88 comments

[ 3.3 ms ] story [ 151 ms ] thread
Choice summary quote:

> The problem here seemed to be that Netflix and the MPAA realized that they had enough power to push this through without needing to protect security researchers, and just decided "we can do it, so fuck it, let's do it." And Tim Berners-Lee -- who had the ability to block it -- caved in and let it happen. The whole thing is a travesty.

Also, this line of thinking really stood out to me -

> [...] this argument [that DRM is a necessary evil] rests on the assumption that the web needs those content producers more than those content producers need the web -- and I'm not convinced that's an accurate portrayal of reality. It is fair to note that, especially with the rise of smart devices from phones to tablets to TVs, you could envision a world in which the big content producers "abandoned" the web and only put their content in proprietary DRM'd apps. And maybe that does happen. But my response to that is... so what?

I have to agree with the author here - so what? I don't think such "proprietary DRM'd apps" would have any trouble taking off for people seeking content from big providers, so why does W3C feel it needs to bend so far to the will of Netflix and the like?

I don't know the scenario you provided is what I had hoped would happen not that they would html would have DRM support.
This is what I don't get about the W3C and it's significance. Tim Berners-Lee (who is a personal hero of mine) could have blocked it, sure, but that means absolutely nothing. Like, nothing whatsoever. Since Tim Berners-Lee doesn't author a popular web browser.

The only opinions that matter are those of Google, Apple, Microsoft, and Mozilla. And not all at the same significance. But that's it, that's the entire list. So I don't understand why W3C is even involved any more, why it even exists? It has no power, so... what's the point?

Tim Berners-Lee's position looks worse from that perspective. If he truly had no power to change or even influence the outcome, why would he take a position of compromise on his core values?

For a comparison, take Richard Stallman's stance on not owning/carrying a cellphone. His position clearly does not influence telco policy, nor gov't policy on surveillance law. He has even stated publicly that it is a symbolic action and that he depends on the ability of others around him to make urgent calls if necessary. Yet he still takes the symbolic action. Why? Because standing up for one's principles is important, even in the face of a large inconvenience (or even dependence in this case on others).

Berners-Lee would suffer essentially zero inconvenience from taking a principled stance in the face of much larger corporate players who in reality determine W3C policy. His only hit would be to his ego, since it would reveal that his stance is largely symbolic rather than being a real player in the W3C.

I can certainly understand his stance given the prominence of such compromises in the tech industry. But I certainly do not agree with it, and I find it likely that history will not honor it as a principled stance.

Can't browser manufacturers simply refuse to implement this standard? After all if Google doesn't implement it there will be some 70% of users not able to use Netflix (Or whatever other service requires this) and that might be a good enough incentive for Netflix to skip out on DRM.
DRM is only there because of Chrome implementing it, Firefox resisted but had to give up due to market share.
Yea but what's the incentive for Google ? They are a player in this space as well, and if anything they seem to want to scale up (Youtube Red, etc).

(And suddenly, people remember how monopolies hurt consumers and regret giving Chrome so much market-share. Or not.)

I would ask people to get off Chrome & GitHub. Chrome for future of browsing and github for future of development. There are wonderful (I'd dare and say better) alternatives very easily available.

"As long as monopoly doesn't hurt me, why should I care."

This is somewhat ironic, since Youtube became big because of content right infringements.
Cross the bridge and then burn it is a proven strategy, I wouldn't exactly consider it ironic.
Well they're implementing an ad-blocker which seems counter-intuitive for a company built on ad revenue. The same idea applies here as well, if you force advertisers to do reasonable adverts people are more likely to accept the remaining ads. Pop-unders are one of several reasons why I run an adblocker for any site I don't visit regularly.
Netflix wasn't able to use DRM in Safari on iOS for years... so they just made a native app available instead. iOS is pretty significant in Netflix's home/original market, and they were happy to not have an in-browser experience there.
Honest question:

What is different about this compared to all the previous things we've had that used plugins?

The DRM plugin is for decryption only and runs in a sandbox (in Firefox anyways). Flash has a much larger attack surface. Performance of flash is usually much poorer when compared to the browser's video player.
Not trolling, just genuinely curious: what about this is so awful then? This sounds like a step in the right direction?
I also don't understand the big deal. I'd be happy for someone to point out the obvious thing I'm missing. I believe content creators/owners should be able to do whatever they want with what they create/own, just like I can do whatever I want with what I create/own.
DRM makes it hard for me to make backup copies of media that I've bought and own, so you can see how DRM goes against your stated belief. That's just one for starters. The article itself goes into a few more reasons.
But that doesn't go against my stated belief. If someone wants to offer you a time-limited or location-limited video they can do that. You don't have to pay for it. And I say this as an Australian who doesn't pay for Netflix because of stupid regional restrictions. Vote with your wallet and let people do as they please.
What's awful is that I, or you, or anyone else, cannot take the web specs and implement a browser that correctly displays websites that are following those standards. To correctly display every website I have to make backroom deals for big $ with companies.
Isn't that basically the same? In the past, you could use the W3C standards to build a browser which would display everything except plugin/ActiveX content. Now you can build a browser which can display a higher percentage of content, including audio and video, except DRM restricted material.

This seems like an exceedingly fine distinction between the web as it works in theory and as it has actually worked at any point in its history since the number of browsers exceeded 1.

This makes DRM easy. Very easy.

So easy that Twitter and Facebook are considering to implement it for all videos. So easy that YouTube is starting to implement it.

This kills the web.

The web as you knew it is dead and buried.
So, just like the web until ~2014, when Flash video was the default and sites could very easily add DRM to their players?
And building DRM was so complicated close to no sites had it? Yes, exactly that.

Right now, YouTube is working on adding EME based DRM, as are Twitter and Facebook.

Even with their Flash based video, you could always easily download it.

It isn't. Every time one of these articles hit a bunch of people get outraged but none of them have figured out how to a) convince the average person buying DRMed content why they should care or b) how calling for the W3C (or before that, Mozilla) to make a token symbolic gesture would in any way change the dynamic when three of the four major browsers are made by DRM vendors.
I can't find where in the article people are being forced to use this?
When content providers, a la YouTube switch to it.
YouTube probably won't force this, but even if they do, nobody forces you to use YouTube.
YouTube doesn't need to want to use this, the content providers will be breathing in its neck about NotDoingEnoughToStopPirates, and they'll comply out of wish to avoid frivolous lawsuits.

Riiight, I'll just move to next high speed, high capacity video platform, that will magically grow in the meantime.

I agree that DRM is a bad thing, but in this instance, what is the alternative to implementing in the browser? Media companies will each have their own DRM plugins, which won't work on all browsers and platforms. Which is worse?
DRM in HTML is worse.
DRM in the browser is worse. Because it makes this too easy.

Now Facebook and Twitter wre considering DRM for their video content, and YouTube is already implementing it.

In a few years you won't be able to download a single video you see on the web. Great.

And despite the downvotes, this is a huge problem because videos are not only movies and tv series: videos are also interviews, live reporting, crimes, calling out politicians or worse. If you can't download those, you have one card less to play when they decide to put them down from the Internet.
Being in the spec is worse, because now it is the browser's responsibility. This is what EME defenders don't seem to understand, it's all about offloading the responsibility off of media companies and onto browser vendors.

Let me repeat that, EME is a redistribution of software maintenance (bugs, etc.) off of the media companies and onto browser vendors.

Past experience with buggy software has shown me media companies are way worse at this than Microsoft/Google/Mozilla whose job is to ship working code.
> Past experience with buggy software has shown me media companies are way worse at this than Microsoft/Google/Mozilla whose job is to ship working code.

With EME, you still have to download a proprietary binary written by the media companies and run it on your computer. It's not inherently any less buggy than the previous approaches were.

The proprietary DRM components come from Google, Microsoft and Apple.
Which is exactly why they want to offload the responsibility onto someone else.
That is a good thing if you care in the least about security. Being secure is a selling point of browsers, and hence they take code quality seriously-- bug trackers, bug bounties, regular and automatic updates.

History has shown that third party plugin providers care not even a little bit about how slow or broken their plugins are, because they have a monopoly on that content you want to view. As a result, in a world where the content creators control the plugin code, everyone ends up with broken, insecure, slow plugins.

We're trying to exit that world. Don't start getting nostalgic for it.

I would actually have preferred that. Making DRM a harder and more inconvenient choice means DRM is a less attractive option. Making DRM easy and painless means it becomes normal.

You might ask, if DRM is so easy and painless, what's so bad about it?

The thing is, I only think it will be easy and painless for one specific type of use, such as watching from netflix.com in a browser. You can forget about trying to consume the media in any other way (other than what Netflix has decided is "good").

And then some years down the road some brilliant manager comes up with the idea of using DRM for many more things than video. After all, why should our visitors be able to see the source code of our websites? Why should imgur's visitors be able to "steal" images that they are hosting and put them other places?

This doesn't make DRM any easier. It makes it easier for media companies. If you are implementing a browser now you have to do backroom deals with DRM providers to use their plugins.

Hopefully you have a nest egg from advertisement sales or manufacturing a popular phone or something, otherwise the DRM providers won't give 2 shits about you.

The alternative is forcing media companies to adapt to market demand. Instead we're forcing developers and users to adapt to media company demand.

That's worse than letting crappy proprietary plugins continue to die a deserved death.

> The alternative is forcing media companies to adapt to market demand.

Citation needed that there's market demand. A couple decades in, as far as I can tell the average consumer is all too happy with the current setup, which is why there's been so little effective opposition.

> Instead we're forcing developers and users to adapt to media company demand.

Developers … of browsers, who were the ones who backed this proposal so they could stop having to support the performance and security problems of plugins. If you're just developing a website which doesn't sell restricted content, your life doesn't change in any way. If you do, well, the contract terms haven't changed – the only difference is that you don't need to maintain a second development and hosting environment for Flash/Silverlight.

As for the user experience, the only change from that perspective is that things have gotten easier. Most users have never had unrestricted commercial video so all they're losing is the need to install a plugin or pay someone to remove malware from their PC when they forget to update that plugin. Plus the fans don't stay on constantly when playing >480p like they did with Flash.

I don't like DRM but if hyperbolic rhetoric was going to solve this problem that would have happened a decade or two earlier.

You don't know what you're talking about. Studios would rather kill streaming on PCs entirely, and force streaming to happen on approved devices than give up DRM, and they have the market clout to do just that. Bottom line is they have the content people want so they do what they want, browser makers have no leverage to play activist in this situation.
Not to mention that they would be riddled with security holes, with no regular update schedule or bug bounty in sight.

DRM isnt going away, this may be the lesser of two evils.

Well that's an awfully uncharitable title. Isn't it possible he simply thinks EME is a better alternative than Flash/Silverlight? Because I sure do.
Fortunately the article is more even handed than the title and cites two broad issues with this:

> First, the question of whether or not EME even needs to be in HTML at all. Many -- even those who dislike DRM -- have argued that it was kind of necessary. The underlying argument here is that certain content producers would effectively abandon the web without EME being in HTML5.

> The second issue is much more problematic. A bunch of W3C members had made a clear proposal that if EME is included, there should be a covenant that W3C members will not sue security researchers under Section 1201 of the DMCA should they crack any DRM. There is no reason not to support this. Security researchers should be encouraged to be searching for vulnerabilities in DRM and encryption in order to better protect us all.

Adding legal agreements into a technical standard is tricky. Security researchers absolutely need protection, but it should be addressed at via legislation. There needs to be a clear way to distinguish security research from malicious hacking that applies across technologies.
Fat chance that happening, if anything we will see increased restriction on who is allowed and not allowed to "research" security limited to only government approved contractors that file for permission to do with the FBI
It's not a better alternative, because it makes DRM too easily accessible. Many companies that would never have used Flash for DRM are now using EME or considering it. Including YouTube, Twitter, Facebook, etc.

In a few years every video on the web will use DRM, and you won't even be able to download YouTube videos.

A platform being simple to implement doesn't seem like a good argument against that platform, even if you dislike it for other reasons.
if that platform is anti-social, you want to raise the barrier for entry, not lower it.
If the platform is obnoxious, people will abandon it for other alternatives.

You know, like the crappy ones (flash, silverlight) we've been trying to ditch for a decade now.

If that's what content creators want, isn't it in their right?

You're technically not allowed to download YouTube videos anyway, there just isn't a convenient measure against it. You're not paying, you're probably blocking ads and now you want to download stuff for free? You're worthless to creators.

Also, you're not getting to see all the videos that aren't on Youtube exactly because there is no DRM.

> If that's what content creators want, isn't it in their right?

Absolutely. That's not particularly relevant to the normative question of whether the HTML standard should make adding DRM less of a pain point though.

> If that's what content creators want, isn't it in their right?

No, because DRM + DMCA has repeatedly been used to violate consumers' and researchers' fair use rights. It's my right to lock my house, unless you're inside it and I'm effectively turning it into a prison.

No, it’s not in their right. If I buy a book on Amazon, I have a right to make a copy, but DRM prevents me from that.

If I buy a movie on Google Play Movies, I have the right to make up to 7 backups without DRM, but DRM prevents me from that.

>If that's what content creators want, isn't it in their right?

No, they have no right to control my computer

> It's not a better alternative, because it makes DRM too easily accessible

As anti-DRM as I am, what you're basically saying is that DRM which is essentially encryption used with some sort of e-commerce system should be difficult and obtuse, so as to discourage it's use, while at least implying (and I'm betting you are) that you'd be pro-encryption on the user's side for security and privacy.

You have the right to privacy and to use encryption to enforce that privacy, but so do content creators have the right to lock you out until you're willing to pay money, watch ads, or whatever system they have in mind. You aren't entitled to content any more than Doubleclick is entitled to your browsing history.

> DRM which is essentially encryption used with some sort of e-commerce system

I'd say this is incorrect. At it's core DRM requires a locked-down system, either on the hardware or software level, but always closed source, to hide operations from the owner of the device. Encryption is a big part of this but technically doesn't need to be.

I agree that content creators have the right to stop me from consuming their content if I don't pay money, watch ads or whatever, but they don't have the right to require me to install unknown software or hardware on my computer.

> but they don't have the right to require me to install unknown software or hardware on my computer.

Yes and that's why they're adding DRM support to HTML5, so you don't need to and the browser you're using can act as the endpoint allowing access to the content. Now you don't need to install Flash or ick Silverlight to do so.

More to the point though, they absolutely do. A content creator can set any kind of wacky requirements for you to consume their content that they see fit; and it's your decision as a content consumer to decide if you're going to jump through whatever hoops of fire to do so. You, and no one else aside from the creator (or more likely, distributor) has a right to say what is a reasonable expectation and what is an unreasonable expectation.

I would however add that recently there has been a push to "Steamify" many content delivery systems to remove the friction typically associated with DRM and to make consuming DRM-enabled content more seamless. I think content distributors are slowly waking up to the fact that they cannot stop the Piracy end of things, so the solution is to do what Steam did for video games: make Piracy less attractive by making legal ownership better value for money, and less effort.

>Yes and that's why they're adding DRM support to HTML5, so you don't need to and the browser you're using can act as the endpoint allowing access to the content.

This still means you'll need a specific browser. Open-source browsers will likely not work anymore.

Then don't use open source browsers, or don't consume the content.
If Firefox and Chromium don't work with EME I will go buy a a hat, and eat it.

I'd hazard the folks who truly get locked out, users of more ideological browsers on more fringe linux distros, already were not using flash or silverlight, because those already required a proprietary blob of code. And frankly they're probably not interested in content that is locked down.

Firefox and Chromium already don’t work with EME unless you install a proprietary addon.
>>Now you don't need to install Flash or ick Silverlight to do so.

I dont think you understand how EME work

You still need to have a CDM, which is functionally the exact same as a flash plugin, the CDM's are not part of the standard, Adobe, MS and Google are the only providers of the CDM's so every browser not made by those 3 have to go begging for permission to include the binary non-open blob in their browser if they want to use EME for media

It's irrelevant. The rights holders and/or distributors have every right to demand certain conditions for you to view their IP. Information isn't free unless the holder says it is, end of story, and if they demand you have to read it while standing on your head, you have every right to choose not to do so, but you can't then circumvent their requirements because you disagree with how their implemented and claim to be on the right side.
And that’s false. There’s laws about this, and there’s rights about this. And the right owners can do what they want, if the law allows me to sell content for which I bought a license, I should be able to do so.
I'm not sure what you're attempting to state here. If you buy content, you have the right to access it? That's correct but it's not contrary to anything I've said.
I have the right to access it, copy it, sell it, or rent it out.

If DRM prevents me from doing so, it violates my rights.

No, you do not have those rights. You have the rights outlined in the terms of service of the given distributor you bought it from.

Some like Amazon MP3 are much more liberal in terms of what you can do with your purchased media, but you do not own the rights to copy it, sell it, or rent it. If you don't believe me, try and do it.

>The rights holders and/or distributors have every right to demand certain conditions for you to view their IP. Information isn't free unless the holder says it is

So you believe "rights holders" rights are unlimited, and they should have the power to demand anything?

Surely not. "Right Holders" have only the very limited rights granted to them under copyright law, some people including myself believe they have too many rights but they sure as hell are not unlimited like you seem to imply. They do not get full and total control over their content, only the control allowed under copyright law which has many limits and exemptions including but not limited to fair use rights for the public, and a limited in duration term which they have those rights

The purpose of copyright law is NOT to protect the creator, it is promote useful sciences and exchange of knowledge. Copyright is to help promote creation FOR THE PUBLIC GOOD, not personal profit. People seem to forget that

Copyright today seems to be at odds with its constitutional purpose, its legal reason for existence

> So you believe "rights holders" rights are unlimited, and they should have the power to demand anything?

That's exactly not what I said:

> The rights holders and/or distributors have every right to demand certain conditions for you to view their IP.

"Certain conditions" here referring to a subscription to a given service as many artists do on sites like Patreon, subscription through an exclusive DRM-enabled device like an Apple TV or FireTV, heck you could even consider the set-top boxes used by cable and satellite TV companies as that sort of requirement (and an active subscription of course).

The only media to which this doesn't really apply is OTA TV, Radio, and YouTube videos (mostly, excluding stuff confined to YouTube Red) and what I'm saying is that the creator of any given media has every right to decide which media channels it will be distributed through, at what cost, and via what channels be it iTunes, Patreon or Amazon or all of the above (as it's able to be.) You, for example, couldn't record all episodes of Last Week Tonight, and post them for sale on iTunes; the fact that HBO doesn't do that doesn't give you the right to then do it yourself, for profit or otherwise.

and none of what you posted has anything to do with what we are talking about when it comes to EME or DRM

HBO does not need either to protect me from selling Copies of their content on iTunes.

EME and DRM is about preventing users from utilizing their rights under copyright law to format shift, time shift or consume content they paid for on the devices they desire, instead Hollywood wants to be able to charge the consumer no only for access to the content, but seperatly for each device, each view, each access, and be able to control when and where they view said content preventing users from view their content if they happen to travel internationally, or buy a device not blessed by Hollywood

none of which is allowed under Copyright law directly, but because of the provisions in DMCA preventing breaking of DRM they have illegitimately gained these rights and are using it to violate consumers fair use rights wholesale

I don't get the gripe. EME is used solely for wrangling media bits and it doesn't insist on any specific CDM. It's up to the browser manufacturers to decide if they want to include any closed-source implementations.

The fact that commercial browser manufacturers include their own closed-source implementation makes perfect sense (IE = playready, Safari = fairplay, Chrome = widevine).

If ARRI decides to create a web browser, would you expect them not to allow their end users to natively play ARRI raw files if they could provide it, simply because other browsers can't include that closed-source capability? Seems to me like an arbitrary restriction.

If I want to use open-source-only browser, and lose out on some of the proprietary commercial stuff I get elsewhere, that's a respectable choice, but it shouldn't be the only one.

It's not the only choice. This is not about what browsers implement, this is about what open-standards spec.
Sure, but EME with an open-source clearkeys-only CDM is essentially equivalent to a vanilla js aes lib, no?
Considering Firefox is open-source, is patching in a backdoor to the EME implementation a feasible way of handling the DRM situation? I don't see many reasons why I would not want to be running client-side intentionally backdoored EME?
Firefox includes a proprietary binary for EME.
Don't blame Tim for what we ALL have done to the Internet since three decades. This was the inevitable result of commercialisation. Tim can't stop it, no matter how much respect/influence he might have. DRM (as an abstract idea) won't go until we stop having to earn money to survive, and I don't see THAT happening soon. The Internet has just become the latest arena where the age-old battle is playing out.
This. People don't understand the forces at work here. They think we can get a coalition of free software advocates to prevent the march of DRM, but they fail to realize that content rights-holders have market clout. Consumers will jump through whatever stupid hoops they put up. Meanwhile, free software advocates have no market clout, if they succeed in killing EME in a browser, then the general consumer perception will be that that browser is broken and will lose marketshare.

This situation sucks, and I fought against it professionally for almost a decade, but at the end of the day if there's a market need for something, tech will be built for it in a completely amoral fashion.

EME removes much of the cost associated with adding DRM to content in exchange for increased portability of content that is DRM'd.

This doesn't seem like a good trade-off to me. Yes it's only for "media", but once it's essentially free to add DRM, I foresee a whole bunch of current content becoming "media" in ways that I'm going to find unfortunate even totally disregarding the DRM aspects.

That said, I neither consume much content that's currently DRM'd nor do I have any technical difficulty accessing such content, so other's might want different trade-offs.

I definitely do not understand what's going on here. As noted in the appeal posted by Doctorow [1], DMCA prohibits bypassing DRM so this W3C "approval" seems completely unnecessary. If it's oversight that you want, then a W3C standard isn't the way. A W3C standard is just a description of system behavior; it doesn't carry with it any penalties for deviation. If it did, I would have sued all the browser devs who delayed support HTML5 elements citing compensatory damages: my livelihood was affected!

At the same time, the appeal seems misaligned because (again) the specification may be superior in accessibility, privacy, etc. but the implementation can be total crap. What option do you have? Open a ticket for Chrome or Firefox? Stop watching Fox News because their plugin is buggy and slow?

This whole thing seems like a polite disagreement among intellectuals. The EFF expected more from Berners-Lee but it turns out that he chose to act differently.

[1] https://www.eff.org/deeplinks/2017/07/notice-w3c-effs-appeal...