is too high a hurdle. Why is that?


Because, for all of its sins, the DMCA provides one very crucial piece of legislation, without which the web as we know it would crumble: Safe Harbor.

Without the Safe Harbor, people wouldn't be getting takedown notices or content ID - sites like YouTube, Reddit, Hacker News, comment boards, blogs... all would have been sued into oblivion years ago, as they would have been held liable for the content uploaded by their users.

Fixing the DMCA, then, requires a precise modification of the law, not just a straight up repeal - and getting that done without losing ground in other areas would be a tough job for any lobby or politician.


"browser makers have literally no leverage on rights holders."

Yes they do. They could implement a torrent client directly in the browser, and add a few torrent search engines to the standard search engines, so that searching and streaming a torrent becomes as easy as searching and streaming a youtube video.


Exactly, I think you can't win versus a drm movement. The only thing you can do is make the thing as open, public, regulated and planned as possible.

But I think they will try to block it, because, reasons. And then we will end with an implementation for chrome, ie, opera and a plug-in for Firefox...


You're slightly wrong. The people you want to put pressure on is not Google, Microsoft, and Netflix--it's people like the MPAA and the RIAA, who are the ones obligating that Netflix do this sort of stuff to get access to the content.


This is better, but still not enough. You can only put pressure on all of these parties (and others) by going to the top: change the law. This at least has a better chance at succeeding than telling people to not watch great shows.

While I wait for that to happen or not, I'll continue not using Chrome, IE/Edge, or Netflix -- nor buying music or movies except in a form I can copy and distribute and play on local devices with no network and no proprietary or secret bits. EME existing or not doesn't affect me one bit.


If FF had declined to put EME in the build (as many believed they should) then perhaps some pressure could have been brought to bear. At this stage, I don't think it matters who you email, it's done.


Incorrect. If Firefox had not put it in, nothing would have happened because programmers have (largely) decided to give chrome a majority market-share amongst them, and advocate it to their non-technical peers, increasing its market share amongst that group as well.

If programmers actually used firefox and advocated it to the point where it had a majority market share then maybe their refusal would carry some weight.

But as it stands the web dev community has said loud and clear what their priorities are, and this is just a natural consequence of that.


I don't understand anyone's desire to support a Google-backed browser.


I used to make an effort to use FF, but it gradually got slower, froze up more often, had problems with content I was viewing.

The final straw was when they had a big update. Instead of fixing any of these issues, they gave me the ability to call people with service I don't use by clicking a link :/


Similar boat here. I abandoned Firefox back in the day due to the memory and freezing problems, and general lack of responsiveness compared to Chrome. The difference in everyday use was massive here; we went from having a browser that could hardly handle having 3 tabs open while using a gigabyte of memory, to one that worked flawlessly and used a fraction of the resources. Firefox then put in a lot of effort fixing those issues. By this time though, Chrome's built-in DevTools was more robust for my tastes compared to Firebug or the horrific early versions of their built-in replacement. I had a good development setup, all the addons I needed, and a fast browser. I simply had little reason to switch back.

I did spend a brief period swapping back to Firefox for the sake of perceived privacy, but then they started bundling all sorts of third party bloatware and it was just too much. I'm not a superfan of the information I imagine Google collects from my using Chrome, but the browser itself is just too good to give up. Firefox now only gets opened to verify cross-browser functionality of frontend UIs I work on, and on rare occasions when I want to use a proxy in a browser without it being used system-wide.


I personally think that firefox got a lot better recently. I've been using ff dev since it launched, and it's been pretty good. And in speed tests, it's started to beat Chrome, although things may have since reversed.

But then, I'm not a web developer


>I'm not a superfan of the information I imagine Google collects from my using Chrome, but the browser itself is just too good to give up.

If you don't want to send information back to Google, don't use Chrome.

Use Chromium instead. It's Chrome, but without the spyware, and only has the open-source components.

It won't work for Netflix though, but for all your other browsing, it should work exactly the same as Chrome. Keep Chrome around for Netflix.


I've got chromium working for Netflix on Linux, haven't tried on windows though.


People might be less likely to use Chrome if it was branded as "the DoubleClick browser". :)


I also use FF in day-to-day both due to privacy concerns and general fitness for my style, but chrome's dev tools are objectively superior, you have to face it...


I do.

Browser can be either better technically, or you might have valency for certain design decisions.

If there is a browser vendor that claims certain social values, but is constantly failing to execute them in the design, you might as well just use the technically better one that does not pretend to protect the values you consider worth protecting. You will be spared the constant disappointment.


When it was launched, Chrome/Chromium had 2 advantages over Firefox: Speed and superior developer tools.

Chrome was unbelievably quick: the moment you clicked on the launcher, the browser 'chrome' (heh) appeared instantaneously. Firefox was comparatively sluggish, and notoriously memory hungry (though that might have been the fault of sloppily written plugins).


Speed mostly.


I don't have an issue with them including it, but to make it impossible to remove in an easy 1,2,3 clicks like you can with regular extensions is absolutely asinine. Browsers need to be more modular in this respect but I may be the minority with this opinion.

I wish browsers were more like uzbl, where the default was a simple browser and add-ons were like Linux distros. You could have a Firefox browser distro with Firefox branding and plugins to get great features but be able to remove them easily or strip it to its bare core.


It doesn't have to be. If consumers stop using EME-supporters' browsers, things can change quickly.

We have the power, but sadly not the will.


Actually it's not that hard:

1. Go to https://ftp.mozilla.org/pub/firefox/releases/

2. Click on the largest version number (46.0.1 right now)

3. Select "EME-free" under your OS

4. Select your language of choice

For the lazy:

https://ftp.mozilla.org/pub/firefox/releases/46.0.1/mac-EME-...

https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win64-EM...

https://ftp.mozilla.org/pub/firefox/releases/46.0.1/linux-x8...

This makes a difference. You won't be able to watch EME-locked content, but every time you try, a content publisher will have to come up with the resources to send you the page with the locked content, all to no avail.

Of course, you'll probably either cancel your Netflix or find a workaround. But you won't be casually supporting EME on sites you never knew were using it. Your every day browsing will automatically block EME.

"The Net interprets censorship as damage and routes around it." - John Gilmore


You can turn it off in the options. From https://support.mozilla.org/en-US/kb/enable-drm

Opt out of CDM playback, uninstall CDMs and stop all CDM downloads

You have the choice to globally opt out of HTML5 DRM playback. Once you opt out, Firefox will delete any downloaded CDMs from your hard drive, cease all future CDM downloads and disable DRM playback. This affects only DRM-controlled HTML5 audio and video. To opt out of HTML5 DRM playback completely, follow these steps:

    Click the menu button and choose Options.
    Click the Content panel.
    Remove the check mark next to Play DRM content.


No such option in Firefox 46.0 on Ubuntu 16.04.


EME is not enabled by default in Firefox on Linux.


For a normal user, the problem is that the Play DRM content checkbox is hidden by default.

In order to enable it, you must go to about:config and enable browser.eme.ui.enabled. While you are there, you can just disable media.eme.enabled and media.eme.apiVisible.


Are you on Linux? The "Play DRM content" checkbox is shown by default on Windows and Mac OS X.


The default for OSX is hidden - http://imgur.com/3AdT6Vs (46.0.1)

On Windows, it is shown indeed (45.1.1 ESR).


Thanks for the correction. I forgot that EME support (using Google's Widevine CDM) won't ship on OS X until Firefox 47, which is still in the Firefox Beta channel for another few weeks.


Thanks for the info.


On most Linux distributions, Firefox is built from source and then shipped via a package manager. At least on Arch, --disable-eme is not passed as a configure flag. Yes, one could build Firefox oneself, but it is a beast to compile. It is also ridiculous that this needs to be done at build time.

A perhaps easier approach that should work based on the name (but I have not confirmed it) is to lock via the user.js method user_pref/lockPref("media.eme.enabled", false). If this works as intended, then simply making this config file part of the deployment should be enough.
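A deployment check for the preference approach discussed above, as an added example that is not part of any comment in this thread. It relies on the fact that `user_pref()` is the directive read from user.js while `lockPref()` is an AutoConfig (.cfg) function; the function names, status strings and both sample files are constructed for illustration, and only the two directives and the EME prefs named in the thread are considered.

```javascript
// Added example (not from the thread): audit Firefox preference files for the
// EME prefs mentioned above. Names and sample files are hypothetical.

// Only the two directives named in the thread are considered here.
const DIRECTIVE =
  /^\s*(user_pref|lockPref)\s*\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;?\s*$/;

// Which directive each file kind accepts (assumption of this example:
// user.js takes user_pref(), an AutoConfig .cfg file takes lockPref()).
const ACCEPTED = { "user.js": "user_pref", autoconfig: "lockPref" };

const EME_PREFS = ["media.eme.enabled", "media.eme.apiVisible"];

// Remove // and /* */ comments without touching string contents
// (pref values such as URLs legitimately contain "//").
function stripComments(text) {
  let out = "", i = 0, inString = false;
  while (i < text.length) {
    const c = text[i], next = text[i + 1];
    if (inString) {
      out += c;
      if (c === "\\") { out += next ?? ""; i += 2; continue; }
      if (c === '"') inString = false;
      i++;
    } else if (c === '"') {
      inString = true; out += c; i++;
    } else if (c === "/" && next === "/") {
      while (i < text.length && text[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      out += c; i++;
    }
  }
  return out;
}

// Pref values are booleans, integers or double-quoted strings.
function parseValue(raw) {
  if (raw === "true" || raw === "false") return raw === "true";
  if (/^-?\d+$/.test(raw)) return Number(raw);
  if (/^"(?:[^"\\]|\\.)*"$/.test(raw)) {
    try { return JSON.parse(raw); } catch { return undefined; }
  }
  return undefined;
}

// Returns the prefs that take effect for this file kind, plus the directives
// that were written but do not belong in that kind of file.
function parsePrefs(text, fileKind) {
  const prefs = new Map();
  const ignored = [];
  for (const line of stripComments(text).split("\n")) {
    const m = DIRECTIVE.exec(line);
    if (!m) continue;
    const [, directive, name, raw] = m;
    const value = parseValue(raw);
    if (value === undefined) continue;
    if (directive !== ACCEPTED[fileKind]) {
      ignored.push(`${directive}("${name}")`);
      continue;
    }
    // A later line for the same pref replaces an earlier one.
    prefs.set(name, { value, locked: fileKind === "autoconfig" });
  }
  return { prefs, ignored };
}

// Classify each EME pref: unset, enabled, disabled (user can flip it back),
// or locked-off (set to false by a lock the user cannot change in the UI).
function auditEme(text, fileKind) {
  const { prefs, ignored } = parsePrefs(text, fileKind);
  const status = {};
  for (const name of EME_PREFS) {
    const entry = prefs.get(name);
    if (!entry) status[name] = "unset";
    else if (entry.value !== false) status[name] = "enabled";
    else status[name] = entry.locked ? "locked-off" : "disabled";
  }
  return { status, ignored };
}

// Constructed sample: a user.js that mixes in an AutoConfig-only directive.
const USER_JS_SAMPLE = [
  '// constructed sample user.js',
  'user_pref("media.eme.enabled", false); // off, but not locked',
  'lockPref("media.eme.apiVisible", false);',
  'user_pref("browser.startup.homepage", "https://example.org/"); /* has // */',
].join("\n");

// Constructed sample: an AutoConfig file that locks both prefs.
const CFG_SAMPLE = [
  '// constructed sample AutoConfig file',
  'lockPref("media.eme.enabled", false);',
  'lockPref("media.eme.apiVisible", false);',
].join("\n");

console.log(auditEme(USER_JS_SAMPLE, "user.js"));
console.log(auditEme(CFG_SAMPLE, "autoconfig"));
```

The `ignored` list is the useful part for a rollout: it surfaces lock directives placed in a file kind that does not take them, which would otherwise leave the pref at the browser default.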


Guess which version will be packaged on the popular Linux distros.


Consumers have the power but not the knowledge. Users have the knowledge but not the power.

We don't like EME for technical reasons that the average consumer does not understand. Consumers will embrace EME because it connects them to content providers and not doing so would be like the linux users from over a decade ago who couldn't run flash.


I would guess I'm in a small minority but I don't want my browser to play media. I want to use separate applications for that. The browser can know what I want to launch, and offer to do it, but I don't ever want media to play within a web page.


You are not alone. Even ignoring the problems of Flash, most web players are so bad I much prefer to just pass URLs to mpv but ... I don't want them to be better, I want it to be easier to use external programs of my preference.


That goes without saying. I don't think EFF encourages anyone to use DRMed services, quite the opposite.


I didn't know that. I think that Netflix, Google Play Movies, etc. are the only valid use for DRM: high value content that is rented.

Types of DRM that are bad magazines this is just my opinion, are eBooks, music, etc. that are purchased.

I donate a few times a year to EFF and FSF. I think there are occasions when DRM is OK, and even though I almost exclusively use Linux laptops (just converted my last Mac to Linux this week) other people using proprietary software does not much bother me.


There is no valid use of DRM. It's always invalid. It's based on its unethical nature (overreaching preemptive policing).


I mostly agree with you, and I think we are largely on the same side, but the case of renting a newly released movie does to seem different. That said, I would be very happy if there were no DRM in the world, and I would just go to the movie theater to see new movies.

I was the featured Creative Commoner many years ago, and I appreciate a world where Creative Commons licenses are used and mostly libre software is used, but while I can afford to release a book under CC, which I have done a few times, a movie studio that drops 100M making a film can not use CC.


The problem is that DRM is incompatible with an open computer, and leads us to the situation we are in on mobile, where users can't control their computers at all.

Content producers have the right to rent their content. They just don't have the right to cripple the entire economy and everybody's infosec doing so.


> but the case of renting a newly released movie does to seem different

Why? Genuine question.

DRM doesn't save new movies from piracy - new releases still hit the public torrent sites extremely quickly (sometimes before release).

And I don't understand what CC has to do with DRM. One is an intellectual property license, the other is a bucket of suck that categorically cannot work if users are to be allowed to control their own machines.


I don't think it's really different. I don't think DRM has ever prevented any content from being freely available on the internet; it merely annoys legitimate users who paid for it (or would have paid for it if the content had been readable on their system).


I think mark_l_watson has a point, when it comes to renting or streaming content DRM is the publisher's method of control. It's when I purchase a single player game that is online only that I get angry.


Renting doesn't excuse the overreaching nature of DRM however, and its usage of presumption of guilt. I.e. such level of control is still unacceptable. Besides, all that is purely theoretical in case when the rented digital product isn't available DRM-free for purchasing (which can be pointed out to as an option for those who don't want renting). And in case of video, that's exactly the situation. I.e. it's not DRMed because it's rented, it's DRMed because they just want to always DRM it.


Out of curiosity, what's your proposal for enforcing rental contract business rules on a viewer's device?

Content providers see DRM as an implementation of a movie ticket system. You know, walls, doors and a doorman that kick you out after the movie is over. Also far from honour system.


See below. In reality, this DRM has nothing to do with rental, because you can't buy same content DRM-free anyway.

And nothing should be "enforced" on the user's device. It's the user's, not anyone else's. Your analogy with the movie theater is invalid, because there you visit, and leave when it's finished. Here it's your private [digital] space, and no DRM junk should have any business violating your privacy for any kind of enforcement purposes.


I don't even think it is Google, Microsoft, and Netflix. It's the media companies and film studios, which demand protection for their valuable products. When Netflix signs a license for a film or show, even its own, this license certainly says that it has to be copy protected, like with Blu-ray discs.

I also don't get much of the argument of the EFF. A browser which doesn't support EME can't use sites which require EME, like Netflix. Maybe my English is bad or the text badly written.


The main question is: who pays to make the standards?

W3C's biggest sponsors are corporate companies such as Google or Microsoft. It gives these companies a lot of weight.


Browsers want to get rid of Flash and other plugins. Netflix was the largest site using Flash. Netflix distributes content, and the content owners aren't willing to have their content distributed.

I don't disagree with what you say, but it's possible to see EME as a pragmatic inevitability, assuming that browsers want to get rid of plugins (which seems like a good change) and assuming that content owners demand DRM (which makes less sense to tech-minded people).


> Netflix was the largest site using Flash.

Netflix didn't use Flash; it used Silverlight.

> don't disagree with what you say, but it's possible to see EME as a pragmatic inevitability, assuming that browsers want to get rid of plugins

Or browsers could just collectively get rid of plugins, and the media industry could whine ineffectually at the lack of DRM. They're not going to build their own browser, and people wouldn't use it if they did. Netflix wouldn't go away; millions of people would complain if it stopped working.


>Netflix wouldn't go away; millions of people would complain if it stopped working.

The Media industry would likely rally behind a platform that decided to play ball (like HBO Go), which would then implement some frankenstein DRM solution. "Get rid of plugins and the studios will adopt non-DRM solutions" seems about as useful as "Get rid of Limewire and people will stop pirating."


They 100% would "build their own browser" in the form of custom apps.

Hell they already do on just about every platform except desktop...


Netflix already has their own Windows desktop app:

https://www.microsoft.com/en-us/store/apps/netflix/9wzdncrfj...


So why corrupt the Web? Why not just tell people to install the app?


First, the app only works on Windows 8/8.1/10 and a lot of people are still running earlier versions of Windows.

Second, many of the people running Windows 8/8.1/10 know so little about apps that they're "against" them.


> First, the app only works on Windows 8/8.1/10 and a lot of people are still running earlier versions of Windows.

Why not port it to Windows 7?


Windows 7 doesn't provide the Windows Runtime infrastructure to support sandboxed, remotely-maintained, universal apps. They'd have to write a new desktop program, and that's pretty unlikely.


Maybe, but Netflix isn't some little 2-bit company, they're huge and definitely have the resources to build a new program. Now obviously, building a new desktop program to support a dying OS might not make that much sense, but if the customers demand it, Netflix can do it.


They don't need to build a desktop program for Windows 7 when they can show video in a browser.

The advantage of building a Universal app using Windows Runtime is that it will run on Windows 8/8.1/10, Xbox One and Windows Phone. That's more than half a billion users....


Even understanding them doesn't make you necessarily 'for' them!


Really? Why not?


I never understood why it needed to be built into the browser. Why isn't Netflix just a (native) app like Popcorn Time?


Native apps need to be installed and kept up-to-date, bringing portability issues. I now have to install the app on all devices I need to watch Netflix on. Meanwhile, all devices have a browser installed.


It is only inevitable insofar as the old open web was incompatible with proprietary DRM. The real ethical answer would have been for the W3C and browser ecosystem to ignore the MAFIAA and let them flounder without baked in user freedom destroying DRM.

They would have to start shipping their own proprietary apps to support their DRM, which is how things should have been. Browsers could have gotten rid of plugins without DRM by forcing the old publishers to not be able to operate exclusively through web sites.


Media DRM is not and never was primarily designed to prevent piracy. Rather, DRM is used by content producers (Fox, Disney, Warner, etc) to assert control over the rest of the vertical market. This article is a prime example of this. Thanks to DRM the movie studios force browser vendors to sign agreements to get access to the CDM, and from that agreement they can assert control. They can subtly suggest, for example, "Hey, Mozilla, could you revamp your plugin API to make blocking ads harder? It's fine if you don't, but, oh, by the way, your CDM agreement expires next month. Looking forward to seeing you at the re-negotiation meeting."

The same thing goes for encryption on Blu-ray discs, which forces Blu-ray player manufacturers to sign agreements with them. HDCP on HDMI and DisplayPort asserts control over TV manufacturers and infests video cards.

This is the same industry that pushed the DMCA on us, extends copyright in perpetuity, sues families because their kid downloaded an MP3, would like nothing more than SOPA to pass, etc, etc.

I know that the comments here like to demonize Google, Microsoft, Netflix, etc. Honestly, I don't believe it's their fault; Netflix in particular. Netflix is in no position to fight this. If they say no, the media empire will pull all their licenses and the company will collapse. And Netflix is already fighting for its life against these same companies for net neutrality (the major ISPs are owned by the media empire...). Google is leashed by its need for advertising revenue. Microsoft is beholden to its customers, who want access to DRM'd content.

In other words, we shouldn't be taking our fight to the W3C, Google, Microsoft, Netflix, etc. The media empire is the real enemy here. And there's hope. The rise of cheap, digital cameras and distribution platforms like YouTube and Twitch has enabled a wide array of independent artists to create AAA content mostly unbeholden to the incumbent media giants. Some of the best and most entertaining content I've watched has come from Patreon funded YouTubers. If that was the only content that the world watched, the media empire would starve and wither away, and DRM along with them.


Is there real evidence for this? Does Paramount care about ad blocking?

I feel like the simple explanation (DRM is about piracy + a certain worldview about effectiveness about DRM) is a bit easier to believe than a conspiracy.

DRM is being used as a red herring so that movie studios can control web browsers? What?


Paramount is a subsidiary of Viacom, which does care about ad blocking.

Here's an interview where the CEO fields a question about the topic: http://www.businessinsider.com/viacom-bob-bakish-interview-2...

"Some of the traditional — dare I say — mediums like television remain very healthy and very attractive for advertisers because they're not subject to the whims of adblocking."


> This system, "Encrypted Media Extensions" (EME) uses standards-defined code to funnel video into a proprietary container called a "Content Decryption Module." For a new browser to support this new video streaming standard -- which major studios and cable operators are pushing for -- it would have to convince those entertainment companies or one of their partners to let them have a CDM, or this part of the "open" Web would not display in their new browser.

This is the crux of the issue. The W3C is creating a standard which gives control to the publishers over which browsers can display their content.

Whether that's "right" or "wrong" is worth debating, but sometimes the real issue at stake gets obscured in these discussions.


I've read many articles critical of EME and this is the first time I've heard this information. If true, as you said, it is THE issue.

It was always my assumption that EME represented a standard way for CDMs to interact with the browser. EME is to CDMs as NPAPI is to plugins. That is to say, a CDM can theoretically work in any browser implementing the EME standard. Is this assumption completely false?


That assumption may indeed be false.

See here[0] in the FAQ "What does this mean for downstream users of the Firefox code base?"

>>> The solution consists of three parts: the browser, the CDM host and the CDM.

>>> However, the CDM will refuse to work if it finds itself in a host that isn’t identical to the Mozilla-shipped CDM host executable.

At first, I interpreted this to mean Mozilla, not Adobe, had implemented the restriction due to some particulars about the deal with Adobe. But I was wrong...

>>> This leaves downstream users of the Firefox code base with the following options:

>>> 4. Making arrangements directly with Adobe to get a non-Mozilla CDM host executable recognized by the CDM.

In other words, the CDM can discriminate on the CDM host.

My only hope is that this is non-standard temporary behaviour while Mozilla finishes EME. Otherwise, this is extremely terrible.

[0] https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...


...and this - I guess - is where the DMCA issue that the EFF raises comes in.

Because sure, you could build a browser that loads Adobe's CDM and fools it into thinking it's been loaded into Firefox - but if you did that, you could well be construed as defeating a technological copyright protection method.


So then, the only way CDMs are acceptable IMO is if they're never given enough information to know where they're running.

This should be a critical part of the standard and I'm surprised I haven't heard the EFF pushing for this, specifically. If the CDM has enough information to discriminate, your choice of browser for watching DRMed video is entirely in the publisher's hands.

The fact that you may get in trouble for fooling the CDM to run on another browser is almost beside the point. Why should we trust a black box with ANY information outside of the DRM-specific?

A website can refuse to load based on my user-agent, for example. However, I have full control over what the website knows about my browser including my user-agent. Because of this fact, I am always free from browser-discrimination on the Web.

But I have zero control over what the CDM knows about my browser. Therefore, the CDM has complete and unavoidable ability to prevent me from accessing parts of the public Web based solely on my choice of browser. AFAIK this is unprecedented. It means that users are no longer free from browser-discrimination, perhaps for the first time in the history of the Web.


> This should be a critical part of the standard

The standard is not at all concerned with the browser-CDM interaction, sadly. And yes, that's a major issue with the standard. We (Mozilla) brought it up repeatedly when the standard was being developed, because it causes precisely the issues you describe, and basically got ignored. Microsoft, Google, and Netflix (the editors for the standard) simply didn't see this as a problem.

Now in practice, Mozilla aims to give the CDM as little information as possible, because we think it's the right thing to do. But nothing in the EME standard requires us to do that, and I can't tell you what other browsers do with their CDMs.

> It means that users are no longer free from browser-discrimination

That's correct. You never _really_ were, by the way: sites can and do use Modernizr-like testing instead of UA string sniffing to detect what browser you're running, so the only way to avoid being discriminated against by a site that really wants to discriminate is to have a browser which responds the same way an "approved" browser does to all API calls... Doable, but in practice requires using an "approved" browser with some tweaks that are invisible to the site.


> a CDM can theoretically work in any browser implementing the EME standard

Nope, it's the opposite. The CDM API is not standardized and in practice every browser uses a different CDM: Chrome has Widevine, Firefox has Adobe, IE/Edge has PlayReady, and it's not clear what Safari uses.


The CDM API is called "EME" and it is a standard. That's why Widevine can be made to work with Firefox (https://github.com/i-rinat/gmp-widevine).

EDIT: Firefox now supports Widevine

> Beginning in version 47, Firefox desktop also supports the Google Widevine CDM.

https://support.mozilla.org/en-US/kb/enable-drm

The issue with browser-specific CDMs at this time seems to be only because of varying completeness of EME implementations.


"EME" is the API CDMs expose to scripts, with browser mediation. It's not the API CDMs expose to the browser, which is not standardized at all, sadly.

> The issue with browser-specific CDMs at this time seems to be only because of varying completeness of EME implementations.

No, it's basically baked into the standard, because the editors were fine with having CDMs be browser-specific.


Bullshit. EME specifies a Javascript API for use by websites.

What Firefox uses to talk with a CDM is right there in the name of that Github repo: it's an interface called GMP and was created by Mozilla specifically for video/media-type browser plugins.

It's not used by Chrome, Safari or any other non-Mozilla browser.


That shim exists because Chrome and Firefox have different CDM APIs. There isn't a common API.


The common API is called "EME". Chrome and Firefox's APIs are different because they're unfinished.


That "EME" API is what is exposed to scripts (think DOM). Not how the browser and CDM communicate (think XPCOM).


Sadly, the assumption is false.

The EME standard is a standard for a way for scripts on a page to ask the browser to talk to the CDM. The actual interaction between the browser and the CDM is completely unspecified; it just needs to enable the browser to implement the EME APIs.

I think a more apt comparison is that EME is to CDMs more like the 2D canvas API is to graphics libraries. At least in a world in which graphics libraries had very restrictive licenses and you could require, via the canvas API, a particular graphics library to be used for rendering your canvas.
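The script-facing side described in the comment above, as an added example that is not part of the thread: a page hands the browser a key-system string through `requestMediaKeySystemAccess()` and gets back a promise, with nothing in the call exposing how the browser reaches the CDM. The key-system strings are the vendors' published identifiers; the function names and the mock navigator are constructed so the probe also runs outside a browser.

```javascript
// Added example (not from the thread): ask a browser which EME key systems it
// will hand to page scripts. In a page, call probeKeySystems(navigator).

// Published key-system identifiers for the CDMs named in the thread, plus
// Clear Key, which is defined in the EME specification itself.
const KEY_SYSTEMS = {
  "org.w3.clearkey": "Clear Key",
  "com.widevine.alpha": "Google Widevine",
  "com.microsoft.playready": "Microsoft PlayReady",
  "com.adobe.primetime": "Adobe Primetime",
};

// A minimal configuration request: CENC init data and baseline H.264 in MP4.
const BASIC_CONFIG = [{
  initDataTypes: ["cenc"],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Returns { emeExposed, available }. `nav` is any navigator-like object, so
// the same function works against a real browser or a test double.
async function probeKeySystems(nav) {
  if (!nav || typeof nav.requestMediaKeySystemAccess !== "function") {
    // The EME entry point is not exposed to scripts at all.
    return { emeExposed: false, available: [] };
  }
  const available = [];
  for (const keySystem of Object.keys(KEY_SYSTEMS)) {
    try {
      const access = await nav.requestMediaKeySystemAccess(keySystem, BASIC_CONFIG);
      // The script learns only the key system and the accepted configuration;
      // the browser-to-CDM interface never appears at this layer.
      available.push(access.keySystem);
    } catch (err) {
      // Rejected: the browser offers no CDM for this key system with this
      // configuration. Nothing to record.
    }
  }
  return { emeExposed: true, available };
}

// Human-readable summary, e.g. for a check that a locked-down build exposes
// no DRM key systems.
function describe(result) {
  if (!result.emeExposed) return "EME API not exposed";
  if (result.available.length === 0) return "EME API exposed, no key systems";
  return result.available.map((k) => KEY_SYSTEMS[k] || k).join(", ");
}

// Constructed test double: resolves for the listed key systems and rejects
// the rest with a NotSupportedError-named error, as a browser would.
function makeMockNavigator(supported) {
  return {
    requestMediaKeySystemAccess(keySystem, configs) {
      if (supported.includes(keySystem)) {
        return Promise.resolve({
          keySystem,
          getConfiguration: () => configs[0],
        });
      }
      const err = new Error(`${keySystem} is not supported`);
      err.name = "NotSupportedError";
      return Promise.reject(err);
    },
  };
}

// Demo against the mock (constructed: a browser offering Clear Key + Widevine).
probeKeySystems(makeMockNavigator(["org.w3.clearkey", "com.widevine.alpha"]))
  .then((result) => console.log(describe(result)));
```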


Thank you, bzbarsky. Please help us (me) understand the situation a bit better if you have the time.

1. Could you please describe a bit more about the browser-CDM interaction and what is implemented there?

2. Why do you think the browser-CDM interaction was left unspecified? Wouldn't a standard be beneficial to all parties, even CDM developers (no need to back-and-forth with browser developers: just follow the standard)?

3. For a browser to support a CDM, is a developer required to write CDM-specific browser code? That is, if CDM APIs are not standardized, then does the browser need to be modified to accommodate each API? Maybe this is obvious but I can't believe this is the state of things.

4. I, and I believe many others, have been under the impression from the beginning that EME was intended to globally constrain CDM behaviour. What you've described in this thread is entirely different. EME is just an API for CDM-script interaction and nothing more. Meanwhile, these blobs are integrated into the browser and the extent to which they're constrained is up to the browser developers. Unlike an NPAPI plugin, there is no standard for what they're allowed to do or know.

It occurs to me now that a standard defining browser-CDM interaction would never come from the W3C as it is simply outside their scope (ie. Web standards, not browser standards). CDMs can choose where to run today because there wasn't enough interest (or coordination) in establishing a standard browser-agnostic environment for them to run in. Now the CDMs are here, entrenching themselves, and the time to establish this environment is long gone. Is this an accurate representation?


> Could you please describe a bit more about the browser-CDM interaction and what is implemented there?

I don't really know what this interaction looks like in non-Firefox browsers. Last I checked, the CDMs Chrome ships didn't work with Chromium, but I don't know whether that's still true, and I don't know whether the browser-side bits involved are implemented at all in Chromium or just in Chrome. Likewise, I don't know whether the CDM interaction bits in Safari are in the public WebKit repo or not. IE's source is not available, of course. In the case of Firefox, https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi... really does cover most of the details. We put together an API that made sense on our (Firefox) end internally. We then worked with some CDM vendors to integrate their products, by building shims to convert the API their CDMs exposed to the API we wanted to be using internally. That's probably all I can say on the subject.

https://hsivonen.fi/eme/ has a reasonably in-depth discussion of the way these bits fit together from someone who was much more intimately involved in this than I was.

> Why do you think the browser-CDM interaction was left unspecified?

Because the people writing the spec pushed back pretty explicitly on doing so, claiming that this would take too much time and overconstrain things too much in terms of both CDM and browser implementations.

> Wouldn't a standard be beneficial to all parties, even CDM developers (no need to back-and-forth with browser developers)

The CDM developers I'm aware of are Google, Apple, Microsoft, and Adobe. Three of these are also browser developers, who are shipping their own CDM in their own browser. Two of those three, along with Netflix, happened to be the spec editors.

There was literally zero incentive for them to standardize the browser/CDM interaction, and some incentives to NOT do so. So they didn't.

> For a browser to support a CDM, is a developer required to write CDM-specific browser code?

Yes. Not just that, but for actual CDMs on the market the developer is also required to work with the CDM vendor to accept that particular browser as a trusted enough party.

This is because CDMs are supposed to prevent the decoded data being captured, so they must either handle their own on-screen display or do so via an intermediary they trust. See also the "What does this mean for downstream users of the Firefox code base?" section of https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi... and note that in the setup described there the CDM basically bakes in some sort of signature of the actual browser _binary_ that it's willing to work with. So just compiling the same, or worse yet slightly modified, source is not enough to get something that works with the same CDM.

> Maybe this is obvious but I can't believe this is the state of things.

It's totally the state of things.

> I, and I believe many others, have been under the impression from the beginning that EME was intended to globally constrain CDM behaviour.

EME describes a set of things that a CDM must effectively support. This means that a browser can demand that a CDM run in a sandbox that limits its interactions with the outside world to whatever is needed to support the EME APIs. This is the approach Firefox is taking with its CDMs.

Of course the CDM vendor can tell the browser vendor to go take a hike with its sandboxing demands and simply refuse to run in such a sandbox. Then the browser vendor can either back down or not ship that particular CDM.

There was a lot of talk about how EME opened the _possibility_ of CDMs that were more constrained than NPAPI plugins are (because the NPAPI includes all sorts of stuff, whereas a CDM could be built with a much smaller and more sandboxable API). And some people (the Netflix ones in particular, iirc) sure made it sound like this possibility would be a definite reality. And to some extent they were right: the CDMs in Firefox are certainly a lot more sandboxed than NPAPI plugins! But that's because Firefox decided to make it so, and EME somewhat enabled it to make that decision, and the CDM vendors involved agreed to play along.

> (ie. Web standards, not browser standards)

I'm not sure the distinction is that meaningful.

That said, the W3C can, when it wants to, work with other standards bodies on joint things. Examples include WebSocket (API defined by W3C, wire protocol defined by IETF), WebRTC (similar), JavaScript (API and integration points defined by W3C, language defined by ECMA), and probably other things I'm forgetting. If people had really cared about standardizing the browser/CDM interaction and had really decided that the W3C was the wrong venue for it (which is not obvious), another venue could have been found.

> because there wasn't enough interest (or coordination) in establishing a standard browser-agnostic environment for them to run in.

Correct. The only interest expressed in such a thing was from Mozilla and Opera, as I recall. Oddly enough, those were the only major browser vendors that were not also CDM vendors. What a coincidence!

> Is this an accurate representation?

I think the time to establish such an environment is not any more gone than it used to be, because nothing has much changed. Apple, Google, and Microsoft are still both browser vendors and CDM vendors, and still not interested in standardizing CDM stuff. Mozilla could create a "standard" on its own, but it would be rather meaningless in practice. And the problem of CDMs wanting to authenticate exactly who they're talking to on the binary level would remain.


I think the point is that to consume any particular piece of content, the publisher decides which CDM is appropriate, which effectively lets them decide who (which browser) can consume their content.


In the assumption I'm describing, it's irrelevant which CDM a publisher chooses. The reason being that the CDM must operate via EME, an open standard that can be implemented by any browser. Therefore, CDMs are inherently browser agnostic just like NPAPI plugins.

Is it really true that CDMs are actually browser-specific or are able to enforce a browser whitelist? If so, that is horrific.


> Is it really true that CDMs are actually browser-specific or are able to enforce a browser whitelist?

The EME standard only covers the DOM APIs and the interactions between the video player JavaScript and the CDM. There is no standard browser API or ABI for CDMs like there is for NPAPI.
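The site-facing half of EME that the comment above describes, as an added example (not part of the thread or of any browser's code): the page's JavaScript names the key system it wants, and the browser can only answer for CDMs it actually ships. `probeKeySystems`, `pickKeySystem` and `makeStubNavigator` are hypothetical names; the stub is a constructed stand-in for a browser so the logic also runs outside one.

```javascript
// Key system strings a site might ask for (the standard's Clear Key plus
// two vendor CDMs). The list and its order are the site's choice.
const CANDIDATE_KEY_SYSTEMS = [
  'com.widevine.alpha',
  'com.microsoft.playready',
  'org.w3.clearkey',
];

// Minimal MediaKeySystemConfiguration: CENC init data, H.264 in MP4.
const DEFAULT_CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Ask a navigator-like object which key systems it can serve.
// In a browser, pass `navigator`; the call used is the standard
// navigator.requestMediaKeySystemAccess(keySystem, configurations).
async function probeKeySystems(nav, keySystems = CANDIDATE_KEY_SYSTEMS,
                               config = DEFAULT_CONFIG) {
  if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
    // Browser without EME at all (or EME disabled by the user).
    return keySystems.map((keySystem) => ({
      keySystem, supported: false, reason: 'EME API not exposed',
    }));
  }
  const results = [];
  for (const keySystem of keySystems) {
    try {
      const access = await nav.requestMediaKeySystemAccess(keySystem, config);
      results.push({ keySystem: access.keySystem, supported: true, reason: null });
    } catch (err) {
      // The promise rejects (NotSupportedError) when no matching CDM exists.
      const reason = err && err.name ? err.name : String(err);
      results.push({ keySystem, supported: false, reason });
    }
  }
  return results;
}

// The publisher's preference order decides which CDM is used. A browser
// that has none of the listed CDMs gets null: no playback, even though
// it implements the EME DOM API completely.
function pickKeySystem(results, publisherPreference) {
  for (const wanted of publisherPreference) {
    const hit = results.find((r) => r.keySystem === wanted && r.supported);
    if (hit) return hit.keySystem;
  }
  return null;
}

// Constructed stub: a "browser" that ships only the listed CDMs.
function makeStubNavigator(installedCdms) {
  return {
    requestMediaKeySystemAccess(keySystem, configs) {
      if (!Array.isArray(configs) || configs.length === 0) {
        return Promise.reject(new TypeError('empty configuration'));
      }
      if (!installedCdms.includes(keySystem)) {
        const err = new Error('Unsupported keySystem');
        err.name = 'NotSupportedError';
        return Promise.reject(err);
      }
      return Promise.resolve({ keySystem });
    },
  };
}

// Stand-alone demo: a browser with EME but no vendor CDM installed.
probeKeySystems(makeStubNavigator(['org.w3.clearkey'])).then((results) => {
  const chosen = pickKeySystem(results, ['com.widevine.alpha']);
  console.log(results, 'publisher gets:', chosen);
});
```
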


Does that matter if the CDM is only exposed to sites via a standardized API?


For the site, it doesn't matter. For someone who wants to build a new browser that supports EME, it does matter. There is no standard CDM API, so they must copy open-source code (from Firefox or Chrome) or rely on documentation from a closed-source CDM.

For Firefox, Mozilla has a plugin ABI called GMP (Gecko Media Plugin) similar to NPAPI. Unlike NPAPI, GMPs are not directly instantiated by web content and, AFAIK, the list of supported GMPs is hardcoded in Firefox. Cisco's OpenH264 codec and Adobe's Primetime CDM are GMPs. Google's Widevine CDM has its own API, so Firefox uses a Mozilla-written GMP that wraps Google's Widevine DLL or .so binary.

https://wiki.mozilla.org/GeckoMediaPlugins


I'm afraid I don't know the history of it well enough to give a good answer, but IIUC what the EFF is claiming here is that CDMs are (potentially proprietary) blackboxes and that EME treats them as such. Therefore, publishers are able to decide which browsers are even allowed to use the CDM which they designate.

As far as CDMs being blackboxes in the standard - you can verify that yourself: https://w3c.github.io/encrypted-media/

It would be good to have an EFF expert explain some of the nuance here though.


Exactly. As far as I knew, EME was the solution to the problem they were talking about.

A standard way to allow anyone to run one of those CDMs and removing the publishers as the gatekeepers.


It's a standard for the sites themselves to run a certain CDM; it's totally unspecified on the browser side.

I.e., Firefox cannot use Google sandvine, even if you have Chrome installed, because it is not a standard interface from the browser's perspective.

CDMs are absolutely not browser agnostic like NPAPI.


The specification is called EME.

> Beginning in version 47, Firefox desktop also supports the Google Widevine CDM.

https://support.mozilla.org/en-US/kb/enable-drm


EME is the standardized specification on the browser side... That's all it is.

CDMs could technically only work for one browser via fingerprinting, but that could already happen without EME (or DRM entirely) using browser fingerprinting to only serve content to UAs the publishers "trust".


Regardless of whether it's right or wrong, it seems counter to W3C's intended purpose of promoting open web standards.


You hit the nail on the head. Thank you.


Honestly, I'm not against online/streaming content being protected with DRM. I don't think it's very effective but it doesn't affect me as I don't own the content so I don't really care.

This seems to be a step too far though. The browser should be a standards based 'viewer' that anyone with the will and the time can create. Let's say Netflix implements this DRM. They account for more than a third of internet traffic. If your browser can't support Netflix it's dead in the water.

This is open to so much abuse. The gatekeepers (it seems to be the entertainment companies in this case) get to choose which browsers live and die. As we've seen over the last 20 years competition in the browser space is very important - without Mozilla stepping up and competing with IE I can't imagine the sorry state the internet would be in today.

Edit: Once again, the DMCA rears its ugly head. Time and again it seems to be the thing that is abused to screw over consumers. Maybe that's what we should actually be fighting against.


I don't have any problems with the concept of DRM (controlling how a movie is used) but I have major issues with what is required to implement it. Essentially by definition you need to run some code that the user doesn't control on their computer. How Firefox does it isn't that bad because it is fairly well sandboxed but over time the urge will be to push it further up the stack so that gaining access to the content becomes more and more difficult.

I suspect given enough time they will push until they close the Analog Loophole.


It seems to me that the implementation issue is just a symptom of a deeper problem: copyright and DRM by definition grants a monopoly. This monopoly can be abused. For instance, if you want to watch movie X and it is distributed in such a way that you have to give private data, your options are not to watch it or get a "non official" version.

Could the copyright law be extended in order to prevent its abuse and protect the consumers, for instance by using the concept of "abusive clause" [0]?

[0] http://en.wikimediation.org/index.php?title=Abusive_clause


Edit: Once again, the DMCA rears its ugly head. Time and again it seems to be the thing that is abused to screw over consumers. Maybe that's what we should actually be fighting against.

We should have prevented it in the first place, but given recent quasi-legal expansions centered around legal vagaries of it, I would completely agree we need to revamp and revisit laws relating to computing.


But the idea with EME was to create a standard interface to those CDMs. That way the entertainment companies can't be gatekeepers, as the CDM will work in any browser that implements EME, even your own that you made from scratch.


I'm not 100% clear on the technical side of this but according to the article, in order to implement the 'standard' you require permission from the entertainment companies as they control the CDM. So they're the gatekeepers. Is this incorrect?


Yes I think it works like this: publisher decides CDM, and EME describes a standard interface for all CDMs.

The trick, which EFF points out, is that CDMs are allowed to be blackboxes, and publishers can create their own and distribute them any way they see fit, which effectively lets them determine which browsers may consume their content.


But no matter what they can decide that already...

User agent checking (and other fingerprint checking systems), custom plugins which are required, or even going around the browser entirely and requiring a downloadable program or app to playback.

If the standard doesn't have EME, then alternatives will be made which will be much worse. EME is the best possible outcome in a world where DRM exists, and I would be just as happy as everyone else here if DRM was gone entirely, that just isn't going to happen any time soon.


Well, historically all those mechanisms have been problems for the open web. To me, the question is why you couldn't achieve the same thing without making the CDM a blackbox, e.g. just by issuing license keys and standardizing the encryption/decryption of content. It seems like the only benefit to making CDMs blackboxes is that it gives publishers more control over the user's environment.


Looking at that from a publisher's perspective...

That locks me in to your encryption system, and probably locks me into other things as a result. That also doesn't give me the ability to enforce other DRM things like only one playback per device, or only allowing it to happen between 7am and 7pm. It also means that I need to trust the client, which is exactly what DRM is trying to not do (because if the publishers could trust the client, an HTML flag for "don't let them save this" would suffice).

DRM by nature basically needs to be a black box. This just standardized how that black box hooks into the system, and sandboxes it to limit what it can look at (and so we don't have a repeat of the Sony music issues)


We know that this is something the publishers want. That doesn't mean CDM functionality can't be standardized. It doesn't need to be a black box, and you don't need to trust the client any more than you trust the user.

The point EFF is making is that it's up to the W3C to maintain the balance between the power of publishers and the freedom of users.


EDIT: What I failed to realize is that unlike other content, in the case of DRM, publishers do not even trust the user.

https://news.ycombinator.com/item?id=11680863


> This system, "Encrypted Media Extensions" (EME) uses standards-defined code to funnel video into a proprietary container called a "Content Decryption Module." For a new browser to support this new video streaming standard -- which major studios and cable operators are pushing for -- it would have to convince those entertainment companies or one of their partners to let them have a CDM, or this part of the "open" Web would not display in their new browser.

Isn't this just a standardization of the status quo, with Flash/Silverlight? Why is it that I always feel like I'm being sold a bill of goods when I read EFF pieces?


I am a little confused by this comment. What status quo?

Silverlight is deprecated. Flash is (at least seems to me) taking its final breaths.

HTML5 pushed many web native standards for open media: https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Usin.... In fact, the HTML5 video/audio was so open that YouTube had to kill a Chrome extension that allowed users to use YouTube as a music source without advertisements or video: http://thenextweb.com/insider/2015/07/21/how-youtube-killed-.... (Side note: the history of what went on with Streamus is woefully simplified in this article...but let's just say the Streamus dev was open from Day 1 with Google but only after his extensions started getting traction they shut it down.)

Anyway, moral of the story is this would be a standardization that steps _back_ (in many ways) to the days of Flash/Silverlight dominance...not standardization of the status quo (at least IMO).


The status quo is this:

If I build a browser right now from scratch, it can't play Netflix videos.


Can't you just implement NPAPI to get silverlight support and then fake a user agent to get Netflix to give you the right content?


I have tried implementing NPAPI loading in a standalone C++ app to load Silverlight, but failed horribly. NPAPI is badly documented. Anyone here with any tips? :-)


Problem is that Netflix & co are stuck with Flash or similar because content owners will not allow it to be streamed/provided without DRM. So currently it's Flash with no alternative.

EME is not the ideal situation from the consumer's PoV, but it's on par with Flash (maybe a bit better) and preferable to nothing*.

It would be a net loss if previously unencrypted content would now become encrypted, but I don't think that's likely as a host like say Youtube already had access to DRM/encryption in their Flash player even before HTML5 video was a thing but never used it. I thus expect it to be mostly a net gain/neutral.

* If you personally think nothing is preferable over watching content with EME: great, don't use it. But forcing that choice upon others is not better.


This whole area is a little murky but I want to point out that Netflix has supported HTML5 video for a while: https://help.netflix.com/en/node/23742. Using EME no less (http://techblog.netflix.com/2015/12/html5-video-is-now-suppo...)

I was mostly trying to point out that the previous comment was referring to Flash and Silverlight as if they weren't fading/phased out technologies (which they are as I understood it).

As far as DRM goes, the whole thing is sticky, but I am mostly against this adoption to W3 since in its current proposed state, it seems too far counter to the open ideals of what the W3 should embody.

To clarify: I am not against DRM, I am against DRM that allows publishers to dictate consumer behavior (such as what browser can play the content) and I think EME puts too much power unrelated to DRM back in the hands of the publishers.

But I might be wrong.


Problem is that Netflix & co are stuck with Flash or similar because content owners will not allow it to be streamed/provided without DRM

That's the content owners' problem, not Netflix&co. Let others produce open content that does work with an open web, and let's see how long the content owners will stay unmoved.


>Let's see how long the content owners will stay unmoved.

They won't - Netflix isn't the only platform, just the largest - and compared to its competition it's being rather altruistic in this situation.

The content owners will more likely decide to license less content to Netflix (to Netflix's credit, they are trying to depend less on other people's content) - but will license that will play ball. And the content owners do have a place to go, HBO GO/Now's platform being the first I can think of.


In theory a new browser could load the existing Flash NPAPI plugin without help from Adobe, but it's much more work for new browsers to support EME. And plugins (read: Flash) are being phased out, so if EME could be killed then DRM would also be phased out from the Web.


The biggest problem is intellectual property. Copyright lasts life + 70 years and patents last 20 years. That's a long time to have a legal monopoly on something, and is partly why companies are so big and can behave so badly.

Innovation comes through competition, not monopoly. Ideally, we'd eliminate patents and copyrights altogether, but as a compromise, I think having terms of 3 years, with no renewals, is fair. That way a business can capitalize on what it creates and get a 3 year head start on competition, but you still get competition fairly soon which benefits consumers.


I agree although three years seems a bit too short. I would say copyright for 10 years and no software patents altogether. Also copyrighting APIs seems like it warrants a close re-look as well. Then again, none of the "leaders" of any of the nations are listening are they? They are almost unanimously aligning behind big-business interests.


I doubt reducing the monopoly period would stop companies from pushing DRM, but the length of IP protection is ridiculous and has to change.

3 years will never happen, though. 10-15 years for copyright and 5 years for patents is more reasonable.


I saw a study some years ago that compared the interests of copyright holders to that of consumers, and concluded that 14 years after initial publication (non-renewable of course) is the optimal duration for copyright.


You can test your convictions by disabling DRM content in Firefox. Uncheck "Play DRM content".

Unfortunately, convictions won't have consequences on future decisions because the standard is here and the more you wait the more it becomes embedded. W3C allowed it to come to light when various plugins wouldn't make DRM viable or at least more difficult to implement and reach general agreement. Now, even if you can opt out with Firefox, Netflix really doesn't care about that because you decided to disable it so you are a bad client anyway. I understand why the article is talking about pop-ups because the moment Firefox decided to implement it, we lost the fight. I use Firefox but lately, I am saddened by their lack of strong convictions and how they tend to follow Google a little too much. (At least, FF sandboxed the CDM, while not perfect, the other browsers didn't do it, isn't it?)


>Uncheck "Play DRM content".

You need to turn this on <_<

about:config browser.eme.ui.enabled true to allow the checkbox to be displayed.

FF 46.0.1 OS X.


I didn't have to turn this on. It's in Content section by default...

https://support.mozilla.org/en-US/kb/enable-drm

media.eme.enabled to false to disable EME if you want to tweak the config.


I had to turn it on: FF 45.x-esr on OS X (cannot specify ".x" because apparently the "About Firefox" dialog is broken).


I had to turn it on: 45.0.2 on Linux


Can someone explain why we're stoking the fire this late in the game, not that it shouldn't be?

Firefox implemented this since May 12, 2015 -- https://blog.mozilla.org/blog/2015/05/12/update-on-digital-r...

Chrome's had it since v 42

https://www.chromestatus.com/feature/6578378068983808


Mozilla fought harder against EME than any other browser vendor by far. As a user concerned about the open web, using Mozilla products is a way to bolster it.


You make it sound like other browser vendors fought it at all; the EME spec was written by Google, and supported by Microsoft and Apple.

This is not a case of the W3C "forcing standards" upon innocent browsers. The people writing W3C standards work for these companies.


To be fair, there were specific people at Google who _did_ fight the EME spec, including in the W3C discussion; the spec was written by the "youtube" part of Google, and the people who were more in the "open web" part of Google didn't necessarily agree with it. But yes, Google as a whole sure didn't object and didn't exactly delay implementing in Chrome...


Because, with the recent decisions re Thunderbird & Firefox, the only browsers that were designed with the intelligent and free user in mind aren't getting better - they're actually getting worse. Also, EFF has been running articles about DRM lately. It's not that we're only stoking the fire now... It's that they are writing about it again.


> Thunderbird & Firefox, the only browsers that were designed with the intelligent and free user in mind

That's not remotely close to being true.


some examples, por favor?


Vivaldi?


Vivaldi is (a) new; (b) based on Chromium; and (c) not actually open source. (I use both Vivaldi and Firefox, but not Chrome.)

Historically, Firefox has been the main user-centered browser, but not the only one. Especially if you include forks.


Vivaldi also shares a design lineage with Opera 12 and previous, in terms of who the designers are/were. When we lost Opera, I think we lost the open web in a lot of ways. As much as Opera was a closed-source proprietary engine etc. browser, it stood out against the background of the larger Web giants. When they folded and gave in to Google, I was horrified.

Still, the loss of a Community Firefox is a bad thing.


elinks?


As a long-time FF user I should be flattered, but it seems like a tough claim to back up. I don't see any design emphasis in Firefox on 'intelligent' users; 'free' is a little easier to believe, in the sense that the other major browsers are very tightly bound to certain OSes and/or their creators (IE/Edge on Win, Safari on OSX, Chrome on, well, lots of things). Chrome seems just as likely to appeal to the intelligent user (if their smarts run toward fast browsing), though given all its telemetry (e100.net etc.) it isn't perhaps the most free...


background?


Are clickbait titles permitted on HN? The link has absolutely nothing to do with Firefox, let alone "saving it". It's an opinion piece / call to action regarding the W3C and the state of Encrypted Media Extensions. "Firefox" does not belong in the title, as it's irrelevant to the topic. Luring us with the name of a popular open source application, to then present a piece with a barely-related agenda behind it should not be acceptable.

As a side note, I'm sad to see that the EFF has adopted a PETA-like strategy to the way they tackle issues.


> users want to sit in the driver's seat.

> We need more Firefoxes.

> We need more browsers that treat their users, rather than publishers, as their customers.

Until they started talking about DRM I was hoping that we were "saving Firefox" from mandatory extension signing.

As of Firefox 47, you will not be able to install any extension which hasn't been digitally signed by Mozilla. There will be no about:config setting to override this. They claim that this will prevent adware from disabling the digital signature requirement. But it's also taking power out of the hands of users, with the justification that supposedly Mozilla knows better than their users do what code they want to run.

This is the death-knell of Firefox for me. I'll be switching to an unbranded fork and hoping that the security updates keep coming.

https://wiki.mozilla.org/Add-ons/Extension_Signing


I'm interested to see how effective the EME is at preventing illicit copying of media. YouTube and Netflix both use DRM now but it doesn't stop youtube-dl or pirate WEB-DL rips from Netflix from existing.


There is a way to protect the content by adding per-user (subscriber) watermarks in the video/audio streams. Thus, no one will need these shady CDMs and Co. Of course, you say, you can try to find those watermarks/etc. But in the same way you can try to circumvent CDM code as well. Still, it will allow eliminating proprietary extensions from the web standards.


Question: He says EME will allow publishers to dictate which browsers can implement CDMs that can interoperate with their content, and therefore control the browser market, and that this will quell innovation. I have questions about this, however. In the old but waning status quo, Adobe and Microsoft got to decide which browsers would work with Silverlight and Flash (right?) so it still wasn't possible for a developer to make a new browser that could play DRMed video without getting their permission. What is the meaningful difference from the new status quo?

Is the difference that now, publishers control content and compatibility, whereas before publishers controlled content and DRM companies controlled compatibility? Is that actually a meaningful change for users or for browser developers? It doesn't seem like it is.

Am I missing something?


> In the old but waning status quo, Adobe and Microsoft got to decide which browsers would work with Silverlight and Flash (right?)

Nope. The status quo was that any browser which implemented NPAPI (officially the Mozilla plugin API, but historically used by everyone but IE) could use Silverlight and Flash. That's how Google Chrome got Flash support initially and the reason why obscure browsers that neither Adobe nor Microsoft cared about could still support both.


Honest question: How relevant is DRM in preventing piracy in non-interactive media?

Consider a theoretical world in which DRM would reliably prevent unauthorized copying or decryption of DRM-secured content 100% of the time. The obvious attack vector for pirates would be to play the video and audio and just capture it with a camera directly in front of the monitor, and a microphone attached to every speaker.

Are pirates doing this today, or is it just not worth it because DRM schemes are easily circumvented? I'm quite confident that copying of the physical signals should produce good results. There are consumer cameras capturing 4K video, and a video that's distorted by a non-orthogonal view on the screen can trivially be fixed in software. (It loses some fidelity, but you should still be able to get near-full-HD output out.)


I just found out that Firefox removed the 3D Inspector with v.47. It's a shame because that was an excellent tool for auditing and inspecting. If you haven't had the chance, give it a whirl.


It was a neat tool for sure, but apparently did not work in multi-process Firefox. Guess it wasn't used enough to merit a rewrite.


Better solution: repeal the DMCA.


Isn't it trivial to reverse engineer the DRM module to create its clean room open source implementation thus effectively deprecating it?


And then it's trivial for the DRM creator to sue you under the DMCA. I also suspect that CDMs can update (this is called "renewability" in DRM newspeak).


That's the large problem here. If you wanted to get the content out, it would be more effective to obtain a HDCP master key, since that one is embedded in a lot of deployed physical devices and thus cannot be easily changed (AFAIK). A CDM in a webbrowser can be updated today and content distributors could stop using the old key tomorrow already.


If the reversing and reimplementation happens outside of the US you can avoid the DMCA issue entirely. Or take steps to publish anonymously.


You probably should also give up on going to any conferences on US soil in the future.


That's true, they treated Sklyarov most unfairly, given that it was entirely legal in his home country.


DRM in games has gotten to the point where reverse engineering is almost impossible. Obfuscation works.


> Literally none of the dominant browsers from a decade ago are in widespread use today.

Sorry to nitpick and detract from the real point here, but unless my memory deceives me IE was the dominant browser in 2006 and by a lot of measures still is. What a bizarre statement to make.


Chrome, for better or for worse, has the largest market share, by a fair margin. IE11+/Edge, Safari, and Firefox each have a good share, but none are dominant.

IE10 and lower are down to 1-2% (!).¹

[1]: http://caniuse.com


Well, the issue is that popups were a nuisance, while being able to watch all those publishers content is not.

I totally understand the concerns, but making users choose something out of ideology is much harder than simply providing a better experience.


Let's get something straight here. This EME debacle was never a choice between DRM and no DRM, it was a choice between DRM in a consistent standard vs DRM with a thousand ad-hoc plugins.

The browser without EME will be pilloried by its users for not supporting the content they want to access. Users use a browser to access content, not to support philosophical positions on what software should and shouldn't do.

The lesser of two evils was chosen. You don't have to like it, but that's the reality of this situation. It is not realistic to suggest that the largest browser vendors not support user demanded content.

Speaking of philosophical positions, most DRMed content accessed by a user in a browser is going to be of the streaming variety, i.e. something that DRM isn't preventing you from doing something you're otherwise not supposed to be doing anyways.


The unsupported assertion that a DRM-free universe "is not realistic" is not an argument, even when it is repeated for emphasis in italics.

In the music industry, DRM seemed inevitable until one morning Steve Jobs woke up on the wrong side of the bed. Then the whole thing crumbled overnight.

iTunes was not "pilloried by its users for not supporting the content they want to access". Users did prefer to buy DRM-free music, bolstering iTunes marketshare in the process. The historical record demonstrates the opposite of your hypothetical.

If Chrome or Safari drew a line in the sand and said "No DRM", that would be the end of DRM on the web. It seems they are not willing to do that. But that is a reflection on the lack of leadership at the technology companies, not on the inevitability of DRM.


Everybody loves to bring up MP3s as an argument in favor of the notion that, if someone stands up to DRM, the entire industry will shift to no longer require DRM. And that's complete bullshit. You're extrapolating a very extreme position from a single instance, one that is arguably unique.

Not only that, but it's also wrong. Music DRM did not die. DRM on purchased music went away, but streaming music still has DRM. So the music industry didn't even completely ditch DRM like you claim it did.


No it wouldn't have - we'd just continue on the existing path of multiple different plugins with their own incompatibilities and security holes, which is strictly worse for the user.

Furthermore, you imply a level of informal cooperation between the browser vendors that doesn't exist. It turns into a game of prisoner's dilemma, where the first person to defect gets to claim a massive feature that none of the others do, and the others are left in worse shape.

I'm no fan of DRM, but again, it's the world we live in.


> we'd just continue on the existing path of multiple different plugins with their own incompatibilities and security holes, which is strictly worse for the user.

And this is how it should be. I want users to get tired of installing more plugins. I want them to roll their eyes when a site says "you need to add $x to be able to use this site." We had the same problems with MP3s, and we won out. I see no reason we can't win out with any other media.


And this is how it should be

Only if you ignore:

* Users "rolling their eyes" means nothing when they'll gladly click OK to dismiss all the security warnings and installations of n plugins so they can watch Netflix. They'll complain, but the plugin will still be installed at the end of the day. I'd rather that plugin be sandboxed.

* That the practical implications of lessened security are more real, hence important than the theoretical concerns by a sandboxed plugin whose entire mission in life is stopping you from recording a fscking video stream.

The user you're talking about, the one who signs up for Netflix, gets prompted to download a plugin, shakes their head sadly and cancels their subscription because DRM is evil, doesn't exist outside of FSF patrons.


it was a choice between DRM in a consistent standard vs DRM with a thousand ad-hoc plugins

The thousand ad-hoc plugins would have been the better solution. We should be striving to make DRM as expensive for the producer and troublesome for the user as possible.


I have to agree... in the end, if you can't access Netflix, Hulu, Amazon Video, etc, the majority of people won't use your browser. In order to succeed, imho, you need a great base UI, good support for emerging standards and to support the sites that people use most... Facebook, Google, YouTube and Netflix.

At least EME lets all browsers stand a chance of being able to use all the sites they want to use. And as much as I don't like DRM, it's commercially unavoidable, regardless of how weak the implementation is.


I think you misunderstood EME. It doesn't let browsers compete on equal footing. The parts that actually matter for accessing Netflix are deliberately excluded from standardization.

So here I have my shiny new browser. I implemented all the relevant standards. Now, how can my users access Netflix? They can't, not unless I can strike a deal with one of the CDM providers, who, incidentally, for the most part are browser vendors themselves, i.e. my competitors.


It doesn't get rid of the "1000s of adhoc plugins" problem whatsoever. CDMs (the thing EME is merely a bridge to) are platform specific, closed source, arbitrary blobs of code that can do anything on the host system; you do not target "EME" as a streaming host, you target these CDMs.


In a practical sense it does because the big content providers are incentivized to work with the common DRM solutions, in order to keep eyes on their product without causing massive headaches for everyone involved. Smaller producers don't have the influence to start putting out custom DRM solutions.

You will probably still have the morons who insist they need some special thing, but that's just standard.


As I pointed out above, on Firefox they can't "do anything on the host system" as they'll be sandboxed and allowed only the necessary mechanisms to do their job.


They can't call out at all? I have doubts, but would accept a source.


Here is a description of Firefox's CDM sandbox:

https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...


> something that DRM isn't preventing you from doing something you're otherwise not supposed to be doing anyways.

And what would that be?


Recording it. It's a stream, you're paying $company for the rights to access content over the wire. Recording that isn't a right, legal or moral.


See, and that's the problem with implementations like this. Recording this is perfectly legal in NL.


And what of the fact that you likely agreed not to do it in exchange for access to the service?


EULAs are not valid in NL either, and the law trumps contracts. We pay taxes for the right to make home copies.


> Recording that isn't a right, legal or moral

Recording a Netflix show so I can watch it later doesn't seem like at all a moral issue, so long as I keep my subscription.

Adding DRM also gives them the "You had to break DRM to do this" which is a handy argument to have.


I was under the impression that you are generally allowed to record content for your own personal use, as long as you don't distribute it to others.


You do recognize that a large percentage of the population heavily disagrees with you about this? The concept of ownership regarding pieces of information or data (music or a video can be thought of as a piece of information or data) is far from settled.


I mostly agree, but isn't it plausible that a centralized standard allows DRM to become more prevalent? Right now lots of copyright-able content is begrudgingly released freely to attract eyeballs, but that could decrease if DRM becomes more seamless.


The DRM makers still have to write, ship, and get people to install the decryption piece - EME just gives it hooks into the browser (and allows said plugin to be appropriately sandboxed, restricted, and treated like the hostile black box piece of crap that it is).

So in other words, probably not any more than the current system.


Just that now, the CDM piece ships by default in Chrome, Safari, IE/Edge and is automatically downloaded on demand on Firefox. They're probably fine with ignoring the existence of any other browser.

See about:plugins on Chrome to see for yourself.


Good answer, thank you.


I'm actually more concerned by the "save itunes" ( https://news.ycombinator.com/item?id=11670232 )


The problem here is capture. W3C has been captured by the digital restrictions management cabal. Mozilla, Google, Apple, and Amazon are playing along. In three cases, they are the cabal.


If Firefox really cared about its users maybe it should stop force-feeding "value-adds" like Hello and Pocket down everyone's throat by default.


If Firefox really cared about its users maybe it shouldn't have broken the security of Firefox Accounts and Sync. It used to be secure; it no longer is.


Source?


See my comment at https://news.ycombinator.com/item?id=11684378.

The short version is that Mozilla now uses one's Firefox account password to secure one's synced data — but there are places one enters one's Firefox account password which load JavaScript from Mozilla servers, which means that Mozilla, an employee or a government (or anyone else who can act as mozilla.com …) can serve malicious JavaScript and steal one's Firefox password and all synced data, including browsing history and passwords.

This is flat-out unacceptable.


[I edited my answer, because now I read that new system is claimed to be end-to-end secure as well]

https://support.mozilla.org/en-US/kb/sync-your-firefox-bookm...

In the old system your data was encrypted with a key that was only stored on your devices. Adding a new device meant that you had to do a kind of key exchange process (which was perceived as complicated[1]).

When Mozilla introduced the new system there was very little information on how the data was encrypted. I think the documentation only said that they used TLS (or something like that). But when reading their current documentation I see that it's not the case; they are apparently encrypting your data with a key derived from your password. So if you use a (cryptographically) strong password it should be secure[2]. Assuming that it works as documented of course.

[1] http://www.cnet.com/news/mozilla-adopts-plain-vanilla-passwo...

[2] https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-fr...


The new system encrypts one's secrets with a function of one's Firefox account password and stores it on Mozilla's servers. That has two effects: one, an insecure Firefox account password (i.e., a password it is possible to remember) can compromise one's entire synced data; two, anywhere one enters one's Firefox account password is a potential danger.

As it turns out, Mozilla serves JavaScript files which are used to handle Firefox account passwords. Any government Mozilla is beholden to could compel them to serve malicious versions of those files and steal one's Firefox account password (and then decrypt all of one's synced data, including passwords). Likewise, a malicious Mozilla employee could do the same.

As a result Mozilla Sync may no longer be used by anyone who cares about the privacy of his browsing history and/or passwords.


Currently, watching a DRM-protected video requires Flash and gives an inferior experience compared to watching a non-DRM-protected video. Most of the non-protected video can be easily downloaded using youtube-dl. Recently, I wanted to watch a movie on M6 live (French TV). Firefox (on Wine to have the latest upgrade of Flash) crashed twice. As a result, I downloaded it from a torrent and removed it after watching it.

I think the current situation gives a lot of motivation to avoid DRM. If EME becomes a standard, we would lose much.


To make my opinion clear: the current situation is a mess, a future with EME would be hell.


I thought from the title that this was a plea for Mozilla to rewrite Firefox from scratch since it is such a bloated mess.


Actually they're rewriting the better part, see Servo.


Firefox invested more time in the omnibar nobody wanted than in fixing compatibility issues.

We are actively discouraging people from using Firefox because whenever we try to use anything modern, Firefox will fail it.

The wonky outline implementation has been borked for more than a luster, has multiple bugs opened and ignored, etc. https://bugzilla.mozilla.org/show_bug.cgi?id=687311

And I found people complaining as early as this http://www.webdesignerdepot.com/2010/03/css-bugs-and-inconsi... and now I wonder how many of those are still there.

Firefox cornered itself out of relevance, and this

"We need more Firefoxes.

We need more browsers that treat their users, rather than publishers, as their customers."

doesn't match with Firefox's priorities as observed so far at all. Firefox needs to save Firefox.


Just don't pay for DRM'd content. Use torrents, libgen, etc.


Can someone clarify what is meant by `publisher' in this piece?


The parties which provide the content, often the ones who create it but not always. As opposed to the browser vendor, or the consumer (browser user).


What Firefox needs to be saved from is Mozilla.


Doesn't Mozilla have a lucrative deal with Yahoo? I mean Yahoo!


Yeah, but so? From my read-through, it's not literally "save the one and only Firefox", it's "we need an environment that allows for other browsers to enter the field", which DRM prevents.


Does EME prevent new browsers from implementing it freely? I admit I haven't read the spec but from what I've read second-hand, it seems like it enables the vendor to ship the DRM code as a binary blob that runs natively in a sandbox.

As I understand, EME doesn't lock out new browsers, it locks out new architectures and kernels. But any new architecture that comes along that anyone would want to use to view DRM-encumbered media would be mainstream enough that content providers would support it, and people running an experimental OS kernel already have to use a more traditional system for a lot of things, and probably aren't a demographic too keen on DRM in the first place.


EME doesn't prevent browsers from implementing EME. But since EME doesn't describe how the browser should talk to the CDM (just how scripts on a page talk to the browser), implementing EME is not useful in terms of working with actual CDMs that exist in the real world...


It locks out new browsers because acquiring CDMs can be a pain if you want to roll your own.

https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...

Ctrl+F for "What does this mean for downstream users of the Firefox code base?"

tl;dr: you either need to run a Mozilla-built sandbox with no modifications, or literally call up Adobe and ask about being given a CDM for your own browser, which they might just scoff at.


It really should be "Save Mozilla", not Save Firefox. After all, it was Mozilla that changed the web. We should all be using SeaMonkey, or some other coherent suite.


Servo might save it. The C++ codebase for Firefox is a nightmare, but Servo could wind up taking back the crown from Chrome.


As much as I would love to... Just recently switched from FF to Chrome since the latter just works technically a lot better :-(

Hope the new Servo engine can make FF shine again, otherwise I fear the worst.


You really should have read the article before posting.


True ;)



