Since an effective access control would by definition not be subject to circumvention, there is no conceivable situation where someone might be guilty of circumventing an effective access control.

https://www.merriam-webster.com/dictionary/effective

An ineffective access control? Perhaps, but the DMCA doesn't mention those.

Well, the thing YouTube does (whether you call it an access control or not) does actually have a measurable "effect" on people. It makes those people seek out third-party tools when they don't perceive any other reasonable way of downloading the work. So by that logic, it's pretty effective.

Nothing is ever 100% effective -- even the best encryption is technically a compromise -- other than OTP. YouTube just happens to be on the low end of effectiveness; the third-party tools likely wouldn't exist if it were on the high end. But I guess even slight effectiveness is enough for DMCA purposes.

As I understand the 'cipher' is in how you find the next tiny piece of stream. I haven't grasped fully how that works for Youtube but it is certainly more than 'increment a counter'. I believe it is something like 'read a variable in the previous packet and decode it'.

If they wanted any semblance of an argument, decoding that variable should require a session key that is set on log-in or after a captcha. But I doubt they do that, it would be a horrible hassle to handle the session dependant encoding.

Interesting. So instead of authorizing the fetching of pieces by way of authentication, they're just saying "you can have another piece if we've been talking since the very first piece". I guess that's a bit of a control, just not secret whatsoever.

I feel conditioned to equate the two, but they're distinct concepts I suppose. A CAPTCHA is an access control, and one that doesn't rely on secrets.

Doesn't it more boil down to "if the available bit rate is above ABC then grab the next piece $foo, else if the available bit rate is above DEF then grab the next piece $bar, else if the available bit rate ..." (etc)?

Not really sure where you're getting "authentication" from for this?

I'm saying they're controlling access via a control that is not authentication, and not secret, it's simply knowledge of the previous chunk.

I can see arguments on both sides as to whether such a thing is (or isn't) a form of access control. IMHO, it's so weak that it shouldn't even be considered a control. But if the DMCA (and legal precedent) says that there merely needs to be intent and some effect, then perhaps it is a form of control, if some aspect of the scheme was added specifically to thwart casual downloading and it had the effect of people seeking out third-party tools -- a form of access control that falls outside the usual mechanisms such as authentication and/or secrets.

A bit like a building with a lock that is totally pickable by the most amateur picker: it's no secret how to open it, so unauthorized people routinely let themselves in, but legally it's established that the intent of any lock is keeping unauthorized people out, and the presence of the lock does have the effect of keeping most people out, so therefore it's an effective control (to some reasonable extent) and therefore it's illegal to enter without authorization.

You keep using words like "controlling", "authorization" and "authentication" for something that doesn't even have those concepts included in its design. At all.

And from that incorrect addition of your words, you're trying to spring board to saying the DMCA applies.

What the hell?

Iirc correctly the youtube-dl thing was about an additional layer of "protection" that was only used for music video's and the like